Add Wireshark to the PortableApps Suite

March 19, 2009 – 6:04 AM

I just saw that Wireshark has a version available for download to add it directly to your PortableApps Suite.  This will allow you to carry a working copy of Wireshark around with you on a USB stick with all of your other portable applications.

First, grab the portable version of Wireshark from the website:
http://www.wireshark.org/download.html

Next, open up your PortableApps Suite and click on Options > Install a New App:

Browse to the *.paf.exe file for Wireshark and install it.  You now have Wireshark everywhere you go.

Rootkit code to exploit major Intel chip

March 18, 2009 – 9:41 AM

This is the scariest, stealthiest, and most dangerous rootkit I’ve seen come around since the legendary Blue Pill! No, I’m not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.

Security researchers Joanna Rutkowska and Loic Duflot plan to release a research paper and exploit code for a new SMM (System Management Mode) rootkit that is installed through an Intel CPU caching vulnerability. Joanna, of Blue Pill fame, announced it on her blog:

“Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours.”

The heart-stopping thing about this particular exploit is that it hides itself in SMM. To put that into perspective, SMM is more privileged than a hypervisor and is not under the control of any operating system. By design the OS cannot override or disable System Management Interrupts (SMIs): when one fires, the CPU suspends whatever was running, hypervisor included, and executes the SMM handler out of SMRAM, a region of memory the chipset hides from the OS once it has been locked. In practice the only way to know what is running in there is to pull the firmware off the flash chip and disassemble it.

So an SMI takes precedence over any OS code, the OS can neither control nor read SMM, and inspecting SMM means disassembling the firmware. That combination makes an SMM rootkit incredibly stealthy. It is very much like the Blue Pill attack (the PC is living in a matrix under the attacker's complete control), except that an SMM attack sits at an even deeper hardware level than a hypervisor exploit. SMM has been in Intel processors since the 386SL, so if you'd like further education or a history lesson, here is a good article.

Now remember that what Joanna and Loic will be releasing is a brand new, never before disclosed Intel caching hack that lets them get into SMM and run a rootkit that takes control of the PC. The rootkit even has the ability to call home to its creator to fetch new code or deposit its findings. No software you can run inside the operating system would be able to detect this type of exploit once you are pwned.

Source:
http://www.networkworld.com/community/node/39825

Browser plugin blocks ad-tracking cookies

March 17, 2009 – 12:36 PM

A researcher has developed a browser extension that stops advertising networks from tracking a person’s surfing habits, such as search queries and content they view on the web.

The extension, called Targeted Advertising Cookie Opt-Out (TACO), enables its users to opt out of 27 advertising networks that are employing behavioural advertising systems, wrote Christopher Soghoian, who developed it, on his website.

Soghoian, a fellow at the Berkman Center for Internet and Society at Harvard and a doctoral candidate at Indiana University, modified a browser extension Google released under an Apache 2 open-source license.

Google’s opt-out plugin for Internet Explorer and Firefox stops its DoubleClick advertising network from tracking the browser by setting and preserving DoubleClick's opt-out cookie, so that clearing cookies does not silently re-enable tracking. A cookie is a small data file that a web server stores in the browser; because the browser sends it back with every request to that server, an advertising network can use it to tie together the websites visited and search queries made from that browser.

Google’s opt-out plugin comes as the company announced plans last week to target advertisements based on the sites people visit. Targeted advertising is seen as a way for advertisers to find potential customers more precisely, and for website publishers to charge higher advertising rates.

Source:
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=112888

When Safe Mode Isn’t So Safe

March 17, 2009 – 12:21 PM

Windows has, for many years, come with a special mode you can load at boot called Safe Mode. The idea is that non-essential services and software don’t load in safe mode and so it can be useful in diagnosing system problems.

You might assume that it can be useful in fixing malware infections and you’d be right, but not in all cases. As McAfee’s Avert Labs points out in a blog entry, it’s possible for malware to set itself up to load even in Safe Mode.

The drivers and services allowed to run in Safe Mode are listed under these registry keys (Minimal for plain Safe Mode, Network for Safe Mode with Networking). Each subkey is named after a service or driver, or after a device setup class GUID, and its default value says which kind it is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

McAfee says that malware can add its own service or driver under these keys so that it loads at boot time even in a safe boot. They don't name any specific malware that does this.
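The check that follows is an added example for this post, not code from McAfee or PC Magazine. It lists every entry under the two SafeBoot keys and flags the ones worth a closer look. Run it in an elevated Windows PowerShell on the machine you are inspecting. The triage rules (binary missing, binary outside %SystemRoot%, Authenticode signature not Valid, allow-listed name with no matching service key) and the ImagePath normalisation are this example's own assumptions, not a Microsoft or McAfee definition of what belongs in those keys.

```powershell
# Added example: audit the SafeBoot allow-lists. Assumptions: run elevated;
# the flagging heuristics below are this script's own, not a vendor baseline.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Service ImagePath values come in several shapes:
    #   \SystemRoot\system32\drivers\foo.sys
    #   system32\DRIVERS\bar.sys
    #   %SystemRoot%\System32\svchost.exe -k netsvcs
    #   "C:\Program Files\Vendor\agent.exe" /service
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''                    # drop the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }    # quoted path followed by arguments
    elseif ($p -match '^(\S+)') { $p = $Matches[1] }    # unquoted: stop at the first space
    # An unquoted path containing spaces is truncated here and will show up as
    # "binary missing", which is itself a reason to look at that entry by hand.
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # relative paths are relative to %SystemRoot%
    return $p
}

function Get-SafeBootEntry {
    foreach ($mode in 'Minimal', 'Network') {
        Get-ChildItem -Path (Join-Path $SafeBootRoot $mode) | ForEach-Object {
            $name  = $_.PSChildName
            $kind  = (Get-ItemProperty -Path $_.PSPath).'(default)'   # "Service" or "Driver"
            $path  = $null
            $flags = @()
            if ($name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
                $kind = 'Class'     # device setup class GUID: every driver of that class loads
            } elseif (Test-Path (Join-Path $ServicesRoot $name)) {
                $svc  = Get-ItemProperty -Path (Join-Path $ServicesRoot $name)
                $path = Resolve-ImagePath $svc.ImagePath
                if ($path -and -not (Test-Path -LiteralPath $path)) {
                    $flags += 'binary missing'
                } elseif ($path) {
                    if ($path -notlike "$env:SystemRoot\*") { $flags += 'outside SystemRoot' }
                    $sig = Get-AuthenticodeSignature -FilePath $path   # catalog-signed inbox files report Valid
                    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
                }
            } else {
                $flags += 'no matching service key'    # allow-listed name with nothing behind it
            }
            [pscustomobject]@{
                Mode = $mode; Entry = $name; Kind = $kind; ImagePath = $path; Flags = ($flags -join '; ')
            }
        }
    }
}

Get-SafeBootEntry | Sort-Object Mode, Entry | Format-Table -AutoSize
```

Read the output against a known-clean machine of the same Windows version rather than against intuition: the legitimate list is long and version-specific, so the useful signal is an entry the clean box does not have, particularly one whose binary lives outside System32 or carries no valid signature. Do not simply delete entries you do not recognise; removing a legitimate one can leave the machine unable to boot into Safe Mode at all.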

Source:
http://blogs.pcmag.com/securitywatch/2009/03/when_safe_mode_isnt_so_safe.php

Researcher upset by Windows DNS patch

March 17, 2009 – 7:35 AM

One of the patches Microsoft issued last week is nothing of the sort, according to a researcher who has accused Microsoft of making functionality a higher priority than security.

According to Tyler Reguly, a senior security engineer with nCircle Security, last Tuesday’s MS09-008 update does not fix the problem for all users, many of whom may not realise that they’re still vulnerable to attack.

“When you get a patch from a vendor, you expect it to provide some level of security,” said Reguly. “But MS09-008 only mitigates the problem, it doesn’t patch it.”

MS09-008, one of three security updates released March 10, addressed four separate flaws in Windows’ DNS and WINS servers, and required that network administrators patch all currently supported server editions of Windows, including Windows 2000 Server, Server 2003 and Server 2008.

Reguly has taken exception to the part of the update that addresses a vulnerability in the WPAD (Web Proxy Auto-Discovery) functionality of Windows DNS Server.

“WPAD is a way to automatically configure proxy servers on machines,” he explained. “When the browser, like Internet Explorer, is configured to ‘Automatically Detect Settings,’ it will look for wpad.company.com and attempt to resolve and pull down a configuration file. But if an attacker can manipulate the WPAD entry, all the traffic from those machines will go through his server. That would let him run ‘man-in-the-middle’ attacks to steal passwords or any other information.”
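The script below is an added example for this post, not code from nCircle or the Techworld article. It reproduces from the command line what Reguly describes a client doing with "Automatically detect settings" turned on: walk the DNS suffix looking for a wpad.<domain> host and, if one answers, fetch /wpad.dat and list the proxies the PAC file would route traffic through. If a name resolves that nobody on the network team registered, that is the situation he is warning about. Assumptions: Windows 8 / Server 2012 or later for Resolve-DnsName, Get-DnsClientGlobalSetting and Invoke-WebRequest; the suffix walk stops before the top-level label, which is this example's simplification of the client's real devolution rules; the PAC "parser" is a regex over PROXY/SOCKS directives, not a JavaScript engine.

```powershell
# Added example: find out which host, if any, clients on this domain would
# trust for proxy auto-configuration. Assumptions are listed in the lead-in.

function Get-WpadCandidate {
    param([string[]]$Suffix)
    # For suffix dept.corp.example.com a client tries wpad.dept.corp.example.com,
    # then wpad.corp.example.com, then wpad.example.com (never wpad.com).
    foreach ($s in $Suffix) {
        $labels = $s.Trim('.').Split('.')
        for ($i = 0; $i -lt $labels.Count - 1; $i++) {
            'wpad.' + ($labels[$i..($labels.Count - 1)] -join '.')
        }
    }
}

function Get-PacProxy {
    param([string]$PacText)
    # Every "PROXY host:port" / "SOCKS host:port" token in the PAC is a place the
    # client would hand its traffic to; DIRECT entries are not interesting here.
    [regex]::Matches($PacText, '(?i)\b(PROXY|SOCKS5?|HTTPS?)\s+([^;"''\s]+)') |
        ForEach-Object { [pscustomobject]@{ Type = $_.Groups[1].Value.ToUpper(); Target = $_.Groups[2].Value } } |
        Sort-Object Type, Target -Unique
}

function Test-Wpad {
    param([string[]]$Suffix)
    if (-not $Suffix) {
        # Default to the machine's own search list plus its AD DNS domain.
        $Suffix = @((Get-DnsClientGlobalSetting).SuffixSearchList) + $env:USERDNSDOMAIN |
                  Where-Object { $_ } | Select-Object -Unique
    }
    foreach ($name in Get-WpadCandidate $Suffix) {
        $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        if (-not $a) { "$name : does not resolve"; continue }
        $ips = ($a | ForEach-Object IPAddress) -join ', '
        Write-Warning "$name resolves to $ips; clients will fetch their proxy settings from it"
        try {
            $pac = (Invoke-WebRequest -Uri "http://$name/wpad.dat" -UseBasicParsing -TimeoutSec 5).Content
            Get-PacProxy $pac | ForEach-Object { Write-Warning ("    {0,-6} {1}" -f $_.Type, $_.Target) }
        } catch {
            "    $name answers DNS but wpad.dat could not be fetched: $($_.Exception.Message)"
        }
        break   # clients stop at the first name that resolves, so this check does too
    }
}

Test-Wpad
```

The expected result on a network that does not deliberately publish WPAD is a list of "does not resolve" lines. Any hit should be traced back to whoever registered the record; a PROXY target you do not recognise means every browser with auto-detection enabled is already sending its traffic through it, which is exactly the man-in-the-middle position Reguly describes.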

Source:
http://www.techworld.com/security/news/index.cfm?newsID=112854&pagtype=samechan