Shmoocon 2008 videos are now online

June 1, 2008 – 8:34 AM

The videos from ShmooCon 2008 have hit the shelves. Go download them at:

http://www.shmoocon.org/2008/videos/

EDIT: As of the time of this post, some of the videos are incorrectly named. Here is the one-to-one mapping of file names to talks:
Correctly Named:

  1. 21st Century Shellcode for Solaris
  2. Advanced Protocol Fuzzing – What We Learned when Bringing Layer2 Logic to SPIKE land
  3. Backtrack Demo – “Hacking and Stuff”
  4. Bake Not (Fried, spelling error on filename) Fired – Performing Unauthorized Phishing
  5. Closing Remarks
  6. Forensic Image Analysis for Password Recovery (same video is also under another name below)
  7. Got Citrix Hack it!
  8. Hacking the Samurai Spirit
  9. Keynote Address – Alex Halberman
  10. Legal Issues for Bot-Net Researchers and Mitigators
  11. Malware Software Armoring Circumvention (same video is also under another name below)
  12. On the Social Responsibility of Hackers – Hacker Panel
  13. Opening Remarks
  14. Path X – Explosive Security Testing Using Xpath
  15. PEAP Pwned Extensible Authentication Protocol
  16. Practical Hacker Crypto
  17. SIPing Your Network
  18. The Geek and the Gumshoe
  19. They’re Hacking Our Clients – What are we focusing on Servers? (same video is also under another name below)
  20. TL1 Device Security (same video is also under another name below)
  21. Using Aspect Oriented Programming to Prevent App Attacks
  22. Virtual Worlds – Real Exploits
  23. VOIP Penetration Testing Lessons Learned
  24. Web Portals – Gateway to Information or Hole in Our Perimeter Defenses
  25. Why are Databases so Hard to Secure

Incorrectly Named:

  • Named: Flash Drives and Solid State Drives Data Recovery Comparison to Hard Drives
    • Actually: Hacking Windows Vista Security
  • Named: Active 802.11 Fingerprinting
    • Actually: Using Aspect Oriented Programming to Prevent App Attacks
  • Named: Own the Con
    • Actually: TL1 Device Security
  • Named: A Hacker Looks Past 50
    • Actually: RenderMan’s: How do I Pwn Thee
  • Named: I will be your Eyes and Hands
    • Actually: Malware Software Armoring Circumvention
  • Named: Intercepting Mobile Phone GSM Traffic
    • Actually: Forensic Image Analysis for Password Recovery
  • Named: Passive Host Characterization
    • Actually: They’re Hacking Our Clients – Why are we focusing on Servers
  • Named: Smarter Password Cracking
    • Actually: Practical Hacker Crypto
  • Named: Vulncatcher – Fun with Vtrace and Programmatic Debugging
    • Actually: Path X – Explosive Security Testing Using XPath
  • Named: When Lawyers Attack! Dealing with the New Rules of Electronic Discovery
    • Actually: Legal Issues for Bot-Net Researchers and Mitigators
  • Named: You Must Be This Tall to Ride the Security Ride
    • Actually: Closing Remarks

Source: Room362

Lynis – Security and system auditing tool

June 1, 2008 – 8:21 AM

Lynis is an auditing tool for Unix (specialists). It scans the system and the software available on it to detect security issues. Besides security-related information, it also collects general system information, installed packages and configuration mistakes.

This software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems.


Homepage:
http://www.rootkit.nl/projects/lynis.html

Nessus 3.2.1 Released – New Report Filtering Features Added

May 30, 2008 – 8:35 PM

Tenable Network Security has released version 3.2.1 of the Nessus vulnerability scanner. This point release includes a variety of small bug fixes as well as a new report filtering interface for the Nessus client. This blog entry will discuss the new Nessus features, bug fixes and reporting filters for the Nessus Client.

Nessus Release Notes

New features

  • New multi-criteria report filter in NessusClient. There is more on this later in the blog.
  • On Mac OS X, it is now possible to authenticate with NessusClient to a remote Nessus server via a SSL certificate
  • New NASL functions – bn_dec2raw(), bn_raw2dec(), bn_hex2raw(), bn_raw2hex(), rsa_public_encrypt(), rsa_private_encrypt() and rsa_private_decrypt()
  • New options in nessusd.conf : ‘enable_listen_ipv4’ and ‘enable_listen_ipv6’ let the user disable IPv4 and IPv6 bindings
  • Builds for Ubuntu Linux 8.04 and Fedora 9
  • Support for Windows 2000

Bug fixes in this release

‘nessus’ command-line client:

  • report entries longer than 16Kb would be truncated
  • When exporting a report to the .nessus format, some report entries could sometimes be truncated
  • When exporting a report to the .nessus format, backslashes would not be properly escaped

Nessus server:

  • Fixed a concurrency issue when too many threads write to the plugin database
  • On Solaris, SIGCHLD signals would not always be properly handled, thus leaving zombie processes
  • Fixed a segmentation fault in nasl occurring on 64 bits systems

Nessus client:

  • When searching for plugins, the filtering interface now works as expected

Plugins:

  • ssl_ciphers.nes has been removed in favor of the new ssl_ciphers.nasl
  • Fixed a segmentation fault in nessus_tcp_scanner.nes

Packaging:

  • The %uninstall section of the RPMs contained a bug which would force users doing an upgrade to call ‘chkconfig nessusd on’ manually. Due to the nature of this bug, be sure to call ‘chkconfig nessusd on’ when upgrading from 3.x.y to 3.2.1
  • The Debian 4 i386 build was incorrectly registering itself as x86-64, thus breaking ‘nessus-update’ on Debian 4 i386

Download here:
http://www.nessus.org/download/

Microsoft Warns Of Security Vulnerability Arising From Apple’s Safari

May 30, 2008 – 6:08 PM

Microsoft on Friday said it is investigating reports of “a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari Web browser has been installed.” An attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, which would initiate the download of malware without requiring the victim to take additional actions, according to Microsoft.

In a statement, Tim Rains, security response communications lead for Microsoft, said, “Safari is not installed with Windows XP or Windows Vista by default: It must be installed independently or through the Apple Software Update application.”

Apple received considerable criticism in March when it opted to make its Safari Web browser available to Windows users by default, as part of an iTunes update. Mozilla CEO John Lilly said Apple’s decision to do so “borders on malware distribution practices.”

Microsoft has issued a Security Advisory that explains the issue and offers risk mitigation advice. The company said that customers who have changed the default Safari download location are not at risk.

The issue arises from what security researcher Nitesh Dhanjani calls the Safari Carpet Bomb vulnerability. “It is possible for a rogue Web site to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in Mac OS X),” he explains in a blog post.

“This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed). … The implication of this is obvious: Malware downloaded to the user’s desktop without the user’s consent.”

Dhanjani said he has brought three security vulnerabilities to Apple’s attention and that Apple said it plans to fix one of the issues reported, an undisclosed Safari vulnerability that could allow a remote attacker to steal files from the user’s system.

Source: Information Week

Students crack Microsoft CardSpace

May 30, 2008 – 6:04 PM

Students at the Ruhr University of Bochum, Germany, say they have found a way to steal security tokens in Microsoft’s new CardSpace authentication framework. Attackers can apparently get access to protected, encrypted user data – such as passwords, credit card numbers, and delivery addresses – when they are transmitted. CardSpace (formerly InfoCard) is the successor to Passport. In both architectures, users’ personal data are stored locally on the user’s system. Depending on the web site, users can decide which data they want to transmit. CardSpace is designed to make classic passwords a thing of the past, by replacing them with digital certificates that may be self-signed or signed by an authoritative CA such as Verisign.

According to the report, anti-DNS pinning, DNS rebinding, DNS spoofing, and drive-by pharming are apparently all successful ways to steal transmitted tokens. Attackers basically need to manipulate the user system’s name resolution so that the token for the browser-based CardSpace is sent to the attacker. To this end, attackers manipulate the DNS entries on a router, for instance by means of cross-site request forgery, and send the attacked user to a malicious name server. If the attacker manages to switch name resolution during an authentication process so that the victim lands both on a shop’s genuine CardSpace website and on a malicious forgery, the attacker then gets the token. During the token’s validity, attackers can then pretend to be the user in question when they go shopping.

The students have created a demo server that they claim demonstrates the problem. To reproduce the demonstration, you have to change your own DNS settings and install an untrusted certificate. In our test at heise Security, we could not get the demonstration to run, however. Microsoft has apparently already been informed of the problem and is working on a solution. In their report, the students propose improving the Same Origin Policy as a security function for browsers.

Read the rest of the story…