Cisco IOS Rootkit Demonstrated

May 27, 2008 – 7:02 PM

Last Thursday at the EUSecwest conference, security researcher Sebastian Muniz of Core Security Technologies demonstrated a proof-of-concept rootkit for Cisco’s IOS router operating system. A rootkit consists of one or several related applications designed to give the program user root or administrator privileges on a given computer, whether or not that user is authorized to operate with such privileges. In general, rootkits are designed to operate covertly, often in conjunction with malware.

Perhaps the highest profile rootkit incident in recent years occurred in 2005, when security researcher Mark Russinovich found that Sony BMG had been distributing a rootkit with some of its music CDs as a means of copyright protection.

While rootkits for common operating systems, like Windows, are well known, they haven’t been an issue for Cisco’s IOS until now.

In a post to the Full Disclosure mailing list, security researcher Nicolas Fischbach wrote, “At the end of the day this is nothing new from a rootkit technology point of view, but it’s in the IOS/router world.”

The reason a potential vulnerability like this is noteworthy is that so many routers run Cisco’s IOS. Cisco routers accounted for 65% of router revenue worldwide in 2007, according to Dell’Oro Group, a telecommunications analysis firm.

Fischbach’s view is that the sky isn’t falling, at least not yet. There is a tool available to detect whether IOS has been altered: CIR, which stands for “Cisco Information Retrieval.” Furthermore, there are still hurdles to installing a rootkit in a Cisco router.

Fischbach characterized the installation process as “noisy” and as something that administrators should notice, unless they acquired the router through questionable or illegal channels.

As it happens, counterfeit routers have been keeping the FBI busy. In late February, the FBI said that various law enforcement agencies had seized over $76 million in counterfeit Cisco hardware and labels over the past two years.

Cisco recommends that customers follow industry best-practices to keep their networks secure and advises customers to read its publicly posted response to Muniz’s work.

“We thank Mr. Sebastian Muniz and Core Security Technologies for working with us towards the goal of keeping the Internet and Cisco networks, as a whole, secure,” Cisco said in an e-mailed statement. “We are currently in the process of analyzing the information that Mr. Muniz and Core Security Technologies presented at the conference.”

Source: Information Week

New Adobe Flaw Being Used in Attacks

May 27, 2008 – 2:00 PM

An unpatched bug in Adobe Systems’ Flash Player software is being exploited by online criminals, Symantec reported Monday.

Few details on the bug are available, but the flaw lies in the latest version of the Adobe Flash Player browser plugin, which is widely used by Internet surfers to view animated Web pages. The flaw affects both the recently released Flash Player version 9.0.124.0 and version 9.0.115.0, according to an advisory posted Monday to Symantec’s Security Focus Web site.

The flaw lets attackers run unauthorized software on the PC, and if the attack fails for some reason it will likely crash the browser, Security Focus said. Symantec is not aware of any vendor-supplied patches for the flaw, the advisory states.

Flash bugs have lately been a favorite of attackers. Adobe last month patched seven bugs in Flash Player, including the one that allowed hacker Shane Macaulay to win a laptop and US$5,000 for hacking into a Windows Vista machine in a March contest at the CanSecWest security conference.

In January, Adobe and other Web-development-tool vendors had to fix bugs in their development tools that created buggy Shockwave Flash (.swf) files that could be exploited in a cross-site scripting attack. This attack can be used by phishers, but it also gives the bad guys a nearly undetectable route into a victim’s bank account or almost any type of Web service.


Troubleshoot Firefox in Safe Mode

May 27, 2008 – 8:10 AM


You already know how to create multiple user profiles in Firefox for various types of online work; but if you’re trying to troubleshoot an existing Firefox profile, start up the ‘fox in “Safe Mode” to disable add-ons or reset other custom configuration. Use firefox -safe-mode at the command line for safe mode.

Source: Lifehacker

Five free pen-testing tools

May 27, 2008 – 6:09 AM

Security assessment and deep testing don’t require a big budget. Some of the most effective security tools are free, and are commonly used by professional consultants, private industry and government security practitioners. Here are a few to start with.

For scanning in the first steps of a security assessment or pen test, Nmap and Nessus share the crown. Nmap is a simple, powerful and very well-reviewed scanner that one finds in the toolbox of any serious security consultant. Nmap and its Zenmap graphical interface are free and available at nmap.org for virtually any platform from Vista and OS X to AmigaOS, and will happily run on low-power systems.

Nessus performs scans and up-to-date vulnerability testing in one interface, through a purchased “feed” of vulnerability modules for the freely downloadable application. A free but delayed noncommercial “home feed” of updates will continue to be available at nessus.org after Tenable Inc. changes the Nessus license this coming July.

The Metasploit Framework provides more operating system and application exploit information than most analysts would know what to do with. Recently rewritten in Ruby with a graphical interface, it comes with several hundred common exploit modules in the basic download available at metasploit.com. For testing Web applications specifically, the well-regarded Nikto has also undergone recent updates and is available at cirt.net/nikto2.

Wireshark provides top-notch network protocol capture and analysis, and its filtering and search functions make it a good noninvasive tool for beginners interested in TCP/IP. This high-quality successor to the long-running Ethereal tool is available for Windows, Linux and Mac. The “Buy” button at wireshark.org leads to a happy reminder that it’s free and open source.

KisMAC’s simple interface belies its powerful wireless assessment and penetration testing features. This OS X application is available at trac.kismac-ng.org, where one can also find an active support community. Kismet, its more powerful but less friendly progenitor, is available at kismetwireless.net for Linux and Windows. There are active communities and numerous add-ons for each.


Five steps to successful and cost-effective penetration testing

May 27, 2008 – 6:05 AM

Whether you hire outside consultants or do the testing yourself, here are some tips for making sure your time and money are well spent.

1. Set goals. Make sure you know before you start your penetration testing what you want the results to encompass. Adding in too many systems can be overwhelming and costly.

2. Assign staff and resources to the project. Penetration testing can be expensive, so you might as well get the most out of your consultant’s time, says Joe Basirico, senior training engineer at Security Innovation Inc. He recently worked on a project where the client did not assign staff to assist him and, unbeknownst to him, had only allocated a laptop for remote access. Each night, while Basirico conducted his tests off-site, the remote server would time out. He eventually found out that the company’s cleaning person would close the lid on the laptop dedicated to his testing. Basirico called this lack of attention to the project a waste of their money.

3. Offer your tester documentation. The more information you share about your systems, the less legwork they have to do to come up to speed, which is less time on the clock. Include details about the types of encryption you use and system configurations.

4. Prioritize the results. Once you’ve got the results of your tests, map them to your goals. You can’t tackle everything so make sure you do a solid risk assessment of the vulnerabilities to lead the way. Try to check things off the list that have immediate payback for your clients’ security.

5. Understand no network is perfectly secure. It can be shocking to receive the results of a penetration test, according to Chris Nickerson, security services lead at Alternative Technology Inc. But it’s better to know what you’re dealing with and fix it than to have a false sense of security and pay the price later.

Source: ComputerWorld