Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills

Ways to bypass the Big Belgian firewall

2009-10-31T19:53:00.000+01:00

Yes, the Belgian government can decide which websites we visit and which we don't. The first step on a road that will lead us to situations like we have seen in Australia (According to Child Support groups, Net filtering is a waste of money)

Here is the best Belgian article I have read to date about this issue which covers all aspects : "zwarte lijst voor belgische surfers omstreden" by Els Bellens (Zdnet.be)

Like Tim Berners-Lee, inventor of the WWW stated, the internet was designed to be used without limitations. The main argument of government officials to start with this blacklist, is that "average users won't be able to stumble upon these bad websites anymore. It's for their own protection. "

And in a typical Belgian fashion, (luckily for us), it's implemented in the least efficient manner: a DNS blacklist.

And as expected, a lot of internet users (e.g. blogologie, lvb.net, belgiancowboys.be, tik vzw) have started listing ways to bypass this filter just as a matter of principle (like the Streisand effect).

So let's hope that this blacklist will go away and the government will stop throwing away money on an inefficient systems that will never work.

Sign against Dataretention - bewaarjeprivacy.be

2009-10-28T19:42:00.004+01:00

Finally something in Belgium to be proud of. Several organizations in Belgium representing internet users, lawyers, journalists, etc.... have started a petition against the Belgian adaptation of the EU Dataretention law.

Why should you sign this petition?

It's an invasion on your privacy
It makes 10 million Belgians potential suspects
It invades the professional confidentiality between lawyers and their clients, journalists and their sources etc....
The necessity of Dataretention has yet to be proven
Dataretention provides no guarantee against terrorism or crime
It will result in a high price that consumers will have to pay....

So go to http://bewaarjeprivacy.be/ and sign the petition.

Automated Social Networking Surveillance Systems

2009-10-27T21:14:00.005+01:00

Last week, I noticed the existence of an EU surveillance project called "Intelligent information system supporting observation, searching and detection for security of citizens in urban environment" better known as "INDECT". You can have a look at their official website.

According to Wikileaks, INDECT’s “Work package 4″ is designed “to comb web blogs, chat sites, news reports, and social-networking sites in order to build up automatic dossiers on individuals, organizations and their relationships.” Ponder that phrase again: “automatic dossiers.” (source)

Automatic dossiers? Doesn't that give you a warm fuzzy feeling inside? There are a lot more reports and articles mentioned about similar projects (including network monitoring and data mining suites designed by Nokia Siemens, Ericsson and Verint) on this website.

I enjoy and believe in the benefits of social networks as long as commons sense prevails about what you publish. But how many people are aware of the potential issues? Not that mass surveillance should be expected and allowed.
Say a word online out of context and be labeled a potential 'problem' case. I don't believe in a technological magic wand who will correctly filter information. Too much possible false positives. Hasn't the world of IDS taught us that? Question is, who is making the alert filters for this systems? Who is going to watch the watchers?

Some time ago, the Social Media Security blog and podcast was founded. While I haven't really had time to spend some time on it, I highly advice to have a closer look at it.

So apart from cybercriminals, must we also fear our governments?

Related posts:

(Photo under creative commons from matthileo's photostream)

Privacy and the 'Belgian Mobility Card' (BMC)

2009-10-27T14:10:00.004+01:00

It has been some while since we blogged about the "Privacy failure in the Belgian RFID transport card", but the card will still be introduced nationally.

See Chipkaarten De Lijn niet voor volgend jaar (datanews)

Testing will occur in 2010 and the rollout will happen during 2011 and 2012. Time to go over some past facts.

Some researchers of the UCL published a report about a privacy issue together with opensource tools that they used to test the card. On http://www.uclouvain.be/sites/security/mobib.html

But the details of the research were removed soon after, together with the tool. Why? Were they pressured in removing it? What would the benefit be in removing it? Don't people know that security by obscurity doesn't work? Sound a bit like a conspiracy, considering who owns the transport card company and who subsides the university. But we can't say for sure.

Some details could still be found via google:

http://www.uclouvain.be/sites/security/download/slides/Avoine-2009-iwrt-slides.pdf

From the PDF:

Personal data are stored in the clear in the card.
Data stored in the card during its personalization: name of the holder, birthdate, zipcode, language, etc.
Data recorded by the card when used for validations: last three validations (date, time, bus line, bus stop, subway station, etc.), and some additional technical data.

How can this not be an issue? This can totally be abused by stalkers with a good antenna and a laptop in their backpack, just to name one of the obvious abuses. Fathers, lock up your wife and your daughters.

So I hope that the MIVB/STIB, minister Hilde Crevits and other parties involving the Belgian Mobility Card (BMC) will do the right thing and NOT store this sensitive information in the clear before launching this card!!!

Claiming that our national ID contains the same public information is true but it is not on a contactless card. Meaning I have to take it out of your wallet and physically put it in a reader. Comparing those two and claiming there is no issue with cleartext information on a wireless chip is a fantasy story.

There is enough information and other tools available to read the info on the card. e.g.

Other online articles mentioning the issue:

Met Mobib op het openbaar vervoer in Brussel: uw gegevens te grabbel? (Permanent Gecontroleerde Zones)
Gekraakte Mobib-kaart doet vragen rijzen naar privacy (Brussel Nieuws)

(Photo under creative commons from Jools of Sweden's photostream)

Flu epidemic already announced in Belgium

2009-10-12T12:41:00.003+02:00

First of all, this is about the general flu epidemic which occurs every year. It's nothing H1N1 specific, which has been overhyped. Act normal and use common sense. But this is relevant information. Apply good hand hygiene, eat healthy and get enough sleep. Enough said.

The Belgian center for Flu Control announced a flu epidemic in their latest week report (pdf) mentioned in their weekly newsletter. Here is the interesting bit translated to English.

Influenza Surveillance for week 40 (28 September tot 4 October)

The epidemic findings for week 40 are: The surveyed data show a heightened circulation of the Influenza virus and a moderate activity for the flu symptoms. According to the determined criteria, the flu epidemic has started.
...
The number of H1N1 cases have doubled compared to last week and was estimated at 4160 in week 39 with a cumulative total of 12678.

Google search results and other online sources are also a good indicator and they do confirm the results of the Belgian flu center. Have a look at the B.V.L.G blog for a detailed analysis (Dutch) with some nice graphs.

Related posts:

Business continuity and useful resources about the N1H1 Swine Flu.

Null character MITM Certificate released

2009-10-01T12:42:00.008+02:00

This year Dan Kaminsky and Moxie Marlinspike discovered that when requesting a certificate for example "Paypal.com\0.phishing.com" that some CAs would approve the request. What made it worse is that SSL client (and browsers) would ignore the characters after the null character, leading to an effective SSL Man in the Middle attack.

Although it isn't possible to request these certificates anymore, Jacob Appelbaum released such a certificate yesterday together with the private key, stating that everybody had time enough to fix the issue. If you're a developer, you might want to look into this issue. For example Blackberries were still vulnerable to the attack.

Firefox patched the issue a few days after the initial presentation but other browsers like IE and Chrome rely on Microsoft's CryptoAPI to process the certificate and are still vulnerable.

"There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they'd be in trouble," said the white-hat hacker, who goes by the moniker Moxie Marlinspike. "Basically, everything that runs on Windows would be vulnerable with that one certificate." (source: Theregister.co.uk)

Note: The wildcard SSL certificate that Jacob Appelbaum released tricks older versions of the Network Security Services library into authenticating any website on the internet. But a lot of other applications using CryptoAPI might still be vulnerable to similar SSL MITM attacks. Time to patch the API like Firefox did.

Security bloggers meetup London @ RSA

2009-09-29T21:52:00.004+02:00

Well, like last year us securitybloggers (-twits) are coming together for a drink and meet the people behind the avatars. It was a small but fun beginning last year and we hope to see even more people this year.

Details on location etc... can be found on securityactive.co.uk.

SMBv2 exploit for Vista and Server 2008 released

2009-09-29T12:56:00.004+02:00

While I was too busy with BruCON, it seems that a SMBv2 vulnerability was published: Security Advisory 975497. While it affects Windows Vista and Server 2008, other versions are not vulnerable (including Windows 7 and Windows Server 2008 R2).

Port 445 needs to be open for the service to be exploited. Microsoft hasn't released an (out of band) patch since there was no working exploit code but promised to do so if the threat landscape changed. Blocking ports 135 and 445 is one of the recommended countermeasures. You can also disable SMBv2 through a registry key if not needed.

So far it was only possible to crash the service, but that changed today. Working code has now been added to Metasploit. Although the code still needs improvement, it worked on several machines.

So, will we see new worms coming our way? Although Conficker was well written, fortunately it wasn't really used to it's full potential. Will we be that lucky again?

Discuss vulnerabilities instead of patches at your patch meetings, because only patching doesn't cut it. Have a look at NIST's Creating a patch and vulnerability management program.

CERT.be is hiring

2009-09-25T00:43:00.001+02:00

As was told during BruCON, we can stop complaining about a missing CERT in Belgium. BELNET is looking for people to extend their team and the team should be up and running by January 2010. A big applause for their introduction!

If you are interested, look at their website cert.be/jobs.

International Action Day “Freedom not Fear 2009 – Stop the Surveillance Mania!” on 12th September 2009

2009-09-08T18:36:00.003+02:00

I somehow completely missed any communication about this International Action Day “Freedom not Fear 2009.

Unfortunately, it seems that it is on the 12th of September already and that there is nothing planned in Brussels. Bad communication? Or is there nobody in Belgium at least a little bit interested in their privacy and civil rights?

More info on http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

(Photo under creative commons from maha-online's photostream)

Possible 0-day in IIS5 and IIS6 FTP (updated x3)

2009-08-31T20:51:00.006+02:00

A zero day for IIS5 & 6 was posted today to the Full Disclosure mailinglist. Yes, we are talking shellcode. This seems to be real.

According to Thierry Zoller, it doesn't work reliably for IIS6 but it's not impossible (source: twitter) and confirmed by this comment on the mailinglist. But it will crash the service on Windows2003 as such. Seems an issue in the MKDIR command.

US CERT is advising:

US-CERT encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability, although a proper impact analysis should be performed prior to taking defensive measures.

So the impact seems limited to servers that allow anonymous (write) access. Unless you don't trust authenticated users or fear they can be easily compromised. Stay tuned for updates.

UPDATE: Thanks to a NMAP script from Xavier, you can now scan you environment for vulnerable servers.
UPDATE 2: If you need a snort signature for the milw0rm IIS-FTP
exploit. Emergent threats released signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828
UPDATE 3: Developers of the Backtrack played with the exploit and created an enhanced version that opens a listening port on a fully patched Windows 2000 system running IIS 5. They made a video.

HAR2009: where to get the presentation videos

2009-08-28T00:09:00.003+02:00

Well, HAR2009 was a blast. It was fun meeting a lot of other people, doing some workshops and some soldering. I missed some of the talks I wanted to see but luckily there were recordings of the presentations. They are about 24GB and you can find them at:

These are raw, unedited videos. Some edited videos are available on http://rehash.nl/ by streaming. But I prefer to have my videos offline.

Collection of Defcon 17 articles, videos, pictures and podcasts

2009-08-05T00:02:00.003+02:00

This is a list of articles and other fun stuff that people were tweeting about in the last week. This list is of course not exhaustive but a nice place to start reviewing the things that happened at the conference.

Articles:

Announcing the Warzone Project (uncommonsensesecurity.com)
DefCon Updates (A Day in the Life of an Information Security Investigator )
Defcon: New Hack Hijacks Application Updates Via WiFi (Darkreading)
Researchers offer tools for eavesdropping and video hijacking (CNet.com)
Korean 'journalists' booted from Defcon (computerworld.com)
Fake ATM doesn't last long at hacker meet (Computerworld)
Electronic High-Security Locks Easily Defeated at DefCon (Wired.com)
Fake ATM, skimmers found in Las Vegas hotels (Zero Day)
ATM scam at DEFCON clearly the work of ironic criminals (engadget.com)
The Best (and Worst) Hacks of Defcon Computer Security Conference 2009 (fastcompany.com)
Hacker demos persistent Mac keyboard attack (Zero day)
Hack-Proofing The Hackers (forbes.com)
DEFCON 17 Badge Hackers (infosecevents.net)
Defcon air traffic control hacker: Excuse me while I change your aircraft’s flight plan (deals.venturebeat.com)
Our Favorite XSS Filters and how to Attack them (sirdarckcat.blogspot.com)
Feds at DefCon Alarmed After RFIDs Scanned (wired.com)
Opinion: Irresponsibility runs amok at Black Hat, Defcon (computerworld.com)
Ax0n's DefCon 17 Wrap-Up (www.h-i-r.net)
Defcon talk: 0-day, gh0stnet and the Adobe JBIG2Decode disclosure debalce – Steven Adair (cupfighter.net)
Blackhat USA 2009: Reverse Engineering by Crayon (offensivecomputing.net)
Black Hat: Social Networks Reveal, Betray, Help Users (informationweek.com)

Video:

SSL rebinding video (stub.bz)
#defcon podcast meetup (youtube)
Hacking The Defcon 2009 Badge (youtube)
Metasploit Oracle videos (vimeo.com)
Hacker Charlie Miller on how he compromised the iPhone (venturebeat.com)

Podcast:

Defcon Microcast 1 – Johnny Long, Hackers for Charity (Network security)
Defcon Microcast 2 – Dark Tangent (Network security)
Defcon Microcast 3 – Saturday Wrapup (Network security)

Pictures:

http://www.defconpics.org/

(Photo under creative commons from ggee's photostream)

Get the #DEFCON 17 CD Archive (updated x2)

2009-08-01T14:16:00.004+02:00

The Defcon 17 CD Archive is up. Get it at https://media.defcon.org/dc-17/DEFCON-17-CD.rar

Update: The following file triggered some Antivirus engines

"Extras/bin/crackmes/manifest.exe". (in Sean Taylor's Extras.zip) - Detects as TR/Crypt.ZPACK.Gen

But it was confirmed by the Defcon team that it contained no trojan. Better be safe then sorry.

Related posts:

Day 2: A collection of #Blackhat articles: keeping remote track of the event

2009-07-30T22:43:00.007+02:00

As a follow up to my article of yesterday "BlackHat slides available and first blogposts", the following is a additional collection of articles I kept track off by staying glued to tweetdeck all day.

Articles:

Wildcard certificate spoofs web authentication (The Register)
Blackhat US – Roundup Day 1 (c22.cc)
How To Hijack 'Every iPhone In The World' (Forbes)
Researchers take control of iPhone via SMS (Zero Day)
HP researchers reveal details of browser based darknet (Heise)
Black Hat: PKI Hack Demonstrates Flaws in Digital Certificate Technology (Darkreading)
Vulnerabilities Allow Attacker to Impersonate Any Website (Wired)
Google Safe Browsing Feature Could Compromise Privacy (Darkreading)
Live Blog: Blackhat 2009 Day 1 (A Day in the Life of an Information Security Investigator)
Live Blog: Blackhat 2009 Day 2 (A Day in the Life of an Information Security Investigator)
Microsoft explains why killbits are needed (internetnews.com)
Black Hat 2009: Breaking SSL with null characters (Hackaday)
Google Safe Browsing Feature Could Compromise Privacy (Darkreading)
Verisigns' Tim Callahan's response to the SSL certificate issue #blackhat (verisign.com)
Researcher pressured to pull 'Conficker' talk (reuters.com)
Security researchers: Online transactions aren’t as safe as we thought (venturebeat.com)
Dan Kaminsky's New PKI Hack Discovery - The EMC/RSA viewpoint (RSA blog)

Slides:

Official Blackhat website with most of the presentations
Laws of Vulnerabilities 2.0 - Black Hat 2009 Edition (qualys.com)
Mo' Money Mo' Problems - Making even more money online the black hat way - Jeremiah Grossman (Slideshare)
"Smart" Parking Meter Implementations, Globalism, and You (crypto.nsa.org)

Videos:

More Tricks For Defeating SSL by Moxie

Pictures: live pictures from the event (hat tip to mubix)

(Photo under creative commons from angelsk's photostream)

BlackHat slides available and first blogposts

2009-07-30T00:01:00.004+02:00

Blackhat was really fast to upload some of their content. You can already get it at http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html.

I have already glanced at lockpick forensics, sniffing keyboards with lasers and Breaking the security myths of Extended Validation SSL Certificates. Some really interesting stuff in there!!

Here are some blogposts fresh of the shelf as well:

Speeding up MD5 collision hashing on GPUs, breaking EV SSL, or just breaking SSL all together, I see a trend that says that public PKI is completely broken. Oh, wasn't there a study today that said users ignore SSL warnings anyway?

Keep tuned, I'm seeing tweets that Dan Kaminsky is having a go at X.509 as well. #ssl #epicfail??

Related posts:

(Photo under creative commons from Ben+Sam's photostream)

IE Killbits don't work, or why MS released an OOB Patch yesterday (updated)

2009-07-29T13:06:00.007+02:00

Now we know why Microsoft rushed out an out-of-band patch. It seems that shutting down a defective component is not as effective as fixing it. During the upcoming Blackhat talk of Ryan Smith, Mark Dowd and David Dewey it will be demonstrated how to bypass the "kill-bit" mechanism. A measure used by Microsoft to patch an ActiveX vulnerability on June 14th. So Microsoft rushed out to release an out of band patch before the presentation.

Smith has posted a video that demonstrates how they were able exploit a kill-bit copy of IE.

Halvar Flake mentioned the following on his blog:

"The bug is actually much 'deeper' than most people realize, [and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue,"

So this is why Microsoft is patching the vulnerability within ATL (the msvidctl.dll issue) . This has resulted in vulnerabilities in other crucial Windows files, and perhaps third-party applications whose developers had also used ATL. The following post from Adobe PSIRT blog confirms this:

We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) / CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 / Microsoft Security Advisory (973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL. A Security Advisory for Flash Player and a Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.

According to their bulleting, only Internet Explorer plug-ins are vulnerable. Firefox users as well as all other Windows-based browsers are not vulnerable. Macintosh, Linux and Solaris versions of Flash Player and Shockwave Player are not vulnerable.

So have a look at MS09-034 and MS09-035!! So until we have details on the Blackhat presentation, I wouldn't recommend using the killbit as only countermeasure for vulnerabilities.

If you want to delve deeper into this matter, the following two articles from the Microsoft Security and Defense blog are worth a read!

Update: A Slashdot story was running on this with this remarkable quote: "What's really scary is that Microsoft has issued 175 killbits fixes so far."

According to this Heise online article, Cisco extensions are also vulnerable. Google hasn't released any details yet.

Last but not least, the verizon business security blog has a very good article on the entire issue, a risk summary and a tool for developers to check their code.

(Photo under creative commons from jlkinsel's photostream)

Microsoft July 2009 Out-of-Band Releases

2009-07-28T01:52:00.002+02:00

If you haven't noticed it, Microsoft will release two out-of-band patches tomorrow. Which usually means they have a good reason for doing this. Apply them ASAP.

From the MSRC blog:

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009.
While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio

2. One Security Bulletin for Internet Explorer

How to follow Blackhat/Defcon without being there

2009-07-28T01:26:00.004+02:00

Well, I'm one of the poor souls who couldn't make it to the Blackhat/Defcon fun. Although going to HAR2009 makes up for a lot of it, there are some ways to follow the events in Vegas (real time). ;-)

The first tool is to use twitter and follow the hashtags #defcon and #blackhat. If you have a twitter account, I would recommend installing tweetdeck and setting up two search columns. For those without a twitter account, you can use the Twitter search (and import it through RSS) or even better: twitterfall.com which is more interactive.

Keep an eye on the Security Bloggers Network (RSS) and a Technorati search (RSS). A lot of security bloggers will be covering the event.

You can also monitor Flickr for the tag 'defcon17' (RSS) (couldn't find the one for Blackhat).

I think that's more then enough to follow the event except for a live video stream. ;-)

If you have some tips of your own, please mention them below.

Related posts:

How to follow The Last HOPE conference without being there (updated)

(Photo under creative commons from Kyle Wegner's photostream)

Preparing your laptop (or iPhone) for a security/hacker conference

2009-07-27T21:47:00.006+02:00

With Blackhat and Defcon about to begin, I thought it might be a good idea to review an old article from last year: "Preparing your laptop for a security conference".

The 2 main resources from that article are still online:

digital self-defense article from Didier Stevens
How to survive part of the 25C3 Wiki (Going from having your laptop lock tested by the lockpicking clubs to setting up a VPN for your iPhone)

The general advice is saw other bloggers give was:

Don't use the wireless, try to stick to 3G (and use tethering if possible)
Even if you use 3G, encrypt it (VPN, SSH-tunnel).... I read that an UMTS mitm was going to be demo'ed at Vegas next week.
Leave your data at home, backup the drive, reinstall a clean OS, reimage when you come back (also applies to iPhones)

Remember that even when using the wired access, there are risks (arp poisoning). So be careful or you'll end up on the wall of sheep. I'll mention one last article:

10 Tips for iPhone Users at DEFCON 17

But never never use a service that doesn't encrypt all the traffic. The safest still is to leave your gear at home. Have fun.

Now if you'll excuse me, I have some preparing to do for HAR2009!

Feel free to suggest additional tips below.

Update: Try to get a fixed IP. Running a DHCP client can get you in trouble. Two days ago, a vulnerability was found in dhclient. (hat tip to Jon). I'm guessing a lot of linux boxes will get owned in Las Vegas.

http://milw0rm.com/exploits/9265
http://vrt-sourcefire.blogspot.com/2009/07/dont-read-this-post.html

(Photo under creative commons from Blog Story's photostream)

Remote root exploit in DD-WRT httpd daemon.

2009-07-23T00:52:00.003+02:00

Due to a meta-character vulnerabilityin the httpd servers, users that run DD-WRT on their routers are vulnerable to a remote root exploit.

More information can be found on the DD-WRT Forum at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&postdays=0&postorder=asc&start=0

Although this daemon usually listens on the internal interface only, there are still ways to exploit it:

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell (For details, see Pauldotcom)

DD-WRT developer Sebastian Gottschall says the bug fixed firmware version "DD-WRT V24 preSP2" can already be downloaded.

(Photo under creative commons from patrick h. lauke's photostream)

0-Day in Adobe Flash, also executable from Acrobat Reader (updated)

2009-07-23T00:30:00.006+02:00

SANS ISC is one of the first to report on this:

First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.

And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal).

It appears that even when JavaScript support is disabled in Adobe Reader that the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course.

An alternative FF plugin is Flashblock. For IE, you can deploy a killbit.

Applying the kill bit for the following CLSID will prevent the Flash plugin from running:

{D27CDB6E-AE6D-11cf-96B8-444553540000}

More information about how to set the kill bit is available in Microsoft Support Document 240797.

So be careful with handling pdf files for now. According to some tweets from AV experts, this exploit is being used in PDFs in targeted attacks.

Update: Adobe has a summary on their website on the issue including a way on how to disable the swf component on Acrobat Reader)

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0]\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date. (Source: Adobe PSIRT)

Adobe hopes to release a patch for the issue by the 30th of July.

(Photo under creative commons from Arthaey's photostream)

Nmap 5.00 Released with new additions: ndiff, ncat; nse and better performance!!!

2009-07-17T00:50:00.003+02:00

This is awesome news. Nmap version 5.00 has been released. It is the first major release since 4.50 in 2007. Here is a more detailed overview of the changes.

To have a quick glance, here are the top 5 improvements in Nmap 5:

The new Ncat tool. It will do data transfer, redirection, and debugging.
Ndiff is a scan comparison tool. It will make it easy to automatically scan your network daily and report on any changes
Nmap's 5.0 performance has improved dramatically.
Nmap Network Scanning, the official Nmap guide to network discovery and security scanning.
The Nmap Scripting Engine (NSE) . It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more.

This just looks awesome. Playing with NMAP 5.0 goes on to my TODO list for the next month!

(Photo under creative commons from libraryman's photostream)

According to Child Support groups, Net filtering is a waste of money

2009-07-15T11:34:00.000+02:00

Australia was one of the first countries to deploy massive Net filtering. The main reason was to fight online child pornography (as usual reason). Now the Children support groups are criticizing the measure.

In a joint statement with lobby group GetUp, both Save the Children Australia and the National Children's & Youth Law Centre believe the resources could be better spent on law enforcement agencies battling to eradicate child pornography on the internet. (from Australian IT)

So why have these Net filters at all? The following wikileaks article caught my eye: Australia secretly censors Wikileaks press release and Danish Internet censorship list, 16 Mar 2009

The first rule of censorship is that you cannot talk about censorship.

In late 2008, Wikileaks released the secret Internet censorship list for Denmark, together with a press release condemning the practice for lack of public or judicial oversight. Here's an extract from the press release:

The list is generated without judicial or public oversight and is kept secret by the ISPs using it. Unaccountability is intrinsic to such a secret censorship system.

Most sites on the list are still censored (i.e must be on the current list), even though many have clearly changed owners or were possibly even wrongly placed on the list, for example the Dutch transport company Vanbokhorst.

The list has been leaked because cases such as Thailand and Finland demonstrate that once a secret censorship system is established for pornographic content the same system can rapidly expand to cover other material, including political material, at the worst possible moment -- when government needs reform.

Two days ago Wikileaks released the secret Internet censorship list for Thailand. Of the 1,203 sites censored this year, all have the internally noted reason of "lese majeste" -- criticizing the Royal family. Like Denmark, the Thai censorship system was originally promoted as a mechanism to prevent the flow of child pornography. (Source: wikileaks)

Emphasis added by myself. So why do these lists need to be kept secret? When wikileaks released the secret Australian censorship list, it seemed that "half of the sites on the list are not related to child porn and include a slew of online poker sites, YouTube links, regular gay and straight porn sites, Wikipedia entries, euthanasia sites, websites of fringe religions such as satanic sites, fetish sites, Christian sites, the website of a tour operator and even a Queensland dentist." (source: boingboing.net)

So who decides what gets on this list. If they have the possibility, they WILL use these systems as "they" see fit. So common sense hasn't set in yet. The next country to jump into the deep end is New Zealand.

If you thought that net filtering and grandiose firewalls were the exclusive preserve of West Island (or "Australia", as the locals like to call it), think again. New Zealand is showing that it, too, is ready to play its part in the great Antipodean censorship stakes.

Last week, the Department of Internal Affairs (DIA) announced it was setting up a filter system that will allow internet service providers to stop people accessing child pornography.

The filter system has already been trialled in hundreds of thousands of New Zealand households, and Internal Affairs deputy secretary Keith Manch confirmed that the voluntary system will block access to around 7000 websites carrying images of child sexual abuse. (Full story at The Register)

In the end, criminals will circumvent these filters and citizens will be limited by secret black lists in what they can view and what not. Money down the drain. And a step closer to totalitarian states.

Related posts:

(Photo under creative commons from S@Z's photostream)

Oracle & Microsoft Patch Tuesday and a Firefox 0-day

2009-07-15T01:26:00.003+02:00

Yes, only a day after the discovery of an Internet Explorer ActiveX (Office) 0-day, it's time for black Tuesday with a surprise. (see previous post)

For the Microsoft patch overview, the one from Swa Fransen over at SANS ISC is still advisable.

Then Oracle followed suit with their quarterly patch cycle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

And to finish, an exploit was posted to milw0rm (who came back) that affects Firefox 3.5 and possible earlier versions. The mozilla blog above has a workaround by temporary disabling the javascript.options.jit.content setting in about:config. Additionally, using NoScript stops it as well, successfully detecting the PoC’s attempt to access file://.

Be safe.

Related posts:

(Photo under creative commons from Libby's photostream)