Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills

IE6 & IE7 zero day published in Microsoft Security Advisory 981374

2010-03-10T08:43:00.004+01:00

Another 0-day in Internet Explorer is being exploited as reported by Microsoft in Security Advisory 981374 yesterday. IE versions 6 and 7 are affected and according to reports, it's only being used in targeted attacks. Which makes it even more dangerous if you are a potential target since IDS and AV signatures might not be available at this point.

No patch is available. User are recommended to upgrade to IE8 or use alternative browsers like Firefox with an add-on that blocks script by default like Noscript. Allowing Flash and Java by default nowadays is not a safe practice anymore.

Related posts:

Some great whitepapers on the Aurora attacks

2010-03-10T07:47:00.003+01:00

While the Aurora attacks were a good user awareness situation, it has become a lot of hype and three letter acronyms about something that has been happening for a longer period of time.

A few whitepapers have appeared that give us some juicy details about the dropper and backdoor and domain names used in the attacks. As well as the information they were after. Although ending with some vendor pitches, some are interesting read.

1. The first one is a report from HBGary which you can download here. It contains some good technical information about the dropper and malware used.

2. Then there is this McAfee whitepaper which has a lot more marketing fluff and more suited for CISA/Auditors (personal information will be asked for downloading but is not verified). A few good points but less technical details. It's mainly about the SCM they targeted.

Specifically, we have concluded that, in several cases, the attackers executed precision strikes to gain access to source code configuration management systems (SCMs) at targeted companies. SCMs are used by software engineers to manage their projects and are used to store source code, the crown jewels of any tech company.

In our analysis of the attacks we found that the perpetrators went through several hoops to ultimately compromise the systems of the SCM users at the targeted organizations. This means that the attackers now had access to the SCM system and could siphon out source code or, worse, modify and add code. (Source: McAfee)

Link to whitepaper.

It might also be worth mentioning that there is a LinkedIN group were articles and information about Aurora is being shared.

Related posts:

Time to step up your Acrobat Reader patching. Attacks are on the rise.

2010-03-09T22:24:00.005+01:00

If you haven't patched the latest Acrobat Reader from two weeks ago, it might be time to step up the pace. If you look at this blogpost from F-secure, you'll see that the PDF format has become the choice for targeted attacks. Within the security community, it's being nicknamed Penetration Document Format.

Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft also).

Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G. (source: fsecure)

If patches/upgrades are not possible, think about using the usual workaround like disabling javascript or installing alternative clients.

PDFs can easily be used for info stealing purposed that evades AV, HIDS, etc... the victim doesn't event have to have admin privileges. Have a look at this explanation from security expert Didier Stevens on how such an attack is performed. Didier has written numerous analyses of PDF malware in the past and is a known researcher in this field.

On a small side note, Didier is going to give a malware analysis workshop at the BruCON conference. This is the occasion to learn some PDF malware analysis techniques from him!!

Related posts:

(Photo under creative commons from Ludmila Tavares' photostream)

Hackerspace Ghent (Whitespace or 0x20) will have their Open weekend on 19 - 21 March

2010-03-08T00:30:00.004+01:00

I was happy to see that a second Hackerspace was starting in Belgium after the one in Brussels. And now after finding a location, they are ready to open their doors.

More info at
http://hsg.bn2vs.com/Opening_Weekend

There will be presentations or workshops on topics like openWRT and IPv6. Let's not forget the opening drink (pssttt, they have Club Mate). Since it's a complete weekend, you don't have any excuse and have to drop by!!!

Related posts:

(Photo under creative commons from Laughing Squid's photostream)

The Icelandic Modern Media Initiative addresses the key issues for free expression in the digital age

2010-03-08T00:13:00.003+01:00

The goal of the IMMI proposal is to task the government with finding ways to strengthen freedom of expression around world and in Iceland, as well as providing strong protections for sources and whistleblowers. To this end the legal environment should be explored in such a way that the goals can be defined, and changes to law or new law proposals can be prepared. The legal environments of other countries should be considered, with the purpose of assembling the best laws to make Iceland a leader of freedoms of expression and information. We also feel it is high time to establish the first Icelandic international prize: The Icelandic Freedom of Expression Award.

More info can be found on http://immi.is/

Have a look at this video. It's interesting to see what Wikileaks has inspired and this could mean a lot to free expression in the digital age and a good step towards fighting censorship.

Related posts:

Call for Papers: BruCON 2010, 24-25 September

2010-02-16T12:43:00.005+01:00

2009 was the first edition of BruCON, a non-profit conference meant to unite all the people in and around Belgium interested in discussing computer security, privacy and computer technology related topics. It was a great first edition thanks to all the help of our partners and volunteers in the community.

I'm happy that this event is moving towards a yearly gathering of like-minded people. Do you have an interesting topic to present or a cool workshop? Have a look at the full Call of Papers below.

http://blog.brucon.org/2010/02/brucon-2010-call-for-papers.html

I hope to see you in September, if only to taste some Belgian beer or chocolate together. By preference not in combination! Although I heard of the existence of chocolate beer. ;-)

Hackerspace Antwerp in bootstrap mode

2010-02-15T14:31:00.003+01:00

It seems that Hackerspace Antwerp is taking on form. We don't have a final name yet but we found a possible location to begin. It needs some work but it has loads of possibilities.

Since my last post, we have a wiki and a mailinglist. Weekly meetings are now on Wednesday to keep things going. You'll find all the information on our wiki. Feel free to join us next Wednesday to help (& clean our new space). ;-)

Wiki
http://antwerp.hackerspace.be/mw/index.php?title=Main_Page
Mailinglist
http://discuss.hackerspaces.be/listinfo.cgi/antwerp-hackerspaces.be

The date for the Hackerspace Antwerp Startup Meeting

2010-01-05T13:54:00.004+01:00

A lot of people responded for a startup meeting in Antwerp and are really divided over two possible dates. So I decided I will be there on both dates, although I can't stay very late.

So on Saturday the 9th or Friday the 15th, please join us. Here is the original doodle: http://doodle.com/pci5yiksm5nwimg6

Feel free to comment and to share the link to others!!!

(Photo under creative commons from "Scott Beale / Laughing Squid")

Download the #26C3 videos and bonus material

2010-01-04T01:09:00.005+01:00

So the 26th Chaos Communication Congress is over and it was a blast. For those that missed some talks (like me) or couldn't watch the live streams, you can download the video of almost all presentations.

Best location to find the lastest videos is:
ftp://mirror.fem-net.de/CCC/26C3/

There you will find the videos in mp4-format, in mp3 or ogg audio files or mp4-ipod formatted videos.

You can also watch the videos online thanks to CCC-TV. No need to download everything.

I made some recordings of some the things happening around the conference. Check my Ustream.

Related posts:

Discussing about Hackerspace Antwerp

2009-12-23T22:27:00.003+01:00

Some people have been thinking aloud about also starting a hackerspace in Antwerp. I decided to gather all these people and have a beer. Let's see if there are enough people to set the first step. If you know people that could be interested, please let them know.

If you want to join us, have a look at http://doodle.com/participation.html?pollId=pci5yiksm5nwimg6&0

A hackerspace is an interdisciplinary community for learning, teaching, and creating. Instead of starting with a defined range of projects or programming, a hackerspace is driven by its members. It is a place where members have the infrastructure and resources to work on projects that interest them. Hackerspaces promote people to be hackers in the broadest sense: to learn all they can about the fields that interest them, explore their bounds, and create new and interesting ways to apply that knowledge.
The people in a hackerspace also share their knowledge with others who share their interests, through classes, working groups, or day-to-day discussion while working on projects. That is where the fascinating educational potential of the hackerspace lies: there is no finite list of the skills that can be taught and exchanged. People share what they know with members and the community at large, and it results in more people having the knowledge to make something new and tangible out of their ideas and interests. (source: pumping station one)

(Photo under creative commons from mightyohm's photostream)

#26C3 Mobile Schedule for Android and iPhone

2009-12-19T23:30:00.005+01:00

In less then a week, it will be time for the biggest hackerconference in Europe: The Chaos Communication Congress (which I will be visiting). I will be covering the event and documenting some tips. Let's start with a few good ones.

For your convenience, two applications were made with the 26C3: Here be Dragons Schedule (Fahrplan), one for Android and one for the iPhone (iTunes link). Kudos for the people who made them.

If you don't have PDA/Smartphone but are bringing a DECT phone: Call Voicebarf on DECT#7666 to know the upcoming talks at that moment.

There will also schedules displayed throughout the conference center so don't print them and save some trees.

If you can't make it to the conference, several locations around the world will be displaying the live video streams. Go out and meet some new people. Check "Dragons everywhere" for locations.

If it's your first time to this conference, have a look at: Preparing your laptop (or iPhone) for a security/hacker conference.

For all other matters, read through the 26C3 wiki and their FAQ.

Follow @security4all on Twitter for live tweets about the conference or follow the #26c3 hashtag in general. Some clients like tweetdeck support following hashtags or you can use http://search.twitter.com. Either online or through an RSS feed.

If you want a free BruCON sticker, find me at the conference. ;-)

Related posts:

(Photo under creative commons from wili_hybrid's photostream)

Ways to bypass the Big Belgian firewall

2009-10-31T19:53:00.000+01:00

Yes, the Belgian government can decide which websites we visit and which we don't. The first step on a road that will lead us to situations like we have seen in Australia (According to Child Support groups, Net filtering is a waste of money)

Here is the best Belgian article I have read to date about this issue which covers all aspects : "zwarte lijst voor belgische surfers omstreden" by Els Bellens (Zdnet.be)

Like Tim Berners-Lee, inventor of the WWW stated, the internet was designed to be used without limitations. The main argument of government officials to start with this blacklist, is that "average users won't be able to stumble upon these bad websites anymore. It's for their own protection. "

And in a typical Belgian fashion, (luckily for us), it's implemented in the least efficient manner: a DNS blacklist.

And as expected, a lot of internet users (e.g. blogologie, lvb.net, belgiancowboys.be, tik vzw) have started listing ways to bypass this filter just as a matter of principle (like the Streisand effect).

So let's hope that this blacklist will go away and the government will stop throwing away money on an inefficient systems that will never work.

Sign against Dataretention - bewaarjeprivacy.be

2009-10-28T19:42:00.004+01:00

Finally something in Belgium to be proud of. Several organizations in Belgium representing internet users, lawyers, journalists, etc.... have started a petition against the Belgian adaptation of the EU Dataretention law.

Why should you sign this petition?

It's an invasion on your privacy
It makes 10 million Belgians potential suspects
It invades the professional confidentiality between lawyers and their clients, journalists and their sources etc....
The necessity of Dataretention has yet to be proven
Dataretention provides no guarantee against terrorism or crime
It will result in a high price that consumers will have to pay....

So go to http://bewaarjeprivacy.be/ and sign the petition.

Automated Social Networking Surveillance Systems

2009-10-27T21:14:00.005+01:00

Last week, I noticed the existence of an EU surveillance project called "Intelligent information system supporting observation, searching and detection for security of citizens in urban environment" better known as "INDECT". You can have a look at their official website.

According to Wikileaks, INDECT’s “Work package 4″ is designed “to comb web blogs, chat sites, news reports, and social-networking sites in order to build up automatic dossiers on individuals, organizations and their relationships.” Ponder that phrase again: “automatic dossiers.” (source)

Automatic dossiers? Doesn't that give you a warm fuzzy feeling inside? There are a lot more reports and articles mentioned about similar projects (including network monitoring and data mining suites designed by Nokia Siemens, Ericsson and Verint) on this website.

I enjoy and believe in the benefits of social networks as long as commons sense prevails about what you publish. But how many people are aware of the potential issues? Not that mass surveillance should be expected and allowed.
Say a word online out of context and be labeled a potential 'problem' case. I don't believe in a technological magic wand who will correctly filter information. Too much possible false positives. Hasn't the world of IDS taught us that? Question is, who is making the alert filters for this systems? Who is going to watch the watchers?

Some time ago, the Social Media Security blog and podcast was founded. While I haven't really had time to spend some time on it, I highly advice to have a closer look at it.

So apart from cybercriminals, must we also fear our governments?

Related posts:

(Photo under creative commons from matthileo's photostream)

Privacy and the 'Belgian Mobility Card' (BMC)

2009-10-27T14:10:00.004+01:00

It has been some while since we blogged about the "Privacy failure in the Belgian RFID transport card", but the card will still be introduced nationally.

See Chipkaarten De Lijn niet voor volgend jaar (datanews)

Testing will occur in 2010 and the rollout will happen during 2011 and 2012. Time to go over some past facts.

Some researchers of the UCL published a report about a privacy issue together with opensource tools that they used to test the card. On http://www.uclouvain.be/sites/security/mobib.html

But the details of the research were removed soon after, together with the tool. Why? Were they pressured in removing it? What would the benefit be in removing it? Don't people know that security by obscurity doesn't work? Sound a bit like a conspiracy, considering who owns the transport card company and who subsides the university. But we can't say for sure.

Some details could still be found via google:

http://www.uclouvain.be/sites/security/download/slides/Avoine-2009-iwrt-slides.pdf

From the PDF:

Personal data are stored in the clear in the card.
Data stored in the card during its personalization: name of the holder, birthdate, zipcode, language, etc.
Data recorded by the card when used for validations: last three validations (date, time, bus line, bus stop, subway station, etc.), and some additional technical data.

How can this not be an issue? This can totally be abused by stalkers with a good antenna and a laptop in their backpack, just to name one of the obvious abuses. Fathers, lock up your wife and your daughters.

So I hope that the MIVB/STIB, minister Hilde Crevits and other parties involving the Belgian Mobility Card (BMC) will do the right thing and NOT store this sensitive information in the clear before launching this card!!!

Claiming that our national ID contains the same public information is true but it is not on a contactless card. Meaning I have to take it out of your wallet and physically put it in a reader. Comparing those two and claiming there is no issue with cleartext information on a wireless chip is a fantasy story.

There is enough information and other tools available to read the info on the card. e.g.

Other online articles mentioning the issue:

Met Mobib op het openbaar vervoer in Brussel: uw gegevens te grabbel? (Permanent Gecontroleerde Zones)
Gekraakte Mobib-kaart doet vragen rijzen naar privacy (Brussel Nieuws)

(Photo under creative commons from Jools of Sweden's photostream)

Flu epidemic already announced in Belgium

2009-10-12T12:41:00.003+02:00

First of all, this is about the general flu epidemic which occurs every year. It's nothing H1N1 specific, which has been overhyped. Act normal and use common sense. But this is relevant information. Apply good hand hygiene, eat healthy and get enough sleep. Enough said.

The Belgian center for Flu Control announced a flu epidemic in their latest week report (pdf) mentioned in their weekly newsletter. Here is the interesting bit translated to English.

Influenza Surveillance for week 40 (28 September tot 4 October)

The epidemic findings for week 40 are: The surveyed data show a heightened circulation of the Influenza virus and a moderate activity for the flu symptoms. According to the determined criteria, the flu epidemic has started.
...
The number of H1N1 cases have doubled compared to last week and was estimated at 4160 in week 39 with a cumulative total of 12678.

Google search results and other online sources are also a good indicator and they do confirm the results of the Belgian flu center. Have a look at the B.V.L.G blog for a detailed analysis (Dutch) with some nice graphs.

Related posts:

Business continuity and useful resources about the N1H1 Swine Flu.

Null character MITM Certificate released

2009-10-01T12:42:00.008+02:00

This year Dan Kaminsky and Moxie Marlinspike discovered that when requesting a certificate for example "Paypal.com\0.phishing.com" that some CAs would approve the request. What made it worse is that SSL client (and browsers) would ignore the characters after the null character, leading to an effective SSL Man in the Middle attack.

Although it isn't possible to request these certificates anymore, Jacob Appelbaum released such a certificate yesterday together with the private key, stating that everybody had time enough to fix the issue. If you're a developer, you might want to look into this issue. For example Blackberries were still vulnerable to the attack.

Firefox patched the issue a few days after the initial presentation but other browsers like IE and Chrome rely on Microsoft's CryptoAPI to process the certificate and are still vulnerable.

"There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they'd be in trouble," said the white-hat hacker, who goes by the moniker Moxie Marlinspike. "Basically, everything that runs on Windows would be vulnerable with that one certificate." (source: Theregister.co.uk)

Note: The wildcard SSL certificate that Jacob Appelbaum released tricks older versions of the Network Security Services library into authenticating any website on the internet. But a lot of other applications using CryptoAPI might still be vulnerable to similar SSL MITM attacks. Time to patch the API like Firefox did.

Security bloggers meetup London @ RSA

2009-09-29T21:52:00.004+02:00

Well, like last year us securitybloggers (-twits) are coming together for a drink and meet the people behind the avatars. It was a small but fun beginning last year and we hope to see even more people this year.

Details on location etc... can be found on securityactive.co.uk.

SMBv2 exploit for Vista and Server 2008 released

2009-09-29T12:56:00.004+02:00

While I was too busy with BruCON, it seems that a SMBv2 vulnerability was published: Security Advisory 975497. While it affects Windows Vista and Server 2008, other versions are not vulnerable (including Windows 7 and Windows Server 2008 R2).

Port 445 needs to be open for the service to be exploited. Microsoft hasn't released an (out of band) patch since there was no working exploit code but promised to do so if the threat landscape changed. Blocking ports 135 and 445 is one of the recommended countermeasures. You can also disable SMBv2 through a registry key if not needed.

So far it was only possible to crash the service, but that changed today. Working code has now been added to Metasploit. Although the code still needs improvement, it worked on several machines.

So, will we see new worms coming our way? Although Conficker was well written, fortunately it wasn't really used to it's full potential. Will we be that lucky again?

Discuss vulnerabilities instead of patches at your patch meetings, because only patching doesn't cut it. Have a look at NIST's Creating a patch and vulnerability management program.

CERT.be is hiring

2009-09-25T00:43:00.001+02:00

As was told during BruCON, we can stop complaining about a missing CERT in Belgium. BELNET is looking for people to extend their team and the team should be up and running by January 2010. A big applause for their introduction!

If you are interested, look at their website cert.be/jobs.

International Action Day “Freedom not Fear 2009 – Stop the Surveillance Mania!” on 12th September 2009

2009-09-08T18:36:00.003+02:00

I somehow completely missed any communication about this International Action Day “Freedom not Fear 2009.

Unfortunately, it seems that it is on the 12th of September already and that there is nothing planned in Brussels. Bad communication? Or is there nobody in Belgium at least a little bit interested in their privacy and civil rights?

More info on http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

(Photo under creative commons from maha-online's photostream)

Possible 0-day in IIS5 and IIS6 FTP (updated x3)

2009-08-31T20:51:00.006+02:00

A zero day for IIS5 & 6 was posted today to the Full Disclosure mailinglist. Yes, we are talking shellcode. This seems to be real.

According to Thierry Zoller, it doesn't work reliably for IIS6 but it's not impossible (source: twitter) and confirmed by this comment on the mailinglist. But it will crash the service on Windows2003 as such. Seems an issue in the MKDIR command.

US CERT is advising:

US-CERT encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability, although a proper impact analysis should be performed prior to taking defensive measures.

So the impact seems limited to servers that allow anonymous (write) access. Unless you don't trust authenticated users or fear they can be easily compromised. Stay tuned for updates.

UPDATE: Thanks to a NMAP script from Xavier, you can now scan you environment for vulnerable servers.
UPDATE 2: If you need a snort signature for the milw0rm IIS-FTP
exploit. Emergent threats released signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828
UPDATE 3: Developers of the Backtrack played with the exploit and created an enhanced version that opens a listening port on a fully patched Windows 2000 system running IIS 5. They made a video.

HAR2009: where to get the presentation videos

2009-08-28T00:09:00.003+02:00

Well, HAR2009 was a blast. It was fun meeting a lot of other people, doing some workshops and some soldering. I missed some of the talks I wanted to see but luckily there were recordings of the presentations. They are about 24GB and you can find them at:

These are raw, unedited videos. Some edited videos are available on http://rehash.nl/ by streaming. But I prefer to have my videos offline.

Collection of Defcon 17 articles, videos, pictures and podcasts

2009-08-05T00:02:00.003+02:00

This is a list of articles and other fun stuff that people were tweeting about in the last week. This list is of course not exhaustive but a nice place to start reviewing the things that happened at the conference.

Articles:

Announcing the Warzone Project (uncommonsensesecurity.com)
DefCon Updates (A Day in the Life of an Information Security Investigator )
Defcon: New Hack Hijacks Application Updates Via WiFi (Darkreading)
Researchers offer tools for eavesdropping and video hijacking (CNet.com)
Korean 'journalists' booted from Defcon (computerworld.com)
Fake ATM doesn't last long at hacker meet (Computerworld)
Electronic High-Security Locks Easily Defeated at DefCon (Wired.com)
Fake ATM, skimmers found in Las Vegas hotels (Zero Day)
ATM scam at DEFCON clearly the work of ironic criminals (engadget.com)
The Best (and Worst) Hacks of Defcon Computer Security Conference 2009 (fastcompany.com)
Hacker demos persistent Mac keyboard attack (Zero day)
Hack-Proofing The Hackers (forbes.com)
DEFCON 17 Badge Hackers (infosecevents.net)
Defcon air traffic control hacker: Excuse me while I change your aircraft’s flight plan (deals.venturebeat.com)
Our Favorite XSS Filters and how to Attack them (sirdarckcat.blogspot.com)
Feds at DefCon Alarmed After RFIDs Scanned (wired.com)
Opinion: Irresponsibility runs amok at Black Hat, Defcon (computerworld.com)
Ax0n's DefCon 17 Wrap-Up (www.h-i-r.net)
Defcon talk: 0-day, gh0stnet and the Adobe JBIG2Decode disclosure debalce – Steven Adair (cupfighter.net)
Blackhat USA 2009: Reverse Engineering by Crayon (offensivecomputing.net)
Black Hat: Social Networks Reveal, Betray, Help Users (informationweek.com)

Video:

SSL rebinding video (stub.bz)
#defcon podcast meetup (youtube)
Hacking The Defcon 2009 Badge (youtube)
Metasploit Oracle videos (vimeo.com)
Hacker Charlie Miller on how he compromised the iPhone (venturebeat.com)

Podcast:

Defcon Microcast 1 – Johnny Long, Hackers for Charity (Network security)
Defcon Microcast 2 – Dark Tangent (Network security)
Defcon Microcast 3 – Saturday Wrapup (Network security)

Pictures:

http://www.defconpics.org/

(Photo under creative commons from ggee's photostream)

Get the #DEFCON 17 CD Archive (updated x2)

2009-08-01T14:16:00.004+02:00

The Defcon 17 CD Archive is up. Get it at https://media.defcon.org/dc-17/DEFCON-17-CD.rar

Update: The following file triggered some Antivirus engines

"Extras/bin/crackmes/manifest.exe". (in Sean Taylor's Extras.zip) - Detects as TR/Crypt.ZPACK.Gen

But it was confirmed by the Defcon team that it contained no trojan. Better be safe then sorry.

Related posts: