Friday, April 24, 2009

| Brett D. Arion |
Passwords probably are the most commonly used method of authentication for access to information technology resources, but despite their apparent simplicity, they can be difficult to manage. Long, complex passwords should be more secure than simpler ones, but they also are more difficult for the user to remember, leading to the increased possibility they will be improperly stored.

Password resets also are notorious consumers of help-desk resources.

To help agencies select and implement proper controls, the National Institute of Standards and Technology (NIST) has released a draft version of Special Publication 800-118, titled “Guide to Enterprise Password Management,” for public comment. Comments should be e-mailed by May 29 to , with “Comments SP 800-118” typed in the subject line.

Password management, as defined by NIST, is “the process of defining, implementing and maintaining password policies throughout an enterprise.” Because passwords are used to control access to and protect sensitive resources, organizations need to protect the confidentiality, integrity and availability of passwords themselves. The goal is to ensure that all authorized users get the access they need, while no unauthorized users get access.

“Integrity and availability should be ensured by typical data security controls, such as using access-control lists to prevent attackers from overwriting passwords and having secured backups of password files,” NIST states. “Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions involving the characteristics of the passwords themselves.”

Threats to the confidentiality of passwords include capturing them, guessing them, or cracking them through analysis. Password guessing and cracking become more difficult as the complexity of the password increases. The number of possibilities for a given password grows with its length and with the number of possible choices for each character. A numerical password has 10 possible choices for each character (0 through 9); a password using letters has 26. By combining upper- and lower-case letters, numerals and special characters, there can be as many as 95 possibilities for each character.
A four-digit numerical personal identification number has a keyspace of 10,000; that is, there are 10,000 possible combinations. An eight-character password using 95 possibilities for each character has a keyspace of roughly 7 quadrillion. Increasing the length of the password increases the keyspace more quickly than increasing the number of possibilities for each character, NIST states.
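To make the keyspace arithmetic above concrete, here is an added Python example (not from the NIST draft or from this post) that computes keyspaces, infers the effective alphabet from the character classes a password actually uses, and compares the two ways of enlarging a keyspace that NIST contrasts: one more character versus one more possible symbol per position. The class sizes (10 digits, 26 + 26 letters, 33 specials, 95 printable ASCII in total) are the figures from the paragraph; the function names are my own.

```python
import math
import string

# Character-class sizes from the SP 800-118 discussion: 10 + 26 + 26 + 33 = 95 printable ASCII.
CLASS_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "uppercase": 26,
    "special": 33,   # 32 punctuation characters plus the space
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def effective_alphabet(password: str) -> int:
    """Alphabet size implied by the character classes present in a password.

    A password made only of digits is drawn from 10 symbols no matter which digits it uses:
    a guessing attacker who knows the policy tries every symbol of every class that is allowed.
    """
    size = 0
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["digits"]
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["lowercase"]
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["uppercase"]
    if any(c in string.punctuation or c == " " for c in password):
        size += CLASS_SIZES["special"]
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def keyspace_bits(password: str) -> float:
    """Keyspace expressed in bits (log2), which makes lengths and alphabets comparable."""
    return len(password) * math.log2(effective_alphabet(password))


def compare_length_vs_alphabet(alphabet_size: int, length: int) -> dict:
    """Compare the two ways of enlarging a keyspace that SP 800-118 contrasts.

    Adding one character multiplies the keyspace by `alphabet_size`; adding one more
    possible symbol per position multiplies it by ((alphabet_size + 1) / alphabet_size) ** length.
    """
    base = keyspace(alphabet_size, length)
    one_more_char = keyspace(alphabet_size, length + 1)
    one_more_symbol = keyspace(alphabet_size + 1, length)
    return {
        "base": base,
        "one_more_char": one_more_char,
        "one_more_symbol": one_more_symbol,
        "char_factor": one_more_char / base,
        "symbol_factor": one_more_symbol / base,
        "length_wins": one_more_char > one_more_symbol,
    }


if __name__ == "__main__":
    print(f"4-digit PIN keyspace: {keyspace(10, 4):,}")
    print(f"8-character, 95-symbol keyspace: {keyspace(95, 8):,}")
    # Sample passwords constructed for the demonstration.
    for pw in ("1234", "password", "Passw0rd", "Tr0ub4dor&3"):
        print(f"{pw!r}: alphabet={effective_alphabet(pw)}, {keyspace_bits(pw):.1f} bits")
    print(compare_length_vs_alphabet(95, 8))
```

Note that `effective_alphabet` credits a class as soon as one character from it appears; a policy checker would more usefully ask which classes the policy permits, since that is the space an attacker searches.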

One method of password management is to use a single sign-on (SSO) tool, which automates password authentication for the user by controlling access to a set of passwords through a single password. This can make it more feasible for a user to use and remember a single, complex password.

However, “in nearly every environment, it is not feasible to have an SSO solution that handles authentication for every system and resource — most SSO solutions can only handle authentication for some systems and resources, which is called reduced sign-on,” NIST states.

NIST recommends the following for protecting the confidentiality of passwords:

* Create a password policy that specifies all of the organization’s password management-related requirements, including Federal Information Security Management Act and other regulatory requirements. “An organization’s password policy should be flexible enough to accommodate the differing password capabilities provided by various operating systems and applications.”
* Protect passwords from attacks that capture passwords. “Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and how they should respond when they suspect an attack may be occurring. Organizations also need to ensure that they verify the identity of users who are attempting to recover a forgotten password or reset a password, so that a password is not inadvertently provided to an attacker.”
* Configure password mechanisms to reduce the likelihood of successful password guessing and cracking. “Password guessing attacks can be mitigated rather easily by ensuring that passwords are sufficiently complex and by limiting the frequency of authentication attempts, such as having a brief delay after each failed authentication attempt or locking out an account after many consecutive failed attempts. Password-cracking attacks can be mitigated by using strong passwords, choosing strong cryptographic algorithms and implementations for password hashing, and protecting the confidentiality of password hashes. Changing passwords periodically also slightly reduces the risk posed by cracking.”
* Determine requirements for password expiration based on balancing security needs and usability. Regularly changing passwords “is beneficial in some cases but ineffective in others, such as when the attacker can compromise the new password through the same keylogger that was used to capture the old password. Password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts.”
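As an added illustration of the third recommendation above (this is not code from NIST or from this post), the following Python sketch combines the controls it names: a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) so that stolen hashes resist cracking, a delay that doubles after each failed attempt, and a lockout after a run of consecutive failures. The thresholds, the iteration count, the class names and the sample account are assumptions chosen for the example; the clock is injectable so the policy can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values are assumptions for this example; SP 800-118 does not prescribe numbers.
MAX_CONSECUTIVE_FAILURES = 5       # lock the account after this many failures in a row
BASE_DELAY_SECONDS = 1.0           # delay after the first failure; doubles on each further failure
MAX_DELAY_SECONDS = 30.0
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000        # iterated hashing slows offline cracking of stolen hashes
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). A random per-user salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class AccountState:
    password_hash: bytes
    consecutive_failures: int = 0
    not_before: float = 0.0   # earliest time at which the next attempt is accepted
    locked_until: float = 0.0


class Authenticator:
    """Mitigates online guessing with a growing delay after failures and a lockout after too many."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = AccountState(hash_password(password))

    def login(self, username: str, password: str) -> str:
        """Return one of 'ok', 'bad_credentials', 'throttled' or 'locked'."""
        now = self.clock()
        state = self.accounts.get(username)
        if state is None:
            # Spend the same hashing effort for unknown users so response time does not reveal valid usernames.
            verify_password(password, hash_password("placeholder"))
            return "bad_credentials"
        if now < state.locked_until:
            return "locked"
        if now < state.not_before:
            return "throttled"
        if verify_password(password, state.password_hash):
            state.consecutive_failures = 0
            state.not_before = 0.0
            return "ok"
        state.consecutive_failures += 1
        if state.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.consecutive_failures = 0
            state.not_before = 0.0
        else:
            delay = min(BASE_DELAY_SECONDS * 2 ** (state.consecutive_failures - 1), MAX_DELAY_SECONDS)
            state.not_before = now + delay
        return "bad_credentials"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")   # constructed sample account
    print(auth.login("alice", "wrong guess"))                  # bad_credentials
    print(auth.login("alice", "correct horse battery staple")) # throttled (1 s delay in force)
```

The failed attempt that triggers the lockout still answers `bad_credentials`; only later attempts during the lockout window see `locked`, so the response to a single guess does not reveal the lockout threshold. The unknown-user branch deliberately pays the hashing cost so that timing does not distinguish real usernames from invented ones.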


Wednesday, April 22, 2009


| Brett D. Arion |


Arlington, Va.- The Defense Department's newest collaborative software development tool just took another crucial step today in reaching full operational capability. The Defense Information Systems Agency declared its is now at initial operational capability for unclassified use within DoD.

"The community's response to our LOA capability has been phenomenal," said Dave Mihelcic, DISA's Chief Technology Officer. "The initial adoption rate was far greater than our initial predictions. Based on the positive feedback that we've received from our early adopters, we know that it's time to open the site for general availability," he added.
Creating a new approach to delivering and deploying technology within the DoD, enables collaborative software development and cross-program sharing of software, system components, and services in support of net-centric operations and warfare. It capitalizes on concepts proven in open source software development that have already reaped tremendous benefits for software and technology development communities.

The IOC decision coincides with release 2 of SoftwareForge, providing significant performance improvements. "The platform scaled very well during the rapid growth we experienced during the LOA period," said Rob Vietmeyer, Project Director. "We've achieved even greater performance with the new release and automated many of the system administration functions to ensure dependable capability as the user community grows," noted Vietmeyer.

SoftwareForge, the initial capability, enables sharing and collaborative development of open source and community source software within DoD software development community. Building on the best practices and technologies used in the open source community, SoftwareForge delivers a secure and reliable platform that meets DoD's requirements. This initial release comes after three months of limited operational availability, during which SoftwareForge rapidly grew to over 1300 users and 60 development efforts.

For open source and community source software developers, SoftwareForge provides the tools needed for distributed development, including software version control, bug tracking, requirements management and release packaging, along with collaboration tools such as wikis, discussion forums and document repositories. Following SoftwareForge, will be deploying a Software as a Service version of these tools designed to meet the application development needs of restricted-access and classified development efforts. In addition, will be deploying tools and services to enable the rapid testing and certification of the software components being developed within the environment.

Along with DISA's Rapid Access Computing Environment, provides a key component of DISA's move to provide cloud computing services. Together they provide unique capabilities to accelerate DoD technology development, RACE providing a rapidly deployable hardware environment and providing the supporting software development environment. RACE provides users and customers with a secure, flexible, and scalable software ecosystem that's the future of DoD IT infrastructure.

Tuesday, April 21, 2009

ISECOM Co-Founder Pete Herzog Releases Draft of "Real Audit Guidelines" (RAG)

| Brett D. Arion |
Pete Herzog, co-founder of ISECOM, has released a draft paper of audit guidelines to bolster security for entities. If you have never heard of ISECOM or of Pete himself, you should familiarize yourself with their work: it is truly community and consensus driven, and provides a wealth of information for security auditors and testers. In his paper, Pete outlines 12 controls that, if applied, will result in a "Truly Secure and High Functioning Network Infrastructure". The draft contains 5 of the 12 controls, with more to be released later. The 12 controls to be discussed in this paper are:

1. Identification (Who the hell are you?!)
2. Non-repudiation (I know you did it!)
3. Authorization (I didn't say you could do it!)
4. Subjugation (Do what I say not what I do!)
5. Privacy (None of your damn business what I do!)
6. Confidentiality (None of your damn business what I say!)
7. Alarm (Now you've done it!)
8. Resilience (Happy now? You've ruined it for everyone!)
9. Continuity (Never mind, I got a spare.)
10. Integrity (It wasn't like this when I left!)
11. Indemnification (I told you so!)
12. Authentication (Stop ringing the damn bell and let yourself in!)

The paper can be found here.

Sunday, April 19, 2009

F-Secure Releases Malware Analysis Course Materials

| Brett D. Arion |
F-Secure is releasing course materials they have recently been teaching at Helsinki University of Technology. The material focuses on Malware Analysis and Anti-Virus Technologies and can be found here. The course syllabus features the following topics:
Introduction, Malware Situation in 2009
Reverse Engineering
Windows Operating System
Reverse Engineering
Mobile Malware
Emulators and Disassemblers
Reverse Engineering
Unpacking and Decrypting Malware
Windows Kernel Malware
Antivirus Engine Design, Assignment

Saturday, April 11, 2009

Nessus 4 Released by Tenable

| Brett D. Arion |
As a little gift for the holiday weekend, Tenable announced Thursday that Nessus 4 has been released. Some of the updated functionality includes:

Nessus Engine

  • Uses the same engine on Windows and Unix-based systems for a unified experience on all platforms and more consistent results
  • Fully thread-based (as opposed to process based) for better scalability and reduced memory usage
  • Performance improvements to reduce CPU usage on all platforms

Port scanners

  • Local and remote port scanners can now be combined. For example, if you select the Nessus SYN scanner and the netstat WMI port scanner, Nessus will first try to log in via WMI to enumerate the ports, then fall back to the SYN scanner
  • The TCP SYN port scanner has been rewritten entirely and operates the same between Windows and Unix-based systems
  • Native UDP port scanner (ProfessionalFeed Only)

Compliance Checking

  • The database compliance checks can now log into MSSQL over SSL
  • The PCI-DSS plugins are now fully supported

NASL (Nessus Attack Scripting Language)

  • Added support for Perl Compatible Regular Expressions (PCRE) to NASL
  • NASL scripts can now share results between hosts via a global knowledgebase
  • New NASL functions (XML parsing, the bignum library, new packet forgery functions, new socket-related functions and more)


  • Support for XSLT transformations of the reports - This is one of the most exciting features and will be described in more detail in upcoming blog posts.
  • The ability to export a .nessus file based on a filtered report
  • Unlimited number of filters for the NessusClient on Windows and Unix-based systems


  • No external libraries are required, eliminating the need to tamper with your system configuration in /etc/
  • Added support for the newest Linux distributions (Debian 5, Fedora 10, etc.)
  • New "linux-generic32" and "linux-generic64" builds for additional Linux distributions
  • 64-bit native builds of Nessus/NessusClient for FreeBSD, Windows and Linux
  • All the Unix command-line tools (e.g., nessus-fetch, 'nessus', nessuscmd) now also run on Windows

Be sure to check it out today. I know I'm going to be playing with it this weekend...

Wednesday, April 8, 2009

DOWNAD/Conficker Watch: New Variant in The Mix?

| Brett D. Arion |

TrendLabs is following Conficker as it "Wakes UP" and begins transferring an encrypted payload via P2P sharing between infected nodes. The fact that the data is encrypted is slowing down the analysis. Keep up to date at the TrendLabs Malware blog:

"Days after the April 1st activation date of Conficker, nothing interesting was seen so far in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.

Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking on the file properties reveals that the file was created exactly on April 7, 2009 at 07:41:21.

Checking also on traffic captures show that there was no HTTP download that occurred somewhere around that time frame, which was from April 7, 2009 at 07:40:00 up to April 7, 2009 at 07:42:00. However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.

The size of the encrypted TCP blob pretty much matches the size of the binary that got created in the aforementioned folder. There are some additional bytes, which could be the headers and keys that Conficker/Downadup has been known to use.
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:

  1. (Un)Trigger Date – May 3, 2009, it will stop running
  2. Runs in random file name and random service name
  3. Deletes this dropped component afterwards
  4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
  5. Opens port 5114 and serves as an HTTP server, by broadcasting via SSDP request
  6. Connects to the following sites:

It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc.

Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary described below (07:41:23):

IP download file

The domain resolves currently to an IP that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary.

Two things can be summed up from the events that transpired:

  1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications are now running in full swing!
  2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

Research and collaboration are currently ongoing in our own labs as well as within the Conficker Working Group, and we will update this blog post with new findings.

Thanks to Joseph Cepe and Paul Ferguson for working on additional information for this entry."

The Academy Pro - Real World Site for Real World Security Professionals

| Brett D. Arion |

I would like to take a moment to introduce everyone to a HackersCenter affiliate, The Academy Pro. The Academy Pro is the brainchild of Security Consultant Peter Giannoulis, who is also a Security Hero at SANS. The site Peter and other security experts created is one of a kind: a site of security-related videos that help security professionals by showing real-world tasks with popular software. Realizing the daunting task of maintaining such a site, Peter and the other contributors of The Academy Pro are always seeking community-contributed content.

So, if you prefer seeing real-world security solutions in action, or if you have a security video to contribute, please visit The Academy Pro. It is definitely a site where the seasoned professional or the novice can gain valuable insight into a whole world of security-related activities. Be sure to check it out today!!

Saturday, April 4, 2009

OWASP Releases Code Review Guide

| Brett D. Arion |
The Open Web Application Security Project (OWASP) released a new (and FREE) 216 page guide on how to review application code for vulnerabilities. Below is the project description for the Code Review Guide:

OWASP Code Review Guide V1.1
Short Project Description: The code review guide is currently at release version 1.1 and was the second best-selling OWASP book in 2008. Many positive comments have been fed back regarding this initial version, and we believe it's a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful, as it gives the developer community a place to start regarding secure application development.

Going forward I hope to further integrate with the ASVS, and other guides such as the testing and ASDR guides shall be performed for version 2.0.

The book is available for FREE here....

winAUTOPWN v1.7 Released

| Brett D. Arion |
An auto-exploit framework with original exploit code, winAUTOPWN is a little unique in that it is self-contained and is continually updated. Future updates are to include a server that will auto-update the exploits. From the winAUTOPWN site:

"Features :

- Contains already custom-compiled executables of famous and effective exploits along with a few original exploits.
- No need to debug, script or compile the source
- Scans all ports 1 - 65535 after taking the IP address and tries all possible exploits according to the list of discovered open ports
- PortScan is multi-threaded.
- Doesn't require any Database at the back-end like msf
- Can also be used to test effectiveness of
- Launched exploits are independent and don't rely on service fingerprinting (to avoid evasion, if any)

The aim of creating winAUTOPWN is not to compete with already existing commercial frameworks like Core Impact (Pro), Immunity Canvas, Metasploit Framework (freeware), etc. which offer autohacks, but to create a free, quick, standalone application which is easy to use and doesn't require a lot of support of other dependencies. Also not forgetting that winAUTOPWN unlike other frameworks maintains the original exploit writer's source code intact just as it was and uses it. This way the exploit writer's credit and originality is maintained. The source is modified only when required to enable a missing feature or to remove hard-coded limitations. Under these circumstances also, the exploit writer's credits remain intact.

Newer exploit modules are added as and when they release and older ones are also being daily
Binaries of perl, php, python and cygwin DLLs (included) are required to exist either in a common folder or should be properly installed with their paths registered for those exploits which cannot be compiled into a PE-exe.

Some anti-viruses might falsely detect the exploits as malicious.

Future :
- A separate DragonflyBSD-server is being set up which will hold the exploit repository and the next version will autosync the exploits from them in the appropriate folder.

NOTE : In case of emergency, Press "Q" / "q" anytime to EXIT the program.

NOTE : This program winAUTOPWN is released under the WTFPL ("

Much like the other automagic hacking/pen-testing tools we have featured, this one is surely worth a try!!

Friday, April 3, 2009

Use the Conficker Eye Chart to see if you are infected

| Brett D. Arion |
Joe Stewart from SecureWorks, a researcher working with the Conficker Working Group, has developed a simple Eye Chart test site that may indicate whether you are affected by the Conficker worm. Here is a snap of the site:

It's nice when researchers make it "FUN" to find out if you are infected!!!

Issues with DDoS against Internet Name Servers

| Brett D. Arion |
There are emerging reports of issues with some Internet name servers. On Tuesday, NeuStar was attacked, which resulted in the disruption of Amazon's S3 cloud computing service. Wednesday and Thursday saw interruptions of , one of the largest website providers, which posted this message on the front page of its site:

"Service Notice
For the past three days has been experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack – an intentionally malicious flooding of our systems from various points across the internet. We know the disruption of business this has caused our customers is unacceptable, and we are working round the clock to combat it. (For more information about DDoS attacks, please see

While we are still under attack, our counter-measures are currently minimizing the disruption to your services. We are using all available means to halt this criminal attack on our business and our customers' business.

We are committed to updating you in as timely a manner as possible; please continue to check back here for additional updates or go to

Thank you for your patience. "

I checked both the Internet Health Report and the Team Cymru DNS monitoring, and while there appear to be some issues, it has not been that widespread. We will continue to monitor the situation over the weekend to see what we can come up with.....additional reports and info can be found at the following links as well:

SC Magazine

Update: Further research has revealed that is now under the protection of Prolexic Technologies at this time

Wednesday, April 1, 2009

Conficker Update - Humor and Analysis

| Brett D. Arion |
If you have not yet seen it, you have to look at the Conficker War Room site posted by WIRED. I know I laughed until my sides hurt when I saw it today.....Given all the hype, WIRED's humor was spot on.

Although we have yet to see the full fallout from what this worm will do, it was a pretty uneventful "update". Some of the best coverage of what was actually going on can be found at AvertLabs. These guys definitely put in some time analyzing what was happening. I have a feeling we haven't heard the last of this menace, but at least there is good data available to help fight it along the way.
