M32 Security » Security

Snort 2.9 Beta & 2.8.6.1 update released

Kyle — Fri, 30 Jul 2010 04:46:51 +0000

Snort is a registered trademark of Sourcefire, Inc

Sourcefire has been busy as ever keeping their second-to-none Snort® IDS/IPS system at the forefront of network security technology. Yesterday they released an update to the 2.8 family of Snort®, bringing it to version 2.8.6.1. It brings some fixes to the installer package, fixing some issues with detecting false-positives in pattern matching & FTP string format verification, and incorrect handling of empty FTP response codes to data transfer commands commands.

Snort® 2.9 has officially gone Beta. 2.9 includes a myriad of new features such as a robust IPS mode for inline deployments, a new common API for all active response, a new response module that is backward-compatible with resp and resp2 syntax, a new preprocessor for inline deployments to interpret packets the same way a host would, and a new Data Acquisition API that supports multiple packet access methods for better & easier integration with existing infrastructure, updated HTTP Inspect, updated & more robust SMTP preprocessor, the ability to test drop rules for inline mode before implementation, and greatly improved overall IPv6 support. Also new is integration with Intel’s Quick Assist technology.

Find it all and more on the release page over at Sourcefire

Microsoft LNK vulnerability exploit spreading quickly

Kyle — Thu, 29 Jul 2010 05:14:41 +0000

At last writing, the Microsoft LNK vulnerability that was originally used to target SCADA systems by the Stuxnet worm in Iran, India, and Indonesia was slowly gaining speed and the exploit had a proof-of-concept in the open. Now it is accelerating. It is now being picked up by old virus/worm/malware families and incorporated into their arsenals to take new victims; some using social engineering, some using their own unique tactics. While the exploit method itself hasn’t changed, the exploiters using it are vigorously churning out new versions of their software. I think it’s safe to say Madagascar will be closing its ports soon. (warning: Addictive)

New detected malwares are Chymine, Vobfus, Sality, Zeus, and most recently, Downloader-CJX

Technet article on Vobfus

The Register on LNK exploit activity

F-Secure blog entry

LNK Zero-Day Exploit: Siemens WinCC SCADA systems targeted

Kyle — Mon, 26 Jul 2010 05:20:59 +0000

It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Wiemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.

In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.

Wired Article on password’s public exposure

ESET Blog on new Zero-day exploit in the wild

Highly-Dangerous Zero-Day Windows Shell LNK Exploit Discovered

Kyle — Sat, 17 Jul 2010 19:38:22 +0000

This one isn’t good. In fact, it’s downright scary. This exploits a vulnerability in Windows’ handling of LNK files. It affects ALL versions of Windows; at least all currently supported versions. No mention all unsupported versions, but assume they are affected as well. It is already being exploited by the Stuxnet rootkit and most likely many more nasty things very, very soon. Microsoft’s solution in Security Advisory 2286198 is to disable AutoRun completely, disable displaying of icons for programs, and disabling the WebClient service. That means disabling WebDAV and pretty much disabling icons for program links. It currently has an extremely high level of impact due to the simple nature of exploit. It is advised that antivirus is updated immediately (as in yesterday) as well as firewall inspection signatures are kept up-to-date to mitigate this.

US-CERT Vulnerability Note VU#940193

F-Secure Notice & Info

Discovered by VirusBlockAda on June 17

CVE-ID CVE-2010-2568

NVD-ID CVE-2010-2568

Article in The Register

CYBERCOM’s Secret Code Demystified

Kyle — Sat, 10 Jul 2010 01:27:36 +0000

As I posted earlier this week, a hexadecimal code was discovered on the gold ring encircling US Cyber Command’s newly released logo. That code was 9ec4c12949a4f31474f299058ce2b22a and it sent the NetSec community on a challenge. To the untrained eye, it looks like just a bunch of numbers and letters. To those in the InfoSec/NetSec field, it looks like a 128-bit MD5-hash. MD5 hashes are derived from an algorithm that “digests” the data into a hexadecimal result like the one here. They are often used in file integrity checks to ensure the data is exactly what it should be without any corruption or tampering.

Around 2004, the MD5 algorithm had started to show vulnerabilities and signs of age. It is now fairly easy to reverse these hashes to reveal the original data. Obviously this is a big security problem. The NIST and DHS has a policy that requires all government agencies to use more complex hashing functions after 2010. Considering US CYBERCOM is one of the most secretive and secured entities of the publicly known US Government and intimately tied to the NSA, I would imagine there may be more than meets the eye to the new logo and we’ll come across more interesting things the g

eeks over there threw in to challenge us.

CYBERCOM’s Secret Code Demystified.

9ec4c12949a4f31474f299058ce2b22a

Kyle — Wed, 07 Jul 2010 23:51:22 +0000

http://www.niconnect.com/9EC4C12949A4F31474F299058CE2B22A.jpg

Poder Cibernetico = Cyber Power

39 6 31.38,-76 46 12.66 Put that into Google Maps. Haha.

Reverse MD5 comes out as this:

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

WASC Threat Classification 2.0 Published

Kyle — Sun, 03 Jan 2010 01:24:08 +0000

The The Web Application Security Consortium Threat Classification version 2.0 has been published. It is a document that attempts to classify common web application vulnerabilities and attacks so they can be referred to with a WASC (v2.0) number to keep documentation uniform across the industry; akin to how HTTP status codes are referenced. This vastly simplifies auditing of web application security audit reporting; creating a simple way of referencing attacks and weaknesses. This update adds many new useful features and fills-in missing attack types and weaknesses associated with them.

The post over at cgisecurity.com explains WASC v2 in more detail.

WASC Threat Classification 2.0 Project Site

Laptop stolen from MoD with encryption key that could open highly sensitive files

Kyle — Mon, 14 Dec 2009 04:03:16 +0000

The Sun and now the BBC have reported that a laptop used by a high-ranking RAF Officer at the UK’s Ministry of Defence was stolen in late November; possibly much more recently that included an encryption key with the potential to open highly sensitive files. The laptop was said to be stolen from a highly secure area has arisen fears that a Mole is operating within the Ministry. If the severity of the breach is as serious as has been reported, this could be be one of the largest breaches of data security in a very long time.

It is not known if the laptop in question has been secured with disk encryption or any other type of techniques used in attempt to keep data from unauthorized parties.

As of writing this, the MoD has been bluntly quiet on the incident saying only that “An investigation is ongoing.”

Heads up to The Spy Blog UK for highlighting this

Microsoft adds free root certificate authority to Windows

Kyle — Wed, 18 Nov 2009 20:30:06 +0000

Microsoft adds free root certificate authority to Windows

Posted using ShareThis

IBM Creates Algorithm For Fully Homomorphic Encryption

Kyle — Sun, 04 Oct 2009 05:22:45 +0000

IBM has claimed that it has made a breakthrough in data security that could potentially usher in a new era of manipulation of sensitive encrypted data without revealing what the data actually is. The idea isn’t new, Ronald Rivest (the R in RSA) thought it up thirty years ago; thinking it to be too infeasible to ever implement. The future implications on data security are very promising to say the least.

Read the whole story over at SmartPlanet