Hacking


from Network Security Blog

Stop reading this and go update your NoScript plugin to get the latest version with ClearClick enabled. And if you’re not already using Firefox with NoScript, there’s nothing I can do to help you. :-

Seriously, with all the talk about clickjacking over the last couple of weeks and proof of concept code being released yesterday, you do need to do something to protect yourself. One option is to follow Adobe’s suggestions for disabling the camera and microphone by default, but that’s only a stop-gap measure and only addresses a small part of the issue. NoScript in Firefox offers protection from clickjacking along with a host of other script-related issues. If you’re a security professional and you’re not already using this combo, I’m curious as to why. Really.

Clickjacking isn’t the end of the world, but it does add a new set of vulnerabilities and concerns that the average user can’t be bothered to understand. It won’t OPEN the Internet to the Apocalypse, but it will give the bad guys one more weapon to use in the malware wars. And one more thing we have to make sure to protect against. <big sigh>

from

As shown in this blog posting, two Swedish security researchers at Outpost24, Jack C. Louis and Robert E. Lee, were recently interviewed by Brenno de Winter for the De Beveiligingsupdate site about their proof-of-concept “SockStress” tool which evolved from their development and use of their open source Unicorn Scan network scanning tool.

“SockStress” (not publicly released) reportedly uses several new techniques to create a low-bandwidth (as low as ten packets per second) local resource depletion attack resulting in denial of service (DoS) by TCP servers (www, ftp, smtp, pop, etc.) running Windows, Linux, BSD, undisclosed routers, and other Internet appliances.

Although the researchers plan to demonstrate their techniques on October 17th, at the end of the second day of the forthcoming T2′08 conference in Helsinki, Finland, their 44 minute interview on September 30th, 2008 for the De Beveiligingsupdate site (see original and edited audio links below) provided far too much detail — enough so that any informed packetsmith who understands the TCP protocol would be able to easily recreate their attacks.

As a consequence, they effectively “went public” with their discovery of these vulnerabilities after informing other vendors only a few weeks beforehand (see rough time line below).

  • Outpost24’s Press Release
    Dated October 2nd, 2008, this is Outpost24’s official web site press/news release.
  • Robert E. Lee’s Blog
    Robert is keeping his blog current as events unfold. Therefore, this would be a useful place for keeping an eye on this developing saga.

As I mentioned in an earlier post, I was able to attend the second Integrated Cyber Exercise (ICE II) hosted by White Wolf Security this weekend in Las Vegas. ICE II puts a group of Red Cell hackers against multiple teams of Blue Cell defenders. Each defending team is given a small network infrastructure with a router, firewall, servers and desktops. The Blue Cells are responsible for keeping their network alive and functional with real services such as email, e-commerce and DNS. The Red Cell is responsible for attacking the Blue Cell network.

As a “Security Professional”, I know that training is a VITAL component to staying a razor-sharp asset to my company; however, I have found that without constant practice a lot of the learned techniques can be lost over time. The US Military is well known to constantly run “drills” that simulate an active attack in order to keep their soldiers ready and knowing how to handle themselves when the real thing occurs. Since most of our companies won’t allow you to attack them “to learn”, most in the security field either make virtual machines or illegally attack IPs hosted in other countries such as Brazil or Canada. The problem with VMs is that since you set it up, you immediately know how to attack it and how to properly defend it; the problem with attacking Canada is that they only have three computers. (I kid, I kid.) It is still good practice, but most leave wanting more. This is where ICE II came in.

The guys at White Wolf set up a fictitious company (3 actually) whose System Admins were likely fired for incompetence. There are all kinds of servers, RedHat 7.2, Windows 2000 SP0, Windows 2003 and everything in between hosting all kinds of services. Web servers, internet-aware daemons, applications, telephony & power (SCADA) are hidden behind a firewall with an ANY/ANY/ANY PERMIT rule waiting to be discovered by either team. Who will find it first, to either harden it or exploit it? Sound fun yet? Let me throw this last little bit in: neither team (Red or Blue) knows exactly what they have to protect or attack until the game gets started, and there is no means of patching via the internet. Yes, you heard me correctly, as a defender you have to harden your boxes WITHOUT PATCHING.

The first night I chose to team with Larry Pesce and be on the defending team, mostly due to the fact that I am a defender during the day. ;) Starting at 5:30pm my night was full of stress and panic as we set about hurriedly disabling unneeded services and doing general system hardening. In the beginning the odds are stacked in the attackers’ favor, as the defenders do not have any access to network devices, only the systems and servers they have identified. As the night progresses the odds finally shift to the defenders, as they are one by one granted access to their firewalls & Intrusion Prevention Systems. Sheer hatred burned in me as I heard the Red team shout “WOOT I GOT A ROOT SHELL”, and as the night concluded at 10pm I was exhausted. What a night.

The second night I was surprised to see many of the same defenders back, this time prepared to battle. I won’t give any secrets away — but George had come up with a brilliant plan that could give the Blue team a slight advantage at the beginning, a crucial time for the Red team to score. Wanting the full experience, I decided it was time to jump ship and go hang out w/Paul Asadoorian and the rest of the Red Team. Immediately you could feel the environment difference; the Red team was still very busy, but relaxed — with beer & bumping techno. (I-Hacked sponsored, of course =) Cheer replaced rage at the notion of root shells; the Red team was working Metasploit, Immunity Canvas, & Core Impact with skill. Sure it is frustrating when your shell session gets dropped by those Blue Cell guys, but it’s ok, they still have not found your rootkit yet. :) Best part of the night was watching the carnage as @surbo unleashed old-school Nimda on the Blue team’s network. As the game came to a close for night 2 I felt refreshed, aware I needed to brush up on some Metasploit kung-fu but mostly ready to hit the town. (And boy did we!)

Night three: I intended to sit this one out and simply observe. But Asadoorian made some comments and wrote some pimp Core agents that got me thinking... I wasn’t done making the lives of that Blue team hell yet — bring it. Red Cell again! The Air Force was there observing — and a few times right over my shoulder. It is an ODD FEELING pivoting to box #3 off of a netcat reverse shell over port 80 with the military behind you.

The games were over and I left with a ton of experience. It is VITAL that you practice your craft as much as possible so when a real attack comes at you, you are prepared. By night three the Blue Cell was operating as a finely tuned machine. They knew what they needed to do, and what took priority. I was constantly amazed by the ingenuity they showed, and how well they did. The same with the Red Cell: after three days they learned what to attack, what will be successful and what is important to hold. By the end of night three, I am happy to say that I brought home the wakizashi sword trophy for attacking. (Paul still kicked my ass though.)

I would encourage anyone reading this to attend the ICE III — I know I will be there, this time much more prepared and ready to battle, but which side will I choose? =)

Special Thanks To: White Wolf Security, PaulDotCom, Fortinet, SANS, Immunity Canvas, Core Impact, and the US Air Force, as well as all the other sponsors that gave away great prizes!

More info tonight!

* Welcome to the most complex cyber exercise competition of its kind hosted at the top information security training event in the world.
* Defenders must protect complex networks including power grid nodes, phones, cameras and servers.
* Attackers are given free rein to attack whatever they want, however they want. Come see how real hackers operate when there are no consequences for their actions.
* Choose your Pack: Defend, Attack or Field Op. They all have missions and only some will survive.
* Three evenings of competition. October 1st - 3rd, 5pm to 10pm at Caesar’s Palace.

from malwarechallenge.info

Malware has become an ever-present danger in today’s computing world. Due to the constantly changing nature of malware, analysts cannot rely on the traditional means of protection, anti-virus software, to identify and protect their systems.

Analysts now need to be able to analyze malware that anti-virus software does not detect.

This is what the challenge is about.

The 2008 Malware Challenge is the first of what we hope to be an annual challenge where participants will be given a chance to analyze a piece of malware, use their skills to see what they can determine about the malware, and win some prizes in the process.

I heard about this on Security Justice Episode #5 (http://securityjustice.com/); sounds really interesting!

from XBMC Media Center

Team-XBMC is proud to announce the first cross-platform Beta version of XBMC media center for Linux, Mac OS X Leopard and Tiger, Windows, and Xbox, in preparation for the upcoming stable release of XBMC, code named ‘Atlantis’. There are three important news items associated with this release:

1. The first item that is new in this release is the brand new skin “PM3.HD”, a high-definition tribute to Project Mayhem III, which will be gracing screens as the default skin on Linux, Mac OS X, and Windows. Xbox users can, of course, choose to use this skin if they wish as well, and the original Project Mayhem III skin is still packaged with Beta 1 for those who prefer the old-school look. This is in addition to the already awesome selection of skins available for XBMC.

2. The second item is the initial release of “XBMC Live”, a bootable CD which gives users the opportunity to try XBMC on their computer without touching their hard drive. In addition, XBMC Live allows installation of XBMC, complete with an operating system, onto a USB flash memory stick for a permanent, fast-booting, dedicated set-top-box style installation of XBMC. XBMC Live is designed to support Microsoft’s MCE Remote and USB receiver out of the box.

3. The third item is that the XBMC for Mac release now has initial support for integrating iTunes and iPhoto media into XBMC. For more information on this, please read this developer’s blog entry: “iTunes and iPhoto integration in XBMC”. The Mac release of Beta 1 also comes bundled with a bonus skin for XBMC, MediaStream by Team Razorfish; this skin can, of course, be downloaded and installed on all XBMC platforms, like all other XBMC skins.

You should know that XBMC ‘Atlantis’ is still in a feature freeze, the final release of which is scheduled for October, and we really need your help in order to make ‘Atlantis’ as stable as possible. We encourage all users to download and use this Beta release in preference to using SVN or the Alpha builds, and test it thoroughly, reporting all bugs to our tracking system.

from Valleywag

Microsoft announcement tomorrow: No more Seinfeld ads!
Microsoft flacks are desperately dialing reporters to spin them about “phase two” of the ad campaign — a phase, due to be announced tomorrow, which will drop the aging comic altogether. Microsoft’s version of the story: Redmond had always planned to drop Seinfeld. The awkward reality: The ads only reminded us how out of touch with consumers Microsoft is — and that Bill Gates’s company has millions of dollars to waste on hiring a has-been funnyman to keep him company.

Ok, say what you will about the ads: Sure they were

  1. About nothing
  2. Weird
  3. Didn’t sell anything?

But what they did was create buzz. There are only a HANDFUL of commercials that, as I am forwarding through my DVR, I will stop and watch. Previously it was only the Apple ads; lately, however, these new Microsoft ads have finally earned this distinction as well.

What these ads did was get people talking about Microsoft again. I mean, think about it — for some reason it is **NEWS** that a company is no longer going to be making an ad. That means the ads were WORKING.

Oh, for those who follow me on twitter, I do not LOVE VISTA. (But Mojave kicks ass)

from Wikileaks

Circa midnight Tuesday the 16th of September EST, activists loosely affiliated with the group Anonymous gained access to U.S. Republican Party Vice-presidential candidate Sarah Palin’s Yahoo email account gov.palin@yahoo.com and passed information to Wikileaks. Governor Palin has come under criticism for using private email accounts to conduct government business and in the process avoid transparency laws. The zip archive made available by Wikileaks contains screen shots of Palin’s inbox, two example emails, address book and a couple of family photos. The list of correspondence, together with the account name, tends to reinforce the criticism.

The list of emails includes an exchange with Alaskan Lieutenant Governor Sean Parnell about his campaign for Congress.

Another screenshot shows Palin’s inbox and an e-mail from Amy McCorkell, whom Palin appointed to the Governor’s Advisory Board on Alcoholism and Drug Abuse in 2007.

The e-mail, a message of support to Palin, tells her not to let negative press get to her and asks Palin to pray for McCorkell, who writes that “I need strength to 1. keep employment, 2. not have to choose.”

According to Kim Zetter of Wired Magazine, McCorkell confirmed that she did send the e-mail to Palin.

Following the release of this story, both Sarah Palin’s better-known account gov.sarah@yahoo.com and the gov.palin@yahoo.com account have been suspended or deleted, as revealed by a test email sent to these addresses by Wikileaks. Although the reasons for the deletion of both accounts cannot yet be established, one interpretation is that Palin is trying to destroy her email records.

Wikileaks may release additional emails should they prove to be of political substance.
Nb. The ctunnel.com reference in the browser screen shots is to a proxy service used to prevent the activists from being traced.

hmm.. dear evil hackers, please stay away from my yahoo account.

from digininja.org

Jasager is an implementation of Karma designed to run on OpenWrt on the Fon. It will probably run on most APs with Atheros wifi cards, but it was designed with the Fon in mind as it is a nice small AP, which gives it a lot of scope for use in penetration tests and other related fun.

A quick highlight of features:

  1. Web interface showing currently connected clients with their MAC address, IP address if assigned and the SSID they associated with
  2. The web interface allows control of all Karma features and can either run fully featured through AJAX enabled browsers or just as well through lynx
  3. Auto-run scripts on both association and IP assignment
  4. Full logging for later review
  5. Basic command line interface so you don’t have to remember the different iwpriv commands

from PC Pro News & CCCKC

Asus is accidentally shipping software crackers and confidential documents on the recovery DVDs that come with its laptops.

The startling discovery was made by a PC Pro reader whose antivirus software was triggered by a key cracker for the WinRAR compression software, which was located on the recovery DVD for his Asus laptop.

He discovered a number of other suspicious files, including:

* A directory called “Crack” that appears to contain serial numbers for other software packages

* A directory containing a large number of confidential Microsoft documents for PC manufacturers, including associated keys and program files

* Various internal Asus documents and source code for Asus software

Also, apparently the MSI Wind Linux version was shipping with some screeners on it. http://msiwind.net/linux-version-of-the-wind-delayed-by-ripped-movies/
