SecurityFocus Syndicate content

Admin | April 1st, 2009
by Stephen Barish We all remember the early days of intrusion-detection systems — IDS was supposed to be the silver bullet that ensured the security of our enterprises against every conceivable attack. It was the same premise that the firewall industry and the giant antivirus conglomerates were built around: Buy our product and your worries are over. Obviously this hasn’t proven to be the case. Even though intrusion-detection systems are readily available, many organizations still don’t use them effectively. Too often the IDS sits without maintenance or updates, poorly monitored, generating alerts that are completely irrelevant to the daily work of the security and staff. The key to realizing the benefits an IDS offers is to focus less on the technology, and more on how it will be used by a security analyst. This article explores the discipline of intrusion analysis, focusing primarily on techniques to extend IDS capabilities beyond simple alert data into a tool for...
Admin | December 3rd, 2008
by Jamie Riden It was a bad start to a Monday morning: I arrived at work to find the intrusion detection system so bogged down in alerts that it was barely responsive. Something bad had happened over the weekend. The IDS — in this case, a couple of snort sensors logging to a postgresql database — had been extremely busy logging alerts over pretty much the whole weekend. To review the alerts, I used the BASE front-end, and it was this latter that was taking such a long time to tell me anything, since it was querying a database which was around ten times as large as I had originally envisaged using in production. A few minutes digging in the BASE console suggested that most of the 200,000 alerts had been generated by the potential SSH scan rule from Bleeding Threats. Since the usual daily load was nearer 20,000 alerts, it was a fair guess that a lot of malicious activity had been going on over the weekend. The snort rules that were firing were mainly the latter out of the...
Admin | October 2nd, 2008
by Abe Getchell This article discusses the process of recovering deleted data from an ext3 partition, on a system running Linux, using a process called data carving. This basic technique is useful in any number of situations, such as recovering data that has been accidentally deleted by a user, information removed in an attempt to erase signs of a system intrusion that could be used to track the source, or data erased by an end-user attempting to cover up an acceptable use policy infraction. This article assumes that you have a basic understanding of ext3 and the inner workings of filesystems. It is important to note that there is a certain amount of risk associated with this process. When performed improperly, the data you are attempting to recover, or other data stored on the system, could be permanently lost. While this technique is quite accurate most of the time, and very useful in any number of different situations, it is not "forensically sound" and will not hold up legally...
Admin | August 25th, 2008
by Stephen Barish Wireless networks have long been hailed as easily deployed, low-cost solutions for providing broadband services to an increasingly mobile population. As with any emerging technology, however, it wasn't long before attackers were exploiting it. The popular version of wireless networking, known as WiFi, revolutionized the ways that both small home-offices and larger facilities work, making it trivial to extend bandwidth into areas where it was impractical or too expensive to run Ethernet cable. For a while it seemed as if WiFi offered instantly deployable, easily configurable, and most importantly mobile communications to the masses. Soon, however, over-the-air sniffers, such as kismet and airsnort, allowed attackers to capture and decode data transmitted via WiFi. Rogue access points -- often illicitly deployed by users seeking easier access -- opened security holes deep within companies' enterprises, allowing attackers to completely circumvent traditional...
Admin | July 15th, 2008
by Timothy M. Mullen When I originally posted to Bugtraq regarding the use of country-by-country sets to control traffic to or from any particular country, I knew that it was not a new idea. However, applying the concept for use with Microsoft's ISA Server was at least a new application for it, and apparently has had some utility for people based on the thousands of downloads that have been made of the free sets from the Hammer of God Web site. As promised in that post, here is some more detailed information on the use of country-by-country data sets in firewall configurations, where it may be appropriate, and methods by which one may use the sets to create traffic reports. While the methods listed and tools available are created specifically for ISA, the concept can be applied to any product that supports the necessary data elements. Before we begin, I will post a disclaimer: This is a technical discussion. Nothing in the following dissertation is motivated by any political,...
Admin | March 12th, 2008
by Don Parker and Ryan Wegner Consider how a preprocessor can be used to introduce learning into our intrusion detection system (IDS). One can use the problem defined in Part I of this article, where the IDS is encouraged to adapt to changes in the type of traffic seen and alert administrators if the traffic is anomalous. Before Snort, or any IDS, is able to identify what is considered anomalous, it has to learn what normal network traffic for the network it is deployed on should look like. In artificial intelligence (AI) this is called the baseline, or training. The IDS observes the traffic for some period of time and takes statistics to use later to compare the expected traffic to the seen traffic. If the network traffic is significantly different than usual traffic, an alert can be generated to indicate to the user that something strange is happening. Since this is meant to be a proof of concept, let's consider an IDS that is monitoring Web traffic where traffic is expected to be...
Admin | March 5th, 2008
by Don Parker and Ryan Wegner The more an intrusion detection system (IDS) knows about the network it is trying to protect, the better it will be able to protect the network. This is the fundamental principle behind target-based intrusion detection, where an IDS knows about the hosts on the network. This article explores how artificial intelligence (AI) is influencing IDS development, and what capabilities a popular IDS has with respect to intelligent intrusion detection. Snort is the IDS in question and this article describes some of its features that users might not be taking advantage of that would allow the IDS to adapt to networks and detect anomalies. AI alleviates some of the security professionals' work load by first learning about a network and gauging reactions from a security professional to reduce false positives, and second, by adapting to changes in the network to identify new attacks. Such knowledge is important, for example, in identifying packet fragmentation...
Admin | February 14th, 2008
by Jamie Riden and Christian Seifert Honeypots come in many shapes and sizes and are available to mimic lots of different kinds of applications and protocols. We shall take the definition of a honeypot as "a security resource whose value lies in being probed, attacked, or compromised" [Spitzner02]. That is, a honeypot is a system we can monitor to observe how attackers behave, a system which is designed to lure attackers away from more valuable systems and/or a system which is designed to provide early warning of an intrusion to the target network. A honeypot may be used for all three applications at the same time. The first appearances of honeypots in computer science are possibly in "The Cuckoo's Egg" by Clifford Stoll and in "An Evening with Berferd" by Bill Cheswick. In the former, fake military reports were used as bait for the attackers. The latter is more recognisable as the sort of honeypot we know today, where an attacker is monitored and diverted away from production...
Admin | November 7th, 2007
by Naresh Verma, Yih Huang, and Arun Sood The information technology revolution has changed the way business is transacted, governments operate, and national defense is conducted. Protection of these systems is essential and continuous efforts to protect them have resulted in exponential growth in reported security incidents. There are threats from hackers, spies, corporate raiders, terrorists, professional criminals, and vandals -- all of whom have a vested interest and well defined objectives for challenging the technology for financial and political gain, leading to damages to the enterprise infrastructure. The current approach to security is based on perimeter defense and relies on firewalls, intrusion detection systems, and intrusion prevention systems. These approaches depend on a priori information. However, the increasing speed at which new exploits and attacks are being devised mandates a new layer of security defense for enterprise IT infrastructures -- a layer that...
Admin | October 15th, 2007
by Rohit Sethi Aspect-oriented programming (AOP) is a paradigm that is quickly gaining traction in the development world. At least partially spurred by the popularity of the Java Spring framework [1], people are beginning to understand the substantial benefits that AOP brings to development. While several others have tied AOP to security [2][3], I aspire to raise awareness amongst my information security colleagues that AOP can have a substantially beneficial impact on application security. I'm convinced that, if more of us understand it, we'll be in a better place to work with developers to create secure applications and perhaps, more importantly, add security into existing insecure applications. What is AOP? Many people don't really understand what AOP is. I used to think that AOP was a replacement for object-oriented programming (OOP), so I categorically rejected it without further examination. This notion is completely wrong: AOP complements OOP. It centers on cross-cutting...
Anonymous | September 27th, 2007
by Stephen Barish In sports, it's pretty much accepted wisdom that home teams have the advantage; that's why teams with winning records on the road do so well in the playoffs. But for some reason we rarely think about "the home field advantage" when we look at defending our networks. After all, the best practice in architecting a secure network is a layered, defense-in-depth strategy. We use firewalls, DMZs, VPNs, and configure VLANs on our switches to control the flow of traffic into and through the perimeter, and use network and host-based IDS technology as sensors to alert us to intrusions. These are all excellent security measures – and why they are considered "best practices" in the industry – but they all fall loosely into the same kind of protection that a castle did in the Middle Ages. While they act as barriers to deter and deny access to known, identifiable bad guys, they do very little to protect against unknown threats, or attackers that are already inside...
Anonymous | September 11th, 2007
by Nicolas Falliere This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems. Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow-down the process of reverse-engineering. We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts. Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or processes enumeration, registry scanning, etc. will not be addressed here. [1] Intro This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems. Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by...
Anonymous | September 9th, 2007
by Jason Ostrom, John Kindervag “You can’t access our corporate data network from the IP Phones." Testing Protection Controls on a VoIP Network – A Case Study and Method The Business Risk Convergence - the integration of voice and data into a single network. It promises to reduce costs, improve quality, and simplify management. But as voice should exist on the network as yet another application, it poses new challenges to the enterprise and new potential security risks arise. We have found that there is a relatively low awareness throughout corporate America as to the various risks posed by Converged VoIP solutions. In a converged VoIP deployment, a single Ethernet cable provides both the phone service and the computer connection. As most IP Phones have an Ethernet jack on the back to plug in the computer, this provides the enterprise cost savings on both cabling and moves/adds/changes. However, this same...
Anonymous | June 25th, 2007
by Jamie Riden The problem of sensitive data being leaked through the re-use of storage media is by now well-documented. This is unfortunately a reasonably common occurrence, as shown by various stories of sensitive media being lost or sold ([1], [2], [3]). However, the problem isn't just limited to those files which are left intact when the media is disposed of. To quote Wikipedia: "Slack space or file slack is the area between the end of a file and the end of the last cluster or sector used by that file. This area is simply wasted storage potential, so file systems that use smaller clusters utilize the disk space more effectively." [4]. You will notice this if you have lots of files which are very small; a correspondingly large amount of space on your disk will be wasted. However, a greater problem is that some of your data which you thought had been overwritten is still available to any casual snoopers who come into possession of your storage media. This includes attackers who...
Anonymous | April 12th, 2007
by Jamie Morris Introduction In part one of this series [ref 1] we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners. In this article we will look at the user and system features of Vista which may (or may not) present new challenges for investigators and discuss the use of Vista itself as a platform for forensic analysis. User files and applications One of the first things to note about users' data files is that they're not where they used to be! Instead of the familiar "Documents and Settings" folder we must instead look to a new folder called "Users". Other folders which typically fall under the scope of an examination have also moved [ref 2] so examiners running scripts which expect certain files or folders to be in specific locations may need to do some editing. Another interesting change is that Vista is configured by default to not update the last access time on files...
Anonymous | March 8th, 2007
by Jamie Morris Introduction While the fundamental principles of computer forensics remain largely unchallenged, the landscape upon which investigators operate is constantly changing. A combination of new technologies and changing habits of use means that forensic examiners must always strive to keep up to date with the latest developments. One of the most anticipated new product releases this year is the Microsoft operating system Windows Vista. Vista was under development for a long time with Microsoft promising a raft of new features together with major improvements to security. Regardless of how quickly Vista is adopted by existing businesses and consumers - and there are good reasons to suppose that its uptake will be somewhat slower than Microsoft's early estimates - it seems almost certain that this new OS will continue the trend of Microsoft's dominance in the operating system market and wise computer forensics professionals will want to start thinking about the...
Anonymous | February 26th, 2007
by Rohit Sethi and Nish Bhalla Introduction This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time detection of attacks. An idea of a practical implementation is discussed, along with an examination of some of the associated risks and costs. The application security push Development and security staff alike are beginning to place a great deal of emphasis on secure coding practices. Indeed, vendors are capitalizing on the trend by promising secure off-the-shelf applications and infrastructure. Unfortunately, many people consider access control and encryption to more or less comprise the domain of application security. In reality, several other domains are integral to application security. The...
Anonymous | February 2nd, 2007
by Tony Bradley, CISSP-ISSAP This article takes a look at the Windows Integrity Control (WIC) capabilities in Windows Vista by examining how it protects objects such as files and folders on Vista computers, the different levels of protection offered, and how administrators can control WIC using the ICACLS command-line tool. WIC is intended to protect a system from malware and user error by helping to establish different levels of trust on objects. System integrity - Who can you trust? When the developers at Microsoft set out to create the latest version of their operating system, Windows Vista, they set out to ensure it was the most secure version of Windows yet. One of the functions that has been built into Windows Vista which helps to make it more secure is Windows Integrity Control, or WIC. The purpose of WIC is to protect objects, whether they are files, printers, named pipes, registry keys, and so on, from attacks, malware or even innocent user error. The concept of WIC is...
Anonymous | January 23rd, 2007
by Chris Wysopal, Lucas Nelson, et al. This article is an excerpt from the book, "The Art of Software Security Testing," and focuses on the approach and techniques used to test the security of local applications. It begins by describing local resources and interprocess communication, which make up a local application’s attack surface. After describing how to enumerate the local resources an application depends on, the text then describes methods of testing several of those types of resources. It also describes how to test ActiveX objects, command-line programs, and applications’ use of local files and shared memory. Local Resources and Interprocess Communication Modern operating systems offer a number of facilities for data input, sharing, and storage. An application’s threat model must identify the local system resources that the application depends on and identify which of those may be controlled or affected by an attacker. We refer to this as the application’...
Anonymous | January 8th, 2007
by Raul Siles, GSE Introduction In part one of this series, we discussed the technical challenges for wireless traffic acquisition and provided design requirements and best practices for wireless forensics tools. In this second article, we take it a step further and focus on the technical challenges for wireless traffic analysis. Additionally, advanced anti-forensic techniques that could thwart a forensic investigation are analyzed. Finally, apart from the technical details, as a forensic write-up, the article covers some legal aspects of wireless forensics for both the U.S. and Europe. Wireless forensics: Technical considerations for traffic analysis Once the traffic has been collected by the forensic examiner, it must be analyzed to draw some conclusion about the case. The main technical considerations, tools and challenges associated with the analysis of 802.11 traffic from a wireless forensics perspective are presented below. The scope of the article is to focus on wireless...
Anonymous | January 2nd, 2007
by Raul Siles, GSE Introduction The huge adoption of wireless technologies over recent years has placed wireless data (or Wi-Fi) networks, based on the 802.11 specifications, as one of the major attack vectors for organizations nowadays. Incident handlers and law enforcement have been forced to deal with the complexity associated with these technologies when managing and responding to security incidents. This two-part series looks at the issues associated with collecting and analyzing network traffic from wireless networks in an accurate and comprehensive way; a discipline known as wireless forensics. Part one of this article focuses on the technical details and challenges for traffic acquisition, and provides design requirements and best practices for wireless forensics tools. The second part will address the main considerations and challenges for wireless traffic analysis, including advanced anti-forensic techniques and some legal aspects associated with this discipline. The...
Anonymous | December 11th, 2006
by Mikhael Felker Introduction and review of part one This article presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems: those found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas: Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1). Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued now in part 2). False sense of security: Users employing password managers without any awareness of the risk factors. Usability: Features that enhance or deter the usability of security features. Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk. Part one of this article concluded...
Anonymous | December 8th, 2006
by Mikhael Felker 1. Introduction This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas: Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1). Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued in part 2). False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2). Usability: Features that enhance or deter the usability of security features (discussed in part 2). Mitigation and Countermeasures: Actions that can be taken by users and corporations to...
Anonymous | November 27th, 2006
by Shreeraj Shah Introduction Web 2.0 applications are a combination of several technologies such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP), Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowerment of an end-user's browser by loading libraries. All these changes mean new scanning challenges for tools and professionals. The key learning objectives of this article are to understand the following concepts and techniques: Scanning complexity and challenges in new generation Web applications; Web 2.0 client-side scanning objectives and methodology; Web 2.0 vulnerability detection (XSS in RSS feeds); Cross-domain injection with JSON; Countermeasures and defense through browser-side filtering. Web 2.0 scanning complexities The next...
Anonymous | November 7th, 2006
by Jamie Riden Introduction In the past few years, a number of serious flaws in Windows have been exposed, including MS03-026 [ref 1], the flaw that Blaster [ref 2] used to spread in 2003, right up to the recent Mocbot/Wargbot worm [ref 3] which exploited MS06-040 [ref 4] from August 2006. The number of distinct pieces of malware exploiting these flaws has rapidly increased over the same time period. There are several variants of most worms and many more than that of most of the bot families, such as Agobot, Phatbot, Sdbot, and so on. As is now well-known, bots are collections of compromised "zombie" computers used together in a botnet network for nefarious purposes. In "The Nepenthes Platform: An Efficient Approach to Collect Malware" [ref 5] Baecher et al note the following: "In a four month period, we have collected more than 15,500 unique binaries, corresponding to about 1,400 MB of data. Uniqueness in this context is based on different MD5 sums of the collected binaries." In...