Saturday, July 28, 2007

Delicious Information Warfare, Saturday, 28th

Here are some of the most interesting security papers, tools and services I stumbled upon during the week. Enjoy, and stay informed!

Papers and Publications:

- Exploiting the iPhone - Paper + Video
"Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is currently looking into it."

- The Evolution of GPCode/Glamour RansomWare
"This report contains a description of the more obscure, previously undocumented traits belonging to the GPCode/Glamour trojan. The code is a modified version of the Prg/Ntos family which was detailed in depth during our Encrypted Malware Analysis in November 2006. While a majority of the functionality has not changed since then, this recent variant is distinctive enough to warrant additional research. In particular, the trojan is now equipped with the ability to encrypt a victim's files on disk. The motive for adding this feature is clearly monetary, as the victim is advised that the files will remain encrypted unless $300 is turned over to the authors, in exchange for a decryption utility."

- A Guide to Security Metrics
"In the face of regular, high-profile news reports of serious security breaches, security managers are more than ever before being held accountable for demonstrating effectiveness of their security programs. What means should managers be using to meet this challenge? Some experts believe that key among these should be security metrics. This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program."

- Secure File Deletion - Fact or Fiction?
"This paper will deal with how and where some of these files are created and how to securely remove them from a system. Microsoft Windows operating systems and associated applications will be the main focus. This paper is divided into two main sections, the first section is designed to be a primer on the types of information that can be found on a hard drive. It is not designed to be a fully detailed data recovery/computer forensics tutorial, but is designed to show security professionals how much information can be found on a hard drive. The second section deals with the concepts behind securely deleting files and associated data from a hard drive."

- Group Policy Extensions in Windows Vista and Windows Server 2008 - Part 1
"Some of the more useful new group policy settings included in Windows Server 2008 and Windows Vista."

- Hooking CPUID - A Virtual Machine Monitor Rootkit Framework
"One of the fascinating debates taking place around the web is whether or not an OS can detect if it is running inside a VM. Surely a VMM will never be able to fool an external clock but discounting that, who knows? In any regard, I have written a small VMM that attempts to place the host OS into a VM and then handles the basic subset of unconditional VM-exits. Great. Now what?"

- BIND 9 DNS Cache Poisoning
"This weakness can be turned into a mass attack in the following way: (1) the attacker lures a single user that uses the target DNS server to click on a link. No further action other than clicking the link is required. (2) By clicking the link the user starts a chain reaction that eventually poisons the DNS server's cache (subject to some standard conditions) and associates fraudulent IP addresses with real website domains. (3) All users that use this DNS server will now reach the fraudulent website each time they try to reach the real website."

- Secure Programming Best Practices for Windows Vista Sidebar Gadgets
"Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially ActiveX controls, and because Gadgets are HTML, they are subject to Cross-site Scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user. This document outlines some of the secure programming best practices that should be considered when building Windows Vista Sidebar Gadgets."

- Wardriving Bots
"Wardriving bots are autonomous systems that are installed in a train, car, bus, taxi or truck and collect wardriving data, like SSID, GPS data, MAC address and all other stuff that Kismet can handle. After collecting this data and encrypting it, the bot tries to send this information back to the bot handler using an "open" access point or a hotspot."

- KYE: Fast-Flux Service Networks
"This whitepaper details a growing technique within the criminal community called fast-flux networks. This is an architecture that builds more robust networks for malicious activity while making them more difficult to track and shutdown. This is the first KYE paper we are releasing in both .pdf and .html format."

Security Tools:

- Atsiv v1.01 - load, list and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, 2K3 and Vista
"Atsiv is a command line tool that allows the user to load and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, Windows 2K3 and Windows Vista. Atsiv is designed to provide compatibility for legacy drivers and to allow the hobbyist community to run unsigned drivers without rebooting with special boot options or denial of service under Vista."

- Secunia Personal Software Inspector - Checks Over 4,200 Applications for Latest Patches
"The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date, effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors."

- HIHAT - High Interaction Honeypot Analysis Toolkit
"The High Interaction Honeypot Analysis Toolkit (HIHAT) allows you to transform arbitrary PHP applications into web-based high-interaction honeypots. Furthermore, a graphical user interface is provided which supports the process of monitoring the honeypot and analysing the acquired data."

- GPCode Ransom Trojan Decoder
"Recent reports of GPCode, a Ransom Trojan that encrypts files and asks for $300.00 to unlock the victim files have been hitting headlines in the news. Secure Science has offered a freely available decoder for freeing up the files without any problems. This program was written as open source software in the interest of support for other researchers. If you have become a victim of the GPCode Ransom trojan, please download a copy and run it on your systems and it will decrypt the files back to the state they were in before the trojan infected the computer."

- Rootkit Detective v1.0
"McAfee Rootkit Detective is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system."

- CSRF Redirector
"Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated."

- WordPress Security Scanner
"The WordPress version survey was largely successful; it was released on both Slashdot and SecurityFocus, which I am quite pleased about, but now onto something even more interesting - that was just the appetizer. I received a lot of questions regarding how my survey was conducted. I was going to write an aftermath post (which I still may do), but decided to release my tool, "wp-scanner", instead."

- WAZ v 1.0 - Windows Anti DDoS Tool
"Through my study and research I found lots of networks that are under the hood of DDoS attacks. WAZ is a solution to this. The tool is fully functional and effective in stopping the DDoS agents. You can find lots of DDoS agents like Trinoo, WinTrinoo, Shaft, Mstream, Stacheldraht Ver 1 & 2, Trinity, Entitee etc. They are considered to be the best agents to launch distributed denial of service attacks."

- The Ultimate Distributed Cracker
"The main purpose of UDC is the recovery of passwords from given hash values (NTLM, MD5, SQL, SHA1 and 40+ others). The typical user can recover their own forgotten passwords, for example, Windows NT/XP/2003 authorization passwords. Multithreaded and distributed recovery modes are supported. The new method for precalculating Hybrid Attack using Rainbow Tables is introduced. Now there's nothing unbreakable."

- MITRE Honeyclient Project
"Honeyclients can proactively detect exploits against client applications without known signatures. This framework uses a client-server model with SOAP messaging as the primary communication method, and uses the free version of VMware Server as a means of virtualizing the client environment."

- PSA3 - PHP Source Auditor III
"PHP Source Auditor III (or PSA3) was created in order to quickly find vulnerabilities in PHP source code. Written in Perl."

- Javascript LAN scanner
"Any information obtained using the scanner will not be logged in any way. All new router form submissions are anonymous."

Services & Misc:

- 10 Free Services to Send Self-Destructing/Auto-Expiring Emails
"Self-destructing emails delete the original message once it has been read by the recipient. While they are not completely foolproof (for example, someone can take a photo of the message with a camera), the record on the Internet does not remain. Here are a few self-destructing email providers that you might find useful for sending emails. Some even provide free plug-ins for sending emails through a desktop-based email client such as Outlook or Thunderbird."

- Video - Using Darik's Boot and Nuke (DBAN) to Totally Wipe a Drive
"Another continuation of my file carving video and selective file shredding (DOD 5220.22-M) to thwart forensics tools video, this video shows how to use Darik's Boot and Nuke (DBAN) to totally wipe a drive. DBAN is a great tool to add to your anti-forensics tool box."

- Videos from the ToorCon Information Security Conference

- CISSP Certification Verification Site
"Check (ISC)² credential status for an individual or find credential holders within a company or geographic area."
