2006 Operating System Vulnerability Summary

Excellent summary of the 06 security scene and system vulnerabilities.

"The summarized coverage of 2006 vulnerabilities by SANS showed the most prevalent attack vectors were not directly against the operating systems themselves.4 However, this article approaches the operating system as an entity in and of itself for analysis of only the vulnerabilities of core features. As such, vulnerability scans were conducted against 2006's flagship operating systems in various configurations to determine weakness from the moment of installation throughout the patching procedure. From Microsoft, testing included Windows XP, Server 2003 and Vista Ultimate. Examinations against Apple included Mac OS9, OSX Tiger and OSX Tiger server.5 Augmenting Apple's UNIX representation, security tests were also performed on FreeBSD 6.2 and Solaris 10. Rounding up the market share, Linux security testing included Fedora Core 6, Slackware 11, SuSE Enterprise 10 and Ubuntu 6.10. Before delving into the specifics of the vulnerabilities, it is helpful to understand the security scene of 2006."

A Security Vendor Don't

One of the vendors (Core Impact) at ShmooCon got some unwanted attention this past weekend - they had a pretty string of USB light up hubs strung along the front of their table. Since the hubs needed to be powered to light up, they plugged the string into one of their laptops on the table...

RenderMan noticed this and happened to have a USB toolkit in his pocket. He was subsequently able to plug his USB key into the string of USB hubs unnoticed and retrieved it a bit later after it had collected password files and other assorted goodies.

The whole event was relayed to the entire audience at the closing ceremonies. It's a nice lesson on what not to do when exhibiting at events such as a "hacker" con...

Firefox Add-on - Tamper Data

Tamper Data 9.8.1 Kind of a handy dandy add-on - use tamperdata to view and modify HTTP/HTTPS headers and post parameters, trace and time http response/requests and security test web applications by modifying POST parameters, etc...

24-Point Identity Theft Recovery Checklist

Step 1: Take a deep breath and act rather than react.

The rest here.

Metasploit 3 is Out

http://framework-mirrors.metasploit.com/msf/download.html

ShmooCon 07 - Day 3

Last but not least the final day of ShmooCon 07. Not as many sessions today, but I wanted to hear Chuck Willis from Mandiant - Assess the Security of Your Online Bank (Without Going to Jail).

While his talk didn't really focus on Online Banking that much, it was a good primer on non-evasive testing of web facing applications. Chuck fits the Mandiant profile - clean cut - smart guy... The tool that Chuck used in many of his examples is Paros. Hs slides should be posted on his site soon.

I also sat in on on Joel Bruno and Eric Smith's (PSKL) talk on - VOIP, Vonage, and Why I Hate Asterisk. They have done some neat work on RTP playback and in particular Vonage VOIP calls. You can find the SIPinator v1.0 code here. They also made a nice/funny commercial for ShmooCon.

The work the folks at the OLPC project are doing is way cool. Not going into details here, but ck them out.

Quick Summary -

Can't say enough about what a great value ShmooCon is and while not every session was exceptional, the event as a whole was. More highlights in the coming days as I parse thru notes etc...

ShmooCon 07 - Day 2

First things first, the Wirefly Marathon messed-up traffic this AM royally!

The rest of the day was good - any Shmoo day is a good day...

One session was a bit different - Michael Schearer from The Church of WiFi presented: A Hacker in Iraq. A Naval Flight Officer - theprez98 talked about his experiences during his 9-month tour in Iraq embedded with Army units on the ground. He put his expertise in electronic warfare to good use against the biggest threat to coalition forces - the improvised explosive device (IED).

He also mentioned on how one of the best sources of real news from the war are the military blogs.

The Hacker Arcade was in full swing today along with Deviant and company's lock picking area. There are a couple of Nitro boxes running in the conf. NOC wonder who gave them that ideal.

Some of the security podcast folks were recording - I saw the CyberSpeak folks in action... look for Shmoo reports from Sploitcast and Hak.5.

More fun on Sunday...

ShmooCon 07 - Day 1

ShmooCon 07 started today and things got off to a good start - bigger space, more folks, but overall same great con. After Bruce Potter's opening remarks @ 15:30 there were six approx 20 min. long presentations before Aviel Rubin's keynote @ 19:00.

Eoin Miller and Adair Collins Auditing Cached Credentials with Cachedump and Johnny Long's No-Tech Hacking were probably my two favorites. Johnny's no-tech hacking talk was excellent in both content and presentation. A good deal of it focused on physical security and on demonstrating what an important hacking tool the power of observation can be.

Aviel Rubin ended things nicely with an exelent keynote. A copy of his presentation can be found here.

Dr. Rubin vs. Dr. Cole... my money is on Dr. Rubin

Tool Time - Nessj

Nessj is an application/network security scanner client for Nessus and Nessus compatible (OpenVAS etc.) servers. In addition to an improved user interface, it provides session management with templates, report generation using XSLT including charts/graphs, and vulnerability trending. It is cross-platform, with platform specific releases available for Linux, OSX, and Windows, written in Java using SWT for a native experience, and it is open-source. It's provided by Intekras, Inc. under the Clarified Artistic License.

Get it here.

Top 10 U.S. Government Web Break-ins of All Time

Network Security Journal has an interesting list of when hackers take on the feds.

Identity Theft is Getting more Businesslike

Speaking of business - can you think of a better way to sell your security products than to preach doom and gloom? How neutral do you think Symantec is when the worse things are, the better life is for them?

Via their semiannual Internet Security Threat Report - Symantec reported that much of the malicious computer code they identified was compiled, or translated into usable software, during standard, 9-to-5 work shifts in the country of origin.

"The hobby-horse hacker is a thing of the past. These guys work business hours,'' Huger said. "It's pretty organized, which is the scary part. Now we're seeing a well-oiled machine for stealing data.''

Among the other items reported was that China had 26 percent of the world's bot-infected computers, more than any country, a statistic mostly explained by the torrid growth of the Chinese technology industry. Also noted was that more than half of all underground economy servers known to Symantec were based in the United States.

However, a recent report from Symantec competitor McAfee tells us that Internet domains from Romania, Russia, and the tiny island of Tokelau are among the riskiest.

What we do know is that phishing and spam is up... now apparently we just need a way to figure out where it is coming from. Unfortunately it is more often the destination that counts, not the journey and the US might be the way and/or the means, but it certainly isn't the end.

Super Bowl Hack?

Prank or Hoax? What do you think? If a hoax, it's was a very nice job. If a prank, it was quite the stunt. Either way, it's worth a look.

"To promote the new ZUG book, PRANK THE MONKEY, we wanted to show how easy it would be to broadcast a secret terrorist message not just on national TV, but on TV's biggest event. "

Absolut

Friday Fun - WiFi Vibrator

I Make Projects posted plans for "giving yourself a sixth sense for wireless networks" through a small wearable device. It's made from a cannibalized Wi-Fi detector, microcontroller, vibrating motor, and a bit of custom electronics.

Hackers get bum rap for corporate America's digital delinquency

This is good stuff...

If Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame.

Howard and Erickson also found that:

• Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.
• Likely as a result of California's law and similar legislation adopted by other states, the number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).
• The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents.

Article here more related material at www.wiareport.org

File-sharing Software could Jeopardize National Security

A recently released report from the U.S. Patent and Trademark Office suggests that networked file and music sharing could harm children and threaten national security. The 80 page November, 2006, report, entitled "Filesharing Programs and Technological Features to Induce Users to Share," can be found here.

"This report also reveals that these filesharing programs threaten more than just the copyrights that have made the United States the world’s leading creator and exporter of expression and innovation: They also pose a real and documented threat to the security of personal, corporate, and governmental data."

"But such condemnations just beg a more fundamental question: Why do children, grandparents, and poor single mothers end up sharing hundreds or thousands of infringing files inadvertently?"

The Silver Bullet Security Podcast

How can you go wrong? When you have vicodin, music and security...

On the 12th episode of The Silver Bullet Security Podcast, Gary talks with Becky Bace, Advisor to Venture Capital firm Trident Capital. Becky spent twelve years at the NSA working on intrusion detection and cryptography from 1984 until 1996, followed by a stint at Los Alamos National Laboratory. Gary and Becky discuss growing up in rural America, explosives, and Becky’s Jimmy Hoffa sponsored college funding situation. They also talk about the evolution of security cirricula in academia, rampant commercialization of computer security, Becky’s involvement in tracking down the notorious Kevin Mitnick, vicodin-induced creativity, and eclectic music.

French Pick Ubuntu

Well they finally got something right... Ubuntu is a great Linux distro!

When French MPs and their assistants return from their summer break this June, they will conduct parliamentary business on PCs running Ubuntu. From the next session of parliament, 1,154 desks will feature the Linux-based PCs.

More here.

The 50 Most Important People on the Web

PC World's list of the 50 most important people on the web.

Personal favorites:

31. Bruce Schneier - Cryptographer
32. Kevin Rose - Founder, Digg
47. Leo Laporte - Creator, This Week in Tech (TWiT) podcast

Who did they miss?

Independent Comparatives of Anti-Virus software

The AV Comparatives Web site tested 17 AV products - including several free anti-virus programs as well.

Surprise! Microsoft's OneCare was on the bottom of the list...

BTW when the was the last time you had a virus on your system? Seems that a little common sense can go a long way in keeping a system clean, but don't tell the AV vendors that.

Network Information with Javascript

This is the second article in a series focusing on retrieving system (or client) information using JavaScript and presenting the same on a web page. You can directly copy and paste all of the code samples present in this article into a file with extension “.htm” and open them in Internet Explorer 5.5+.

Securing Dinner - Finding Nemo 2

Police use MySpace

He's about 60, with graying hair and a bald spot on the crown of his head -- and he looks forward to meeting "more bank tellers so that I can continue my crime spree!!!"

As police continue searching for a suspect in four bank robberies across Arkansas, one local department has taken the unusual step of creating the man a profile on the social networking Web site MySpace, hoping someone will recognize him.

Story here.

5,000 years of conquest in the Middle East.

See 5,000 years of history in 90-seconds...

True? BBC Reported Building 7 Had Collapsed 20 Minutes Before It Fell

Revealing, shocking video shows reporter talking about collapse with WTC 7 still standing in background. Google has removed the clip.

More here.

"Paranoia"

From here.

Friday Fun - School Security

Meth selling Principal Found Naked With Sex Toys Watching Gay Porn In Office...

As authorities stormed into a middle school office to arrest an alleged meth-dealing principal inside, they found an even more surprising scene inside.

Sources said 50-year-old John Acerra, of Allentown, was naked and watching gay pornography when they arrived at Nitschmann Middle School in Bethlehem to arrest him on Tuesday.

Acerra also had sex toys, drugs, cash and a pipe in his school office when authorities stormed his office, the sources added.

Story here.