Archive for March, 2010
Network Device Vulnerability Allows a Remote Access
Posted by Mourad Ben Lakhoua in News, Vulnerabilities, Vulnerabilities & attacks on March 28, 2010
At the annual international CanSecWest conference in Vancouver, members of ANSSI (the French Network and Information Security Agency) demonstrated how an intruder can gain complete control over a system remotely.
The speakers explained how an attacker may use a vulnerability in the network device to execute arbitrary commands on the victim machine. The presentation was called “Can you still trust your network card?”. The attack relies on packets handled by the victim’s network device and enables the attacker to conduct man-in-the-middle attacks, access the host’s cryptographic keys, and execute malicious programs on the victim’s computer.
The presentation included a full description of the vulnerability as well as a demo of the attack, while the tool used to conduct the attack and the proof-of-concept exploit remain unpublished.
Here you can find the presentation: http://www.ssi.gouv.fr/site_article186.html
The attack is possible on certain network device models (Broadcom NetXtreme) under a certain condition: remote management via Alert Standard Format 2.0 must be enabled, and it is disabled by default. According to the manufacturer, an update has been released to patch this vulnerability.
make sure you subscribe to my RSS feed!
Fake Software Updates Infecting Computers
Posted by Mourad Ben Lakhoua in News on March 26, 2010
New malware has been observed by the Vietnamese computer security company Bach Khoa; the malicious software overwrites program updaters to bypass antivirus software.
W32.Fakeupver.trojan is the name of this new Trojan. The first thing the malware does is replace the automatic update process for Adobe, Java, Deep Freeze or even the Windows operating system in order to trick anti-malware software. When executed, the malware starts services (DHCP client, DNS client, network share) and opens a port to receive the hacker’s commands.
The malware can reach a system over email, instant messengers or an infected website. Once the computer is infected, the attacker will be able to take control of the machine.
Currently, to avoid becoming a victim of this malware, it is important to update all applications installed on the operating system and the OS itself, and to make sure you have the latest antivirus definitions.
It’s Time to fix your Agenda: 2010 Hacking parties
Posted by Mourad Ben Lakhoua in Security events on March 26, 2010
2010 will be a remarkable year with many interesting events, conferences and underground security meetings.
I tried to list some of the well-known security meetings; if you don’t want to miss these events, it’s time to start making your plans.
So this is what I have so far:
Hack In The Box (19 to 22 April in Dubai, UAE, and from 29 June to 2 July in Amsterdam, Netherlands)

HITB is the first serious conference this year. It has been held since 2003 in two parts: the spring conference in Dubai and the second part in Malaysia. The event is considered the largest information security conference in Asia. This year, for the first time, the second part will be held in Europe, in Amsterdam.
The program is available on the official website; among the conference speakers you can find John Viega (CTO, SaaS, McAfee), Laurent Oudot (senior IT security consultant, founder of TEHTRI-Security) and Marc Schoenefeld (independent network security specialist). HITB also hosts a Web Hacking Challenge and Bin Rev; to participate you can follow this link.
BlackHat Europe (12 to 15 April in Barcelona, Spain)

BlackHat is the most important and biggest hacking event on the planet; it attracts thousands of experts from around the world. This year BlackHat celebrates its 13th anniversary. Among the topics we find SAP backdoors, virtual forensics and new vulnerabilities in popular archive formats. Widely known speakers will contribute to the event, including Moxie Marlinspike, Haifei Li, Christian Papathanasiou, Paul Stone and many others.
For beginners there will be a training program on ways of writing exploits and how to discover vulnerabilities and bugs, while for skilled visitors there are complete training sessions on web application vulnerabilities, brute-force attacks on the IEEE 802.11 protocol and many others.
Notacon (15 to 18 April in Cleveland, USA)

This event was first created in 2003 and aims to promote a culture of exploration, participation and positive contribution, with open discussion on different information security topics so that others can learn from the experience and create something good, fun or interesting from it.
BlackHat USA 2010 (24 to 29 July in Las Vegas)

There is still no information about the conferences, topics and speakers, but this event completes the Black Hat DC 2010 and Black Hat Europe 2010 series.
Hackers on Planet Earth (HOPE) (16 to 18 July in New York City, USA)
The event was first held in 1994. This year it takes place at the Hotel Pennsylvania in the middle of New York City and will be the largest creative technology conference on the U.S. East Coast. Among the speakers of past years we can find Steve Wozniak, Kevin Mitnick and Adam Whitney Savage.
DEFCON (30 July to 1 August in Las Vegas, USA)
The largest hacking event: there have been roughly 5,000-7,000 attendees in the last few years of DEFCON. DEFCON is not just a conference; it is the place where hackers publish the work of months and years. Hardware hacking, privacy-enhancing technology, reverse engineering, forensics, web app attacks and more: DEFCON is all about thinking differently and showing off what you have been working on. Currently there is still no list of speakers, but there is no doubt about the quality of the speakers, because it is simply DEFCON!
Secunia Releases Patch Management Utility
Posted by Mourad Ben Lakhoua in Software Security, Tools on March 26, 2010
Secunia, a Danish computer security service provider, announced the final version of the Secunia Corporate Software Inspector 4.0 (CSI 4.0). The tool can identify vulnerabilities in about 13,000 applications from 2,300 developers.
CSI 4.0 has a free trial version which can be downloaded from the official website. CSI 4.0 integrates with Microsoft Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) to make it possible to perform a full scan of corporate devices, identify any unpatched application in the enterprise, and manage the installation and configuration of all Microsoft and third-party software.
According to Secunia, every computer user has to install about 76 patches per year from 22 different software developers, and this task is complicated in a corporate environment, especially since clients on a company LAN are more exposed to newly disclosed gaps, so it is important to check their systems frequently.
7 Month Vulnerability in Windows Virtual PC
Posted by Mourad Ben Lakhoua in News, Vulnerabilities, Vulnerabilities & attacks on March 17, 2010
Core Security Technologies (CST) has discovered a critical vulnerability in Windows Virtual PC that allows an attacker to bypass security measures and run malicious code on the guest machine. The platforms concerned by this vulnerability are Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC, Virtual Server 2005 and Virtual Server 2005 R2 SP1.
The flaw lies at the memory management level (the Virtual Machine Monitor). By leveraging this vulnerability it is possible to bypass operating system security mechanisms such as Data Execution Prevention (DEP), Safe Structured Exception Handling (SafeSEH) and Address Space Layout Randomization (ASLR), which are designed to prevent exploitation of security bugs in applications running on Windows operating systems.
Microsoft was notified about this gap 7 months ago, but it has refused to fix it until the release of the next service pack, which led CST to issue the security advisory publicly.
Today Microsoft answered in a blog post that this advisory does not affect the security of Windows 7 systems directly: the security safeguards (DEP, ASLR, SafeSEH, etc.) that are in place remain effective at helping protect users from malware on that system. In addition, the Windows Server virtualization technology, Hyper-V, is also not affected by this advisory; applications running inside a Hyper-V guest continue to benefit from these same security safeguards.
You can read Microsoft’s complete post here.
Building your OWN Malware Lab (Part 2)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on March 7, 2010
Today’s malware strategies and tactics are advanced and sophisticated, mainly in order to trick antivirus products. Some use encryption to make detection difficult for any security software; others add AutoRun entries to the registry to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.
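The hosts-file trick above is easy to check for on a machine you suspect. The following Python script is an added example for this post, not a tool from the author or any vendor: it parses hosts-file text and reports watch-listed update hostnames that have been pointed at a sinkhole address. The hostnames and the sample hosts content are constructed placeholders.

```python
"""Detect hosts-file entries that would silently block an update server.

Example added to this post; not the author's tool. The hosts content and
the update hostnames below are constructed samples, not real vendor names.
"""
import ipaddress

# Constructed watch list: hostnames a defender expects to reach for updates.
UPDATE_HOSTS = {"update.example-av.test", "liveupdate.example-av.test"}

# Addresses that black-hole a name when it appears in the hosts file.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for name in parts[1:]:
            yield parts[0], name.lower()


def find_blocked_updates(text, watch=UPDATE_HOSTS):
    """Return {hostname: address} for watch-list names mapped to a sinkhole."""
    blocked = {}
    for addr, name in parse_hosts(text):
        if name in watch and addr in SINKHOLES:
            blocked[name] = addr
    return blocked


# Constructed sample: normal entries, a comment, and two tampered lines.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0   update.example-av.test   # added by malware
127.0.0.1 liveupdate.example-av.test
10.0.0.5  intranet.example.test
"""

if __name__ == "__main__":
    for name, addr in sorted(find_blocked_updates(SAMPLE_HOSTS).items()):
        print(f"{name} is sinkholed to {addr}")
```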
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about any file and is divided into two parts:
- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of the findings: here you will find the severity level and the impact on the machine (e.g. creates a startup registry entry, contains characteristics of an identified security risk, etc.).
- Technical Details:
  - Possible Security Risk: the threat category with a short description.
  - File System Modifications (here you can find the filename modified by the malware, file size, file hash, alias and a brief note about the different systems concerned).
  - Memory Modifications (whether a new process was created in the system).
  - Registry Modifications (the new registry values created, modified or deleted).
  - Other details (possible countries of origin according to the analysis).
To use the ThreatExpert services you can follow the Free Online File Scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit your samples; before submitting any files, you need to register an account to be able to retrieve ThreatExpert reports.
What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis. Anubis lets the user submit a suspicious URL and receive a report that shows all the activities of the Internet Explorer process while visiting that URL. The negative point is that the service is slow.
Flash, JavaScript and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.
Another tool to analyze Portable Executable (PE) format files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable file, looking at things such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics to generate a threat “score”. This score can be used to identify whether a set of files is worthy of further investigation.
Now you can quickly gather information about any suspicious file. Most of these tools are provided for free and can produce a highly detailed report on a sample, with technical details that match or exceed those of an antivirus lab.
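The entropy indicator MRC relies on is simple enough to reproduce by hand. The script below is an added example for this post, not Red Curtain’s own code: it computes Shannon entropy per chunk of a file and flags chunks that score like packed or encrypted data. The sample file is constructed in-script (a low-entropy text region followed by a seeded pseudo-random region) and the 7.0 bits/byte threshold is a heuristic, not an MRC constant.

```python
"""Flag high-entropy regions in a file, one of the packing indicators MRC uses.

Example added to this post; it is not Red Curtain's own code. The sample
data is constructed in-script so the check runs offline.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_chunks(data: bytes, chunk: int = 512, threshold: float = 7.0):
    """Return [(offset, entropy)] for every chunk at or above the threshold.

    Packed or encrypted code usually scores above ~7 bits/byte, while plain
    code, strings and headers sit well below. The threshold is a heuristic.
    """
    flagged = []
    for off in range(0, len(data), chunk):
        e = shannon_entropy(data[off:off + chunk])
        if e >= threshold:
            flagged.append((off, round(e, 2)))
    return flagged


def build_sample() -> bytes:
    """Constructed stand-in for a file: 512 bytes of text, then a 'packed' blob."""
    low = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 12)
    low = low.ljust(512, b"\x00")          # pad to exactly one chunk
    rng = random.Random(2010)              # fixed seed keeps results reproducible
    high = bytes(rng.getrandbits(8) for _ in range(512))
    return low + high


if __name__ == "__main__":
    for off, e in scan_chunks(build_sample()):
        print(f"offset {off:#06x}: entropy {e} bits/byte (possible packing)")
```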