Archive for category Software Security

Symantec: Tapsnake Game Tracks Your Location

Symantec researchers have reported a new malicious application in the Android Market; the application can determine a user's location in real time on Android OS.

Tapsnake is the name of the game, a version of the popular game “Snake”. The developers did not disclose that the application sends the victim's precise location every 15 minutes to a dedicated server, without the user's knowledge.

According to Symantec, the developers describe the application as follows:

“Download and install the free Tap Snake game app from the Market to the phone you want to spy on. Press MENU and register the app to enable the service. Use the GPS Spy app with the registered email/key on your own phone to track the location of the other phone. Shows the last 24 hours of trace in 15 min increments.”

The Trojan uploads the GPS data every 15 minutes to an application running on Google's free App Engine service. GPS Spy then downloads the data from this service and conveniently displays it as location points in Google Maps.

To get Tapsnake working, the attacker needs access to the target smartphone, which is difficult, and the Android installation process notifies users about any suspicious activity on the smartphone, which is also a very good security measure.

For the best protection, be careful when installing any third-party application on your mobile device.

make sure you subscribe to my RSS feed!


Microsoft to Fix 34 Vulnerabilities on Next Tuesday

The Microsoft Security Response Center has released an advance notification for new patches intended to fix 34 vulnerabilities. There will be 14 security bulletins; eight of them are rated critical and the other six important.

The critical vulnerabilities allow an attacker to perform remote code execution on the targeted system, through which the attacker can gain complete control over the victim's machine. All patches require, or may require, a restart.

The affected products are all Windows operating systems, all Microsoft Office versions, and Silverlight 2 and 3; the latest version, Silverlight 4, is not affected by this vulnerability.

For detecting and deploying these updates, Microsoft advises using Windows Update (WU), Windows Server Update Services (WSUS), the Microsoft Windows Malicious Software Removal Tool and the Microsoft Download Center.

The Microsoft Security Bulletin Advance Notification for August 2010 is available here.


TrueCrypt 7.0 New Release

TrueCrypt, one of the popular tools for encrypting and hiding partitions under Linux, Mac OS and Windows, has released a new version.

The new features in this release include:

* Hardware-accelerated AES encryption: supported by some processors, it performs encryption considerably faster than purely software implementations on the same processors.

* A TrueCrypt container on a USB flash drive can now be configured to mount automatically whenever the flash drive is inserted into a USB port. This is cool.

* Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes.

* Favorite Volumes Organizer: you can now arrange for your favorite volumes to be mounted at logon as read-only or as removable media.

* The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted.

TrueCrypt is always recommended over other built-in encryption systems because it can hide your volumes, making it impossible for anyone to notice that the file exists on the hard disk, and because it offers a flexible choice of encryption algorithms.

With TrueCrypt your data remains encrypted until you need it. Go get your copy by following this link.


Mozilla Sniffer Add-on Blocklisted for Security Purposes

Mozilla has blocklisted a malicious add-on that had been hosted on its official add-ons site since 6 June. The add-on, named Mozilla Sniffer, contains a serious security vulnerability.

According to a blog post, the add-on includes code that intercepts all login data on any website and sends these credentials to a remote location. Mozilla security specialists said that all current users should receive an uninstall notification, and invited all users to remove the add-on and change every web authentication credential they use.

The add-on's code had not been reviewed, since it was submitted online directly: it was only checked for malware, without any review of its functionality, before being made public. A new way of working will be considered in the future with the aim of improving the review process (“Review Process & Delightful Add-ons”).

The same post reports a security vulnerability in CoolPreviews version 3.0.1. This add-on lets users preview a link on a website simply by hovering the cursor over it. The bug allows an attacker to execute malicious JavaScript code with local privileges, potentially gaining access to the file system and allowing code download and execution.

Currently, 177,000 users have a vulnerable version installed. All users are invited to update the add-on; the vulnerable versions will be blocklisted soon.


Keep Your Unix-Based System Safe This Summer (Part2)

System monitoring is the most important method for detecting Trojans, viruses and any other malicious activity on the system.

Control over file integrity can be achieved by installing Tripwire, which detects changes on each system on which it is installed: it checks the integrity of normal binaries, reports any changes to syslog or by email, and alerts users to intrusions and unexpected changes. Its source code is available.

After installing Tripwire (with the command: $ sudo apt-get install tripwire) you will need to answer some configuration questions, and at the end you must enter a passphrase of at least 8 characters (twice).

The script generates keys for your site (host) and then asks you to enter a passphrase (twice) for local use. You should then back up and delete the original plain-text configuration files installed on the system.

The developers have provided an appropriate policy covering all files and configurations, but if you need to update or change something you can edit the policy file /etc/tripwire/tw.pol.

Tripwire creates a database containing a snapshot of your file system; it uses this baseline, together with the encrypted configuration and policy settings under the /etc/tripwire directory, to monitor the state of your system.

Now you can perform a test scan:

$ sudo tripwire --check

The check runs daily and reports all changes, including routine permitted tasks such as editing system configuration files, installing packages, etc. All reports on changed files are sent to root by email.

The final three points are:

* Keep track of all access accounts. All important system configuration files should be readable and writable only by root, and your home directory should be accessible only by you (600).
* Do not place users in many groups, because group membership gives users the special access to files and directories that is granted to that group (operator, audio, etc.). This can create a hole and give a user privileges that are not needed.
* Use root privileges only when they are really required. There is no need to run commands as root; if you really need to install or manipulate something, use sudo.
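The baseline-and-check cycle described above, together with the "readable and writable only by root" rule from the first point, as an added illustration in Python (this is not Tripwire's own code and not from the original post): it records a SHA-256 hash, the mode and the owner of every file under a directory, compares a later snapshot against that stored baseline, and lists files that are writable by group or others. The directory tree, its file contents and the changes made to it in demo() are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_record(path):
    """Content hash plus mode and owner, so a permission change is reported
    even when the bytes are identical."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(),
            "mode": format(stat.S_IMODE(st.st_mode), "04o"),
            "uid": st.st_uid}


def snapshot(root):
    """Baseline of every regular file below root (what the initial
    Tripwire database run builds); symlinks are skipped."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                records[os.path.relpath(path, root)] = file_record(path)
    return records


def save_baseline(records, path):
    """Persist the baseline; in a real deployment keep it off-host or read-only."""
    with open(path, "w") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """The equivalent of the daily check: added, removed and changed paths,
    with the record fields that differ for each changed path."""
    report = {"added": [], "removed": [], "changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            fields = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
            report["changed"].append((path, fields))
    return report


def loose_permissions(records):
    """Files writable by group or others, which violate the rule that
    configuration files are writable only by root."""
    return [p for p, r in sorted(records.items()) if int(r["mode"], 8) & 0o022]


def _write(root, rel, text, mode):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed walkthrough on a temporary tree: take a baseline, alter the
    tree (a replaced binary that is now world-writable, a deleted file and a
    new cron entry), then check against the baseline."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n", 0o644)
        _write(root, "bin/ls", "original binary contents\n", 0o755)
        baseline = snapshot(root)
        _write(root, "bin/ls", "replaced binary contents\n", 0o777)
        os.remove(os.path.join(root, "etc/passwd"))
        _write(root, "etc/cron.d/job", "0 * * * * root /usr/local/bin/job\n", 0o644)
        current = snapshot(root)
        report = compare(baseline, current)
        report["loose"] = loose_permissions(current)
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the report for the constructed tree: one added path, one removed path, one changed path whose hash and mode both differ, and that same path flagged as writable by others. The records deliberately contain nothing but hash, mode and owner; as with Tripwire, the value of the check depends on the baseline itself being protected from the same attacker.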

So make sure to apply all these security rules for a safe summer 2010.


(Picture from Scott Ableman)


Finding the Hidden

If a hacker manages to compromise a server, it can be used for several purposes: spreading viruses, sending spam, attacking other hosts, or stealing and destroying sensitive information stored on the server.

Restoring a previous copy of the system does not guarantee that the incident will not happen again. That is why it is important to learn how to conduct a forensic investigation and determine what really happened.

A forensic investigation helps resolve the situation after a breach and ensure it does not occur again, because updating software packages and antivirus definitions will not prevent a hacker from using the same method to break into the system once more.

It is also very important to determine when the attack occurred, because a backup taken after that point may restore a non-clean copy that contains a backdoor while looking like a normal copy.

The collected evidence will also play a big role in identifying where the vulnerability was (a system or human error, or an insider breach).

Technology has a good side and, at the same time, a bad side: some modern malware leaves no traces on your hard disk.

For example, the SQL Slammer worm runs only in RAM and can be detected only through its network activity (port 1434). Encryption is also widely used as a protective measure (BitLocker, EFS...), and without the key there is no access to the information.

Forensic tools help handle these situations by collecting and analyzing information on the compromised host; this includes:

- Tools for cloning the system and saving a copy of its partitions
- Tools for creating checksums and digitally signed files
- Tools for analyzing network activity and system configuration
- Tools for analyzing the system (processes, libraries...)

Depending on the situation, there are a few commercial forensic tools on the market today, such as ProDiscover from Technology Pathways, EnCase Forensic and Forensic Toolkit.

Some tools offer limited versions, such as ProDiscover Basic Edition Freeware, which is available for download but does not include network capabilities. On the other hand, there are special Linux distributions in which all the required tools are integrated and configured, such as DEFT Linux, FCCU GNU/Linux Forensic Boot CD, Helix3 and others.

Now let's start browsing some forensic tools.

The first is TCT (The Coroner's Toolkit), which allows both dead and live analysis. The project was superseded by The Sleuth Kit (TSK). TSK runs on Linux, Mac OS X, Cygwin, FreeBSD, OpenBSD and Solaris and analyzes data stored on NTFS, FAT, Ext2, Ext3, UFS1 and UFS2. It includes 24 utilities in the following groups:

- File System Layer (f*) – works with the file system;
- Meta Data Layer (i*) – describes a file or directory;
- Data Unit Layer (blk*) – the actual content of blocks, clusters and fragments;
- File System Journal (j*) – the file system log;
- Volume System (mm*) – analysis of partitions; disk utilities (disk_*).

To recover or search for deleted files on a partition we can use fls and icat. To list the deleted files with fls:
# fls -rd /dev/***
-r makes the program recurse into all directories, while -d shows only deleted files.
To find a particular file you can pipe the output through grep:
# fls -rd /dev/sda1 | grep -v '(Realloc)' | grep file.doc

For the encrypted volume we can use hfind, which looks up hash values in a database using a binary search. This makes it easy to create a hash database and identify whether a file is known or not.

It works with the NIST National Software Reference Library (NSRL) and with the output of md5sum. The NSRL project is supported by reputable organizations such as the National Institute of Justice (NIJ) of the U.S. Department of Justice and the National Institute of Standards and Technology (NIST).

For example, to create an MD5 index file for the NIST NSRL:

# hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt

To look up a value in the NSRL:

# hfind /usr/local/hash/nsrl/NSRLFile.txt 76b1f4de1522c20b67acc132937cf82e
76b1f4de1522c20b67acc132937cf82e Hash Not Found
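To make the binary-search lookup concrete, here is an added Python example (it is not hfind or Sleuth Kit code and not from the original post) that builds a sorted MD5 index from NSRL-style rows or from md5sum output and answers lookups the way hfind does. The three NSRL rows are constructed for the example in the classic RDS column layout ("SHA-1","MD5","CRC32","FileName",...); the "Hash Not Found" output format follows the sample shown above, and the file names and hash values are made up.

```python
import bisect
import csv
import hashlib
import io

# Constructed sample in the NSRL RDS column layout. Real NSRL sets hold tens of
# millions of rows; these three are made up for the example (the hashes are
# those of "abc", the empty string and "a").
SAMPLE_NSRL = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"a9993e364706816aba3e25717850c26c9cd0d89d","900150983cd24fb0d6963f7d28e17f72","352441c2","abc.txt","3","1","358",""
"da39a3ee5e6b4b0d3255bfef95601890afd80709","d41d8cd98f00b204e9800998ecf8427e","00000000","empty.dat","0","1","358",""
"86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","0cc175b9c0f1b6a831c399e269772661","e8b7be43","a.txt","1","1","358",""
'''


def build_md5_index(nsrl_text):
    """Sorted MD5 index over NSRL rows, the analogue of 'hfind -i nsrl-md5'.
    Returns parallel lists (keys, names) so lookups can bisect on keys."""
    rows = csv.DictReader(io.StringIO(nsrl_text))
    pairs = sorted((r["MD5"].lower(), r["FileName"]) for r in rows)
    return [p[0] for p in pairs], [p[1] for p in pairs]


def build_md5sum_index(md5sum_text):
    """The same index built from 'md5sum' output lines ('<hash>  <path>'),
    the other input format hfind accepts."""
    pairs = sorted(line.split(None, 1) for line in md5sum_text.splitlines() if line.strip())
    return [h.lower() for h, _ in pairs], [p for _, p in pairs]


def lookup(index, digest):
    """Binary search: O(log n) per query, which is what makes checking every
    file on a disk image against a huge reference set practical."""
    keys, names = index
    d = digest.lower()
    i = bisect.bisect_left(keys, d)
    return names[i] if i < len(keys) and keys[i] == d else None


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def file_md5(path):
    """MD5 of a file on disk, read in chunks so large evidence files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def format_lookup(index, digest):
    """One output line in the style of the page's hfind sample."""
    name = lookup(index, digest)
    return f"{digest} {name if name else 'Hash Not Found'}"


if __name__ == "__main__":
    idx = build_md5_index(SAMPLE_NSRL)
    print(format_lookup(idx, md5_hex(b"abc")))
    print(format_lookup(idx, "76b1f4de1522c20b67acc132937cf82e"))
```

Known files (hits in the NSRL) can be set aside during triage so that the analyst's time goes to the unknown ones; a miss, as in the page's sample, only says the file is not in the reference set, not that it is malicious.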

The Sleuth Kit contains a large number of utilities, which makes it hard to manage, but the official website offers a visualization tool for this: Autopsy Forensic Browser, an HTML-based graphical interface to the command-line tools in The Sleuth Kit. It makes investigating a system much easier and faster.

Sysinternals is also very important for forensic work. To have the whole package, get the Sysinternals Suite. Sysinternals helps you obtain comprehensive information on everything loaded at the system level, such as logs and processes. The tools display all registry keys, drivers, DLLs, codecs...

PsInfo, PsLogList and Process Explorer give complete information on the system and its running processes. To list DLLs with their versions and where they were loaded from, use ListDLLs. The Handle utility shows a list of open files together with the processes that opened them.

Also look at LogonSessions, PendMoves, PsFile, PsLoggedOn, TCPVcon and TCPView, as well as the standard ipconfig, netstat, arp, openfiles and systeminfo.

The tools are distributed under a freeware license, and it is possible to capture the state of memory with ManTech Memory DD, which supports Microsoft products (Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows Server 2008) and gives users functionality that is not free in EnCase.

This is a quick list of free tools to help with forensic analysis.


Windows7 New Utility for Meeting Security Compliance

Microsoft has introduced a new tool for analyzing the security level of Windows 7 and Internet Explorer 8. It is called Security Compliance Manager and is designed to simplify the use of protection standards and security requirements in an IT environment.

Security Compliance Manager provides a single application to automate system configuration management and eliminate potentially dangerous situations such as a missing service pack, misconfigured accounts or a risky software vulnerability.

Microsoft Security Compliance Manager allows IT specialists to create, deploy, execute and manage security baselines for Windows client and server editions, including Windows 7, as well as related applications. The tool gives access to the full database of Microsoft-recommended settings, so changes to systems come directly from Microsoft. Baselines can be exported in several formats, including Desired Configuration Management (DCM) packs, Security Content Automation Protocol (SCAP), XLS or Group Policy Objects (GPOs), to bring them into your environment and automate verification of security baseline compliance.

For more details, visit the Microsoft TechNet page.


Open-source All in one Security Solutions (Part 2)

These days there is a great variety of security software designed to organize and manage large networks. Protecting internal resources from external threats, monitoring the network and blocking certain suspicious services is a priority for any IT security professional.

One available solution is Smoothwall.

Smoothwall is a free, open-source, customized distribution that includes a firewall, port forwarding, VPN support, Web/DNS/POP3/SIP proxies, an IM proxy (MSN/AIM/ICQ/Yahoo) with pre-filters and traffic monitoring (based on IMSpector), plus a DHCP server, NTP and QoS support. This is in addition to antivirus scanning of traffic using ClamAV.

After installing Smoothwall you can configure it through the web interface at http://ip-address:81/ or https://ip-address:441/, where you will find the Control, About, Services, Networking, VPN, Logs, Tools and Maintenance sections and can adjust the settings as you wish.

By default the IDS is not activated unless you enable the option under Services. Using the Ajax admin interface you can see changes in real time, and you can upgrade the distribution via the Maintenance and Update option.

IPCop is another open-source security solution focused on SOHO (Small Office, Home Office) users; it includes everything you need for packet filtering, IDS/IPS, Web and DNS proxies, DHCP server/client, Openswan, OpenVPN and an NTP server.

The current version is IPCop Firewall 1.4.20, available for download here.

The last solution in this series is Vyatta. Vyatta is Linux-based open-source software providing routing, firewalling, VPN, intrusion prevention, anti-virus and WAN load balancing services. The developers have integrated into the Debian operating system the freely distributed routing platform XORP (eXtensible Open Router Platform), which is developed by ICSI (International Computer Science Institute) in Berkeley.

Vyatta gives users a gateway with IDS/IPS (Snort) functions, a caching proxy and URL filter (Squid and SquidGuard), network access policies, OpenVPN and DNS forwarding. What sets it apart from all the previous solutions is that it can be configured using Cisco-style commands.

As you can see, there are many network traffic control solutions. If you want to work with Cisco-style commands you can use Vyatta; for a Linux distribution you have Untangle and Endian; and for quick and easy use you can try IPCop and Smoothwall.


Secunia Releases Patch Management Utility

Secunia, a Danish computer security service provider, has announced the final version of the Secunia Corporate Software Inspector 4.0 (CSI 4.0). The tool can identify vulnerabilities in about 13,000 applications from 2,300 developers.

CSI 4.0 has a free trial version that can be downloaded from the official website. CSI 4.0 integrates with Microsoft's Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) to make it possible to scan all corporate devices, identify any unpatched application in the enterprise, and manage the installation and configuration of all Microsoft and third-party software.

According to Secunia, every computer user has to install about 76 patches per year from 22 different software developers, and in a corporate environment this task is complicated. Clients on the company LAN are especially exposed to new, unpatched gaps, so it is important to check their systems frequently.


Building your OWN Malware Lab (Part 2)

Today's malware strategies and tactics are advanced and sophisticated. Their main purpose is to trick antivirus software. Some use encryption to make detection difficult for any security product, others add autorun entries to the registry to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, Trojans, adware, spyware and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about the file and is divided into two parts:

- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of the findings: the severity level and the impact on the machine (for example “Creates a startup registry entry”, “Contains characteristics of an identified security risk”, etc.).

- Technical Details:
  - Possible Security Risk: the threat category with a short description.
  - File System Modifications: the filename modified by the malware, file size, file hash, alias and a brief note about the different systems concerned.
  - Memory Modifications: whether a new process was created in the system.
  - Registry Modifications: the registry values created, modified or deleted.
  - Other details: the possible countries of origin according to the analysis.

To use the ThreatExpert service you can follow the Free Online File Scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit your samples, but before submitting any files you need to register an account to be able to retrieve the ThreatExpert reports.

What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis. Anubis lets the user submit a suspicious URL and receive a report showing all the activities of the Internet Explorer process while visiting that URL. The downside is that the service is slow.

Flash, JavaScript and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.

Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable by looking at things such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics to generate a threat “score”. This score can be used to identify whether a set of files is worth further investigation.
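Entropy as a packing indicator, as an added Python example (this is not MRC's code or scoring, and not from the original post): it computes Shannon entropy per fixed-size window and flags a file whose windows are mostly close to 8 bits per byte, which is what packed or encrypted content looks like and plain code or text does not. The 7.0 bits/byte threshold, the window size and the two sample byte strings are constructed for the example; MRC combines entropy with the other signals the paragraph lists.

```python
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # constructed heuristic: bits per byte above which a window looks packed/encrypted
WINDOW = 1024            # constructed window size


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniformly
    distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data, window=WINDOW):
    """Entropy of each fixed-size window, so a small high-entropy region (an
    embedded encrypted payload) is not averaged away by the rest of the file."""
    last_start = max(len(data) - window, 0)
    return [shannon_entropy(data[i:i + window]) for i in range(0, last_start + 1, window)]


def entropy_indicators(data, window=WINDOW):
    """Summary a triage tool would keep per file: overall entropy, the most
    random window, and the share of windows above the threshold."""
    windows = windowed_entropy(data, window)
    high = sum(1 for e in windows if e >= PACKED_THRESHOLD)
    fraction = high / len(windows) if windows else 0.0
    return {
        "overall": round(shannon_entropy(data), 3),
        "max_window": round(max(windows), 3) if windows else 0.0,
        "high_fraction": round(fraction, 3),
        "likely_packed_or_encrypted": bool(windows) and fraction >= 0.5,
    }


def analyze_file(path):
    """Same indicators for a file on disk."""
    with open(path, "rb") as fh:
        return entropy_indicators(fh.read())


def _pseudo_random_bytes(n, seed=b"constructed seed"):
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for a
    packed section, so the example needs no real sample."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a repetitive text-like section and a pseudo-random one.
SAMPLE_TEXT_SECTION = b"push ebp\nmov ebp, esp\nsub esp, 0x10\n" * 256
SAMPLE_PACKED_SECTION = _pseudo_random_bytes(8192)


if __name__ == "__main__":
    for label, sample in (("text", SAMPLE_TEXT_SECTION), ("packed", SAMPLE_PACKED_SECTION)):
        print(label, entropy_indicators(sample))
```

High entropy alone is not a verdict: compressed resources, certificates and legitimately encrypted data score high too, which is why a tool such as MRC folds the entropy result into a score alongside signatures and packer indicators rather than reporting it on its own.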

Now you can quickly gather information on any suspicious file. Most of these tools are free and produce a highly detailed report whose technical details match or exceed those of an antivirus lab.
