Microsoft Patch Disclosure - March 2010 Out-of-Band

March 2010, brings Microsoft an out-of-band patch by Microsoft with a total of ten vulnerabilities.

MS10-018 - Cumulative Security Update for Internet Explorer (980182)

The update covers nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

CVE-2010-0267 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0488 - Post Encoding Information Disclosure Vulnerability
CVE-2010-0489 - Race Condition Memory Corruption Vulnerability
CVE-2010-0490 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0491 - HTML Object Memory Corruption Vulnerability
CVE-2010-0492 - HTML Object Memory Corruption Vulnerability
CVE-2010-0494 - HTML Element Cross-Domain Vulnerability
CVE-2010-0805 - Memory Corruption Vulnerability
CVE-2010-0806 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0807 - HTML Rendering Memory Corruption Vulnerability

Microsoft rates the Severity of the risk: Critical

Mitigating Risks of the IT Disaster Recovery Test

The IT Disaster Recovery Test as part of the Business Continuity testing is becoming an annual event for most IT departments. It is mandated by a lot of regulators, nearly insisted upon by internal audit and ofcourse a very healthy thing to do.

But performing the IT DRP test without proper risk management can put your organization at significant risk.

To put things into perspective, let's analyze the steps, risks and countermeasures of an IT Disaster Recovery test:

DRP Test StepActivityRisksCountermeasures
1. Failure of primary systemsIn order to perform a disaster situation, the Primary systems need to be caused to fail on some level
  1. Databases not closed properly/damaged due to forced shutdown or forced power failure
  2. Hardware components failing due to forced shutdown or power failure
  3. Spilt-brain cluster due to uncontrolled sequence of failures of servers and storage
  1. Full backup prior to the initiation of the DRP test
  2. Backup components and Vendor presence at ready during the entire test.
  3. Not performing a direct forced shutdown but forcing a network level isolation at the routers
2. Activation of Disaster Recovery systemsSevering any relation between the DR and the primary systems and running the DR systems as temporary primary
  1. Actual failure of primary system during the test
  2. Failure of the primary system while the DR system is concluded to be non-functional
  1. Full awareness of the test of every interested party - business custodians, directors of divisions and top management to initiate the real Business Continuity Plan
  2. Full backup prior to the initiation of the DRP test at DRP site, and full vendor support.
3. Reconfiguring the user environmentIntervening in the end-user environment in a way that will make them use the DR system
  1. Error in reconfiguration which may cause the end-user to input test data into the primary systems
  2. Error in reconfiguration which may cause the primary system to stop functioning.
  1. , 2. Scripted and documented steps of reconfiguration. All steps should be performed by 2 persons - one observing the others actions
4. Reverting to the primary systemsResuming the primary systems at some level and reestablishing the relation between the DR and the primary systems
  1. Error in reconfiguration which may cause the primary system to stop functioning.
  2. Copying of test data that was input into the DR test system back into the primary location3. Failure of primary systems during resumption
  1. Scripted and documented steps of reconfiguration. All steps should be performed by 2 persons - one observing the others actions.
  2. Fully controlled and documented process of resumption, which guarantees that only the primary system is data master.
  3. Full backup prior to the initiation of the DRP test, Backup components and Vendor presence at ready during the entire test.

With all these risks, is it more prudent to never perform an IT DRP test? - Absolutely NOT, and here is why:
  • Performing the IT DRP test actually confirms that things are running, and if something breaks, you are much more prepared for the next time.
  • Not performing the test will just make you think everything is great, until the incident occurs. And the incident is just as certain as death and taxes
So, perform the IT DRP test regularly, but with a whole set of countermeasures for the possible risks which can happen during the test. Of course you will miss some risks, but if you plan for 10 and miss 1 is much better then not planning at all!

Talkback and comments are most welcome

Related posts
iPhone Failed - Disaster Recovery Practical Insight
Business Continuity Analysis - Communication During Power Failure
Business Continuity Plan for Brick & Mortar Businesses
Example Business Continuity Plan For Online Business

Internet Marketing - Attracting Good Numbers Of Customers

In this 21st century, the boom of the Internet medium is offering ample of opportunity to everyone. If you look 10 to 15 years back, then you can know that people were widely using the Internet for chatting, downloading, emailing and grabbing information. Today, people are hugely using the World Wide Web for Internet marketing. Certainly, the Internet marketing has become the buzzword of this millennium. This marketing system is totally different from other types of marketing in which individual have to move the market place to promote or sale products.

In Internet marketing, all types of advertising and promotion are done right on the online medium. This method of promotion offers increase in sales, traffic and can attract good numbers of customers from all around the world. It has been found that many small and big companies are taking help from good online marketing company, to create their presence. If you are looking forward to hype your sales, then you need to look for some good online marketing company. One of the most important tools in Internet marketing is Search Engine Optimization.
These days, lots of websites are using SEO technique to boost sales and traffic. There are off-page and on-page search engine optimization techniques that can offer you outstanding results. At present, Internet marketing is also offering good jobs with high pay scale.
There are hundreds and hundreds of software companies those are providing training on Internet marketing.

It is true that the rise of online marketing is offering quality jobs that can make your entire dream come true. If you are having a website and thinking to drag good numbers of visitors, then online marketing is a must. There are lots of activities done to promote a website and they are directory submission, article submission, PR networking, social bookmarking and others.

About the Author:

This is a guest post from Davide Smith, an author is from SelfTestEngine which is Exam Preparation Tool for IT Certification Exams.

Compiling the latest Skipfish for Windows

Seeing that skipfish releases are changing twice a day, Shortinfosec is starting a persistent post to publish the latest versions of skipfish compiled for Windows.

Here you'll find the latest compiled versions, as well as a historical trail of the previous versions

In order to run it, just unzip the archive - it contains the cygwin run-time libraries needed for running skipfish. The compiled code is tested on Windows 7 and Windows XP Pro

Download the latest version of skipfish for windows - skipfish 1.29b

Previous versions

Download skipfish 1.26b for windows
Download skipfish 1.25b for windows
Download skipfish 1.22b for windows
Download skipfish 1.18b for windows
Download skipfish 1.13b for windows
Download skipfish 1.11b for windows

Related posts
Skipfish - New Web Security Tool from Google
Ratproxy - Google Web Security Assessment Tool

Skipfish - New Web Security Tool from Google

Personal data - Publish only what you can afford to get leaked

The security and privacy risks of social networks were the hot topic of many forums and experts for years. And it appears that the worst fears are now materializing - not only someone can troll for your personal data, they can now purchase it!

Myspace is selling data through the reseller InfoChimps. The data that InfoChimps has listed includes 'user playlists, mood updates, mobile updates, photos, vents, reviews, blog posts, names and zipcodes.'

So, for everyone that still has some illusions: On the Internet, you should only post data about yourself that you want distributed, or at least which won't hurt you in any way when they get leaked.

Talkback and comments are most welcome

Related posts
A Simplified Analysis - Can you Forge a Biometric ID?
Privacy Ignorance - Was Eric Schmidt thinking?
Google Voice - No Privacy Remains?

Management Reaction to Failed Cloud Security

After all the risk assessments, cost analysis and decisions, you decide to send your data into the cloud. And things are good - at least until the security breach.

When that happens, every security professional and IT management will get grilled by top management. Youtube has a mockup video that just might give you the feeling of how this will look like.

Ofcourse, a video of Hitler reacting to a hacked cloud computing service is a bit of an overkill. But be sure that you'll hear a lot of the sentences that are mocked up, even if not in that tone.

You can see the video here

Talkback and comments are most welcome

Related posts
Security Concerns Cloud “Cloud Computing”< How to Trust Cloud Computing
Cloud Computing - Premature murder of the datacenter

Microsoft Patch Tuesday - March 2010

The March update brings two advisories, with eight vulnerabilities covered.

: Potential Remote Code Execution in

  • Windows Movie Maker, covering one vulnerability:
CVE-2010-0265 (Buffer Overflow in Movie Maker and Producer).

Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.

MS10-017: Potential Remote Code Execution in
  • Excel
  • Excel Viewer
  • Office for Mac
  • Office Compatibility Pack,
  • Excel Services
covering 7 vulnerabilities:
CVE-2010-0257 (Record Memory Corruption)
CVE-2010-0258 (Sheet Object Type Confusion)
CVE-2010-0260 (MDXTUPLE Record Heap Overflow)
CVE-2010-0261 (MDXSET Record Heap Overflow)
CVE-2010-0262 (FNGROUPNAME Record Uninitialized Memory)
CVE-2010-0263 (XLSX File Parsing)
CVE-2010-0264 (DbOrParamQry Record Parsing).

Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.

Cloud Computing Data Protection World Map

Security and privacy in cloud computing are hot topics, and everyone has a take on it. Cloud computing providers deliver their levels of security and privacy by their internal policies and procedures, but the rigidity of these policies are strongly influenced by government regulations.

If the country within which a cloud computing provider resides or is registered has lax provisions on privacy, do not expect wonders in the protection of your hosted data - especially since such lax provisions may even be created to allow government agencies to gain access to hosted data.

Forrester research felt the pulse of things by investigating the regulatory frameworks of countries throughout the world. Here is a brief of the results of this research

Country-specific regulations governing privacy and data protection vary greatly. To help you grasp this issue at a high level, Forrester created a privacy heat map that denotes the degree of legal strictness across a range of nations.

You can investigate the map here. To be very sincere, i would like my data to be either in Germany or Argentina. Oh, and USA just got a proverbial slap on the face by being classified in the same category with Colombia, Paraguay and Russian Federation.

The esteemed senators and congressmen in the USA should think hard about moving up the ladder of privacy and data protection if they don't want to be soon classified in the same category as China :)

Talkback and comments are most welcome

Related posts
Security Concerns Cloud “Cloud Computing”
How to Trust Cloud Computing
Cloud Computing - Premature murder of the datacenter

Accelerating Security Assessment with MS Security Assessment Tool

When working on a security assessment, it is always helpful to use an automated tool that compares the key elements to the known best practices, and generates an overview result set.
Among other tools which can be used, Microsoft has released a tool titled Microsoft® Security Assessment Tool.

The assessment of this tool strives to identify the business risk of the organization and the security measures deployed to mitigate risk.
The assessment takes the form of a questionnaire, with Yes/No answers that cover the following areas

  • Infrastructure - Infrastructure security collects information on how the networks function, what business processes (internal or external) it supports, how hosts are built and deployed, and how the network are managed and maintained.
  • Applications - Applications security reviews applications within the organization and assess them from a security and availability standpoint. It examines technologies used within the environment, and reviews the high level procedures an organization can follow to help mitigate application risk
  • Operations and People - This section reviews those processes within the enterprise governing corporate security policies, Human Resources processes, and employee security awareness and training. It also focuses on dealing with security as it relates to day-to-day operational assignments and role definitions.
The resulting comparison to best practices generates a summary report, as well as much more useful detailed report with areas which are lacking in comparison to the best practices. The report contains a lot of suggestions and links to related products and best practices published by Microsoft.

The MS Security Assessment Tool and it's report isn't a replacement for a full blown analysis, nor it can be a used as a one stop shop for a realistic security analysis. When performing a real analysis, an in-depth review of process and technology is needed.
MSAT is just a helpful tool to generate a security posture overview and some automated recommendations, so it is a nice start. For everything else, you will need to bring in expert professionals.

Talkback and comments are most welcome

Related posts
WMI Scanning - Excellent Security Tool
Risk Assessment with Microsoft Threat Assessment & Modeling
Google's Ratproxy Web Security Tool for Windows
Analysis of Windows Security Logs with MS Log Parser
How To - Malicious Web SIte Analysis Environment

Man In The Middle Attack - Explained

"That’s vulnerable to a man in the middle attack!"

You've probably heard this before, but let’s dive into the details of this attack and understand exactly how it works.

First, a quick definition, a man in the middle (MitM) attack is an attack where the communication which is exchanged between two users is surreptitiously monitored and possibly modified by a third, unauthorized, party. In addition, this third party will be performing this attack in real time (i.e stealing logs or reviewing captured traffic at a later time would not qualify as a MitM)

While a MitM could be performed against any protocol or communication, we will discuss it in relation to HTTP traffic in just a bit.

Requirements for Attack
A MitM attack can be performed in two different ways:

  1. The attacker is in control of a router along the normal point of traffic communication between the victim and the server the victim is communicating with.
  2. The attacker is located on the same broadcast domain (e.g. subnet) as the victim.
  3. The attacker is located on the same broadcast domain (e.g. subnet) as any of the routing devices used by the victim to route traffic.

We will discuss 2. This is a likely attack that can be used against your neighbors or the person sitting next to you at a coffee house.

The Attack
A MitM attack will take advantages of weaknesses in network communication protocols in order to convince a host that traffic should be routed through the attacker instead of through the normal router. In essence, the attacker is advertising that they are the router and the client should update their routing records appropriately. This attack is called ARP spoofing.
The (greatly simplified) purpose of ARP (Address Resolution Protocol) is to enable IP address to MAC address translations for hosts. This is required so that the packet can reach their final destined host.

By design, ARP does not contain authentication. Therefore, any host can reply to an ARP request or send an unsolicited ARP response to a specific host. These ARP response messages are used by the attacker to instruct the victim’s machine that the appropriate MAC address for a given IP address is now the MAC address of the attacker’s machine. More specifically, the attacker is instructing the victim to overwrite their ARP cache for the IP->MAC entry for the router. Now, the IP address for the router will correspond to the MAC address for the attacker’s machine.

What does this mean? Now, all of the victim’s traffic will be routed through the attacker. Of course, we don’t stop here. In order to allow the traffic to reach the Internet, the attacker must configure his system (or attack tool) to also forward this traffic to the original router. In addition, the attacker performs a similar ARP spoofing attack against the router. This way the router knows to send traffic, that was destined for the victim machine, to our attacker instead. The attacker then forwards on the traffic to the victim. This completes the “chain” and places the attacker “in the middle” of the communication.

Impacts on HTTP

At this point, the attacker has the ability to view and modify any TCP traffic sent to or from the victim machine. HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored/modified by the attacker.

What about HTTPS?

Everything we have talked about thus far is related to getting in the middle of the network communications. This enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged of protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS)
But, this is where the fun starts. The purpose of HTTPS is to create a secure communication over top of HTTP by the use of SSL or TLS. On its own SSL/TLS can be very effective and secure. However, there are significant problems in the implementation of SSL/TLS which effectively renders it useless. In addition, the browsers handling of SSL/TLS can lead to issues when both HTTPS and HTTP sites are visited by the user.

More devious means are needed to perform a MitM against SSL/TLS. At this point the attacker could attempt to intercept HTTPS traffic by using a custom certificate. This would present a certificate warning message in the user’s browser and likely alert the user to the attack. Luckily for the attacker, most users would ignore the warning and continue – thus exposing all of their data.

Alternatively, the attacker could try and use tools such as SSLstrip to leverage poor application design with regards to SSL/TLS. This could also enable the attacker to obtain the victim’s password over clear text HTTP.

How concerned should you be?

The attack scenario described in 2a can be performed by any user on the same broadcast domain as your machine. This means that anyone sitting in the same coffee house on the wireless network could be an attacker. Also, if you connect directly to your Comcast/RoadRunner/ATT/whatever home connection, then many of your neighbors could also perform this attack against you. And if you use a home router instead of directly plugging the connection into your machine - well, then the attack is still possible via 2b (essentially the same attack).

Really the only reason this isn’t a bigger deal is because of the requirement to be on the same subnet. Right now we have so many other issues, such as XSS, SQL injection, etc, which can all be exploited remotely by attackers. The attackers just sit in their remote locations and destroy web sites from a far. However, the point is this, if an attacker wants to steal YOUR specific bank data then all they need to do is sit next to you at a coffee house or sign up for Internet service in your area.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
How To - Malicious Web SIte Analysis Environment
Security Information Gathering - Brief Example
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction

Minimize Impact of Online Intelligence Searches

In our previous article - Digging for information with Open Source Intelligence we looked at the generic process of information gathering. But what is this process looking for? The answer to this question is important to all parties:

  1. to the investigator - for proper focusing of his/hers efforts
  2. to the possible targets - in order to properly defend against Open Source Intelligence
So here are the items that the investigator is looking for when employing Open Source Intelligence against a potential target, and the methods of minimizing the possibility of someone discovering something:

The final goal of any intelligence action is to obtain information that can be sold or used as competitive advantage. This can be as simple as a password, or as complex as plans for a corporate takeover.

At the information gathering level, this translates into:
  1. Content of files indexed by search engines - In the ideal intelligence world, everything is contained in a single page document that can be scanned or downloaded from the internet. Although such documents won't surface on the internet unless someone is utterly dumb, bits and pieces of information can be found from files that have found their way on the web and got indexed by the search engines. In order to make such pieces of info useless, hire a person to perform regular 'Google Hacking' to find such documents. Bear in mind that once documents are on the internet and get indexed, you cannot destroy all publicly available copies. Instead, change the information within your company to render the public information useless or false. .
  2. Operational or Potential Business Relationships - web sites, news articles, corporate newsletters of partners and providers can contain names and sites of the target company, even forum and support site posts . While these are harmless by themselves, using these names the investigator can establish that there is some relationship between them, even the nature of the relationship. This can be used in a competitive bid, in social engineering or simply leaked to the public. There is no real protection over such information, except of being aware that such information is 'in the wild'
  3. Real Person Identities - Publicly available names and contact info of any personnel related to the target are a potential gold mine. With the advent of social networks, once you know some one's name, the investigator can proceed with detailed investigation of such persons, and attempts at breaching of their credentials by trying common password combinations (pet names, birthdates, phone numbers etc). Most companies actually prefer to publish real person's names and contacts in the effort to appear closer to their potential clients and partners, so there is no direct protection. Much like in point 1, youshould hire a person to perform regular analysis of which names are publicly available, and what information is available on such persons, with a combined penetration test on their accounts. You can also institute a policy and awareness trainings for such persons to make them aware of their exposure.
  4. Relationship Context - this is merely an extrapolation of real identities, business contacts and online communication. It can give the investigator an insight into 'who receives order from whom' or 'who is close to whom'. Such insight is crucial for social engineering attacks. Controlling is actually controlling the previous 3 points.

In summary, Open Source Intelligence is going to collect information about you and/or your company. You can do little to prevent it, but you can do much to render such information of very little value to anyone.

Talkback and comments are most welcome

Related posts
Digging for information with Open Source Intelligence
Security Information Gathering - Brief Example
Corporate Security - Are the hackers winning?

Digging for information with Open Source Intelligence

Wikipedia defines Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.

In reality, the methodology used in OSINT is the information gathering phase of every penetration phase. They only stuck a fancy name to the process.

Regardless of the name, OSINT is very useful, and it's results can be very well used even outside of the penetration testing process.

The information gathering, or OSINT process can be summarized in the following steps:

  1. Identify your point of interest - who/what is your target of investigation. Start broad, and then narrow down to the interesting elements. For instance, start with a domain name or an IP address pool for a provider, until you find the contacts and names of actual persons. Then you can start drilling for material left on the Internet by them for further useful clues
  2. Collect information from multiple sources - consult search engines corporate sites, mailing list servers, even the old and forgotten Usenet might be useful
  3. Sift through the gathered information to form a useful result- Identify interesting pieces of intelligence for further use

The process looks very simple on paper, but bear in mind that most searches generate tons and tons of possible clues and/or false leads. It takes

Here is what you'll have to deal with:
  • Irrelevant/false hits on a keyword - URL links or sites that contain the same sequence of words but in totally different context. The more generic the terms that you are searching for, the more of these there will be.
  • Fake contacts placed during registration process - looking for that all important 'Who' behind some site or document? Bear in mind that contact information on the web is usually fake to avoid pestering sales persons. And anyone can use your target's name for an alias on a registration.
  • Hundreds or thousands of archived messages from forums and mailing lists - much like the previous one, aliases and nearly useless communication can be found and needs to be sifted through. And you cannot be certain that you are looking at something written by your target of investigation
  • Documents with irrelevant word matching - a large enough digital book will contain all the words of virtually any phrase

There are a lot of tools that will help you on your quest for information, but I'll sum-up those that I find useful

Google hacking - The title says it all. Choose your keywords and then drill for data on google
Maltego CE - a client side program that drills the Internet for information on the element that you have chosen as source. It will return all kinds of possible information for further drill down. Produces a lot of false positives
Silobreaker - an information correlation and pattern recognition system that returns results as summarized information clusters related to your search query. Not always very accurate, so always use other sources.

Talkback and comments are most welcome

Related posts
Security Information Gathering - Brief Example
Corporate Security - Are the hackers winning?

Designed by Posicionamiento Web