Saturday, January 11, 2014
Length 00:25:28
Christmas season malware: you better watch out, Santa is bringing it.
Christmas is the favorite time to distribute malware.
Top 12 scams from Xmas:
1. Charity phishing scam
2. Fake invoice to confirm delivery
3. Fake social networking email request
4. Malicious holiday e-card
5. Luxurious jewelry discounted malicious site
6. On-line identity theft
7. Christmas carol lyrics / ringtone
8. Job related email scam
9. On-line auction site scam
10. Password stealing scam: malware/email/spam campaign
11. Email banking scam, because of the more shopping
12. Ransomware scam
CPE: McAfee AudioParasitic: Episode 75: M$ patch Tuesday
Length 00:07:02
6 bulletins
15 vulnerabilities
Most critical: all code execution vulnerabilities
MS09-063: web service
MS09-064: license logging server
MS09-065: font parsing vulnerability <- nasty one
Kernel vulnerability exploited through GDI
MS09-067: 6 Excel CVEs: code execution vulnerability
AD DoS
CPE: McAfee AudioParasitic: Episode 74: New Mac protection product.
Length 00:17:33
Mac protection
Mac has a lot less malware.
These are DNS changer Poppers.
Popper alone is not a good reason to have Mac protection.
The Popper family is written by a group that has a lot of experience in Windows malware, and they are professional.
Ed Medcalf from McAfee sales marketing:
McAfee is one of the first vendors that provide Mac protection:
- Application control
- Anti-spyware
Managed by centralized ePO.
Mac market is growing:
4.5 years ago Mac share was 3.5%, now 8%.
Mac is becoming an interesting target.
Mac can be a vector: malware may be dormant on Mac but cause problems on M$.
Highlight: traditional AV, anti-spyware, desktop FW, application protection
+ deployed and managed using centralized ePO <- compliance.
CPE: McAfee AudioParasitic: Episode 73: M$ patch Tuesday
Length 00:12:45
Biggest ever M$ patch Tuesday
12 bulletins
37 vulnerabilities <- including kill bit
Nothing that is really old, nothing older than 3-4 months, all recent stuff.
Most critical:
MS09-050: SMB v2 <- worm candidate
MS09-053: not critical but a lot of PoC in the wild
MS09-060: ATL
MS09-062: image-based vulnerabilities, the biggest collection -> vulnerabilities in GDI.
Specially crafted file can cause b0f while browsing.
+ Adobe vulnerability patch.
CPE: McAfee AudioParasitic: Episode 72: Tax SPAM
Length 00:15:26
Tax time SPAM campaign
IRS fake trojan site apparently works, because every year it happens again and again, just like clockwork.
Social engineering using malicious PDF or ActiveX.
The URLs are actually previously known malicious websites, mostly Trojans with botnet capability.
It's a web-based bot, not using IRC.
These malwares leverage the "smart thing": by now most companies block the IRC port, but a web-based command/control bot can still work nowadays.
To make things even more complicated, there is DNS poisoning <- even knowing the URL will not provide 100% protection.
Several dozen fake IRS websites are actually associated with the same IP address.
And this same IP address will be used for other fake websites, such as a fake Mother's Day website.
If there is any doubt, pick up the phone and call.
10-20% of Google results on IRS are malicious websites.
Friday, January 10, 2014
CPE: McAfee AudioParasitic: Episode 71: DoS & trends in Hacktivism
Length 00:22:04
FB, Twitter, South Korean, Aussie gov websites <- DoS
pseudo sponsored political attacks.
Aussie gov DoS'd by a group that does not like the government decision to filter the Internet:
- there was an IRC channel for 12 hours
- there was a countdown, but the coordination fell apart because they didn't know which time zone was used, even when they had a countdown.
- then, after clearing the timing issue, they could not agree on the target
- they actually managed only to knock down 3 websites
- they had created the tools, they had created a wiki, but it all fell apart on the coordination.
The ones that really work are the ones under the radar & well organized - there were too many cooks in the kitchen.
OR there is a reason why people use bots <- no worries about coordination.
Pro-Georgian blogger: his Twitter got blasted. They just targeted 1 guy's account, causing a Twitter DoS.
They tried to knock his FB as well, but FB didn't go down.
Plus, spammed his email.
We see little pieces of message hidden in the malware....
New version of Mac protection is available.
CPE: McAfee AudioParasitic: Episode 70: M$ Patch Tuesday Special Edition
Length 00:09:46
short & sweet
5 bulletins
8 vulnerabilities, all critical
most critical:
MS09-048: vulnerability in TCP/IP
could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service.
MS09-049: wireless LAN autoconfig <- no user interaction
MS09-047: vulnerabilities in Windows Media Format, malicious MP3 for example.
2 more web-based:
MS09-045: vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script.
MS09-046: vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page.
CPE: McAfee AudioParasitic: Episode 69: M$ patches
Length 00:11:09
9 bulletins <- 5 critical/remote code exec
19 vulnerabilities
most critical (via web / very critical because of ease of exploitation):
MS09-037: same as MS09-035 - vulnerabilities in Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website.
ATL library issue applicable to Adobe products & other vendors.
Affecting commercial products and home-grown SW (web plugins).
MS09-038: vulnerabilities in Windows Media file processing.
MS09-039: vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service.
WINS b0f, remote desktop, ASP.NET DoS
workstation memory corruption <- privilege escalation
messaging service <- privilege escalation
MS09-043: vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. In the wild.
MS09-045: vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
HIPS will help make patching manageable.
The bulk of today: ATL & web components.
We had out-of-band releases MS09-034 & MS09-035 <- updated today.
CPE: McAfee AudioParasitic: Episode 68: MS patch Tuesday
Length 00:07:24
the zero patch Tuesday
compared to the last 2 months it is fairly light
6 bulletins
9 vulnerabilities, including the ActiveX killbit
most critical:
1. MS09-028: MS DirectShow, 3 CVEs, CVE-2009-1537: DirectX null byte vulnerability
specially crafted QuickTime <- very easy to exploit
2. MS09-032: vulnerability in Microsoft Video ActiveX Control, killbit update on IE <- exploited in the wild
3. MS09-029: OpenType overflow
exploitable via webpage, remote code exploit: CVE-2009-0231, CVE-2009-0232
the rest are important:
- RSA server
- Publisher
- Virtual PC <- privilege escalation
Thursday, January 9, 2014
CPE: McAfee AudioParasitic: Episode 67: Risk management part 2/2
Length 00:23:21
How is users' malaise, or lack of malaise, quantifiable?
One way to check it: during login, prompt a security related challenge question randomly.
User has to answer 10 questions correctly before they can login.
Then check if it is getting faster or slower for the average user to login.
At the end of the day it is the user who puts the network at risk.
Once you've got the metric, is it really difficult to get the message to the CxO?
Latest trends:
1. Application whitelisting
similar to PCI
McAfee acquired SolidCore.
The world of bad stuff is HUGE and it is growing,
BUT the number of known good is relatively small.
Idea: blended solution <- whitelisting that blends with
2. File integrity monitoring
monitors file system, registry, directory tree, preventing changes in real time.
Whitelisting and file integrity are nothing new, but finally folks realize: all this stuff that people had been screaming about, maybe it was a good idea <- full blown product.
It is amazing how long it takes before people realize that 10 years ago people were saying the same thing: TCP wrappers, tripwire, PGP...
In the future we will be able to make better quantitative metrics compared to qualitative.
Big part of SOX: cyber control.
Government is getting more and more involved -> there will be more regulation.
At the same time cyber crime will adapt to new regulation.
Risk management role:
- make things as automated as possible
- killing the 80/20
but the 1% left will be the professional malware writers getting more sophisticated and more esoteric.
Risk and compliance is all about auditing.
-> if you do it properly you can do it once and report many many times
-> the effort will be reduced
SolidCore: where product and technology work out of the box.
CPE: McAfee AudioParasitic: Episode 66: Risk management
Length 00:20:53
With Stuart McClure, Part 1/2
Policy compliance -> risk metric -> reporting of risk management. Start with vulnerability management -> security risk management -> eventually policy & compliance management.
Vulnerability management: looking at the design flaws of SW & HW, looking for policy that will prevent those vulnerabilities from being exploited even if the vulnerabilities exist.
Risk management: combine vulnerability management with risk management (identification, assessment, and prioritization of risks).
Ahead of time, finding policies -> good computer hygiene practice & guidelines.
If there is a critical vulnerability on a critical system, patch immediately or mitigate immediately.
Need to know which assets/systems matter most.
Match the countermeasure for the vulnerability with the criticality.
It has to be good timing.
Not enough enterprises really understand the importance... It's depressing, especially bigger enterprises.
Most enterprises have no clue what asset is most critical to them.
Got to make it tangible to them: "what happens if they lose A, B, C..."
Disaster recovery: if our network goes down, what does it mean to us?
Availability - Confidentiality -
Nowadays many policies require accountability and reporting.
Top 2 things that drive policy:
1. Being attacked
2. Having a compliance mandate
Such as HIPAA: I'm going to have jail time or lose my job if I don't do this...
CardSystems: went bankrupt the same year that they got hacked.
Sometimes people say malaise is the most difficult thing to deal with.
If you just do 2 things:
1. Do not click links that you don't trust
2. Do not open attachments
you'll eliminate 80% of the problem.
IF YOU CAN'T TRAIN USERS - SECURITY PRODUCTS CANNOT HELP
Pinpoint... the wget on steroids
This is cool stuff:
drive-by download analyzer to find the malware object faster
http://www.kahusecurity.com/2014/pinpoint-tool-released/
<snip>
Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too
It's great that there are security researchers like Darryl making this world more secure. Kudos.
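The core of the approach quoted above is static: parse the fetched page without executing anything and list the script, stylesheet, frame and iframe URLs it pulls in, so each can be fetched and examined on its own. The Python below is an added illustration of that idea, not Pinpoint's own code; the sample page, hostnames and the tag-to-attribute table are constructed for the example.

```python
"""Pinpoint-style static resource extraction (added illustration, not the Pinpoint tool).
Parses already-fetched HTML with no script execution and lists the external
resources a browser would load to render it."""
from html.parser import HTMLParser
from urllib.parse import urljoin

class PageResourceExtractor(HTMLParser):
    """Collect (kind, absolute URL) for tags that make up the page."""
    # constructed mapping: tag -> (attribute carrying the URL, resource kind)
    TAGS = {
        "script": ("src", "javascript"),
        "link": ("href", "css"),
        "frame": ("src", "frame"),
        "iframe": ("src", "iframe"),
    }

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # (kind, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        attrs = dict(attrs)
        url_attr, kind = self.TAGS[tag]
        # only <link rel="stylesheet"> is CSS; icons, prefetch hints etc. are skipped
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        url = attrs.get(url_attr)
        if url:  # inline <script> blocks have no src and fetch nothing
            self.resources.append((kind, urljoin(self.base_url, url)))

def extract_resources(html, base_url):
    """Return the list of (kind, absolute URL) the page references, without rendering it."""
    parser = PageResourceExtractor(base_url)
    parser.feed(html)
    return parser.resources

# Constructed sample page (hostnames are placeholders, not real sites):
# an external script, a protocol-relative URL and a zero-size iframe.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="icon" href="/favicon.ico">
<script src="//cdn.example.test/lib.js"></script>
</head><body>
<iframe src="http://landing.example.test/go.php" width="0" height="0"></iframe>
<script>document.write("inline, nothing to fetch");</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in extract_resources(SAMPLE_HTML, "http://page.example.test/index.html"):
        print(f"{kind:10s} {url}")
```

Because nothing is executed, obfuscated script that builds its URLs at run time will not show up here; that is exactly the gap the quoted tool's approach leaves for a later, separate analysis of each downloaded file.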
Labels: secblog
Yahoo! spreading malware
Bad enough that some search results point to drive-bys... this is terrible.
Labels: secblog
Wednesday, January 8, 2014
"Attacks only get better" ~ a guy named Robert
The Cryptographers' Panel - Ari Juels - RSA Conference US 2013
Labels: secblog