Tuesday, August 31, 2004

RedHat to Add ExecShield, NX and Other Security Technologies in Next Update

I just read this whitepaper about new security features in RedHat Enterprise Linux Update 3. I use this distro extensively at work, and it's pretty good. I'm happy to see that NX support, ExecShield and other technologies they've already added to Fedora will finally be coming to RHEL.

There's a section at the end of the paper that claims these additional security measures would have stopped 75% of all the security issues for which patches were released from November 2003 to August 2004. That's a pretty impressive number. Of course, you still need to apply the vendor security patches in a timely fashion, but this looks to be a very handy safety net.

Wednesday, August 25, 2004

An Illustrated Guide to Cryptographic Hashes

Hey, this is pretty cool! UnixWiz.net has a great article entitled An Illustrated Guide to Cryptographic Hashes. If you're having trouble following the recent talk about cryptographic hash collisions being found, this might be just the thing to show you why this could be a big deal someday.

[Thanks to joatBlog for pointing this out.]

e-Jihad? "e-Yeah, right."

Well known Russian anti-virus vendor Kaspersky Labs is feeding the FUD machine. Its head, Yevgeny Kaspersky, is quoted in this article about the coming cyber-jihad. Apparently, tomorrow (Thursday, August 26) there will be a "large scale virus attack" that "might be delivered by Islamic terrorists".

I don't know about you, but I go through every day thinking, "There might be a large-scale virus attack today." And a lot of the time, I'm right. Either I've somehow got a psychic connection with Islamic terrorists, or this isn't news because it happens all the time. You choose. Kaspersky, you are better than this.

Update 08/26/04: Although this story was widely reported, Kaspersky Labs says it was just a misunderstanding of what Mr. Kaspersky was actually saying. See this story for more details.

Friday, August 20, 2004

XP SP2 ADS Feature No Cause For Alarm

F-Secure's AntiVirus Research Weblog has a good article explaining one of the less publicized features of SP2. Now, whenever you download a file through IE, it creates an Alternate Data Stream (ADS) attached to that file that specifies which network zone the file came from. The idea here is that if you download an executable file from an untrusted zone (ie, the Internet) and save it on your hard drive, the system won't later let you run it unless you first submit to a popup dialog acknowledging that you know it might be dangerous.

This feature only works on NTFS filesystems, so floppy disks and USB dongles are still vulnerable, but it seems like a good idea overall. Unfortunately, as this advisory points out, there are ways to get around this restriction.

Thanks to joatBlog for pointing out the F-Secure article.

Thursday, August 19, 2004

Will a firewall at the South Pole melt through?

Ok, this is a little weird. Apparently, a National Science Foundation research station at the South Pole was hacked earlier this year. Although the NSF disputes the claim, US Attorney General John Ashcroft and the FBI have at various times claimed that the attack placed the lives of the scientists there at risk, because the life support system was compromised. That may or may not be true, but it's certainly a convenient excuse for them to tout the USA PATRIOT Act and how they say it saved 58 lives.

I have no way to verify the claims on either side, but if you're interested in more information, SecurityFocus.com has the scoop.

Wednesday, August 18, 2004

CIS Releases FreeBSD Scoring Tool

The Center for Internet Security is well known for their series of security benchmark tools. They've recently released their new FreeBSD tool, as well as an update to their Solaris version.

If you're not familiar with them, you should be. They scan a system for common configuration errors and provide you with plenty of good feedback about what you can do to improve your security posture. Perhaps more importantly, they also calculate a numeric "score" you can use to as an executive educational tool.

Versions of the scanner are available for various Unix and Windows systems as well as Cisco's IOS and the Oracle database.

Tuesday, August 17, 2004

SHA-0 Broken. SHA-1, MD5 Next?

Here's another story that's been widely reported. Apparently the SHA-0 cryptographic hash function has been broken. In this sense, "broken" means that somone found a way to take a message and it's associated hash, then create a different message that has the same hash. This could be a Very Bad Thing, since these sorts of functions are used as the basis for a lot of encryption and digital signature protocols. Check out the /. version of this story here.

Monday, August 16, 2004

NIST PDA Forensics Guidelines Posted

Everyone and their brother is posting about this, but
what the heck, it's good stuff and you should read it.
The National Institute of Standards and Technology (NIST) has posted a draft of their new Guidelines on PDA Forensics. They cover analysis of PalmOS, PocketPC and Linux-based PDAs. Give it a read, and be
sure to comment on the draft if you have anything to

Friday, August 13, 2004

Emergency Alert System Vulnerable

Ok, this one is actually a little scary. You know about the Emergency Alert System that allows the government to
interrupt radio and TV broadcasts to put out... well... Emergency Alerts. According to an article over at SecurityFocus.com, this thing has more holes than Swiss cheese, and is vulnerable not only to Denial of Service, but to spoof attacks which might allow someone to inject false messages that are sent out without any sort of human review whatsoever. I can only speculate about what sort of havoc this could cause in the wrong hands and under the wrong circumstances.

Monday, August 09, 2004

Metasploit Framework 2.2 released

Metasploit is a great tool, and version 2.2 promises several soon-to-be indispensable features, including DLL injection payloads, VNC support, and support & documentation for creating your own custom exploit modules.

Friday, August 06, 2004

Tor: Anonymous TCP

Tor is an anonymizing layer on top of TCP. It uses a concept called "onion routing" to keep your online activities anonymous. Basically, packets are routed at random through a network of Tor servers (provided by the Tor user community), making it very difficult to trace their real origin. The contents are encrypted separately for each server, so only the final Tor server will be able to read your payload data, just before it is sent to it's final destination, but by that time the IP information tying that packet to you will be lost.

In short, Tor is to TCP what Mixmaster is to email.

If this all sounds too confusing, check out the nice article on Wired's website.

Thursday, August 05, 2004

Hack the Vote

I don't think much of hacking challenges in general.
They can prove a system is vulnerable, but they cannot
prove that it is not. In other words, if you're successful, there's obviously a problem, but if you're unsuccessful, maybe you just didn't hit on the magic combination.

That being said, here's a hacking challenge that might be worth looking into. Rebecca Mercuri's challenge to e-voting machine vendors to open themselves up to scrutiny by the security community is on the money, even without the $10,000 prize.

Wednesday, August 04, 2004

Singapore needs hackers... why?

I'm more than a little suspicious of this AP article. It seems that Singapore is holding a national hacking contest to "help shed light on ways to prevent actual computer attacks". They could do this more cheaply and effectively by visiting their local bookstore and picking up a copy of Hacking Exposed or something. It's just a feeling I have, but their stated reason doesn't seem on the level.

Monday, August 02, 2004

HTTP tunneling for pen testers

SecurityFocus has published a nice article detailing the basics of HTTP tunneling. Tunneling is a technique that encapsulates network traffic inside other network traffic. In this case, you can encapsulate your attack traffic inside HTTP traffic, which is most likely allowed through your target's perimeter defenses.