"Our main result is that we are in possession of a “rogue” Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the “root CA certificates” present in the so called “trust list” of the browser."
Full story on the ZeroDay blog:
SSL broken! Hackers create rogue CA certificate using MD5 collisions
MD5 considered harmful today - Creating a rogue CA certificate
It’s unanimous, Web application security has arrived
The article has a series of quotes from various sources supporting the claim, with several lists of the main vulnerabilities found.
Software [In]security: Software Security Top 10 Surprises
By Gary McGraw, Brian Chess, Sammy Migues
The 10 surprises:
9. Not only are there no magic software security metrics, bad metrics actually hurt.
8. Secure-by-default frameworks can be very helpful, especially if they are presented as middleware classes (but watch out for an over focus on security "stuff").
7. Web application firewalls are not in wide use, especially not as Web application firewalls.
6. Involving QA in software security is non-trivial... Even the "simple" black box Web testing tools are too hard to use.
5. Though software security often seems to fit an audit role rather naturally, many successful programs evangelize (and provide software security resources) rather than audit even in regulated industries.
4. Architecture analysis is just as hard as we thought, and maybe harder.
3. Security researchers, consultants and the press care way more about the who/what/how of attacks than practitioners do.
2. All nine programs we talked to have in-house training curricula, and training is considered the most important software security practice in the two most mature (by any measure) software security initiatives we interviewed.
1. Though all of the organizations we talked to do some kind of penetration testing, the role of penetration testing in all nine practices is diminishing over time.
0. Fuzz testing is widespread.
10 GPS Vulnerabilities
by Lieutenant Colonel Thomas K. Adams, US Army, Retired
For centuries explorers have navigated by fixed stars. Today our increasingly expeditionary military navigates by orbiting emitters. Satellites enable flexible communication and precise navigation that were unimaginable a generation ago. Space-based technologies reach down into everyday military business so much that interrupted service immediately and fundamentally degrades operations. Adams describes various threats to US satellites, systems that use their signals and a military that depends on falling stars.
Rethinking computing insanity, practice and research
from the CERIAS blog
We have crippled our research community as a result. There are too few resources devoted to far-ranging ideas that may not have immediate results. Even if the program managers encourage vision, review panels are quick to quash it. The recent history of DARPA is one that has shifted towards immediate results from industry and away from vision, at least in computing. NSF, DOE, NIST and other agencies have also shortened their horizons, despite claims to the contrary. Recommendations for action (including the recent CSIS Commission report to the President) continue this by posing the problem as how to secure the current infrastructure rather than asking how we can build and maintain a trustable infrastructure to replace what is currently there.
Breaking Google Gears' Cross-Origin Communication Model
from the IBM Rational Application Security Insider blog
"To help protect users from malware and to maintain portability, we have defined strict rules for valid modules. At a high level, these rules specify 1) that all modules meet a set of structural criteria that make it possible to reliably disassemble them into instructions and 2) that modules may not contain certain instruction sequences. This framework aims to enable our runtime to detect and prevent potentially dangerous code from running and spreading"
but it is plain to see that this will be an inexhaustible source of problems. In fact the problem may even be unsolvable, since it amounts to looking at a program and deciding whether or not it is safe.
Addendum, 22/12/08: a Google report on NaCl is now available.
The idea seems original to me, although others will surely appear doing the same: a search engine for looking up terms inside malware configuration files. The idea is to let, for example, a financial institution check whether its sites are targets of the current versions of certain worms and other malware. The current version searches within only three strains:
SilentBanker configuration file (Q1 2008)
WSNPOEM/Zeus/PRG/Zbot configuration file (Q4 2008)
Torpig configuration file (Q2 2008)
more information: http://www.trusteer.com/FIsearch/open_search.php
at NIST (SAMATE project): https://samate.nist.gov/index.php/Source_Code_Security_Analyzers
on Wikipedia: http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
"I may be in the minority by stating the following, however, I believe that web defacements are a serious problem and are a critical barometer for estimating exploitable vulnerabilities in websites. Defacement statistics are valuable as they are one of the few incidents that are publicly facing and thus can not easily be swept under the rug.
The resulting risk of a web defacement might be low because the impact may not be deemed a high enough severity for particular organizations. What most people are missing, however, is that the threat and vulnerability components of the equation still exist."
from the Tactical Web Application Security blog (post)
... Before I begin, know that I believe that there is no silver bullet to application security. Nor do I think static source code analysis is the "best" method of finding vulnerabilities. Here are some of the valid or most important reasons that static analysis should not stand alone:
* Static analysis is really best at finding semantic flaws - bad API use or failure to use certain API's, etc.
* Static analysis doesn't give compelling pretty pictures and videos of your application giving up information. The results of a static analysis are only meaningful to developers, and then, only meaningful to developers who understand the real risk of the types of findings.
* Static analysis almost always requires really expensive tools to do a really, really good job. There are grep types of analyzers, but they don't follow taint through an application.
* Static analysis may analyze components of your code that don't get used. There are still prioritization decisions to be made.
* Static analysis tools can't find logical flaws such as privilege escalation or XSRF.
* Static analysis has different requirements than black box testing:
o Developers who understand the code and can fix it
o The source code
o For many tools, the code needs to at least build (doesn't have to run)
However, there are some really, really good reasons static analysis should be a part of your security toolbelt:
* Static analysis can find vulnerabilities that dynamic analysis can't - corner cases. "This cross-site scripting flaw only exists on Tuesdays" - if your application was tested in a running state on Monday, you won't know that the flaw exists. Thread safety issues are very bad for an application, but a black box test of an application might never cause one to come up, and if it does, it's nearly impossible to reproduce, and the results don't say to the oracle that it was that type of vulnerability. (For example, the application gave you access even though you used the wrong password.)
* The results of static analysis are meaningful to developers. They get lines of code back where untrusted data enters the application, where it flows through the application, and when it exits the application. These are the exact lines that the developers need to fix, which a black box test alone can't give you.
* Since the results of a static analysis are geared toward the developers, it provides "instant training" for developers. "What does it take to make this shut up?" (While I prefer developers understand why you want it to shut up, finding all the places is pretty good, too.)
* Static analysis can happen much earlier in the development process, long before the application is functional. This gives black box testers more time to test the really cool stuff that static analysis can't find.
* Static analysis can take place as part of a build process, automatically generating problem tickets and/or preventing the promotion of code with high-probability, high-risk findings. This can be done with automated black-box tools, but it requires a running environment - many more moving parts.
Powerfuzzer is a highly automated web fuzzer based on many other Open Source fuzzers available (incl. cfuzzer, fuzzled, fuzzer.pl, jbrofuzz, webscarab, wapiti, Socket Fuzzer) and information gathered from numerous security resources and websites. It is capable of spidering website and
Currently, it is capable of identifying these problems:
- Cross Site Scripting (XSS)
- Injections (SQL, LDAP, code, commands, and XPATH)
- HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)
Designed and coded to be modular and extendable. Adding new checks should simply entail adding new methods.
text lifted directly from here
Building A Web Application Security Program: Part 3, Why Web Applications Are Different
on the Securosis blog
the list of reasons:
Custom code equals custom vulnerabilities
You are the vendor
Firewalls/shielding alone can’t protect web applications
Eternal Beta Cycles
Reliance on frameworks/platforms
Heritage (legacy) code
New vulnerability classes
When you have to display html from the user
from the Code Insecurity blog
The obvious problem is that reflecting user input is halfway to enabling cross-site scripting (XSS) attacks. If the input is HTML, even worse. A summary:
Step 1: Explicitly define the set of allowed tags.
Step 2: For each tag defined above, explicitly define the set of allowable attributes.
Step 3: Define a set of regexes to test the input from the user against the defined tags and attributes.
Step 4: Remove anything that does not pass the regex test. (This is the sanitization part)
Step 5: Be diligent. (Just like always)
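The five steps above as working code, added here as an illustration; it is not code from the Code Insecurity post. It uses only the Python standard library: a tag allowlist, a per-tag attribute allowlist, a scheme check on href values (browsers strip tabs and newlines inside a URL and decode entities before they interpret the scheme, so the check does both first), and rebuilding the output from parsed tokens with all text re-escaped, so that disallowed tags are dropped while their text content is kept. The particular tag and attribute sets are an assumed policy for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Steps 1 and 2: allowed tags, each with its allowed attributes
# (an example policy, assumed for this illustration).
ALLOWED_TAGS = {
    "p": set(),
    "br": set(),
    "b": set(),
    "i": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# Schemes an href may use; "" is a relative URL such as /about.
SAFE_SCHEMES = {"http", "https", "mailto", ""}


def url_is_safe(value):
    """Reject javascript:, data:, vbscript: and friends, including the
    spellings browsers still honour: tabs or newlines inside the scheme,
    leading whitespace, mixed case."""
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from parsed tokens, keeping only allowed tags and
    attributes (steps 3 and 4). Text is always re-escaped, so a dropped
    <script> tag leaves its content behind as inert text."""

    def __init__(self):
        # convert_charrefs=True: entity references are decoded before we see
        # them, so "&#106;avascript:" reaches url_is_safe as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue
            if name == "href" and not url_is_safe(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray close tag, or one for a tag we dropped
        while self.open_tags:  # also close anything left open inside it
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to
    # HTMLParser's no-op handlers and are therefore discarded.

    def result(self):
        self.close()  # flush buffered text
        while self.open_tags:  # close whatever the input left unclosed
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    for sample in ('<p onclick="x()">Hi <b>there</b></p>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<script>alert(1)</script><i>a < b'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Filtering the parsed token stream rather than running regexes over the raw string is the safer way to carry out step 3: the parser has already resolved entity-encoded attribute values and malformed tags by the time the allowlist is applied. For production code a maintained sanitizer library is still preferable to a hand-rolled one; the point here is the shape of the check.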
Input Validation - Not That Important on the manicode blog
The post starts by saying that validating input is less important than encoding it:
When I bring up almost any category of web application injection attacks, most folks in the field almost instinctively begin talking about "input validation". Sure, input validation is important when it comes to detecting certain attacks, but encoding of user-driven data (either before you present that data to another user, or before you use that data to access various services) is actually a great deal more important for truly stopping almost any class of web application injection attack.
but then there is an interesting discussion with arguments in favour of validation:
Encoding is the best way to protect against injection based attacks, as it is always safest to make sure the content you are handing off elsewhere is well formed and safe (...)
Input validation is the best way to protect your own app and its logic, while output encoding/sanitization is the best way to protect components you communicate with (clients, other servers, the system you are one, etc).
which leads to the post:
Output Sanitization on the Analytical Engine blog
An interesting case is second-order injection, which I believe is not solved by encoding.
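A minimal reproduction of second-order injection, added as an example and not taken from any of the posts linked above. The attacker's username passes a plausible name allowlist and is stored with a bound parameter, so there is no first-order injection; the flaw appears later, when a different code path reads the value back from the database and concatenates it into a new statement. The table, the names and the admin'-- payload are constructed for the example; SQLite is used because it ships with Python.

```python
import re
import sqlite3

# Input validation: a name allowlist loose enough for O'Brien or Anne-Marie.
# It also lets "admin'--" through, which is the point of the example.
NAME_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,32}$")


def make_db():
    """Constructed fixture: an in-memory database with one privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return conn


def register(conn, username, password):
    if not NAME_RE.match(username):
        raise ValueError("username rejected by input validation")
    # Bound parameters: no first-order injection is possible here.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, session_user, new_password):
    # The username is read back from the database and trusted because it
    # "was validated when it came in" ...
    (stored,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (session_user,)).fetchone()
    # ... and then concatenated into a new statement. With stored == "admin'--"
    # the clause becomes  username = 'admin'--'  : the trailing quote is
    # commented out and admin's password is the one that changes.
    conn.execute("UPDATE users SET password = ? WHERE username = '%s'" % stored,
                 (new_password,))


def change_password_safe(conn, session_user, new_password):
    (stored,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (session_user,)).fetchone()
    # Every value is bound at the sink, whatever its origin.
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, stored))


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0]


def run(change_password):
    """Register the attacker, let them change 'their own' password, and
    return (admin's password, attacker's password) afterwards."""
    conn = make_db()
    attacker = "admin'--"
    register(conn, attacker, "x")            # passes validation, stored safely
    change_password(conn, attacker, "owned")
    return password_of(conn, "admin"), password_of(conn, attacker)


if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))  # ('owned', 'x')
    print("safe:      ", run(change_password_safe))        # ('admin-secret', 'owned')
```

The contrast between the two change_password functions is where the second-order case sits in the validation-versus-encoding debate: validation constrains what enters, but the database is not a trusted source either, and the value has to be bound (or otherwise encoded for its destination) at every sink it later reaches.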
DNA database ready to start and promises to reduce unsolved crimes
The final step has been taken towards the creation of the Portuguese database of DNA profiles for civil and criminal identification. The regulations and operating rules still needed to put that instrument into practice were published the day before yesterday in the Diário da República, so the Instituto Nacional de Medicina Legal (INML) is now able to collect the genetic information of everyone convicted of intentional crimes with an actual prison sentence of three years or more.
A surprising figure from Secunia. Note that the figure refers to not having all software patched, which is different from not having the operating system patched. Still, even for the operating system the numbers are unlikely to be brilliant, since according to the post on Secunia's blog:
Number of insecure programs per PC/user:
0 Insecure Programs: 1.91% of PCs
1-5 Insecure Programs: 30.27% of PCs
6-10 Insecure Programs: 25.07% of PCs
11+ Insecure Programs: 45.76% of PCs
Meanwhile, some are starting to suggest that patches be made mandatory:
I am 100 percent aware of how unpopular an idea forced updating is, but that instinctive revulsion (I cringed, too) is itself an important part of the security problem. At what point do the very real costs of fighting and destroying botnets and the loss of productivity of the individual user begin to outweigh our collective desire to completely control how and when updates are performed? For Microsoft, that question isn't an intellectual exercise, but a real concern—how do you solve a security problem that's caused by users refusing to update their machines?
‘Dumbing down’ the security profession
Excerpt: "The usefulness of analysis tools for augmenting security reviews is undeniable. On large code bases it can reduce time investments. It provides insight into the code analysis process and can be used as a guide for reviewers. However, a negative trend is emerging where enterprises are relying solely upon automated approaches to gain insight into risk. This invokes a false sense of security as the relying party is likely unaware of the deficiencies associated with security guarantees that tools promote."
Breaking the zero-day habit
Excerpt: "I think that security professionals can spend their time more effectively by NOT chasing after the latest exploit, vulnerability or other attention-grabbing issue. Very small minorities of security folks actually have adequate defenses in place right now. The majority still has a lot of blocking and tackling to complete before they should be worried about the latest and greatest exploits."
Excerpt: "The Comissão Nacional de Protecção de Dados (CNPD) considered yesterday that drivers' right to privacy is not guaranteed in the bill that would make the installation of an electronic device on motor vehicle licence plates mandatory, in an opinion that compromises the Government's goal of moving ahead with the new system at the start of 2009."
The Big Four Cloud Computing Providers: Security Compared (Part I)
"The point here is that the quantification of what "security" means in the cloud is as abstracted and varied as the platforms that provide the service. We're essentially being asked to take for granted and trust that the underlying mechanicals are sound and secure while not knowing where or what they are. "
The CRUTIAL way of Critical Infrastructure Protection
Alysson Bessani, Paulo Sousa, Miguel Correia, Nuno Ferreira Neves, Paulo Veríssimo
IEEE Security & Privacy, Nov/Dec 2008.
Movement demands anti-piracy measures from the Government
26.11.2008, João Pedro Pereira
The Movimento Cívico Antipirataria na Internet (MAPiNET), recently formed by representatives of the music and audiovisual sector, criticises the lack of means in Portugal for fighting piracy and this afternoon delivers to the Prime Minister and the parliamentary groups a manifesto calling for new measures to prevent the downloading of illegal files.
The movement paints a bleak picture for the cultural industries in Portugal. Internet piracy, above all of films and music, has caused the closure of small companies and a "sharp" loss of earnings, argued Alexandre Bravo, one of the movement's spokesmen and representative of Portuguese video rental shops, at a press conference yesterday.
The solution, MAPiNET argues, could be something similar to the Olivennes agreement, adopted about a year ago in France (...)
The French strategy decriminalises small-scale pirates (typically those who download for home consumption) and has access providers monitor suspicious activity and suspend the connection of anyone who downloads illegal content. The system is simple: if, after three warnings, users do not stop downloading illegally, their Internet connection is cut off. (...)
Law hampers investigation of many cybercrimes
Portugal's computer crime law dates from 1991 and is out of date, argue the representatives of the Movimento Cívico Antipirataria na Internet, who today take their complaints to the Government.
In 2001 the Council of Europe drew up a convention on cybercrime (of which Portugal is a signatory) that could solve some of the problems and give the authorities new investigative tools, but the text has still not been transposed into Portuguese legislation (which also has not happened in many other countries that signed the document).
It smells of conspiracy theory, but it is not impossible and the temptation is obvious. From a technical standpoint there are a number of interesting questions. It is not evident how a chip placed inside the memory or even the CPU could be contacted from the network. If the goal is to steal information, it is not clear how a chip could read the disk (accessing the disk requires drivers, which are software several layers of abstraction above the hardware). Etc.
The article at the Daily Artisan:
AND NOW THE MANCHURIAN MICROCHIP
Nothing new, but it has a simple explanation of each tool and of why to use it to protect a Linux machine:
Turn Linux into Fort Knox: 10 Tools for a Safer Web Server
It won't revolutionise computer security, but if every Linux machine used those 10 tools nothing would be lost.
Article at eWeek.com: Script Fragmentation Attack Could Allow Hackers to Dodge Anti-virus Detection
Security researcher Stephan Chenette opened up to eWEEK about a new Web attack vector that could potentially render desktop and gateway anti-virus products useless. (...) Similar to TCP fragmentation attacks, it involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade anti-malware signature detection.
"What this attack enables you to do is really get exploit code from the server into the browser memory and trigger the exploit (...) Once you actually are able to trigger that exploit, you own that machine, so that means you can disable anti-virus, you can disable any protection mechanism after the fact."
The attack (...) has not been seen in the wild (...) works on all the major browsers (...) however, it is not a browser vulnerability—it merely takes advantage of the way browsers work.
- Information Security: An Integrated Collection of Essays
- Edited by Marshall D. Abrams, Sushil Jajodia, Harold J. Podell
- IEEE Computer Society Press, Los Alamitos, CA USA, 1995
- ISBN: 0-8186-3662-9, LoC CIP: 94-20899, DDN: QA76.9.A25I5415
- Building a Secure Computer System
- Morrie Gasser
- Van Nostrand Reinhold, New York, NY USA,1988
- ISBN: 0-442-23022-2, LoC CIP:87-27838, DDN: QA76.9.A25G37
- Security Engineering
- Ross Anderson
- John Wiley & Sons, Inc., 2001
- ISBN: 9780471389224
at the IATAC (Information Assurance Technology Analysis Center) site. I haven't read it, but I was impressed by its three-hundred-odd pages: Software Security Assurance.
Overview: The objective of software assurance is to establish a basis for gaining justifiable confidence that software will consistently demonstrate one or more desirable properties. These include such properties as quality, reliability, correctness, dependability, usability, interoperability, safety, fault tolerance, and, of most interest for purposes of this document, security.
a fresh document from the Software Assurance Forum for Excellence in Code (SAFECode):
"The Software Assurance Forum for Excellence in Code (SAFECode) has released its second member report, "Fundamental Practices for Secure Software Development." Based on an analysis of the individual software assurance efforts of SAFECode members, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. "
Download Development Practices Paper (pdf) 2.1M
Politically Motivated Computer Crime and Hacktivism
News and information on the misuse of technology for political reasons. Politically motivated computer crime covers a wide range of activity promoting the objectives of individuals, groups or nations supporting a variety of causes such as: Anti-globalization, trans-national conflicts, terrorism and 'hacktivists'.
"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing."
The full article on the Zero Day blog:
Why did Microsoft wait 7 years to fix SMBRelay attack flaw?
Bad seed ISP Atrivo cut off from rest of the Internet
Spam sees big nosedive as rogue ISP McColo knocked offline
The programme is available at http://sino2008.dei.uc.pt/index.php?file=programa and registration is still open.
Quantum key distribution meets the real world, fails
Obviously I don't mean that quantum crypto has no value or that it cannot in fact provide a high degree of security: it probably can. What has now become clear is that it is not enough to say "quantum" for security to appear by magic.
- fuzzer for web apps
- seems more sophisticated than WebScarab (as a fuzzer); configurable, supports sessions, takes into account where resources live on the most common servers
- alpha status, 100% operational
Ruby on Rails Security project
- guide (document) on the security of Ruby on Rails and related technologies (MySQL, server)
- tool for "passive analysis" of web app vulnerabilities, i.e., run over the logs after a security scanner has executed
- web proxy
- not new, but by asking the author I (finally) learned how to run it with more memory, so that it can handle more messages: just give Java a heap size above 64M. For example, for 512M, depending on the version, add -Xmx512M or -Xms512000000 -Xmx512000000 (e.g. by editing the WebScarab shortcut)
ModSecurity - an open source web application firewall that runs as an Apache module
ESAPI - a free and open collection of all the security methods that a developer needs to build a secure web application
Firebug - a Firefox plugin that lets you view and modify every element of a page
Burp Suite - an integrated platform for attacking web applications
and finally: a comic book about Google Chrome (!)
OWASP LiveCD 2008 - similar to BackTrack but focused on web applications
Damn Vulnerable Linux (DVL) - is a Linux-based tool for IT-Security; is a perverted Linux distribution made to be as insecure as possible. It is a collection of IT-Security tools. Additionally, it includes a full-scale lesson-based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. As well it can be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as much training options as it can. It contains a huge amount of lessons including lesson description - and solutions if the level has been solved by a community member at crackmes.de.
Samurai Web Testing Framework - is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
(for the links --> Google)
Black market for zero day vulnerabilities still thriving
Source: Zero Day
Cloud-computing zombies for $299 per month
Source: ZDNet News
ArsTechnica: Researchers disclose deadly cross-platform TCP/IP flaws
ZeroDay: Infamous vendor of “AntiVirus XP” badware sued
A long and interesting article discussing several of Chrome's security mechanisms. The thread running through the article is an alleged violation of Microsoft's EULA, but the discussion of the security mechanisms is what is really interesting.
At ArsTechnica: Chrome antics: did Google reverse-engineer Windows?
Whenever attacks against routers come up, someone says "impossible." Well, here goes: a Cisco "mega patch" fixing several critical vulnerabilities.
On the ZeroDay blog: Cisco mega patch plugs serious IOS vulnerabilities
From the ZeroDay blog: Clickjacking: Researchers raise alert for scary new cross-browser exploit
at Wired: http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
slides from the DEFCON presentation: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
(with thanks to Wagner Dantas)
"A new open-source project called OpenVAS has emerged to take the place of Nessus, the popular vulnerability assessment system that closed its source a few years ago."
Story on the ZeroDay blog: http://blogs.zdnet.com/security/?p=1715
OpenVAS site: http://www.openvas.org/
The results are interesting, but one must understand that they are worth what they are worth. For example, the newspapers report (with concern) that 1 in 5 computers in Portugal is vulnerable. That number is wildly optimistic! Looking at the list of vulnerabilities given above, it is easy to see that a PC lacking the latest patches for Windows, Real Player, Acrobat or Firefox may well not be flagged as vulnerable, and if it is... On the other hand, any machine running complex software is certainly vulnerable, even if nobody knows it yet.
All told, and once again taking the published list of vulnerabilities at face value, Nonius tests for two kinds of problem: configuration vulnerabilities (protocol versions known to be vulnerable, permissive permissions, etc.) and the presence of certain strains of malware.
from Wikipedia: http://en.wikipedia.org/wiki/Russian_Business_Network
Note (28/7/2008): thanks for the comment. The link was missing: http://www.pse.com.pt/
Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker can abuse package managers that use digital signatures.
Kaminsky to discuss DNS flaw at Black Hat sponsored webcast
It’s all over the news: Dan Kaminsky found a major, fundamental flaw in DNS that renders practically any name server vulnerable. He’ll be speaking in depth on this discovery in August at BH USA, but he’s agreed to discuss it a few weeks early.
Has Halvar figured out super-secret DNS vulnerability?
Both stories are from the Zero Day blog
Award-winning text: http://www.di.fc.ul.pt/Informatica/Special:Abstracts?key=Sousa:SegurancaEDisponibilidade:2008
Award site: http://www-05.ibm.com/pt/events/pc/premio.html
Site with media coverage: http://premiocientificoibm2007.blogspot.com/
Remote code execution through Intel CPU bugs
Zero Day blog
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
Google Online Security Blog: http://googleonlinesecurity.blogspot.com/
Ratproxy site: http://code.google.com/p/ratproxy/
Zero Day: http://blogs.zdnet.com/security/?p=1388
Other interesting proxies: WebScarab, Paros (WebScarab is very good for small tests but quickly fills up memory and hangs)
Google itself also published a fuzzer a while ago, Bunny the Fuzzer:
A closed loop, high-performance, general purpose protocol-blind fuzzer for C programs.
Uses compiler-level integration to seamlessly inject precise and reliable instrumentation hooks into the traced program. These hooks enable the fuzzer to receive real-time feedback on changes to the function call path, call parameters, and return values in response to variations in input data.
This architecture makes it possible to significantly improve the coverage of the testing process without a noticeable performance impact usually associated with other attempts to peek into run-time internals.
Bunny the Fuzzer site: http://code.google.com/p/bunny-the-fuzzer/
More information at ArsTechnica:
"GHH is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a “Google Hack” honeypot. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
(...) Google (...) allows for searching on an immense amount of information. The Google index has swelled past 8 billion pages [February 2005] and continues to grow daily. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administrative tools has resulted in an increase in the number of misconfigured and vulnerable web apps available on the Internet.
These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users. GHH is a tool to combat this threat. "
GHDB - Google Hacking Database
"We call them 'googledorks': Inept or foolish people as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe!"
Peach is a cross-platform fuzzing framework written in Python. Peach can fuzz just about anything from COM/ActiveX, SQL, shared libraries/DLL's, network applications, web, you name it.
Some posts on the subject on the Zero Day blog:
Blackmail ransomware returns with 1024-bit encryption key
Who’s behind the GPcode ransomware?
PHP Shell is a shell wrapped in a PHP script. It’s a tool you can use to execute arbitrary shell-commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree a SSH connection.
You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc. can be used." http://phpshell.sourceforge.net/
European Committee for Standardization (CEN)
Software Assurance: An Overview of Current Industry Best Practices
Software Assurance Forum for Excellence in Code (SAFECode)
SCADApedia - a resource for control system security and IT related issues in control systems
Vulnerability Notes - detailed explanations of vulnerabilities in SCADA systems, from US-CERT
SCADA security resources
Honeypots for SCADA
SCADA HoneyNet Project
"The study (...) is notable for its breadth. Unlike many security reports, which focus on a single issue or type of threat, OECD examines how various types of malware function, the changing shape of the industry's business model, the role governments and international governmental organizations play in halting malware distribution (or, in some cases, facilitating it), and the various incentives and disincentives that might effectively retard the growth and reduce the impact of malicious software."
StopBadware.org is a "Neighborhood Watch" campaign aimed at fighting badware.
There are several commonly recognized terms for specific kinds of badware - spyware, malware, and deceptive adware. Badware is malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads. If your every move online is checked by a pop-up ad, it's highly likely that you, like 59 million Americans, have spyware or other malicious badware on your computer.
Report: Trends in Badware 2007, What internet users need to know is StopBadware's 2007 update on the state of badware on the web.
The introductory text is particularly interesting.
Source: SANS NewsBites
Patches pose significant risk, researchers say
The news item discusses a paper published this month by researchers from Carnegie Mellon and two other universities. Forgive the advertising, but Carnegie Mellon security training is available at FCUL in Lisbon, through the Master's in Information Security and the PhD in Informatics.
Automatic Patch-Based Exploit Generation
David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.
In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned.
What does this mean?
Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it. Thus, Microsoft should redesign Windows Update. We propose solutions which prevent several possible schemes, some of which could be done with existing technology.
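The core of the patch-based exploit generation idea is that the check a patch adds is itself an oracle for the vulnerability: any input that the patched program P' rejects but the unpatched P accepts is a candidate exploit for P. The example below is added here to make that concrete; it is not code from the paper or from the original page. It assumes a constructed message format ([len][payload...] copied into a fixed 8-byte field), models the overflow as a count of spilled bytes instead of corrupting memory, and finds the input by enumerating a small input space. The paper derives such inputs with symbolic execution and a constraint solver; the brute-force search here is a stand-in for that on a toy scale, and the names (handleV1, handleV2, generateExploit, FIELD_SIZE) are invented for the example.

```javascript
// Added example: "patch check as oracle" on a toy protocol handler.
// Constructed message format: msg[0] = len, msg[1..] = payload bytes,
// which the handler copies into a fixed-size field of FIELD_SIZE bytes.
const FIELD_SIZE = 8; // assumption for the example

// Unpatched P: trusts len. Instead of overrunning real memory it reports how
// many payload bytes would spill past the field (0 means no overflow).
function handleV1(msg) {
  const len = msg[0];
  const payload = msg.subarray(1, 1 + len);
  return { accepted: true, overflowBytes: Math.max(0, payload.length - FIELD_SIZE) };
}

// Patched P': the vendor added the missing bounds check and nothing else.
// That new check is exactly the vulnerability condition the attacker wants.
function handleV2(msg) {
  const len = msg[0];
  if (len > FIELD_SIZE) return { accepted: false, overflowBytes: 0 };
  return handleV1(msg);
}

// Search for an input that P' rejects but P accepts. The paper solves for
// such inputs symbolically; here the candidate space is small enough to
// enumerate: every declared length from 0 to maxLen with a filler payload.
function generateExploit(P, Pprime, maxLen = 32) {
  for (let len = 0; len <= maxLen; len++) {
    const msg = new Uint8Array(1 + len).fill(0x41); // 'A' filler payload
    msg[0] = len;
    const before = P(msg);
    const after = Pprime(msg);
    if (before.accepted && !after.accepted) {
      return { input: msg, overflowBytes: before.overflowBytes };
    }
  }
  return null; // no divergence found: patch did not add a rejecting check
}

// Stand-alone usage: prints the first input that the patched version rejects.
const candidate = generateExploit(handleV1, handleV2);
if (candidate !== null) {
  console.log("declared len", candidate.input[0], "spills", candidate.overflowBytes, "byte(s)");
}
```

Two caveats carry over from the abstract: this only works when the patch adds a reachable check on attacker-controlled input (a patch that restructures code or fixes logic without a new check gives the search nothing to diverge on), and the candidate still has to be turned into a working exploit against the real binary. The practical lesson for defenders is the same one the authors draw: the window between a patch being public and being installed is the exposure window, so staggered rollout lengthens it.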
Strike that out, Sam
by the author of the book Silence on the Wire which, while not academic, is a light and interesting read.
"Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP's Systems Security Lab, has identified a potential security flaw within a network's physical hardware rather than a typical desktop or server system. Smith's report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as "phlashing." Attacking system firmware isn't a new tactic—the CIH/Chernobyl virus was capable of overwriting BIOS firmware back in 1998—but focusing such attacks on network hardware would be an unusual step, and could prove quite successful in at least the short term."
Full article: http://arstechnica.com/news.ars/post/20080520-phlashing-attacks-could-render-network-hardware-useless.html
Source: Ars Technica
TPM Reset Attack
There are (at least) 3 types:
1. Reflected XSS
2. Stored XSS
3. DOM-based XSS
• An HTML or XML page is represented by a DOM object (Document Object Model, W3C)
• HTML can contain references to attributes of that object, which are interpreted in the browser: document.URL, document.location, document.referrer, ...
• Vulnerability: a site with an HTML page containing a JS script that does client-side logic with document.URL or another such attribute, and writes the result back into the page
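As an added example (not code from the original page or its slides), here is the DOM-based XSS pattern just described next to a hardened version. It assumes a hypothetical welcome page that reads a "name" parameter from its own URL and writes a greeting into the document; the functions take the URL as a string so they run under Node without a browser, and the names getParam, greetVulnerable, greetSafe and the attacker URL are constructed for the example. The distinctive property of this class, that the payload can travel in the fragment and never reaches the server, is the reason server-side filtering does not catch it.

```javascript
// Added example: DOM-based XSS via client-side logic over document.URL.
// In a real page `url` would be document.URL / document.location.href.

// Source: read a parameter from the query string or the fragment. Browsers
// never send the fragment to the server, so a payload placed after '#' is
// invisible to server-side logging and filtering.
function getParam(url, key) {
  const u = new URL(url);
  for (const part of [u.search.slice(1), u.hash.slice(1)]) {
    const v = new URLSearchParams(part).get(key);
    if (v !== null) return v;
  }
  return "";
}

// Vulnerable: the parameter is concatenated into markup that the page then
// assigns to an element's innerHTML (the sink). Any tag in the parameter
// is parsed and executed by the browser.
function greetVulnerable(url) {
  const name = getParam(url, "name");
  return "<p>Welcome, " + name + "!</p>";
}

// Hardened: treat the parameter as text. Escaping the five HTML
// metacharacters is the string-level equivalent of using
// element.textContent = name instead of innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function greetSafe(url) {
  const name = getParam(url, "name");
  return "<p>Welcome, " + escapeHtml(name) + "!</p>";
}

// Constructed attacker URL: the payload rides in the fragment and, if the
// page assigns the result to innerHTML, runs with the victim's cookies.
const attackUrl =
  "https://example.test/welcome.html#name=" +
  encodeURIComponent("<img src=x onerror=alert(document.cookie)>");

console.log(greetVulnerable(attackUrl)); // tag reaches the DOM intact
console.log(greetSafe(attackUrl));       // tag is rendered as text
```

The fix belongs on the client, because that is where the data flow from source to sink lives; the server cannot see the fragment at all. The same applies to the other DOM sources listed above (document.location, document.referrer): any of them followed by innerHTML, document.write or eval is the pattern to look for in a review.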
"FISMA provides a set of specific guidelines for federal agencies on how to plan for, budget, implement, and maintain secure systems. These new, stricter security guidelines replaced an expired set of rules under the Government Information Security Reform Act (GISRA)."
"NIST has several security programs in place with this goal in mind, such as the following:
Several interesting aspects:
-- if a vulnerability like this appears at Google, which takes security very seriously, how much more must be happening on the countless sites built by hobbyists all over the world.
-- the vulnerability is rather sophisticated, not the typical XSS in which the user's name is simply echoed back (the blog recommends reading this article)
-- the XSS vulnerability is tied to a session-management problem at Google: once a cookie is captured, the attacker gains access to the other Google applications the victim uses
(with thanks to Ricardo Oliveira, who sent me the news)
Recently some colleagues and I published a paper on a service (which could perhaps be instantiated as an email server) that guarantees the confidentiality of information even if some of the servers are successfully attacked. However, the problem of an untrustworthy administrator was not addressed. Interesting...
Meanwhile, the administration of the AR has assured that "there is not the slightest possibility of accessing the content of the emails", that the IT system of the Assembleia da República "is fine" and the preservation of data confidentiality guaranteed, "with security systems such as firewalls in place". I can't see how firewalls solve this problem, but I suppose working in security creates a certain scepticism...
P.S. The paper:
Alysson Bessani, Eduardo Alchieri, Miguel Correia and Joni Fraga.
"A Byzantine Fault-Tolerant Coordination Service."
Proceedings of the European Conference on Computer Systems (EuroSys 2008). April 2008. (pdf) (software)
MPs complain of email tampering in Parliament
11.04.2008 - 10h21 PÚBLICO
MPs from all parties are complaining of tampering with electronic mail ("e-mail") on the Assembleia da República's system.
The vice-president of the PS parliamentary group, António Galamba, goes so far as to say that "there are e-mails that arrive opened and others that never arrive", according to today's "Diário Económico".
António Galamba also says he is no longer the only MP who uses a portable hard drive to work on the most important documents, as he has "doubts about the security of Parliament's IT system".
At the most recent meeting of Parliament's Ethics Committee, the feeling of insecurity about using the system was reportedly unanimous, including on the part of its chairman, the social democrat Luís Marques Guedes.
Expresso article: http://aeiou.expresso.pt/gen.pl?p=stories&op=view&fokey=ex.stories/284972
Master's programme site:
More information on the Master's in Information Security:
With the end of another semester of teaching software security approaching, it is worth putting here a great book (in both senses of the word):
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Mark Dowd, John McDonald, Justin Schuh
Addison-Wesley Professional; 1 edition (November 30, 2006)
Another one, unrelated, but which I recently read with pleasure:
Geekonomics: The Real Cost of Insecure Software
Addison-Wesley Professional; 1 edition (December 9, 2007)
The book is a critique of the state of security of commercial software and of the role played by the industry that produces it. Interesting.
1- Static Analysis For safe Execution of Code
SAFECode project aims at providing memory safety guarantees to programs written in unsafe languages like C and C++.
As a part of this project, we developed a relatively simple compilation strategy that for standard C programs guarantees sound semantics for an aggressive interprocedural pointer analysis (or simpler ones), a call graph, and type information for a subset of memory. These provide the foundation for sophisticated static analyses to be applied to such programs with a guarantee of soundness. Our work builds on a previously published transformation called Automatic Pool Allocation to ensure that hard-to-detect memory errors (dangling pointer references and certain array bounds errors) cannot invalidate the call graph, points-to information or type information. A technical report on this work is available from here
Second, we developed a backwards-compatible run-time array bounds checking solution that has very low overhead. More information on this work is available from here
Finally, we also developed a novel technique that can detect dangling pointer errors (accesses to freed memory) with low overhead in some applications. More information on this work is available here
2- Improving Program Robustness via Static and Dynamic Analysis
Our research project aims to help programmers in writing more reliable programs, detecting errors in their programs and diagnosing errors. Our project includes fundamental research to improve our ability to analyze programs, such as pointer alias analysis, and applying static and dynamic techniques to address specific kinds of errors such as buffer overruns and memory leaks. Our emphasis is to develop techniques that can handle large real-life programs without imposing an onerous burden on the users. Here are a list of publications and an overview of the research results:
* Integrated Static and Dynamic Analyses for User-Defined Error and Security Flaw Detectors
* Static Tools
o An unsound path-sensitive pointer alias analysis for C.
o Clouseau: Detecting memory leaks in C++ programs automatically by static analysis.
o Metacompilation: Detecting critical errors in system software by static analysis
+ Using redundancy to find errors.
+ RacerX: static detection of race conditions and deadlocks
* Dynamic Tools
o DIDUCE: Tracking down software errors using dynamic anomaly detection.
o CRED: A Practical Dynamic Overflow Detector.
* Static and Dynamic Analysis:
o Automatic extraction of object-oriented component interfaces using static and dynamic techniques.
o Speculative threads: Architectural support to improve software reliability.
CCured is a source-to-source translator for C. It analyzes the C program to determine the smallest number of run-time checks that must be inserted in the program to prevent all memory safety violations. The resulting program is memory safe, meaning that it will stop rather than overrun a buffer or scribble over memory that it shouldn't touch. Many programs can be made memory-safe this way while losing only 10–60% run-time performance (the performance cost is smaller for cleaner programs, and can be improved further by holding CCured's hand on the parts of the program that it does not understand by itself). Using CCured we have found bugs that Purify misses with an order of magnitude smaller run-time cost.
Attack on MacOS - http://blogs.zdnet.com/security/?p=984
Attack on Vista - http://blogs.zdnet.com/security/?p=988, http://blogs.zdnet.com/security/?p=993
Who won? - http://blogs.zdnet.com/security/?p=995
An excerpt to whet the appetite:
"Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.
I replied: "What's really interesting is that these people will send a tube of live ants to anyone you tell them to." "
1. Adware on the Decline
2. Botnets Piggyback on Storm’s Success
3. Crimeware and Phishing Move on to Secondary Targets
4. Instant Malware: A Different Kind of IM
5. Parasitic Crimeware Takes Root
6. Virtual Threat Growth to Outpace Real-World Growth
7. Virtualization Radically Changes Security
8. Windows Vista Joins the Party
9. VoIP Attacks Speak Up
10. Web 2.0: Interactivity Yields More Productive Malware
McAfee Threat Center: http://www.mcafee.com/us/threat_center/default.asp
Obviously, the correct term is the second one (how do we model the threat a system is subject to?).