Microsoft Security Bulletin MS10-070, Important, Really??

So, SANS has set its InfoCon level to yellow to increase the visibility of this update, and hopefully to encourage people to patch it sooner rather than later. All I can say is that I hope that it does actually get people to apply this patch quickly.

Apparently MSFT are aware of “active attacks”, which begs the question as to why this is only rated as an “Important” patch. I’m sure they have their reasons though, but if you are running any web applications, you are really advised to patch sooner rather than later on this one.

The details of the patch, taken from Microsoft’s website are the following:

—————————–

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

———————-
As always people, be safe and patch asap, the Internet is a dangerous place….


Funniest E-mail sent to the LKML (Linux Kernel Mailing List)

This is just so very very wrong! Original e-mail can be found here.
“Hi, all

I have two machines that show very different performance numbers.

After digging a little I found out that the first machine has, in
/proc/cpuinfo:

model name      : Intel(R) Celeron(R) M processor         1.00GHz

while the other has:

model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz

and that seems to be the main difference.

Now the problem is that /proc/cpuinfo is read only. Would it be possible
to make /proc/cpuinfo writable so that I could do:

echo -n “model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @
2.40GHz” > /proc/cpuinfo
in the first machine and get a performance similar to the second machine?”


Stuxnet Guesswork

Aviram said in a recent blog about Stuxnet and SCADA here:

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

And sure enough, half the security world has done just that, and the rest will be talking about it at Virus Bulletin next week. Good fun, maybe, if you don’t think too hard about some of the political implications, but I’m not sure it’s been productive or useful. Which is why I blogged today here.

I’d love to cover the same ground again here, but frankly I’m just too dispirited…

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Social Engineering and Facebook For Starters

The post that I wrote the other day about Foursquare and Facebook Places really got me thinking, and well, then it got me into doing mode very quickly.

So, putting on my reconnaissance hat, I logged into Facebook to see what I could find out about a complete stranger, and well, to say that it was interesting is to put it mildly. Bear in mind that I had no idea who this person was, or where in the world they were located before I started digging around.

The details that I managed to dig up about this person were the following:

- D.O.B

- In a relationship

- Hometown

- Religion

- Last 3 employers, as well as current

- Current Job Title

- Universities attended and relevant dates

- Schools attended and relevant dates

- Work e-mail address

- Private e-mail address

- Work phone number

- Home phone number

- Cell phone number

- Home address

- Work address

- Car make and model

- Car registration number

- Roughly how long it takes him to get from home to the office (average of 33 minutes)

- Roughly how long it takes him to get from home to his son’s school.

- Musical tastes

- Photos of his house, his dogs and his children

- He spends a lot of time (and I mean a lot) playing World of Warcraft

- He used to run Windows XP, but has recently upgraded to Windows 7

- I managed to map out the first two layers of his family tree

I then decided to do a bit more digging outside of Facebook now that I had all the above knowledge, and managed to find out a bit more about him.

- He goes running each day, and also uploads his routes and stats via Runkeeper

- He’s been in the newspapers a couple of times for good deeds and charity work

- He coaches a kids’ soccer team at his son’s school every other weekend

- He spends a fair amount of time on forums relating to legal highs

- There are some videos of him and his family on YouTube

- He has a personal web site, with a photo gallery of his travels with his family

- He runs a server from home, it’s running Windows 2003, IIS, and Exchange

- He’s currently an MCP studying towards his MCSE for Windows 2003, and I have his MCP ID, so far he’s done 3 exams

- He’s been married once before, and looking at photos of his ex-wife and his children, and their respective ages, one of the children is from his previous marriage.

- His citizenship

I managed to find all this information in about 10 minutes, now if I really wanted to go all out on this one, I’m pretty sure I could find a lot more information about him and his lifestyle.

Already with the information that I’ve managed to obtain I could quite easily use this for social engineering purposes, and not just against this person, but against most of the people in his family. It really does make me wonder why people are so open with all the details that they share online, with just a little bit of effort I feel like I know this person. I also know that if I wanted to attack his company it would be a pretty trivial thing to do.

People, it’s a scary world out there, and you really don’t need to publish all this sort of information. The people that know you will already know this information, so do you really need to advertise it to the world?

I’d like to thank George for taking part in my little experiment ;-)


Who’s behind Stuxnet?

Stuxnet is a worm that focuses on attacking SCADA devices. This is interesting on several levels.

First, we get to see all of those so-called isolated networks get infected, and wonder how that happened (here’s a clue: in 2010, isolated means in a concrete box buried underground with no person having access to it).

Then, we get to see how weak SCADA devices really are. No surprise to anyone who has ever fuzzed one.

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?


Facebook Clickjacking

Hello folks,

I didn’t imagine someone on *my* friends list would succumb to this attack, but apparently someone did… The URL is http://www.facebook.remove$me.com/pages/br-mhtwknyt-sms-zwkrym-qblw-yk-hw-nyrh-hywm/155174351168661

To fall for the attack, if you can’t read Hebrew - click on the right-most box in the page, then click on the big purple box with the green writing. You will notice a page with instructions, that translates to: “Dear viewer, due to the high number of hits we must make sure you’re human. Press the blue button, then the green then orange and finally red”. If you look at the lower left side, in characters 8px high, it has a disclaimer saying that by clicking on these buttons you allow the site to “like” on your behalf and publish in your profile. Completing the picture is the Facebook logo making the whole affair somewhat official. Nice social engineering job.
Firefox’s NoScript plugin successfully prevents the attack from taking place and also reveals the hidden UI underneath. The first button hides a “Like” button, so the attack is self-perpetuating. Does that make it a worm? On one hand, it does self-perpetuate with the aid of the unsuspecting user (much like the user-assisted email worms). On the other hand, it doesn’t copy itself (the payload), so deleting it in one location will render the entire infection void.

Another, more interesting question is the follow-the-money question: Why would the attacker follow through with this attack? What is the incentive? The target link seems to be an SEO created website, so the incentive seems to be higher ranking and therefore higher revenue.

– Arik


Security Conferences and Press Passes

We recently received a couple of press passes to some security conferences in Europe from the event organizers and this got me to thinking.

Firstly thank you to the organizers that sent the passes through, it really is appreciated and it shows just how far Securiteam’s reach is.

So if there are any other security event organizers reading this, and you want the ins and outs of your conference published here, then please get in touch with us, a press pass for a security conference doesn’t cost you anything, and we can make sure that we can do all we can to let others know how good or bad it really was.

As I’m sure that you’re aware of by now, here at Securiteam we write honestly and give thanks where thanks is due.


DEFCON Social-Engineer CTF Contest Findings Report

If you’re at all interested in Social Engineering as I’m sure that most of our readers are, then you will probably be very interested in the report over at the Social-Engineer.org site.

At DEFCON 18 this year, held in Las Vegas there was a Social Engineering Capture The Flag event held. This proved to be quite a success, well more so for the participants, than the actual companies targeted, but hey. All’s fair in love and war.

Some of the rules for this event were the following:

- Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
- Contestants may not attempt to falsify or falsify employment records;
- The list of target organizations will not include any financial, government, educational, or health care organizations;
- Contestants must keep it clean, for example, use of any pornography is banned.

Even the FBI were extremely wary of this contest and contacted the organizers beforehand, so this was getting a lot of press coverage. I am also aware that quite a few companies sent out internal communications about this event to their employees, warning them not to give out any sensitive information.

I’d personally just like to thank the team over at Social-Engineer.org for doing so much to bring social engineering into the public’s eye, and also for all the hard work they’ve put into SET and the Social Engineering Framework. Keep up the amazing work guys!
So without further ado, you can read the full report here.


HDCP Master Key Leaked

High-bandwidth Digital Content Protection (HDCP) is a form of copyright protection developed by Intel. It is designed to prevent the copying of digital audio and video as it travels across media interfaces such as HDMI, DisplayPort or Unified Display Interface (UDI).

The system is meant to stop HDCP-encrypted content from being played on devices that do not support HDCP or which have been modified to copy HDCP content. Before sending data, a transmitting device checks that the receiver is authorized to receive it. If so, the transmitter encrypts the data to prevent eavesdropping as it flows to the receiver.

Manufacturers who want to make a device that supports HDCP must obtain a license from Intel subsidiary Digital Content Protection, pay an annual fee, and submit to various conditions.

On 14th September 2010 the HDCP Master Key was somehow leaked, and published online in various sources. At present it is unknown how this Master Key was obtained, or whether Intel is doing any investigations as to how this happened. Intel has however threatened to sue anyone.

The leaked master key is used to create all the lower level keys that are stored within devices, so you can see what a nightmare this must be for Intel.

Intel have threatened to sue anyone that makes use of this key under intellectual property laws. However it will now only be a matter of time before we start seeing black market devices appearing.

If anyone’s at all interested though, you can find the key here.


DDoS Attacks and Torrent Sites

If anyone has been following the recent news about anti-piracy companies trying to take torrent sites offline by DDoSing them, then you’ll know that this was a bad idea from the start, if not here’s a brief recap.

Aiplex Software is a company that has been trying to take down torrent sites for a while now. As they weren’t getting anywhere, they decided to take on a new approach, and DDoS the torrent sites instead. It was suspected that this was the case for a while, but then to save everyone the effort, the nice guys over at Aiplex Software openly admitted that they were doing it, big mistake!

As the Internet is a wonderful medium for communication, there was a scheduled DDoS attack against Aiplex Software which took their site offline for a fair amount of time, until all the attackers then decided that moving onto the MPAA website was a better idea. The MPAA was forced to move its site to a new IP address after being down for 18 hours.

Yesterday an attack was launched against the RIAA in the same manner, and knocked the web site off the Internet for a good few hours.

All this was done via various means of communication, using the tool LOIC (Low Orbit Ion Cannons) and a bunch of anonymous supporters that weren’t afraid to stand up for what they believed in. Whether these attacks were right or wrong is purely a matter of opinion, but more to the point is the amount of damage that can be done.

In the past, if people wanted to protest, they would all gather in groups with placards and march around yelling various slogans, this usually happened outside the offending party’s premises. If it got out of hand, the police would be called in to disperse the crowd, and everything was back to normal. However now in the age of the Internet, people are free to participate from the comfort of their own homes, just by downloading a program, typing in an IP address or hostname and clicking “Attack”. These people won’t be traced if the attack is coordinated properly, as it’s next to impossible to trace where all the packets are coming from if you have a large amount of people doing this at the same time. Even if people were traced, there is always the “Botnet defense” (My PC must have been infected by something and become part of a botnet, I ran my anti-virus program and removed some things, and now it all seems fine).
As security professionals we need to look at this as the shape of things to come, what if an online retailer annoyed a few of its customers, or if an online gambling or finance site was just “asking for it”. All it takes is the right form of communication and a few thousand people, and poof, the site is off the Internet if it doesn’t have the correct protection mechanisms in place.

As security professionals, do you do your best to protect your company’s online assets from DDoS attacks? Or are you mainly concentrating on making sure the web sites are coded securely, that the web servers have been hardened and patched up to date…

I’m really interested to hear everyone’s comments on this one, so please leave them below.


Social Engineering Toolkit 0.7.1

For those of you who have never used the Social Engineering Toolkit (SET), you really are missing out on an amazing tool, and one that is guaranteed to make your lives simpler in the social engineering realm.

SET was written by David Kennedy a.k.a ReL1K, and you can find this amazing tool in either the BackTrack Linux distro, or you can get it via svn directly from Dave’s site. Full info on how to download this via svn can be found here.

SET is also tightly integrated with the Metasploit Framework, so you can easily make use of all the exploits within MSF to perform some really technical social engineering attacks.

I’m guessing that if you’ve never heard of SET before, you’re probably wondering what it can do, well, let’s put it this way, in the context of social engineering, what can’t SET do?

I would say that the best way to familiarize yourself with SET and all its features would be to download it and have a play with it. Then to go through some of the many tutorials available online.

There is now a section dedicated to SET over at Offensive Security’s free Metasploit Unleashed training page, which you can find here.

Dave has also kindly put up a load of tutorial videos to walk you through the basics, and then some on his site. To check these out just head over to the Tutorials section on his site.
If you’d like to see a video of all the new features in SET 0.7, then have a look here.


Facebook Places, Foursquare, and common sense…

Ever since I first became aware of Foursquare I thought that it was a bad idea, and that it wouldn’t last long. Well I still think that it’s a really bad idea, but I was definitely wrong about how long it would last.

I have to wonder about people.

I know that security folk are more paranoid than most other people. I also know that comes with the territory, but whoever thought that it would be a good idea to advertise where you are at any given point in time? Now Facebook has gone and launched Places, which does pretty much the same thing as Foursquare.

Call me extremely paranoid, but when your average user publishes personal details on Facebook, such as their home address, where they work, their work and home e-mail addresses, photos of themselves and their family (sometimes including photos of their home and car), do they really need to let the world know exactly where they are at any given point?

I am also betting that it’s some of these very same people that tend to get all up in arms, when someone reads over their shoulder on the tube, or stands at their desk waiting for them to finish their phone call. The same people that will complain about having their privacy violated!

Now imagine the following scenarios:

1. You’ve just arrived at the office, so you decide to “check in” to one of these applications, so that everyone knows that you’re at work. You’ve also just given out the exact location of where you work. In some cases this can be a major risk, if you work in an unmarked building for example, where the location of the building is supposed to not be that easily known, well now everyone knows. This also lets any would be breaking and entering specialist know that you are now no longer at home, or that your wife and kids are now home alone.

2. You call in sick for the day, and forget that you happened to befriend your boss on Facebook, you then take a nice trip to some art gallery, or to a shopping mall to catch that newly released film, and you “check in” (Yes, I’ve seen this happen!). Then you’re all shocked when you get called into your boss’s office because he knows that you weren’t really sick, you were out having fun on company time. I’ve got no problem with people taking a day off, but if you’re going to be stupid about it, then you deserve what you get.

3. From a social engineering perspective, this is amazing, as if I’m going to target someone working for a company, it means that I get to see where they hang out, what type of things that they’re into, when they’re in the office or out of the office. Picture this, the head of IT security is using Facebook Places, he checks in when he reaches the station on his way to work, then he updates his Twitter status to say that the train is running an hour late. This means that I now have the perfect opportunity to phone the company helpdesk, and impersonate him, and get my remote login password reset. Then voila, I have all the access that he does, I also know that I have about an hour to grab whatever information I please, before I need to log off. Once he gets into the office, he’ll have some password problems, phone the helpdesk and get it reset, and be none the wiser.

C’mon people, please all I’m asking for is that you have some common sense, if you need people to know where you’re going, let them know, don’t tell the whole world and his dog.


ACCU / Bletchley Park Autumn Lectures

Bletchley Park, also known as Station X, is where the Enigma cipher was cracked during World War II, and if you have never been, it’s a really worthwhile visit.

However this post is not about Bletchley Park, more so, it’s about the Bletchley Park 2010 Security Conference. Confirmed speakers this year are the following: Bruce Schneier, Whitfield Diffie, Andy Clark and David Khan, so it should make for a rather interesting conference. Something else that makes attending this conference worthwhile is the fact that all proceeds from this event will be divided equally between the Bletchley Park Trust and the National Museum of Computing.

As I’m sure a lot of you are aware Bletchley Park is in desperate need of support, and as a security community we can help to support this establishment that has already done so much for what we do today. I often wonder that if it wasn’t for the time and effort spent at Bletchley Park during World War II, where would cryptography be now? Would we be as advanced as we now are? Somehow I think not.

For more info, and registration information point your browser here, if you can make it, let me know via the comments and it’d be good to hook up for a beer or 2.

After the conference there will also be a fireworks display and a fun fair. What more could you ask for a security conference, a bar, fireworks and a funfair sounds like a great evening to me!


Hardening guide for Squid 3.1.8 on CentOS 5.5

1.      Login to the server using Root account.
2.      Create a new account:
groupadd squid
useradd -g squid -d /var/spool/squid -s /sbin/nologin squid
3.      Install the following RPM files from the CentOS DVD:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh cpp-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm
4.      Download the latest Squid source files from:
http://www.squid-cache.org/Versions/
5.      Copy using SCP (or PSCP), Squid source files into /tmp
6.      Move to /tmp
cd /tmp
7.      Extract Squid source file:
tar zxvf squid-3.1.8.tar.gz
8.      Move to the Squid source folder:
cd /tmp/squid-3.1.8
9.      Run the commands below to compile Squid from source files:
./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations
make all
make install
10.  Move one folder up and remove Squid source files and default content:
cd ..
rm -rf /tmp/squid-3.1.8
rm -f /tmp/squid-3.1.8.tar.gz
rm -rf /usr/share/squid/man
rm -f /etc/squid/cachemgr.conf.default
rm -f /etc/squid/errorpage.css.default
rm -f /etc/squid/mime.conf.default
rm -f /etc/squid/msntauth.conf.default
rm -f /etc/squid/squid.conf.default
rm -f /etc/squid/squid.conf.documented
11.  Change ownership and permissions on the log folder:
chown squid:root /var/log/squid
chmod 770 /var/log/squid
12.  Edit using VI, the file /etc/squid/squid.conf and add the following lines to the end of the file:
cache_access_log /var/log/squid/access.log
cache_store_log none
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
visible_hostname server1
maximum_object_size 4096 KB
minimum_object_size 1 KB
dns_nameservers DNS_value
client_lifetime 360 minutes
pconn_timeout 360 minutes
Note 1: Replace “server1” with the Squid server DNS name.
Note 2: Replace “DNS_value” with IP addresses of DNS servers
13.  Run the command below to initialize Squid:
/usr/sbin/squid -z
14.  In order to manually start the Squid service, run the command below:
/usr/sbin/squid
15.  In order to start the Squid service at server startup, add the command below to the /etc/rc.local file:
/usr/sbin/squid
16.  Uninstall the following RPM:
rpm -e gcc-c++-4.1.2-48.el5
rpm -e libstdc++-devel-4.1.2-48.el5
rpm -e gcc-4.1.2-48.el5
rpm -e cpp-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5

The article can also be found at:
http://security-24-7.com/hardening-guide-for-squid-3-1-8-on-centos-5-5/
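
A check that can be run after step 12, as an added example that is not part of the original guide: it audits a squid.conf for the values the guide sets, for the default-deny header rule, and for the placeholders from Notes 1 and 2. The function names and the sample configuration are constructed for illustration, and it assumes that for a single-valued directive the last occurrence in the file is the one Squid uses.

```shell
#!/bin/sh
# Added example: audit a squid.conf against the values set in step 12.
# Assumption: for single-valued directives the last occurrence is effective.

# Strip comments, collapse runs of whitespace, trim both ends.
normalise() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1"
}

# Print the value on the last occurrence of directive $2 in file $1.
last_value() {
    normalise "$1" | awk -v d="$2" \
        '$1 == d { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }'
}

# Print one line per finding; return the number of findings (0 = clean).
audit_squid_conf() {
    conf=$1
    findings=0
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf"
        return 255
    fi

    # Single-valued directives and the value the guide sets for each.
    while read -r name want; do
        got=$(last_value "$conf" "$name")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $name is '${got:-unset}', guide sets '$want'"
            findings=$((findings + 1))
        fi
    done <<EOF
icp_port 0
htcp_port 0
forwarded_for off
cache_store_log none
EOF

    # Access rules that must be present, including the default-deny that
    # turns the request_header_access list into an allowlist.
    for rule in "icp_access deny all" "htcp_access deny all" \
                "request_header_access All deny all"; do
        if ! normalise "$conf" | grep -Fqx -- "$rule"; then
            echo "FAIL: missing '$rule'"
            findings=$((findings + 1))
        fi
    done

    # Notes 1 and 2: the guide's placeholders must have been replaced.
    if [ "$(last_value "$conf" visible_hostname)" = "server1" ]; then
        echo "FAIL: visible_hostname is still the placeholder 'server1'"
        findings=$((findings + 1))
    fi
    if [ "$(last_value "$conf" dns_nameservers)" = "DNS_value" ]; then
        echo "FAIL: dns_nameservers is still the placeholder 'DNS_value'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config (not from a real host) with three faults:
# forwarded_for left on, no default-deny header rule, placeholder hostname.
sample_conf() {
    cat <<'EOF'
# constructed sample
http_port 3128
icp_port 3130
cache_store_log none
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for on        # should be off
request_header_access Host allow all
request_header_access User-Agent allow all
visible_hostname server1
dns_nameservers 192.0.2.53
EOF
}

demo_conf=$(mktemp)
sample_conf >"$demo_conf"
audit_squid_conf "$demo_conf" || echo "findings: $?"
rm -f "$demo_conf"
```

On a real host, call audit_squid_conf /etc/squid/squid.conf; a return value of 0 means every check passed.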


T2 Conference Challenges

Hi,

Since the dawn of our species (well 2005, if you want to be picky about it) t2 has been granting free admission to the elite of their kind, the winners of the t2 Challenges. Don’t be suckered in by all the cheap imitations out there, their snooze-fest la-di-da dog and pony shows, because t2 is back! And we’re pleased to announce the release of the t2’10 Challenge!

Now is your chance to join the past elites (http://t2.fi/challenge/) by winning free admission to this year’s t2’10 Infosec Conference!

This year’s t2’10 Challenge is based on multi-staging (much like good shell code), which will be powered by a scoreboard (http://t2.fi/ext/scoreboard) so that you can see — (almost) in real time — how the other participants are faring out there in the land of the living.

The rules are simple: t2 will release the t2’10 Challenge and the first one to solve it will win free admission to the t2’10 Infosec Conference. But don’t stop just because you weren’t the first one to solve it: The Advisory Board will select another winner among the next ten correct answers, paying particular attention to the elegance of the solution rather than the speed. In other words you can win with either speed or style :)

The t2’10 Challenge will be released 2010-08-28 10:00 EEST at http://t2.fi/

Good luck

UPDATE: A solution for the challenge has been posted, you can see it here: http://t2.fi/2010/09/07/t210-challenge-solution/ or you can attend the conference and talk to the winner for yourself :)
