0wned by Anti-Virus

Posted on March 10, 2008 by Brent Huston

A quick review of vulnerability postings to the emerging threats content of this blog is sure to make clear just how popular the anti-virus as exploitation vector has become. Major levels of security research and exploit development continue to be aimed at the anti-virus vendors and their products. And, why not? It stands to reason from the attacker view point. All of these years infosec folks have been staging education and awareness programs to make sure that nearly every PC on the planet has anti-virus software installed.

It stands to reason, that given the near ubiquity of AV tools, that it would be a very easy, albeit traditional, way to compromise systems at large. Vulnerabilities in anti-virus tools are an insidious mechanism for attack, often run with enhanced privileges and carry enough “in your face” and “gotcha” temptation to be a very interesting target. No wonder they have become a favorite attack vector.

On the other hand, from the security standpoint, who else besides anti-virus vendors and purveyors of critical applications linked into the defensive infrastructure should be the poster children for secure development. Every piece of code has bugs, mine included. But, shouldn’t anti-virus vendors be doing extensive code reviews, application assessments and testing? Isn’t this especially true of vendors with large corporate names, deep budgets and pockets and extensive practices in application security and testing?

Anti-virus tools are still needed for nearly every PC on the planet. Malware still remains a large concern. AV has its value and is still a CRITICAL component of information security processes, initiatives and work. Vendors just have to understand that, now more than ever, they are also a target. They have to do a better job of testing their AV applications and they have to embrace the same secure coding tools and processes that many of their own consultants are shouting from the virtual hills to the cyber-valleys. We still need AV, we just need better, stronger, more secure AV.

Panda Dos

Posted on March 10, 2008 by Nathan Grandbois

Panda Antivirus and Firewall is vulnerable to a denial of service and system compromise. The kernel driver included with Panda Antivirus and Firewall 2008 does not handle IOCTL requests correctly. This can result in a local denial of service or execution of code on the local system. There is currently a hotfix available for this issue. If you, or anyone you know, runs Panda Antivirus give them a heads up to run the update utility.

Your New TSA Approved Laptop Bag????

Posted on March 7, 2008 by Brent Huston

I read this article this morning about a movement by TSA to create “approved” laptop bags that would allow passengers to go through airport security without removing their laptop from their laptop case.

This appears to be really true. It really isn’t a joke. In fact, at first blush, it might even seem like a good idea. But…

The interesting part is that it is literally only a bag for your laptop. No power cords, media or other devices.

Now I don’t know about you, but I carry a LOT more stuff than just my laptop in my backpack. If you want an example, here is one from an article a while back in ITWorld.

Pack Contents

As you can see, there’s a lot more than my Mac in there.

While the idea of not removing my laptop seems like a good thing to me and I am sure that it would save us all time in the security line in a perfect world, I am completely unconvinced that even the most basic of laptop users only carries their laptop in these things. I can’t imagine that there would be any real time savings as the TSA explains that only “approved” laptop cases bearing the official TSA seal will be allowed and that you can’t have any folders, paper clips or anything else tucked around the laptop… Blah, blah, blah…

Ordinary citizens still can’t seem to figure out if they can take their makeup, water or beer on the flight, let alone whether or not they need to remove their shoes for the not-so-nice man with the badge. I still routinely have to wait behind people asking the same questions and others hopping around like a pogo-stick rider while they unbuckle, untie and wiggle off their shoes/boots/leggings/etc.

How on earth will special laptop bags even have a prayer of saving us time? Even worse, the whole idea of creating the bags, testing them, approving them and controlling counterfeits or unapproved bags with look alike seals – seems to be a place for a HUGE amount of tax payer dollars to get wasted. Can you imagine the large-scale bureaucracy that would take?

I say forget it. Just keep the same process going of laptop removal. It seems a lot easier, cheaper and as Bruce Schneier would remind us – just as useless in terms of real risk reduction anyway….

Ruby on Rails Directory Traversal

Posted on March 7, 2008 by Nathan Grandbois

Ruby 1.8.6 (Webrick Httpd 1.3.1) is vulnerable to a directory traversal flaw. The Ruby on Rails web server, Webrick Httpd 1.3.1, is vulnerable to directory traversal on systems that accept the backslash as a path separator and on case insensitive systems. Patches for the 1.8 and 1.9 code branches are available.

What’s On Your Key?

Posted on March 6, 2008 by Brent Huston

As a follow up to yesterday’s post about the Windows management tool, several people have asked me about what Windows tools I use most often. I, like many technical folks, carry a simple USB key in my pocket and it is packed with the core critical tools I use whenever I run into a support-type issue.

This led me to ask – what’s on your key?

USBKey graphic

Mine has some pretty interesting stuff. Here is a sample of the contents focused on Windows tools.

I keep an installs directory with some of the basic tools that I need, like to use and would want people to use. It has stuff like:

Cain and Able – you never know when you may need to recover or crack a basic password

Comodo Firewall – I try to never leave a home system without a firewall installed and configured, this one is free, easy to manage and with a quick 5 minute lesson – even basic Windows users can keep it going safely…

Filezilla – a pretty great Win32 FTP GUI

FoxitReader – a quick replacement for the bloated Adobe PDF reader

Genius – an old swiss army knife tool for Win32 that has a ton of Internet and network clients, plus some basic power tools for users

and of course the ubiquitous FireFox, WinZip, freeware Anti-virus and SpyBot Search & Destroy installers!

I also keep some basic tools for troubleshooting, security and analysis:

BinText – a GUI “strings” for Win32

Filealyze – a file analyzer, great for looking at unknown pieces of software and doing potential malware analysis on the fly

FPipe – Foundstone’s port redirector

Scanline – a quick and dirty command line port scanner for Win32 from Foundstone

Various Windows resource kit elements – kill, netdom, sysinternals tools, shutdown, etc.

Of course, netcat, the do it all with sockets tool 😉

winvi – easy to use text editor

whosip and whoiscl – two whois emulators for Windows

a tools simply called Startup – a really easy to use GUI for managing what is starting up each time the system starts and the various users login

Those are really the essentials… I carry a bunch of normal stuff around too, but the basics are here for those quick fix scenarios that invariably start with something like “My computer is acting kinda funny ever since I …”

So, I have shown you some of mine. Now you do the same, let us know what’s on your key that you carry in your own pocket. Use the comment system to tell us all about your own set of indispensable tools!

Checkpoint VPN XSS, Multiple Java Vulns

Posted on March 6, 2008 by Nathan Grandbois

Checkpoint VPN-1 UTM Edge is vulnerable to cross site scripting. This particular XSS vulnerability allows for reflective cross site scripting pre authentication. This could allow attackers to embed the login form in an html form for deceptive and malicious purposes. The latest firmware version, 7.5.48, reportedly does not contain this vulnerability.

There are multiple vulnerabilities in Java. This includes Java Web Start, the JRE and SDK. These vulnerabilities could lead to a Denial of Service or system compromise. All of the more recent versions of Java are vulnerable, so if you haven’t updated your Java install in a few weeks, now would be the time to do so.

Lighttpd, a popular light open source web server, is vulnerable to CGI source exposure and potential denial of service. Version 1.4.18-r2 is affected and a newer version is available.

A Great Windows Maintenance Find for FREE

Posted on March 5, 2008 by Brent Huston

A few days ago I stumbled onto a pretty decent Windows maintenance tool I wanted to share. It is called Advanced WindowsCare Personal and is available from snapfiles.com here.

Overall, this is a pretty great tool. It is very easy to use and does a lot of tuning and preventative maintenance for Windows systems – especially home and end-user systems that might not have a corporate IT person to take care of them. It does a good bit of clean up around the system, helps to protect it against spyware and some malware. While not a full anti-malware solution, it does make some basic registry changes to help prevent installation of the most common spyware and other bad stuff.

It did a very nice job of helping me tune a Windows system that I was messing with and in running basic management functions and maintenance tasks. I am not sure I would upgrade to the “Pro” version, but for a free utility, this one is pretty good.

If you still have Windows systems to manage, especially for family members and the like, this may be worth the time to install for them and spend 15 minutes teaching them to use it. Likely, they can repair most of their own problems using the tool, instead of calling you over to Aunt Millie’s for tech support. 😉

Ohio Votes Today

Posted on March 4, 2008 by Brent Huston

The day for the Ohio primary is here. With a ton of media attention focused on our state, a new voting process in place and the removal of the touch-screen systems our primary is certain to have its ups and downs today.

When we reviewed the security of the Ohio voting system, we did find some serious issues. However, the optical scanning systems from our review were less prone to problems under normal voting use than the touch screens. Therefore, we agree that the optical scanners are a more secure choice, especially in the way that our Secretary of State has outlined their use.

Voters in Ohio today should expect some lines and a small amount of confusion and hype. But, careful review of your ballot, care marking of your selections and following the published procedures should make the process easy, reliable and interesting. Our only words of caution are to ask for another ballot if you make a mistake and refrain from marking anywhere except in the square of your chosen candidate. Again, take a few moments and review the ballot before you turn it in.

The Secretary of State has taken great measures to ensure oversight and accountability for all votes and voters around our state. The various boards of election and other officials have also taken great steps toward improving the security of the process. They are all to be commended for achieving the progress we have made thus far, in such a short amount of time.

While there is still quite a bit of work to be done around electronic voting and elections security; today is a good day to look at the work we have done so far. Together, citizens, politicians and government can work to find a useful, reliable and secure way to continue the wonderful democracy that we, as Americans, enjoy.

Do your part. Vote. Stay engaged in the debate about electronic voting and don’t be afraid to let others know what you think…

New Advanced Botnets Discovered

Posted on March 3, 2008 by Adam Hostetler

Previously undetected botnets have been found to be running under the radar. The largest one has gained the name “MayDay”. MayDay has not infected a lot of systems yet, like Storm has, but has advanced capabilities to evade detection. Notably, it’s able to send HTTP traffic through an enterprises proxy. The bot also uses peer-to-peer technology, through two channels, to stay in contact. The bot appears to be using both TCP and ICMP for data transmission.Even though this bot isn’t a large threat yet, it shows that bot development isn’t going to stop any time soon. Bot writers are getting smarter and more clever, while detection and analysis techniques are lagging behind.

Increase in European “Options” HTTP Scans from Linux Systems

Posted on March 3, 2008 by Brent Huston

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues.

MSI :: State of Security

Insight from the Information Security Experts

Monthly Archives: March 2008