Proof of concept taken from above URL:

GET /prot%c0%afected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername

Adobe version 8-9.1 have been smacked with more JavaScript command execution bugs. A lot of vendors are starting to recommend disabling JavaScript, something I suggested back in 2007 when I released the Adobe JavaScript DB backdoor. Here are links to the 5 Adobe exploits released on Milw0rm thus far (2009):

You can disable Adobe Javascript as follows:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Products that have TFTP services enabled and that run CiscoWorks
Common Services versions 3.0.x, 3.1.x, and 3.2.x are vulnerable.
Only CiscoWorks Common Services systems running on Microsoft Windows
operating systems are affected.

CiscoWorks TFTP Directory Traversal Vulnerability. According to Cisco the following software types and versions are vulnerable:

• Cisco Unified Service Monitor versions 1.0, 1.1, 2.0, and 2.1
• CiscoWorks QoS Policy Manager versions 4.0 and 4.1
• CiscoWorks LAN Management Solution versions 2.5, 2.6, and 3.0
• Cisco Security Manager versions 3.0, 3.1, and 3.2
• Cisco TelePresence Readiness Assessment Manager version 1.0
• CiscoWorks Voice Manager versions 3.0 and 3.1
• CiscoWorks Heath and Utilization Monitor versions 1.0 and 1.1
• Cisco Unified Operations Manager versions 1.0, 1.1, 2.0 and 2.1
• Cisco Unified Provisioning Manager versions 1.0, 1.1, 1.2 and 1.3

Workarounds
To mitigate this vulnerability, administrators can disable TFTP services by completing the following steps:
Step 1. Choose “Start > Settings > Control Panel > Administrative Tools > Services to access the Services window.
Step 2. Right-click “CWCS tftp service” and select “Properties”.
Step 3. Set the “Startup Type” to “Disabled”.
Step 4. Click the “Stop” button to stop the TFTP service.

Still waiting for details on a proof of concept for this.

The United Kingdom’s Centre for the Protection of National Infrastructure has just released the document “Security Assessment of the Transmission Control Protocol (TCP)”.

I find the document title a little ambiguous, as a security assessment generally refers to active research where from my brief overview, is in fact more of a whitepaper giving an excellent overview of existing and well-known TCP/IP vulnerabilities (i.e. SYN flooding, Weak sequence numbers, port scanning techniques and more). It must be one of the best TCP/IP security overview whitepapers I’ve seen. Worth a read. Very nice work.

FreeBSD Telnet 0-Day

Kingcope Kingcope released a zero-day telnetd vulnerability, affecting FreeBSD 7.x. Telnetd allows environment variables to get passed to a remote session. FreeBSD made some recent changes which allowed Kingcope to set malicious environment variables using dynamic linker files (LD_PRELOAD). Interesting seeing Telnet in the news again after the 2007, Solaris 10 Telnet exploit (telnet -froot host). FreeBSD have made a fix available.

RainbowCrack 1.3 Released

RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. In short, the RainbowCrack software is a hash cracker that use time-memory tradeoff algorithm.

RainbowCrack 1.3 has been formally released. It has some nice features including multicore processor support, improved hash algorithm and overlapped computation and harddisk read.

Nokia N95 DoS

jplopezy released a proof of concept exploit that supposedly crashes the Nokia N95. The vulnerability uses JavaScript’s setAttributeNode function, which is part of JavaScript’s XML DOM suite of functions. The PoC looks like this:

script
r=document.getElementById('c');
a=r.setAttributeNode();
/script


$250,000 reward for Microsoft Worm Writer

A bounty has been set by Microsoft for information leading to the arrest of the Conficker worm author.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.

The guys at Backtrack have released Backtrack 4 BETA. Cool changes include Kernel 2.6.28.1 with better hardware support, Pico e12, e16 support, better wireless injection support, RFID support and a bunch of new tools.

Fasttrack security tool gets spotlight

David Kennedy’s Fasttrack tool got high reviews after Shmoocon. It provides CLI and a cool web frontend. You can automate Metasploit, brute force weak sa passwords on MS SQL serve IP ranges, find SQL injection vulnerabilities with an INJECTME placeholder and more more. The tool is only available in Backtrack. A nice demo here.

SQL Map 0.6.4 released

Bernardo Damele releases Sqlmap version 0.6.4. New features include a better string comparison engine and some major bug fixes.

Monster gets hacked

Monster got hacked and had millions of hob seeker data stolen. Would hate to be the infosec manager. I don’t think data has been released about how the hack occured, however, contact and account details were lost, including user IDs, passwords, email addresses, names, phone numbers, and basic demographic data.

Next-Gen WordPress Vulnerability Scanner released

BlogSecurity releases next-gen WordPress scanner. The tool is still BETA but has some cool new features like an XML driven test engine allowing anyone to contribute tests. We hope to split this project off to other open source apps. as resources permit.

DNS DDoS Saga Continues

For those who haven’t heard, a few weeks ago reports started coming in of odd (.) DNS queries. It has since been found to be a distributed denial of service vulnerability targetting the Internet ROOT nameserver. The attack was actually working and the ROOT nameservers began to slow… SANS have released  a tool to test your DNS server and include some config advice to fix it.

There are rumours that this attack may have been part of some mass DNS poisoning attack inspired by Dan Kaminsky’s DNS vulnerability research released last year.

Laramies Corner’s gives some nice links to web services pentesting

Christian Martorella over at Laramies Corner has put together some nice links for web services testing. Definately a page to keep bookmarked for quick reference.

Automated Web Vulnerability Scanner Comparison

anantasec posted a scanner comparison to the web security mailing list. I found it quite an interesting read. Its really useful if anyone is planning on forking out for one of these tools. A copy of the report is here.

If you want a laugh, the defcon 16 badge is in the open.

Also have a look at Bruce Schneier’s thoughts on security certifications, along with Marcus Rankum’s counterpoint.

Then there are government certifications. In the UK, they apply to security companies and personnel that may work on government projects, which usually are not for public consumption. These accreditation allow cleared companies to work on these projects whilst adhering to some stringent rules. The thought process for this is that the government get an independent review of their systems from their pool of accredited testers. The Communications-Electronics Security Group (CESG) set the precedence for security of communications and data. They have a number accreditation schemes for companies. They include CESG Listed Adviser Scheme (CLAS), which focuses in the audit and policy side of security and CHECK which provides a more technical audit and healthcheck of systems. Although the latter is being phased out by Council of Registered Ethical Security Testers (CREST)
On the other side of the pond, it is a bit unclear who would be allowed to work on government projects but it appears they have agencies just for that very thing. For example, the states have National Institute of Standards and Technology (NIST) who offer services including Federal Information Processing Standard Publications. Canada have a similar agency setup in Communications Security Establishment Canada (CSEC).

Big players like Checkpoint, Cisco, IBM, Microsoft, Oracle, Redhat and Sun (Java) have established programs. Other players (particularly open-source) are still setting up such as PHP and Perl.

Let’s take it from security assessment point of view. You have been given a firewall configuration. You can use the above guides to make some suggestions about policies. Now I don’t profess to be a know-it-all at firewalls but you should look for and be suspicious of any traffic that is permitted between two interfaces. Permit and any rules are always suspicious! Is the traffic encrypted? Is it using a standard port? Are the interfaces in question externally interfacing? Any non-standard/unfamiliar ports should be looked into and establish what they are exactly used for, if this is possible. It maybe that these ports are related to the vendor software. In which case, you should look up any weaknesses relating to the port service offered by the vendor. For example, if there is a rule for SIP (port 5060) then they maybe vulnerable to this cisco advisory.

1. Missing: 25 million child benefit records
2. Q&A: Bruce Schneier, CTO of BT Counterpane
3. Top 10 weird data disasters
4. Police: There’s no piggybacking crackdown
5. ID cards will be secure, insists Home Office
6. Full Disclosure – silicon.com launches data breaches campaign
7. Nasa hacker granted Law Lords appeal
8. Businesses call for police cyber crime unit
9. Cyber criminals turn pro
10. Warning over ‘Storm Worm’ email

Another top 10 that maybe advisable to see is the skills stories top 10

10. All in a spin: A customer who told engineers she had ‘washed away all her data’ after putting a USB stick through a cycle in her washing machine.
9. Feeding time: A father who, while feeding his baby daughter, forgot about the USB stick in his top pocket. As he leant over the high-chair the device fell into a dish of apple puree.
8. Row, row your boat: A fisherman took his laptop in his rowing boat. Both he and the laptop went overboard, taking all his data to the bottom of a lake.
7. Honeymoon hell: One wedding photographer overwrote the photos of one wedding with another event – and needed to escape the wrath of the newly weds.
6. Melting point: During an experiment, a scientist spilt acid on an external hard drive and burnt away his important data.
5. Shattering blow: In the middle of an argument, a businessman threw a USB stick at his partner, with the device ending up in several pieces on the floor. Unfortunately it contained valuable company plans.
4. Fire alarm: A fire destroyed an office, sparing only a few CDs which had melted to the inside of their cases.
3. Ooooops: A scientist was fed up with his hard drive squeaking, so drilled a hole through the casing and poured in oil – which stopped both the squeaking and the hard drive.
2. Here goes…: To test the functionality of a parachute, a camera was dropped from a plane. The parachute failed and the camera shattered into several pieces but the device’s memory stick was reassembled and the footage was recovered.

And the number one weird and wonderful data disaster is…
1. Data repellent: After discovering ants had taken up residence in his external hard drive, a photographer took the cover off and sprayed the interior with insect repellent. The ants were killed off and the data was eventually recovered.

All the hardware on the list was recovered, the company said.