Category Archives: Security

Hacking – The Card Game


An interesting and fun way to teach ethical hacking.

Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 conference in Las Vegas that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators “use carrots, not sticks.”

“Humor creates an open atmosphere,” that helps break down the shyness of learning, he said during the conference session about the game. He explained that people are more likely to ask questions about things that they think they should’ve already learned if it’s part of a game.

Games, he noted, have a spectrum from being as easy to learn as Go or dice games, all the way through Dungeons and Dragons or Settlers of Catan. Choosing a game to base Control-Alt-Hack on that involved humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.

In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 “person” cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.

Source: Hacking, the card game, debuts at Black Hat | Security & Privacy – CNET News.

Look for it on store shelves later this year.



150 Ways To Bypass Web Application Firewalls In One Tool


A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.

The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.

Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.

However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.

The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.

In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.

Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.

Source: Tool released at Black Hat contains 150 ways to bypass Web application firewalls | Security – InfoWorld.

The question is whether this public release of the research will kick-start the discussion Mr. Ristic is hoping for.
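To show what “protocol-level” means in practice, here is an added example in Go. It is my own illustration, not Ristic’s tool or any of his 150 techniques, and the backend normalization it assumes stands in for typical origin-server behaviour rather than any particular product. A rule that matches the raw request-target misses requests the origin will still route to /admin once it has decoded and normalized the path; running the same rule after the WAF canonicalizes the request the way the backend does closes that gap.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// isAdminPath is the rule itself: true for /admin and anything under it.
func isAdminPath(p string) bool {
	return p == "/admin" || strings.HasPrefix(p, "/admin/")
}

// naiveBlocked applies the rule to the request-target exactly as it arrived on the wire,
// which is the mistake the evasions below rely on.
func naiveBlocked(rawTarget string) bool {
	return isAdminPath(rawTarget)
}

// backendPath approximates what a typical origin does before routing: drop the query string,
// percent-decode the path once, then remove "." and ".." segments and repeated slashes. This is
// assumed behaviour for illustration; real servers differ (some strip ";param" path parameters,
// some decode twice), and a WAF has to mirror the specific backend it fronts.
func backendPath(rawTarget string) string {
	p := rawTarget
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	if dec, err := url.PathUnescape(p); err == nil {
		p = dec
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// normalizedBlocked applies the same rule after canonicalizing the way the backend does.
func normalizedBlocked(rawTarget string) bool {
	return isAdminPath(backendPath(rawTarget))
}

// Constructed request-targets: each reaches /admin/users on the backend while the raw rule
// sees something else.
var evasions = []string{
	"/%61dmin/users",         // percent-encoded byte in the path
	"/static/../admin/users", // dot-segment traversal back into /admin
	"//admin/users",          // doubled slash
	"/./admin/users",         // current-directory segment
}

func main() {
	for _, t := range evasions {
		fmt.Printf("%-26s raw rule=%-5v backend sees=%-14s normalized rule=%v\n",
			t, naiveBlocked(t), backendPath(t), normalizedBlocked(t))
	}
}
```

These are the simplest members of the class. The harder cases are the ones where the WAF and the backend disagree about the protocol itself (how many times to percent-decode, what ends a path segment, how a malformed header is parsed), and a rule author cannot fix those alone, which is why Ristic frames it as an industry problem rather than a ModSecurity bug.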


Easy Cracking of Microsoft Crypto

Another day, another set of cracking tools.

Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular authentication protocol from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.

The tools crack passwords on WPA2 (Wi-Fi Protected Access) Enterprise wireless networks and on VPNs protected by PPTP (Point-to-Point Tunneling Protocol), both of which commonly rely on MS-CHAPv2 for authentication.

ChapCrack captures the MS-CHAPv2 handshake (the challenge and response exchanged during login) and converts it to a token that can be submitted to CloudCracker. It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack, where the DES (Data Encryption Standard) keys are cracked. With that data, someone can decrypt all of the information traveling across the network, including sensitive corporate e-mails and passwords, and use the credentials that were revealed to log in to corporate networks.

The tools are designed for penetration testers and network auditors to use to check the security of their WPA2-protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.

Source: Tools boast easy cracking of Microsoft crypto for businesses | Security & Privacy – CNET News.

Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP.

Innovations Continue At Symform


Symform, a revolutionary cloud storage and backup service, today announced enhancements to its Cloud Storage Network that improve the performance, security and international capabilities of Symform’s innovative peer-to-peer backup model. The new version accelerates data upload times for large data sets, offers more options for privacy control and supports long file path names and international characters. These features are in direct response to the global adoption of Symform’s Cloud Network by small and medium businesses in 150 countries and the continued explosive growth of digital data needing to be protected and stored.

“At Symform, we are constantly searching for new and better ways to serve our fast-growing global customer base by offering a solution that is widely accessible and more affordable than costly, traditional cloud storage models,” said Praerit Garg, president and co-founder of Symform. “We take pride in offering the industry’s first decentralized cloud back-up and storage solution, and are continuing to innovate and perfect that model with each new release.”

In a recent Symform survey, respondents overwhelmingly cited the cost of cloud storage as a top concern, particularly among resource-strapped small and mid-sized businesses (SMBs). Symform offers a dramatic alternative to traditional ‘data center-reliant’ cloud storage models, using a peer-to-peer network of contributors and consumers that keeps costs to a minimum while ensuring the highest levels of security and reliability.

Source: Symform Continues to Innovate Cloud Storage Network and Peer-to-Peer Model With Faster Data Backup and Enhanced Security & Privacy | Virtual-Strategy Magazine.

One of the keys with technology is to improve and enhance while remaining secure and reliable.  It looks as if Symform is doing that while also keeping their service cost-effective.  Check the source to see what innovations came with the latest release.


NIST Updates Guidelines for Mobile Device Security

Mobile devices allow workers, including government employees, to work in multiple locations and to improve their efficiency. But the same features that make these devices desirable make them a security challenge. Mobile devices can easily be lost or stolen, and users may be tempted to download nonsecure apps that might conceal “malware” that could be used to steal confidential data. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization’s computer network remotely.

The revised guidelines recommend using a software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices that are used for government business. Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization’s computer network. They are typically used to manage the smart phones that many agencies issue to staff. The new NIST guidelines offer recommendations for selecting, implementing, and using centralized management technologies for securing mobile devices.

“Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats,” explains co-author and NIST guest researcher Karen Scarfone.

Source: NIST Updates Guidelines for Mobile Device Security | DFI News.

What are your thoughts on the proposed update? 

“Android susceptible to sophisticated clickjacking malware”

Due to the loose restrictions Google places on its app marketplace?

Clickjacking rootkits could pose the next big threat for the Android platform, according to a research team out of North Carolina State University. Led by computer science professor Xuxian Jiang, the team has developed a prototype clickjacking rootkit that’s more sophisticated than the other Android-oriented malware already out there.

This new prototype rootkit — which attacks the Android framework, rather than the kernel — differs from other malware in key ways, according to Jiang. “Unlike other rootkits for the platform, this one can function without a restart and without deep modification of the underlying firmware,” Jiang explained in a video in which he demonstrates the rootkit in action. “But it can still do all the things that a rootkit wants to do, such as hide or redirect apps.”

Source: Android susceptible to sophisticated clickjacking malware | Mobile security – InfoWorld.

In other words, just as with other computing devices, keep anti-virus software up-to-date.

Widely used Web attack toolkit exploits unpatched MSXML flaw


An exploit for an unpatched vulnerability in the MSXML (Microsoft XML Core Services) has been incorporated into Blackhole, one of the most widely used Web attack toolkits, according to security researchers from antivirus firm Sophos.

The security flaw is identified as CVE-2012-1889 and is what security researchers call a zero-day vulnerability — an actively exploited vulnerability for which an official patch doesn’t yet exist.

Source:  Widely used Web attack toolkit exploits unpatched MSXML flaw | Security – InfoWorld.

Be sure to keep that anti-virus up-to-date, and also apply the Fix it workaround Microsoft has made available until a patch ships.

“Top sites are covertly cramming cookies down users’ throats”

If you don’t like cookies …

“The number of websites that allow visitors to be tracked by third parties may be surprising to some, but as consumers begin to understand that their online behavior can be recorded, enterprises will have to work even harder to ensure that consumers’ privacy expectations are met,” said Ray Everett, Keynote’s director of privacy services.

According to Keynote, much of the data that companies collect via cookies is used for behavioral advertising. Third-party trackers place cookies to track a user’s clicks and path through the Web and to know what a visitor buys at any given site.

The problem here is, users don’t have a clear way of knowing which third parties are planting cookies, how they’re using the data they collect (beyond, say, providing more expensive travel offers to Mac users), or how well those third parties are protecting potentially sensitive data. Given that users are becoming increasingly concerned about their online privacy, site operators may feel greater pressure from customers, advocacy groups, and the feds to do a better job.

Consider this:

Looking at the 2,500 most popular websites, the researchers discovered that 87 percent had cookies and found a total of 442,055 cookies in all.

In other words there’s lots of baking and distributing of cookies going on.

Read more:  Top sites are covertly cramming cookies down users’ throats | Internet privacy – InfoWorld.

How to Break Into Security

Excellent interview over at “Krebs on Security” with security rock star Bruce Schneier.

First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

Read the entire interview:  How to Break Into Security, Schneier Edition — Krebs on Security.

“Cybercrime moves to the cloud”

Proof that there is always risk with technology despite advances.

The same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims’ own computers.

Security and privacy experts have long worried that criminals would launch attacks on the servers storing the data in cloud environments. But a report released this week from McAfee and Guardian Analytics shows that criminals are now using the cloud infrastructure itself to get more capability out of their campaigns.

“They are leveraging the cloud,” Brian Contos, senior director of emerging markets at McAfee, said in an interview. “This is the first time we’ve ever seen this.”

Read all the details:  Cybercrime moves to the cloud | Security & Privacy – CNET News.
