Category Archives: Security
An interesting and fun way to teach ethical hacking.
Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 confab here that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators “use carrots, not sticks.”
“Humor creates an open atmosphere,” that helps break down the shyness of learning, he said during the conference session about the game. He explained that people are more likely to ask questions about things that they think they should’ve already learned if it’s part of a game.
Games, he noted, have a spectrum from being as easy to learn as Go or dice games, all the way through Dungeons and Dragons or Settlers of Catan. Choosing a game to base Control-Alt-Hack on that involved humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.
In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 “person” cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.
Look for it on store shelves later this year.
- Control-Alt-Hack: Can You Teach Hacking with a Card Game? (tomshardware.com)
- Card Game Turns You Into a White Hat Hacker (pcworld.com)
- Old-school card game delves into the dark world of computer security breaches (geekwire.com)
A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.
The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.
Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.
However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
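The mechanism described above can be made concrete with a small, hypothetical request-path normalizer. This is an added illustration, not code from Ristic's tool, ModSecurity or any WAF vendor; the rule, the sample paths and the helper names (`canonical_path`, `naive_rule_blocks`, `canonical_rule_blocks`, `compare`) are all constructed here. It shows the defender's side of the problem: a rule matched against the literal request line misses paths that a backend would resolve to the same resource, while the same rule applied after canonicalization (bounded percent-decoding, slash collapsing, dot-segment resolution, case folding) catches them.

```python
"""Added example: why a WAF rule must be applied to a canonical request path.

Hypothetical, minimal normalizer (not ModSecurity's or any vendor's code).
A rule written against the raw request line can miss a path whose encoding
or dot-segments have been varied; matching on the canonical form closes
that gap. Whether case folding is correct depends on the backend; it is
applied here because the constructed backend treats paths case-insensitively.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample rule: deny any request whose path reaches /admin.
BLOCKED_PREFIX = "/admin"


def canonical_path(raw_path: str, max_decode_rounds: int = 3) -> str:
    """Percent-decode (bounded, to handle double encoding) and resolve
    '.', '..', repeated slashes and case, returning a path that starts with '/'."""
    path = raw_path.split("?", 1)[0]            # drop the query string
    for _ in range(max_decode_rounds):          # bounded: never loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")              # constructed backend accepts backslash
    path = re.sub(r"/{2,}", "/", path)          # collapse runs of slashes (normpath keeps '//')
    path = posixpath.normpath(path)             # resolves /./ and /../ segments
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def naive_rule_blocks(raw_path: str) -> bool:
    """The rule applied to the raw request line, as a poorly configured WAF might."""
    return raw_path.startswith(BLOCKED_PREFIX)


def canonical_rule_blocks(raw_path: str) -> bool:
    """The same rule applied after canonicalization."""
    return canonical_path(raw_path).startswith(BLOCKED_PREFIX)


# Constructed sample requests; each resolves to /admin/users on the constructed backend.
SAMPLES = [
    "/admin/users",             # literal form: both variants of the rule match
    "/%61dmin/users",           # percent-encoded 'a'
    "/%2561dmin/users",         # double percent-encoding
    "/public/../admin/users",   # dot-segment traversal
    "//admin/users",            # doubled leading slash
    "/Admin/users",             # case variation
]


def compare(samples=SAMPLES):
    """Return {path: (naive_blocked, canonical_blocked)} for each sample."""
    return {p: (naive_rule_blocks(p), canonical_rule_blocks(p)) for p in samples}


if __name__ == "__main__":
    for path, (naive, canonical) in compare().items():
        print(f"{path:28} naive={naive!s:5} canonical={canonical!s:5} -> {canonical_path(path)}")
```

Running the block prints one line per sample; only the literal `/admin/users` is caught by the raw-line rule, while every variant is caught once the path is canonicalized. In a real deployment the normalization must mirror what the protected backend actually does (its decoding rounds, separator handling and case sensitivity), since a mismatch in either direction is exactly the gap that protocol-level evasion exploits.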
The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.
In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.
Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.
The question is whether this public release of the research will kick-start the discussion that Mr. Ristic hopes for.
- Vulnerabilities in open source WAF ModSecurity (net-security.org)
- Protocol-Level Evasion of Web Application Firewalls (community.qualys.com)
- Web Application Firewalls and the False Sense of Security They can Create (acunetix.com)
Another day, another set of cracking tools.
Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator. The tools crack WPA2 (Wi-Fi Protected Access) and VPN passwords used by corporations and organizations running networks that are protected by the PPTP (Point-to-Point Tunneling Protocol), which uses MS-CHAPv2 for authentication.

ChapCrack captures the MS-CHAPv2 handshakes, or SSL (Secure Sockets Layer) negotiation communications, and converts them to a token that can be submitted to CloudCracker. It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack, where the DES (Data Encryption Standard) keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.

The tools are designed for penetration testers and network auditors to use to check the security of their WPA2-protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.
Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP.
- Stronger password hashing in .NET with Microsoft’s universal providers (troyhunt.com)
- Wireless Internet Security (techhelpertoday.wordpress.com)
Symform, a revolutionary cloud storage and backup service, today announced enhancements to its Cloud Storage Network that improve the performance, security and international capabilities of Symform’s innovative peer-to-peer backup model. The new version accelerates data upload times for large data sets, offers more options for privacy control and supports long file path names and international characters. These features are in direct response to the global adoption of Symform’s Cloud Network by small and medium businesses in 150 countries and the continued explosive growth of digital data needing to be protected and stored.

“At Symform, we are constantly searching for new and better ways to serve our fast-growing global customer base by offering a solution that is widely accessible and more affordable than costly, traditional cloud storage models,” said Praerit Garg, president and co-founder of Symform. “We take pride in offering the industry’s first decentralized cloud back-up and storage solution, and are continuing to innovate and perfect that model with each new release.”

In a recent Symform survey, respondents overwhelmingly cited the cost of cloud storage as a top concern, particularly among resource-strapped small and mid-sized businesses (SMBs). Symform offers a dramatic alternative to traditional ‘data center-reliant’ cloud storage models, using a peer-to-peer network of contributors and consumers that keeps costs to a minimum while ensuring the highest levels of security and reliability.
One of the keys with technology is to improve and enhance while remaining secure and reliable. It looks as if Symform is doing that while also keeping their service cost-effective. Check the source to see what innovations came with the latest release.
- We Need More Peer-to-Peer Shared Cloud Infrastructure (sys-con.com)
Mobile devices allow workers, including government employees, to work in multiple locations and to improve their efficiency. But the same features that make these devices desirable make them a security challenge. Mobile devices can easily be lost or stolen, and users may be tempted to download nonsecure apps that might conceal “malware” that could be used to steal confidential data. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization’s computer network remotely.
The revised guidelines recommend using a software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices that are used for government business. Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization’s computer network. They are typically used to manage the smart phones that many agencies issue to staff. The new NIST guidelines offer recommendations for selecting, implementing, and using centralized management technologies for securing mobile devices.
“Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats,” explains co-author and NIST guest researcher Karen Scarfone.
Due to the loose restrictions Google places on its app marketplace?
Clickjacking rootkits could pose the next big threat for the Android platform, according to a research team out of North Carolina State University. Led by computer science professor Xuxian Jiang, the team has developed a prototype clickjacking rootkit that’s more sophisticated than the other Android-oriented malware already out there.
This new prototype rootkit — which attacks the Android framework, rather than the kernel — differs from other malware in key ways, according to Jiang. “Unlike other rootkits for the platform, this one can function without a restart and without deep modification of the underlying firmware,” Jiang explained in a video in which he demonstrates the rootkit in action. “But it can still do all the things that a rootkit wants to do, such as hide or redirect apps.”
In other words, just as with other computing devices, keep anti-virus software up-to-date.
- Researchers create prototype Android clickjacking rootkit (androidauthority.com)
- “Clickjacking” Android could lead to app level phishing (h-online.com)
An exploit for an unpatched vulnerability in the MSXML (Microsoft XML Core Services) has been incorporated into Blackhole, one of the most widely used Web attack toolkits, according to security researchers from antivirus firm Sophos.
The security flaw is identified as CVE-2012-1889 and is what security researchers call a zero-day vulnerability — an actively exploited vulnerability for which an official patch doesn’t yet exist.
Be sure to keep that anti-virus up-to-date and also utilize the Fix-It tool Microsoft has made available.
- Hackers exploit Windows XML Core Services flaw (infoworld.com)
- Danger! Unpatched Microsoft security vulnerability being actively exploited (nakedsecurity.sophos.com)
- CVE-2012-1889: MSXML use-after-free vulnerability (eset.com)
Excellent interview over at “Krebs on Security” with security rock star, Christian Schneier.
First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.
In general, though, I have three pieces of advice to anyone who wants to learn computer security:
Read the entire interview: How to Break Into Security, Schneier Edition — Krebs on Security.
Proof that there is always risk with technology despite advances.
The same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims’ own computers.

Security and privacy experts have long worried that criminals would launch attacks on the servers storing the data in cloud environments. But a report released this week from McAfee and Guardian Analytics shows that criminals are now using the cloud infrastructure itself to get more capability out of their campaigns.

“They are leveraging the cloud,” Brian Contos, senior director of emerging markets at McAfee, said in an interview. “This is the first time we’ve ever seen this.”
Read all the details: Cybercrime moves to the cloud | Security & Privacy – CNET News.
- Q&A of the Week: ‘The current state of the cybercrime ecosystem’ featuring Mikko Hypponen (zdnet.com)
- Debunking cybercrime myths (lightbluetouchpaper.org)
- Cybercriminals build massive banking fraud system in the cloud (pcadvisor.co.uk)