Wednesday, July 2, 2008

The FISMA paradigm

Security policies remain a burden to federal IT managers, but they are producing results

There is no question that the Federal Information Security Management Act has changed the way information technology managers do their jobs. It has changed the way agencies write requests for proposals and set standards for vulnerability and configuration scanning — and it eats up days and weeks in the production of reports.

The question remaining is whether federal IT systems are more secure now.

Courtesy of Government Computer News.

NIST revises IT security guides

The National Institute of Standards and Technology has released final revisions to three of its 800 series of special publications on information technology security.

Courtesy of Government Computer News.

(IN)SECURE Magazine Issue 17 released

The latest version of (IN)SECURE Magazine has been released. Download it over here.

The covered topics are:

* Open redirect vulnerabilities: definition and prevention
* The future of security is information-centric
* Securing the enterprise data flow against advanced attacks
* Bypassing and enhancing live behavioral protection
* Security flaws identification and technical risk analysis through threat modeling
* Migration from e-mail to web borne threats
* Security training and awareness: strengthening your weakest link
* Assessing risk in VoIP/UC networks
* Building a secure wireless network for under $300
* Reverse engineering software armoring
* Point security solutions are not a 4 letter word
* Corporate due diligence in India: an ICT perspective
* Hacking Second Life
* AND MORE!

Wednesday, June 25, 2008

New Trojan Leverages Unpatched Mac Flaw

A tool for exploiting an unpatched security hole in Mac OS X systems has been developed and until earlier today was being distributed through an online forum that caters to Mac hackers, Security Fix has learned.

The exploit tool, labeled "Applescript Trojan horse template" by hackers at Macshadows.com, appears to be a collective and ongoing effort to create a package of malicious software that capitalizes on the ARDagent security hole first publicized last week. The vulnerability essentially allows any program to run on a Mac user's machine without first prompting the user to enter his or her user name and password.

Currently, the Macshadows user forum appears to have been wiped clean, both from the Macshadows.com Web site and from Google's cache. However, Security Fix obtained screen shots of forum postings from the code's authors, which are sprinkled throughout this blog entry. It appears that development of this malware started back in mid-May.

Courtesy of Security Fix.

Two New Mac OSX Trojans

Trojan number one:

A report of an Apple Remote Desktop Agent vulnerability recently surfaced. Now there's news of a trojan that can exploit the flaw.

The exploit tool, called "Applescript Trojan horse template" was crafted by forum participants of MacShadows.com. These guys appear to have been hobbyist hackers interested in testing the ARDAgent vulnerability. It doesn't appear to be in the wild at present. We detect it as Backdoor.Mac.Hovdy.a.

What's the ARDAgent flaw? In a nutshell, ARDAgent runs Applescript with root privileges. So once the victim is tricked into installing Hovdy, no user passwords are required for it to do its thing, which is provide backdoor access to the attacker.

You can read more details from Security Fix here and here. SecureMac's advisory is here.

Trojan number two:

There was also another Mac OSX trojan discovered last week.

This one was found by Intego. We detect it as Trojan-PSW:OSX/PokerStealer.A.

New danger from PDF files

Adobe reports that a hole in its Acrobat and Adobe Reader products is actively being exploited. It appears that the programs do not check the parameters of a JavaScript method adequately. As a result, attackers can use crafted PDF files to execute code at the privilege level of the logged-on user or at least to crash the system. The vendor gives no further details.

Similar holes have often been exploited in the past to deploy malicious software via web pages on a large scale. As recently as the beginning of June, F-Secure warned about targeted attacks involving PDF trojans that were sent out via e-mail.

Versions up to 7.0.9 and versions 8.0 to 8.1.2 of Reader and Acrobat are affected. Adobe has released updated versions which no longer contain the flaw. Due to the imminent danger it is advisable to update immediately.

See also:

* Security Update available for Adobe Reader and Acrobat 8.1.2, Adobe security bulletin
* Web pages infecting PCs via vulnerabilities in Adobe Reader heise Security news

Courtesy of heise Security.

Exploits appear for holes in MS Word and WordPad

Demo exploits have been released for as yet unpatched vulnerabilities in Microsoft Word and WordPad which cause the programs to crash. In his advisory, exploit author Ivan Sanchez claims that he was able to reproduce the vulnerability in Word with Office 2000 and 2003 under Windows XP with SP2 and SP3. The vulnerability is said to be caused by the flawed processing of unordered lists. No details are available about the hole in WordPad, which is said to affect version 5.1 under XP with SP2 and SP3. Other product versions are also likely to be affected.

Sanchez suspects that attackers may also be able to exploit the two vulnerabilities to inject and execute arbitrary malicious code. In addition, he warns that the hole is currently being exploited actively but gives no further details. WordPad is part of the standard Windows installation. Until Microsoft has released patches, users are advised not to trust DOC files from unknown sources, even if they have installed all the previous updates.

Courtesy of heise Security.

BackTrack Final 3 Hacking LiveCD Released For Download

If you don’t know, BackTrack is a top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.

Back in January we mentioned that BackTrack Live Hacking CD BETA 3 had been released; at last the final version is ready for download!

New Stuff

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining….We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN’ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability

For the first time we distribute three different versions of BackTrack 3:

* CD version
* USB version
* VMWare version

You can download BackTrack 3 Final here:

http://remote-exploit.org/backtrack_download.html

Or read more here.

Monday, June 2, 2008

Nessus 3.2.1 Released

Tenable Network Security has released version 3.2.1 of the Nessus vulnerability scanner. This point release includes a variety of small bug fixes as well as a new report filtering interface for the Nessus client. This blog entry will discuss the new Nessus features, bug fixes and reporting filters for the Nessus Client.

Wednesday, April 23, 2008

(IN)SECURE Magazine Issue 16 released

The latest version of (IN)SECURE Magazine has been released. Download it over here.

The covered topics are:

* Security policy considerations for virtual worlds
* US political elections and cybercrime
* Using packet analysis for network troubleshooting
* The effectiveness of industry certifications
* Is your data safe? Secure your web apps
* RSA Conference 2008 / Black Hat 2008 Europe
* Windows log forensics: did you cover your tracks?
* Traditional vs. non-traditional database auditing
* Payment card data: know your defense options
* Security risks for mobile computing on public WLANs: hotspot registration
* Network event analysis with Net/FSE
* Producing secure software with security enhanced software development processes
* AND MORE!

Thursday, February 14, 2008

(IN)SECURE Magazine Issue 15 released

The latest version of (IN)SECURE Magazine has been released. Download it over here.

The covered topics are:

* Proactive analysis of malware genes holds the key to network security
* Advanced social engineering and human exploitation
* Free visualization tools for security analysis and network monitoring
* Internet terrorist: does such a thing really exist?
* Weaknesses and protection of your wireless network
* Fraud mitigation and biometrics following Sarbanes-Oxley
* Application security matters: deploying enterprise software securely
* The insider threat: hype vs. reality
* How B2B gateways affect corporate information security
* Reputation attacks, a little known Internet threat
* Data protection and identity management
* The good, the bad and the ugly of protecting data in a retail environment
* Malware experts speak: F-Secure, Sophos, Trend Micro
* AND MORE!

Tuesday, January 29, 2008

METASPLOIT UNLEASHES VERSION 3.1

Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework. The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits. "Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community" said H D Moore, project manager. Moore is referring to the numerous research projects that have lent code to the framework.

These projects include the METASM pure-ruby assembler developed by Yoann Guillot and Julien Tinnes, the "Hacking the iPhone" effort outlined in the Metasploit Blog, the Windows kernel-land payload staging system developed by Matt Miller, the heapLib browser exploitation library written by Alexander Sotirov, the Lorcon 802.11 raw transmit library created by Joshua Wright and Mike Kershaw, Scruby, the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain Sarmejeanne, and a contextual encoding system for Metasploit payloads. "Contextual encoding breaks most forms of shellcode analysis by encoding a payload with a target-specific key" said I)ruid, author of the Uninformed Journal (volume 9) article and developer of the contextual encoding system included with Metasploit 3.1.

Friday, January 4, 2008

Four Out of 10 Networks Not Secure

One in four IT executives want senior management to have a better understanding of security issues

JANUARY 4, 2008 | ST. AUGUSTINE, Fla. -- A new survey shows that nearly half of small companies in the United States believe that employees with a better knowledge of security issues and the part they play in a company's IT set-up would help to improve network security, while one in four say that even management should be more aware of security issues and threats.

The survey of 455 IT executives at small and medium sized businesses in the United States found that 48 percent said that awareness on security issues among employees -- the "weakest link" -- was a key factor that could lead to better overall security.

The research was carried out by polling company eMediaUSA on behalf of GFI Software. Coolcat Inc is a solution provider and discount reseller of network security, content security, and messaging software. The survey also found that employees are not the only people who need to be "educated." One in four IT executives want senior management to have a better understanding of security issues as this could have a bearing on the overall level of network security, and possibly, the range of security measures that could be implemented. Only 10 percent of SMBs said they would need more human resources, while 12 percent said network security would improve if they had larger budgets. Seth Oxhandler contends that you don't need larger budgets, you just need to spend your money better.

The survey shows that four in 10 SMBs feel their networks were not secure enough, with email viruses named as the biggest security threat. When asked about their major daily concerns, 71 percent of respondents cited downtime and tackling security issues, while 51 percent said user support was a daily concern. Both could be taken care of through services provided by COOLCAT INC.

Courtesy of Dark Reading

First Serious Facebook Hack?

Researchers at security gateway vendor Fortinet uncover an adware-distribution scheme on Facebook, considered to be the first attack propagated on the wildly popular online portal.

Matt Hines, Infoworld
Thursday, January 03, 2008 4:00 PM PST

Researchers at security gateway vendor Fortinet have uncovered an adware-distribution scheme being carried out on the Facebook social networking site considered to be the first attack propagated on the wildly popular online portal.

Disguised as a legitimate "Secret Crush" request on the site designed to inform Facebook users about other members who find them attractive, the application instead attempts to secretly install an adware program made by Zango after it has been successfully downloaded.

The Secret Crush program also tries to lure people who download the file to pass it along to other Facebook members they know, according to Fortinet's research.

The security vendor also contends that as many as 3 percent of Facebook's almost 60 million registered users have already downloaded the adware-bearing program.

Courtesy of PC World

Firefox Hit With Spoofing Bug

A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher says.

Gregg Keizer, Computerworld

A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher said Wednesday.

Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.

According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.

Raff outlined a pair of possible attack vectors. One would rely on a malicious site that included a link to a trusted site -- a well-known bank, say, or a Web e-mail service such as Gmail or Hotmail -- that when clicked would display its usual log-on dialog. In the background, however, the attacker would have crafted a script that exploited the Firefox vulnerability to redirect the username and password entered by the user to the hacker's server instead of the real deal.

Alternately, a rigged image could be delivered via e-mail or embedded in a blog or MySpace page that when clicked generated a legitimate-looking log-on dialog.

Raff's video -- a lower-resolution version is on YouTube -- shows a spoof of Google Inc.'s Checkout payment system; it can be downloaded from here.

"Until Mozilla fixes this vulnerability, I recommend not to provide username and password to Web sites which show this dialog," said Raff in his blog.

The company last patched Firefox in late November when it updated the browser to 2.0.0.11. Thursday, Mozilla's chief of security, Window Snyder, would only say that her team is investigating Raff's claims.

Courtesy of PCWorld
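As an added defender-side illustration of the realm problem in the Firefox item above (this is example code, not from the article, from Raff or from Mozilla), the snippet below parses the realm out of a Basic challenge, flags the characters the article calls out, and builds a dialog string that names the serving host first and shows the realm as an escaped, length-bounded literal. The challenge strings and the host name are constructed for the example.

```python
import re

# Constructed sample challenges (not from the article): a plain realm, one
# carrying a single quote, spaces and a foreign host name, and one with CRLF.
SAMPLE_CHALLENGES = [
    'Basic realm="Staff Intranet"',
    "Basic realm=\"Log in at 'accounts.example-bank.test' to continue\"",
    'Basic realm="Area\r\nSecond line"',
]
SERVING_HOST = "cdn.example.test"  # constructed: host that actually sent the challenge

# quoted-string as in RFC 2617: a backslash escapes any character inside the quotes
REALM_RE = re.compile(r'realm="((?:[^"\\]|\\.)*)"', re.IGNORECASE)
HOSTNAME_RE = re.compile(r'\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b', re.IGNORECASE)

def parse_realm(challenge):
    """Return the unescaped realm of a Basic challenge, or None if absent."""
    m = REALM_RE.search(challenge)
    return re.sub(r'\\(.)', r'\1', m.group(1)) if m else None

def realm_findings(realm, serving_host):
    """Heuristics a proxy or log review could apply before a dialog is shown."""
    findings = []
    if "'" in realm:
        findings.append("single quote")          # the character the article cites
    if re.search(r'[\x00-\x1f\x7f]', realm):
        findings.append("control characters")
    others = {h.lower() for h in HOSTNAME_RE.findall(realm)} - {serving_host.lower()}
    if others:
        findings.append("names other host: " + ", ".join(sorted(others)))
    return findings

def safe_prompt(serving_host, realm, limit=60):
    """Hardened dialog text: origin first, realm as an escaped, bounded literal."""
    cleaned = re.sub(r'\s+', ' ', re.sub(r'[\x00-\x1f\x7f]', ' ', realm)).strip()
    if len(cleaned) > limit:
        cleaned = cleaned[:limit - 3] + "..."
    literal = cleaned.replace('\\', '\\\\').replace('"', '\\"')
    return f'{serving_host} is asking for a username and password. It says: "{literal}"'

if __name__ == "__main__":
    for ch in SAMPLE_CHALLENGES:
        realm = parse_realm(ch)
        print(realm_findings(realm, SERVING_HOST), "->", safe_prompt(SERVING_HOST, realm))
```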