|
Archive for the ‘Penetration testing’ Category
Thursday, July 24th, 2008
A google search for poison still returns a top result for one of the tackiest 80s pouty lipped glam bands around. They are still on tour, and they probably haven’t even heard of Dns.
Dns cache poisoning (there is a fine wiki for it) vulnerabilities have been all the rage on various security research mail lists for the past couple weeks and should be at the top of any search result list now. New working exploits targeting those vulnerabilities have been created and distributed. Coincidentally, Blackhat is being held next week, where Dan Kaminsky will present his original findings on it. Dan Kaminsky reportedly grouped together a huge number of dns providers and got a patch properly worked out and distributed for this thing.
What does “DNS Insufficient Socket Entropy Vulnerability” really mean to the average end user? Before you ask, there is a hitch. What was supposed to remain mysterious and closeted within the shadowy network security and dns administrator community has been released full force via full disclosure and Metasploit, the open source pen testing tool project run by HD Moore and friends. This addition means that this potentially dangerous information is public and potentially freely usable.
So now go ahead and ask. What does “DNS Insufficient Socket Entropy” really mean to me? If you are a standard user, you’re probably not administering a Dns server, but you (possibly unknowingly) are using Dns. Your ISP maintains these DNS servers, or the routes to them, for you. It is these systems that tell your browser what server to connect with when you are visiting “www.google.com”. They need to send your browser’s requests to your bank’s authentic web site when you attempt to browse it, instead of some creaky old mock up hosted in the furthest reaches of the planet. While you are dependent on Dns servers working properly and supporting “sufficient entropy”, there most likely is nothing you directly can do to administer and patch them.
In the meantime, visit the Microsoft Update site to check for new updates and ensure that third party software on your system is patched. Dns admins need to get their servers patched.
You can check Dan Kaminsky’s own site here or another tool here for information to present to your ISP, if they haven’t yet patched.
Update: Dan Kaminsky posted additional information that “DNS clients are at risk, in certain circumstances”, and that microsoft is patching multiple other dns client-side vuln (”has received two MSRC fixes in the past six months”). So, while the major focus is on the Dns servers, be sure to visit the windowsupdate site and patch away!
Posted in Disclosure, Dns, Exploit, Penetration testing | No Comments »
Wednesday, May 14th, 2008
Another open source fuzzing toolkit update was released today, the “Peach Fuzzing Platform v2.0″.
Fuzz. As in Peach. Ha!
Anyways, how does fuzzing effect the security of one’s computer? Directly, it does not. Indirectly, it does.
Fuzzing an application or service is the process of introducing malformed and unexpected input, often in combination with expected input, to an application consuming data. This process can identify bugs or flaws in software, and lead to the identification of buffer overflows, format string errors. Once these bugs are uncovered, determined individuals may sometimes write code to exploit these bugs. Not all bugs are exploitable.
The easier, more open and popular it is to fuzz applications, the more likely it is that vulnerabilities are found in applications. The frequent hotfixes and updates that Microsoft releases to patch the vulnerabilities in their OS and browser software sometimes are found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it, the largest fuzzing project in the history of software development was performed by the Microsoft developers and security teams themselves over the past couple of years on their own compiled code.
The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third party plugins like those from Quicktime and Adobe, most any software.
ImmunitySec and Dave Aitel has been releasing this sort of software for years, with SPIKE, SPIKE proxy, and Sharefuzz.
What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We’d love to hear from you.
Posted in Blackhat, Exploit, Penetration testing, Software Release | No Comments »
Monday, December 31st, 2007
A “Strategy” thread was started on the DailyDave mail list by Dave himself, criticizing information warfare papers:
“If you’re reading an information warfare book or paper you’ll invariably see a lot of:
1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an “asymmetric attack”
Dave goes on to drop a couple product names and then describe the money saving mono-culture Microsoft technology implementations within the US .com and .mil communities, and describes it as poor strategy:
“Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.”
Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although, I’m not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a cloudy window into actual events.)
Any way you slice it, in light of the sheer volume of security breaches, Dave’s statement about the mono-culture of .com and .mil communities is a troubling one — in spite of a year of record profits for the .com community and record budgets for the .mil community, it seems that technology implementations still are not getting the budget or focus that they require when it comes to effectively addressing security needs.
Another poster on the list responded to Dave’s complaints by posting a book review about “Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice” by William McRaven, a U.S. Navy SEAL commanding officer. I got a chance to check it out this past week and the eight case studies McRaven analyzes really are fascinating (if you’re a bit of a military history buff). The theory and principles at the beginning of the book (summarized on the DailyDave post) can be applied to analysis of the targeted attacks that have become much more commonplace on the net. It’s a stimulating read for security enthusiasts, and applies well to the ongoing security breaches around the world:
“If you can’t draw the parallels to general security practices from those principles then the book is not for you, otherwise you might find yourself ripping through the book and thinking in an entirely different light by the final chapter.”
Posted in Book/Doc review, Penetration testing, Security breach, Strategy | No Comments »
|
|
|
|
