InfoSec News

While the media at large is all agog at Stuxnet, they probably would do better to keep their writers looking at Zeus. Zeus/Zbot must be one of the most successful banking trojans ever. It's been around for three (four?) years, and no doubt has made some of its originators very, very rich. McAfee last week published a write-up on the capabilities that come with the recent Zeus build kit. Yes, there's an actual application that lets you create custom versions of Zeus. If you're an online banking user who feels safe because your bank uses one-time passwords, or because it sports one of these cute on-screen keyboards, think again: Zeus has them all in the bag. Brian Krebs regularly reports on the latest frauds linked to this family of malware. Recently, he wrote about a church that lost $600k from its accounts to key-logging malware.
Somehow, it looks like the banks either don't care, or don't grasp the concept of defense in depth, or both. Here are four simple measures that would make online banking fraud a whole lot harder:
* Changing my email address on file can only be done by visiting my bank branch in person

* Changing the email address triggers an email to the old address

* Adding a new payee that was never before used triggers an email

* A new payee can only be used for a payment or transfer 7 days after it has been added
There, dear banks: All of this can be implemented basically for free. You can even allow your customers to opt-in voluntarily. You'll be surprised how many of them do so - you know, folks and organizations who actually earn their money the hard way seem to oddly enough care a whole lot about keeping it safe.
I have no doubt that a new Zeus version would eventually find a way around these measures. But if you don't fight, you have already lost. Banks, get off your collective behinds, and evolve, please. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft is rushing out a fix for a Windows Web server flaw that is starting to be exploited by online attackers.
 
Microsoft is going to release an Out-of-Band Security bulletin tomorrow, 28 September 2010, which will address a security vulnerability in ASP.Net affecting all current versions of Windows.
References:
http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
Keep an eye on this one, folks! More information is sure to follow.
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
Research in Motion launched its first tablet PC on Monday, sporting a new OS from QNX. Here's a visual tour.
 


 
RIM unveiled an "enterprise-ready" BlackBerry Playbook tablet on Monday that features front and rear high-definition cameras, a dual-core 1 GHz processor and a new BlackBerry Tablet OS.
 
U.S. Web users are increasingly asking for tougher online privacy protections, even as they give more of their personal data to Web sites, a U.S. official said Monday.
 
After 12 years in business, Google has become the dominant company in the online world, the one that other technology giants, like Microsoft, Apple and Yahoo, have to fend off and react to.
 
The radical redesign of the Digg Web site in August appears to have prompted many users to abandon social news site, according to Hitwise.
 
IT shops push BlackBerry smartphones on workers for added security, but a new survey shows workers are less likely to be highly satisfied with them, compared with phones that the users choose themselves.
 
A security researcher today revealed yet another way that the Stuxnet worm spreads, a tactic that can re-infect machines that have already been scrubbed of the malware.
 
Study finds the need for more oversight of state agencies and recommends new laws that hold agencies and third-party service providers accountable for their security programs.
 
In previous parts of this series we discussed nmap parsing in Part I http://isc.sans.edu/diary.html?storyid=9091, and nessus parsing in Part II http://isc.sans.edu/diary.html?storyid=9328. The nessus parse script has been updated as a number of people have recommended changes or improvements. The latest version of the .nessus v2 report parsing script is here: parsenessusv2mysql.pl
The majority of the examples I give use a command line interface and are typically run on Linux. They can be ported to Windows or other platforms quite easily.
For Part III of vulnerability assessment testing automation and reporting we will discuss:

using nmap results to configure nessus scans;
using the nessus XMLRPC interface to kick off nessus scans;
converting .nessus v1 files to .v2;
and splitting up large .nessus v2 files.

Using nmap results with nessus
A good reference for using nmap with nessus is the documentation at the following:

http://www.nessus.org/documentation/index.php?doc=nmap-usage
The first step is to download the nasl files to use nmap with nessus:

wget http://www.nessus.org/documentation/nmapxml.nasl
wget http://www.nessus.org/documentation/nmap.nasl

Copy them to the nessus plugins directory:

sudo cp nmapxml.nasl /opt/nessus/lib/nessus/plugins/
sudo cp nmap.nasl /opt/nessus/lib/nessus/plugins/

Stop the nessus daemon (on Ubuntu):

sudo /etc/init.d/nessusd stop

Recompile the nessus plugins:

sudo /opt/nessus/sbin/nessusd -R

Start nessus back up (on Ubuntu):

sudo /etc/init.d/nessusd start
One way to tell whether the above was successful is to log into https://localhost:8834 (the nessus XMLRPC interface, using a web browser; requires Flash) and create a new policy. If "Nmap (NASL wrapper)" and "Nmap (XML file importer)" show up under the preferences, it worked. The script that feeds nmap XML files into the nessus configuration via the XMLRPC interface is shown in the next section.
Using the nessus XMLRPC interface to kick off nessus scans
If in the past you kicked off your nessus scans on the command line it probably looked something like this:
/opt/nessus/bin/nessus -V -T nessus -q localhost 1241 username password $host.ip $host.nessus
This was great for scripting and running cron jobs. The side effect of this method is that the output formats typically used were .nbe or .nessus v1 files. .nbe files were easy to parse, but they carried very little of the wealth of metadata available in the .nessus formats. The .nessus formats, being XML, are even easier to parse and contain much more information than previous nessus reports. Tenable has indicated that the .nbe format and the old nessus command line tool are being phased out. In order to get the same output format as the GUI clients (v2) and still be able to run scans and interact with the nessus server from a command line, the XMLRPC interface was introduced. The Net::Nessus::XMLRPC perl module is a great way to script nessus scans. I also use it to convert the many .v1 files I have to the .v2 format, as in the script in the next section. The perl module can be found here: http://search.cpan.org/~kost/Net-Nessus-XMLRPC-0.30/ and is usually installed like this: sudo cpan Net::Nessus::XMLRPC
The script is located here: http://handlers.dshield.org/adebeaupre/runscannessusxmlrpc.pl
Usage: runscannessusxmlrpc.pl [options]

Options:

-u, --user        Nessus username (string) - defaults to nessus
-p, --password    Nessus password (string) - defaults to password
-s, --scanname    Name to give the nessus scan (string) - defaults to XMLRPC scan
-n, --policyname  Name of the nessus policy template to use - defaults to first in list
-l, --list        Text file containing a list of targets (string) - required
-x, --nmapxml     File containing nmap xml results (string) - optional
-c, --copy        Flag to copy the policy (flag) - optional
-q, --quiet       Only print errors (flag)
-h, --help        Brief help message (flag)
Example: ./runscannessusxmlrpc.pl -u nessus -p password -s scan-name -l targetlist
Converting .nessus v1 files
If you run (or used to run) your nessus scans using the old cli interface, the reports generated follow the .nessus v1 file format. These can be parsed using a variety of scripts and tools; however, the .nessus v2 file format contains much more data and is easier to process. One simple way to convert them is to upload them via the nessus XMLRPC interface. This can be done in the GUI, or, more easily, by creating a text file that contains the names of the .v1 files to upload and running a script.
The script is located here: http://handlers.dshield.org/adebeaupre/uploadreports2nessusxmlrpc.pl
Usage: uploadreports2nessusxmlrpc.pl [options]

Options:

-u, --user      Nessus username (string) - defaults to nessus
-p, --password  Nessus password (string) - defaults to password
-q, --quiet     Only print errors (flag)
-f, --file      List of Nessus version 1 results files (string)
-h, --help      Brief help message (flag)
Example: ./uploadreports2nessusxmlrpc.pl -u nessus -p password -f list-of-nessus-v1-files.txt
When the upload and scans are complete, the reports are here: /opt/nessus/var/nessus/users/nessususername/reports/
Splitting up large .nessus v2 files
One of the issues with parsing XML files is their format, another is choosing an XML parser, and a third is their size. Nessus reports can get quite large if you either scan a large number of hosts or have a large number of findings per host, which happens quite easily with a credentialed scan, for example. If you parse a large report with the parsenessusv2mysql.pl script you can get out-of-memory errors. That script uses the XML::DOM module, which loads the entire document into a tree; there are other XML parsers that do not. There are a few ways to avoid this issue, one of which is to split the nessus report into smaller chunks. The script below uses xml_split, which is part of the XML::Twig perl module. It is a simple bash script that takes a single parameter, the .nessus file to split. The number of hosts per report is set to 10 in the script, but can easily be changed (divisor). If the number of hosts in the original report is equal to or less than the divisor, the new report is identical to the old.
The script is located here: http://handlers.dshield.org/adebeaupre/splitnessusv2.sh
Example: ./splitnessusv2.sh nessusv2-test.nessus
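The same splitting idea done with a streaming parser, as an added example that is not the diary's splitnessusv2.sh: Python's ElementTree iterparse detaches each ReportHost as soon as it closes, so memory stays bounded by the chunk size rather than the whole report, and every chunk is a complete .nessus v2 document (Policy, Report attributes, N hosts) that a DOM-based importer can read on its own. The .nessus v2 structure assumed here is NessusClientData_v2 > Policy, Report > ReportHost; the sample report is constructed, not real scan output.

```python
import io
import xml.etree.ElementTree as ET
from copy import deepcopy


def split_nessus_v2(source, hosts_per_chunk=10):
    """Stream a .nessus v2 report from `source` (filename or binary file
    object); yield one complete .nessus v2 document string per chunk with
    the original <Policy>, the <Report> attributes and at most
    `hosts_per_chunk` (the diary's "divisor") <ReportHost> elements."""
    if hosts_per_chunk < 1:
        raise ValueError("hosts_per_chunk must be >= 1")
    policy = None   # <Policy> element, copied verbatim into every chunk
    report = None   # live <Report> element; finished hosts are detached from it
    pending = []    # ReportHost elements waiting to be written out

    def build_chunk(hosts):
        root = ET.Element("NessusClientData_v2")
        if policy is not None:
            root.append(deepcopy(policy))
        rep = ET.SubElement(root, "Report", dict(report.attrib))
        rep.extend(hosts)
        return ET.tostring(root, encoding="unicode")

    for event, elem in ET.iterparse(source, events=("start", "end")):
        if event == "start" and elem.tag == "Report":
            report = elem
        elif event == "end" and elem.tag == "Policy":
            policy = elem
        elif event == "end" and elem.tag == "ReportHost":
            if report is None:
                raise ValueError("ReportHost outside <Report>: not a .nessus v2 file")
            report.remove(elem)          # keep the partial tree from growing
            pending.append(elem)
            if len(pending) == hosts_per_chunk:
                yield build_chunk(pending)
                pending = []
    if pending:                          # remainder smaller than the divisor
        yield build_chunk(pending)


def constructed_report(host_count):
    """Constructed .nessus v2 report (not real output) with `host_count`
    hosts in the RFC 5737 documentation range; pluginID 0 is a placeholder."""
    hosts = "".join(
        f'<ReportHost name="192.0.2.{i}">'
        f'<HostProperties><tag name="host-ip">192.0.2.{i}</tag></HostProperties>'
        '<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" '
        'pluginID="0" pluginName="constructed finding" pluginFamily="constructed">'
        '<plugin_output>constructed output</plugin_output></ReportItem>'
        '</ReportHost>'
        for i in range(1, host_count + 1)
    )
    xml = ('<?xml version="1.0" encoding="UTF-8"?><NessusClientData_v2>'
           '<Policy><policyName>constructed-policy</policyName></Policy>'
           f'<Report name="constructed-scan">{hosts}</Report></NessusClientData_v2>')
    return io.BytesIO(xml.encode("utf-8"))


def hosts_in(chunk_xml):
    """Return (report name, host count) for a chunk, verifying it still
    carries the Policy an importer needs to process it stand-alone."""
    root = ET.fromstring(chunk_xml)
    if root.find("Policy/policyName") is None:
        raise ValueError("chunk lost its <Policy>")
    return root.find("Report").get("name"), len(root.findall("Report/ReportHost"))


def demo(host_count=5, hosts_per_chunk=2):
    src = constructed_report(host_count)
    return [hosts_in(c) for c in split_nessus_v2(src, hosts_per_chunk)]


if __name__ == "__main__":
    for name, n in demo():
        print(f"chunk of report {name!r}: {n} host(s)")
```

With a divisor at or above the host count the single chunk carries all hosts, matching the behaviour described for the bash script.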
I am more than open to suggestions, or better ways of doing things. Part IV will be parsing other tool outputs for database import that don't have a fancy XML format. Part V will be the scripts and techniques to wrap all of the other parts together following a reasonable methodology. Let us know if you use this script, something like it, or some other technique to manage security test data. Contact us or use the comment fields below.
Cheers,

Adrien de Beaupré

EWA-Canada.com
 
The Obama Administration is reportedly considering a statute that would make it easier for federal authorities to intercept communications over Facebook, Skype and BlackBerry -- an idea that's stoking anxiety within the privacy community.
 
Reader G. Michael is having a problem with Internet Explorer and other programs: when he runs them, they open in a non-full-size window. What he wants is for them to run maximized, meaning in a window that fills the screen.
 
Microsoft has partnered with Wordpress to move the millions of blogs hosted on the Windows Live Spaces blog publishing platform, which will be closed, the companies announced Monday.
 
Google Apps APIs can now be accessed by the emerging OAuth authentication protocol
 
OCZ today unveiled its second generation of consumer-class solid state drives, the Onyx 2, which sports read/write speeds of 270MB/sec and 265MB/sec, respectively.
 
A majority of mobile application developers see Google's Android as the smart bet over the long run even as they vote for Apple's iOS in the short term, according to a survey published Monday.
 
The Droid R2-D2, a special edition of the Droid 2 smartphone from Motorola, will be for sale Thursday for $249 after rebate online and at Verizon Wireless stores.
 
HP has completed its $2.35 billion merger with 3Par, just weeks after thwarting rival Dell in a bidding war for the storage vendor
 
The Millennial generation increasingly streaming into the workforce is less focused on money and more on being challenged and contributing to the larger good, preferably at a job where technology is important and where it's acceptable to chat with friends via IM and Facebook.
 
The European Union is currently losing the race to fund and foster research, but the game isn't over, says Europe's digital agenda commissioner.
 
Orange Business Services has formed an alliance with Cisco, EMC and VMware to help enterprises adopt private clouds, the company said on Monday.
 
Technology journalists stumble over each other to praise Apple, while Microsoft goes neglected
 
Hewlett-Packard, Intel and Yahoo have recruited more backers for Open Cirrus, their joint, open source project for cloud computing research.
 

The Two Most Important Questions in Cybersecurity
Forbes (blog)
The reason why this bizarre situation exists is due in large part to the fact that InfoSec is a hugely complex field addressing sometimes frightening ...

 
IBM is buying privately held data center switching company Blade Network Technologies to expand its data center portfolio into networking and heighten competition with rivals Hewlett-Packard, Dell and Cisco.
 
One of the biggest threats organizations face is losing sensitive information to theft by systems and network administrators with privileged access to vast amounts of corporate data.
 
Although some computers at Iran's Bushehr nuclear reactor were infected by the Stuxnet worm, none of the facility's crucial control systems were affected, Iranian officials said.
 
Tami asked the Antivirus & Security Software forum why friends are receiving spam that appears to come from her.
 
Virgin's Australian airline brand, Virgin Blue, experienced a system outage over the weekend, leaving thousands of passengers stranded.
 
InfoWorld's guide to driving a hard, smart IT bargain in a tough economy
 
The Pirate Bay copyright-infringement appeals trial will start on Tuesday, after being delayed for about a year due to allegations of bias directed at the two judges who will hear the case.
 
Google has been found guilty of libel by a French court as a result of the company's automated search suggestions. Google plans to appeal the ruling, a company spokeswoman said.
 
As interest in software-as-a-service grows, so too do concerns about SaaS security. Total cost of ownership used to be the most frequently cited roadblock among potential SaaS customers. But now, as cloud networks become more frequently used for strategic and mission-critical business applications, security tops the list.
 
Twitter has put a stop to a worm that posted obscene messages to victims' Twitter feeds. It's the second worm attack the site has suffered in a week.
 
CIO and author Steve Romeo persuaded Breg's executives to expand into the software-as-a-service business, offering physicians a Web-based inventory management system called Vision that has generated over $350,000 year-to-date in revenue.
 
While many large financial services firms recognize the intrinsic benefits of cloud computing, they're still hesitant to embrace it wholeheartedly because they have security and regulatory concerns about it.
 
The IT employment outlook is starting to improve, but the industry shed jobs last year at a much faster pace than it is now adding them.
 
The National Science Foundation announces four research projects aimed at developing a more robust and secure Internet architecture.
 
A W3C project may lead to Internet browsers that can read the content of Web pages aloud and allow users to fill in online forms via voice commands.
 
Intel CTO Justin Rattner describes a future with context-aware computing devices that learn their users' habits and preferences.
 
A good process has much in common with good code, but code is executed by machines, not humans.
 
IT vendors are facing ethical controversies over actions they take around the world, in countries like Russia, China and Africa.
 
Yes, says Frank Hayes, reliability is a problem with cloud computing. But an even bigger issue is all those round trips between your apps and your data.
 
InfoSec News: Iran confirms massive Stuxnet infection of industrial systems: http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
By Gregg Keizer Computerworld September 25, 2010
Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services [...]
 
InfoSec News: FBI joins investigation into MI6 spy's death: http://www.telegraph.co.uk/news/uknews/8024998/FBI-joins-investigation-into-MI6-spys-death.html
By Gordon Thomas and Patrick Sawer Telegraph.co.uk 25 Sep 2010
The bureau has employed face recognition technology at US airports in a bid to establish whether Gareth Williams travelled in and out of the US at any stage with a couple answering the description of two people Scotland Yard have appealed to come forward in connection with his death.
The couple, of 'Mediterranean' appearance, were thought to have visited Mr Williams's flat in Pimlico sometime in June or July. Scotland Yard believes the pair, in their thirties, were known to Mr Williams since neighbours do not recall buzzing them into the address.
So far no trace of the couple has been found and detectives believe they could be significant to the inquiry.
Mr Williams, a computing and maths prodigy whose funeral on Friday was attended by Sir John Sawers, the head of MI6, had made regular trips to the United States, where he worked on secondment to the US National Security Agency (NSA) in Fort Meade, Maryland, helping to create defences against cyberattack on banking and infrastructure systems.
[...]
 
InfoSec News: 3 million gov't websites assailed by vicious hidden links: http://english.people.com.cn/90001/90782/90872/7150848.html
By People's Daily Online September 26, 2010
Shen Yang, a doctoral tutor at the School of Information Management under Wuhan University, showed reporters on Sept. 22 at his office that there [...]
 
InfoSec News: An army of tech-savvy warriors has been fighting its battles in cyberspace: http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092303000.html
By Ellen Nakashima Washington Post Staff Writer September 23, 2010
They were Air Force fighter pilots, Army rangers and Marine tank commanders. There was even a Navy fighter jet radar officer who had been [...]
 
InfoSec News: Cyber terrorism hits Nigeria: http://www.sunnewsonline.com/webpages/features/special-%20reports/2010/sept/25/special-report-25-09-2010-001.htm
By Emmanuel Mayah Daily Sun September 25, 2010
Life in Nigeria is pretty much becoming a video war game. In the past, you could choose to bump off an individual or an enemy organisation using letter bomb, price-tag assassins, corporate spies or attack dogs in white collar. Today, the thin line between reality and science fiction is blurred, so much so that a cripple with the right computer know-how can sit in one corner of his room and mobilise millions of zombies to cause an oil spillage in the Niger Delta or to hold a multinational hostage until a huge ransom is paid.
In Italy, not too long ago, a mob boss was shot but survived the shooting. That night, while he was in the hospital, the assassins hacked into the hospital computer and changed his medication so that he would be given a lethal injection. He was a dead man a few hours later. They then changed the medication order back to its correct form, after it had been incorrectly administered, to cover their tracks so that the nurse would be blamed for the “accident.”
Elsewhere in Nigeria, shockwave swept across the city of Lagos last year after a television house became the target of a bomb attack. The same effect was achieved three weeks back, as mainstream newspaper websites were brought down by unknown hackers.
Among the first to discover the cyber siege were Nigerians in the Diaspora, who rely on online newspapers to follow news and political developments back home. One of the sites affected was sunnewsonline.com. Virtually all the sites were blank or had one stagnant old page that refused to move an inch no matter how hard you hit at the keys. In desperation, long-distance calls were coming in from the US, Europe, Australia, Asia, and other parts of the world. Everyone wanted to find out what was going on and, in the process, triggered a cycle of panic that looked like the aftermath of a coup d'état.
[...]
 
InfoSec News: Lock Picking Popularity Growing: http://www.darkreading.com/blog/archives/2010/09/lock_picking_po.html
By John Sawyer Evil Bytes Dark Reading Sep 24, 2010
As security professionals, it is easy to get focused only on the technical side of security and forget about the importance of physical security. [...]
 
InfoSec News: Corporate espionage on the rise in India: http://economictimes.indiatimes.com/news/news-by-company/corporate-trends/Corporate-espionage-on-the-rise-in-India/articleshow/6617591.cms
By Shilpa Phadnis & Mini Joseph Tejaswi The Economic Times 24 Sep, 2010
BANGALORE: Corporate espionage is on the rise in the country, with the [...]
 
Either because server disks are full or because virtualization is a natural growth path, organizations large and small are moving toward shared storage. For large enterprises, high-capacity storage-area networks make sense, but what about small or mid-sized enterprises new to shared storage?
 
We assessed the Netgear ReadyNAS 3100 RNRP4420 in terms of usability, features, and NFS and iSCSI I/O performance.
 
We used two Dell 1950s (8-core Intel Xeon servers running XenServer), one as a host for a Vyatta router and the other clustered to the HP DL580 G5 (16-core Intel Xeon server), along with another non-clustered HP DL585 G5 (16-core AMD server as SharePoint VM host), all running VMware ESXi 4.1.
 
Despite the widespread availability of wired broadband, there are still scenarios where an enterprise might consider satellite connectivity. And that led us to conduct a groundbreaking test of the HughesNet VSAT service.
 
Big Media needs to change its thinking; Mark Gibbs has a program for them
 
Apple didn't become Apple by taking its brand lightly and lawyers will be lawyers … always.
 
The keynote speaker at the recent Network World IT Roadmap conference in Dallas emphasized the importance of going green by highlighting this fact: IT accounted for 4% of electricity consumption in 2008 and will account for 40% by 2030, according to the International Energy Agency.
 

Posted by InfoSec News on Sep 27

http://www.telegraph.co.uk/news/uknews/8024998/FBI-joins-investigation-into-MI6-spys-death.html

By Gordon Thomas and Patrick Sawer
Telegraph.co.uk
25 Sep 2010

The bureau has employed face recognition technology at US airports in a
bid to establish whether Gareth Williams travelled in and out of the US
at any stage with a couple answering the description of two people Scotland
Yard have appealed to come forward in connection with his death.

The...
 

Posted by InfoSec News on Sep 27

http://english.people.com.cn/90001/90782/90872/7150848.html

By People's Daily Online
September 26, 2010

Shen Yang, a doctoral tutor at the School of Information Management under
Wuhan University, showed reporters on Sept. 22 at his office that there
are some vicious hidden links among some government-run Web sites with
domain names ending in "gov.cn," such as those linking to the "latest
information on the Hong Kong Jockey...
 

Posted by InfoSec News on Sep 27

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092303000.html

By Ellen Nakashima
Washington Post Staff Writer
September 23, 2010

They were Air Force fighter pilots, Army rangers and Marine tank
commanders. There was even a Navy fighter jet radar officer who had been
taken prisoner during the Persian Gulf War.

Warriors all.

But in 1998 they fought in a different realm - their weapons bits and
bytes, their foxholes...
 

Posted by InfoSec News on Sep 27

http://www.sunnewsonline.com/webpages/features/special-%20reports/2010/sept/25/special-report-25-09-2010-001.htm

By Emmanuel Mayah
Daily Sun
September 25, 2010

Life in Nigeria is pretty much becoming a video war game. In the past,
you could choose to bump off an individual or an enemy organisation
using letter bomb, price-tag assassins, corporate spies or attack dogs
in white collar. Today, the thin line between reality and science...
 

Posted by InfoSec News on Sep 27

http://www.darkreading.com/blog/archives/2010/09/lock_picking_po.html

By John Sawyer
Evil Bytes
Dark Reading
Sep 24, 2010

As security professionals, it is easy to get focused only on the
technical side of security and forget about the importance of physical
security.

The beauty of security and hacking, however, is that the thinking that
goes into circumventing security controls on a computer system can be
abstracted and applied to other...
 

Posted by InfoSec News on Sep 27

http://economictimes.indiatimes.com/news/news-by-company/corporate-trends/Corporate-espionage-on-the-rise-in-India/articleshow/6617591.cms

By Shilpa Phadnis & Mini Joseph Tejaswi
The Economic Times
24 Sep, 2010

BANGALORE: Corporate espionage is on the rise in the country, with the
digital medium offering an extremely fertile ground for its
perpetuation.

An increasing number of companies are also hiring private detectives to
keep tabs...
 

Posted by InfoSec News on Sep 27

http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems

By Gregg Keizer
Computerworld
September 25, 2010

Officials in Iran have confirmed that the Stuxnet worm infected at least
30,000 Windows PCs in the country, multiple Iranian news services
reported on Saturday.

Experts from Iran's Atomic Energy Organization also reportedly met this
week to discuss how to remove the malware.

Stuxnet,...
 
Hitachi today announced a new version of its flagship storage array, the Hitachi Virtual Storage Platform, which will allow far greater granularity to the migration of data between storage tiers based on performance requirements.
 