Friday, August 22, 2008

RedHat Linux Compromised

Last night Red Hat Inc. announced that their main distribution servers were compromised, and this morning patches were released to fix apparently modified OpenSSH packages.

This is an incredibly interesting vector of attack. Both releases of Red Hat Enterprise Linux (v4 and v5) and Fedora were modified, with the attackers essentially including their own key to the front door (ssh) into the operating system. If you have installed RHEL or Fedora from FTP or HTTP sources recently, you will certainly need to run: "yum update"

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
https://rhn.redhat.com/errata/RHSA-2008-0855.html
http://www.redhat.com/security/data/openssh-blacklist.html

Thursday, August 21, 2008

Blackhat / Defcon 2008 Security Tool Round-up

Now that Blackhat and Defcon are over and most of us have recovered from the associated hangovers, it's high time we review some of the great projects released at the events:

Karmasploit



This addition to the SVN tree of Metasploit includes the KARMA wireless hacking toolkit, enabling many fake-AP hijacking and side-jacking attacks. If you thought your CEO was in danger at Starbucks before, now you really have to look out! Karmasploit makes hijacking sessions, capturing passwords and redirecting traffic mind-numbingly easy. In addition, a universal wireless driver with injection support called "airbase" was added to allow you to complete attacks with most off-the-shelf wireless cards.

http://metasploit.com/dev/trac/wiki/Karmetasploit


Grendelscan



A new cross-platform, full-featured web application penetration tool. Grendelscan has filled the void for a free, open-source tool that's cross-platform (Win/Linux/OSX), with a nice GUI and a very advanced feature set including XSS, SQL injection, HTTP fuzzing and standard misconfiguration checks powered by an updated set of Nikto signatures. With HP and many others releasing watered-down applications, I see Grendelscan quickly becoming THE de facto tool in web app vulnerability testing.

http://grendel-scan.com/

Beholder



An open-source wireless IDS system, with detection for injection, replay attacks, rogue APs and hijacking attempts. Sounds like a promising tool, especially for small-to-medium businesses that want a view into their wireless space and have little budget for the mostly commercial WIDS systems. Yes, Kismet does some of this, but it was originally designed for wardriving and is not as featured as Beholder claims to be.

http://www.beholderwireless.org/

Nmap



Obviously not a new tool, but Fyodor announced extensive upgrades to the newest development version of nmap at Defcon. The most interesting upgrades are the faster scanning techniques based on common ports, better OS detection and, last but not least, a rockin' new revamped GUI version, Zenmap, which has a mind-blowing network mapping function that auto-creates a 3D network map showing host associations, with the ability to pan and tilt (the demo of this feature had the crowd in an uproar of excitement). Zenmap supports OSX in addition to Windows and Linux.

http://nmap.org/zenmap/


Voiper



Voiper is a toolkit for fuzzing and attacking VOIP protocols and devices. It currently only supports the SIP protocol but seems like a promising tool for penetration testing VOIP.

http://sourceforge.net/projects/voiper/

Tuesday, August 5, 2008

Defcon 2008 Party Round Up

I compiled a list of parties going on at Defcon 16 this year, so I am tracking them here to share with the security/beer lovers' community.

Core Security Customer Briefing and Cocktail Party
Date: Thursday, August 7
Cocktail party: 6:30-8:30pm
Location: Sushi Roku in The Forum Shops at Caesars
Info: Requires RSVP and Pass obtained at Core booth at Blackhat

Ethical Hacker Network Party
When: Thurs evening, Aug 7, 2008 from 8:00 - 11:00pm
Where: Hofbrauhaus Las Vegas

Microsoft Party
When: Thurs night 12pm
Where: Location TBD
Info: Invite only, bring your glowsticks and they will supply alcohol and bluescreens

StillSecure Freakshow Party
When: Sat Aug 9th 9pm-1am
Where: Top of the Riviera (roof?)
Info: Free booze and prizes if you dress up like a freak?

What: theSummit EFF/THF Fund Raiser
When: Thursday August 7th, 2008 9pm-12am
Where: TBD (Either the Skyboxes OR Top of the Riv)


Non-corporate sponsored:

Hacker Pimps
When: Fri Aug 8th 9pm-2am
Where: Riviera Skybox 207 and 208

Spiders are Fun Party
When: Fri Aug 8th ?pm-?am
Where: Riviera Skybox 206


Email me if you know of any others which are not listed here: gregm @ econet dot com



Oh, and if you were curious about the female attendance at Defcon, make sure to read this Wired article.

Monday, August 4, 2008

ASPROX Latest Attack Vector: JS.JS

Most ASPROX SQL injection attacks are now using js.js.

Grab our ASPROX toolkit for information on cleaning and defending from this threat.

Here are the latest ASPROX domains detected:
