Saturday, September 26, 2009

Tricks with Google!

This write-up has nothing to do with information security, but it is good-to-know information. There are three tricks in all:

1. FastFlip through articles: Google recently launched a new service, FastFlip, which lets you read online pages the way you flip through a magazine. The pages are indexed by the Google bot from many Google partner websites and presented for a quick read. You can also choose what you read by logging in to your account and customizing the application.

FastFlip can be found here.

2. Play Monopoly on Google Maps: A leisure activity for days when you have nothing fun to do. Google has teamed up with the world's largest Monopoly board game manufacturer (!) so that you can use Google Maps as a Monopoly board. The rules are similar to the ones we normally play by. You start with 3 million Monopoly dollars (!).

You can play this game here.

3. Search recently indexed pages on Google: Want to keep up with your favourite web site as soon as Google has indexed a recently updated or added page? You can do so with a URL parameter we observed recently: tbs=qdr:

It restricts the results to pages Google indexed within a given window, down to pages indexed only seconds ago. According to us, 'tbs' stands for 'to be searched' and 'qdr' for 'query date range'; Google has not documented either name, so treat the expansions as guesses, even though qdr clearly is a date-range restriction. :P The window is a unit followed by a count. The units are s (second), n (minute; m is already taken by month), h (hour), d (day), w (week), m (month) and y (year), and the count can be larger than 1 (qdr:h3 means the past three hours). For example,

tbs=qdr:s1 [indexed within the past second]
tbs=qdr:n1 [indexed within the past minute]
tbs=qdr:h1 [indexed within the past hour]
tbs=qdr:d1 [indexed within the past day]
tbs=qdr:w1 [indexed within the past week]
tbs=qdr:m1 [indexed within the past month]
tbs=qdr:y1 [indexed within the past year]

For example, http://www.google.com/search?q=Javier%20Echaiz&tbs=qdr:d1 returns only pages for that query that were indexed within the last day.

Source: pentestit.

Comodo Internet Security – Free All-in-one Firewall & Antivirus

Comodo Internet Security is a free, multi-layered security application that keeps hackers out and personal information in.

Built from the ground up with security in mind, CIS offers 360° protection by combining anti-virus protection, an enterprise-class packet-filtering firewall, and an advanced host intrusion prevention system called Defense+.


Features of Comodo Internet Security

- All-in-one Firewall & Antivirus
- Defends your PC from Internet attacks
- Detects and eliminates viruses
- Prevents malware from being installed
- Easy to install, configure and use
- Free to both business and home users
- Default Deny Protection (DDP)
- Prevention-based protection
- Personalized protection alerts
- Real-time access to updated virus definitions
- One-click virus scanning
- Uncluttered, user-friendly interface
- Thorough security “wizards”
- Unique “slider” to easily change your current security level
- Exclusive access to Comodo’s “safe-list”

Comodo Internet Security Includes:

Firewall: Slams the door shut on hackers and identity thieves.
Antivirus: Tracks down and destroys any existing malware hiding in a PC.
Defense+: Protects critical system files and blocks malware before it installs.
Memory Firewall: Cutting-edge protection against sophisticated buffer overflow attacks.
Anti-Malware: Kills malicious processes before they can do harm.

System requirements:

Windows XP (SP2) or Vista 32 bit
64 MB RAM / 70 MB hard disk space
Windows XP (SP2) or Vista 64 bit
64 MB RAM / 105 MB hard disk space

We have published and reviewed anti-virus and firewall products; this one is effective and protects you from the bad guys and their malware. Tested on a Windows XP box full of Internet viruses, it managed to clean 98% of known viruses and 70% of modified malware. As it also has a firewall, the browser hijack was detected, but it was not cleaned. Overall we were protected, and it's also free!!! So we have a soft corner for it.

Download Comodo Internet Security Here

Source: pentestit.com.

Friday, September 25, 2009

Twitter DM Phishing Scam

As Twitter gains momentum there are more and more attacks on it and its users; the most recent is a phishing scam via DM (Direct Message).

It was recently uncovered that Twitter was being used as a botnet control channel, and shortly before that the service was subjected to a DoS attack.

This isn't the first time DMs have been used in a phishing attack, either.

Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.

There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending out tweets with links to a phishing site. The attack site requests the user's log-in information; once the attackers have that, they can take over the victim's account and use it to send out more messages.

According to messages from Twitter users, the tweets linking to the phishing site claim that the sender has supposedly made a certain amount of money. Such periodic phishing attacks on users of the popular microblogging service have become a fact of life.

I'm not exactly sure why anyone would want to steal a bunch of Twitter accounts. Perhaps to monetize them somehow with spam/affiliate schemes.

But the current threat on Twitter is a phishing scam executed via DM, with a link to various lures: ways to make money, a video of you, or some other juicy gossip. These are the cornerstones of social engineering in phishing attacks.

In May, researchers at Sophos reported that a number of Twitter users were lured to a phishing site via a tweet with the message: “check this guy out [tinyurl address leading to the attack site].” As was the case in that instance, URL shortening services are increasingly being abused by attackers to mask the Websites they are sending their victims to.

Besides drawing attackers as it has grown, Twitter has also gotten the interest of security researchers, as shown by the “Month of the Twitter Bugs.”

Twitter warned users about the attack, stating in a message: “A bit o’ phishing going on—if you get a weird direct message, don’t click on it and certainly don’t give your log-in creds!”

If you are using Twitter you should follow @spam and keep up to date with what is happening on the network.

Source: eWeek

Tuesday, September 22, 2009

Windows Software

Avast: Another free anti-virus. Just as good as AVG, although this one is more system-intensive than AVG or NOD.
BitDefender: Popular anti-virus software, free of charge (free edition: NO real-time scanning, only manual scanning).
ClamWin: Small and non-intrusive anti-virus. Like BitDefender, the free version has NO real-time scanning, only manual scanning.
AntiVir: An anti-virus that has been around for a long time and is still free for home use.
Blink: First security solution to build all of the necessary protection layers into a very lightweight package (contains a software firewall).
NOD32: The absolute BEST anti-virus protection. (I know, I clean scumware for a living.) 30-day trial, or purchase.
Kaspersky: A very sweet anti-virus with a 30-day trial. Be sure to get JUST the AV, not the full suite of bloat.

TheCleaner: Finds and prevents trojan horses. 30-day trial, but highly recommended; try it.
DiamondCS: Many high-end programs for worm/trojan detection, 30-day trial.
WindowSecurity: Free online trojan scanner.

Ad-Aware SE: Great for getting rid of spyware and malware, the items that cause annoying pop-ups.
SpyBot: Similar to Ad-Aware, but more aggressive. Cleans up spyware and hijack attempts.
SpyCatcher: Active protection. One of the most advanced anti-spyware solutions available free of charge.
AVG AntiSpyware: Cleans annoying malware such as spyware, trojans and hijackers. A great complement to an anti-virus.
MalwareBytes: Since programs like Ad-Aware have become... crap, this is a GREAT replacement for cleaning.
CounterSpy: Probably the best shield against spyware, and the best database cleaner there is. Period. 30-day trial.
Comodo BOClean: More of a "real-time" (runs in the background) anti-spyware. Not a fan of TSRs, but this works.
CWShredder: Takes care of a lot of hijacking software; run it if you get many pop-ups or redirecting pages.
HijackThis: Tool to find out whether there is "hijack" software on your system. Use a log-file analyzer if you're not sure.
Kill2me: Another stomper of spyware; bring it on.
KillBox: Very nice for taking care of "Abetterinternet" and other n00bish software.
a² free: Bridges the gap between anti-virus and anti-malware. This free scanner cleans trojans, worms, spyware (all malware).
SpywareBlaster: Active prevention against spyware, adware, browser hijackers and dialers.
HitmanPro2: Incorporates all the major anti-spyware tools and updates/runs them all for you. Too cool.
WinDiz: Windows updates from Firefox. Great if ActiveX is damaged by spyware.

POPFile: Perfect, free anti-spam tool. Involved installation, but once it's set up it's good.
IHateSpam: For Exchange (5.5, 2000 and 2003); developed to be both user- and admin-friendly. 30-day trial.
Spamihilator: Works between your e-mail client and the net; useless spam mails (junk) are filtered out.
SpamBayes: A tool to segregate unwanted mail (spam) from the mail you want (ham).
SpamPal: Mail classification program that separates your spam from the mail you really want to read.
OSpam: A great and simple spam solution for any POP account.

Sygate: Just bought by Symantec, so now it's going to be crap. Hurry and get this before that happens.
Tiny: A free firewall, designed for more advanced users because of its heavy feature set.
Comodo: Great little personal firewall. Pretty new and robust.
Outpost: A firewall with a plug-in architecture. Works very well against worms, trojans and hackers.
Kerio: Smart, easy-to-use personal security technology that fully protects PCs against hackers and internal misuse. The best.
Protowall: Very small application that blocks IP addresses. Very cool.
Prevx: Stops the attacks that bypass anti-virus and firewall products.

PowerCrypt 2000: Encrypts files, folders and e-mails. This free tool lets you hide all your data.
PGP: "Pretty Good Privacy". Probably the best encryption software out there. Free for PC/Mac.
Cryptainer LE: Secure your data and ensure absolute privacy with Cypherix's powerful 128-bit encryption.
BitCrypt: A sophisticated tool for hiding encrypted plain text inside a bitmap image (steganography).
EasyCrypto: Encrypt both standalone files and entire folders. Many cool options here.
TrueCrypt: Free open-source disk encryption software for Windows XP/2000/2003.
MD5HashGen: Simple application that generates one-way MD5 hashes, e.g. to verify a download. Hashing a memorable phrase is not a substitute for a random password generator.
PerfectPasswords: GRC's Ultra High Security Password Generator.
RoboForm: A free password manager and one-click web form filler. Just be careful who uses your PC.
Password Safe: Lets you have a different password for every site or service you deal with, and remembers them for you.
CutePasswordManager: Form-filling software that auto-fills user/password. Stores info with 256-bit AES encryption; one-click login. *
PINs: Stores any secure information such as passwords, accounts, PINs etc. 448-bit Blowfish. Does not install.

Eraser: FBI just kicked in the door? This little program erases data to the level that the Department of Defense uses.
KillDisk: KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M.
AutoClave: Hard drive sterilization on a bootable floppy.
SuperShredder: Shreds individual files. Stronger than DoD specs.
DBAN ("Darik's Boot and Nuke"): A self-contained boot floppy, which makes it an appropriate utility for data destruction.

Anonymizer: Installs a small toolbar into your browser and routes your connection through proxies around the world. Slows the connection.
Proxify.com: Hide your IP address behind a web proxy without installing software. The paid version is much faster.

SpeedFan: Lets you see your CPU temperature. Good for overclockers and modders.
Motherboard Monitor: Like SpeedFan, reads temperature and fan RPM data and alerts you when there's trouble.
Si Meter: Great, free, small application that does live monitoring of system resources.
TDIMon: Monitor TCP and UDP activity on your local system.
InterMapper: Gives a real-time visual view of traffic flows through and between critical network devices and links.
WinBar: A compact program that lets you monitor your system and provides easy access to frequently used controls.

RegSupreme: Cleans old entries from the registry and speeds up your system. 30-day trial.
RegSeeker: Very tiny, does not install. I have tested this and trust it. Many tweak options with it.
RegscrubXP: A great free registry cleaner for XP. Fixes those "weird issues" with Windows.
BeClean: A complete suite of system cleaners; from registry to history, it cleans many things.
CCleaner: Removes unused and temporary files from your PC, allowing it to run faster and more efficiently and saving space.
MyUninstaller 1.0: Uninstall anything: clean out old video drivers, uninstall programs that are not in "Add/Remove".
DriverCleaner: Made to fully clean out the drivers of ATI and NVIDIA.
MSConfig: Get rid of startup programs that slow your PC down. This one is for Windows 2000.
Starter: Better than MSConfig. Also works with Windows 2000, which is nice given that 2000 doesn't ship with msconfig.
Prefetch cleaner: A prefetch scrubber that clears the cached entries for commonly used programs; they can be corrupted or used by spyware as a hiding place.

Belarc: Takes a snapshot of a PC (hardware and software) with a full profile report. Very handy.
SIW: A small .exe that, when run, gives you all kinds of info about your PC and software. Need this on your tools disk.
PcpBios: Very tiny script that looks at all BIOS-related information. RAM, CPU and motherboard info instantly.
EVEREST (formerly AIDA32): Like Belarc, gives a full system summary of hardware and software/keys.
SpaceMonger: A tool for keeping track of the free space on your computer. Shows a graph of files and sizes.
IP subnet calculator: A tool to calculate subnet masks, address ranges and related network information.
CPUid: A very small application that tells you your specific specs (FSB, core clock, dual channel etc.).
PC Pitstop: A good site to check how you're doing on fine-tuning your computer. It will also help you fix your issues.
PowerMax: Diagnostics for hard drives made by Maxtor. Download, put on a floppy or CD and test your HDD.
MemTest86: Diagnostics for your RAM. Download, put on a floppy or CD and test your RAM.
Monitor Asset Manager: A Plug and Play monitor information utility. Provides detailed technical information about the target display.
ShieldsUP: Port scanning of all ports or custom scans. See how well your firewall is doing.
BandwidthTest: Test your Internet connection speed.

TweakUI: Perfect for somebody who really wants to customize their XP. Made by Microsoft.
X-Setup: Like TweakUI but with more functionality and options. Very slick.
ResourceHacker: Get in and really tweak or fix Windows: edit the icons, dialogs and strings stored inside executables and DLLs.
RenameRecycleBin: I made this registry value in Notepad; download, double-click, "yes", then rename your recycle bin.
Matrix Screensaver: Best (only) Matrix screensaver out on the web. Great options.
FOOOD's Icons: Great free icons for XP. Default is boring.
Strokit: Advanced mouse gesture recognition engine and command processor.
ReForce: Windows 2000 and XP have an issue with refresh rates (Hz) in games. This lets you set all games to a specific refresh rate.
Keyboard Remapper: Remap your keyboard keys. Easy enough.
ClocX: Analog clock for the desktop.
Xpadder: Map your game pad or RC transmitter to keyboard keys. Works great for customized controllers.
Alarm: A digital clock that you can set to display a message and play a sound at a time of your choice. (AlarmClock)
WeatherPlus: Displays satellite images and video from around the globe; stay updated on current and expected weather conditions.
nLite: Remove or add Windows components to your Windows CD for the next time you re-install Windows.
AutoStreamer: Just like nLite, but specifically for slipstreaming service packs into your Windows install CDs.
Digital Blasphemy: Probably the best wallpapers and images on the net.
Konfabulator: Engine that lets you run little files called Widgets that can do pretty much whatever you want them to.

File Recovery: Free software by PC Inspector. Really, really nice if you lost or trashed a file and need it back.
Smart Recovery: Recover data from flash media: CF, SM, thumb drives, microdrives etc.
Disk Investigator: Discover everything that is hidden on your hard disk and recover lost data.
File Scavenger: Undelete and data recovery utility for NTFS volumes. Files of 64 KB or smaller can be recovered with the free trial.
CDCheck: Utility for the prevention, detection and recovery of damaged files on CD-ROMs.
Restoration: Tiny program that doesn't install. Perfect if you trashed a file (even emptied the recycle bin) and need it back.
RecoverOutlookMail: A little trick for recovering those corrupted .PST files.

Firefox: Drop Internet Explorer and get a superior browser. Check out the add-ons.
Google Chrome: A great WebKit-based browser by Google. Very fast. *
Opera: If you don't use Firefox, use Opera. Now that it is free and ad-free, it is recommended.
Safari: Apple's web browser, now for Windows. Great web browser next to Firefox.
Reload Every: Extension for Firefox. Lets you set reload times on your browser windows so you won't be logged out.

FileZilla: An FTP program that is superior to "Cute", and is free.
WinSCP: Open-source SFTP/SCP client for Windows, running over SSH. Secure file transfer.
FireFTP: If you use the Firefox browser (as you should), use this plug-in for FTP functionality in your browser.
Hamachi: Set up two or more Internet-connected computers into their own virtual network for direct, secure communication. How-tos.
FolderShare: Securely keep files synchronized between your devices and remotely download your files from any browser.
LogMeIn: Easy to log into a PC from a PC, Mac or Linux machine. No port forwarding involved! Just like Terminal Services but easier.
Avvenu: Remote connect to your PC from another PC or any web-enabled handheld. Perfect for getting those files you forgot.
CrossLoop: Secure screen-sharing utility designed for people of all technical skill levels. Basically TightVNC, but no port forwarding needed.
TightVNC: Remote control software: see the desktop of a remote machine and control it with your local mouse and keyboard.
RemoteDesktop: Microsoft Remote Desktop client-side installer for older Windows versions.
RDPortX: A small app I made to change the default 3389 port that Remote Desktop uses. Great for multiple RD servers on the same network.
eMando: Client/server package which you can use to control and manage a computer over a LAN or the Internet.
DirectUpdate: Get an e-mail when your WAN IP address changes, even behind a router (for dynamic ISPs). 60-day trial ($15.00 to buy).
DynDNS: A full list of dynamic IP administration software tools.

CDBurnerXP Pro: Just like it sounds, a burning program for Windows. Free.
ImageBurn: A lightweight CD/DVD/HD DVD/Blu-ray burning application.
ISORecorder: Small program to burn CD images. Once installed, right-click an .ISO or a ROM drive and "create CD image".
DeepBurner: A full-featured burning app for CDs, DVDs and ISOs. Much like Nero, only totally free.

Source: nycgraphix.com.

Tuesday, September 15, 2009

Malware Analysis Tools and Techniques

Apart from the guidelines published in various books and articles, this post summarizes the manual and automated techniques for running collected malware samples in a controlled environment and observing their behaviour. Note that "malware" may be delivered in the form of a trojan, virus or worm.

Manual Toolset
These tools are used in combination with one another to support in-depth analysis of a sample.

Foundstone BINTEXT
Malzilla (analyzing web-based malware: JavaScript/iframes)
HTTP Proxy Debuggers (Paros, WebScarab)
Nepenthes
iDefense SysAnalyzer, HookExplorer and MAP (Malcode Analyst Pack)
RegShot
SysInternals Tools
PEiD Tool (Very important to detect packers/compilers/cryptors)
UPX
FireBug
OllyDbg
WinDbg
GNU GDB (Linux)
OllyDump
OllyScript
SoftICE (Reversing)
IDA Pro (Reversing)
Salamander Decompiler (.NET Applications)
Reflector.Net Tool
DaFixer's DeDe (Delphi)
Backerstreet.com REC
HeavenTools PE Explorer
HijackThis

Automated Online Tools
These online submission services run the sample automatically in a restricted (sandboxed) environment, record its activity and report the results together with detection verdicts from various anti-virus/anti-malware engines. Note the distinction: CWSandbox, ThreatExpert and Norman SandBox actually execute the sample and report its behaviour, whereas VirusTotal, Jotti and VirScan only scan the file with many engines and report which ones detect it. Submitting a sample also shares it with the service and the vendors behind it, which matters if the sample comes from a targeted incident.

CWSandbox.org
ThreatExpert.com
VirusScan.jotti.org
Norman.com/microsites/nsic/
Malwareinfo.org
VirusTotal.com
VirScan.org

Source: EthicalHacker.

Monday, September 14, 2009

Windows autorun may autoinfect

Nothing beats a USB port for convenience, whether you want to quickly transport a couple gigabytes of files for work, refresh the lineup on your MP3 player, or view the pictures from your recent trip to Boise. Unfortunately, USB ports also provide an overly convenient bridge for malware to creep from a portable media device onto an unsuspecting user's system. In fact, it seems nearly every client I visit these days has numerous computers carrying USB-infecting malware -- even trusted clients with otherwise stellar security histories. It's getting so bad that I'm scared to share USB keys with my clients.

The primary culprits here: Microsoft Windows' autorun and autoplay features for portable media devices (USB keys, USB hard drives, camera memory flash cards, and so on). To make users' lives easier, Microsoft coded Windows to seek and deploy autorun and autoplay files on removable media. A user connects his or her device, and the program it contains launches automatically, if so designed by the software developer. It's what allows a CD or DVD to start playing the moment it's inserted, or a new software program's install routine to commence automatically.


Unfortunately, malware writers have co-opted autorun and autoplay to spread rogue code. An unsuspecting user inserts a portable media device containing the code, which is often invisible to the casual user. The malware then uses autorun and autoplay, and maybe the desktop.ini file, along with the hidden core malware program to pull off the overall exploit. The malware can then go on to infect the computer and network using other vectors, such as network shares, password guessing, and normal infection vectors, or it can stick to infecting removable media devices. Either way, it's not a good thing.

My recommendation: protect your systems and your network by disabling the autorun and autoplay functionality and by educating users on how to launch any needed program manually. Disabling this functionality has become easier with each new version of Windows; it can be done using Group Policy or registry edits. In many cases, you first have to install an additional software hotfix to get all the needed disabling functionality.

Specifically, to disable autorun in Vista or Windows Server 2008 you must have security update 950582 installed (security bulletin MS08-038). To disable autorun in Windows XP, Windows Server 2003 or Windows 2000 you must have security update 950582, 967715 or 953252 installed. These updates are what make Windows honour the NoDriveTypeAutoRun policy value for every drive type; they also add a HonorAutorunSetting registry value that must stay at 1. Without the update, setting the policy is not enough. The Group Policy equivalent is Computer Configuration > Administrative Templates > System > "Turn off Autoplay", set to "All drives". (See Microsoft's Web site [4] for more details. It covers which software fixes to install, if needed, and the related registry keys and group policies that can be configured.)
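As an added example (not part of the InfoWorld article), the following PowerShell writes the same registry values that the "Turn off Autoplay: All drives" policy writes and then verifies them. It assumes an elevated prompt and that the hotfix described above is already installed; HonorAutorunSetting is the value that hotfix introduces.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-Autorun {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # NoDriveTypeAutoRun is a bit mask over drive types:
    #   0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk;
    # 0xFF sets every bit, i.e. "Turn off Autoplay: All drives".
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # Added by the autorun hotfix (KB967715 and the related updates).
    # 1 = honour NoDriveTypeAutoRun; 0 restores the pre-hotfix behaviour, so never leave it at 0.
    Set-ItemProperty -Path $policyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

function Test-AutorunDisabled {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    $honoured = ($p.HonorAutorunSetting -eq 1)
    # removable, fixed, network and CD-ROM must all be masked off (0x04+0x08+0x10+0x20 = 0x3C)
    $masked = (($p.NoDriveTypeAutoRun -band 0x3C) -eq 0x3C)
    return ($honoured -and $masked)
}

Disable-Autorun
if (Test-AutorunDisabled) {
    Write-Output 'Autorun disabled for all drive types (takes effect at the next logon).'
} else {
    Write-Output 'Autorun policy NOT in place; check the hotfix and the registry values.'
}
```

The check deliberately tests the four drive-type bits that matter rather than insisting on exactly 0xFF, so a machine configured by a Group Policy object that uses a different but sufficient mask still passes. The value is read by Explorer at logon, so the change is not effective for an already logged-on session until the user logs off.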

My friend Jesper Johansson has an excellent description [5], with a discussion of solutions, of the problem, which I highly recommend.

Even if you fix your computers, you have to be careful as to where you stick your USB device. It's truly similar to sex advice: You are sharing your USB device with every USB device that has shared the same port.

Of course, it doesn't hurt to run antimalware software, even if it isn't 100 percent accurate, configured to scan all auto-launching code and inserted media devices automatically.

Also, if I share my USB key, I always look for any added autorun.inf, desktop.ini, or newly appearing executable files. I configure Windows Explorer to show all files (hidden, system, and registered extensions) so that any hidden files are shown. You can disable USB ports (or any devices or ports) physically or by using Group Policy, registry edits, or third-party software. Last, check all your removable media to make sure they haven't been silently infected and you aren't spreading the disease.
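The inspection routine just described, written out as an added PowerShell example (not the article's own code): it lists the launch directives in autorun.inf, flags a desktop.ini, and lists executables at the root of a removable drive including hidden and system ones. The drive letter E: and the extension list are assumptions.

```powershell
# Added example, not from the article. Usage: Test-RemovableRoot 'E:'
function Get-AutorunActions {
    param([string]$InfPath)
    # autorun.inf is INI-style; these keys are what AutoRun/AutoPlay act on
    $launchKeys = @('open', 'shellexecute', 'icon', 'useautoplay')
    $actions = @()
    foreach ($line in (Get-Content -Path $InfPath -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('[')) { continue }  # blank, comment, section
        if ($t -match '^(?<k>[^=]+?)\s*=\s*(?<v>.*)$') {
            $k = $matches['k'].ToLower()
            # open=, shellexecute= and shell\<verb>\command= all name a program to run
            if (($launchKeys -contains $k) -or ($k -like 'shell\*\command')) {
                $actions += ('{0} = {1}' -f $k, $matches['v'])
            }
        }
    }
    return $actions
}

function Test-RemovableRoot {
    param([string]$Drive)
    $root = $Drive.TrimEnd('\') + '\'
    $findings = @()

    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path $inf) {
        $findings += 'autorun.inf present:'
        foreach ($a in (Get-AutorunActions $inf)) { $findings += "    $a" }
    }
    if (Test-Path (Join-Path $root 'desktop.ini')) {
        $findings += 'desktop.ini present (check its [.ShellClassInfo] CLSID/IconFile entries)'
    }

    # -Force includes hidden and system files; an executable carrying those attributes
    # at the root of a data stick is the classic sign of an autorun worm.
    $exeTypes = '^\.(exe|com|scr|pif|bat|cmd|vbs|js|dll)$'
    $exes = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match $exeTypes }
    foreach ($f in $exes) {
        $flag = ''
        if ((($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
            (($f.Attributes -band [IO.FileAttributes]::System) -ne 0)) { $flag = '[hidden/system]' }
        $findings += ('    executable: {0} {1} modified {2}' -f $f.Name, $flag, $f.LastWriteTime)
    }

    if ($findings.Count -eq 0) { $findings = @('nothing suspicious at the root') }
    return $findings
}

Test-RemovableRoot 'E:'
```

Read the output with the article's point in mind: a legitimate vendor stick may carry an autorun.inf with an open= line, so the combination that matters is a launch directive pointing at a hidden or system executable that was not there the last time you looked.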

Practice safe computing and disable autorun and autoplay -- so we can go back to fighting Internet-based malware.



Source URL (retrieved on 2009-09-29 12:18PM): http://www.infoworld.com/d/security-central/windows-autorun-may-autoinfect-266

Links:
[1] http://www.infoworld.com/d/security-central/starting-scratch-only-malware-cure-451?source=fssr
[2] http://www.infoworld.com/security-boot-camp?source=fssr
[3] http://www.infoworld.com/security-boot-camp?source=editinline
[4] http://support.microsoft.com/kb/967715
[5] http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx
[6] http://www.infoworld.com/security-boot-camp

Source: Roger A. Grimes.

Thursday, September 10, 2009

Forensic analysis of the Windows print spooler

It is possible to recover the last file printed on a Windows machine and view it. To apply this technique you need to know how the Windows print spooler works.

When a file is sent to print, the spooler creates intermediate files that hold what is sent to the printer and the print options; their extensions are *.SPL and *.SHD. The .SHD ("shadow") file carries the job metadata (document name, owner, printer), while the .SPL file carries the page data: in EMF format when the printer driver uses EMF spooling, and as raw printer data otherwise. When printing finishes, Windows deletes these files, which are stored in:

c:\windows\system32\spool\printers

To perform a forensic analysis of the last printed document, use file-recovery software to get the *.SPL and *.SHD files back.

Once these files have been recovered, the EMF Spool Viewer tool can decode them, display the last printed file and show the print properties that were used.

For the timeline of the scene we can use the file metadata or the deletion time, since it matches the print time. This technique works on Windows NT/2000/XP/Vista.
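Before reaching for a recovery tool it is worth checking what is still sitting in the spool directory: jobs that are queued, stuck, or kept because the printer has "Keep printed documents" enabled are never deleted. The following PowerShell is an added example, not part of the original post. It reads the spool path from the registry, lists each SHD/SPL pair with its timestamps, and carves the printable UTF-16 strings out of the SHD file, which is where the document name, owner and printer are stored; it assumes those names are in the ASCII range and that it is run elevated, since the spool directory is only readable by administrators.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$printKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
$spoolDir = (Get-ItemProperty -Path $printKey -ErrorAction SilentlyContinue).DefaultSpoolDirectory
if (-not $spoolDir) { $spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS' }

function Get-Utf16Strings {
    # Pull printable UTF-16LE runs out of a binary file. The SHD layout is not
    # public, but the job name, owner and printer are stored in it as Unicode
    # strings, so a simple carve is enough for triage (assumption: ASCII-range names).
    param([string]$Path, [int]$MinLength = 4)
    $text = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($Path))
    [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value }
}

function Get-SpoolJobs {
    param([string]$Dir = $spoolDir)
    $jobs = @()
    foreach ($shd in (Get-ChildItem -Path $Dir -Filter '*.SHD' -Force -ErrorAction SilentlyContinue)) {
        $spl = [IO.Path]::ChangeExtension($shd.FullName, '.SPL')
        $jobs += New-Object PSObject -Property @{
            Job      = $shd.BaseName
            Created  = $shd.CreationTime      # job submitted
            Modified = $shd.LastWriteTime     # last spooler write, i.e. end of printing
            SplBytes = $(if (Test-Path $spl) { (Get-Item $spl -Force).Length } else { 0 })
            Strings  = (Get-Utf16Strings $shd.FullName) -join ' | '
        }
    }
    return $jobs
}

# Printers with "Keep printed documents" enabled do not delete the SPL/SHD pair when
# the job finishes; on those, this listing replaces the file-recovery step entirely.
Get-WmiObject -Class Win32_Printer | Select-Object Name, KeepPrintedJobs | Format-Table -AutoSize
Get-SpoolJobs | Format-List Job, Created, Modified, SplBytes, Strings
```

Run this before any recovery tool touches the disk: listing a directory does not overwrite the free space where the deleted SPL/SHD pairs of earlier jobs may still be recoverable.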

More information and download of EMF Spool Viewer:
http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx

More information on the print spooler and EMF files:
http://www.microsoft.com/india/msdn/articles/130.aspx

Author: Alvaro Paz
Source: Guru de la informática

Monday, September 7, 2009

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

A remote Microsoft IIS FTP server exploit was released today by Kingcope and can be found at http://milw0rm.com/exploits/9541.

A quick examination of the exploit showed some fancy manipulation in a highly restrictive environment leading to a "useradd"-type payload. The main constraint was the relatively small payload size allowed by the SITE command, limited to around 500 bytes.

After a bit of tinkering, we saw that the PASSWORD field would be the most suitable place to shove a larger payload (a bind shell). A quick replacement of the original "user add" shellcode with a secondary encoded egghunter, and a bind shell was presented to us! I wonder how long this 0day has been around... As Rel1k would say to logan_WHD, "it's OK, it's OK...".

The exploit can be downloaded from BackTrack's exploit archive. To entertain the masses, they also made "Microsoft IIS 5.0 FTP 0 Day – The Movie". Note that the published exploit needs an FTP account that can create directories on the server, since the stack overflow is triggered by an NLST on an overly long directory name; Microsoft later addressed the IIS FTP service vulnerabilities in bulletin MS09-053.

Sunday, September 6, 2009

Bootable USB stick with several information-security distributions

Here is the recipe for carrying our favourite security distributions on a single USB stick/pendrive, all of them working correctly.


First of all, download the tools we need (PeToUsb and WinGrub).

Once PeToUsb has been downloaded, start it and format the USB key. It asks for confirmation and then warns that all data on the stick will be deleted; the format then starts, and a short message appears when it finishes.

Once the device is ready, we install GRUB on it. Open the WinGrub application installed earlier; as soon as it starts it asks which USB device GRUB should be installed on. Install GRUB on the USB, and GRUB is in place.

Now take any live CD and copy its contents to the root of the USB stick.

I did it with BackTrack.

Once the CD contents have been copied onto the USB key, create an empty file called menu.lst.

In that menu configuration file we tell GRUB how to boot the distribution itself.

Example for BackTrack:

title BackTrack 4
root (hd0,2)
kernel /boot/vmlinuz vga=0x317 ramdisk_size=6666 root=/dev/ram0 rw quiet
initrd /boot/initrd.gz
boot

With this, GRUB is configured. (Two details to get right: the vga= value is hexadecimal, 0x317, and in GRUB legacy initrd is its own command, "initrd /boot/initrd.gz", not the "initrd=" kernel parameter used by syslinux.)

Note: each live CD is normally laid out with two folders, a boot folder and another named after the distribution.

If we want to put more than one live CD on the stick, we can rename each boot folder to a different name.

For example, for backtrack4 call it bootbt4, for kon-boot bootkon, and so on.

If you rename boot, remember to change it in menu.lst too.
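As an added example (not from the DragonJar post), this is what menu.lst looks like once two live CDs share the stick with their boot folders renamed as just described. It assumes the files sit on the stick's first partition, which GRUB legacy calls (hd0,0) when booting from the stick (the post's own entry uses (hd0,2), i.e. a third partition). The second entry's folder name and kernel options are placeholders; take the real ones from that CD's isolinux.cfg or syslinux.cfg, changing only the paths.

```text
# Added example menu.lst, not the post's own. Partition numbering starts at 0.
timeout 10
default 0

title BackTrack 4 (boot files copied to /bootbt4)
root (hd0,0)
kernel /bootbt4/vmlinuz vga=0x317 ramdisk_size=6666 root=/dev/ram0 rw quiet
initrd /bootbt4/initrd.gz
boot

# Placeholder second entry: replace /bootother and the kernel options with
# whatever the second CD's own syslinux configuration uses.
title Second live CD (boot files copied to /bootother)
root (hd0,0)
kernel /bootother/vmlinuz quiet
initrd /bootother/initrd.gz
boot
```

If an entry fails with "Error 15: File not found", the path after renaming the folder is wrong or the root line points at the wrong partition; pressing "c" at the GRUB menu and typing "find /bootbt4/vmlinuz" reports the correct (hdX,Y).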

I, for example, have already configured my GRUB with the distributions I wanted; the original post shows screenshots of the resulting menu.

And as you can see, we can put whatever distributions we want on our USB stick.

Source: DragonJar.

Damn Vulnerable Web App

Ryan Dewhurst, developer of DVWA (Damn Vulnerable Web App), has today released a new version (1.0.5) of this excellent tool for testing different web vulnerabilities.


4v4t4r had already told us about this application, whose purpose is to offer security professionals, students and researchers a set of utilities with which to exploit and understand a wide range of web vulnerabilities.

Some changes in this new version:

  • The code was completely rewritten.
  • The look of the application was completely redesigned.
  • A CSRF vulnerability was added.
  • Stored XSS vulnerabilities were added.
  • A Full Path Disclosure vulnerability was added.
  • It has a new login system.
  • It now has session handling.
  • Some bugs were fixed.
  • PHPIDS was integrated.
  • and much more...

If you were interested in the previous version of Damn Vulnerable Web App, don't hesitate to download this new version; I leave you with this video tutorial on installing Damn Vulnerable Web App.

Download Damn Vulnerable Web App

More information:
Damn Vulnerable Web App official site

Source: DragonJar.

Saturday, September 5, 2009

Microsoft downplays the SQL Server vulnerability

Microsoft questions the severity of a vulnerability in its SQL Server database server that security researchers say exposes administrative passwords. The vulnerability, discovered by Sentrigo, can be exploited remotely on SQL Server 2000 and 2005.

Microsoft downplays the security flaw in SQL Server that could be exploited by someone with administrative privileges to view users' unencrypted passwords.

The vulnerability was discovered last year by database security vendor Sentrigo, when one of its researchers noticed that the unique string of his personal password was visible in memory. Since then, Microsoft has been contacted and a back-and-forth has taken place between Sentrigo and Microsoft, which maintains that the vulnerability is not a problem because administrative access is required.

While Sentrigo officials admit that administrative access is needed for an exploit to work, they also maintain that many applications are deployed with administrative privileges, which means that hackers could use SQL injection together with this vulnerability to gain access to administrative passwords.

"The passwords used to connect to the MS SQL server are stored in memory in clear text," explained Sentrigo CTO Slavik Markovich. "They are not cleared until the SQL server is restarted, so they can remain in memory for weeks or months in production environments. It is fairly easy to dump the memory and look through its contents for usernames and passwords."

In the case of SQL Server 2000 and 2005, attackers can exploit the situation remotely. There is some mitigation for SQL Server 2008 users because Microsoft removed the DBCC utility. However, it can still be exploited over local connections.

Despite this, Microsoft maintains that the vulnerability is much ado about nothing.

Microsoft has thoroughly investigated the claims of vulnerabilities in SQL Server and found that these are not vulnerabilities that require Microsoft to issue a security update. As the security researchers mentioned, in the scenario in question an attacker would need administrative rights on the attacked system.

"An attacker who has administrative rights already has complete control of the system and can install programs; view, change or delete data; or create new accounts with full user rights," Microsoft added.

Although administrators can normally reset a user's password if necessary, security best practices do not allow even administrators to see other users' actual passwords, Sentrigo officials say; this is an even bigger problem since many companies need to comply with various standards and regulations that demand strict separation of duties, something that is clearly violated by sharing all users' passwords with administrators.

In response to the situation, the security vendor has published a free utility to clear these passwords. The utility can be downloaded starting today from Sentrigo's website.

Source: SeguInfo.

Friday, September 4, 2009

Auditing SAP – Introduction

Over several posts on this blog we have gone from introductory articles to some of the small tools that SAP gives us to help configure its security.

In this post, and the following ones on “Auditing SAP”, we will try to cover step by step the tasks needed to evaluate the security of a system, in some cases repeating concepts already defined in earlier articles on the blog and incorporating new ones.

The main thing to start with is understanding the scope of the audit we are going to perform. Methodologically, a system audit focuses on reviewing the system's configuration in order to expose the weaknesses that could jeopardize the security of the information residing in it.

We have to begin by understanding that SAP, as an ERP, is a system that can provide a high degree of security in operations and has a good number of controls built into it, both configurable and inherent. But this security has to be configured for it to be effective.

It is also important to highlight a particular characteristic of SAP when auditing it: not only are the application controls (internal business controls, data validations, etc.) configured and therefore reviewed inside the system, but a large number of general (base) controls must also be performed inside it, since from within a SAP system it is possible to access the database tables directly, run programs, view source code, execute operating system commands, shut down the service, perform debugging, and a long list of other activities that in other systems must be controlled “outside the application” and in SAP's case must be controlled in “both places”. We stress “both places” because in many security reviews the focus is lost: permissions inside the system are checked in order to verify general and application controls, while the control over the database servers, application servers, etc. is somewhat neglected.

Likewise, as befits this blog, we will focus, at least initially, on reviewing the security specific to the SAP platform, and later we will add tips to verify on the underlying platforms (although this control is as varied as the platforms and databases on which SAP can be installed).

Before actually starting the audit of the system, there is certain information one should gather, and we will explain why:

- SAP version(s) to be worked on - Different parameters and configurations are possible depending on the system version, and our recommendations also vary by SAP version, unless our recommendation is to upgrade the version ;-)

- Any previous audit report – It can give us a general idea of the system, even though the review must be done from scratch.

- Landscape, number and names of instances - For obvious reasons it is necessary to know the landscape being worked on: servers involved, logical and physical application servers, development, test and production environments, etc. It is important that the environments are properly isolated from one another.

- Operating system and database (name, versions, etc.) – Finding out the operating system the application server is installed on and the database it runs on is important both for the base software review and for some system-specific transactions that depend on where it is installed.

- Clients (SAP mandants) - Knowing the existing clients and their purpose is necessary for the same reasons as the instances, and to determine the audit needs.

- Number of users - Complexity and extent of the review.

- Modules used/implemented - To know the scope of the review and an approximation of the number of roles involved and their complexity, which may depend on the modules (especially if industry-specific modules are included which, while they may not add many security controls, may be unfamiliar to us).

- General scheme of company codes, plants, controlling areas and other functional data - Useful when evaluating a role scheme in line with the organization's needs.

- Number of ABAP or Z developments - Serves as an indicator of the system's complexity and of its divergence from the standard system. This figure is very important for knowing how complex the role analysis will be and in a possible re-engineering of the roles.

- All documentation from the systems area defining procedures, missions and functions, the organization chart, the list of systems-area employees with their functions, monitoring, etc. - Useful to confirm that these procedures and positions are reflected in the structure of the system, and that users' permissions in the system neither exceed nor limit their responsibilities. It is important to know the user and access management process, to see that it is adequately reflected in the system.

- Change procedure, and emergency changes - It is important to have this procedure in writing and, if it does not exist, to survey what the process should be, in order to check that the transport system and the permissions are configured accordingly.

- Interface or non-named users - It is important to know in advance which these users are, in order to verify their correct parameterization or recommend their removal.

- Role naming scheme - How roles are named is vital for understanding their structure.

- User naming convention - To verify that it is followed and to understand it.

- System access methodology - Through SAP GUI, the web, interfaces from other applications, internet users, external users, SAP Router, Citrix. It is important to determine this in order to verify the scope and know what we are dealing with.

- Security implemented through the organizational structure, or use of structural profiles - This changes our point of view on how to review the security of the system.

- Network topology of the SAP system - To perform a preliminary analysis of the installation and its security.

- System continuity plans - Besides the obvious, to know the redundancy, the risk and other systems we must verify.

- Existence of display permissions to audit the system - We leave it for last, but it is extremely important to have permissions to everything we need, without modification rights, in order to work on the system with peace of mind. If interactive access to the system is denied, we will have to tackle a COMPLETELY DIFFERENT audit.

Evidently we have not yet addressed anything technical, but gathering all the information possible is an essential step. If you think of any other specific information to gather, don't hesitate to leave a comment on this article.

In the next one we will address the technical topics in more detail and how we proceed with a system audit.

Source: SeguridadSap.

Securing Application Infrastructure: The analysis of Application Security Methodologies

The trend of security threats has recently gained prominent attention in media and industry reports. This article briefly examines the methodologies and approaches that most organizations follow to address security issues, giving examples, test cases, strengths and weaknesses. Today's widely known solutions involve vulnerability scanning, static code analysis, penetration testing, binary analysis, fuzzing, etc. Which of them are more or less reliable, and which of them can address specific types of application problems, is the main subject discussed here.

Many software vendors think that 'security issues' will never put them out of business, but in reality they do affect sales as well as market reputation. Deploying proper application security not only reassures clients but also leads to increased productivity. Let us take an interesting equation as an example:

X = applications developed
Y = vulnerabilities existing in those applications
Z = cost of repair (patches and fixes)
Now, X × Y × Z = A (the answer)

If 'A' is less than the cost of a third-party QA auditor, the cost of training the developers and the cost of conducting additional security audits, then it makes more sense to write insecure code.

Application vulnerabilities (in a broad sense) can be divided into the following sections, but are not limited to them:

Operation/Platform Vulnerabilities
-Asset information disclosure
-Buffer Overflows
-Misconfigurations
-Error Handling
-Resource specific threats

Design Vulnerabilities
-Logic Flaws
-Access Control (Authentication/Authorization)

Implementation Vulnerabilities
-Code Injection
-Information Disclosure
-Command Execution
-Functionality Abuse
-Input Validation
-Time and State

Now, to test the security of the application, one may apply any of these methodologies:

Automated
-Automated Dynamic Tests (Fuzz Testing, Vulnerability Scanning)
-Automated Static Tests (Source or Binary Code Scanning)

Manual
-Manual Dynamic Tests (Parameter Tampering and Social Engineering)
-Manual Static Tests (Source or Binary Code Auditing)

Each of these methods has its own strengths and weaknesses. Thus we assume that, if not the best, at least the more efficient and reliable method can be judged by looking at its specific testing process.


Automated Dynamic Testing
When disclosing application vulnerabilities under this method, the complexity ratio increases when moving from vulnerability scanning to fuzz testing.

Strengths
-Fewer false positives (an inherent benefit of run-time analysis)
-Programmatic approach to ensure reliable and consistent tests output

Weaknesses
-Threat assurance: No Fault != No Flaw
-Only part of the code audit may provide a baseline for measurement.
-Unexpected conditions cannot be tested without additional programming.

Use Cases
-Fuzz Testing (complex input, informal SDLC, observable indicators)
-Application Scanning (strongly typed flaw classes, deterministic and observable behavior, known inputs only)
-Vulnerability Scanning (known transaction sequences, one to one mapping of triggers to specific conditions)


Automated Static Testing
This method can disclose the set of vulnerabilities present in the application by examining the code (source/binary) without user interaction. Several commercial and open source tools are available to perform automated static analysis. The complexity of such tools increases from normal flaw identification to the formal verification process.

Strengths
-Assessment of low-context flaws (parameters, DB query statements, etc)
-Automated scans require little or no human interaction
-Can get good placement during development lifecycle

Weaknesses
-Applications whose source code is not available.
-High ratio of false positives or negatives; tuning is harder.
-Critical issues with formal verification:
  1. Developing and correctly expressing a set of security invariants.
  2. Developing an interpretation of the application that lends itself to proving/disproving the invariants.

Use Cases
-Timely and resource-specific detection of simple flaws
-Detection of regression as a part of development lifecycle
-False assumption on strong assurance of the critical application
-In the hands of a developer who cannot interpret or filter the results correctly
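The "low-context flaws" strength and the "high ratio of false positives or negatives; tuning is harder" weakness above are two sides of the same design decision. As an added example (not code from the article or from any tool it names), the Python snippet below runs two pattern-based scanners over a constructed source sample: a low-context rule that flags any SQL string literal glued to a variable with "+", and a variant that also demands a query sink on the same line. The answer key and the sample are constructed; the sample is Python source purely so that the scanner and its input live in one file.

```python
import re

# Constructed application source for the scanner to read (not code from the
# article). Lines 2 and 11 build SQL with string concatenation and are the real
# flaws; line 5 is parameterized; line 8 only concatenates a log message.
SAMPLE_SOURCE = """\
def find_user(db, name):
    return db.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(db, name):
    return db.execute("SELECT * FROM users WHERE name = ?", (name,))

def log_query(table):
    logging.info("SELECT count for " + table)

def find_by_id(db, uid):
    sql = "SELECT * FROM users WHERE id = " + uid
    return db.execute(sql)
"""

# Low-context rule: a string literal containing an SQL keyword, immediately concatenated with '+'.
SQL_CONCAT = re.compile(
    r"""["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']+\s*\+""", re.IGNORECASE)
# Extra context: a query sink on the same line.
QUERY_SINK = re.compile(r"\.(execute|executemany|query)\s*\(")


def scan_low_context(source):
    """Line numbers where an SQL string literal is concatenated, regardless of where it flows."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SQL_CONCAT.search(line)]


def scan_sink_aware(source):
    """Same rule, but only when the concatenation and the query call share a line."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_CONCAT.search(line) and QUERY_SINK.search(line)]


def compare(source, true_flaws):
    """Measure both scanners against an answer key: {name: (false positives, false negatives)}."""
    results = {}
    for name, scanner in (("low_context", scan_low_context), ("sink_aware", scan_sink_aware)):
        found = set(scanner(source))
        results[name] = (sorted(found - true_flaws), sorted(true_flaws - found))
    return results


if __name__ == "__main__":
    for name, (fp, fn) in compare(SAMPLE_SOURCE, {2, 11}).items():
        print(f"{name}: false positives on lines {fp}, false negatives on lines {fn}")
```

The low-context rule finds both real flaws but also flags the log line (a false positive); adding the sink requirement removes that false positive but misses the flaw whose query string is built one line before it is executed (a false negative). Each tuning step trades one error class for the other, which is the weakness the list above describes.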


Manual Dynamic Testing
The manual dynamic assessment approach consists of human-navigated application usage followed by an assurance validation process and fuzz testing. Critical background information on the application design can be provided by the developers. The complexity of the manual dynamic testing process increases with its level, from common criteria and assurance validation up to parameter tampering.

Strengths
-Parallel capacity in execution of tests
-Pattern recognition
-Testing the live implementation may reduce false positives
-Capable of emulating the malicious attack process

Weaknesses
-Time consuming for large and complex applications
-May require the tester to climb a steep learning curve
-Test environment may not mirror production

Use Cases
-High-risk applications require a highly experienced security auditor to understand and scope the attack surface
-Wrong application type or wrong tester background
-A case where the requirements of the assessment do not match the expected risk profile of the application


Manual Static Testing
This process involves the interaction of human reviewers, an understanding of the application design and architecture documentation, and the use of an offline toolset (such as disassemblers, code browsers, etc.).

Strengths
-Known data and code points
-Without any resource specific considerations
-Adaptability with skills and toolset

Weaknesses
-Accuracy issues (false positives, human mistakes)
-High resource requirements
-Inconsistency in interpretation of same flaw in different ways

Use Cases
-Manual code audit (skilled resources, minor findings before automated tests, custom-coded scripts)
-Configuration review (low risk in changing values at runtime, known data sources and formats)


Thus, the application security assessment methods mentioned above, together with the statistics from the "WASC Statistics Project", show that the probability of detecting high-risk vulnerabilities is higher when a combined set of methodologies is used. This combined approach scores almost 12.5% higher than automated scanning alone (specific to web applications).

Source: EthicalHacker.

Exploiting SAP Business Platforms: The Pen-Testing Analysis

SAP simply stands for "Systems, Applications and Products in data processing". SAP, as a unique business solution developer, integrates a range of solutions including ERP, CRM, GRC, PLM, SCM and many more. Ease of use, ease of implementation and market reputation have given the company (based in Germany) a strong footing worldwide. Deploying a SAP solution is a fairly lengthy and complex process, and that is why core security settings are left at their defaults or unattended. This can result in serious exposure of the SAP platforms and flags a high risk to the organization.


SAP Basic Components

ClientID - Business unit or corporation with a unique identifier.
Transaction - A conversation between the client interface and the backend database.
Authorization - Roles/profiles assigned to users.
ABAP - SAP's high-level programming language.
Reports - A component that generates reports on user request.
Function Modules - A set of remote or local procedures.
RFC Interface - Remote function call library.


SAP Security

Speaking in the specific context of the SAP platform, many auditors like to harden the SAP authorization subsystem (roles and profiles). While hardening the authorization process and segregation of duties is considered vital, there is also another aspect of security, which involves the technical assessment of all the networked components within the SAP environment. Conducting "penetration testing" using an industry-proven methodology gives a clearer outlook on the security vulnerabilities and threats in the existing infrastructure; for instance, a weakness in configuration may result in business fraud. The typical steps followed in SAP pen-testing are:

-Discovery (Find the target)
-Enumeration (Services running on the platform)
-Vulnerability Assessment (Check for the presence of known/unknown vulnerabilities)
-Exploitation (Try to gain administrator privileges on the defined system)

The main goal is to achieve the highest possible privileges in the production environment, which can be accomplished by:

-Getting SAP Administration access
-DBA privileges
-SAP_ALL access privileges

Obtaining any of the above levels of access may give complete control over the SAP systems.


SAP Penetration Toolkit

The following are some of the key tools necessary to assess a SAP infrastructure.

-NMap
-rsh,rlogin,rexec
-Burp Suite
-W3af
-Nessus
-JTR (John The Ripper)
-THC Hydra
-SQL Client Tools
-NFS Client Tools
-Sapyto
-Metasploit

It is worth mentioning that "Sapyto" is specially designed as a SAP penetration testing framework covering all aspects of the pen-testing methodology. And because it is developed in Python and C, porting plugins is easier.

Countermeasures

1. Restrict connections to the SAP gateway.
2. Restrict access to shared resources, i.e. allow only internal connections.
3. Harden the configuration settings.
4. Remove or change the default user accounts.
5. Enable SNC (Secure Network Communications) to protect against eavesdropping.
6. Enforce good password security.
7. Restrict access to transactions.
8. Use the SAP authorization object S_PROGRAM to protect report confidentiality.

Source: EthicalHacker.

Cloud Computing: A Security Outlook

A 'cloud' in a computing environment is the combination of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) components. Many of us may confuse it with the ASP (Application Service Provisioning) strategy, which is completely wrong. In simple terms, a cloud is a virtualized, dynamically scalable, shared-fabric and shared-hardware solution offered to users. It avoids capital expenditure (CapEx) on purchasing expensive hardware, software and other services by renting usage from a third-party provider under an SLA (Service-Level Agreement). For more information, a cloud taxonomy is attached below.

Looking at security within the cloud computing domain gives a clear view of the risks involved from the consistency, interoperability, confidentiality, availability and integrity points of view, such as:

-Host visibility within cloud
-Trust Exploitation
-Data Privacy issues
-Immature logging process
-Data center tripwire
-Application security vulnerabilities
-Backdoored filesystem/virtualized operating systems/applications
-Virtualization security issues
-Content ownership/Intellectual property rights
-Cleartext data storage and transfer vs SSL/EV-SSL
-Use of weak encryption technology
-Centralized approach

Hence, before approaching any cloud computing vendor, it is better to investigate their policies and procedures regarding the security of your company's data transactions. This can be analyzed on the following basis:

-Data segregation and use of strong encryption technology
-Data hosting location
-Recognition under industry standards and regulatory compliance
-Disaster recovery and business continuity assurance
-Privileged access control
-Availability of resources and data
-Viability of the data in case the vendor goes out of business

A good set of cloud services can be differentiated by agility, sustainability, cost, multi-tenancy, reliability, scalability and security. Additionally, from a security perspective, 'focused penetration testing' may free a vendor from any false sense of security and thus save the cost of data loss or liability issues.

For more information on current security initiatives, visit:
[1]Cloud Security Alliance - http://www.cloudsecurityalliance.org
[2]ENISA Cloud Security Working Group - http://www.enisa.europa.eu

Source: EthicalHacker.

Escalating from a Hardened PHP Environment

A number of PHP threats and vulnerabilities have been reported during the past few years. These include file inclusion attacks, remote file upload vulnerabilities, insecure function injection (eval, create_function, preg_replace), etc. Executing malicious shellcode on vulnerable web servers is still easy, but it becomes quite challenging once the "post-exploitation" topic is highlighted.

Today many PHP-based web servers are hardened by default and run with low privileges. Thus, it is extremely challenging for an attacker to gain full control over the server. Let's take a brief overview of the common types of protection schemes used to harden a PHP environment:

1. Limit the PHP code (i.e. control each input/output)
2. Limit the PHP interpreter
3. Harden the code against buffer overflows and memory corruption
4. Limit the possibility of arbitrary code execution
5. Non-writable filesystem
6. safe_mode (disables access to configuration settings, limits access to files/directories, limits environment variables)
7. disable_functions/disable_classes (remove unnecessary functions and classes)
8. Use a memory manager (malloc/mmap) that applies the safe_unlink feature and three canaries (metadata, buffer before/after)
9. Kernel-level protection with ASLR (address space layout randomization), mprotect(), AppArmor, SELinux, grsecurity

Now some highlights of PHP vulnerabilities and exploitable conditions:

1. The caller of a PHP function can force a parameter to be passed by reference:

<?php
function increase($a)
{
    $a++;   // only the local copy changes, unless the caller forces a reference
}
$z = 7;
// call-time pass-by-reference: the caller, not the function signature, decides that $z is passed by reference
increase(&$z);
echo $z, "\n";   // $z is modified despite the signature when call-time pass-by-reference is allowed
?>

This happens because we are unable to disable the internal "allow_call_time_pass_by_reference" directive.

2. executor_globals() is used to find the interesting target: it contains the list of functions, ini entries and the jmp_buf, but its memory position is unknown and the structure changes with every single PHP version.

3. To execute code of the user's choice, the function dl() comes in handy, but it requires:
-a platform-independent library
-a writable directory
-enable_dl to be activated
-extension_dir set to the shared library directory

4. Attacking on the x86 Linux platform:
-PHP arrays leak the pDestructor pointer, which points into the PHP code segment
-scan until we find the ELF header in memory
-once the ELF header is discovered, we can also find the imported functions
-select a function that has been imported from libc (memcpy)
-from there we can look up any function within libc and obtain its address
-the address of the shellcode can be written and executed
-copy the shellcode into a writable text segment and execute it
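Hardening items 6 and 7 above and exploitable conditions 1 and 3 all come down to php.ini directives, so a defender's first check is the configuration itself. The Python auditor below is an added example, not code from the EthicalHacker article: run against two constructed php.ini fragments, it flags allow_call_time_pass_by_reference, enable_dl and display_errors when they are On, an extension_dir under a world-writable path, and shell-spawning functions (dl() included) missing from disable_functions. The hardened fragment's extension path and its function list are illustrative choices, not the article's.

```python
import configparser

# Constructed php.ini fragments (not from the article). The first leaves the
# directives the article names in their permissive state; the second hardens them.
WEAK_INI = """\
[PHP]
allow_call_time_pass_by_reference = On
enable_dl = On
extension_dir = "/tmp/ext"
disable_functions =
disable_classes =
display_errors = On
"""

HARDENED_INI = """\
[PHP]
allow_call_time_pass_by_reference = Off
enable_dl = Off
extension_dir = "/usr/lib/php/modules"
disable_functions = dl,exec,passthru,shell_exec,system,popen,proc_open
disable_classes =
display_errors = Off
"""

# Directives that must be Off. PHP accepts On/Off, 1/0, true/false, yes/no.
MUST_BE_OFF = ("allow_call_time_pass_by_reference", "enable_dl", "display_errors")
# Functions that should be listed in disable_functions when dl() is not needed (illustrative set).
WANT_DISABLED = {"dl", "exec", "system", "shell_exec", "passthru", "popen", "proc_open"}


def _is_on(value):
    return value.strip().strip('"').lower() in ("on", "1", "true", "yes")


def audit_php_ini(text):
    """Return a sorted list of findings (strings) for the php.ini text given.
    The text is expected to carry the [PHP] section header that php.ini uses."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    php = cp["PHP"]
    findings = []
    for key in MUST_BE_OFF:
        if _is_on(php.get(key, "Off")):
            findings.append(f"{key} is On")
    disabled = {f.strip() for f in php.get("disable_functions", "").split(",") if f.strip()}
    for fn in sorted(WANT_DISABLED - disabled):
        findings.append(f"{fn}() not in disable_functions")
    ext_dir = php.get("extension_dir", "").strip().strip('"')
    if ext_dir.startswith("/tmp") or ext_dir.startswith("/var/tmp"):
        findings.append(f"extension_dir points at a world-writable location: {ext_dir}")
    return sorted(findings)


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, "->", audit_php_ini(ini) or "no findings")
```

Read the real php.ini with open() and pass its contents to audit_php_ini to check a live server; disabling dl() and keeping enable_dl Off removes the loader that condition 3 depends on, and extension_dir outside any directory the web server can write to removes the writable-directory requirement.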

Source: EthicalHacker.

ISO 27799:2008, one more step in Information Security for the healthcare sector

In the healthcare sector, by now nobody should have any doubt about the need to implement a SECURITY MASTER PLAN. It should be a premise of the IT governance of a healthcare center, whether public or private.
To reach this milestone, as those of us who work with ISO standards say, “everything has already been invented”. In this case, the number to study is 27001.

The broad concept of security comprises not only the technological part but also the organizational part, the legal framework and above all management. In this sense it is more than useful to know in detail the ISO 27000 family of standards, headed by ISO 27001, which sets out the requirements for implementing an ISMS, and thus to have a working and management system with which to tackle this changing and difficult discipline of security.

For the healthcare sector we have very good news: the ISO 27799 standard, published in 2008, seems to be well received by professionals in this sector and is already required reading for professionals and consultants working in this type of organization. ISO 27799 was created taking into account the best practices carried out in various primary care centers, clinics, home care teams, hospitals, specialist practices, etc., with the sole aim of incorporating an approach to the reality of the problems that currently exist and how to manage them.

Source: ISO/IEC 27000. Author's own elaboration.

INFORMATION SECURITY IN HEALTHCARE

Information security is the sum of three concepts:
CONFIDENTIALITY + INTEGRITY + AVAILABILITY



Protecting confidentiality is mandatory, since personal data concerning health must be treated with the highest level of protection. On this variable it is worth remembering that the risks are greater when the information is not computerized.
On the other hand, it is essential to maintain the integrity of medical and health information, in order to guarantee patient safety.
Finally, the availability of health information is also fundamental for the effectiveness of medical service delivery. Healthcare information systems must meet the sole premise of remaining operational during natural disasters, system failures and possible denial-of-service attacks.
In the healthcare sector the integrity and availability of a clinical record are much more important than its confidentiality. A lack of integrity or availability of health data in a clinical record can lead to the loss of human lives.

WHY MANAGE SECURITY?
We consultants face a great challenge in convincing our clients and our own team that “putting out fires with syringes does not extinguish a blaze”. I thought of stringing together a series of phrases, “tagging experiences”, to explain what managing security means:
managing the work of suppliers, setting guidelines and procedures, not leaving holes, developing software in an orderly way, working as a team, responding to incidents, managing a problem properly, learning from mistakes, hiring capable people, conveying obligations according to roles, making security easier and more transparent for the user, not making the same mistakes again, raising user awareness, demanding accountability from management, knowing how much security costs, anticipating problems, creating a working methodology, improving…”

The best way to “manage security” is to implement an ISMS, an information security management system, and ISO 27001 and its family of standards provide us with this framework.

ISO 27799:2008
The standard is not new. The TC215 WG4 working group has been working on it since 2003, and by the end of 2006 the standard was already public in the scientific community.

The ISO 27799:2008 standard, specific to the healthcare field, defines guidelines that can support the interpretation and application in this sector of the aforementioned ISO 27001 and 27002. It specifies a detailed set of information security management controls specific to this field and gives us a series of clear security guidelines on the best practices to follow in health-related matters.

ISO 27799:2008 applies to health information in all its aspects and in any of its forms (words, numbers, sound recordings, drawings, video and medical images or X-rays), on any storage medium (written or printed on paper, and electronic) and through any means of transmission (pouches or courier, fax, computer networks or e-mail).

The content of the standard reflects the positive and practical evolution of the ISO 27000 family. It reasons about and specifies the risks particular to the healthcare sector, changing the order of importance of the security factors. It also specifies, for example, 25 typical vulnerabilities and, above all, gives us a guide on how to implement ISO 27001 and the ISO 27002 controls. Therefore, implementing this standard without having a management system does not make much sense. For example, we can implement an incident system, but if we do not analyze it and learn from it, it is more than likely that it will be abandoned and that we will fall into a technological bureaucracy that does not translate into better security.

This standard is not certifiable; it only represents guidelines for the sector and is implemented and developed under the management system defined by ISO 27001.

ISO Web Site: ISO 27799:2008 Health informatics -- Information security management in health using ISO/IEC 27002

Source: cryptex.