
Vulnerability Disclosures come with economic side effects

The "new", "improved" SecurityFocus (I reacted to the changes in the previous post) houses an interesting article - Study: Flaw disclosure hurts software maker's stock. This study, performed by researchers from Carnegie Mellon University, shows that a vulnerability disclosure in a company's products has a significant effect on the company's stock price. So a vulnerability has direct economic effects, besides those that come from customers choosing other products due to a possible lack of security.

On average, a vulnerability causes a 0.91 percent fall in stock price, but Microsoft seems to be punished far less for its vulnerabilities: 0.28 percent. Why is this? To me this is shocking, as they manufacture an operating system that in turn is responsible for a stable and secure "foundation" platform. A flaw in Windows should, in my opinion, be seen as far more serious than a similar one in a third-party application. Have customers got used to flaws in Microsoft's software? Is that it? I wouldn't be surprised.

Another thing the article shows is that if a patch is available at the time of disclosure, the stock price is punished less. This is more or less obvious, but I find it a little worrying. This kind of information might lead more manufacturers to hold back on found vulnerabilities, and to a flourishing situation for companies like Immunisec (who buy and sell vulnerabilities under non-disclosure agreements, keeping them from the public). I think it's essential that vulnerabilities are disclosed in public; otherwise zero-day exploits and vulnerabilities will get a new definition. It will become impossible for a company to know of its vulnerabilities without subscribing to various services. I argue that network security equipment, such as IDSs and IPSs, should be used to protect machines and services in the time frame from disclosure to patch. But they do need a vulnerability to build their signatures from.

Attack takes your information hostage

I remember reading about an incident a couple of years ago that involved a hacker who, once he had penetrated a company's network, encrypted their database of customer information and removed the original unencrypted data. The decryption key was then offered for a ransom… and probably a big one.

Today, news.com posted an article about a similar case, where data on the victim's computer is encrypted and a decryption key is offered in return for a ransom of $200. The biggest difference from the one I remember is that this one is undirected and unstructured. This specific attack is performed when the user visits a specially crafted website that exploits a flaw in IE (presumably an old one, as the article doesn't state anything more specific about it), which in turn executes the code that performs the encryption and ransom procedure. Symantec labels this a trojan horse and has named it "Trojan.Pgpcoder".

While I'm not very interested in virus-related news/technologies/buzz etc., I thought this attack was a bit "fun".

Intelligent Host-based IDS?

A few months ago I attended a seminar/presentation by a guy from Panda Software (developers of antivirus software). I posted my responses to that presentation, and more specifically on Panda's application TruPrevent, in the middle of March.

Anyhow, Panda has released TruPrevent 2.0 and promises a 100% detection rate of zero-day attacks, for instance unknown viruses. I'll quote an article at NewsFactor Technology:

Panda's TruPrevent software automatically does a real-time analysis of programs as they execute. It then detects new viruses that have a malicious intent with what the company calls event-correlation algorithms. If malicious code is detected, the software kills it then notifies the user.

Most heuristics- and rules-based approaches still largely rely on signature files, which can take hours or days to develop and distribute to customers. Panda Software's approach is based on what the company calls "neural scanning" — a relatively new approach that uses a kind of artificial intelligence to identify whether a computer is being breached.

I'm interested in hearing how TruPrevent meets these claims. I don't give much for all those "independent reviews" that just "happen" to be presented at the same time as the release of a new product.

New publication about anomaly detection of different forms

This month's edition of the Swedish security magazine Säkerhet & Sekretess features an article by me. The article, on page 62, introduces anomaly detection in its different forms. Besides discussing the general advantages and disadvantages compared to traditional signature-based technologies, it presents various use cases, such as traffic anomaly detection, used by IDSs to detect and alert on abnormal network activity; protocol anomaly detection, used by IDSs to detect and react to traffic and packets that deviate from the protocol specification… and more. The article also introduces SPADE, a preprocessor that gives Snort traffic anomaly detection capabilities.

I'm quite happy about the article, and I hope I'll get to write more IDS/IPS-related articles in the future. I actually wrote an article in the previous issue too; that one introduced the vulnerability scanner Nessus.
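As an added illustration of the traffic anomaly detection the article introduces (my own example, not code from the article or from SPADE itself), the Python script below scores constructed flow records the way SPADE scores packets: each flow gets an anomaly score of -log2 of the estimated probability of its (destination IP, destination port) pair, estimated from the traffic seen before it, so the first connection to a rarely used service on a never-contacted host scores high while routine web and mail traffic does not. The flow records and the 3.0 threshold are constructed for the example.

```python
"""SPADE-style traffic anomaly scoring over constructed flow records (added example)."""
from collections import Counter
from math import log2

# Constructed sample flows, one per line: "<src_ip> <dst_ip> <dst_port>".
# Routine web and mail traffic to two servers, then one connection to an
# unusual port on a host nobody has contacted before.
SAMPLE_FLOWS = """
10.0.0.5 10.0.1.20 80
10.0.0.6 10.0.1.20 80
10.0.0.7 10.0.1.20 80
10.0.0.5 10.0.1.20 443
10.0.0.6 10.0.1.20 443
10.0.0.8 10.0.1.21 25
10.0.0.5 10.0.1.20 80
10.0.0.9 10.0.1.20 80
10.0.0.6 10.0.1.21 25
10.0.0.7 10.0.1.20 443
10.0.0.5 10.0.1.22 31337
"""


def parse_flows(text):
    """Parse the constructed flow log into (src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def score_flows(flows, threshold=3.0):
    """Score each flow incrementally, as SPADE scores packets as they arrive.

    score = -log2 P(dst_ip, dst_port), with P estimated from the flows seen so
    far plus this one, so a never-seen pair gets 1/(n+1) instead of zero.
    Returns (scores, flagged); flagged holds flows scoring above the threshold.
    """
    pair_counts, seen = Counter(), 0
    scores, flagged = [], []
    for flow in flows:
        pair = (flow[1], flow[2])
        score = -log2((pair_counts[pair] + 1) / (seen + 1))
        scores.append(score)
        if score > threshold:
            flagged.append(flow)
        pair_counts[pair] += 1  # learn the pair after scoring it
        seen += 1
    return scores, flagged
```

The very first flows score low because there is no history to contrast them with; SPADE likewise needs a training period before its scores mean much.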

The great intrusion prevention debate

Infoworld posted a great debate article two days ago: Marc Willebeek-LeMair from 3Com's security division TippingPoint and Marty Roesch from Sourcefire debate the use of intrusion prevention systems. Marc and TippingPoint, who sell "hardware-based" IPS appliances, claim that IPSs (their IPSs more specifically) fully solve the problem of blended threats. Marty and Sourcefire, on the other hand, see the IPS as another security appliance, not the only one. This idea is commonly referred to as defence in depth, an idea well known and widely adopted.

Marty (who founded Snort and practically invented several features commonly seen in IDSs today, like vulnerability-targeted signatures instead of exploit-targeted ones) beats Marc, in my opinion, by his overwhelming knowledge of intrusion detection.

An interesting read, to say the least.

Why is it so hard to address vulnerabilities targeted at handheld devices?

Some of you might remember that I'm currently writing my final thesis. It's (currently) titled Sensitive Data on a Handheld Device - An Analysis of Risk, Vulnerabilities and their Mitigations; it might however change. It's doing kind of well: the paper currently weighs in at 67 pages, and I'm scheduled to be finished next week. I've made a few nice observations and drawn several conclusions in the thesis, and I'll present a paragraph that I wrote this morning. The section is "scissored" from the introduction of chapter 4, which deals with vulnerability assessment. As it's directly copied from the paper, mind the various references stated.

What is a vulnerability?
We stated in chapter 3 that a vulnerability is a weakness in an asset that could lead to exploitation. A weakness, or a flaw, can be the result of poor design, poor implementation or containment. Poor design might be a flaw in a protocol, such as Bluetooth; poor implementation might be a flaw in the implementation of an otherwise secure protocol, such as weak encryption keys; and containment refers to the ability of a product to be used in unintended ways, such as reading other applications' data (Bejtlich, 2004, pp. 8-9). We will in this chapter see how all these cases are exploitable.

Why are PDA vulnerabilities so hard to address?
We recently stated that the vulnerabilities that will be presented are in general passé. How can they still pose a threat then? Vulnerabilities always pose a threat towards the specific software (application, version) they were targeted at. Generally, vulnerabilities become less significant over time, as software is updated and patched. But how is this done on handhelds? Is there a common place to announce Palm OS vulnerabilities? Is there a common way to release patches? Is there a general way to patch these devices? These are the essence of a problem that will only get bigger, as these devices will probably be targeted to a greater extent in the future. All the vulnerabilities that will be presented below are more or less mythical, and information on them is hard to come by. PalmSource Inc, who maintains and develops Palm OS, has no information about vulnerabilities, and no area of their website dedicated to them. The handheld industry has not yet come up with a good solution for announcing vulnerabilities, such as those existing for computer-targeted vulnerabilities, like various mailing lists and dedicated websites. All major software and hardware vendors that have applications for computers take this seriously, and often announce patches and/or workarounds to the public by various means. The absence of information from vendors about exploits and attacks targeted at their devices makes it hard to know exactly which devices are vulnerable. Does the new version of Symbian OS address a specific flaw? Has Symbian even realised its existence? Likewise, can an advisory released on a computer-related mailing list that includes a statement of vulnerable systems be trusted if it doesn't mention Palm OS? Can we take for granted that these devices are included in the evaluation of vulnerable systems? After all, these devices aren't computers. Due to these factors, these devices may be seen as permanently vulnerable; after all, where can I find out if they aren't?

Accepted to a master's programme focused on security

A friend of mine announced yesterday that he got accepted to an international master's programme here in Sweden. Not one to be outdone, I got in too!

The programme is taught on the outskirts of Stockholm, in Kista (supposed to be something like the Silicon Valley of Sweden). If I choose to attend, I'll be awarded the degree Master of Science with a major in Information Technology, specialised in Information and Communication Systems Security. Sounds rather neat :)

Right now I'm finishing up the thesis for my Bachelor of Science degree. I have two weeks to decide whether or not I want to catch a ride on this train.

Article about full disclosure

Google News has posted an article and interview with the founder of Immunisec, who make their living by keeping vulnerability disclosures to themselves and their paying customers. I wrote my thoughts on this a couple of weeks ago.

While reading the article I learnt that the security consulting firm @stake is actually based on the former hacking group L0pht, the producers of the famous hacking tool L0phtCrack. Didn't know that.

Some thoughts on wireless security

I've been ranting about security in wireless networks a few times lately. While doing some research for my thesis, specifically on WLAN security issues, I got hold of the presentation DVD from RSA 2005. This included some presentations about wireless security.

Among other things, one presentation talked about WIDSs, or WLAN Intrusion Detection Systems. I think I've seen a preprocessor for Snort that does this. When I come to think of it, practically all attacks on WLANs are more or less (often more) automated with the use of (often highly sophisticated) applications, such as AirSnort, WepCrack, Kismet et cetera. These "automated" attacks are ideal for an Intrusion Detection System, as they follow a certain pattern and are thus easily "signaturized" and detected. In addition to automated attacks, these systems also detect rogue access points by looking for abnormal association requests et cetera. The author of the presentation states that a WIDS is necessary for all corporate WLANs. I'll try to investigate this a little further when I get time.
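To make the two WIDS checks mentioned above concrete, here is an added Python example (my own illustration, not code from the presentation or from any Snort preprocessor) that runs over a constructed log of 802.11 management frames: it flags rogue access points that beacon the corporate SSID from a BSSID not on the authorized list, and flags one-second windows in which association requests toward one AP exceed a rate limit, the kind of regular pattern an automated tool leaves behind. The SSID, BSSIDs, MAC addresses and limits are all constructed for the example.

```python
"""Constructed WIDS checks: rogue-AP beacons and management-frame floods (added example)."""
from collections import Counter

# Hypothetical corporate SSID and the BSSIDs allowed to advertise it.
CORP_SSID = "corp-wlan"
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed 802.11 management-frame log: "<second> <type> <source> <bssid> [ssid]".
# Two sanctioned APs, a guest AP, an AP impersonating the corporate SSID,
# two normal association requests, then a burst of five within one second.
SAMPLE_EVENTS = """
0 beacon 00:11:22:33:44:01 00:11:22:33:44:01 corp-wlan
0 beacon 00:11:22:33:44:02 00:11:22:33:44:02 corp-wlan
0 beacon aa:bb:cc:dd:ee:ff aa:bb:cc:dd:ee:ff corp-wlan
0 beacon 00:11:22:33:44:09 00:11:22:33:44:09 guest-wlan
1 assoc_req 66:77:88:99:aa:01 00:11:22:33:44:01
2 assoc_req 66:77:88:99:aa:02 00:11:22:33:44:02
5 assoc_req de:ad:be:ef:00:01 00:11:22:33:44:01
5 assoc_req de:ad:be:ef:00:02 00:11:22:33:44:01
5 assoc_req de:ad:be:ef:00:03 00:11:22:33:44:01
5 assoc_req de:ad:be:ef:00:04 00:11:22:33:44:01
5 assoc_req de:ad:be:ef:00:05 00:11:22:33:44:01
"""


def parse_events(text):
    """Parse the log into (second, frame_type, source, bssid, ssid_or_None)."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ssid = parts[4] if len(parts) > 4 else None
        events.append((int(parts[0]), parts[1], parts[2], parts[3], ssid))
    return events


def rogue_aps(events, ssid=CORP_SSID, authorized=AUTHORIZED_BSSIDS):
    """BSSIDs that beacon the corporate SSID without being on the authorized list.
    An unknown AP advertising another SSID (the guest network) is not an
    impersonation of the corporate WLAN, so it is left alone here."""
    return sorted({e[3] for e in events
                   if e[1] == "beacon" and e[4] == ssid and e[3] not in authorized})


def frame_floods(events, frame_type, per_second_limit):
    """(bssid, second, count) windows where frame_type toward one AP exceeds the limit."""
    window = Counter((e[3], e[0]) for e in events if e[1] == frame_type)
    return sorted((bssid, sec, n) for (bssid, sec), n in window.items()
                  if n > per_second_limit)
```

The same flood check works for deauthentication frames if the log carries them; only the frame type and the limit change.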

Another thing that caught my eye was a presentation on WLAN security issues. The presentation covered the normal and general aspects of this, including descriptions of WEP, WPA and WPA2. I did a presentation about WLAN security some months ago at school, and I got a question stated somewhat like this: "But how does WPA2 solve the security issues that WPA has?". The questioner referred to the DoS, dictionary attacks and MitM (man in the middle) attacks that are applicable to WPA. I think I answered that it doesn't, but I had no real explanation of why not. The real answer is that WPA2 (otherwise known as 802.11i) is implemented merely to incorporate the strong AES cipher. This does deal with the issue of TKIP (which WPA uses) and its weak cipher, but not the other attacks stated above. So, should WPA2 be considered insecure? By employing it in enterprise mode, I think not, but I'm not sure.

The DVD has a lot of presentations (50-100), and I'm eager to view those that are strictly intrusion-related (detection, attacks et cetera). I'll probably do a post if I find something interesting.

A good paper on Bluetooth security and hacks

While doing some research on Bluetooth for my upcoming thesis, I discovered this great paper by a fellow named Sil Janssens. It covers all the (media-hyped?) Bluetooth-related hacks, like BlueBugging, BlueSnarfing and BlueJacking. These techniques can, among other things, let an attacker gain access to personally stored data, such as the address book and locally stored files, but also make calls and issue other AT commands. It is very well organised, scientific and detailed.
Some months ago I did a short presentation on Bluetooth security at school, and this was the kind of document I was searching for then, but didn't find. Recommended.