CrashMe, from the WinDbg developpers, may be a helpful application for those in the process of learning how to use a debugger or a disassembler.
It simulates several crash situation that you will be able to easily reproduce and examine within these tools.
The SIEM planet has recently gone crazy. Following the acquisition of the leader, Arcsight, by HP last year, IBM just acquired Q1 Labs… and Mc Afee, Nitrosecurity !
With RSA and Norton having their own solutions, we know have 5 big players in the arena (see Gartner 2011). This is a good proof that the correlation market is growing and that the solutions are getting mature.
BNAT stands for “Broken NAT“. In the scope of Jonathan Claudius work, a NAT is considered broken when the client receives a reply from a server behind a NAT with a different IP than the one it sent the request to.
It happens with bad implementations where the DNAT (destination NAT) and the SNAT (source NAT) use a different IP because of a wrong rule or because the outbound and inbound interfaces are separated.
As a result, the operating system of the client will discard right away such a reply (with a TCP RST), because it does not match an existing TCP session.
The idea is that a pentester auditing such an infrastructure with a classic scanner will miss some entry points. A typical scanner relies on the network stack of the system : it will not receive the reply and will consider the port as filtered.
So Jonathan came with a proof-of-concept to illustrate his purpose.
It is composed of a B-Router and a client. The B-Router will intercept the reply and maintain the session by sending an ACK. This way, it handles an asymetric routing scheme for the client. Just add a filtering rule to block your system’s RST (iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP ), and you are good to go.
Simple but brilliant, isn’t it ? The great thing is that the code has now been included in Metasploit, so it is even more straightforward.
Check the slides of Jonathan at DEFCON for more info. You can download the source there (or just update your Metasploit and look for it in auxiliaries).
Didier Stevens “benchmarked” the efficiency of ALSR as implemented by the EMET tool.
The conclusion is that it is pretty weak, whereas I thought it was on pair with true ALSR (as advertised). Very instructive.
On his website, Aza Raskin calls it Tabnabbing. Don’t miss the video there and the test web page. It is so simple and probably efficient with most users. Certainly another dangerous phishing attack.
I recently attended to the 2011 edition of the SSTIC conference (a major security conference in France), where I had a good time and where the slides of Joanna Rutkowska somehow inspired me.
I shamelessly decided to reuse and extend her mind-map style diagram from a system security centric view into something more generic and operational on IT security.
Then, I came with this first version of the diagram:
A the moment it is probably quite incomplete and incoherent on some aspects, but I am quite satisfied of the shape it is taking. I will certainly update it quite often, as soon as I think about something new.
I find it convenient as a memo summarizing goals, steps and tools to achieve security. It may also help clarifying some points during a presentation.
Feel free to use it (as long as you keep the credit to this website). I am waiting for your comments and suggestions on how to improve it.
I found multiple vulnerabilities in software from Schneider Electric, used to monitor industrial monitoring devices. It reveals a very poor security design.
The editor was informed and I am waiting for its acknowledgement. I will disclose more details once the issues are patched.
FFFjacking is new web browser hacking technique discovered by Roman Kümmel (aka .cCuMiNn.).
Even though it requires a little of social engineering, it is quite dangerous. Yet another string to add to the bow.
