/var/log/messages (2010)
This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.
Forensic Readiness: A Primer
Dec 24, 2010
Forensic readiness is rapidly becoming established as an integral part of information security, and now forms part of standards and guidelines such as PCI DSS and CESG’s Information Assurance Maturity Model. Security has long been seen as a financial black hole, a necessary requirement or a compliance hurdle. As organisations mature and come to treat investment in security as a business enabler, forensic readiness should likewise be seen as a core tenet of managing information securely. A poorly managed security incident can heavily impact an organisation, from increased downtime and sanctions or fines to negative publicity and public exposure. This article presents an overview of some basic measures organisations can take to prepare for security incidents and forensic investigations, so that they can effectively manage the identification and containment of an incident and the investigation that follows.
How should organisations ensure that they are best equipped for incidents, so that these do not have a significant impact on the business? The following key points have been successfully implemented by MWR InfoSecurity’s clients and are a starting point for all Security Managers.
A Postcard From Finland!
Nov 17, 2010
Finland is known for many things: its fabulous cuisine, the salty liquorice, the tasty Salmiakki and Lunkaros, the saunas and the people’s hospitality. But within the security industry it is also known for hosting one of the top security conferences in the world!
The T2’10 security conference was held in Helsinki at the end of October. This year’s schedule promised technically excellent talks from a great line-up of well-known security researchers, and it lived up to those expectations, in a comfortable and relaxed environment where the primary focus was the sharing of information. Every talk was followed by an open discussion between the speaker and the attendees, and there were further opportunities to chat with speakers and fellow attendees during breaks, over lunch and dinner, or at the networking cocktails.
Career Opportunities at MWR
Sep 14, 2010
Have you ever wondered what goes on behind the scenes at MWR Labs? Would you like to know what it takes to work as a consultant with MWR InfoSecurity’s clients? What question would you ask Max Pwnage if you had the chance to meet him?
If these are the kind of questions you find yourself asking, you should consider the current opportunities to join the Technical Consultancy Team at MWR InfoSecurity.
We are now looking for consultants to join the company to perform security testing and consultancy for our clients and to engage on projects within MWR Labs. If you have great technical skills, a passion for information security and a desire to make a difference in this industry please send a CV and covering letter to recruitment2010@mwrinfosecurity.com.
A Reason to Visit Stockholm in September?
Sep 14, 2010
The SEC-T security conference was held in Stockholm last week. Now in its third year, the event is a major reason to visit the city at this time of year. SEC-T may be a newcomer compared to some of the more established conferences, but it has nothing to fear from them, as the high quality of the talks over the past three years has proven. This year heralded a new venue on Södermalm, the city’s southern island, which provided a cosy and relaxed atmosphere in which to talk shop with some of the world’s finest security professionals.
This is the second year in which MWR InfoSecurity has presented at the event, and to make up for not speaking last year there were two talks and three members of the team at the conference. After a rigorous selection process the organisers selected talks on Deployment Solutions and on Physical Security Penetration Testing and Social Engineering. Both talks combined front-line research performed by MWR Labs with real-world experience, and enabled the audience to understand how findings from the lab can be used to assess security in the field.
Assessing the Tux Strength: Part 2 - Into the Kernel
Sep 02, 2010
The previous article in this series on Linux security described the userspace protection mechanisms that can be applied to binaries on a Linux system. Unsurprisingly, without additional kernel settings and protections most of those mechanisms cannot be used to their full extent. This article therefore focuses on kernel features that have a direct impact on the security of running binaries. Specific security frameworks such as SELinux, grsecurity RBAC, AppArmor and others are not discussed here, although they may feature in future articles.
Most of the kernel features described here add protection to userspace; a few, however, also have a direct impact on the security of the kernel itself. Kernel security matters because once an attacker is able to execute their own code in kernel space there is very little that can be done to maintain the security of the system. The Linux kernel is under rapid development: new features are added, existing functionality is amended and support for new devices arrives on a regular basis, and the direct and indirect impact of these changes on the security of the kernel is easily overlooked. It is also not uncommon for a security feature enabled in the kernel to cost performance, both its own and that of the system as a whole.
Recent Palm webOS Vulnerabilities - MWR InfoSecurity Clarification
Aug 16, 2010
MWR InfoSecurity has recently published information about vulnerabilities affecting several mobile platforms. Owing to errors in the reporting of these issues, MWR is publishing this statement to clarify the situation and to answer questions that have arisen about the issues and their current status.
In May 2010 MWR Labs identified and reported two vulnerabilities in Palm’s mobile operating system, webOS. One of these vulnerabilities was recently used by us to demonstrate to the press the impact of security flaws in smartphones. The articles and blog posts that various sources published in response have led to some confusion about Palm’s response to these issues and their current status. Both vulnerabilities reported by MWR were originally identified in Palm webOS 1.4.1 and were immediately reported to Palm’s security team, who responded speedily and acknowledged the vulnerabilities. Since disclosing these issues to Palm, MWR InfoSecurity has taken the decision to discuss the presence of vulnerabilities in smartphone platforms publicly. This decision was taken to highlight the risk that smartphone vulnerabilities pose to users and to ensure the issues are correctly represented in the public domain.
With the webOS 1.4.5 release Palm fixed one of the vulnerabilities reported to them by MWR InfoSecurity. This vulnerability is an issue in a local service running on the phone; full details have yet to be released by MWR and will be published once all users have had a chance to install Palm’s fix.
The issue that Palm has not yet addressed is the vulnerability in vCard parsing, which MWR InfoSecurity demonstrated on the 11th of August. In recent conversations, members of Palm’s security team stated that a fix is planned for Autumn 2010. Until an appropriate vendor-supplied patch is available, users are therefore advised to exercise caution.
Just Arrived! - Max Pwnage
Jul 16, 2010
After much anticipation we are pleased to announce that the new Max Pwnage cards from MWR Labs are now available. The cards highlight the impact of a number of high-profile security vulnerabilities that have affected systems and networks over the past 30 years. It has also been discovered that the cards can be used to play an exciting game of skill and chance, although this is purely a coincidence.
Palm webOS 1.4.5 fixes security issue found by MWR InfoSecurity
Jul 07, 2010
Palm has released version 1.4.5 of its mobile operating system; this release fixes an issue found by MWR InfoSecurity. Most mobile carriers have started to push the update to their customers. As soon as the majority of devices have been updated we will release a detailed advisory on this issue.
The Palm release notes are available here:
http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/68919_en.html#145
Assessing the Tux Strength: Part 1 - Userspace Memory Protection
Jun 29, 2010
This is the first in a series of articles describing the security mechanisms and exploit mitigation techniques available in Linux environments and their use across various Linux distributions. This article focuses solely on userspace protections. Subsequent articles will cover specific software, such as web browsers and network daemons, and its security exposure, as well as the additional kernel security mechanisms and frameworks that are available.
Memory corruption attacks are still a very common way to compromise a modern computer system. The once basic techniques of buffer overflows have evolved into more sophisticated memory corruption attacks, and at the same time the mechanisms that protect the integrity of processes and system memory have also improved.
Almost every mitigation technique developed over time against memory corruption exploits can be implemented and used in one form or another on a Linux operating system. Many people argue that some protection mechanisms are more effective than others, for example because they mitigate a larger number of different attacks. Furthermore, a number of them arguably have a performance impact on the system, and can also present challenges in compiling the specific software and in ensuring compatibility with the rest of the system.
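Whether a given binary actually carries the userspace mitigations discussed above is recorded in its ELF program headers, so a practitioner can check a build without running it. The following is an added example, not code from the MWR article or from any of the tools it goes on to describe: it parses the ELF64 header and program header table of a little-endian binary and reports three properties that are visible there: a non-executable stack (a PT_GNU_STACK entry without the PF_X flag), PIE (the executable is linked as ET_DYN) and partial RELRO (a PT_GNU_RELRO entry is present). The function and constant names are mine; the constants themselves are the standard ELF and GNU values. The two sample images are constructed in the script with a small builder so the code runs offline; they are not real binaries.

```python
import struct
from typing import Dict, List, Tuple

# ELF constants (from the ELF64 specification and the GNU extensions).
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def parse_program_headers(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header entry size")
    if e_phoff + e_phentsize * e_phnum > len(data):
        raise ValueError("program header table runs past the end of the file")
    headers = []
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        headers.append((p_type, p_flags))
    return e_type, headers


def check_mitigations(data: bytes) -> Dict[str, bool]:
    """Report NX stack, PIE and (partial) RELRO from the program headers alone."""
    e_type, headers = parse_program_headers(data)
    stack_flags = [flags for ptype, flags in headers if ptype == PT_GNU_STACK]
    return {
        # No PT_GNU_STACK entry at all means the loader falls back to an executable stack.
        "nx": bool(stack_flags) and not (stack_flags[0] & PF_X),
        # A position-independent executable is linked as ET_DYN (as are shared objects).
        "pie": e_type == ET_DYN,
        # PT_GNU_RELRO marks the pages the dynamic loader makes read-only after relocation.
        "relro": any(ptype == PT_GNU_RELRO for ptype, _ in headers),
    }


def build_elf(e_type: int, headers: List[Tuple[int, int]]) -> bytes:
    """Construct a minimal ELF64 image with the given program headers (sample only, not a real binary)."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(e_ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(headers), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(ptype, flags, 0, 0, 0, 0, 0, 0) for ptype, flags in headers)
    return ehdr + phdrs


# Constructed samples: a hardened build and a legacy one with an executable stack.
HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
LEGACY = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    import sys
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, check_mitigations(image))
    for path in sys.argv[1:]:  # real binaries can be passed on the command line
        with open(path, "rb") as fh:
            print(path, check_mitigations(fh.read()))
```

Two caveats. Stack canaries and full RELRO are not visible in the program headers: the former needs the symbol table (a reference to `__stack_chk_fail`) and the latter the `DT_BIND_NOW` flag in the dynamic section, which is why `readelf -lW` plus a tool such as checksec is the practical choice on a real system. And ET_DYN only implies PIE for an executable; the same check on a shared library says nothing.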
CanSecWest 2010
Mar 30, 2010
Vancouver, Canada: home to this year’s Winter Olympics but, more importantly, to CanSecWest 2010! Whether participating to present their latest research to the community or simply to observe, the three-day security conference attracts highly respected security professionals from around the globe. The conference consists of a single track of presentations, ranging from issues that have been discussed for many years to the cutting edge of security research.
Video: How To Be An RSol: Effective Bug Hunting in Solaris - ShmooCon 2010
Mar 08, 2010
The video of Matt’s ShmooCon 2010 talk, presenting a Ruby-based Solaris debugging library and the PoC tools developed with it so far, is now on the ShmooCon website at:
http://www.shmoocon.org/2010/videos/RSol-Hillman.m4v
The slides for the presentation can also be found here. They differ slightly from the version on the ShmooCon website and also include the demos.
Aurora and Web Browser Security
Jan 25, 2010
Germany’s BSI (Federal Office for Information Security) recently warned web users not to use Microsoft Internet Explorer, advising them to switch to an alternative browser in the meantime until a patch was made available. Shortly after this release, France’s CERTA agency issued a similar warning to users.
What is the implication of these statements? It would seem that an 0day for an “alternative browser” has just substantially increased in value.
Solaris Debugging and Bug Hunting at ShmooCon 2010
Jan 18, 2010
Matt Hillman will be presenting the fruits of his Solaris research thus far at ShmooCon in Washington DC on the 6th of February. The abstract for his talk is shown below:
“Lately there has been a lot of excitement over the use of DTrace for bug hunting and reverse engineering purposes on platforms that support it such as Solaris. But there are a plethora of advanced tools and techniques out there for other more common x86 based platforms, so does DTrace really add that much? In this talk that question is examined by introducing RSol, a Ruby based debugging component for Solaris in a similar vein to PyDebug for Windows. RSol allows powerful bug hunting tools to be coded quickly, and using this the pros and cons are investigated of using DTrace vs more traditional debugging techniques to achieve different goals in different circumstances. The ultimate plan is for RSol to become a suite allowing debugging and DTrace based techniques to be used together in a complementary way.”
If you can’t make it to DC to see the talk, it will also be streamed live (along with the rest of ShmooCon) via uStream. This is the first year ShmooCon has done this, so let’s hope it goes without a hitch!
Google Forensics (...beta)
Jan 18, 2010
File carving is a technique that forensic investigators can use to recover files from a disk. Forensic software searches through the raw data for a set of known file header signatures and extracts items based on their content rather than on file system metadata.
This is particularly useful when examining the free space on a disk, as files that no longer exist within the file system can be recovered. It is also useful when the file system itself has changed, such as when a Windows system has been rebuilt as a Linux box.
It will not always be possible to recover the full path or original creation dates by file carving, as only the data contained within the file may remain. But the data itself can sometimes contain more information than the timestamps could have provided…
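The header-signature scan described above is short enough to write out in full. The following is an added example, not code from the MWR post or from any forensic tool it alludes to: a minimal carver that walks a raw image byte by byte looking for a few well-known headers (JPEG, PNG, PDF), cuts each hit at the matching footer, and gives up on a header whose footer never appears within a size limit, which is what an overwritten or truncated file looks like on disk. It returns only the offset and the bytes, because, as the post says, no path or timestamps survive carving. The class and function names are mine, and the “disk image” is constructed inline from three hand-made files and filler bytes so the script runs offline; it is not a real capture.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    """A header/footer pair for one file type."""
    name: str
    header: bytes
    footer: bytes
    footer_tail: int = 0             # bytes after the footer marker that still belong to the file
    max_size: int = 8 * 1024 * 1024  # give up on a header if no footer turns up within this many bytes


# Three well-known signatures; a real carver ships hundreds.
SIGNATURES = [
    Signature("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND", footer_tail=4),  # IEND chunk is followed by its CRC
    Signature("pdf", b"%PDF-", b"%%EOF"),
]


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    offset: int   # byte offset in the image; no path or timestamps survive carving
    data: bytes


def carve(image: bytes, signatures=SIGNATURES) -> List[CarvedFile]:
    """Scan raw bytes for header signatures and cut each hit at its footer.

    The scan ignores any file system structure, so it recovers files from
    unallocated space or from under a different file system.
    """
    found: List[CarvedFile] = []
    for sig in signatures:
        pos = 0
        while True:
            start = image.find(sig.header, pos)
            if start < 0:
                break
            limit = min(len(image), start + sig.max_size)
            end = image.find(sig.footer, start + len(sig.header), limit)
            if end < 0:
                # Header without a footer in range: an overwritten or truncated
                # file. Skip just the header so a later hit is not missed.
                pos = start + 1
                continue
            end += len(sig.footer) + sig.footer_tail
            found.append(CarvedFile(sig.name, start, image[start:end]))
            pos = end
    found.sort(key=lambda f: f.offset)
    return found


# Constructed "disk image": filler standing in for overwritten sectors, with
# three tiny hand-made files embedded in it. None of this is a real capture.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
IMAGE = (b"\xaa" * 512 + JPEG_SAMPLE + b"\xaa" * 300 + PNG_SAMPLE
         + b"\x00" * 100 + PDF_SAMPLE + b"\xaa" * 200)

if __name__ == "__main__":
    for f in carve(IMAGE):
        print(f"{f.kind:5} at offset {f.offset:6d}, {len(f.data)} bytes")
```

The footer rule is the weak point of this approach: a JPEG that embeds a thumbnail contains a second FFD9 before its real end, and a fragmented file has no contiguous footer at all, which is why production carvers such as foremost and scalpel add sector alignment, per-format parsing and fragment reassembly on top of the basic scan. The recovered bytes are where the post’s closing remark applies: a carved JPEG may still carry EXIF metadata with the camera’s own timestamp even though the file system dates are gone.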
Adobe Reader Exploit on Vista and 7
Jan 14, 2010
In response to the recent vulnerability in Adobe Reader, MWR InfoSecurity conducted some additional research in this area. We were able to confirm that the issue, otherwise referred to as the Adobe Reader “media.newPlayer” vulnerability, is also exploitable on Windows Vista and Windows 7 with ASLR and DEP enabled.