Author Topic: Deeper Matter  (Read 22983 times)


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
« Last Edit: October 21, 2010, 04:46:44 PM by Asyn »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

YoKenny

  • Guest
Re: Deeper Matter [for the interested...]
« Reply #16 on: October 21, 2010, 05:06:52 PM »
Killing the zombie cookie (evercookie)
Please read nikki605's post in the CCleaner (Piriform) forum:
Evercookie... Will CCleaner be able to combat this...
http://forum.piriform.com/index.php?showtopic=29862&st=20&p=178641&#entry178641

StrawHat

  • Guest
Re: Deeper Matter [for the interested...]
« Reply #17 on: October 22, 2010, 03:11:38 AM »
Whoa, lots of good information here! :) Thanks for sharing! It should be very useful...  ;D

Offline Asyn
Re: Deeper Matter [for the interested...]
« Reply #18 on: October 25, 2010, 04:51:14 PM »
Java replaces Adobe Reader as the most frequent attack target

Microsoft Malware Protection Center (MMPC) monitoring shows a dramatic increase in recent months in the number of attempted attacks on Java vulnerabilities. According to Holly Stewart of MMPC, since the middle of the year about six million attacks were registered attempting to exploit three older Java holes. This exceeds, by a large margin, the number of attacks on Adobe Reader, the former leading attack target.

Stewart speculates that Java is now a more tempting target for criminals because, like Adobe's software, the Java Runtime Environment (JRE) is installed on almost every PC, but most users don't pay much attention to it. The majority of these users don't bother with frequent security updates: one of the holes reportedly being exploited is two years old.

Adobe's efforts to make Reader more secure may well be proving effective. Among various improvements for Reader, Adobe has introduced the automatic update feature, which could be encouraging criminals to shift their efforts to Java as an attack face. This is supported by Brian Krebs' observations. Krebs has determined that many commercially available attack tools for criminals now contain Java exploits and that these exploits are now frequently the most successful.

Only recently, Oracle, as part of its October Patch Day, updated its Java releases. 29 holes spread over versions 6.0, 5.0 and 1.4.2 for all supported platforms were closed. Oracle classified 15 of these vulnerabilities as critical.


Author: Daniel Bachfeld

Related Links:
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
« Last Edit: November 05, 2010, 02:10:16 PM by Asyn »

Offline Asyn
Re: Deeper Matter [for the interested...]
« Reply #19 on: November 05, 2010, 01:52:00 PM »
Inside Adobe Reader Protected Mode - Part 2 - The Sandbox Process

We continue our technical tour of Adobe Reader Protected Mode with a closer look at the sandbox process. (Check out part one of this series, if you missed it.) In today’s blog post we will look at all of the different ingredients the Windows operating system provides for a sandbox and see how those ingredients are used in the sandbox process to restrict access.

Article: http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-%E2%80%93-part-2-%E2%80%93-the-sandbox-process.html

Authors: Liz McQuarrie, Ashutosh Mehra, Suchit Mishra, Kyle Randolph, and Ben Rogers

Related Links:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html
« Last Edit: November 19, 2010, 10:34:22 PM by Asyn »

Offline Asyn
Re: Deeper Matter [for the interested...]
« Reply #20 on: November 05, 2010, 02:05:05 PM »
Honeypot role reversal

Security firm Tllod (The Last Line of Defense) reports in its blog that some botnet control servers are apparently equipped with functions to mislead and monitor inquisitive researchers, and to complicate their analyses. According to the researchers, such servers present a fake, basic web interface after pretending to accept easily guessed log-in credentials.

For instance, in one case the combination admin/admin was sufficient for an apparently successful log-in. The examined server was even prepared for attempted SQL injection attacks on the password field and pretended to fall for such strings as "' or 1=1--". After a successful log-in, the server recorded all activities. In Tllod's opinion, this deceptive mechanism could serve the purpose of analysing the methods of potential intruders. Previously, such honeypots were only known to be used by security researchers who wanted to investigate the methods of criminals.

When analysing the source code of a control server set up by criminals, Tllod also noted that the statistics presenting the number of infected PCs (bots) and successful exploits were simply random figures. Such figures are obviously useless – and botnet researchers should be sceptical when examining the statistics presented by the control servers of other botnets. In the past, security researchers often released the internal statistics of hacked control servers.

The examined server's web interface also pretended to allow users to upload executable files to the bots. However, the files were only stored – probably for subsequent analysis.


Author: Daniel Bachfeld

Related Links:
http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/
http://en.wikipedia.org/wiki/Honeypot_(computing)
« Last Edit: November 05, 2010, 02:07:37 PM by Asyn »

Offline Asyn
Re: Deeper Matter [for the interested...]
« Reply #21 on: November 05, 2010, 02:16:34 PM »
Inside Adobe Reader Protected Mode - Part 3 – Broker Process, Policies, and Inter-Process Communication

In part three of our technical tour of Adobe Reader X Protected Mode, we’ll examine the broker policies and the inter-process communication (IPC) the sandbox process uses to communicate with it.

Article: http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html

Authors: Liz McQuarrie, Ashutosh Mehra, Suchit Mishra, Kyle Randolph, and Ben Rogers

Related Links:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-%E2%80%93-part-2-%E2%80%93-the-sandbox-process.html
« Last Edit: November 19, 2010, 10:34:56 PM by Asyn »

Offline Asyn
Re: Deeper Matter [for the interested...]
« Reply #22 on: November 09, 2010, 02:56:16 PM »
Tracker for SpyEye control servers launched

Swiss anti-spam activist Roman Hüssy has launched the SpyEye Tracker service. It's designed to provide an overview of the SpyEye-based botnet control servers currently active around the globe. Hüssy already successfully operates the ZeuS Tracker service, which has tracked the ZeuS online-banking trojan for quite some time.

Administrators can download a blacklist Hüssy creates from the tracker results and use this blacklist to protect their own networks. A similar service has now become available for SpyEye. Like ZeuS, SpyEye is a trojan toolkit used by criminals to build their own botnets. Trend Micro has released pictures of the control server's user interface on their blog.

SpyEye has long tried to outmatch ZeuS in the digital underworld. It appears to have been unsuccessful so far, because current tracker statistics suggest that there are 10 times as many control servers for ZeuS as there are for SpyEye. However, this could be about to change, as research by security specialist Brian Krebs suggests that the ZeuS developer, "Slavik", has passed on all his source code to the SpyEye developer, "Harderman", and that Slavik has withdrawn from the toolkit's ongoing development. However, the SpyEye developer said that the ZeuS code was handed over on the condition that Harderman takes over the support for paid toolkits.

Talking to Krebs, Hüssy was sceptical about SpyEye's ability to usurp ZeuS: "Why should they give up something which works and pay for a new tool?", asked Hüssy. The developer said that he created the SpyEye Tracker to put SpyEye into the spotlight before it becomes a "big" threat like ZeuS was in the past. Botnet specialist Damballa is currently registering Ukraine as the location with the largest amount of SpyEye activity.


Author: Daniel Bachfeld

Related Links:
https://spyeyetracker.abuse.ch/index.php
https://zeustracker.abuse.ch/index.php
http://krebsonsecurity.com/2010/11/keeping-an-eye-on-the-spyeye-trojan/
http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/
http://blog.damballa.com/?p=951
http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/

Offline Asyn
Re: Deeper Matter [for the interested...]
« Reply #23 on: November 19, 2010, 10:25:59 PM »
Inside Adobe Reader Protected Mode - Part 4 – The Challenge of Sandboxing

Hi, Scott Stender from iSEC Partners here. I was invited by the Adobe Secure Software Engineering Team (ASSET) to comment on our analysis of the sandbox through several stages in its development.  Of course, numerous individuals — at Adobe, iSEC and Matasano — were involved in its assessment, so please take this as one person’s perspective.  Even so, I would be remiss if I didn’t acknowledge the great work of Andreas Junestam, Andrew Becherer, Alex Vidergar, Chris Clark, and Justine Osborne of iSEC Partners, as well as the good folks at Matasano and Adobe who worked closely with us.

Creating a sandbox is perhaps the most difficult security engineering task one can undertake.   Some readers will take immediate objection to that statement – documentation is readily available online for using restricted tokens, chroot jails, and other sandbox building materials.   While it is indeed simple to place a restricted wrapper around a minimal service or piece of demonstration code, placing large applications, with all of their dependencies, in a sandbox presents an entirely different challenge...

Article: http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-4-the-challenge-of-sandboxing.html

Authors: Kyle Randolph, Scott Stender

Related Links:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-%E2%80%93-part-2-%E2%80%93-the-sandbox-process.html
http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html
« Last Edit: November 19, 2010, 10:35:52 PM by Asyn »

Nesivos

  • Guest
Re: Deeper Matter
« Reply #24 on: November 19, 2010, 11:32:50 PM »
Anti-Clickjacking
Busting Frame Busting - a Study of Clickjacking Vulnerabilities on Popular Sites

Article: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Authors: Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson

According to the developer of NoScript, NoScript in its default settings protects against all Clickjacking attempts.

See answers to questions #7.1 - 7.5 at the link:

Quote
7 - ClearClick and Clickjacking

http://noscript.net/faq#faqsec6

Nesivos

  • Guest
Re: Deeper Matter
« Reply #25 on: November 19, 2010, 11:59:16 PM »
Microsoft hardening tool with graphical user interface

Version 2.0 of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) offers easier access through a brand new graphical user interface (GUI) and supports new protective functions. EMET gives developers, administrators and users who are willing to experiment the ability to activate certain protective mechanisms in existing binaries, even if a program's source code isn't available.

EMET can prevent or mitigate various attack techniques. Microsoft's Structured Exception Handler Overwrite Protection (SEHOP) feature is designed to prevent (Structured) Exception Handlers (SEH) from being overwritten on the stack or in a data segment. This is in contrast to return addresses being overwritten via buffer overflows and involves attackers executing arbitrary code by redirecting function pointers.

EMET 2.0 is also designed to prevent null-page allocations that can be exploited in connection with null-pointer dereferences. Microsoft's tool also allows users to enable Dynamic DEP (DDEP) in applications. This allows the Data Execution Prevention feature to be enabled and disabled at run-time.

Compared to the previous version, the latest release includes new Address Space Layout Randomisation (ASLR) and the Export Address Table Access Filtering (EAF) features that prevent injected shell code from accessing certain APIs. However, if the settings are too strict, this can cause some applications to malfunction. The company freely admits in the documentation that some of the protective mechanisms can be bypassed. Microsoft has released a video tutorial for EMET 2.0 to explain the basics as well as the specifics of EMET's operation.

In case of compatibility issues, selected protective functions can be enabled for individual applications. The toolkit is also designed to harden against attacks those applications that don't automatically use any of the exploit protection mechanisms available in modern versions of Windows. In early July, security firm Secunia had been critical of the fact that many third-party applications use neither DEP nor ASLR although these mechanisms can make exploits less effective.

This was also confirmed by independent security experts and exploit writers such as Charlie Miller, Jon Oberheide and Dino Dai Zovi in an interview with Dennis Fisher on Threatpost. The experts said that it is becoming increasingly difficult to exploit traditional security holes, and that the anti-exploit features are one of the reasons for this. Apparently, attackers increasingly need to use a multi-stage approach and also exploit logical flaws to be successful.

Author: Chris von Eitzen [crve@h-online.com]

Related Links:
https://www.microsoft.com/downloads/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&displayLang=en
http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
http://threatpost.com/en_us/blogs/easily-exploitable-bugs-becoming-precious-commodity-090110
http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx

Update: http://www.h-online.com/security/features/Damage-limitation-Mitigating-exploits-with-Microsoft-s-EMET-1102501.html


When I clicked on the MSFT link it said the file I was looking for could not be found.

It is I believe here, though this could be a different video :)

Quote
http://technet.microsoft.com/en-us/security/ff859539.aspx

Also, I believe that XP does not support all the features of EMET 2.0

Offline Asyn
Re: Deeper Matter
« Reply #26 on: November 20, 2010, 04:26:13 PM »
Quote
According to the developer of NoScript, NoScript in its default settings protects against all Clickjacking attempts.

That's true, Nesivos..!!
And another good reason to use FF with NoScript..!!
I use it, too... :)
asyn

Offline Asyn
Re: Deeper Matter
« Reply #27 on: November 20, 2010, 04:33:54 PM »
Quote
1. When I clicked on the MSFT link it said the file I was looking for could not be found.
2. Also, I believe that XP does not support all the features of EMET 2.0

1. Thanks a lot, Nesivos..!! I updated the link. (But it's no video, it's the link to download EMET...)
2. XP SP3 is supported... ;)

Quote
EMET 2.0 supports the following operating systems and service pack levels:

Client Operating Systems
• Windows XP service pack 3 and above
• Windows Vista service pack 1 and above
• Windows 7 all service packs

Server Operating Systems
• Windows Server 2003 service pack 1 and above
• Windows Server 2008 all service packs
• Windows Server 2008 R2 all service packs
« Last Edit: November 20, 2010, 04:38:57 PM by Asyn »

Ranudumb

  • Guest
Re: Deeper Matter
« Reply #28 on: December 18, 2010, 06:08:54 PM »
PS3 hack source code published

Nearly four years after its launch, hackers have finally succeeded in jailbreaking the Playstation 3 (PS3) game console and ....

The real problem is that today most hacks are about stealing your identity.  I just posted new info...old for some of us keeping up on the PSN forums...about what file structures are being targeted on the PS3 to get viruses (injectable code and redirects) through to what's known as an Operating Environment.  Strangely enough, a few others and I have been trying to get SCEA to deal with this but only get stopped by a very aggressive marketing force.  While I won't risk my own freedom decompiling the PS3 data to find exactly what it is, the fact remains there is an unmonitored line straight into your gaming console...the audio and video chat lines.  That's what they actually mean by 'Online play is not rated...' when the only change occurring is the audio/video content you may be subjected to.  The game play itself remains unchanged.

I just posted some facts here:
http://forum.avast.com/index.php?topic=34093.msg570918#msg570918

The PS3 is more susceptible to these as you cannot block 'NON FRIEND MESSAGING'   :o .  That's messed up when you consider how many under-age users are on the thing.  Look at the facts: the COD series is more 'unstable', or hackable, on the Playstation vs. the Xbox (where they do allow for blocking non-friend messaging...thanks for getting one thing right MS  8) )

Bottom line is it's more about the money  ;D (I need to use my CC when I buy stuff from their store) than anything, but also there seems to be a group trying to impress younger users with their "extraordinary" abilities in these games.  Now, anyone think they will start monitoring these channels for code  ???

Offline Asyn
Re: Deeper Matter
« Reply #29 on: December 18, 2010, 06:18:19 PM »
Thanks for your interesting feedback, Ranudumb..!! :)
asyn