Ouch, another great web site that is shutting down or drasticly reducing their activities.   I think this was expected considering they were acquired by a giant who has their own information forum and advisories.   It is sad to see this happening, it was really a great site for many, many years.  However, reality is that it does cost money to maintain such a portal and if you do not make enough revenues your are left with one choice:  Closing down

As seen on the HSecurity website:

SecurityFocus to partially shut down

Symantec has announced that it plans to shut down part of its SecurityFocus security information portal. The company says that only the Mailing Lists, including Bugtraq, and its Vulnerability Database will remain online. Starting on the 15th of March, SecurityFocus will begin transitioning its content to the Symantec Connect site.

Founded in 1999, SecurityFocus was acquired in 2002 by Symantec, the company behind another acquisition the popular Norton range of security products. In addition to its various mailing lists and vulnerability database, SecurityFocus maintains a comprehensive collection of articles and papers on a number of security issues. The site has also served as a reliable source for news from security experts on the latest security threats and problems.

See also:

• Change in Focus, a SecurityFocus news post.

See original post at:  http://www.h-online.com/security/news/item/SecurityFocus-to-partially-shut-down-952967.html

Developer Joshua Wright[1] intends to release KillerBee, an open source collection[2] of Linux tools intended for testing the security of ZigBee networks. According to Wright, many ZigBee implementations are a mess – he hopes that his tool, which is coded in Python, will ultimately lead to more secure products.

Wright lists ZigBee applications which include controlling water flows in dams and natural gas control valves. The technology is also widely used in building automation; many thousands of ZigBee devices have been used in the brand-new MGM CityCenter in Las Vegas, for example. Some intelligent electricity meters in use in the US also communicate using ZigBee in a mesh network.

ZigBee[3] (IEEE 802.15.4) is far more popular than Bluetooth, Wi-Fi or DECT for these kind of scenarios, as it is simpler to implement – the complete stack requires only 120 KB of space – and because the wireless technology uses significantly less energy. Wright, however, concludes that "When both simplicity and low cost are goals, security suffers."

KillerBee includes a number of tools which, taken together, look at lot like the sort of attack programs familiar from Wi-Fi environments. According to Wright, the security problems and the errors that underlie them, are reminiscent of the design problems which dogged Wi-Fi. ZigBee offers no protection against replay attacks, in which an attacker simply resends recorded packets to the network. Wright's succinct comment, "Wi-Fi was dogged by the same errors – but that was 15 years ago."

KillerBee includes applications for sniffing out any ZigBee devices in the surrounding area (zbid), for recording data streams from the wireless network (zbdump) and for replaying recorded data streams (zbreplay). Replaying packets could, according to Wright, be useful in contexts such as locks networked using ZigBee. An attacker would merely need to record the data transmitted from the lock to a control server located in the building at the moment at which a door is opened. Sending this sequence to the server via ZigBee at a later date should cause the lock to open again.

KillerBee also includes a program for cracking the secret key stored in ZigBee devices. Since many ZigBee devices have no display or keypad, the code required for encryption is frequently stored in factory-set Flash memory. Where keys are exchanged over the air (OTA), they are exchanged in unencrypted form and can easily by recorded using zbdump. Recordings can be subsequently analysed in Wireshark without difficulty.

zbgoodfind uses a memory dump generated using sniffer hardware developed by Travis Goodspeed to crack stored keys. Wright's tools all work with the Atmel AVR RZ USBStick[4] ZigBee USB stick, which costs just under $40, though if you want to record and be able to replay data simultaneously, you'll need two. To replay data, you'll also need to overwrite the device's firmware, for which you'll need an on-chip debugger and programmer, such as Atmel's AVR JTAG ICE mkII[5], a clone version of which can be picked up for around 50 euros. Wright is not officially selling pre-flashed sticks, but intimated to heise Security, The H's associates in Germany, that he was sure he could help out in 'individual cases'.

(Uli Ries)

URL of this Article:
http://www.h-online.com/security/news/item/ZigBee-attack-of-the-killer-bees-949111.html

Links in this Article:
  [1] http://www.willhackforsushi.com/
  [2] http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
  [3] http://en.wikipedia.org/wiki/ZigBee
  [4] http://www.atmel.com/dyn/Products/tools_card.asp?tool_id=4291
  [5] http://www.atmel.com/dyn/Products/tools_card.asp?tool_id=3353

Oechslin has fitted an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables. This system can, with only a 75% CPU utilisation, crack a 14 digit password with special characters, in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second, a speed that is a factor of 500 faster than an Elcomsoft cracker supported by a modern Tesla GPU from NVIDIA.

Calculations with rainbow tables achieve the acceleration by pre-computing the intermediate steps of all possible password hashes for a specific algorithm and then storing those results as a table. The more steps that are stored, the bigger the tables and the faster the cracking process. Once the tables no longer fit in memory, the less-used parts of the tables are saved on mass storage devices, previously this would have been a hard disk, which in turn leads to slower access times while searching them.

See also:

• Cheap cracks: Of dictionaries and rainbows, by Karsten Nohl

Clement

21st Century Hacking Techniques

Release Date: 2009-05

• Free Issue to Download! 05/2009 05_2009.ZIP Click HERE to Download

  ---

  
  Articles in this issue
  
  
• Windows Timeline Analysis

  The increase in sophistication of the Microsoft (MS) Windows family of operating systems (Windows 2000, XP, 2003, Vista, 2008, and Windows 7) as well as that of cybercrime has long required a corresponding increase or upgrade in incident response and computer forensic analysis techniques.

  ---

  - Harlan Carvey
  
• Analyzing Malware Introduction to Advanced Topics

  In this final article in our three-part series on analyzing malware we will discuss more advanced topics. The topics we are going to include are: polymorphic code, metamorphic code, and alternative data stream.

  ---

  - Jason Carpenter
  
• Hacking ASLR & Stack Canaries on Modern Linux

  This article will demonstrate methods used to hack stack canaries and Address Space Layout Randomization (ASLR) on modern Linux kernels running the PaX patch and newer versions of GCC.

  ---

  - Stephen Sims
  
• Mashup Security

  Mashups will have a significant role in the future of Web 2.0, thanks to one of the most recent data interchange techniques: JSON. But what about security

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Version v1.0.6

• Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
• Removed ’current password’ input box for low+med CSRF security. 03/09/2009 (ethicalhack3r)
• Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
• Added more toubleshooting information. 02/10/2009 (ethicalhack3r)
• Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
• Fixed a ’bug’ in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
• Rewritten command execution high to use a whitelist. 30/09/09 (ethicalhack3r)
• Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r)
• Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r)
• Added the upload directory to the upload help. 17/09/09 (ethicalhack3r)

Vulnerabilities

• SQL Injection
• XSS Stored/Reflected
• LFI (Local File Inclusion)
• RFI (Remote File Inclusion)
• Command Execution
• Upload Script
• Login Brute Force
• Full Path Disclosure
• PHP-IDS
• And much more...

Installation

• Installation video: YouTube
  
  Default username = admin
  Default password = password
  

Database Setup To set up the database, simply click on the Setup button in the main menu, then click on the ’Create / Reset Database’ button. This will create / reset the database for you with some data in.

If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php

$_DVWA[ 'db_user' ] = 'your_database_username';
$_DVWA[ 'db_password' ] = 'your_database_password';
$_DVWA[ 'db_database' ] = 'your_database_name';

Everyone is welcome to contribute and help make DVWA as successful as it can be. With out the DVWA community DVWA would not be what it is today.

More information, Official Web Site: DVWA

The goal of Xplico is extract from an internet traffic capture the applications data contained.

For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer.

Xplico is an open source Network Forensic Analysis Tool (NFAT).

Xplico is released under the GNU General Public License (see License for more details).

Features

• Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
• Port Independent Protocol Identification (PIPI) for each application protocol;
• Multithreading;
• Output data and information in SQLite database or Mysql database and/or files;
• At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
• Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
• TCP reassembly with ACK verification for any packet or soft ACK verification;
• Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
• No size limit on data entry or the number of files entrance (the only limit is HD size);
• IPv4 and IPv6 support
• Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
• The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

Xplico version 0.5.5: WebMail

Posted by: Gianluca C. on the Xplico web site

Ryan Linn has started a project to bridge Nmap Scans all the way to exploitation using Metasploit.

Similar to the db_autopwn via fasttrack script (available in Backtrack 4), Nsploit does even more granular service level Nmap scanning to identify versions and exploits. Then passes of these to Metasploit and launches the pain at your target box.

It Uses Nmap’s NSE’s to trigger Metasploit commands via XMLRPC. Anything we can identify with an Nmap Script we can launch and get a shell… hopefully a meterpreter shell

Check out Ryans blog http://blog.happypacket.net/ and learn more about Nsploit from the 2009 SecToor Presentation Nsploit-(Popping-boxes-with-Nmap) hosted by securitytube.com.

PDF slides here

To Download Click HERE

Usage videos below:

Nsploit Multi-Host Ownage from Ryan Linn

Nsploit Single Host Ownage from Ryan Linn

Also see the wiki at:  http://www.happypacket.net    They are supporting two projects BeEFSploit and Nsploit.

In my previous column, I said that the No. 1 way to reduce IT security risks [1] in your organization is to "simply" prevent end-users from installing stuff they shouldn't. This, of course, is much easier said than done.

Although infected innocent Web sites results in a large percentage of security breaches, fraudulent emails still abound. Unfortunately, long gone are the days when it was easy to identify malicious phishing [2] email by their strange subject lines and horrible grammar.

[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention [3], which covers the tools and techniques used by experienced security pros. | Learn how to secure your systems with InfoWorld's free security newsletter [4].]

Today's phishers, at the very least, are grammatically correct. The ones without enough education or experience to use language correctly naturally made less money and fell out of the criminal business early on; either that, or they hired smarter people.

The next generation of phishing messages, which is still prevalent today, strongly resembles legitimate messages from our banks, cable companies, online electronic payment services, and credit card companies. Everything in the emails looks legitimate, including the graphics that originate from the real company's Website. (The ones that included a notice to watch out for fake phishing messages always made me giggle.) The only thing that's fake in the entire message is the link that victims are required to click to complete the requested action.

This form of phishing is pretty effective, but the messages at least contain a small clue (the bogus URL link) to users that they should evaluate the legitimacy of the request. Today's browsers, with antiphishing features, might even warn an end-user against loading the bogus site.

But now end-users are being targeted by a new form of phishing, called "spear phishing," which specifically targets a user or company. Spear-phishing emails look more authentic than the aforementioned breed, often including the user's complete name or referring to a real project that the user is working on. Spear phishers often gather this information by doing tactical research or even breaking into a database, and it's effective enough to fool even the savviest end-users.

Often these forms of phishing attempt to entice the end-user into running a Trojan horse program, which then compromises the computer and the company's network. Most of the companies I work with these days have been exploited by one of these spear phishing e-mails. If the end-user is running antimalware [5] scanning software, the product may block the Trojan install.

To get around that previous mentioned potential blocks, phishing writers are now creating emails that do not contain any obvious malicious links. They don't ask users to visit bogus Websites or to install unexpected software. Rather, they attempt to fool a user or system admin into opening up holes in the company's network defenses.

Here's an example of one of these messages, sent to me by my friend and CISSP, Bob McCoy. It was addressed to him directly and appeared to come from his company's email service provider. (For brevity and safety, I've removed the vendor names, authentic-looking graphics, and links from the message.)

Dear Valued Customer,

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx)xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx - xx.xxx.xxx.xxx)

If you have settings on your e-mail server which control the IPs which are allowed to connect for e-mail relay please confirm that those settings are updated as well.

We will be able to test and verify connections one week prior to April 19, 2010. Additionally, we will be proactively running connection tests prior to the launch on behalf of all customers, and contacting you directly if we are unable to connect to any of your domains from ALL specified IP addresses for that domain.

Prior to the launch of the new IP addresses, we recommend that you set up and configure the Deferral Notification alerting feature for your domains using the Deferral Notification option on the Domain properties page in the Admin Center. The Deferral Notification alert feature sends a message to you when a customized threshold has been met or exceeded for deferred e-mail in your domain. After the new IP addresses are launched, this feature will help to ensure that e-mail sent to your domains is not deferred because of unsuccessful connection attempts to your network, and that you alerted in the event that e-mail is being deferred beyond your acceptable limits. For more information on how to set up the Deferral Notification alert feature, see the Admin Center Guide in the Resource Center.

Please refer to the Configuration subtab of the Administration Center for a complete list of IPs which should be allowed to connect to your environment at any time.

Simply analyzing the phishing message's contents would not reveal anything out of the ordinary. Unlike regular phishing e-mails, all links and e-mail addresses were legitimate. There were no bogus Web sites and no Trojan horse executables to install. Rather, the attackers are essentially instructing the victims to open up their e-mail server for spam relaying.

Upon opening this message, Bob suspected the scam immediately. His suspicions were confirmed 10 minutes later when he received an identical message from another vendor. Others users have not been as lucky.

I'm already aware of several clients who've fallen for this scam. In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate -- especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.

Other phishing messages have instructed users to disable their host-based firewalls [6] and to open up unprotected network shares and enable overly permissive peer-to-peer file sharing. It makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.

As with any suspected phish email, recipients should contact the purported senders using another out-of-band method to confirm the legitimacy. Moreover, you should update your end-user education materials to include these sorts of phishing e-mails.

This story, "Fraudsters hone their attacks with spear phishing [7]," was originally published at InfoWorld.com [8]. Follow the latest developments in security [9] and read more of Roger Grimes's Security Adviser blog [10] at InfoWorld.com.

They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.  The Top 25 list is a tool for education and awareness to help programmers to
prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.  

Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses.

Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software. 

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/).

MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and
architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more
concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow
developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate
entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE.

Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more
actionable.

Get your own copy at:  http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.pdf