Irregular Expressions


July 26, 2010  3:24 PM

CVE-2009-3555 Cisco update



Posted by: Dan O'Connor
CVE-2009-3555

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

This is something I covered at the start of the year; I just noticed today that Cisco has updated their advisory for the vulnerability with patch information and additional affected products.

This was the issue that could allow a malicious user to abuse renegotiation in SSL/TLS to perform a man-in-the-middle (MITM) attack on secure sessions.

I put together an explanation from a variety of sources; you can read it here: http://itknowledgeexchange.techtarget.com/Irregular-Expressions/ssl-tls-renegotiation/

It’s a pretty interesting attack; the RFC has excellent information about renegotiation and why the protocol has the ability to do it.  Also I think there is a payload in Metasploit to test it out, and if there is not, I know it’s out there if you look.
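As an added illustration (mine, not code from the Cisco advisory or the post above), here is a Python sketch of the RFC 5746 fix for CVE-2009-3555: it parses a ClientHello for the renegotiation signal (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value 0x00FF or the renegotiation_info extension 0xFF01) and applies the server-side policy of refusing renegotiation from a client that cannot prove it saw the previous handshake. The ClientHello bytes are constructed here for the example.

```python
import struct
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = b"\x00\xff"   # RFC 5746 signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01                   # RFC 5746 extension type

def build_client_hello(cipher_suites, extensions=()):
    """Build a TLS 1.0 ClientHello record (constructed sample input for this example)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"     # version, all-zero random (test data), empty session_id
    suites = b"".join(cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_renegotiation_signal(record):
    """Return (scsv_present, renegotiated_connection); the latter is None if the extension is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 5 + 4 + 2 + 32                            # record header, handshake header, version, random
    p += 1 + record[p]                            # session_id
    n, = struct.unpack_from("!H", record, p)
    suites = record[p + 2:p + 2 + n]
    p += 2 + n
    scsv = any(suites[i:i + 2] == TLS_EMPTY_RENEGOTIATION_INFO_SCSV for i in range(0, n, 2))
    p += 1 + record[p]                            # compression_methods
    reneg = None
    if p < len(record):                           # extensions block is optional
        p, end = p + 2, p + 2 + struct.unpack_from("!H", record, p)[0]
        while p < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            p += 4
            if ext_type == EXT_RENEGOTIATION_INFO:
                reneg = record[p + 1:p + 1 + record[p]]   # 1-byte length, then renegotiated_connection
            p += ext_len
    return scsv, reneg

def server_decision(record, previous_client_verify_data=None):
    """Simplified RFC 5746 server policy: None = initial handshake, else the verify_data being renegotiated."""
    scsv, reneg = parse_renegotiation_signal(record)
    if previous_client_verify_data is None:
        if reneg:                                 # renegotiated_connection must be empty at first
            return "abort"
        return "accept-secure" if (scsv or reneg is not None) else "accept-legacy"
    # Renegotiation: no extension (legacy client) or an SCSV means abort; this is the CVE-2009-3555 fix
    if reneg is None or scsv:
        return "abort"
    return "accept-secure" if reneg == previous_client_verify_data else "abort"
```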

July 26, 2010  2:56 PM

Wikileaks releases new documents



Posted by: Dan O'Connor
wikileaks

The rumored documents that wikileaks had are real and they were released; the main site at http://wikileaks.org is overloaded, but you can go to http://wardiary.wikileaks.org if you really want to see them.

Not that I am going to pick a side on this, but I really don’t like the idea of all of this information being released into the wild, you never know if there is something that should not be in there. Also someone being hurt on top of that is not something I am comfortable with.

I have not really looked through any of the documents, but here they are if you are interested.  There are over 75,000 documents and 91,000 reports; I don’t even know how one would go about looking at all of that.


July 26, 2010  11:44 AM

UAE and the BlackBerry security threat



Posted by: Dan O'Connor
BlackBerry UAE

I can see how some countries and organizations could have a problem with the way the data on your BlackBerry is stored.  It’s much like cloud computing, and everyone has their own opinion on whether they like the idea of their data being in another datacenter.  It’s another step further to have that data in another country; neither is something that I would do, but everyone has their own line on what is acceptable.

On the other hand, you never really know whose intentions are the best: is it the person outside the country that wants to read your mail, or the one inside the country?  The last two paragraphs are really interesting; a local telco asked the users to install a “service” upgrade that RIM discovered was spyware…

http://www.npr.org/templates/story/story.php?storyId=128767715


July 22, 2010  12:28 PM

REMnux



Posted by: Dan O'Connor
malware engineering, remnux

This is a little old, but I needed to use it the other day so I thought I would share.

http://zeltser.com/remnux/

REMnux is a Linux distro built on Ubuntu for reverse-engineering malware.

It’s not the be all and end all of it, but if you need something for your jump pack, it’s a good choice.


July 22, 2010  11:31 AM

Opensource Event Correlation System – Part 3



Posted by: Dan O'Connor
sagan

Here is the rc file that I created for it.

#!/bin/sh

# PROVIDE: sagan
# REQUIRE: DAEMON
# KEYWORD: shutdown

. /etc/rc.subr

name="sagan"
rcvar="${name}_enable"

load_rc_config "$name"

# Disabled unless sagan_enable="YES" is set in /etc/rc.conf
: ${sagan_enable:="NO"}

start_cmd="${name}_start"
stop_cmd="${name}_stop"
sagancmd="/usr/local/bin/sagan"

sagan_start() {
        # sagan reads the fifo that syslog-ng writes to, so make sure it can open it
        chown sagan:sagan /var/log/sagan/log.fifo
        echo "Starting ${name}."
        ${sagancmd} &
}

sagan_stop() {
        echo "Stopping ${name}."
        killall sagan
}

run_rc_command "$1"

Just make sure you enable the service in your /etc/rc.conf file (sagan_enable="YES"), or you might have a problem :)

You can also start making your own rule sets and rules; the how-to has a good deal of information on this.  I created one already.

It was really quick, and if you are used to creating rules for Snort it should not be a problem.


July 22, 2010  11:21 AM

Opensource Event Correlation System – Part 2



Posted by: Dan O'Connor
cisco mars, sagan, syslog

OK, I got it installed on FreeBSD.

Download the latest version; it should be 0.1.3 right now.

fetch http://sagan.softwink.com/download/sagan-0.1.3.tar.gz

Unpack it where you want it:

tar -xvf sagan-0.1.3.tar.gz

Next do the usual configure and make, but you need to add some environment settings so the build finds the libraries and headers under /usr/local (the install file does not handle this yet):

LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure && make && make install

Once that is completed you need to download the rule sets and configure sagan, check out the how-to on the site.

Also you will need to install syslog-ng and set up a fifo; again, this is covered in the how-to.

Once you have the rules and the fifo set up, you are basically ready to go. I am using the email output to send the alerts for now, but I am going to need to start tuning soon.

I also set up an rc script to control the service.


July 19, 2010  2:57 PM

Opensource Event Correlation System



Posted by: Dan O'Connor
sagan event correlation

This application was mentioned on the isc.sans.edu blog; I finally had some time to read it and it looks really nice.

http://sagan.softwink.com/

It’s the same idea as a Cisco MARS or RSA enVision system: it uses Snort-style rules to parse syslog information and generate alerts and logging.

I am going to be installing this soon, I can’t wait to start going through my logs and generating alerts!
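Sagan's own rule format is documented in its how-to; as an added illustration of the Snort-style correlation idea described above (and of the rule writing mentioned in Part 3), here is a small Python engine of my own, not Sagan code, that applies one rule with a threshold to syslog lines. The rule syntax (Snort options plus a program: keyword) and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed syslog lines standing in for the syslog-ng fifo feed (not real log data)
SAMPLE_LOGS = [
    "Jul 22 11:00:01 gw sshd[811]: Failed password for root from 10.0.0.5 port 4411 ssh2",
    "Jul 22 11:00:03 gw sshd[812]: Failed password for root from 10.0.0.5 port 4412 ssh2",
    "Jul 22 11:00:04 gw cron[900]: (root) CMD (/usr/libexec/atrun)",
    "Jul 22 11:00:06 gw sshd[813]: Failed password for admin from 10.0.0.5 port 4413 ssh2",
    "Jul 22 11:00:40 gw sshd[815]: Accepted publickey for dan from 10.0.0.7 port 5100 ssh2",
]
# Snort-style rule in a simplified syntax assumed for this example
RULE = ('alert syslog any any -> any any (msg:"SSH brute force"; program:sshd; '
        'content:"Failed password"; pcre:"/from (\\S+) port/"; '
        'threshold:count 3, seconds 60; sid:1000001; rev:1;)')

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(text):
    """Turn the option block of a Snort-style rule into a dict; threshold becomes count/seconds."""
    opts = dict(OPTION_RE.findall(text[text.index("(") + 1:text.rindex(")")]))
    opts = {k: v.strip('"') for k, v in opts.items()}
    m = re.match(r"count (\d+), seconds (\d+)", opts.get("threshold", ""))
    opts["count"], opts["seconds"] = (int(m.group(1)), int(m.group(2))) if m else (1, 0)
    return opts

def parse_syslog(line):
    ts, host, program, msg = SYSLOG_RE.match(line).groups()
    # BSD syslog has no year; a fixed reference date is enough for time deltas
    seconds = (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()
    return seconds, host, program, msg

def correlate(rule_text, lines):
    """Alert when `count` events matching the rule share one pcre capture (source address) within `seconds`."""
    rule = parse_rule(rule_text)
    key_re = re.compile(rule["pcre"].strip("/")) if "pcre" in rule else None
    seen, alerts = defaultdict(deque), []
    for line in lines:
        t, host, program, msg = parse_syslog(line)
        if rule.get("program", program) != program or rule.get("content", "") not in msg:
            continue
        km = key_re.search(msg) if key_re else None
        key = km.group(1) if km else host
        (q := seen[key]).append(t)
        while t - q[0] > rule["seconds"]:           # drop events outside the window
            q.popleft()
        if len(q) >= rule["count"]:
            alerts.append({"sid": int(rule["sid"]), "msg": rule["msg"], "key": key, "count": len(q)})
            q.clear()                                # one alert per window, like Snort's threshold
    return alerts
```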


July 19, 2010  8:48 AM

Windows lnk file vulnerability



Posted by: Dan O'Connor
windows lnk

You will want to follow this thread.

http://isc.sans.edu/diary.html?storyid=9181

Really great idea: the lnk just points to the malware, and all you have to do is a file scan of the directory with the file and you’re done.  This also works on remote shares.

Here is the same link from the SANS article: http://www.microsoft.com/technet/security/advisory/2286198.mspx

And here is a link to the code if you are interested!

http://inj3ct0r.com/exploits/13390


July 18, 2010  12:33 AM

Excellent work up of a facebook vulnerability



Posted by: Dan O'Connor
facebook, facebook sql, inj3ct0r, inj3ct0r facebook

The inj3ct0r team did a really good job with this write-up:

http://inj3ct0r.com/exploits/11638

In the next few days I will pull a few quotes out of it and try to expand a little more on what’s going on.

Enjoy!


July 9, 2010  11:46 AM

VMWare VM Redundancy



Posted by: Dan O'Connor
SAN redundancy ESXi, VM redundancy ESXi, vmware

Have you ever had a VM that you needed to keep running if your SAN was not?

This problem came across my desk at one point and it took a bit of thinking but I think I got a pretty good solution figured out.

The ESXi host will be booting off a local disk, and it will also have a local datastore.  The VM will have one 100GB disk on the local datastore and a second 100GB disk on the SAN.  Once the install of the VM is completed, I set up a software mirror in the OS across the two datastores, so in the event of a SAN failure the VM will keep running, and if the host dies you are able to take the disk of the VM, assign it to another host and start it back up.

