Professional Documents
Culture Documents
Introduction
Security News
Corporate Servers Spreading IE Virus
Akamai DDoS Attack Whacks Web Traffic, Sites
Unpatched IE vuln exploited by adware
US moves towards anti-spyware law
Gates Defends Microsoft Patch Efforts
Astalavista Recommends
Password Tips for Users
HOWTO Bypass Internet Censorship
Securing your Windows Laptop
A Cryptographic Compendium
Assembly Language Tutor
Site of the Month - Web Searchlores - http://searchlores.org/
Tool of the month - Echelon for Dummies
Paper of the month - Understanding Virtual Private Networking
Free Security Consultation
I've suddenly started receiving many port scan attempts..
How useful are honeypots, really?!
Are managed security providers better than in-house risk responsilibity?
Enterprise Security Issues
The Nature of the Game - Hackers' Attack Strategies and Tactics Part 2
Home Users Security Issues
Web E-mail Security Tips
Meet the Security Scene
Interview with Prozac, http://www.astalavista.com/
Security Sites Review
Programmersheaven.com
VPNlabs.com
Slashdot.org
Sysinternals.com
Securitytracker.com
Astalavista needs YOU!
Astalavista.net Advanced Member Portal Promotion
Final Words
01. Introduction
-----------Dear Subscribers,
Welcome to Issue 7 of Astalavista Security Newsletter.
During the past month we've witnessed several very important actions, one of the
m was the Spyact, in terms of
the U.S Government paying attention to the threats possed by spyware and adware.
The attacks/dns problems on Akamai's
global network shut down MSN, Yahoo, Google, Microsoft and pretty many of the mo
st highly visited sites in the world. Serious
criticizm has been going around the industry about Microsoft's Internet Explorer
level of insecurity.
Astalavista's comments:
Responding to a threat from a 0-day IE vulnerability by advising users to modify
settings, instead of providing them
with a patch on time isn't the best strategy at all.
[ AKAMAI DDoS ATTACK WHACKS WEB TRAFFIC, SITES ]
An apparent DDoS (distributed denial of service) attack on the DNS run by Akamai
Technologies Inc.
slowed traffic across the Internet early Tuesday and brought the sites of the fi
rm's major customers to a screeching
halt for roughly two hours.
More information can be found at:
http://www.eweek.com/article2/0,1759,1612740,00.asp
Astalavista's comments:
Let's don't forget the following, Akamai is a global leader in providing computi
ng solutions and it has the
most widely used on-demand distribution computing platform in the world. They're
prone to be online, and DDoSing
them is not going to happen that easy. Although we'll probably never find out th
e truth, as the feds urge secrecy over
these network outages, we shouldn't exclude the possibility of an insider breach
at Akamai or this could have been one
of the most sophisticated attacks we've seen lately.
[ UNPATCHED IE VULN EXPLOITED BY ADWARE ]
Detailed information on a brace of unpatched vulnerabilities in Internet Explore
r has been posted onto a
Full disclosure mailing list. The flaws involve a cross-zone scripting vuln and
a bug in IE's Local Resource
Access and pose an "extremely critical" risk to Windows users, according to secu
rity firm Secunia. The
vulnerabilities affect both Internet Explorer 6 and Outlook.
More information can be found at:
http://www.theregister.co.uk/2004/06/10/ms_inpatched_ie_flaw/
Astalavista's comments:
Although it's again privacy invasion (even data modification), just imagine the
implications of a couple of million e-mails
send to Outlook and IE users, containing the 0-day vuln inside?
[ US MOVES TOWARDS ANTI-SPYWARE LAW ]
A US House subcommittee on Thursday (17 May) approved what would be the first fe
deral law
to specifically target Internet spyware.
The SPY Act, for "Securely Protect Yourself Against Cyber Trespass," would oblig
e companies
and individuals to conspicuously warn consumers before giving them a program cap
able of automatically
transmitting information gathered from a user's computer. Though the bill carrie
s no criminal penalties,
and doesn't allow users to sue spyware merchants, anyone in the US caught upload
ing such a program
without obtaining the consumer's consent could face civil prosecution by the Fed
eral Trade Commission (FTC).
More information can be found at:
http://www.theregister.co.uk/2004/06/20/us_anti_spyware/
Astalavista's Comment:
Finally the gov guys found it necessary to address this issue seriously, and alt
hough the act itself needs improvements,
it's the beginning of something.
[ GATES DEFENDS MICROSOFT PATCH EFFORTS ]
Microsoft chairman Bill Gates defended the company's handling of security patche
s Monday following widespread
attacks on the Internet by suspected Russian organized crime gangs.
Last week's attacks used unpatched vulnerabilities in Internet Explorer to deplo
y a Trojan horse program
on the victim's machine, which could capture the users' Internet banking passwor
ds. The SANS Institute's
Internet Storm Center reported the attacks were launched through a large number
of websites, some of them
"quite popular," which had been penetrated and modified to deliver malicious cod
e.
More information can be found at:
http://securityfocus.com/news/9004
Astalavista's comment:
Nobody can deny that there's a significant delay of MS's patching process, the l
ack of awareness about a new update,
now, the updates aren't actually working.
03. Astalavista Recommends
---------------------This section is unique with its idea and the information included within. Its
purpose is to provide you with direct links to various white papers covering
many aspects of Information Security. These white papers are defined as a "must
read" for everyone interested in deepening his/her knowledge in the Security fie
ld.
The section will keep on growing with every new issue. Your comments and suggest
ions
about the section are welcome at security@astalavista.net
" PASSWORD TIPS FOR USERS "
Tips for users in order to improve the quality of their current passwords
http://astalavista.com/index.php?section=dir&cmd=file&id=1891
it is often as likely that authorized traffic is responsible for the alerts that
you receive from your IDS,
as it is that these alerts are the result of unauthorized traffic. (This is typi
cally referred to as a 'false positive',
and network attackers sometimes purposefully attempt to generate apparent 'false
positives', in order to lull the
defender into ignoring indications of a genuine attack in progress.) Additionall
y, users of IDS systems are often
not nearly so familiar with a potential attack profile, as the IDS is, itself, a
nd therefore are left ill-equipped
to react to an intrusion, when it occurs. Such a user may, in fact, misinterpret
the alert, to represent one situation,
when in fact the alert represents a different situation, altogether. (This repre
sents a defender who is subject to a
range of social engineering tactics; their perceptions and reactions can be mold
ed, by manipulating the alerts that
appear on their IDS.) An IDS user may also recognize an attack, but lack the mea
ns to respond in a useful way.
In the example, above, a useful response might be to examine the MAC (Media Acce
ss Control) address, or hardware address,
of the device that is sending out the erroneous data. If that address can be con
nected to a specific network device,
and that device associated with a specific user, then it may be possible to cont
act the user, and offer them assistance,
or take disciplinary action, as may be appropriate to the situation at hand. Mos
t organizations, however,
do not maintain such closely managed asset management systems, as to be able to
track a hardware address
down to an individual user. Furthermore, if the scenario represents an actual at
tack, the hardware involved
is unlikely to appear in any asset management system. Also, a sophisticated atta
cker, having planted a device on
a target network, may well be capable of programming the hardware address - and
will change the address, at
unpredictable intervals, in an effort to thwart attempts to locate the device. I
n fact, such a device might well
be designed to attempt to disguise itself as some other device, which does appea
r on the asset management inventory.
It may even change identities, between several such devices, and/or detect when
such devices are shut down,
in order to have some idea when to change identities, and what identities to use
.
This could represent an extremely difficult situation to respond to, even when i
t is possible to clearly
identify as an attack. And, therein lies the challenge; even with sophisticated
tracking tools, information,
and training, it can be extremely difficult, time-consuming, and resource-consum
ptive (often translating to 'expensive')
to make use of the information that an IDS provides to it's user. Many IDS users
do so, not only as part of an
effort to respond tactically, to network attacks, but also as part of an effort
to gather intelligence for
subsequent legal action. This is often also fruitless, since the identity of the
attacker may be well-concealed,
and the attacker may not be subject to either the legal jurisdiction of the defe
nder, or may be in some way immune
to prosecution. Perhaps, for example, their activities are not against the law,
in the legal jurisdiction that
they are subject to. Perhaps the attacker is viewed by the leagal system, as a '
minor', and the penalties for their
actions are therefore not worth much law enforcement effort, to pursue. Some def
enders use IDS systems,
in the hope of responding to an attack, with a counterattack - this too is ill-a
dvised. Such efforts only
subject the defender to legal action, as well as legitimizing the actions of the
attacker. Additionally,
a particularly cagey attacker might well attempt to trick one victim into believ
ing that the attack came
from another, intended victim - causing the first victim to perpetrate an attack
against the second.
In behavioral science arenas - or social engineering circles - such an individua
l might be referred to
as an 'instigator'.
Finally, it is worth pointing out that an IDS exists only to identify possible i
ntrusion attempts.
It does not usually prevent them - and given that such events often turn out not
to represent an attack,
it is probably just as well that an IDS not be responsible for responding to the
event. In the example above,
the typical response would come from the router that notified the IDS of the unu
sual traffic; that router
should probably drop the packet, as if it were malformed, or otherwise unroutabl
e. The notification that is
sent to an IDS, may very well wind up being ignored, for the reasons outlined ab
ove - making the usefulness of
the IDS, for this scenario, highly questionable.
Policy:
(to include policies to protect the defender from both operational and informati
onal exposures)
"Network Security Policy" is a buzz-phrase that has been growing, in popularity
and usage, in recent years.
Network users seem to have the impression that it refers to something obscure, t
echnical, and related mostly
to network equipment and configurations - something for the boys in Network Mana
gement to worry about, not the users.
In fact, Network Security policy covers not only the network security, but also
the operational security procedures,
within an organization.
Sadly, users typically do not want to be bothered. It is a sad truth that a user
with no vested interest in
the security of a resource, is unlikely to take steps to protect that resource.
No amount of cajoling, meetings,
memos, or training, is likely to convince a user to do something that makes thei
r life more difficult, for no
perceptible benefit to them. Even offering financial incentives and/or penalties
seems to rarely be effective;
the typical user response is to cover up violations of the security policies, ra
ther than to prevent them.
A person assigned to protecting a resource, must actually have a vested interest
in protecting that resource,
in order for it to be reasonable to assume that they will do so, reliably.
This is clearly demonstrated by military organizations, where the high statistic
as a communication, at all.
Encrypted data may potentially be deciphered through the use of some sort of key
, or through the use of an algorithm,
or possibly both. There are many types of encryption, and the factors which lead
to the selection of one type
over another, may include the legal export implications of the use of one type o
ver another. Decisions may also
be based upon the difficulty of implementing one cipher, over another, or the co
st, in terms of computing power,
to cipher and/or decipher it. Another factor might be the value of the data bein
g protected.
Users tend to be largely ignorant of the quality of encryption, and if told that
their data is encrypted,
they will typically equate that to a belief that their transmissions are secure.
Sometimes that is true,
and sometimes not; the basis for that assessment comes in the comparison of the
value of the data being transmitted,
to the value of the effort involved in compromising it. The Electronic Frontier
Foundation recently designed and
constructed a device designed to defeat the U.S. federal government's recommende
d public cipher system;
the Data Encryption Standard (DES) through brute-force tactics.
The device costs (at the time) approximately $250,000 to construct, and the desi
gn specifications are available to the
public. It may not be reasonable to believe that a hacker would go to that much
effort, to intercept credit card
transactions, over the web (although such transactions typically use stronger ci
phers, in any event), but it might
be reasonable to expect such equipment to be put to use in industrial or interna
tional espionage efforts. If you are
an executive officer, at a bank, and your email is DES-encrypted, it might not b
e safe to assume that your email is
secure, in transit.
Most hackers, of course, operate on a much smaller scale, and will typically onl
y rely upon brute-force
cipher-cracking techniques, when they can do so with a reasonable chance of succ
ess. This means that they will
typically apply such tactics against bulk data, such as password files, and then
they will limit their key
searches to such things as dictionary words, popular names, numbers
(like social security, birthdate, and/or telephone numbers, or subsets thereof).
Any successful intrusions or
revelations based upon this approach, result in exposures that are typically lim
ited to the users who chose cipher
keys or passwords, so poorly, to begin with. These attackers will often attempt,
instead, to intercept data
before it is ciphered - or after it is deciphered - or intercept cipher keys, at
the time that they are used.
They rely upon the fact that users will rarely go to the trouble of ciphering th
eir data, unless they perceive
it to be valuable, and therefore the data to concentrate on, is the data that th
e user went to the trouble to try
to protect.
Network attackers will often also take advantage of cipher tactics, themselves,
to protect data that they perceive
to be valuable, or to disguise their activities. The classic example of this is
culture. Other 'hackers' at the time attempted to distance themselves from this
reputation, by referring to
these people as 'crackers' (for their efforts to crack encryption keys, algorith
ms, and passwords), but the public
media never really accepted this terminology, and the 'hackers' of the time, wer
e, on the whole, not serious
societal participants, to push the issue.
Today, the word 'hacker', in popular usage, refers to someone that penetrates co
mputer and network
security systems. True 'hackers' (under the more traditional definition) may dis
agree with this definition
- even be offended by it; nevertheless, it is what it is. In this document, in t
he interests of communicating
with the largely non-technical audience that it is intended to target, I defer t
o the more common, and admittedly,
less correct usage. I use the term interchangeably with network or host 'attacke
r'. So sue me. :)
09. Home Users Security Issues
-------------------------Due to the high number of e-mails we keep getting from novice users, we have
decided that it would be a very good idea to provide them with their very
special section, discussing various aspects of Information Security in an
easily understandable way, while, on the other hand, improve their current level
of knowledge.
If you have questions or recommendations for the section, direct
them to security@astalavista.net Enjoy yourself!
Web E-mail Security Checklist
This Checklist tries to summarize the most common security related issues for we
b based e-mail providers like
Hotmail, Yahoo etc.
1. Always use the secure (SSL) mode when available. Unencrypted data can be snif
fed much more easily than encrypted.
Using the SSL mode, you ensure that the login data between your computer and Yah
oo is transmitted securely.
2. Make sure that the computer you're using is free of keylogers and other monit
oring programs.
3. Keep an eye on the Sent folder. Sometimes the attacker is activating the "Sav
e in the Sent folder" feature, so that
he/she can read all the e-mails sent, then of course place them in the Trash
4. Whenever a pop or another windows asks you about your login data, make sure t
hat you revisit your provider's web site,
instead of just entering there. The majority of e-mail hacks happen through logi
n spoofs like the ones mentioned.
5. When storing sensitive data in your e-mail, consider encrypting it before tha
t, PGP is a good start. Just think about
the implications of having your mailbox hacked into?
6. Limit the use of public POP3 checkers and the use of proxies with the idea to
"check my e-mail anonymously", as the
majority of these are often better monitored than your e-mail provider's servers
Prozac: The majority of people still think Astalavista.com is a Crack web site,
which is NOT true at all.
Astalavista.com is about spreading secutity knowledge, about providing professio
nals with what they're looking for, about
educating the average Internet user on various security issues; basically we try
to create a very well segmented portal where
everyone will be able to find his/her place. We realize the fact that we're visi
ted by novice, advanced and highly advanced
users, even government bodies; that's why we try to satisfy everyone with the fi
les and resources we have and help everyone find
precious information at astalavista.com.Although we sometimes list public files,
the exposure they get through our site is always impressing for
the author, while on the other hand, some of the files that are listed at Astala
vista.com sometimes appear for the first time at our site.
We try not to emphasize on the number of files, but on their quality and uniquen
ess.
Dancho: Everyone knows Astalavista, and sooner or later everyone visits the site
. How did the image of Asta become so
well-known around the world?
Prozac: Indeed, we are getting more and more visitors every month, even from cou
ntries we didn't expect. What we think is
important is the quality of the site, the lack of porn, the pure knowledge provi
ded in the most professional
and useful way, the free nature of the site, created "for the people", instead o
f getting it as commercial as possible. Yes,
we work with a large number of advertisers, however, we believe to have come to
a model where everyone's happy, advertisers
for getting what they're paying for, and users for not being attacked by adware
or spyware or a large number of banners.
Dancho: A question everyone's asking all the time - is Astalavista.com illegal?
Prozac: No! And this is an endless debate which can be compared to the Full Disc
losure one. We live in the 21st century,
a single file can be made public in a matter of seconds, then it's up to the who
le world to decide what to do with the information
inside. We're often blamed because we're too popular and the files get too much
exposure. We're often blamed for serving
these files to script-kiddies etc. Following these thoughts, I think we might al
so ask, is Google illegal, or is Google's
cache illegal?! Yes, we might publish certain files, but we'll never publish "Th
e Complete Novice Users on HOWTO ShutDown
the Internet using 20 lines VB code". And no, we don't host any cracks or warez
files, and will never do.
Dancho: Such a popular secutity site should establish a level of social responsi
bility - given the fact how popular it is
among the world, are you aware of this fact, or basically it's just your mission
that guides you?
Prozac: We're aware of this fact, and we keep it in mind when appoving or adding
new content to the site. We also realize that we still
get a large number of "first time visitors", some of them highly unaware of what
the security world is all about; and we try
to educate them as well. And no, we're not tempted by "advertising agencies" eag
er to place adware/spyware at the site, or
users submitting backdoored files, and we have a strict policy on how to deal wi
http://www.securitytracker.com/
Security Tracker is a site devoted to tracking security vulnerabilities.
12. Astalavista needs YOU!
--------------------We are looking for authors that would be interested in writing security related
articles for our newsletter, for people's ideas that we will turn into reality w
ith their help and for anyone who
thinks he/she could contribute to Astalavista in any way. Below we have summariz
ed various issues that might
concern you.
- Write for Astalavista What topics can I write about?
You are encouraged to write on anything related to Security:
General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming
What do I get?
Astalavista.com gets more than 200 000 unique visits every day, our Newsletter h
as more than
22,000 subscribers, so you can imagine what the exposure of your article and you
will be, impressive, isn't it!
We will make your work and you popular among the community!
What are the rules?
Your article has to be UNIQUE and written especially for Astalavista, we are not
interested in
republishing articles that have already been distributed somewhere else.
Where can I see a sample of a contributed article?
http://www.astalavista.com/media/files/malware.txt
Where and how should I send my article?
Direct your articles to dancho@astalavista.net and include a link to your articl
e. Once we take a look
at it and decide whether is it qualified enough to be published, we will contact
you within several days,
please be patient.
Thanks a lot all of you, our future contributors!
13. Astalavista.net Advanced Member Portal Promotion
------------------------------------------------- June offer Save 30% until 06/30/04 $69 - PREMIUM (Lifetime)
Astalavista.net is a world known and highly respected Security Portal offering
an enormous database of very well-sorted and categorized Information Security
resources, files, tools, white papers, e-books and many more. At your disposal
are also thousands of working proxies, wargames servers where all the members
try their skills and most importantly - the daily updates of the portal.
- Over 3.5 GByte of Security Related data, daily updates and always working
links.
- Access to thousands of anonymous proxies from all over the world, daily update
s
- Security Forums Community where thousands of individuals are ready to share
their knowledge and answer your questions, replies are always received no matter
of the question asked.
- Several WarGames servers waiting to be hacked, information between those
interested in this activity is shared through the forums or via personal
messages, a growing archive of white papers containing info on previous
hacks of these servers is available as well.
http://www.Astalavista.net
The Advanced Security Member Portal
--- Thawte Crypto Challenge V --Crypto Challenge V Now Live!
Pit your wits against the code - be the first to crack it and win an Archos Cine
ma to Go.
Click here to grab the code and get started:
http://ad.doubleclick.net/clk;8130672;9115979;t
--- Thawte Crypto Challenge V --14. Final Words
----------Dear Subscribers,
Thanks for your interest in our Newsletter! We hope you've enjoyed Issue 7, and
that we've provided you with an extensive
amount of well categorized security info on what has been going on during June,
2004.
Watch out for our upcoming HTML based Issue!
Editor - Dancho Danchev
dancho@astalavista.net
Proofreader - Yordanka Ilieva
danny@astalavista.net