The co-opting of APT by the marketing folks have led to the point that people are classifying any malware, rootkit or bot as “APT”.  Zeus is not APT, Aurora is not APT.  APT is a level of threat, a description of the sophistication, patience and talent behind an attack.  The attacks are targeted, typically involving both an exploit and social engineering.  Emails containing PDF exploits don’t get spammed to everyone in the organization, they are sent to key individuals with convincing messages.  Bots aren’t your commercial, off-the-shelf variety.  They are custom built, hard to detect and typically have multiple instances and functions so an initial remediation sweep will appear successful but miss the deeper, quieter processes.

The attackers monitor the state and success of their attacks and channels.  As one channel goes down, they activate another.  If a node containing valuable data is cleaned, they’ll reinfect it from another computer.  They know what they are doing.

Or, to use my own, barbaric way of describing things:

“APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”

Damn sales people.

Zynamics builds reverse engineering tools (BinDiff, BinNavi, VxClass, BinCrowd and PDF Dissector) for both offensive and defensive security that help find and prevent security vulnerabilities and issues within software applications. The startup’s tools are used to help understand security updates, identify FOSS code in binaries and identify flaws in closed-source software and build input to trigger them. The company’s software will also cluster malicious software and generate signatures as well as share information remotely.

A nice acquisition for Google.

BSQL Hacker

For Feature Requests, Feedback and Bug Reports use: http://bsql.uservoice.com/

See SQLIBench project to compare BSQLHacker with other SQL Injection tools.

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

This is a friend of mine who lives risk. Great guy, great asset for infosec. ::

Anyone got a good analogy to describe SQL Injection to people who don’t understand what a “back end” is, much less a SELECT statement?

Here’s my response:

SQL Injection is like a telephone operator who has to phonetically relay verbal speech between two people who cannot be connected, in a language the operator doesn’t understand. The problem is that the operator has no way of knowing if she’s telling the person on the other side, “Happy Birthday”, or giving them instructions on how to kill themselves.

An old explanation, but I like it ok…

Last year, after two full days of hacking, only one web browser emerged from Pwn2Own unscathed: Google Chrome. IE8, Safari 4, Firefox 3, and even Safari on iOS actually all fell after just one day, but no one could seem to penetrate Chrome. In fact, despite a $10,000 bounty to crack their “sandbox”, no one even tried, likely figuring it was futile. And so this year, Pwn2Own wasn’t even going to invite Chrome back. Then Google stepped in with wads of cash.

While the lineup for Pwn2Own 2011 was announced a few days ago, Google took the time today to give a bit more details about their role in the event. Of note, they write: “Chrome wasn’t originally going to be included as a target browser in the competition, but Google volunteered to sponsor Chrome’s participation by contributing monetary rewards for Chrome exploits.”

In other words: bring it, hackers.

Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter.

The exchange’s trading platform—the part of the system that executes trades—wasn’t compromised, these people said. However, it couldn’t be determined which other parts of Nasdaq’s computer network were accessed.

Investigators are considering a range of possible motives, including unlawful financial gain, theft of trade secrets and a national-security threat designed to damage the exchange.

Infrastructure, bitches.

Here I’ll be attempting to capture most primary items one will need to set up a webappsec environment. I’ll be grouping by:

• Suites and Frameworks
• Standalone Scanning Tools
• Vulnerable Web Applications
• Online
• Download
• Utilities
• Additional Resources

A collection of web application security resources.

Careful ATM users know enough to give a hasty visual check to the machine before using it and to hide the keyboard while entering their PIN.

Unfortunately, sometimes even that is not enough to prevent the fraudsters, and the worst part of it is that they continually think of new ways of stealing your credit and debit card data.

A type of attack that can’t be detected by ATM users because there’s nothing off on the machine or close enough to it to make them suspicious has been pointed out by Brian Krebs. According to him, criminals have devised a very clever tactic – one that is usually employed to steal the information from users who prefer to use the ATMs located in the antechamber of a bank or building lobby.

Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java-based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private.

The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

Stunning.

Ok, not really.

The White House has instructed every US government department and agency to create “insider threat” programmes that will ferret out disgruntled or untrustworthy employees who might be tempted to leak the sort of state secrets recently made public by the website WikiLeaks.

A 13-page memo detailing the new policy urges senior civil servants to beef up cyber security and hire teams of psychiatrists and sociologists who can “detect behavioural changes”. They will then monitor the moods and attitudes of staff who are allowed to access classified information.

Researchers frοm thе Computer Security Group οf thе University οf California аt Santa Barbara hаνе taken control οf thе Torpig botnet fοr ten days. Thеіr report reveals thаt thе Trojan stole 8,310 accounts frοm 410 different financial institutions, аѕ well аѕ thе details οf 1,660 credit cards during thе 10 day period alone.

Torpig, аlѕο known аѕ Sinowal, іѕ a 3 year-ancient banking trojan, whісh ranks pretty high amongst thе mοѕt resilient аnd complex pieces οf malware. Thе Trojan іѕ being spread through Mebroot, a rootkit thаt installs itself аt thе low level οf a computer, inside thе Master Boot Record , mаkіng іt very resilient tο av detection.

A further state-οf-thе-art malicious technique employed bу Torpig іѕ thе domain flux, whеrе a list οf domain names іѕ periodically generated bу each infection according tο аn algorithm, whісh аrе thеn queried іn order tο locate a command аnd control server. Thе researchers hijacked thе botnet bу registering ѕοmе οf thе domains іn advance, previous tο іtѕ owners succeeded іn regaining control ten days later.

Sickness.

In 2007, when Estonia’s government, financial and media computer networks were attacked by unknown Russian hackers following the government’s decision of relocating a Soviet war memorial, it must have been hard to believe that something good would come from it at the end.

With that attack, Estonia became the first country ever to actually be engaged in a cyberwar, but that didn’t make them despair. If anything, that incident was what spurred them to institute their own Cyber Defense League – an organization that gathers computer scientists, programmers, software engineers and cybersecurity specialists and would, in time of war, be under the direct command of the military.

So far, all the members are part of the organization because they volunteered, and they spend part of their weekends carrying out simulated exercises of cyber attacks in order to keep their skills honed and ready. But, Estonia’s Defense Minister Jaak Aaviksoo and the authorities are thinking about the possibility of instituting a draft for all skilled cyber experts and instituting a real cyber army.

L33t.

David Albright, president of the Institute for Science and International Security, told the Post that during a study of the Stuxnet code, he discovered that the virus caused the engines in Iran’s IR-1 centrifuges to increase and decrease their speed. The report cited an unnamed government official who claimed that Iran usually ran its motors at 1,007 cycles per second to prevent damage, while Stuxnet seemed to increase the motor speed to 1,064 cycles per second.

True information warfare: An infosec attack that crippled a foreign country’s ability to make war.

Wicked cool.

“A new Information Security conference has come to the Bay Area. BayThreat is a two day event at the Hacker Dojo in Mountain View, CA on December 10th and 11th. The theme for BayThreat is as simple as black & white: “Building & Breaking Security.” There will be two tracks, each tackling opposite sides of the security fence. As Security Professionals, it is up to us to take that dichotomy and mold it into =the shades of gray we use to protect our environment.

The speaker line-up includes new material and also brings some of the big speeches that were well received earlier in the year to a west coast venue. Jeremiah Grossman will be talking about Website Security Statistics over 3 years, Dan Kaminsky will be talking about DNSSEC and the coming Domain Key Infrastructure, Dino Dai Zovi will be giving his Mach RPC talk, Anton Chuvakin will be discussing lessons learned while implementing SIEM, and Allen Gittelson will demonstrate mindhacking.

There’s also several activities planned for BayThreat, such as a lockpicking village and an Escalation of Privileges card tournament. Check out the website for the full list of speakers and activities planned for this exciting event at www.baythreat.org.

-Marisa Fagan”

I’m there. Who else?

There’s often a significant amount of debate between internal appsec groups and developer groups around the topic of false positives. What exactly determines whether something is or is not a true false positive? And how can appsec groups synchronize so as to reduce confusion on the topic?

Semantics lie at the center of many arguments, and the debate around “false positives” offers no exception. What I’ve found is that there are often two different meanings that are being used in a single discussion about false positives, and if each side doesn’t realize which definition the other is using, chaos will ensue. Here are the two definitions I most commonly encounter:

 

1. The tool is claiming something that isn’t true, i.e. the vulnerability that it says it found actually was not found. One example of this might be the presence of a secretfile.aspx.bak file. The tool says it found the contents of this .aspx file, but when you look at the response you see that it’s no more than a custom 404 page.
2. The finding is technically correct, but nobody cares, i.e. a finding comes back saying that a password value is being passed via GET request to a given application, and the issue has been fully explained to the development team and management; they’ve simply decided not to change it.

This is a post of mine over at the HP AppSec blog. Check it out.