HOPE 2008: Cold Boot Attack Tools Released


The team from Princeton has released their cold boot attack tools at The Last HOPE. Earlier this year they showed how to recover crypto keys from the memory of a machine that had been powered off. Now they’ve provided the tools necessary to acquire and play around with your own memory dumps. The bios_memimage tool is written in C and uses PXE to boot the machine and copy the memory. The package also has a disk boot dumper with instructions for how to run it on an iPod. There’s also efi_memimage which implements the BSD TCP/IP stack in EFI, but it can be problematic. aeskeyfind can recover 128 and 256bit AES keys from the memory dumps and rsakeyfind does the same for RSA. They’ve also provided aesfix to correct up to 15% of a key. In testing, they only ever saw 0.1% error in there memory dumps and 0.01% if they cooled the chips first.

Continue reading “HOPE 2008: Cold Boot Attack Tools Released”

ARDAgent.app Still Vulnerable


When Apple pushed their most recent security update, the first thing we checked was whether the ARDAgent issue was fixed. It’s not. This vulnerability lets anyone execute code as a privileged user and versions of this attack have already been found in the wild. While several Ruby, SMB, and WebKit issues were addressed it, ARDAgent is still unpatched. [Dino Dai Zovi] has published the method by which ARDAgent actually becomes vulnerable: when it starts, it installs its own Apple Event handlers and calls AESetInteractionAllowed() with kAEInteractWithSelf. This should restrict it only to its own events, but for some reason that’s not the resulting behavior. He also pointed out that SecurityAgent has displayed similar weirdness; it is vulnerable to Apple Events even though it doesn’t calls an Apple Events function. We can see how this unexpected behavior could make patch development take much longer and may end up uncovering an even bigger problem. Check out [Dino]’s post for more information.

U.S. And China Host Majority Of Malware


StopBadware.org has released their May 2008 Infected Sites Report(PDF). They took their current list of 213K active badware websites and resolved the IP addresses. These addresses were used to determine the network block owner and country. The results could be skewed to networks Google scans more often, but they should give a decent overall picture. China hosts 52% of all the badware sites while the U.S. has 21%. There weren’t any other countries maintaining over 4% of the total. They also calculated the number of infected sites per capita, which China also led. Last year’s report resulted in several AS block maintainers cleaning up to the point that they don’t even make the top 250 this year.

Crawling + SQL Injection With Scrawlr

Scrawlr is the latest tool to come out of HP’s Web Security Research Group. It was built in response to the massive number of SQL injection attacks happening on the web this year. Most of these vulnerable sites are found through googling, so Scrawlr works the same way. Point it at your web server and it will crawl all of the pages and evaluate the URL parameters to see if they’re vulnerable to verbose injection. It reports the SQL server and table names if it comes across anything.

It only supports 1500 pages right now and can’t do authentication or blind injection. It’s still a free tool and a great way to identify if your site is vulnerable to automated tools finding you website via search engines.

[via Acidus]

Open Source Data Recovery Tools


InformationWeek has great article on open source data recovery tools. What type of tools you use will depend on the severity of the situation. You can use live Linux distros designed for recovery like SystemRescueCD or Partedmagic (the latter being more user friendly). Security tools distrubutions like BackTrack can also be helpful; Helix in particular was designed for forensics work. dd is a standard *nix tool for imaging drives, but something like TestDisk can help you repair partition tables for whole disk recovery. Most deletion operations don’t overwrite the data which means you can use file carving to capture the lost files. PhotoRec is able to find files in a number of common formats. Finally, if you’ve got some serious forensic work ahead of you there’s The Sleuth Kit and many other command line tools.

As an addendum, OStatic put together a list of 5 freeware tools for protecting your system.

BackTrack 3 Final Is Out


OpenSuse and Ubuntu are perfectly serviceable Linux distros, but we’ve had a soft spot for BackTrack from the very start. Good news for us, since yesterday was the long awaited release of BackTrack 3 Final. It uses the same 2.6.21.5 kernel as before (to maintain WiFi injection compatibility) and Nessus is still out, but it is not without a great deal of other improvements. Its forensic capabilities are better than ever, largely due to included apps like a fully functional version of SAINT and a special version of Maltego made just for BackTrack. The download is free, but Remote-Exploit is asking users not to distribute it without notifying them first, because they’re trying to keep track of the number of downloads.

[via Midnight Research Labs]

Finding Sensitive Data With Freeware


When an organization’s network grows to a certain size, its difficult to keep track of every single piece of sensitive information like credit card numbers or social security numbers. In order to find and secure this data, companies often turn to data loss prevention (DLP) services. This is not a viable option for many organizations, though, as DLP services can often be expensive and time-consuming to deploy.

Such organizations are not entirely without options: a recent article on Dark Reading lists several DLP tools authored by teams from various universities, all free to download and use. Programs like The University of Texas at Austin’s Sensitive Number Finder and Virginia Tech’s Find_SSN were designed to find pieces of data on computers and servers formatted in ways typical to sensitive information (xxx-xx-xxxx for SSNs, for example). This approach can often lead to false positives, so some measure of human control is required. They are also incapable of scanning application servers or other forms of data in transit. Cornell’s Spider can scan various application server types using different protocols. When used in conjunction, all of these apps can help secure your data without the expense of outsourcing the job.