Sunday, October 26, 2008

Open Hack

From the official HITBSecConf2008 page (http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=197):

For the second time ever in a HITBSecConf we will be organizing an Open-Hack competition with a slight twist inspired by the Pwn-to-0wn contest run by the guys at CanSecWest.

The purpose of an Open Hack is to uncover new and previously unknown software vulnerabilities in operating systems and software. This year’s Open Hack will involve 4 fully patched Macbook Air’s with a default install of Leopard with all patches applied and the firewall set to default settings. Similar to the contest in CanSecWest, the machine will be accessible via wired cross-over ethernet connections. Be the first to hack in and you walk away with a brand new machine!

To claim a laptop as your own, you will need to read the contents of a designated file on the system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private. Slots will be available for sign up in 30 minute increments at the beginning of each day. Any WiFi or Bluetooth exploits will be verified offsite in a secure lab to prevent snooping. The first winner of each laptop gets to keep it (one laptop per vulnerability entry).

Attack Vectors

Day 1 - 29th October 2008 - Default client-side applications
Day 2 - 30th October 2008 - Popular 3rd party apps

** Depending on the outcome on Day 1, we may extend the competition to submissions from remote (i.e. you don’t have to be on-site). More details will be posted next week.

Once a laptop is won however, no more exploits may be submitted. All winning exploits will be handed over to the affected vendors at the conference through WabiSabiLabi with the appropriate credit given to the contestant. All contestants must agree to the responsible disclosure handling of their vulnerability/exploit.

Phishing Updates

EvilFingers is trying to be active in the community. Phishing is one of the major areas we are looking at, because of the losses caused by phishing sites. Phishtank is one group that has been doing this kind of work (as discussed in older postings). EvilFingers has contributed 5000+ phishing link verifications/reviews so far. If you are active or would like to do something for the community, kindly contact us at contact.fingers @ gmail.com.

The following is the graph representing our contributions to Phishtank:



Thank you for your time.

- EF

Thursday, October 23, 2008

HITBSecConf2008 has announced their schedule

Agenda for the entire conference has been announced.

On 29th Oct 2008, Jeremiah Grossman will start with a Keynote Address on "The Art of Click-Jacking", which is the current hot topic at ZDNET and various other sites. Marcus Ranum follows with his Keynote Address on "Cyberwar is Bullshit". Once the keynotes are done, the rest of the day is split into 3 tracks.

The second day of the conference (Oct 30th, 2008) starts with a Keynote Address on "Welcome to the 0wned World" by Dr. Anton Chuvakin, followed by Peter Sunde [brokep] and Fredrik Neij [TiAMO] on "Dissolving an Industry as a Hobby". Once again the day is divided into 3 tracks after the keynote speeches.

The best part of HITB is that, beyond the ample conference presentations, they also have contests and trainings. HITB Rocks hard!!!

- EF

Wednesday, October 22, 2008

Last Call for DeepSec IDSC 2008 in Vienna

The DeepSec In Depth Security Conference is happy to announce the planned
schedule for this year's event from November 11th to 14th in Vienna, Austria.

The schedule (which can be found at https://deepsec.net/schedule) covers a
range of topics including botnet analysis, web application security, malware
detection/analysis, legal and administrative issues, secure coding and code
review, hardware and firmware attacks, attacking/hardening databases, social
engineering, dealing with rich Internet applications (RIAs) and, of course,
the Digital Armageddon (coming soon to a server near you).

Key speakers include:

- Adam Laurie (http://rfidiot.org/)
- Ivan Krstić (http://radian.org/)
- Johnny Long (http://johnny.ihackstuff.com/)
- Gadi Evron (http://gadievron.blogspot.com/)

In addition Matt Jonkman will present a new project about the development of
a next-generation intrusion detection and prevention engine. Feedback of the
community is highly welcome!

Registration is open at: https://deepsec.net/register/
Please make sure to book your tickets in time, we have only a _limited_ number!

We also offer two days of in-depth workshops on selected topics, designed for
software developers, security researchers and sysadmins:

‣ Improving Code with Destructive Data (Heikki Kortti and Jukka Taimisto)
‣ Security Audit and Hardening of Java based Software (Marc Schoenefeld)
‣ The Exploit Laboratory (Saumil Udayan Shah)
‣ Design and Implementation of Security Awareness Campaigns (Stefan Schumacher)
‣ Advanced Malware Deobfuscation (Scott Lambert)
‣ Protocol and Traffic Analysis for Snort Signature (Matt Jonkman)
‣ Secure Application Coding for Enterprise Software (Vimal Patel)

The DeepSec IDSC is sponsored by CERT.at, Cisco, Microsoft, Sec Consult, Global
Knowledge Austria/Germany and IronPort.

DeepSec Organisation Team.
https://deepsec.net/contact

Internet Access at the conference is provided by: http://www.nets.at/

Tuesday, October 21, 2008

EvilFingers.com: The Phoenix bird

We are in the midst of rebuilding the entire site. We are taking down a few parts of the site and reorganizing ourselves into channels. There could be a few delays in this blog and the site itself. Kindly excuse us for any such delays.

- EF

Saturday, October 18, 2008

OISF Receives Funding for Open Source Next Generation IDS/IPS

October 16, 2008 (LAFAYETTE, Ind.) – The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by grant funding. The OISF has been chartered and funded to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded through these grants, and the end product will be made available to any user or organization.

Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology – anything – will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.

Intrusion Detection and the Security field in general is at a crossroads. We collectively have more data about hostile sources available than we can effectively act upon using existing tools. This engine we hope will allow feeding these disparate sources of information into a single tool to assist in decision making and protection.

Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.

Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads.

We will be recruiting many new members for this project over time. If you are interested in participating or contributing to the project please contact us at team@openinfosecfoundation.org.

If you have ideas to contribute please join our discussion mailing list:
http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

or join oisf-announce to stay in touch:
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce

Thursday, October 16, 2008

PRESS RELEASE: OWASP European Summit - Portugal

This was sent by Dinis Cruz to all OWASP members:

Hello OWASP ! ! !

It is with great pleasure and pride that I'm officially launching today the OWASP European Summit 2008

This is an event 100% focused on OWASP and will have the highest concentration of OWASPers per square meter (OWASP is flying 80+ of its Leaders and key contributors to Portugal). If you ever wanted to be more involved with OWASP or wanted to know more about certain OWASP projects, this Summit is for you. Please join us in Portugal and help to 'Set the AppSec Agenda for 2009'.

I would like to personally acknowledge the work done by an amazing team of OWASP collaborators that have been working non stop for the past 3 months on everything related to the Summit's organization: Thank You! (and if you want to be involved, please join asap this great OWASP virtual team)

Below is the official Press Release containing detailed information about the Summit's organization and objectives.

Obtaining media visibility for our events is an historical challenge for OWASP. It would be great if you could help us by personally distributing this Press Release to your media contacts and influential bloggers.

Looking forward to seeing you all in Portugal :)

Dinis Cruz

OWASP Board Member



PRESS RELEASE: OWASP European Summit - Portugal
Portugal/Algarve - 4th - 7th November 2008

Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme 'Setting the AppSec agenda for 2009', the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see here: https://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

* Application Security Verification Standard,
* Code review guide, V1.1,
* Ruby on Rails Security Guide v2,
* Securing WebGoat using ModSecurity,
* Testing Guide v3,
* GTK+ GUI for w3af project,
* Access Control Rules Tester,
* AntiSamy .NET,
* Live CD & DVD Project,
* OpenPGP Extensions for HTTP,
* Orizon Project,
* Python Static Analysis,
* WebScarab-NG,
* And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

* OWASP Top 10 2009,
* Browser Security,
* Web Application Framework Security,
* Enterprise Security API Project,
* Best Practices for OWASP Chapter Leaders,
* OWASP Documentation Projects,
* OWASP Tools Projects,
* OWASP Education Project,
* OWASP Strategic Planning for 2009,
* OWASP Certification,
* OWASP Winter of Code 2009
* Two-way Internationalization of OWASP Content
* And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

* OWASP Top 10 - What Developers Should Know on Web Application Security
* Uncovering WebScarab's Secret Treasures
* Securing WebGoat with ModSecurity
* Secure Programming with Java
* Advanced Web Application Security Testing
* Building Secure Web 2.0 Applications
* Building Secure Web Services
* Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI)
* Classic ASP Security using OWASP tools
* Web Application Assessments
* Hacking Owasp Orizon Project v1.0
* Ajax Security
* Practical Penetration Testing: Think Like an Attacker to Stop Attacks
* Linux Software Exploitation
* Web server/services hardening using SELinux


Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org

Wednesday, October 15, 2008

Bluehat Security

Based on the official listing:

Microsoft BlueHat Security Briefings: Fall 2008

BlueHat v8: C3P0wned kicks off October 16-17, 2008, at the Microsoft corporate headquarters. BlueHat v8 will consist of two full days of great content from both internal and external security experts presented in a lecture theater environment. The presentations will offer speakers the opportunity to showcase ongoing research and collaborate with peers while educating and highlighting advancements in security products and techniques. A sneak peek of content sessions includes:

Day 1: Thursday, October 16th – General Sessions

Sessions will be a hybrid of content from in-depth technical security issues to innovative techniques and best practices to use in the information security realm.

* Morning Session: Bounty Hunting and Mind-Control in the Internet Age
* Afternoon Session: We Sense a Great Disturbance in the Force

Day 2: Friday, October 17th – BlueHat v8: SDL Sessions

The Microsoft Security Development Lifecycle (SDL) team will host sessions emphasizing secure development and testing practices, as well as how to develop with security in mind from the beginning of the software development lifecycle. The BlueHat SDL sessions will focus more on appropriate defense strategies and less on attack techniques. Sessions might include demonstrations of secure coding techniques or methods of using various security tools.

* Morning Session: A Death Star Is Born
* Afternoon Session: The Circle Is Complete

BlueHat is a by-invitation-only Microsoft security conference aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas and social networking. BlueHat is a cutting-edge conference aimed at improving the security of Microsoft products. BlueHat continuously seeks out new and innovative material, highlighting important emergent technologies, techniques, and industry best practices.


- EF

Tuesday, October 14, 2008

Anti-Phishing Updates

The following graph shows EvilFingers' contribution at Phishtank.



Phishtank has been a good portal for uploading and sharing phishing links in a very easy way. We have been reviewing the newly submitted links (1,450 phishing links so far) and are planning to submit our findings soon (for which a framework is coming soon).

- EF

Monday, October 13, 2008

Overwriting Hard Drive Data: The Great Wiping Controversy

Myself, Dave Kleiman and Shyaam Sundhar R.S. have a paper submitted
and accepted for ICISS08 (the Fourth International Conference on
Information Systems Security (2008)). The paper is titled,
"Overwriting Hard Drive Data: The Great Wiping Controversy".

The abstract follows:
"Abstract. Often we hear controversial opinions in digital forensics
on the required or desired number of passes to utilize for properly
overwriting, sometimes referred to as wiping or erasing, a modern hard
drive. The controversy has caused much misconception, with persons
commonly quoting that data can be recovered if it has only been
overwritten once or twice. Moreover, referencing that it actually
takes up to ten, and even as many as 35 (referred to as the Gutmann
scheme because of the 1996 Secure Deletion of Data from Magnetic and
Solid-State Memory published paper by Peter Gutmann) passes to
securely overwrite the previous data. One of the chief controversies
is that if a head positioning system is not exact enough, new data
written to a drive may not be written back to the precise location of
the original data. We demonstrate that the controversy surrounding
this topic is unfounded."

The paper is to be presented in December this year and is being published
under the LNCS (Lecture notes in Computer Science) series from
Springer Verlag.

The answer is simple. Actually scientifically test the proposition
that data can be recovered using an electron microscope. We have done
this and the paper provides a definitive report on both PRML drives
(such as were used by Dr. Gutmann) as well as the differences in
modern ePRML drives.

Regards,
Craig
--
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...

EvilFingers Web Design - outsourced to Novacore.in

Novacore is an India based web-design company. They are our new designers, who are planning to tear down the current site and give EvilFingers a new look. Novacore has been designing many websites for the past few years.

If you have any questions or ideas, feel free to contact us at contact.fingers @ gmail.com

PS: Some of the old postings were deleted by mistake. We are trying to retrieve them.

- EF

Sunday, October 12, 2008

Phishing & anti-phishing

Phishing has always been a delivery vehicle for malicious activity such as client-side exploits, gathering credit-card and other client-side information, zombies and Trojans, etc. Phishme is a project run by the Intrepidus Group in New York. Although it is not an open-source or community project, EvilFingers wanted to list it because its approach is quite different from collecting and analyzing phish alone, and we believe such projects are worth mentioning. Phishtank is "thee" open community project that has been running successfully for the past 2 yrs. They have won the PC World award for Top Product of 2008 (we have discussed this in an earlier post). EvilFingers has started contributing at Phishtank.org, and in future there are plans to perform statistical analysis of phishes found by phishing communities around the world. Hopefully, it should be possible for us to do so with the help and support of all such communities.

Contact us at contact.fingers @ gmail.com, if you have any questions or if you wish to volunteer in any of our projects.

- EF

Saturday, October 11, 2008

Does vulnerability exposure scare common people?

Microsoft, Apple, Adobe and many other well known organizations have been developing operating systems, software, tools, etc. that are released rapidly, filled with fun and bugs. These bugs are threats when they become security vulnerabilities. The security community and its users have been aware of such vulnerabilities ever since the products were released. This awareness has now expanded, and common people are getting access to such information and to updates on threats and how to prevent them. It is good for everyone to have such exposure in order to understand reality, but does it scare them too?

Common people who are unaware of the reality that they are “not” secure might put all their information in places where they are not supposed to. People exposing their info on public websites is one level of threat, and it can be controlled through awareness training. However, it is impossible to expect every man and woman in this world to become the security analyst of their own computer. Are they really secure? Do they know that confidential documents kept on their system are still not secure? Are they aware that anyone and everyone can see what they see in their browsers? Are they sure which sites to access and which ones not to?

Well, the easiest answer to all these questions is “NO”. Wouldn’t educating common people with vulnerability info, PoCs and exploits cause panic among them? Wouldn’t this make them feel that they are better off without a computer, rather than having one and becoming a pauper by spending on software, and later on securing the software that sits on their system? Well, is it good to call such vulnerabilities features (many big companies call their vulnerabilities features)?

Think, think, think… keep thinking…

- EF

Friday, October 10, 2008

Oct 2008 - MS Patch Tuesday - Advance Release

Microsoft released the details on its Patch Tuesday release, which can be found here. John Smith from EvilFingers is currently working on creating PoCs for the previous one (Sep 2008) and the current one. Ion Visser will analyze John's PoCs and the various other publicly released PoCs.

A new member has joined the EvilFingers PatchTuesday team. We will talk more about him in the next blog post.

- EF

Thursday, October 9, 2008

MS Windows GDI+ Proof of Concept (MS08-052) Version 2

John Smith from EvilFingers released the second version of the MS Windows GDI+ Proof of Concept (MS08-052). This can be found at http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt. The entire list of PatchTuesday PoCs can be found here. The PatchTuesday Analysis page can be found at http://www.evilfingers.com/patchTuesday/analysis.php, where Ion Visser published an analysis of MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow. Ion is also preparing an overall analysis document on the GDI+ PoCs that were released last month and those that will be released in future.

If you have any questions regarding this or any other stuff, contact us at contact.fingers @ gmail.com.

- EF

Tuesday, October 7, 2008

New Tools - releasing in EF

EvilFingers just released a base64 encoder/decoder. Kindly test it and let us know if you would like something changed or added.

We are currently working on releasing a subnet calc. We understand that these tools already exist, though our aim is to integrate such tools with other tools that would make the real time job faster for certain professionals who are into this.

Kindly do stay in touch at contact.fingers @ gmail.com


- EF

Monday, October 6, 2008

Rishi Narang - The first Google chrome exploit writer

Rishi Narang (Founder, Greyhat), Team Lead, EvilFingers Community, was the one and only gentleman who released the first exploit for Chrome in EvilFingers and brought EvilFingers into the media and to the world's attention. We thank him for all his contributions to the community and send our best wishes for him to continue the same.

Rishi is a Vulnerability Specialist and, looking at his experience, he has been doing the same for 3+ yrs. He is also a forum moderator, writer, beta-tester and proof-reader for Hakin9 magazine.

Thank you for choosing our community.

- EF

Friday, October 3, 2008

Phishtank - Thee Anti-phishing Portal

Phishtank is a project that has been in existence since 2006. Phishtank won the PC World award for Top Product of 2008. EvilFingers.com made the first release of its anti-phishing effort by submitting its first find at Phishtank, which can be found here.

We wish that such an effort continues to the extent of collaborating with such teams in building a secured information infrastructure. Our best wishes to Phishtank in all its efforts.

- EF

Wednesday, October 1, 2008

EvilFingers Team Lead - Ion Visser

Ion is a really good engineer and a cool analyst. His way of performing analysis in the reverse has always yielded many publications and analysis materials to our team. Ion is also good at vulnerability assessment and has been doing all of these for years. He is volunteering for only one team in the entire world.

Thanks to Ion for contributing lively and solely for EvilFingers.

- EF

Association of Certified Fraud Examiners (ACFE)

ACFE certifies anti-fraud professionals as Certified Fraud Examiners (CFE) after testing them on the 4 domains listed on their official site.

Based on the info in the official website, "The mission of ACFE Foundation is to increase the body of anti-fraud knowledge and support future anti-fraud professionals worldwide through the funding of scholarships, endowments, research, and other educational projects. ACFE Foundation works to encourage students to pursue careers in fraud examination and provide resources for research on the detection and deterrence of fraud."

ACFE has been there for decades, and to be precise they were here even before the information era or the Dot-Com world. Many CPAs and CFAs used to get certified as CFE, and right now many information security professionals are getting themselves certified with CFE.

EvilFingers thought of talking about the anti-fraud field, since we thought it would be interesting to start some projects in it. If you have any ideas or would like to collaborate on anything similar or on any other projects, kindly contact us as soon as possible, as we work on an FCFS (first-come-first-served) basis.

Thank you & Regards

- EF

EvilFingers Team Lead - Aditya K Sood

Aditya K Sood (Founder, Secniche) is a team lead at the EvilFingers community. Aditya has been publishing articles at Hakin9 for the past few years and has also been really active in the practical implementation of information security. Unlike many Security Evangelists, Aditya doesn't consider himself one. In his belief, it is a title that others should believe you deserve, and not a title that you coin for yourself. He has published papers in many issues of the USENIX journal and has been really active in Vulnerability Assessment. Aditya has been a speaker at many well known conferences such as OWASP, XCON and so on.

We would like to acknowledge Aditya for his work and dedication.

- EF