• ALERT windows exploit(s) attack even kernel off latest versions - no patch but workaround

    The attack bypasses all securitymechanism of windows (except if you have a good updated antivirus, Intrusion detection prevention on your network or your host and it is updated to stop this kind of attacks) and uses a bug in the registry to give the attacker the possibility to install any code on your machine with the privelege of the machine itself (god in fact).

    It is one of the zeroday vulnerabilities that are being used by stuxnet but that wasn't patched (yet) by Microsoft. It wouldn't surprise me if they will get an automated workaround or patch out in the coming weeks.

    There is a workaround but it is unofficial and it has not been tested yet (sophos)

    There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:

    1. As an Administrator open Regedit and browse to HKEY_USERS[SID of each user account]EUDC
    2. Right-click EUDC and choose permissions
    3. Choose the user whose account you are modifying and select Advanced
    4. Select Add and then type in the user's name and click OK
    5. Click the Deny checkbox for Delete and Create Subkey
    6. Click all the OKs and Apply buttons to exit

    Registry permissions for mitigation

    The registry keys being changed by this mitigation should not impact a user's ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
    http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac

    The bad news is that not only can you use malware code to inject also this control on the targeted machine (if you can fool the antivirus if there is one in place) but you can also combine it with other non-patched attackroutes like CVE: 2010-3962 for Internet Explorer.

    It could be nothing it could become big.

    For all those under targeted attack or which are normal targets for such attacks, you better watch out for this one.

  • New upgrade of the Belgian EID reader

    As there is no automatic auto-update and no obligation in all applications that use EID and so on (you may call it the Firefox update-process) it will be a problem for network administrators to keep their EID middleware updated in an organised manner. There is talk that this would be integrated into the windows update process and that would be a good thing (and by the way, give the whole management of the code to Microsoft so they can implement their Secure Development Lifecycle and information processes around it)

    The limited description of the updates does give few reasons to update for securityreasons by as security is treated Applewise by the EIDpeople (don't talk about it untill it hits you right in your face for everyone to see) there are maybe hidden securityfixes (DLL injection anyone ?).

    You can find the patch here

    http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch/

    By the way your EID is not a bank card - the securitystandards, technologies and support and monitoring are two totally different worlds. Using your EID as a bank card is like buying an electronic device that hasn't been tested and certified. Do it at your own risk.

    And that your EID may hold information about your shopping, medical situation and more without additional certified encryption and protection of the data on the card and during the way they travel with and in EID enabled online applications is something you should be informed about. Do it at your own risk.

     

  • Belgian Electronic Identity cards - all masks fall off

    They have been saying in the beginning that there was no reason to think that we should use the EID for banks, for payments, for social security and medical information. It would only be used for identification and authentification - so why are you making such a fuzz about the total lack of procedure, governance and oversight ? Because it will be used for other means as well.

    The minister responsable for Economy has visited (and so he is supporting) the firms that want to make it useful for payment and soon banking.

    There was the announcement that the social security card will be stopped and that we will use the EID in our pharmacy (instead of this card).

    Another firm wants to use it for loyality points.

    So with one card I will know

    * your bank information

    * your medical information

    * your shopping information

    * your egov information

    * your personal addresses

    * your access to all EID enabled access points

    * in many cases your access at your local networks or EID protected systems

     

    So stop calling all those with doubts about all of this rushing in unknown fields as paranoïds. It is not because it didn't happen that it can't happen. And if it can happen on paper than there are possibilities that it may happen. And the more information and uses you add to the EID, the higher the risk because the more it becomes a lucrative target.

    Noboby thought in the US that the number of the social security was risky as identification untill it now has been the number one method of ID theft.

    I will have more trust if

    * there are public penetration and security tests

    * there are public cerfitications and controls and published norms

    * there are yearly tests

    * there is an automated obliged upgrade process for the software

    * every expansion is accompanied with new tests and obligations

    * all code is made only available for 'certified EID developers'. Anyone can fuzz it now.

    And don't say in a few years, I didn't know. Those who know don't want to do anything about it and those who can do anything about it don't seem to be interested and those who can report this want to wait untill something spectacular happens (and it is too late)

    by the way

    did you know that the software of the EID had probably some DLL injection vulnerabilities. I suppose they are fixed in the new update because I informed the CERT about it. I hope this is the case as the description of the updates is scarce.

    You have to earn trust or you can lose it in a snap.

  • Securing XP and higher better against targeted zeroday no-defense attacks (IE, PDF, flash,....)

    Microsoft gives some workarounds if you want to secure older versions of their Internet Explorer and windows XP and Vista and 7 and server2003 and 2008 in general

    1. Define your own CSS file.

    THis means that scripts that are defined in the CSS stylefile of the websites that are trying to install stuff on your computer or use vulnerabilities to take control are neglected.

    To apply a custom cascading style sheet (CSS) for formatting documents loaded in Internet Explorer, save the following text to a file with a .CSS extension, such as KB2458511.CSS:


    TABLE
    {
        POSITION: relative !important;
    }

    Note The "" literal that appears between "POSI" and "TION" above is intentional.

    Impact of workaround. Applying a user-defined CSS may cause Web site style sheets to malfunction.

    My opinion : not usable in a network

    2. Install the Enhanced Mitigation Experience Toolkit

    What is it

    The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult to perform as possible. In many instances, a fully-functional exploit that can bypass EMET may never be developed.

    How to install it

    You will need at least  XP or windows2003

    Configure EMET for Internet Explorer from the EMET user interface

    To add iexplore.exe to the list of applications using EMET, perform the following steps:

    1.

    Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and EMET 2.0.

    2.

    Click Yes on the UAC prompt, click Configure Apps, then select Add. Browse to the application to be configured in EMET.

    For 32-bit installations of Internet Explorer the location is:
    C:Program Files (x86)Internet Exploreriexplore.exe

    Note For 32-bit systems, the path is c:program filesInternet Exploreriexplore.exe

    For 64-bit installations of Internet Explorer the location is:
    C:Program FilesInternet Exploreriexplore.exe

    3.

    Click OK and exit EMET.

    Read and use : http://support.microsoft.com/kb/2458544

    My opinion : It may not work with all software and you should test it before installing it in a network. In a network it may be very applicable if you have a very limited number of images or if you just limit it to those important departments or persons who have critically important information on their computers (also administrators)

    Also there are already some attacks that bypass this protection, so it is not a perfect solution but one that makes the security situation of your computer better.

    3. Enforce Data execution Protection in IE8 or install it in IE7

    This means that drive-by attacks and downloads against vulnerabilities in the browser or some of its plugins can be stopped.

    If you use IE8 you already have the database and you just have to activate it.

    If you are still running IE7 for some odd reason you can install it

    See Microsoft Knowledge Base Article 2458511 to use the automated Microsoft Fix it solution to enable or disable this workaround.

    My opinion : a must for networks. It may crash some other plugins in the browser but this means that they were not sufficiently safe in the first place.

    4. Setting secure internetzones the browser

    That is so traditional that it probably will already be done since long.

  • It becomes impossible to defend old windows machines on the internet

    It is strange to see when you are scanning the internet (through public available vulnerability scanners) that there are still windows2000 machines running public websites

    It is also best to remember that XP is in fact being phased out and that Vista is just a messed up version of Windows7.

    Running anything older than windows7 just makes you vulnerable for a high number of attacks that have more or less become impossible with DEP and Protected Mode (that you have to activate - especially on executive computers)

    but I know it is not always that simple to explain

    For those who have older code and applications that just works fine under xp, you have to remember that there is a virtualxp version in some Windows7 versions that may extend the lifetime of that older (probably messed up) code untill you have put it up for review and securisation (Secure Development Lifecycle)

    The newest exploit against the older Internet Explorer shows this another time but it also shows that you should always lock down the browser and (as I pretend) have a sandbox policy for all internetdownloads. This means that all your internet installations and downloads should be done in one locked folder. It is only after a manual action that things may be installed on the computer.

     

  • Adobe the total mess with security-updates puts egov in danger

    It is going from bad to worse with Adobe (flash, pdf, shockwave)

    not only are the exploits following each other at an ever increasing speed and are they being used in more and more targeted attacks (lock down your executive computer even if you don't want to touch these you will have no choice if you want to protect them sufficiently)

    but the update cycle that they did want to install is becoming a total mess in which even the security advisors don't know anymore what it latest available version

    reading the posting about this total confusion is just staggering

    it also says something for other firms who will have to go into security overdrive from a situation in which they presumed they had nothing to fear or didn't want to talk about it (apple, mobile firms)

    you will have to set up an unique download center and a simple and unique information process

    otherwise it will not work

    it will also send waves through all these egov services that have been built around Adobe Forms. For one thing all these forms will now need certificates to be sure that people only open PDF forms and attachments that are proven to be yours (and safe). Yes, this makes another form of socially engineered and ssl and certificate attacks possible, but it can weed out some less complex attacks.

    which stock to buy ? Certificate companies.

     

  • back after some reading time and famility moments

    what do you know if you don't read

    what do you have if you don't have family and friends around

    a blog

    that is nothing exceptional

    except for yourself and some readers

    so yes from time to time I am spending more time with family and books

    it is not my job to set up a security information portal on the internet - that is for the Belgian CERT - which does a good job in keeping the attack levels down in Belgium (compared to the situation when there was nobody to call) but who - in my modest opinion - is lacking a good securitytips and information service

    now will follow some posts