Enabling IPv6 on sshd.

I have my server running on multiple IPv6 and IPv4 addresses. However, after several years, it never crossed my mind to enable IPv6 on my sshd.

One of the hosts hooked up to my server has quite an interesting hostname, and a short one. By enabling IPv6 on my sshd, I am able to save a little time whenever I want to connect to my server, without typing the long hostname that runs on the same server over IPv4.

Screenshot: sshd_ipv6

I did some comparison between IPv4 and IPv6 authentication, and found that there is some latency with IPv6 compared to IPv4 on sshd. Logically, IPv6 should not have any impact on speeding up or slowing down the network layer.

My wild guess is that this is the sshd itself. I will try to find out and update this post.
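The configuration change behind this post is two sshd_config keywords, AddressFamily and ListenAddress. The script below is an added example, not something from the original post: it decides from an sshd_config whether sshd would accept IPv6 connections at all, shows the IPv4-only and dual-stack configurations side by side (both constructed for illustration), and lists the checks to run on the real host afterwards, including the reverse-DNS lookup (UseDNS) that is a common reason an IPv6 login feels slower than an IPv4 one.

```shell
#!/bin/sh
# Added example (not from the original post): decide from an sshd_config
# whether sshd will listen on IPv6, and show the dual-stack configuration
# that enables it. The sample configs below are constructed.

# Reads an sshd_config on stdin. Returns 0 when sshd would accept IPv6:
# AddressFamily is "any" (the default) or "inet6", and either no
# ListenAddress is given (sshd then binds both 0.0.0.0 and ::) or at least
# one ListenAddress is an IPv6 address. As in sshd itself, the first
# AddressFamily value wins; ListenAddress lines accumulate.
sshd_ipv6_enabled() {
    af=""
    v4=0
    v6=0
    while read -r key val rest; do
        case "$key" in
            ''|\#*) continue ;;
        esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$lkey" in
            addressfamily)
                [ -z "$af" ] && af=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            listenaddress)
                # "::", "[::]:22" and "2001:db8::1" contain two or more colons;
                # "0.0.0.0", "0.0.0.0:22" and plain hostnames do not.
                case "$val" in
                    *:*:*) v6=1 ;;
                    *)     v4=1 ;;
                esac ;;
        esac
    done
    [ -z "$af" ] && af=any
    [ "$af" = inet ] && return 1                    # IPv4 only, whatever is listed
    [ "$v4" -eq 0 ] && [ "$v6" -eq 0 ] && return 0  # no ListenAddress: both families
    [ "$v6" -eq 1 ]
}

# Convenience wrapper: prints "enabled" or "disabled" for a config string.
ipv6_status() {
    if printf '%s\n' "$1" | sshd_ipv6_enabled; then echo enabled; else echo disabled; fi
}

# Constructed sample: the IPv4-only configuration the post started from.
CONF_V4_ONLY='AddressFamily inet
ListenAddress 0.0.0.0
Port 22'

# Constructed sample: the dual-stack change that makes the short IPv6
# hostname usable alongside the existing IPv4 listener.
CONF_DUAL='AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22'

ipv6_status "$CONF_V4_ONLY"   # disabled
ipv6_status "$CONF_DUAL"      # enabled

# On the real host, after editing /etc/ssh/sshd_config and reloading sshd:
#   sshd -T | grep -iE '^(addressfamily|listenaddress|usedns)'  # effective values
#   ss -ltn | grep ':22 '          # expect both 0.0.0.0:22 and [::]:22 (Linux)
#   time ssh -4 host true; time ssh -6 host true   # compare login time per family
# A login delay that differs between address families is often reverse DNS:
# with UseDNS yes, sshd resolves the client address, and IPv6 addresses
# frequently have no PTR record, so the lookup waits for a timeout.
```

The parser only needs to tell IPv6 listeners from IPv4 ones, so it keys on the colon count; a ListenAddress given as a hostname with a port (host:22) is classified as IPv4, which errs on the side of reporting IPv6 as disabled.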

Web security framework – Websecurify.

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Multi-OS supported

Considered one of the good tools for helping developers secure their web environment, this tool works as it is supposed to, and it runs on multiple operating systems.

Good interface design

A good, straightforward interface design makes this tool user friendly and easy to use.

Reporting

Once a scan is completed, Websecurify generates a report of the scanning activity initiated by the user. Vulnerabilities, misconfigurations and bugs found are classified and sorted by risk priority. Dividing them into three categories, High, Medium and Low, saves the administrator a lot of time.

Screenshot: websecurify-report (example of a report).

You can download Websecurify 0.3 here:

Windows – Websecurify 0.3.exe
Linux – Websecurify 0.3.tgz
Mac – Websecurify 0.3.dmg

FreeBSD local exploit

It’s been a long time since we’ve heard about a problem with FreeBSD, partly because its user base isn’t that large, and secondly because BSD tends to be pretty secure as operating systems go.

It’s a pretty serious flaw this time, a local root privilege escalation; thankfully it is only locally exploitable, not remotely.

That said, an attacker could gain an unprivileged user account through an exploit in a web-facing application, then use some kind of PHP/Python web shell to run the local exploit and get root.

A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems.

The bug in FreeBSD’s kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, Przemyslaw Frasunek, an independent security consultant in Poland, told The Register. It affects versions 6.0 through 6.4 of the operating system, the last two versions of which enjoy wide use and continue to be supported by the FreeBSD Foundation.

Versions 7.1 and beyond are not vulnerable.

If you’re using the latest production release (at this time 7.2), you aren’t vulnerable to this problem. I hope to see them backport the patch to the previous versions, as they still have a sizable following.

You should see an advisory hitting the mailing lists soon, and I’d expect it to be fixed pretty quickly too.

Beware if you are using FreeBSD and have users with local access you don’t trust.
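The first thing to do on a FreeBSD box is to check which release it runs against the range given above. The function below is an added example, not from the post or the advisory: it parses a release string of the form uname -r prints (6.4-RELEASE-p3, 7.2-RELEASE, 6.0-STABLE) and reports "affected" for 6.0 through 6.4 and "not-affected" for 7.1 and later, exactly as stated above. Anything the post does not cover (7.0, releases before 6.0, unparseable strings) is reported as "unknown" rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the original post or the advisory): triage a
# FreeBSD release string against the version range the post describes.
# Affected: 6.0 through 6.4. Not affected: 7.1 and later. Everything else
# is "unknown" because the post says nothing about it. The -pN patch level
# is deliberately ignored: the post names no fixed patch level, so a
# patched 6.4 still reports "affected" and must be checked against the
# advisory itself.

# kqueue_triage "6.4-RELEASE-p3" -> affected | not-affected | unknown
kqueue_triage() {
    rel=$1
    ver=${rel%%-*}          # drop -RELEASE / -STABLE / -CURRENT / -pN
    major=${ver%%.*}
    minor=${ver#*.}
    # Only plain "major.minor" digit strings are accepted.
    case "$major.$minor" in
        *[!0-9.]*|.*|*.|*.*.*) echo unknown; return 0 ;;
    esac
    [ "$ver" = "$major.$minor" ] || { echo unknown; return 0; }
    if [ "$major" -eq 6 ] && [ "$minor" -le 4 ]; then
        echo affected
    elif [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 1 ]; }; then
        echo not-affected
    else
        echo unknown
    fi
}

# Constructed release strings, as uname -r would print them:
kqueue_triage "6.4-RELEASE-p3"   # affected
kqueue_triage "7.2-RELEASE"      # not-affected
kqueue_triage "7.0-RELEASE"      # unknown

# On a real FreeBSD host, triage the running kernel:
if [ "$(uname -s)" = FreeBSD ]; then
    kqueue_triage "$(uname -r)"
fi
```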

SWFScan – Free Flash Security Tool

HP SWFScan is a free security tool that helps developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security backgrounds identify vulnerabilities hidden within the application which cannot be detected with dynamic analysis methods.

In addition, HP SWFScan offers several other features to help developers, code auditor/reviewers, and pen-testers examine the contents of Flash applications, including:

* Highlighting the line of source code that contains the vulnerability to help better understand the context of the issue.
* Providing summaries, details, and remediation advice for each vulnerability in accordance with Adobe’s recommendation for secure Flash development.
* Generating a vulnerability report to share and solve the detected issues.
* Exporting the decompiled source code for use with other external tools.
* Revealing all the URLs and web services the Flash Application contacts.
* Flagging class names, function names, or variable names that may be of interest, such as loadedUserXml or crypt().

How SWFScan works and what vulnerabilities it finds:

  • Decompiles applications built on the Adobe Flash platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure.
  • Identifies and reports insecure programming and deployment practices and suggests solutions.
  • Enables you to audit third party applications without requiring access to the source code.

You can download SWFScan here:

SwfScan.msi

An Innovative Control and Lame – Twitter Being Used As Botnet Command Channel

Controlling bots from an IRCD is not in fashion anymore. That’s my conclusion from Jose Nazario’s analysis report on one of the Twitter accounts.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

According to Nazario, one of the tweets pointed to a bank in Brazil. I’m not sure whether the bank is aware of this activity or whether it is completely invisible to their security monitoring.

This file looks like an infostealer. Here are some of the URLs it will send data to:

hxxp://64.79.197.110/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://64.79.197.110/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/
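The mechanics described above are simple enough to reproduce for a defender: the tweet body is base64, and the decoded text carries the URLs the bots fetch. The script below is an added example, not code from the Arbor or Register write-ups; the tweet it decodes is constructed from a made-up update string using a documentation address (192.0.2.10), not one of the real tweets or real hosts. It also includes the cheap triage a monitoring team would run over a feed: flag entries that are nothing but base64, which is what made this account stand out.

```shell
#!/bin/sh
# Added example (not from the Arbor or Register write-ups): decode the kind
# of base64 tweet described above and extract the URLs in it, plus a
# heuristic to spot such tweets in a feed. The sample tweet is constructed.

# Base64-decodes a tweet body and prints every URL it contains, one per
# line, defanged (http -> hxxp) so the output can go into a report without
# becoming a live link. Returns 1 if the text is not valid base64.
decode_c2_tweet() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) \
        || { echo "not base64: $1" >&2; return 1; }
    printf '%s\n' "$decoded" \
        | grep -oE 'https?://[^[:space:]"<>]+' \
        | sed 's/^http/hxxp/'
}

# Cheap feed triage: true (0) for a tweet that is nothing but base64 of a
# plausible length. Ordinary tweets contain spaces and punctuation and fail.
looks_like_base64() {
    printf '%s' "$1" | grep -qE '^[A-Za-z0-9+/]{16,}={0,2}$'
}

# Constructed sample: what a bot polling the account's RSS feed would see.
# Built here by encoding a made-up update line; 192.0.2.10 is a documentation
# address, not the real C&C host.
SAMPLE_TWEET=$(printf '%s' 'update http://192.0.2.10/friends/alert/new.php http://192.0.2.10/friends/post.php' \
               | base64 | tr -d '\n')

if looks_like_base64 "$SAMPLE_TWEET"; then
    decode_c2_tweet "$SAMPLE_TWEET"
    # hxxp://192.0.2.10/friends/alert/new.php
    # hxxp://192.0.2.10/friends/post.php
fi
```

The URL regex stops at whitespace and quote characters, which is enough for the single-line payloads described above; anything that decodes to binary still passes through grep and yields whatever URL-shaped strings it contains.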

I don’t see this method as really accurate or efficient for launching or controlling any botnet.

Read more on Arbor Network blog:

Twitter-based Botnet Command Channel

Note: Security is neither a fashion nor a business.

Stoned bootkit – attacks Server 2003, Windows Vista, Windows XP, Windows 7.

Something interesting.

What is Stoned Bootkit?

A bootkit is a boot virus that is able to hook and patch Windows to get loaded into the Windows kernel, and thus getting unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one’s secure!

IMHO, blackhats and malware analysts are really interested in going deep and knowing in detail how this Stoned bootkit has been engineered.

Why is Stoned something new? Because it is the first bootkit that:

  • attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
  • attacks TrueCrypt full volume encryption
  • has integrated FAT and NTFS drivers
  • has an integrated structure for plugins and boot applications (for future development)
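The weak point named above, an unencrypted master boot record that the bootkit overwrites, is also where a defender can look. The script below is an added example, not from the Stoned site or the original post: it hashes only the bootstrap code of a 512-byte MBR image (bytes 0 to 439), leaving out the disk signature, partition table and boot signature that change for legitimate reasons, and compares it with a baseline taken from a known-good state. The images it works on are constructed in a temporary directory; no real MBR or bootkit code is involved.

```shell
#!/bin/sh
# Added example (not from the Stoned site or the original post): detect a
# rewritten MBR by hashing only its bootstrap code. The 512-byte images
# below are constructed; no real MBR or bootkit code is involved.

# SHA-256 of bytes 0..439 of an MBR image. The 32-bit disk signature
# (440..443), the partition table (446..509) and the 0x55AA boot signature
# (510..511) are left out because they change legitimately; the bootstrap
# code should not change between baseline and check.
mbr_bootstrap_hash() {
    dd if="$1" bs=1 count=440 2>/dev/null | sha256sum | cut -d' ' -f1
}

# True (0) when bytes 510..511 are the 0x55 0xAA boot signature.
mbr_has_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = 55aa ]
}

# mbr_check IMAGE BASELINE_HASH -> ok | modified | no-signature
mbr_check() {
    mbr_has_signature "$1" || { echo no-signature; return 1; }
    if [ "$(mbr_bootstrap_hash "$1")" = "$2" ]; then
        echo ok
    else
        echo modified
        return 1
    fi
}

TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
GOOD=$TMPD/mbr-good.bin; BAD=$TMPD/mbr-rewritten.bin; NOSIG=$TMPD/mbr-blank.bin

# Constructed "clean" MBR: placeholder boot code, one fake partition entry
# (bootable, type 0x07) at offset 446, and the boot signature at 510.
dd if=/dev/zero of="$GOOD" bs=512 count=1 2>/dev/null
printf 'PLACEHOLDER BOOT CODE' | dd of="$GOOD" conv=notrunc 2>/dev/null
printf '\200\001\001\000\007' | dd of="$GOOD" bs=1 seek=446 conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$GOOD" bs=1 seek=510 conv=notrunc 2>/dev/null
BASELINE=$(mbr_bootstrap_hash "$GOOD")

# The same disk after something replaced the boot code but kept the
# partition table and signature intact, which any bootkit installer must do
# for the machine to keep booting.
cp "$GOOD" "$BAD"
printf 'REWRITTEN BOOT CODE' | dd of="$BAD" conv=notrunc 2>/dev/null

# A blank sector: not a valid MBR at all.
dd if=/dev/zero of="$NOSIG" bs=512 count=1 2>/dev/null

echo "clean:     $(mbr_check "$GOOD" "$BASELINE")"   # ok
echo "rewritten: $(mbr_check "$BAD" "$BASELINE")"    # modified
echo "blank:     $(mbr_check "$NOSIG" "$BASELINE")"  # no-signature

# On a real machine: take the baseline once from a trusted state, keep it
# off the host, and run the comparison from a live/rescue medium rather
# than the installed OS, since a running bootkit can filter reads of
# sector 0 (disk device name assumed):
#   dd if=/dev/sda bs=512 count=1 of=mbr.bin
#   mbr_check mbr.bin "$(cat baseline.sha256)"
```

Hashing only the bootstrap bytes keeps the baseline stable across partition edits and disk-signature rewrites; a TrueCrypt boot loader lives in exactly this region, so a changed hash there is the signal this bootkit would produce.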

You can download the source code here:

Open Source Framework – Stoned Bootkit Framework.zip
Infector file – Infector.exe

While I was trying to play with this bootkit, my computer at home, which runs the full version of Avira AntiVir Professional, detected that http://www.stone-vienna.com contains malicious code. At least I know my WebGuard (one of the modules inside Avira AntiVir) is protecting me from malicious activity.

Screenshot: Avira blocked stoned-vienna.com

However, don’t let this issue hold you back.

Do your homework, know your network.

Apache.org hacked

Not the first time; as I remember it, apache.org has been hacked more than three times. The site has been down, and most of the network belonging to this project has been disconnected from other servers.

The website of Apache was taken offline for several hours on Friday after the SSH remote administration key on one of its servers was compromised.

SSH is a widely used technology for remote administration, so in the worst scenario the compromise created a means for hackers to upload Trojanised code onto the download section of Apache’s website. Around 50 per cent of webservers run Apache, according to the latest stats from Netcraft, so any problem would be extremely widely felt.

It’s unclear at present whether any code on the Apache website was actually modified. Nor do we know how the attack was carried out or who was behind it.

According to the Apache Infrastructure Team, in their own words:

“To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.”

Technically, this time their SSH key was compromised from one of the users’ computers.

What’s the motive behind the attack: money, politics, or just to get famous among them? Good to know.
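A key lifted from a user's machine is only as dangerous as what it is allowed to do, so two checks are worth running on any server that accepts key logins: which authorized keys carry no from="..." restriction (usable from anywhere once copied), and whether the private keys sitting on endpoints are passphrase-protected at all. The script below is an added example, not from the Apache infrastructure team or the Register article; the authorized_keys content and the key files it inspects are constructed (placeholder base64 fields and truncated headers, not real keys), and it says nothing about how the Apache key itself was stored.

```shell
#!/bin/sh
# Added example (not from the Apache or Register write-ups): two checks
# that limit what a stolen SSH key is worth. All key material below is
# constructed placeholder text, not real keys.

# Reads an authorized_keys file on stdin and prints the number of keys that
# carry no from="..." option, i.e. keys usable from any source address once
# copied off the owner's machine. Comment and blank lines are skipped.
# Only the option field (everything before the key type) is examined.
count_keys_without_from() {
    n=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        opts=${line%%ssh-*}
        opts=${opts%%ecdsa-*}
        case "$opts" in
            *from=\"*) ;;            # source-restricted
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# key_passphrase_protected FILE -> yes | no | unknown
# Traditional PEM marks encryption with a Proc-Type/DEK-Info header or an
# "ENCRYPTED PRIVATE KEY" block. The OpenSSH format stores the cipher name
# inside the base64 body: "openssh-key-v1\0", a 4-byte length, then the
# name; a cipher of "none" means the key is on disk in the clear.
key_passphrase_protected() {
    f=$1
    magic='6f70656e7373682d6b65792d763100'   # "openssh-key-v1\0" as hex
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        hex=$(sed '/^-----/d' "$f" | tr -d '\n' | base64 -d 2>/dev/null \
              | dd bs=1 count=23 2>/dev/null | od -An -tx1 | tr -d ' \n')
        case "$hex" in
            "${magic}000000046e6f6e65"*) echo no ;;   # length 4, "none"
            "${magic}"*)                 echo yes ;;  # any other cipher
            *)                           echo unknown ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo yes
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo yes; else echo no; fi
    else
        echo unknown
    fi
}

# Constructed authorized_keys: the base64 fields are placeholders.
AUTH_KEYS='# constructed sample
from="203.0.113.5",command="/usr/local/bin/rsync-backup" ssh-rsa AAAAB3PLACEHOLDER backup@host1
command="/usr/local/bin/deploy" ssh-ed25519 AAAAC3PLACEHOLDER deploy@host2
ssh-rsa AAAAB3PLACEHOLDER admin@laptop'

TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
# Constructed, truncated openssh-key-v1 blobs: only the magic and the
# cipher name, enough for the header check; not loadable keys.
{ echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\004none' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'; } > "$TMPD/id_plain"
{ echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\012aes256-ctr' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'; } > "$TMPD/id_enc"
# Constructed traditional PEM headers; bodies omitted.
{ echo '-----BEGIN RSA PRIVATE KEY-----'
  echo 'Proc-Type: 4,ENCRYPTED'
  echo 'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF'
  echo; echo '-----END RSA PRIVATE KEY-----'; } > "$TMPD/id_pem_enc"
{ echo '-----BEGIN RSA PRIVATE KEY-----'
  echo '-----END RSA PRIVATE KEY-----'; } > "$TMPD/id_pem_plain"

echo "keys without from=: $(printf '%s\n' "$AUTH_KEYS" | count_keys_without_from)"  # 2
for k in id_plain id_enc id_pem_enc id_pem_plain; do
    echo "$k: $(key_passphrase_protected "$TMPD/$k")"
done
# On a real host:  key_passphrase_protected ~/.ssh/id_rsa
#                  count_keys_without_from < ~/.ssh/authorized_keys
```

A from= restriction does not make a stolen key harmless, but it means the thief must also reach the server from the owner's address, and a forced command= limits what the key can run once there; both are visible from the server side without touching the user's machine.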