eleventh alliance

(IN)SECURE Magazine issue 1.5 released

Issue 1.5 of (IN)SECURE Magazine has been released. The table of contents includes:

  • Web application firewalls primer
  • Review: Trustware BufferZone 1.6
  • Threat analysis using log data
  • Looking back at computer security in 2005
  • Writing an enterprise handheld security policy
  • Digital Rights Management
  • Revenge of the Web mob
  • Hardening Windows Server 2003 platforms made easy
  • Filtering spam server-side

Happy reading.

9:47 pm

Speaking at EUSecWest end of February

I have been informed that I have been selected to speak about Network Security Monitoring at EUSecWest in London, UK, at the end of February. I will cover both the theory and practice of the NSM methodology and demo the Sguil NSM framework.

If you plan to attend the conference and want to meet up over a beer please do contact me.

10:33 pm

Learn reverse engineering and cheat in MS Pinball at the same time

This is just a very cool hack. “Mr. Speaker” documented how he reverse engineered MS Pinball to find a previously undocumented cheat mode. It is a very cool intro to reverse engineering, and if you are thinking of getting into that it’s definitely worth a visit.

9:27 pm

Initial thoughts of CORE FORCE

I decided to take CORE FORCE from CORE Security Technologies (of CORE IMPACT fame) out for a spin in one of my fresh Windows 2000 Professional environments. It’s an out-of-the-box eval version with all the latest patches from Microsoft installed. The only additional software is VMware Tools, as I am running it under VMware. I also have to mention that CORE FORCE is still under development and is not recommended for production use yet. The version I have tried out is 0.70.111.

From the CORE FORCE homepage:

CORE FORCE is the first community oriented security solution for personal computers. CORE FORCE is free and provides a comprehensive endpoint security solution for Windows 2000 and Windows XP systems.

The security framework provided by CORE FORCE is leveraged by a community of security experts that share their security configurations for a growing list of programs. These security profiles can be downloaded by any user of CORE FORCE from the community Web site and they’re also completely open so that they can be peer-reviewed to minimize security hazards. The community approach to endpoint security also allows end-users who are not security experts to work in a secure environment.

CORE FORCE can be used to:

  • Protect your computer from compromises by worms, virus and email-borne malware
  • Prevent your computer from being used as a staging point to amplify attacks and compromise others
  • Prevent exploitation of known bugs in the operating system and applications running on your computer
  • Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
  • Detect and prevent execution of adware, spyware, trojan horses and other malware on your computer

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD’s PF firewall, granular file system and registry access control and programs’ integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

The installation was very easy, and after a reboot and some additional wizards CORE FORCE was up and running. I decided to take Internet Explorer out for a test ride: first visit some well-known news sites like Aftonbladet, Swedish IDG and CNN, and later go to the darker side of the internet, where the risk of getting spyware, trojans etc. is more a fact than a possibility.

Already at my first stop at Aftonbladet I got into trouble. As I mentioned, this is a fresh, never-been-used-before installation of Windows 2000 Professional, and as such it lacked the Macromedia Flash plugin. Although I had set CORE FORCE to the “Medium (recommended)” security level, it stopped me from installing the Flash plugin. I decided to temporarily turn CORE FORCE off so I could install the Flash plugin. Once I had installed the Flash plugin I re-activated CORE FORCE and continued to surf around. After checking out the news sites listed above I thought it would be a good idea to see how Windows Update works with CORE FORCE installed. It turns out that it didn’t work at all.

At this stage I stopped the testing. Security software is good as long as it doesn’t get in the way of productivity, which in this case it did. I am looking forward to seeing this software mature and become usable for Joe Average, but at the moment it is only useful for severely locked-down workstations like Internet kiosks, or for advanced users who really know what they are doing.

1:55 pm

Cheating in games can give you more than you asked for

Over the Christmas break I’ve been spending some time playing a free MMORPG called Silkroad Online. Yesterday there was a bot on the server advertising a cheat/trainer for the game called Legend Of Silkroad (or L.O.S. for short). I took an interest in the advertisement because I wanted to know how those MMORPG cheat programs work (although the leveling of a character can be pretty boring at times, it is usually entertaining enough and cheating does not interest me. It’s the journey, not the destination, that is the goal of the game). I downloaded the advertised zip file and decided to pass it through a virus scan before doing anything else with it, and, as I had almost expected, the cheat program had some unadvertised features, namely a backdoor program. Because the anti-malware community does not yet have a common naming scheme in place, the backdoor has almost as many names as there are scanners.

Now, I don’t know how many people got their computers compromised by this tool, but my guess would be “quite a few”. Among the people I talk to on the server it seems that there are quite a few who have put their character on “autopilot” mode to level up.

Hopefully I will get a few minutes to myself this weekend to unleash this malicious software in a virtual environment for a scientific study.

Below I have included the scan result from Virus Total.

VirusTotal Scan Result of L.O.S. zip-file

For obvious reasons I have not included any links or mirrors to the infected file.
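The post only says the zip was passed through a virus scanner before anything else was done with it. Below is an added example (mine, not code from the post or from any scanner) of the first, scanner-independent step of triaging a download like that: list the archive members without extracting them, hash each one so the digest can be matched against a scanner report, and flag members that are Windows PE executables (they start with "MZ") even when the file name pretends otherwise. The archive, its member names and contents are constructed here for the demo; they are not the real L.O.S. file.

```python
"""Triage an untrusted zip download without extracting or running anything.

Added example, not code from the original post. The archive built by
build_sample_archive() is constructed for the demo: a text readme, a
"trainer" binary, and a data file that is really a PE executable.
"""
import hashlib
import io
import posixpath
import zipfile

PE_MAGIC = b"MZ"  # DOS/PE header signature; a heuristic, not a full PE parse
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}


def inspect_archive(data: bytes) -> list[dict]:
    """One record per file member: name, size, sha256, PE magic and claimed type.

    Members are read into memory only to hash and sniff them; nothing is
    written to disk and nothing is executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                content = member.read()
            ext = posixpath.splitext(info.filename)[1].lower()
            findings.append({
                "name": info.filename,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "is_pe": content.startswith(PE_MAGIC),
                "claims_executable": ext in EXECUTABLE_EXTENSIONS,
            })
    return findings


def suspicious_members(data: bytes) -> list[str]:
    """Names of members carrying PE code, including those behind a non-executable extension."""
    return [f["name"] for f in inspect_archive(data) if f["is_pe"]]


def disguised_executables(data: bytes) -> list[str]:
    """Members that are PE files but whose extension says they are not programs."""
    return [f["name"] for f in inspect_archive(data)
            if f["is_pe"] and not f["claims_executable"]]


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo (not the real trainer)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Legend Of Silkroad trainer\n")
        zf.writestr("los.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("config.dat", b"MZ" + b"\x90" * 62)  # PE hiding behind a data name
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for record in inspect_archive(sample):
        print(record["name"], record["size"], record["sha256"],
              "PE" if record["is_pe"] else "-")
    print("suspicious:", suspicious_members(sample))
    print("disguised:", disguised_executables(sample))
```

The SHA-256 of each member is what you would look up on a multi-scanner site or in a vendor report, since the scanner names will differ but the hash will not. The "MZ" check only identifies DOS/PE headers; a full triage would also parse the PE header, check for nested archives, and treat scripts and installers as executable content.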

11:23 pm