Call for Participation

The European Network and Information Security Agency (ENISA) and the Institute of Computer Science (ICS) of the Foundation for Research and Technology – Hellas (FORTH) invite you to the jointly organised 3rd ENISA-FORTH Summer School on Network and Information Security (NIS’10).

The “Future Internet” promises an exciting new world of services and capabilities: Devices that will  automatically exchange information to facilitate users, services that transparently and seamlessly combine information from different and multiple sources, protocols and systems that are able to handle complex interactions. At the same time, however, concerns about privacy and security increase for individuals, organizations, and the society in general. This gives rise to a number of question such as where should responsibility be placed and how should solutions be enforced and verified in a world of complex infrastructures and services?

Following the success of NIS’08 and NIS’09, the 3rd edition of the Summer School on Network and Information Security (NIS’10) will cover topics that address legal, technical, and policy issues in this emerging world. The Summer School aims to provide a forum for experts in Information Security, policy makers from EU Member States and EU Institutions, decision makers from the industry, as well as members of the research and academic community, for interacting on cuttingedge and interesting topics in NIS.

Keynote Speakers

• Dr. Jorgo Chatzimarkakis, Member of the European Parliament, EU
• Dr. Silvia Adriana Ticau, Member of the European Parliament, EU
• Mr. Mario Campolargo, Director of the Emerging Technologies and Infrastructures, DG INFSO, European Commission, EU
• Mr. Bruce Schneier, Chief Security Technology Officer of BT, UK
• Mr. Mikko Hypponen, Chief Research Officer, F-Secure, FI
• Mr. Peter Hustinx, Supervisor, European Data Protection Supervisor, EU

Steering Committee

• Dr. Udo Helmbrecht, Executive Director of ENISA, EU
• Prof. Constantine Stephanidis, Director of FORTH-ICS, GR, Member of ENISA Management Board

Venue

NIS’10 will take place in Hersonissos, Crete, Greece. Hersonissos is a small town approximately 30km from Heraklion and its airport. For instructions of how to get to the conference venue, please visit the travel information section on the NIS web page. The venue of the Summer School is Aldemar Knossos Royal Village. Aldemar Knossos Royal Village hotel is a magnificent resort located on the north coast of the island of Crete in Hersonissos.

Online resources

• Website
• Full Program
• Committees
• Registration

Adobe’s popular PDF viewer, Adobe Reader, always attracts large amount of hackers who try to exploit its vulnerabilities. Some reports found that Adobe Reader is at the top list for having the most exploits for web-based attacks. Now, the company wants to “turning to sandboxing technology designed to isolate code from other parts of the computer.” A “protected mode” will be added to the Adobe Reader for Windows which will be enabled by default and release later this year. Because of minor attack against Macintosh system, there is no plan to implement this feature to Mac OS yet.

Several changes will be made due to sandbox mechanism. The PDF processing will be confined, such as executing JavaScript, parsing JPEG image etc. Application running in the Adobe Reader will not be able to communicate with the operating system any more. “This is an additional layer of defense that will help protect users in case they encounter a malicious or corrupted PDF.” said Brad Arkin, the director of product security and privacy of Adobe. The new feature could limit the number of exploits, but not all of them. Some attacks like phishing and weak cryptography still exist.

Some experts believe that Sandbox can not prevent code execution vulnerability, but it makes attacks much hard to success. With Sandbox, the attackers need to find vulnerability in both programs, Reader and Sandbox.

Just by opening a directory containing the infected shortcut will get user infected. Once the infected shortcut icon is displayed in Windows Explorer, malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks, using this vulnerabilities.  Independent security researcher Frank Boldewin had found the attack is currently targeted toward the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published aproof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit with the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the displaying of icon for shortcut and turning off WebClient service as workarounds against possible attacks. Please reference Microsoft advisory for details of how to “Disable the displaying of icons for shortcuts“. Another way to protect yourself is to use Didier Stevens’ tool Ariad .

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

source:

Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow

The classical approach to analyze malware is to set up a virtual machine on a computer specifically designed for that purpose and then release the malware and monitor how it affects the system. The drawback of this protocol is that much of the malware’s behavior can remain hidden, while deeper analysis is not a convenient option.

REMnux comes as a solution to these disadvantages and offers an alternative approach for taking apart a malicious code. Typically, infection of another laboratory system with the malware sample is followed by direction of the potentially-malicious connections to the REMnux “monitoring” ports.

This approach combines a generous number of popular malware-analysis, reverse-engineering, network monitoring, and memory forensic tools. Amongst them, REMnux contains three tools for analyzing Flash-specific malware, namely SWF tools, Flasm, and Flare. Furthermore, it contains several applications for analyzing malicious PDFs, such as the Didier Steven’s analysis tools. The OS also provides a lot of tools for de-obfucating JavaScript, including Rhino debugger, a NoScript-version of Firefox, JavaScript Deobfuscator and Firebug, and Windows Script Decoder. In addition to the above analysis tools, a small Web server, an IRC server, and a pseudo-DNS server are also included. Further, several tools for network monitoring and interactions, such as the virtual honeypot server, HoneyD, as well as Wireshark, INetSim, fakedns and fakesmtp scripts, and NetCat are also part of REMnux.

Behind the development of REMnux stands the idea of providing a useful set of tools for people interested in the field, rather than a be-all reverse-engineering environment. As Zeltser himself puts it: “This doesn’t have every tool in it, because I think people can get distracted with too many tools in there”. On the contrary, Zeltser states that this OS targets beginners or people that are not Linux experts. He also hopes that users’ input and comments will aid in further development of REMnux to reach an improved version of the OS.

Any interested and adventurous potential developers, who would like to contribute to the improvement of REMnux,  are welcomed to contact Lenny Zelter directly.

John Aycock who co-authored a paper with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin have come up with solutions which support computers with security defences against threats of various Adwares like the Typhoid Adware.

Click here for more information.

In that paper the researchers demonstrated the technique to continuously spy on BitTorrent users for 103 days. They collected 148 million IP addresses and identified 2 billion copies of downloads, many of them copyrighted.

From this research most important is that identified the IP addresses where much of the content originated. This means that the individuals that creating the torrent files are few. Therefore, the question is why the anti-piracy groups try to stop millions of downloaders instead of a few content providers.

However, with social networking sites, those addresses include data which advertisers can use to look up individual profiles and discover users’ personal information and interests, contrary to their privacy policy and their promises they don’t share such information without consent.

After Wall Street Journal’s questions, Facebook and MySpace moved to make changes to stop the handover.

“If you are looking at your profile page and you click on an advertisement, you are telling that advertiser who you are”, an assistant professor at Harvard Business School said.

See the graphic about Internet sites that share information that could be tied to individual profiles.

Source: The Wall Street Journal

http://news.cnet.com/8301-27080_3-20005420-245.html?tag=mncol;title

http://www.microsoft.com/technet/security/advisory/2028859.mspx

http://secunia.com/advisories/39577

The scripts on the page check for installed plugins and compare the version of the installed plugin with the latest version that is offered officially by the developer of the plugin. Some supported plug-ins (among others) are Apple Quicktime, Shockwave Flash, Adobe Acrobat, Java, RealPlayer and Windows Media Player plugins. Furthermore the Mozila Firefox development team now extends the page to support all the popular browsers.

The service checks the browser plug-ins on Internet Explorer, Chrome, Opera, Safari and Firefox. This special page promises to check these plug-ins for you, and advise you of when it is time to update. Johnathan Nightingale, director of Firefox development, claimed that in the months since the page was deployed, it had seen over 60 per cent of Adobe Flash users with the most recent version, with the number growing to more than 75 per cent if the second most recent update is included.He said: “We believe that plug-in safety is an issue for the web as a whole, so while our initial efforts focused on building a page that would work for Firefox users, the team has since expanded plug-in check coverage to work with Safari 4, Chrome 4 and Opera 10.5.“We have added support for Internet Explorer 7 and 8 for the most popular plug-ins, as well, but since IE requires specific code to be written for each plug-in it will take us a little longer to get to full coverage.“This has been a phenomenal amount of work to develop and test, and the matrix of browser, plug-in and OS grows very quickly.”

Plugins are either rated as safe or potentially vulnerable (there might be a third rating for vulnerable plugins). An update button is displayed next to potentially vulnerable plugins which should lead to a download page to update the latest version of the plugin. Some plugins do not reveal their full version which means that they will be shown as potentially vulnerable even if the latest version is installed.

Graham Cluley, senior technology consultant at Sophos, said: “It’s great that Mozilla has extended its service to offer an additional security check for users of other browsers. Hopefully it will encourage more computer users to keep their systems patched, and make life more difficult for hackers.”

You can check your plugins here and you can find more on this project here.

References : scmagazineuk

The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.

For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occurring. However, altering a server’s response before it gets rendered by the browser may have unintended consequences.
The researchers figured out a way to use IE8′s altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS attacks. Moreover the filter can be used in order to disable client-side security functionality from working by faking a XSS attack in the incoming string. Additionally it can be used to inject HTML code because the browser will improperly interpret the “malicious” JavaScript.

The researchers who discover these vulnerabilities are suggesting techniques to close the hole in IE 8 filter.One way is to disable execution of a filtered string found to be an attack by the users browser. Another possible technique is to utilize site-wide anti-CSRF tokens that prevent any sort of XSS from being exploited in the first place.

Microsoft will update the IE cross-site scripting (XSS) filter in June to fix the hole that researchers discover.

For more information on the IE8 filter vulnerabilities you can read the researchers documentation here.

References: Slashdot , Cnet, ZDnet