Join us on the 10th to hear and participate in this interview.

Live Stream: http://radio.packetsense.net:8000/listen.m3u

IRC Chat: irc://irc.freenode.net/securabit

About Brian Krebs: http://www.krebsonsecurity.com/about/

Listen in as we discuss Sunbelt Software’s CWSandbox and other products, along with in-depth malware detection and analysis!

#BSidesSF – Tuesday/Wednesday, March 2-3, 2010 @ 10am – 5pm
#BSidesAustin – Saturday, March 13, 2010
#BSidesBOS – Saturday/Sunday, April 24-25, 2010
Chat with us on IRC at   irc.freenode.net #securabit

Hosts:
Anthony Gartner – @anthonygartner
Christopher Mills – @thechrisam
Chris Gerling  – @chrisgerling
Jason Mueller – @securabit_jay
Andrew Borel –  @andrew_secbit

Guests:
Brian Jack – Sunbelt Software
Chad Loeven – Sunbelt Software

Links:

http://www.sunbeltsoftware.com/

http://www.sunbeltsoftware.com/Malware-Research-Analysis-Tools/Sunbelt-CWSandbox/

http://www.securitybsides.com/

To that end Andrew Hoog of viaForensics has announced the first release of their Android Forensics application. Better yet, the application has been released under the GPL, so other developers will be free to tinker with the source, and hopefully expand the app’s capabilities.

The app is an APK file (currently unsigned, so to use it untrusted sources would need to be allowed on the device) which can be loaded on the device by using the Android SDK.  Once loaded it can compile information from various sources on the device including:

• Browser history
• Call logs
• Contacts (including the different contact methods and other contact data)
• SMS messages

The information is compiled into CSV files which can then be downloaded onto a workstation for review.  From the announcement it appears there are high hopes that more information can be gathered from the device, but this is certainly a start.

Announcement at the SANS Digital Forensics Blog

Google Code Project Page

viaForensics Blog

Everyone has a Microsoft Windows system, and most of us have a lot of them.  How can you know whether or not your systems are configured securely?  How do you know that users are following security policies that apply to systems in your domain?  How can you manage the security of thousands of systems at the same time?

In this two hour class David Hoelzer, SANS’ IT Audit Curriculum Chair, will cover fundamentals that will get you up and running with automated security compliance.  You will learn how to scale important tests out to thousands of systems in an effective way and how to produce useful reports.  Additionally, David will provide tips on how to automatically generate useful alerts from the data collection processes that are covered.

The course will be on Tuesday, March 16th 2010 from 5:00 PM – 7:00 PM EDT.

Register at http://www.sans.org/vlive/details.php?nid=21568 and use coupon code BIT20 to save $175 on this course!  You will pay only $20!

David Hoelzer will also be teaching Audit 507: Auditing Networks, Perimeters, and Systems, a 36-hr course, on vLive! beginning March 29.  https://www.sans.org/vlive/details.php?nid=20748

Mozilla released Firefox 3.5.8 and 3.0.18 which fix multiple vulnerabilities, but the same day Intevydis dropped 0-day for Firefox 3.6 for the VulnDisco add-on for Immunity’s Canvas. There seems to be some debate on the validity of the exploit, so keep that in mind.  It does not appear that Mozilla has officially responded to this yet or provided a patch.

Cisco has released a trio of advisories for Firewall Services Modules, ASA 5500 appliances and the Cisco Security Agent.  The FWSM advisory is for a DoS attack when Skinny Client Control Protocol inspection is enabled.  The ASA and Security advisories both list multiple vulnerabilities, including SQLi, DoS, and Auth Bypass.

Updates are also available for OpenOffice and Google’s Picasa to close holes in file handling bugs among other vulnerabilites.

In other vulnerability news, 2X Software, who sell thin client/server/terminal software appear to have become accidental security researchers, as they claim to have found a vulnerability in Windows (according to them Windowas 2000 and up) which can be exploited for a DoS.  There is controversy around this, as other security researchers (non-accidental ones) argue that the same can be done without an exploit, and that the announcement is a publicity stunt and Microsoft appears to have this listed more as a bug than a feature, er vulnerability.  I’ve provided a few links so you can decide for yourself.

• Adobe: Security update available for Adobe Download Manager
• Mozilla: Firefox 3.5.8 Release fixes multiple vulnerabilities
• Mozilla:  0-day for Firefox 3.6
• Cisco: Cisco Firewall Services Module Skinny Client Control Protocol Inspection DoS
• Cisco: Multiple vulnerabilities in ASA 5500 Series Appliances
• Cisco: Multiple Vulnerabilities in Cisco Security Agent
• OpenOffice: Multiple vulnerabilities in versions prior to 3.2
• Google: Picasa JPEG Processing Integer Overflow Vulnerability
• Microsoft: Possible DoS in Windows 2000 and up:
  • The Register: Creaky old Windows flaw rises, divides doommongers
  • SC Magazine: Malta researchers find Windows bug that crashes PCs
  • SC Magazine: Microsoft operating system vulnerability claims refuted

His latest video is Metasploit Tricks 1.  Check it out!

We’re looking forward to more videos, and if you don’t learn something every time, make sure to punch him at the next conference

Cisco has also posted updates, this set for their IronPort Appliances.  It looks like there are some serious vulnerabilities covered here, including accessing files on the appliance, as well as executing malicious code.

In the world of hardware hacking a researcher named Christopher Tarnovsky has managed to extract the encryption keys from the Trusted Computing Module.  There’s a lot of different chemicals, hardware and a Focused Ion Beam microscope involved.  Very impressive.

Google has released a new version of Chrome which fixes a large number of security issues, including one which earned some cash from the new Chrome bug bounty.  Of course there has been a lot of talk about privacy (or the lack thereof) in Google’s new Buzz service, but RSnake posted what appears to be a vulnerability in the service.

In an update to last week’s vuln roundup, some people have been having problems with update MS010-15, causing some XP machines to BSoD.  Turns out, those with the BSoD may also have another problem; a rootkit.  In other Microsoft matters, I’ve included an article on using Windows Communication Foundation services to perform a remote portscan, but which may also lead to other types of attacks against internal hosts.

Closing things out, TippingPoint’s Zero Day Initiative has announced the 2010 version of its Pwn2Own contest at the CanSecWest conference.  The targets of choice for this year are Web Browsers and Smart Phones.  I’m sure you’ll be reading about the outcome, or the patches from the outcome, after March 24th.

• Adobe: Security updates available for Adobe Reader and Acrobat
• Adobe: Security update available for Adobe Flash Player and Adobe AIR
• Adobe: Security update available for BlazeDS
• Cisco: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
• Infineon: Crypto Key from TPM chip extracted
• Google: XSS in Buzz
• Google: Chrome 4.0.249.89 released
• Microsoft: Abusing WCF to Perform Remote Port Scans
• TippingPoint Zero Day Initiative: Pwn2Own 2010

• What is SANS vLive?
• Forensics
• DOD Cyber Crime
• How the forensics classes are structured.
• 508 course and how it’s changed. Divided up into essentials and then follow on courses.  6 total courses for all of the info.
• APT – Advanced Persistant Threat
• Q & A from the IRC

If you haven’t taken the Security 508 course yet we have an excellent  opportunity for you!  Rob will be teaching the SEC508 (Forensics) course  via the SANS vLive! platform beginning 3/23/2010.  Classes will occur  every Tuesday and Thursday until 4/29/2010 from 7-10PM EDT.

Use code SB508 to get a free GCFA certification attempt with the  purchase of the full course.
Chat with us on IRC at   irc.freenode.net #securabit

Hosts:
Anthony Gartner – @anthonygartner
Christopher Mills – @thechrisam
Chris Gerling  – @chrisgerling
Jason Mueller – @securabit_jay
Andrew Borel –  @andrew_secbit

Guests:
Rob Lee – @robtlee

Links:
http://phishme.com/
http://phishtank.com/

We should be live around 8pm EST tonight, join us on IRC or listen in live at this link!

If you haven’t taken the Security 508 course yet we have an excellent opportunity for you!  Rob will be teaching the SEC508 (Forensics) course via the SANS vLive! platform beginning 3/23/2010.  Classes will occur every Tuesday and Thursday until 4/29/2010 from 7-10PM EDT.

Chris Gerling has taken the 508 course and recommend anyone who is interested in computer forensics take it as well.  Even if you aren’t a full-time forensic examiner, the information you take away from the class will help you in all aspects of information security.  Understanding how file systems and memory work can be crucial.

Please check out the course and register at this link!  Use code SB508 to get a free GCFA certification attempt with the purchase of the full course.