RootKit Hook Analyzer

October 30th, 2008

If you’ve ever wondered if your computer has a rootkit installed or if programs are doing things they shouldn’t, the RootKit Hook Analyzer might come in handy.

According to their website:

RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on.

Rootkits often hook kernel services, which lets them do stealthy things like hide files and processes, passively log keystrokes, and examine network traffic. They typically do this by changing pointers in the system call lookup table so that foreign code is executed when a system call is requested. However, not all hooks are bad: most software firewalls and antivirus products use system call hooks as well in order to do sensitive low-level tasks.

The Hook Analyzer simply examines the system call lookup table for system call handler addresses that point outside of the kernel’s memory area; such an entry indicates that the service has been hooked. It also gives users some details about which foreign module or device driver is now handling the system call. Used properly, this can help identify malicious rootkits.
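As an added illustration of the check described above (this is not code from the post or from the RootKit Hook Analyzer tool), the following Python models a system service table, a loaded-module list and the two steps the tool performs: flag every table entry whose handler lies outside the kernel image, then attribute the foreign address to whichever module owns it. The triage step reflects the point that firewall and antivirus hooks are expected, so only hooks owned by an unlisted or unknown module are reported for investigation. All addresses, sizes and the driver names `fwdrv.sys` and `usbhub.sys` are constructed sample data; the service names are real Windows system call names.

```python
# Added example, not code from the Security Musings post or from the RootKit Hook
# Analyzer tool. It models the check the post describes: every entry of the kernel's
# system service table should point into the kernel image; an entry that points
# elsewhere has been hooked, and the loaded-module list tells us which driver owns
# the foreign address. Every address, size and module name below is constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded kernel module: name plus the address range it occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Hook:
    """One service-table entry whose handler lies outside the kernel image."""
    index: int
    service: str
    address: int
    owner: Optional[str]  # module that owns the address; None if no listed module does


def find_hooks(table: List[Tuple[str, int]], kernel: Module, modules: List[Module]) -> List[Hook]:
    """Flag every table entry whose handler address is not inside the kernel image."""
    hooks = []
    for index, (service, addr) in enumerate(table):
        if kernel.contains(addr):
            continue  # unhooked: the handler is the kernel's own
        owner = next((m.name for m in modules if m.contains(addr)), None)
        hooks.append(Hook(index, service, addr, owner))
    return hooks


def triage(hooks: List[Hook], trusted_modules: Set[str]) -> List[Hook]:
    """Keep the hooks that deserve a closer look: those owned by no listed module at
    all (a driver that hid itself from the module list) or by a module that is not a
    known firewall/antivirus driver."""
    return [h for h in hooks if h.owner is None or h.owner not in trusted_modules]


def run_demo() -> Tuple[List[Hook], List[Hook]]:
    # Constructed sample data: a kernel image, two third-party drivers and a
    # four-entry service table (service names are real Windows system calls,
    # the addresses are made up).
    kernel = Module("ntoskrnl.exe", 0x804D7000, 0x0021F000)
    modules = [
        kernel,
        Module("fwdrv.sys", 0xF8A00000, 0x00010000),   # hypothetical firewall driver
        Module("usbhub.sys", 0xF8B20000, 0x00008000),  # unrelated driver, constructed range
    ]
    table = [
        ("NtCreateFile", 0x8057A0C0),
        ("NtQueryDirectoryFile", 0xF8A01230),      # hooked by fwdrv.sys
        ("NtQuerySystemInformation", 0xF9F00100),  # hooked; address belongs to no listed module
        ("NtClose", 0x805B3F00),
    ]
    hooks = find_hooks(table, kernel, modules)
    suspicious = triage(hooks, trusted_modules={"fwdrv.sys"})
    return hooks, suspicious


if __name__ == "__main__":
    found, suspect = run_demo()
    for h in found:
        print(f"#{h.index} {h.service}: 0x{h.address:08X} -> {h.owner or 'no listed module'}")
    print("needs investigation:", [h.service for h in suspect])
```

Running the demo reports two hooked services: the directory-listing call owned by the (allow-listed) firewall driver, and the system-information call whose handler belongs to no module in the list, which is exactly the pattern of a driver that hides files and processes while also hiding itself.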

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Security vs Usability (again)

October 29th, 2008

This from BetaNews (link opens in new window):

Giving a nod to developers who’ve apparently given a lot of feedback, as well as “certain commercials,” Microsoft’s platform chief Steven Sinofsky acknowledged that perhaps User Account Control in Windows Vista may have been…a little annoying. In turn, Windows 7 has additional UAC settings.

Fortunately for my own sanity, I haven’t had to jump through any hoops with UAC to get my code working, but that’s mostly because I deal with server-side code now. While the developer perspective is interesting, it’s really the user perspective that’s important to me, as someone who is concerned with the overall state of desktop security. Developers are not only in the minority, we also don’t have the option of just turning UAC off on client machines…we have to deal with it or simply not write software for Vista. In the current incarnation of Vista, however, UAC is so obtrusive that many users opt to disable it entirely to get the warnings to stop.

Sinofsky said that with UAC, Microsoft had what he described as “the best intentions” in mind. But its attention to informing the user about what’s going on and getting consent “possibly went too far.”

For now, in the Pre-Beta version of Windows 7, there are now four settings for configuring how intrusive UAC will be: Never notify me, Only notify me when programs try to make changes, Always notify, and Notify and wait for my approval.

I think this is the right approach. UAC doesn’t really bother me too much as an end user, but then again, I know what it means and what it’s actually doing. I think that Microsoft took a big step in the right direction security-wise with UAC, but those pop-up windows can be a real turn-off. I’m glad to see that rather than abandoning the model and starting over from scratch, they’re trying to make the “security vs. usability” tradeoff for users less of an all-or-nothing proposition.

Sending Encrypted E-mail with Outlook 2007

October 28th, 2008

Sending an encrypted e-mail in Microsoft Outlook is normally not as simple as clicking the icon, especially if you and the recipient do not belong to the same organization. You can try, but you will most likely be given the following message:

In order to send encrypted mail, Outlook needs a certificate with the recipient’s public key. A common way to get a hold of the certificate is by asking the person to send you a signed e-mail. It is also possible to send a certificate as a file. Here are step-by-step instructions for each case.

Emergency Windows Patch Released

October 23rd, 2008

Bulletin MS08-067 has been released along with its fix, and it’s a doozy. By releasing it outside of a “patch Tuesday” it is apparent that Microsoft wants to see this fixed as soon as possible. It affects every version of Windows from 2000 on through the latest beta of Windows 7.

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

Get yourself over to Windows Update and patch it up as soon as possible. Or download the standalone update from knowledgebase article 958644.

OS X Keychain

October 23rd, 2008

The OS X keychain is where all of the trusted Certification Authorities, certificates, keys, and stored passwords are kept in OS X (Tiger and Leopard). All Apple software, and a lot of third-party software use it. The notable exceptions are Firefox and Thunderbird, which use their own built-in stores. You can access Keychain through Applications -> Utilities -> Keychain Access.

Left side bar of Keychain
On the top left hand side bar, you’ll have at least two “keychains”: login and System Roots (X509Anchors on Tiger). Depending on what other software you have installed (*cough* Microsoft Office *cough*) and what configuration options you choose (joined to a Windows domain), you may have more. On the bottom left side bar, you can filter on the types of items stored in Keychain. You may notice the “Secure Notes” option – you can store any text in Keychain, and it’ll be encrypted and synced with the rest of Keychain’s data. Unless you’ve used Mail.app to send or receive signed and encrypted e-mail, you likely only have items under “Passwords”.

Keychain stores all of this sensitive information for you in 3-key, EDE 3DES encrypted form (the sensitive parts only; known public information, such as public keys, is not encrypted). The keys are tied to your login password, so the keychain is automatically unlocked for you when you log in (you can change this in the Keychain preferences). If you have .mac/MobileMe, you can have Keychain synchronize itself across your Macs, again encrypted.

If you use S/MIME mail (encrypted with certificates), all of the certificates of the people who have sent you signed messages are located here. If you double click on a certificate file (usually .cer or .der), Keychain will walk you through importing that certificate.

Clicking on a certificate
Usually, you want to add the certificate to the login keychain. If, however, you want all users on a system to be able to use that certificate, you can add it to the system keychain. The final task is to determine how much (or little) you trust the certificate. By double clicking on the certificate you just added (in Keychain), you can adjust your trust settings.

Trust Settings
For the most part, with regular certificates (not CA certificates), “Use System Settings” is sufficient (and the default). You only need to change this for CA certificates or when you want to restrict how the certificate can be used. CA certificates that you add must be explicitly trusted, by choosing “Always Trust” or “Use Custom Settings” on Leopard, or by adding them to the X509Anchors keychain in Tiger. Adjusting the trust settings allows you to say that you’ll trust a certificate (CA) for certain things, like e-mail or iChat, but not for IPsec (VPN).

For whom it matters: Keychain is not currently FIPS 140-2 level 1 certified. It is however in the process, and current details can always be found at http://www.apple.com/itpro/federal/. It’s also Common Criteria Certified (http://www.apple.com/support/security/commoncriteria/) for Jaguar, and it looks like for Tiger and Leopard as well, but that’s not clear.

Disabling Firefox’s ‘Secure Connection Failed’ Warning

October 21st, 2008

Although controversial, Firefox 3’s “Secure Connection Failed” warning, shown when a website’s digital certificate is invalid or self-signed, can be easily disabled.

  1. In the address bar, type about:config and press Enter.
  2. You’ll get a warning message, “This might void your warranty!”; click “I’ll be careful, I promise!”
  3. Double-click browser.ssl_override_behavior and change the value from 1 to 2.
  4. Restart Firefox.

Instead of disabling the notice altogether, you can have a warning displayed without having to add an exception:

  • browser.xul.error_pages.expert_bad_cert = true

Firefox’s anti-phishing warnings will still warn users if a specific site is suspicious. I’m not convinced that the secure connection failed warning really helps the average user, since they won’t know what it is. Either way, you can now get around it.

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!

New attention given to old tricks

October 20th, 2008

I’m sure if you’ve been paying attention to any of the tech/geek news blogs you’ve seen the attention given to the “Compromising Electromagnetic Emanations of Wired Keyboards” article. So you already know the buzz, and are probably all running out to build Faraday cages around your offices or workstations. But there really isn’t anything terribly new or groundbreaking here. It’s simply a further spin on an old trick.

Anyone who can remember back might recall a little something about “TEMPEST”. It’s the codename given to compromising emanations (CE). This research dates all the way back to 1985, when the security risks of emanations from computer monitors were analyzed.

By no means do I want to take away from the research and proof of concept that Martin Vuagnoux and Sylvain Pasini have put together. I simply want to focus on the fact that a lot of us, especially those young in the tech and security fields, are forgetting some of the roots. We’ve already pointed out some other old-school hacks that are still relevant today. So while everyone is hardening their systems for super stealth ultra-sensitive attacks against their systems, let’s not forget where we came from, and proper education of old-school attacks deserves some attention as well.

The example I used to segue into this might not be the most stellar example of an outdated attack; as technology advances, it might even become a commonplace attack. But the fact that this goes way back, and that technology is only making it easier, goes to show that things we think are out of reach today aren’t far from reach in the not-so-distant future.

So what do you think? What other areas of our past or even present do you think won’t hold any grounds for security in the not-so-distant future? What old-school hacks are still present today that many might be overlooking? Let us know in the comments…

Economic Uncertainty Affects Security Too

October 17th, 2008

An article from Dark Reading touched on some very valid points with regards to the security at financial institutions. According to the article:

Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Bank employees are overly eager or easily coerced into cooperating with “auditors,” or into clicking on links purportedly from the bank about its own financial welfare.

Even though this is very bad from a security standpoint, it seems like a natural human response. However, if someone is able to walk into a bank merely posing as an auditor and without having their credentials checked or challenged, it’s possible for them to make off with a lot of sensitive information.

This type of behavior isn’t limited to just bank employees. Economy-induced anxiety can also affect the judgment of regular users. The most successful phishing attacks prey on a user’s familiarity or interest in the subject presented as bait. So a phishing email claiming to request important information from a bank customer might be more likely to succeed when the economy and specific financial institutions are in a state of flux.

In fact, it would be wise for both bank employees and bank customers to be MORE cautious during times of economic uncertainty, as attackers are notorious for taking advantage of such situations. It just goes to show: when it comes to security, we can’t afford to be careless.

PKI Part I: Public-Key Cryptography

October 16th, 2008

PKI, or public-key infrastructure, is a method of associating a cryptographic key with a user by way of a trusted third party. Its usefulness can be found in various areas of security: assuring that data has not been modified (integrity), verifying that data was sent by the person who claims to have sent it (authentication), making certain that the sender cannot deny having sent a particular set of data (non-repudiation), and scrambling data for the sake of confidentiality. In this post, we will be looking into public-key cryptography, its benefits and how it works. Other aspects of PKI will be explored in future installments.

Critical Flash Player Update

October 15th, 2008

Adobe has released an advisory about a series of critical vulnerabilities in Flash Player 9.0.124.0 and earlier. The fix is to install the just-released Flash Player 10.0.12.36. The interesting thing is that the architecture of some security-related features has changed wholesale with Player 10, so things that used to work with 9 may stop working with 10.

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

The bulletin is here, and the updated player is here. Happy patching!
