Sep 29 2009

Web Application Security FAIL

jason

The number of XSS, XSRF, command injection, and SQL injection vulnerabilities in popular web applications has seemed to be increasing a lot over the last year and I am left wondering why these things keep popping up (and I also wonder why it’s taken me a month to finish this rant ;-) ).

May 26 2009

Introducing SELinux sandbox, confining untrusted binaries

jason

Eric Paris of the SELinux project announced on the LKML today the creation of the SELinux sandbox, a method to confine untrusted binaries.

The idea is to allow administrators to tightly lock down untrusted applications in a sandbox where they cannot use the network or open/create any file that is not handed to the process. This can be used to protect a system while still allowing it to run some untrusted binary.

This definitely appears to be an interesting new development for SELinux: a great place to run suspect code or maybe even Windows binaries via WINE.
I’ve used SELinux a little bit in the past, but usually found it incredibly complex to learn for the basic home network uses I wanted to have it for. This new feature may get me to put some real effort towards actually making the leap and committing myself to learn how to properly implement and use it.
Related books:

  • SELinux by Example by Frank Mayer, David Caplan, and Karl MacMillan, published by Prentice Hall
  • SELinux by Bill McCarty, published by O’Reilly & Associates

May 3 2009

Quantum Cryptography Breakthrough

jason

Austrian physicists announced a breakthrough in the transmission of quantum cryptography messages. They have devised a method that may allow messages to be bounced off satellites as a means of transmission, which removes the current limitation of using only optical fiber. Quantum cryptography uses light particles to transmit the message, which allows users to detect tampering or eavesdropping on their messages. This property comes from quantum indeterminacy (similar to Heisenberg’s uncertainty principle), which says that measuring or looking at the light particle will cause it to change its state, and that leaves evidence that someone either looked at or tried to change the message.


Apr 19 2009

A new Linux rootkit technique presented

jason

Anthony Lineberry is presenting a new Linux kernel rootkit technique at the BlackHat conference in Amsterdam. From the article:

This offers rootkit developers a new way to hide files or processes, or interfere with network traffic. The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory. For example, XServer and DOSEmu both use it. Lineberry says introducing rootkits via /dev/mem is also less obvious than the established route via loadable kernel modules (LKMs).

….

Lineberry also gives some tips on how the Linux world can protect itself against rootkits of this kind. He believes it should be enough to modify the memory driver so that it doesn’t allow the write/read pointer lseek to look for more than 16 kilobytes in the memory area. Current versions of Red Hat and Fedora are inherently secure, because their kernel already incorporates the features of SELinux (Security Enhanced Linux).

Lineberry says there are also corresponding improvements in version 2.6.26 of the mainline kernel. For that purpose, the kernel was given two new functions: range_is_allowed() and devmem_is_allowed(). But this protection, he says, won’t be effective unless the preprocessor directive CONFIG_STRICT_DEVMEM has been enabled when the kernel is compiled. Otherwise, range_is_allowed() always returns success. Lineberry says that the kernel configuration setting STRICT_DEVMEM, which sets CONFIG_STRICT_DEVMEM, is not activated by default during kernel compilation. He was unable to say when libmemrk would be available for downloading, as he was still engaged in eliminating its last weaknesses.

Using /dev/mem this way was previously theorized in a Phrack article about using /dev/kmem, but Lineberry is the first to implement this technique.

Time to start recompiling my gentoo kernels!
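As an added defender-side check (my own example, not code from the article or from libmemrk), here is a POSIX shell script that tests whether a kernel .config enables CONFIG_STRICT_DEVMEM, the option the quoted article says is needed for range_is_allowed() to actually restrict /dev/mem. The sample config files it writes are constructed for the demo; the /proc/config.gz and /boot/config-$(uname -r) locations are assumed distribution conventions.

```shell
#!/bin/sh
# Return 0 if the given kernel .config enables CONFIG_STRICT_DEVMEM,
# 1 if it is disabled ("# CONFIG_STRICT_DEVMEM is not set") or absent.
strict_devmem_enabled() {
    config_file="$1"
    grep -q '^CONFIG_STRICT_DEVMEM=y$' "$config_file"
}

# Locate the running kernel's config (assumed conventional locations):
# /proc/config.gz if the kernel exposes it, else the copy under /boot.
# Prints the path, or nothing if neither is readable.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Print a one-line verdict for a config file, plus the mode of /dev/mem,
# since a world-readable or writable device node is a problem on its own.
report_devmem() {
    config_file="$1"
    if strict_devmem_enabled "$config_file"; then
        echo "$config_file: CONFIG_STRICT_DEVMEM=y, /dev/mem access is range-checked"
    else
        echo "$config_file: CONFIG_STRICT_DEVMEM not set, /dev/mem is unrestricted (rebuild kernel)"
    fi
    if [ -e /dev/mem ]; then
        ls -l /dev/mem
    fi
}

# Constructed sample configs (not taken from any real kernel) so the
# script runs stand-alone; swap in "$(find_kernel_config)" on a live box.
sample_dir=$(mktemp -d)
printf 'CONFIG_DEVMEM=y\n# CONFIG_STRICT_DEVMEM is not set\n' > "$sample_dir/weak.config"
printf 'CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n' > "$sample_dir/hardened.config"

report_devmem "$sample_dir/weak.config"
report_devmem "$sample_dir/hardened.config"
```

On a running system, `report_devmem "$(find_kernel_config)"` gives the verdict for the booted kernel.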


Feb 28 2009

OSSEC v2.0 Released

jason

The OSSEC team has announced the release of OSSEC v2.0. The new features include (quoted from the announcement):

  • Compiled Rules – Per popular demand, we are introducing the capability in the product to be able to use pre-compiled rules written in “C”. Customers who felt that the XML format for writing rules was very limiting can now use the strong programming capabilities of C.
  • Agentless Monitoring – Lots of enterprises are faced with the requirement to monitor devices where there are restrictions on agents being installed, either because of scalability requirements or due to the lack of native operating system support. In version 2.0, OSSEC customers can perform integrity checking and real-time log inspection on remote systems (such as Linux-based devices, firewall devices such as PIX, routers, etc.).
  • New Language Support – We added support for the Dutch language in the install.
  • New Log Rules Support – We added support for Yum logs and fixed/improved many of the other rules for different messages.
  • New reporting tool – We added a new tool to create and help generate reports.

OSSEC is a multiplatform, open-source Host Intrusion Detection System (HIDS) that I have used before and have been pleased with the results. I’d recommend at least testing it out to see if it meets your needs. The new features definitely make it even more appealing as a solution to help monitor the security of your systems and I’ll definitely be investigating ways to integrate it into my current setup.


Feb 9 2009

BackTrack 4 Is Coming!

jason

The remote-exploit guys released a beta for the anticipated (well, anticipated by us security geeks) BackTrack 4 at Shmoocon this past weekend for those that were able to attend. In a comment on the BackTrack 4 blog, Muts commented on some questions about Shmoocon attendees uploading the BT4 beta and also revealed that they will be releasing to the public soon (maybe even the final version?):

There are lots of “BackTrack 4” torrents, many of them are CD bootlegs of various artists. We would not be surprised in the least if an ISO was “leaked”. We’re not so much concerned about “leaks” as we are of not having uniform versions of BT on the net. Not to mention that the ISOs can be modified on the way…

Keep your pants on, we’re almost there… just getting the mirrors ready, and all will be good! Stick to official releases!

The list of new features that are coming includes:

  • Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.
  • Support for PXE Boot – Boot BackTrack over the network with PXE supported cards!
  • SAINT EXPLOIT – kindly provided by SAINT corporation for our users with a limited number of free IPs.
  • MALTEGO – The guys over at Paterva did outstanding work with Maltego 2.0.2 – which is featured in BackTrack as a community edition.
  • The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.
  • Unicornscan – Fully functional with Postgres logging support and a web front end.
  • RFID support (thanks to Adam Laurie)
  • Possible CUDA support…
  • New and updated tools – the list is endless!

I can’t wait to get my hands on an official release. Great job guys, keep up the awesome work!

UPDATE: The BackTrack team released the beta to the public earlier today! [read article]
