Category: Network Security


A memory leak is an unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when it is no longer needed. The consequences of such an issue depend on the application itself. Consider the following three general cases:

Case: Short-lived user-land application
Consequence: Little if any noticeable effect. Modern operating systems reclaim the lost memory after program termination.

Case: Long-lived user-land application
Consequence: Potentially dangerous. These applications continue to waste memory over time, eventually consuming all RAM resources, which leads to abnormal system behaviour.

Case: Kernel-land process
Consequence: Very dangerous. Memory leaks at the kernel level lead to serious system stability issues. Kernel memory is very limited compared to user-land memory and should be handled cautiously.

Memory is allocated but never freed.

Memory leaks have two common and sometimes overlapping causes:

* Error conditions and other exceptional circumstances.
* Confusion over which part of the program is responsible for freeing the memory.

Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing the program) or take advantage of other unexpected program behavior resulting from a low memory condition.
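The first of the two causes listed above (an early return on an error path) is the one an attacker can usually trigger on demand. The following C program is an added example, not code from the original post: it wraps malloc/free in a small counter so the leak becomes measurable, and places a leaky constructor beside the corrected one. The record type, the function names and the size limit are all constructed for the illustration; in a real project the counter's role is played by a leak checker such as Valgrind or AddressSanitizer.

```c
/* Added example (not from the original post): a tiny allocation tracker that
 * makes the "leak on error path" pattern measurable, beside the fixed version. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of tracked allocations that have not been freed yet. */
static long live_allocations = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_allocations--; free(p); }
}

long outstanding_allocations(void) { return live_allocations; }

/* A record that owns two heap buffers (constructed type for the example). */
struct record {
    char *name;
    char *payload;
};

/* Leaky version: every early return after the first allocation abandons what
 * has already been allocated. A caller that can make the validation fail
 * repeatedly (payload_len == 0, for instance) grows the process on each call. */
struct record *record_create_leaky(const char *name, size_t payload_len) {
    struct record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;
    r->name = tracked_malloc(strlen(name) + 1);
    if (!r->name) return NULL;                       /* leaks r */
    strcpy(r->name, name);
    if (payload_len == 0 || payload_len > 1024 * 1024) return NULL; /* leaks r, r->name */
    r->payload = tracked_malloc(payload_len);
    if (!r->payload) return NULL;                    /* leaks r, r->name */
    return r;
}

/* Ownership rule, stated once: a record returned by record_create() is released
 * only by record_destroy(). This removes the "who frees it?" confusion. */
void record_destroy(struct record *r);

/* Fixed version: all error paths funnel into one cleanup that releases
 * exactly what has been allocated so far (NULL members are skipped). */
struct record *record_create(const char *name, size_t payload_len) {
    struct record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;
    r->name = NULL;
    r->payload = NULL;
    r->name = tracked_malloc(strlen(name) + 1);
    if (!r->name) goto fail;
    strcpy(r->name, name);
    if (payload_len == 0 || payload_len > 1024 * 1024) goto fail;
    r->payload = tracked_malloc(payload_len);
    if (!r->payload) goto fail;
    return r;
fail:
    record_destroy(r);
    return NULL;
}

void record_destroy(struct record *r) {
    if (!r) return;
    tracked_free(r->payload);
    tracked_free(r->name);
    tracked_free(r);
}

/* Simulate an input that drives the error path n times and report how many
 * blocks are still allocated afterwards (0 for a leak-free implementation). */
long leaked_after_failed_calls(int leaky, int n) {
    long before = live_allocations;
    for (int i = 0; i < n; i++) {
        struct record *r = leaky ? record_create_leaky("session", 0)
                                 : record_create("session", 0);
        record_destroy(r); /* r is NULL on failure, so this is a no-op */
    }
    return live_allocations - before;
}

/* Successful create followed by destroy must leave the counter unchanged. */
int create_and_release_round_trip(void) {
    long before = live_allocations;
    struct record *r = record_create("session", 16);
    if (!r) return 0;
    record_destroy(r);
    return live_allocations == before;
}

int main(void) {
    printf("leaky: %ld blocks left after 1000 failed calls\n", leaked_after_failed_calls(1, 1000));
    printf("fixed: %ld blocks left after 1000 failed calls\n", leaked_after_failed_calls(0, 1000));
    return 0;
}
```

The leaky variant loses two blocks per failed call, so a long-lived service exposed to attacker-controlled input would exhaust memory at a rate the attacker chooses; the single cleanup label is the usual C idiom for making every error path release the same resources.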


While looking for a freeware tool or plug-in to check current session-level cookies, I found a Firefox extension that allows me to watch a selected cookie in the status bar.
It is a simple extension. It helps with testing web applications: it can quickly wipe a 'session' cookie, or help identify the cluster node in clustered environments using the cookie value.

Download it here.

~Himanshu~

Have you heard of the phishing scam that is hitting Facebook users these days, which can crash your computer or mobile phone and steal your passwords? If not, beware: do not open the files ending with ".at" or ".be".
The phishing scam is run through spam messages which steal users' sensitive information. In the attack, messages are circulated with the subject line "Hello" and a prompt to check out "areps.at" or other URLs ending in ".at".
Mails with the subject line "Look at This" and links such as goldbase.be, greenbuddy.be, silvertag.be and picoband.be lead to malicious websites which, if visited, could download malware onto the computer through a "drive-by download".
Before being blocked, the URL directs the visitor to a fake Facebook page, and the e-mail ID and password are stolen as soon as the user logs in again. According to the Facebook blog, the password in such cases should be changed immediately and the same warning should be sent to one's Facebook acquaintances.

Here is one security testing checklist that may help you:
1. Are all the Internet-facing servers within the system registered with the corporate web office?
2. Do the test plans for the system include tests to verify that security functionality has been properly implemented?
3. If the system is rated high on the business effect assessment or if it is Internet facing, has the company security office been consulted to determine whether or not additional security testing is required?
4. Has the security test covered the following?
a. application testing
b. back doors in code
c. denial of service testing
d. directory permissions
e. document grinding (electronic waste research)
f. exploit research
g. firewall and application control list
h. intrusion detection systems
i. manual vulnerability testing and verification
j. network surveying
k. password cracking
l. PBX testing
m. port scanning
n. privacy review
o. redundant automated vulnerability scanning
p. review of IDS and server logs
q. security policy review
r. services probing
s. social engineering
t. system fingerprinting
u. trusted systems testing
v. user accounts
w. wireless leak tests

Regards,

Himanshu

A serious security flaw has been found in Internet Explorer 7.0, and experts advise everybody not to use Internet Explorer for any confidential banking transactions until the new patch is released.

The patch is expected to be released as soon as possible, and experts advise everybody to use a rival browser until then.

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

MICROSOFT SECURITY ADVICE
Change IE security settings to high (Look under Tools/Internet Options)
Switch to a Windows user account with limited rights to change a PC’s settings
With IE7 or 8 on Vista turn on Protected Mode
Ensure your PC is updated
Keep anti-virus and anti-spyware software up to date

Source:

http://news.bbc.co.uk/2/hi/technology/7784908.stm

W32.Downadup is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
CVE References: CVE-2008-4250

Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain the IP address of the compromised computer:

Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]

The worm then creates an HTTP server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

The worm then sends this URL as part of its payload to remote computers.

Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

Next, the worm connects to a UPnP router and opens the HTTP port.

It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.

The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]

The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Next, the worm attempts to contact the following sites to obtain the current date:

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer.

Remove W32.Downadup:

Visit the Microsoft Website to fix the problem:
http://support.microsoft.com/kb/958644/en-us

You can also use antivirus software with the latest updates to remove the worm quickly.

Removal using the W32.Downadup Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Downadup. Use this removal tool first, as it is the easiest way to remove this threat.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.

Bhuvan, India’s response to Google Earth, will be launched in March 2009 and will provide high resolution imagery data of the order of five metres which would be of great help for real-time exercises, including disaster management and military operations.

“Google Earth is providing high resolution data in the order of less than a metre. But the data is two to three years old. But Bhuvan will provide the relevant data for any real-time exercise,” SK Pathan, head, Geo Informatics Data Division, Isro, told PTI.

For real-time exercises, the latest data is a guiding force, he said. It can show the topography, altitude and other features of a location. The data could be of use to manage public services, internal security, town planning and infrastructure development activities.

However, it is not yet decided whether the data can be put on the web as it could be misused. Some locations can, however, be blurred or blocked due to security reasons.

From Rediff