Archive for July, 2010

Web Exploits: There’s an App for that

Posted in IT Security on July 14, 2010 by cobra

In the last few years M86 Security Labs has seen a dramatic increase in attack or exploit kits. These easy-to-use kits are the backbone of exploits in the “wild”. M86 Security Labs research reviews how exploit kits are developed, distributed and monetized globally. The turnover of exploits is quick. The success rate is high. And, all of this for very minimal cost for the exploit kit users and operators. The details in this report will provide a fundamental understanding of how exploits operate and give the reader a true sense of the business behind the crime. In the Internet security industry, the terms “exploit kit” or “attack toolkit” are commonly known and understood by security researchers. However, to the average Internet user, these exploit kits are unfamiliar. So, what exactly are these tools? Why are they written? Who uses them and what makes them so popular — especially, in the wrong hands?

Please enter here to read the complete report on this research. (Please note: the Doc can be downloaded by clicking on the download link on the top right of the page)

Please scan softly – your router could crash

Posted in IT Security on July 14, 2010 by cobra

An nmap scan with certain parameters is apparently sufficient to temporarily cripple a whole corporate network. On the Full Disclosure mailing list, a network admin reported that he used the following command to establish the SNMP versions of his routers and servers:
nmap -sU -sV -p 161-162 -iL target_file.txt
where target_file.txt contained his systems’ IP addresses. However, the scan caused most of his network devices to crash and reboot, including several Cisco routers. Responses on the list varied widely when he asked whether the problem was caused by a DoS vulnerability in the devices or by a flawed configuration.
Roland Dobbins of anti-DDoS specialist Arbor Networks considers crashes caused by scans quite normal and thinks that the real issue is more likely the insufficient isolation of the management network, which apparently allows attackers, and not just admins, to reach the routers. Florian Weimer of the Debian project at least agrees about the cause: fingerprinting is a known method for remotely compromising devices, he said. In his opinion, however, the flaw should be reported and fixed regardless.
Opinions differ about what caused the crashes. While Dobbins thought the reason was a flooded port that drove the CPU to 100% utilisation, security specialist Thierry Zoller disagreed and said this wasn’t the case: apparently only a few packets are sufficient to provoke a reboot. In any case, said Zoller, it is a vulnerability whether the management network is isolated or not. Dan Kaminsky added that such behaviour could perhaps be expected from a cheap Linksys router, but not from devices as expensive as those used in this case.
Cor Rosielle of security specialist Outpost24 went only slightly off topic with his suggestion to use the Unicornscan scanner instead of nmap. The nmap option -sV for retrieving the version of a service is a dangerous switch and has been known to crash devices, he said.
Whether any of the discussion participants found the time to inform Cisco remains unclear. We can conclude that admins should be careful when scanning their (management) networks and that they should keep these networks isolated from the rest of the organisation.
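A more cautious way to run the same SNMP version probe, added here as an illustration and not part of the original article or the mailing-list discussion: it walks the target file one host at a time, uses nmap's lower version-probe intensity and a scan delay, and stops as soon as a device stops answering, so one fragile router does not take the rest of the list down with it. The flag choices, the ping-based liveness check and the helper names are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post). NMAP_CMD and PING_CMD can be
# overridden so the control flow can be exercised without touching a network.

# Is the host answering right now?
host_alive() {
    ${PING_CMD:-ping -c 1 -W 2} "$1" >/dev/null 2>&1
}

# Same ports as the original scan, but: intensity 0 sends only the most likely
# probes, a single retry, and a pause between packets instead of a burst.
run_scan() {
    ${NMAP_CMD:-nmap} -sU -sV --version-intensity 0 --max-retries 1 \
        --scan-delay 500ms -p 161-162 "$1" >/dev/null 2>&1
}

# Scan each host listed in the file (blank lines and '#' comments ignored).
# Prints "ok <host>" per scanned host; returns 1 and stops if a host that was
# reachable before its scan no longer answers afterwards.
scan_targets() {
    file="$1"
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        if ! host_alive "$host"; then
            echo "skip $host: not reachable before scan"
            continue
        fi
        run_scan "$host"
        sleep 1   # give the device a moment to settle before judging it
        if ! host_alive "$host"; then
            echo "ABORT: $host stopped responding after scan" >&2
            return 1
        fi
        echo "ok $host"
    done < "$file"
}
```

Run it as `scan_targets target_file.txt`; an abort is the signal to stop and look at the device, not to keep going down the list.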

Enter the link (reported) for more info