Thursday, September 24, 2009

NetWars CyberChallenge

US companies and government agencies face a critical shortage of cybersecurity experts with sufficient technical skills to protect their systems, and military organizations have a similar shortage of people who can fight and win in cyberwar.

The US government has an initiative of holding Cyber Challenge competitions to discover these talented people. One of the competitions was NetWars by the SANS Institute. Below is the video of an interview with the winner (Alan Paller) of NetWars at the Gov 2.0 Summit 09.

Hope this video can motivate talented kids who are interested in IT security.



Related Links:
- US Cyber Challenge
- NetWars Competition
- Interview with Top talent from Round 2

Tuesday, September 15, 2009

MS09-048 Critical Vulnerability with NO PATCH??

Microsoft recently released a security bulletin (MS09-048 - Critical) announcing several vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. These vulnerabilities could allow denial of service (DoS) or remote code execution if specially crafted TCP/IP packets were sent over the network to a computer with a listening service.

It has been a very HOT discussion on the Internet. A Microsoft vulnerability is nothing new in the IT security world. What makes the commotion is that Windows 2000 SP4 and Windows XP were listed as affected products, but Microsoft is not issuing any updates for them. I have seen some very interesting comments and I think I should share some of those, including my own. Below is the extract from Microsoft Security Bulletin MS09-048.

MS09-048 Affected Software

- Extract from bulletin FAQ -
If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?
The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. Microsoft recommends that customers running Microsoft Windows 2000 Service Pack 4 use a firewall to block access to the affected ports and limit the attack surface from untrusted networks.

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Does this update completely remove the vulnerabilities, TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926?
Since the denial of service vulnerabilities, CVE-2008-4609 and CVE-2009-1926, affect the TCP/IP protocol itself, the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack. Also, these denial of service vulnerabilities can be further mitigated through the use of NAT and reverse proxy servers, further lowering the severity of this issue on client workstations.
- End of Extract -


From the bulletin, they are saying that it is "technically infeasible" to build a fix for Windows 2000. It also mentions that they did not patch XP because the client firewall (by default) mitigates the problem (if no ports are listening). It is not because XP is not vulnerable. As XP's TCP/IP stack uses the same underlying code as Windows 2000, it seems too hard for them to fix XP too.

Some Microsoft fans may rebut that ALL should be upgraded to Windows 2003 or 2008. But the updates do not really fix the issue: "the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack". So they still have not fixed the issue, right?

There was also a statement that I find comical:
- "The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases".
For a DoS, doesn't the system always "become unresponsive", and most of the time recover once the flood ceases?

Customers should start looking into their support maintenance contracts. Start thinking about and asking for a refund or the cost incurred (on additional protection for vulnerable systems) from your software vendor when no patch is created according to the support contract. Also think of the possible cost and damages to your company in the event that a breach or exploit of these unpatched vulnerabilities occurs.

Nessus has released a plugin to detect these vulnerabilities.
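Since the bulletin itself says the updates only add resilience and that the attack needs a sustained flood, the practical defence is spotting the flood early. The following is an added example (not from the bulletin or any vendor tool) that scans tcpdump-style lines for the zero-window pattern behind CVE-2008-4609: one source holding many connections open while advertising a receive window of 0. The capture lines and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): one client holds three
# connections open with "win 0", while two other hosts behave normally.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [.], ack 1, win 0, length 0
12:00:01.000002 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [.], ack 1, win 0, length 0
12:00:01.000003 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [.], ack 1, win 0, length 0
12:00:01.000004 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
12:00:02.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [.], ack 1, win 0, length 0
12:00:02.000005 IP 198.51.100.9.52000 > 192.0.2.10.80: Flags [.], ack 1, win 0, length 0
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., win <n>, ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?win (?P<win>\d+)"
)


def zero_window_sources(capture, threshold=3):
    """Return {src_ip: distinct_zero_window_connections} for every source
    that holds at least `threshold` distinct connections advertising win 0.

    A single zero-window segment is normal flow control; many distinct
    connections from one host all stuck at win 0 is the flooding pattern
    the bulletin describes (threshold is an assumed tuning value)."""
    conns = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("win")) != 0:
            continue
        # Count connections, not segments, so repeated ACKs on one
        # connection do not inflate the score.
        conns[m.group("src")].add((m.group("sport"), m.group("dst"), m.group("dport")))
    return {src: len(c) for src, c in conns.items() if len(c) >= threshold}


if __name__ == "__main__":
    for src, count in zero_window_sources(SAMPLE_CAPTURE).items():
        print(f"{src}: {count} zero-window connections")
```

On a live box the same function can be fed the output of `tcpdump -n 'tcp[14:2] = 0'` (zero window filter) piped through a file; a source that trips the threshold is a candidate for a firewall block, which is the mitigation the bulletin recommends.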

Sunday, September 13, 2009

Book review: CISSP All in One by Shon Harris VS Official ISC2 Guide to the CISSP CBK edited by Harold F. Tipton & Kevin Henry

If you are studying for the CISSP, I'm quite sure you will be reviewing which CISSP book is the best (since any one of these books can cost a bomb). It happened that I used these 2 books for my study, so let's do a review.

Let's first look at AIO by Shon Harris (4th ed). If you are very new to security, I would not recommend AIO. I remember the first time I started reading this book it took merely 15 min for me to go into hibernation mode (Zzzz). This is especially so for those domains you are not familiar with. However, after taking an additional 6-month diploma course in IT security, things made more sense. This book has a lot of useful information on security (beyond the exam). It is a good security reference book. It is highly recommended for people who want to know more. The CD provides a testing engine (Total Seminars' Test Software) which is quite useful to "simulate" how a CISSP professional would answer the questions. It does have the PDF version of the book, allowing you to read on the go.

For the Official ISC2 Guide to the CISSP CBK, I do find the writing style more easily understood and more interesting. This is largely because each chapter is contributed by an expert for that particular domain. Note the book credits the authors as "edited by Harold F. Tipton & Kevin Henry", not just "by Harold F. Tipton & Kevin Henry". However, easily understood does not mean the book is sufficient for the exam. You still need to do "Google research" (search for your unknowns in the Google search engine) to learn things, especially those outside your domains. This book is geared towards the exam objectives. The CD provides a demo version of Transcender for CISSP. It contains about 50% of the questions in the full version. It does NOT provide a PDF version of the book.

In conclusion, if you only have enough cash to get 1 book, then I would recommend AIO. If buying 2 books does not make any difference to your weekly allowance, why not purchase both? They are really good.


Friday, September 11, 2009

OpenMR: Open Mail Relay

I have recently written a simple tool that checks for open mail relay servers. I used to write object-oriented programs in Java and C++ during my Uni days, but that was almost 10 years ago. I still work on Unix shell scripts and Windows Script Host these few years, writing system maintenance (backup, health alerts, etc.) and hardening scripts.

This is my first time writing a program in Perl. This tool will check if the mail server of a domain is configured as an open relay. It can also query the IP addresses of those servers.

Running OpenMR:
OpenMR with help

Running OpenMR with "info" option:
OpenMR with info option

OpenMR found open relay:
OpenMR found open relay

Feel free to download the tool and give comments by emailing me.

Go to this link - OpenMR.zip to download the tool.
(MD5:55175a530923967ee5eeeca83ffe63e7)


New Update - 14/09/09
Thanks for the feedback. I have improved the tool and added a feature that uses an IP address instead of just a domain.

* Version 0.2.0
- Add feature to check open relay using IP address

Running OpenMR version 0.2:
OpenMR version 0.2

Running OpenMR using IP address with "info" option:
OpenMR using IP with info option

Download version 0.2.0 - OpenMR_0.2.zip
(MD5:14a61ea4e3c5bbff2f54e983b7d9e4f5)

Other Link:
- SecurityTube Tools - OpenMR

Sunday, September 6, 2009

Book review: Cisco Routers for the Desperate by Michael W. Lucas

Cisco Routers for the Desperate
by: Michael W. Lucas


Came across this book and decided to sneak a look at it.

It is a good book for people who need just the bare minimum to manage their Cisco routers and switches. Of course, if you have a CCNA, I'm quite sure you have learnt more than the book covers. But if you obtained your CCNA a while ago and have not been using your "Cisco skills", this book may be helpful.

There is a chapter about BGP & HSRP where I feel the explanation is really clear. It gives readers a good explanation of what BGP is and how easy it is to deploy.

Friday, September 4, 2009

Emerging Internet Security Threats: Spring 2009

Saw this video by Lenny Zeltser, the instructor for my GIAC Reverse-Engineering Malware (GREM) certification. Most of the stuff presented may not be new to you, but it serves as a reminder, with real-life examples, of some of the "attacks".

This video explores today's emerging Internet security threats to help organizations fine-tune their defenses. He examines attack patterns that have included the use of email as a gateway for fraud, the mighty power of network bots, the fertile ecosystem for web-based attacks, and the increased precision of modern attacks. The presentation presents lots of real-world examples of cyber attacks, and discusses the financial incentives behind the malicious activities that occur on the Internet.

He also covers:
  • What is driving modern-day attackers to large-scale and targeted attacks
  • Which recent breaches exemplify threat categories organizations need to track
  • The approaches Internet criminals employ to trick victims and bypass defenses
  • Whether you should adjust security architecture to match today's threat landscape

Part 1


Part 2


Part 3


About the speaker: Lenny Zeltser leads a security consulting team at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the SANS Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who has earned the highly regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. For more information about his projects, see www.zeltser.com.