Domain: ncircle.com
Stories and comments across the archive that link to ncircle.com.
Comments · 8
-
Consider an easy to use commercial webapp scanner
Check out https://purecloud.ncircle.com/solutions/en/WebApp/. It is not free, but it covers common web applications, and it is very easy to use. Disclaimer: I work for nCircle
-
Re:It is Internet Connection SHARING
That link is a bit off, try this for the blog
-
It is Internet Connection SHARING
The article didn't sound right calling it Internet Connection Service so I did some poking around on the blog the article referenced: http://blog.ncircle.com/archives/2006/10/microsof
t _ics_d.htm/ICS == Internet Connection Sharing.
-
Better article: no FUD-OpenBSD demo-Theo comment
From : http://blog.ncircle.com/ (scroll down)
cansecwest/core06: "security issues related to Pentium SMM"
Loic Duflot
Title: Security Issues Related to Pentium System Mgmt Mode
It is day 2 at Cansecwest and this talk wins for 'so frightening that you want to hide under your desk in the fetal position'.
I'll go through the high level technical and then end with pointing out a principal that is one of those universal truths I carry around with me everywhere.
This entire exploit is based on documented x86 functions.
Your CPU runs in a few modes, one of those modes is known as Protected mode, other known as System Mgmt Mode. When your OS is running, your in Protected mode and this is how much of the security is performed and you'll hear of ring0 and ring3. Just know that your in-world universe is in protected mode.
System Management Mode (SMM) is used so that when there is something external to your OS world like say a thermal condition that needs to communicate some message, the CPU saves all its protected mode state out, does all this SMM stuff and then return to its regular scheduled program in protected mode.
There are details that evolve registry addresses and very low level operations but for the most part, a system in a very secure state can be circumvented via this SMM facility. I'm talking free access to all memory and IO.
The song goes a little like this:
Enable SMI
Open SMRAM space
Replace default SMI Handler by custom one (do your duty)
Close SMRAM space
Trigger SMI
Gain access to restricted operations.
In the wider picture: works on most systems. Turns out that Linux and the *BSD's will fall victim to this attack strategy, however, Windows XP is not known to be exploitable because of a few system calls that are not present and more importantly a certain memory range in protected mode is not shared addresses to SMM.
So, for the demo, they did not pick some shabby OS to exploit. How about OpenBSD at level2 (high security) with allowaperture=1
Ummm...it worked. Theo, microphone please?
Theo spoke to this OPENBSD issue and said he and the team have known about it for a year. They are between a rock and a hard-place because Xserver is really the core of the problem. It has too much damn access to regesters and is in the most unfortunate address space in protected mode because when in SMM, what is in that address range can be used to exploit.
Solution is for Xserver people to abstract sufficiently so that the kernel can have more governance on the Xservers logic.
Closing TK comments:
A system or a world that has a policy governed by in-world mechanisms cannot be effective when a process in-world can reach to the out-world to cause in-world change. You could also say that since a problem cannot be resolved at the same logical realm it has been created, then it is also the case that the most effective governance of a world can only come from outside that world. Think about all the crazy things we do in the physical world. As soon as we could get to the strong and weak forces at the atomic level, we created a incredibly destructive device. I just hope that if string theory is right and there really are energy strings at the lowest level of the universe, that no one in our world get control of them. The negative outcome caused by the power hungry is too high a risk to even consider the positive benefits.
Its late and I have been blogging way too much today I am certain that my mental packet loss is abnormally high. I'll return to this in-game out-game concepts later in another blog entry, when I am less sleep deprived.
--tk -
A few more details
I can't find the actual paper anywhere, but this blog posting has way more details than the article originally linked
... Very interestingly, Windows XP is not vulnerable, but OpenBSD is. -
Re:RTFA - Nothing to See . . . Move Along
Not only is it not a new 'feature', but it's not a new reporting of it either.
Dino and K2 demonstrated this and some other fun quirks that can be abused in windows wifi selection process (including getting a windows laptop to associate without wep even if it's supposed to be on). I can't find the slides handy, but here's a summary:
http://blog.ncircle.com/archives/2005/05/cansec_we st_day_3.htm -
Can't beat 'em? Join 'em!
SafariShane needs to get onboard with a company that does this kind of work. A buddy of mine ran a one-guy development/network admin company for several years, and got into security as well, picking up a cert or two.
Due to the economic downturn (and his bread and butter client not falling under the Prompt Payment Act), he had to get a job with The Man.
He got a job with these people, as the tech half of a two-guy sales team, by leveraging his knowledge of Windows and *nix networking and security.
He's working like a sled dog, can't say anything about what clients he's seeing, or much about the product. But he's a very, very well paid sled dog in terms of base salary, benefits and commission; he went out and got a 32" TV and laser-corrected his eyes.
-
IDS Performance, False Positives, and The Future
So, having read both of the articles, I don't see anything in here about the "future" of IDS. Everything in the IDS world relates to pattern matching and speed.
The problem with that is that the number of alerts does not determine the efficiency and efficacy of an IDS does. As Stefan Axelsson points out in his paper "The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection, the real limiting factor in IDS performance will ALWAYS be the number of false positives generated.
Unfortunately, not many people seem to be working in the direction to deal with that problem. Most of the major IDS vendors are talking only in terms of getting faster, and having more rules.
The only company I've actually seen that is looking at any new paradigm to deal with this problem is nCircle. Their system has an IDS and a vulnerability scanner working together to accomplish the reduction in false positives.
It's not a perfect system, but it performs significantly better than any of the IDS products that I've seen. And it definitely shows some sort of vision into the future, and into dealing with the real problems with the way IDS is currently done.
Just my $0.02...