This week Google entered the web browser wars with a vengeance, releasing its own web browser, dubbed Chrome, as a free beta. Chrome sports some impressive features and is being released as entirely free, open source software. Of particular interest are the new security features built into Chrome. Two extremely interesting security features are the browser privacy mode and the tabs in Chrome.
On September 1, OSSEC announced the release of the latest version of the OSSEC-HIDS tool (version 1.6). This release includes many notable new features including:
For a full list of upgrades and enhancements check out the change log. OSSEC can be downloaded from http://www.ossec.net/main/downloads.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a widely used verification system that forces users to look at images of obscured text and enter the text into a field. This system was designed to defeat automated, computer-based systems that were often used by spammers to set up bogus accounts or send spam. The idea was that the images weren't machine readable and Optical Character Recognition (OCR) technology wouldn't be able to decipher the image, thereby defeating the automated tools that spammers used. This raised the bar significantly for spammers. Many turned to micropayments, enlisting humans to decipher CAPTCHAs for a small fee. This isn't nearly as effective as using a computer, though, and both academic researchers and spammers alike have been searching for programmatic ways to defeat CAPTCHA, even as the technology evolves.
So this story has been floating around for a while, but if you haven't heard already, several Red Hat servers, including some used for Fedora, were compromised in the last couple of weeks. Details were slow to emerge, but Red Hat has finally confirmed that some OpenSSH packages for Red Hat Enterprise Linux (RHEL) 4 and 5 could have been compromised. Full details, including how to detect bad packages and updates, can be found at http://www.redhat.com/security/data/openssh-blacklist.html. The full Red Hat advisory can be found at https://rhn.redhat.com/errata/RHSA-2008-0855.html.
A host of computer security certifications exist, covering quite a range of topics. At some point in every security professional's career they look at certification and begin to weigh its value. I have given my own take on certification some thought and come up with the following recommendations based on my own experience.
Certification hinges on two things: the test and the certifying body. Certification, in the end, stands as independent verification that you passed a test. The test criteria and the respectability of the certifying body determine the value of the test to others.
Personally, when I interview someone I don't give a second look at the certifications they have. I look for experience that proves the assertions the certifications make. Proving you can apply knowledge that a certification tests is much more difficult than just getting a certification.
Two days ago OWASP announced the release of a new version of their DirBuster tool. DirBuster is a Java-based web application scanner. Basically, you give it a host and it scans that host for directories. DirBuster can work from a list of directory and file names, or it can brute force them. DirBuster is nice because it can find files and directories that might not be directly linked to anywhere. This can expose information on the host that you might not find otherwise. DirBuster will also parse the HTML of files that it does discover, allowing it to follow links present in discovered files as well. You can find more information about DirBuster at the OWASP site at https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project.
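From the defender's side, a wordlist-driven scan like the one DirBuster performs leaves a recognisable trace in the web server's access log: one client producing a burst of 404 responses for many distinct paths in a short time. The script below is an added example (not code from the original post or from the DirBuster project) that parses combined-format access log lines and flags clients that exceed a 404-per-window threshold. The log lines, IP addresses and thresholds are constructed for illustration; the User-Agent is deliberately left generic, because a scanner can set it to anything.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def detect_enumeration(lines, window_seconds=60, min_404=10, min_distinct=8):
    """Flag client IPs that generate at least min_404 responses with status 404 for at
    least min_distinct different paths inside any sliding window of window_seconds.

    A single broken link produces a handful of 404s for the same path; a directory
    brute-force produces many 404s, each for a different path, in quick succession.
    Thresholds are assumed starting points and should be tuned per site."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            distinct = {path for _, path in window}
            if len(window) >= min_404 and len(distinct) >= min_distinct:
                prev = alerts.get(ip)
                if prev is None or len(window) > prev["requests_404"]:
                    alerts[ip] = {"requests_404": len(window), "distinct_paths": len(distinct)}
    return alerts


def build_sample_log():
    """Constructed sample traffic: one ordinary visitor (203.0.113.7) who hits a single
    stale link, and one client (198.51.100.9) walking a small wordlist of directory names."""
    lines = [
        '203.0.113.7 - - [03/Sep/2008:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [03/Sep/2008:10:15:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [03/Sep/2008:10:15:09 +0000] "GET /old-link.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    ]
    wordlist = ["admin", "backup", "old", "test", "tmp", "images",
                "css", "js", "include", "config", "data", "logs"]
    for i, name in enumerate(wordlist):
        sec = 20 + i  # one probe per second, all within a single minute
        lines.append(
            f'198.51.100.9 - - [03/Sep/2008:10:15:{sec:02d} +0000] '
            f'"GET /{name}/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
        )
    return lines


if __name__ == "__main__":
    for ip, info in detect_enumeration(build_sample_log()).items():
        print(f"possible directory enumeration from {ip}: "
              f"{info['requests_404']} x 404 across {info['distinct_paths']} paths")
```

Run against a real log with `detect_enumeration(open("access.log"))`; the sliding window keeps memory bounded per client, and looking at distinct paths rather than raw 404 counts keeps a single broken link from tripping the alert.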
The CERT for Germany's National Research and Education Network (DFN-CERT – Deutsches Forschungsnetz) is warning of a new spate of attacks using a variant of the Phalanx Linux rootkit. Once installed, this rootkit harvests SSH keys and other credentials which an attacker can use to access other victims. Fortunately the rootkit seems fairly easy to detect if you know what to look for. The rootkit creates a hidden directory, /etc/khubd.p2/, that is used to collect information. This directory is hidden, and the rootkit uses methods to hide its running processes and other telltale signs of its existence. Sometimes the name of the hidden directory is changed, but if you try to 'cd' into the directory and it appears not to exist, you can try creating the directory and then doing an 'ls'.
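The check described above works because a rootkit that hides a directory from listings usually still lets the kernel report the directory as existing, so an attempt to create it fails with "file exists" even though `ls` does not show it. The script below, added here as an example and not part of the DFN-CERT advisory or the original post, turns that manual check into a function that classifies a path as absent, visible, or hidden. The only path taken from the advisory is /etc/khubd.p2; the helper names and the temporary-directory self check are assumptions for illustration.

```python
import os
import tempfile

# Directory named in the DFN-CERT warning; the rootkit may use a different name.
DEFAULT_PATH = "/etc/khubd.p2"


def probe_hidden_directory(path):
    """Classify path as 'absent', 'visible' or 'hidden'.

    'hidden' means the kernel says the directory exists (mkdir fails with
    FileExistsError, or a stat succeeds) while the parent's directory listing
    does not contain it: the discrepancy the cd-then-mkdir-then-ls check exposes.
    If the directory does not exist, mkdir creates it and we remove it again."""
    path = os.path.normpath(path)
    parent, name = os.path.split(path)
    parent = parent or "."

    # View 1: what a directory listing (the hooked syscall in this kind of rootkit) shows.
    try:
        listed = name in os.listdir(parent)
    except OSError:
        listed = False

    # View 2: what the kernel reports when we try to create the same name.
    try:
        os.mkdir(path)
    except FileExistsError:
        exists = True
    except FileNotFoundError:
        return "absent"          # parent directory itself is missing
    except PermissionError:
        exists = os.path.isdir(path)  # cannot create here; fall back to stat
    else:
        os.rmdir(path)           # we just created it, so it was not there before
        return "absent"

    if not exists:
        return "absent"
    return "visible" if listed else "hidden"


def self_check():
    """Exercise the two outcomes reproducible on a clean system, using a scratch dir.
    Returns (result for an existing dir, result for a missing dir, leftover flag)."""
    with tempfile.TemporaryDirectory() as scratch:
        present = os.path.join(scratch, "present")
        missing = os.path.join(scratch, "missing")
        os.mkdir(present)
        r_present = probe_hidden_directory(present)
        r_missing = probe_hidden_directory(missing)
        leftover = os.path.exists(missing)
    return r_present, r_missing, leftover


if __name__ == "__main__":
    print(f"{DEFAULT_PATH}: {probe_hidden_directory(DEFAULT_PATH)}")
```

Run it as root so the mkdir attempt under /etc is meaningful; a result of "hidden" for /etc/khubd.p2 (or for any other name you suspect) is worth treating as a compromised host, and a "visible" result for a directory you did not create is no better. Because the check relies on the rootkit hooking the listing call but not creation, a variant that hides itself more thoroughly can still evade it, so pair it with an offline scan from known-good media.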
I just got word that I passed my CEPT (Certified Expert Penetration Tester) certification. CEPT is a certification offered by the IACRB (the Information Assurance Certification Review Board), "an industry standard organization," "formed by information security professionals," "a not-for-profit legal entity with a sole mission to certify individuals," which "requires all exam candidates to pass a hands-on practical examination." I became familiar with the IACRB after attending a class offered by InfoSec Institute. I had never heard of the IACRB before, but the class included certification based on passing an exam that was given at the end of the class. The exam had two parts: the first was a multiple choice exam, which is standard for most certifications. The second part was a take-home practical that was extremely challenging.