
Archive: 2013

Hacking the CERT FOE
CERT/CC Blog | Will Dormann

Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy to modify them to do what you like....
Prioritizing Malware Analysis
CERT/CC Blog | Jose Morales

Hi, this is Jose Morales, researcher in the CERT:CES team. In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that year, Wired magazine reported that before Flame had been unleashed, samples of the malware had been lurking, undiscovered, in repositories for at least two years. As Wired also reported, this was not an isolated event....
Analyzing Routing Tables
CERT/CC Blog | Timur Snoke

Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers. Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs), which uniquely identify networks on the Internet. To coordinate traffic between ASNs, the Border Gateway Protocol (BGP) advertises available routing paths that network traffic could take to access other IP addresses. BGP tables select and...
BFF 2.7 on OS X Mavericks
CERT/CC Blog | Will Dormann

Hi folks, it's Will. Apple has released OS X Mavericks. Because BFF 2.7 was released before Mavericks, BFF doesn't work right out of the box. But it's actually quite simple to get it working....
Working with the Internet Census 2012
CERT/CC Blog | Timur Snoke

Hi, it's Timur Snoke of the CERT NetSA group, posting on behalf of Deana Shick and Angela Horneman. It's not every day that 9.6 terabytes of data is released into the public domain for further research. The Internet Census 2012 project scanned the entire IPv4 address space using the Nmap Scripting Engine (NSE) between March and December of 2012. The engineer of this data set (identity unknown) saved and released the collected data in early 2013....
Vulnerabilities and Attack Vectors
CERT/CC Blog | Will Dormann

Hi, this is Will Dormann of the CERT Vulnerability Analysis team. One of the responsibilities of a vulnerability analyst is to investigate the attack vectors for potential vulnerabilities. If there isn't an attack vector, then a bug is just a bug, right? In this post, I will describe a few interesting cases that I've been involved with....
Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler
CERT/CC Blog | Allen Householder

Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the crash recycling feature. In this post, I will take a closer look at this feature and explain why I think it's so interesting....
Signed Java Applet Security Improvements
CERT/CC Blog | Will Dormann

Hi folks, it's Will Dormann. A few months ago I published a blog entry called Don't Sign that Applet! that outlined some concerns with Oracle's guidance that all Java applets should be signed. The problem is that with Java versions prior to 7u25, there is nothing that prevents a signed applet from being repurposed by an attacker to execute with full privileges. As it turns out, Java 7u25 introduced features to prevent a Java applet...
One Weird Trick for Finding More Crashes
CERT/CC Blog | Will Dormann

Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version 2.1. In this blog entry I will describe some of the major changes with these tools....
Practical Math for Your Security Operations - Part 2 of 3
CERT/CC Blog | Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division again. In my earlier blog post, I offered some ideas for applying set theory in your SOC (Security Operations Center). This time I introduce you to statistics, specifically standard deviation. Mathematical terms such as standard deviation can seem mysterious for daily security operations. However, I've provided some simple examples to help you analyze network security data using this measurement....
Mining Ubuntu for Interesting Fuzz Targets
CERT/CC Blog | Jonathan Foote

Hello, Jonathan Foote here. In this post I'll explain how to use information from databases in stock Ubuntu systems to gather the parameters needed to perform corpus distillation (gathering of seed inputs) and fuzzing against the installed default file type handlers in Ubuntu Desktop 12.04. This technique applies to most modern versions of Ubuntu....
Domains That Are Typos of Other Domains
CERT/CC Blog | Jonathan Spring

Hello, this is Jonathan Spring. I've been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it's a common one since 'f' is next to 'g' on the standard keyboard. The existing hypothesis has been that typo domains would be used for malicious purposes. Users would commonly mistype the domain they are going to, and some of the less scrupulous domain owners could take...
Practical Math for Your Security Operations - Part 1 of 3
CERT/CC Blog | Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division. Mathematics is part of your daily tasks if you're a security analyst. In this blog post series, I'll explore some practical uses of math in your SOC (Security Operations Center). This pragmatic approach will hopefully help enhance your use of mathematics for network security....
A ccTLD Case Study: .tv
CERT/CC Blog | Leigh Metcalf

Hello, this is Leigh Metcalf and Jonathan Spring. In this post, we first examine some of the usage patterns in the .tv top-level DNS zone via passive DNS. In the second half of the post, we explore the economic importance of the .tv domain to its owner, the small South Pacific island nation of Tuvalu. Combining these two analyses, it seems that suspicious domain names could be one of Tuvalu's more valuable exports....
The Risks of Microsoft Exchange Features that Use Oracle Outside In
CERT/CC Blog | Will Dormann

The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit. It's public knowledge that Microsoft Exchange uses Oracle Outside In. WebReady, which was introduced with Exchange 2007, provides document previews through the use of the Oracle Outside In library. Outside In can decode over 500 different file formats and has a history of...
Keep Calm and Deploy EMET
CERT/CC Blog | Vijay Sarvepalli

CVE-2013-1347, the Internet Explorer 8 CGenericElement object use-after-free vulnerability, has gotten a lot of press lately because it was used in a "watering hole" attack against several sites....
Don't Sign that Applet!
CERT/CC Blog | Will Dormann

Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies, suggests that all Java developers sign their applets, regardless of the privileges required. In this blog entry, I explain why this practice is a bad idea....
Finding Patterns of Malicious Use in Bulk Registrations
CERT/CC Blog | Leigh Metcalf

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. In 2011, .co.cc [1] and .co.tv [2] were removed from Google's search results because of the high incidence of malicious domains (.cc is the TLD for the Cocos Islands and .tv is the TLD for Tuvalu). Neither of these domains is an official TLD of its respective country of origin, but is a zone in which the owner happens to make single subdomains freely available...
GeoIP in Your SOC (Security Operations Center)
CERT/CC Blog | Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Program. Today, whether you're shopping for a new house or trying to find a babysitter, you end up using Google maps or a similar service to assist your decision making. In this blog post, I discuss GeoIP capabilities that can be built into your SOC to provide a spatial view of your network threats and how this view can help your network situational awareness....
Second Level Domain Usage in 2012 for Common Top Level Domains
CERT/CC Blog | Leigh Metcalf

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. Here is a look at second level domain (SLD) usage in 2012 for the most common generic Top Level Domains (gTLDs): biz, com, info, mobi, net, and org. We used two data sources: (1) the master zone files (RFC 1035 sec. 5) and (2) the SIE (http://sie.isc.org), a passive DNS data source. From these sources we examined three features of global gTLD usage: the number registered, the...
The Growth of IPv6 Announcements
CERT/CC Blog | Leigh Metcalf

Hi, this is Leigh Metcalf again with my colleague Rhiannon Weaver. IPv6, the replacement for IPv4, has been heavily marketed. To consider exactly how popular IPv6 is on the internet, one method is to examine the number of autonomous systems (ASes) that announce IPv6....
An Alternate View of Announced IPv4 Space
CERT/CC Blog | Leigh Metcalf

In my previous post, I examined the total amount of IPv4 space announced and presented cumulative graphics. While this view is useful in determining how much IPv4 space is announced, it doesn't say much about which IPv4 space is announced....
The Growth Rate of IP Addresses That Are Advertised as Usable on the Internet
CERT/CC Blog | Leigh Metcalf

Hi, this is Leigh Metcalf of the Network Situational Awareness Team. Recently, I have been considering the amount of IPv4 space that is announced on the Internet. All blocks have been allocated, but how many are actually being used? To investigate this, I examined the routing tables to determine which networks were announced on the internet as usable from January 1, 2009 through December 31, 2012....
Watching Domains That Change DNS Servers Frequently
CERT/CC Blog | Leigh Metcalf

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently....
Anatomy of Java Exploits
CERT/CC Blog | Art Manion

On behalf of the real author, my colleague David Svoboda (and a couple others who work on the CERT Secure Coding Initiative), here's a post analyzing recent Java exploits....
Java in Web Browser: Disable Now!
CERT/CC Blog | Art Manion

Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after investigating the Java 7 vulnerability from August, I realized that completely disabling Java in web browsers is not as simple as it should be....