After years Microsoft finally release an update for its sniffer: Network Monitor (aka NetMon) 3.0.

As already said at beta 2 time, this new major release (build 3.0.372) doesn't have limitations network professionals use to damn in 2.x versions: it works in promiscous mode and is released as stand alone package. And it's free of charge.

Plus NetMon 3 introduces several improvements:

• Real time capture and display of frames


• Simultaneous capture on multiple network adapters


• Multiple simultaneous capture sessions


• Network conversations and a tree view displaying frames by conversation


• Enhanced capture/display filtering (with boolean expressions and intelli-sense)


• A new script-based protocol parser language (NPL), and script-based parsers


• Scriptable execution (and packets capture) through NMcap command line tool

The new filtering system is pretty flexible and allows to write filters in similar you do with Wireshark (formerly Ethereal).
For example filtering HTTP traffic reaching or departing from IP address 192.168.0.1 can be written:

• ip.addr==192.168.0.1 and http (Wireshark)


• ipv4.Address==192.168.0.1 && protocol.HTTP (NetMon)

Filters can be written on multiple lines and comments are allowed, permitting to write complex analysis on packets in an easy way.

Download it here (it's unclead why Microsoft is still hosting it on Connect instead of Download website).
Check the development team blog here.

Italy, my country, is the first european state to adopt Microsoft Child Exploitation Tracking System (CETS), launched in 2005 and offered for free to worldwide governments.

CETS will be used by our police department dedicated to online crimes, the Polizia Postale e delle Comunicazioni.

CETS offers a national repository, powered by Microsoft SharePoint and SQL Server, where investigators can register suspected online identities, upload child exploitations images, link suspicious web sites, store seized emails, etc.
It then syncronizes informations with other national databases in adhering countries.

Efficacy of the tool is actually limited because apart Italy only Canada and Indonesia are using it.
US, Japan and Australia are evaluating CETS adoption, but until more countries will share informations on the system there are few chances to improve tracking capabilities.

It also worth to consider that masquerading an online identity is not too complex and these sexual criminals are used to computer technologies. Their level of know-how is surely improving fast, to adapt new countermisures and tools like CETS could be useless in few years.


Right in these days Microsoft is expanding its offering for defending children and launched a parental control tool called OneCare Family Safety.

Last issue of MSDN Magazine is dedicated to security.

Among top articles:

• Secure Habits: 8 Simple Rules For Developing More Secure Code (Michael Howard)


• Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach (Shawn Hernan, Scott Lambert, Tomasz Ostwald, Adam Shostack)


• Single Sign-On: A Developer's Introduction To Active Directory Federation Services (Keith Brown)


• Smart Storage: Protect Your Data Via Managed Code And The Windows Vista Smart Card APIs (Dan Griffin)


• Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps (Mark Pustilnik)


• SQL Security: New SQL Truncation Attacks And How To Avoid Them (Bala Neerumalla)

Last one seems particularly interesting:

Exploits using SQL injection have drawn a lot of attention for their ability to get through firewalls and intrusion detection systems to compromise your data layers. Whether it's a first-order or second-order injection, if you look at the basic code pattern, it is similar to any other injection issue where you use untrusted data in the construction of a statement. Most developers have started mitigating these vulnerabilities in Web front ends by using parameterized SQL queries in conjunction with stored procedures at the back end, but there are some instances where developers still use dynamically constructed SQL, like in the construction of Data Definition Language (DDL) statements based on user input or for apps written in C/C++.

In this article I will discuss some new ideas that can result in either modifying SQL statements or injecting SQL code even if the code has escaped the delimiting characters. I will start with some best practices for constructing delimited identifiers and SQL literals, and then I'll show you new ways attackers can inject SQL code in order to help you protect your applications...

Read the whole MSDN Magazine November 2006 issue here.

Check Point continues to release new minor updated of its platform on regular basis, not changing the strategy already adopted with previous NG platform and its Feature Packs.

In NGX the company doesn't call new updates Feature Pack anymore but continue to release them every 4 months or so.

In the new R62 there are some interesting changes:

• Integry removing from Media Kit
  Integrity, the endpoint security solution Check Point obtained with ZoneLabs acquisition over 2 years ago, has been removed from package.
  Check Point included it in the R61 package but now already changed its mind, only allowing resellers to distribute it to interested customers.
  
  This is possibly to reduce piracy of the new product, already available in warez circuits.
  If so I don't think it's a very effective countermisure, only slowing down customers evaluation and adoption.



• Support for Windows Server 2003 Service Pack 2
  NGX R62 supports Windows Server 2003 Service Pack 2 even if at the moment of writing the SP2 is not yet released by Microsoft.
  
  While I'm sure Check Point has access to new builds much earlier than other beta tester, I don't remember the company ever supported a new operating system update so early.
  I strongly recommend to not install SP2 on your Windows Server 2003 machines at release time without extended testing for reliability and compatibility with Check Point products.



• Multiple SmartDefense profiles
  Finally customers are able to create several SmartDefense configurations from SmartDashboard and bind them to different gateways in the object database.
  In the same fashion SmartDefense can be disabled on gateway basis.



• Enhanced Log Forwarding
  Depending on your configuration Check Point gateways forward local log entries to the default SmartCenter Server log server, or to additional Log Servers configurated as stand-alone tiers.
  In this process log entries are stored locally, forwarded to the right location, and finally deleted locally.
  
  In the NGX R62 all logs can be forwarded directly, without local storing.
  I don't see this feature particularly safe to use, because it's necessary to evaluate what happens if, during the forwarding, link goes down.

The NGX R62 supports backward compatibility down to NG FP3.
Older installations have to be upgraded to NG AI [R54] and then migrated to NGX R62.


A last note about build version: tracking Check Point platform updates can be very hard because every single component has a different build numering.
NGX R62 has following build numbers for major components:

• VPN-1 (Power / UTM on any OS) - 120


• SmartCenter Server - 021


• SmarConsole - 618000131



• SecurePlatform - 031

This blog's readers know how much I love Symantec. No other company in the security space provides me so much concern like this one.

Symantec spent last years acquiring one after another quite dozen of valid security firms, trying to reach a leadership position thanks to marketshare, not quality of products.
The company has been so successful in acquiring and so unsuccessful in integrating that I usually refer to it with the name of Symantec of Borg.

This strategy never really worked so the company could just maintain a leadership in its own market segment: antivirus.

Unfortunately this segment is going to be saturated by the biggest competitor possiible, Microsoft, which has interest and economical power to offer multiple anti-malware products for free to consumer and business audience if needed. And will eventually do.

In my years of experience I cannot remember meeting a single user, system administrator, security professional, CTO or CIO, not complaining about Symantec core product performances or lack of innovation.

Fearing Microsoft competition and knowing its own weakness, Symantec is now trying to create new (non-existent) markets where it can escape.
So it just launched Security 2.0 (I knew someone sooner or later would have this bad idea).

Its CEO, John Thompson, launched the initiative declaring worms and viruses problems is solved. Or at least this is what InformationWeek reports.

Security 2.0? But if we still are far away to reach a stable 1.0...

The new wave of products forming the Symantec Security 2.0 is incredible:

• Norton Confidential Online Edition
  An anti-phising tool (we are plenty of these tools. All 1.0) able to block keyloggers (something the anti-virus should already do)?
  
  In any case a very poor approach to the problem: if banks want to offer a safe environment to customers could simply send them a USB key filled with VMware Player (free) and a custom Linux distribution (free as well), able to only connect home-banking site. Nothing could be more 2.0 than this.



• Symantec Database Security
  A behavioral host IDS? Thanks, we are working on them since years, still addressing false positives and false negatives issues.



• Symantec Mail Security 8300 Series
  The dear old Brightmail Anti-spam engine in a shining new case? It also features content filtering? Thanks, we do that since 10 years, and WebSense is still leader in this segment.

I prefer to not further comment remaining 2 announcements of this wave: partnership for services with VeriSign (for 2-factors authentication) and Accenture (for risk assessment and management).


If this is Security 2.0 I want to directly skip next major release.

3Sharp published an interesting 37-pages comparison between anti-phishing tools available on the market today.

Not only it's interesting because it provides a useful compendium to the lastest Internet Security Threat Report published by Symantec, but also because it includes some unexpected results, distinguishing between recognition rate (detailing false positives) and blocking rate.

GeoTrust TrustWatch is the most capable in recognition but has 2 big issues: has a 32% rating of false positives and is unable to block any phishing attempt.

Microsoft Phishing Filter included in Internet Explorer 7 Beta 3 is the best in class, able to recognize 89% of threats without false positives, and a 83% capability to block phishing attempts (remaining 6% is only warned) .

The much popular Google Toolbar included in Firefox is only at 4th place, able to recognize without false positives and block only 53% of threats.

The interesting SiteAdvisor, which claimed a 90% worldwide websites coverage before being acquired by McAfee in April, has been included in the comparison even if McAfee clearly states the product doesn't recognize phishing (read comments for more details).
No surprise it was the last one with a mere 3%.


Read the whole report here.


Update: As every report it should read with due aloofness: the study has been committed by Microsoft, 3Sharp founders are former Microsoft employees and the company is mainly skilled on Microsoft technologies.

Symantec released the 10th edition of its much appreciated Internet Security Threat Report.

The very first edition of this report has been published in 2002 by Riptech, a company focused on intrusion detection which Symantec of Borg acquired in these years.

The most recent versions of the report are developed by over 1600 Symantec security analysts, the company claims. While results could be manipulated to justify old and new products, or to discredit competitors like Microsoft (and near the Windows Vista launch Symantec has all interests in doing so), it remains a useful tool for evaluation of attack and vulnerability trends.

The September 2006 edition offers a 120-pages coverage of threat activity between January 1st and June 30th.
Below significant highlights divided in categories.


Attack Trend

• Microsoft Internet Explorer was the most frequently targeted Web browser, accounting for 47% of all Web browser attacks


• Symantec observed an average of 6,110 DoS attacks per day


• The United States was the target of the most DoS attacks, accounting for 54% of the worldwide total


• The Internet service provider (ISP) sector was the most frequently targeted by DoS attacks


• China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total


• The United States had the highest percentage of bot command-and-control servers with 42%


• Beijing was the city with the most bot-infected computers in the world


• The United States ranked as the top country of attack origin, accounting for 37% of the worldwide total


• The home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks

Vulnerability Trend

• Symantec documented 2,249 new vulnerabilities, up 18% over the second half of 2005. This is the highest number ever recorded for a six-month period


• Web application vulnerabilities made up 69% of all vulnerabilities this period


• Mozilla browsers had the most vulnerabilities, 47, compared to 38 in Microsoft Internet Explorer


• In the first six months of 2006, 80% of vulnerabilities were considered easily exploitable, up from 79%


• Seventy-eight percent of easily exploitable vulnerabilities affected Web applications


• The window of exposure for enterprise vulnerabilities was 28 days


• Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day


• In the first half of 2006, Sun operating systems had the highest average patch development time, with 89 days, followed by Hewlett Packard with 53 days, Apple with 37 days and Microsoft and Red Hat with 13 days

Malicious Code Trend

• Eighteen percent of all distinct malicious code samples detected by Symantec honeypots were new


• Five of the top ten new malicious code families reported were Trojan horse programs


• The most prevalent new malicious code family this period was that of the Polip virus


• Worms made up 38 of the top 50 malicious code samples


• Worms made up 75% of the volume of top 50 malicious code reports


• Symantec documented 6,784 new Win32 viruses and worms


• Bots accounted for 22% of the top 50 malicious code reports, up slightly from the 20% reported in the last period


• Thirty of the top 50 malicious code samples exposed confidential information


• Modular malicious code accounted for 79% of the volume of top 50 malicious code, down from 88% in the second half of 2005

Phishing, Spam and Security Risks

• The Symantec Probe Network detected 157,477 unique phishing messages, an increase of 81%.


• Financial services was the most heavily phished sector, accounting for 84% of phishing activity.


• Spam made up 54% of all monitored email traffic, up from 50% in the last period.


• The most common type of spam detected in the first six months of 2006 was related to health services and products.


• Fifty-eight percent of all spam detected worldwide originated in the United States


• Eight of the top ten reported security risks were adware programs.


• Three of the top ten new security risks are what Symantec calls misleading applications

Two of these results are quite expected but still the most interesting: an average of 28 days for vulnerability exposure, and 54% of mail traffic made by spam.
While I'm well persuaded preventing new threats is impossible at the moment, I wonder why the security industry is failing so miserably in mitigating damage.

I strongly recommend to read the whole Internet Security Threat Report - September 2006.

I already wrote the parental control / Internet filtering security tools are so rare, mentioning free solutions available today on the market and considering possibility Google could release something in this space.

While waiting for Google, I wanted to try what Microsoft is doing at least in the home market with its new Windows Live OneCare Family Safety (I bet parents out there already got confused trying to understand which is the name of the product).

The new solution has just been released in beta and it's offered under the umbrella of Windows Live initiative. So this is just a first look at features, I didn't try to find bugs, test workarounds or evaluate URL database consistency in the product (for a public attack at a beta product you better ask Symantec an help...).


After enrolling for the beta, the very first thing to do is download the OneCare Family Safety (OFS from here) and install it on all home PCs.
Then it's time to go online with a browser and reach the OFS Settings Manager, where I need to add my children accounts and decide how to practice my despotic control over my family (but with so much love):


I don't have children yet but let's imagine I have a 20 years-old son and a little 13 years-old daughter. OFS helps me monitor and protect both of them despite different needs and interaction with Internet they have.

For my brave son I want to allow maximum freedom, but remember him he's still young. So I allow his account to surf the whole Internet without limitations, but enable a warning screen when he reaches porn sites.

For my sweet little daughter I still want maximum protection, so I block all categories except Sexual Education (this is a default setting...I doubt a father would allow such category without being obliged with blackmail).
I also add a custom site to be blocked, MySpace, which I heard being so dangerous in these days.
Finally, I also enable web monitoring so anything my daughter will do, blocked or not, I will know:


Done. At this point I have absolutely nothing else to do: my home computers are protected by the OFS client so nobody can access Internet without logging in with his/her OFS account.
Obviously I installed the client with administrative permissions but my children don't use that Windows account to work on the machine (otherwise could be simple to vanish all my efforts).


The first one to approach the new locked machine is my son.
He logs in the OFS client and launch the browser. As configured is free to surf around but after few minutes his restless curiosity for the world brings him to a well-known porn site.
He receives the expected warning:


which quickly turns to be a very annoying remind because every single popup summoned by the porn site, is considered porn itself, and the warning window appears every 2 seconds.
He'll eventally give up, closing the browser and signing out from OFS client, embracing the hacking career within few months, just to have his free amount of daily obscene action.


It's time for my little daughter to sit in front of screen: she logs in the OFS client, opens the browser and the very first thing she tries to do is reaching last website my son visited, the porn one.
Luckily OFS recognized her and immediately block access:


The very second thing she tries is reaching a wonderful site to meet new friends, which she heard at school: MySpace.
As expected she gets another block but this time she's very committed to reach the site and create a permission request:


Few hours later, from the same computer, or remotely from the office, I will be able to see which sites she tried to visit:


and will be able to see and evaluate her request to reach MySpace:



Leaving the role of severe daddy and going back serious, I can say OneCare Family Safety is a very promising tool, filling a big void in current market offering, but has a couple of isses to be addressed:

• Users management
  The whole system works only if every family member has a Windows Live ID (the former Passport account), which obliges parents to create new mailboxes and provide passwords to children.
  This is a counter-sense considering the amount of malicious spam arriving by email every day.
  It's also very annoying and has could be a pain trying to use very old Passport accounts (I had to create a new one to perform this preview), even if they are supported.



• Speed
  Since all web requests have to be transmitted to Microsoft (or at least seems so) and verified against the defined policy before allowing the user to reach a site, there are moments where the navigation is unacceptablly slow, even on a 4MBits ADSL line.

When the final product will be released we'll see how wide its database will be and how smart the filtering engine will be blocking access to unallowed sites from browser and other applications.

Rainbow Table method works great with Windows password hashing algoritms. But it can be applied to other hashing algorithms, like the ubiquitous MD5.

A new website, Free Rainbow Tables, just started its business and the first offering is a great set of 36 tables for lower alphanumeric strings hashed with MD5, from 1 to 8 characters. For free obviously.

And it's just the beninning since creators developed a Windows distributed application to spend free computation time generating new or extended tables.

This year I'll be present at the italian event SMAU 2006.

I'll attend the October 6th day only, Friday (whole day), and I'd be happy to meet some Security Zero italian readers.
So if you partecipate at the exhibition look for me at the Microsoft booth, along with other Most Valuable Professionals (MVP).

See you there!