Thursday, 2 December 2010

Security Weekly News 02 December 2010 - Full List

Category Index

Hacking Incidents / Cybercrime

According to a recent study by the security firm Dasient, the number of malware infected websites has doubled from the 2009 levels and has crossed the mark
of 1.2 Million in Q3-2010.
Commenting on the issue, Dasient CEO, Neil Daswani stated that, during Q3-2009, nearly 560,000 were found to be infected with malware. He further added that,
although researchers were expecting the number to augment, the fact that it increased two fold was a shock, as reported by eWEEK on November 22, 2010.
Rather than just augmenting in terms of volume, malware has also modified its propagation techniques. Though spam and e-mail attachment techniques are still
popular, netizens getting infected without opening an attachment or link is becoming more popular.

* Iran says for first time that cyberbug caused problems
* Ahmadinejad says experts found out enemies of Iran
* Those enemies unable to create problems any more, he says
(Adds details, background)
TEHRAN, Nov 29 (Reuters) - Enemies of Iran used computer code to make 'limited' problems for centrifuges involved in uranium enrichment at some of its
nuclear sites, President Mahmoud Ahmadinejad said on Monday.
'They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,' he told reporters at
a media conference, the first time Iran has said a cyberbug affected its centrifuges.

Wikileaks Cablegate Attack
Yesterday morning, a DDoS attack temporarily disrupted traffic to Wikileaks hours ahead of the "Cablegate" release of leaked US documents. Wikileaks
announced the outage on a Facebook update and Twitter post around 11:00am EST while simultaneously derogating the attack and insisting "El Pais, Le Monde,
Speigel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down".

Recently, at Websense Security Labs, we have seen Facebook being used to display phishing pages for different services, as well as to redirect to phishing
pages hosted elsewhere. Below are two examples of what the phishing attempts look like:

Oficla downloads MBR Ransomware
We discovered a new ransomware threat which is downloaded by a Trojan of the Oficla family. This downloaded threat replaces the MBR (master boot record) of
the hard disk with its own MBR which asks the user for a password and thus blocks the loading of the operating system.
Upon starting the Oficla Trojan and successive execution of the downloaded payload the system will be rebooted and the user will be presented the ransom

Savannah, the open source software forge run by the GNU Project, is currently down following an SQL injection attack. According to a notice on the site, the
attack lead to the 'leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access'.
The developers say that 'While effort was made in the past to fix injection vulnerabilities in the Savane 2 legacy code base, it appears this was not
enough', adding that they're currently in the processes of reinstalling the system and restoring the data from a backup from the 23rd of November. All
changes between the 23rd and the 27th will be audited to see exactly what was compromised.

Unpatched Vulnerabilities

McAfee released Security Bulletin SB10013 this morning. The bulletin pertains to a potential code execution vulnerability for VirusScan Enterprise 8.5i and
earlier versions. According to McAfee, they are investigating the publicly disclosed security issue and will publish a hotfix as soon as the investigation
is complete. They have listed this with a Severity Rating of Medium.

Software Updates

Sun security updates
Just in case you missed this on Friday, Sun have released details of three vulnerabilities in Solaris components:
PERL 5.8 - Safe Perl Modules - Covers CVE-2010-1168
Apache - Apache Portable Runtime utility library - Covers CVE-2010-1623
BZIP2 - Integer Overflow vulnerability - Covers CVE-2010-0405

VMWare Security Advisory
It's an update for VMware ESX 4.1 without patch ESX410-201011001.
Here's the problem description right off of their website:
a. Service Console OS update for COS kernel package.
This patch updates the Service Console kernel to fix a stack pointer underflow issue in the 32-bit compatibility layer.
Exploitation of this issue could allow a local user to gain additional privileges.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-3081 to this issue.

But plugged firmly in latest release
Winamp media player users need to update their software following the discovery of multiple security holes, some of which provide a means to distribute
malware via booby-trapped media files.
Version 5.6 of the software for Windows fixes a critical integer overflow vulnerability in the 'in_nsv.dll' plug-in library that leaves users exposed to
viral attack - provided, of course, that they are first tricked into opening a maliciously constructed stream or media file. The update from developers
Nullsoft also addresses a potentially nasty, but probably less easy to exploit, bug involving the handling of midi files. The release also includes a number
of performance and stability tweaks.

Business Case for Security

With the US holiday season quickly approaching and the excitement being generated with topics like WikiLeaks and change to the US Government soon to take
place (new Speaker of the House, etc) I felt it might be a good time to gently remind our readers not to click too quick. Every year around this time we
start seeing a barrage of emails trying to trick unsuspecting recipients into getting the latest gossip or viewing that e-greeting card and the next thing we
know we have a whole bunch of new spam zombies or other backdoor trojans out clogging up the works. US-CERT has issued a reminder to this effect with some
really good advice on what to watch out for and things you need to know to protect your computer. So proceed with caution but have lots of fun.

Snow Go
A few people have asked me about what they should do regarding business continuity as a result of the recent heavy snow falls. I have pointed many of them
to the excellent business continuity plan template that the Department of Enterprise Trade and Employment published recently for the H1N1 flu virus and which
is equally applicable to the current weather conditions.
So why not take a look at your own organisation and try and figure out what would you need to have in place should some of your key staff be unable to get to
their place of work? Some key questions to ponder:
* How many concurrent remote users can your VPN support?
* If a large number of staff were to try to work from home on the same day would the VPN be able to cope with the traffic?
* Should you have a VIP VPN that can only be used by those staff in such scenarios?
* Do your staff have work laptops or PCs to work from home? If not how will you secure any data they may have on them while working from home?
* Can staff use alternative means to meet with clients, such as online conferences or conference call facilities?

Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am
preparing to handle more of such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided
to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged "PCI_Log_Review." It was written to be a complete and
self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis in order to enable them to
do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and
with any regulation or without any compliance flavor at all.

Security Awareness Topic #3 - Email and IM
- Attachments: Attackers often send infected attachments. We need to make end users aware of these attacks, that attackers send emails that build
trust with the victim, then fool them into clicking on the attachment. The behavior we need to change is to get people to think before opening attachments.
Was the attachment expected? If not sure, contact the sender or forward the email to your security team.
- Links: These attacks work by fooling end users into clicking on a link. The link then sends the user to a phishing site or a drive-by attack site, or has
them download and open an infected file (such as a .pdf). The behavior we need to change is to get people to think before clicking on links. Was the link
expected? If not sure, contact the sender or forward the email to your security team.
- Scams: These attacks fool people out of their information or money by simply asking for it (the classic lottery attack). The behavior we need to change
is if something sounds too good to be true, it probably is.
- Spear Phishing: For many high value organizations, they can be targeted or singled out by specific attackers. End users need to understand that attacks
can be customized specific to them and their organization.

ISO27001 - Keeping It Current
Many of our customers have committed the time and effort to become compliant with the ISO/IEC 27001:2005 standard. Following the 'resource intensive'
phase of the Information Security Management System (ISMS) implementation, it is of course crucial to review and refine all aspects of this system at
regular intervals.
As with other management standards, the Plan, Do, Check, Act cycle mandates a process of continual assessment and improvement to the information security of
your organisation.

Web Technologies

There are a million ways to do a code review, but there's one component that's common to all: a single developer critically examining code. So it makes sense
to ask what the data tells us about developers diving into code by themselves, without distraction and without discussion.
What are the best practices during quiet contemplation?
Focus Fatigue
How much time should you spend on a code review in one sitting?
Figure 18-1 maps how efficient we are at finding defects over time [Dunsmore 2000]. The horizontal axis plots time passing; the vertical is the average
number of defects a person found at this time index.
Figure 18-1. After 60‒90 minutes, our ability to find defects drops off precipitously

[WEB SECURITY] Cookie protection
Here are a couple of things I either know or assume are true:
1. HTTPS is better than HTTP for the safekeeping of cookies. Again, not that they can't be stolen, but that it takes a more concerted effort, and network
sniffing (e.g. 'Firesheeping') is rendered useless.
2. The SECURE cookie attribute, along with SSL, prevents the cookie from crossing encryption boundaries. This is fine, but wouldn't a modern browser
typically warn a user that something outside the encrypted session was requesting information?
3. The HTTPOnly cookie directive prevents scripts from seeing cookie contents. This can help to mitigate some XSS exploits, but not all. Also, not every
browser supports this directive, so you have to deal with that.
4. Encrypting a cookie doesn't really solve anything but to make the contents unreadable on an unencrypted connection. Consequently, outside of SSL, unless
there's some unique mechanism to both share/transmit a secret key to/with a specific user/browser, and a way for the browser to utilize that key for cookie
encryption, then stealing an encrypted cookie is as good as stealing a plain text cookie in terms of session hijacking. Any client-side encryption and/or
hashing mechanisms are essentially useless, as anything on the client side can be manipulated.
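The Secure and HttpOnly attributes discussed in points 2 and 3 are easy to audit from the server's own Set-Cookie headers. The following is an added example, not code from the mailing-list post; the three header values are constructed samples.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the original mailing-list post). It parses raw
Set-Cookie header values and reports which cookies lack the protections
discussed above. The sample headers below are constructed.
"""
from typing import Dict, List

# Constructed sample: three Set-Cookie headers as a server might send them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Expires=Wed, 01 Dec 2011 00:00:00 GMT",
    "auth_token=xyz789; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes.

    Attribute names are case-insensitive (RFC 6265, section 5.2), so 'HTTPONLY'
    and 'HttpOnly' are treated the same.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, over_https: bool = True) -> List[str]:
    """Return a list of findings for one Set-Cookie header (empty list = fine)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # where a passive sniffer (the 'Firesheep' case above) can read it.
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        # Without HttpOnly any injected script can read it via document.cookie.
        findings.append("missing HttpOnly: readable via document.cookie")
    if not over_https and "secure" in attrs:
        # A Secure cookie set on an HTTP response is never sent back by the
        # browser, so the flag hides a misconfiguration instead of protecting.
        findings.append("Secure set on an HTTP response: browser will drop it")
    return findings


def audit_all(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Audit every header; the result maps cookie name to its findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h, over_https) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```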

This post is long overdue. I will cover the current state of exception handling options within both ModSecurity and the OWASP Core Rule Set (CRS).
Exception Handling Methodologies
Before continuing with this blog post, I highly recommend that you review the blog post describing the Traditional vs. Anomaly Scoring Detection Modes. Your
detection operating mode will directly impact your exception handling options.
False Positives and WAFs
It is inevitable; you will run into some False Positives (FP) when using web application firewalls. This is not something that is unique to ModSecurity. All
web application firewalls will generate some level of false positives, especially when you first deploy them or when your application changes. Continuous
application profiling, where the WAF learns expected behavior helps to reduce FPs however negative security model (blacklist) rule sets will always generate
some level of FP as they have no idea what input is valid. The following information will help to guide you through the process of identifying, fixing,
implementing and testing new exceptions to address false positives within the OWASP ModSecurity CRS.
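As an added illustration of the exception styles the post refers to (this is not the author's configuration, and the rule id 900999, the /forum/post.php path and the "comment" parameter are hypothetical placeholders):

```apache
# Added example, not from the original post. Three ways to handle one false
# positive: a hypothetical CRS rule 900999 that fires on the "comment"
# parameter of /forum/post.php.

# 1. Blunt fix: disable the rule everywhere. Every request loses whatever
#    protection that rule provides, so this is rarely the right answer.
#    Must appear AFTER the CRS include that defines the rule.
SecRuleRemoveById 900999

# 2. Targeted fix: keep the rule but stop it inspecting one argument. The rule
#    still runs against every other parameter on every page.
#    Also placed after the CRS include.
SecRuleUpdateTargetById 900999 !ARGS:comment

# 3. Scoped at runtime: drop the rule only for one location. This runs in
#    phase 1, so it must be placed BEFORE the CRS include to take effect.
SecRule REQUEST_URI "@beginsWith /forum/post.php" \
    "phase:1,id:900001,pass,nolog,t:none,ctl:ruleRemoveById=900999"
```

Whichever form is used, re-run the request that produced the false positive and confirm in the audit log that only the intended rule stopped matching.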

Category: Vulnerability Writeups / Tags: csrf, google, google calendar, google vulnerability reward program, security
Google Calendar was vulnerable to a series of CSRF vulnerabilities. In two separate instances, I found that existing countermeasures (CSRF tokens) were not
being validated by the application.
Example #1
In the first instance, I found it was possible to add an arbitrary event to a user's calendar. I used Google Calendar's "quick add" feature: it allows users
to click on a space on the calendar and type in the name of an event, which adds it to the calendar. By monitoring the HTTP traffic between my browser and
Google, I determined that the calendar entry was being created by a GET request that looked something like this (I've broken up the URL for the sake of

After all the press around Wong Onn Chee and Tom Brennan's version of a HTTP DoS attack, I think people started taking HTTP DoS a tad more seriously. Yes,
there are lots of variants of HTTP based DoS attack, and I'm sure more tools will surface over time. The really interesting part is how both Apache and IIS
has disagreed that it is their problem to fix. So we are left to fend for ourselves. Enter mod_security (at least for Apache).
When I originally tested Slowloris against mod_security, it had no chance of solving the problem. I spoke with Ivan Ristic who said that it simply ran too
late (same thing with .htaccess, and many other things built into Apache). So the world was at a bit of a loss when the DoS originally came out. Now with the
latest changes in mod_security at least we now have a viable (non experimental) solution other than using alternate webservers, load balancers or networking
solutions. Very cool stuff!

One of the recent additions to the SSL Labs test was the detection of various chain issues. The feature is still marked as experimental, and it will remain
so until we conclude that the advice we give there is safe.
Certificate chains are a PKI feature that allows root certificate authorities to delegate the work of certificate signing. Roughly one half of all sites have
certificates that are signed by a trusted CA. Such sites need only provide the server's certificate in the handshake. The remaining half (of the sites) uses
intermediate certificates (usually only one; it is rare to see a site with more than one such certificate). Such sites need to provide all the intermediate
certificates in addition to the server's certificate

by Jeremiah Grossman
Each year the web security community produces a stunning amount of new hacking techniques documented in white papers, blog posts, magazine articles, mailing
list emails, etc. Within the thousands of pages are the latest ways to attack websites, web browsers, web proxies, and so on. We are NOT talking about
individual vulnerabilities with CVE numbers, nor any particular system compromise, but the actual new methods of Web-based attack. To keep track of all these
discoveries and encourage information sharing, the Top Web Hacking Techniques acts as both a centralized knowledge base and a way to recognize researchers
who contribute excellent work.
The selection process for 2010 will be a little different. Last year in 2009, where over 80 new attack techniques were recorded, the winners were selected
solely by a panel of distinguished security experts. This year we'd like you, the Web security community, to have the opportunity to vote for your
favorite research. From the voting results the most popular 15 entries will be those judged by our panel of experts on the basis of novelty, impact, and
overall pervasiveness to decide the Top Ten Web Hacking Techniques of 2010. Researchers topping the 2010 list may expect to receive praise amongst their
peers as have those in past years (2006, 2007, 2008, and 2009). Right now I'm working on a really cool set of prizes for #1.

XSS Exploitation demo

DVWA CSRF Exploitation demo

Network Security

Two years ago I published a table of Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora. Now that we've released Red Hat
Enterprise Linux 6, it's time to update the table. Thanks to Eugene Teo for collating this information.
Between releases there are lots of changes made to improve security and we've not listed everything; just a high-level overview of the things we think are
most interesting that help mitigate security risk. We could go into much more detail, breaking out the number of daemons covered by the SELinux default
policy, the number of binaries compiled PIE, and so on.
Note that this table is for the most common architectures, x86 and x86_64 only; other supported architectures may vary.

Top 25 SED Commands
Sed is a stream editor. A stream editor is used to perform basic text transformations on an input stream. While in some ways similar to an editor which
permits scripted edits (such as ed), sed works by making only one pass over the input(s), and is consequently more efficient. But it is sed's ability to
filter text in a pipeline which particularly distinguishes it from other types of editors.
Here are the top 25 SED commands voted by everyone

If you like monitoring, you might want to receive notifications at every (or only root) login, in addition to logs.
/etc/profile, bashrc, etc.
One can first think of a script in /etc/profile - I saw that solution on many websites - but it is wrong because the user can connect with ssh /bin/sh and it
will not run any login script. Also, this kind of login does not appear in last/wtmp but only in auth.log by sshd (because it's not considered as an
'interactive login').
Parse logs
Second solution is to parse the auth.log - for instance with SEC, Simple Event Correlator - and use a notify script. It should work, yet I prefer the third
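The second approach above, parsing auth.log rather than hooking /etc/profile, is shown here as an added example (not code from the original post). Because sshd writes an "Accepted ..." line for every authenticated session, it also catches the "ssh host /bin/sh" case that never runs a login script. The log lines are constructed samples.

```python
"""Turn sshd 'Accepted ...' lines from auth.log into login notifications.

Added example, not code from the original post. The log lines are
constructed samples; in production feed the tail of /var/log/auth.log.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample auth.log excerpt (one failure, three successes).
SAMPLE_AUTH_LOG = """\
Dec  2 09:14:05 gw sshd[2311]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
Dec  2 09:15:41 gw sshd[2350]: Accepted password for alice from 198.51.100.7 port 40100 ssh2
Dec  2 09:16:02 gw sshd[2366]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Dec  2 09:17:30 gw sshd[2380]: Accepted publickey for root from 192.0.2.10 port 50130 ssh2
""".splitlines()

# Matches the sshd success line written for every authenticated session,
# interactive or not: syslog timestamp, host, pid, auth method, user, source.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per successful sshd authentication; failures are skipped."""
    events = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def login_notifications(lines: Iterable[str], root_only: bool = False) -> List[str]:
    """Build the notification text for each login (optionally only for root)."""
    messages = []
    for ev in parse_logins(lines):
        if root_only and ev["user"] != "root":
            continue
        messages.append(
            f"{ev['ts']} {ev['host']}: {ev['user']} logged in via {ev['method']} "
            f"from {ev['src']}:{ev['port']} (sshd pid {ev['pid']})"
        )
    return messages


if __name__ == "__main__":
    # Hand each message to your notifier (mail, an SEC action script, etc.);
    # here the root-only view is simply printed.
    for msg in login_notifications(SAMPLE_AUTH_LOG, root_only=True):
        print(msg)
```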

I received an email from a private mailing list recently, asking for some help in reviewing the contents of a packet capture file:
"I have a 2.5 GB pcap file which I want to verify that it contains only encrypted content. [...] I'm wondering if anyone knows of a way that I can accomplish
this using Windump or some other Windows utility."
This kind of analysis happens frequently when performing a black-box pentest against a protocol. Over the years I've used a couple of techniques to evaluate
the content of packet captures to determine if the traffic is encrypted or just obfuscated.
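One such technique is byte-statistics scoring of the reassembled payloads: real ciphertext uses the byte alphabet almost uniformly, while XOR-style obfuscation keeps the skewed distribution of the underlying text. The following is an added example, not the author's own tooling; all payloads are constructed, with a SHA-256 chain standing in for ciphertext, and the thresholds are rules of thumb.

```python
"""Tell encrypted payloads from obfuscated or plaintext ones by byte statistics.

Added example, not the author's tooling. Feed it the reassembled TCP payloads
from a capture; here the samples are constructed (SHA-256 chain for
ciphertext, repeating-key XOR for weak obfuscation).
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, approaching 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def classify(data: bytes) -> str:
    """Coarse verdict; the thresholds are rules of thumb, not proofs."""
    if shannon_entropy(data) > 7.5:
        # Ciphertext (and compressed data) looks close to uniform random bytes.
        return "encrypted-or-compressed"
    if printable_ratio(data) > 0.9:
        return "plaintext"
    # Non-printable but far from uniform: a simple encoding or XOR preserves
    # the skewed byte distribution of the text underneath.
    return "obfuscated"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the typical 'obfuscation' seen in custom protocols."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pseudo_ciphertext(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples. A single-byte XOR key is a bijection on byte values, so
# it leaves the entropy of the plaintext exactly unchanged; a longer key raises
# it, but nowhere near the ciphertext level.
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: probe\r\n\r\n" * 40
XOR_ONE_BYTE = xor_with_key(PLAINTEXT, b"\x8a")
XOR_FOUR_BYTES = xor_with_key(PLAINTEXT, b"\x8a\x93\xa5\xb7")
CIPHERTEXT = pseudo_ciphertext(4096)

if __name__ == "__main__":
    for label, blob in [("plaintext", PLAINTEXT), ("xor1", XOR_ONE_BYTE),
                        ("xor4", XOR_FOUR_BYTES), ("cipher", CIPHERTEXT)]:
        print(f"{label:10} entropy={shannon_entropy(blob):.2f} "
              f"printable={printable_ratio(blob):.2f} -> {classify(blob)}")
```

Score each flow (or each direction of each flow) separately rather than the whole capture at once; a mostly encrypted session with a cleartext handshake will otherwise average out to an ambiguous value.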

Mobile Security

Is iPhone identifiable on WiFi network?
Your iPhone is very 'loud', disclosing not only its own identity (as an iPhone), but also your identity as well. I thought I'd list the various things it
When your iPhone connects to the wifi, it starts broadcasting a name like 'Robert Graham's iPhone'.
This name is created the first time you run iTunes. It takes your current account name on your computer XXX, then builds the name 'XXX's iPhone' for the
phone. This is often a person's full name or first name, though sometimes I see things like 'Administrator's iPhone'.

Popular web browsers today do not allow arbitrary websites to modify the text displayed in the address bar or to hide the address bar (some browsers may
allow popups to hide the address bar but in such cases the URL is then displayed in the title of the window). The reasoning behind this behavior is quite
simple: if browsers can be influenced by arbitrary web applications to hide the URL or to modify how it is displayed, then malicious web applications can
spoof User Interface elements to display arbitrary URLs thus tricking the user to thinking he or she is browsing a trusted site.
I'd like to call your attention to the behavior of Safari on the iPhone via a proof of concept demo. If you have an iPhone, browse to the following demo and
keep an eye out on the address bar

More holes in Palm's WebOS
Researchers Orlando Barrera and Daniel Herrera, who both work for security firm SecTheory, have discovered a gaping security hole in Palm's WebOS smartphone
operating system. According to a report from Dark Reading, the experts found the critical hole in the Contacts application of WebOS 1.4.x. Entries in the
'Company' field can apparently be exploited to inject malicious code. Barrera and Herrera managed to access such personal data as victims' emails, email
addresses and contacts, and were even able to install a key logger.


YouPorn is one of the most popular sites on the Web, with an Alexa ranking of 61. Those who visit the homemade-porn featuring site - essentially, a YouTube
for porn enthusiasts - are subject to scrutiny, though, of the Web tracking variety. When a visitor surfs into the YouPorn homepage, a script running on the
website checks to see what other porn sites that person has been to.
How does it work? It's based on your browser changing the color of links you've already clicked on. A script on the site exploits a Web privacy leak to
quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color "purple," meaning you've clicked
them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some
easy-to-break cryptography.*


The United States struck its first blow against WikiLeaks today after Amazon (NSDQ: AMZN) pulled the plug on hosting the whistleblowing website in an
apparent reaction to heavy political pressure. The main website and a sub-site devoted to the diplomatic documents were unavailable from the US and Europe on
Wednesday, as Amazon servers refused to acknowledge requests for data. The plug was pulled as the influential senator and chairman of the homeland security
committee Joe Lieberman called for a boycott of the site by US companies.
"(Amazon's) decision to cut off WikiLeaks now is the right decision and should set the standard for other companies WikiLeaks is using to distribute its
illegally seized material," he said in a statement. "I call on any other company or organization that is hosting WikiLeaks to immediately terminate its
relationship with them."


Autoruns for Windows v10.06
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run
during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run,
RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects,
Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web
Arachni is smart: it trains itself by learning from the HTTP responses it receives during the audit process. Unlike other scanners, Arachni takes into account
the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application's cyclomatic complexity.

TwitterPasswordDecryptor - First ever Twitter Password Recovery Tool
TwitterPasswordDecryptor is a FREE tool to instantly recover Twitter account passwords stored by popular web browsers. Most web browsers store the login
credentials for visited websites so that users don't have to remember and enter the password every time. Each of these web browsers uses its own proprietary
encryption mechanism to store the login passwords, including Twitter account passwords. TwitterPasswordDecryptor automatically crawls through each of these
browsers and instantly recovers all of the stored Twitter passwords.

UPDATE: Malware Analyzer v2.7
Malware Analyzer is an open source tool for analyzing malware. It can perform the following functions:
* String based analysis for registry, API calls, IRC commands, DLLs called and VMAware.
* Display detailed headers of PE with all its section details, import and export symbols etc.
* On distros, can perform an ASCII dump of the PE along with other options (check -help argument).

Runasil
Filed under: My Software, Windows 7, Windows Vista - Didier Stevens @ 9:56
Because I didn't find a program to start an application with a given integrity level from "Image File Execution Options", I wrote runasil.
The following command launches notepad.exe with a low integrity level, instructing notepad to open test.txt:
runasil.exe notepad.exe test.txt

Jreversepro
JREVERSEPRO is a Java Decompiler / Disassembler written entirely in Java. This reverse engineering utility is issued under the GNU GPL.
The ultimate objective of this project is to provide a decompiler that generates a Java object-based structure that can be programmatically inspected using a
specific API.
* The software is written 100% in Java, which means you can seamlessly integrate it with your Java applications.
* The .class files can be disassembled to examine the Java Virtual Machine (JVM) bytecode.
* Three flavours of the software - namely the Swing-based, AWT-based and command-line based UIs - are available, all with the same decompiling engine, for
people with different needs.
* The contents of the ConstantPool can be examined as a dialog in the Swing flavour.
* The command-line version now has the option to view the constant pool. Please see the FAQ for more details.


2010-11-26 - Nine out of ten UK contact centers do not understand the requirements and penalties of the Payment Card Industry Data Security Standard (PCI
DSS), according to research from communication solutions provider Connected World - although 37 percent judged themselves to be fully compliant with the PCI
A third of all contact center respondents claimed at best to be years away from full PCI DSS compliance, with a fifth stating that their processes will never
be in full accordance with the standard's stringent requirements.
PCI DSS Requirements for telephony payments are stringent and regarded as one of the most challenging aspects for contact centers to comply with. More than a
quarter of survey respondents (28 percent) said they had some safeguards in place to protect sensitive data but felt they would benefit from tighter security
measures to better protect their customers.

A leading Mozilla executive has attacked Google, Apple and Microsoft for installing browser plugins without permission.
Asa Dotzler, the co-founder of the Spread Firefox project and a member of Mozilla's leadership team, claims all three of the 'evil' computing giants are
installing plugins into Firefox without users' prior permission.
'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Dotzler
asks on his blog.

OSK-E3 proved useless
The credibility of photographic evidence becomes vital in numerous situations for insurance companies and courts, as they may accept digital image as
indisputable evidence if it can be proven genuine. However, the discovered vulnerability in Canon Original Data Security system proves that verification data
can be forged and, thus, the whole verification system cannot be relied upon.
In brief, modern DSLR (Digital Single-Lens Reflex) cameras produced by Canon feature Original Data Security system which is meant to securely validate the
authenticity of image data and prove image genuineness. Accordingly, one can use OSK-E3 (Canon Original Data Security Kit) which comprises smart card and
special software to verify a digitally signed image.
ElcomSoft discovered the vulnerability which allows producing images that will be positively validated by Canon's own Original Data Security Kit (OSK-E3)
regardless of whether or not the images are, in fact, genuine.

By two teenagers:
Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn't delete the account; that's the point.
She knows that when she logs back in, she'll be able to reactivate the account and have all of her friend connections back. But when she's not logged in, no
one can post messages on her wall or send her messages privately or browse her content. But when she's logged in, they can do all of that. And she can delete
anything that she doesn't like. Michael Ducker calls this practice "super-logoff" when he noticed a group of gay male adults doing the exact same thing.


When Wikileaks released thousands of classified US diplomatic cables this week, a familiar criticism was repeated by the project's foes: these leaks could
harm innocent people. There's no evidence of that yet, but within the documents there is evidence the American government has harmed innocent people.
One of them is Khaled El-Masri, a German citizen of Lebanese descent, and a victim of so-called 'extraordinary rendition.' He was a car salesman in Germany,
a father of six. The CIA kidnapped him by mistake (his name sounds and looks identical to that of an actual terror suspect), and sent him off to receive months
of torture in Afghanistan.
When the CIA realized he was innocent, he was flown to Albania and dumped on a back road without so much as an apology.


How Alice and Bob got married

What is Cloud Computing?