Thursday, 20 January 2011

Security Weekly News 20 January 2011 - Summary

In case you missed it, I recently put together a quick blog post on how to fix Skype when the call button is disabled and won't let you ring anybody.

Feedback and/or contributions to make this better are appreciated and welcome.
Highlighted quotes of the week:
"'We accept the risk' shouldn't be magic words that exempt you from basic infosec practices. If they are, your org is doing it wrong." - Aloria
"We have seen attackers that have been there [inside organizations] for months and years" - Sean Coyne
"It takes a security breach to make an organization start to understand security" - Josh Abraham
"a data-breach isn't the worst thing in the world. hell you might just learn something or start understanding security..." - Josh Abraham
"'Keyless systems on cars easily hacked' ok so I appreciate people doing cool research and finding vulns but is this really a surprise?" - David Rook
"Okay, if you are using Javascript to validate passwords, don't use a function that fails on pasted passwords." - Rich Mogull
"As exhaustion nears, APNIC reclaiming old, unused IPv4 allocations - over 200 netblocks in past week. Are you IPv6 ready?" - Team Cymru

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Wireless Security, Forensics, Cloud Computing, Privacy and human rights, Mobile Security, Physical Security, General, Tools, Funny
Highlighted news items of the week (No categories):
Not patched: Firefox 4, A Huge Pile of Bugs, ICQ can be fed crafted updates
Updated/Patched: Oracle patches 66 vulnerabilities, AST-2011-001: Stack buffer overflow in SIP channel driver, Sybase plugs holes in Application Server, Tor project releases update to close critical hole, Mono developers close security hole
Although this is very funny, I have to praise Gareth Heyes for summarising so well the overall feeling about HTML 5 in the security community: the new HTML version will bring numerous attack opportunities:
HTML 5 logo  [www.businessinfo.co.uk]
 
Top Performers Invest More Annually in Their Application Security Initiatives, but Realize a Higher Return by Identifying and Remediating More Vulnerabilities Prior to Deployment
In the finale of a four-part study on application security by Aberdeen, a Harte-Hanks Company (NYSE: HHS), Aberdeen's analysis of companies adopting the 'secure at the source' strategy -- i.e., the integration of secure application development tools and practices into the software development lifecycle, to increase the elimination of security vulnerabilities before applications are deployed -- found that they realized a very strong 4.0-times return on their annual investments, higher than that of both the 'find and fix' and 'defend and defer' alternative approaches. Although the secure at the source approach is currently the least common to be implemented, Aberdeen's research confirms that it is maturing and transitioning from early adoption to mainstream use.
As part of its benchmarking process for the Security and the Software Development Lifecycle: Secure at the Source report, Aberdeen adapted a simplified version of the Microsoft Software Development Lifecycle (SDL) as a yardstick for measuring current practices. 'To be clear, few companies may be in a position for full-scale adoption of the Microsoft SDL framework -- nor would they necessarily want to do so,' said Derek Brink, vice president and research fellow for IT Security, Aberdeen Group. 'In Aberdeen's view, the pragmatic approach is to leverage the best features of the Microsoft SDL as they apply to your organization, just as one would leverage the best of any other time-tested industry standard. Discard the rest.'
 
The company released the results of a new study which it says shows that large enterprises are still relying on traditional password policies as opposed to stronger two-factor authentication technologies.
Two-thirds (67 per cent) of large North American organizations have not implemented two-factor authentication for the partners and contractors that access their corporate network, according to a Symantec Corp. report.
The study which polled 306 large enterprises was conducted by Forrester Research Inc. on behalf of the security giant. The respondents included companies from both Canada and the U.S., with all of the companies employing at least a thousand people and 30 per cent of the organizations comprising more than 5,000 employees.
 
The recent security breaches on the Fine Gael and DUP websites have once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is "how do I ensure my company is secure?". Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
 
Security Art's Iftach Ian Amit discusses targeted attacks and how you should go beyond just technology to defend against them.
Some people might be surprised to hear that most targeted attacks aren't directed at a specific individual or item of equipment. Although some strive to reach such victims, normally they focus on a small group of individuals or systems in order to carry out their task.
Targeted attacks are also tasked with greater goals than a traditional attack. For instance, they may intend to steal specific documentation, access custom systems, control or modify information, etc., but they're not actually that technologically different from 'traditional' attacks.
In my experience of the clients we have helped at Security Art, some attacks do utilize some of the most ingenious technologies and techniques. But at the end of the day, when you scrape off the 'cool cloak' (custom hiding techniques to make the code bypass security technologies), you realize that we are still dealing with the same vulnerabilities, and the same rootkit and Trojan techniques.
 
The EU's 'cyber security' Agency ENISA, (the European Network and Information Security Agency) has today issued a report on Data Breach Notifications. The EU data breach notification (DBN) requirement for the electronic communications sector in the ePrivacy Directive (2002/58/EC) is vital to increase in the long term the level of data security in Europe. The Agency has reviewed the current situation and identified the key concerns of both the telecom operators and the Data Protection Authorities (DPA)s in its new report.
Recent high profile incidents of personal data loss in Europe have prompted wide discussion about the level of security applied to personal information shared, processed, stored and transmitted electronically.
The Executive Director of the Agency, Prof. Udo Helmbrecht, commented:
'Gaining and maintaining the trust of citizens that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe.'
 
By mid-2010, Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.
Unsurprisingly, this massive and committed user base is heavily targeted by scammers and cybercriminals, with the number and diversity of attacks growing steadily throughout 2010 - malware, phishing and spam on social networks have all continued to rise in the past year, with a Sophos survey finding that:


Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):
 
 
You often read about people who use many different security applications to protect their systems. Not only anti-virus, anti-spyware, firewall, HIPS, ..., but also some other tools like anti-keyloggers, ... And sometimes, when they argue about the additional protection such tools bring, you can read the following: "it does no harm...".
Well, this time, I've a clear example where using a supplemental security tool does harm, even when it adds real protection.
When installed, this tool (which I'm not going to name here because of SEO reasons) installs a Windows Explorer shell extension (we've discussed the risks of these shells before). The problem with this tool's shell extension (a DLL) is that it is compiled without the dynamic base flag set. In other words, it doesn't support ASLR.
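As an added example (not code from the original post or from the tool it describes), here is a C check that reads a module's PE headers and reports whether it was linked with the dynamic base flag, which is what the Windows loader needs in order to apply ASLR; the sample header builder is a constructed stand-in for a real DLL, and the flag values are the documented IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_FILE_RELOCS_STRIPPED constants.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_DYNAMIC_BASE    0x0040u  /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: linked with /DYNAMICBASE */
#define PE_RELOCS_STRIPPED 0x0001u  /* IMAGE_FILE_RELOCS_STRIPPED: image cannot be rebased at all */

/* Little-endian field readers, so the check works regardless of host byte order. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum aslr_status { PE_INVALID = -1, PE_NO_ASLR = 0, PE_ASLR = 1 };

/* Walk DOS header -> PE signature -> COFF header -> optional header and read
 * DllCharacteristics (offset 70 in both the PE32 and PE32+ optional headers).
 * PE_ASLR:    DYNAMIC_BASE set and relocations present, so the loader can rebase it.
 * PE_NO_ASLR: the module will always load at its preferred base address.
 * PE_INVALID: buffer too short or not a PE image. */
enum aslr_status pe_aslr_status(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return PE_INVALID;
    uint32_t pe_off = rd32(buf + 0x3C);                     /* e_lfanew */
    /* need signature (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return PE_INVALID;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return PE_INVALID;
    const unsigned char *coff = buf + pe_off + 4;
    uint16_t opt_size   = rd16(coff + 16);                  /* SizeOfOptionalHeader */
    uint16_t file_chars = rd16(coff + 18);                  /* Characteristics */
    if (opt_size < 72) return PE_INVALID;
    const unsigned char *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return PE_INVALID; /* PE32 / PE32+ only */
    uint16_t dll_chars = rd16(opt + 70);                    /* DllCharacteristics */
    if (!(dll_chars & PE_DYNAMIC_BASE)) return PE_NO_ASLR;
    if (file_chars & PE_RELOCS_STRIPPED) return PE_NO_ASLR; /* flag set, but nothing to relocate */
    return PE_ASLR;
}

/* Constructed sample: a minimal, truncated PE header (not a real DLL) so the check
 * can be exercised offline. Returns bytes written, or 0 if the buffer is too small. */
size_t build_sample_pe(unsigned char *buf, size_t len, uint16_t dll_chars, uint16_t file_chars)
{
    const size_t need = 0x40 + 4 + 20 + 72;
    if (len < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                       /* e_lfanew: PE header follows DOS header */
    memcpy(buf + 0x40, "PE\0\0", 4);
    unsigned char *coff = buf + 0x44;
    coff[16] = 72;                                          /* SizeOfOptionalHeader (sample is truncated) */
    coff[18] = (unsigned char)(file_chars & 0xff); coff[19] = (unsigned char)(file_chars >> 8);
    unsigned char *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                           /* Magic 0x10b = PE32 */
    opt[70] = (unsigned char)(dll_chars & 0xff); opt[71] = (unsigned char)(dll_chars >> 8);
    return need;
}

/* Stand-alone use: report the ASLR status of a module header read from disk. */
int main(int argc, char **argv)
{
    unsigned char hdr[4096];
    if (argc < 2) { fprintf(stderr, "usage: %s module.dll\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    switch (pe_aslr_status(hdr, n)) {
    case PE_ASLR:    printf("%s: DYNAMIC_BASE set, ASLR-capable\n", argv[1]); return 0;
    case PE_NO_ASLR: printf("%s: NOT ASLR-capable (no DYNAMIC_BASE or relocations stripped)\n", argv[1]); return 1;
    default:         printf("%s: not a valid PE image\n", argv[1]); return 2;
    }
}
```

Run it over every DLL loaded into explorer.exe (or any other long-lived process) to find the one module that pins the whole process to a predictable layout.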
 
Researchers provide rare inside peek at the exfiltration methods used in targeted attacks
Incident-response experts specializing in targeted, advanced persistent threats (APTs) here today revealed some common exfiltration techniques by these typically nation-state sponsored attacks.
It's difficult to know for sure just how many APT attacks actually occur -- mainly because victim organizations aren't required to report them as long as customer data isn't breached, and many prefer to keep it under wraps. 'A large percentage of organizations don't report it to law enforcement. They want to remediate, keep it quiet, and move on,' says Sean Coyne, a consultant with Mandiant. 'We have seen attackers that have been there [inside organizations] for months and years,' for example, he says.
 
Netflow for Incident Response  [blogs.cisco.com]
This is the fourth part in the series "Missives from the Trenches." (Here are the (first), (second), and (third) parts of the series.) In today's blog post we will be discussing Cisco IOS Netflow. Netflow has an interesting position as being both the most useful and least used tool. When meeting with other companies I often ask them "do you use Netflow?" By asking this question I am actually asking several different questions: Do you care about the security of your site? Or do you have any hopes of managing/responding to events at your site? Answers to these questions unfortunately tend to be as follows: What is Netflow? The network guys use it but we don't. I think we capture it somewhere but not really sure where - and so on. I then mention that Netflow is free, they don't have to buy anything to start using it, and it's used for every large case we do. At that point they start looking angrily at the sales engineer asking why this is the first they are hearing about it. So what is Netflow and why does Cisco CSIRT say it's critical to daily event management? Read on to find out!
 
Cisco Systems is beefing up wireless transaction security with new software features for its Wi-Fi access points. The vendor says the changes add needed protection over and above that mandated by the Payment Card Industry (PCI) standard.
 
VABL 101  [www.infiltrated.net]
The VoIP Abuse Blacklist has been a work in progress as I sought a mechanism to document attackers. With that said, the new layout will hopefully be more beneficial to PBX administrators. Rather than reinvent wheels, VABL looks up an attacker's information via Shadowserver's lookup and appends three new fields: type of attacker, address and the letters VABL and a number dialed (when appropriate).
The type of attacker field may make the biggest difference to those who decide to use this list. There are two specific entries that will appear: BRU, ADN and COM. BRU means that the host attempted to bruteforce a PBX while COM signifies that the attacker managed to compromise either a honeypot or a live machine. ADN is when an attacker places a call and is short for Attacker Dialing Numbers. Whenever you see an entry with ADN, there will be an additional field at the end with the number dialed by the attacker appended to it.
 
The impact of IPv6 on message filtering systems  [www.emailsecuritymatters.com]
An interesting article was posted on Slashdot in December:
"As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."
In the short term, this is definitely going to be a problem for email security companies that rely strongly on DNSBLs or reputation-based systems.


Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):
 
Top Ten Web Hacking Techniques of 2010 (Official)  [jeremiahgrossman.blogspot.com]
Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. Now in its fifth year the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.
 
Spot the Vuln - Sleep  [blogs.sans.org]
It is a common experience that a problem difficult at night is resolved in the morning after a committee of sleep has worked on it.
- John Steinbeck
 
Spot the Vuln - Vegetables  [blogs.sans.org]
People need trouble - a little frustration to sharpen the spirit on, toughen it. Artists do; I don't mean you need to live in a rat hole or gutter, but you have to learn fortitude, endurance. Only vegetables are happy.
- William Faulkner
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Application availability

The criticality of the application, who will be accessing it, and whether any service level agreements (SLAs) apply need to be identified. This section goes hand in hand with the criticality of the application. If there is a need for 99.9% uptime then consideration should be given to hosting the application within a data center environment (owned by you or hosted in a 3rd party data center) with redundant power (UPSs and generators), failover network equipment, interconnections, etc., rather than hosting the application on a developer's desk, on the same breaker as the coffee maker and connected to a shared hub.

- All the infrastructure components involved in each data flow should be understood. For example, are there any single points of failure within the application data flow, such as only one network firewall, web server, router or internet connection?

- If there are SLAs or a need for constant uptime, failover for the network equipment and load balancers that distribute load across many web or application servers should be considered.

- Additional consideration should be given to the bandwidth requirements of the application: will it carry a constant load, or will there be spikes of usage at certain times? The bandwidth the application needs should be estimated so that spikes in usage can be planned for, ensuring there isn't any packet loss under excessive load, such as during a nightly batch process or the seasonal load on a shopping site during Christmas. Total bandwidth should also be considered at every point along the application's data flow. For example, are business partner servers accessing this application over a segment that is already over-utilized?

- Latency should also be considered. For example, will this application, housed in a data center in North America, be accessing databases in Singapore over an MPLS VPN?

Source: link

Have a great week and weekend.

Security Weekly News 20 January 2011 - Full List

Category Index

Hacking Incidents / Cybercrime
 
The European Union locked all accounts in its carbon market today, after a security breach, seeking to protect the battered reputation of the EU's main weapon against climate change.
The United States, Japan, and Australia have all delayed implementing similar cap-and-trade programs, and the latest glitch to the EU system could detract further from carbon trading as a global policy.
The trading scheme limits the carbon emissions of all big EU factories and power plants by issuing permits for each tonne of carbon emitted, which companies can then trade among themselves.
 
Trapster is an online service that notifies users of road hazards and helps them avoid speeding tickets. Now it has notified its users of a possible compromise to over 10 million email addresses and passwords -- that number is based upon the posted total users on the site.
 
A former TSA worker has been found guilty and has been sentenced to two years in prison and a $60,587.07 fine to be paid to the TSA.
He was accused of tampering with the agency's databases and trying to inject malicious code into a server containing the Terrorist Screening Database.
 
Spammers have exploited a cPanel vulnerability at a hosting company in order to abuse high profile domains belonging to educational, financial and public institutions.
The compromises began in April 2010 at Hostmonster, a Utah-based hosting company owned by Bluehost, and lasted until earlier this month.
Bluehost co-founder Danny Ashworth told Krebs on Security that an attacker exploited the vulnerability to create rogue subdomains on dozens of domain names hosted by the company.
The subdomains pointed to pages used in black hat search engine optimization (BHSEO) campaigns to poison search results.
This method involves creating pages filled with keywords for a particular search topic, a technique referred to as keyword stuffing, on domains with a solid PageRank.
 
Vodafone Customer Database Breached  [www.liquidmatrix.org]
It appears that Vodafone had a rough go of things over the weekend. Apparently a ne'er-do-well breached their 'secure' customer database. No news as to the extent of the damage as a result.
 
Fine Gael's general election campaign got off to a disastrous start last week when hackers broke into its new website.
Days after the party launched the new site, the personal details of 2,000 members of the public were accessed, resulting in investigations by the gardaí and the FBI.
Before the attack, data privacy experts had expressed concern about the site's compliance with data protection regulations.
Fine Gael billed the new website as ''the biggest consultation exercise to date with the Irish electorate''.
 
A Trojan that tries to obstruct cloud-based antivirus technology present in major AV solutions offered by Chinese security firms is targeting users by posing as a video player and other popular software.
According to Microsoft's researchers, the attackers use social engineering techniques to get the victims to install the Trojan - called Bohu - on their system.
 
A ransomware-based malware scam allowed Russian cybercrooks to fleece an estimated 2,500 surfers to the tune of almost $30k.
Unwary smut-seekers visiting a porno site found their machines disabled by a Trojan. They were told to solve the problem by sending an SMS to a premium-rate number at a cost of $12 (360 roubles), and a substantial minority did so.
 
An office server on which New Hampshire Seacoast Radiology had stored sensitive personal and medical information of more than 230,000 patients was breached in November by hackers who used its bandwidth to play Call of Duty: Black Ops.
 
First Fine Gael, now the DUP. The website of the largest unionist party in Northern Ireland was hacked yesterday by an Irish language activist who replaced the text of the front page with an Irish message saying party leader Peter Robinson supported the Irish Language Act.
The genuine website, now restored, contains a message from assembly member Michelle McIlveen criticising a bilingual consultation on road traffic signs as "a costly waste of money".
 
Credit card fraud figures worthless  [connexionfrance.com]
An inquiry has found that online frauds have been hugely underestimated because police and gendarmes were not registering complaints properly.
Statisticians said that official figures for frauds were worthless, as many crimes had not been registered and the figures were much lower than the real rate of crime.
The Observatoire National de la Délinquance et des Réponses Pénales (ONDRP) estimated that between 5,000 and 10,000 complaints had disappeared.
 
It has long been clear that a lot of grey matter was exercised in creating Stuxnet. It is equally clear that the highly expert team behind the worm was not simply showing off Windows exploits on Siemens manufacturing control systems, but intended to destroy centrifuges used for uranium enrichment.
 
ATM Skimmers, Up Close  [krebsonsecurity.com]
Recently, I found a guy on an exclusive online scammer forum who was hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and steal ATM card and PIN data from bank customers. I wasn't sure whether I could take this person seriously, but his ratings on the forum - in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions - were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Unpatched Vulnerabilities
 
Firefox 4, A Huge Pile of Bugs  [it.slashdot.org]
'Firefox 4.0 beta 9 (AKA 'a huge pile of awesome') was released on January 14, 2011. Firefox 4's release schedule includes a beta 10 and a release candidate before the final launch in late February. However, one wonders if this schedule won't slip again, since there are still more than 100 'hardblocker' bugs, more than 60 bugs affecting Panorama alone and 10 bugs affecting the just-introduced Tabs-on-Titlebar. Some long-standing bugs won't be fixed in time for Firefox 4 final either (example, example). Many startup bugs are currently pending, although Firefox 4 starts much faster than Firefox 3.6. As a side note, it's unlikely that Firefox 4 final will pass the Acid3 test, despite this being a very popular demand amongst Firefox enthusiasts. Perhaps we'll have to wait until Firefox 4.1 to have this 'huge pile of bugs' (mostly) fixed.'
 
ICQ can be fed crafted updates  [www.h-online.com]
Because the Instant Messaging client ICQ fails to verify the authenticity of updates downloaded from the web, it is possible to substitute trojans for genuine updates. An attacker would, however, need to be able to reroute the resolution of the IP address for update.icq.com to his own server by, for example, interfering with the router or cache poisoning the DNS server.

Software Updates
 
As part of its January patch update, Oracle has released security updates for a number of products. The Critical Patch Update addresses vulnerabilities in, for example, the company's database server, Application Server, WebLogic Server, PeopleSoft Enterprise and Open Office.
Oracle gives vulnerabilities in Solaris, Fusion Middleware and Audit Vault a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible level of severity. The company advises all users to install the updates as soon as possible.
 
When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.
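Added example, not Asterisk's own code: a simplified C URI encoder showing the defect class the advisory describes (an encoder that never consults its output buffer size) beside a bounds-checked version that reports the length it would have needed; the character table, function names and caller ID strings are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Unreserved characters are copied through; anything else is escaped as %XX.
 * A simplified rule set for illustration, not Asterisk's own table. */
static int uri_safe(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.' || c == '~';
}

/* BEFORE (the defect class the advisory describes, kept only for contrast and
 * called only with oversized buffers): the writer never consults the size of
 * 'out'. Caller-controlled caller ID full of characters that need escaping
 * expands 3x and runs straight past a fixed-size stack buffer. */
void uri_encode_unchecked(const char *in, char *out)
{
    for (; *in; in++) {
        if (uri_safe((unsigned char)*in)) *out++ = *in;
        else out += sprintf(out, "%%%02X", (unsigned char)*in);
    }
    *out = '\0';
}

/* AFTER: every write is checked against the space left in 'out'. A %XX triple
 * is emitted only when all three bytes plus the terminating NUL fit, output
 * stops at the first character that does not fit (no holes), and the buffer is
 * always NUL-terminated. Returns the length the complete encoding would need
 * (snprintf-style), so a caller detects truncation with ret >= outlen. */
size_t uri_encode_safe(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need = 0, pos = 0;
    int full = (outlen == 0);
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t w = uri_safe(c) ? 1 : 3;
        need += w;
        if (full || pos + w >= outlen) { full = 1; continue; } /* count, don't write */
        if (w == 1) {
            out[pos++] = (char)c;
        } else {
            out[pos++] = '%';
            out[pos++] = hex[c >> 4];
            out[pos++] = hex[c & 0x0f];
        }
    }
    if (outlen > 0) out[pos] = '\0';
    return need;
}

/* Harness: encode into a buffer of 'outlen' bytes that is followed by a canary
 * byte, and report 1 if the canary survived and the result is NUL-terminated
 * inside the buffer, 0 otherwise (-1 if the request does not fit the harness). */
int safe_encode_keeps_canary(const char *in, size_t outlen)
{
    char buf[64];
    if (outlen == 0 || outlen + 1 > sizeof buf) return -1;
    memset(buf, 'A', sizeof buf);               /* 'A' is the canary pattern */
    uri_encode_safe(in, buf, outlen);
    return buf[outlen] == 'A' && strlen(buf) < outlen;
}

/* Stand-alone demo with a constructed caller ID string that needs heavy escaping. */
int main(void)
{
    const char *callerid = "\"Alice O'Brien\" <sip:alice@example.invalid>"; /* constructed sample */
    char out[32];
    size_t need = uri_encode_safe(callerid, out, sizeof out);
    printf("encoded : %s\n", out);
    printf("needed %zu bytes, buffer %zu -> %s\n", need, sizeof out,
           need >= sizeof out ? "truncated: reject the input or grow the buffer" : "complete");
    return 0;
}
```

The return value is the point of the fix: a caller that ignores it still gets a terminated, in-bounds string, and a caller that checks it can refuse a caller ID that would not fit instead of silently sending a mangled URI.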
 
A security update to EAServer from the SAP company Sybase closes two vulnerabilities that could be remotely exploited. According to the manufacturer's report, attackers could exploit a directory traversal vulnerability to read arbitrary files on the server. Sybase states that it would also be possible to install unauthorised web services on EAServer, making it possible to gain control of the server.
 
The developers of the Tor (The Onion Routing project) anonymisation solution have released version 0.2.1.29 to close a hole that can be remotely exploited. According to the developers, the problem is caused by a heap overflow. Version 0.2.1.28, which was released in late December, had already fixed another heap overflow in Tor. This flaw could be exploited to remotely crash Tor and the developers didn't rule out that it could also have been exploited to inject and execute arbitrary code.
 
A flaw in the web server components of the free Mono .NET clone potentially allows ASP.NET applications to supply source code or other files from the web server's application directory. Mono 2.8.2 fixes this as yet unexplained bug. Affected components on the project's vulnerability list include the XSP web server and the mod_mono Apache module. Both of these execute ASP.NET code.

Business Case for Security
 
Top Performers Invest More Annually in Their Application Security Initiatives, but Realize a Higher Return by Identifying and Remediating More Vulnerabilities Prior to Deployment
In the finale of a four-part study on application security by Aberdeen, a Harte-Hanks Company (NYSE: HHS), Aberdeen's analysis of companies adopting the 'secure at the source' strategy -- i.e., the integration of secure application development tools and practices into the software development lifecycle, to increase the elimination of security vulnerabilities before applications are deployed -- found that they realized a very strong 4.0-times return on their annual investments, higher than that of both the 'find and fix' and 'defend and defer' alternative approaches. Although the secure at the source approach is currently the least common to be implemented, Aberdeen's research confirms that it is maturing and transitioning from early adoption to mainstream use.
As part of its benchmarking process for the Security and the Software Development Lifecycle: Secure at the Source report, Aberdeen adapted a simplified version of the Microsoft Software Development Lifecycle (SDL) as a yardstick for measuring current practices. 'To be clear, few companies may be in a position for full-scale adoption of the Microsoft SDL framework -- nor would they necessarily want to do so,' said Derek Brink, vice president and research fellow for IT Security, Aberdeen Group. 'In Aberdeen's view, the pragmatic approach is to leverage the best features of the Microsoft SDL as they apply to your organization, just as one would leverage the best of any other time-tested industry standard. Discard the rest.'
 
Ah, passwords. Love 'em or hate 'em, they're a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better.
Of course we frequently don't do this because of all sorts of human factors such as convenience, memory or simple unawareness of the risks. Still, when it's a case of individuals electing not to create secure passwords, they really only have themselves to blame.
But what happens when the website won't allow you to create a secure password? Or at least when they severely constrain your ability to create long, random, unique passwords? And what about when they don't allow you to send it between your computer and their server securely?
 
The recent security breaches on the Fine Gael and DUP websites have once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is "how do I ensure my company is secure?". Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
 
Why is the planning phase of ISO 27001 so important?
If you don't plan your information security activities carefully, chances are you will miss something important - and that will cost you. This is why ISO 27001 defines very precisely the various steps in the planning phase - the purpose is to set clear direction, but also to take into account everything that can cause security incidents.
According to ISO 27001, the planning phase is rather complex and requires several documents and activities to be done. Risk assessment and treatment are the central part of the planning phase - they set the ground for the implementation phase, by defining which security controls are applicable.
 
By mid-2010, Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.
Unsurprisingly, this massive and committed user base is heavily targeted by scammers and cybercriminals, with the number and diversity of attacks growing steadily throughout 2010 - malware, phishing and spam on social networks have all continued to rise in the past year, with a Sophos survey finding that:
 
Getting Ready for PCI 2.0 Compliance  [www.esecurityplanet.com]
The latest version of the Payment Card Industry Data Security Standard (PCI DSS v2.0) went into effect on January 1, 2011. If you work for an entity that stores, processes, or transmits credit card data in electronic form, then your organization is required to comply with the standard or risk disciplinary action: being fined for lack of compliance by the acquiring bank or, in very extreme cases, no longer being allowed to accept credit card payments.
If your company's been in business a while, PCI and PCI compliance are nothing new. The standard has been around since December 2004 and the individual card brand compliance programs that form the basis of PCI have been in place even longer. Chances are your company has already been through a few PCI DSS assessment cycles and you have a few successful RoCs (reports on compliance) under your belt. However, you may be wondering if the changes in the recently issued v2.0 of the standard will change your compliance process or require new controls or procedures in order for your organization to be compliant. In this short overview, we'll take a look at the differences between v1.2.1 and v2.0 of the PCI DSS and what, if anything, that will mean to your company.
 
Officials today revealed that the 'Advanced Persistent Threat' (APT) has been completely defeated by vendor marketure, analyst/pundit tweets, and PowerPoint presentations.
'APT is dead. Totally gone. The term APT is meaningless now' revealed a senior official under the condition of anonymity, as he was not authorized to discuss the issue with the press -- as if anyone believes that anymore.
 
A great deal of online commerce, speech, and socializing supposedly happens over encrypted protocols. When using these protocols, users supposedly know what remote web site they are communicating with, and they know that nobody else can listen in. In the past, this blog has detailed how the technical protocols and legal framework are lacking. Today I'd like to talk about how secure communications are represented in the browser user interface (UI), and what users should be expected to believe based on those indicators.
The most ubiquitous indicator of a 'secure' connection on the web is the 'padlock icon.' For years, banks, commerce sites, and geek grandchildren have been telling people to 'look for the lock.' However, the padlock has problems. First, it has been shown in user studies that despite all of the imploring, many people just don't pay attention. Second, when they do pay attention, the padlock often gives them the impression that the site they are connecting to is the real-world person or company that the site claims to be (in reality, it usually just means that the connection is encrypted to 'somebody'). Even more generally, many people think that the padlock means that they are 'safe' to do whatever they wish on the site without risk. Finally, there are some tricky hacker moves that can make it appear that a padlock is present when it actually is not.
 
A-class pwnage goes mainstream  [blog.remes-it.be]
Some people still don't believe a company can get owned from the inside. There are no specific secrets that, when divulged, can bring the company down. When a server gets owned, let's reinstall it and move on. Yesterday the Belgian TV program "Basta!" showed a tell-tale example of how people with dedication and enough time/budget can do anything they want to bring a company down.
I suppose they are a plague worldwide: telephone games. An annoying presenter shows a riddle and people can call in with the solution (or a wild guess) and can win exuberant amounts of money. The trick is that people rarely find the answer, especially with the mathematical riddles. The "Basta!" team decided to take them on.
 
The company released results of a new study which it says shows large enterprises are still relying on traditional password policies as opposed to stronger, two-factor authentication technologies
Two-thirds (67 per cent) of large North American organizations have not implemented two-factor authentication for the partners and contractors that access their corporate network, according to a Symantec Corp. report.
The study which polled 306 large enterprises was conducted by Forrester Research Inc. on behalf of the security giant. The respondents included companies from both Canada and the U.S., with all of the companies employing at least a thousand people and 30 per cent of the organizations comprising more than 5,000 employees.
 
The EU's 'cyber security' Agency ENISA, (the European Network and Information Security Agency) has today issued a report on Data Breach Notifications. The EU data breach notification (DBN) requirement for the electronic communications sector in the ePrivacy Directive (2002/58/EC) is vital to increase in the long term the level of data security in Europe. The Agency has reviewed the current situation and identified the key concerns of both the telecom operators and the Data Protection Authorities (DPA)s in its new report.
Recent high profile incidents of personal data loss in Europe have prompted wide discussion about the level of security applied to personal information shared, processed, stored and transmitted electronically.
The Executive Director of the Agency, Prof. Udo Helmbrecht, commented:
'Gaining and maintaining the trust of citizens that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe.'
 
Cyberwar hype is inhibiting government attempts to develop an appropriate response to cybersecurity threats, say computer scientists.
A heavyweight study by UK computer scientists for the Organisation for Economic Cooperation and Development (OECD) concludes that it is 'highly unlikely' there will ever be a 'pure cyber war', comparable with recent conflicts in Afghanistan or the Balkans. Suggestions to the contrary are down to 'heavy lobbying' by suppliers, the report's authors - Professor Peter Sommer of the London School of Economics and Dr Ian Brown of the Oxford Internet Institute, University of Oxford - conclude.
 
Security Art's Iftach Ian Amit discusses targeted attacks and how you should go beyond just technology to defend against them.
Some people might be surprised to hear that most targeted attacks aren't directed at a specific individual or item of equipment. Although some strive to reach such victims, normally they focus on a small group of individuals or systems in order to carry out their task.
Targeted attacks are also tasked with greater goals than a traditional attack (for instance, they may intend to steal specific documentation, access custom systems, or control or modify information), but they're not actually that technologically different from 'traditional' attacks.
In my experience of the clients we have helped at Security Art, some attacks do utilize some of the most ingenious technologies and techniques. But at the end of the day, when you scrape off the 'cool cloak' (custom hiding techniques to make the code bypass security technologies), you realize that we are still dealing with the same vulnerabilities, and the same rootkit and Trojan techniques.

Web Technologies
 
Top Ten Web Hacking Techniques of 2010 (Official)  [jeremiahgrossman.blogspot.com]
Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. Now in its fifth year, the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.
 
Spot the Vuln - Sleep  [blogs.sans.org]
It is a common experience that a problem difficult at night is resolved in the morning after a committee of sleep has worked on it.
- John Steinbeck
 
Spot the Vuln - Vegetables  [blogs.sans.org]
People need trouble - a little frustration to sharpen the spirit on, toughen it. Artists do; I don't mean you need to live in a rat hole or gutter, but you have to learn fortitude, endurance. Only vegetables are happy.
- William Faulkner
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

Network Security
 
 
You often read about people who use many different security applications to protect their systems. Not only anti-virus, anti-spyware, firewall, HIPS, ..., but also some other tools like anti-keyloggers, ... And sometimes, when they argue about the additional protection such tools bring, you can read the following: "it does no harm...".
Well, this time, I've a clear example where using a supplemental security tool does harm, even when it adds real protection.
When installed, this tool (which I'm not going to name here because of SEO reasons), installs a Windows explorer shell extension (we've discussed the risks of these shells before). The problem with this tool's shell extension (a DLL), is that it is compiled without the dynamic base flag set. In other words, it doesn't support ASLR.
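The defect described above (a DLL shipped without the dynamic base flag, so it is loaded at a predictable address and weakens ASLR for every process that loads it) is something a defender can check for before deploying any shell extension. The following is an added example, not code from the ISC post or from the unnamed tool: it parses the PE optional header directly and reports whether the DLLCHARACTERISTICS_DYNAMIC_BASE and NX_COMPAT bits are set. The `build_test_image` helper constructs a minimal synthetic PE header so the example runs offline; in practice you would pass the bytes of a real DLL to `aslr_report`.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
DYNAMIC_BASE = 0x0040   # image can be relocated at load time -> ASLR-compatible
NX_COMPAT = 0x0100      # image is compatible with DEP (no-execute)

# Offsets inside the optional header; DllCharacteristics sits at +70 for both
# PE32 (magic 0x10B) and PE32+ (magic 0x20B).
_OPT_MAGIC_OFFSET = 0
_OPT_DLLCHARS_OFFSET = 70
_COFF_HEADER_SIZE = 20


def dll_characteristics(pe_bytes: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, validating the headers."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature at e_lfanew")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    opt = coff + _COFF_HEADER_SIZE
    if size_of_opt < _OPT_DLLCHARS_OFFSET + 2 or len(pe_bytes) < opt + size_of_opt:
        raise ValueError("optional header too short or truncated")
    magic = struct.unpack_from("<H", pe_bytes, opt + _OPT_MAGIC_OFFSET)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", pe_bytes, opt + _OPT_DLLCHARS_OFFSET)[0]


def aslr_report(pe_bytes: bytes) -> dict:
    """Summarise the mitigation-relevant flags of an image as plain booleans."""
    flags = dll_characteristics(pe_bytes)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
    }


def build_test_image(flags: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal (non-loadable) PE header for testing; not a real DLL."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE_IMAGE).
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, _OPT_MAGIC_OFFSET, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, _OPT_DLLCHARS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(aslr_report(fh.read()))
    else:
        # Constructed samples: one built like the shell extension in the post, one fixed.
        print("no /DYNAMICBASE:", aslr_report(build_test_image(NX_COMPAT)))
        print("hardened:       ", aslr_report(build_test_image(NX_COMPAT | DYNAMIC_BASE)))
```

Run it as `python check_aslr.py some_extension.dll` to inspect a real file. A report of `{'aslr': False, ...}` on a DLL that will be loaded into explorer.exe is exactly the condition the post warns about, and the fix is on the vendor's side: relinking with /DYNAMICBASE (the "dynamic base flag" named above).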
 
Researchers provide rare inside peek at the exfiltration methods used in targeted attacks
Incident-response experts specializing in targeted, advanced persistent threats (APTs) here today revealed some common exfiltration techniques by these typically nation-state sponsored attacks.
It's difficult to know for sure just how many APT attacks actually occur -- mainly because victim organizations aren't required to report them as long as customer data isn't breached, and many prefer to keep it under wraps. 'A large percentage of organizations don't report it to law enforcement. They want to remediate, keep it quiet, and move on,' says Sean Coyne, a consultant with Mandiant. 'We have seen attackers that have been there [inside organizations] for months and years,' for example, he says.
 
Netflow for Incident Response  [blogs.cisco.com]
This is the fourth part in the series "Missives from the Trenches." (Here are the (first), (second), and (third) parts of the series.) In today's blog post we will be discussing Cisco IOS Netflow. Netflow has an interesting position as being both the most useful and least used tool. When meeting with other companies I often ask them "do you use Netflow?" By asking this question I am actually asking several different questions: Do you care about the security of your site? Or do you have any hopes in managing/responding to events at your site? Answers to these questions unfortunately tend to be as follows: What is Netflow? The network guys use it but we don't. I think we capture it somewhere but not really sure where - and so on. I then mention that Netflow is free, they don't have to buy anything to start using it, and it's used for every large case we do. At that point they start looking angrily at the sales engineer asking why this is the first they are hearing about it. So what is Netflow and why does Cisco CSIRT say it's critical to daily event management? Read on to find out!
 
Cisco Systems is beefing up wireless transaction security with new software features for its Wi-Fi access points. The vendor says the changes add needed protection over and above that mandated by the Payment Card Industry (PCI) standard.
 
VABL 101  [www.infiltrated.net]
The VoIP Abuse Blacklist has been a work in progress as I sought a mechanism to document attackers. With that said, the new layout will hopefully be more beneficial to PBX administrators. Rather than reinvent wheels, VABL looks up an attacker's information via Shadowserver's lookup and appends three new fields: type of attacker, address and the letters VABL and a number dialed (when appropriate).
The type of attacker field may make the biggest difference to those who decide to use this list. There are two specific entries that will appear: BRU, ADN and COM. BRU means that the host attempted to bruteforce a PBX while COM signifies that the attacker managed to compromise either a honeypot or a live machine. ADN is when an attacker places a call and is short for Attacker Dialing Numbers. Whenever you see an entry with ADN, there will be an additional field at the end with the number dialed by the attacker appended to it.
 
Learn more about TCP and UDP ports used by Apple products, such as Mac OS X, Mac OS X Server, AppleShare IP, Network Assistant, Apple Remote Desktop, Macintosh Manager, and MobileMe. Many of these are referred to as 'well known' industry standard ports.
 
While the Mac is rarely targeted for security exploits and viruses, it's no stranger to software piracy, likely because Mac apps are pretty easy to crack. Here's how it can be done and how to prevent it.
How I'd Crack Your Mac App
Well, not you specifically, but by you I mean the average Mac developer. It's too easy to crack Mac apps. Way too easy. By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me. I'll be ending this article with some tips to prevent this kind of hack.
 
meterpreter xor for further av bypass  [0entropy.blogspot.com]
Still on holidays here, and in between sake, beer and shochu i found some time to read and check some things that i wanted to do for some time now. One of that was how to implement a simple binary xor in an .exe file especially for meterpreter. Meterpreter is great tool but is being detected from antivirus engines and that makes it difficult to use it as a standard payload.
Simple way to create one meterpreter binary that will connect back on ip 192.168.11.7:
 
Introduction to Sguil and Squert: Part 1  [securityonion.blogspot.com]
This post is the first in a multi-part series designed to introduce Sguil and Squert to beginners.
1. Download Security Onion 20110116.
2. Boot the ISO and run through the installer.
3. Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
4. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes.
...
 
The impact of IPv6 on message filtering systems  [www.emailsecuritymatters.com]
An interesting article was posted on Slashdot in December:
"As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."
In the short term, this is definitely going to be a problem for email security companies that rely strongly on DNSBLs or reputation-based systems.

Wireless Security
 
Have you ever asked yourself why you can go online with your laptop in one room but not in another? Or why you get disconnects and a bad signal strength in one room of the house? The reason usually comes down to the wireless coverage of the Wi-Fi network.

Forensics
 
It has often been said that the best things in life are free. Could it be that that old saying can be applied to digital forensics? In many cases, the answer is a resounding yes!
But first, a little history on just how I know the above to be true. I am a police officer in a small, rural mid-western department. As is the case most everywhere, my department started seeing a rise in complaints related to 'cybercrime', such as email threats and harassment, child sexual abuse and scams. Since I was already very much into computer use, I took an interest in pursuing these cases and requested various training courses related to their investigation. The farther I got into it, the more I learned about computer forensics and I set up the first lab for my department.

Cloud Computing
 
Many Recommendations Applicable to U.S. Governments, Hospitals
A paper on how governments and healthcare organizations should approach deploying secure cloud computing was issued Monday by the European Network and Information Security Agency, advice that could be applicable to governments and hospitals in the United States.
The 146-page report from the European Union agency, Security and Resilience in Government Clouds: Making an Informed Decision, identifies a decision-making model that can be used by senior management to determine how operational, legal and information security requirements, can drive the identification of the architectural solution that best suits the needs of their organization.

Privacy and human rights
 
When I last wrote here about Do Not Track in August, there were just a few rumblings about the possibility of a Do Not Track mechanism for online privacy. Fast forward four months, and Do Not Track has shot to the top of the privacy agenda among regulators in Washington. The FTC staff privacy report released in December endorsed the idea, and Congress was quick to hold a hearing on the issue earlier this month. Now, odds are quite good that some kind of Do Not Track legislation will be introduced early in this new congressional session.
 
To fully understand the privacy of Facebook and how it's likely to evolve, you need to understand one thing - Facebook executives want everyone to be public.
As the service evolves, executives tend to favor our open access to information, meaning information you think is private will slowly become public, but that doesn't mean you can be private if you want to.
 
Jacob Appelbaum, a security researcher, Tor developer, and volunteer with Wikileaks, reported today on his Twitter feed that he was detained, searched, and questioned by the US Customs and Border Patrol agents at Seattle-Tacoma International Airport on January 10, upon re-entering the US after a vacation in Iceland.
He experienced a similar incident last year at Newark airport.
An archive of his tweeted account from today follows.
 
Zero Day blogger and malware researcher Dancho Danchev (right) has gone missing since August last year and we have some troubling information that suggests he may have been harmed in his native Bulgaria.
Dancho, who was relentless in his pursuit of cyber-criminals, last blogged here on August 18. His personal blog has not been updated since September 11, 2010.
At ZDNet, we made multiple attempts to contact him, to no avail. Telephone numbers are going to Bulgarian language voicemails and our attempts to reach him via a snail mail address also came up empty.
 
According to Bulgarian newspaper Dnevnik (http://www.dnevnik.bg/tehnologii/2011/01/17/1026425_ekspertut_po_it_sigurnost_dancho_danchev_e_nastanen_v/) IT security expert Dancho Danchev is placed in a psychiatric hospital.
Dancho Danchev, an expert on cybersecurity, is placed in a psychiatric hospital in Bulgaria. The information was confirmed by two sources of 'Dnevnik', although the hospital refused to comment.
 
Developers kicked back out of your undie drawer
Facebook has 'temporarily disabled' a controversial feature that allowed developers to access the home address and mobile numbers of users.
The social network suspended the feature, introduced on Friday, after only three days. The decision follows feedback from users that the sharing of data process wasn't clearly explained and criticism from security firms that the feature was ripe for abuse.
Individual users had to grant permission before developers could hook into the API on Facebook's platform. However, because many users often click through permission dialogue boxes without paying attention, concerns were raised by net security firms such as Sophos that the feature might make life easier for the developers of rogue applications.

Mobile Security
 
Back in November, Thomas Cannon brought to light an issue within the Android operating system. Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it's still fairly serious.
Thomas reported this issue responsibly to Google and they took it seriously. However, since then they have come back with a ridiculous remediation plan. Granted, it's probably not entirely Google's fault, but the overall situation looks very bleak for Android.
 
If you notice that the network icon in the corner of your smartphone's screen just switched from "3G" to an "E," then you may want to watch where you browse. Some nearby snoop may be watching already.
That possibility, at least, is one lesson of the work of Spanish cybersecurity researchers David Perez and Jose Pico, who at the Black Hat security conference in Arlington, Virginia Wednesday demonstrated a new, cheaper system for intercepting the data sent to and from smartphones that run Android, iOS, Windows Mobile and other operating systems, practically any laptop or tablet that can connect to the Internet via a 2G cell connection, or spy on surveillance cameras or industrial control systems that use those connections.
 
One can only hope that security software provider Trend Micro saw a nice sales boost after the proclamation of its chairman earlier this week that Android phones are more vulnerable to hacking than iPhones are. If it didn't, those blatantly self-serving statements were made for nothing.
After all, they're certainly not true. Not only that, but they were made immediately after the company launched its brand-new security software for Android. There's no way that was a coincidence.
The statements were, however, a classic example of the FUD that's so often resorted to by companies that earn their bread by instilling fear in the hearts of computer users.
 
Backgrounding and Snapshots
In iOS when an application moves to the background the system takes a screen shot of the application's main window. This screen shot is used to animate transitions when the app is reopened. For example, pressing the home button while using the logon screen of the Chase App results in the following screen shot being saved to the application's Library/Caches/Snapshots/com.chase directory.
 
RIM identified new security flaws in both its BlackBerry handheld software and its corporate BlackBerry Enterprise Server (BES). CIO.com's Al Sacco provides details for BlackBerry users and admins on how to address the issues, one of which has been deemed 'severe.'

Physical Security
 
Devices from those used to track nuclear materials to warranty seals on Xbox consoles easily circumvented
Security devices used in transportation, packaging and even in accounting for nuclear materials are very vulnerable to attack, two security researchers warned on Tuesday at the Black Hat security conference.
The physical security devices, known as 'tamper-evident devices,' aren't intended to prevent theft but to alert inspectors that something has been broken into.
The devices are wide-ranging in design and application, and are used to seal everything from evidence bags, large shipping containers and even things like the warranty seal on an Xbox gaming console.

General
 
 
Today we're excited to announce that on Thursday, January 20, Yahoo! opens to third-party user authentication with Facebook and Google logins (via OpenID) across the Yahoo! Network. Hundreds of millions of Facebook and Google users will be able to easily sign in and interact on Yahoo! using their Facebook or Google IDs. This eliminates the proverbial necessity of registering for yet another new ID and remembering yet another password. From Yahoo!'s perspective, any signed-in user engaging with Yahoo! services is a valued user, whether she authenticates using a Yahoo!, Facebook, or Google ID.
 
We've looked at removing DRM from iTunes movies and TV shows on Windows, but what about Mac OS X? Here's how to rip out the DRM and turn that copy-protected M4V file into a regular old MP4 on your Mac.
 
First they showed up in your e-mail. Then they found their way onto Facebook. Now ads are coming to your checking account.
As banks test new ways to make money and attract customers, they are tucking ads onto the list of recent purchases on consumers' online bank statements. The charge for your breakfast at McDonald's, for example, might be followed with an offer for 10 percent cash back on your next meal at the Golden Arches. There's no need to print a coupon - just click the link, and the chain will recognize your debit card the next time it is swiped.
 
Keyless car entry and start systems make it easy to get on the road, but they could also make it easier for criminals to take off with your car. And strong encryption won't solve the problem.
Armed with antennas, researchers at ETH Zurich in Switzerland were able to trick 10 models from 8 manufacturers into thinking the car key fob was within proximity and drive away with these 'stolen' vehicles. No scratched doors, no broken glass, and no busted ignitions.
 
The government is planning to put a smart meter in every home in the UK by 2017 as a step towards a smart grid, but what are the security implications of such a move and how can the pitfalls be avoided?
Security must be embedded in the smart grid
Availability is often the poor cousin when compared with confidentiality; however, the impact of a major outage is often quantifiable and of staggering proportions. For example, the US north-east blackout of 2003 resulted in a $6 billion economic loss to the region. All this was caused by the loss of something that is often taken for granted: power.
 
25 Most Common Mistakes in Email Security  [www.emailsecuritymatters.com]

Tools
 
 
REMnux v.2.0 Released  [security-sh3ll.blogspot.com]
REMnux: A Linux Distribution for Reverse-Engineering Malware
REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser. REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports.
 
inguma  [code.google.com]
A Free Penetration Testing And Vulnerability Research Toolkit
 
Armitage Changelog  [www.fastandeasyhacking.com]
18 Jan 11 Changes
- Added a Migrate Now! item to Meterpreter Access menu. Runs migrate -f.
- Right-click in Meterpreter console now shows menu as before (silly bugs).
- Armitage now detects hashdump failure and reports possible causes to you.
- Armitage now binds default handler to 0.0.0.0.
 
Maltego version 3.0.3 Released  [security-sh3ll.blogspot.com]
Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego's unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure. The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet - whether it's the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.
 
If you are a frequent user of the VirusTotal service, you might find useful, as I did, the Firefox plugin they have to interact with their service. It allows you to scan suspicious links, scan downloads before storing them, scan websites being displayed and search for a file/URL report. It saves time when using their service.
 
Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you'll be able to enjoy new vulnerability checks, more stable code and about a 15% performance boost in the overall speed of your scan.
 
BinScope Binary Analyzer  [www.microsoft.com]
BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDL) requirements and recommendations.
 
I wanted to write a quick post to let you know of an interesting new tool that Microsoft is releasing at Blackhat DC.
Microsoft has required attack surface validation of applications prior to release for years - however assessing the attack surface of an application or software platform can be an intimidating process at first glance.
 
backtrack menu (hack linux)  [sourceforge.net]
Add BackTrack tools with the BackTrack Menu on Ubuntu (all versions). Simply run this script and it will install the BackTrack tools automatically.
 
Unhide  [www.unhide-forensics.info]
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits / LKMs or by another hiding technique.

Funny
 
HTML 5 logo  [www.businessinfo.co.uk]
 
The PCI-DSS Song  [fishermansenemy.com]
 
programming languages  [www-users.cs.york.ac.uk]
Perl is the only language where you can bang your head on the keyboard and it compiles.
 
This is so funny I laughed until I cried! Definitely NSFW. OMG it's hilarious, but it's also not a bad overview of the issues. Especially loved: You read the latest post on HighScalability.com and think you are a f*cking Google and architect and parrot slogans like Web Scale and Sharding but you have no idea what the f*ck you are talking about. There are so many more gems like that.
 
 
Julian Assange Colouring book  [www.julianassangecoloringbook.com]
 
How to Stop Wikileaks  [www.makeuseof.com]
 
Find the weak link  [i.imgur.com]
 
 
Hacker vs Cracker  [yfrog.com]
 
Welsh encryption  [yfrog.com]

Tuesday, 18 January 2011

Disabled call button on Skype?

This is not strictly security related but I thought I would post it anyway ...
So this is really weird: in Skype under Windows sometimes the call button is disabled. I have plenty of resources, etc., but for some reason Skype just does not let me ring any contact because the button is disabled.
The following Skype post provides some helpful insight into this but since this has happened more than once to me and I am lazy to do it by hand every time I went ahead and created a quick batch script for it.
All you have to do is create a new file called "cleanup_skype.bat", paste the following code into it and then save the file:

rem Skype must be closed first, otherwise the files below are locked and the cleanup fails
echo "Did you exit skype already? if not, this is your chance!"
pause
echo "Deleting skype data ..."
rem Both folders live under %appdata% (e.g. C:\Users\<you>\AppData\Roaming)
cd %appdata%
rem /s removes the folder tree, /q suppresses the confirmation prompt
rmdir /q /s skype
rmdir /q /s skypepm
echo "Done! Try again"
pause

When you are done you just have to exit Skype, click on the cleanup_skype.bat file and you should be good to go. Skype will ask you for your credentials next time you open it but after that you should have the call button enabled.
That's all .. happy calling!

Sunday, 16 January 2011

Security Weekly News 13 January 2011 - Summary

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"It's long past time to hit Ctrl-Alt-Del on the security budget, I propose the Infosec Flat Tax as a better way forward. I hope that CIOs will read this post, do their own math, and have a frank debate with their security teams." - Gunnar Peterson
"Tip: don't tell a good pentest team something "isn't possible" Anything is possible w/ enough caffeine" - Jack Mannino
"Saying tech stops APT is like saying the Great Firewall of China stops Western cultural influence. Technology doesn't beat determination." - Richard Bejtlich
"You're only 20ms away from every creep on the planet" - Mike Poor
"At some point, the rest of the world will realize that if you give us a binary, that binary is open source." - Lurene Grenier
"The more high-level a programming language, the more people that could have messed something up..." - Joshua J. Drake
"If you don't have any zero-days, you can always go back to exploiting the human!" - Daniel Wesemann
"The deceased are also targets for ID Thieves. Once you die, so do your legal rights. DPA is about protecting the personal data of the living. Data Protection Act (DPA) is so outdated, it was put together before the Internet took off & has never been updated for the Information Age" - Dave Whitelegg
"Security is most successful when no one knows they are there, but the organization still experiences only acceptable losses." - Rich Mogull

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Cloud Security, Physical Security, Mobile Security, Privacy, Social Engineering, General, Tools, Funny
Highlighted news items of the week (No categories):
Not patched: Microsoft Tuesday patches omit known vulnerabilities
Updated/Patched: January 2011 Microsoft Black Tuesday Summary, Microsoft's January Patch Tuesday: 3 fixes but 5 holes unpatched, Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server, PHP 5.3.5 / 5.2.17: Floating-Point bug fixed, Mono ASP.NET source code disclosure vulnerability, Mac OS X 10.6.6 updates security and introduces App Store, MediaWiki 1.16.1 fixes clickjacking issue
 
As practiced in many companies, Information Security is a confused discipline. There are many contributing factors, but the fact that security budgets are misspent is a leading reason. The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, they are not spent on where the threats and vulnerabilities lie, rather they are spent on infrastructure which happens to be the historical background and hobby interest of the majority of technical people in the industry.
 
The new Fine Gael website has been generating a lot of press coverage and social media discussions lately. From a Fine Gael point of view though, most of that coverage is not the type of coverage they wished for their shiny new website. Last week Daragh O'Brien blogged about concerns over the hosting of the website in the US and the potential issues surrounding compliance with the Data Protection Act and using providers outside of Ireland and the EU. That issue was then picked up by a number of media outlets such as The Journal.ie and The Irish Times. The comments on the Journal.ie piece are worth reading as they go into more detail on the actual issue, while the Irish Times piece has a quote from a Fine Gael spokesman saying that the site was "absolutely secure".
 
A review of the force's response to cybercrime has been ordered by garda authorities as international studies confirm the flourishing trade in illegal transactions.
The scale of the crimes has not yet been determined, but it is estimated that global corporate losses alone stand at around €750bn a year.
 
Most people owning a PC are familiar with Microsoft's patching process - it's easy and it's there. For a lot of them, it also gives the impression that Microsoft's products are chock-full of flaws.
But, according to Stefan Frei, Research Analyst Director with Secunia, it's not the vulnerabilities in Microsoft's products we should mostly worry about, but those in third-party software.
 
Europol says the EU is now a key cybercrime target  [www.infosecurity-magazine.com]
A report issued today by Europol claims to show that the European Union is a key target for cybercrime because of its advanced internet infrastructure, rates of adoption and increasingly internet-mediated economies and payment systems.
And, says the European Union law enforcement agency, as internet connectivity continues to spread, EU citizens and organisations will be subjected both to a larger volume of cyber-attacks, and to attacks from previously underconnected areas of the world.
In its Threat Assessment on Internet Facilitated Organised Crime - iOCTA - report, the agency says that EU member states already rank amongst the most highly infected countries in the world when it comes to computer viruses and malware.
 
Which of the many information security controls that an organization could implement should it focus on implementing? I don't think one can answer this question in a generic sense, especially since there is little data to indicate what actually, really works in security. However, I can recommend a few starting points for building a security program.
The authoritative framework published as part of ISO 27001 and 27002 lists numerous controls, many of which are relevant to enterprises looking to manage information security risks. Yet, where should one start? Which of the measures are most important, providing the most bang for the buck? ISO 27001 highlights the importance of undergoing a risk assessment to decide which of the controls are relevant for the particular organization. Unfortunately, many companies don't know how to conduct a risk assessment or, having conducted one, didn't get much out of the exercise.


Cloud Security highlights of the week
 
Cloud Vendor Taxonomy  [www.newbay.com]
The Cloud is here to stay. Already we are seeing stabilisation in the marketplace with some clear leaders emerging. Our Cloud Vendor Taxonomy chart is an attempt to delineate some of the relationships amongst the key players and also allow us to define new entrants. It's not a hard and fast mapping (for instance OCCI is both a standard and a reference implementation) so expect the borders to be a little blurry.
At the bottom we have the virtualization vendors who provide the core substrate on which all "for sale or rent" clouds get built. One could argue that one of the key enablers of cloud computing is the advent of cheap ubiquitous virtualisation technology. Intel hegemony certainly helped. The gorilla in the marketplace here is VMware, with a huge footprint gained by promoting server virtualisation in enterprises. However the product has been historically expensive (though this is changing in response to significant competition) which opened the door to VMware's major competitor Xen, an open source alternative which is now part of the Citrix stable.
 
Adobe To Detail Cloud DoS Attacks  [www.conceivablytech.com]
It isn't popular to criticize cloud computing these days, even if Google, Amazon and Microsoft need to employ marketing armies to alleviate the security concerns of potential customers. Adobe may crash the cloud party as a security engineer is scheduled to detail a recent discovery of a particularly nasty DoS vulnerability in PHP code.
If you believe the current cloud pitch, the best decision you can make for the security of your data is to move to the cloud. Billion-dollar data centers can provide a security level the average Joe can never match, and if your bathroom sink happens to trash your notebook, you can be calm as your data is safely stored in the clouds above. Despite the story we hear, we should not forget that vulnerabilities will continue to exist and, if exploited quickly, could affect a much greater number of users than before.


Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):
 
PlugBot Demo  [vimeo.com]
 
IPv4 to IPv6 - CIOs Who Haven't Planned for IPv6 Transition Need to Act Now
The Internet's supply of IPv4 addresses is quickly becoming empty, setting the clock ticking on the final exhaustion of the Internet numbering plan that the world has used for over three decades. Expected to occur in March of 2011, the event will be a wake-up call for connected organizations everywhere. It is clearer than ever before that IPv6 transition plans are urgently needed. Once all IPv4 addresses are depleted, organizations will only be able to receive IPv6 address space.
 
Solving problems with proc  [blog.ksplice.com]
Posted in System administration on January 11th, 2011 by keegan - 21 Comments
The Linux kernel exposes a wealth of information through the proc special filesystem. It's not hard to find an encyclopedic reference about proc. In this article I'll take a different approach: we'll see how proc tricks can solve a number of real-world problems. All of these tricks should work on a recent Linux kernel, though some will fail on older systems like RHEL version 4.
Almost all Linux systems will have the proc filesystem mounted at /proc. If you look inside this directory you'll see a ton of stuff:
 
dating an intrusion with flow data  [blather.michaelwlucas.com]
One of my Ubuntu dev boxes was broken into. While the box isn't vital, I'll still need to reinstall an operating system and set it back up for the developer. I want to know where the attack came from and what the intruder did. I cannot trust the logs on the system, but I can trust the flow data from our upstream router.
I've changed my IP addresses, but remote addresses are left unchanged. Here I examine my flow data from 1 January 2011, and remove IP addresses I expect to contact this machine.
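The approach described above (drop the addresses expected to contact the box, then look at what is left) as an added example with constructed flow records; this is not the author's data or tooling, and the text format, the victim address and the EXPECTED list are assumptions for the example.

```python
"""Dating an intrusion from flow records (added example, constructed data).

Each record is "start_time src_ip dst_ip dst_port bytes".  Real exports
(nfdump, flow-tools) differ in layout; only parse_flows() needs adapting.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample.  The compromised host is 192.0.2.10 (documentation range).
FLOW_RECORDS = """\
2011-01-01T03:12:07 198.51.100.7 192.0.2.10 22 1420
2011-01-01T03:12:09 198.51.100.7 192.0.2.10 22 58230
2011-01-01T09:30:00 203.0.113.5 192.0.2.10 80 980
2011-01-01T11:47:41 203.0.113.77 192.0.2.10 22 640
2011-01-01T11:48:02 192.0.2.10 203.0.113.77 6667 21000
2011-01-01T12:00:15 203.0.113.5 192.0.2.10 22 3100
"""

VICTIM = ip_address("192.0.2.10")
# Addresses that legitimately talk to the machine (assumed for the example):
# a monitoring host and the local office range.
EXPECTED = [ip_network("203.0.113.5/32"), ip_network("192.0.2.0/24")]


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, bytes) tuples from the text format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield (datetime.fromisoformat(ts), ip_address(src), ip_address(dst),
               int(dport), int(nbytes))


def is_expected(addr):
    return any(addr in net for net in EXPECTED)


def unexpected_peers(text, victim=VICTIM):
    """Earliest contact per unexpected remote address, oldest first.

    Direction and port are kept so that inbound logins and outbound
    call-backs (e.g. the later flow to port 6667) stay visible.
    """
    first_seen = {}
    for ts, src, dst, dport, nbytes in parse_flows(text):
        if src == victim:
            peer, direction = dst, "out"
        elif dst == victim:
            peer, direction = src, "in"
        else:
            continue
        if is_expected(peer):
            continue
        if peer not in first_seen or ts < first_seen[peer][0]:
            first_seen[peer] = (ts, direction, dport, nbytes)
    return sorted(first_seen.items(), key=lambda kv: kv[1][0])


def likely_intrusion_time(text, victim=VICTIM):
    """Timestamp of the earliest unexpected inbound flow, or None."""
    for _peer, (ts, direction, _dport, _nbytes) in unexpected_peers(text, victim):
        if direction == "in":
            return ts
    return None


if __name__ == "__main__":
    for peer, (ts, direction, dport, nbytes) in unexpected_peers(FLOW_RECORDS):
        print(ts.isoformat(), peer, direction, dport, nbytes)
    print("earliest unexpected inbound contact:", likely_intrusion_time(FLOW_RECORDS))
```

The earliest unexpected inbound flow gives an upper bound on when the intrusion began; the box's own logs should be read only to corroborate, since they may have been tampered with.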
 
Transitional Myths  [www.potaroo.net]
I'd like to continue this mini-series of articles on IPv6. I attended the RIPE 61 meeting this month, and, not unexpectedly for a group that has some interest in IP addresses, the topic of IPv4 address exhaustion, and the related topic of the transition of the network to IPv6 has captured a lot of attention throughout the meeting. One session I found particularly interesting was one on the transition to IPv6, where folk related their experiences and perspectives on the forthcoming transition to IPv6.
I found the session interesting, as it exposed some commonly held beliefs about the transition to IPv6, so I'd like to share them here, and discuss a little about why I find them somewhat fanciful.
 
Dynamically linked shared libraries make more efficient use of disk space than statically linked ones and, more importantly, allow you to perform security updates in a more efficient manner, but executables compiled against a particular version of a dynamic library expect that version of the shared library to be available on the machine they run on. If you are running machines with both Fedora 9 and openSUSE 11, the versions of some shared libraries are likely to be slightly different, and if you copy an executable between the machines, the file might fail to execute because of these version differences. With ELF Statifier you can create a statically linked version of an executable, so the executable includes the shared libraries instead of seeking them at run time. A statically linked executable is much more likely to run on a different Linux distribution or a different version of the same distribution.
 
What the cloud giveth, the cloud taketh away too. In a perfect example of the power of the cloud being harnessed for ill will, a researcher in Germany, Thomas Roth, has written a program, which he will demonstrate next month at Black Hat DC, that uses Amazon's EC2 to "brute force" WPA passwords. This could allow hackers onto your wireless network and give them access to your confidential data.
Of course WEP, another form of wireless security, has long been known to be vulnerable. On the other hand it was believed that the computing power necessary to brute force WPA passwords put it out of the reach of most hackers, except maybe government backed attacks. But with the power of the cloud behind you many things are possible.
 
This antenna is one of the easiest and cheapest things you could build to extend the range of your wifi network. Most of the materials are probably sitting in your cupboard right now so it really can be built on a shoestring budget.
Bill of Materials:
Two Milo tins or similar
F-Type chassis mount
Pigtail, F to SMA
Short piece of copper wire
Tools:
Tin snips
Can Opener
Soldering Iron
Drill
Drill Bit
 
Metasploit payload delivery with WMI  [jeffseely.tumblr.com]
PSEXEC is great, but for a number of reasons (e.g. antivirus, system modification prohibited by rules-of-engagement) it's not always the best choice for delivering a Metasploit payload. I started digging around the Internet for an alternative and found some potential with WMI. The WMIC.EXE on Windows and the Win32_Process class support command execution with the "PROCESS CALL CREATE" command. Looked promising!
WMIC PROCESS CALL Create "calc.exe"


Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):
 
Interesting bug here. In 2008, Stefan Esser reported a bug to the PunBB team which described an SMTP command injection vulnerability. If we look at the code below, we see that PunBB opens a socket connection to an SMTP host and passes various user/attacker controlled values to the SMTP server. Because of this setup, it is possible to craft an SMTP message that tricks the SMTP server into thinking the data provided for the message is complete, and executes any data that follows as SMTP commands. The attacker accomplished this by injecting Carriage Return and Line Feed characters followed by a period character on a line by itself (as defined in RFC 821 - SMTP). The PunBB developers addressed this vulnerability by sanitizing CRLFs and period characters.
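What the PunBB fix above has to guard against, as an added example (not PunBB's code): header values containing CR or LF are rejected, and the body is dot-stuffed per RFC 821's transparency rule so that a lone "." line in user data can never be taken as the end-of-data marker. The sample message is constructed.

```python
"""SMTP DATA-section hardening (added example, not PunBB's code).

Two defences against SMTP command injection:
  * header values must not contain CR or LF, otherwise the caller can end the
    header block early or inject extra headers;
  * body lines beginning with "." get a second "." prepended (RFC 821 section
    4.5.2), so only the terminator we append is ever a lone "." line.  The
    receiving server strips the leading "." again.
"""
import re

CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a header value contains CR or LF."""


def clean_header(value: str) -> str:
    """Reject, rather than silently strip, CR/LF in a header value."""
    if CRLF_RE.search(value):
        raise HeaderInjection("CR/LF not allowed in header value")
    return value


def dot_stuff(body: str) -> str:
    """Normalise line endings to CRLF and dot-stuff lines starting with '.'."""
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    stuffed = [("." + line) if line.startswith(".") else line for line in lines]
    return "\r\n".join(stuffed)


def build_data_section(subject: str, recipient: str, body: str) -> str:
    """Assemble everything sent after DATA, including the CRLF.CRLF terminator."""
    headers = [
        "To: " + clean_header(recipient),
        "Subject: " + clean_header(subject),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + dot_stuff(body) + "\r\n.\r\n"


def end_of_data_positions(data: str) -> list:
    """Offsets of every lone '.' line, i.e. every point a server would treat
    as end-of-data.  A safe DATA section has exactly one, at the very end."""
    return [m.start() for m in re.finditer(r"(?:^|\r\n)\.\r\n", data)]


# Constructed input in the style of the PunBB report: the body tries to end
# DATA early and have the rest interpreted as SMTP commands.
MALICIOUS_BODY = ("hello\r\n.\r\n"
                  "MAIL FROM:<spoof@example.invalid>\r\n"
                  "RCPT TO:<victim@example.invalid>\r\nDATA\r\nspam")

if __name__ == "__main__":
    print("lone '.' lines in raw body:", len(end_of_data_positions(MALICIOUS_BODY)))
    safe = build_data_section("hi", "user@example.invalid", MALICIOUS_BODY)
    print("lone '.' lines after stuffing:", len(end_of_data_positions(safe)))
```

Python's own smtplib applies the same dot-stuffing when sending, but it does not check header values for CR/LF, so that check still has to be done by the application.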
 
HTML5 WebSockets are really a great feature for current web development. They allow you to set up a bi-directional TCP connection between a browser and a server. Sure, the protocol is being constantly updated and has its own issues, which will probably mean it won't be ready for Firefox 4. But still, I think it's a great way to make current web applications more responsive.
That being said, developers must know that using WebSockets will always have some security issues. Just to name a few:
* the client can be spoofed (it doesn't have to be the browser)
* ws:// server can't be trusted (MiTM attacks)
* you need to handle the authentication
* the communication over ws:// protocol is plaintext.
 
This week's installment of Detecting Malice with ModSecurity will discuss how to detect and prevent Cross-Site Request Forgery (CSRF) Attacks.
Example CSRF Section of Robert 'Rsnake' Hansen's book 'Detecting Malice' -
One form of attack that is widely found to be present on most websites is cross site request forgery (CSRF). Basically, an attacker can force a victim's browser to connect to your site, and perform functions, like change password, change email address, and so on, unless you have some protection in place to defend yourself. The reason why CSRF is so difficult is because the Internet was designed to allow a user to connect to anything they wanted to from anywhere they wanted to, given there was a routable address. Unfortunately that leads to the possibility of attack. Here's the process flow:
 
AppSecEU2011  [www.owasp.org]
The biggest application security conference in Europe will take place at Trinity College Dublin in gorgeous Dublin, Ireland on June 6th through 10th 2011. There will be training courses on June 6th, 7th and 8th followed by plenary sessions on the 9th and 10th with each day having at least three tracks. AppSec EU may also have BOF (informal adhoc meetings), break out, or speed talks in addition to the standard schedule depending on the submissions received.
If you have any questions, please email the conference chair: ireland at owasp.org
 
In the design of a system, one of the strongest influences on that system's security is the complexity of its design. Studies suggest that for most nontrivial software there is a nearly linear, direct relationship between the number of lines of code and the number of bugs in the software, all else being equal. Right away, this tells us that if we can, we should design simpler software.
That "all else being equal" qualifier is an important part of the whole situation, however. Playing golf with your code - trying to complete a program in as few (key)strokes as possible - changes the conditions within which the relationship between line count and bug count takes shape. This is in part because golfing your programs down to minimal source code size can actually make it much harder to read, and thus harder to maintain, improve, and debug.
 
Oddities of PHP file access in Windows  [security-sh3ll.blogspot.com]
Cheat-sheet
The notorious web development language PHP is under the constant watch of hackers, security researchers and other people who just love to tinker with stuff. Numerous vulnerabilities and bugs in the PHP interpreter regularly make the bug-tracks, wake up administrators and burden the minds of web site owners. And we can never know what nifty tricks the PHP interpreter has reserved for us the next day. In this paper we describe how PHP treats file names on Windows operating systems in the presence of various fuzzy characters.
 
What language does that browser speak?
Web developers looking to play with the new features in HTML5, CSS 3 and other NEWT tools are still struggling with incomplete and inconsistent browser support. While HTML5 and its siblings are far from perfect (and complete), that doesn't mean you can't use them; it just means using them is a little more complicated since you need to detect the current browser's level of support and then adjust accordingly.
One of the easiest ways to detect the current web browser's level of HTML5 support is the Modernizr JavaScript library. We've covered Modernizr several times in the past and it's a great addition to any HTML5 toolkit.
 
A couple months ago I decided to finally dig in and see whether WAFs (Web Application Firewalls) are really useful, or merely another crappy shiny object we spend a lot of money on to get the auditors off our backs.
Sure, the WAF vendors keep telling me how well their products work and how many big clients they have, but that's not the best way to figure out whether something really does the job. I also talk with a bunch of end users who provide darn good info, but even that isn't always the best way to determine the security value of a tool. Not all users have good visibility and internal controls to measure the effectiveness of the tool, and many can't deploy it in an optimal manner due to all sorts of political and technical issues.
 
Wayback WebApp Hacking  [www.infosecisland.com]
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page that Archive.org has for a given domain.
This is great for enumerating web applications; many times you'll find parts of web apps that have been long forgotten (and are usually vulnerable).
This module doesn't make any requests to the targeted domain, it simply outputs a list to the screen/or a file of all the pages it has found on Archive.org.


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Input validation

-Any input that is accepted and processed from a user or other application (in the case of web services) should be validated against a list of known good parameters (white list) rather than by looking for bad or malicious syntax (black list). All data from other sources such as clients or other applications should be treated as malicious; only a pre-defined set of characters is allowed and thus processed by the application.

-It is worth noting here that an application firewall would be a nice design addition to provide a consistent base layer check for all remotely accessible applications, so that input validation checks are not reliant on individual developers. An application firewall should never take the place of server side validation but should only enhance a defense in depth methodology.

-All validation must be performed by server-side controls and not through client side checks such as JavaScript. While it is common to run client side checks to eliminate excessive client requests to the server and wasted CPU utilization and bandwidth, the server must always validate these requests, as client side checks are trivial to bypass.
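The white-list approach from the OWASP text above as an added example (not OWASP's code): each field has a positive definition of what is acceptable, validation runs server-side over the whole request, and a small deny-list check is shown alongside only to demonstrate what it misses. The field rules and sample inputs are constructed.

```python
"""Allow-list (white-list) input validation (added example, not OWASP's code)."""
import re

# Positive definitions per field: pattern, minimum and maximum length.
# Constructed for the example; a real application derives these from its data model.
FIELD_RULES = {
    "username": (re.compile(r"[a-z0-9_]+"), 3, 32),
    "zip_code": (re.compile(r"[0-9]{5}"), 5, 5),
    "display_name": (re.compile(r"[A-Za-z][A-Za-z '\-]*"), 1, 64),
}


class ValidationError(ValueError):
    pass


def validate(field, value):
    """Return the value unchanged if it satisfies the field's allow-list, else raise.

    fullmatch() is used on purpose: re.match() with a trailing '$' still
    accepts a string ending in a newline, which would let "alice\\n" through.
    """
    if not isinstance(value, str):
        raise ValidationError("%s: expected a string" % field)
    pattern, lo, hi = FIELD_RULES[field]
    if not lo <= len(value) <= hi:
        raise ValidationError("%s: length %d outside %d..%d" % (field, len(value), lo, hi))
    if not pattern.fullmatch(value):
        raise ValidationError("%s: contains characters outside the allowed set" % field)
    return value


def validate_form(form):
    """Server-side validation of a whole request; returns (clean, errors)."""
    clean, errors = {}, {}
    for field in FIELD_RULES:
        if field not in form:
            errors[field] = "missing"
            continue
        try:
            clean[field] = validate(field, form[field])
        except ValidationError as exc:
            errors[field] = str(exc)
    return clean, errors


# Deny-list shown for contrast: it blocks a few well-known bad substrings and
# nothing else, so header injection, encoded variants, etc. all pass.
DENY = ("<script", "' or ", "--")


def deny_list_passes(value):
    return not any(bad in value.lower() for bad in DENY)


if __name__ == "__main__":
    good = {"username": "alice_01", "zip_code": "90210", "display_name": "Alice O'Neil"}
    bad = {"username": "alice\r\nBcc: x", "zip_code": "9021O", "display_name": "<b>x</b>"}
    print(validate_form(good))
    print(validate_form(bad))
    print("deny-list lets CRLF through:", deny_list_passes(bad["username"]))
```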


Source: link

Have a great weekend.