Security Weekly News 20 January 2011 – Summary

In case you missed it I recently put together this quick blog post regarding how to fix Skype when the call button is just disabled and does not let you ring anybody. 

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
“”We accept the risk” shouldn’t be magic words that exempt you from basic infosec practices. If they are, your org is doing it wrong.” – Aloria
“We have seen attackers that have been there [inside organizations] for months and years” – Sean Coyne
“It takes a security breach to make an organization start to understand security” – Josh Abraham
“a data-breach isn’t the worst thing in the world. hell you might just learn something or start understanding security…” – Josh Abraham
“”Keyless systems on cars easily hacked” ok so I appreciate people doing cool research and finding vulns but is this really a surprise?” – David Rook
“Okay, if you are using Javascript to validate passwords, don’t use a function that fails on pasted passwords.” – Rich Mogull
“As exhaustion nears, APNIC reclaiming old, unused IPv4 allocations – over 200 netblocks in past week. Are you IPv6 ready?” – Team Cymru

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Wireless Security, Forensics, Cloud Computing, Privacy and human rights, Mobile Security, Physical Security, General, Tools, Funny

Highlighted news items of the week (No categories):

Not patched: Firefox 4, A Huge Pile of Bugs, ICQ can be fed crafted updates

Updated/Patched: Oracle patches 66 vulnerabilities, AST-2011-001: Stack buffer overflow in SIP channel driver, Sybase plugs holes in Application Server, Tor project releases update to close critical hole, Mono developers close security hole

Although this is very funny I have to praise Gareth Heyes for summarising this well the overall feel about HTML 5 in the security community, the new HTML version will bring numerous attack opportunities:
HTML 5 logo  [www.businessinfo.co.uk] 
 
Top Performers Invest More Annually in Their Application Security Initiatives, but Realize a Higher Return by Identifying and Remediating More Vulnerabilities Prior to Deployment
In the finale of a four-part study on application security by Aberdeen, a Harte-Hanks Company (NYSE: HHS), Aberdeen’s analysis of companies adopting the ‘secure at the source’ strategy — i.e., the integration of secure application development tools and practices into the software development lifecycle, to increase the elimination of security vulnerabilities before applications are deployed — found that they realized a very strong 4.0-times return on their annual investments, higher than that of both the ‘find and fix’ and ‘defend and defer’ alternative approaches. Although the secure at the source approach is currently the least common to be implemented, Aberdeen’s research confirms that it is maturing and transitioning from early adoption to mainstream use.
As part of its benchmarking process for the Security and the Software Development Lifecycle: Secure at the Source report, Aberdeen adapted a simplified version of the Microsoft Software Development Lifecycle (SDL) as a yardstick for measuring current practices. ‘To be clear, few companies may be in a position for full-scale adoption of the Microsoft SDL framework — nor would they necessarily want to do so,’ said Derek Brink, vice president and research fellow for IT Security, Aberdeen Group. ‘In Aberdeen’s view, the pragmatic approach is to leverage the best features of the Microsoft SDL as they apply to your organization, just as one would leverage the best of any other time-tested industry standard. Discard the rest.’
 
The company released results of a new study which it says shows large enterprises are still relying on traditional password policies as opposed to stronger, two-factor authentication technologies
Two-thirds (67 per cent) of large North American organizations have not implemented two-factor authentication for the partners and contractors that access their corporate network, according to a Symantec Corp. report.
The study which polled 306 large enterprises was conducted by Forrester Research Inc. on behalf of the security giant. The respondents included companies from both Canada and the U.S., with all of the companies employing at least a thousand people and 30 per cent of the organizations comprising more than 5,000 employees.
 
The recent security breaches on the Fine Gael and DUP websites has once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is “how to I ensure my company is secure?”. Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
 
Security Art’s Iftach Ian Amit discusses targeted attacks and how you should go beyond just technology to defend against them.
Some people might be surprised to hear that most targeted attacks aren’t directed at a specific individual or item of equipment. Although some strive to reach such victims, normally they focus on a small group of individuals or systems in order to carry out their task.
Targeted attacks are also tasked with greater goals than a traditional attack. For instance, they may intend to steal specific documentation, access custom systems, control or modify information, etc.), but they’re not actually that technologically different from ‘traditional’ attacks.
In my experience of the clients we have helped at Security Art, some attacks do utilize some of the most ingenious technologies and techniques. But at the end of the day, when you scrape off the ‘cool cloak’ (custom hiding techniques to make the code bypass security technologies), you realize that we are still dealing with the same vulnerabilities, and the same rootkit and Trojan techniques.
 
The EU’s ‘cyber security’ Agency ENISA, (the European Network and Information Security Agency) has today issued a report on Data Breach Notifications. The EU data breach notification (DBN) requirement for the electronic communications sector in the ePrivacy Directive (2002/58/EC) is vital to increase in the long term the level of data security in Europe. The Agency has reviewed the current situation and identified the key concerns of both the telecom operators and the Data Protection Authorities (DPA)s in its new report.
Recent high profile incidents of personal data loss in Europe have prompted wide discussion about the level of security applied to personal information shared, processed, stored and transmitted electronically.
The Executive Director of the Agency, Prof. Udo Helmbrecht, commented:
‘Gaining and maintaining the trust of citizens of that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe.’
 
By mid-2010, Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.
Unsurprisingly, this massive and committed user base is heavily targeted by scammers and cybercriminals, with the number and diversity of attacks growing steadily throughout 2010 – malware, phishing and spam on social networks have all continued to rise in the past year, with a Sophos survey finding that:

Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):

 
 
You often read about people who use many different security applications to protect their systems. Not only anti-virus, anti-spyware, firewall, HIPS, …, but also some other tools like anti-keyloggers, … And sometimes, when they argue about the additional protection such tools bring, you can read the following: “it does no harm…”.
Well, this time, I’ve a clear example where using a supplemental security tool does harm, even when it adds real protection.
When installed, this tool (which I’m not going to name here because of SEO reasons), installs a Windows explorer shell extension (we’ve discussed the risks of these shells before). The problem with this tool’s shell extension (a DLL), is that it is compiled without the dynamic base flag set. In other words, it doesn’t support ASLR.
 
Researchers provide rare inside peek at the exfiltration methods used in targeted attacks
Incident-response experts specializing in targeted, advanced persistent threats (APTs) here today revealed some common exfiltration techniques by these typically nation-state sponsored attacks.
It’s difficult to know for sure just how many APT attacks actually occur — mainly because victim organizations aren’t required to report them as long as customer data isn’t breached, and many prefer to keep it under wraps. ‘A large percentage of organizations don’t report it to law enforcement. They want to remediate, keep it quiet, and move on,’ says Sean Coyne, a consultant with Mandiant. ‘We have seen attackers that have been there [inside organizations] for months and years,’ for example, he says.
 
Netflow for Incident Response  [blogs.cisco.com]
This is the Forth part in the series “Missives from the Trenches.” (Here are the (first), (second), and(third) parts of the series.) In today’s blog post we will be discussing Cisco IOS Netflow. Netflow has an interesting position as being both the most useful and least used tool. When meeting with other companies I often ask them “do you use Netflow?” By asking this question I am actually asking several different questions-Do you care about the security of your site? Or do you have any hopes in managing/responding to events at your site? Answers to these questions unfortunately tend to be as follows: What is Netflow? The network guys use it but we don’t. I think we capture it somewhere but not really sure where – and so on. I then mention that Netflow is free, they don’t have to buy anything to start using it, and it’s used for every large case we do. At that point they start looking angrily at the sales engineer asking why this is the first they are hearing about it. So what is Netflow and why does Cisco CSIRT say its critical to daily event management? Read on to find out!
 
Cisco Systems is beefing up wireless transaction security with new software features for its Wi-Fi access points. The vendor says the changes add needed protection over and above that mandated by the Payment Card Industry (PCI) standard.
 
VABL 101  [www.infiltrated.net]
The VoIP Abuse Blacklist has been a work in progress as I sought a mechanism to document attackers. With that said, the new layout will hopefully be more beneficial to PBX administrators. Rather than reinvent wheels, VABL looks up an attacker’s information via Shadowserver’s lookup and appends three new fields: type of attacker, address and the letters VABL and a number dialed (when appropriate.)
The type of attacker field may make the biggest difference to those who decide to use this list. There are two specific entries that will appear: BRU, ADN and COM. BRU means that the host attempted to bruteforce a PBX while COM signifies that the attacker managed to compromise either a honeypot or a live machine. ADN is when an attacker places a call and is short for Attacker Dialing Numbers. Whenever you see an entry with ADN, there will be an additional field at the end with the number dialed by the attacker appended to it.
 
The impact of IPv6 on message filtering systems  [www.emailsecuritymatters.com]
An interesting article was posted on Slashdot in December:
“As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify ‘undesirable’ hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.”
In the short term, this is definitely going to be a problem for email security companies that rely strongly on DNSBLs or reputation-based systems.

Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):

 
Top Ten Web Hacking Techniques of 2010 (Official)  [jeremiahgrossman.blogspot.com]
Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we’re talking about actual new and creative methods of Web-based attack. Now it its fifth year the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.
 
Spot the Vuln – Sleep  [blogs.sans.org]
It is a common experience that a problem difficult at night is resolved in the morning after a committee of sleep has worked on it.
– John Steinbeck
 
Spot the Vuln – Vegetables  [blogs.sans.org]
People need trouble – a little frustration to sharpen the spirit on, toughen it. Artists do; I don’t mean you need to live in a rat hole or gutter, but you have to learn fortitude, endurance. Only vegetables are happy.
– William Faulkner
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

 

Application availability

Understanding what the application criticality is and who will be accessing the application needs to identified and if there are any SLA’s service level agreements. This section goes hand in hand with the criticality of the application. If there is a need for 99.9% uptime then consideration should be given to hosting the application within a Data Center environment (owned by your or hosted in a 3rd party Data Center) with redundant power (UPS’s and generators), failover network equipment, interconnections, etc. versus hosting the application on your developers desk on the same breaker as the coffeemaker and connected to a shared hub.

-Consideration to all the infrastructure components involved in all the data flows should be understood. For example are there any single points of failure within the application data flow such as only one network firewall, web server, router, single internet connections, etc.

-If there are SLA’s or needs for constant up time failover for network equipment and load balancers involved to distribute the load to many web or application servers should be considered.

-Additional consideration should be given to bandwidth requirements of the application. Such as will this application be taking on a constant load or will there be spikes of usage as certain times. Bandwidth that the applications needs should be estimated so that spikes in usage can be planned for to ensure that there isn’t any packet loss when under excessive load, such as during a nightly batch process or seasonal load for shopping site during Christmas. Total bandwidth should also be considered at every point along the applications data flow also. For example are business partner servers accessing this application over a segment that is already over utilized? –Latency should also be considered such as will this application housed in a data center in North America be accessing databases in Singapore over an MPLS vpn?

Source: link

Have a great week and weekend.