Friday, 25 February 2011

Security Weekly News 25 February 2011 - Summary

Quick note: As there seems to be an interest in mobile security, I have decided to include that section of the full news in the summary, so the order of the summary will now be: business case for security, cloud security, mobile security, network security, web technologies, OWASP secure development guide snippet. You can always go to the full news for hacking incidents, privacy, funny, etc. as usual. Please let me know what you think.

Feedback and/or contributions to make this better are appreciated and welcome.
Highlighted quotes of the week:
"If a company does not know the value of the information and the other assets it is trying to protect, it does not know how much money and time it should spend on protecting them" - Shon Harris
"All security controls, mechanisms, and procedures must be tested on a periodic basis to ensure they properly support the security policy, goals, and objectives set for them" - Shon Harris
"Users should be an extension to a security team, not the opposition" - Shon Harris
"It has to be simpler. It’s too hard to write secure software, too easy for even smart programmers to make bad mistakes – it’s like having a picnic in a minefield. The tools that we have today cost too much and find too little. Building secure software is expensive, inefficient, and there is no way to know when you have done enough." - Jim Bird
"Why even bother with password complexity if i cant use special characters??!! recode your app to suck less" - Chris Gates
"My personal opinion, there should be a support group for the spouses of security consultants." - Ken Johnson

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Cloud Security, Mobile Security, Privacy and Censorship, General, Tools, Funny
Highlighted news items of the week (No categories):
Not patched:
Updated/Patched: Release Notes: Important Issues in this Release of Windows 7 with Service Pack 1, Microsoft's virus scanner causes security problem, Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate, [SECURITY] [DSA 2171-1] asterisk security update
 
Social networking will be the attacker platform of choice in 2011, says Ed Skoudis, founder and senior security consultant with InGuardians.
'But organisations will also have to look out for attacks using memory-scraping, lessons learned from Stuxnet, hardware hacking, and exploiting lack of defences around Internet Protocol version 6 (IPv6),' he told attendees of RSA Conference 2011 in San Francisco.
Skoudis, who has also authored and regularly teaches the SANS Institute courses on network penetration testing and incident response, said the 'bad guys' always move to where the action is, which is now social networking sites like Facebook and LinkedIn.
 
The 2010 Internet Crime Report was released today by the Internet Crime Complaint Center (IC3). The report demonstrates how pervasive online crime has become, affecting people in all demographic groups throughout the country. In 2010, IC3 received 303,809 complaints of Internet crime, the second-highest total in IC3's 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than 2 million Internet crime complaints.
The 2010 Internet Crime Report provides specific details about various crimes, victims and perpetrators, as well as state-specific data. It also outlines how IC3 has adapted its methods to meet the needs of the public and law enforcement.
IC3 received and processed an average of 25,317 complaints per month in 2010. Non-delivery of payment or merchandise accounted for the most complaints (14.4 percent). Scams using the FBI's name (13.2 percent) and incidents of identity theft (9.8 percent) rounded out the top three types of complaints.
 
Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)2 survey reports
Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to 'information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.'
'In the modern organization, end users are dictating IT priorities by bringing technology to the enterprise rather than the other way around,' said Robert Ayoub, global program director for network security at Frost & Sullivan. 'Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide ... They are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands.'
 
Unless you've been living under a stone for last couple of weeks, you will have heard about the HBGary Federal hack. Seeing everything published about this probably makes every security professional think for at least a second, 'Could this happen to me too?'.
As most details about how the attack was carried out have been published already (for example, see http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars), we can now look at all the exploited vulnerabilities.
 
Email, IM fall lower on the list; malware authors take note and respond accordingly, Blue Coat says
U.S. users spend more of their online time on social networks than on anything else -- and malware authors are following suit, according to a study published today.
According to Blue Coat's 2011 Web Security Report, U.S. users spend about 906 million hours on social networks each month -- more than twice as many as they spend on online games (407 million hours) and email (329 million).
Attackers recognize this trend and are responding in kind, the study says.
 
Heartland 2010  [1raindrop.typepad.com]
This is the fourth in a series of posts looking at Heartland's share price and business performance.
In November I looked at the trouble their share price has had and how they have underperformed the market and their peers. There are some studies out there showing that share prices are not affected by breaches, but it sure looks like the shares took a hit in this case.


Cloud Security highlights of the week
 
Cloud computing has become an integrated part of IT strategy for companies in every sector of our economy. By 2012, IDC predicts that IT spending on cloud services will grow almost threefold, to $42 billion. So it's no surprise that decision makers no longer wonder "if" they can benefit from cloud computing. Instead, the question being asked now is "how" best to leverage the cloud while keeping data and systems secure.
 
ISF shares seven deadly sins of cloud computing  [www.infosecurity-magazine.com]
At the (ISC)2 Secure Leadership Conference at the BT Headquarters in London on 8 February 2011, Adrian Davis, principal research analyst at the ISF (Information Security Forum), shared with the audience what he considers to be the seven deadly sins of cloud computing.
"ISF's view of the cloud is shifting", Davis told his audience. "As an industry, we have technology definitions that we are happy with, acronyms and terminology like 'platform as a service', that no-one else uses. Most of society doesn't actually get what we are talking about."
Organizations, he says, are concerned about costs and "getting rid of the IT team in the basement". Sometimes, this means cutting information security completely out of the loop, leaving those responsible for security unable to influence the decision.


Mobile Security highlights of the week
 
Wireless Wisdom  [ecrimewales.posterous.com]
Dr Les Pritchard of e-Security specialists Fiasa (Forensic Investigation and Security Advice) outlines the risks faced by business people using wi-fi or 3G to access the internet while on the move and the precautions they must take. In addition he highlights how those who offer wi-fi access to others need to protect themselves against improper use that could leave them wide open to criminal charges or expensive lawsuits.
 
A new mobile phone virus has been discovered to have infected 150,000 people in China allowing hackers to remotely monitor calls, according to the Beijing Times on Wednesday.
The virus, named X Undercover, takes advantage of existing vulnerabilities in smart phones by forcing the three-way calling service to secretly open. Conversations and text messages can be monitored and copied after the virus breaks into the calling sequence, said Zou Shihong, a security expert with NetQin Mobile Inc.
 
To date, Russian antivirus program vendor Kaspersky has found nearly 2,000 viruses, Trojans, and other threats for mobile devices. At the Mobile World Congress (MWC), the company's founder Eugene Kaspersky told The H's associates at heise Online that although that figure is nothing compared to the number of Windows contaminants, it is nonetheless rising exponentially.
 
While you can't fully backup and restore everything if you lose your jailbreak in a software upgrade or restore, AptBackup is a free app available in Cydia that can help alleviate the trouble of getting all your jailbreak apps back where they belong.
As you can see in the video above, the backup and restore process is very easy. To back up, just launch AptBackup. To restore all your apps, you'll need to re-download AptBackup from Cydia. Once you do, all you have to do is press the restore button. This will automate the process by re-downloading all the necessary apps from Cydia to your iOS device. While it can't restore settings, it does take the tedious work out of setting things up every time you upgrade.
 
Mac OS X: iTunes backs up your iOS device's settings each time you sync, but it doesn't even come close to backing up the device in its entirety. If you want a complete backup of your device, you can do it easily with an application called PhoneDisk and the wonderful command-line utility rsync.
 
Photo caption: Samsung user Alex Roebuck took this picture of his 'bricked' phone
Microsoft has revealed that 1 in 10 users who tried to install a software update on their Windows mobile experienced problems.
The company had previously said that only a 'small number' of handsets were affected.
http://www.bbc.co.uk/news/technology-12564651?utm_source=twitterfeed&utm_medium=twitter
ZeuS in the Mobile is back
Yesterday, Polish Security Consultant and blogger Piotr Konieczny wrote (Polish) about a new wave of ZeuS trojan attacks. This time, it took place in Poland and it was directed against customers of ING Bank.
The samples used in this attack run on a number of platforms: Trojan-Spy.Win32.Zbot.bbmf for Windows, Trojan-Spy.SymbOS.Zbot.b for Symbian and Trojan-Spy.WinCE.Zbot.a for Windows Mobile. Yes, this time ZeuS in the Mobile (ZitMo) targets users of Windows Mobile smartphones too.
 
Motorola XOOM Rooted  [www.koushikdutta.com]
Since it's another Google experience device, and ships with fastboot support (albeit, limited), it really does come rooted out of the box. Just needed to figure out the board kernel base, and compile up a new kernel.
Unfortunately the kernel was not available in the Android repositories. At first, I tried using the Harmony kernel, since they are both tegra 2 250 chips. That turned out to be major fail. As soon as I was about to give up, I noticed that AOSP had updated their tegra kernel repository with some new tasty branches for stingray. Kudos to these guys for being so on the ball! I was able to compile that up and get a working recovery to obtain root, and then get Superuser on the device.
I also built up a recovery, but due to a nonfunctional SD card slot (until they release a firmware update that enables the slot), nothing really works. That will come later.
Here are the instructions to root your device (this assumes you have adb and fastboot installed on your computer):
 
Kindle 3.1 Jailbreak  [hackaday.com]
In the constant battle of manufacturers vs. jailbreakers, the turnaround time between a new software release and a new jailbreak seems to be getting shorter and shorter. [Yifan] noticed that a recent Kindle update broke a previous method of running unsigned code and started the search for a new workaround.
He eventually found a way to force the Kindle to run unsigned code based upon how the software update checked for digitally signed files. With that knowledge in hand, he discovered that he could trick the updater to run any file he wanted by exploiting the standard functionality found in the Unix 'cat' command.


Secure Network Administration highlights of the week
 
Bluehat talk
 
Please Read
If you have previously used a W7 RDP 'patch' please rename or delete %SystemRoot%\system32\termsrv.dll.bak prior to running the updated script. Sorry for any inconvenience caused.
If you've been following MissingRemote for a while, you know one of our most popular series of guides is Enabling Concurrent Remote Desktop sessions. Continuing that trend we have an updated process below working with the RTM (Official Release to Manufacturing) version of Windows 7 Ultimate, Professional, Home Premium and Enterprise Editions, x86 & x64 build 7601, Service Pack Build 1130.
 
I will use this post to collect some of the problems we are hearing about with Windows 7 SP1 and Windows 2008 R2 SP1. Right now, there is no urgent reason to install this service pack and it should be tested first.
A few areas to watch:
- Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. The same goes for anti-virus: some anti-virus products monitor system files for changes and may sound an alert or block the installation of SP1.
- Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.
...
 
Many solid state disks (SSDs), and other flash media such as USB flash drives and memory cards, cannot be securely wiped by software alone. Even after repeatedly overwriting the entire disk, traces of the original data may remain in the memory cells of NAND Flash chips. These traces cannot usually be accessed via the storage medium's standard interface, but they can be read directly from the chips using specialised electronics. According to a team of researchers from the University of California in San Diego led by Michael Wei, the lack of a reliable delete function makes this kind of medium unsuitable for certain usages.
 
With Snort 2.9 came the introduction of the Data Acquisition (DAQ) library to replace direct calls to PCAP functions. 'DAQ supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP which is used for testing.'[1]
After I upgraded from 2.8.6 to 2.9.0.2 (current version is 2.9.0.4), my Snort rules and in particular my Snort rule to detect Windows binary download (sid:15306) no longer detected Windows binary download via a browser. It was also affecting my Snort statistics that were constantly showing a small amount of packet loss.
 
In Part 1 of this series, I barely scratched the surface of password brute forcing.
In this post I hope to go beyond the basics and demonstrate some approaches I use to significantly increase the quality of my tests as well as my chances of success.
Success?
Everyone measures success differently, but hopefully some of you will consider success using these techniques to convey the importance to your developers, customers, bosses, friends, spouses, etc. of selecting strong passwords for web-based authentication mechanisms. I am not talking simply about complexity, length, and so forth, although they of course help. Rather, I am referring to the quality of the password, something that is more difficult, but not impossible to enforce.
 
Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of December 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it 'EGYPTS-AIRWAYS', set up a honeypot + some other monitoring tools, and connected it to the internet.
As expected, we quickly started to see all kinds of traffic... some of them were obvious port scans, others were less obvious recons or attacks. Both exciting and interesting... We could probably spend some time to document the various types of attacks, maybe build a nice table with figures and produce some kick-ass management graphs and do some trends analysis. It would be a fun exercise...
...but nothing beats the real deal.
 
Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea but I don't like installing tools on clients machines if I can avoid it so never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was 'Great I can now scan through a Meterpreter pivot'. Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.


Secure Development highlights of the week
 
XSS is not a big deal, or is it? On many occasions, I've seen this vulnerability being classified as useless, not serious, and being a low threat. What I've always had in mind is that it's only the capabilities of the browser, and the hackers mind which sets the limit for a XSS attack.
 
When building an Ajax-based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for Ajax calls ($.get(), $.post(), $.getJSON() etc.) and it would be a shame if you had to duplicate adding CSRF tokens to all your Ajax calls manually, or go back to $.ajax() because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course allows you to add these kinds of things through events.
Session based tokens
If you are using session based tokens, you probably generate a secure token when generating the session, and store that token in the session. When a request comes back to the server, you check that the token is included in the request and compare it to what's in the session. If it's the same token, you accept the request, if not you reject it.
 
I'm concerned that too much of software security and Appsec is focused on the enterprise, the big firms with the resources and a mandate for security; and that there aren't enough practical, affordable, simple solutions for small teams - where most of us work today, building and maintaining a lot of the world's software. I want to know more about what's out there that small teams can understand and use and rely on.
 
Your consent without your approval
Facebook users have been subjected to another round of clickjacking attacks that force them to authorize actions they had no intention of approving.
The latest episode in this continuing saga, according to Sophos researchers, is a set of campaigns aimed at Italian-speaking users of the social network. The come-ons promise shocking videos about such things as the real ingredients of Coca Cola. Instead, they are forced into registering their approval of the videos using Facebook's "Like" button.
 
How do you spell JavaScript again?  [www.thespanner.co.uk]
So I came across a cool post to hack the new HTML5 parser that Opera is developing, it is awesome that a vendor says hey c'mon look what we've done, please try and break our stuff. I couldn't resist having a go as they asked so nicely and within minutes....
 
What's New In Python 3.2  [docs.python.org]
This article explains the new features in Python 3.2 as compared to 3.1. It focuses on a few highlights and gives a few examples. For full details, see the Misc/NEWS file.
 
Spot the Vuln - Reasoning  [blogs.sans.org]
Man is a reasoning rather than a reasonable animal. - Alexander Hamilton.


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication

Things not to do:

- Applications MUST NOT store any secret part of the credential in the clear (passwords or questions and answers if implemented)
- Applications MUST NOT expose the credential in untrusted locations, such as cookies, headers or hidden fields
- Applications MUST NOT implement CAPTCHA, as there is case law against them with respect to universal access, and they are ineffective
- Applications MUST NOT implement questions and answers as they are contrary to most privacy regimes and ineffective
- Applications SHOULD NOT rely on infrastructure authentication, such as REFERER headers or the client's DNS or IP address as these can be faked

Thresholds Governor

All authentication systems are designed to be open to anonymous, unauthenticated users. Therefore, they are open to denial of service and brute force attacks. Applications implementing their own authentication systems should consider a threshold governor to prevent the over-use of the following paths:

- Account registration processes (if any)
- Primary authentication path
- Step up authentication (such as two factor tokens)
- Password change
- Password resets

(Low value systems only - Most medium and all high value systems should not be using passwords, and thus do not possess password reset capabilities)

OWASP's ESAPI project contains a reference implementation of a basic threshold governor, which is in turn linked to the intrusion logging mechanism based upon a certain number of failed events being raised in a particular time period. You may wish to use this mechanism in your own code by adopting ESAPI and overriding the necessary classes as you see fit.
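As an added example, which is not ESAPI's reference implementation and not code from the OWASP guide, here is a minimal threshold governor for Node.js of the kind the paragraph describes: failed events on a governed path are counted per key inside a sliding time window, and once the threshold is crossed the key is reported as throttled for a cool-down period and an intrusion record is raised for the log. The class and method names, the default limits and the injectable clock are all assumptions made here.

```javascript
class ThresholdGovernor {
  // now() is injectable so the behaviour can be exercised without real waiting.
  constructor({ maxFailures = 5, windowMs = 5 * 60 * 1000, lockoutMs = 15 * 60 * 1000,
                now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.now = now;
    this.failures = new Map();    // key -> timestamps of recent failed events
    this.lockedUntil = new Map(); // key -> time at which the lock expires
    this.intrusions = [];         // records that would go to the intrusion logger
  }

  // Forget failures that have fallen out of the sliding window.
  _recentFailures(key, t) {
    const kept = (this.failures.get(key) || []).filter((ts) => t - ts < this.windowMs);
    this.failures.set(key, kept);
    return kept;
  }

  // Ask this before serving any governed path (registration, primary login,
  // step-up, password change or reset). The key is whatever the deployment
  // throttles on: the account name, the client address, or both combined.
  isThrottled(key) {
    const t = this.now();
    const until = this.lockedUntil.get(key);
    if (until === undefined) return false;
    if (t < until) return true;
    this.lockedUntil.delete(key); // the lock has expired
    return false;
  }

  // Record one failed event on a governed path. Returns true when this event
  // crossed the threshold and the key is now throttled.
  recordFailure(key, path) {
    const t = this.now();
    const recent = this._recentFailures(key, t);
    recent.push(t);
    if (recent.length < this.maxFailures) return false;
    this.lockedUntil.set(key, t + this.lockoutMs);
    this.failures.delete(key);
    this.intrusions.push({ key, path, failures: recent.length, windowMs: this.windowMs, at: t });
    return true;
  }

  // A success clears the running failure count; an active lock is left in
  // place, so callers must check isThrottled() before attempting the check.
  recordSuccess(key) {
    this.failures.delete(key);
  }
}

// How a login handler would use the governor. checkPassword is a stand-in for
// the real credential check and returns true on success.
function attemptLogin(governor, key, checkPassword) {
  if (governor.isThrottled(key)) return 'throttled';
  if (checkPassword()) {
    governor.recordSuccess(key);
    return 'ok';
  }
  governor.recordFailure(key, 'login');
  return 'failed';
}
```

The choice of key matters: locking on the account name alone lets anyone who knows a username lock that user out, which is the denial-of-service side of the problem the paragraph opens with, so a governor keyed on the client address, or on account plus address, with a short cool-down rather than a permanent lock, is the usual compromise.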


Source: link

Have a great weekend.

Security Weekly News 25 February 2011 - Full list

Category Index

Hacking Incidents / Cybercrime
 
An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.
In June 2010, an anonymous source using the assumed name "Despduck" began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. "SpamIt", until recently the biggest black market distributor of generic pharmaceuticals on the Internet.
...
After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.
 
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
 
Apparently all the press attention Anonymous has been receiving since the WikiLeaks story broke last December is producing enough lulz to keep them hacking away. At least five websites belonging to Westboro Baptist Church are currently offline after they were defaced earlier today.
The ongoing dispute between the controversial church and Anonymous began with a letter allegedly posted by Anonymous last week. Today, during a live radio interview (interview contains adult language) Anonymous hacked into the church's websites and left a message for anyone who later visited.
 
Holly Hill police said actions by Orlando man was a form of job security
Whac-A-Mole seems like it could be endless fun.
Moles pop out of five holes in the arcade game and a soft mallet is used to force them back into the holes to score points.
Children and adults alike could whack the moles for hours at a time.
Or at least they could until a worker programmed a virus into the machines to make them shut down after a pre-determined number of plays, Holly Hill police said.
Now they have arrested that man, Marvin Walter Wimberly Jr., 61, of Orlando, who faces a charge of offenses against intellectual property.
 
New Fast-Flux Botnet Unmasked  [www.darkreading.com]
'Wibimo' botnet also employs an unusual encryption process
A researcher has discovered a new botnet that uses the rare fast-flux method to stay alive and evade takedown.
Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit, here yesterday showed a sample of the botnet's malware he had reverse-engineered, with evidence that the botnet uses fast-flux. Fast-flux is basically load-balancing with a twist: It's a round-robin method where infected bot machines serve as proxies or hosts for malicious sites and are constantly rotated, changing their DNS records to prevent discovery by researchers.
 
Winamp Forums Security Breach FAQ  [forums.winamp.com]
Winamp Management Team -
Hello,
My name is Geno Yoham and I am the General Manager of Winamp. Our entire team is dedicated to protecting the privacy of our users and has put extensive measures in place to ensure your information remains secure. As a result of these precautions, we quickly detected and blocked an attack on the Winamp Forums database. We have confirmed that this breach was isolated to the Winamp Forum (forums.winamp.com) site only. Other Winamp sites and products such as Winamp.com, dev.winamp.com and the Winamp Desktop Media Player were not affected in any way.

Software Updates
 
Published: July 12, 2010
Updated: February 16, 2011
Applies To: Windows 7 with SP1
These release notes address the most critical issues and information about the Windows® 7 operating system with Service Pack 1 (SP1). Currently, no critical issues that require you to take corrective action either before or immediately after installation have been reported or discovered in testing. This document is continuously updated, so if any such issues are discovered or reported, they will be available here.
 
When performing a virus scan, Microsoft's Malware Protection Engine fails to process a specially crafted registry value correctly, enabling local attackers with restricted privileges to execute arbitrary code at system privilege level (privilege escalation). According to Microsoft's advisory, the vulnerable anti-malware engine (mpengine.dll) is part of the Security Essentials (MSE), Windows Live OneCare, Windows Defender, Forefront Client Security and Forefront Endpoint Protection 2010 products as well as the Malicious Software Removal Tool. All versions up to 1.1.6502.0 are reportedly vulnerable.
A patch that is being deployed automatically via the virus and signature update mechanism will fix the issue
 
When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur.
CVE: CVE-2011-0414
CERT: VU#559980
Program Impacted: BIND
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: remotely
Description:
When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
 
Package : asterisk
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-0495
Debian Bug : 610487
Matthew Nicholson discovered a buffer overflow in the SIP channel driver
of Asterisk, an open source PBX and telephony toolkit, which could lead
to the execution of arbitrary code.

Business Case for Security
 
Social networking will be the attacker platform of choice in 2011, says Ed Skoudis, founder and senior security consultant with InGuardians.
'But organisations will also have to look out for attacks using memory-scraping, lessons learned from Stuxnet, hardware hacking, and exploiting lack of defences around Internet Protocol version 6 (IPv6),' he told attendees of RSA Conference 2011 in San Francisco.
Skoudis, who has also authored and regularly teaches the SANS Institute courses on network penetration testing and incident response, said the 'bad guys' always move to where the action is, which is now social networking sites like Facebook and LinkedIn.
 
The 2010 Internet Crime Report was released today by the Internet Crime Complaint Center (IC3). The report demonstrates how pervasive online crime has become, affecting people in all demographic groups throughout the country. In 2010, IC3 received 303,809 complaints of Internet crime, the second-highest total in IC3's 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than 2 million Internet crime complaints.
The 2010 Internet Crime Report provides specific details about various crimes, victims and perpetrators, as well as state-specific data. It also outlines how IC3 has adapted its methods to meet the needs of the public and law enforcement.
IC3 received and processed an average of 25,317 complaints per month in 2010. Non-delivery of payment or merchandise accounted for the most complaints (14.4 percent). Scams using the FBI's name (13.2 percent) and incidents of identity theft (9.8 percent) rounded out the top three types of complaints.
 
Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)2 survey reports
Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to 'information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.'
'In the modern organization, end users are dictating IT priorities by bringing technology to the enterprise rather than the other way around,' said Robert Ayoub, global program director for network security at Frost & Sullivan. 'Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide ... They are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands.'
 
Unless you've been living under a stone for the last couple of weeks, you will have heard about the HBGary Federal hack. Seeing everything published about this probably makes every security professional think for at least a second, 'Could this happen to me too?'.
As most details about how the attack was carried out have been published already (for example, see http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars) we can now look at all the exploited vulnerabilities.
 
Email, IM fall lower on the list; malware authors take note and respond accordingly, Blue Coat says
U.S. users spend more of their online time on social networks than on anything else -- and malware authors are following suit, according to a study published today.
According to Blue Coat's 2011 Web Security Report, U.S. users spend about 906 million hours on social networks each month -- more than twice as many as they spend on online games (407 million hours) and email (329 million).
Attackers recognize this trend and are responding in kind, the study says.
 
Heartland 2010  [1raindrop.typepad.com]
This is the fourth in a series of posts looking at Heartland's share price and business performance.
In November I looked at the trouble their share price has had and how they have underperformed the market and their peers. There are some studies out there showing that share prices are not affected by breaches, but it sure looks like the shares took a hit in this case.

Web Technologies
 
XSS is not a big deal, or is it? On many occasions, I've seen this vulnerability being classified as useless, not serious, and a low threat. What I've always had in mind is that only the capabilities of the browser and the hacker's mind set the limit for an XSS attack.
 
When building an ajax-based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for ajax calls ($.get(), $.post(), $.getJSON() etc.) and it would be a shame if you had to duplicate adding CSRF tokens to all your ajax calls manually, or go back to $.ajax() because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course allows you to add these kinds of things through events.
Session based tokens
If you are using session based tokens, you probably generate a secure token when generating the session, and store that token in the session. When a request comes back to the server, you check that the token is included in the request and compare it to what's in the session. If it's the same token you accept the request; if not, you reject it.
 
I'm concerned that too much of software security and Appsec is focused on the enterprise, the big firms with the resources and a mandate for security; and that there aren't enough practical, affordable, simple solutions for small teams - where most of us work today, building and maintaining a lot of the world's software. I want to know more about what's out there that small teams can understand and use and rely on.
 
Your consent without your approval
Facebook users have been subjected to another round of clickjacking attacks that force them to authorize actions they had no intention of approving.
The latest episode in this continuing saga, according to Sophos researchers, is a set of campaigns aimed at Italian-speaking users of the social network. The come-ons promise shocking videos about such things as the real ingredients of Coca Cola. Instead, they are forced into registering their approval of the videos using Facebook's "Like" button.
 
How do you spell JavaScript again?  [www.thespanner.co.uk]
So I came across a cool post to hack the new HTML5 parser that Opera is developing, it is awesome that a vendor says hey c'mon look what we've done, please try and break our stuff. I couldn't resist having a go as they asked so nicely and within minutes....
 
What's New In Python 3.2  [docs.python.org]
This article explains the new features in Python 3.2 as compared to 3.1. It focuses on a few highlights and gives a few examples. For full details, see the Misc/NEWS file.
 
Spot the Vuln - Reasoning  [blogs.sans.org]
Man is a reasoning rather than a reasonable animal. - Alexander Hamilton.

Network Security
 
Bluehat talk
 
Please Read
If you have previously used a W7 RDP 'patch' please rename or delete %SystemRoot%\system32\termsrv.dll.bak prior to running the updated script. Sorry for any inconvenience caused.
If you've been following MissingRemote for a while, you know one of our most popular series of guides is Enabling Concurrent Remote Desktop sessions. Continuing that trend we have an updated process below working with the RTM (Official Release to Manufacturing) version of Windows 7 Ultimate, Professional, Home Premium and Enterprise Editions, x86 & x64 build 7601, Service Pack Build 1130.
 
I will use this post to collect some of the problems we are hearing about with Windows 7 SP1 and Windows 2008 R2 SP1. Right now, there is no urgent reason to install this service pack and it should be tested first.
A few areas to watch:
- Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. Same for anti-virus: some anti-virus products monitor system files for changes and may sound an alert or block the installation of SP1.
- Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.
...
 
Many solid state disks (SSDs), and other flash media such as USB flash drives and memory cards, cannot be securely wiped by software alone. Even after repeatedly overwriting the entire disk, traces of the original data may remain in the memory cells of NAND Flash chips. These traces cannot usually be accessed via the storage medium's standard interface, but they can be read directly from the chips using specialised electronics. According to a team of researchers from the University of California in San Diego led by Michael Wei, the lack of a reliable delete function makes this kind of medium unsuitable for certain usages.
 
With Snort 2.9 came the introduction of the Data Acquisition (DAQ) library to replace direct calls to PCAP functions. 'DAQ supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP which is used for testing.'[1]
After I upgraded from 2.8.6 to 2.9.0.2 (current version is 2.9.0.4), my Snort rules and in particular my Snort rule to detect Windows binary download (sid:15306) no longer detected Windows binary download via a browser. It was also affecting my Snort statistics that were constantly showing a small amount of packet loss.
 
In Part 1 of this series, I barely scratched the surface of password brute forcing.
In this post I hope to go beyond the basics and demonstrate some approaches I use to significantly increase the quality of my tests as well as my chances of success.
Success?
Everyone measures success differently, but hopefully some of you will consider success using these techniques to convey the importance to your developers, customers, bosses, friends, spouses, etc. of selecting strong passwords for web-based authentication mechanisms. I am not talking simply about complexity, length, and so forth, although they of course help. Rather, I am referring to the quality of the password, something that is more difficult, but not impossible to enforce.
 
Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of December 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it 'EGYPTS-AIRWAYS', set up a honeypot + some other monitoring tools, and connected it to the internet.
As expected, we quickly started to see all kinds of traffic... some of them were obvious port scans, others were less obvious recons or attacks. Both exciting and interesting... We could probably spend some time to document the various types of attacks, maybe build a nice table with figures and produce some kick-ass management graphs and do some trends analysis. It would be a fun exercise...
...but nothing beats the real deal.
 
Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea, but I don't like installing tools on client machines if I can avoid it, so I never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was 'Great I can now scan through a Meterpreter pivot'. Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.

Database Security
 
Nothing amuses me more than some nice vendor-on-vendor smackdown action. Well, plenty of things amuse me more, especially Big Bang Theory and cats on YouTube, but the vendor thing is still moderately high on my list.
So I quite enjoyed this Dark Reading article on the release of the Oracle Database Firewall. But perhaps a little outside perspective will help. Here are the important bits:
 
Oracle Database Firewall Controversy  [www.petefinnigan.com]
Lindsay passed me a link to an article about the recent Oracle Firewall public release and also the recent partnering with F5.
The part that interests me most is the Oracle firewall and the fact that Oracle has stated:
'..which together it claims will supersede the database activity monitoring (DAM) market...'
Of course the vendors of DAM products completely disagree with this statement, and to be honest so do I. A firewall is not activity monitoring, and as stated in the article most of the DAM product players support IDS/IPS and also audit trail facilities. So a database firewall is only part of a DAM product, and a DAM product provides a better all-round solution than just a firewall. It's a subset. Are they (Oracle) suggesting that only a firewall is needed, and that IDS and Audit are not needed (maybe outside of the database? Or maybe they feel Audit Vault or core audit features satisfy that part of the DAM solution)? I don't know, of course; I can only speculate.

Cloud Security
 
Cloud computing has become an integrated part of IT strategy for companies in every sector of our economy. By 2012, IDC predicts that IT spending on cloud services will grow almost threefold, to $42 billion. So it's no surprise that decision makers no longer wonder "if" they can benefit from cloud computing. Instead, the question being asked now is "how" best to leverage the cloud while keeping data and systems secure.
 
ISF shares seven deadly sins of cloud computing  [www.infosecurity-magazine.com]
At the (ISC)2 Secure Leadership Conference at the BT Headquarters in London on 8 February 2011, Adrian Davis, principal research analyst at the ISF (Information Security Forum), shared with the audience what he considers to be the seven deadly sins of cloud computing.
"ISF's view of the cloud is shifting", Davis told his audience. "As an industry, we have technology definitions that we are happy with, acronyms and terminology like 'platform as a service', that no-one else uses. Most of society doesn't actually get what we are talking about."
Organizations, he says, are concerned about costs and "getting rid of the IT team in the basement". Sometimes, this means cutting information security completely out of the loop, leaving those responsible for security unable to influence the decision.

Mobile Security
 
Wireless Wisdom  [ecrimewales.posterous.com]
Dr Les Pritchard of e-Security specialists Fiasa (Forensic Investigation and Security Advice) outlines the risks faced by business people using wi-fi or 3G to access the internet while on the move and the precautions they must take. In addition he highlights how those who offer wi-fi access to others need to protect themselves against improper use that could leave them wide open to criminal charges or expensive lawsuits.
 
A new mobile phone virus has been discovered to have infected 150,000 people in China allowing hackers to remotely monitor calls, according to the Beijing Times on Wednesday.
The virus, named X Undercover, takes advantage of existing vulnerabilities in smart phones by forcing the three-way calling service to secretly open. Conversations and text messages can be monitored and copied after the virus breaks into the calling sequence, said Zou Shihong, a security expert with NetQin Mobile Inc.
 
To date, Russian antivirus program vendor Kaspersky has found nearly 2,000 viruses, Trojans, and other threats for mobile devices. At the Mobile World Congress (MWC), the company's founder Eugene Kaspersky told The H's associates at heise Online that although that figure is nothing compared to the number of Windows contaminants, it is nonetheless rising exponentially.
 
While you can't fully backup and restore everything if you lose your jailbreak in a software upgrade or restore, AptBackup is a free app available in Cydia that can help alleviate the trouble of getting all your jailbreak apps back where they belong.
As you can see in the video above, the backup and restore process is very easy. To back up, just launch AptBackup. To restore all your apps, you'll need to re-download AptBackup from Cydia. Once you do, all you have to do is press the restore button. This will automate the process by re-downloading all the necessary apps from Cydia to your iOS device. While it can't restore settings, it does take the tedious work out of setting things up every time you upgrade.
 
Mac OS X: iTunes backs up your iOS device's settings each time you sync, but it doesn't even come close to backing up the device in its entirety. If you want a complete backup of your device, you can do it easily with an application called PhoneDisk and the wonderful command-line utility rsync.
 
[Photo caption: Samsung user Alex Roebuck took this picture of his 'bricked' phone]
Microsoft has revealed that 1 in 10 users who tried to install a software update on their Windows mobile experienced problems.
The company had previously said that only a 'small number' of handsets were affected.
http://www.bbc.co.uk/news/technology-12564651?utm_source=twitterfeed&utm_medium=twitter
ZeuS in the Mobile is back
Yesterday, Polish Security Consultant and blogger Piotr Konieczny wrote (Polish) about a new wave of ZeuS trojan attacks. This time, it took place in Poland and it was directed against customers of ING Bank.
The samples used in this attack run on a number of platforms: Trojan-Spy.Win32.Zbot.bbmf for Windows, Trojan-Spy.SymbOS.Zbot.b for Symbian and Trojan-Spy.WinCE.Zbot.a for Windows Mobile. Yes, this time ZeuS in the Mobile (ZitMo) targets users of Windows Mobile smartphones too.
 
Motorola XOOM Rooted  [www.koushikdutta.com]
Since it's another Google experience device, and ships with fastboot support (albeit, limited), it really does come rooted out of the box. Just needed to figure out the board kernel base, and compile up a new kernel.
Unfortunately the kernel was not available in the Android repositories. At first, I tried using the Harmony kernel, since they are both tegra 2 250 chips. That turned out to be major fail. As soon as I was about to give up, I noticed that AOSP had updated their tegra kernel repository with some new tasty branches for stingray. Kudos to these guys for being so on the ball! I was able to compile that up and get a working recovery to obtain root, and then get Superuser on the device.
I also built up a recovery, but due to a nonfunctional SD card slot (until they release a firmware update that enables the slot), nothing really works. That will come later.
Here are the instructions to root your device (this assumes you have adb and fastboot installed on your computer):
 
Kindle 3.1 Jailbreak  [hackaday.com]
In the constant battle of manufacturers vs. jailbreakers, the turnaround time between a new software release and a new jailbreak seems to be getting shorter and shorter. [Yifan] noticed that a recent Kindle update broke a previous method of running unsigned code and started the search for a new workaround.
He eventually found a way to force the Kindle to run unsigned code based upon how the software update checked for digitally signed files. With that knowledge in hand, he discovered that he could trick the updater to run any file he wanted by exploiting the standard functionality found in the Unix 'cat' command.

Privacy and Censorship
 
New copyright law could damage our IT industry
The reports in recent days - notably on Silicon Republic - that the outgoing Government is to sign into law a provision granting judges the power to injunct Internet Service Providers in breach of copyright laws are disturbing.
It looks like they're legislating for the 'three strikes and you're out rule' in the last days of the administration.
If this is the case, then I would urge Minister Hanafin not to sign this Statutory Instrument and to consult carefully with the IT industry, telecoms providers and the Department of Communications before there are any further moves.
 
The Federal Court of Australia has dismissed a case (read the ruling) from the movie industry which argued that ISPs must take action against file-swappers, based on allegations of infringement from copyright holders. The case against ISP iiNet was an appeal of the original judgment in the matter, which also went against rightsholders.
The appeal, considered by three judges, is remarkably long and thorough. (It includes sentences like, 'Computers operate by means of binary code. A bit is either a zero or a one. A byte is 8 bits. A kilobyte is 1,024 bytes, a megabyte is 1,024 kilobytes and a gigabyte is 1,024 megabytes.')
 
Adam Pash - When you're browsing from a public Wi-Fi connection, like at your favorite coffee shop, anyone on that network can snoop on what you're doing, with very few exceptions. So can the IT crew at your workplace. Today, we're going to walk through setting up an encrypted proxy server on your home computer so you can secure your browsing session no matter where you're connected, keeping your private data significantly more private.

General
 
There are add-ons, VPNs, and apps galore that offer a safer browsing experience, but the browser you use, and the sites you visit, offer strong but simple security tools, too. Here are the best of the no-hassle, no-install-required options that you should be using now.
 
Advancing the Idea of Collective Action to Improve Internet Security and Privacy  [blogs.technet.com]
To help address growing concerns regarding Internet security and privacy, I recently published a paper outlining an approach to addressing botnets and malware that threaten consumer devices connected to the Internet entitled Collective Defense: Applying Public Health Models to the Internet.
Today at the RSA 2011 conference in San Francisco, I presented the details of this proposal for collective defense, and shared a proof of concept scenario exemplifying how an organization, such as a bank, might promote better device health. Below is video of that scenario:

Tools
 
Today, SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the attacker has a list of Active Directory users but no services that are using domain authentication.

Funny
 
 
Flying Cars  [xkcd.com]

Friday, 18 February 2011

Security Weekly News 18 February 2011 - Summary

Highlighted quotes of the week:
"We have decided to create the following forum letter before a compromise happens just to cover our bases. Because, as many of you know, it is not a matter of "if" it is a matter of "when." We just hope that it is not something really dumb, like a default password or a missing OS patch. But, as you all know, stuff happens." - PaulDotCom Security Weekly
"I cringe every time I open an email attachment for customer support - I blame John Strand" - Richard H. Fifarek "<- You are welcome" - John Strand
"Stuxnet & the Google infiltration are not cyber war, who died? However all wars in the future will have a cyber component" - Bruce Schneier
"man, with all the data people put in Chrome 'apps' why would you need to break out of the sandbox? ;-)" - Rob Fuller
"Well in the end even big enterprises get owned through little PHP scripts. However ZDI and co. won't pay for this :P" - Stefan Esser
"9/10 times when I see base64 encoding in a webapp, the result makes me smile!" - Josh Abraham
"Tip of the day: need to work via ssh on many servers at the same time? Keyboardcast - type once, run in all terminal windows" - Tomasz Miklas
"Humorous suggestion of the day: that I return to the US w/ a suitcase containing thousands of USB drives and old floppies as a DoS on customs" - Moxie Marlinspike
"HD proposes presale mandatory security audits before IT signs contract to buy new software or hardware to find vulns and get vendor to fix." - Richard Bejtlich
"It's pretty sad when you are given a rose for valentines day and your first thought is the PCI compliance status of the florist.." - @decnet0
"You know what's really awesome? Explaining technical concepts to non-technical people, and experiencing their genuine curiosity." - Dan Kaminsky

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Mobile Security, Cloud Security, Privacy and Censorship, General, Tools, Funny
Highlighted news items of the week (No categories):
Not patched: Microsoft Windows SMB 'mrxsmb.sys' Remote Heap Overflow Vulnerability
Updated/Patched: Windows 7 Service Pack 1 is available for MSDN and TechNet subscribers, February 2011 Java SE and Java for Business Critical Patch Update Released, VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX, Java Denial of Service Vulnerability (Double Trouble), Cisco Security Advisory: Management Center for Cisco Security Agent Remote Code Execution Vulnerability, Speedy PDF Reader Sumatra Is Now Even Faster at Opening PDFs
 
Up to 60 per cent of Irish companies have suffered a data breach and only a third have proper data breach policies, according to a survey to be published by the Irish Computer Society.
The Data Protection Attitudes and Practices Survey 2011 also reveals that more than one in seven people have suffered a personal data breach over the past 12 months.
And almost half of IT staff are unaware that data breaches must be reported by law. Consequently, two thirds of Irish IT workers say that they are not confident that a data breach involving their own personal information would be reported to them.
 
A new 'State of Application Security Survey' conducted by the Ponemon Institute and commissioned by Barracuda Networks and Cenzic on respondents' perceptions and experiences protecting Web applications has some disappointing results. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.
According to 74 per cent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment. And while website attacks are the biggest concern for companies, 88 per cent spend more on coffee than on securing Web applications.
 
Two of the top five most frequently observed flaws were patched more than five years ago, M86 study says
The availability of a patch for a security flaw doesn't always solve the problem, according to a new study published today.
According to the new Security Labs Report from M86 Security, the top six most frequently observed vulnerabilities on the Web were all discovered at least four years ago, and have all been patched for at least two years.
Most of the top 15 flaws detected by M86 Security were on Windows or Adobe applications, and most have been around for some time -- MS Office Web Components active script execution, for example, has been known since 2002, yet it is still No. 2 on the most frequently detected list.
 
The study found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet.
If you think your antivirus software is protecting your computer, think again. Only 17% of all of the viruses on the web are detected by antivirus providers, according to research carried out by the Israeli firm Security Art, which examined the effectiveness of 42 antivirus programs, including programs sold by McAfee, Kaspersky, AVG and Aladdin as well as Symantec's Norton antivirus program.
The study also found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet. Among the antivirus programs tested, the one with the best record was McAfee with Artemis/GW, with a 17% success rate, followed by Microsoft with 16% and Sophos with 13%. Lower rates were registered for Norton, at 12%. Other products, from Trend Micro, Aladdin eSafe, Fortinet, and the most common, full version of McAfee, registered success rates of less than 10% in detecting the viruses.
 
A security researcher who analyzed data from two recently leaked databases concluded that the rate of password reuse is higher than previously believed.
Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, analyzed user passwords stolen from Gawker and rootkit.com.
The Gawker user database was leaked by hackers in the first half of December, while the rootkit.com one made its way onto the Internet just recently, after Anonymous hacked HBGary.
The Gawker leak was much bigger, exposing some 1.3 million logins and password hashes, compared to the 81,000 stolen from rootkit.com.
When intersecting the two databases, Bonneau found 522 email addresses registered at both sites. Of those, about 456 were determined to be valid pairs.
 
The Spy Next Door: Stealing your life for £44  [blog.itsecurityexpert.co.uk]
How easy can it be to steal your life? For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account? Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
 
Cyber crime costs the UK economy £27bn a year, the government has said.
The figures, published for the first time, are a mid-range estimate and the real cost could be much higher.
They are made up of £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens.
Security minister Baroness Neville-Jones said the government was determined to work with industry to tackle cyber crime.
At the moment, cyber criminals are 'fearless because they do not think they will be caught', she said in a briefing in central London.
 
The Home Office has pledged to spend £63m on the fight against cyber crime.
The move follows David Cameron's announcement in October that Britain is to spend £650m on a new cyber security programme, as part of sweeping reforms to the UK's defence capabilities.
 
The FREE ISO27k Toolkit  [www.iso27001security.com]
The FREE ISO27k Toolkit consists of a collection of ISMS-related materials contributed by members of the ISO27k Forum, either individually or through collaborative working groups organized on the Forum. We are very grateful for their generosity in allowing us to share them with you.
The toolkit is an incomplete work-in-progress: further contributions are most welcome, whether to fill-in gaps or provide additional examples of the items listed below.


Cloud Security highlights of the week
 
This is going to be a bit of a different post for me. One of the exercises in our CCSK Enhanced class we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance.
There are a few different ways to do this, but we decided to go with Trend Micro's SecureCloud service for a couple of reasons. First of all, setting it up is something we could do within the time constraints of the class. Trying the same process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Lastly, they offer a free 60 day trial.


Secure Network Administration highlights of the week
 
When talking about security, companies often focus on the "security perimeter". Inside this perimeter, you have the "good" guys and all the rest is considered the "wild" world, the Internet. Once you have passed the access controls, you are free to walk and do what you want. Can you approve of this from a security point of view? And this is true for physical security as well as network security. So often, I have found myself alone in corporate buildings where I could perform so many malicious actions! (I insist here on the "could" verb ;-) )
A new wave of gadgets, called the "PlugBot" or the "Pwnie Express", are available for sale on the Internet. The word "gadget" is not the most appropriate in this case. I would say "killer tools" instead. Those small boxes have the same size as a PLC adapter. This makes them extremely portable and discreet. They integrate a powerful toolbox:
 
Targeting a vulnerability in Acrobat Reader is one of the more popular ways of compromising systems nowadays. PDF Stream Dumper is a free tool for analyzing suspicious PDF files, and is an excellent complement to the tools and approaches I outlined in the Analyzing Malicious Documents cheat sheet.
For this introductory walk-through, I will use a malicious PDF file that I obtained from Contagio Malware Dump. If you'd like to experiment with this file in an isolated laboratory environment, you're welcome to download the malicious PDF from my server; the password to the zip file is the word "infected".
 
How To Outrun A Lion?  [www.ctrl-alt-del.cc]
You don't have to outrun a lion - it's enough you outrun the guy running next to you.
Funny enough, the same stands for securing your IT infrastructure - if you are in the 'low hanging fruit' category, you get owned for sure - possibly before you even notice anything shady going on behind your shiny website. When you raise the bar a bit and step out of the damned circle, most of the attackers will give up on you and move on to find some other target that is easier to compromise. Of course that doesn't work for determined attackers that want YOU and nobody else, but that's a story for another time.
What's that smell?
It's a smell of FAIL my friend...
 
DDoS Analysis Process  [isc.sans.edu]
We sometimes get requests from people who are undergoing Denial of Service attacks. These days that usually means a Distributed Denial of Service attack. In our role at the Internet Storm Center, we're often limited to consultation roles and can only recommend possible courses of action for the client. We don't have a canned response or top-three recommendations that will work in all cases; instead we have a process. Hopefully it can keep pace with the evolution of attacks.
 
How to crash the Internet  [www.zdnet.com]
We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a country, like Egypt, can knock down a country's entire Internet infrastructure. And, we thought we knew that you couldn't take down the entire Internet. It turns out we could be wrong.
In a report from New Scientist, Max Schuchard, a computer science graduate student, and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet.
 
Two Windows 7 security patches from this month's Patch Tuesday are reported to prevent VMware's View desktop virtualisation client from accessing the View Connection Server. According to a VMware Knowledge Base article, users that have installed either or both of the patches (Article ID 2482017, 2467023) are affected.
 
Network Visualization  [isc.sans.edu]
One area of interest that I have is network visualization. What I'm referring to is being able to visually see the traffic flows and patterns to determine anomalies or events of interest. We have so much information with our networks today that it is difficult to process all of it. The trend seems to be getting worse and reverting back to my good ole Army days of 'Do more with less'. With the economic times we live in, it always seems that security is one area that takes a hit. So, we have to work smarter, and network visualization is one area that I think has great potential, but seems to be very under developed.
 
A Distributed Cracker for VoIP  [www.symantec.com]
Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.
Let's rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP servers. The attacks consisted of REGISTER attempts using what appeared to be random account names. The novelty lay in the source of the attack, as it seemed the traffic originated from many different IPs. No specific malware was traced back to these attacks, though.


Secure Development highlights of the week
 
Java is out of date on more than 40 percent of machines
Wolfgang Kandeck, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company's BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.
BrowserCheck checks for vulnerabilities in browsers (on Windows, Linux and Mac) and 18 browser plug-ins. Plugins include Flash and Reader (Adobe), Java (Oracle) and Silverlight (Microsoft) and Windows Media Player (Microsoft).
 
Ever wonder about that mysterious Content-Type tag? You know, the one you're supposed to put in HTML and you never quite know what it should be?
Did you ever get an email from your friends in Bulgaria with the subject line '???? ?????? ??? ????'?
I've been dismayed to discover just how many software developers aren't really completely up to speed on the mysterious world of character sets, encodings, Unicode, all that stuff. A couple of years ago, a beta tester for FogBUGZ was wondering whether it could handle incoming email in Japanese. Japanese? They have email in Japanese? I had no idea. When I looked closely at the commercial ActiveX control we were using to parse MIME email messages, we discovered it was doing exactly the wrong thing with character sets, so we actually had to write heroic code to undo the wrong conversion it had done and redo it correctly. When I looked into another commercial library, it, too, had a completely broken character code implementation. I corresponded with the developer of that package and he sort of thought they 'couldn't do anything about it.' Like many programmers, he just wished it would all blow over somehow.
 
Some less obvious benefits of HSTS  [scarybeastsecurity.blogspot.com]
HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections.
Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.
The stated benefits of HSTS include:
* Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.
* Zero tolerance for certification problems. The user is not permitted to 'click through' anything such as a self-signed cert.
 
IronBee, a new Apache-licensed web application firewall  [blog.ivanristic.com]
It is my great pleasure to announce the launch of IronBee, a brand new open source web application firewall. It's a project whose main goal is to build a universal application security sensor through focus on community-building first, code second. To that end, not only is the project open source, but it uses the Apache 2 license and does not require copyright assignments from contributors. How's that for a conversation starter?
 
Spot the Vuln - Radical  [blogs.sans.org]
When you are right, you cannot be too radical; When you are wrong, you cannot be too conservative.
- Martin Luther King, Jr.
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
 
Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.
Last Friday, Google announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract (DBC).
 
Yet another operation permitted across domains with no specific security checks is the ability to seamlessly merge <IFRAME> containers displaying chunks of third-party sites (in their respective security contexts) inside the current document. Although this feature has no security consequences for static content - and in fact, might be desirable - it poses a significant concern with complex web applications where the user is authenticated with cookies: the attacker may cleverly decorate portions of such a third-party UI to make it appear as if they belong to his site instead, and then trick his visitors into interacting with this mashup. If successful, clicks would be directed to the attacked domain, rather than the attacker's page - and may result in undesirable and unintentional actions being taken in the context of the victim's account.
There are several basic ways to fool users into generating such misrouted clicks:
 
ClearClick News  [hackademix.net]
As you probably know, ClearClick is the only effective client-side protection against Clickjacking (AKA UI Redressing).
A couple of weeks ago, Atul Agarwal of Secfence privately reported a ClearClick bypass to me based on tracking the user's mouse movements and dynamically putting an extremely small click target just under his pointer. Even though it required the attacker's page to be whitelisted and run JavaScript, I deemed this bug deserved to be fixed ASAP because ClearClick, like most web application security countermeasures offered by NoScript


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication

Objective

To provide secure authentication services to web applications, by:

- Tying a system identity to an individual user by the use of a credential
- Providing reasonable authentication controls as per the application’s risk
- Denying access to attackers who use various methods to attack the authentication system

Architectural Goals

All applications should take into account the following architectural and detailed design goals:

- All applications within your organization SHOULD share a well-debugged and trusted authentication mechanism if possible
- All secured functions and secured resources SHOULD be protected by a common authentication mechanism within the one application
- All applications MUST use the lowest possible privilege service account to access back end systems such as directories, web services, databases and message queues
- Credentials SHOULD be transmitted only over encrypted links, particularly weak authentication mechanisms such as passwords
- Credentials MUST be stored after being one-way hashed and salted using acceptable hashing algorithms
- Credential stores SHOULD implement configurable settings for thresholds, lockouts, password complexity and alerts
- Credential stores SHOULD be designed to implement several hashing algorithms as these will be replaced soon and as change is inevitable, your application should plan today for this transition
- Applications SHOULD have the facility to alert the user as to failed login attempts and offer to allow them to change their password (if applicable)
- Applications SHOULD have the facility to notify the user of their last logged in time, and subsequently report a fraudulent login if they disagree with that date and time
- Authentication and registration processes, particularly login failures, SHOULD provide no information as to whether an account exists or whether the password is wrong. A single error message for the end user covering both scenarios is more than adequate
- All pages SHOULD have an effective logout button on every single page in a common location
- Applications SHOULD possess administrative functions to detail and manage never-logged-in accounts, idle accounts, and accounts that have been administratively- or soft-locked
- Passwords MUST be easily changed. Applications MAY include password strength indicators or provide a random password generator function
- There SHOULD be a logical difference between administrative lockout and failed login lockout, so that re-enabling all users en masse does not unlock administratively locked users
- Medium value applications SHOULD and High value applications MUST provide a mechanism to re-authenticate or transaction sign high value transactions
- Applications MUST protect credentials from common authentication attacks as detailed in the Testing Guide. Following the sections in this chapter will produce such an outcome
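Several of the goals above (salted one-way hashing, a credential store that can migrate between hashing algorithms, a single error message whether the account exists or not, and a failed-login lockout kept separate from an administrative lock) fit in one small credential store. The following is an added example written for this post, not code from the OWASP guide; the algorithm tags, iteration counts, threshold and message text are illustrative choices of my own.

```python
import hashlib
import hmac
import os
# Tag -> (digest, iterations); iteration counts are kept low for illustration.
# Adding a stronger entry and pointing CURRENT at it migrates users on next login.
ALGORITHMS = {"pbkdf2-sha256-10k": ("sha256", 10_000),     # legacy entry
              "pbkdf2-sha256-100k": ("sha256", 100_000)}   # current entry
CURRENT = "pbkdf2-sha256-100k"
LOCKOUT_THRESHOLD = 5  # configurable threshold, as the guide asks for
GENERIC_FAILURE = "Invalid username or password"  # one message for every failure

def hash_password(password, algorithm=CURRENT, salt=None):
    """Return 'tag$salt_hex$hash_hex', with a fresh 16-byte random salt by default."""
    digest, iterations = ALGORITHMS[algorithm]
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations)
    return f"{algorithm}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute using the record's own tag and salt; compare in constant time."""
    algorithm, salt_hex, _ = stored.split("$")
    recomputed = hash_password(password, algorithm, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

class CredentialStore:
    def __init__(self):
        self.accounts = {}  # username -> {"hash", "failures", "admin_locked"}

    def register(self, username, password, algorithm=CURRENT):
        self.accounts[username] = {"hash": hash_password(password, algorithm),
                                   "failures": 0, "admin_locked": False}

    def login(self, username, password):
        record = self.accounts.get(username)
        if record is None:
            hash_password(password)  # spend the same work so timing gives nothing away
            return False, GENERIC_FAILURE
        if record["admin_locked"] or record["failures"] >= LOCKOUT_THRESHOLD:
            return False, GENERIC_FAILURE
        if not verify_password(password, record["hash"]):
            record["failures"] += 1
            return False, GENERIC_FAILURE
        record["failures"] = 0
        if not record["hash"].startswith(CURRENT + "$"):  # legacy hash: upgrade now
            record["hash"] = hash_password(password)
        return True, "ok"

    def reset_failed_login_lockouts(self):  # mass reset; admin locks stay in place
        for record in self.accounts.values():
            record["failures"] = 0
```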


Source: link

Have a great weekend.