Friday, 18 February 2011

Security Weekly News 18 February 2011 - Summary

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"We have decided to create the following forum letter before a compromise happens just to cover our bases. Because, as many of you know, it is not a matter of "if" it is a matter of "when." We just hope that it is not something really dumb, like a default password or a missing OS patch. But, as you all know, stuff happens." - PaulDotCom Security Weekly
"I cringe every time I open an email attachment for customer support - I blame John Strand" - Richard H. Fifarek "<- You are welcome" - John Strand
"Stuxnet & the Google infiltration are not cyber war, who died? However all wars in the future will have a cyber component" - Bruce Schneier
"man, with all the data people put in Chrome 'apps' why would you need to break out of the sandbox? ;-)" - Rob Fuller
"Well in the end even big enterprises get owned through little PHP scripts. However ZDI and co. won't pay for this :P" - Stefan Esser
"9/10 times when I see base64 encoding in a webapp, the result makes me smile!" - Josh Abraham
"Tip of the day: need to work via ssh on many servers at the same time? Keyboardcast - type once, run in all terminal windows" - Tomasz Miklas
"Humorous suggestion of the day: that I return to the US w/ a suitcase containing thousands of USB dives and old floppies as a DoS on customs" - Moxie Marlinspike
"HD proposes presale mandatory security audits before IT signs contract to buy new software or hardware to find vulns and get vendor to fix." - Richard Bejtlich
"It's pretty sad when you are given a rose for Valentine's Day and your first thought is the PCI compliance status of the florist.." - @decnet0
"You know what's really awesome? Explaining technical concepts to non-technical people, and experiencing their genuine curiosity." - Dan Kaminsky

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Mobile Security, Cloud Security, Privacy and Censorship, General, Tools, Funny
Highlighted news items of the week (No categories):
Not patched: Microsoft Windows SMB 'mrxsmb.sys' Remote Heap Overflow Vulnerability
Updated/Patched: Windows 7 Service Pack 1 is available for MSDN and TechNet subscribers, February 2011 Java SE and Java for Business Critical Patch Update Released, VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX, Java Denial of Service Vulnerability (Double Trouble), Cisco Security Advisory: Management Center for Cisco Security Agent Remote Code Execution Vulnerability, Speedy PDF Reader Sumatra Is Now Even Faster at Opening PDFs
Up to 60 per cent of Irish companies have suffered a data breach and only a third have proper data breach policies, according to a survey to be published by the Irish Computer Society.
The Data Protection Attitudes and Practices Survey 2011, also reveals that more than one in seven people have suffered a personal data breach over the past 12 months.
And almost half of IT staff are unaware that data breaches must be reported by law. Consequently, two thirds of Irish IT workers say that they are not confident that a data breach involving their own personal information would be reported to them.
A new 'State of Application Security Survey' conducted by the Ponemon Institute and commissioned by Barracuda Networks and Cenzic on respondents' perceptions and experiences protecting Web applications has some disappointing results. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.
According to 74 per cent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment. And while website attacks are the biggest concern for companies, 88 per cent spend more on coffee than securing Web applications
Two of the top five most frequently observed flaws were patched more than five years ago, M86 study says
The availability of a patch for a security flaw doesn't always solve the problem, according to a new study published today.
According to the new Security Labs Report from M86 Security, the top six most frequently observed vulnerabilities on the Web were all discovered at least four years ago, and have all been patched for at least two years.
Most of the top 15 flaws detected by M86 Security were on Windows or Adobe applications, and most have been around for some time -- MS Office Web Components active script execution, for example, has been known since 2002, yet it is still No. 2 on the most frequently detected list.
The study found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet.
If you think your antivirus software is protecting your computer, think again. Only 17% of all of the viruses on the web are detected by antivirus providers, according to research carried out by the Israeli firm Security Art, which examined the effectiveness of 42 antivirus programs, including programs sold by McAfee, Kaspersky, AVG and Aladdin as well as Symantec's Norton antivirus program.
The study also found that over half the antivirus programs managed to detect fewer than 10% of the viruses active on the Internet. Among the antivirus programs tested, the one with the best record was McAfee with Artemis/GW, with a 17% success rate, followed by Microsoft with 16% and Sophos with 13%. Lower rates were registered for Norton, at 12%. Other products, from Trend Micro, Aladdin eSafe, Fortinet, and the most common, full version of McAfee, registered success rates of less than 10% in detecting the viruses.
A security researcher who analyzed data from two recently leaked databases concluded that the rate of password reuse is higher than previously believed.
Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, analyzed user passwords stolen from Gawker and
The Gawker user database was leaked by hackers in the first half of December, while the one made its way onto the Internet just recently, after Anonymous hacked HBGary.
The Gawker leak was much bigger, exposing some 1.3 million logins and password hashes, compared to the 81,000 stolen from
When intersecting the two databases, Bonneau found a number of 522 email addresses registered at both sites. Of those, about 456 were determined to be valid pairs.
The Spy Next Door: Stealing your life for £44
How easy can it be to steal your life? For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account? Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
Cyber crime costs the UK economy £27bn a year, the government has said.
The figures, published for the first time, are a mid-range estimate and the real cost could be much higher.
They are made up of £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens.
Security minister Baroness Neville-Jones said the government was determined to work with industry to tackle cyber crime.
At the moment, cyber criminals are 'fearless because they do not think they will be caught', she said in a briefing in central London.
The Home Office has pledged to spend £63m on the fight against cyber crime.
The move follows David Cameron's announcement in October that Britain is to spend £650m on a new cyber security programme, as part of sweeping reforms to the UK's defence capabilities.
The FREE ISO27k Toolkit
The FREE ISO27k Toolkit consists of a collection of ISMS-related materials contributed by members of the ISO27k Forum, either individually or through collaborative working groups organized on the Forum. We are very grateful for their generosity in allowing us to share them with you.
The toolkit is an incomplete work-in-progress: further contributions are most welcome, whether to fill-in gaps or provide additional examples of the items listed below.

Cloud Security highlights of the week
This is going to be a bit of a different post for me. One of the exercises in our CCSK Enhanced class we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance.
There are a few different ways to do this, but we decided to go with Trend Micro's SecureCloud service for a couple of reasons. First of all, setting it up is something we could do within the time constraints of the class. Trying the same process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Lastly, they offer a free 60 day trial.

Secure Network Administration highlights of the week
When talking about security, companies often focus on the "security perimeter". Inside this perimeter you have the "good" guys, and all the rest is considered the "wild" world, the Internet. Once you have passed the access controls, you are free to walk around and do what you want. Can you approve of this from a security point of view? And this is true for physical security as well as network security. So often, I have found myself alone in corporate buildings where I could perform so many malicious actions! (I insist here on the "could" verb ;-) )
A new wave of gadgets, called the "PlugBot" or the "Pwnie Express", are available for sale on the Internet. The word "gadget" is not the most appropriate in this case; I would say "killer tools" instead. Those small boxes are the same size as a PLC adapter. This makes them extremely portable and discreet. They integrate a powerful toolbox:
Targeting a vulnerability in Acrobat Reader is one of the more popular ways of compromising systems nowadays. PDF Stream Dumper is a free tool for analyzing suspicious PDF files, and is an excellent complement to the tools and approaches I outlined in the Analyzing Malicious Documents cheat sheet.
For this introductory walk-through, I will use a malicious PDF file that I obtained from Contagio Malware Dump. If you'd like to experiment with this file in an isolated laboratory environment, you're welcome to download the malicious PDF from my server; the password to the zip file is the word "infected".
How To Outrun A Lion?
You don't have to outrun a lion - it's enough you outrun the guy running next to you.
Funnily enough, the same holds for securing your IT infrastructure: if you are in the 'low hanging fruit' category, you get owned for sure, possibly before you even notice anything shady going on behind your shiny website. When you raise the bar a bit and step out of the damned circle, most attackers will give up on you and move on to find some other target that is easier to compromise. Of course that doesn't work for determined attackers that want YOU and nobody else, but that's a story for another time.
What's that smell?
It's a smell of FAIL my friend...
DDoS Analysis Process
We sometimes get requests from people who are undergoing Denial of Service attacks. These days that usually means a Distributed Denial of Service attack. In our role at the Internet Storm Center, we're often limited to consultation roles and can only recommend possible courses of action for the client. We don't have a canned response or top-three recommendations that will work in all cases; instead we have a process. Hopefully it can keep pace with the evolution of attacks.
How to crash the Internet
We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a country, like Egypt, can knock down a country's entire Internet infrastructure. And, we thought we knew that you couldn't take down the entire Internet. It turns out we could be wrong.
In a report from New Scientist, Max Schuchard a computer science graduate student and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet.
Two Windows 7 security patches from this month's Patch Tuesday are reported to prevent VMware's View desktop virtualisation client from accessing the View Connection Server. According to a VMware Knowledge Base article, users that have installed either one or both of the patches (Article ID 2482017, 2467023) are affected.
Network Visualization
One area of interest that I have is network visualization. What I'm referring to is being able to visually see the traffic flows and patterns to determine anomalies or events of interest. We have so much information with our networks today that it is difficult to process all of it. The trend seems to be getting worse and reverting back to my good ole Army days of 'Do more with less'. With the economic times we live in, it always seems that security is one area that takes a hit. So, we have to work smarter, and network visualization is one area that I think has great potential, but seems to be very under developed.
A Distributed Cracker for VoIP
Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.
Let's rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP servers. The attacks consisted of REGISTER attempts using what appeared to be random account names. The novelty lay in the source of the attack, as it seemed the traffic originated from many different IPs. No specific malware was traced back to these attacks, though.
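The traffic pattern just described (REGISTER failures for apparently random account names, spread across many source addresses, rather than a flood from one host) is something a SIP server's own logs can reveal. The following detector is an added example, not code from the Symantec write-up or from any SIP product; the log lines are constructed for this example and only approximate the Asterisk chan_sip NOTICE format, and the function names and thresholds are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Window one: a legitimate typo from one
# phone plus failures for random names from four different hosts, the distributed
# pattern. Window two: a classic single-source brute force from one IP.
SAMPLE_LOG = """\
1700 NOTICE[1234] chan_sip.c: Registration from '<sip:1001@10.0.0.5>' failed for '203.0.113.10:5060' - Wrong password
1701 NOTICE[1234] chan_sip.c: Registration from '<sip:qzx81a@10.0.0.5>' failed for '198.51.100.7:5060' - No matching peer found
1702 VERBOSE[1234] chan_sip.c: Really destroying SIP dialog '123abc@10.0.0.5'
1703 NOTICE[1234] chan_sip.c: Registration from '<sip:kk09p@10.0.0.5>' failed for '198.51.100.8:5060' - No matching peer found
1704 NOTICE[1234] chan_sip.c: Registration from '<sip:admin3@10.0.0.5>' failed for '198.51.100.9:5060' - No matching peer found
1705 NOTICE[1234] chan_sip.c: Registration from '<sip:test77@10.0.0.5>' failed for '198.51.100.10:5060' - No matching peer found
1706 NOTICE[1234] chan_sip.c: Registration from '<sip:m1n2b3@10.0.0.5>' failed for '198.51.100.7:5060' - No matching peer found
1707 NOTICE[1234] chan_sip.c: Registration from '<sip:5551234@10.0.0.5>' failed for '198.51.100.8:5060' - No matching peer found
1900 NOTICE[1234] chan_sip.c: Registration from '<sip:100@10.0.0.5>' failed for '192.0.2.9:5060' - No matching peer found
1901 NOTICE[1234] chan_sip.c: Registration from '<sip:101@10.0.0.5>' failed for '192.0.2.9:5060' - No matching peer found
1902 NOTICE[1234] chan_sip.c: Registration from '<sip:102@10.0.0.5>' failed for '192.0.2.9:5060' - No matching peer found
1903 NOTICE[1234] chan_sip.c: Registration from '<sip:103@10.0.0.5>' failed for '192.0.2.9:5060' - No matching peer found
1904 NOTICE[1234] chan_sip.c: Registration from '<sip:104@10.0.0.5>' failed for '192.0.2.9:5060' - No matching peer found
1905 NOTICE[1234] chan_sip.c: Registration from '<sip:105@10.0.0.5>' failed for '192.0.2.9:5060' - No matching peer found
"""

# Approximation of the chan_sip failed-registration notice; the leading field is a
# Unix timestamp in this constructed format.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d+) NOTICE\S* chan_sip\.c: Registration from "
    r"'<sip:(?P<user>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(text):
    """Yield (timestamp, username, source_ip, reason) for every failed REGISTER line."""
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            yield int(m["ts"]), m["user"], m["ip"], m["reason"]


def distributed_windows(events, window=60, min_sources=3, min_users=5):
    """Start times of windows where failures came from many IPs against many names.

    This is the Sality-style signature: per-IP counters stay low, so only the
    aggregate over sources and distinct usernames exposes it.
    """
    buckets = defaultdict(lambda: {"sources": set(), "users": set()})
    for ts, user, ip, _ in events:
        bucket = buckets[ts // window * window]
        bucket["sources"].add(ip)
        bucket["users"].add(user)
    return sorted(start for start, b in buckets.items()
                  if len(b["sources"]) >= min_sources and len(b["users"]) >= min_users)


def noisy_sources(events, threshold=5):
    """The classic single-source brute force: one IP with many failures overall."""
    counts = Counter(ip for _, _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG))
    print("distributed windows starting at:", distributed_windows(events))
    print("noisy single sources:", noisy_sources(events))
```

Running it over the sample flags the first minute as distributed (five sources, seven names, although no single source exceeds two failures) and flags only 192.0.2.9 as a noisy source; a per-IP rule on its own would have missed the first window entirely. In production the same aggregation runs over a sliding window of real log lines, and the thresholds are tuned to the site's normal rate of mistyped credentials.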

Secure Development highlights of the week
Java is out of date on more than 40 percent of machines
Wolfgang Kandek, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company's BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.
BrowserCheck checks for vulnerabilities in browsers (on Windows, Linux and Mac) and 18 browser plug-ins. Plugins include Flash and Reader (Adobe), Java (Oracle) and Silverlight (Microsoft) and Windows Media Player (Microsoft).
Ever wonder about that mysterious Content-Type tag? You know, the one you're supposed to put in HTML and you never quite know what it should be?
Did you ever get an email from your friends in Bulgaria with the subject line '???? ?????? ??? ????'?
I've been dismayed to discover just how many software developers aren't really completely up to speed on the mysterious world of character sets, encodings, Unicode, all that stuff. A couple of years ago, a beta tester for FogBUGZ was wondering whether it could handle incoming email in Japanese. Japanese? They have email in Japanese? I had no idea. When I looked closely at the commercial ActiveX control we were using to parse MIME email messages, we discovered it was doing exactly the wrong thing with character sets, so we actually had to write heroic code to undo the wrong conversion it had done and redo it correctly. When I looked into another commercial library, it, too, had a completely broken character code implementation. I corresponded with the developer of that package and he sort of thought they 'couldn't do anything about it.' Like many programmers, he just wished it would all blow over somehow.
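The failure described above, a MIME library that ignores the charset a message declares and squeezes the text into the wrong encoding, is easy to reproduce and to do correctly with the standard library. This is an added example, not code from Joel's article or from FogBUGZ: it builds a message whose Subject and body use a Cyrillic code page, decodes both with the charset each one declares, and beside that shows the lossy conversion that produces the '???? ??????' subject lines mentioned above. The function names and the sample text are my own and constructed for this example.

```python
from email import message_from_bytes
from email.header import Header, decode_header, make_header
from email.mime.text import MIMEText


def build_message(subject, body, charset):
    """Serialize a text message whose Subject and body are both in `charset`."""
    msg = MIMEText(body, "plain", charset)       # body bytes in `charset`, transfer-encoded
    msg["Subject"] = Header(subject, charset)    # RFC 2047 encoded-word in the same charset
    msg["From"] = "sender@example.test"          # constructed addresses
    msg["To"] = "recipient@example.test"
    return msg.as_bytes()


def decode_correctly(raw):
    """Decode Subject and body using the charset each of them declares."""
    msg = message_from_bytes(raw)
    # decode_header returns (bytes, charset) chunks; make_header reassembles them
    subject = str(make_header(decode_header(msg["Subject"])))
    body_bytes = msg.get_payload(decode=True)    # undo base64 / quoted-printable only
    body = body_bytes.decode(msg.get_content_charset())
    return subject, body.strip()


def decode_lossily(raw):
    """What the broken libraries did: guess a charset, then force the text into ASCII."""
    msg = message_from_bytes(raw)
    mojibake = msg.get_payload(decode=True).decode("latin-1")   # wrong charset
    return mojibake.encode("ascii", "replace").decode()          # every letter becomes '?'


if __name__ == "__main__":
    raw = build_message("Здравей свят", "Тестово писмо", "windows-1251")
    print(raw.decode("ascii"))
    print(decode_correctly(raw))
    print(decode_lossily(raw))
```

The point of the last function is that there is no way back once the conversion has been done: the Cyrillic text is gone, and the "heroic code" Joel mentions had to reach past the library to the raw bytes and the declared charset, which is exactly what `decode_correctly` uses.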
Some less obvious benefits of HSTS
HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections.
Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.
The stated benefits of HSTS include:
* Defenses against sslstrip-like attacks. The initial navigation to is automatically upgraded to HTTPS.
* Zero tolerance for certification problems. The user is not permitted to 'click through' anything such as a self-signed cert.
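The two benefits listed above follow from one small piece of client state: a cache of hosts that have sent a valid Strict-Transport-Security header over an error-free HTTPS connection. The following is an added example in the spirit of RFC 6797, not code from the post or from Chrome or Firefox; the class and function names are my own. It parses the header, remembers the policy for `max-age` seconds (honouring `includeSubDomains` and `max-age=0`), rewrites plain-HTTP URLs for known hosts before any request is sent, and refuses to offer a certificate-error override for them.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no valid max-age directive; such a header must be
    ignored entirely rather than treated as a policy.
    """
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None            # duplicate or malformed max-age: reject
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HSTSCache:
    """Remembers which hosts have asked to be reached over HTTPS only."""

    def __init__(self):
        self._known = {}               # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, received_over_https, now=None):
        """Record a policy; only trusted when it arrived over clean HTTPS."""
        now = time.time() if now is None else now
        if not received_over_https:
            return                     # a header seen over HTTP could be injected
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._known.pop(host, None)    # max-age=0 tells the client to forget the host
        else:
            self._known[host] = (now + max_age, include_sub)

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        host = host.lower()
        for known, (expires_at, include_sub) in self._known.items():
            if now >= expires_at:
                continue               # expired entries no longer apply
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url, now=None):
        """Benefit 1: rewrite http:// to https:// for a known host before sending anything."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        # drop an explicit :80 so the default HTTPS port applies
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def may_click_through_cert_error(self, host, now=None):
        """Benefit 2: certificate problems on a known host are fatal; no override is offered."""
        return not self.is_known(host, now)


if __name__ == "__main__":
    cache = HSTSCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains", received_over_https=True)
    print(cache.upgrade("http://example.com/login"))
    print(cache.upgrade("http://api.example.com/v1"))
    print(cache.may_click_through_cert_error("example.com"))
```

The first-visit gap is visible in the design: `upgrade` only helps once the host is in the cache, which is why browsers later added preload lists; until then the initial plain-HTTP request is still exposed to an sslstrip-style downgrade.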
IronBee, a new Apache-licensed web application firewall
It is my great pleasure to announce the launch of IronBee, a brand new open source web application firewall. It's a project whose main goal is to build a universal application security sensor through a focus on community-building first, code second. To that end, not only is the project open source, but it uses the Apache 2 license and does not require copyright assignments from contributors. How's that for a conversation starter?
Spot the Vuln - Radical
When you are right, you cannot be too radical; When you are wrong, you cannot be too conservative.
- Martin Luther King, Jr.
Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.
Last Friday, Google announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract (DBC).
Yet another operation permitted across domains with no specific security checks is the ability to seamlessly merge <IFRAME> containers displaying chunks of third-party sites (in their respective security contexts) inside the current document. Although this feature has no security consequences for static content - and in fact, might be desirable - it poses a significant concern with complex web applications where the user is authenticated with cookies: the attacker may cleverly decorate portions of such a third-party UI to make it appear as if they belong to his site instead, and then trick his visitors into interacting with this mashup. If successful, clicks would be directed to the attacked domain, rather than the attacker's page - and may result in undesirable and unintentional actions being taken in the context of the victim's account.
There are several basic ways to fool users into generating such misrouted clicks:
ClearClick News
As you probably know, ClearClick is the only effective client-side protection against Clickjacking (AKA UI Redressing).
A couple of weeks ago, Atul Agarwal of Secfence privately reported to me a ClearClick bypass based on tracking the user's mouse movements and dynamically putting an extremely small click target just under his pointer. Even though it required the attacker's page to be whitelisted and run JavaScript, I deemed this bug deserved to be fixed ASAP because ClearClick, like most web application security countermeasures offered by NoScript

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication


To provide secure authentication services to web applications, by:

- Tying a system identity to an individual user by the use of a credential
- Providing reasonable authentication controls as per the application’s risk
- Denying access to attackers who use various methods to attack the authentication system

Architectural Goals

All applications should take into account the following architectural and detailed design goals:

- All applications within your organization SHOULD share a well-debugged and trusted authentication mechanism if possible
- All secured functions and secured resources SHOULD be protected by a common authentication mechanism within the one application
- All applications MUST use the lowest possible privilege service account to access back end systems such as directories, web services, database and message queues
- Credentials SHOULD be transmitted only over encrypted links, particularly weak authentication mechanisms such as passwords
- Credentials MUST be stored after being one-way hashed and salted using acceptable hashing algorithms
- Credential stores SHOULD implement configurable settings for thresholds, lockouts, password complexity and alerts
- Credential stores SHOULD be designed to implement several hashing algorithms as these will be replaced soon and as change is inevitable, your application should plan today for this transition
- Applications SHOULD have the facility to alert the user as to failed login attempts and offer to allow them to change their password (if applicable)
- Applications SHOULD have the facility to notify the user of their last logged in time, and subsequently report a fraudulent login if they disagree with that date and time
- Authentication and registration processes, particularly login failures, SHOULD provide no information as to whether an account exists or the password is wrong. A single error message for the end user covering both scenarios is more than adequate
- All pages SHOULD have an effective logout button on every single page in a common location
- Applications SHOULD possess administrative functions to detail and manage never-logged-in accounts, idle accounts, and accounts that have been administratively- or soft-locked
- Passwords MUST be easily changed. Applications MAY include password strength indicators or provide a random password generator function
- There SHOULD be a logical difference between administrative lockout and failed login lockout, so that re-enabling all users en masse does not unlock administratively locked users
- Medium value applications SHOULD and High value applications MUST provide a mechanism to re-authenticate or transaction sign high value transactions
- Applications MUST protect credentials from common authentication attacks as detailed in the Testing Guide. Following the sections in this chapter will produce such an outcome
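Several of the goals above (salted one-way hashing, a credential store that can carry more than one hashing algorithm, a single error message for every login failure, a failed-login lockout kept separate from an administrative lock, reporting the previous login time, and re-authentication before a password change) fit in one small component. The following in-memory credential store is an added example, not code from the OWASP Development Guide; the class and function names, the algorithm labels in `HASHERS` and the thresholds are my own choices, and PBKDF2 from `hashlib` stands in for whatever "acceptable hashing algorithm" a deployment chooses.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Versioned hash registry. Each stored record carries the label it was hashed with,
# so a new algorithm is introduced by adding an entry and pointing CURRENT_ALG at
# it; records in an older algorithm are re-hashed on the user's next successful login.
HASHERS = {
    "pbkdf2-sha256": lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000),
    "pbkdf2-sha1":   lambda pw, salt: hashlib.pbkdf2_hmac("sha1", pw, salt, 10_000),  # legacy
}
CURRENT_ALG = "pbkdf2-sha256"
GENERIC_ERROR = "Invalid username or password"   # one message for every failure case
MAX_FAILURES = 5                                  # failed-login (soft) lockout threshold
LOCKOUT_SECONDS = 900

LoginResult = namedtuple("LoginResult", "ok message previous_login")


def hash_password(password, alg=CURRENT_ALG, salt=None):
    """One-way hash with a per-credential random salt; returns (alg, salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return alg, salt, HASHERS[alg](password.encode("utf-8"), salt)


class CredentialStore:
    def __init__(self):
        self._users = {}
        # Hashed once so a login for an unknown name costs the same as a wrong password.
        _, self._dummy_salt, self._dummy_hash = hash_password("placeholder")

    def register(self, username, password, alg=CURRENT_ALG):
        alg, salt, digest = hash_password(password, alg)
        self._users[username] = {"alg": alg, "salt": salt, "hash": digest, "failures": 0,
                                 "locked_until": 0, "admin_locked": False, "last_login": None}

    def _verify(self, rec, password):
        _, _, digest = hash_password(password, rec["alg"], rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])      # constant-time comparison

    def _is_locked(self, rec, now):
        return rec["admin_locked"] or now < rec["locked_until"]

    def login(self, username, password, now):
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, CURRENT_ALG, self._dummy_salt)   # equalise timing
            return LoginResult(False, GENERIC_ERROR, None)
        if self._is_locked(rec, now):
            return LoginResult(False, GENERIC_ERROR, None)          # same message, no hint
        if not self._verify(rec, password):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["failures"] = 0
                rec["locked_until"] = now + LOCKOUT_SECONDS         # soft lock only
            return LoginResult(False, GENERIC_ERROR, None)
        rec["failures"] = 0
        previous, rec["last_login"] = rec["last_login"], now        # shown to the user
        if rec["alg"] != CURRENT_ALG:
            rec["alg"], rec["salt"], rec["hash"] = hash_password(password)  # migrate
        return LoginResult(True, "OK", previous)

    def change_password(self, username, old_password, new_password, now):
        """Re-authenticate before the change; a strength check would go here too."""
        rec = self._users.get(username)
        if rec is None or self._is_locked(rec, now) or not self._verify(rec, old_password):
            return False
        rec["alg"], rec["salt"], rec["hash"] = hash_password(new_password)
        return True

    def set_admin_lock(self, username, locked):
        self._users[username]["admin_locked"] = locked

    def clear_failed_login_locks(self):
        """Mass re-enable after a brute-force wave; administrative locks are untouched."""
        for rec in self._users.values():
            rec["locked_until"], rec["failures"] = 0, 0

    def algorithm_of(self, username):
        return self._users[username]["alg"]


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery")
    print(store.login("alice", "wrong", now=100))
    print(store.login("alice", "correct horse battery", now=200))
```

Two details carry most of the value. The unknown-user path still performs a hash so that response time does not reveal which names exist, matching the single-message rule; and `clear_failed_login_locks` touches only `locked_until`, so an operator re-enabling everyone after a password-spraying wave cannot accidentally reopen accounts that were locked on purpose.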

Source: link

Have a great weekend.