Friday, 11 February 2011

Security Weekly News Catchup 11 February 2011 - Summary

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"We’ve learned the importance of Secure-By-Default because people rarely harden their “security” settings as standard practice" - Jeremiah Grossman
"Modern browsers are incredibly complex beasts, pushed well beyond their intended limits - and in that capacity, broken in more ways than we can imagine" - Michal Zalewski
"historically, complex security features have been shown to have far more failure modes. In essence, the fewer things can be misunderstood or overlooked, the better we are all off" - Michal Zalewski
"I'm annoyed by all the armchair critics of Stuxnet. How many nuclear programs have _you_ hacked?" - Alexander Sotirov
"BGPSEC, DNSSEC, IPSEC, ... And data is still vulnerable due to dumb passwords! What a wonderful world!" - Xavier Mertens
"An IPv6 packet walks into a bar. Nobody talks to him." - Sam Johnston
"'Compliance: An assault on reason.' Why spend 80%+ of your budget on the 10% of your enterprise that ISN'T your core business?" - indi303
"penetration testing outcomes need to be more business relevant, and risk analysts need to then shut up and listen." - Alex Hutton
"Risk management - a guess multiplied by an approximation, taken to the power of an expert opinion." - Fred Cohen, securitymetrics ML
"I'm not trying to be nasty, really... but If I don't know you, I don't want to be your friend on Facebook, LinkedIn, XING, ... Sorry!" - Chris John Riley

The full security news for this week is divided into categories, with a category index at the top. The categories this week are: Hacking Incidents / Cybercrime / Data Leakage, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Mobile Security, Wireless Security, Cryptography / Encryption, Privacy and Censorship, Social Engineering, General, Tools, Funny
Highlighted news items of the week (No categories):
Not patched: Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096), Data theft vulnerability in Android 2.3 not plugged, Security vulnerability demonstrated in Safari
Updated/Patched: February 2011 Microsoft Black Tuesday Summary, Service Pack 1 for Windows 7 and Server 2008 is ready, OpenSSH 5.8 fixes information leakage vulnerability, phpMyAdmin updates close security vulnerability, Security updates available for Adobe Reader and Acrobat, Ruby on Rails updates fix security holes, Google releases Chrome 9 security update, OpenOffice Security Fixes, Cisco Security Advisory: Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints, WordPress 3.0.5 (and 3.1 Release Candidate 4), ClamAV 0.97 has been released!, Snort is coming this week!, Oracle Security Alert for CVE-2010-4476, Security update available for Adobe Flash Player, Security update available for Shockwave Player, Security update: Hotfix available for ColdFusion, Cisco Nexus 1000V VEM updates address denial of service in VMware ESX/ESXi, Google releases Chrome 9.0 stable, PostgreSQL security update fixes a buffer overrun, Update fixes DoS vulnerability in DHCPv6 server, Mailing list application Majordomo reveals file content, VLC Media Player 1.1.7 addresses critical vulnerability, Opera 11.01 closes critical hole, CouchDB update fixes cross-site scripting vulnerabilities, Ruby Mail gem can execute arbitrary shell commands, Exim update closes vulnerability, Security update for RealPlayer
The European statistics agency Eurostat, based in Luxembourg, announced on Monday that in the last year nearly one in three internet users in European Union countries has experienced a problem with malware. According to the Eurostat report, 31% of computer users had a malware infection in 2010, which led to a loss of data or time. Any financial losses were not quantified. In compiling the survey, Eurostat used data mostly for the second quarter of 2010 from people in the 27 EU member states in the age range of 16 to 74.
Cost of a Data Breach
This Ponemon Institute annual survey documents the high costs that result when companies lose customer data.
My last post outlined 3 things that virtually guaranteed the swift and untimely demise of any software security assurance program. One of you loyal readers (actually, it was eventually more than just one) then pointed out that simply pointing out what was wrong just wasn't my way of doing things - so I had to write a follow up post that outlined the things that I felt that a solid SSA program needed.
Luckily, I just so happen to have a Top 4 handy. Why top 4, you ask? Because there really are 4 components that make up a successful software security assurance program. More importantly there are 4 things that I have personally witnessed and implemented that have contributed greatly to the success of many programs - and so without further ado here is my list of 4 Components of a Successful Software Security Assurance Program.
Attackers exploited more new vulnerabilities in January than usual, writing exploits for half of 'critical' vulnerabilities
The number of exploited vulnerabilities jumped dramatically last month, with more than 60 percent of new vulnerabilities being exploited, a new report says.
Exploit activity is typically at a rate of 30 to 40 percent, according to Fortinet's newly released January 2011 Threat Landscape report. Close to half of 'critical' vulnerabilities were exploited by attackers, the report found.
In this day and age everyone is worried about the insider threat. Internal Penetration Testing doesn't really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your servers. External Penetration Tests are never scoped for that sort of testing. So what is a company to do? How can they know what the risk is? The answer? Usually they guess or assume. Mostly because they are scared to find out, it's happened to them before, or one of a million different justifications. I've got a webinar coming up to describe exactly this type of testing, but I thought I'd go into it a bit here.
Six months ago, the Zero Day Initiative (ZDI) announced that it would no longer tolerate vendors taking a long time to fix security flaws in their products and would release information on vulnerabilities after a maximum of 180 days. They've now lived up to their promise and released information on 22 long-running security problems.

Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):
When a call starts off with 'I think we've had an incident' or 'something isn't right', actual proof that an event or incident has really occurred is a must. If it's some odd happening on Windows, then it's time to look at the Windows event logs. Windows has three standard event logs: application, system and security. The one most security folks need to keep an eye on is the security event log.
Some questions to ask or ponder about your Windows security logs
Do you review or monitor them?
How big are the log files?
What happens when the log files are full?
Do you know what security audit policies are in place?
Do you have different audit policies for certain systems?
Are all your machines using the same time reference?
Can you recognize the event ID that could mean trouble?
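As an added example (not from the post quoted above), the Python below shows what answering the last two questions looks like in practice. It walks a constructed set of Security-log records, flags the event IDs that should be recognised on sight (1102 audit log cleared, 1104 security log full, 4719 audit policy changed, 4720 account created, 4732 member added to a local group), groups 4625 failed logons into bursts per host and account, and compares each host's logged event time with the collector's receive time to catch machines that are not on the same time reference. The hosts, accounts, record layout and thresholds are assumptions made for the example.

```python
"""Triage constructed Windows Security event-log records.

Added example, not from the original post. The records, hosts and accounts
below are constructed; the event IDs are the Vista/2008-and-later Security
log IDs, and the record format (host|event_time|collector_time|id|account)
is an assumption standing in for whatever a real collector would emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Security-log event IDs that should be recognised on sight.
NOTABLE_EVENT_IDS = {
    1102: "audit log cleared",
    1104: "security log is full",
    4719: "system audit policy changed",
    4720: "user account created",
    4732: "member added to security-enabled local group",
}
FAILED_LOGON_ID = 4625

FAILED_LOGON_THRESHOLD = 5                   # failures per host/account ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)   # ... inside this window
CLOCK_SKEW_TOLERANCE = timedelta(minutes=2)  # event time vs. collector time

# Constructed sample records. DC01's clock is about 48 minutes behind the
# collector; FS01 shows a password-guessing run followed by account creation,
# a group membership change and clearing of the audit log.
SAMPLE_RECORDS = [
    "FS01|2011-02-10T09:00:05|2011-02-10T09:00:06|4624|alice",
    "FS01|2011-02-10T09:01:00|2011-02-10T09:01:01|4625|svc_backup",
    "FS01|2011-02-10T09:01:20|2011-02-10T09:01:21|4625|svc_backup",
    "FS01|2011-02-10T09:01:45|2011-02-10T09:01:46|4625|svc_backup",
    "FS01|2011-02-10T09:02:10|2011-02-10T09:02:11|4625|svc_backup",
    "FS01|2011-02-10T09:02:30|2011-02-10T09:02:31|4625|svc_backup",
    "FS01|2011-02-10T09:03:00|2011-02-10T09:03:01|4720|backdoor",
    "FS01|2011-02-10T09:03:05|2011-02-10T09:03:06|4732|backdoor",
    "FS01|2011-02-10T09:04:00|2011-02-10T09:04:01|1102|backdoor",
    "DC01|2011-02-10T08:12:00|2011-02-10T09:00:30|4624|alice",
    "DC01|2011-02-10T08:15:00|2011-02-10T09:03:30|4625|bob",
]


def parse_record(line):
    """Split one constructed record into typed fields."""
    host, event_time, received_at, event_id, account = line.split("|")
    return {
        "host": host,
        "event_time": datetime.fromisoformat(event_time),
        "received_at": datetime.fromisoformat(received_at),
        "event_id": int(event_id),
        "account": account,
    }


def find_notable(events):
    """Single events that warrant a look regardless of how often they occur."""
    return [(e["host"], e["event_id"], NOTABLE_EVENT_IDS[e["event_id"]])
            for e in events if e["event_id"] in NOTABLE_EVENT_IDS]


def find_failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD,
                             window=FAILED_LOGON_WINDOW):
    """(host, account, count) wherever failed logons cluster inside the window."""
    by_target = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON_ID:
            by_target[(e["host"], e["account"])].append(e["event_time"])
    bursts = []
    for (host, account), times in by_target.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((host, account, end - start + 1))
                break
    return bursts


def find_clock_skew(events, tolerance=CLOCK_SKEW_TOLERANCE):
    """Hosts whose logged event time disagrees with the collector's clock."""
    worst = {}
    for e in events:
        skew = e["event_time"] - e["received_at"]
        if abs(skew) > abs(worst.get(e["host"], timedelta(0))):
            worst[e["host"]] = skew
    return {host: skew for host, skew in worst.items() if abs(skew) > tolerance}


def triage(lines):
    """Run all three checks over raw record lines."""
    events = [parse_record(line) for line in lines]
    return {
        "notable": find_notable(events),
        "failed_logon_bursts": find_failed_logon_bursts(events),
        "clock_skew": find_clock_skew(events),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_RECORDS).items():
        print(section, findings)
```

Run stand-alone it prints the three findings for the sample data. The event-time versus receive-time comparison is only meaningful if the collector itself is synchronised, which is why the "same time reference" question applies to the log server before anything else.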
Today, IANA announced that it had handed out two more /8 IPv4 assignments to APNIC. As a result, IANA is down to 5 /8s, triggering its special policy to hand out one /8 to each regional registrar (RIR). The 5 RIRs are AFRINIC (Africa), APNIC (Asia Pacific), ARIN (North America), LACNIC (Latin America) and RIPE (Europe). [1]
IANA hands IP address space to the RIRs in chunks of /8s, who then pass it on to ISPs, who then pass it on to end users. Some large end users may approach their RIR directly, and some 'legacy assignments' are managed by IANA directly.
But in the end, what does this all mean?
The European Network and Information Security Agency (ENISA) has issued a new guide on good practice, practical information and guidelines for the management of network and information security incidents by CERTs.
Recent reports of increased cyber attacks have made the need for, and use of, the Agency's report on how to fight cyber attacks even more topical.

Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):
Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, are not so obvious. The following list comes from empirical data after seeing the architecture of many enterprise applications and the downstream effects of security.
1. Session Replication
Load balancing is a must have for applications with a large user base. While serving static content in this way is relatively easy, challenges start to arise when your application maintains state information across multiple requests. There are many ways to tackle session replication- here are some of the most common:
Web Browsers and Opt-In Security
The last decade has taught us much about computer and information security. We've learned the importance of Secure-By-Default because people rarely harden their "security" settings as standard practice. We're also painfully aware that security is often a trade-off between functionality and usability, which requires a balance be made. Ideally this balance is decided between what level of security a product claims and the customer's expectations. Operating systems and Web servers have taken a strong supporting stance with regards to Secure-By-Default. Web browsers, well, I think there is much room for improvement.
Modern browsers are incredibly complex beasts, pushed well beyond their intended limits - and in that capacity, broken in more ways than we can imagine. We are only beginning to scratch the surface of all the design problems ahead of us - say, new and unexpected classes of UI vulnerabilities - but even within the bounds of what we understand and know how to fix, some fascinating and very human discourse patterns emerge... and will ultimately shape the future of the web.
The dominant theme of some of the security-relevant debates we are having today is that of aesthetics - an argument most prominently embodied by the controversy around Mozilla's Content Security Policy, an ambitious (and now scaled back) vision for controlling the interactions between all content on the web.
Spot the Vuln - Light
HTTP statuses graph

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):


-Ensure logging is enabled across all application tiers, including web servers, application servers, databases and application-level logging per user. Additionally, logging should be done across the supporting infrastructure, including application firewalls, stateful firewalls and network-based IDS/IPS, as this will help identify not only security incidents but also misconfigured clients or other components.

-There are many requirements at the state, federal and industry level (PCI, etc.) for retaining security logs with accurate timestamps. Consideration should be given to how these logs will be stored and backed up (onsite, offsite or both).

-Consideration should also be given to how these logs will be retrieved in the event of a security breach. Is there log aggregation, log monitoring and event management that can process logs from separate components to identify and isolate intrusion attempts? All devices and components that are logging also need to be identified, to ensure that no part of the application's environment is blind to intrusion attempts.

-Accurate timestamps are also very important, for example in incident response. Depending on the criticality of the application, time synchronisation against a time server or atomic clock via NTP may be necessary.

Source: link
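As an added example that is not part of the OWASP guide or this post, the Python below works through the aggregation and timestamp points above on constructed log lines from a WAF, a web server, an application server and a database. Each tier uses a different timestamp convention, so every line is normalised to UTC before a single timeline is built; one request is then traced across all tiers by its request ID, components in the expected inventory that never log are reported as blind spots, and requests whose per-tier timestamps run backwards along the request path are flagged as a clock-synchronisation problem. The tier names, the req= field and the database host's UTC+1 zone are assumptions.

```python
"""Aggregate constructed multi-tier application logs on one UTC timeline.

Added example, not part of the OWASP guide or the original post. The log
lines, tier names, the req= correlation field and the database host's
UTC+1 time zone are all assumptions made for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Every component that is supposed to log. Anything listed here that never
# appears in the aggregated stream is a blind spot.
EXPECTED_SOURCES = {"ids", "waf", "web", "app", "db"}

# Path a request takes through the tiers; timestamps should not run
# backwards along it if the hosts share a time reference.
TIER_ORDER = ["waf", "web", "app", "db"]

# Assumption: the database host writes naive local time in UTC+1.
DB_LOCAL_TZ = timezone(timedelta(hours=1))

# Constructed sample lines using three timestamp conventions: ISO-8601 UTC
# (waf, app), Apache-style local time with offset (web) and naive local
# time (db). r-1003's app timestamp is earlier than its web timestamp.
SAMPLE_LINES = [
    "waf 2011-02-10T14:02:01Z client=203.0.113.7 rule=sqli action=block req=r-1001",
    "waf 2011-02-10T14:02:02Z client=203.0.113.7 rule=- action=allow req=r-1002",
    'web 10/Feb/2011:15:02:03 +0100 203.0.113.7 req=r-1002 "GET /account?id=1%27%20OR%201%3D1 HTTP/1.1" 200',
    "app 2011-02-10T14:02:03Z req=r-1002 handler=AccountController user=anonymous",
    'db 2011-02-10 15:02:04 req=r-1002 query="SELECT * FROM accounts WHERE id=1 OR 1=1"',
    "app 2011-02-10T14:05:00Z req=r-1003 handler=Login user=bob",
    'web 10/Feb/2011:15:05:30 +0100 198.51.100.9 req=r-1003 "POST /login HTTP/1.1" 302',
]

REQUEST_ID = re.compile(r"\breq=(\S+)")


def parse_line(line):
    """Normalise one line to a dict with an aware UTC "time" plus source, request_id, detail."""
    source, rest = line.split(" ", 1)
    if source == "web":
        day, offset, detail = rest.split(" ", 2)
        stamp = datetime.strptime(f"{day} {offset}", "%d/%b/%Y:%H:%M:%S %z")
    elif source == "db":
        day, clock, detail = rest.split(" ", 2)
        stamp = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=DB_LOCAL_TZ)
    else:
        iso, detail = rest.split(" ", 1)
        stamp = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    match = REQUEST_ID.search(detail)
    return {
        "time": stamp.astimezone(timezone.utc),
        "source": source,
        "request_id": match.group(1) if match else None,
        "detail": detail,
    }


def timeline(lines):
    """All records from all tiers, ordered by UTC time (stable for ties)."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["time"])


def trace_request(lines, request_id):
    """Every tier's record for one request, in the order things happened."""
    return [e for e in timeline(lines) if e["request_id"] == request_id]


def coverage_gaps(lines, expected=EXPECTED_SOURCES):
    """Components that should be logging but produced nothing."""
    seen = {parse_line(line)["source"] for line in lines}
    return sorted(expected - seen)


def ordering_anomalies(lines):
    """Request IDs whose per-tier timestamps run backwards along TIER_ORDER."""
    by_request = {}
    for e in timeline(lines):
        if e["request_id"] and e["source"] in TIER_ORDER:
            by_request.setdefault(e["request_id"], {})[e["source"]] = e["time"]
    anomalies = []
    for request_id, times in by_request.items():
        path = [times[tier] for tier in TIER_ORDER if tier in times]
        if any(later < earlier for earlier, later in zip(path, path[1:])):
            anomalies.append(request_id)
    return sorted(anomalies)


if __name__ == "__main__":
    for e in trace_request(SAMPLE_LINES, "r-1002"):
        print(e["time"].isoformat(), e["source"], e["detail"])
    print("blind spots:", coverage_gaps(SAMPLE_LINES))
    print("clock problems:", ordering_anomalies(SAMPLE_LINES))
```

Without the per-tier conversion to UTC the database record for r-1002 would sort an hour after the rest of the request and the injected query would look unrelated to the request the WAF allowed through; the ordering check catches the same class of problem when a host's clock has drifted rather than its log format being misread.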

Have a great weekend.