Friday, 18 March 2011

Security Weekly News 18 March 2011 - Summary

Thanks to Tadek for contributing to this weekly security news bulletin
Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"The media (and general community) responses on the nuke meltdown highlight human inability to contextualize risk." - Rich Mogull
"Getting a lot of enquiries lately to help orgs go for ISO 27001 Certification. Nice to see companies taking information security seriously" - Brian Honan
"you cannot fight intelligent attackers with auditors." - Alex Hutton
"Does anyone else find it funny that OWASP.org is vulnerable to user name harvesting?" - Kevin Johnson
"The headline you won't be reading: "Millions saved in Japan by good engineering and government building codes"" - Dave Ewing
"Well #pwn2own does not proof anything because lots of hackers don't have the money/time to go to cansecwest anyway" - Steffan Esser
"Opera 11's HTML5 engine is a bliss: <!doctype html><svg><script>a/div>lert(1</div>) // check the auto-transforming!" - Mario Heiderich

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Mobile Security, Privacy, General, Funny
Highlighted news items of the week (No categories):
Not patched: Users of Internet Explorer (IE), Firefox, Safari and Opera won't receive a Flash update from Adobe until next week; MHTML vulnerability under active exploitation (users browsing with Internet Explorer are affected)
Updated/Patched: PHP 5.3.6 Released!; Google first to patch Flash bug with Chrome update; Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat; What's new in iTunes 10.2.1; PR10-08 Various XSS and information disclosure flaws within Adobe ColdFusion administration console; Pidgin 2.7.11 closes DoS bug; [SECURITY] [DSA 2190-1] wordpress security update
 
WhiteHat Security's 11th Website Security Statistics Report presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management. This represents the largest, most complete and unique dataset of its kind. WhiteHat Security makes this report available specifically for organizations that aim to start or significantly improve their website security programs and prevent breaches and data loss.
Top 3 Key Findings (Full list available in the report)
- Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9-12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
- During 2010, the average website had 230 serious* vulnerabilities.
- In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.
 
Cost per breached record hits $214; average breach costs $7.2 million
Everything's more expensive these days -- and experiencing a major corporate data breach is no exception.
The Ponemon Institute and Symantec earlier this week released the findings of the '2010 Annual Study: U.S. Cost of a Data Breach,' which reveals data breaches grew more costly for the fifth year in a row.
The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009, according to the researchers.
'Every year I predict that the costs will go down, and every year, I'm wrong,' quipped Larry Ponemon, founder of the Ponemon Institute. 'We did see some leveling off last year, but the overall costs are still on the rise.'
 
How not to handle a data breach  [www.infoworld.com]
Press the panic button as soon as you find evidence customer data has been compromised, and you'll pay the price
A brand-new Ponemon Institute study [PDF] sponsored by Symantec finds that data breach victims often move too quickly, wasting lots of money and losing customers unnecessarily.
According to Ponemon's 'Annual Study: U.S. Costs of a Data Breach,' companies that respond to data breaches by immediately notifying their users end up spending 54 percent more per record than companies that move more slowly. Forty-three percent of surveyed companies notified customers within one month of discovering the breach, but these companies ended up with per record costs of $268, up 22 percent from 2009. Companies that took longer than a month spent only $174 per record, down 11 percent from 2009.
 
SpiderLabs just released our WASC Web Hacking Incident Database (WHID) Semiannual Report for 2010 (July - December). You can download the full report here (registration required). In this report, we analyze the WHID events from the 2nd half of the year and provide information such as top:
...
Report Summary Findings
An analysis of 75 Web hacking incidents from the second half of 2010 conducted by Trustwave's SpiderLabs team shows the following trends and findings:
* A steep rise in attacks aimed at causing downtime - currently the new no. 1 outcome (up 21% from previous reporting period). This is mainly a result of ideological hacking efforts utilizing distributed denial of service (DDoS) attacks as part of the Anonymous Group versus Anti-Piracy and WikiLeaks events.
* Corresponding to downtime outcomes, denial of service attacks made the largest jump for Attack Methods to no. 1 (up 22% from the previous reporting period).
* Organizations have not properly implemented or tested anti-automation defenses for their Web application architecture to ensure application availability during denial of service (DoS) attacks.
 
Manchester-based arts centre The Lowry is looking to procure a tokenisation system to ensure it becomes fully PCI-DSS compliant.
The process of becoming compliant with the security standard will have taken four years in total and should be completed by the end of this year.
The tokenisation system will provide The Lowry with a number that relates to a customer's credit card details but the details themselves will not be stored on the centre's premises. Instead, they will be stored by an external token-providing company such as Yes Pay.
The centre has to make this final move because it is reliant on a web developer, Scottish company Web Advertising, for its web ticketing system and Web Advertising's platform is not PCI-compliant.
 
Wow, this email is from a friend of mine who works for Apple in Japan... It makes me happy that Apple went the extra mile here; check out his story below:
 
Sentinel SecurityCheck offers organizations 30 days of continuous assessment to identify all website vulnerabilities and mitigate leading risk for data breaches; Participating companies gain access to WhiteHat Security's verified vulnerability results and personalized guidance on website risk management
SANTA CLARA, Calif. - March 15, 2011 - WhiteHat Security, the leading provider of website risk management solutions, today announced Sentinel SecurityCheck, a new, complimentary and risk-free program designed to help companies discover the benefits of continuous verified vulnerability assessments, identify their website vulnerabilities and understand their website security posture. The 30 day website security evaluation leverages the WhiteHat Sentinel Software-as-a-Service website vulnerability management platform to offer the world's most advanced technology and security expertise available. Organizations will benefit from the accurate and verified vulnerability information that highlights real-world and real-time risks to their websites.


Mobile Security highlights of the week
 
WhisperCore is a secure Android platform dedicated to providing the security and management features necessary for transforming a consumer phone into an enterprise-class device.
Full disk encryption for your phone.
WhisperCore provides device-level encryption for your phone, protecting all of your data when it counts most.
By default, WhisperCore encrypts your entire data partition at the device level, and can optionally be enabled for your phone's SD card as well.
 
 
It is a tethered jailbreak so it requires a Windows PC every time you wish to reboot your device
Apple released the iOS 4.3 update for the recent iOS devices on March 10 and within a week, we have a jailbreak for the update. The new version of sn0wbreeze 2.3 beta 1 tool created by iH8sn0w, an iOS platform jailbreak developer, will let users jailbreak their iPhone 4, iPhone 3GS, iPod touch 4th gen and iPad. All these iOS devices can be jailbroken only on the Windows platform and that leaves out Mac users. What is interesting is that the jailbreak developer has promised to bring multi-touch gestures to these iOS devices.
 
We have been actively following and analyzing the spate of Android malware in the Android Market place. The most recent outbreak to light up the blog-o-sphere has been the Droid Dream outbreak. Google's response to this was to launch a search and destroy mission. They created and pushed a tool to all handsets that were infected with Droid Dream. The Android Market Security Tool (AMST) was pushed to devices that were known to have downloaded and installed infected applications. This tool disinfects the compromised handsets by eradicating all remnants of the Droid Dream trojan. However, what we found quite interesting, is that shortly after the release of AMST, a trojaned version of the AMST appeared and is making the rounds on the internet! (Yo dawg...)
 
Security FAIL
Apple is leaving some of its older mobile devices unprotected with its latest patch batch.
An iOS 4.3 update, which includes a number of critical security fixes, is incompatible with the still widely used iPhone 3G and older versions of the iPod Touch. The latest version of Apple's mobile software can only be applied on the iPhone 3GS and later models; the iPod Touch 3rd generation and later models; as well as all versions of the iPad.
 
 
In response to last week's disclosure of an (integer overflow) hole in the BlackBerry browser, Research In Motion (RIM) has recommended that users disable JavaScript. While this doesn't close the hole, it reportedly prevents potential exploits from injecting and executing arbitrary code. However, RIM said that the measure may also hamper the display and interactivity of certain web pages. Alternatively, the company suggests disabling the browser completely. The admins of corporate smartphones can reportedly do so remotely by appropriately configuring the 'IT policy rules'.


Secure Network Administration highlights of the week
 
Windows Vista, 7 and Server 2008 include a feature called integrity levels, which is arguably the most under-appreciated security mechanism built into the operating system. Yet it provides powerful ways of mitigating the risks of computer attacks and malware infections. For instance, integrity levels can shield processes from keyloggers; they can also protect files from being accessed by malware running on an infected system.
Another potent benefit of integrity levels is the ability to limit the capabilities of an exploit that manages to compromise an application. This is what I'd like to discuss in the note below.
 
IPv6 videos  [www.youtube.com]
 
Brief Description
The Internet Explorer Administration Kit (IEAK) 9 simplifies the creation, deployment and management of customized Internet Explorer 9 packages. IEAK 9 can be used to configure the out-of-box Internet Explorer 9 experience or to manage user settings after Internet Explorer 9 deployment.
 
BRAIN  [campaigns.f-secure.com]
Searching for the first PC virus in Pakistan
 
With 2.4M downloads and counting (http://wordpress.org/download/counter/), WordPress definitively deserves its script. When it comes to security, a CMS is less vulnerable itself than its (numerous) third-party plugins, and WordPress has more than 13,000. This script tries to list those probably installed on a given blog by brute forcing the wp-content directory. The dictionary it uses has the 13,405 existing plugins to date, sorted by popularity. Although Nmap does its best to parallelize the queries, it could take an hour to test them all, so by default the script will just test the 100 most popular ones. Of course, an option is provided so that the user can tweak this from any number to all.
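From the defender's side, a plugin-dictionary scan like the one described above leaves a recognisable trace in the web server log: one client requesting many distinct /wp-content/plugins/<name>/ directories and receiving mostly 404s. The following Node.js snippet is an added example (not code from the original post or from the Nmap project) that parses combined-format access log lines and flags such clients; the log lines are constructed and the threshold is illustrative.

```javascript
// Added example: detect WordPress plugin-directory enumeration in access logs.
// Assumes Apache/nginx "combined" log format; threshold values are illustrative.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;
const PLUGIN_RE = /^\/wp-content\/plugins\/([^\/?#]+)/;

// Parse one combined-format line into its fields; returns null for a non-matching line.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Summarise, per client IP, which plugin directories were requested and which of
// them answered 404 (i.e. the plugin is not installed).
function summarisePluginRequests(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;                 // skip malformed lines
    const pm = PLUGIN_RE.exec(rec.path);
    if (!pm) continue;                  // not a plugin path
    let s = perIp.get(rec.ip);
    if (!s) { s = { probed: new Set(), notFound: new Set() }; perIp.set(rec.ip, s); }
    s.probed.add(pm[1]);
    if (rec.status === 404) s.notFound.add(pm[1]);
  }
  return perIp;
}

// Return [{ip, probed, notFound}] for clients whose number of distinct missing
// plugin directories reaches minNotFound. Ordinary page loads fetch assets of
// installed plugins (200s), so a burst of distinct 404 plugin directories is the signal.
function findPluginEnumerators(lines, minNotFound = 5) {
  const hits = [];
  for (const [ip, s] of summarisePluginRequests(lines)) {
    if (s.notFound.size >= minNotFound) {
      hits.push({ ip, probed: s.probed.size, notFound: s.notFound.size });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic): one scanner, one ordinary visitor.
const SAMPLE_LOG = [
  '203.0.113.7 - - [18/Mar/2011:10:00:01 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Mar/2011:10:00:01 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Mar/2011:10:00:02 +0000] "GET /wp-content/plugins/contact-form-7/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Mar/2011:10:00:02 +0000] "GET /wp-content/plugins/all-in-one-seo-pack/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Mar/2011:10:00:02 +0000] "GET /wp-content/plugins/google-sitemap-generator/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Mar/2011:10:00:03 +0000] "GET /wp-content/plugins/nextgen-gallery/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [18/Mar/2011:10:00:03 +0000] "GET /wp-content/plugins/wordpress-seo/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [18/Mar/2011:10:01:10 +0000] "GET /2011/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [18/Mar/2011:10:01:10 +0000] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [18/Mar/2011:10:01:11 +0000] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 1933 "-" "Mozilla/5.0"',
  'this line is deliberately malformed',
];

console.log(findPluginEnumerators(SAMPLE_LOG));
```

Running it prints the single scanner entry for 203.0.113.7 (7 plugin directories probed, 6 of them missing), while the visitor loading Akismet assets is not reported.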
 
DDOS protection strategies  [rakkhi.blogspot.com]
Distributed Denial of Service (DDOS) has drawn attention lately with incidents ranging from Anonymous taking down the Visa and Mastercard sites as retribution for cutting donations to Wikileaks, to Wordpress being attacked by the Chinese. A talk at the DC4420 meetup in London described DDOS as the modern political protest, comparable to a crowd protesting on Oxford street. The protest means that some people cannot go shopping, and there is media attention drawn to the cause; Paypal goes down for a few hours, the techblogs, Twitter and eventually old media play a similar role. In addition, the few million the site loses to downtime means that they may think twice about bowing to pressure so quickly from a US senator. Regardless of motives, if you operate a major website today, especially one where every minute of downtime has an impact to the bottom line, DDOS protection is something you have to think about.
 
Vulnerable by Design  [g0tmi1k.blogspot.com]
Pentest lab. 'Hacker' training. Deliberately insecure applications challenge thingys.
Call it what you will, but what happens when you want to try out your new set of skills? Do you want to compare results from a tool when it's used in different environments? What if you want to explore a system (that is legal to do so!) that you have no knowledge about (because you didn't set it up!)...
If any of that sounds helpful, below is a small collection of different environments, so if you want to go from 'boot to root', 'capture the flag' or just to dig around as much as you want to try out the odd thing here and there. These will allow you to do so and without getting in trouble for doing it!
 
As BackTrack 5 development rolls on full steam ahead, we've been getting numerous questions about the future release. We thought we'd publish a blog post with general information about BT5 for the impatient. The codename of this release will be "revolution", for a bunch of reasons.
BackTrack 5 will be based on Ubuntu Lucid (10.04 LTS), and will (finally) support both 32 bit and 64 bit architectures. We will be officially supporting KDE 4, Gnome and Fluxbox while providing users streamlined ISO downloads of each Desktop Environment (DE). Tool integration from our repositories will be seamless with all our supported DE's, including the specific DE menu structure.
 
VNC passwords and Metasploit and DES  [carnal0wnage.attackresearch.com]
inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>
 
If you've been paying any attention to the open source security software space, you've probably noticed that one of our favorite tools, nmap, ships with a pretty serious scripting engine. NSE allows users to run scripted interactions on discovered services, and lately, the repository of those scripts has exploded. As of the 5.50 release of nmap, there are 177 scripts and 54 supporting libraries, covering all sorts of protocols you're likely to run into during a pen-test engagement.
 
Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete associated credentials (e.g. LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also to obtain NT/LM hashes from memory (credentials not stored locally, including domain credentials from interactive logons, services, remote desktop connections, etc.) which can be used in further attacks. Supports Windows XP, 2003, Vista, 7 and 2008.


Secure Development highlights of the week
 
Spot the Vuln - Curiosity  [software-security.sans.org]
 
From About.com (a New York Times Company website):
Privacy and security while browsing the Web is important to all of us, as evidenced by the fervent voting in this category. The five finalists featured an impressive selection of tools intended to make everyday life on the Web safer.
After more than three weeks of non-stop action, the readers have made their decision. The reigning champion in the 2011 Best Privacy/Security Add-On category, for the second year in a row, is NoScript!
 
Summary: These 11 proven practices for efficient, lightweight peer code review are based on a study at Cisco Systems using SmartBear CodeCollaborator. They can help you ensure that your reviews both improve your code and make the most of your developers' time.
Our team at SmartBear Software® has spent years researching existing code review studies and collecting 'lessons learned' from more than 6000 programmers at more than 100 companies. Clearly, people find bugs when they review code, but the reviews often take too long to be practical. We used the information gleaned through years of experience to create the concept of lightweight code review. By using lightweight code review techniques, developers can review code in one-fifth the time needed for full, formal code reviews. We also developed a theory for best practices to employ for optimal review efficiency and value. This article outlines those practices.
1. Review fewer than 200-400 lines of code at a time.
2. Aim for an inspection rate of fewer than 300-500 LOC per hour.
3. Take enough time for a proper, slow review, but not more than 60-90 minutes.
4. Be sure that authors annotate source code before the review begins.
5. Establish quantifiable goals for code review and capture metrics so you can improve your processes.
6. Use checklists, because they substantially improve results for both authors and reviewers.
7. Verify that the defects are actually fixed.
8. Foster a good code review culture in which finding defects is viewed positively.
9. Beware of the Big Brother effect.
10. Review at least part of the code, even if you can't do all of it, to benefit from The Ego Effect.
11. Adopt lightweight, tool-assisted code reviews.
 
IronBee versus ModSecurity  [blog.ivanristic.com]
After spending a couple of weeks talking about IronBee to anyone willing to listen, I have assembled a list of commonly asked questions. Not unexpectedly, the question that tops the list is about the difference between ModSecurity and IronBee.
With IronBee we had the luxury of starting a brand-new project with a wealth of experience and a clear idea of what we want to achieve long-term. (This is completely the opposite of where I was when I started ModSecurity.) Thus, we were able to look at our goals and choose the best path to reach them. Because so much of our lives was spent with ModSecurity, the first thing we did was look at its successes and limitations, with the idea that we should keep what's good and improve what's not as good. Two not-so-good things about ModSecurity stood out: the lack of a community of developers and the fact that ModSecurity runs only in the Apache web server.
 
During a penetration test, RedTeam Pentesting discovered a directory traversal vulnerability leading to arbitrary command execution in the nostromo HTTP server.
 
Clickjacking needs some loving. Contrary to what is commonly thought, it's not only used for Facebook viral scams. As shown by Paul Stone's studies last year, it's no longer just the hide-the-button-and-follow-the-mouse trick. It has even got the more accurate name of UI Redressing (which is right, as attackers are not after your clicks; they profit from playing with the UI of the victim application). In this post we'll play a game to see what advanced UI-Redressing attacks look like and how an attacker may trigger an unexploitable XSS flaw in an application.
 
This is my first post on my blog and also my first post regarding my security vulnerability findings in the Google Reward Program.
In the last 2 months, I participated in the Google reward program and found some high, serious vulnerabilities.
(First, I want to mention that Google has the best professional, brilliant security team. It's amazing how much Google cares about security and does an amazing job securing their sites. Thanks Adam and the Google Security Team for giving me the chance to show my skills :))
 
This vulnerability allows an untrusted applet to gain all privileges. Untrusted applets launch without user interaction (other than visiting a web page containing the <applet> tag, of course).
 
As they say: "If you can't measure it, you can't manage it."
There's a serious push in the industry right now for security metrics. People really want to know what works - because this ain't it. But where can we find hard data?
What about fuzzers - the automated, randomized testers that have been so good at finding bugs through sheer brute force?
 
Burp Suite Tutorial - The Intruder Tool  [www.securityninja.co.uk]
Hi everyone,
I have been spending some time this week reviewing some of the old Security Ninja blog posts now that we are getting close to our second birthday. I wanted to create a list of things I've promised to write about but never got around to doing.
The first item on my list is a tutorial for the Burp Suite. If you Google "Burp Suite Tutorial" my blog post from 2008 saying I was going to write a tutorial is the 7th result returned. The old Security Ninja blog has received over 2,000 visits to that blog post including an additional 30 visits so far in March.
 
Spot the Vuln - Flag - Cross Site Scripting  [software-security.sans.org]
This week's cross-site scripting vulnerability is somewhat unusual in that it exists in client-side JavaScript rather than server-side code. The checkPlain function is used to output-encode data fetched via Ajax/XHR (for instance, when dynamically loading a new article). It seems to do the job; however, the String.replace function in JavaScript only replaces the first instance by default, so any additional instances of the character remain intact.
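To make the defect concrete, here is an added example (not the code from the SANS post) of a checkPlain-style encoder written with string patterns, beside a corrected version that uses global regular expressions, plus a small check that reports whether raw markup characters survive encoding.

```javascript
// Added example: first-occurrence-only String.replace versus a global replace.

// Vulnerable: with a string pattern, String.prototype.replace replaces only the
// first occurrence, so every later '&', '<', '>', '"' or "'" passes through untouched.
function checkPlainVulnerable(text) {
  return String(text)
    .replace('&', '&amp;')
    .replace('<', '&lt;')
    .replace('>', '&gt;')
    .replace('"', '&quot;')
    .replace("'", '&#39;');
}

// Fixed: a regular expression with the g flag replaces every occurrence.
// '&' is handled first so the entities produced by the later steps are not re-encoded.
function checkPlainFixed(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// True when the encoder output still contains something an HTML parser would treat
// as a tag or attribute delimiter, or a bare '&' that is not one of our entities.
function leaksMarkup(encoded) {
  return /[<>"']/.test(encoded) || /&(?!(amp|lt|gt|quot|#39);)/.test(encoded);
}

// Constructed input: the first '<' and '>' are encoded by both versions, but the
// vulnerable one leaves the closing tag and the second element intact.
const SAMPLE = '<b>bold</b> & <i>x</i>';
console.log('vulnerable:', checkPlainVulnerable(SAMPLE), leaksMarkup(checkPlainVulnerable(SAMPLE)));
console.log('fixed:     ', checkPlainFixed(SAMPLE), leaksMarkup(checkPlainFixed(SAMPLE)));
```

Note that the two versions agree on inputs with at most one instance of each special character, which is why such a bug survives casual testing.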


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Authenticating With Multi-Factor Systems

What is two factor authentication, really?

Two factor authentication is using more than one of:
- Something you know (account details or passwords)
- Something you have (tokens or mobile phones)
- Something you are (biometrics)
to log on or process a transaction.
If you can create another factor, such as a special token on a particular computer based upon a set of something you know or a single biometric reading, this is effectively single factor authentication. For example, some banks implement a scheme that requires you to type a username and password and answer a personal question, and if you get those right, your computer will be marked as a physical factor. It's obvious that this scheme is open to many attacks, but the primary weakness is that the system is not truly a two factor solution, as it is based upon a simple set of "something you know" and thus you can make any computer a second factor if you know these details.

Typical two factor solutions involve registering a hardware device such as a token, phone or biometric device on top of the "something you know". In all cases, the two factors should be used together for best results.

Lastly, biometric devices are known to be weak against simple physical attacks and have known false positive and false negative authentication rates, making them less than desirable as a non-repudiation mechanism. Additionally, biometrics are expensive compared to the cost of phone- and token-based two factor authentication schemes. Until the technology significantly improves, becomes price-competitive with cheap phones and tokens, and is relatively universal, biometric devices should not be considered except in highly specialist circumstances.

Source: link

Have a great weekend.