Friday, 29 April 2011

XSS myths: input validation is not enough!

Do you still believe input validation is enough to fix Cross Site Scripting (XSS)?

Billy Hoffman said it best at ShmooCon 2007 (4 years ago!!!) in his talk "JavaScript Malware for a Grey Goo Tomorrow" (fast forward to the Q & A, minute 51:45):

Person in the audience asks: "You said that AJAX doesn't really change security ..."

Billy Hoffman: "No, it does ... yes"

Person continues: "It doesn't change the fact that the root cause is still input validation since it sucks on everything ..."

Billy Hoffman (roughly exact quote, he talks really fast!): "Certainly, well, I don't want to be .. everyone wants to think ... oh .. web security is nothing new, it's input validation, right? well there has not been anything new in security in the last 30 years, right? it's all input validation, it's all configuration, I mean, I've got a book that's called 'Security and Privacy in computing systems' it is written by this dude in MIT from 1973 and in it he talks about pretty much everything before it became popular, he talks about having a centralised system for vulnerability management reporting, he talks about having to develop tiger teams because it is the only way you are going to find out whether your security is breaking, he talks about input validation back in the day when the computer was so expensive that if a grad student crashed it it was worth more than the grad students' life and that's why you did input validation because you wanted to make sure your program didn't get junked getting crashed, I mean, I don't mean to come down on you but none of this is new, right? it's simply how these things apply to different types of paradigms, right? in the web for example, input validation takes a much bigger role, right? if I open 5000 pipes into word and it crashes ... who cares? right? even if it is a buffer overflow, why would I do that to execute code as myself? that's silly. But if I can do that to a Google document and sheets and I own the server I win, so it is all about how these things apply to different types of situations"

Well, it is now 2011 and, you would be surprised, some people, even in the security industry, still believe that input validation is a valid fix for Cross Site Scripting! This group of people includes but is not limited to:

- Some people that attend security conferences (I did not hear it at BSides London though! :))
- Some people that put together and/or approve questions for top-notch security certifications (who will remain nameless)
- Some people that are employed by the most reputable security companies in the industry (who will remain nameless too)

I mean, if input validation was a valid fix ... why on earth is it not even mentioned in the OWASP Cross Site Scripting Prevention Cheat Sheet? Look at the XSS prevention rules there, it is all about being careful when rendering untrusted data and how to escape it/output encode it depending on where it is rendered on the page:

- 2.7 RULE #6 - Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way (output stripping, not input validation for special cases where you have to allow HTML by design)
- 2.8 RULE #7 - Prevent DOM-based XSS (output encoding, not input validation)


If you tried to fix Cross Site Scripting and "input validation" was all you did, you have a serious problem: at a minimum your application is still potentially vulnerable to Cross Site Scripting of the worst kind, aka Stored Cross Site Scripting.

I will go as far as saying this:

Input validation (or, even worse, fully relying on restricted charsets, which I won't get into) in the context of Cross Site Scripting is the network security equivalent of moving a vulnerable SSH service from port 22 to port 12345. Yes, port 22 is no longer available, but you can still get compromised via port 12345 (granted, it will be a bit harder for automated botnets to spot and you will definitely see far fewer scan attempts there, but it is not a full fledged fix).

Please consider the following scenarios:

You relied on input validation as the only layer of defense against Cross Site Scripting and any of the following happens:

- User input is rendered in an attribute and the customer now wants to allow double quotes in the company name field so they can type in company names like 'Joe "The biker"'
- User input is rendered in a text area and the customer now wants to allow angle brackets and other characters that may allow for cross site scripting
- I did this in a web application pen test some time ago: JavaScript using user input could be uploaded via an XML file. The name was "validated" by the .NET ValidateRequest built-in feature when the field was updated through the normal form, but that feature saw nothing when I uploaded the field with the script tags HTML encoded so that the XML did not break during upload parsing ...
- A third party application that modifies and injects scripts into your database could be interacting with the application you built a few months/years down the line
- A user allowed to access the database (e.g. a malicious DBA, developer or administrator) inserts a hidden script in a field that is going to be rendered to all users on the home page; if this script starts with a bunch of newline characters it could well go undetected for years.
- Another host in the DMZ gets compromised and the clear-text communication between the database and the web server can be intercepted and altered on the fly, inserting JavaScript code via man in the middle (MiTM) (altering SQL query results to contain hidden scripts, for example)
- Etc

If any of the above happened, the only reason your application would render malicious JavaScript is that Cross Site Scripting was never fixed in the first place. Input validation is not enough for this: data can get into the database in so many ways that you must treat it as hostile and output encode it as if it had been submitted directly from a form on your site. You can argue that you have worse problems than Cross Site Scripting if some of those scenarios happen, but the situation really is that you would have those worse problems plus Cross Site Scripting, thanks to your application, which was never coded correctly. Changing business requirements for input validation are not rare either.


In my experience very few companies would take the time to review where the output of a field is rendered, and whether it is correctly output encoded there, if the new business requirement was just a change in the validation rules to allow cross site scripting-friendly characters. And in fact there would be no reason to do this if the field had been correctly output encoded in the first place.


Therefore, if input validation was all you did your application is probably vulnerable and just waiting for a disaster to happen.

Input validation, like moving a service to a non-default port, has its place in the context of cross site scripting only as an additional layer of defense, never as a valid full fledged fix!
You do not have to take my word for it; OWASP explains it on its own site:

How Do I Prevent XSS?

Preventing XSS requires keeping untrusted data separate from active browser content.
1. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them. See the OWASP XSS Prevention Cheat Sheet for more information about data escaping techniques.

2. Positive or “whitelist” input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications must accept special characters. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input.

3. Consider employing Mozilla’s new Content Security Policy that is coming out in Firefox 4 to defend against XSS.
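The per-context output encoding the post and the OWASP rules above call for, as an added example that is not part of the original post: it takes the stored company name through the two entry paths described above (a form value with double quotes, and an XML upload whose HTML-encoded script tags the parser decodes) and shows that a form-level validator misses the second path while encoding at render time handles both. The sample values and the helper names are constructed for this illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"html"
	"net/url"
	"strings"
	"unicode/utf16"
)

// Constructed samples: the value the business now wants to allow, and a value
// arriving through the XML import path that the form validator never sees.
const FormInput = `Joe "The biker"`
const XMLUpload = `<company><name>&lt;script&gt;alert(1)&lt;/script&gt;</name></company>`

// FormValidatorAccepts is the input-validation-only approach from the post:
// the form rejects angle brackets, and nothing is done at render time.
func FormValidatorAccepts(v string) bool {
	return !strings.ContainsAny(v, "<>")
}

// NameFromXMLUpload is the second way into the database: the XML parser
// decodes &lt; back to '<', so the stored value contains raw script tags.
func NameFromXMLUpload(doc string) (string, error) {
	var c struct {
		Name string `xml:"name"`
	}
	if err := xml.Unmarshal([]byte(doc), &c); err != nil {
		return "", err
	}
	return c.Name, nil
}

// RenderValidationOnly trusts the stored value and drops it straight into an
// attribute: a double quote ends the attribute and whatever follows is markup.
func RenderValidationOnly(name string) string {
	return fmt.Sprintf(`<input type="text" name="company" value="%s">`, name)
}

// EscapeJSString encodes for a JavaScript string literal: every rune that is
// not an ASCII letter or digit becomes \xHH or \uHHHH, so quotes, backslashes
// and </script> cannot terminate the literal or the script block.
func EscapeJSString(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r < 128 && (r >= '0' && r <= '9' || r >= 'A' && r <= 'Z' || r >= 'a' && r <= 'z'):
			b.WriteRune(r)
		case r < 256:
			fmt.Fprintf(&b, `\x%02X`, r)
		case r > 0xFFFF: // outside the BMP: emit the UTF-16 surrogate pair
			hi, lo := utf16.EncodeRune(r)
			fmt.Fprintf(&b, `\u%04X\u%04X`, hi, lo)
		default:
			fmt.Fprintf(&b, `\u%04X`, r)
		}
	}
	return b.String()
}

// RenderEncoded encodes the same stored value for the exact context it lands
// in (HTML body, attribute, JavaScript string, URL parameter), regardless of
// how it got into the database. This is the fix; the validator is only a bonus.
func RenderEncoded(name, context string) string {
	switch context {
	case "html":
		return "<p>" + html.EscapeString(name) + "</p>"
	case "attribute": // always quote the attribute, then entity-encode the value
		return `<input type="text" name="company" value="` + html.EscapeString(name) + `">`
	case "javascript":
		return `<script>var company = "` + EscapeJSString(name) + `";</script>`
	case "url": // percent-encode the parameter value only, never the whole URL
		return `<a href="/search?q=` + url.QueryEscape(name) + `">search</a>`
	}
	panic("unknown output context: " + context)
}

func main() {
	name, _ := NameFromXMLUpload(XMLUpload)
	fmt.Println("form validator would accept the XML value:", FormValidatorAccepts(name))
	fmt.Println("validation only:", RenderValidationOnly(FormInput))
	for _, ctx := range []string{"html", "attribute", "javascript", "url"} {
		fmt.Println(ctx+":", RenderEncoded(name, ctx))
	}
}
```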

Friday, 22 April 2011

BSides London and DC4420 experience

Update 01/08/2011: The videos are now up here. Thank you Tomasz!

Update: Thanks to Jamie Duxbury (@w1bble) for hosting most of the pictures linked to from this page. I thought it was Soraya for some reason, sorry :).

As I mentioned earlier: I was really honoured to attend BSides London and DC4420, aka Defcon London both of which were a blast this Wednesday.

BSides London was incredible because of all of the following:
- Great people
- Great talks
- Great ratio of venue size to crowd size
- Great atmosphere
- Free conference! (no cost for attending!)
- Free breakfast (muffins, coffee, milk, redbull, club mate, ..)
- Free lunch (packaged lunch, plus what was listed for breakfast)
- Free bar at the DC 4420 meeting in the afterparty


The first thing that surprised me was how cool the modded Red Bull donated by Security Ninja / Realex was:


NOTE: There are a lot more conference pictures here; I link to some of them in this blog post but there are many more there. Thank you Soraya for making all those available for everybody to see!

The first talk I attended was called "DNS Tunneling: It's all in the name!" by Arron "finux" Finnon, you can see a picture here:
One of the things that I found interesting in this talk was the mention of ssh -o 'ProxyCommand ...

Quick research into the topic reveals cool stuff such as this and this; I plan to play with this in the future.

The next talk I attended was called "Jedi Mind Tricks for Building Application Security Programmes" by David Rook and Chris Wysopal, you can see a picture of them here:
and here:

Of course the slide most people laughed (myself included) the most at was when David Rook showed in an image what Business Executives think when we talk about pwnies (this was in the context of trying to avoid talking a foreign language to management):

The main things I got out of this talk were:
- Selling security to management is hard
- Calculating risk is hard, including extrapolating data from great reports such as Verizon's to the circumstances of each company, etc.
- Quantifying business risk for companies that develop code for other companies to use is perhaps the hardest to calculate of all and was not even included as part of the presentation.
- Calculating risk using simple calculations like probability x impact might be the way to go.

After that I went to "Practical Crypto Attacks Against Web Applications" by Justin Clarke, you can see a picture of him here:

I found this talk very interesting; it was basically divided into 3 sections, commented on by myself below:
- ECB mode weaknesses and practical attacks: you can see that ciphertexts start the same because there is no initialisation vector. He demoed this by entering a username prefixed with the letter X a number of times and seeing the ciphertexts start the same.
- CBC mode weaknesses: each block is encrypted in part by the previous block; this builds a more random-looking chain of ciphertext but propagates errors, which allows ciphertext tampering from the end to the beginning and decryption via padding oracle attacks, which he demoed using padbuster.
- Random number generator weaknesses: this showed how making randomness a function of time alone is not a good idea, and was pretty cool too.

This talk focused heavily on client-side ciphertext tampering (CBC) and analysis (ECB), and he himself said the real solution would be to sign the payload before putting it on the client side so that the signature can be checked before the ciphertext is decrypted or processed (he mentioned in the talk that Microsoft made the mistake of checking the signature after! decryption took place, which enabled the padding oracle vulnerability patched in .NET at the end of 2010).

As he went through the presentation I realised that ECB is just plain wrong (no initialisation vector means the same ciphertext for any given plaintext, and studying the beginning of the ciphertext gives this away pretty quickly). CBC is way better than ECB, but the error propagation is really an issue (padding oracle attacks, and think of disk encryption: do you want your entire hard drive data to be corrupted if something messes up just one block at the start?). For those reasons I thought about counter mode: in counter mode encryption can happen in parallel because there is no block chaining, but there is still an initialisation vector (so the first ciphertext block is random, as in CBC) and the counter ensures each block gets its own separate randomness, which makes counter mode not vulnerable to padding oracle attacks or to the ECB weaknesses.

So at the end I asked something like "I know checking the signature is the proper way to deal with this but given that with ECB you have the same ciphertext for a given plaintext and with CBC you have error propagation, which enables padding oracle attacks, what about counter mode?: you have none of those problems: Are you aware of any practical attacks against counter mode?" his answer was (roughly) "No, but we would have to look at the implementation".

I think the bottom line (and the takeaway of the talk) is just defense in depth:
- If you leave stuff on the client side: use counter mode for encryption + sign it
- Before you process that or even decrypt it upon submission, check the signature!
- Use reliable random generators that are based on as many sources of randomness as possible
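An added illustration of the three points above (it is not the speaker's code or anything from the talk): AES-ECB giving equal first blocks for usernames with the same 16-byte prefix, CBC carrying a one-byte ciphertext change into the next plaintext block without any error being raised, and a CTR-encrypted token signed with HMAC-SHA256 whose tag is checked before any decryption happens. Keys, IV, nonce and messages are fixed, constructed values so the run is reproducible. One caveat the talk's advice implies: CTR without the signature is still malleable, so it is the signature check, not the mode, that actually protects the token.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed, fixed keys so the runs are reproducible; in a real system both
// come from a CSPRNG and never leave the server.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var macKey = []byte("fedcba9876543210fedcba9876543210")

// pkcs7Pad pads to whole AES blocks, as ECB and CBC require.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt has no IV and no chaining, so equal plaintext blocks always give
// equal ciphertext blocks. Included only to make that weakness observable.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	pt := pkcs7Pad(plaintext)
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// FirstBlocksEqual is the check behind the talk's ECB demo: two usernames with
// the same 16-byte prefix produce the same first ciphertext block.
func FirstBlocksEqual(a, b []byte) bool {
	return bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

// CBCFlipPropagates shows the error propagation the talk described: one byte of
// ciphertext block 0 is changed, decryption garbles plaintext block 0 entirely
// and flips exactly that byte position in block 1, and CBC itself cannot tell.
func CBCFlipPropagates(key, iv, plaintext []byte) (garbledFirst, flippedSecond bool) {
	block, _ := aes.NewCipher(key)
	pt := pkcs7Pad(plaintext) // must be at least two blocks long
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	ct[3] ^= 0x01
	dec := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(dec, ct)
	garbledFirst = !bytes.Equal(dec[:aes.BlockSize], pt[:aes.BlockSize])
	flippedSecond = dec[aes.BlockSize+3] == pt[aes.BlockSize+3]^0x01
	return garbledFirst, flippedSecond
}

// Seal encrypts with AES-CTR, then signs nonce||ciphertext with HMAC-SHA256
// (encrypt-then-MAC). Token layout: nonce(16) || ciphertext || tag(32). The
// nonce must never repeat under one key; the tag is what makes tampering fail.
func Seal(nonce, plaintext []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(nonce)
	mac.Write(ct)
	token := append(append([]byte(nil), nonce...), ct...)
	return mac.Sum(token) // Sum appends the tag to token
}

// Open verifies the tag in constant time BEFORE the ciphertext is touched, the
// ordering the talk recommended. A bad tag returns an error and no plaintext,
// so neither padding nor content can act as an oracle.
func Open(token []byte) ([]byte, error) {
	if len(token) < aes.BlockSize+sha256.Size {
		return nil, errors.New("token too short")
	}
	tagStart := len(token) - sha256.Size
	nonce, ct, tag := token[:aes.BlockSize], token[aes.BlockSize:tagStart], token[tagStart:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(nonce)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("signature check failed; not decrypting")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	nonce := bytes.Repeat([]byte{7}, aes.BlockSize) // fixed only for the demo
	tok := Seal(nonce, []byte("session=alice;expires=2011-04-22"))
	tok[aes.BlockSize] ^= 0x01 // one tampered ciphertext byte
	_, err := Open(tok)
	fmt.Println("tampered token:", err)
}
```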

After that, I went to attend "All your logs are belong to you!" by Xavier Mertens, although I arrived late (The talk started 30 minutes before Justin Clarke's talk finished) this was an awesome talk, you can see a quick photo here:

The main things I got out of this talk were:
- OSSEC is a pretty cool HIDS
- Loggly is a pretty cool cloud-based solution to store alerts (not full logs)
- Sguil is the next level for incident response event correlation.

In the lunch break Thomas Preissler and I were lucky to have David Rook almost to ourselves, and we engaged in a very interesting conversation regarding Realex, online credit card payment security, compulsory compliance boundaries (PA-DSS surfaced as a potentially relevant candidate under some scenarios), data breaches and web application security in general. This was a privilege and I can only thank David for being that approachable; I must say other speakers were very approachable too later on.
During this break I even got a picture with David, thanks Thomas!

After the lunch break was "Breaking, Entering and Pentesting" by Steve Lord; this talk was truly outstanding, entertaining and funny all at the same time! Here are some pictures from Soraya:

After that I watched "Breaking out of restricted RDP" by Wicked Clown:

Wicked Clown side picture:

The talk was based on the fact that you can invoke commands to be run right after you log in (with valid credentials) over RDP by using rdesktop -s "%systemroot%\..\binary.exe". The cool thing here is that you can do this even when command line access and a bunch of other things have been disabled! He mentioned he contacted Microsoft about it and they are (so far) not fixing it. The only fix for this seems to be to disable command execution after login.
He even showed how to escalate privileges up to SYSTEM from a restricted account that only had access to Notepad and Calculator! Very awesome.

The steps were roughly these:
1 - rdesktop -s "%systemroot%\...\iexplore.exe" host_ip
2 - Login to host + when iexplore opens, download meterpreter payload from host you control + save into the windows temp folder (even limited users can write there)
3 - run payload via rdesktop -s "%systemroot%\..\meterpreter.exe"
4 - After the metasploit reverse handler gets the meterpreter connection, run meterpreter getadmin script, even after calling this shell cannot be obtained but the next step is possible
5 - Migrate to winlogon.exe process (after this full sysadmin privileges are gained)
6 - shell, hashdump and other privileged meterpreter commands work now!

He had the demo pre-recorded and explained everything as the demo was playing which I found pretty cool and self-explanatory, this was an awesome talk.

After that I went to "Agnitio: its static analysis, but not as we know it!" by David Rook again. This was a very interesting talk and Agnitio can be downloaded from SourceForge here. David talked about a number of Agnitio improvements in the works, so watch this space if you are into code reviews!

Then I went to "Your money, your media - a DRMtastic Android reverse (re)engineering tutorial" by Manuel Leithner. This was pretty cool too; he made Android reverse engineering accessible for a newbie like me, and I could follow the talk despite having no Android reversing experience, that's how awesome the talk was.

After that I watched "Security YMCA" by Chris John Riley, The Suggmeister, Arron "finux" Finnon and Frank Breedijk:


There is even a video on YouTube here, and Thomas even took the time to write up the lyrics (as well as his own BSides London conference review) in his blog here.
Unfortunately I missed Brian Honan's talk ("Layer 8 Security - Security The Nut Between The Keyboard & Screen") due to a speaker failing in the other track and all the talks in that track being moved. However, this picture from Soraya is perhaps one of the best slides he had:

At the end of BSides London the man of the day was Thomas Preissler, who participated in and won ALL the contests! This had the difficulty not only of getting the challenge right but also of being the name picked from the bunch, all of which he achieved! Here are some pictures of his success (you can see the conference organiser's shock as he repeatedly got up to pick up prizes!):

After Thomas's achievement one of the conference organisers said "Dude, you seriously should try the lottery this week!".
Finally it was said "Please complete the feedback form since we will choose another name from those who filled it in", then I said to myself "hey, I forgot to submit that!", so I started to fill the thing in while the guy waiting with the box for the last-minute submissions kept saying "come on, dude! make something up!". I completed the feedback form (honestly, not making anything up) as soon as I could, submitted it and amazingly I got the feedback form prize afterwards!
So I basically got to choose among the books Thomas Preissler left :), some of which I already had, so I went ahead and picked "Metrics and Methods for Security Risk Management" by Carl S. Young. A big plus here for me was that a lock picking set was also given to me courtesy of RandomStorm (one of these; in the picture there are two):

When I picked up the prize I got to meet Robin Wood, which was a true honour for me (I had really enjoyed the shows where he appeared on Hak5, etc.). Later on, I even got a chance to ask him "will Ryanair let me fly with this lock pick set?" and he very kindly said "do not worry, write down your postal address and we will post them to you" (he works for RandomStorm now, who were giving away the lock picking sets).

After BSides London we went to celebrate in the after-party with the DC4420, aka Defcon London people, this happened at The Phoenix, a pub in the centre of London.
Two more talks were held there:
- "My #dc4420 talk is so dark light just falls into it. Good job they’re all whitehats there so it’ll only be used for good." - By Steve Lord
- "cccamd, spartacus, and the largest sat-card sharing ring in the world" by Neil 'mu-b' Kettle.

I found the Steve Lord talk very interesting again, he basically talked about memory analysis and how to evade detection even at that level.
The CCCamd talk was about Sky Card Sharing and how weak the program commonly used for card sharing is, he presented a number of vulnerabilities in this program that he reverse engineered and successfully exploited.
Both talks were very funny but interesting at the same time.


Perhaps the best part of the time at the Phoenix with the Defcon London guys was the opportunity to reach out more to the speakers and the rest of the people: for example, I got to talk to and learn more about people like Tomasz Miklas, Adam Laurie, Xavier Mertens, Frank Breedijk (interesting conversations about Perl, dyslexia and Seccubus!), Justin Clarke (we went a bit deeper into counter mode vs CBC, and then Justin commented on a lot of interesting things like "standard background checks" vs "blackhat community background checks" and plenty of other cool things), Sandro Gauci, Robin Wood, Chris John Riley and other participants, like an interesting mix of Spanish, Irish and Swiss guys I met at the very end :).

Other BSides London Reviews:
- By Xavier Mertens (he attended talks I did not attend so might be interesting/complementary)
- By Thomas Preissler


Interesting side remarks:
- BSides was awesome, but the conversations at the DC4420 party and on the way to that place were truly interesting and the speakers got even more approachable (probably due to more talk time being available), which was great.
- I was amazed at how people drew their Android unlock patterns without covering them at all (security people, even well known speakers, at a security conference) and even how weak those patterns (which I saw even while politely looking away) were.
- It was interesting to see how other security people share similar hobbies; for example, David Rook told me that his best was deadlifting 250kg in competition and Robin Wood told me that he could bench press 115kg (more than 1.5 times his bodyweight). As an amateur powerlifter this makes them brothers in iron to me now :)

Security Weekly News 22 April 2011 - Catchup - Summary

Thanks to Toby for contributing to this security news bulletin!

I was honoured to attend BSides London and DC4420, aka Defcon London both of which were a blast this Wednesday and an obligatory blog post will follow hopefully this evening.

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"86% of breaches were discovered by outside third parties, and not by the victim organization internally" - Verizon Data Breach report
"That is not a Vulnerability, it is internal" - Steve Lord quote from a customer at BSides London
Older quotes:
"AV is like a smoke detector with instructions like 'for best results hold directly over flame'" - Jason Moliver
"Don't try to guess the password just click login there isn't one. Wasted 10 mins on that!" - Robin Wood

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Mobile Security, Privacy, General
Highlighted news items of the week (No categories):
Not patched:
Updated/Patched: April 2011 Microsoft Black Tuesday Summary, Spring cleaning: Oracle's patch day brings 73 security patches, Security updates available for Adobe Reader and Acrobat, Security Update 2011-002 (Snow Leopard), Silverlight Update Available, iTunes 10.2.2 provides a number of important bug fixes, including:, iOS update for iPhone and iPad blocks fake certificates, Skype for Android update closes privacy vulnerability, Chrome update prevents escape from sandbox, VLC Media Player 1.1.9 closes security holes, Qubes Beta 1 has been released!, Armitage 04.10.11 Released, Wireshark 1.4.6 released, Updates: Process Monitor v2.95, TCPView v3.04, Autoruns v10.07
 
Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the 'Verizon 2011 Data Breach Investigations Report.' These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.
The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date.
According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.
 
IT Temptation To Snoop Too Great  [www.darkreading.com]
Separate reports from Cyber-Ark, BeyondTrust show the pitfalls of privileged user access
The users with the organization's highest and most powerful privileges are also the most likely to use their access to snoop around the network for confidential information.
A new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have snooped, and 44 percent of those in Europe, the Middle East, and Africa have done so, too. Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.
 
Eighty percent of critical infrastructure operators say they have experienced a large-scale attack
Eighty percent of organizations that operate smart grid or other critical infrastructure components have experienced a large-scale denial of service (DDoS) attack, and a quarter of them have been victims of extortion through network attacks, according to a study published today.
According to In the Dark: Crucial Industries Confront Cyberattacks, a report issued by McAfee and the Center for Strategic and International Studies (CSIS), many critical infrastructure organizations remain unprepared to stop the next attack.


Mobile Security highlights of the week
 
iPhone Tracker  [petewarden.github.com]
This open-source application maps the information that your iPhone is recording about your movements. It doesn't record anything itself, it only displays files that are already hidden on your computer.
 
BackTrack 5 on a Motorola Xoom  [www.offensive-security.com]
In the past few days we have been toying with some Motorola hardware, and have managed to get a basic build of BackTrack 5 (+ toolchain) on a Motorola Xoom. The possibilities look exciting as we are slowly building several experimental arm packages. Our team does not have much experience with the Android OS nor ARM hardware, but so far - so good. We will not promise an ARM release on May 10th, as this new "experiment" was not planned in any way - but we'll do our best.
 
Today, we are opening up the submissions portal for the Exploitable Mobile App Challenge. The submission period kicks off today (April 12, 2011) and will run through May 20, 2011. We want you to show us your mobile application development and security skills by writing highly hackable, completely insecure applications. Why on Earth would we do this? We want to raise the bar for awareness of mobile risks while having a little bit of fun in the process. As mobile platforms become increasingly complex and increasingly important in society, we are only going to see a greater number of attacks and vulnerabilities hitting the news. This is truly the golden age for mobile application security!


Secure Network Administration highlights of the week
 
Cooking the Cuckoo's Egg  [taosecurity.blogspot.com]
February I spoke at the DoJ Cybersecurity Conference. My abstract for the talk was the following:
In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo's Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo's Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich identified dozens of lessons that are key to the incident response process, whether it's 1990, 2000, 2010, or beyond
 
Though I didn't realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation, a legitimate PC component manufacturer (while I appreciate the programmer entrusting the rootkit driver to me, the official way to submit malware to Microsoft is via the Malware Protection Center portal).
 
IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile attack breeding ground. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, and with that physical access controls can be used to mitigate most Layer 2 risks.
 
Problem
An older Symantec root certificate, SymRoot1, will expire on April 30, 2011. With an expired certificate, older LiveUpdate clients would no longer authenticate, download, or install content such as AntiVirus definitions or product updates.
Solution
To allow customers additional time to plan migrations, Symantec has introduced a workaround that allows LiveUpdate to continue to successfully authenticate valid content from Symantec through July 4, 2012.
 
MSFU Updates - April 2011  [www.offensive-security.com]
This past month has seen more additions to our free Metasploit Unleashed training course, primarily in our on-going effort to build out the Metasploit Module Reference section. Also, with the Metasploit team moving away from meterpreter scripts in favor of post-exploitation modules, we have been updating the relevant sections of MSFU.
 
Microsoft has released its free Microsoft Safety Scanner (MSS). This scans for and removes malware from Windows systems without requiring prior installation. According to AV-Test's Andreas Marx, the on-demand anti-virus scanner appears to be based on the Malicious Software Removal Tool (MSRT), but with the addition of a complete signature database. MSRT used a mini database of widely distributed threats and is distributed monthly via the automatic update function.


Secure Development highlights of the week
 
About a couple of weeks ago we talked about the new Firefox 4 security features. Today is Google's Chrome turn, due to the recently added and short term upcoming security features:
 
A couple of bugs affecting Wordpress core here. On line 73, we see that $_SERVER['REQUEST_URI'] is passed to add_query_arg(). From the provided code sample, it's difficult to see that this results in XSS. The developers addressed this by encoding the return value from add_query_arg().
 
This week's patch is a good one. The code sample was basically a library that only contained functions. While there isn't a blatant vulnerability in the library, there is a startling function called 'PrepDataForScript'. Looking at PrepDataForScript, it's obvious this function is meant to provide some sanitization. Unfortunately, the routine isn't very robust. When you see things like the code snippet below, you know the developer is headed in the wrong direction:
 
Spot the Vuln Charming - SQL Injection  [software-security.sans.org]
This patch was full of interesting tidbits. First, the change log for this patch is as follows:
**1.9.1**
+ fix a flaw allowing a remote cross-site scripting attack
Keep the change list description in mind as we go over the patch submitted by the developers. The submitted patch is pretty simple. There is an additional qualifier set for an if statement that checks to see if $_GET['where$i'] is contained within array $f. It's difficult to determine whether this is true but it doesn't really matter. The second change is an addslashes to $_GET['what$i'] before using the tainted query string parameter to build a dynamic SQL statement. This is to prevent an obvious SQL injection bug in the LIKE operator of the SQL statement.
 
NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++.


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

CAPTCHA

CAPTCHA (Completely Automated Turing Tests To Tell Humans and Computers Apart) are illegal in any jurisdiction that prohibits discrimination against disabled citizens. This is essentially the entire world. Although CAPTCHAs seem useful, they are, in fact, trivial to break using any of the following methods:

- Optical Character Recognition. Most common CAPTCHAs are solvable using specialist CAPTCHA breaking OCR software.
- Break a test, get free access to foo, where foo is a desirable resource
- Pay someone to solve the CAPTCHAs. The current rate at the time of writing is $12 per 500 tests.
Therefore implementing CAPTCHAs in your software is most likely to be illegal in at least a few countries, and worse - completely ineffective.

Secret Questions And Answers

Questions and answers are back door credentials - they equate to the username and password for the user. Often such schemes use "Mother's Maiden Name" or other easily found information. If all systems use the same Q&As, it will be possible to break into many accounts using the same information.

They are unacceptable for the following reasons:

- Collection of information about people without their explicit consent (such as "Mother's maiden name") is illegal in most privacy regimes. Such collection is subject to privacy laws, review and correction by the subject, and so on.
- IT Security Policies and standards such as ISO 27000 prohibit the clear text storage of passwords, but almost all Q&A schemes store both the question and answer in the clear.
- The information in the answers is public for a goodly portion of the users of the Internet, and thus is found using public sources.
Secret Questions and Answers have been publicly abused, most notably by the attack on Sarah Palin's e-mail account, exposing her use of her Yahoo free mail account for government business.


Source: link

Have a great weekend.

Security Weekly News 22 April 2011 - Catchup - Full List

Category Index

Hacking Incidents / Cybercrime
 
[4/22/11 UPDATE: Russian media this morning are reporting that Ivan Kaspersky has been freed after his captors' ransom demands were met. No official word from Kaspersky Lab yet on this latest development.]
The 20-year-old son of Kaspersky Lab founder Eugene Kaspersky reportedly has gone missing in what may be a kidnapping plot, according to published reports in Europe today.
Russian news outlet Lifenews.ru reported that Ivan Kaspersky had been abducted on April 19, and that his kidnappers were demanding $4.09 million in ransom. The kidnappers contacted his father Eugene Kaspersky by phone, the report said, demanding the money.
 
Online statement separates HBGary from HBGary Federal, says some email content was taken out of context
HBGary, the security firm that was attacked by the hacker group Anonymous earlier this year, last week issued a new statement that attempts to clarify some of the reports and comments made about it by Anonymous and the press.
The statement says in part:
'First, HBGary, Inc. and HBGary Federal are two distinct companies with completely different management, employees and missions. As is evident from the released emails, while members of HBGary Inc. served on the Board of Directors for HBGary Federal, the Board was not involved in the day to day activities of the Company but rather only in the overarching financial direction of the business, especially since much of the work of HBGary Federal is classified.
 
(Wordpress) Security Incident  [en.blog.wordpress.com]
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners' code. Beyond that, however, it appears information disclosed was limited.
Based on what we've found, we don't have any specific suggestions for our users beyond reiterating these security fundamentals:
 
WordPress Reports Multiserver Breach  [www.darkreading.com]
'We presume our source code was exposed and copied,' popular blog host says
WordPress, the popular blog-hosting site, is reporting a breach of several of its servers.
Automattic, the company that drives WordPress, as well as Akismet, 'had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,' said WordPress in a blog.
 
The German software company Ashampoo, publisher of CAD, office, utility and security software for Windows, has been the victim of an attack on its servers and, as a consequence, has issued a warning to its customers. The warning explains that the attackers gained access to one of the company's servers, and were able to steal an unspecified number of customer names and associated email addresses. The company insists, however, that no credit card or banking information was compromised.
 
Unencrypted data was placed on an Internet-facing server, state comptroller says
The Texas Comptroller's office Wednesday will begin sending notification letters to some 3.5 million employees and teachers whose personal information was inadvertently disclosed on an agency server that was accessible to the public.
The unencrypted data was placed in public-facing servers in violation of state policy, according to officials.
 
US security firm Barracuda Networks reports that, last Saturday (9 April), criminals hacked into its company website and stole customer and staff data. To prove that they were successful, the intruders have made available parts of the stolen database. Barracuda specialises in server and web application security and claims to be the 'worldwide leader in email and web security appliances'.

Software Updates
 
 
Oracle has released 73 security patches on its April patch day, closing many holes in Solaris, its eponymous database server, the WebLogic application server, Fusion middleware and other products. Among the most critical of the holes closed, scoring 10.0 on the CVSS scoring system, are one in Sun GlassFish Enterprise Server and Sun Java System Application Server and one in Oracle JRockit.
 
Critical vulnerabilities have been identified in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. These vulnerabilities, including CVE-2011-0611, as referenced in Security Advisory APSA11-02, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
 
Security Update 2011-002 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update.
 
Microsoft has issued a security patch for Silverlight KB2526954. It fixes six issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft update running, it is ready to install. This is rated as important and will auto install.
 
- Addresses an issue where iTunes may become unresponsive when syncing an iPad.
- Resolves an issue which may cause syncing photos with iPhone, iPad, or iPod touch to take longer than necessary.
- Fixes a problem where video previews on the iTunes Store may skip while playing.
- Addresses other issues that improve stability and performance.
 
The iOS 4.3.2 software update for the iPhone, iPad and iPod Touch has been released and among its security updates is the addition to a blacklist of the fraudulent SSL certificates which were issued after an attacker compromised the Comodo SSL Certification Authority. At the end of March, browser makers began blocking the fake certificates for the login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org domains.
 
The latest update to Skype for Android addresses a security vulnerability in the app that could have allowed a malicious third-party application to access locally stored files. According to a post on the Skype Security blog by Chief Information Security Officer Adrian Asher, these files include cached profile information and instant messages.
 
Google has published version 10.0.648.205 of Chrome, a security update for the Windows, Mac OS X and Linux versions, as well as Chrome Frame for Internet Explorer. According to Google, the update addresses three vulnerabilities related to support for GPU acceleration. They are all considered critical; Google says they allow an attacker to break out of the sandbox and gain access to the operating system. One of the GPU vulnerabilities, however, only affects the Windows version of Chrome.
 
The VideoLAN project has released version 1.1.9 of its VLC media player, the free open source cross-platform multimedia player for various audio and video formats. According to the developers, the tenth release of the 1.1.x branch of VLC is a maintenance and security update that addresses several issues found in the previous update from the end of March.
 
Qubes Beta 1 has been released!  [theinvisiblethings.blogspot.com]
I'm very proud to announce that we have just released Qubes Beta 1! Some new features that have come into this release include:
- Installer (finally!),
- Improved template sharing mechanism: service VMs can now be based on a common template, and you can now easily create many net- and proxy- VMs; template upgrades now don't require shutting down all the VMs;
- Standalone VMs, convenient for development, as well as for installing the least trusted software,
 
Armitage 04.10.11 Released  [www.liquidmatrix.org]
 
Wireshark 1.4.6 released  [www.wireshark.org]
 

Business Case for Security
 
Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the 'Verizon 2011 Data Breach Investigations Report.' These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.
The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date.
According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.
 
IT Temptation To Snoop Too Great  [www.darkreading.com]
Separate reports from Cyber-Ark, BeyondTrust show the pitfalls of privileged user access
The users with the organization's highest and most powerful privileges are also the most likely to use their access to snoop around the network for confidential information.
A new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have snooped, and 44 percent of those in Europe, the Middle East, and Africa have done so, too. Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.
 
Eighty percent of critical infrastructure operators say they have experienced a large-scale attack
Eighty percent of organizations that operate smart grid or other critical infrastructure components have experienced a large-scale denial of service (DDoS) attack, and a quarter of them have been victims of extortion through network attacks, according to a study published today.
According to In the Dark: Crucial Industries Confront Cyberattacks, a report issued by McAfee and the Center for Strategic and International Studies (CSIS), many critical infrastructure organizations remain unprepared to stop the next attack.

Web Technologies
 
About a couple of weeks ago we talked about the new Firefox 4 security features. Today it is Google Chrome's turn, given the recently added and soon-to-arrive security features:
 
A couple of bugs affecting Wordpress core here. On line 73, we see that $_SERVER['REQUEST_URI'] is passed to add_query_arg(). From the provided code sample, it's difficult to see that this results in XSS. The developers addressed this by encoding the return value from add_query_arg().
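As an added illustration of the bug class in the WordPress item above (this is not the Spot the Vuln code sample, which is not reproduced here): a stand-alone PHP script showing why a URL assembled from $_SERVER['REQUEST_URI'] must be HTML-encoded before it lands in an attribute. add_query_arg() and esc_url() are the real WordPress helpers; the script uses plain-PHP stand-ins so it runs without WordPress, and the request URI is a constructed sample.

```php
<?php
// Added example: a plain-PHP stand-in for WordPress's add_query_arg().
// Like the real helper it returns a raw URL with a parameter appended; it
// performs NO output encoding, so its result is a URL, not safe HTML.
function add_query_arg_like(string $uri, string $key, string $value): string
{
    $qpos  = strpos($uri, '?');
    $path  = $qpos === false ? $uri : substr($uri, 0, $qpos);
    $query = [];
    if ($qpos !== false) {
        parse_str(substr($uri, $qpos + 1), $query);
    }
    $query[$key] = $value;
    return $path . '?' . http_build_query($query);
}

// Constructed sample request URI: the path segment carries a double quote,
// the character that terminates an href="..." attribute, followed by a
// harmless marker tag so the breakout is visible in the output.
$requestUri = '/wp-admin/tools.php"><b>injected</b>?page=demo';

$url = add_query_arg_like($requestUri, 'paged', '2');

// Vulnerable pattern (pre-patch): the raw URL is dropped straight into an
// HTML attribute, so the quote in the path ends the attribute early and
// the rest of the request URI becomes markup.
$vulnerable = '<a href="' . $url . '">Next</a>';

// Hardened pattern (what the patch did by encoding add_query_arg()'s return
// value): encode the URL for the HTML attribute context. WordPress uses
// esc_url(); htmlspecialchars() is the stand-in used here.
$safe = '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Next</a>';

echo "Vulnerable: $vulnerable\n";
echo "Hardened:   $safe\n";
```

In the hardened line the quote appears as &quot; and the angle brackets as &lt;/&gt;, so the browser treats the whole value as the link target rather than as new markup.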
 
This week's patch is a good one. The code sample was basically a library that only contained functions. While there isn't a blatant vulnerability in the library, there is a startling function called 'PrepDataForScript'. Looking at PrepDataForScript, it's obvious this function is meant to provide some sanitization. Unfortunately, the routine isn't very robust. When you see things like the code snippet below, you know the developer is headed in the wrong direction:
 
Spot the Vuln Charming - SQL Injection  [software-security.sans.org]
This patch was full of interesting tidbits. First, the change log for this patch is as follows:
**1.9.1**
+ fix a flaw allowing a remote cross-site scripting attack
Keep the change list description in mind as we go over the patch submitted by the developers. The submitted patch is pretty simple. There is an additional qualifier set for an if statement that checks to see if $_GET['where$i'] is contained within array $f. It's difficult to determine whether this is true but it doesn't really matter. The second change is an addslashes to $_GET['what$i'] before using the tainted query string parameter to build a dynamic SQL statement. This is to prevent an obvious SQL injection bug in the LIKE operator of the SQL statement.
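The two halves of the patch described above, done the robust way, as an added example rather than the project's own code: the column name standing in for $_GET["where$i"] is checked against a whitelist (the role array $f plays in the patch), and the value standing in for $_GET["what$i"] is bound through a prepared statement with its LIKE wildcards escaped. It assumes the pdo_sqlite extension; the table, rows and inputs are constructed samples.

```php
<?php
// Added example: safe construction of a dynamic LIKE query.
// addslashes() on the value, as the patch did, only stops a quote from
// ending the string literal; it does nothing about the LIKE metacharacters
// % and _, and nothing at all for the column name. Hence: whitelist the
// column, bind the value, escape the wildcards.

// Columns the caller may search on (the whitelist; constructed sample).
$allowedColumns = ['name', 'city'];

// Escape LIKE metacharacters so user input matches literally. The backslash
// is declared as the escape character in the SQL below.
function escapeLike(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Run a substring search: column whitelisted, value bound, never concatenated.
function searchLike(PDO $db, array $allowed, string $column, string $value): array
{
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    // Interpolating the column name is safe only because it passed the whitelist.
    $sql  = "SELECT id, name, city FROM people WHERE $column LIKE :pat ESCAPE '\\'";
    $stmt = $db->prepare($sql);
    $stmt->execute([':pat' => '%' . escapeLike($value) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, city TEXT)');
$ins = $db->prepare('INSERT INTO people (name, city) VALUES (?, ?)');
foreach ([["Ann O'Neil", 'Cork'], ['Bob Smith', 'Dublin'], ['Carl_Jones', 'Galway']] as $row) {
    $ins->execute($row);
}

// Constructed inputs standing in for $_GET['where0'] / $_GET['what0'].
$tests = [
    ['name', "O'Neil"],      // the quote is bound, not escaped by hand: 1 row
    ['name', '_Jones'],      // underscore escaped, matches Carl_Jones only: 1 row
    ['name', '%'],           // a bare % no longer matches every row: 0 rows
    ['name OR 1=1', 'x'],    // rejected by the column whitelist
];
foreach ($tests as [$col, $val]) {
    try {
        $rows = searchLike($db, $allowedColumns, $col, $val);
        printf("%-12s %-8s -> %d row(s)\n", $col, $val, count($rows));
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```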
 
NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++.

Network Security
 
Cooking the Cuckoo's Egg  [taosecurity.blogspot.com]
In February I spoke at the DoJ Cybersecurity Conference. My abstract for the talk was the following:
In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo's Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo's Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich identified dozens of lessons that are key to the incident response process, whether it's 1990, 2000, 2010, or beyond.
 
Though I didn't realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation, a legitimate PC component manufacturer (while I appreciate the programmer entrusting the rootkit driver to me, the official way to submit malware to Microsoft is via the Malware Protection Center portal).
 
IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile attack breeding ground. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, and with that, physical access controls can be used to mitigate most Layer 2 risks.
 
Problem
An older Symantec root certificate, SymRoot1, will expire on April 30, 2011. With an expired certificate, older LiveUpdate clients would no longer authenticate, download, or install content such as AntiVirus definitions or product updates.
Solution
To allow customers additional time to plan migrations, Symantec has introduced a workaround that allows LiveUpdate to continue to successfully authenticate valid content from Symantec through July 4, 2012.
 
MSFU Updates - April 2011  [www.offensive-security.com]
This past month has seen more additions to our free Metasploit Unleashed training course, primarily in our on-going effort to build out the Metasploit Module Reference section. Also, with the Metasploit team moving away from meterpreter scripts in favor of post-exploitation modules, we have been updating the relevant sections of MSFU.
 
Microsoft has released its free Microsoft Safety Scanner (MSS). This scans for and removes malware from Windows systems without requiring prior installation. According to AV-Test's Andreas Marx, the on-demand anti-virus scanner appears to be based on the Malicious Software Removal Tool (MSRT), but with the addition of a complete signature database. MSRT used a mini database of widely distributed threats and is distributed monthly via the automatic update function.

Database Security
 
David released four new papers on Oracle security topics a few days ago. Two of the papers seem to be from his ill-fated book on Oracle Forensics as they are labelled 'chapter 3 - How attackers break in' and 'chapter 4 - Preventing break ins' respectively, but one is perhaps too short for a book.
The other two papers are on 'Oracle data blocks' and 'a forensic analysis of PL/SQL injection attacks in Oracle'.

Mobile Security
 
iPhone Tracker  [petewarden.github.com]
This open-source application maps the information that your iPhone is recording about your movements. It doesn't record anything itself, it only displays files that are already hidden on your computer.
 
BackTrack 5 on a Motorola Xoom  [www.offensive-security.com]
In the past few days we have been toying with some Motorola hardware, and have managed to get a basic build of BackTrack 5 (+ toolchain) on a Motorola Xoom. The possibilities look exciting as we are slowly building several experimental arm packages. Our team does not have much experience with the Android OS nor ARM hardware, but so far - so good. We will not promise an ARM release on May 10th, as this new "experiment" was not planned in any way - but we'll do our best.
 
Today, we are opening up the submissions portal for the Exploitable Mobile App Challenge. The submission period kicks off today (April 12, 2011) and will run through May 20, 2011. We want you to show us your mobile application development and security skills by writing highly hackable, completely insecure applications. Why on Earth would we do this? We want to raise the bar for awareness of mobile risks while having a little bit of fun in the process. As mobile platforms become increasingly complex and increasingly important in society, we are only going to see a greater number of attacks and vulnerabilities hitting the news. This is truly the golden age for mobile application security!

Privacy
 
I didn't know about this:
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

General
 
In Japan, lots of people -- especially older people -- keep their life savings in cash in their homes. (The country's banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out to sea. Then, when it washes up onto the beach, the police collect it:
 
Vein scanner, shrunk  [www.h-online.com]
The size of a 500 yen coin: Fujitsu's vein scanner. (Image source: Fujitsu)
A new photographic optical system has allowed Fujitsu to build a palm vein scanner that's only about the size of a coin. According to the company, the palm vein structure is much harder to replicate than finger prints and offers a higher number of reference points to provide secure user authentication.
 
In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge to seize control of a massive criminal botnet comprising millions of private computers, and deliver a command to those computers to disable the malicious software.
The request, filed Tuesday under seal in the U.S. District Court in Connecticut, sought a temporary restraining order to allow the nonprofit Internet Systems Consortium, or ISC, to swap out command-and-control servers that were communicating with machines infected with Coreflood - malicious software used by computer criminals to loot victims' bank accounts.
 
Toshiba's self-encrypting drives are designed to securely delete their data when they are connected to an unknown computer. (Image source: Toshiba)
Toshiba has extended its range of 2.5-inch drives with hardware data encryption - also called Self-Encrypting Drives ('SEDs') - to include models with an automatic deletion feature ('wipe'). Developed to comply with the Trusted Computing Group's (TCG) Opal specification, Toshiba's series MKxx61GSYD drives encrypt all written data via AES-256 without causing performance loss. They can be associated with the hardware of a specific computer via a Trusted Platform Module (TPM). If an unauthorised person attempts to access the drive, the integrated firmware will automatically delete the cryptographic key.

Friday, 8 April 2011

Security Weekly News 8 April 2011 - Summary

Thanks to Shaun for contributing to this security news bulletin!

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"Making connections is always easier when there's alcohol involved" - Adam B. ;)
"Pretty much anyone can be breached at any time" - Jon Oltsik
"Wonder if my Safari exploit still works... ..Hmmm yeah it does I should report that I suppose" - Gareth Heyes

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software updates, Business Case for Security, Web Technologies, Network Security, Cloud Security, Funny
Highlighted news items of the week (No categories):
Not patched: IE9 exploit puts Windows 7 SP1 at risk
Updated/Patched: Dark Black Tuesday Coming Up: 17 Microsoft Bulletins, (Fri, Apr 8th), DHCP client allows shell command injection, WordPress 3.1.1 is now available. This maintenance and security release fixes almost thirty issues in 3.1, including:, Ruby on Rails update addresses security vulnerability, NetBSD and FreeBSD patch hole in IPComp implementation, Novell patches File Reporter vulnerability
How to deal with your RSA tokens from now?

 
I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches - here's a copy of the handout I provided:
 
Earlier today I had the opportunity to read a blog post by Uri Rivner, the Head of the Security Division of EMC. While the investigation into the RSA/EMC compromise is still ongoing, Mr. Rivner presents a very good summary of what they do know.
Some of the facts as written by Mr. Rivner:
The first part of the attack was a spear-phishing attempt aimed at non-high-profile targets. The information on the targets was most likely mined from social networking sites. All it took was one of the targeted employees who was tricked into opening an attached Excel spreadsheet.
 
Three-quarters of energy firms have experienced a breach in the last year; 69 percent expect more to come
Seventy-five percent of energy and utility companies have suffered an IT security breach in the past year, and the situation doesn't seem likely to improve anytime soon, according to a study published today.
According to the 'State of IT Security: Study of Utilities & Energy Companies' report -- which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs -- more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.
 
Unique malware and variants galore, and more than 40 percent more mobile vulnerabilities than a year ago
Last year will likely go down as the year of the targeted attack, with the litany of big-name breaches that began with Google's revelation that it had been hit by attackers out of China and the game-changer Stuxnet. But it was also a record-breaking year for new malware and variants, with 286 million new samples identified by Symantec.
The newly published Symantec Internet Security Threat Report Trends for 2010 counted some 6,253 new bugs -- the most ever in a year -- that were mostly driven by malware attack toolkits. The ease of deployment that comes with these kits resulted in some 286 million new malware variants, according to Symantec.
 
In nearly 80 percent of cases, banks did not detect fraud before funds were transferred
Business banking fraud -- particularly in small and midsize companies -- is still causing major problems for both the businesses and the banks that serve them, according to a study published today.
The '2011 Business Banking Trust Study,' a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year's numbers suggest that the banking fraud situation has not improved since 2010.


Cloud Security highlights of the week
 
The March 30 data breach at the email marketing company Epsilon left millions of customers of such notable companies as Best Buy, Ethan Allen, Walgreens, Target and a host of banks vulnerable to a potential onslaught of spam and phishing attacks. The breach of Epsilon's servers has left some important questions unanswered, and it spotlights some common concerns about the security of cloud-based services.


Secure Network Administration highlights of the week
 
IPV6 ATTACKS  [www.room362.com]
This is probably the most practical and applicable IPv6 talk I've ever seen. Amazing job.
 
This talk will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the Internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the Internet host providing the service, the anonymity set of the person or group that administrates the service can be greatly reduced. The core aim of this paper will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators and developers may make that could expose a service provider's identity or reduce the anonymity set they are part of. We will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.
 
Windows machines compromised by default configuration flaw in IPv6
As anyone who has watched the reimagined Battlestar Galactica will tell you, Sixes are trouble. They are undoubtedly alluring, but all the while they are working covertly, following The Plan, right under the noses of their targets. Nobody realizes the true nature of the threat until it's too late.
The Internet also has its own Six, IPv6 (formerly IPng - IP Next Generation). Modern operating systems ship with it by default, but adoption has been slow for many reasons. Despite the passing of the IPocalypse, it lies largely dormant within today's networks, waiting for the chance to rise up and usurp its IPv4 predecessor.
This article describes a proof of concept of an interesting application of IPv6. I'm going to show you how to impose a parasitic IPv6 overlay network on top of an IPv4-only network so that an attacker can carry out man-in-the-middle (MITM) attacks on IPv4 traffic.
 
As the day progresses more and more Epsilon clients are notifying their customers that their details have been compromised, I got to thinking about what information is readily given to third parties for many different purposes. The outsourcing of certain specialist tasks is nothing new. What I've found in the past though is that information is often handed over without really thinking through any of the consequences should the information be compromised. So here are some of the things I believe you should be doing when handing over client information to third parties. As per usual feel free to add your own experiences and suggestions.
 
You might be used to working with IPv4 on Linux, but like it or not IPv6 is on its way in. Roll up your sleeves, spit on your palms, and get ready to go to work because this is your crash course in actually using IPv6. It hardly hurts at all. Linux has supported it since the 2.1 kernel, so you shouldn't have to install anything. Make sure you have the ping6, ip, and ifconfig commands.
Let's get my favorite nitpick out of the way right now - we do not have IPs, we have IP addresses. IP stands for Internet Protocol. As my wise grandmother used to say, sloppy speech equals sloppy habits, which equals a trip to hell in a handbasket.


Secure Development highlights of the week
 
Add XSSF to Metasploit Framework on Ubuntu  [securitystreetknowledge.com]
What is XSSF or the Cross-site Scripting Framework?
The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an existing connection with JavaScript loop refreshing in order to allow future browser-based attacks. After injection of the generic attack (resource "loop" generated by XSSF), each victim will ask the attack server (every "x" seconds) if new commands are available:
 
Clickjacking Defense  [www.codemagi.com]
Stanford Web Security Research recently published a paper on clickjacking defense: http://seclab.stanford.edu/websec/framebusting/framebust.pdf
The Stanford defense is lacking because Internet Explorer requires the full body to be loaded before the script will execute properly. That means that you need the <style> element at the end of the document HEAD (so that it will override any other stylesheets or inline styles) and the <script> at the end of the BODY. It is too easy to mess up, especially on platforms with multiple templates and includes, and on longer pages it can make the page seem 'broken' since the script to display the body won't fire until the entire body is loaded.
 
Opera parser monster eats unicode  [www.thespanner.co.uk]
Whilst writing my own parser I found weird things in Opera's JavaScript parser. I was testing what the various browsers allowed with unicode escapes and it turns out Opera seems more lax than others. My discovery began with the following code:
try {eval('\\u0066\\u0061\\u006c\\u0073\\u0065');} catch(e) {alert(e);}
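As an added illustration (not code from the original post), this Node.js snippet decodes the escape sequence used in that test and shows why a keyword filter that matches before decoding `\uXXXX` escapes sees nothing, while a parser that is lax about escaped keywords, as Opera's appeared to be, effectively sees `false`. The reserved-word list is constructed for the demonstration.

```javascript
// Added example: normalise JavaScript unicode escapes before keyword matching.
// Not code from the original post; RESERVED is a constructed, partial word list.

// Decode \uXXXX and \xXX escapes the way a JavaScript tokenizer would
// when they appear inside an identifier or string.
function decodeJsEscapes(src) {
  return src.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// A small, constructed list of words an identifier filter might watch for.
const RESERVED = new Set(['false', 'true', 'null', 'eval', 'function', 'alert']);

// Return RESERVED words that only appear once escapes are decoded, i.e.
// tokens a filter that inspects the raw text before decoding would miss.
function hiddenKeywords(src) {
  const identifier = /[A-Za-z_$][\w$]*/g;
  const visible = new Set(src.match(identifier) || []);
  const decoded = decodeJsEscapes(src).match(identifier) || [];
  return decoded.filter(w => RESERVED.has(w) && !visible.has(w));
}

// Probe the running engine: does it treat an escaped keyword as the keyword
// (the lax behaviour observed in Opera) or reject it with a SyntaxError?
function engineAcceptsEscapedKeyword() {
  try {
    eval('\\u0066\\u0061\\u006c\\u0073\\u0065'); // escaped spelling of "false"
    return true;
  } catch (e) {
    return false; // strict engines reject escapes inside keywords
  }
}

// The sequence from the post, exactly as the eval() call above receives it.
const SAMPLE = '\\u0066\\u0061\\u006c\\u0073\\u0065';
```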
 
For the past several days I have been focused on understanding the inner workings of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings. The basis for this finding has actually been briefly discussed in a number of forum posts in Dropbox's official forum (here and here), but it doesn't quite seem that people understand the significance of the way Dropbox is handling authentication. So, I'm taking a brief break in my forensics-artifacts research, to try to shed some light about what appears to be going on from an authentication standpoint and the significant security implications that the present implementation of Dropbox brings to the table.
 
I recently came across a paper titled Faster Blind MySQL Injection Using Bit Shifting by Jelmer de Hen describing a technique that allows the retrieval of data from a MySQL database in only 8 requests per character using bit shifting; this is a slight improvement on the traditional bisection method. This got me thinking about how information could be extracted from the database in even fewer requests, and after a few hours of fooling around, this is what I came up with.
 
Great News for IE9 Users!  [hackademix.net]
The investors who are generously funding it, but want to stay anonymous for now, just authorized me to unveil a few details about the revolutionary project which I've been feverishly working on during the past months. What we're talking about is not merely a next-generation NoScript. No, we're talking about the ultimate security tool, nothing less, code named GoodScript.
GoodScript's key feature is the ability to detect and block malicious JavaScript and other active content before it can harm your web browser, while all the "good" code is automatically allowed to run untouched.
 
Spot the Vuln - Charming  [software-security.sans.org]
 
For most security issues, I give the developer the benefit of the doubt. It's tough to keep track of all the corner cases and security nuances. For this diff however, there is no excuse.
First, let's cover what the patch fixes. On line 18, the developer was taking a tainted value passed via query string parameter and using that value to build HTML markup. This is XSS in its most classic form. Also, on line 58 the same tainted input is used to build the SRC attribute for an image tag, also resulting in XSS. The developer chose to encode both of these tainted values before using them in the HTML output.
Now, let's talk about the problems with this patch.
 
Mozilla has announced that it is going to be more hands-on with add-on performance. According to Mozilla's Justin Scott, Product Manager for Add-Ons, the average add-on increases start-up time by about 10%; the actual impact in seconds depends upon the user's hardware and software. Scott says in his announcement that the company estimates that installing ten add-ons typically doubles Firefox's startup time. With this in mind, Mozilla is planning a range of initiatives to take on the bad performers.
 
Some Black Magic Python for n00bs  [j2labs.tumblr.com]
I had lunch with an old friend yesterday and we were discussing Python. He had a background in Perl and PHP so I knew some of the higher-order aspects of Python wouldn't be clear to him yet. He also had rudimentary knowledge of Python decorators, a tool I use all the time.
In an effort to help, I wrote up some code that demonstrates some of these concepts. I think it will be useful to readers of this blog too.
 
LinkedIn is one of those social networks supposedly created not for flirting. Yes, and surprisingly it works, but the truth is that its success is due to people also using it to flirt. That's why I have LinkedIn too. Such is life.
Yesterday, Naked Security complained that the default option allowing the email addresses of a message's participants to be seen should have the opposite default value. That is, the check box should come unticked so that it does not depend on the user, who might be careless, as they make quite clear happened to their colleague Pablo, who is based in Madrid (Pablo, we're with you!).


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Authentication Anti-Patterns

Do not implement any of these features - they are either dangerous, illegal, ineffective, or all of the above.

Default Accounts

Do not ship your software with any default accounts such as "YourProductName", "sa", "root", "administrator", or any hard coded service accounts. Do not include any screen shots or text in the documentation indicating a preferred username or password for a particular application ID or service.

Remember Me

Implementing remember me functionality can be incredibly hard. Often software will just embed the username and password in headers or cookies, or a hash or crypto blob of the same. Based upon your risk profile, your application:

- High value applications MUST NOT possess remember me functionality.
- Medium value applications SHOULD NOT contain remember me functionality. If present, the user MUST opt-in to remember me. The system SHOULD strongly warn users that remember me is insecure, particularly on public computers.
- Low value applications MAY include an opt-in remember me function. There should be a warning to the user that this option is insecure, particularly on public computers.
ESAPI's reference implementation has basic "remember me" functionality based upon an AES encryption of the username and password, but this is not recommended for medium value systems, and should be used with care on low value systems.

Hard Coded Credentials

Do not include any credentials in your source code, including (but not limited to) usernames, passwords, certificates, token IDs, or phone numbers.

Such constants belong in properly protected properties or configuration files. ESAPI has an encrypted properties mechanism you can use to protect clear text credentials in such files.


Source: link

Have a great weekend.