Friday, 1 April 2011

Security Weekly News 1 April 2011 - Summary

I know it is April's 1st but I am Spanish, don't worry! :) (we have the 28th of December for those things)

Thanks to Tadek, John and Brian for contributing to this weekly security news bulletin!

For the technically inclined I also put together the following this week:
- iptables: white-listing TCP connections to reduce self-0wnage potential
- Angry IP vs nmap

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"Without strong detective capabilities built into the information systems, the organization has little hope of being able to effectively respond to information security incidents in a timely fashion" - Eric Conrad
"So the kernel exploit @comex used for iPad2 was the one from 4.0.1 that was wrongly fixed.Not TOO surprising that this was found internally." - Stefan Esser.
"It is actually very promising to just look at fixes for previous bugs. Many of them are wrongly fixed." - Stefan Esser
"Very few security experts took XSS serious until @samykamkar mistakenly showed what was possible w/ the MySpace worm." - Jeremiah Grossman
"Nothing causes more problems than not seeing problems." - Dan Kaminski
""Sorry! We can't display this content while you're viewing Facebook over a secure connection (https)." Nice one Facebook!" - David Rook

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Software Updates, Business Case for Security, Network Security, Web Technologies, Privacy, General, Funny
Highlighted news items of the week (No categories):
Not patched:
Updated/Patched: Cisco Secure Access Control System Unauthorized Password Change Vulnerability, Cisco Security Advisory: Cisco Network Admission Control Guest Server System Software Authentication Bypass Vulnerability, VMSA-2011-0006 VMware vmrun utility local privilege escalation, When buffer overflows in printers become a risk (Xerox WorkCentre), Vulnerability closed in Google Picasa, Chrome 10 update patches security vulnerabilities , Ubuntu 9.10 approaches end of life
 
 
Log management, compliance reporting, real-time monitoring, forensic investigation, and incident response still not coordinated, according to SenSage study
Many enterprises think their security processes are failing to meet their potential due to a lack of coordination, benchmarking, and proactive improvement among the various 'silos' of functionality, according to a new survey published yesterday.
The survey, conducted by SIEM vendor SenSage at the 2011 RSA Conference in San Francisco, polled more than 375 show attendees on the effectiveness of five critical security processes: log management, compliance reporting, real-time monitoring, forensic investigation, and incident response


Secure Network Administration highlights of the week
 
Though I didn't realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation, a legitimate PC component manufacturer (while I appreciate the programmer entrusting the rootkit driver to me, the official way to submit malware to Microsoft is via the Malware Protection Center portal).
 
Most organizations have policies to disallow wireless access points not controlled by the organization which then requires trying to find such devices when they crop up. There are commercial devices that can be deployed to do this and you could always have someone do a walkthrough with a laptop. However, there are some network tricks you can use to provide another 'dirty' detection method.
If rogue APs are plugged into your network, they will decrease the TTL value in all packets by one that traverse through the access point. This can make it easy to detect the presence of those by using p0f/tcpdump/snort to look for packets that have TTL values that are lower than expected. This also works for unauthorized routers, virtual images, bad network stack configurations, etc. It won't detect APs that aren't plugged into your network and has some gaps (for instance, a savvy individual could modify the TTL they use before sending packets out), but again it is a 'dirty' method of detection. The advantage of looking for bad 'TTLs' is that you will also have advance detection of network problems as well.
 
The Changing Wireless Attack Landscape  [www.willhackforsushi.com]
I'm en-route to the SANS Orlando 2011 conference, getting ready to teach SEC617 Ethical Hacking Wireless. I'm really excited about some new material and a changing focus on the SEC617 course.
Over the past couple of years we've seen a definite change in wireless hacking techniques and tools. While we are still seeing attacks against weak deployments of WPA/WPA2 and EAP-based authentication protocols, more and more wireless attacks are targeting 'other' wireless protocols.
 
Years ago, while working as a Network Engineer, I did a bit of sniffing of our wireless access points. I noticed that some access point, mainly Cisco, broadcast the Access Point's name. I also noticed that the same access point will use a slightly different MAC Address (BSSID) for each SSID (ESSID). Typically the last nibble (half byte), or two, changes. I thought that was interesting, and moved on.
 
Changing Passwords  [www.schneier.com]
How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer's or bank's password expiration policy: people who finally memorized their current password and are realizing they'll have to write down their new password. How could that possibly be more secure, they want to know.
The answer depends on what the password is used for.
 
Adobe Flash CVE-2011-0609  [blog.metasploit.com]
Recently, I spent about a week and a half working on the latest 0-day Flash vulnerability. I released a working exploit on March 22nd 2011. The original exploit was just an attempt to get something working out the door for all of our users. The first attempt left a lot to be desired. To understand the crux of this vulnerability and what needed to be done to improve the first attempt at exploiting it I had to dig in deep into ActionScript.


Secure Development highlights of the week
 
Abraham's note: Do you ever use $_SERVER['PHP_SELF']?
 
Content Security Policies are designed to prevent cross-site scripting and other attack types. Firefox 4 is the first browser to support this new concept.
Cross-site scripting (XSS) has become the plague of the internet, and even the banks haven't managed fully to tackle this problem on their web sites. However, XSS attacks on browsers could soon be a thing of the past, at least for Firefox users: the Mozilla Foundation's latest version 4 of Firefox supports the concept of Content Security Policy (CSP). This allows web administrators to tell browsers which domains to accept as trusted sources of JavaScript code by sending the special X-Content-Security-Policy HTTP header.
When CSP is enabled, JavaScript code embedded in HTML documents is no longer executed by default. Whether the code was already included in the original HTML document or injected during an attack will make no difference - the code will simply be ignored by the browser. CSP will consequently also thwart typical XSS attacks that use specially crafted URLs containing embedded JavaScript.
 
(Mostly) good password resets  [www.skullsecurity.org]
This is part 3 to my 2-part series on password reset attacks (Part 1 / Part 2). Overall, I got awesome feedback on the first two parts, but I got the same question over and over: what's the RIGHT way to do this?
So, here's the thing. I like to break stuff, but I generally leave the fixing to somebody else. It's just safer that way, since I'm not really a developer or anything like that. Instead, I'm going to continue the trend of looking at others' implementations by looking at three major opensource projects - WordPress, SMF, and MediaWiki. Then, since all of these rely on PHP's random number implementation to some extent, I'll take a brief look at PHP.
 
Many Web security professionals believe that because Static Analysis Software Testing (SAST) has access to the source code and / or the binary of an application, it can deliver "100% code coverage." Proponents of this assertion also claim that SAST therefore offers a more comprehensive vulnerability analysis than Dynamic Analysis Software Testing (DAST). This belief is a myth.
Arbitrarily declaring that one form of testing is superior to another is like saying that a household thermostat is better at measuring heat than a meat thermometer. Sure, both devices do measure heat, but that's where the similarity ends. Source code access absolutely has its benefits, but just like comparing the functions of a room temperature gauge and a meat temperature thermometer, there are many other important distinctions between SAST and DAST that must be considered.
 
client side filtering
 
Spot the Vuln - Proportion  [software-security.sans.org]
 
creepy  [ilektrojohn.github.com]
A geolocation information aggregator.
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
 
Introducing Gmail Motion  [gmailblog.blogspot.com]
In 1874 the QWERTY keyboard was invented. In 1963, the world was introduced to the mouse. Some 50 years later, we've seen the advent of microprocessors, high resolution webcams, and spatial tracking technology. But all the while we've continued to use outdated technology to interact with devices. Why?
This is a question that we've been thinking about a lot at Google, and we're excited to introduce our first attempts at next generation human computer interaction: Gmail Motion. Gmail Motion allows you to control Gmail - composing and replying to messages - using your body


Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Minimum hash strength

The minimum hash strength SHOULD be SHA-256 for the next few years.

Applications MUST be designed to allow selection of multiple algorithms, as the USA's NIST is currently running an hashing algorithm competition, which will choose a successor to SHA-256, SHA-384, and SHA-512. Your application MUST be able to transition to the new hashing algorithm by no later than one year after the new algorithm's release. This doesn't mean that MD5 will be dead at that point, but your application should cope with the idea that insecure algorithms such as MD5 or SHA-1 can be retired at some point.


Source: link

Have a great weekend.