Security Weekly News 13 May 2011 – Summary

Feedback and/or contributions to make this better are appreciated and welcome 

For those interested, there was also a technical article posted over the weekend: SSH Service: How to set it up in Backtrack without getting pwned

Remember, sometimes the funny section has some food for thought 🙂


Highlighted quotes of the week:
‘”You have won the lottery. Open attached PDF file. Is safe and free from virus” – I don’t think so – *delete”‘ – Brian Honan
“PCI DSS: proving compliance != security since 2008” – Steve Lord
“Just had an email about information collection and DPA type stuff, she CC’ed 780 people on the mail – #DPAFail” – Robin Wood
“How can you avoid being hacked by APT when you can’t even avoid being hacked by accident (mass malware)” – Dan Guido at Source Boston
“relying on statistics and well wishes won’t protect you when wolves come to your door. There is a concept of too late, and you should know it” – Pinvoke
“when I crack someone’s password and it is a mobile number I’m tempted to call it and say ‘Hi, this is your password calling’” – Robin Wood
“Probably best time ever to become a CISO at Sony. Never will have more attention and top level buy in for security than right now” – David Rook
“I really wonder how many of these internal auditors could really hack an SAP or ERP system…” – Josh Abraham
‘The main driver to go to the “cloud” is not technical but a business decision!’ – #ISACA
‘CFO’s see only the cost reductions when moving to the cloud!’ – #ISACA
“while true; do wget -o /dev/null -O - http://tinyurl.com/ybecxez|sha1sum|grep -q 9d0621; test "$?" = "1" && echo "BT5 live"; sleep 5; done” – Xavier Mertens
“Never assume that a tutorial is too basic for you, there are always gems of info to be found even in basic stuff” – Robin Wood
‘”WebGL – A New Dimension for Browser Exploitation” http://bit.ly/mxuJo6 < HTML5 haxoring continues to improve like we knew it would’ – Jeremiah Grossman
“… HTTPOnly flag for preventing JS to access cookies, can be circumvented by using HTML5 attacks…” – #SCS
“So CSP is useless against xss protection if a site uses google analytics :(” – Gareth Heyes
“Hashing passwords in your database is like ASLR: Neat tech, stops some attackers, but if someone’s in that deep it’s just too late” – Dan Kaminsky
“There are two hard problems in computer science: cache invalidation, naming things, and off-by-one errors.” – David Ulevitch
“Facebook is getting a tonne of press at the minute while some other VERY popular membership sites don’t use https & send passwords in clear” – The Suggmeister
“Gov (and defense contractors) pay 50-100k for exploitable flaws. Google and Mozilla bounties are just beer money.” – Christopher Soghoian

The full security news for this week is divided into categories, with a category index at the top. The categories this week include: Hacking Incidents / Cybercrime, Unpatched vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network security, Database Security, Cloud Security, Mobile Security, Privacy / Human rights, General, Funny

Highlighted news items of the week (No categories):

Not patched: Disable WebGL now, researchers warn, Silently Pwning Protected-Mode IE9 and Innocent Windows Applications

Updated/Patched: May 2011 Microsoft Black Tuesday Overview, Security update available for Adobe Flash Player, Apache HTTP Server update fixes remote DoS issue – Update, Confusion over Skype for Mac security issue – Update, Exim 4.76 RC1 uploaded, HP/Palm webOS, Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized File System Write Access, Patch for BIND 9.8.0 DoS Vulnerability, weblabyrinth, IIS7 Header Block Released, Exchange Log Analyzer, logstash, Presenting… the Microsoft Safety Scanner

 
The study found significant disparities between how internally developed code is tested, when compared to code developed by third parties. First, only 44 percent of companies conduct automated code testing during development for third party code. However, 69 percent use automated code testing for internally developed software.
Second, only 35 percent of companies conduct risk, security or vulnerabilities assessments for third party code, compared to 70 percent of companies deploying these methods on their internally developed software.
‘Software security and integrity is probably the most challenging problem to solve in security today,’ says Pete Lindstrom, research director at Spire Security. ‘But the reality is that the tools used to analyze software code have a high signal to noise ratio and are not easy to use.’
 
Roger Grimes presents a useful tool for figuring out how susceptible your network might be to a password-cracking attack
Don’t be lulled into a false sense of security, though: A complex, six- to eight-character password may have been sufficient 10 years ago, but it’s certainly not today. Most of the Linux/Unix systems I’ve reviewed do not enable their account lockout policy. In the Windows world, the true administrator account cannot be locked out, and some software programs don’t log against the account lockout policy. Many companies are disabling the account lockout policy to prevent automated worms, such as Conficker, from locking out all the user accounts and causing an indirect DoS event.
 
Irish organisations are making progress in their approach to information security and the professionalism of people working in this area has also improved, the head of the Irish chapter of the ISSA has said.
Speaking to Siliconrepublic.com at the start of the group’s annual conference in Dublin yesterday, Owen O’Connor said: “We’re raising the bar year by year in terms of skill levels and people’s maturity levels.”
 
Emerging standards, industry initiatives could enable enterprises to collaborate on security
In the world of cybercrime, bad guys work together. They share information; they build attacks together.
Contrast this to most companies, in which event monitoring is often a set of disjointed data streams that someone in the local security department is responsible for reviewing. There is no coordination of monitoring activities between departments, platforms, or applications, let alone cross companies and countries — the way the criminals operate.
 
May 12, 2011
Microsoft released the Security Intelligence Report Volume 10, which highlights a polarization in cybercriminal behavior and a significant increase in the use of “marketing-like” approaches and deception tactics to steal money from consumers.
 
Breach Notification Guidance  [dataprotection.ie]
The Data Protection Commissioner has approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information. In the public sector, guidance from the Department of Finance on data security also advises departments and agencies to report data breaches immediately to this Office.
Notification of data security breaches to the Office of the Data Protection Commissioner allows us to advise organisations, at an early stage, how best to deal with the aftermath of a disclosure and how to ensure that there is no repetition. It also allows us to reassure members of the public that we are aware of the problem and that the organisation in question is taking the issue seriously.
 
These days anyone could be watching you, monitoring your every move, waiting to pounce and poach passwords to access your personal data.
‘There are new attacks every day, we see something like 90,000 new pieces of malicious codes coming into our labs every day — that’s one every second,’ said Graham Cluely, Senior Technology Consultant at the software security company, Sophos.
‘The main motive to all of this is to make money,’ he added. ‘They want your email passwords so they can begin to commit identity theft and raid your bank accounts.’
 
Wade Baker, director of risk intelligence for Verizon and creator, author and primary analyst for Verizon’s DBIR series, presented the analysis, findings and recommendations of the 2011 version of Verizon’s DBIR….
It (DBIR) means: “Data Breaches Investigations Report”. To resume very briefly, this document explains how sensitive data is stolen, by who and how. Today, most organizations want to have answers on the following questions: “Are we secure?” and “How to prove that we are secure?” (both must be answered with a limited resources and available date).
 
Cybersecurity still struggles between making a system usable and making it safe, according to Professor Fred Piper of Royal Holloway University of London’s Information Security Group.
Professor Piper has spent more than three decades in information security; his background is originally in cryptography and he has consulted widely on security projects. He gave the keynote address at the annual conference of the Information Systems Security Association’s Irish chapter, which started yesterday in Dublin and is running today.
 
Few topics in the infosec world create as much heat as the classic ‘vulnerability assessment vs. penetration test’ debate, and it’s no different in the web application security space. Sadly, the discussion isn’t usually around which is better. That would actually be an improvement. Instead the debate is usually semantic in nature, i.e. the flustered participants are usually disagreeing on what the terms actually mean. Step 1: agree on terms.
So, I’ll be ambitious here and will tackle both subcomponents of the debate here: 1) what the terms actually mean, and 2) which is better for organizations to pursue.
 
Your Vertical Is . . .  [blogs.forrester.com]
Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance – what defines you is your data and how you handle it.
 
Technical/Physical Reality  [pinvoke.wordpress.com]
A few days ago I was outside grilling some food with my family. My son, now 2ish, hadn’t ever been outside during this process- so we obviously wanted to keep him safe from the grill. After some verbal cues, I decided to take some chalk and drew a two foot(ish) circle around the area I was grilling.
Why? Physical reality

Cloud Security highlights of the week

 
Risk expert warns industry has no model for calculating risk
While companies like Microsoft were touting the growth and benefits of cloud computing at the recent Cloud Connect conference here in Silicon Valley, one speaker gave what he called his “wet blanket” presentation warning of a big hole in the cloud business model.
The cloud computing industry lacks a method for calculating the risk of a cloud computing accident and a mechanism for sharing that risk, said Drew Bartkiewicz, CEO and founder of CyberFactors, a risk assessment service that rates cloud providers on risk and also helps companies determine the risk of moving their data to the cloud.
 
To some customers of computing storage, processing and online services, the “cloud” seems no different from the traditional information technology services they have used for years. Amazon’s cloud computing outage last week, and the associated downtime and data loss suffered by a number of Internet web sites, highlights how public cloud computing services are different – and how the contracts for those services are different, too. Here are just three ways that typical cloud contracts may not be adequate to protect a customer’s interests in the cloud.

Mobile Security highlights of the week

 
Should the payment information be stored in your SIM card (where carriers have access to it) or in an NFC (Near Field Communications)? This is scary, once your credit card is stored in your phone, mobile attacks will EXPLODE. This will be the new way for attackers to get CC info. Gone will be the days of planting devices in the store. Attackers will now either attack your phone, or attack the carrier or mobile provider to get credit cards
 
Android: SSH Tunnel is free, open source, and provides one-click SSH tunneling for the entire system or individual apps. The app’s official purpose is to allow users in China to bypass what’s been called ‘the Great Firewall,’ but it can be used by anyone who’d like to ensure private browsing.

Secure Network Administration highlights of the week

 
Hacking the WPA Airwaves  [pauldotcom.com]
It is interesting how many people believe that their wireless is secure because they are using WPA. Well we did a test recently and were able to basically password guess our way with a dictionary attack using either a straight dictionary or a rainbow table. The cool thing is I bought an ALFA usb antenna and could sit down at the corner coffee place and still see my wireless access point.
 
Abstract: Disk encryption has become an important security measure for a multitude of clients, including governments, corporations, activists, security-conscious professionals, and privacy-conscious individuals. Unfortunately, recent research has discovered an effective side channel attack against any disk mounted by a running machine. This attack, known as the cold boot attack, is effective against any mounted volume using state-of-the-art disk encryption, is relatively simple to perform for an attacker with even rudimentary technical knowledge and training, and is applicable to exactly the scenario against which disk encryption is primarily supposed to defend: an adversary with physical access
 
A while ago one of our researchers read about a Chinese trojan being spammed out using a unicode trick that would actually reverse some characters in the filename, thus making the file appear to not have executable extension.
We have now received some such trojans, and have investigated this issue in more detail.
The files appear in email attachments like the one below:
 
I don’t use exploits much anymore. Business process problems, logic flaws, configuration errors, social engineering and phishing, trust relationships, and really customized and complex chained vulnerabilities which have little to nothing to do with memory corruption is what I do. A lot of organizations have firewalls and patching down pretty well so traditional exploits are much less lucrative. HD and crew have added some of these things to MSF, but often these attacks are so complex and one off that they are not very ‘frameworkable’
 
Targeted/semi-targeted attacks have been utilizing exploits against Microsoft’s ‘RTF Stack Buffer Overflow Vulnerability’ (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we’ve seen which exploit CVE-2010-3333 have used topical subject lines.
And this week is no different. So of course, there’s an Osama bin Laden RTF exploit circulating in the wild which uses the subject: ‘FW: Courier who led U.S. to Osama bin Laden’s hideout identified’.
 
 
Sony’s PlayStation Network was breached between April 17 and April 19 and was taken offline by Sony on April 20. At the time of this writing, the service is still not available and it might not be available until the end of May. Much speculation has ensued on what has actually happened and the information released by Sony does not always match up with what is published elsewhere in print or on the Internet. What is clear is that more than 70 million user records have been stolen.
 
One of my favorite tools in my toolbox is the Vulnerability Scanner Nessus, in part because of its accuracy and because I’m part of one of the teams that works adding new cool stuff to it during the day. So I was super happy to see it included as part of Backtrack. Ever since I started working professionally in security Nessus has been part of my toolkit, once nessuscmd was out it became more integral into my workflow because I could automate stuff for my customers
 
New and Improved gloodin!  [pauldotcom.com]
 
SSH Tunnelling Example  [blog.infosanity.co.uk]
Towards the end of last year I spent a few hours trialling SSH tunnels, I knew how the process worked but hadn’t had much cause to use it in anger; so my lab got some use instead, and a post was written covering the basics; SSH port forwarding 101.
Since I now know how to quickly and successfully implement a tunnel, it turns out that I previously had plenty of cause to use tunnels in the past, I just didn’t know SSH tunnels were the right tool for the job. A couple of recent conversations have made me realise others don’t always know the flexibility of tunnels either so I wanted to try and describe a common scenario to highlight the usefulness of tunnels.

Secure Development highlights of the week

 
WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape, especially when it could have a significant impact on our clients. We found that:
1. A number of serious security issues have been identified with the specification and implementations of WebGL.
 
Breaking CAPTCHA can be a job ..  [www.freelancer.co.nz]
 
Here is a wonderful post from Lanmaster53. You need to make this site one of your favorites.
Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs.
 
OpenID Attribute Exchange flaw  [www.net-security.org]
The OpenID Foundation has issued an alert for all sites using OpenID that don’t confirm that the information passed through Attribute Exchange – the service extension for exchanging identity information between endpoints – was signed.
Apparently, when the information is not signed, an attacker is able to modify it.
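The check the alert calls for, as an added example that is not code from the OpenID Foundation or any OpenID library: it confirms that every Attribute Exchange field in a response is listed in openid.signed before any attribute is used. It assumes the response signature itself has already been verified by the relying party's OpenID library, handles single-valued attributes only, and uses constructed sample responses.

```python
# Added example: reject Attribute Exchange data not covered by openid.signed.
AX_NS = "http://openid.net/srv/ax/1.0"  # AX 1.0 namespace URI


def ax_aliases(params):
    """Return the namespace aliases the response binds to Attribute Exchange."""
    return {k[len("openid.ns."):] for k, v in params.items()
            if k.startswith("openid.ns.") and v == AX_NS}


def unsigned_ax_fields(params):
    """List AX-related keys that are missing from the openid.signed list."""
    # openid.signed holds comma-separated field names without the "openid." prefix.
    signed = {f.strip() for f in params.get("openid.signed", "").split(",") if f.strip()}
    missing = []
    for alias in ax_aliases(params):
        if "ns." + alias not in signed:
            missing.append("openid.ns." + alias)
        prefix = "openid." + alias + "."
        for key in params:
            if key.startswith(prefix) and key[len("openid."):] not in signed:
                missing.append(key)
    return sorted(missing)


def trusted_ax_values(params):
    """Return {type_uri: value} only when every AX field is signed, else {}."""
    if unsigned_ax_fields(params):
        return {}
    attrs = {}
    for alias in ax_aliases(params):
        type_prefix = "openid." + alias + ".type."
        for key, type_uri in params.items():
            if key.startswith(type_prefix):
                name = key[len(type_prefix):]
                value = params.get("openid." + alias + ".value." + name)
                if value is not None:
                    attrs[type_uri] = value
    return attrs


# Constructed sample responses (not captured traffic).
SIGNED_OK = {
    "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.org",
    "openid.signed": "mode,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
}
# Same response, but the e-mail value is not covered by the signature.
VALUE_UNSIGNED = dict(SIGNED_OK,
                      **{"openid.signed": "mode,ns.ext1,ext1.mode,ext1.type.email"})

if __name__ == "__main__":
    for label, resp in (("signed", SIGNED_OK), ("unsigned value", VALUE_UNSIGNED)):
        print(label, unsigned_ax_fields(resp), trusted_ax_values(resp))
```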
 
A couple of days ago Graham Cluley wrote about a new Twitter scam claiming to tell you how many hours you have spent on the network.
About 5 hours ago the TimeChecker2.6 application was still spreading on Twitter but at tmate.plhighlights.cu.cc the oauth_token key was missing from the redirect. This probably means that Twitter ended up suspending the rogue application
 
Well, that did not take long at all. The Chrome version of Angry Birds has only been live for a few hours and it’s already been hacked to give players access to all of the levels. Web developer Wes Bos saw the potential to make a slight change to the web cache and had a working hack in a short time
 
Microsoft said something really NEAT  [fuzzyaliens.com]
The guys and girls over at Microsoft’s Security Development Lifecycle team have been thinking about combining security and user experience engineering into their process. While this is undoubtedly a snarky thing to say, I’m going to say it:
Welcome, Microsoft, to the Fuzzy Aliens way of thinking! You’re now addressing security the way I’ve been doing since 2007!
 
Internet Explorer has an Advanced option named Do not save encrypted pages to disk. By default, this option is unchecked (except for Windows Server systems) and I recommend you leave it that way.
In IE9, this option does exactly what it says it does-resources received from HTTPS URLs are not placed in the Temporary Internet Files Cache and temporary files are not created for these resources. This option is universal for HTTPS responses; their headers (e.g. Pragma, Cache-Control) are not consulted.
While that might sound appealing to some readers, it’s important to realize that this will break any scenario where a file is needed.
 
Remember how it was possible to upload files with arbitrary names & contents cross domain? The method had one, but crucial limitation – it did not include any credentials. In other words, the POST message would be sent to server without any cookies / HTTP auth, so it would most likely be discarded by the attacked application. You could upload a file (precisely, that’s a CSRF File Upload), but, in most cases, the receiving application would drop it. Until now 🙂
 
People occasionally ask why LLVM-compiled code sometimes generates SIGTRAP signals when the optimizer is turned on. After digging in, they find that Clang generated a ‘ud2’ instruction (assuming X86 code) – the same as is generated by __builtin_trap(). There are several issues at work here, all centering around undefined behavior in C code and how LLVM handles it.
This blog post (the first in a series of three) tries to explain some of these issues so that you can better understand the tradeoffs and complexities involved, and perhaps learn a few more of the dark sides of C. It turns out that C is not a ‘high level assembler’ like many experienced C programmers (particularly folks with a low-level focus) like to think, and that C++ and Objective-C have directly inherited plenty of issues from it.
 
Google engineers are planning to move the entire Chrome browser to Native Client (NaCl), a new and more powerful sandboxing technology that is currently being developed by the company.
Google Chrome is already being revered as the most secure browser due to the sandbox that separates its rendering processes from the rest of the operating system.
In current form, the browser’s components that handle Web code parsing access Windows APIs through a tightly controlled brokering process.
 
Spot the Vuln – Notes  [software-security.sans.org]
 
 

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

 

OWASP-0300 Session Management (continued)

Architectural Goals

Things Not To Do

Applications should NOT use as variables any user personal information (user name, password, home address, etc.).
Highly protected applications should not implement mechanisms that make automated requests to prevent session timeouts.
Highly protected applications should not implement “remember me” functionality.
Highly protected applications should not use URL rewriting to maintain state when cookies are turned off on the client.
Applications should NOT use session identifiers for encrypted HTTPS transport that have once been used over HTTP.
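A response-level audit for three of the items above (URL rewriting, session identifiers exposed to plain HTTP, and persistent "remember me" session cookies), as an added example that is not part of the OWASP guide. The session cookie names, finding codes and sample responses are assumptions constructed for illustration.

```python
# Added example: flag session-handling practices from the list in HTTP responses.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Assumed session identifier names; extend for the framework in use.
SESSION_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}


def _url_session_params(url):
    """Yield session identifier names carried in path parameters or the query."""
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        # Path parameters look like /cart;jsessionid=ABC (URL rewriting).
        for param in segment.split(";")[1:]:
            name = param.split("=", 1)[0].lower()
            if name in SESSION_NAMES:
                yield name
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_NAMES:
            yield name.lower()


def audit_response(url, headers):
    """Audit one response; headers is a list of (name, value) pairs.

    Returns a sorted list of finding codes.
    """
    findings = set()
    scheme = urlsplit(url).scheme.lower()

    # URL rewriting: identifier in the request URL or in a redirect target.
    targets = [url] + [v for n, v in headers if n.lower() == "location"]
    if any(list(_url_session_params(t)) for t in targets):
        findings.add("session-id-in-url")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            if key.lower() not in SESSION_NAMES:
                continue
            if scheme == "http":
                # The identifier has now been used over HTTP.
                findings.add("session-id-issued-over-http")
            elif not morsel["secure"]:
                # Without Secure the browser also sends it over HTTP.
                findings.add("session-cookie-without-secure")
            if morsel["max-age"] or morsel["expires"]:
                # A session cookie that outlives the browser session.
                findings.add("persistent-session-cookie")
    return sorted(findings)


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "url_rewriting": ("https://shop.example/cart;jsessionid=0A1B2C?item=4", []),
    "redirect": ("https://shop.example/login", [("Location", "/home?PHPSESSID=abc")]),
    "plain_http": ("http://shop.example/login",
                   [("Set-Cookie", "PHPSESSID=r4nd0m; Path=/; HttpOnly")]),
    "remember_me": ("https://shop.example/login",
                    [("Set-Cookie", "sessionid=r4nd0m; Max-Age=2592000; Path=/; HttpOnly")]),
    "clean": ("https://shop.example/login",
              [("Set-Cookie", "sessionid=r4nd0m; Path=/; Secure; HttpOnly")]),
}

if __name__ == "__main__":
    for label, (url, headers) in SAMPLES.items():
        print(label, audit_response(url, headers))
```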

Use Only the Framework’s Session Manager

The ability to restrict and maintain user actions within unique sessions is critical to web security. Most users of this guide will be using an application framework with built in session management capabilities. Others will use languages such as Perl CGI that do not. Those without a built in session management system and those who override the existing session management systems are at an immediate disadvantage. Implementations built from scratch are often weak and breakable. Developers are strongly discouraged from implementing their own Session Management. Leading web frameworks have undergone rounds of testing and fixing that leave them using secure methods of token generation. There is no value in re-writing such basic building blocks.

In spite of the maturity of many of these frameworks, research continues into making them more secure. Therefore, application developers and web masters must maintain the latest versions and patches to application frameworks to ensure that the newest and most secure version is in use.


Have a great weekend.