Security Weekly News 17 June 2011 – Summary

Smile! It’s Friday! 🙂
 
In case you missed it, I put together a blog post last week about my personal experience with the CISSP certification process:
 
Feedback and/or contributions to make this better are appreciated and welcome.
Highlighted quotes of the week:
“A pen test should be a long term, ongoing, subscription, not a once-a-year two-week engagement with a monolithic report at the end.” – Val Smith
“In my view the best way to reduce the risk that external hacking presents, is to not only think like a hacker, but to actually act like a hacker. Until organisations adopt this kind of mindset and approach, instead of following security standards and purchasing out-of-the box security solutions like sheep, I think we are going to see plenty more hacking incidents and data breaches for some time to come yet” – Dave Whitelegg
“Encrypt your data, develop securely, configure correctly, test your defences effectively, use complex passwords, shield your vulnerabilities and build your systems under the assumption that a breach *will* happen.” – Rik Ferguson
“Let’s see what do mobile computing, social networking, and cloud computing all have in common? Oh yes, they all bypass the firewall’s “controls”! How do you reconcile spending on something (firewalls) that does not address any of your top threats?” – Gunnar Peterson
“If you’re reusing the same password on any two sites, change them both now, get a password manager and start using random, strong passwords.” – Martin McKeay
“upload + exec is my favorite type of exploit!” – Josh Abraham
“the EU brainiacs now want to outlaw security testing tools all over europe. I guess in less than 5 y it is time to move to other countries.” – Stefan Esser
“I always wonder how the government wants to create successful cyberwar attack tools when they outlaw them at the same time.” – Stefan Esser
“the #1 exploit we have right now is users copying JavaScript into their browser URL bar” – Tao Stein, Facebook
“Regarding Citibank, I’m just going to keep saying this until it sinks in: L33tness is not required for pwnage.” – Dan Kaminsky
‘Security guard “Can I help you sir?” Me “No thanks I’m going to 4th floor” Security Guard “OK” social engineering for the win :)’ – Brian Honan
“Why would a web app add a hidden field to every form containing its local IP address?” – Robin Wood
“Cost per record lost is a most insanely stupid metric. Can’t predict future losses, and lessens apparent impact of current losses.” – Rich Mogull
“I like that, how many alleged APT compromises are just APR (Advanced PR)?” – Jack Daniel
‘#Fail @Paypal, @paypaluk “Password: Your password must contain between 8 and 20 characters. Please enter a shorter password.”‘ – Robin Wood
 
To view the full security news for this week please click here (divided into categories, with a category index at the top). The categories this week include (click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Forensics / Reverse Engineering, Cryptography, Wireless Security, Mobile Security, Cloud Security, Privacy / Censorship, Security FAIL, Off Topic, Funny
 
Highlighted news items of the week (No categories):

Updated/Patched: Microsoft June 2011 Black Tuesday Overview, Adobe releases 13 patches for Reader and Acrobat vulnerabilities, Adobe Shockwave player multiple vulnerabilities, Chrome Version 12.0.742.91 Released, Oracle Releases Java Version 1.6.0.26, VMware ESX Patches and VI Client Update, Siemens fixes vulnerabilities in automation systems, Mozilla releases SeaMonkey 2.1, RSA replaces SecurID tokens after hack, VLC Media Player 1.1.10 fixes vulnerabilities, Python 2.6.7 security-only fix released, Security Onion 20110607 featuring Sguil 0.8, Squert 0.8.3, and more polish! a new Setup script (adds support for Sguil 0.8 and Squert 0.8.3 and also provides more information once Setup completes), Snort 2.9.1 beta has been released!, Online Hash Generator, nmap http-waf-detect – Script to detect WAF/IDS/IPS solutions, nmap [NSE] New script smb-mbenum, Skipfish 1.94b Released – Active Web Application Security Reconnaissance Tool, The Bro Network Security Monitor, Introducing WPScan – WordPress Security Scanner, Wireshark network monitor updated to 1.6.0

 
 
“Firewalls and Anti virus – are what Infosec teams spend their money on, and they think this will do anything whatsoever to stop attackers. The infosec technical debt clock is at 16 years (5,675 days to be precise) since the last field deployed innovation” – Gunnar Peterson
 
 
Val Smith: The fact that the time to push for security was 10 years (or more) ago and it is too late now. EVERYTHING is compromised. Most major software (including open source) has some form of backdoor. Most (if not all) large and important organizations are at a minimum currently targeted and more likely have already been penetrated for multiple years. This comes from my incident response experience. At this point prevention is out the window, detection has failed and we need to come up with what is possible to do next. In my opinion offense is the only real future left, and it’s a bleak one.
As far as what makes a good penetration test, it’s simple, figure out what real attackers do, and do that. Do attackers run nmap, then nessus/nexpose, then core/canvas/metasploit and simply try to root as large a list of boxes as possible? No, pretty much never.
Attackers send a targeted, well-crafted phishing email, beacon out on port 443, encrypt and exfiltrate data. Sometimes they laterally attack and sometimes they go after admin/domain controllers, but not always. Attackers use 0day. This is what pen testers should be doing…
 
 
Unfrozen Caveman Attacker [1raindrop.typepad.com]
Clarke also asks ‘Since defensive measures such as antivirus software and firewalls appear unable to stop the Chinese penetrations, does the administration have any plan to address these cyberattacks?’
The sad thing of course is that the examples he gave – firewalls and anti virus – are what Infosec teams spend their money on, and they think this will do anything whatsoever to stop attackers.
 
 
At the moment hardly a day goes by without a security breach making the news, even as I write this I am hearing the CIA website has been taken down by a ‘Distributed Denial of Service’ (DDoS) attack by LulzSec. These are unprecedented times, as we are seeing large corporations, government enforcement agencies, banks and even reputable IT security companies being successfully attacked, which goes to validate phrases I regularly use, such as ‘there is no such thing as 100% security’ and nothing can ever be considered as being ‘secure’. My face always etches up with contempt when reading words like “this is a secure website”. So what is going on, why are these breaches occurring now? Are these cyber attacks becoming cleverer and more sophisticated? Are such attacks going to continue? I’ll endeavour to explore and answer these questions in this post.
 
 
More focus is needed on network monitoring, outbound filtering, and whitelisting, security experts say
The recent spate of successful cyber attacks against high-profile organizations has focused fresh attention on the need for enterprises to implement new defenses against targeted threats.
Over the last few months several supposedly secure organizations, including RSA, Lockheed Martin, and the Oak Ridge National Laboratory have been victims of major attacks.
Last week the International Monetary Fund joined the list when it admitted to a similar intrusion.
An anonymous IMF source quoted in a story in The New York Times described the incident as a ‘very major breach’ that likely resulted from so-called spear phishing.
 
 
The recent security breaches on the Fine Gael and DUP websites have once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is “how do I ensure my company is secure?”. Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
 
 
Infrastructure the most important target for cybercriminals
Germany today launched its new cyberdefence facility in Bonn, dedicated to defending the country’s critical infrastructure, including its electricity and water supply. The facility is believed to be the first of its kind in Europe.
 
 
The importance of conducting internal security assessments cannot be overstated, in ensuring your network, data and user environment are secure not only from internal staff threats but from the outside world. Many of today’s attack vectors work outbound from client systems, therefore inbound firewall rules may not stop this. It is also vital to ensure that sensitive information such as HR or payroll data is not accessible to standard users.
Below are the top 5 most common issues I find when conducting internal infrastructure assessments within Windows based domains.
 
 
10 most common iPhone passcodes [www.net-security.org]
Posted on 14 June 2011. The problem of poor passwords is not confined to computer use, and the fact was discovered by an app developer who has added code to capture user passcodes to one of its applications.
 
 
So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts wasn’t bad enough, numerous other security breaches in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com.
As bad guys often like to do, the culprits quickly stood up and put their handiwork on show. This time around it was a group going by the name of LulzSec. Here’s the interesting bit:
Sony stored over 1,000,000 passwords of its customers in plaintext
 
 
Nato is planning to bolster its cyber defence capabilities.
The defence organisation is to assemble a task force to detect and defend against online attacks.
The decision to set up Cyber Red Team coincides with NATO plans to strengthen online defences between its 28 member nations and agree codes of conduct for warfare engagement.
 
 
Cloud Security highlights of the week
 
 
Outlook is Cloudy [bhconsulting.ie]
Cloud computing has become an exciting evolution in how we deliver, access and use services over the Internet. The Cloud offers organisations many benefits and opportunities. However, these opportunities and benefits do not come without a number of security risks that need to be considered.
Ireland is uniquely positioned to handle these issues. In an article with the CSO Online Magazine titled “Ireland hopes security measures attract big cloud providers” I outline a number of these benefits. In my opinion these benefits include the high quality of information security professionals that are based here, our experience in managing and running large datacentres and the cloud security research that is going on in various universities.
 
 
Last week, while teaching the CCSK (cloud security) class, the discussion reached a point I often find myself in these days. We were discussing the risk of cloud computing, and one of the students listed “less control” as a security risk.
To be honest, this weaves itself through not only the Guidance but most risk analyses I have seen. And it’s not limited to cloud discussions. One of the places I hear it most often is in reference to mobile computing – especially iOS devices.
 
 
Cloud thoughts [isc.sans.org]
The cloud means a number of different things to different people. For some it is the new frontier, the way forward. For others it is outsourcing by a different name and even less control over what happens in the cloud. In true security fashion and one of my favourite answers, it depends. The reality however is that it is inevitable, in some aspects of your work you will come into contact with the cloud, or you will be asked to secure it.
 
 
Mobile Security highlights of the week
 
 
Lookout joins other security firms, releasing a browser for smartphones that can blacklist known phishing sites.
With data showing the effectiveness of phishing campaigns against mobile browsers, security firms have aimed to fill that particular security hole: Symantec, McAfee, Trend Micro, F-Secure and Webroot are among the companies that have released secure browser add-ons for Android phones.
Wednesday, mobile security firm Lookout joined the group by adding its own secure browser, Safe Browsing, to its security product, Lookout Mobile Security. The update gives mobile users a browser that prevents drive-by downloads and checks Web sites against a list of phishing sites.
 
 
This presentation was delivered in June 2011 at the Mobile Forensics Conference in Myrtle Beach, SC.
Browse the slide images in the gallery below. A PDF version is available, simply register on the site and then use this link: PDF Download (requires your site login).
 
 
Most of yesterday, Threat Research Analyst Armando Orozco and I took a closer look at a piece of malware discovered by a university security researcher, Xuxian Jiang of North Carolina State. The malicious code, which the malware creator named Plankton, is embedded into a number of apps that were briefly posted to Google’s Android Market earlier this week, then rapidly pulled down after the researchers informed Google of their initial findings.
 
 
Smartphones with open operating systems are getting more popular with the passage of time. Increased exposure of open source smartphones has also increased the security risk. Android is one of the most popular open source operating systems for mobile platforms. Android provides a base set of permissions to protect phone resources, but the security area is still underdeveloped. This survey is about the current work done on the Android operating system. Some of the techniques which can give a positive edge to the security area are analyzed in the present survey paper. These techniques are basically intended to provide better security and to make the Android security mechanism more flexible, as the current security mechanism is too rigid: the user does not have any control over the usage of an application. The user has only two choices: a) allow all permissions and the application will install, or b) deny all permissions and installation will fail.
 
 
Secure Network Administration highlights of the week
 
 
IRM (Incident Response Methodologies) [cert.societegenerale.com]
CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields on which a CERT team can be involved. One IRM exists for each security incident we’re used to dealing with.
CERT Societe Generale would like to thank SANS and Lenny Zeltser who have been a major source of inspiration for some IRMs.
 
 
Offensive IDS [defcon-russia.ru]
Alexey Sintov Slides, Defcon Russia
 
 
By Darren Anstee of Arbor Networks
Why is it a good idea to use flow information?
You don’t need to invest in new equipment to get flow information
It can be used to detect malware infected hosts, DDoS, zero-day exploits, attack and abuse
Network flow information is generated regardless of whether routing is symmetric or asymmetric
Network flow information is like a phone bill: you cannot tell what has been said, but you can use it to prove who talked to whom.
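The “phone bill” view in practice, as an added example that is not part of Darren Anstee’s talk: the Python below groups flow records by (source, destination, port) and flags pairs whose inter-flow gaps are nearly constant, which is how a host beaconing out on 443 (the pattern Val Smith describes earlier on this page) shows up without any payload being captured. The flow records, their field layout and the thresholds are constructed for this example and do not follow any vendor’s export format.

```python
"""Beacon detection over NetFlow-style records.

Added example: flow records alone, with no payload, can surface a host that
beacons to one external address on 443 at a fixed interval. The records below
are constructed for the example; the tuple layout is an assumption, not any
collector's export format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (start_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # workstation A: beacon to 203.0.113.10:443 every ~60 s, tiny payloads
    (0,   "10.0.0.5", "203.0.113.10", 443, 512),
    (60,  "10.0.0.5", "203.0.113.10", 443, 498),
    (121, "10.0.0.5", "203.0.113.10", 443, 505),
    (180, "10.0.0.5", "203.0.113.10", 443, 520),
    (241, "10.0.0.5", "203.0.113.10", 443, 501),
    (300, "10.0.0.5", "203.0.113.10", 443, 515),
    # same workstation, ordinary browsing (irregular timing, larger transfers)
    (15,  "10.0.0.5", "198.51.100.7", 443, 40960),
    (47,  "10.0.0.5", "198.51.100.7", 443, 80211),
    (230, "10.0.0.5", "198.51.100.7", 443, 12000),
    # workstation B: ordinary traffic with irregular gaps
    (5,   "10.0.0.9", "198.51.100.20", 443, 30000),
    (90,  "10.0.0.9", "198.51.100.20", 443, 45000),
    (95,  "10.0.0.9", "198.51.100.20", 443, 2200),
    (400, "10.0.0.9", "198.51.100.20", 443, 90000),
]


def group_by_pair(flows):
    """Bucket (start, bytes) by (src, dst, dport): the 'phone bill' view."""
    pairs = defaultdict(list)
    for start, src, dst, dport, nbytes in flows:
        pairs[(src, dst, dport)].append((start, nbytes))
    return pairs


def beacon_score(starts):
    """Coefficient of variation of the inter-flow gaps; 0 means perfectly periodic.

    Returns None when there are too few gaps to say anything about periodicity.
    """
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(flows, min_flows=4, max_cv=0.1):
    """Return (src, dst, dport, interval_seconds) for pairs whose timing looks machine-driven."""
    hits = []
    for (src, dst, dport), recs in group_by_pair(flows).items():
        if len(recs) < min_flows:
            continue
        starts = sorted(t for t, _ in recs)
        cv = beacon_score(starts)
        if cv is not None and cv <= max_cv:
            interval = mean(b - a for a, b in zip(starts, starts[1:]))
            hits.append((src, dst, dport, round(interval)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, interval in find_beacons(FLOWS):
        print(f"{src} -> {dst}:{dport} every ~{interval}s (possible beacon)")
```

Only the 10.0.0.5 to 203.0.113.10:443 pair is reported: its gaps are 59 to 61 seconds apart, while the browsing traffic is either too sparse or too irregular. On real exports the same grouping works over NetFlow or IPFIX fields, and the thresholds need tuning per environment; the by-pair bucketing is what makes the user-level "who talked to whom" question answerable without any packet capture.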
 
 
 
 
This is a follow-up post for vSploit – Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework about using Metasploit as a way to test network infrastructure countermeasures and coverage. I mentioned obtaining list of suspicious domains to use for testing organization’s networking intelligence. Simply put, let’s create suspicious traffic to see how organizations respond.
 
 
Posted by HD Moore on 14 Jun 2011 9:28:30
The Metasploit team is excited to announce a new incentive for community exploit contributions: Cash! Running until July 20th, our Exploit Bounty program will pay out $5,000 in cash awards (in the form of American Express gift cards) to any community member that submits an accepted exploit module for an item from our Top 5 or Top 25 exploit lists. This is our way of saying thanks to the open source exploit development community and encouraging folks who may not have written Metasploit modules before to give it a try.
 
 
Malware Sandbox Services and Software [sempersecurus.blogspot.com]
Whether you are performing digital forensics, or just have an interest in malware, a sandbox environment is an essential part of your analysis program. Sandboxing services can save time and provide a quick and easy glimpse into a suspicious files behavior. I received an email this morning from Jose’ Nazario of Arbor Networks where he provided a link to a list made by the folks at Buster Sandbox Analyzer of various sandboxing tools and services. I decided to take that list, check out and update each of the links and provide a brief description of the various services. I also added a few other services that I’m aware of.
 
 
Commercial sector breakdown (2010 Mandiant data)
Breakdown of IR investigations performed in 2010 by Mandiant
 
 
Kyle Randolph here, along with the security team for the Adobe Acrobat family of products. This post will discuss the technical details of the new Protected View added in the Acrobat 10.1 release announced today. Even more technical details are available in the Application Security Library. Protected View builds on Adobe Reader Protected Mode discussed previously in a series of technical posts on the ASSET blog. With Protected View, Acrobat users will benefit from the protection provided by a sandbox when they open untrusted PDF files.
 
 
 
 
DEFCON CTF Quals, which took place on July 3-6, were cool! We took part in the competition together with a couple of other teams under the united name ‘IV’.
53 hours of continuous hacking and reversing, tons of interesting and challenging tasks. We were still submitting tasks in the last seconds, and as a result we have passed to the finals, to meet you guys in Vegas
 
 
 
 
Secure Development highlights of the week
 
 
Agile != security [www.rakkhis.com]
I am going to fail. Agile and security just do not mix, especially secure at source. Agile is all about rapid development, everyone in a room with brown paper plastered across the wall, product backlogs building up while developers code feverishly on today’s priorities. Security works well in a structured environment. We influence through control points and project gates. Oh, you are writing requirements? Let me provide you some from security. Design stage? A threat model and design review. Build we will mostly ignore but test is our coup de grâce. The pen test is the height of security skill where your lovely creations will be decimated! But how do I apply this magnificence to agile when I am called a CHICKEN and thrown out of the room?
 
 
Back from the latest OWASP Belgium Chapter meeting… Two speakers were scheduled tonight: Colin Watson presented the OWASP AppSensor project then Andreas Falkenberg talked about modern attacks against web services like Twitter. A last-minute guest joined us: Josh Corman who spoke about “rugged software”.
 
 
In this special Web 2.0 tutorial video, security luminary Robert “Rsnake” Hansen discusses serious Web 2.0 attacks that pose a severe threat to the Web security landscape. This exclusive in-depth presentation looks at an array of attack methods and what can be done to better recognize and secure these threats against your organization
 
 
A security firm raised new concerns today about WebGL–but Microsoft piled on with an opinion that’s likely more damaging to fans’ hopes for a universal 3D Web graphics standard.
‘We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities,’ Microsoft said today in a security blog post flatly titled ‘WebGL Considered Harmful.’ ‘In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.’
The move effectively kills WebGL fans’ hopes, at least for now, that WebGL could become a standard Web programmers could count on finding in modern browsers. And that means one hot area of programming, games development, won’t have an easy, unified way to tackle Web-based software.
 
 
A lot of websites are compromised without their owners noticing for days, weeks, even months that the sites are hosting illegitimate content, attacking visitors through malicious code or are being used as a command-and-control channel for a bot network. Below are my 10 tips for detecting that your website was hacked.
 
 
Mozilla is disabling cross domain textures in Firefox 5’s WebGL implementation after a researcher demonstrated an ability to abuse the capability. A report released in May by Context Information Security on WebGL security included a proof of concept which used cross domain textures as to reconstruct a displayed image without directly accessing the image. The Khronos Group, home to the WebGL standard, responded to the issue saying that it was considering requiring opt-in to Cross Origin Resource Sharing (CORS) or some other mechanism to prevent possible abuse.
 
 
If you are a professional web developer, security is an important aspect of your job. If you are planning to store critical or sensitive data in your web application (passwords, credit cards, etc.), you should use strong cryptography to protect this data.
But what is strong cryptography and why should we use it? Learn more about strong cryptography in PHP in this session.
Presenter: Enrico Zimuel, Senior Consultant & Architect Zend Technologies
 
 
Some years ago everyone went crazy over error-based MySQL injection, and unserialize seemed somewhat complicated and unlikely to occur in real life. Now it is a classic technique. What can we say about dinosaurs such as the null-byte include, which came to replace file name truncation? Researchers are always digging up or inventing something, and in the meantime new versions of the interpreters and engines arrive, and with them new developer bugs.
In fact, there are three methods for finding vulnerabilities: savvy (when a researcher comes up with some trick and checks whether it works in practice), source code analysis and fuzzing. I want to tell you about an interesting Chinese fuzzing technique and how I developed it further.
 
 
According to security lore, relying on the secrecy of usernames to secure accounts is a bad practice. However, the premise of known usernames is not always the case for external attackers. For this reason, from a practical point of view (not the security utopian one) even poor passwords can withstand bruteforce attacks when paired with nonpredictable usernames. This is especially true on remote web logins where brute forcing is easily detected and thwarted by most IPS or CAPTCHAs.
 
 
Anatomy of a SQL Injection Attack [www.barracudalabs.com]
As you probably heard from our previous blog posting, Barracuda Networks suffered a breach from a SQL Injection attack on the weekend of April 8. While the overall impact of the breach turned out to be relatively minor (only contact names, including names and emails), such an event always involves a post-mortem. As is often the case in events such as data breaches or data center outages, there is never one single error that leads to the outage or attack but rather a series of interrelated errors that ultimately results in a failure or vulnerability that can be exploited. Taken individually, each event is usually accounted for by the organization and there are redundancies in place to handle any failure issues. However when taken together, the unexpected – in this case an attack on our site – occurs. In analyzing the attack, we observed:
 
 
Des chiffres et des lettres [fluxius.handgrep.se]
(on breaking CAPTCHA with python)
In this article, I will only focus on the captcha part, which was a little bit harder to break in a short time
 
 
More LFIs [pastebin.com]
Tom Landry® follow @landrytom or visit landrytom.wordpress.com
 
 
OWASP AppSec EU 2011 review [pentest4devs.blogspot.com]
OK, OK, I’ve failed miserably to keep this blog even vaguely up to date.
But I’ve just got back from OWASP AppSec EU 2011, so a quick review is a good way to kick it off again.
I’m relatively new to the security ‘scene’ so it was the first major OWASP event I’ve been to, and I didn’t really know what to expect.
 
 
A Report on AppSec Europe 2011 [www.clerkendweller.com]
I arrived back from Dublin on Friday night following a full programme of training, presentations, meetings and networking at AppSec Europe 2011, held in Dublin, Ireland.
 
 
Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):
 

Ensure Idle, absolute timeouts are as short as practical

 

Sessions must have a limited lifetime and expire after a period of time based on business and usability requirements balanced with security considerations. The application should be able to measure the period of inactivity for a session and expire it, destroying the session and overwriting the session cookie. (See the logout section).
 

Store privileged State only on Trusted Devices

 

 

Destroy Sessions on Logout

 

Applications should invalidate and ideally remove the session identification token after a user logout. Cookies are often associated with the life of a browser window. If a user logs out of your application on a shared workstation such as an Internet kiosk and a subsequent user attempts to access the same application, the second user must not get the same session identifier token as the first. To implement this, the application should over write session cookies and explicitly expire and destroy the session on logout.
 
Destroying sessions on logout using ESAPI reference code:

    public void logout() {
        // Remove the "remember me" token first, then the container session.
        ESAPI.httpUtilities().killCookie( ESAPI.currentRequest(), ESAPI.currentResponse(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME );

        // getSession(false) does not create a session if none exists.
        HttpSession session = ESAPI.currentRequest().getSession(false);
        if (session != null) {
            session.invalidate();
        }
        ESAPI.httpUtilities().killCookie(ESAPI.currentRequest(), ESAPI.currentResponse(), "JSESSIONID");
        loggedIn = false;
        logger.info(Logger.SECURITY, "Logout successful" );
        ESAPI.authenticator().setCurrentUser(User.ANONYMOUS);
    }

The killCookie method properly overwrites the existing cookie, reusing the path and domain of the cookie the browser sent so that the replacement actually matches it:

    public void killCookie(HttpServletRequest request, HttpServletResponse response, String name) {
        String path = "//";
        String domain = "";
        Cookie cookie = ESAPI.httpUtilities().getCookie(request, name);
        if ( cookie != null ) {
            path = cookie.getPath();
            domain = cookie.getDomain();
        }
        // A max-age of 0 tells the browser to discard the cookie immediately.
        SafeResponse safeResponse = new SafeResponse( response );
        safeResponse.addCookie(name, "deleted", 0, domain, path);
    }
 
Source: link
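The two OWASP points above (idle and absolute timeouts, and destroying the session plus overwriting the cookie on logout) as one added example that is not ESAPI code and not from the Development Guide: a small server-side session table in Python. The timeout values, the cookie name `SESSIONID` and the Set-Cookie attributes are assumptions chosen for this example.

```python
"""Session lifetime and logout handling with a server-side session table.

Added example; not ESAPI and not OWASP Development Guide code. The timeouts,
cookie name and header attributes are assumptions for this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before expiry
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since login, regardless of activity
COOKIE_NAME = "SESSIONID"


@dataclass
class Session:
    user: str
    created: float     # never updated: drives the absolute timeout
    last_seen: float   # updated on every request: drives the idle timeout


def kill_cookie_header(name: str, path: str = "/", domain: Optional[str] = None) -> str:
    """Build a Set-Cookie value that overwrites the client's cookie with an expired one.

    Path and Domain must match the original cookie or the browser keeps the old one.
    """
    attrs = [f"{name}=deleted", "Max-Age=0",
             "Expires=Thu, 01 Jan 1970 00:00:00 GMT", f"Path={path}",
             "HttpOnly", "Secure"]
    if domain:
        attrs.insert(4, f"Domain={domain}")
    return "; ".join(attrs)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session, or expire and destroy it and return None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now   # activity resets the idle clock, never the absolute one
        return s

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def logout(self, sid: str, path: str = "/", domain: Optional[str] = None) -> str:
        """Destroy the server-side record and return the header that kills the cookie."""
        self.destroy(sid)
        return kill_cookie_header(COOKIE_NAME, path, domain)

    def live_count(self) -> int:
        return len(self._sessions)
```

Because the record is destroyed server-side first, a second user on the same kiosk who replays the old cookie gets nothing even if the browser ignored the overwrite; the absolute timeout caps how long a stolen identifier stays useful no matter how active the thief is.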
 
Have a great weekend.