Wednesday, 22 June 2011

Security Weekly News 22 June 2011 - Summary

In case you missed it, I put together a blog post last week on the OWASP AppSec EU Security Conference in Trinity College, Dublin, Ireland with slides, pictures and experience

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"I would recommend to store at least half a year of complete log-data, because many breaches have only been detected months after the initial attack, sometimes even a year. And imagine how bad it is to not only detect a breach this long after the fact but then not even being able to tell what exactly happened and what the impact is" - Kamerazukleber
"Typical Situation. Customer orders re-audit of modified code after one year. Critical vulns are still there. Only filtered by WAF. And showing the customer how the #WAF can be bypassed easily will a) make him buy a new one, b) adjust the filter but never c) fix the code" - Stefan Esser
"as everyone following me knows, or should, everything you say, do, upload, type, delete, etc on the Web should be considered public." - Jeremiah Grossman
"Two-byte unicode is useful in bypassing anti-SQLi defenses. Esp. the single quote filtering." - @gollmann
"Came across interesting security feature in a device. If it detects it's being scanned it changes all passwords requiring a hard reset." - Brian Honan
"Is the bitcoin exchange Mt Gox really running on ZenDesk? How can anyone sane do money exchange on a platform like this?" - Stefan Esser
"I've given up. Let's just enjoy the fact we can stay employed for many years testing HTML5. HTML5 rocks (for the wrong reasons)" - Gareth Heyes
"Download a nice picture from a website on your drive double-click to display it > SVG file has local access to your files/dir #pwn3d #HIP" - Hack in Paris
"Fact: Mobile applications are a combination of insecure client applications running on insecure devices connecting to insecure web services…" - ZION SECURITY
"RSA Breach; think again about Security Software As a Service (SAAS) solutions, storing your vulnerabilities with a third party /in the cloud" - Dave Whitelegg
"Selling exploits is like selling a firearm. People can use it to help protect themselves or to hurt others. I sleep fine either way." - Alex McGeorge
"Lot of IOS developers still store clear text passwords in config files... At least use ROT13 ;-) #fail #HIP" - Hack in Paris

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Cloud Security, Cryptography, Privacy, Security FAIL, General, Outrageous, Funny / Hilarious
Highlighted news items of the week (No categories):
Not patched:
Firebug Firefox Extension Cross Context Scripting Vulnerability,
CVE-2011-2202 - PHP File upload filename
Firefox 5 is here,
Mozilla Firefox and Thunderbird Security Updates,
TWSL2011-006: IBM Web Application Firewall Bypass,
Vulnerabilities in Adobe Flash Player version included with the BlackBerry PlayBook tablet software,
[DSECRG-11-026] SAP NetWeaver J2EE Engine - Authentication bypass,
[SECURITY] [DSA 2262-1] moodle security update,
Introducing DOM Snitch, our passive in-the-browser reconnaissance tool,
Metasploit Framework 3.7.2 Released!,
Mona 1.0 released!,
Recurity Launches Blitzableiter 1.0 at FIRST,
BSQLBF v 2.7

How does your network stand up to a determined attacker?

Attacks on large organizations (RSA[1][2], Google & Others [3], DuPont[4], Lockheed Martin[5]) have given us a glimpse into the underbelly of targeted attacks.


Importance of Log Files
The Sunday Times carries a story about the Fine Gael security breach back in January of this year. The paper states that the company, Election Mall, who were hosting the Fine Gael website at the time of the attack were not able/or would not provide the log files to An Garda Siochana and the Data Protection Commissioner so they could investigate the breach. I am quoted in the piece on why log files are a critical element for your overall security infrastructure.
Log files, when properly configured, can provide invaluable information in the detection and/or investigation of a security breach. Despite this we still find many organisations do not look after their log files properly. Election Mall found this to their cost as Fine Gael has now reportedly cut all ties with that company.
Here is a presentation that I gave a number of years ago on the importance of maintaining and managing your log files. Many of the points in the presentation are still relevant today;
In the din of all the hue and hacks, the Hyundai breach did not get as much attention as others, but the lessons this company's CEO drew from the experience are quite refreshing. This made me jump up out of my chair and applaud (virtually) - I would suggest forwarding this to any execs you interact with
His biggest mistake, he says, was that he used to treat the information-technology department as simply one of many units that helped the company get its main job done. Today he treats it as central to everything the company does.
To help enterprises analyze the effectiveness of their data security measures and determine whether they need to be strengthened, Verizon is offering a new evidence-based risk management service that takes the guesswork out of security decision making while putting to work the insight gained from Verizon's Data Breach Investigations Report (DBIR) series.
The offering, Incident Analytics Service (IAS), enables customers to describe, track, analyze and benchmark data breach incident metrics via a Web application that provides access to data from Verizon's extensive historical and ongoing incident analysis research, one of the largest information risk repositories in the world.
All businesses in the UK that store data on customers will soon have to disclose any breaches, as the European Commission looks to widen the scope of recent changes to data protection laws.
Speaking at the British Bankers' Association (BBA) Data Protection and Privacy Conference in London on Monday, European Union justice commissioner Viviane Reding said the move would ensure all businesses took data protection seriously.

APT in a Nutshell
Recently I had the chance to present at OWASP AppSec EU on the topic of APT (Advanced Persistent Threat). The talk went down well and as such here is a follow up based on my slides.

Should I Change My Password?
LulzSec and other groups have been hacking an assortment of prominent organisations. For good or for bad, they have also been publishing their databases, which typically include emails and passwords. Given that most people re-use their passwords, this site allows the average person to check if their password(s) may have been compromised and need to be changed.
Note that no passwords are stored in this database.
I'm not talking about 100% perfect, bug-free code. For all practical purposes, that's impossible. I'm also not talking about doing what Microsoft does, or did, either. They've invested who knows how many hundreds of millions and the better part of a decade hiring every available expert, instituting a month long new code moratorium, and constantly improving their program. A program perhaps only for a mega corporation with billions in cash.
I'm talking about developing software just secure enough for say online banking, shopping, social networking, office collaboration, and other common Web-based applications that process sensitive data. Software secure enough to successfully fend off attackers who might spend several days giving you a free pen-test for their own personal entertainment or monetary gain. Do we know how to make software at least that secure? Really truly?
Think about how you'd answer if someone asked you how.
Attacks on large organizations (RSA[1][2], Google & Others [3], DuPont[4], Lockheed Martin[5]) have given us a glimpse into the underbelly of targeted attacks.
To be clear, every mom and pop shop should not live in fear of a targeted attack/industrial espionage threat but a lot of companies do face this threat. If you make something that would be cheaper to steal than reverse engineer or if beating your competitor to market means a profit for this year or not you're in the zone for some entity to decide to come after you and take it.
Recently at BlackHat DC and Shmoocon, Sean Coyne and Ryan Kazanciyan from Mandiant gave a great talk titled "The Getaway" [6][7] and it covered some of the methodologies and tools that Mandiant felt was common enough to talk about in public. McAfee also released their "Night Dragon" paper [8] which discusses "APT" style attacks and techniques.
Although HIPAA has been around for almost 15 years, organizations subject to it have done the bare minimum. Enforcement of HIPAA has been steadily increasing, finally reaching a level where organizations must begin paying serious attention to it. Now HIPAA/HITECH has emerged as a major force on the security scene for healthcare providers, insurance companies and their business partners. Because many organizations have not taken the regulation seriously, they're looking for quick ways to get started with or improve their HIPAA compliance program to protect patient data.
Are you keeping track of how many organizations have been breached and their data stolen this week?
I stopped counting.
But it is very interesting to see how different organizations react to data breaches. Those who obviously don't have proper incident handling & response procedures mostly are hit much harder, detect the breach much later and in addition to that get very bad public reputation for it after the breach becomes public.
Those organizations who detect breaches or ongoing attacks early and respond to them appropriately are able to mitigate the impact of that attack.
Those who are able to tell what exactly happened, how it happened, when it happened and how they were able to stop it, earn credibility and good reputation.
DEFENCE companies such as Lockheed Martin have seen some of their cyber-defences penetrated. Sony, Google, Citigroup and other firms have had sensitive customer data swiped by high-tech intruders. The IMF has been the victim of a digital attack, as has the website of America's Senate. And a hackers' collective, called Anonymous, has threatened to launch an online assault on the computer systems of America's Federal Reserve unless its chairman, Ben Bernanke, agrees to step down.
These and other events - such as the attack on the public website of the CIA, which was disrupted briefly on June 15th - have led to speculation that there has been a big increase in the threat posed by hackers in recent months. They have also reinforced a belief in some quarters that America is already engaged in a cyber war of sorts, most notably with China. Yet such claims are controversial.

Cloud Security highlights of the week
With the recent announcement of iCloud, Apple joins Google, Amazon and Microsoft in their aggressive push into cloud computing, in a race to reel customers into their media ecosystems.
The general idea of the "cloud" is to store your media on the internet so you can access it from any device anywhere, as opposed to leaving it on a hard drive. Now with cloud services, we can juggle around our data between multiple gadgets.
Have music on your PC that you want to listen to on your smartphone? Boom, stream it from the cloud. Want to access a document on another computer? Bam, grab it from your web-connected "cloud" drive. Ideally, with cloud services you can access other types of media, such as photos, e-books and videos, across multiple devices, too.
Amazon published a tutorial about best practices in creating public AMIs for use on EC2 last week:
How To Share and Use Public AMIs in A Secure Manner
Though the general principles put forth in the tutorial are good, some of the specifics are flawed in how to accomplish those principles. (Comments here relate to the article update from June 7, 2011 3:45 AM GMT.)
The primary message of the article is that you should not publish private information on a public AMI. Excellent advice!
Unfortunately, the article seems to recommend or at least to assume that you are building the public AMI by taking a snapshot of a running instance. Though this method seems an easy way to build an AMI and is fine for private AMIs, it is a dangerous approach for public AMIs because of how difficult it is to identify private information and to clear that private information from a running system in such a way that it does not leak into the public AMI.
Amazon customers often have poor security practices, inadvertently publishing security keys and passwords
Researchers in Germany have found abundant security problems within Amazon's cloud-computing services due to its customers either ignoring or forgetting published security tips.
Amazon offers computing power and storage using its infrastructure via its Web Services division. The flexible platform allows people to quickly roll out services and upgrade or downgrade according to their needs.
Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt, said on Monday that Amazon's Web Services is so easy to use that a lot of people create virtual machines without following the security guidelines.
With the news that Dropbox managed to leave every single user account wide open for four hours, it's time to review encryption options.
We are fans of Dropbox here at Securosis. We haven't found any other tools that so effectively enable us to access our data on all our systems. I personally use two primary computers, plus an iPad and iPhone, and with my travel I really need seamless synchronization of all that content. I always knew the Dropbox folks could access my data (easy to figure out with a cursory check of their web interface code in the browser), so we have always made sure to encrypt sensitive stuff. Our really sensitive content is on a secure internal server, and Dropbox is primarily for working documents and projects - none of which are highly sensitive.
While companies are adopting cloud computing at an ever faster rate, company executives are wondering whether it's been too fast for comfort, according to research.
Some 60 per cent of leaders surveyed by Avanade are worried about the level of "cloud sprawl" (unauthorised software) within their organisations, a problem that's been compounded by a rate of cloud adoption of 25 per cent over the past two years.

Secure Network Administration highlights of the week

Stealing Passwords from mRemote
If you don't know, mRemote is a tabbed remote connection manager for Windows. It can store and manage a number of different connections, chief among them RDP, VNC, and SSH. It is a popular tool among IT Support people who have to remote into a lot of machines.
When you save connections in mRemote it outputs all of that data into an XML report in your local AppData folder. The passwords are saved in an encrypted format, however this is trivial to circumvent. The passwords are encrypted with AES-128-CBC Rijndael Encryption, and then the IV is pre-pended to the encoded passwords and the whole thing is base64 encoded for output into the XML. The encryption key that is used is the md5 hash of the string 'mR3m'. So to decrypt these passwords we follow a simple process

Backtrack 5 VPS
HackingMachines provides hosting services for penetration testers and security professionals. We do it because we are pentesters ourselves and there is no similar product on the Internet. From experience we know what a good pentesting VPS should be and we can communicate with our customers on the same level.
Furthermore we will try to stand out and deliver something special. When purchasing a VPS, you can choose to base it on BackTrack5, an excellent penetration testing distribution. We publish various tips and tricks in our wiki, to let you make the most out of your VPS. If you have some input, don't hesitate to contact us.
When writing the SET interactive shell for the Social-Engineer Toolkit, I had to ponder what the best route in creating a flexible reverse shell. This backdoor had to be a familiar programming language (to me) and be modular for me to add new things onto it. Python being my strongest language posed some significant challenges as it was not a compiled language. Fortunately there is a way to compile python into a binary by wrapping the interpreter and necessary modules into an executable. As you can imagine this can be somewhat large.

Hack in Paris 2011 Wrap-Up
Hopefully, the next part of the presentation was more interesting. Nice tools were presented like OVAL ("Open Vulnerability Assessment Language"). Based on a huge XML configuration file, this tool analyzes your host. It builds a list of installed software and associated vulnerabilities if they are. You could roughly compare it to the Secunia PSI. The most important fact given during the presentation: 95% of attacks are using known vulnerabilities. That's why patching your systems and applications is so important!
Information security of RSA SecurID devices has been weakened because of a data break-in. Users should change token PIN codes and organisations should watch out for possible break-in attempts. SecurID devices should be exchanged for new ones as soon as possible.
Security company RSA will exchange SecurID password-generating tokens for new ones because of a data break-in last March. The attackers managed to steal information that affects the information security of systems secured with SecurID products. This information has been used in break-in attempts against the data systems of the defence company Lockheed Martin.
VRT IP, DNS and URL lists
This is a collection of IP, DNS and URL information gathered from our Malware data feeds.

Secure Development highlights of the week
News about intrusions into the servers of online stores, games vendors and other internet services can now be read on an almost daily basis. Often, the intruders obtain customers' login data including their passwords. As many people use the same password in multiple places, criminals can use the passwords to obtain unauthorised access to further services.
WordPress is currently investigating a series of '[...] suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.' [1]
Please note that this article expects some prior knowledge of blind SQL injections.
Edit: If you want to read about this in Russian, it's been published here in 2009.
Usually a syntax error in a blind SQL injection will have some sort of visible effect in the output of a web application. So what if we could conditionally generate such an error instead of relying on conditionally delaying and timing a request using functions such as BENCHMARK or SLEEP?
There is no documented way of causing MySQL to throw an error based on a condition in a query. However, in both MySQL 4 and 5, there exists an operator named REGEXP (and its synonym RLIKE). This operator is used for pattern matching using regular expressions.

Free Security Threat Guides
Once again, in line with maltainfosec's aim of disseminating useful information on common web vulnerability threats, Veracode have published a number of free easy-to-understand security threat guides proving useful for audiences ranging from IT executives to consumer-level cell phone users.
Each guide consists of key concepts, impacts and videos giving an explanation of the threat itself. You can grab these free guides through the following links

Vulnerabilities in a Flash
Flash Player-related vulnerabilities currently account for approximately 14% of all Web application vulnerabilities discovered by WhiteHat Security. This statistic is surprisingly high considering that HTTP Archive reports 47% of Web applications are currently using Flash technology.
Flash Media Player is an effective method for delivering stylish vector graphics across multiple platforms to enrich a Web user's experience. When properly designed, Flash makes a website visit interactive and fun. Unfortunately, Flash can also introduce vulnerabilities to an otherwise safe application. Many Flash developers are primarily designers who may have some programming experience, but little - if any - knowledge about Web security.
Web Application Security is an important part of developing applications. As developers, I think we often forget this, or simply ignore it. In my career, I've learned a lot about web application security. However, I only recently learned and became familiar with the rapidly growing 'appsec' industry.
I found a disconnect between what appsec consultants were selling and what I was developing. It seemed like appsec consultants were selling me fear, mostly because I thought my apps were secure. So I set out on a mission to learn more about web application security and penetration testing to see if my apps really were secure. This article is part of that mission, as are the previous articles I've written in this series.
Deobfuscating Javascript can be tricky so why not make the job easier by using a tool? There's several tools that can help you deobfuscate Javascript. Before I get to those tools, I wanted to show you how to deobfuscate them manually. I've been getting a lot of requests from folks who want to learn how to deobfuscate malscripts so this article is for you.
Let's have a look at the malicious scripts. These scripts were found in the wild and randomly selected based on its difficulty. I've uploaded these scripts to so you can play along (warning, these are real malicious scripts so take the necessary precautions!).
Since the thing went public before new PHP version has been released, I present full details of the latest PHP vulnerability I reported - together with some sweet demo exploit. The issue was found with fuzzing being part of my recent file upload research. And I still have some more to show in the future :)
Some interesting articles have surfaced lately regarding the Apple vs. Facebook on-going war over 'apps'. There are two specifically - this one, and this one - that I'd like to reference here in this post. While some analyses of the super-secret Project Spartan that FaceBook is supposedly working on center around the Apple vs. FaceBook apps war brewing - I think the focus is something else entirely. I think the focus, from a technology perspective, is HTMLv5.

Mosaic of attacks from image upload
While auditing web-applications, I often stumble upon image upload functionality. One could think that today safe upload and processing of images is quite usual thing. However, still not all checks seems to be enough, thus leaving for attackers possibility to intrude. Recently I had to deal with some interesting case - not new, but some limitations with image upload capabilities made me to apply some tricks.
The most significant limitation was image resize. Even if the image met requirements of width and height, it was forcefully processed through PHP-functions, thus heavily changing order and bytes themselves in image

Hack in Paris 2011 Wrap-Up
Mario started with a presentation of SVG (or "Scalable Vector Graphic") files. Basically, they are XML files with a lot of features. The most interesting are: they can contain links, scripting & events and inclusion of arbitrary objects. Enough to become scared! They may contain an applet, a Flash file or a PDF and are deployed using an <img>, <object> or <embed> tag, directly accessed or via CSS. Imagine a malicious beautiful SVG file, you download it and double-click on it. This file has full access to your files/directories!
Mario performed several demos and showed how the different browsers handled malicious SVG files. The most awesome demo was an SVG file within an <img> tag. It contained a malicious PDF which started Skype and dial out a number. Brilliant!

XSS attack on CIA Website

Google hardens Chrome 13 and 14
Google is experimenting with blocking sites that mix HTTP and HTTPS scripts and with supporting DNSSEC validation of HTTPS sites in the 'canary' and development builds of Chrome and Chromium 14. Google has also detailed the enhancements to security in Chrome 13 which recently entered the beta channel.
Chrome 13 is already introducing a number of new experimental security features. It blocks HTTP authentication for resources within a page where the resources are from a different domain. It also adds a first implementation of Mozilla's Content Security Policy to help mitigate cross site scripting, click jacking and packet sniffing attacks.

WebGL - More WebGL Security Flaws
In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox's implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox.
Context has been researching the new 3D graphics technology, WebGL, which allows web pages to draw fast 3D graphics in a similar manner to computer games. This exciting technology has the capability to deliver a much richer experience to web users.
However, to enable this impressive breakthrough in online technology, web browsers (currently Chrome and Firefox) have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages, thus creating a number of potential security vulnerabilities.
Mozilla's VP of Technical Strategy, Mike Shaver has rejected Microsoft's criticism of WebGL in which it said it would not implement the 3D graphics standard because of security issues in the design. Shaver says that 'there is no question that the web needs 3D capabilities' to enable developers to create 'advanced visualisations, games or new user interfaces' and points at Molehill (Adobe's 3D for Flash) and Microsoft's Silverlight 3D which are offering just those capabilities.
Agnitio 2.0
I had originally planned to release v2.0 of Agnitio at Hack in Paris but I have been a victim of scope creep and real life getting in the way of my development time! I did show off some of the new features in v2.0 during my talk and rather than showing some images and lots of text I've uploaded a short video below.
Issue 10: Hijacking on "insecure networks"
Following the analysis in issue 9 of what is or is not an "insecure network" in an environment such as Tuenti's, it is time to talk about the classic: session theft, or hijacking, of a Tuenti account. To make this understandable to everyone, suffice it to say that when a user authenticates to a web application, the application generates a set of variables on the server that uniquely identify the user, and these are handed to the user in the form of a cookie. That cookie becomes a token that lets the user into every part of the account, and it must be sent with every request.

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Rotate Session Identifiers

For high value sites, session identifiers should be regenerated prior to any significant transaction, after a certain period of time and after a certain number of requests. For medium and low value sites, token regeneration should be performed after a change in user privilege, such as moving from an anonymous visitor to a logged in user or moving from a logged in user to an administrator. If a user is moving from an insecure page on the site to a more secure section of the site that uses HTTPS, the session ID should also be regenerated so that the secure session ID has never been transmitted in an unencrypted state. An additional session ID might be used instead of regenerating the original session ID. Unless this capability is built in to the application framework, it must be implemented in addition to the application framework session controls. The prior recommendations about first leveraging platform security mechanisms still apply: because this control measure often includes writing additional custom code for an application, the application should require the application framework session management features to be in operation as well as this additional rotating session identifier.

Using ESAPI reference code to regenerate session identifiers
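import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.errors.AuthenticationException;

public HttpSession changeSessionIdentifier(HttpServletRequest request) throws AuthenticationException {

    // get the current session
    HttpSession session = request.getSession();

    // make a copy of the session content
    Map temp = new HashMap();
    Enumeration e = session.getAttributeNames();
    while (e != null && e.hasMoreElements()) {
        String name = (String) e.nextElement();
        Object value = session.getAttribute(name);
        temp.put(name, value);
    }

    // kill the old session and create a new one; without invalidate(),
    // getSession() would hand back the same session with the same identifier
    session.invalidate();
    HttpSession newSession = request.getSession();

    // copy back the session content
    Iterator i = temp.entrySet().iterator();
    while (i.hasNext()) {
        Map.Entry entry = (Map.Entry) i.next();
        newSession.setAttribute((String) entry.getKey(), entry.getValue());
    }
    return newSession;
}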

Source: link
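
The rotation triggers listed in the guide text above (privilege change, identifier age, request count, move from HTTP to HTTPS), as an added example that is not ESAPI or OWASP code: a small in-memory session store in plain Java. The class name, the Privilege levels and the 15-minute / 100-request limits are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not ESAPI or OWASP code): in-memory store applying the rotation triggers above.
public class RotatingSessionStore {
    public enum Privilege { ANONYMOUS, USER, ADMIN }  // hypothetical levels

    // Server-side record. The identifier is only the map key, so rotating it keeps the content.
    private static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
        Privilege privilege = Privilege.ANONYMOUS;
        boolean issuedOverTls;
        Instant issuedAt;
        int requestsSinceIssue;
    }

    private final Map<String, Session> sessions = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration maxIdAge;     // assumed policy value
    private final int maxRequestsPerId;  // assumed policy value

    public RotatingSessionStore(Duration maxIdAge, int maxRequestsPerId) {
        this.maxIdAge = maxIdAge;
        this.maxRequestsPerId = maxRequestsPerId;
    }

    // Bind the record to a fresh 128-bit identifier and reset its counters.
    private String issue(Session s, boolean overTls, Instant now) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        s.issuedOverTls = overTls;
        s.issuedAt = now;
        s.requestsSinceIssue = 0;
        sessions.put(id, s);
        return id;
    }

    public synchronized String create(boolean overTls, Instant now) {
        return issue(new Session(), overTls, now);
    }

    // Call once per request. Returns the id to send back in the cookie: the same
    // one, a new one if a trigger fired, or null if the id is unknown.
    public synchronized String touch(String id, boolean overTls, Instant now) {
        Session s = sessions.get(id);
        if (s == null) return null;
        s.requestsSinceIssue++;
        boolean tooOld = Duration.between(s.issuedAt, now).compareTo(maxIdAge) >= 0;
        boolean tooManyRequests = s.requestsSinceIssue >= maxRequestsPerId;
        boolean movedToHttps = overTls && !s.issuedOverTls;
        if (!(tooOld || tooManyRequests || movedToHttps)) return id;
        sessions.remove(id);  // the old identifier stops working immediately
        return issue(s, overTls, now);
    }

    // A change of privilege (login, elevation to administrator) always rotates.
    public synchronized String changePrivilege(String id, Privilege p, boolean overTls, Instant now) {
        Session s = sessions.remove(id);
        if (s == null) return null;
        s.privilege = p;
        return issue(s, overTls, now);
    }

    // Session content for a live id, or null once the id has been rotated away.
    public synchronized Map<String, Object> attributes(String id) {
        Session s = sessions.get(id);
        return s == null ? null : s.attributes;
    }

    // Constructed scenario: anonymous visit over HTTP, login over HTTPS, then ageing.
    public static void main(String[] args) {
        RotatingSessionStore store = new RotatingSessionStore(Duration.ofMinutes(15), 100);
        Instant t0 = Instant.parse("2011-06-22T10:00:00Z");
        String anon = store.create(false, t0);
        store.attributes(anon).put("cart", "item-42");
        String user = store.changePrivilege(anon, Privilege.USER, true, t0.plusSeconds(5));
        if (store.attributes(anon) != null) throw new AssertionError("pre-login id still valid");
        if (!"item-42".equals(store.attributes(user).get("cart"))) throw new AssertionError("content lost");
        if (!user.equals(store.touch(user, true, t0.plusSeconds(10)))) throw new AssertionError("rotated early");
        String aged = store.touch(user, true, t0.plusSeconds(5).plus(Duration.ofMinutes(15)));
        if (aged.equals(user) || store.attributes(user) != null) throw new AssertionError("age trigger missed");
        System.out.println("all rotation checks passed");
    }
}
```

In a servlet application the value returned by `touch` or `changePrivilege` is what goes into the session cookie on the response; the previous value is rejected on the next request.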

Have a great week and weekend.