Thursday, 30 December 2010

Security Weekly News 30 December 2010 - Summary

Feedback and/or contributions to make this better are appreciated and welcome

Highlighted quotes of the week:

"Real IT/security talent will work where they make a difference, not where they reduce costs, "align w/business," or serve other lame ends." - Richard Bejtlich

"woodworking tools do not make chairs == security tools do not make security." - Rafal Los

"Sec guys cannot avoid IE use in the enterprise. But we could secure it a bit by using EMET. M$ should give support, though." - Román Medina-Heigl Hernández

"TSA bodyscans/pat-downs are to national security what WAF's DLP's and NAC's are to infosec." - Wim Remes

"To enforce a security policy for users without explanation is like forcing kids to eat vegetables... It will #fail" - Xavier Mertens

"...only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren't going to protect it with these basic cookie flags?" - Michael Coates

"Avg # of days in a year a website is vulnerable to at least 1 *serious vulnerability: 200" - Jeremiah Grossman

"Any dictator would admire the uniformity and obedience of the U.S. media." - Noam Chomsky

"MD5, which usually poses a serious computational challenge to reverse <-- ROTFLMAO Serious news fail" - Martin Bos

"No wget? No problem ;) curl -LO -C - http://... <- and that's with resuming transfers" - Tomasz Miklas

To view the full security news for this week please click here (divided into categories, with a category index at the top). The categories this week include (click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Mobile Security, Privacy, General, Tools, Funny

Highlighted news items of the week (No categories):

Not patched: Internet Explorer zero-day exploit - explanation and mitigation, [0day?] sql-injection in From: 'Zerial.'

Updated/Patched: WordPress 3.0.4 critical security update, VirtualBox 4.0 Simplifies Virtual Operating System Management, Adds Extensions


Is your friend really a friend on Facebook?
Scammers go where the people are - Facebook.
Facebook is the latest hot spot for swindlers in search of new victims.
And the world's most popular social-networking website can be a gold mine for such crooks, experts say.
Scams on social-media sites are much the same as the ones you may have received as e-mail, said Kevin Johnson, a consultant for Secure Ideas, which does security research.
'The big difference in the [social-networking] scams is the level of trust that the users have,' he said. 'People trust them more than they trust e-mail.'

Burglary warning for residents
Advice in relation to house burglary:
* ensure your windows and doors are securely locked
* avoid leaving valuables where they can be seen through windows or within easy reach of windows and doors
* never leave your car keys on view or within easy reach of the door
* fit a house alarm
* install outside security lighting which is triggered by movement
* Make a list of your property and mark it with your postcode
* Use timers for lights and radios if you are going out at night
* Report any suspicious activity to police

Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):


I received my Loggly beta account (thanks to them!) a few days ago and started to test this cloud service more intensively. I won't explain again what Loggly is; I already posted an article on this service.
For me, services like Loggly are the perfect cloud examples, with all the pros and cons. Smaller organizations may find here a perfect tool to analyze their logs with limited effort; on the other hand, there are two main issues regarding the security of your data sent to the cloud.

After suffering a massive outage last week, Skype CIO Lars Rabbe has now detailed what went wrong.
One of the root causes? A bug in the Skype for Windows client (version 5.0.0152).
Rabbe kicks off by explaining that a cluster of support servers responsible for offline instant messaging became overheated on Wednesday, December 22.
A number of Skype clients subsequently started receiving delayed responses from said overloaded servers, which weren't properly processed by the Windows client in question. This ultimately caused the affected version to malfunction.

I noticed while running a vulnerability scan with Nessus that Citrix Provisioning Server's TFTP service would crash. This service is used for PXE booting Citrix's virtual machines, so it is rather important.
I began to wonder if I could cause it to crash with my own evil packet. Of course, I could just sniff the traffic generated by Nessus, but that takes away from the challenge and it wouldn't tell me the exact portion of the packet that caused the crash.
I did a bit of research on TFTP by reading the RFC. In addition, I found that the Wikipedia article has a pretty good description as well as some nice pretty pictures. I thought the packet most likely to cause a crash would be the RRQ (read request), and specifically the filename attribute, since it has the most manipulable data. I then fired up Scapy.

VM Detection by In-The-Wild Malware
A large number of security researchers use Virtual Machines when analyzing malware and/or setting up both active and passive honeynets. There are numerous reasons for this, including scalability, manageability, configuration and state snapshots, the ability to run diverse operating systems, etc.
Malware that attempts to detect if it's running in a Virtual Machine (then change its behavior accordingly to prevent analysis by security people) is not a subject of academic fancy. A recent search of VirusTotal showed they receive at least 1,000 unique samples a week with VM detection capabilities. (This search was performed by searching for known function import names from non-standard DLLs.) Personally, my first encounter with malware that behaved completely differently inside a Virtual Machine (from a real host) was approximately eight years ago.

Following our earlier post on nasty network address ranges, ISC reader Tom wrote in with some interesting logs. His information ties a recent wave of Java exploits to several addresses in the same netblock. The latest exploits in this case start with a file called 'new.htm', which contains obfuscated code as follows

Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):

IEEE Security and Privacy published an article that my group and I wrote some months ago, titled: Splitting the HTTPS Stream to Attack Secure Web Connections. You can find it here, check it out!

A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content
A basic HTTPS request was sent to the top 1000 websites. The HTTP responses were investigated to observe the usage of the HTTPOnly and SECURE cookie flags. Here is what was found:

NoScript vs Insecure Cookies
Mike Perry's Automated HTTPS Cookie Hijacking just made Slashdot's front page, so I decided to spend some time nesting a countermeasure inside NoScript's request intercepting guts.
The original idea comes from an email conversation I had with pdp just after his GMail account had been compromised: he suggested marking every cookie with the "Secure" attribute, causing the browser to send it exclusively over HTTPS connections.
Later he detailed this concept as a feature of his yet to be developed BrowserSecurify plugin:
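The flag check the cookie study above performs, and the Secure attribute that NoScript's countermeasure sets, as an added Python example (not code from either post): it parses the Set-Cookie headers of a constructed HTTPS response and reports which cookies lack Secure or HttpOnly. The host and cookie values are made up for illustration.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the cookie study or from NoScript.
The HTTP response below is constructed; the host is hypothetical.
"""
from dataclasses import dataclass

# Constructed sample HTTPS response with three cookies set.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Expires=Fri, 30 Dec 2011 00:00:00 GMT\r\n"
    "Set-Cookie: track=xyz; Domain=.example.test; httponly\r\n"
    "\r\n"
    "<html></html>"
)

@dataclass
class CookieFlags:
    name: str
    secure: bool    # only ever sent over HTTPS
    httponly: bool  # not readable from script (document.cookie)

def parse_set_cookie(header_value):
    """First segment is name=value; the rest are attributes (case-insensitive)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name, "secure" in attrs, "httponly" in attrs)

def audit_response(raw):
    """Return the flags of every cookie set in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(":")      # header values may contain ':'
        if key.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
    return cookies

def unprotected(cookies):
    """Names of cookies missing Secure, HttpOnly, or both."""
    return [c.name for c in cookies if not (c.secure and c.httponly)]

if __name__ == "__main__":
    for c in audit_response(SAMPLE_RESPONSE):
        print(f"{c.name}: Secure={c.secure} HttpOnly={c.httponly}")
```

A cookie set over HTTPS without Secure is the case the hijacking post above relies on: the browser will also send it on any plain HTTP request to the same host.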

Firefox 4 will not include a 'do not track' privacy option to block targeted advertising, according to the web browser's maker Mozilla.
The Firefox 4 browser will not ship with what we envision is the end-to-end solution. We don't think any browser can today.
- Firefox browser maker Mozilla
On Monday, an AFP report stated that Firefox 4, which is due for release in early 2011, would include a 'do not track' privacy option to foil behavioural advertising. Behavioural or targeted advertising products track a user's behaviour online, and serve ads based on the user's perceived interests.

Posted by: Giorgio in Anonymity, Mozilla, NoScript
Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.
From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Access Controls, Authentication, and Authorization need to be understood

-Multi-tier design: separate web, application, middleware, and database tiers on DMZs.

-Due diligence is needed to allow access only from specific IP(s) and port(s) over any connection into the application environment, such as business partner connections (VPN tunnels). Additionally, ensure that application controls also validate proper authentication and authorization of the user or device accessing the application.

-A network-based stateful firewall allowing only the necessary communication ports. For example, this could be a stateful firewall allowing only external access to a web application listening on ports 80 and 443 in a DMZ. From the web server DMZ, only the necessary port(s) and source and destination IP(s) are allowed to the database DMZ.

-Web application firewall(s) could also be deployed to help with common input validation checks. These usually check for malicious syntax, such as SQL injection or cross-site scripting attacks, and sometimes for sensitive data such as SSNs leaving the environment.

-Within each DMZ, the use of private VLANs should be considered to protect application components within the same layer 2 segment. For example, if multiple databases used by other applications sit within the same DMZ on the same switch, PVLANs should be deployed. This protects the application's database from being accessible from a compromised database on the same layer 2 segment.

-How will users or other applications authenticate to the application? In the case of a web application, is basic, NTLM, or form-based authentication necessary, or even multi-factor authentication with an OTP or RSA server? How will thick clients or other applications be authenticated into the application environment, such as through certificates?

-Password policies should be created, understood, and adhered to when coding the application. This should include secure storage of credentials, allowing only strong credentials, secure transmission of credentials, and a policy of least privilege. It should also cover how passwords are reset securely.

-Role-based access controls based on least privilege are adhered to and enforced throughout the application.

Source: link

Happy New Year everybody!