Friday, 8 April 2011

Security Weekly News 8 April 2011 - Full List

Hacking Incidents / Cybercrime
RSA SecurID breach began with spear phishing attack
The assault against RSA, the security division of EMC Corp., began with two waves of spear phishing attacks using an attached Microsoft Excel file, which targeted an Adobe Flash zero-day flaw.
The phishing attacks took place over a two-day period and targeted two small groups of low-profile employees. Attackers were successful in getting at least one employee to retrieve it from their junk mail folder and open the Excel file titled '2011 Recruitment plan.xls.'
Electronic Frontier Foundation research digs up 37,244 'unqualified' names that were given digital certificates
In yet another example of a flawed SSL website certificate registration process, researchers at the Electronic Frontier Foundation (EFF) found tens of thousands of unqualified website names that had been registered by certificate authorities.
The EFF, via its SSL Observatory project, which studies the certificates used to secure HTTPS websites, discovered some 37,244 'unqualified' names that had been given digital certificates, including 'localhost' (2,201 certificates), 'exchange' (806), 'exchange' somewhere in the name (2,383), and '01srvech' (5,657).
Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation's largest banks and corporate brand names.
Late last week, Irving, Texas based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a "subset of its clients." Epsilon didn't name the clients that had customer data lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result

Unpatched Vulnerabilities
A new exploit for IE9 bypasses all security measures in even the latest fully patched version of Windows 7, according to a French security company Vupen.
The exploit uses an unpatched zero-day vulnerability in Internet Explorer 9 and bypasses all the extra security measures of Windows 7. The latest version of Microsoft's operating system, fully up to date with Service Pack 1 (SP1), is vulnerable. The security hole was reported by the French security company Vupen, which previously discovered an IE8 vulnerability in December of last year. (MS11)

Software updates
Microsoft has big plans for everybody for next Tuesday, and I hope you haven't made any dinner plans because you will be busy patching (or working with your old friends like WSUS to get the patches tested and released).
A total of 17 bulletins are going to be released according to Microsoft's pre-release announcement: 8 rated critical and 9 rated important. They affect pretty much the usual suspects (Windows, Internet Explorer and Office) as well as some less regular guest stars like Microsoft's developer tools.
The critical patches apply pretty much to all versions of Windows (XP, Vista, Windows 7 and 2008) with one or two exceptions.
The Internet System Consortium's (ISC) open source DHCP client (dhclient) allows DHCP servers to inject commands which could allow an attacker to obtain root privileges. The problem is caused by incorrect filtering of metadata in server response fields. By using crafted host names, and depending on the operating system and what further processing is performed by dhclient-script, it can allow commands to be passed to the shell and executed. A successful attack does, however, require there to be an unauthorised or compromised DHCP server on the local network.
Some security hardening to media uploads
Performance improvements
Fixes for IIS6 support
Fixes for taxonomy and PATHINFO (/index.php/) permalinks
Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues
Version 3.0.6 of Ruby on Rails has been released. According to the developers, the maintenance and security update to the open source web framework addresses a vulnerability in the auto_link functionality.
A hole in the IPComp protocol implementation of certain operating systems can be exploited to compromise a server. IPComp is used for compressing individual IP datagrams mainly in conjunction with IPSec and other VPN technologies. According to Tavis Ormandy, certain embedded datagrams can cause a recursion after they have been unpacked, which results in a kernel stack overflow.
Software and services firm Novell has warned of a security vulnerability (CVE-2011-0994) in its File Reporter product. According to a security advisory from the Zero Day Initiative (ZDI), Novell File Reporter is susceptible to a stack-based buffer overflow issue. This is caused by a boundary error in the File Reporter Agent (NFRAgent.exe) when handling the contents of a certain XML tag. This could, for example, be exploited by a malicious user to compromise a victim's system, possibly leading to the execution of arbitrary code with system privileges.

Business Case for Security
I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches - here's a copy of the handout I provided:
Earlier today I had the opportunity to read a blog post by Uri Rivner, the Head of the Security Division of EMC. While the investigation into the RSA/EMC compromise is still ongoing, Mr. Rivner presents a very good summary of what they do know.
Some of the facts as written by Mr. Rivner:
The first part of the attack was a spear-phishing attempt aimed at non-high-profile targets. The information on the targets was most likely mined from social networking sites. All it took was one of the targeted employees who was tricked into opening an attached Excel spreadsheet.
Three-quarters of energy firms have experienced a breach in the last year; 69 percent expect more to come
Seventy-five percent of energy and utility companies have suffered an IT security breach in the past year, and the situation doesn't seem likely to improve anytime soon, according to a study published today.
According to the 'State of IT Security: Study of Utilities & Energy Companies' report -- which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs -- more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.
Unique malware and variants galore, and more than 40 percent more mobile vulnerabilities than a year ago
Last year will likely go down as the year of the targeted attack, with the litany of big-name breaches that began with Google's revelation that it had been hit by attackers out of China and the game-changer Stuxnet. But it was also a record-breaking year for new malware and variants, with 286 million new samples identified by Symantec.
The newly published Symantec Internet Security Threat Report Trends for 2010 counted some 6,253 new bugs -- the most ever in a year -- that were mostly driven by malware attack toolkits. The ease of deployment that comes with these kits resulted in some 286 million new malware variants, according to Symantec.
In nearly 80 percent of cases, banks did not detect fraud before funds were transferred
Business banking fraud -- particularly in small and midsize companies -- is still causing major problems for both the businesses and the banks that serve them, according to a study published today.
The '2011 Business Banking Trust Study,' a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year's numbers suggest that the banking fraud situation has not improved since 2010.

Web Technologies
Add XSSF to Metasploit Framework on Ubuntu
What is XSSF or the Cross-site Scripting Framework?
The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an existing connection with JavaScript loop refreshing in order to allow future browser-based attacks. After injection of the generic attack (resource "loop" generated by XSSF), each victim will ask the attack server (every "x" seconds) if new commands are available:
Clickjacking Defense
Stanford Web Security Research recently published a paper on clickjacking defense:
The Stanford defense is lacking because Internet Explorer requires the full body to be loaded before the script will execute properly. That means that you need the <style> element at the end of the document HEAD (so that it will override any other stylesheets or inline styles) and the <script> at the end of the BODY. It is too easy to mess up, especially on platforms with multiple templates and includes, and on longer pages it can make the page seem 'broken' since the script to display the body won't fire until the entire body is loaded.
Opera parser monster eats unicode
Whilst writing my own parser I found weird things in Opera's JavaScript parser. I was testing what the various browsers allowed with unicode escapes and it turns out Opera seems more lax than others. My discovery began with the following code:
try {eval('\\u0066\\u0061\\u006c\\u0073\\u0065');} catch(e) {alert(e);}
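The probe above asks whether an engine accepts a Unicode-escaped spelling of the keyword false as if it were the keyword itself. As an added example (not code from the original post), the check below decodes \uXXXX escapes and flags identifier tokens that spell a reserved word once decoded, which a spec-conformant parser refuses as an identifier (V8, for instance, reports "Keyword must not contain escaped characters"). The RESERVED_WORDS list, the helper names and the SAMPLE string are this example's own, constructed for illustration.

```javascript
// Added example, not from the original post. ECMAScript 5.1 (section 7.6)
// interprets identifiers by their decoded characters, so an escaped spelling
// of a reserved word is still that reserved word and may not be used as an
// Identifier; a lax parser that quietly accepts it differs from the spec.

// Reserved words of ECMAScript 5.1 plus the literals null/true/false.
const RESERVED_WORDS = new Set([
  'break', 'case', 'catch', 'continue', 'debugger', 'default', 'delete', 'do',
  'else', 'finally', 'for', 'function', 'if', 'in', 'instanceof', 'new',
  'return', 'switch', 'this', 'throw', 'try', 'typeof', 'var', 'void',
  'while', 'with', 'class', 'const', 'enum', 'export', 'extends', 'import',
  'super', 'null', 'true', 'false',
]);

// Replace every \uXXXX escape with the character it denotes. Malformed
// escapes (fewer than four hex digits) are left untouched so they stay visible.
function decodeUnicodeEscapes(src) {
  return src.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// True when `token` contains at least one escape and decodes to a reserved
// word: exactly the case a lax parser might accept and a strict one rejects.
function isEscapedReservedWord(token) {
  if (!/\\u[0-9a-fA-F]{4}/.test(token)) return false;
  return RESERVED_WORDS.has(decodeUnicodeEscapes(token));
}

// Scan a source string for identifier-like tokens that contain escapes and
// return those that decode to reserved words. Usable as a lint or sanitizer
// pass before handing untrusted script fragments to an engine whose parser
// may be more permissive than the specification.
function findEscapedReservedWords(src) {
  const tokenRe =
    /(?:\\u[0-9a-fA-F]{4}|[A-Za-z_$])(?:\\u[0-9a-fA-F]{4}|[\w$])*/g;
  const hits = [];
  for (const m of src.matchAll(tokenRe)) {
    if (isEscapedReservedWord(m[0])) {
      hits.push({ raw: m[0], decoded: decodeUnicodeEscapes(m[0]) });
    }
  }
  return hits;
}

// Constructed sample. The doubled backslashes are JavaScript string-literal
// escaping; at runtime the string holds single backslashes, exactly what
// eval() in the post's one-liner receives.
const SAMPLE = 'x = \\u0066\\u0061\\u006c\\u0073\\u0065; y = \\u0061bc;';

// Stand-alone run: one hit, raw token decoding to "false"; \u0061bc decodes to
// the ordinary identifier "abc" and is not reported.
console.log(findEscapedReservedWords(SAMPLE));
```

The scanner only reports tokens that both contain an escape and decode to a reserved word, so ordinary identifiers written with escapes (legal under the spec) pass through, and plain keywords are left to the engine's own parser.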
For the past several days I have been focused on understanding the inner workings of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings. The basis for this finding has actually been briefly discussed in a number of forum posts in Dropbox's official forum (here and here), but it doesn't quite seem that people understand the significance of the way Dropbox is handling authentication. So, I'm taking a brief break in my forensics-artifacts research, to try to shed some light about what appears to be going on from an authentication standpoint and the significant security implications that the present implementation of Dropbox brings to the table.
I recently came across a paper titled Faster Blind MySQL Injection Using Bit Shifting by Jelmer de Hen describing a technique that allows the retrieval of data from a MySQL database in only 8 requests per character using bit shifting; this is a slight improvement on the traditional bisection method. This got me thinking about how information could be extracted from the database in even fewer requests, and after a few hours of fooling around, this is what I came up with.
Great News for IE9 Users!
The investors who are generously funding it, but want to stay anonymous for now, just authorized me to unveil a few details about the revolutionary project which I've been feverishly working on during the past months. What we're talking about is not merely a next-generation NoScript. No, we're talking about the ultimate security tool, nothing less, code named GoodScript.
GoodScript's key feature is the ability to detect and block malicious JavaScript and other active content before it can harm your web browser, while all the "good" code is automatically allowed to run untouched.
Spot the Vuln - Charming
For most security issues, I give the developer the benefit of the doubt. It's tough to keep track of all the corner cases and security nuances. For this diff however, there is no excuse.
First, let's cover what the patch fixes. On line 18, the developer was taking a tainted value passed via query string parameter and using that value to build HTML markup. This is XSS in its most classic form. Also, on line 58 the same tainted input is used to build the SRC attribute for an image tag, also resulting in XSS. The developer chose to encode both of these tainted values before using them in the HTML output.
Now, let's talk about the problems with this patch
Mozilla has announced that it is going to be more hands-on with add-on performance. According to Mozilla's Justin Scott, Product Manager for Add-Ons, the average add-on increases start-up time by about 10%; the actual impact in seconds depends upon the user's hardware and software. Scott says in his announcement that the company estimates that installing ten add-ons typically doubles Firefox's startup time. With this in mind, Mozilla is planning a range of initiatives to take on the bad performers.
Some Black Magic Python for n00bs
I had lunch with an old friend yesterday and we were discussing Python. He had a background in Perl and PHP so I knew some of the higher-order aspects of Python wouldn't be clear to him yet. He also had rudimentary knowledge of Python decorators, a tool I use all the time.
In an effort to help, I wrote up some code that demonstrates some of these concepts. I think it will be useful to readers of this blog too.
Linkedin is one of those social networks supposedly created not for flirting. Yes, and surprisingly it works, but the truth is that its success comes from people using it to flirt as well. That's why I have Linkedin too. That's life.
Yesterday, Naked Security complained that the default option that lets the participants in a message see each other's email addresses should have the opposite default value. That is, the check box should come unticked so that it would not depend on the user, who might get careless, as they make clear happened to their colleague Pablo, who is based in Madrid - Pablo, we're with you! -

Network Security
This is probably the most practical and applicable IPv6 talk I've ever seen. Amazing job.
This talk will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the Internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the Internet host providing the service, the anonymity set of the person or group that administrates the service can be greatly reduced. The core aim of this paper will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators and developers may make that could expose a service provider's identity or reduce the anonymity set they are part of. We will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.
Windows machines compromised by default configuration flaw in IPv6
As anyone who has watched the reimagined Battlestar Galactica will tell you, Sixes are trouble. They are undoubtedly alluring, but all the while they are working covertly, following The Plan, right under the noses of their targets. Nobody realizes the true nature of the threat until it's too late.
The Internet also has its own Six, IPv6 (formerly IPng - IP Next Generation). Modern operating systems ship with it by default, but adoption has been slow for many reasons. Despite the passing of the IPocalypse, it lies largely dormant within today's networks, waiting for the chance to rise up and usurp its IPv4 predecessor.
This article describes a proof of concept of an interesting application of IPv6. I'm going to show you how to impose a parasitic IPv6 overlay network on top of an IPv4-only network so that an attacker can carry out man-in-the-middle (MITM) attacks on IPv4 traffic.
As the day progressed and more and more Epsilon clients notified their customers that their details had been compromised, I got to thinking about what information is readily given to third parties for many different purposes. The outsourcing of certain specialist tasks is nothing new. What I've found in the past, though, is that information is often handed over without really thinking through the consequences should it be compromised. So here are some of the things I believe you should be doing when handing over client information to third parties. As per usual, feel free to add your own experiences and suggestions.
You might be used to working with IPv4 on Linux, but like it or not IPv6 is on its way in. Roll up your sleeves, spit on your palms, and get ready to go to work because this is your crash course in actually using IPv6. It hardly hurts at all. Linux has supported it since the 2.1 kernel, so you shouldn't have to install anything. Make sure you have the ping6, ip, and ifconfig commands.
Let's get my favorite nitpick out of the way right now - we do not have IPs, we have IP addresses. IP stands for Internet Protocol. As my wise grandmother used to say, sloppy speech equals sloppy habits, which equals a trip to hell in a handbasket.

Cloud Security
The March 30 data breach at the email marketing company Epsilon left millions of customers of such notable companies as Best Buy, Ethan Allen, Walgreens, Target and a host of banks vulnerable to a potential onslaught of spam and phishing attacks. The breach of Epsilon's servers has left some important questions unanswered, and it spotlights some common concerns about the security of cloud-based services.

Where I live the cameras only snap the rear plates.
Happy April Fools Day!
As some folks may have noticed, the startup process for the Metasploit Console (msfconsole) has changed this morning. Windows users are now greeted with a slightly different message than they are used to:
Clients from Hell