Friday, 8 April 2011

Security Weekly News 8 April 2011 - Summary

Thanks to Shaun for contributing to this security news bulletin!

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
"Making connections is always easier when there's alcohol involved" - Adam B. ;)
"Pretty much anyone can be breached at any time" - Jon Oltsik
"Wonder if my Safari exploit still works... ..Hmmm yeah it does I should report that I suppose" - Gareth Heyes

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software updates, Business Case for Security, Web Technologies, Network Security, Cloud Security, Funny

Highlighted news items of the week (No categories):

Not patched: IE9 exploit puts Windows 7 SP1 at risk

Updated/Patched: Dark Black Tuesday Coming Up: 17 Microsoft Bulletins, (Fri, Apr 8th), DHCP client allows shell command injection, WordPress 3.1.1 is now available. This maintenance and security release fixes almost thirty issues in 3.1, including:, Ruby on Rails update addresses security vulnerability, NetBSD and FreeBSD patch hole in IPComp implementation, Novell patches File Reporter vulnerability

How to deal with your RSA tokens from now?

I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches - here's a copy of the handout I provided:
Earlier today I had the opportunity to read a blog post by Uri Rivner, the Head of the Security Division of EMC. While the investigation into the RSA/EMC compromise is still ongoing, Mr. Rivner presents a very good summary of what they do know.
Some of the facts as written by Mr. Rivner:
The first part of the attack was a spear-phishing attempt aimed at non-high-profile targets. The information on the targets was most likely mined from social networking sites. All it took was one of the targeted employees who was tricked into opening an attached Excel spreadsheet.
Three-quarters of energy firms have experienced a breach in the last year; 69 percent expect more to come
Seventy-five percent of energy and utility companies have suffered an IT security breach in the past year, and the situation doesn't seem likely to improve anytime soon, according to a study published today.
According to the 'State of IT Security: Study of Utilities & Energy Companies' report -- which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs -- more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.
Unique malware and variants galore, and more than 40 percent more mobile vulnerabilities than a year ago
Last year will likely go down as the year of the targeted attack, with the litany of big-name breaches that began with Google's revelation that it had been hit by attackers out of China and the game-changer Stuxnet. But it was also a record-breaking year for new malware and variants, with 286 million new samples identified by Symantec.
The newly published Symantec Internet Security Threat Report Trends for 2010 counted some 6,253 new bugs -- the most ever in a year -- that were mostly driven by malware attack toolkits. The ease of deployment that comes with these kits resulted in some 286 million new malware variants, according to Symantec.
In nearly 80 percent of cases, banks did not detect fraud before funds were transferred
Business banking fraud -- particularly in small and midsize companies -- is still causing major problems for both the businesses and the banks that serve them, according to a study published today.
The '2011 Business Banking Trust Study,' a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year's numbers suggest that the banking fraud situation has not improved since 2010.

Cloud Security highlights of the week
The March 30 data breach at the email marketing company Epsilon put millions of customer of such notable companies as Best Buy, Ethan Allen, Walgreens, Target and a host of banks vulnerable to a potential onslaught of spam and phishing attacks. The breach to Epsilon's servers has left some important questions unanswered, and it spotlights some common concerns about the security of cloud-based services.

Secure Network Administration highlights of the week
This is probably the most practical and applicable IPv6 talk I've ever seen. Amazing job.
This talk will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the Internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the Internet host providing the service, the anonymity set of the person or group that administrates the service can be greatly reduced. The core aim of this paper will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators and developers may make that could expose a service provider's identity or reduce the anonymity set they are part of. We will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network
Windows machines compromised by default configuration flaw in IPv6
As anyone who has watched the reimagined Battlestar Galactica will tell you, Sixes are trouble. They are undoubtedly alluring, but all the while they are working covertly, following The Plan, right under the noses of their targets. Nobody realizes the true nature of the threat until it's too late.
The Internet also has its own Six, IPv6 (formerly IPng - IP Next Generation). Modern operating systems ship with it by default, but adoption has been slow for many reasons. Despite the passing of the IPocalypse, it lies largely dormant within today's networks, waiting for the chance to rise up and usurp its IPv4 predecessor.
This article describes a proof of concept of an interesting application of IPv6. I'm going to show you how to impose a parasitic IPv6 overlay network on top of an IPv4-only network so that an attacker can carry out man-in-the-middle (MITM) attacks on IPv4 traffic.
As the day progresses more and more Epsilon clients are notifying their customers that their details have been compromised, I got to thinking about what information is readily given to third parties for many different purposes. The outsourcing of certain specialist tasks is nothing new. What I've found in the past though is that information is often handed over without really thinking through any of the consequences should the information be compromised. So here are some of the things I believe you should be doing when handing over client information to third parties. as per usual feel free to add your own experiences and suggestions.
You might be used to working with IPv4 on Linux, but like it or not IPv6 is on its way in. Roll up your sleeves, spit on your palms, and get ready to go to work because this is your crash course in actually using IPv6. It hardly hurts at all. Linux has supported it since the 2.1 kernel, so you shouldn't have to install anything. Make sure you have the ping6, ip, and ifconfig commands.
Let's get my favorite nitpick out of the way right now - we do not have IPs, we have IP addresses. IP stands for Internet Protocol. As my wise grandmother used to say, sloppy speech equals sloppy habits, which equals a trip to hell in a handbasket.

Secure Development highlights of the week
Add XSSF to Metasploit Framework on Ubuntu  []
What is XSSF or the Cross-site Scripting Framework?
The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an existing connection with JavaScript loop refreshing in order to allow future browser-based attacks. After injection of the generic attack (resource "loop" generated by XSSF), each victim will ask the attack server (every "x" seconds) if new commands are available:
Clickjacking Defense  []
Stanford Web Security Research recently published a paper on clickjacking defense:
The Stanford defense is lacking because Internet Explorer requires the full body to be loaded before the script will execute properly. That means that you need the <style> element at the end of the document HEAD (so that it will override any other stylesheets or inline styles) and the <script> at the end of the BODY. It is too easy to mess up, especially on platforms with multiple templates and includes, and on longer pages it can make the page seem 'broken' since the script to display the body won't fire until the entire body is loaded.
Opera parser monster eats unicode  []
Whilst writing my own parser I found weird things in Opera's JavaScript parser. I was testing what the various browsers allowed with unicode escapes and it turns out Opera seems more lax than others. My discovery began with the following code:
try {eval('\\u0066\\u0061\\u006c\\u0073\\u0065');} catch(e) {alert(e);}
For the past several days I have been focused on understanding the inner workings of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings. The basis for this finding has actually been briefly discussed in a number of forum posts in Dropbox's official forum (here and here), but it doesn't quite seem that people understand the significance of the way Dropbox is handling authentication. So, I'm taking a brief break in my forensics-artifacts research, to try to shed some light about what appears to be going on from an authentication standpoint and the significant security implications that the present implementation of Dropbox brings to the table.
I recently came across a paper titled Faster Blind MySQL Injection Using Bit Shifting by Jelmer de Hen describing a technique that allows the retrieval of data from a MySQL database in only 8 requests per character using bit shifting; this is a slight improvement from the traditional Bisection method. This got me thinking on how information could be extracted from the database in even less amount of requests and after a few hours of fooling around, this is what I came up with.
Great News for IE9 Users!  []
The investors who are generously funding it, but want to stay anonymous for now, just authorized me to unveil a few details about the revolutionary project which I've been feverishly working on during the past months. What we're talking about is not merely a next-generation NoScript. No, we're talking about the ultimate security tool, nothing less, code named GoodScript.
GoodScript's key feature is the ability to detect and block malicious JavaScript and other active content before it can harm your web browser, while all the "good" code is automatically allowed to run untouched.
Spot the Vuln - Charming  []
For most security issues, I give the developer the benefit of the doubt. It's tough to keep track of all the corner cases and security nuances. For this diff however, there is no excuse.
First, let's cover what the patch fixes. On line 18, the developer was taking a tainted value passed via query string parameter and using that value to build HTML markup. This is XSS in its most classic form. Also, on line 58 the same tainted input is used to build the SRC attribute for an image tag, also resulting in XSS. The developer chose to encode both of these tainted values before using them in the HTML output.
Now, let's talk about the problems with this patch
Mozilla has announced that it is going to be more hands-on with add-on performance. According to Mozilla's Justin Scott, Product Manager for Add-Ons, the average add-on increases start-up time by about 10%; the actual impact in seconds depends upon the user's hardware and software. Scott says in his announcement that the company estimates that installing ten add-ons typically doubles Firefox's startup time. With this in mind, Mozilla is planning a range of initiatives to take on the bad performers.
Some Black Magic Python for n00bs  []
I had lunch with an old friend yesterday and we were discussing Python. He had a background in Perl and PHP so I knew some of the higher-order aspects of Python wouldn't be clear to him yet. He also had rudimentary knowledge of Python decorators, a tool I use all the time.
In an effort to help, I wrote up some code that demonstrates some of these concepts. I think it will be useful to readers of this blog too.
Linkedin es una de esas redes sociales supuestamente creadas para no ligar. Sí, y sorprendentemente funciona, pero lo cierto es que su éxito se debe a que la gente también la usa para ligar. Por eso yo también tengo Linkedin. Así es la vida.
Ayer, en Naked Security se quejaban de que la opción por defecto de permitir ver el correo electrónico de los participantes en un mensaje debería tener el otro valor por omisión. Es decir, que debería venir desmarcado el check box para que no dependiera del usuario, que se podía descuidar como deja bien claro que le sucedió a su compañero Pablo, que tiene su base en Madrid - ¡Pablo, estamos contigo! -

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Authentication Anti-Patterns

Do not implement any of these features - they are either dangerous, illegal, ineffective, or all of the above.

Default Accounts

Do not ship your software with any default accounts such as "YourProductName", "sa", "root", "administrator", or any hard coded service accounts. Do not include any screen shots or text in the documentation indicating a preferred username or password for a particular application ID or service.

Remember Me

Implementing remember me functionality can be incredibly hard. Often software will just embed the username and password in headers or cookies, or a hash or crypto blob of the same. Based upon your risk profile, your application:

- High value applications MUST NOT possess remember me functionality.
- Medium value applications SHOULD NOT contain remember me functionality. If present, the user MUST opt-in to remember me. The system SHOULD strongly warn users that remember me is insecure particularly on public computers
- Low value applications MAY include an opt-in remember me function. There should be a warning to the user that this option is insecure, particularly on public computers.
ESAPI's reference implementation has basic "remember me" functionality based upon an AES encryption of the username and password, but this is not recommended for medium value systems, and should be used with care on low value systems.

Hard Coded Credentials

Do not include any credentials in your source code, including (but not limited to) usernames, passwords, certificates, token IDs, or phone numbers.

Such constants belong in properly protected properties or configuration files. ESAPI has an encrypted properties mechanism you can use to protect clear text credentials in such files.

Source: link

Have a great weekend.