Security Weekly News 19 November 2010 – Summary

Feedback and/or contributions to make this better are appreciated and welcome

Highlighted quotes of the week:

“Technology alone will not protect you from the insider threat” – Pat Kirwan (at IRISSCON)

“Allocating security investments based upon asset valuation sounds like a good idea, and indeed it is. But doing so is difficult because when CFOs track
corp assets, websites are not included, even when the entire business flows through them.” – Jeremiah Grossman

“Awesome #FAIL: CakePHP – Remote PHP Code Execution Vulnerability through a malicious CSRF Security Token” – Steffan Esser

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Cloud Security, Privacy, Tools, Mobile Security, General, Funny

Highlighted news items of the week (No categories):

Not patched: Mozilla Firefox 3.6.12 Remote Denial Of Service, Cisco Videoconferencing Products Contain Vulnerable Credentials

Patched: Adobe Reader X Released (with new protected mode sandbox), Security updates available for Adobe Reader and Acrobat, VLC Media Player 1.1.5 fixes Windows vulnerability, RedHat – Important: systemtap security update, Mac OS X Server v10.6.5 (10H575), Google Issuing Fix For Latest Android Vulnerability Disclosure

 
The email scandal that blew up in recent days when it emerged male workers at leading accountancy firm PricewaterhouseCoopers had shared a top 10 ranking of
female colleagues highlights the importance of unambiguous acceptable usage policies in the workplace, a leading security expert said.
Honan said the typical non-technical email risks that organisations are faced with usually begin with the leak of confidential information by email, either
as attachments or copied and pasted into the body of an email.
The next threat – as demonstrated by what happened at PwC this week – is the reputational damage caused by the content of emails, such as inappropriate
jokes or the use of abusive, derogatory or defamatory comments about colleagues, customers or competitors.
Another situation that could arise is the organisation – not the individual – being held responsible for the intentional or unintentional distribution of
copyrighted material, such as software, music or video files, which could lead a company into a breach of copyright case.

 

 

 
IT security becoming a higher priority in many organizations, CompTIA reports
Sixty-three percent of U.S. organizations have experienced at least one security incident or breach during the past year, according to a new study released
today.
Almost half of the breached organizations classified the situation as ‘serious’ — meaning there was a financial threat, potential damage to the
organization’s reputation, or other business-critical problem, according to the Computing Technology Industry Association’s (CompTIA’s) 8th Annual Global
Security Trends Study.
Human error is the perceived cause for 59 percent of security incidents, according to the study. Forty-one percent are perceived as technology errors. The
element of human error that most contributes to security breaches? Failure of end users to comply with security policies, which was cited by 49 percent of
respondents.

 

 
Malware growth reaches record rate [www.infosecurity-magazine.com]
Malware growth has reached its highest levels, with an average of 60 000 new pieces of malware identified every day, according to the latest threat report
from security firm McAfee.
Cyber criminals are becoming more savvy and attacks increasingly more severe, said the threat report for the third quarter of 2010.
The Zeus botnet is identified as one the most sophisticated pieces of malware to plague users, with US small businesses losing $70m to Ukrainian
cybercriminals.
Most recently, cybercriminals unleashed the Zeus botnet aimed at mobile devices, designed to intercept SMS messages to validate transactions. As a result,
the report said criminals can perform the full bank operation, stealing funds from unsuspecting victims.

 

 
Why Counting Flaws is Flawed [krebsonsecurity.com]
Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used
software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the
relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.
The reality is that these types of vulnerability count reports – like the one issued this week by application whitelisting firm Bit9 – seek to measure a
complex, multi-faceted problem from a single dimension. It’s a bit like trying gauge the relative quality of different Swiss Cheese brands by comparing the
number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous
and – even humorous – conclusions.

Cloud Security highlights of the week

 
FedRAMP Requirements Aimed to Easy Cloud Computing Adoption
The White House Tuesday issued a draft document detailing requirements to secure cloud computing in the federal government as part of FedRAMP, the Federal
Risk and Authorization Management Program.
The 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing is aimed to ease the process for government agencies to adopt
cloud computing by defining common security and risk assessment requirements that qualified private contractors must meet.

 

 
AWS Free Usage Tier [aws.amazon.com]
To help new AWS customers get started in the cloud, AWS is introducing a new free usage tier. Beginning November 1, new AWS customers will be able to run a
free Amazon EC2 Micro Instance for a year, while also leveraging a new free usage tier for Amazon S3, Amazon Elastic Block Store, Amazon Elastic Load
Balancing, and AWS data transfer. AWS’s free usage tier can be used for anything you want to run in the cloud: launch new applications, test existing
applications in the cloud, or simply gain hands-on experience with AWS.
Below are the highlights of AWS’s new free usage tiers. All are available for one year (except Amazon SimpleDB, SQS, and SNS which are free indefinitely)

Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):

 
Network-Based File Carving [blogs.cisco.com]
In this blog post you will first learn what file carving is and, with a simplified example, why it’s useful. Next you will learn how this powerful technique
has been applied to the network and how its utility has been expanded beyond just forensics. We will talk about several tools in this article, but specific
attention will be paid to the NFEX network file carving tool.
What is File Carving?
File Carving, sometimes contextually shortened to “carving,” is the name given to the technique of extracting files from a data source. It is a specialized
practice where files are located and extracted from a stream of bytes without having to rely on filesystem metadata. Most often, files are located by
searching for a specific “magic number” byte-code called a header and carving out the logically contiguous bytes in between it and a closing code called a
footer. A large list of these headers and footers is actively maintained on the File Signatures website.

 

 
Episode #121: Naughty Characters [blog.commandlinekungfu.com]
Hal has friends in low places:
This week’s Episode comes to us courtesy of one our loyal readers who had a bit of a misadventure with vi. The intended keyboard sequence was ‘:w^C’,
aka ‘save the file, oh wait nevermind’. Unfortunately, there was a bit of a fumble on the ^C and the command that actually got entered was ‘:w^X’,
aka ‘save the file as ‘^X”. Whoops! My friend Jim always says that ‘experience is what you get when you don’t get what you want.’ Our loyal reader was
about to get a whole bunch of experience.
Even listing a file called ^X can be problematic. On Linux and BSD, non-printable characters are represented as a ‘?’ in the output of ls. But on older,
proprietary Unix systems like Solaris these characters will be output as-is, leading to weird output like this:

 

 
A TechEd Europe attendee asked Marcus Murray about password auditing. He expressed his worry about the confidentiality of audited passwords. This question
reminded me about an often overlooked feature of Windows: password filters.
A password filter is generally used to implement custom password policies, but can also be used for password auditing and pentesting purposes. It is a DLL
loaded by the LSA (on a stand-alone machine or a domain controller) and called each time a new password is set. The DLL is designed to check the new
password according to custom password policies, and reply back to the LSA if it accepts the new password or rejects it.

 

 
DNSSEC can help protect your organization from critical Internet threats. But how does it work? This short guide will help you get started
What Is DNSSEC?
DNS Security Extension (DNSSEC) aims to curb these emerging DNS-based attacks. By extending the capabilities of DNS servers and resolvers to look for new
record types — and understanding what and when to trust — organizations can eliminate attacks that exploit lack of authenticated responses and provide
authenticated denial-of-existence.
To understand DNSSEC, you need a basic grip of how DNS works. DNS is a mapping of a friendly name to an IP address, such as darkreading.com maps to
66.77.24.10. It was created to allow users to easily connect to IP systems and their services. Because there are different types of services and redundancy
required for some of these services, there are different record types within DNS.

 

 
Microsoft’s Windows operating system, running on a 64-bit machine provides enhanced security with driver signing of system and low level drivers. This
policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded. [1.]
The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned
driver to load.

 

 
When Internet ARPAnet was invented in the seventies, its goal was to interconnect military resources using packets based networks and to be strong enough to
resist to “attacks”. Loosing some devices in the network could not affect the communications. Later, the same technology was re-used to build the public
network that you still use today to read to article: the Internet!
But the networks becoming more and more interconnected and complex, it was mandatory to develop protocols to dynamically route all of them. There are many
routing protocols like RIP, OSPF and… BGP!

Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):

 
SSL Implementation Security FAQ [ferruh.mavituna.com]
Etiketler ssl, faq, security, web application security, secure development, english, cat-security, cat-featured, 14.05.2008
SSL Implementation Security FAQ is about implementing SSL in web and desktop applications. This FAQ doesn’t cover issues directly related with SSL/TLS. Only
covers issues related with implementing SSL in applications.
Most of these are common mistakes during the implementation of SSL in the applications. These recommendations are especially critical for e-banking, e-
commerce and similar websites.

 

 
Announcing Release of CRS v2.0.9 [blog.modsecurity.org]
I am pleased to announce the release of the OWASP ModSecurity Core Rule Set (CRS) v2.0.9.
The most significant change is that users can now easily toggle between Traditional or Anomaly Scoring Detection modes.

 

 
Let’s start this conversation by postulating 3 immutable Laws of Application Security Testing (LAST):
1) No static application security testing tool (SAST) can catch 100% of software vulnerabilities during development (though tools like HP’s Fortify SCA do
an extremely thorough job);
2) No black box testing/DAST tool can find 100% of the application vulnerabilities in live applications (though HP WebInspect identifies hard-to-find
vulnerabilities, undetectable by traditional scanners, in the world of Web 2.0 and increasingly complex web apps);
3) #1 and #2 are always true even if, as Voltaire’s Dr. Pangloss erroneously states in Candide, we live in the ‘best of all possible worlds.’ In security,
even the most forward-thinking organizations are riddled with strategy shortfalls, cost/benefit sacrifices, staffing holes, faulty implementations, and
plain old human error.

 

 
Posted by Michael Coates on 11/11/2010
Strict Transport Security is a great solution to protecting against Firesheep
Now ultimately the vulnerable website is supposed to fix this issue on their side. But, let’s not wait around for them. Let’s fix it on our side and protect
our traffic now.
Step 1: Grab a browser that supports Strict Transport Security (Firefox 4 & Google Chrome both support STS)
Step 2: Install an addon that lets you add specific STS settings – STS-UI
Step 3: Configure STS-UI for the sites you’re concerned about
Step 4: Be happy your data is more secure. However, securely transmitting data is only one piece of the security pie. But at least you’re good in that
department.

 

 
This technology agnostic document defines a set of general software security coding practices, in a checklist format, that can be integrated into the
software development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.
Table of Contents
Introduction
Software Security and Risk Principles Overview
Secure Coding Practices Checklist
Input Validation
Output Encoding

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

 

Building Out Your Enterprise Security API

Using list of user interface, business and security functions and the mappings you have already done, and the ESAPI design patterns, you are ready to create your own Enterprise Security API.

Determine the ESAPI Design Pattern for YourAPI

The ESAPI project has built-in support for Singleton Pattern, the Extended Singleton Pattern and the Extended Factory Pattern. Details are available in esapi-design-paterns.pdf.

Create ESAPI Objects

Within the ESAPI, there are 12 interfaces:
  • accessController
  • encoder
  • encryptor
  • executor
  • httpUtilities
  • intrusionDetector
  • defaultAuditor
  • auditorFactory
  • randomizer
  • securityConfiguration
  • validator
  • sanitizer
Implement each of these interfaces for you particular purposes. Include proper documentation for their use.

Create a HOW TO for your Developers

Unless the API is developer-friendly, the implementation will be difficult at best. Make it easy for them to be more security conscious.

Next step – Developer Training

Source: link

Have a great weekend.