Security Weekly News 13 January 2011 – Summary

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
“Its long past time to hit Ctrl-Alt-Del on the security budget, I propose the Infosec Flat Tax as a better way forward. I hope that CIOs will read this post, do their own math, and have a frank debate with their security teams.” – Gunnar Peterson
“Tip: dont tell a good pentest team something “isn’t possible” Anything is possible w/ enough caffeine” – Jack Mannino
“Saying tech stops APT is like saying the Great Firewall of China stops Western cultural influence. Technology doesn’t beat determination.” – Richard Bejtlich
“You’re only 20ms away from every creep on the planet” – Mike Poor
“At some point, the rest of the world will realize that if you give us a binary, that binary is open source.” – Lurene Grenier
“The more high-level a programming language, the more people that could have messed something up…” – Joshua J. Drake
“If you don’t have any zero-days, you can always go back to exploiting the human!” – Daniel Wesemann
“The deceased are also targets for ID Thieves. Once you die, so do your legal rights. DPA is about protecting the personal data of the living. Data Protection Act (DPA) is so outdated, it was put together before the Internet took off & has never been updated for the Information Age” – Dave Whitelegg
“Security is most successful when no one knows they are there, but the organization still experiences only acceptable losses.” – Rich Mogull

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Cloud Security, Physical Security, Mobile Security, Privacy, Social Engineering, General, Tools, Funny

Highlighted news items of the week (No categories):
Not patched: Microsoft Tuesday patches omit known vulnerabilities
Updated/Patched: January 2011 Microsoft Black Tuesday Summary, Microsoft’s January Patch Tuesday: 3 fixes but 5 holes unpatched, Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server, PHP 5.3.5 / 5.2.17: Floating-Point bug fixed, Mono ASP.NET source code disclosure vulnerability, Mac OS X 10.6.6 updates security and introduces App Store, MediaWiki 1.16.1 fixes clickjacking issue

As practiced in many companies, Information Security is a confused discipline. There are many contributing factors, but the fact that security budgets are misspent is a leading reason. The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, they are not spent on where the threats and vulnerabilities lie, rather they are spent on infrastructure which happens to be the historical background and hobby interest of the majority of technical people in the industry.
The new Fine Gael websitehas been generating a lot of press coverage and social media discussions lately. From a Fine Gael point of view though, most of that coverage is not the type of coverage they wished for their shiny new website. Last week Daragh O’Brien blogged about concerns over the hosting of the website in the US and the potential issues surrounding compliance with the Data Protection Act and using providers outside of Ireland and the EU. That issue was then picked up by a number of media outlets such as The and The Irish Times. The comments on the piece are worth reading as they go into more detail on the actual issue, while the Irish Times piece has a quote a Fine Gael spokesman from saying that the site was “absolutely secure”.
A review of the force’s response to cybercrime has been ordered by garda authorities as international studies confirm the flourishing trade in illegal transactions.
The scale of the crimes has not yet been determined, but it is estimated that global corporate losses alone stand at around €750bn a year.
Most people owning a PC are familiar with Microsoft’s patching process – it’s easy and it’s there. For a lot of them, it also gives the impression that Microsoft’s products are chock-full of flaws.
But, according to Stefan Frei, Research Analyst Director with Secunia, it’s not the vulnerabilities in Microsoft’s products we should mostly worry about, but those in third-party software.
Europol says the EU is now a key cybercrime target  []
A report issued today by Europol claims to show that the European Union is a key target for cybercrime because of its advanced internet infrastructure, rates of adoption and increasingly internet-mediated economies and payment systems.
And, says the European Union law enforcement agency, as internet connectivity continues to spread, EU citizens and organisations will be subjected both to a larger volume of cyber-attacks, and to attacks from previously underconnected areas of the world.
In its Threat Assessment on Internet Facilitated Organised Crime – iOCTA – report, the agency says that EU member states already rank amongst the most highly infected countries in the world when it comes to computer viruses and malware.
Which of the many information security controls that an organization could implement should it focus on implementing? I don’t think one can answer this question in a generic sense, especially since there is little data to indicate what actually, really works in security. However, I can recommend a few starting points for building a security program.
The authoritative framework published as part of ISO 27001 and 27002 lists numerous controls, many of which are relevant to enterprises looking to manage information security risks. Yet, where should one start? Which of the measures are most important, providing the most bang for the buck? ISO 27001 highlights the importance of undergoing a risk assessment to decide which of the controls are relevant for the particular organization. Unfortunately, many companies don’t know how to conduct a risk assessment or, having conducted one, didn’t get much out of the exercise.

Cloud Security highlights of the week

Cloud Vendor Taxonomy  []
The Cloud is here to stay. Already we are seeing stabilisation in the marketplace with some clear leaders emerging. Our Cloud Vendor Taxonomy chart is an attempt to delineate some of the relationships amongst the key players and also allow us to define new entrants. It’s not a hard and fast mapping (for instance OCCI is both a standard and a reference implementation) so expect the borders to be a little blurry.
At the bottom we have the virtualization vendors who provide the core substrate on which all “for sale or rent” clouds get built. One could argue that one of the key enablers of cloud computing is the advent of cheap ubiquitous virtualisation technology. Intel hegemony certainly helped. The gorilla in the marketplace here is VMware, with a huge footprint gained by promoting server virtualisation in enterprises. However the product has been historically expensive (though this is changing in response to significant competition) which opened the door to VMware’s major competitor Xen, an open source alternative which is now part of the Citrix stable.
Adobe To Detail Cloud DoS Attacks  []
It isn’t popular to criticize cloud computing these days, even if Google, Amazon and Microsoft need to employee marketing armies to alleviate security concerns of potential customers. Adobe may crash the cloud party as a security engineer is scheduled to detail a recent discovery of a particularly nasty DoS vulnerability in PHP code.
If you believe the current cloud pitch, the best decision you can make for the security of your data is to move to the cloud. Billion-dollar data centers can provide a security level the average Joe can never match and if your bathroom sink happens to trash your notebook, you can be calm as your data is safely stored in the clouds above. Despite the story we hear, we should not forget that vulnerabilities will continue to exist and, if exploited quickly, could affect a much greater number of users than before

Secure Network Administration highlights of the week (please remember this and more news related to this category can be found here: Network Security):

PlugBot Demo  []
IPv4 to IPv6 – CIOs Who Haven’t Planned for IPv6 Transition Need to Act Now
The Internet’s supply of IPv4 addresses is quickly becoming empty, setting the clock ticking on the final exhaustion of the Internet numbering plan that the world has used for over three decades. Expected to occur in March of 2011, the event will be a wake-up call for connected organizations everywhere. It is clearer than ever before that IPv6 transition plans are urgently needed. Once all IPv4 addresses are depleted, organizations will only be able to receive IPv6 address space.
Solving problems with proc  []
Posted in System administration on January 11th, 2011 by keegan – 21 Comments
The Linux kernel exposes a wealth of information through the proc special filesystem. It’s not hard to find an encyclopedic reference about proc. In this article I’ll take a different approach: we’ll see how proc tricks can solve a number of real-world problems. All of these tricks should work on a recent Linux kernel, though some will fail on older systems like RHEL version 4.
Almost all Linux systems will have the proc filesystem mounted at /proc. If you look inside this directory you’ll see a ton of stuff:
dating an intrusion with flow data  []
One of my Ubuntu dev boxes was broken into. While the box isn’t vital, I’ll still need to reinstall an operating system and set it back up for the developer. I want to know where the attack came from and what the intruder did. I cannot trust the logs on the system, but I can trust the flow data from our upstream router.
I’ve changed my IP addresses, but remote addresses are left unchanged. Here I examine my flow data from 1 January 2011, and remove IP addresses I expect to contact this machine.
Transitional Myths  []
I’d like to continue this mini-series of articles on IPv6. I attended the RIPE 61 meeting this month, and, not unexpectedly for a group that has some interest in IP addresses, the topic of IPv4 address exhaustion, and the related topic of the transition of the network to IPv6 has captured a lot of attention throughout the meeting. One session I found particularly interesting was one on the transition to IPv6, where folk related their experiences and perspectives on the forthcoming transition to IPv6.
I found the session interesting, as it exposed some commonly held beliefs about the transition to IPv6, so I’d like to share them here, and discuss a little about why I find them somewhat fanciful.
Shared libraries that are dynamically linked make more efficient use of disk space than those that are statically linked, and more importantly allow you to perform security updates in a more efficient manner, but executables compiled against a particular version of a dynamic library expect that version of the shared library to be available on the machine they run on. If you are running machines with both Fedora 9 and openSUSE 11, the versions of some shared libraries are likely to be slightly different, and if you copy an executable between the machines, the file might fail to execute because of these version differences. With ELF Statifier you can create a statically linked version of an executable, so the executable includes the shared libraries instead of seeking them at run time. A staticly linked executable is much more likely to run on a different Linux distribution or a different version of the same distribution.
What the cloud giveth, the cloud taketh away too. In a perfect example of the power of the cloud being used harnessed for ill will a researcher in Germany, Thomas Roth has written a program and will demonstrate it next month at Black Hat DC that uses Amazon’s EC2 to “brute force” WPA passwords. This could allow hackers onto your wireless network and access your confidential data.
Of course WEP, another form of wireless security has long been known to be vulnerable. On the other hand it was believed that the computing power necessary to brute force WPA passwords put it out of the reach of most hackers except maybe government backed attacks. But with the power of the cloud behind you many things are possible.
This antenna is one of the easiest and cheapest things you could build to extend the range of your wifi network. Most of the materials are probably sitting in your cupboard right now so it really can be built on a shoestring budget.
Bill of Materials:
Two milo tins or similar
F-Type chassie mount
Pig tale for F to Sma
Short piece of copper wire
Tin snips
Can Opener
Soldering Iron
Drill Bit
Metasploit payload delivery with WMI  []
PSEXEC is great, but for a number of reasons (e.g. antivirus, system modification prohibited by rules-of-engagement) it’s not always the best choice for delivering a Metasploit payload. I started digging around the Internet for an alternative and found some potential with WMI. The WMIC.EXE on Windows and the WIn32_Process class support command execution with the “PROCESS CALL CREATE” command. Looked promising!
WMIC PROCESS CALL Create “calc.exe”

Secure Development highlights of the week (please remember this and more news related to this category can be found here: Web Technologies):

Interesting bug here. In 2008, Stefan Esser reported a bug to the PunBB team which described a SMTP command injection vulnerability. If we look at the code below, we see that PunBB opens a socket connection to a SMTP host and passes various user/attacker controlled values to the SMTP server. Because of this setup, it is possible to craft a SMTP message that tricks the SMTP server into thinking the data provided for the message is completed, and executes any data that follows as SMTP commands. The attacker accomplished this by injecting Carriage Return and Line Feed characters following by a period character on a line by itself (as defined in RFC 821 – SMTP). The PunBB developers addressed this vulnerability by sanitizing CRLFs and period characters.
HTML5 WebSockets are really a great feature for current web development. They allow you to set up a bi-directional TCP connection between a browser and a server. Sure, the protocol is being constantly updated, has it’s own issues, which will probably mean it won’t be ready for Firefox 4. But still, I think it’s great way to make the current web applications more responsive.
That being said, developers must know that using WebSockets will always have some security issues. Just to name the few:
* the client can be spoofed (it doesn’t have to be the browser)
* ws:// server can’t be trusted (MiTM attacks)
* you need to handle the authentication
* the communication over ws:// protocol is plaintext.
This week’s installment of Detecting Malice with ModSecurity will discuss how to detect and prevent Cross-Site Request Forgery (CSRF) Attacks.
Example CSRF Section of Robert ‘Rsnake’ Hansen’s book ‘Detecting Malice’ –
One form of attack that is widely found to be present on most websites is cross site request forgery (CSRF). Basically, an attacker can force a victim’s browser to connect to your site, and perform functions, like change password, change email address, and so on, unless you have some protection in place to defend yourself. The reason why CSRF is so difficult is because the Internet was designed to allow a user to connect to anything they wanted to from anywhere they wanted to, given there was a routable address. Unfortunately that leads to the possibility of attack. Here’s the process flow:
AppSecEU2011  []
The biggest application security conference in Europe will take place at Trinity College Dublin in gorgeous Dublin, Ireland on June 6th through 10th 2011. There will be training courses on June 6th, 7th and 8th followed by plenary sessions on the 9th and 10th with each day having at least three tracks. AppSec EU may also have BOF (informal adhoc meetings), break out, or speed talks in addition to the standard schedule depending on the submissions received.
If you have any questions, please email the conference chair: ireland at
In the design of a system, one of the strongest influences on that system’s security is the complexity of its design. Studies suggest that for most nontrivial software there is a nearly linear, direct relationship between the number of lines of code and the number of bugs in the software, all else being equal. Right away, this tells us that if we can, we should design simpler software.
That “all else being equal” qualifier is an important part of the whole situation, however. Playing golf with your code – trying to complete a program in as few (key)strokes as possible – changes the conditions within which the relationship between line count and bug count takes shape. This is in part because golfing your programs down to minimal source code size can actually make it much harder to read, and thus harder to maintain, improve, and debug.
Oddities of PHP file access in Windows  []
Notorious web development language, PHP, is under constant watch of the hackers, security researchers and other persons who just love to tinker around some stuff. Numerous vulnerabilities and bugs of PHP interpreter regularly highlights bug-tracks, wakes up administrators and burdens the minds of web site owners. And we never can know what nifty tricks PHP interpreter had reserved for our next day. In this paper we will describe details about how PHP treats file names on Windows operating systems, regarding the presence of different fuzzy characters
What language does that browser speak?
Web developers looking to play with the new features in HTML5, CSS 3 and other NEWT tools are still struggling with incomplete and inconsistent browser support. While HTML5 and its siblings are far from perfect (and complete), that doesn’t mean you can’t use them; it just means using them is a little more complicated since you need to detect the current browser’s level of support and then adjust accordingly.
One of the easiest ways to detect the current web browser’s level of HTML5 support is the Modernizr JavaScript library. We’ve covered Modernizr several times in the past and it’s a great addition to any HTML5 toolkit.
A couple months ago I decided to finally dig in and see whether WAFs (Web Application Firewalls) are really useful, or merely another crappy shiny object we spend a lot of money on to get the auditors off our backs.
Sure, the WAF vendors keep telling me how well their products work and how many big clients they have, but that’s not the best way to figure out whether something really does the job. I also talk with a bunch of end users who provide darn good info, but even that isn’t always the best way to determine the security value of a tool. Not all users have good visibility and internal controls to measure the effectiveness of the tool, and many can’t deploy it in an optimal manner due to all sorts of political and technical issues.
Wayback WebApp Hacking  [] allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page that has for a given domain.
This is great for enumerating a web applications, many times you’ll find parts of web apps that have been long forgotten (and usually vulnerable).
This module doesn’t make any requests to the targeted domain, it simply outputs a list to the screen/or a file of all the pages it has found on

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

Input validation

-Any input that is accepted and processed from a user or other application (in the case of web services) should be validated against a list of known good parameters (white list) versus looking for bad or malicious syntax (black list). All data from other sources such as client or other applications should be treated as malicious and only a pre-defined set of characters are allowed and thus will be processed by the application.

-It is worth noting here that an application firewall would be a nice design addition to provide a consistent base layer check for all remotely accessible applications so that all input validation checks are not reliant on individual developers. An application firewall should never take the place of server side validation but only to enhance a defense in depth methodology.

-All validation must be validated by server-side controls and not through client side checks such as through Javascript. While it is common to run client side checks to eliminate excessive client requests to the server and wasted CPU utilization and bandwidth the server should always validate these requests as client side checks are trivial to bypass

Source: link

Have a great weekend.