Security Weekly News 25 February 2011 – Summary

Quick note: As there seems to be an interest in mobile security, I have decided to include that section of the full news in the summary, so the order of the summary will now be: business case for security, cloud security, mobile security, network security, web technologies, OWASP secure development guide snippet. You can always go to the full news for hacking incidents, privacy, funny, etc. as usual. Please let me know what you think.

Feedback and/or contributions to make this better are appreciated and welcome.
Highlighted quotes of the week:
“If a company does not know the value of the information and the other assets it is trying to protect, it does not know how much money and time it should spend on protecting them” – Shon Harris
“All security controls, mechanisms, and procedures must be tested on a periodic basis to ensure they properly support the security policy, goals, and objectives set for them” – Shon Harris
“Users should be an extension to a security team, not the opposition” – Shon Harris
“It has to be simpler. It’s too hard to write secure software, too easy for even smart programmers to make bad mistakes – it’s like having a picnic in a minefield. The tools that we have today cost too much and find too little. Building secure software is expensive, inefficient, and there is no way to know when you have done enough.” – Jim Bird
“Why even bother with password complexity if i cant use special characters??!! recode your app to suck less” – Chris Gates
“My personal opinion, there should be a support group for the spouses of security consultants.” – Ken Johnson

To view the full security news for this week please click here (divided into categories; there is a category index at the top). The categories this week include (click to go directly to what you care about): Hacking Incidents / Cybercrime, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Cloud Security, Mobile Security, Privacy and Censorship, General, Tools, Funny

Highlighted news items of the week (No categories):
Not patched:
Updated/Patched: Release Notes: Important Issues in this Release of Windows 7 with Service Pack 1, Microsoft's virus scanner causes security problem, Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate, [SECURITY] [DSA 2171-1] asterisk security update

 
Social networking will be the attacker platform of choice in 2011, says Ed Skoudis, founder and senior security consultant with InGuardians.
'But organisations will also have to look out for attacks using memory-scraping, lessons learned from Stuxnet, hardware hacking, and exploiting lack of defences around Internet Protocol version 6 (IPv6),' he told attendees of RSA Conference 2011 in San Francisco.
Skoudis, who has also authored and regularly teaches the SANS Institute courses on network penetration testing and incident response, said the 'bad guys' always move to where the action is, which is now social networking sites like Facebook and LinkedIn.
 
The 2010 Internet Crime Report was released today by the Internet Crime Complaint Center (IC3). The report demonstrates how pervasive online crime has become, affecting people in all demographic groups throughout the country. In 2010, IC3 received 303,809 complaints of Internet crime, the second-highest total in IC3's 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than 2 million Internet crime complaints.
The 2010 Internet Crime Report provides specific details about various crimes, victims and perpetrators, as well as state-specific data. It also outlines how IC3 has adapted its methods to meet the needs of the public and law enforcement.
IC3 received and processed an average of 25,317 complaints per month in 2010. Non-delivery of payment or merchandise accounted for the most complaints (14.4 percent). Scams using the FBI's name (13.2 percent) and incidents of identity theft (9.8 percent) rounded out the top three types of complaints.
 
Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)2 survey reports
Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to 'information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.'
'In the modern organization, end users are dictating IT priorities by bringing technology to the enterprise rather than the other way around,' said Robert Ayoub, global program director for network security at Frost & Sullivan. 'Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide … They are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands.'
 
Unless you've been living under a stone for the last couple of weeks, you will have heard about the HBGary Federal hack. Seeing everything published about this probably makes every security professional think for at least a second, 'Could this happen to me too?'.
As most details about how the attack was carried out have already been published (for example, see http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars), we can now look at all the exploited vulnerabilities.
 
Email, IM fall lower on the list; malware authors take note and respond accordingly, Blue Coat says
U.S. users spend more of their online time on social networks than on anything else — and malware authors are following suit, according to a study published today.
According to Blue Coat's 2011 Web Security Report, U.S. users spend about 906 million hours on social networks each month — more than twice as many as they spend on online games (407 million hours) and email (329 million).
Attackers recognize this trend and are responding in kind, the study says.
 
Heartland 2010  [1raindrop.typepad.com]
This is the fourth in a series of posts looking at Heartland's share price and business performance.
In November I looked at the trouble their share price has had and how they have underperformed the market and their peers. There are some studies out there showing that share prices are not affected by breaches, but it sure looks like the shares took a hit in this case.

Cloud Security highlights of the week

 
Cloud computing has become an integrated part of IT strategy for companies in every sector of our economy. By 2012, IDC predicts that IT spending on cloud services will grow almost threefold, to $42 billion. So it's no surprise that decision makers no longer wonder "if" they can benefit from cloud computing. Instead, the question being asked now is "how" best to leverage the cloud while keeping data and systems secure.
 
ISF shares seven deadly sins of cloud computing  [www.infosecurity-magazine.com]
At the (ISC)2 Secure Leadership Conference at the BT Headquarters in London on 8 February 2011, Adrian Davis, principal research analyst at the ISF (Information Security Forum), shared with the audience what he considers to be the seven deadly sins of cloud computing.
"ISF's view of the cloud is shifting", Davis told his audience. "As an industry, we have technology definitions that we are happy with, acronyms and terminology like 'platform as a service', that no-one else uses. Most of society doesn't actually get what we are talking about."
Organizations, he says, are concerned about costs and "getting rid of the IT team in the basement". Sometimes, this means cutting information security completely out of the loop, leaving those responsible for security unable to influence the decision.

Mobile Security highlights of the week

 
Wireless Wisdom  [ecrimewales.posterous.com]
Dr Les Pritchard of e-Security specialists Fiasa (Forensic Investigation and Security Advice) outlines the risks faced by business people using wi-fi or 3G to access the internet while on the move and the precautions they must take. In addition he highlights how those who offer wi-fi access to others need to protect themselves against improper use that could leave them wide open to criminal charges or expensive lawsuits.
 
A new mobile phone virus has been discovered to have infected 150,000 people in China allowing hackers to remotely monitor calls, according to the Beijing Times on Wednesday.
The virus, named X Undercover, takes advantage of existing vulnerabilities in smart phones by forcing the three-way calling service to secretly open. Conversations and text messages can be monitored and copied after the virus breaks into the calling sequence, said Zou Shihong, a security expert with NetQin Mobile Inc.
 
To date, Russian antivirus program vendor Kaspersky has found nearly 2,000 viruses, Trojans, and other threats for mobile devices. At the Mobile World Congress (MWC), the company's founder Eugene Kaspersky told The H's associates at heise Online that although that figure is nothing compared to the number of Windows contaminants, it is nonetheless rising exponentially.
 
While you can't fully backup and restore everything if you lose your jailbreak in a software upgrade or restore, AptBackup is a free app available in Cydia that can help alleviate the trouble of getting all your jailbreak apps back where they belong.
The backup and restore process is very easy. To back up, just launch AptBackup. To restore all your apps, you'll need to re-download AptBackup from Cydia. Once you do, all you have to do is press the restore button. This will automate the process by re-downloading all the necessary apps from Cydia to your iOS device. While it can't restore settings, it does take the tedious work out of setting things up every time you upgrade.
 
Mac OS X: iTunes backs up your iOS device's settings each time you sync, but it doesn't even come close to backing up the device in its entirety. If you want a complete backup of your device, you can do it easily with an application called PhoneDisk and the wonderful command-line utility rsync.
 
Microsoft has revealed that 1 in 10 users who tried to install a software update on their Windows mobile experienced problems.
The company had previously said that only a 'small number' of handsets were affected. http://www.bbc.co.uk/news/technology-12564651?utm_source=twitterfeed&utm_medium=twitter
ZeuS in the Mobile is back
Yesterday, Polish Security Consultant and blogger Piotr Konieczny wrote (Polish) about a new wave of ZeuS trojan attacks. This time, it took place in Poland and it was directed against customers of ING Bank.
The samples used in this attack run on a number of platforms: Trojan-Spy.Win32.Zbot.bbmf for Windows, Trojan-Spy.SymbOS.Zbot.b for Symbian and Trojan-Spy.WinCE.Zbot.a for Windows Mobile. Yes, this time ZeuS in the Mobile (ZitMo) targets users of Windows Mobile smartphones too.
 
Motorola XOOM Rooted  [www.koushikdutta.com]
Since it's another Google experience device, and ships with fastboot support (albeit, limited), it really does come rooted out of the box. Just needed to figure out the board kernel base, and compile up a new kernel.
Unfortunately the kernel was not available in the Android repositories. At first, I tried using the Harmony kernel, since they are both tegra 2 250 chips. That turned out to be major fail. As soon as I was about to give up, I noticed that AOSP had updated their tegra kernel repository with some new tasty branches for stingray. Kudos to these guys for being so on the ball! I was able to compile that up and get a working recovery to obtain root, and then get Superuser on the device.
I also built up a recovery, but due to a nonfunctional SD card slot (until they release a firmware update that enables the slot), nothing really works. That will come later.
Here are the instructions to root your device (this assumes you have adb and fastboot installed on your computer):
 
Kindle 3.1 Jailbreak  [hackaday.com]
In the constant battle of manufacturers vs. jailbreakers, the turnaround time between a new software release and a new jailbreak seems to be getting shorter and shorter. [Yifan] noticed that a recent Kindle update broke a previous method of running unsigned code and started the search for a new workaround.
He eventually found a way to force the Kindle to run unsigned code based upon how the software update checked for digitally signed files. With that knowledge in hand, he discovered that he could trick the updater to run any file he wanted by exploiting the standard functionality found in the Unix 'cat' command.

Secure Network Administration highlights of the week

 
Bluehat talk
 
Please Read
If you have previously used a W7 RDP 'patch' please rename or delete %SystemRoot%\system32\termsrv.dll.bak prior to running the updated script. Sorry for any inconvenience caused.
If you've been following MissingRemote for a while, you know one of our most popular series of guides is Enabling Concurrent Remote Desktop sessions. Continuing that trend we have an updated process below working with the RTM (Official Release to Manufacturing) version of Windows 7 Ultimate, Professional, Home Premium and Enterprise Editions, x86 & x64 build 7601, Service Pack Build 1130.
 
I will use this post to collect some of the problems we are hearing about with Windows 7 SP1 and Windows 2008 R2 SP1. Right now, there is no urgent reason to install this service pack and it should be tested first.
A few areas to watch:
– Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. The same goes for anti-virus: some anti-virus products monitor system files for changes and may sound an alert or block the installation of SP1.
– Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.
 
Many solid state disks (SSDs), and other flash media such as USB flash drives and memory cards, cannot be securely wiped by software alone. Even after repeatedly overwriting the entire disk, traces of the original data may remain in the memory cells of NAND Flash chips. These traces cannot usually be accessed via the storage medium's standard interface, but they can be read directly from the chips using specialised electronics. According to a team of researchers from the University of California in San Diego led by Michael Wei, the lack of a reliable delete function makes this kind of medium unsuitable for certain usages.
 
With Snort 2.9 came the introduction of the Data Acquisition (DAQ) library to replace direct calls to PCAP functions. 'DAQ supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP which is used for testing.' [1]
After I upgraded from 2.8.6 to 2.9.0.2 (current version is 2.9.0.4), my Snort rules and in particular my Snort rule to detect Windows binary download (sid:15306) no longer detected Windows binary download via a browser. It was also affecting my Snort statistics that were constantly showing a small amount of packet loss.
 
In Part 1 of this series, I barely scratched the surface of password brute forcing.
In this post I hope to go beyond the basics and demonstrate some approaches I use to significantly increase the quality of my tests as well as my chances of success.
Success?
Everyone measures success differently, but hopefully some of you will consider success using these techniques to convey the importance to your developers, customers, bosses, friends, spouses, etc. of selecting strong passwords for web-based authentication mechanisms. I am not talking simply about complexity, length, and so forth, although they of course help. Rather, I am referring to the quality of the password, something that is more difficult, but not impossible to enforce.
 
Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of December 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it 'EGYPTS-AIRWAYS', set up a honeypot + some other monitoring tools, and connected it to the internet.
As expected, we quickly started to see all kinds of traffic… some of them were obvious port scans, others were less obvious recons or attacks. Both exciting and interesting… We could probably spend some time to document the various types of attacks, maybe build a nice table with figures and produce some kick-ass management graphs and do some trends analysis. It would be a fun exercise…
…but nothing beats the real deal.
 
Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea but I don't like installing tools on client machines if I can avoid it, so I never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was 'Great I can now scan through a Meterpreter pivot'. Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.

Secure Development highlights of the week

 
XSS is not a big deal, or is it? On many occasions, I've seen this vulnerability being classified as useless, not serious, and a low threat. What I've always had in mind is that only the capabilities of the browser and the hacker's mind set the limit for an XSS attack.
 
When building an Ajax-based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for Ajax calls ($.get(), $.post(), $.getJSON() etc.) and it would be a shame if you had to duplicate adding CSRF tokens to all your Ajax calls manually, or go back to $.ajax() because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course allows you to add these kinds of things through events.
Session based tokens
If you are using session based tokens, you probably generate a secure token when generating the session, and store that token in the session. When a request comes back to the server, you check that the token is included in the request and compare it to what's in the session. If it's the same token, you accept the request, if not you reject it.
 
I'm concerned that too much of software security and Appsec is focused on the enterprise, the big firms with the resources and a mandate for security; and that there aren't enough practical, affordable, simple solutions for small teams – where most of us work today, building and maintaining a lot of the world's software. I want to know more about what's out there that small teams can understand and use and rely on.
 
Your consent without your approval
Facebook users have been subjected to another round of clickjacking attacks that force them to authorize actions they had no intention of approving.
The latest episode in this continuing saga, according to Sophos researchers, is a set of campaigns aimed at Italian-speaking users of the social network. The come-ons promise shocking videos about such things as the real ingredients of Coca Cola. Instead, they are forced into registering their approval of the videos using Facebook's "Like" button.
 
How do you spell JavaScript again?  [www.thespanner.co.uk]
So I came across a cool post to hack the new HTML5 parser that Opera is developing, it is awesome that a vendor says hey c'mon look what we've done, please try and break our stuff. I couldn't resist having a go as they asked so nicely and within minutes….
 
What's New In Python 3.2  [docs.python.org]
This article explains the new features in Python 3.2 as compared to 3.1. It focuses on a few highlights and gives a few examples. For full details, see the Misc/NEWS file.
 
Spot the Vuln – Reasoning  [blogs.sans.org]
Man is a reasoning rather than a reasonable animal. – Alexander Hamilton.

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication

Things not to do:

– Applications MUST NOT store any secret part of the credential in the clear (passwords or questions and answers if implemented)
– Applications MUST NOT expose the credential in untrusted locations, such as cookies, headers or hidden fields
– Applications MUST NOT implement CAPTCHA as there is case law against them with respect to universal access, and they are ineffective
– Applications MUST NOT implement questions and answers as they are contrary to most privacy regimes and ineffective
– Applications SHOULD NOT rely on infrastructure authentication, such as REFERER headers or the client’s DNS or IP address as these can be faked

Thresholds Governor

All authentication systems are designed to be open to anonymous, unauthenticated users. Therefore, they are open to denial of service and brute force attacks. Applications implementing their own authentication systems should consider a threshold governor to prevent the over-use of the following paths:

– Account registration processes (if any)
– Primary authentication path
– Step up authentication (such as two factor tokens)
– Password change
– Password resets

(Low value systems only – Most medium and all high value systems should not be using passwords, and thus do not possess password reset capabilities)

OWASP’s ESAPI project contains a reference implementation of a basic threshold governor, which is in turn linked to the intrusion logging mechanism based upon a certain number of failed events being raised in a particular time period. You may wish to use this mechanism in your own code by adopting ESAPI and overriding the necessary classes as you see fit.
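A minimal threshold governor of the kind described above, as an added example that is not ESAPI's implementation: failed events are counted per protected path and per key (a username or client address) inside a sliding time window; when the count reaches the threshold the path is locked for that key for a fixed period and an intrusion-log event is raised. Path names, the window and lockout lengths, and the log shape are assumptions for the illustration.

```javascript
// Threshold governor: per (path, key) sliding-window failure counter with lockout
// and an intrusion log. All times are millisecond timestamps passed in explicitly
// so the behaviour is deterministic and testable.
class ThresholdGovernor {
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000, lockoutMs = 15 * 60 * 1000, log = [] } = {}) {
    this.maxFailures = maxFailures; // failures inside the window that trigger a lock
    this.windowMs = windowMs;       // how far back failures still count
    this.lockoutMs = lockoutMs;     // how long the path stays closed once triggered
    this.log = log;                 // intrusion log sink (array here; assumption)
    this.failures = new Map();      // "path|key" -> timestamps of recent failures
    this.lockedUntil = new Map();   // "path|key" -> timestamp the lock expires
  }

  _id(path, key) { return `${path}|${key}`; }

  isBlocked(path, key, now = Date.now()) {
    const until = this.lockedUntil.get(this._id(path, key));
    return until !== undefined && now < until;
  }

  // Record a failed event; returns true if this failure tripped the threshold.
  recordFailure(path, key, now = Date.now()) {
    const id = this._id(path, key);
    const recent = (this.failures.get(id) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.failures.set(id, recent);
    if (recent.length >= this.maxFailures) {
      this.lockedUntil.set(id, now + this.lockoutMs);
      this.failures.delete(id);
      this.log.push({ at: now, event: "threshold-exceeded", path, key, count: recent.length });
      return true;
    }
    return false;
  }

  recordSuccess(path, key) { this.failures.delete(this._id(path, key)); }
}

// Wrap one of the protected paths (login, password reset, registration, ...).
// While locked the handler is not even invoked, so the expensive work behind the
// path cannot be used as a denial-of-service lever.
function guardedAttempt(governor, path, key, handler, now = Date.now()) {
  if (governor.isBlocked(path, key, now)) return { ok: false, reason: "locked" };
  const ok = handler();
  if (ok) governor.recordSuccess(path, key);
  else governor.recordFailure(path, key, now);
  return { ok, reason: ok ? "accepted" : "rejected" };
}

module.exports = { ThresholdGovernor, guardedAttempt };
```

Keying on the account alone lets an attacker lock legitimate users out on purpose; keying on the client address alone lets a distributed attacker stay under the threshold. Real deployments usually govern on both and keep the response for "locked" indistinguishable from "rejected" so the governor does not become an account-enumeration oracle.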

Source: link

Have a great weekend.