Security Weekly News 25 March 2011 – Summary

Thanks to Tadek for contributing to this security weekly news bulletin

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
“If Iran got some forged certificates, it’s only because they don’t have a CA of their own. It’s considerably less hassle for most countries.” – Moxie Marlinspike (Abraham’s note for the less technical: Most countries have a Certificate Authority -CA- of their own so they can generate valid certificates for ANY domain -i.e. on the fly, which allows them to intercept communications without you getting any warnings in your browser while you think you are safe because you see “https”, etc. Iran supposedly had to hack a Comodo RA to achieve similar capabilities only for certain domains, which is considerably harder)
“I’m beginning to realize, the CMS’s are becoming the most important code to secure.” – Dan Kaminsky
“Soon, perhaps after a series of incidents that can’t be swept away, we’ll need to get SSL over DNSSEC widely supported & deployed.” – Jeremiah Grossman
“Just so we’re clear. The CA security/trust model behind SSL falls down any time an RA loses control over 1 of their user accounts.” – Jeremiah Grossman
“It doesn’t count as security if you have to ‘turn it on'”—Jacob Appelbaum
“Props to Comodo for making CEO available for interviews instead of just producing canned statement. You listening RSA?” – Kim Zetter
“If you are going to spam a pen-tester with your site then better make sure that it stands up to at least basic SQLi protection” – Robin Wood
“If I report a sec bug to your company, at least say thanks after you have patched it. Sometimes its not worth reporting bugs. Other companies however patch and thank with a small token of appreciation. This is the right way to do it.” – Ryan Dewhurst
“Good to see Joomla recognising Full Path Disclosure as an issue because most don’t and they are wrong.” – Ryan Dewhurst

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Mobile Security, Privacy, General, Funny

Highlighted news items of the week (No categories):
Not patched: Industrial Control Systems: security holes galore, Security flaw in RealPlayer
Updated/Patched: Firefox 4 Released!, Fraudulent Digital Certificates Could Allow Spoofing [Microsoft Security Advisory (2524375)], Firefox Blocking Fraudulent Certificates, Security updates available for Adobe Reader and Acrobat, Security update available for Adobe Flash Player, Flash Player 10.2 is now available for mobile devices, APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001, CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files, Joomla! 1.6.0 | Information Disclosure/Full Path Disclosure Vulnerability, Camino 2.0.7 Mac web browser updated, Apache HTTPClient 4.1.1 fixes critical security bug

Slow-growing demand is about to get a boost, Frost & Sullivan says
As threats become more severe and complex, the demand for security information and event management tools will grow to more than $1 billion worldwide by 2015, according to an industry research firm.
The market for SIEM tools, which has been slow-growing for more than a decade, is about to get a shot in the arm, according to a report issued last week by Frost & Sullivan.
The study, 'World Security Information and Event Management (SIEM) and Log Management Products Market,' reports that the SIEM market earned revenues of $678.1 million in 2009 and predicts that this figure will hit $1.3 billion in 2015.
Information security policies and corresponding controls are often unrealistic. They don't recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.
This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.
Hackers Take Schools To School  []
Nearly two-thirds of schools suffer two breaches or more per year, Panda Security study says
Some 63 percent of K-12 schools say they have experienced at least two security breaches in the past year, according to a new study, and their IT administrators are struggling to find the resources they need to keep up with security tasks.
According to the 'Panda Security Kindergarten-12 Education IT Security Study,' which was published today, many schools are struggling to find the time and resources they need to build out their security programs.
PCI Playing Mobile Limbo  []
Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Given the very nature of PCI, it does horribly when dealing with new technologies. That is, of course, the exact area where PCI needs to be really strong. When technology is new, that's when PCI guidance is most needed. Six months after everyone has deployed is not the best time to weigh in with advice. Giving retail chains a choice of either holding back or not complying with PCI is hardly the best move for an industry that needs to constantly grow and evolve.

Mobile Security highlights of the week

Private users can now protect their Blackberry smartphones in the same way that corporate users do using the BlackBerry Enterprise Server. The Canadian BlackBerry maker Research in Motion (RIM) is now providing to European customers the BlackBerry Protect application, previously only available to customers in the US. The free service includes client software for the BlackBerry and a web application.
Security specialist Michael Gough, best known for his attacks on VoIP systems, appears to have discovered a vulnerability in LAN-attached access control systems. The vulnerability apparently allows electronic locking systems to be opened without authorisation over a network. Working with developer Ian Robertson, Gough has developed an Android app called Caribou which exploits the vulnerability to unlock doors for which an RFID key card would normally be required.
iOS 4.3.1 Leaked !  []
By Gamal Sabry at Wednesday, March 23, 2011
Here's another proof from BGR, they have leaked a screenshots of the upcoming iOS 4.3.1 which has been tested by someone inside Apple. According to the source, iOS 4.3.1 will simply fix bugs and battery life improvement. You can check out the changes from iOS 4.3 after the jump.

Secure Network Administration highlights of the week

Last week, I talked about heavy obfuscation being used by attackers to hide their HTML source code from detection. This time we came across an interesting fake antivirus website, which not only continually changes the source of the webpage but also the malicious binaries being used in the attack. This occurs when you revisit that same malicious site. The malicious site also changes certain strings used inside the animation sequences. For this blog, I have visited that site a few times in span of a minute and collected the various source files and malicious binaries. Here are the screenshots of fake security warnings for different visits:
Wipe, rinse and repeat  []
Most of us have faced a time when a machine gets compromised with malware. In some cases it gets to the point where cleaning the infected computer is too time consuming or too difficult to clean, so the easy option is to wipe the machine and rebuild it.
Just before the forensic community (or some of my fellow handlers) lynch me for making this over generalised, evidence eliminating statement, allow me to elaborate.
Read only USB stick trick  []
The sad demise of readily available, cheap USB sticks with a switch to flip the device to be read only has caused some problems when dealing with suspicious machines, especial when I'm off duty and I hear the dreaded words "Oow, you're in IT – could you have a look at my computer quickly?"
Back in the good old days, I could pick them up at nearly all my favourite shops and the vendors gave them away by the bucket load, but alas, they seem to have all but disappeared.
CD/DVD or Blu-ray disks are great, but lugging around a harden CD case really does clash with some of my outfits and doesn't always send out the right message, particularly at: romantic diners, standing at a checkouts or trying to order drinks at a bar. This is where a small USB key, fitting neatly in to a pocket, helps me blend in with the rest of humanly almost seamlessly. Almost.
Chris Gates wrote a blog post about the 'getvncpw' meterpreter script. I ran into the same issue on Penetration Tests in the past but didn't know much about the wacked out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn't get a chance to.
Password cracking in the cloud  []
Passware Kit Forensic is commercial software that enables users to harness the power of cloud computing to accelerate password recovery. It allows the use of Amazon Elastic Compute Cloud for accelerated password recovery, without the need to buy hardware.

Secure Development highlights of the week

Recently, a colleague sent me an email which provided a flashback into my own past:
Hey, Eric–
Why do we show this when opening HTML locally? What are we protecting the user from?
Internet Explorer restricted this webpage notification bar
I myself had sent an email with almost the same text nearly seven years ago, and the surprisingly complicated answer is one of the key reasons I joined the IE team a few months later.
At the time, I was working as a Program Manager on the Office Online website, and I'd come across the specs for the Windows XP SP2 (codename "Springboard") updates to the web browser. Now, by this time, I'd been working on the web for nearly 8 years, and I "knew" what everyone else did about web security-you're supposed to treat web content on the Internet as hostile, but script running from your local computer was obviously more trusted and thus should run freely. What were these Springboard guys thinking? Didn't they know how the web was supposed to work?
According to Tor developer Jacob Appelbaum and a blog posting by the Mozilla Foundation, the Comodo SSL Certification Authority may have been compromised. As a consequence, criminals apparently obtained nine certificates for web sites that already existed, including There is no official statement on whether the situation was caused by insufficient checks during the certification process or by a breach of Comodo's infrastructure.
Today marks the 30th day since I removed all the root certificates for trusted certificate authorities. It was an interesting one month and I've learned a bunch. The main takeaway from this experiment is that I don't need 3 digit number of trusted CAs in my browser. Again, this is person specific and US centric, but the total count as of today is 10! The list of subject names and signatures follows for the ones interested in the exact list.
Like no other release before it, Firefox 4 includes a number of significant security features. These features are addressing attacks that are in particularly hard to avoid by developers and in which the browser is more so the victim then the server.
These attacks, Cross Site Scripting (XSS), redirects to HTTP pages from HTTPS and Clickjacking use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server centric attacks like sql injection, for which the attacker is in full control of the client.
The PHP-Nuke version 8.x and lower versions are vulnerable to Cross Site Request Forgery (CSRF) because its Anti-CSRF mechanism (Referer Check) is found to be broken.
Abraham's note: You should be using random tokens for CSRF protection as described here:
Spot the Vuln – Invincible  []
This week's vulnerability is was a tricky one. The bug patched in this change list affected the Comment-Rating plugin for WordPress (fixed in 2.9.24). Let's take the bug step by step. First, the application takes a user/attacker supplied value and runs it through an escaping function here (line 9):
$k_id = strip_tags($wpdb->escape($_GET['id']));
So, $k_id is now tainted and contains an escaped value provided by the attacker. A few lines later, we see the following code:
Today, we're updating the Chrome beta channel with a couple of new capabilities, especially for web developers. Fresh from the work that we've been doing with the HTML Speech Incubator Group, we've added support for the HTML speech input API. With this API, developers can give web apps the ability to transcribe your voice to text. When a web page uses this feature, you simply click on an icon and then speak into your computer's microphone. The recorded audio is sent to speech servers for transcription, after which the text is typed out for you. Try it out yourself in this little demo. Today's beta release also offers a sneak peek of GPU-accelerated 3D CSS, which allows developers to apply slick 3D effects to web page content using CSS.
The New York Times is estimated to have spent $40 million to $50 million to construct an elaborate new paywall that will force some users of the site to pay a monthly fee to read paper content. But just days after rolling out a version of the paywall, the newspaper is playing whack-a-mole with loyal readers who have found simple ways around it.
In the days since the paywall went live, readers have leveraged Twitter and some simple Web programming to circumvent the paywall, which limits readers to 20 free articles a month. Kristin Mason, a New York Times spokesperson, said in an e-mail message, that the company is monitoring the situation, but expects 'some percentage of people who find ways around our digital subscriptions.'

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Password Guidelines

Passwords are intrinsically weak. Therefore, your application should encourage good password practices:

– Credentials should only traverse encrypted links
– Store the password in a strongly hashed and salted format to prevent rainbow table attacks.
– Pass phrases (long passwords over 20 characters in length) should be encouraged
– Short passwords should be prohibited
– Do not force folks to change passwords frequently as this results in the users writing the passwords down insecurely
– Where suitable, try to share the credential with as many low value systems as possible to encourage one single high quality password
– Allow expert users to store strong passwords in approved password managers. Encourage them to use unique random passwords for each service


Lockouts are counter-productive if implemented badly.

In general, the threshold governor (see above) should be implemented to prevent any one IP address monopolizing authentication CPU, network, and IO resources. If necessary, such as for compliance with a national security standard, a configurable soft lockout of approximately 15-30 minutes should apply, with an error message stating the reason and when the account will become active again.

Ensure any lockout mechanism protects against both same username, many passwords and many usernames and same password attacks. This can only be done using the threshold governor approach as shown above.

Source: link

Have a great weekend.