Security Weekly News 4 March 2011 – Summary

Thanks to Tadek and Toby for contributing to this weekly security bulletin!
Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
“As a majority of security professionals know, there is more risk and a higher probability of an attacker causing mayhem from within an organisation than from outside it. However, many people within organisations do not know this fact, because they only hear stories about the outside attackers who defaced a web server or circumvented a firewall to access confidential information” – Shon Harris
“Actually I don’t recommend AV as a solution. I recommend it as a layer. I don’t run it myself due to the problems it causes me” – Kevin Johnson
“19% of 2-5 year olds can operate a smartphone app but only 9% can tie their shoelaces!” – GGD
“Want to know if you are in the cloud? If you have developers with corp credit cards, you’re in the cloud.” – Rich Mogull
“Developers with corporate credit cards? You have more trouble than the cloud if that’s the case!” – David Rook
“We cannot solve problems by using the same kind of thinking we used when we created them.” – Albert Einstein

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched Vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Mobile Security, Cryptography, Privacy, Funny / Odd

Highlighted news items of the week (No categories):
Not patched: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
Updated/Patched: Microsoft Security Advisory (967940) – Update for Windows Autorun, Firefox 3.6.14 released, iTunes 10.2 is now available and addresses a lot (50+) of vulnerabilities, Flash Player released, ZDI-11-102: PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability, Wireshark updates close critical vulnerabilities, Security update for Foxit Reader, Chrome 9.0.597.107 released, Thunderbird 3.1.8 released, New avast! Free: , HPSBUX02638 SSRT100339 rev.1 – HP-UX Running OpenSSL, Remote Execution of Arbitrary Code, Denial of Service (DoS), Authentication Bypass, Advance Notification Service for the March 2011 Security Bulletin Release

There are add-ons, VPNs, and apps galore that offer a safer browsing experience-but the browser you use, and the sites you visit, offer strong but simple security tools, too. Here are the best of the no-hassle, no-install-required options that you should be using now.
Security is Frustrating  []
Dave explores the reasons why people do things, like MAC address filtering and hiding their SSID instead of using strong passwords. We see this happen a lot in the corporate world too, people implement security that is easy, not what works. Seems to me that there needs to be a shift of focus. Let's focus on the hard stuff, like passwords, authentication, physical security, client security, and other stuff that I have probably told people they need to do. Yet, we keep marching down the Firewall/IDS/IPS/Anti-Virus route. Dave brings up two more great points: People think they don't have to defend against the best hacker's in the world, yet the best hackers in the world create tools that people use. Secondly, he questions why we are doing things backwards, as in using simple passwords but implementing hidden SSIDs and MAC filtering.
New IBM report highlights shift in endpoint security within the enterprise
A new IBM report found that more than 70 percent of organizations are allowing nontraditional endpoint devices — think smartphones, iPads, and point-of-sale devices — to connect to their corporate networks, but some 36 percent say these devices aren't properly secured.
IC3 received more than 300,000 complaints in 2010 — second-most ever
Online crime was up again in 2010, hitting its second-highest numbers of the past decade, according to a report issued by federal law enforcement authorities yesterday.
According to the '2010 Internet Crime Report,' the Internet Crime Complaint Center (IC3) received 303,809 complaints of Internet crime in 2010, the second-most in its 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than 2 million Internet crime complaints.
the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act. The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.

Mobile Security highlights of the week

Google needs a secure sandbox
SOFTWARE DEVELOPER Google has been caught out by lax security design in its Android operating system as highly aggressive malware has been discovered on the Android Market.
At least 21 applications were found to have malware that rooted Android devices without the user's consent, sent IMEI and IMSI numbers, product IDs, model, partner, language, country and user IDs. Most worrying of all was the ability for the rogue applications to download code and run it.
As seen in recent blog postings, Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. As seen with previous Android threats, it is spreading through compromised versions of legitimate applications, available on unregulated third-party Android marketplaces.
We have detected a few applications carrying Android.Pjapps code. One of these applications is Steamy Window. Similar to other compromised Android applications, it is difficult to differentiate the legitimate version from the malicious one once it is installed. However, during installation it is possible to identify the malicious version by the excessive permissions it requests. The images below show the installation process of a clean Steam Window application and a malicious one.

Secure Network Administration highlights of the week

The plot? As usual:
A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.
Are you up to the challenge? All details are here
Poor man's DLP solution  []
Although I have been fortunate to work with a company that handles large amounts of money and time to implement the security solutions typically get the latest technology solution, we also have companies that do not handle the same amount of money due to profit margin business in which they are located and therefore there is a greater rationale for the investment of monetary resources in those projects that are vital to the operation of the company.
A risk that materializes more frequently in companies is the leaking of information and one of the most common ways to steal over the Internet is through various forms such as emails and file transfers. That means we need to have a sensor that is responsible for monitoring the Internet traffic inbound and outbound. To determine your position, we will outline a two firewall DMZ and place a snort sensor in the middle using linux and configured in bridge mode.
TUESDAY, MARCH 1, 2011 AT 3:40PM
Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap and given the right directory and permissions can lead you right back to getting shell any time you want without a constant connection. Plus, NFS blends right in and can listen on TCP and/or UDP (2049)
TUESDAY, MARCH 1, 2011 AT 2:38PM
Thanks to jduck for pointing it out, but you need to actually make a change to get this to work, reference: and search for: Modifying History Behavior

Secure Development highlights of the week

Agnitio v1.2 released today  []
I wanted to start today's blog post by saying thank you to everyone who has downloaded Agnitio so far! Agnitio has been downloaded 1250 times since I released v1.0 104 days ago and with people still downloading both v1.0 and v1.1 nearly everyday that number continues to rise! I must admit that when I first released Agnitio I was worried that no one would download and use it, building isn't as sexy as breaking in information security and the same applies to the tools. Agnitio isn't ever going to be a metasploit or SET, you can't pop boxes with it but it will hopefully help you find and fix vulnerabilities in your web applications.
Filed under DoS, java, php
Originally posted as Taming the Beast
The recent multi-language numerical parsing DOS bug has been named the 'Mark of the Beast'. Some claim that this bug was first reported as early as 2001.This is a significant bug in (at least) PHP and Java. Similar issues have effected Ruby in the past. This bug has left a number of servers, web frameworks and custom web applications vulnerable to easily exploitable Denial of Service. Oracle has patched this vuln but there are several non-Oracle JVM's that have yet to release a patch. Tactical patching may be prudent for environment.
Here are three approaches that may help you tame this beast of a bug.
Awesome XSS challenge  []
Can you do it?
To be honest, I was a little confused by this week's patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, or cookie) and assign the tainted value to a couple of different PHP variables ($description and $notes in particular). The application then uses of these tainted values on lines 136 and 140, resulting in XSS. The developer addressed these XSS issues by html encoding the $_REQUEST values before assigning them to PHP variables. In the code mentioned above, the developer decided to encode/sanitize at the point of assignment (as opposed to the point of consumption). There are differing perspectives as to whether one should encode/sanitize upon assignment or consumption, but the truth is both methods work.
Spot the Vuln – Character  []
The Web Tracking Protection specification is designed to enable users to opt-out of online tracking. The platform has two parts:
Filter lists, which can enforce user privacy preferences by preventing the user agent from making unwanted requests to webservers that track users.
A user preference, which is an HTTP header and a DOM property, to be used by webservers to respect the user's privacy.
Together these technologies can be used to enforce privacy protection for users, and provide access to content and services that respect user privacy preferences.

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Suggested Timeouts

The following timeouts are suggested, but any value will do as long as it severely impacts both vertical and horizontal brute force attacks.

– One failed attempt: At least 5 seconds
– Two failed attempts: At least 15 seconds
– Three failed attempts: At least 45 seconds
If there’s an obvious brute force attempt (for example, more than 100 attempts per minute), the IP address and/or session should be banned for a period of time, such as 15 minutes. In such cases, error messages should make it clear why this action has been taken.

Distributed Brute Force

If in case of a distributed brute force, the application should monitor the total number of failed authentication attempts per minute, and have a configurable threshold above which the authentication system automatically injects a configurable 45+ second delay between authentication attempts. This will make all but the largest distributed brute force attempt infeasible, even when looking for a single account with a well known password.

Source: link

Have a great weekend.