Thanks to Toby for contributing to this security news bulletin!
I was honoured to attend BSides London and DC4420, aka Defcon London, both of which were a blast this Wednesday, and an obligatory blog post will hopefully follow this evening.
Feedback and/or contributions to make this better are appreciated and welcome.
Highlighted quotes of the week:
“86% of breaches were discovered by outside third parties, and not by the victim organization internally” – Verizon Data Breach report
“That is not a Vulnerability, it is internal” – Steve Lord quote from a customer at BSides London
“AV is like a smoke detector with instructions like ‘for best results hold directly over flame’” – Jason Moliver
“Don’t try to guess the password just click login there isn’t one. Wasted 10 mins on that!” – Robin Wood
To view the full security news for this week, please click here (it is divided into categories, with a category index at the top). The categories this week are: Hacking Incidents / Cybercrime, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Mobile Security, Privacy, General.
Highlighted news items of the week (No categories):
Updated/Patched: April 2011 Microsoft Black Tuesday Summary, Spring cleaning: Oracle's patch day brings 73 security patches, Security updates available for Adobe Reader and Acrobat, Security Update 2011-002 (Snow Leopard), Silverlight Update Available, iTunes 10.2.2 provides a number of important bug fixes, iOS update for iPhone and iPad blocks fake certificates, Skype for Android update closes privacy vulnerability, Chrome update prevents escape from sandbox, VLC Media Player 1.1.9 closes security holes, Qubes Beta 1 has been released!, Armitage 04.10.11 Released, Wireshark 1.4.6 released, Updates: Process Monitor v2.95, TCPView v3.04, Autoruns v10.07
Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the 'Verizon 2011 Data Breach Investigations Report.' These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.
The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date.
According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.
Separate reports from Cyber-Ark, BeyondTrust show the pitfalls of privileged user access
The users with the organization's highest and most powerful privileges are also the most likely to use their access to snoop around the network for confidential information.
A new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have snooped, and 44 percent of those in Europe, the Middle East, and Africa have done so, too. Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.
Eighty percent of critical infrastructure operators say they have experienced a large-scale attack
Eighty percent of organizations that operate smart grid or other critical infrastructure components have experienced a large-scale distributed denial of service (DDoS) attack, and a quarter of them have been victims of extortion through network attacks, according to a study published today.
According to In the Dark: Crucial Industries Confront Cyberattacks, a report issued by McAfee and the Center for Strategic and International Studies (CSIS), many critical infrastructure organizations remain unprepared to stop the next attack.
Mobile Security highlights of the week
This open-source application maps the information that your iPhone is recording about your movements. It doesn't record anything itself, it only displays files that are already hidden on your computer.
In the past few days we have been toying with some Motorola hardware, and have managed to get a basic build of BackTrack 5 (+ toolchain) on a Motorola Xoom. The possibilities look exciting as we are slowly building several experimental arm packages. Our team does not have much experience with the Android OS nor ARM hardware, but so far – so good. We will not promise an ARM release on May 10th, as this new "experiment" was not planned in any way – but we'll do our best.
Today, we are opening up the submissions portal for the Exploitable Mobile App Challenge. The submission period kicks off today (April 12, 2011) and will run through May 20, 2011. We want you to show us your mobile application development and security skills by writing highly hackable, completely insecure applications. Why on Earth would we do this? We want to raise the bar for awareness of mobile risks while having a little bit of fun in the process. As mobile platforms become increasingly complex and increasingly important in society, we are only going to see a greater number of attacks and vulnerabilities hitting the news. This is truly the golden age for mobile application security!
Secure Network Administration highlights of the week
In February I spoke at the DoJ Cybersecurity Conference. My abstract for the talk was the following:
In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo's Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo's Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich had identified dozens of lessons that are key to the incident response process, whether it's 1990, 2000, 2010, or beyond.
Though I didn't realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation, a legitimate PC component manufacturer (while I appreciate the programmer entrusting the rootkit driver to me, the official way to submit malware to Microsoft is via the Malware Protection Center portal).
IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile breeding ground for attacks. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, and that physical access controls can therefore be used to mitigate most Layer 2 risks.
An older Symantec root certificate, SymRoot1, will expire on April 30, 2011. With an expired certificate, older LiveUpdate clients would no longer authenticate, download, or install content such as AntiVirus definitions or product updates.
To allow customers additional time to plan migrations, Symantec has introduced a workaround that allows LiveUpdate to continue to successfully authenticate valid content from Symantec through July 4, 2012.
This past month has seen more additions to our free Metasploit Unleashed training course, primarily in our on-going effort to build out the Metasploit Module Reference section. Also, with the Metasploit team moving away from meterpreter scripts in favor of post-exploitation modules, we have been updating the relevant sections of MSFU.
Microsoft has released its free Microsoft Safety Scanner (MSS), which scans for and removes malware from Windows systems without requiring prior installation. According to AV-Test's Andreas Marx, the on-demand anti-virus scanner appears to be based on the Malicious Software Removal Tool (MSRT), but with a complete signature database added. MSRT uses a small database of widely distributed threats and is distributed monthly via the automatic update function.
Secure Development highlights of the week
A couple of weeks ago we talked about the new Firefox 4 security features. Today it is Google Chrome's turn, covering its recently added and soon-to-arrive security features.
A couple of bugs affecting WordPress core here. On line 73, we see that $_SERVER['REQUEST_URI'] is passed to add_query_arg(). From the provided code sample, it's difficult to see that this results in XSS. The developers addressed this by encoding the return value from add_query_arg().
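The pattern in that WordPress fix, reflected request data landing inside an HTML attribute and the remedy of encoding at the point of output, is shown here as an added example in Python rather than PHP; it is not the WordPress code or patch. `add_query_arg` below is a hypothetical stand-in that only mimics the one property that matters (it carries the incoming query string through unencoded), and `REQUEST_URI` is a constructed value.

```python
import html

# Constructed request URI (hypothetical value, not from the bulletin): the "s"
# parameter tries to close the surrounding HTML attribute and inject markup.
REQUEST_URI = '/wp-admin/edit.php?post_status=draft&s="><b>injected</b>'


def add_query_arg(uri, **params):
    """Hypothetical stand-in for WordPress's add_query_arg(), not the real function.

    It merges new parameters into the query string without percent-encoding the
    existing query, so whatever arrived in REQUEST_URI is carried through
    unchanged into the return value.
    """
    path, _, query = uri.partition("?")
    merged = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            merged[key] = value
    merged.update({k: str(v) for k, v in params.items()})
    return path + "?" + "&".join(f"{k}={v}" for k, v in merged.items())


def form_action_vulnerable(request_uri):
    """Before the fix: the return value is dropped into the attribute as-is."""
    return '<form action="' + add_query_arg(request_uri, paged=2) + '">'


def form_action_fixed(request_uri):
    """After the fix: encode for the HTML attribute context at the point of output."""
    encoded = html.escape(add_query_arg(request_uri, paged=2), quote=True)
    return '<form action="' + encoded + '">'


def attribute_is_intact(markup):
    """Sanity check: the action attribute should be the only quoted value in the
    tag, so exactly two double quotes should appear in it."""
    return markup.count('"') == 2


if __name__ == "__main__":
    print("vulnerable:", form_action_vulnerable(REQUEST_URI))
    print("fixed:     ", form_action_fixed(REQUEST_URI))
```

The vulnerable variant emits a third quote and live `<b>` tags inside the form tag; the fixed variant turns `"`, `<`, `>` and `&` into entities, so the attribute closes where the developer intended and the browser renders the injected text rather than parsing it.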
This week's patch is a good one. The code sample was basically a library that only contained functions. While there isn't a blatant vulnerability in the library, there is a startling function called 'PrepDataForScript'. Looking at PrepDataForScript, it's obvious this function is meant to provide some sanitization. Unfortunately, the routine isn't very robust. When you see things like the code snippet below, you know the developer is headed in the wrong direction:
This patch was full of interesting tidbits. First, the change log for this patch is as follows:
+ fix a flaw allowing a remote cross-site scripting attack
Keep the change list description in mind as we go over the patch submitted by the developers. The submitted patch is pretty simple. There is an additional qualifier set for an if statement that checks whether $_GET['where$i'] is contained within the array $f. It's difficult to determine whether this is true, but it doesn't really matter. The second change is an addslashes() call on $_GET['what$i'] before the tainted query string parameter is used to build a dynamic SQL statement. This is meant to prevent an obvious SQL injection bug in the LIKE operator of the SQL statement.
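To show why escaping a value that is spliced into a LIKE clause is the weaker remedy, here is an added example in Python with SQLite (not the patched project's code, and Python rather than PHP). It contrasts string concatenation with a bound parameter plus an ESCAPE clause, which also handles the `%` and `_` wildcards that quote-escaping leaves live. The table contents are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the bulletin); the names deliberately contain
# the characters that matter here: a quote, an underscore and a percent sign.
ROWS = [
    ("alice", "Alice O'Brien"),
    ("bob", "Bob_Smith"),
    ("carol", "100% Carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


DB = make_db()


def search_concatenated(what, conn=DB):
    """The shape the text describes: the tainted parameter is spliced into the
    SQL text. Quote-escaping (addslashes or otherwise) leaves LIKE's own
    metacharacters % and _ live, so a user-supplied '%' matches every row."""
    sql = "SELECT login FROM users WHERE name LIKE '%" + what + "%' ORDER BY login"
    return [row[0] for row in conn.execute(sql)]


def query_breaks(what, conn=DB):
    """True if the concatenated statement is no longer valid SQL for this input."""
    try:
        search_concatenated(what, conn)
    except sqlite3.OperationalError:
        return True
    return False


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters in a value that should match literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_parameterized(what, conn=DB):
    """Bound parameter plus ESCAPE clause: quotes cannot alter the statement,
    and % or _ in the input match themselves."""
    pattern = "%" + escape_like(what) + "%"
    sql = "SELECT login FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY login"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    print("concatenated, input \"%\":", search_concatenated("%"))
    print("parameterized, input \"%\":", search_parameterized("%"))
    print("parameterized, input \"O'Brien\":", search_parameterized("O'Brien"))
```

A legitimate search for `O'Brien` already breaks the concatenated statement, and a lone `%` returns the whole table; the parameterized version returns only the rows that literally contain the searched text.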
NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++.
Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):
OWASP-0200 Authentication (continued)
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) are illegal in any jurisdiction that prohibits discrimination against disabled citizens. This is essentially the entire world. Although CAPTCHAs seem useful, they are, in fact, trivial to break using any of the following methods:
– Optical Character Recognition. Most common CAPTCHAs are solvable using specialist CAPTCHA-breaking OCR software.
– Break a test, get free access to foo, where foo is a desirable resource.
– Pay someone to solve the CAPTCHAs. The current rate at the time of writing is $12 per 500 tests.
Therefore implementing CAPTCHAs in your software is most likely to be illegal in at least a few countries, and worse – completely ineffective.
Secret Questions And Answers
Questions and answers are back door credentials – they equate to the username and password for the user. Often such schemes use “Mother’s Maiden Name” or other easily found information. If all systems use the same Q&As, it will be possible to break into many accounts using the same information.
They are unacceptable for the following reasons:
– Collection of information about people without their explicit consent (such as “Mother’s maiden name”) is illegal in most privacy regimes. Such collection is subject to privacy laws, review and correction by the subject, and so on.
– IT security policies and standards such as ISO 27000 prohibit the clear text storage of passwords, but almost all Q&A schemes store both the question and the answer in the clear.
– The information in the answers is public for a goodly portion of the users of the Internet, and thus can be found using public sources.
Secret Questions and Answers have been publicly abused, most notably by the attack on Sarah Palin’s e-mail account, exposing her use of her Yahoo free mail account for government business.
Have a great weekend.