Thanks to Tadek and Shaun for contributing to this security bulletin
NOTE: I am still trying to catch up, so some news items are a bit dated but still worth mentioning. I tried to put newer items at the top of each section, so if you see something dated that you have already seen you can skip the rest of that section (assuming you already saw what is left in it).
In case you missed it: here is a blog post I wrote earlier in the week about Dumping Hashes on Win2k8 R2 x64 (using Metasploit)
Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of last few weeks:
“I would like to congratulate #Sony for holding the Best and most enjoying #CTF Ever.” – obzy (Abraham’s Note: CTF = Capture the Flag = Hacking competition)
“Like the Honey Badger, 94% of breached records involved malware that didn’t give a **** that you had AV (2009 #DBIR) ” – Josh Corman (Abraham’s Note: AV = Anti Virus)
“Considering that there is no real reward in disclosing I am pretty sure that the grey/black market vuln. count is higher than white market.” – Stefan Esser
“Code of the day: $htmlVar = htmlentities($var); …. echo $var;” – Stefan Esser
“You should have a data breach crisis team the same way as you have a fire marshal and 1st aid team” – @daraghobrien #privacy2011
“Security is like dodge ball. You can avoid losing if you’re not targeted, but you’re done if the opponent decides you’re the next victim.” – Richard Bejtlich
“Nuclear power plants should not be connected to the Internet.” – Jacob Applebaum
“real men don’t need unsecure networks to pwn auth tokens” – Tim Strazzere
“# while true; do dd if=/dev/hda1 of=/dev/hda1 conv=notrunc; done # This will kill your harddrive” – #HitB2011AMS
“If you think software can only harm other software and not hardware, think again.” – #HitB2011AMS
“Google switching to SSL by default only caused a 1% load increase” – #HitB2011AMS
“developing=always going to be bugs, offensive=always going to have false negatives, defensive=always have risk” – Ryan Dewhurst
‘Example of special HTML code supported by mobile phones: New ways to perform fuzzing!’ – #HITB2011AMS
“Please log back in and give me your password…. please? …. Thank you!” – Rob Fuller
“perl is my new favorite language…b/c everyone leaves cleartext passwords in it… :-P” – Chris Gates
“Just checked the TOS and SLAs of MSFT, GOOG, and Amazon Cloud services. None assume any responsibility for damages due to a breach. Amazing” – Jeffrey Carr
“Some People don’t get that disclosure=sending a bunch of emails, reviewing patches, trying to get things fixed is hours of unpaid work.” – Stefan Esser
“for those of you who don’t fuzz, good luck banging in nails with your fist :P” – Gareth Heyes
‘Security is a market where giving customers a little less “what they want” and a little more “what they need”, would go along way.’ – Geoff Belknap
“Did you know that some mobile operators in Belgium intercept SMS to deliver their ads based on transmitted content?” – Alexandre Dulaunoy
“If you don’t spend money training your staff, don’t be surprised when they do stupid things.” – Security Monkey
“Good to see Facebook pointing out Google’s privacy problems. Because Facebook is great with privacy.” – Mikko Hypponen
To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Unpatched vulnerabilities, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Mobile Security, Cloud Security, Privacy / Censorship, General, Security FAIL, Funny
Highlighted news items of the week (No categories):
Not patched: Vulnerability Advisory: User clicks on something that they shouldn’t have (CVE-0), WordPress User IDs and User Names Disclosure, Dropbox ‘insecure and misleading’ – crypto researcher
Updated/Patched: Cisco Security Advisory: Default Credentials Vulnerability in Cisco Network Registrar, Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series, Cisco Security Advisory: Default Credentials for root Account on the Cisco Media Experience Engine 5600, Cisco Security Advisory: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client, Cisco Releases Security Advisory for Cisco Internet Streamer, WordPress 3.1.3 (and WordPress 3.2 Beta 2), Adobe Releases Flash Player and Flash Media Server Updates, Microsoft releases free AV software that boots from CD or USB, 4 Free Online Tools for Examining Suspicious PDFs, w3af – And now, with a stable core, DOMinator Virtual Appliance, Release of Wireshark 1.6.0rc2, Wireshark 1.4.7 and 1.2.17 Released, Python 2.5.6 fixes medium severity issues
Sony hacked those who purchased from them with a rootkit, then sued others who also purchased from them... and now it is the most breached company in 2011.
Lesson: It is important for a company to respect their customers. The quote below, which is real, shows no respect.
European member states must work harder to establish national Computer Emergency Response Teams (CERTs) by 2012 if they are to meet the European Commission’s expectations for critical infrastructure protection, according to a new EC review.
The report looks at efforts by member states to meet the goals of its 2009 action plan, designed to ensure that Europe is prepared for and resistant to attacks on its critical information infrastructure.
Ireland’s Computer Emergency Response Team is now receiving up to 10 alerts per day from Irish businesses coming under attack by having their systems compromised to host phishing websites or to distribute malicious software.
Small and medium-sized businesses, in particular, are being targeted by criminals who exploit weaknesses in the companies’ websites, according to the Irish Reporting and Information Security Service Computer Emergency Response Team (IRISS-CERT).
Please take a moment and read the following article on the current Bank of America breach:
There are two main points we need to take from this. First, the insider threat is real. It is also incredibly hard to detect and react to. We have been pushing for quite some time at PDC to move beyond simple IDS/IPS/AV tactics. This story only serves to reinforce this view.
Eric O’Neill, the former FBI operative who played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia, says security can’t rely on tech alone.
Anyone who has worked to defend enterprise secrets from theft knows that the answer to success certainly doesn’t come from technology alone.
Few know this better than Eric O’Neill. O’Neill is the former FBI operative who worked as an investigative specialist and played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia. The 2007 movie ‘Breach’ was based on O’Neill’s experience investigating Hanssen.
‘The human element is usually the weakest link,’ O’Neill said yesterday at the 2011 Computer Enterprise and Investigations Conference (CEIC).
All of us have known for a long time that code reviews find defects, and that reviews are cheaper and can be more effective than most kinds of testing. In Code Complete, Steve McConnell builds an overwhelming case for code reviews: disciplined code inspections can find between 45%-70% of all defects in code, while even fast, informal reviews can find 20%-30%. Studies at IBM, HP, Microsoft and other places show that it is several times cheaper to find bugs in code reviews than through testing. And evidence keeps coming in to support that code reviews work.
The Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 have now been published, amending the previous Privacy and Electronic Communications (EC Directive) Regulations 2003 as required by the new EC Telecommunications Directives.
As well as new law on cookies that has been discussed previously (Regulation 6), the regulations introduce into UK law a requirement to notify the Information Commissioner, and in some cases the affected users, of breaches affecting the security of personal data. For now, this law only applies to providers of public electronic communications services, but the European Commission are keen that similar requirements be extended to all other organisations handling personal data. So it’s probably worth planning for when (not if) these requirements come to cover all of us.
To define your framework, take Willie Sutton’s advice and go where the money is. In our case, risk and security lay with the IT and information assets in our environment.
For years now, security professionals have been in agreement that a security metrics program is an increasingly important tool to manage the security posture in an environment. We like to cite too-true clichés like ‘you can’t manage what you don’t measure’ and sing ‘Kumbaya’ together about the virtue and benefits of such programs. And yet there really aren’t many success stories out there.
Forget the intrusion detection kit, start talking to your employees
The majority of UK workers have no instruction from their employers on how to protect themselves from data loss or malicious software, according to research.
A snapshot survey of 700 UK workers reveals that nearly two thirds (64 percent) do not receive any training or material to educate them on IT security issues, such as how to avoid downloading malware or how to prevent the loss of sensitive data.
Password managers and security go hand in hand in this day and age. Due to my Google Account recently getting compromised, I’ve put quite a bit of research into the solutions you can implement to secure yourself on the Internet. As a plus, these solutions also add an extra level of usability while browsing the net.
The solutions I’ll share my research over:
1. 1Password
2. Lastpass
3. Keepass
4. Passpack
5. Your mind
The two main questions I test these solutions against:
1. How secure is it?
2. How usable is it?
CISOs should take a military’s observe, orient, decide and act concept and apply to corporate network security, Interop presenter says
Businesses need to look at security as a military exercise and can benefit from strategies that have proved useful in battle, a former military security expert told an Interop audience this week.
‘This is a chess match,’ says Barry Hensley, a retired U.S. Army colonel who was in charge of the army’s global network operations and security center. He is now vice president of Dell SecureWorks’ Counter Threat Unit. ‘Can you lock down a network? Probably not. Can you defend a network? Yes you can.’
He recommends using a military combat concept called observe, orient, decide and act (OODA) that can give businesses a framework for detecting attacks quickly, figuring out what to do about it, doing it and moving on to deal with the next attack. ‘If you can OODA before the enemy can, I believe you can defend a network,’ Hensley says.
There has been a surge in interest with the world of the Navy SEALs since the Osama bin Laden action (this piece in the WSJ was a particularly good profile) and I confess to being caught up in it myself. One of my portfolio company CEOs, Will Tumulty of Ready Financial, is a former Navy SEAL (1990-1995). Will was kind enough to introduce me to a SEAL classmate of his, Brendan Rogers (SEAL 1990-2000), who joined me and 20 NYC CEOs/founders from the tech scene last night to talk about the SEALs – the training, the planning and the operations behind their combat operations – as well as draw out some relevant lessons for entrepreneurs. Brendan went on to HBS and McKinsey after the SEALs and then started his own hedge fund with a partner, so he had an interesting, multi-faceted perspective.
The discussion was wide-ranging and entertaining. The five key lessons Brendan highlighted were as follows:
80% training, 20% execution. SEALs are incredibly well-trained and when they are not on actual combat deployments, they spend the vast majority of their time training for a number of different types of missions. In contrast, at start-ups, executives typically spend 100% of their time executing and 0% of their time training. Brendan emphasized the importance of training and practice in all areas – employee onboarding, management practices, etc.
Cloud Security highlights of the week
While catching up on some old Hak5 episodes I found the piece on Amazon’s S3 storage. If you don’t know what S3 is then I recommend going and watching the episode; it gives a good introduction and was all I’d had before starting this project. The thing that caught my eye, and Darren’s, was when Jason mentioned that each bucket has to have a unique name across the whole of the S3 system. As soon as I heard that I was thinking, let’s brute-force some bucket names.
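The property described above (bucket names are global) is what makes guessing practical: an unauthenticated HEAD request to a bucket name tells you whether the name is free (404 NoSuchBucket), taken but private (403 AccessDenied), taken and anonymously listable (200), or taken and hosted in another region (a redirect). The following is an added example, not code from the original post or from Hak5; it derives a handful of candidate names from an organisation name (the suffix list and the constructed seed name are assumptions) and classifies each one. The HTTP call is injectable so the logic runs offline, and the first thing to do with it is check the names derived from your own organisation.

```python
import re
import urllib.error
import urllib.request

# Assumed list of suffixes people commonly append to a company name.
COMMON_SUFFIXES = ("", "-backup", "-backups", "-dev", "-staging", "-prod", "-logs", "-assets")


def normalize(seed: str) -> str:
    """Reduce a name to the characters bucket names allow (lowercase letters,
    digits and hyphens; dots are dropped because they break virtual-hosted HTTPS)."""
    return re.sub(r"[^a-z0-9-]", "", seed.lower())


def candidate_names(seed: str, suffixes=COMMON_SUFFIXES) -> list:
    """Build candidate bucket names, respecting the 3..63 character length limit."""
    base = normalize(seed)
    return [base + s for s in suffixes if 3 <= len(base + s) <= 63]


def http_status(url: str, timeout: float = 5.0) -> int:
    """HEAD the URL and return the HTTP status code; 4xx/5xx are data, not errors.
    Note that urllib follows redirects for HEAD, so a cross-region bucket may be
    reported with the status of its regional endpoint (still 'taken')."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Translate S3's response to an unauthenticated HEAD into what it means for the name."""
    if status == 404:
        return "free"                  # NoSuchBucket: nobody has claimed the name
    if status == 403:
        return "taken, private"        # AccessDenied: the bucket exists but is not public
    if status == 200:
        return "taken, listable"       # anonymous listing is allowed: worth a closer look
    if status in (301, 307):
        return "taken, other region"   # S3 redirects to the bucket's own regional endpoint
    return "unknown (%d)" % status


def probe_buckets(seed: str, fetch=http_status) -> dict:
    """Map each candidate name to its classification. `fetch` is injectable so the
    logic can be exercised without network access."""
    return {name: classify(fetch("https://%s.s3.amazonaws.com/" % name))
            for name in candidate_names(seed)}


if __name__ == "__main__":
    # Constructed seed; replace with your own organisation's name when running for real.
    for name, verdict in probe_buckets("Example Corp").items():
        print("%-28s %s" % (name, verdict))
```

A name that comes back "taken, listable" for your organisation is the one to investigate first, since it means anyone can enumerate the objects in it.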
The touted cost savings associated with cloud services didn’t pan out for Ernie Neuman, not because the savings weren’t real, but because the use of the service got out of hand.
When he worked in IT for the Cole & Weber advertising firm in Seattle two and a half years ago, Neuman enlisted cloud services from a provider called Tier3, but had to bail because the costs quickly overran the budget. He was a victim of what he calls cloud sprawl — the uncontrolled growth of virtual servers as developers set them up at will, then abandoned them to work on other servers without shutting down the servers they no longer needed
Cloud computing is more secure than on-premise solutions, say its fans
Cloud computing may be the hottest thing in corporate computing right now, but two IT disasters – at Amazon and Sony – beg the question: Is cloud computing ready for primetime business?
It’s a nightmare moment. You are under pressure – to meet customer orders, finish a project, execute a deal – and nothing. Your computers, servers or network are down. If you are lucky, a few nail biting hours and a reboot or three later, you and your IT team have restored services.
But what if your IT infrastructure goes down and there’s nothing you can do because your computing power sits in the cloud, provided over the internet by another company? When a key part of Amazon’s EC2 cloud service collapsed, many of the firm’s customers were reduced to publishing apologies on their websites and clicking ‘refresh’ on Amazon’s service health dashboard.
The cloud computing research team at the National Institute of Standards and Technology (NIST) is requesting public comments on a draft of its most complete guide to cloud computing to date.
NIST Cloud Computing Synopsis and Recommendations (Special Publication 800-146) explains cloud computing technology in plain terms and provides practical information for information technology decision makers interested in moving into the cloud. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources-for example networks, servers, storage, applications and services-that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Mobile Security highlights of the week
Researchers have identified a second large batch of apps in the Android Market that have been infected with the DroidDream malware, estimating that upwards of 30,000 users have downloaded at least one of the more than 30 infected apps. Google has removed the apps from the market.
Lookout Security reports that Google has removed 34 Android apps from its Market that were infected with malicious code. Lookout estimates that the number of potential victims is between 30,000 and 120,000. Some of the malware samples are modified versions of apps that have been available on the Market for quite some time. Without the knowledge of the app developers, criminals added malicious code to the apps and resubmitted the modified versions to the Market. The apps are infected with Droid Dream Light (DDLight), a variant of the DroidDream malware which was injected into more than 50 apps in March 2011.
Top 10 mobile controls and design principles
The saying that ‘nothing is unbreakable’ was proven once more when forensic experts from ElcomSoft managed to break the hardware encryption Apple introduced with iOS 4.
As a reminder, with the iPhone 3GS Apple introduced a hardware encryption chip. Following the release of iOS 4, Apple introduced the Data Protection feature, 256-bit hardware encryption for all the devices featuring the chip. This is also one of the reasons why millions of users complained that their iPhone 3GS slowed down to a crawl following the iOS 4 update.
There is a great free Android app called Privacy Inspector which scans your apps to find out what they are doing with your phone’s information.
Most of this sort of info is collected and sold to advertisers.
What a stupid phishing site.
This site goes to great lengths to make sure you double-check that the URL you’re on is accounts.craigslist.org.
And it isn’t.
It’s been about six months since I reported a vulnerability in the Android mobile platform that allowed the unprompted installation of arbitrary applications with arbitrary permissions on a victim’s device. While the vulnerability has long been fixed on Android handsets around the world, I’ve yet to write up any technical details about it, and it’s unlikely you’ve heard of it unless you were present at our ShmooCon presentation earlier this year. So without further ado, let’s dive into “When Angry Birds attack: Android edition.”
Project is hosted on github: https://github.com/wuntee/androidAuditTools
When taking the SANS reverse engineering malware class, the two analysis techniques taught are dynamic and static. These concepts/techniques are directly applicable to any sort of reverse engineering. When I am assessing, or pen-testing, an application I usually separate my thought process into one of those two buckets. During dynamic analysis of a mobile device it becomes very difficult to understand what’s going on in the operating system due to the lack of automated tools; there are no tools that can easily hook into the kernel processes that tell you key information like network connections, file writes, etc.
The Guardian Project – Open-Source Mobile Security [guardianproject.info]
Android Security User Guide
Introduction
This document is meant to serve as a basic How-To Guide for customizing your Guardian experience – from rooting your device via recommended guides to using the suite of specific available applications. There’s a reason we maintain this as a Wiki – should you fail to find the answer to your question here, don’t hesitate to contribute or comment! The following channels can be quite helpful as well for Q&A:
Confidential communications tapped by default
Internet phones sold by Cisco Systems ship with a weakness that allows them to be turned into remote bugging devices that intercept confidential communications in a fashion similar to so many Hollywood spy movies, SC Magazine reported.
Secure Network Administration highlights of the week
Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address from the MAC address. Many see this as a privacy problem: the last half of your IP address never changes, and since MAC addresses are more or less unique, the interface ID becomes close to a unique ‘cookie’ identifying your system no matter which network you connect from.
As a result, RFC 3041 (since superseded by RFC 4941) introduces ‘privacy enhanced’ addresses: the interface ID is generated from a hash that mixes the EUI-64 value with a stored random history value, and it is regenerated periodically so the address changes. Of course, each operating system has its own way to enable privacy enhanced addresses.
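To make the privacy problem concrete, here is an added example (not code from the ISC diary the excerpt comes from) that does the EUI-64 derivation by hand: insert 0xFFFE between the two halves of the MAC and flip the universal/local bit, then OR the result into a /64 prefix. The third function reverses it, which is how you spot, in a log or a capture, the hosts that are not using privacy extensions and recover their MAC. The prefix and MAC are constructed sample values.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC
    (RFC 4291, Appendix A): split the MAC, insert 0xFFFE, invert the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address such as 00:1b:21:0a:2c:30")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # The universal/local bit (0x02 of the first octet) is inverted, so a globally
    # unique (vendor-assigned) MAC yields an interface ID with that bit set.
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """Predict the SLAAC address a host without privacy extensions uses on a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))


def leaked_mac(address: str):
    """Return the MAC an EUI-64-derived IPv6 address exposes, or None.

    The 0xFFFE marker in the middle of the interface ID is the tell; a privacy
    (RFC 3041/4941) address is random there and is reported as None. A random
    interface ID contains 0xFFFE at that position with probability 1/65536, so
    treat a hit as a strong hint rather than proof."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join("%02x" % o for o in octets)


if __name__ == "__main__":
    # Constructed sample: the documentation prefix and an arbitrary MAC address.
    addr = eui64_address("2001:db8:1:2::/64", "00:1b:21:0a:2c:30")
    print(addr, "->", leaked_mac(addr))
```

Run leaked_mac over the source addresses in a capture and the hosts that need privacy extensions turned on fall out immediately; the same trick lets an attacker correlate one machine across every network it visits.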
I’ve just published two new IETF Internet-Drafts that document the problem of RA-Guard evasion and propose mitigations. They are:
* ‘IPv6 Router Advertisement Guard (RA-Guard) Evasion’
* ‘Security Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery’
CPNI (http://www.cpni.gov.uk) has published the ‘Security implications of IPv6’ viewpoint document, which is basically an excerpt of a technical report I have been working on for the last couple of years and which will be published soon.
Threats ‘affect every industrialized nation’
A security researcher who voluntarily canceled a talk about critical holes in Siemens’ industrial control systems has criticized the German company for downplaying the severity of his findings.
“The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email posted to a public security list. “This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers.”
The Metasploit Framework has included the useful tools msfpayload and msfencode for quite sometime. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool.
Merging these two tools into a single tool just made sense. It standardizes the command line options, speeds things up a bit by using a single framework instance, handles all possible output formats, and brings some sanity to payload generation.
Mandiant’s free Redline tool is designed for “triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis.” The new utility is meant to replace Audit Viewer, which was Mandiant’s earlier memory analysis tool. Both programs rely on Memoryze for capturing the memory image of the live Windows host, though they can also examine “dead” memory image files.
Unlike the Pro version of Metasploit, one of the limitations when “pivoting” connections from Meterpreter via route is the kind of tools we can use through the pivot. This is because any tool that uses raw sockets will not work through the tunnel; we are limited to TCP and UDP connections that perform a “full connection” (connected sockets). In the case of Nmap, for example, this means we can only run TCP connect scans (-sT) through socks4 and proxychains, and switches such as -sS (SYN scan), -O (OS detection) or similar will be useless. Another option is port forwarding (portfwd), which maps local ports to ports on the victim, but that is limited to TCP connections, which again narrows the choice of tools that rely on UDP. In our case, what we will do is set up an environment that helps us “forward” DNS requests from tools that use UDP (nmap, dnsenum, etc.) through Meterpreter.
Organizations large and small utilize social media for interacting with current and prospective customers, recruiting employees and tracking the sentiment regarding the organization’s products and services. (In this context, social media includes blogs as well as social networking sites such as Facebook and Twitter.) As a security professional, you can also use social media for a related purpose: keeping track of malicious activities and threats against your organizations that attackers sometimes discuss publicly.
When I first started on this post, I intended to write about some fun things one can do with a $30 Rosewill IP camera (RXS-3211). While I still intend to do this in the near future, I decided instead to document an interesting password disclosure vulnerability I found that appears to affect at least 150 different IP-based surveillance cameras. This vulnerability allows a remote, unauthenticated attacker to read and/or change the administrator password on affected devices by sending a single UDP packet. This gives an attacker full control over the device, including access to the video streams. Relatedly, a passive attacker on the local network can retrieve the current password without a MITM attack if the device is currently being administrated.
We have mentioned the ‘Microsoft Support’ scams a few times over the last 6 months or so (http://isc.sans.org/diary.html?storyid=10135), but a recent change in their operations grabbed my interest. A colleague of mine mentioned that other day that he had been the recipient of the mystical ‘Microsoft Support’ call to inform him that they had received an alert from his computer. It was the usual scenario, with a twist.
In previous iterations of this scam the person on the phone would get you to click through to the event viewer to ‘find something red’. Strangely enough there is usually something red in most people’s event log. However, do not despair if you don’t have anything red, yellow is just as bad. Once the problem (well, any problem) was identified your support would have expired and they redirect you to a web site where you can part with your money and download some version of malware.
To date, a major gap exists in vulnerability standardization: there is no standard framework for the creation of vulnerability report documentation. Although the computer security community has made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) [1] dictionary and the Common Vulnerability Scoring System (CVSS) [2], this lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator. In this white paper, a common and consistent framework is proposed for exchanging not just vulnerability information, but any security-related documentation.
RTIR is the incident handling and ticketing system used by JANET CSIRT, and builds upon the popular open source ticketing system RT. RTIR was originally developed for JANET CERT by Best Practical, with further development guided by the RTIR Working Group as part of TF-CSIRT.
Attacks can’t be avoided, but can be mitigated.
French bank Societe Generale has released a guide to help businesses prepare and defend against Distributed Denial of Service (DDoS) attacks.
The guide covers preparation, identification, containment, remediation, and aftermath and is the fourth incident response management document released by the bank.
There is a lot of malware out there, and sometimes it’s very difficult for security researchers or AV vendors to estimate the extent of such a threat (e.g. a trojan). One technique to do this is called sinkholing: the goal is to register malicious botnet domains proactively or reactively to prevent the criminals from exerting command and control over hijacked/infected computers, and at the same time warn ISPs of infected computers.
I’d like to come back to an issue I faced yesterday with one my servers. I think that this story could be a good example as part of an IPv6 awareness program…
One of my servers in my home lab runs several virtual machines. This server is reachable from outside via a VPN. On Sunday morning, I tried to access from a remote location and was ejected with a nice “connection timeout” for the SSH port. After some checks, the server looked to be ok, all the other services were running fine, the VM’s were working as expected.
Over the last few weeks there’s been a lot of commentary around the breach of Sony’s PlayStation Network. Sadly, there has been no good discussion of how PSN was breached. What this breach means for Sony is largely defined by how it happened. Before we get to that though let’s go over a quick timeline of some of the important points in the breach’s timeline.
Previously, we have discussed using FOCA to perform reconnaissance on a target company. FOCA is a windows-based tool. Some people would find this unfortunate. But, since BackTrack (our penetration testing linux distribution of choice) is Ubuntu-based, we smart hackers can install a Windows emulation environment called ‘wine’ to install Windows-based software. Here’s how:
INSTALLING WINE IN UBUNTU / BACKTRACK
Wine is one of the easiest packages to get installed in Ubuntu. Simply open up a terminal and enter the following text to install wine:
sudo apt-get install wine
And, because we’ll need ‘rar’ installed later on to handle an archive we download, enter the following text in the terminal to download and install ‘rar’
sudo apt-get install unrar
…
Thinking about that, I’ve decided to gather a list, the most complete I could, of all the vulnerable pentesting tools I could find. They are categorized based on the type of application, like Web Pentesting, War Games and Insecure Distributions. Due to the number of tools I won’t be doing any previews, because it would delay this post a lot and make it a little boring to read. I’m gonna review every tool with complete labs later on in future posts.
Some of the most common banking trojans we run into are versions of ZeuS (ZBot) and SpyEye. These are not your average bots. They are commercially developed crimeware. The trick is that the groups that develop and sell ZeuS and SpyEye do not use them themselves.
Today I spent a little time looking into a packet capture supplied by Vivek Ramachandran at SecurityTube. This packet capture is part of a series of WiFi hacking challenges he is putting together, and immediately after opening it I got freaked out.
Normally, packet captures are sorted by their capture timestamp, though there is no requirement for that to be the case. In Vivek’s challenge, the packet capture appears to be intentionally out-of-order to make analysis more difficult. You can open it up in Wireshark and sort by the timestamp column, but it makes it impossible to apply packet filters such as ‘frame.number < 10000’ since the frame number isn’t related to incrementing timestamps.
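Sorting the display in Wireshark does not change the frame numbers, so a filter on frame.number still selects by file position, not by time. The fix is to rewrite the file with its records in timestamp order (later Wireshark releases ship a reordercap utility for this). The following is an added example, not part of the original post or of Vivek’s challenge, that parses the classic libpcap format (24-byte global header, 16-byte record headers) with struct, stable-sorts the records by (seconds, fraction) and writes them back; the out-of-order sample capture is constructed in the code. pcapng files are not handled.

```python
import struct

# Classic pcap magic numbers as they read when the first 4 bytes are unpacked little-endian.
_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}


def parse_pcap(data: bytes):
    """Return (global_header, endian, records); a record is (ts_sec, ts_frac, orig_len, payload)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = _MAGICS.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_frac, orig_len, payload))
    return data[:24], endian, records


def reorder_pcap(data: bytes) -> bytes:
    """Rewrite the capture with records in timestamp order, preserving byte order and header."""
    header, endian, records = parse_pcap(data)
    # list.sort is stable, so frames with identical timestamps keep their file order.
    records.sort(key=lambda r: (r[0], r[1]))
    body = b"".join(struct.pack(endian + "IIII", s, f, len(p), o) + p for s, f, o, p in records)
    return header + body


def timestamps(data: bytes) -> list:
    """Timestamps in file order, for checking before/after."""
    return [(s, f) for s, f, _, _ in parse_pcap(data)[2]]


def build_pcap(records, endian="<") -> bytes:
    """Write a classic pcap (Ethernet link type, microsecond timestamps) from
    (ts_sec, ts_usec, payload) tuples. Used here only to construct sample data."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack(endian + "IIII", s, u, len(p), len(p)) + p for s, u, p in records)
    return header + body


# Constructed sample: three frames deliberately stored out of time order.
SAMPLE = [
    (10, 0, b"\x01" * 20),
    (5, 500, b"\x02" * 30),
    (5, 100, b"\x03" * 10),
]

if __name__ == "__main__":
    messy = build_pcap(SAMPLE)
    print("before:", timestamps(messy))
    print("after: ", timestamps(reorder_pcap(messy)))
```

After the rewrite, frame numbers increase with time again and a filter such as frame.number < 10000 means what you expect.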
Secure Development highlights of the week
The best exploits are often not exploits at all — they are code execution by design. One of my favorite examples of this is a signed java applet. If an applet is signed, the jvm allows it to run outside the normal security sandbox, giving it full access to do anything the user can do.
Metasploit has supported using signed applets as a browser exploit for quite a while, but over the last week there have been a couple of improvements that might help you get more shells. The first of these improvements is replacing RJB signing (which requires a JDK and was somewhat difficult to get working) with OpenSSL (which works out of the box with a default Ruby installation). That led directly to the second major improvement: once the RJB dependency went away, it was a lot easier to support user-supplied certificates.
Earlier this year, we at SSL Labs conducted a second, much deeper survey of SSL usage. (I can now say ‘we’ and really mean it, because most of the work on the survey was done by my Qualys colleague, Michael Small.) I presented the results last week at Hack In The Box Amsterdam:
Back from the Swiss Cyber Storm and Hack In The Box conferences, it’s time to post about my conference talks.
Q: What is Cookiejacking?
A: Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim’s cookies without any XSS.
Any cookie.
Any website.
Ouch.
During the creation of a hacking challenge about XSS we had to figure out how to bypass the new anti-XSS filter in Google Chrome. It was included in the latest release and we were in the middle of a hacking challenge about XSS and Session Fixation. We were thinking about changing the rules of the game, but we managed to bypass the filter in an easy way, so we didn’t change them and players were also able to discover it. This is the ‘how’:
The SharePoint Hacking Diggity Project is a research and development initiative dedicated to investigating the latest tools and techniques in hacking Microsoft SharePoint technologies. This project page contains downloads and links to our latest SharePoint Hacking research and free security tools. Assessment strategies are designed to help SharePoint administrators and security professionals identify common insecure configurations and exposures introduced by vulnerable SharePoint deployments.
A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed php files to be uploaded. However, I couldn’t help asking: what if php uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self-contained .htaccess web shells. I wrote both a php and a server side include shell, but other options can easily be added (jsp, mod_perl, etc).
When the IE team talks about Cross-Site-Scripting (XSS) attacks, we’ve usually grouped them into three categories
* Type 0: DOM-based XSS
* Type 1: “Reflected” XSS
* Type 2: Persistent/Stored XSS
DOM-APIs like toStaticHTML enable pages to protect themselves against Type 0 attacks. The Internet Explorer XSS Filter can block Type 1 attacks by detecting reflected script and neutering it. Servers can protect themselves against Type 2 attacks using the Anti-XSS library to sanitize stored data.
It turns out, however, that there’s a fourth type of XSS attack: Socially-engineered XSS. In a socially-engineered XSS attack, the user is tricked into running an attacker’s JavaScript code in the context of the victim site. Even if a site follows best practices to block XSS Types 0, 1 and 2, it may still be vulnerable to Socially Engineered XSS attacks.
Most high-profile cyberattacks are enabled by flaws in computer systems’ software, so-called software vulnerabilities in the application layer. As a preliminary step towards addressing the problem of software vulnerabilities, we have compiled a list of existing initiatives focused on finding and preventing software vulnerabilities. This document provides a comprehensive list of different SSE initiatives, with a focus on the EU, but also including some major US and global SSE initiatives.
Summary
The Basic Upload form on Flickr.com was vulnerable to CSRF. Visiting a malicious page while logged in to Flickr.com (or using the Flickr.com ‘keep me signed in’ feature) allowed an attacker to upload images or videos on the user’s behalf. These files could have any of the visibility / privacy settings that the user can set in the Basic Upload form. Uploading files did not require any user intervention and/or consent.
LinkedIn SSL Cookie Vulnerability [www.wtfuzz.com]
LinkedIn is a business-oriented social networking site. Founded in December 2002 and launched in May 2003, it is mainly used for professional networking. As of 22 March 2011, LinkedIn reports more than 100 million registered users, spanning more than 200 countries and territories worldwide.
There exist multiple vulnerabilities in the way LinkedIn handles cookies and transmits them over SSL. These vulnerabilities, if exploited, can result in hijacking of user accounts and/or modification of user information without the consent of the profile owner.
The following is a guest blog post by Denis Sinegubko, a malware researcher, security blogger, and software developer. Denis is the creator of Unmask Parasites, a free tool for checking websites for badware.
Matt Cutts, the head of the webspam team at Google, recently tweeted about a new black hat SEO trick:
“A recent spam trend is hacking websites to insert rel=canonical pointing to hacker’s site. If U suspect hacking, check 4 it.”
A few days later, he wrote about it in his blog post about rel=canonical corner cases.
If Matt Cutts pays so much attention to this and calls this a trend (not just individual cases) it’s definitely something worth looking into. So I decided to find more information about this “canonical” issue.
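A defender-side check for the injected rel=canonical trick described above, as an added example (not Denis Sinegubko’s or Unmask Parasites’ code): it parses a page and flags any canonical link whose host differs from the page’s own host. The sample HTML and the host name spam-host.example are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _CanonicalCollector(HTMLParser):
    """Collect href values of every <link rel="canonical"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        # attrs is a list of (name, value); value may be None for bare attributes
        a = {k.lower(): (v or "") for k, v in attrs}
        rel_tokens = a.get("rel", "").lower().split()
        if "canonical" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


def foreign_canonicals(page_url: str, html: str) -> list:
    """Return canonical hrefs that point to a host other than the page's own.

    Relative canonicals (no host) are left alone; they cannot hand ranking
    to another site, which is what the hijack relies on.
    """
    own_host = (urlparse(page_url).hostname or "").lower()
    parser = _CanonicalCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and host.lower() != own_host:
            flagged.append(href)
    return flagged


# Constructed sample page: one legitimate canonical and one injected one.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/s.css">
<link rel="canonical" href="http://spam-host.example/page">
<link rel="canonical" href="https://www.example.com/page">
<link rel="canonical" href="/page">
</head><body>content</body></html>"""

if __name__ == "__main__":
    print(foreign_canonicals("https://www.example.com/page", SAMPLE_HTML))
```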
Computer scientists have developed software that easily defeats audio CAPTCHAs offered on account registration pages of a half-dozen popular websites by exploiting inherent weaknesses in the automated tests designed to prevent fraud.
Decaptcha is a two-phase audio-CAPTCHA solver that correctly breaks the puzzles with a 41-percent to 89-percent success rate on sites including eBay, Yahoo, Digg, Authorize.net, and Microsoft’s Live.com. The program works by removing background noise from the audio files, allowing only the spoken characters needed to complete the test to remain.
The Insecurity of Google’s ClientLogin Protocol
Google announced that they are going to fix the issue also for devices with older Android versions. The fix does not require an update of the Android OS and will be transparent to the user. So, as far as we know, users will not get any feedback when the update becomes available on their devices. The fix is based on a changed configuration file for Google services on the device. The update mechanism might be similar to the application removal or Android Cloud to Device Messaging (C2DM) features. The update will only ensure encrypted synchronization of Calendar and Contacts. The Picasa synchronization, which was integrated in Android 2.3, will remain unencrypted.
Cryptographic side channel attacks usually leverage state changes on the system to get additional sources of information that can lead to shortcuts for breaking the cipher. Cache attacks, for example, exploit the inter-process leakage of memory access patterns. We won’t be elaborating more on this in this blog. Concept to grasp here: cache hit or miss events can be useful, and not only for cryptanalysis.
Privacy-wise, any additional sources of information can come in handy for tracking purposes (as we’ve seen before). Third party cookies help advertising companies to hinder our ability to remain untraced while skipping from one website to another.
During a recent security test [1] I found a Tomcat server with default username and password, great I thought, easy shell. I fired up Metasploit, chose multi/http/tomcat_mgr_deploy, pointed it at the server and let it go. Bang, fail. I’ve never had this fail before so I checked my options and fired it off again, fail again. I checked the options again and the server and found it was a Linux x86_64 box but the 64 bit payload appeared to be broken. So I tried the generic payload, still nothing.
Deobfuscating the Facebook Spam Script [www.kahusecurity.com]
The latest Facebook spam Javascript code was sent to me. Apparently there are two versions, one was obfuscated while the other wasn’t. Lucky me, I get the obfuscated one!
My first thought was “wow, nice obfuscation but should be easy to get around”. Ha, no such luck. The second layer is worse than the first. Do you see the fifth line from the top on the right-hand side? It’s callee!
Friends, Romans, Countrymen – Lend me your ears!
It is my pleasure to announce the official release of ESAPI 2.0GA!
This release features some key enhancements over ESAPI 1.4.x including, but not limited to:
* Upgrade baseline to use Java5
* Completely redesigned and rewrote Encryptor
* New and Improved Validation and Encoding Methods
* Complete redesign of the ESAPI Locator and ObjectFactory
…
Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):
Cryptographically Strong
A key feature of any session handler is the cryptographic strength of the session token or session ID. A session handler must issue tokens which are unpredictable and large enough to be unguessable. Session tokens should be user unique, non-predictable, and resistant to reverse engineering. A trusted source of randomness must be used to generate the session tokens.
Appropriate Key Space
Even cryptographically secure algorithms allow an active session token to be easily determined if the keyspace of the token is not sufficiently large. Attackers can essentially “grind” through most possibilities in the token’s key space with automated brute-force scripts. A token’s key space should be sufficiently large enough to prevent these types of brute force attacks, keeping in mind that computation and bandwidth capacity increases will make these requirements change over time.
Session Identifier Entropy
The session identifier should use the largest character set available to it. If a session identifier is made up of, say, 8 characters of 7 bits each, the effective key length is 56 bits. However, if the character set is made up only of digits, each of which can be represented in 4 bits, the key space is only 32 bits. A good session identifier should use as many characters as possible. Exceptions to this can be made, however, for special control characters that would require escaping and thus complicate development. Most application frameworks use the characters A-Z and 0-9, and some add case sensitivity by including a-z.
Validate SessionID values coming from clients
All input from clients should be encoded and validated. Many frameworks validate and encode GET and POST parameters, but fail to adequately encode sessionID values inside of cookies as submitted from the client. The ESAPI code uses an ESAPI method to clean sessionID values:
public String getRequestedSessionId() {
    String id = request.getRequestedSessionId();
    String clean = "";
    try {
        // Whitelist-validate against the HTTPJSESSIONID pattern, at most 50 characters, nulls not allowed
        clean = ESAPI.validator().getValidInput("Requested cookie: " + id, id, "HTTPJSESSIONID", 50, false);
    } catch (ValidationException e) {
        // Validation failed: fall through and return "" so no session is resumed from the tainted value
    }
    return clean;
}
Source: link
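To put numbers on the key-space discussion above and to mirror the ESAPI whitelist idea, here is an added example (not OWASP’s or ESAPI’s code): it computes the effective key space of a token for a given alphabet and length, sizes a token drawn from the OS CSPRNG to a target strength, and whitelist-validates a session id arriving from the client. The regex and the 50-character cap are assumptions standing in for ESAPI’s HTTPJSESSIONID pattern, not its exact definition.

```python
import math
import re
import secrets
from typing import Optional

# Alphabets discussed in the OWASP text: digits only, A-Z plus digits, and case-sensitive.
DIGITS = "0123456789"
HEX = "0123456789abcdef"                 # 16 symbols = exactly 4 bits per character
ALNUM_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
ALNUM_MIXED = ALNUM_UPPER + "abcdefghijklmnopqrstuvwxyz"

# Assumed whitelist for a client-supplied session id: alphanumeric only, length capped at 50,
# in the spirit of ESAPI's HTTPJSESSIONID validator (this is not ESAPI's actual regex).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{8,50}$")


def key_space_bits(alphabet: str, length: int) -> float:
    """Effective key space in bits for `length` symbols drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def length_for_bits(alphabet: str, target_bits: int) -> int:
    """Smallest token length over `alphabet` whose key space reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_session_id(alphabet: str = ALNUM_MIXED, target_bits: int = 128) -> str:
    """Generate a session id from the OS CSPRNG (secrets), sized to the target key space."""
    length = length_for_bits(alphabet, target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def clean_requested_session_id(raw: Optional[str]) -> str:
    """Same contract as the ESAPI snippet: return the id only if it passes the whitelist,
    otherwise return "" so the caller starts a fresh session instead of resuming one."""
    if raw is None or not SESSION_ID_RE.fullmatch(raw):
        return ""
    return raw


if __name__ == "__main__":
    for name, alphabet in (("digits", DIGITS), ("hex", HEX), ("A-Z0-9", ALNUM_UPPER), ("mixed", ALNUM_MIXED)):
        print(f"{name:7s} 8 chars -> {key_space_bits(alphabet, 8):5.1f} bits; "
              f"need {length_for_bits(alphabet, 128)} chars for 128 bits")
    print(generate_session_id())
```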
Have a great weekend.