Monday, December 13

Protection and Response to User Account Leaks

Today it is being widely published that Gawker Media has had their entire database of user accounts and passwords (DES encrypted) leaked to the public.  Although this event may have been limited to those with user accounts on Gawker properties, imagine this happening on a major service like Google, Hotmail, or your bank.

The two most significant impacts to most people are:

1)  Gaining access to the exposed Gawker services.  Once the encryption on the password data is brute forced, it is possible for someone to log in to the service directly as you.

2)  Reuse of passwords on other services.  Because humans are creatures of habit, we tend to reuse usernames and passwords across services, so if someone can find your email address and password, they can attempt to log in to other services as you as well.

This provides an opportunity to reflect on methods of preventing and responding to these types of events.

Response - Although it appears to be a good idea to change the password on the affected service account immediately, one of the serious issues with this is that the system on which you are changing the password may itself be compromised, which would hand the attacker the new password.

Also, if you are the security manager for an organization, get a copy of the dumped account information and find out if you have any affected users.  Do a search for your company name / domain name, and/or search for hashes of email addresses.
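The search described above, as an added example that is not part of the original post: it matches a dump's identity field against an organization's own domains in plaintext and against MD5/SHA-1/SHA-256 digests of its users' addresses (the record layout, addresses and password fields are constructed for the example).

```python
import hashlib
from collections import namedtuple

# Constructed sample: an organization's own user list and the domains it owns.
# These are made-up addresses for the example, not from any leaked data.
ORG_DOMAINS = {"example.com"}
ORG_USERS = ["Alice@Example.com", "carol@example.com", "dave@example.com"]

Match = namedtuple("Match", "line_no identity how")
HASHES = ("md5", "sha1", "sha256")


def normalize(email):
    # Lowercase and trim so "Alice@Example.com " and "alice@example.com" agree.
    return email.strip().lower()


def digest_index(emails):
    # Map every hex digest of each watched address back to that address, for
    # the hash functions a dump is likely to use on an obfuscated email field.
    index = {}
    for email in map(normalize, emails):
        for name in HASHES:
            index[hashlib.new(name, email.encode()).hexdigest()] = (email, name)
    return index


def find_affected_users(dump_lines, org_users, org_domains):
    """Return a Match for every dump record belonging to one of our users.

    A record is assumed to be "id,email-or-hash,password-field"; only the
    second field is examined, the password field is never touched.
    """
    index = digest_index(org_users)
    domains = {d.lower() for d in org_domains}
    matches = []
    for line_no, line in enumerate(dump_lines, start=1):
        fields = line.strip().split(",")
        if len(fields) < 2:
            continue
        ident = normalize(fields[1])
        if "@" in ident:
            # Plaintext address: match on the domain part only.
            if ident.rsplit("@", 1)[1] in domains:
                matches.append(Match(line_no, ident, "plaintext"))
        elif ident in index:
            # Hashed address: match against precomputed digests of our users.
            email, algo = index[ident]
            matches.append(Match(line_no, email, algo))
    return matches


def build_sample_dump():
    # Constructed dump excerpt; the hashed entries are computed here so the
    # sample stays consistent with whatever hashlib produces.
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()

    def sha1(s):
        return hashlib.sha1(s.encode()).hexdigest()

    return [
        "1001,alice@example.com,abJnggxhB/yWI",            # plaintext, our domain
        f"1002,{md5('carol@example.com')},Xy3kL.Q7mPz1k",  # md5 of our user
        "1003,bob@othercorp.org,9f2Ma8qP0d0hw",            # someone else's user
        f"1004,{md5('nobody@elsewhere.net')},zzz",         # digest we do not know
        "1005,Erin@EXAMPLE.COM,..",                        # case differs, still ours
        f"1006,{sha1('dave@example.com')},..",             # sha1 of our user
        "garbage line with no commas",                     # skipped
    ]


if __name__ == "__main__":
    for m in find_affected_users(build_sample_dump(), ORG_USERS, ORG_DOMAINS):
        print(f"line {m.line_no}: {m.identity} ({m.how})")
```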

Prevention - IMPORTANT - stop using the same passwords across systems.  Although this is an inconvenience, using different passwords across services will prevent someone from using a compromised password on other services.  Come up with a scheme that works for you to create unique passwords for different services that you can remember.

Use strong passwords.  There are great strong password generators that you can use to come up with good passwords.

Change your passwords occasionally.  Once a year will prevent really stale passwords from being compromised and used, plus it will keep you exercising your brain to remember new passwords.

Use multifactor authentication where possible.  Google and others have made it easy to implement two factor authentication using things like smart phones, SMS, public phones, etc.  These are easy to implement and make a password compromise a non-event.

Tuesday, November 23

Google Application Security Info

I've covered this before, but Google's team has done a fantastic job of promoting improved application security practices.  Gruyere (http://google-gruyere.appspot.com/) is a set of application security training activities focused on educating developers on how to identify and respond to application security issues using a real application.  For those with no budget for security training, this is perfect!

Monday, October 18

Security Updates - Monday October 18th

It's been close to a month since my last post.  Here is a quick list of a few things that are worth mentioning in the security business today:

Advanced Evasion Techniques - StoneSoft and ICSA Labs are identifying and testing some new network security evasion techniques.  Looks like there is some substance here, as tweets are starting from a few credible sources.  Link - beware, this looks like it might just be vendor FUD!

HD Moore and the Metasploit team have released a new version of the wiki and Metasploit Unleashed.  This is a great resource for anyone needing an intro to pentesting using the framework.  Link

The Social Engineering Toolkit, or SET, has been updated with a few notables including new functionality for the Teensy, the hardware-based HID attack vector.  Link

The 2010 Verizon PCI-DSS report has been released.  Link

Sunday, September 19

.NET Security Issues - Crypto Attack PoC

There has been some news regarding the latest .NET attack, which exposes some of the padding oracle issues related to some of the tokens used by .NET applications.  Some people have been downplaying the issues, saying that these are only theoretical attacks; now researchers have posted a very practical demonstration of the attack on DotNetNuke.  Enjoy!

Thursday, September 9

Adobe 0-day Weaponization

So, it used to take at least some time before published 0-day vulnerabilities were weaponized into malicious trojans and other exploit code.  Now it appears that the time to develop exploit modules is extremely limited, and in some cases the modules are possibly prepared before public release.

As referenced in the Slashdot story, an Adobe spokesman described that the situation could change with the availability of the public samples and exploit code.  I think these types of advisories should be changed to "..the situation has changed, exploit code certainly already exists and has been used privately for some time.."

Tuesday, September 7

Network Analysis - Threat Detection Service

As part of a partnership locally with Metafore we are pleased to be able to provide a new threat detection service.  This service samples your egress network traffic looking for patterns which may indicate that malicious software is operating and abusing your computing environment.

Our team provides the deployed equipment with minimal requirements from you (a span port on the egress network switch, or a tap), and two weeks later we will provide you with a report summarizing what was found and our recommendations regarding controls needed to effectively manage these types of real threats.

We have yet to put this tool in an environment which it was not able to find some form of malicious traffic, really!  Here is a sample of the executive report that is produced.  If you are interested in this service please just drop me an email.

Thursday, August 26

DLL Preloading - Update Microsoft Recommendation

UPDATE September 2nd 2010 - Microsoft has issued new updated guidance and a new tool to help customers manage this within their environments.   This new tool helps configure environments to address the root cause of the issue, while software vendors update applications.  Highly recommend that organizations examine and use this tool to prevent exploitation.

As with most reported vulnerabilities, Microsoft has issued a response to the DLL Preloading issue that has been hotly discussed.  Their advisory is interesting:

1.  First they recommend disallowing outbound SMB and WebDAV access (at the firewall) to prevent users from making preloading connections out to the Internet.  This is a solid recommendation, but more in terms of general guidance than specifically for this issue.  The problem is that a malicious user could simply zip up the affected document with a copy of the DLL and the user would be able to load it locally; HD Moore provides an audit kit that even builds the DLL and sample file that can be used in exactly this way.  This advisory also includes disabling the client WebDAV service, which many legitimately deployed applications use.

2.  Second they provide a tool that changes the dynamic library loading behaviour either for the entire system or for applications that are affected.  Again, this is intended behaviour: there are applications that load DLLs at runtime from the current path in order to start appropriately.  This is a solid recommendation, but there may be significant impact to your client's environment.

3.  Third they recommend that developers of applications change individual application DLL loading behaviour to include explicit path definitions, and to use routines other than DLL loading for system functionality.  These recommendations can be found in this MSDN article.

I recommend organizations utilize the audit kit provided by Metasploit to determine which of their applications are affected by the issue; however, make sure that you check applications which might not have their extensions registered with the system, as the audit kit uses these extensions to build the list of files to check.  Once you know which applications are affected, make a judgement call on which ones to restrict from loading using the Microsoft tool.  Additionally, clients should contact each of the affected vendors to ensure that a fix to the application is provided as soon as possible.
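The first recommendation above (no preloading connections out to the Internet) is only useful if you can see the attempts, so here is a detection pass over egress logs, added as an example rather than anything from Microsoft's advisory or the audit kit: it flags outbound SMB to non-internal hosts in a Windows Firewall log and WebDAV mounts (PROPFIND, or the WebClient service's Microsoft-WebDAV-MiniRedir user agent) to non-internal hosts in a proxy log. The internal address ranges, the tab-separated proxy log layout and all sample lines are constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed internal address space for the example; an organization would list
# its own ranges here. Anything outside these is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {139, 445}
WEBDAV_AGENT = "Microsoft-WebDAV-MiniRedir"  # user agent of the Windows WebClient service

Alert = namedtuple("Alert", "source client destination reason")


def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def scan_firewall_log(lines):
    """Flag outbound SMB connections to external hosts in a Windows Firewall log.

    pfirewall.log W3C fields: date time action protocol src-ip dst-ip src-port
    dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    """
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[3] != "TCP" or not f[7].isdigit():
            continue
        action, src, dst, dport = f[2], f[4], f[5], int(f[7])
        # A DROP is still worth an alert: something on that host tried to reach out.
        if dport in SMB_PORTS and is_external(dst):
            alerts.append(Alert("firewall", src, f"{dst}:{dport}",
                                f"outbound SMB ({action})"))
    return alerts


def scan_proxy_log(lines):
    """Flag WebDAV activity to external hosts in a (constructed) proxy log.

    Assumed tab-separated fields: client-ip method url dest-ip user-agent.
    A PROPFIND request or the WebClient user agent means Explorer is mounting
    a remote folder, which is how a planted DLL next to a document gets fetched.
    """
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue
        client, method, url, dest, agent = parts
        if not is_external(dest):
            continue
        if method == "PROPFIND" or WEBDAV_AGENT in agent:
            alerts.append(Alert("proxy", client, url, f"WebDAV {method} from {agent}"))
    return alerts


# Constructed sample logs (documentation-range addresses, not real hosts).
FIREWALL_SAMPLE = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-08-26 09:12:01 ALLOW TCP 192.168.32.5 203.0.113.10 49170 445 0 S 0 0 0 - - - SEND
2010-08-26 09:12:05 ALLOW TCP 192.168.32.5 192.168.32.20 49171 445 0 S 0 0 0 - - - SEND
2010-08-26 09:13:00 DROP TCP 192.168.32.7 198.51.100.4 49200 139 0 S 0 0 0 - - - SEND
2010-08-26 09:13:30 ALLOW TCP 192.168.32.7 198.51.100.4 49201 443 0 S 0 0 0 - - - SEND
""".splitlines()

PROXY_SAMPLE = [
    "192.168.32.5\tPROPFIND\thttp://203.0.113.10/documents/\t203.0.113.10\tMicrosoft-WebDAV-MiniRedir/6.1.7600",
    "192.168.32.5\tGET\thttp://203.0.113.10/documents/policy.ppt\t203.0.113.10\tMicrosoft-WebDAV-MiniRedir/6.1.7600",
    "192.168.32.9\tGET\thttp://www.example.com/\t198.51.100.7\tMozilla/5.0",
    "192.168.32.9\tPROPFIND\thttp://intranet/share/\t10.1.2.3\tMicrosoft-WebDAV-MiniRedir/6.1.7600",
]


def scan_all():
    return scan_firewall_log(FIREWALL_SAMPLE) + scan_proxy_log(PROXY_SAMPLE)


if __name__ == "__main__":
    for a in scan_all():
        print(a)
```

As the post notes, this catches only the remote-share variant; a document zipped up together with its DLL never crosses the egress point, which is why the loader-behaviour tool and vendor fixes still matter.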

Tuesday, August 24

Windows DLL Injection Vulnerability

Most of the security world has now heard about the vulnerability that was reported by HD Moore regarding the linking of malicious DLL files by using remote shares in the Windows filesystem.  This issue has also been discussed at Slashdot by many users.

Since Metasploit is constantly updated with the latest public exploits, I decided to try this one out to see how easy it really is on the Windows 7 platform.  Here are the Coles Notes and results of my attempts.

1.  Prep my test environment.  I use a Windows 7 box fully patched running Windows Defender as my primary Windows work environment.  I also have the convenience of using VMware fusion to virtualize the environment so it was easy to clone my installation to create a sample copy.  I made sure to use the host-only networking so I can isolate the Windows box with metasploit.

2.  I updated my metasploit environment running on my OSX host.  A quick svn update gave me the latest code.  Version 10133 checked out.

3.  I opened msfconsole and loaded the "windows/browser/webdav_dll_hijacker" exploit.  I also set the payload to be the "windows/meterpreter/reverse_tcp" to get an interactive session with the exploited box.  You need to set some options to have it work, so I set the RHOST and SRVHOST variables to my internal host IP address 192.168.32.1.

4.  The last option to set is with the exploit, and I chose to give the file extension ppt and pptx for the exploited file to trigger an opening of Microsoft's PowerPoint application.  This names the resulting files to policy.ppt and policy.pptx.

5.  Type "exploit" and my listener is started and a webserver is created to host the two exploitable files.

6.  On the Windows 7 box, I enter "http://192.168.1.32/documents/" into the address bar.  The browser notices that this is a webdav supported server and loads explorer to display the remote files in the browser window.

7.  Double clicking on the ppt file alerts me that the browser is trying to access a share that requires additional privileges and asks me to confirm the operation, which I do - I really want to test the exploit!

8.  I choose allow to accept the executable attempt to run, and the exploit is run on the Windows 7 box.  I confirm by checking that there is an active session in meterpreter.

Thursday, July 8

SmartPhone Malware

In 2009 at the CanSecWest conference in Vancouver, mainstream media reported that because no hackers were able to exploit vulnerabilities on the common smartphone platforms, those platforms were secure.  Now NetQin has shown that they have identified a new set of malware targeting the Symbian platform.  Just more confirmation that any platform is susceptible to malware if it is an attractive enough target.

Monday, June 28

TDL3 - Decomposed by F-Secure

F-Secure's team of researchers does a great job of dissecting yet another piece of malware. This time it's TDL3, an example of increasingly complex and carefully architected software. F-Secure's analysis of this bot shows some interesting trends:
- The code uses low level disk access to prevent its detection by file-scanning tools, and to provide itself with full disk access
- The implementation of an encrypted file-system within a protected area of the infected machine's disk
- The hooking of browser processes and forwarding of search terms to the bot's C&C servers

Interesting read.

Monday, June 21

New NSS Labs End-point Security Report

In a new report released by NSS Labs, 10 anti-malware vendors are described as taking anywhere between 4 and 90 hours to protect their customers from new threats.  The report also mentions up to 50,000 new threats each day that entice users to click malicious links within compromised web pages.

The vendors covered by the report include AVG, Norman, ESET, Panda, F-Secure, Sophos, Kaspersky, Symantec, McAfee and Trend Micro.  A sample of the report is available here, but the full version with all the juicy details is $495.00 USD.

Monday, June 7

OSX Exploitation Step-by-Step

For the non-programmers/hackers it might be a little difficult to understand, but D1DN0T has written an excellent walk-through for a penetration test of a service which is running on OSX.  This write-up is good because it shows some of the common problems that occur during debugging and some of the methods of investigating ways around them.  This seems like a trivial exploit to create, although I'm sure that much more time and effort went into putting the exploit together than is explained in the text.

Wednesday, May 5

Google's Web Application Security Training Resource - Jarlsberg.appspot.com

"Do no evil".  No really.  The Google software team is really firing on all cylinders lately: first it was the passive web application security tool ratproxy, then the active web application security assessment tool skipfish, and now the people at Google Code University have released a training framework for web developers, security analysts, and anyone else interested in some of the most prevalent web application security threats.

Google Code University has released a distributable web application named Jarlsberg, coded in Python, which provides excellent examples of vulnerable application issues.  This includes some common and less-than-common tests (Reflected XSS via AJAX!), including XSS, XSRF, DoS, Code Execution, SQLi, and various others.

Before this, people used WebGoat and other forms of vulnerable applications that came packaged in some of the more popular security live CDs.  This makes all of those obsolete, as it is simple to set up and use, and to reset back to its original state.

Although this application isn't as complex as many real web applications, its explanations of the issues, and exploitation hints, make it the perfect test-bed for a simple introductory course (and self-study material) into web application security testing (more to come on this soon!).

Thursday, April 29

Cinco DNSSEC Mayo

For many, the switch on May 5th to the new DNSSEC support in the root server pool is long overdue; for others the switch has people jumpy, dreaming up reasons why this will "kill your internet". Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, says "No-one is going to completely lose Internet service as a result of the signed root -- or indeed any DNSSEC deployment efforts -- and I certainly didn't say that it," of the Register story. "The worst that is going to happen is that a tiny minority of users behind mis-configured firewall or middleware boxes may experience some performance degradation when their clients have to attempt alternative paths for resolving names," says Mitchell.

As defined by DNSSEC.net "it was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence."

This is intended to protect people from far worse things (phishing, DNS poisoning, rewriting, etc.) than having to resolve names through alternate servers. For an easier description, Wikipedia as always has us covered.

Happy Cinco DNSSEC Mayo!

Wednesday, April 28

Akamai State of the Internet Report

Akamai has released the latest of their reports on the state of the global Internet.  The report is biased toward information relevant to the US, but still has plenty of useful and meaningful global data as well.  A few interesting tidbits:

Top Average Measured Connection Speed (by Country) - South Korea at 11.7Mbps
Canada Average Measured Connection Speed - Not listed (not in the top 10)

Top Unique IP Addresses per Capita (how many IP addresses per person) - Norway at .49, or 1 IP for every two people
Canada - Not listed (not in the top 10)

Top Attacked Port - TCP/445 (Microsoft DS) for 74% of the attack traffic observed.

Check out the report yourself (you have to give them your email address to get access).

Wednesday, April 21

McAfee Botch, Mistake or Intentional?

If you've been keeping up with the news today regarding the McBlunder by McAfee, you might not have thought of the chance that this might be intentional and malicious.  About a year ago a security researcher documented a case where a remote update was maliciously replaced with other code.  Now most products that do remote updates require some cryptographic signature to make sure that the update is legit (I assume, but don't know for sure, that this is the case for McAfee updates), but what if the update was tampered with and changed before it was signed?  This is not too far-fetched and certainly damages McAfee, and malware authors never pass up these types of opportunities.  It will be interesting to see if this angle is explored at all - or at least what McAfee releases after the internal investigation.

And for those affected - here is the official fix at this time via McAfee

Google's Government Transparency

Here's an interesting link regarding the removal requests that Google receives from different Governments around the world. More interesting is that this information (although not detailed) shows that not all requests are complied with. The overview here explains this in a bit more detail, and also indicates that different rules apply to different countries based on their local laws.

Quite interesting.

Thursday, March 25

Win7/IE8 Exploit - CanSecWest - Vancouver BC, Canada

Recent trends for malware usually point to some older version of Internet Explorer running on Windows XP.  The lack of address randomization and execution protection makes it an easy target to create functioning exploits.  This year's CanSecWest security conference again proves that it draws some of the brightest security researchers from around the globe.

As usual Charlie Miller is there on his "no more free bugs" tour - pointing out that Apple still hasn't taken security seriously enough, and showing through 5 lines of Python code ways to reliably identify 20+ exploitable bugs in very common Internet-related applications.  Seriously Apple, time to implement the basics; users of your operating system are not just educated coders and security people, they are common people that like to click through stuff.

More interesting though is the exploit of a fully patched IE8/Windows7 platform by Peter Vreugdenhil.  His two step bug and exploit avoids both the ASLR, and permanent DEP protections which have made this target so difficult to exploit, proving that if it is built by humans it can be unbuilt by humans.  Paper here.

Rounding out the conference so far are French researchers presenting on abuses of computing capability within host-based network cards.  Did you realize that your network card is really an always-on, always-listening mini-computer which can be used to listen in on communications and access host memory directly?

More to come from the conference over the next couple days...

Tuesday, March 23

COBIT 5 - Exposure Draft

ISACA has released an exposure draft which describes the design requirements and objectives for the next version of the COBIT framework.  It appears that a tighter integration with the other ISACA products will be a main focus, ensuring that RiskIT and ValIT processes are tightly integrated.
It will be interesting to see what feedback they get, and the release schedule for the publication.  The continuing development and release of these products keeps ISACA as one of the best professional organizations that provides good return on member dues.

Sunday, March 21

skipfish - Google's Free Web Security Testing Tool

Recently, Google and Michal Zalewski (lcamtuf), author of the other venerable passive web security tool ratproxy, have released a beta version of a second web application security tool, skipfish which performs very optimized security checks of well-known security issues.
As stated within their own documentation the primary design goals are to be high-performance, easy to use, and employ well designed security checks.  I will be comparing this tool to several other tools including AppScan, BurpSuite, and several others, and providing some findings of my own.
Thanks again Google / Michal, this type of continued support helps us and our clients find and fix vulnerabilities!

Update 1: Redspin has a bit of an initial write-up on it.

Update 2:  Simple instructions for 10.6.2 OSX install:
a)  download and unpack both skipfish and libidn.
b)  ./configure and make libidn
c)  select a dictionary that you want to use for bruteforcing server resources (these are used to find server resources not linked from the applications being assessed).  Copy the selected file to the root skipfish directory as skipfish.wl
d) make skipfish
e) run skipfish with selected options:  skipfish -h for a list.

Friday, March 5

Anti-virus, Patching, Drugs and the Immune System

Anti-virus is a hotly debated control.  For some it is a very profitable business model, and for others it is a primary portion of their security environment.  In other circles pointing out faults and weaknesses in anti-virus controls has become a banner for a crusade.  All of this results in confusion for users who are using it to protect themselves against online threats, which makes all of us a little less secure.  I'd like to make the point that if we focused on the causes of our online illnesses, secure software development and patching, this would go a long way to improving our trust in the online community.

Anti-virus, like drugs produced by pharmaceutical companies, is good at one thing: treating known conditions affecting us.  In anti-virus' case this is known malware and viruses.  These treatments are still essential for treating these conditions, and investment in new treatments is also very important.

On the other hand, secure coding, development practices and rapid patching of systems are like our immune system: it's there to help us prevent the infections from occurring in the first place.  And just as doctors provide advice on avoiding situations and preventing conditions which would result in infection, security professionals provide advice on improving processes around the management of our environments, and the behaviours of our users.

Unfortunately, like drugs, anti-virus products are promoted as being a cure-all by some vendors biased by the profits to be had in the sale of these products.  Doctors live by a code of ethics which prevents them from solely relying upon drug treatments to treat, cure and prevent the conditions of their patients. Like doctors, we security professionals need to provide the best advice to our customers, and ensure that we recognize the clear differences between these controls, and recommend and apply the right amounts of prevention and treatment.

Wednesday, March 3

Whitehouse Unveiling Their Cyber Security Initiatives

The Whitehouse has unveiled a report describing the specific initiatives that the US government is taking in reaction to the global cyber security threat.  These 12 initiatives, documented within the Comprehensive National Cybersecurity Initiative (CNCI), appear to be part of a well-coordinated plan championed by Howard Schmidt, the President's Cybersecurity Coordinator, and include:

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
Initiative #4. Coordinate and redirect research and development (R&D) efforts.
Initiative #5. Connect current cyber ops centers to enhance situational awareness.
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
Initiative #7. Increase the security of our classified networks.
Initiative #8. Expand cyber education.
Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.
Initiative #10. Define and develop enduring deterrence strategies and programs.
Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. 

Friday, February 26

Web Application Vulnerability Scanners Compared

Web Application Vulnerability Scanning and Identification is a hot topic for many customers, and there are a number of excellent products which can help with the identification process. Larry Suto has produced the second of his independent evaluations of these products and posted the results.

In addition the guys over at NTO have posted their response to the report which identifies some interesting debates and responses from the vendors based on the results.

This kind of transparency on the effectiveness of these tools is excellent and really highlights the challenges that ALL web application vulnerability scanners have - especially those tools that can't automatically find the vulnerabilities in their own test sites!

Thursday, February 18

Advanced Persistent Threats APTs

APTs or Advanced Persistent Threats are threats in which the threat agent (person or persons responsible) is highly motivated, well resourced, and highly skilled. The modus operandi of these people is to identify high-value target profiles (senior management, financially responsible, and influential) and gain persistent access to sensitive information.

Over the last few months, there has been an increasing number of public reports related to APT incidents:

Although it has been widely reported in the past that malware writers and the criminal elements funding their research were moving in the direction of smaller, more targeted attacks, it appears that this trend has accelerated and is catching many organizations and people off-guard in the process.

There are a couple of difficult challenges associated with countering these types of threats:

1) Threat information - with a few exceptions (government and private intelligence) most people and organizations in the commercial world have no idea who the people behind these attacks are, how they are motivated, the techniques they are using, and what type of information they are after. This severely limits our ability to prevent, detect and respond.

Many of the organizations in the recently reported incidents have fully funded security teams that are quite well trained and, I expect, very capable, but without a better understanding of the threats (who they are, what they are after, how they operate, how to respond) their efforts are not likely to be focused appropriately. Encrypted HTTPS sessions to eastern Europe from client browsers probably don't raise any alarms for most people today. There are many sources of vulnerability intelligence (Adobe has a new 0-day flaw), but very few sources of threat intelligence (criminal gang X in Europe is preparing to target CFOs of petro-chemical organizations by hiring malware developers).

We need to start sharing intelligence better. Governments who are funding intelligence research should expand these programs and build partnerships with the organizations being targeted. This serves to inform the community about current threats, and to collect information regarding incidents. Targets are in most cases commercial non-military organizations who don't have the benefit of being briefed by the NSA on a regular basis. Those governments who don't collect this type of intelligence need to start. And commercially, private industry needs to serve our clients better by ensuring the advice being provided is as accurate and actionable as possible.

A good example of this is the Transglobal Secure Collaboration Program (TSCP).

2) Deployed control ineffectiveness - anti-virus and intrusion detection/prevention products have been developed to respond to malware that is reported to them, in most cases after the infection has occurred. Keeping anti-virus software updated is important, but so is realizing that it only protects from well-known vulnerabilities.

These threats are using custom malware, in some incidents used in only a small number of cases, and developed to be unnoticeable by the target. Exclusive dependence on traditional types of security controls for protection against these threats will only establish a false sense of security.

We also need to adopt a new set of controls and thinking when addressing these threats. We need to start isolating sensitive information and processing away from other less trustworthy activities (web browsing, email, etc.), and we need to be vigilant in protecting them. We should start reintroducing the basic security concepts of fail-close, and whitelisting rather than signature matching, into more of our sensitive processes, and educating our clients on the reasons they are not permitted to update their Facebook profile from the online-banking terminal.

Tuesday, February 16

ScanSafe 56%-80% of 2009 Malware Infections Related to Adobe Acrobat

In a new report released by Cisco's ScanSafe, they claim that 2009 started off with 56% of malware infections occurring by way of flaws found in Adobe Acrobat products. This seems very high to me; I would think that some of the drive-by browser Flash infections are still a larger percentage of this total.

Thursday, February 11

Chip and PIN Vulnerabilities Documented

There is a significant research document that's been published publicly on some issues related to the new Chip and PIN standard. Looks like the vulnerability is associated with a lack of coordination between the organizations involved.

The attack, although sophisticated, is easily used by individuals with no technical understanding of it: simply a "wedge" inserted between the card and the POS device.

Considering that Canada's largest card issuers are all migrating to these cards, this is a big issue. I have not yet confirmed that this affects chip and PIN cards issued in Canada.

Link to press release: http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html

Link to technical paper: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf

Monday, January 18

Targeted Attacks - 2010 Predictions

It doesn't seem long into the new year and we already have two really high-profile targeted attacks:
  • The one reported at the end of December was a targeted attack on Google and a few other companies using some 0-day code. - Google's release
  • The other is a new report of defense contractors being targeted using an only-recently patched exploit for Adobe Acrobat Reader. - F-Secure's writeup
Not surprisingly, the motivation of would-be attackers continues to move from targets of opportunity to targets of value; the surprising thing about it is how quickly this trend is progressing.

Saturday, January 2

Security Updates - 2009/2010

Sorry about the hiatus between posts - it's been a busy holiday season and isn't showing any signs of slowing down in the next few weeks. I've posted a few tweets here and there for some quick updates but nothing major, so here are a few links that have really caught my eye over the last month or so (some really good stuff here!).

Best Practice / Research updates
  • ISACA has published two new sets of documents for members: an updated guideline on implementing and improving IT governance, and a new framework and practitioner tool-set for identifying and managing IT risks. In my opinion the RiskIT material provides a great high-level explanation of the IT risk management principles and provides an excellent set of tools for identifying and measuring risks as part of an assessment. If you have IT risk management responsibilities and aren't a member of ISACA, it's time to sign up!
Security Tool Updates

There are tons of new updates to tools, in fact too many to list them all here - if your job requires finding and using open-source and commercial tools, your toolbox just got a lot bigger.

PacketStorm Security has a bunch of updates to open-source tools recently, too many to list, but notables include:
  • wafp - web application finger printing
  • hostmap - for mining DNS information
  • wapiti - new web application vulnerability scanner
  • scapy - update to a great packet manipulator
  • metasploit! - after the Rapid7 acquisition lots of development happening here...
All for now - have a great new year!