Surviving the Week – 03/30/2012

Will there be a blackout?

The Anonymous hacker group has announced that they will bring down the 13 root DNS servers by DDoS. Is this possible? According to Hackers News, it might not be completely possible to shut down the internet because the ISPs are pretty well prepared for these types of attacks. At this stage, I think the chances of them being able to pull this off are basically nil, because it's too easy to recover from backups and make use of read-only backup DNS servers. We will find out on the 31st (update: looks like they failed, 'cause the internet is still here).

Authorization bypass in McAfee Email And Web Security Appliance

An authorization bypass in the current McAfee Email and Web Security appliance allows any logged-in user to reset the administrator password, which effectively turns any user into the administrator. If a product like "McAfee Email And Web Security Appliance" can have an authorization bypass vulnerability, how certain are you that your custom applications are secure???
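The flaw class described above is worth seeing side by side with its fix. The example below is added here and is not McAfee's code; it uses a constructed in-memory user store with hypothetical function names. The vulnerable handler checks only that the caller is logged in (authentication), while the hardened one also checks that the caller is allowed to touch the target account (authorization) and records every attempt in an audit log, which is what you would alert on.

```python
import hashlib
import hmac
import os

# Audit trail of reset attempts: (caller, target, outcome). In a real system
# this would go to your logging pipeline so denied attempts can be alerted on.
AUDIT_LOG = []


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the parameters here are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store():
    """Constructed sample user store: one admin and one ordinary user."""
    users = {}
    for name, role, password in [("admin", "admin", "initial-admin-pw"),
                                 ("alice", "user", "alice-pw")]:
        salt = os.urandom(16)
        users[name] = {"role": role, "salt": salt,
                       "hash": _hash_password(password, salt)}
    return users


def verify_password(users, username, password) -> bool:
    rec = users.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def _store_new_password(rec, new_password):
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash_password(new_password, rec["salt"])


def reset_password_vulnerable(users, session_user, target_user, new_password):
    """Authentication only: the caller must be a logged-in user, but nothing
    checks whether session_user may change target_user's password. This is
    the shape of the authorization bypass discussed above."""
    if session_user not in users:
        raise PermissionError("not logged in")
    _store_new_password(users[target_user], new_password)
    return True


def reset_password_hardened(users, session_user, target_user, new_password):
    """Same operation with an explicit authorization check: an admin may reset
    any account, everyone else only their own. Denied attempts are logged and
    the target account is left untouched (returns False)."""
    caller = users.get(session_user)
    if caller is None:
        raise PermissionError("not logged in")
    allowed = (target_user == session_user) or (caller["role"] == "admin")
    AUDIT_LOG.append((session_user, target_user, "ok" if allowed else "denied"))
    if not allowed:
        return False
    _store_new_password(users[target_user], new_password)
    return True


if __name__ == "__main__":
    store = make_user_store()
    reset_password_vulnerable(store, "alice", "admin", "pwned")
    print("vulnerable: alice now holds the admin password:",
          verify_password(store, "admin", "pwned"))
    store = make_user_store()
    print("hardened: alice reset admin ->",
          reset_password_hardened(store, "alice", "admin", "pwned"), AUDIT_LOG[-1])
```

The check to take away is the `allowed` line: every state-changing handler needs a statement of who may perform it on which object, not just a login check at the door.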

Verizon’s insightful 2012 Data Breach Investigations Report

The most common malware infection vector continues to be installation or injection by a remote attacker. This paper covers the various scenarios in which an attacker breaches a system via remote access and then deploys malware or injects code via web application vulnerabilities.

An EU Cybercrime Centre to fight online criminals and protect e-consumers

The EU centre will warn EU Member States of major cybercrime threats and alert them of weaknesses in their online defences. It will identify organised cyber-criminal networks and prominent offenders in cyberspace. It will provide operational support in concrete investigations, be it with forensic assistance or by helping to set up cybercrime joint investigation teams.


Surviving the Week – 03/23/2012

Joomla vulnerability

One of the world’s leading CMS solutions, Joomla (Version 2.5.1) was vulnerable to Blind SQL Injection. Joomla reported the vulnerability February 29th and reported it resolved March 5th.

By exploiting Blind SQL Injection, an attacker can enumerate a database, which can potentially result in complete loss of data and functionality. Subsequently, this vulnerability can lead to web site defacement or access to the internal network.

This should serve as a reminder that building web applications on top of popular and well-reviewed platforms can still leave you at risk of serious security breaches. These are the types of vulns that script-kiddies love to perform mass attacks against.
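To make the root cause concrete, here is an added example (not Joomla's code) using a constructed SQLite table that stands in for a CMS content table. The vulnerable lookup pastes user input into the SQL text, so a tautology in the input turns a "published articles only" query into "all rows", including unpublished drafts; the parameterized version passes the same input as a bound value and it can never become SQL. The function names and table are assumptions for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory content table: two published items, one draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content ("
                 "id INTEGER PRIMARY KEY, alias TEXT, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO content(alias, title, published) VALUES (?, ?, ?)",
        [("welcome", "Welcome", 1),
         ("about", "About us", 1),
         ("draft-q2-plans", "Q2 plans (internal draft)", 0)])
    conn.commit()
    return conn


def find_published_vulnerable(conn, alias):
    """String-built query: the alias value becomes part of the SQL grammar."""
    sql = ("SELECT alias FROM content "
           "WHERE published = 1 AND alias = '%s'" % alias)
    return [row[0] for row in conn.execute(sql)]


def find_published_safe(conn, alias):
    """Bound parameter: the driver sends the value separately from the SQL,
    so whatever the user typed is compared as a literal string."""
    sql = "SELECT alias FROM content WHERE published = 1 AND alias = ?"
    return [row[0] for row in conn.execute(sql, (alias,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a tautology that rewrites the WHERE clause.
    # AND binds tighter than OR, so the query becomes
    #   (published = 1 AND alias = 'x') OR '1'='1'  -> every row.
    tainted = "x' OR '1'='1"
    print("vulnerable:", find_published_vulnerable(db, tainted))
    print("safe:      ", find_published_safe(db, tainted))
```

Parameterized queries (or an ORM that uses them) are the fix; input filtering on its own is not, because the input is not the problem, the way it is spliced into the query is.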


Microsoft SharePoint missing protection

Apparently, Microsoft SharePoint 2007 & 2010 is missing protection against Frame Injection & Click-Jacking: SharePoint fails to send the X-Frame-Options header in its responses. An attacker can leverage this to load a SharePoint page inside a frame on a page they control and interact with the framed content. The way the protection works is that X-Frame-Options instructs the browser to refuse to render the page inside a frame. If a content management application and SharePoint are both vulnerable, do you have all security controls in place???
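A check for exactly this gap is easy to fold into a response review. The example below is added here (not part of the original post or of any vendor's tooling) and assumes a hypothetical `assess_framing_protection` function over a dict of response headers. It treats `DENY` and `SAMEORIGIN` as protected, flags the deprecated `ALLOW-FROM` form and malformed values as weak (browsers ignore values they do not recognise, including a comma-joined pair), and, going a little beyond the post, also recognises a CSP `frame-ancestors` directive as the modern equivalent. The raw response at the bottom is a constructed sample, not captured SharePoint output.

```python
from typing import Mapping, Optional, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; normalise before comparing.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_framing_protection(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (status, reason) with status in {'protected', 'weak', 'missing'}."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return ("protected", "CSP frame-ancestors " + " ".join(parts[1:]))
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return ("missing", "no X-Frame-Options header; any site can frame this page")
    value = xfo.strip().upper()
    if value in VALID_XFO:
        return ("protected", "X-Frame-Options " + value)
    if value.startswith("ALLOW-FROM"):
        return ("weak", "ALLOW-FROM is not honoured by most browsers")
    # e.g. "DENY, SAMEORIGIN" from two layers each adding the header: browsers
    # treat an unrecognised value as if the header were absent.
    return ("weak", "unrecognised X-Frame-Options value %r is ignored" % xfo)


def parse_response_headers(raw: str) -> dict:
    """Split the header block of a raw HTTP response into a dict (first line
    is the status line and is skipped)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers


# Constructed sample: an ASP.NET-style response with no framing protection.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
Cache-Control: private
"""

if __name__ == "__main__":
    for name, hdrs in [("sample response", parse_response_headers(SAMPLE_RESPONSE)),
                       ("deny", {"X-Frame-Options": "DENY"}),
                       ("doubled", {"X-Frame-Options": "DENY, SAMEORIGIN"})]:
        print("%-16s -> %s: %s" % ((name,) + assess_framing_protection(hdrs)))
```

Run it against the header block of any page that carries a session, not just the login page; a scanner that only inspects the front page will miss application pages that a proxy or load balancer strips the header from.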


How to prepare for Google's privacy change

On Thursday, Google’s much-discussed new privacy policy went into effect. Here are some useful tips to avoid leaking your private data:

  1. Don’t sign in unless it is required
  2. Remove your Google search history
  3. Clear your YouTube history
  4. Set chat to Off-the-record


Wine geekery at RSA – a wine tasting reception, NT OBJECTives style

On February 28th, we sponsored a wine tasting reception in San Francisco at RSA with Tech Exec Networks and I.S.E Alumni. We are grateful to our I.S.E hosts and to Kevin Mitnick, who signed copies of Ghost in the Wires at the event.

Kevin Mitnick (on right) signing books

Many thanks to all who attended our party. We enjoyed meeting everyone and had a great time.

As you may know, I'm a wine guy. I personally selected a range of boutique European wines for this event. The wines were very popular, and many requested that we share the list of wines we tasted, so here it is.

Me pouring wines

  1. Sebastien Brunet Domaine de la Roche Vouvray Brut NV – This sparkling Chenin Blanc was a light alternative to champagne and a nice way to start the tasting.
  2. 2010 Frantz Saumon Menu Pineau (Loire Valley, France) – Menu Pineau is an obscure grape related to Chenin Blanc. The wine had nice acidity and minerality.
  3. 2006 de Moor Bel Air et Clardy Chablis (Burgundy, France) – This chardonnay is from one of my favorite producers. The hot vintage produced a relatively fruity wine for Chablis.
  4. 2007 Huet Vouvray Le Haut Lieu Demisec (Loire Valley, France) – This off dry wine was showing a bit of age. Huet is one of my favorite Chenin Blanc producers and their wines can age for decades.
  5. 2010 Marcel Lapierre Morgon (Beaujolais, France) – This wine, made from Gamay, was showing beautifully with lovely fruit and solid acidity.
  6. 2010 Pierre Gonon Les Isles Feray, Vin de Pays de l’Ardeche (Rhone Valley, France) – This Syrah wine was showing beautiful fruit and was a crowd pleaser. I think that it has terrific complexity for an entry level, affordable wine.
  7. 2005 Francois Chidaine Montlouis Moelleux (Loire Valley, France) – This sweet chenin was starting to show some age but still had beautiful expressive fruit. Chidaine is another terrific producer in the Loire.

The wines were sourced from Terroir, one of San Francisco's hottest wine bars and stores, focusing on small-production European wines. I stay near Terroir every time I'm in San Francisco despite the somewhat 'colorful' neighborhood where my hotel is located.

Let me know how you like these wines. More wine tastings coming soon.

Tales from the web scanning front: Don’t eat the entire buffet at once

One of the more common problems that we see is customers trying to bite off more of their application infrastructure at once than they can chew. A certain amount of planning will yield better, more digestible results with substantially less indigestion.

Dropping all of it into your web scanner when there are 100 applications with 50,000 pages across 60 subdomains is likely not an optimal strategy. Here are some considerations:

  • Scan time: Assuming reasonable connectivity and application server horsepower, a scan of a medium-sized application can take 3 to 12 hours. Scanning 60 applications at once will take a week or more before the scan completes and you can start working on the results.
  • Information Segmentation: Most enterprises will have more than one development team. It's not the best policy to ship detailed information about all of your vulnerabilities to people who don't need to know it. Also, it's much easier to have one report per application that you can send straight to the team coding it, so that they can fix just the vulnerabilities listed in the report.
  • Report Size: A scan that large will create an immense report if you have any significant number of findings. Even if your vendor segments and paginates the report, it is going to be harder to navigate than a series of smaller reports.
  • Re-Scanning: Once the developers start remediating vulnerabilities, you will be asked to re-scan to give a clean bill of health for each application. You don't want to have to wait the week or more an enterprise-wide scan takes just to update one development team.

The one downside to all of this is that you will have to kick off and monitor more scans. If you have a large number of applications and this is likely to be a logistical headache, you should consider an enterprise portal to schedule and monitor scans and deliver scan results (full disclosure: we offer such a tool).

As in most endeavors, a bit of planning goes a long way in making life easier. Giving some thought to breaking up your application scanning will make your application scanning program a lot easier and more effective.

An Information Security Place Podcast – Episode 03 for 2012

Today’s show is Michael interviewing Kevin Riggins. Kevin is an Enterprise Security Architect for a Fortune 500 financial services company. Kevin and Michael have some great conversation about Kevin’s job, what he is doing at RSA, where he blogs, the book he coauthored, etc. (look below in the show notes for links to everything).

Then a fun discussion starts about cloud, risk, mobility, risk in the cloud, risk in mobility, risk of mobility integrated with the cloud, and so on. Good stuff all around.

Here are some links to stuff about Kevin and other things we talked about in the show.

  • Management Team Member for the Society of Information Risk Analysis – link
  • Coauthor on The Cloud Security Rules – link
  • Kevin blogs at Infosecramblings – link
  • Twitter pages – link and link and link