Surviving the Week 6/29/2012

Code Execution Vulnerability in Microsoft XML Core Services

This is a flaw in Microsoft's own XML Core Services library (msxml3.dll), not in code that merely calls it: the function msxml3!_dispatchImpl::InvokeHelper attempts to access an object in memory that has not been initialized, and a malicious web page opened in Internet Explorer can use that to execute arbitrary code as the logged-on user. Working exploits are already public. Microsoft has not yet shipped a patch for this issue (CVE-2012-1889); apply the Fix it workaround from Security Advisory 2719615 now and install the update as soon as it is released.
http://blogs.mcafee.com/mcafee-labs/vulnerability-in-microsoft-xml-core-services-opens-door-to-attackers

RSA SecurIDs Get Cracked In 13 Minutes

Major corporations, government agencies and small businesses hand out RSA SecurID fobs to employees so that they can log in to their systems securely. If you use a device like this, you probably assume it is a strong security measure that keeps your employer's networks and data safe. A team of computer scientists has now shown that a key stored on one of these devices can be extracted in record time.

In their paper, Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel and Joe-Kai Tsay describe padding oracle attacks on cryptographic devices that implement the PKCS#11 standard. Keys are imported into such a device wrapped (encrypted) under the device's RSA public key with PKCS#1 v1.5 padding, and the device never lets the plaintext key out; but its unwrap operation does reveal whether a submitted blob had valid padding, and that one bit, collected over many unwrap calls, is enough to recover the wrapped key. By optimizing Bleichenbacher's 1998 attack for the error behaviour real devices exhibit, they cut the number of calls enough that extracting a key from an RSA SecurID 800 token takes around 13 minutes. The attack requires access to the token, and it targets keys imported into the token through the PKCS#11 interface.
http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf
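
To make the mechanism concrete, here is the attack the paper builds on, written in Python for this post. It is an added illustration, not code from the paper or from RSA: a simulated PKCS#11 token (SimulatedToken, a construction for the example) holds a toy 160-bit RSA key, wraps a constructed 8-byte secret (SECRET_KEY) with PKCS#1 v1.5 padding, and exposes only an unwrap call that reports whether the decrypted block begins with 0x00 0x02, the oracle assumed in Bleichenbacher's 1998 paper. From that single bit per call the attacker recovers the wrapped key without the token ever releasing it.

```python
import random

# Added example: the classic Bleichenbacher padding oracle attack on PKCS#1 v1.5
# key wrapping, run against a simulated PKCS#11 token.  The toy 160-bit RSA key,
# the 8-byte secret that gets wrapped and the token itself are constructed here;
# none of this is code from the paper or from RSA.
rng = random.Random(2012)                          # fixed seed: reproducible run
SECRET_KEY = bytes.fromhex("0123456789abcdef")    # constructed 8-byte key to wrap

def is_probable_prime(n, rounds=25):
    """Miller-Rabin; n is always an 80-bit odd number here."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=160, e=65537):
    """Toy RSA key: far too small for real use, small enough to attack in seconds."""
    primes = []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if is_probable_prime(p) and (p - 1) % e and p not in primes:
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_v15_pad(data, k):
    """EME-PKCS1-v1_5 block: 00 02 | PS (>= 8 random non-zero bytes) | 00 | data."""
    ps_len = k - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long for this modulus")
    return b"\x00\x02" + bytes(rng.randrange(1, 256) for _ in range(ps_len)) + b"\x00" + data

def pkcs1_v15_unpad(block):
    assert block[:2] == b"\x00\x02", "bad padding"
    return block[block.index(b"\x00", 2) + 1:]

class SimulatedToken:
    """PKCS#11-style device: unwrap_accepts() models C_UnwrapKey, which never returns
    the plaintext but does reveal whether the block was well-formed (the oracle)."""
    def __init__(self, n, e, d):
        self.n, self.e, self.d = n, e, d
        self.k = (n.bit_length() + 7) // 8
    def wrap(self, key_bytes):
        return pow(int.from_bytes(pkcs1_v15_pad(key_bytes, self.k), "big"), self.e, self.n)
    def unwrap_accepts(self, c):
        return pow(c, self.d, self.n).to_bytes(self.k, "big")[:2] == b"\x00\x02"

def _ceil_div(a, b):
    return -(-a // b)

def bleichenbacher(n, e, c, oracle):
    """Recover m = c^d mod n using only oracle(c') -> 'padding valid?'.
    Returns (m, number of oracle calls); step numbers follow Bleichenbacher (1998)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))
    B2, B3 = 2 * B, 3 * B
    calls = 0
    def conforming(s):
        nonlocal calls
        calls += 1
        return oracle((c * pow(s, e, n)) % n)
    M = [(B2, B3 - 1)]                    # step 1: c conforms, so s0 = 1 and m is in [2B, 3B)
    s = _ceil_div(n, B3)                  # step 2a: smallest s >= n/3B with c*s^e conforming
    while not conforming(s):
        s += 1
    while True:
        new_M = []                        # step 3: narrow every interval using s
        for a, b in M:
            for r in range(_ceil_div(a * s - B3 + 1, n), (b * s - B2) // n + 1):
                lo, hi = max(a, _ceil_div(B2 + r * n, s)), min(b, (B3 - 1 + r * n) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = new_M                         # sub-intervals of disjoint parents stay disjoint
        if len(M) == 1 and M[0][0] == M[0][1]:   # step 4: interval collapsed to m itself
            return M[0][0], calls
        if len(M) > 1:                    # step 2b: several intervals left, linear search
            s += 1
            while not conforming(s):
                s += 1
        else:                             # step 2c: one interval [a, b], halve it each round
            a, b = M[0]
            r = _ceil_div(2 * (b * s - B2), n)
            while True:
                s_lo, s_hi = _ceil_div(B2 + r * n, b), (B3 - 1 + r * n) // a
                hit = next((t for t in range(s_lo, s_hi + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1

def recover_wrapped_key():
    """Attacker's view: the wrapped key blob plus unwrap access to the token."""
    token = SimulatedToken(*gen_rsa_key())
    wrapped = token.wrap(SECRET_KEY)
    m, calls = bleichenbacher(token.n, token.e, wrapped, token.unwrap_accepts)
    return pkcs1_v15_unpad(m.to_bytes(token.k, "big")), calls
```

Calling recover_wrapped_key() returns SECRET_KEY after some tens of thousands of unwrap calls, and the count does not depend much on key size; the cost is dominated by the first search for a conforming multiplier, which is what made the attack look impractical on real hardware and what the paper's optimizations attack. The defence belongs on the device: reject a badly padded wrapped key in a way that is indistinguishable from accepting a good one (no distinct error code, no timing difference), or wrap keys with RSA-OAEP instead of PKCS#1 v1.5, because any observable difference is the oracle.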

State of Alaska Fined $1.7 Million for Lax Security Protecting Health Records

The US Department of Health and Human Services (HHS) has announced a $1.7 million settlement with the State of Alaska's Department of Health and Social Services (DHSS) over HIPAA violations. The investigation began after the physical theft of a USB hard drive, and the investigators soon learned that DHSS did not have proper safeguards in place.
http://nakedsecurity.sophos.com/2012/06/27/state-of-alaska-fined-1-7-million-for-lax-security-protecting-health-records/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

Surviving the Week 6/22/2012

10 Vulnerable Web Applications You Can Play With

There are a number of deliberately vulnerable web applications available. We are often asked for known vulnerable applications that can be used for self-training or for evaluating scanning tools. Run your existing scanner against them, then run NTOSpider against the same applications to see the difference. Contact us for an evaluation of NTOSpider. A good list of 10 vulnerable applications can be found at:

http://pentestlab.org/10-vulnerable-web-applications-you-can-play-with/

We also have an online application you can test against: http://www.webscantest.com/

Pro Clan Manager version 0.4.2 suffers from administrative bypass and shell upload vulnerabilities.

Pro Clan Manager is a framework for building internationalized content management systems for gaming clans. A high-risk vulnerability has been discovered in it: an attacker can bypass the administrative login, upload a shell and execute commands on the server.

http://packetstormsecurity.org/files/113911/proclanmanager-shellbypass.txt

Member Sues LinkedIn for $5 Million over Hack

Last week we posted about the LinkedIn password compromise. A LinkedIn member has now filed a $5 million lawsuit against LinkedIn over the exposure of members' passwords. Test your application with NTOSpider to discover vulnerabilities and help protect your company against possible lawsuits.

http://www.inforisktoday.in/member-sues-linkedin-for-5-million-over-hack-a-4878

Easier Enterprise Application Security Management with NTOEnterprise 2.0

Today, we announced our latest product innovation, NTOEnterprise 2.0.

NTOEnterprise enables organizations to build and manage a true enterprise security program across thousands of web applications. It lets you plan, control and measure scans, and look across all application scan data to determine whether your security posture is improving. NTOEnterprise will enable you and your team to assess and prioritize the areas of greatest risk across the enterprise.

NTOEnterprise can be used as software or via SaaS through NTOSpider On-Demand.

Over the past year, we have spent time with our customers to understand how their programs work and how our software could truly help them orchestrate their enterprise security program.

What’s New in NTOEnterprise 2.0?

Centralized Management Console
The new centralized dashboard provides a consolidated view of web application scans that includes:

  • Active vulnerabilities by vulnerability type
  • Six month vulnerability trending chart
  • Recent completed scans
  • Scans in progress
Enterprise Scan Management
The enhanced user interface lets users initiate, schedule and configure application scans. Users can now configure scans and review in-progress, recent and scheduled scans, along with their configuration settings, from one consolidated interface. Scans can be scheduled to run at regular monthly or quarterly intervals to provide ongoing monitoring of your organization's application security issues.
Blackout Management
Users now have an improved ability to define when scans can and cannot run. Only administrators can define blackout periods, and a defined blackout overrides any scheduled scan, so users can be confident that business operations won't be impacted.
Organize with Asset Tagging
New asset tags facilitate flexible custom reporting and a graphical view of the security posture across all enterprise applications. Organizations can define their own tags to view applications and vulnerabilities from different vantage points: by location, by team, or by business function, such as which applications store credit card data or personally identifiable information (PII). Trending data can also be defined per tag to show vulnerability trends over time.

Custom & Graphical Report Generation

Custom report generators allow users to define filters to quickly find and analyze vulnerability information from their scans. The custom reports and charts provide presentation-ready data for management.

Test Management Software Integration

NTOEnterprise can now create a ticket for each discovered vulnerability in popular issue management systems. Supported systems: RSA Archer, HP Quality Center and Atlassian JIRA.

Improved Infrastructure

NTOEnterprise’s back-end infrastructure has been enhanced to optimize user experience and performance.

We invite you to find out more about NTOEnterprise 2.0, or contact us to learn more or to see a demo.

Surviving the Week 6/15/2012

United States Department of Defense data leaked by Anonymous hackers

A group calling itself "Wikiboat" attacked a Department of Defense website and gained access to sensitive information through a SQL injection vulnerability. The leaked data includes officials' names, email addresses and phone numbers. If a DoD website can be penetrated, it is time to ask whether your own application is secure against modern attacks. Test it with NTOSpider to find out:
http://thehackernews.com/2012/06/united-states-department-of-defense.html

The Biggest Cybersecurity Threat Just May Be Your Own Staff

According to a survey, 71% of IT managers consider insider threats to be the greatest security risk to their companies. These days very few ports are allowed inbound from the Internet to a company's network, typically only 80 and 443, so attacks that exploit web application vulnerabilities over those ports have increased year over year. We have seen cases where a single vulnerability in a web application resulted in complete compromise of the internal network. Make your application more secure by testing it periodically with NTOSpider:
http://blogs.wsj.com/cio/2012/06/12/the-biggest-cybersecurity-threat-just-may-be-your-own-staff/?mod=wsjcio_hps_cioreport

Active Zero-Day Exploit Targets Internet Explorer Flaw

A new zero-day vulnerability in Internet Explorer is being exploited in the wild. Microsoft has released a patch for it, CVE-2012-1875, in bulletin MS12-037. Patch IE with the highest priority to protect yourself against this vulnerability:
http://blogs.mcafee.com/mcafee-labs/active-zero-day-exploit-targets-internet-explorer-flaw

A Tragically Comedic Security Flaw in MySQL

The flaw comes from an assumption that memcmp() always returns a value in the range -128 to 127, so its result was passed through a signed char. On some platforms, with certain optimizations enabled, memcmp() can return values outside that range; when such a value is narrowed to a signed char, any result that is a multiple of 256 looks like zero, so the code that compares the hashed password sometimes reports a match even though the wrong password was supplied. Because the server sends a fresh random scramble for every connection attempt, each attempt compares different bytes, and roughly 1 in 256 attempts with ANY password is accepted. MySQL has released a patch for CVE-2012-2122. Patch your MySQL servers to close this tragically comedic vulnerability:
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
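
To see why the odds are 1 in 256, the following Python, added for this post and not MySQL's source, models the MySQL 4.1+ challenge-response check and the buggy comparison. The assumptions are marked in the code: optimised_memcmp() stands in for a platform memcmp() that returns the full difference of the first differing words instead of just -1, 0 or 1, as_my_bool() models the narrowing to a signed char, and the passwords and scrambles are constructed.

```python
import hashlib
import random

# Added example, not MySQL's source: a model of the MySQL 4.1+ scramble check and of
# the CVE-2012-2122 comparison bug.  optimised_memcmp() is a stand-in that returns the
# full difference of the first differing 32-bit words rather than -1/0/1, standing in
# for platform memcmp() builds that return values outside -128..127.  Passwords and
# scrambles are constructed.

def sha1(data):
    return hashlib.sha1(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stored_hash(password):
    """What mysql.user stores: SHA1(SHA1(password)), 'hash_stage2'."""
    return sha1(sha1(password.encode()))

def client_token(password, scramble):
    """Client's reply: SHA1(password) XOR SHA1(scramble || SHA1(SHA1(password)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(scramble + sha1(stage1)))

def reassured_hash(token, scramble, hash_stage2):
    """Server side: recover the client's stage1 from the token and re-hash it."""
    return sha1(xor(token, sha1(scramble + hash_stage2)))

def optimised_memcmp(a, b):
    """Word-at-a-time memcmp model: the result is a full integer difference."""
    for i in range(0, len(a), 4):
        wa, wb = int.from_bytes(a[i:i + 4], "big"), int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0

def as_my_bool(value):
    """Storing an int in my_bool (a signed char) keeps only the low 8 bits."""
    return ((value + 128) % 256) - 128

def check_scramble_vulnerable(token, scramble, hash_stage2):
    """Buggy: the raw memcmp() result flows through a my_bool return; 0 means 'password OK'."""
    diff = optimised_memcmp(hash_stage2, reassured_hash(token, scramble, hash_stage2))
    return as_my_bool(diff) == 0

def check_scramble_fixed(token, scramble, hash_stage2):
    """Fixed: reduce the comparison to a proper boolean before it is narrowed."""
    diff = optimised_memcmp(hash_stage2, reassured_hash(token, scramble, hash_stage2))
    return as_my_bool(1 if diff != 0 else 0) == 0

def login_attempts(real_password, offered_password, attempts, seed=2122):
    """Connect `attempts` times; the server sends a fresh 20-byte scramble each time.
    Returns (accepts by the vulnerable check, accepts by the fixed check)."""
    rng = random.Random(seed)                  # constructed scrambles, reproducible
    hash_stage2 = stored_hash(real_password)
    vulnerable = fixed = 0
    for _ in range(attempts):
        scramble = bytes(rng.randrange(256) for _ in range(20))
        token = client_token(offered_password, scramble)
        vulnerable += check_scramble_vulnerable(token, scramble, hash_stage2)
        fixed += check_scramble_fixed(token, scramble, hash_stage2)
    return vulnerable, fixed
```

login_attempts() with a wrong password is accepted by the vulnerable check in roughly one attempt out of 256 and never by the fixed one, which is why an attacker only needs a few hundred connection attempts. The general lesson: reduce a comparison result to a boolean before it crosses a narrower type, and never let authentication code depend on memcmp() returning only -1, 0 or 1.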

Surviving the Week 6/8/2012

LinkedIn confirms hack, over 60% of stolen passwords already cracked

LinkedIn, one of the most popular professional social networking sites, has confirmed a compromise of user passwords: about 6.5 million password hashes were posted online. Some of the common passwords in use were 'linkedin', 'linkedinpassword', 'p455w0rd', 'redsox', 'sophos', 'mcafee', 'symantec', 'kaspersky', 'microsoft' and 'f-secure'. The leaked hashes were unsalted SHA-1, which is why more than 60% of them were cracked within days; LinkedIn says it has since started salting its stored hashes. Change your LinkedIn password immediately.

http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/
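
Why unsalted SHA-1 hashes fall so fast: the following Python, added for this post and not LinkedIn's code, runs one small constructed wordlist against a constructed four-user leak stored three ways (unsalted SHA-1, salted SHA-1 and PBKDF2) and counts the hash operations the attacker spends. The user names, passwords, wordlist and the 100,000-iteration work factor are all assumptions for the example.

```python
import hashlib
import hmac
import os

# Added example (not LinkedIn's code): what salting and a slow KDF change for an
# attacker holding a leaked hash table, measured in hash operations.  The users,
# passwords and wordlist are constructed for the example.

WORDLIST = ["linkedin", "linkedinpassword", "p455w0rd", "redsox", "microsoft",
            "sophos", "mcafee", "kaspersky", "123456", "password"]
USERS = {"alice": "linkedin", "bob": "p455w0rd", "carol": "redsox",
         "dave": "9f#Kq2!vLm8@zR"}          # dave's password is not in the wordlist
PBKDF2_ITERATIONS = 100_000                 # assumed work factor

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def leak_unsalted(users):
    """Unsalted SHA-1: the hash depends on the password alone."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}

def crack_unsalted(leaked, wordlist):
    """Hash the wordlist once, then look every leaked hash up in that table.
    Returns ({user: password}, hash operations spent)."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    return {u: table[h] for u, h in leaked.items() if h in table}, len(wordlist)

def leak_salted(users):
    """Per-user random salt stored beside the hash: equal passwords no longer collide."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, sha1_hex(salt + p.encode()))
    return out

def crack_salted(leaked, wordlist):
    """The salt kills the shared table: every user costs a fresh pass over the wordlist."""
    cracked, ops = {}, 0
    for u, (salt, h) in leaked.items():
        for w in wordlist:
            ops += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[u] = w
                break
    return cracked, ops

def pbkdf2_record(password, salt=None):
    """Salt plus PBKDF2-HMAC-SHA256: each guess now costs PBKDF2_ITERATIONS HMACs."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def pbkdf2_verify(password, record):
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(guess, digest)       # constant-time comparison

def attacker_work(users=USERS, wordlist=WORDLIST):
    """Cost of running the wordlist against the whole leak under each storage scheme."""
    cracked_u, ops_u = crack_unsalted(leak_unsalted(users), wordlist)
    cracked_s, ops_s = crack_salted(leak_salted(users), wordlist)
    return {"unsalted": (cracked_u, ops_u), "salted": (cracked_s, ops_s),
            "pbkdf2_ops_for_same_search": ops_s * PBKDF2_ITERATIONS}
```

With the unsalted table, hashing the wordlist once cracks every matching user at the cost of one hash per word, and that same table would serve against all 6.5 million LinkedIn hashes at once. Salting forces the attacker to repeat the wordlist for every user, and a slow KDF multiplies each of those guesses by the iteration count. The numbers here are tiny because the inputs are; the scaling is the point.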

Other major sites are discovering (or finally going public with) the fact that their passwords have also been stolen. Sites like Lastfm.com and eHarmony.com are the latest to jump on the bandwagon. Maybe they think this could turn out like TJMaxx.

Data correlation tools are in every good data breach toolbag. If you have accounts across different major sites and the profiles from these sites are stolen and correlated, what could be learned about you? Do you use the same password? If so, I could assume you have a PayPal account and a high probability of the same password, or even passwords that are "close" to each other.

If you're not using a password manager, I suggest you begin. There are a lot of options. On Windows, I've been a KeePass (http://keepass.info/) user for years. While writing this, I discovered Password Gorilla (https://github.com/zdia/gorilla/wiki/), which looks interesting as it's cross-platform. mSecure is interesting, but pricey across multiple platforms (https://msevensoftware.com/). A few readers have responded and added that 1Password is a good option as well: https://agilebits.com/onepassword

Chrome XSSAuditor bypass with leading comment

XSS has been among the top two web application vulnerabilities for quite some time. Most modern browsers now ship with XSS protection, and a lot of applications rely on that client-side protection. From time to time it is shown that these browser-side filters can be bypassed; the link below demonstrates 10 methods of bypassing Chrome's XSSAuditor. Rather than relying on browsers, applications need to fix the problem at its core by encoding output for the context it is written into. Test your application using NTOSpider to find out whether it is vulnerable to XSS:

http://code.google.com/p/chromium/issues/detail?id=130594

Seven Web Server HTTP Headers that Improve Web Application Security for Free

We see vulnerabilities in most of the applications we test. There are some basic protections that HTTP response headers provide and that most applications do not implement. The following is a comprehensive list of HTTP headers that help protect against web application attacks:

http://recxltd.blogspot.co.uk/2012/03/seven-web-server-http-headers-that.html
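
Both points above, encoding at the source and sending the protective headers, as one added Python example (not NTOSpider's code and not the article's list): a reflected search page rendered raw and rendered with context-aware encoding, plus a header audit of the kind a scanner runs. The page template, the header set in SECURITY_HEADERS and the HSTS threshold are assumptions for illustration; the article's own seven headers are at the link above.

```python
import html
import json
import re

# Added example (not NTOSpider's or the linked article's code): the same reflected
# search page rendered unsafely and safely, plus a small audit of response headers.
# The template, header set and thresholds are assumptions for the example.

SECURITY_HEADERS = {                                     # assumed baseline, a policy choice
    "X-Frame-Options": "DENY",                           # clickjacking
    "X-Content-Type-Options": "nosniff",                 # MIME sniffing
    "X-XSS-Protection": "1; mode=block",                 # browser filter: a backstop, not a fix
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-store",                         # keep results out of shared caches
}
MIN_HSTS_MAX_AGE = 15552000                              # 180 days, assumed threshold

PAGE = """<html><body>
<h1>Results for: {query_html}</h1>
<input name="q" value="{query_attr}">
<script>var lastQuery = {query_js};</script>
</body></html>"""

def render_vulnerable(query):
    """Reflects the parameter raw into three contexts and sets no security headers."""
    body = PAGE.format(query_html=query, query_attr=query, query_js='"' + query + '"')
    return {"Content-Type": "text/html"}, body

def render_hardened(query):
    """Encodes for each context the value lands in, then adds the defensive headers."""
    body = PAGE.format(
        query_html=html.escape(query, quote=True),              # element text
        query_attr=html.escape(query, quote=True),              # quoted attribute
        query_js=json.dumps(query).replace("<", "\\u003c"),     # JS string: no </script> break-out
    )
    return {"Content-Type": "text/html; charset=utf-8", **SECURITY_HEADERS}, body

def audit_headers(headers):
    """Return findings for missing or weak security headers (empty list means pass)."""
    findings = [f"missing {name}" for name in SECURITY_HEADERS if name not in headers]
    if "charset" not in headers.get("Content-Type", ""):
        findings.append("Content-Type lacks charset (encoding/sniffing tricks)")
    xfo = headers.get("X-Frame-Options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unexpected X-Frame-Options value {xfo!r}")
    hsts = headers.get("Strict-Transport-Security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"short Strict-Transport-Security max-age in {hsts!r}")
    return findings

PAYLOAD = '"><script>alert(1)</script>'     # constructed probe: closes the attribute, injects script

def demo(payload=PAYLOAD):
    """Compare the two renderings for one probe; returns values a test can check."""
    vh, vb = render_vulnerable(payload)
    hh, hb = render_hardened(payload)
    return {
        "vulnerable_executes": "<script>alert(1)</script>" in vb,
        "hardened_executes": "<script>alert(1)</script>" in hb or hb.count("</script>") != 1,
        "vulnerable_findings": audit_headers(vh),
        "hardened_findings": audit_headers(hh),
    }
```

demo() shows the probe executing in the raw rendering and inert in the hardened one, including in the JavaScript string context where HTML escaping alone would not help; audit_headers() flags the raw response on every header and passes the hardened one. X-XSS-Protection only asks the browser filter discussed above to engage, which is why it is labelled a backstop: the encoding is the fix.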

 

Flame Update – Used Microsoft Digital Certificate to Replicate

A very interesting update on Flame, the malware targeting Middle Eastern countries, from Alexander Gostev at Kaspersky today, concerning Microsoft in its role as a trusted certificate authority.

Malware is short for malicious software: software that helps attackers disrupt computer operations, collect information, or gain unauthorized access to systems and applications.

Fraudulent or stolen certificates?

Below is an excerpt from Gostev's post, via Threatpost (http://threatpost.com/en_us/blogs/snack-attack-analyzing-flames-replication-pattern-060712):

It appears that one of the ways Flame replicated was by leveraging a code-signing certificate that chained up to a Microsoft certificate authority.

“What we’ve found now is better than any zero-day exploit. It actually looks more like a “god mode” cheat code – valid code signed by a keychain originating from Microsoft,” Gostev wrote in his blog.

Microsoft is taking this seriously and is addressing it in upcoming releases, as discussed in Dark Reading's article "Microsoft Hardens Windows Update After Flame Attacks". Microsoft has acknowledged the problem, revoked the affected certificates and posted the following:

“Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.” http://technet.microsoft.com/en-us/security/advisory/2718704

How did the digital certificate get signed?

There has been substantial speculation that Flame was created by the US or Israeli governments. If I were a betting man, I'd say the speculation will now turn to conspiracy theories about how Flame's creators got their hands on this certificate. It is possible that they tricked the certificate authority; conspiracy theorists will certainly argue that there was active and knowing cooperation by parties at the certificate authority.

Digital certificates and web application security

Secure website communication (SSL/TLS) relies on the same certificate-authority trust model as code signing. A weakness of this kind, a certificate that chains to a trusted CA but was never legitimately issued for that purpose, can equally be used to impersonate a website and compromise communications that users believe are trusted.

Surviving the Week 6/01/2012

Revealed: Hundreds of words to avoid using online if you don’t want the government spying on you

This week the Department of Homeland Security was forced to release the list of keywords and phrases it uses to monitor social networking sites and online media for signs of terrorist or other threats. Some of the words are very common in the information security industry; in fact, the word "security" itself is on the list. One thing I am pretty sure of: my blog is monitored. The complete list can be found at http://www.dailymail.co.uk/news/article-2150281/REVEALED-Hundreds-words-avoid-using-online-dont-want-government-spying-you.html

Flame malware – more details of targeted cyber attack in Middle East

On May 28, the Flame malware was revealed to be targeting Iranian computer systems. Flame can activate a computer's microphone to eavesdrop on Skype calls or office chatter, take screenshots, log keystrokes and even capture information from Bluetooth-enabled phones left nearby.   http://nakedsecurity.sophos.com/2012/05/28/flame-malware-cyber-attack/

May 2012 Threat Stats

Very interesting stats on zombie (bot-controlled) systems. Among other factoids, the Threat Stats from the May issue of SC Magazine show where the largest month-over-month increases in zombie activity occurred. http://www.scmagazine.com/may-2012-threat-stats/slideshow/746/#0

Cookie law: websites must seek consent from this weekend

The UK's implementation of the EU cookie law takes effect this Saturday. It is an interesting law: it requires websites to obtain the user's consent before storing data on the user's computer, including temporary storage by the browser such as cookies, applets and ActiveX controls. On one hand this will affect the usability of web applications; on the other, it may give some level of protection against malware and drive-by downloads. http://packetstormsecurity.org/news/view/21037/Cookie-Law-Websites-Must-Seek-Consent-From-This-Weekend.html