Surviving the Week 07/27/2012

CodeIgniter 2.1.1 Cross Site Scripting Bypass

CodeIgniter is an open source web application framework that helps developers write PHP applications. Version 2.1.1 of CodeIgniter suffers from a cross site scripting filter bypass vulnerability.

Input filtering alone is not a sound defense against cross site scripting: a blacklist filter can be bypassed, as this advisory shows, so untrusted data must also be encoded for the context in which it is rendered. Cross site scripting is a very common attack with a high success rate. Test your application with NTOSpider to verify whether it is XSS proof.
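The following is an added example, written for this digest in Python; it is not CodeIgniter's code and does not reproduce the advisory's payload. The blacklist filter is a hypothetical stand-in for the "strip the dangerous bits" approach, the payloads are constructed, and the detector uses the standard library HTML parser to see the output the way a browser would. It shows that the filtered page still carries executable content while the context-encoded page never does.

```python
"""Added example (not CodeIgniter's code): a blacklist XSS filter versus
context-aware output encoding, with an HTML-parser check of the result."""
import html
import re
from html.parser import HTMLParser

# Hypothetical blacklist in the style of many "xss_clean" routines: strip
# <script> tags and the javascript: scheme, case-insensitively. It stands in
# for no particular framework's filter.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
_JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    value = _SCRIPT_TAG.sub("", value)
    return _JS_SCHEME.sub("", value)


def render_filtered(name: str) -> str:
    """Vulnerable: trusts the filter and interpolates the result raw into HTML."""
    return f"<p>Hello, {blacklist_filter(name)}</p>"


def render_encoded(name: str) -> str:
    """Hardened: encodes for the HTML text context at the point of output.
    (Attribute, URL and JavaScript contexts each need their own encoding.)"""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed payloads. None contains a literal <script> tag or a plain
# javascript: URL, so the blacklist passes them, yet each executes in a browser.
PAYLOADS = [
    "<img src=x onerror=alert(1)>",                # event handler, no script tag
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # stripping the inner tag rebuilds the outer one
    '<a href="java&#115;cript:alert(1)">x</a>',    # entity-encoded scheme, decoded by the browser
]


class ActiveContentDetector(HTMLParser):
    """Records script elements, on* event handlers and javascript: URLs as the
    HTML parser (which decodes entities in attribute values) sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> {name} event handler")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag}> {name} javascript: URL")


def active_content(rendered: str) -> list[str]:
    detector = ActiveContentDetector()
    detector.feed(rendered)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("filtered:", active_content(render_filtered(payload)) or "clean")
        print("encoded: ", active_content(render_encoded(payload)) or "clean")
```

Run it and every filtered rendering reports active content while every encoded rendering is clean. The filter fails because it reasons about strings; the browser reasons about the parsed document, and the two disagree on nested tags and entity-encoded attribute values.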

http://packetstormsecurity.org/files/114923/codeigniter-bypass.txt

Drupal Location 6.x / 7.x Access Bypass

Drupal is a free and open-source content management system (CMS) and content management framework (CMF) written in PHP. It is used as a back-end system for at least 2.1% of all websites worldwide, ranging from personal blogs to corporate, political and government sites including whitehouse.gov and data.gov.uk. It is also used for knowledge management and business collaboration. The Drupal Location third-party module, versions 6.x and 7.x, suffers from an access bypass vulnerability.

http://packetstormsecurity.org/files/115014/DRUPAL-SA-CONTRIB-2012-117.txt

Record number of phishing websites in the wild

Is it any surprise that the USA remains the top nation for hosting phishing-based trojans? If this were an Olympic event, we'd get an easy gold! China also continues to be the most affected country. Another gold winner!
http://www.net-security.org/secworld.php?id=13302

SQL injections becoming favored attack route

SQL injection is the attack vector reported for the recent compromises at LinkedIn, Yahoo and eHarmony. A cloud hosting company, Firehost, has posted its findings on attack traffic blocked for its customers over the past quarter. It appears that more automated tools are scanning for lucrative targets vulnerable to SQLi.
http://security.cbronline.com/news/sql-injections-becoming-favoured-attack-route-240712

DEF CON to Host NSA Chief General Alexander – He’s Off Limits for ‘Spot the Fed’

If you were at DEF CON and missed General Alexander's talk, you really missed out. He is a highly engaging speaker. If you were there, post a comment and let us know what you took away from it.
http://www.securityweek.com/def-con-host-nsa-chief-general-alexander-hes-limits-spot-fed

Surviving the Week 07/20/2012

Black Hat 2012 Coverage

Dark Reading put together a list of interesting talks headlining Black Hat this year. Check out their preview links. Some great talks are on the way; if you're going, remember that what happens in Vegas stays in Vegas. http://www.darkreading.com/security/news/240001945/black-hat-usa-2012-complete-coverage.html

Black Hat Forecast

HTML5 Security (Shreeraj Shah, one of our team members, will be presenting). A presentation you won't want to miss. http://www.securityweek.com/researcher-talk-html5-security-black-hat

KPMG Cyber Vulnerability Index 2012

With so many cyber attacks in the news recently, executives are becoming increasingly concerned about their organization's threat exposure. In the last three quarters, many Forbes 2000 companies have been compromised and lost data. A recent survey by KPMG has some revealing findings on attack numbers, and attacks are ever increasing. Are your organization's applications secure? Test them with NTOSpider.
http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Advisory/Forbes-Survey-publish-and-be-damned.pdf

SAFECode Agile Dev Security Guideline

The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization. SAFECode has released "Practical Security Stories and Security Tasks for Agile Development Environments." This new paper provides practical software security guidance to Agile practitioners:
http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf

Surviving the Week 07/13/2012

Nvidia developer forums hacked, 400,000 user accounts compromised

More games with "Who's got the biggest bounty?" 400,000 is fairly respectable. Remember back in the day when the bounty was credit card data? Now it's about getting large numbers of accounts. Nvidia was prepared: it had at least hashed its stored passwords with random per-user salts, which makes them harder to crack. Because users generally reuse passwords, and to head off the same attack against all of its internet-facing forums, Nvidia took down a total of five websites while it investigated the compromise. Good job Nvidia. http://www.zdnet.com/nvidia-confirms-hackers-swiped-up-to-400000-user-accounts-7000000903/

7 lessons learned from the Yahoo Password Breach

This is a great article and well worth the read. It's easy to agree with the writer that we all need to enforce better password management standards: app developers should use stronger password hashing (bcrypt, not a fast unsalted hash), users should stop using dictionary words or simple strings (even hackerese-style substitutions are becoming obsolete), and regulators should adjust fines when certain standards are not met. http://www.informationweek.com/news/security/attacks/240003692

Tumblr patched the critical Persistent XSS vulnerability

This is a fairly popular site, and for them to take three weeks to fix a persistent cross site scripting vulnerability is a bit troublesome. Kudos, at least they fixed it. http://www.ehackingnews.com/2012/07/tumblr-patched-critical-persistent-xss.html

Globally, more than 300,000 people, including many in the US and UK, may have lost net access as the FBI shut down servers answering to the DNS Changer virus.

This event has been in the news frequently. There was a lot of speculation about a far greater impact than actually materialized.

Top 10 DNS Changer infections by country

  • US – 69,517
  • Italy – 26,494
  • India – 21,302
  • UK – 19,589
  • Germany – 18,427
  • France – 10,454
  • China – 10,304
  • Spain – 10,213
  • Canada – 8,924
  • Australia – 8,518

More details can be found at:

http://packetstormsecurity.org/news/view/21217/Thousands-Hit-By-FBI-Net-Shut-Off.html

Formspring disables user passwords in security breach

Formspring is the place to share your perspective on anything. Formspring was attacked and its user name and password data were exposed. Rightfully, it forced all of its users to change their passwords. The CEO posted on his blog about the issue: "We found that someone had accessed into one of our development servers and was able to extract account information from a production database. We were able to immediately fix the hole and are reviewing our internal security policies and practices to help ensure that this never happens again."

A few questions quickly come to mind: why did a development server have access to a production database, and what was the path into the development system, an unpatched host or SQLi in a development web application?

Recently, we heard of similar issues at LinkedIn, Yahoo, Nvidia and eHarmony, where web apps provided the path to the user data.

Review your application with NTOSpider to find its vulnerabilities, and engage the NTObjectives professional services team to verify other mitigating controls.

http://packetstormsecurity.org/news/view/21228/Formspring-Disables-User-Passwords-In-Security-Breach.html

Microsoft Security Bulletin

Microsoft released patches earlier this week, including fixes for two critical vulnerabilities in Internet Explorer. Patch those Windows systems.

http://technet.microsoft.com/en-us/security/bulletin/ms12-jul

Surviving the Week 07/06/2012

Huge SQL injection knowledge base

NTObjectives released a SQL injection cheat sheet, which can be found at http://www.ntobjectives.com/go/sql-injection-cheat-sheet/. A more comprehensive knowledge base of SQL injection can be found at http://websec.ca/kb/sql_injection
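To make the cheat sheet concrete, here is an added example, written for this digest in Python against an in-memory SQLite database; it is not code from NTObjectives, from the cheat sheet or from the knowledge base, and the table, rows and payloads are constructed. It runs three standard payload shapes (tautology, comment truncation, UNION extraction) against a query built by string formatting and against the parameterized fix, and closes with the case parameters cannot cover: an identifier such as a sort column, which needs an allowlist.

```python
"""Added example: cheat-sheet SQL injection payloads against a vulnerable
query and its parameterized fix. Constructed SQLite data; not the cheat
sheet's own code."""
import sqlite3


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER);
        INSERT INTO users (username, password_hash, is_admin) VALUES
            ('alice', 'hash_a', 0), ('bob', 'hash_b', 0), ('admin', 'hash_root', 1);
        """
    )
    return con


def find_user_vulnerable(con, username: str):
    """Untrusted input concatenated into SQL: the attacker controls the
    query structure, not just a value."""
    sql = f"SELECT id, username, is_admin FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def find_user_safe(con, username: str):
    """Parameterized: the driver sends the value separately, so quotes and
    keywords inside it are data, never SQL."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Constructed payloads in the shapes every SQLi cheat sheet lists.
PAYLOADS = {
    # WHERE username = '' OR '1'='1'   -> every row
    "tautology": "' OR '1'='1",
    # WHERE username = 'admin' -- '    -> trailing condition commented out
    "comment": "admin' -- ",
    # second SELECT leaks another column into the result set (same column count)
    "union": "' UNION SELECT id, password_hash, is_admin FROM users -- ",
}

# Identifiers cannot be parameterized; they must be checked against an allowlist.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(con, column: str):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"invalid sort column {column!r}")
    return con.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    con = build_db()
    for name, payload in PAYLOADS.items():
        print(f"{name:10} vulnerable -> {find_user_vulnerable(con, payload)}")
        print(f"{name:10} safe       -> {find_user_safe(con, payload)}")
    print(list_users_sorted(con, "username"))
```

The UNION case is the one worth staring at: the vulnerable query returns three rows whose "username" column actually holds password hashes, which is exactly how the breaches listed above turned a login form into a credential dump. The parameterized query returns no rows for any payload, because no user is literally named `' OR '1'='1`.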

Hidden bugs that made Amazon Web Service outage worse

Amazon Web Services' US-East region went down after an electrical storm caused a power outage. During recovery, Amazon discovered previously unknown bugs in its services code that prolonged the outage; Amazon acknowledged that it had never encountered these bugs before. http://packetstormsecurity.org/news/view/21192/Hidden-Bugs-That-Made-Amazon-Web-Service-Outage-Worse.html

Three critical fixes planned for July's Patch Tuesday

Microsoft is planning to release nine bulletins in Tuesday's July security update, including patches for Windows XP, Vista, Windows 7 and Windows Server 2008. The set addresses critical flaws that could allow remote code execution across the entire product family, which makes them a very interesting vector for worm development. Start preparing to patch your Windows networks. http://packetstormsecurity.org/news/view/21204/Three-Critical-Fixes-Planned-For-Patch-Tuesday.html

WordPress closes XSS, XSRF and information disclosure bugs

If you run a WordPress site, consider updating to the latest 3.4.1 version. Prior versions, such as 3.4.0, can allow a remote authenticated user to inject script into the site, for example to steal other users' authentication cookies.

http://www.securitytracker.com/id/1027219