Surviving the Week 8/24/12

Get Off Your AMF and Don’t REST On JSON

At “BSides Los Angeles”, I presented on “Get off your AMF and don’t REST on JSON”. This talk described how SQL Injection and other attacks remain possible when an application switches to JSON, REST or AMF. The presentation can be accessed at:
http://www.manvswebapp.com/resources/Get_off_your_AMF_and_dont_REST_on_JSON.pptx

Apache Server 2.4.3 fixes over fifty bugs and two security holes

The Apache Software Foundation has released version 2.4.3 of the Apache HTTP Server, fixing over fifty bugs and closing two security holes. The two vulnerabilities are present in the mod_proxy_ajp, mod_proxy_http and mod_negotiation modules. Time to patch.
http://www.h-online.com/open/news/item/Apache-Server-2-4-3-fixes-over-fifty-bugs-and-two-security-holes-1672035.html

US Investigating Siemens Security Flaw

The US government is investigating claims from a cyber security researcher that flaws in a software component of Siemens networking equipment could enable hackers to attack power plants and other critical systems.
http://www.stuff.co.nz/technology/gadgets/7528325/

Mystery Malware That Targeted Energy Group Contains Amateur Coding Goof

The mystery malware that recently caused havoc on energy sector computers contains an amateur programming error that’s not typical of state-sponsored attacks. As the malware researcher put it: “This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian Systems.”
http://arstechnica.com/security/2012/08/mystery-malware-amateur-coding-error/

VMware Virtual Machines Targeted by “Crisis” Espionage Malware

Researchers have uncovered a single espionage malware attack that is capable of infecting multiple platforms, including computers running the Windows and Mac OS X operating systems, Windows-powered mobile devices, and VMware virtual machines. This may be the first malware that attempts to spread onto a virtual machine.
http://arstechnica.com/security/2012/08/crisis-espionage-malware-targets-virtual-machines/

Surviving the Week 08/17/12

Sorry readers, last week’s post was missed due to an overwhelming amount of work in both the professional and personal areas. Thank you for holding tight to your browser’s F5 key while waiting for this update.

Future HTML5 and Security

This past week multiple reports were published on which technologies will see longevity for internet applications. The analysis concludes that HTML5 is here to stay. In fact, most state that instead of building applications for different mobile platforms, companies prefer to create HTML5 applications so that one client can serve all mobile devices as well as all browser users. In the last few weeks, @Shreeraj of BlueInfy presented at BlackHat on security issues in HTML5; his HTML5 presentation is linked in the 8/3/12 entry below.

Here are a few other postings on this topic:

Top 3 security risks related to HTML5

http://www.darkreading.com/vulnerability-management/167901026/security/news/240005129/top-3-html5-vulnerability-risk-categories.html

Two interesting projects in OWASP

OWASP launched two new projects focusing on Java security: a Java encoder and a Java HTML sanitizer. The Java Encoder project is a simple-to-use, drop-in encoder class with very little overhead. The Java HTML Sanitizer project is a fast, easy-to-configure HTML sanitizer written in Java that lets you include HTML authored by third parties in your web application while protecting against XSS.

https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
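The two projects solve different problems: the encoder is for untrusted values that must be rendered as text in a given output context, the sanitizer is for values that are allowed to carry a whitelisted subset of HTML. The following is an added example (not code from the OWASP projects or from this post) that assumes both libraries are on the classpath; the comment body is a constructed sample.

```java
import org.owasp.encoder.Encode;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class UntrustedHtmlDemo {

    // Constructed sample: a comment body as a third party might submit it.
    static final String UNTRUSTED =
        "<b>Nice post</b> <a href=\"javascript:alert(1)\">link</a>"
        + "<script>steal()</script> <i onmouseover=\"evil()\">hover</i>";

    // Case 1: the value is plain text. Encode it for the HTML body context;
    // '<', '>', '"', '&' etc. become entities, so the browser never sees markup.
    static String asText(String s) {
        return "<p>" + Encode.forHtml(s) + "</p>";
    }

    // Case 2: the value may legitimately contain bold, italics and links.
    // Sanitize against an explicit whitelist; anything outside it is dropped.
    // FORMATTING allows b/i/etc. but no event-handler attributes; the link policy
    // keeps only http(s) hrefs, so the javascript: URL above is removed.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(
        new HtmlPolicyBuilder()
            .allowElements("a")
            .allowUrlProtocols("http", "https")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .toFactory());

    static String asRichText(String s) {
        return POLICY.sanitize(s);
    }

    // Attribute context needs its own encoder; forHtml alone is not the right
    // choice inside a quoted attribute value.
    static String asDataAttribute(String s) {
        return "<div data-comment=\"" + Encode.forHtmlAttribute(s) + "\"></div>";
    }

    public static void main(String[] args) {
        System.out.println(asText(UNTRUSTED));          // everything entity-encoded
        System.out.println(asRichText(UNTRUSTED));      // <b>, <i> kept; script and handlers gone
        System.out.println(asDataAttribute(UNTRUSTED)); // safe inside the attribute
    }
}
```

The rule of thumb the two projects encode: choose the encoder by the output context (HTML body, attribute, JavaScript, URL), and reach for the sanitizer only when the business requirement is to accept HTML from a third party.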

Lessons Learned from Apple iCloud Hack

This was a great and not so great story from Wired reporter Mat Honan. His entire digital life dissolved before his eyes because LulzSec liked his Twitter handle @mat and wanted to make a statement. They gained entry into his iCloud account, used it to remotely wipe all of his devices and gained access to his other accounts. At least they told him how they did it. Here are some things to keep in mind to minimize damage if a similar incident ever happens to you. The number one rule of thumb for anything in the cloud: encrypt!
http://securitywatch.pcmag.com/none/301183-lessons-learned-from-apple-icloud-hack

DDoS Attack Takes Down WikiLeaks

The controversial website, which often posts proprietary information without consent, was down for at least five days while experiencing a massive Distributed Denial of Service (DDoS) attack. Really? Why?
http://venturebeat.com/2012/08/08/wikileaks-ddos/

Surviving the Week 8/3/12

HTML5 Top 10 Attacks

Last week at Blackhat, our team member Shreeraj Shah presented on threats against HTML5. The talk covered the Top 10 threats and how to defend against them. If you unfortunately missed it, you can read the brief. His whitepaper and presentation can be found here:
http://shreeraj.blogspot.in/2012/08/blackhat-2012-html5-top-10-threats.html

5 Takeaways From Vegas

Mr. Diaz from Kaspersky Labs highlights 5 interesting talks from his Blackhat 2012 trip. I have to agree that these talks raise important security concerns for the future. He did, however, miss Shreeraj Shah’s presentation; see above.

http://www.securelist.com/en/blog/208193749/5_takeaways_from_Las_Vegas

Dropbox confirms it was hacked, offers users help

I don’t think it is accurate to say that Dropbox was hacked. What is clear from the Dropbox investigation is that users reuse the same credentials across internet sites. They reported that some 300 Dropbox accounts were compromised because credentials stolen in breaches of other websites were still valid on Dropbox. Although this is a small number of accounts, it does shed light on the problem of users with bad habits. Correlation engines are becoming better all the time; look at Google or Spokeo, for example. Feeding cracked account information into correlation engines to find other patterns of account holders is key to exploiting an individual. I give Dropbox two thumbs up for the mitigation strategies they are putting into place: two-factor authentication, active login history, and forced password changes.
http://news.cnet.com/8301-1009_3-57483998-83/dropbox-confirms-it-was-hacked-offers-users-help/

Temenos T24 R07.03 Authentication Bypass

Temenos is one of the world’s leading banking software vendors. An authentication bypass vulnerability was discovered in the password reset functionality because the application failed to properly enforce access control on it. Evidently, Temenos knew of this vulnerability and released a patch, T24 R8.x. NTOSpider could help software vendors discover this type and other types of web app vulnerabilities.
http://packetstormsecurity.org/files/115127/temenos-bypass.txt

Media hype over security tools. Not everything you read is true.

This is a great article about media over-hyping security products and solutions. We’re all too familiar with those free subscriptions to industry magazines. In some, we read really amazing reviews about solutions we might have tried before and which have completely failed in our environments. Then you scratch your head and ask whether the vendor might have paid for the review that funded your subscription. The linked article looks at media hype from a different perspective: how one media expert feeds other media experts to start a solution revolution. Notice I didn’t say media and technology experts.
http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html