Surviving the Week 9/28/12

Passwords of 100k IEEE members lie bare on FTP server

IEEE uses Akamai for content delivery. An FTP server directory was discovered which contained log files of usernames, passwords, IP addresses and HTTP request information. Surprisingly, an organization like IEEE logs such sensitive information. NTOSpider looks for similar log files on systems during a scan; test your application with NTOSpider to find out whether any log file is accessible from your webroot.
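
The check described above, as an added example that is not part of the original post: walk a web root, pick out log-like files, and flag those whose contents look like the IEEE entries (credentials, client IPs, request lines). The sample web root, its file names and the log line are constructed for the example.

```python
import os
import re
import tempfile

# Extensions that usually hold log output rather than site content.
LOG_SUFFIXES = (".log", ".txt", ".out")

# Patterns indicating credentials or request data ended up in a log (constructed for this example).
SENSITIVE_PATTERNS = {
    "password": re.compile(r"\bpass(word|wd)?\s*[=:]", re.IGNORECASE),
    "username": re.compile(r"\buser(name)?\s*[=:]", re.IGNORECASE),
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "http_request": re.compile(r"\b(?:GET|POST)\s+/\S*\s+HTTP/\d\.\d"),
}

def find_exposed_logs(webroot, max_bytes=65536):
    """Walk a web root and report log-like files containing sensitive data.

    Returns a sorted list of (path relative to webroot, [matched pattern names]).
    Only the first max_bytes of each file are inspected.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(LOG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(max_bytes).decode("utf-8", errors="replace")
            hits = sorted(k for k, p in SENSITIVE_PATTERNS.items() if p.search(head))
            if hits:
                findings.append((os.path.relpath(path, webroot), hits))
    return sorted(findings)

def demo():
    """Build a constructed web root in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body>Welcome</body></html>\n")
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("Static site content. Nothing sensitive here.\n")
        # Constructed log line resembling the kind of entry described above.
        with open(os.path.join(root, "logs", "access.log"), "w") as fh:
            fh.write('10.0.0.5 user=alice password=hunter2 "GET /login HTTP/1.1"\n')
        return find_exposed_logs(root)

if __name__ == "__main__":
    for path, hits in demo():
        print(f"{path}: {', '.join(hits)}")
```

Run it against a real document root instead of the temp directory to get the same report for your own site.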

Hackers target Windows Update in phishing attack

Thieves have constructed spam messages which claim to originate from The messages, which are designed to resemble official alerts from Microsoft, advise users that their systems might be at risk and advise them to visit a supposed “update” page. Upon clicking the link, however, users are directed to a phishing site which attempts to harvest email addresses from webmail services including Gmail and AOL Mail.

USSD attack not limited to Samsung Android devices, can also kill SIM cards

Ravishankar Borgaonkar, a researcher, recently demonstrated the remote data wiping attack at the Ekoparty security conference. The attack can be launched from a Web page by loading a “tel:” URI (uniform resource identifier) with a special factory reset code inside an iframe. If the page is visited from a vulnerable device, the dialer application automatically executes the code and performs a factory reset. Several Samsung Android devices, including Samsung Galaxy S III, Galaxy S II, Galaxy Beam, S Advance, and Galaxy Ace were reported to be vulnerable because they supported the special factory reset code.
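
A defensive check for the delivery mechanism described above, added here as an example and not code from the original post or from the researcher: scan HTML for tel: URIs in the elements that can hand a number to the dialer (iframe, link, meta refresh) and flag those carrying MMI control characters, the form the factory reset code takes. The sample page is constructed, and `PLACEHOLDER` stands in for any real handset code.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

class TelUriFinder(HTMLParser):
    """Collect tel: URIs from the attributes a page can use to reach the dialer."""
    # Element/attribute pairs that carry a URI the browser loads automatically or on click.
    URI_ATTRS = {("iframe", "src"), ("frame", "src"), ("a", "href"),
                 ("embed", "src"), ("object", "data")}

    def __init__(self):
        super().__init__()
        self.tel_uris = []  # (tag, raw tel: URI) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in self.URI_ATTRS and value.strip().lower().startswith("tel:"):
                self.tel_uris.append((tag, value.strip()))
            # <meta http-equiv="refresh" content="0;url=tel:..."> also hands a URI to the dialer.
            elif tag == "meta" and name == "content":
                idx = value.lower().find("url=tel:")
                if idx != -1:
                    self.tel_uris.append((tag, value[idx + 4:].strip()))

def find_mmi_tel_uris(html):
    """Return (tag, decoded number) for tel: URIs that contain MMI control characters.

    Ordinary phone numbers use digits, '+' and separators only. '*' and '#' delimit the
    MMI/USSD codes an auto-dialing handset may execute without confirmation, which is
    what the factory-reset attack above relies on, so those URIs are flagged for blocking.
    """
    finder = TelUriFinder()
    finder.feed(html)
    flagged = []
    for tag, uri in finder.tel_uris:
        number = unquote(uri[len("tel:"):])  # percent-encoding is a common disguise
        if "*" in number or "#" in number:
            flagged.append((tag, number))
    return flagged

# Constructed sample page: one legitimate click-to-call link, plus a hidden iframe and a
# meta refresh carrying a placeholder MMI code (not a real handset code).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=tel:%2A%23PLACEHOLDER%23"></head>
<body><a href="tel:+1-555-0100">Call support</a>
<iframe src="tel:%2A%23PLACEHOLDER%23" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, number in find_mmi_tel_uris(SAMPLE_HTML):
        print(f"blocked: <{tag}> tel:{number}")
```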

jQuery 1.8.2 Released

jQuery 1.8.2 is released with fixes to several bugs and performance enhancements.

SSL Scanner – SSLyze

A Python script for running SSL checks against servers has been released.
Documentation can be found at –

Warrantless snooping by the Feds of email and social networks is on the rise.

Documents released by the American Civil Liberties Union (ACLU) on Thursday show that law enforcement agencies in the U.S. have increased surveillance of Americans’ electronic communications.

Java exploited, again!

A new zero-day vulnerability has been discovered in all currently supported versions of Oracle’s Java software, potentially allowing attackers to install malware on around 1 billion Macs and PCs. Announced on the Full Disclosure mailing list by security researcher Adam Gowdiak on Wednesday, the bug is present in Java 5, Java 6, and Java 7. The 1 billion figure is taken from installation statistics provided by Oracle. This vulnerability has serious implications for those business applications that continue to require older Java versions.

Surviving the Week 9/21/12

2012 HouSecCon, 10/11/2012 (in Houston)

HouSecCon is coming up – October 11th in Houston. The agenda is shaping up with a bunch of hot topics and well-known speakers. I’ll (Dan Kuykendall) be speaking on mobile security. At NT OBJECTives, we have been working on how to effectively test mobile service calls. Most of the mobile security focus is on device security. During this talk, we are going beyond device security and into mobile application hacking with several demos and hacking tools. Hope to see you there!

Top Security Threats and Attackers by Country

Web security firm Incapsula this week released the first of what it says will be a monthly report that breaks down the origin of Internet attacks by country. The first survey confirmed that the U.S. and China produce the highest volume of attacks on websites, but they don’t necessarily have the most hackers per capita operating from within their borders.

There are four main types of website attacks, according to Incapsula. Server takeovers by means of Remote File Inclusion, Local File Inclusion, Directory Traversal, and other methods are the most common, in part because they can be easily automated, the company said. Data theft by means of SQL injection and credentials theft through cross-site scripting (XSS) methods are the other main types of directly damaging attacks, while a fourth type, vulnerability scanning, is more akin to “casing” a website for future direct attacks.

Cybercrime-Fest Targets Mobile Devices

The lineup of depressing security stats in a recent report by the Government Accountability Office on mobile devices is growing:

  • The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 in less than a year.
  • New mobile vulnerabilities have been increasing, from 163 in 2010 to 315 in 2011, an increase of over 93%.
  • An estimated half million to one million people had malware on their Android devices in the first half of 2011.
  • Three out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.

Attacks against mobile devices generally occur through four channels:

  • Software downloads
  • Visiting malicious websites
  • Direct attacks
  • Physical attacks

iOS, Android Vulnerabilities Found at HP’s Mobile Pwn2Own Event

Both iOS and Android fell to hackers at this Pwn2Own event in Amsterdam. HP awarded two teams of researchers $30,000 for finding and demonstrating their attacks.

The Android attack was built on the Near Field Communications attack demonstrated by Charlie Miller earlier this year at a Black Hat event.

The iOS attack exploited a previously unreported WebKit flaw on an iPhone 4S. WebKit is the underlying rendering engine used in Apple Safari on iOS / Mac OS and in Google Chrome on Android.

Simple Cross Site Scripting Vector That Webkit XSS Auditor Ignores

Google Chrome has a lesser-known feature called “XSSAuditor” that was added to help mitigate reflected XSS. It is similar to NoScript and IE’s built-in XSS filter.
This post shows a trivial attack that circumvents this feature on Chrome version 4 and above as well as Safari 5.1.7.

ViewState XSS: What’s the Deal?

This post uses ASP.NET to provide a detailed example of exploiting an improperly protected ViewState with reflected XSS. Even hard-coded values can be manipulated.

10 Common Mobile Security Problems to Address

Poor security practices of consumers and inadequate technical controls make mobile devices a target waiting to be attacked. The GAO report came up with a list of mobile vulnerabilities it says are common to all mobile platforms and it offered a number of possible fixes for the weaknesses.

Over Half of Companies Suffered a Web Application Security Breach in the Last 18 Months

Forrester Report published.
The results of “The Software Security Risk Report,” a commissioned study conducted by Forrester Consulting on behalf of Coverity, were released this week. This study looked at application security and testing practices and found that security incidents are becoming more common and more expensive. The results included several interesting findings:

  • Most companies experienced at least one breach in the last 18 months and many companies lost hundreds of thousands, if not millions, of dollars.
  • The majority of companies have not implemented secure development practices, “most often citing time-to-market pressures, funding and the lack of appropriate technologies suitable for use during development as their primary roadblocks.”

Read more here:

HoneyMap – Alpha

A real-time world map which visualizes attacks captured by honeypots of the Honeynet Project. Red markers on the map stand for attacks, yellow markers are sensors (honeypots).

This project is highly experimental and should be considered an ALPHA version. So far, current Chrome and Firefox browsers should work fine. Opera, Safari and Internet Explorer probably won’t work.

Surviving the Week 9/14/12

Surviving SQL Injection (link to free SQL Injection tool)

SQL injection continues to be in the news each week. Despite the fact that it is the best-understood vulnerability, it remains the most popular attack technique, and many successful breaches are done with SQLi. This attack method remains a problem even in today’s modern web technologies like AMF and REST based applications.

Here are a bunch of good resources that might help:
– SQLInvader, a free tool for testing SQLi. It’s very similar to SQLmap, but it has a GUI so it’s very easy to use.
– SQL Injection cheat sheet
– Injection cheat sheet

A number of products with SQL Injection, XSS, OS injection and other high-risk security issues were reported this week

This week, some very critical security issues have been discovered in some widely used products, including WordPress, Joomla, and Drupal.

WordPress Krea3AllMedias SQL Injection –
Knowledge Base EE 4.62.0 SQL Injection –
Joomla RokModule Blind SQL Injection –
PersianTools SQL Injection / Shell Upload –
VICIDIAL Call Center Suite 2.2.1-237 SQL Injection / Cross Site Scripting –
Drupal PDFThumb 7.x OS Injection –
Drupal Inf08 6.x Cross Site Scripting –
Fortigate UTM WAF Appliance Cross Site Scripting –
Wordpress Download Monitor Cross Site Scripting –
Drupal Mass Contact 6.x Access Bypass –
Webify Business Directory Arbitrary File Deletion –
Openfiler 2.x NetworkCard Command Execution –
Oracle VM VirtualBox 4.1 Denial Of Service –

HoneyNet Project Releases SQL Injection Emulator

The HoneyNet Project has released a new version of the Glastopf Web application Honeypot software, which can now replicate SQL Injection attacks.

Use NTO’s free SQL Invader to test for SQL Injection
Use the SQL Injection cheat sheet to try injections manually

Microsoft, Adobe Push out Security Patches

Microsoft has released two security bulletins to address issues in Visual Studio Team Foundation Server and Microsoft System Center Configuration Manager. Adobe released a security hotfix for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX. Patch your systems if you are affected –

Oracle Confirms Existence of Another Critical Java Flaw

A new security issue has been discovered in Java which allows a complete JVM sandbox bypass in the latest Java SE 7 Update 7.

BlackHole Exploit kit to release version 2.0

This exploit kit is one of the best known to date. We don’t yet know all the new exploits that could be added into version 2.0, and its authors will have done their best to obfuscate much of their work. But it can be assumed that this latest Java exploit would be included. There are quite a few web-based Java applications out there that require users to remain on specific, vulnerable versions of the Java client, which makes them a high-risk target. If you’re a developer of a Java application you need to ensure that your application will support updated Java versions, or take your application offline.

Surviving the Week 9/7/12

A Number of Exploits Including SQL Injection, XSS, and Authentication Bypass

This week, researchers found some remarkable vulnerabilities, including remote code execution, SQL Injection, and Cross-Site Scripting, within bug tracking systems as well as in security vendors’ products. Test your application with NTOSpider to find all possible vulnerabilities.

GarrettCom Privilege Escalation –
Symantec Messaging Gateway 9.5 Default SSH Password  –
HP SiteScope Remote Code Execution –
Kayako Fusion 4.40.1148 Cross Site Scripting –
Drupal Exposed Filter Data 6.x Cross Site Scripting –
Flogr 2.5.6 Cross Site Scripting –
Web@All CMS 2.0 Shell Upload / Local File Inclusion –
Ektron CMS 8.5.0 File Upload / XXE Injection –
Barracuda Web Filter 910 5.0.015 Cross Site Scripting –
eFront Enterprise 3.6.11 Cross Site Scripting –
Support4Arabs Pages 2.0 SQL Injection –
Wiki Web Help 0.3.11 Remote File Inclusion –
JIRA / GreenHopper Cross Site Scripting –
ES Job Search Engine 3.0 SQL Injection –

Database Security on the Cloud for Microsoft SQL Azure

GreenSQL’s software-based solution can be installed as a front-end to SQL Azure. It fully camouflages and secures the Azure database, dynamically masks sensitive and confidential data in real-time, and provides monitoring and auditing of data access and administrative activities. Its caching dramatically increases database performance, reducing latency in cloud environments. By using GreenSQL, companies comply with regulations such as HIPAA, PCI, SOX, and Basel II.

Government Warns Businesses of Cyber Crime Threat

The UK government’s spy agency, GCHQ, launched a program that aims to help business leaders tackle the growing threat of cyber attacks. GCHQ head Iain Lobban will tell business leaders that current confidence in existing security defenses is often misplaced, with potentially major implications for the economy and customers’ trust in online services. He will also ask board members and chief executives how confident they are that their most important corporate information is safe from cyber threats and whether they are aware of the impact on a company’s reputation, share price or even existence if sensitive information is stolen.

Surviving the Week 8/31/12

XSS: Gaining Access to HttpOnly Cookie

Using the method getHeaderField in the Java HTTP API, any applet can access cookies with the HttpOnly flag set. This shows that enabling the HttpOnly flag alone does not protect you from XSS. Test your application with NTOSpider to find all possible Cross-Site Scripting in your web application.

Attackers release Zero-Day Java Exploit

A major zero-day exploit in Java was released last week. Oracle recently moved Java to a quarterly patch cycle, with its next update scheduled for October. Oracle released an out-of-band update which should be applied immediately across all operating system platforms. It is rumored that the exploit has found its way into the BlackHole exploit kit, and it is available in Metasploit. You’ll want to ensure that you are running Java version 7 update 7 OR Java version 6 update 35.
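
To check hosts against the two minimum releases named in this item, here is an added example (not code from the original post or from Oracle) that parses the pre-Java-9 `java -version` string, e.g. `java version "1.7.0_07"`, and reports whether the installed update is at or past 7u7 / 6u35; Java 5 and anything unrecognised is reported as needing an update.

```python
import re
import subprocess

# Minimum patched update per major line, as stated in the advisory above: 7u7 and 6u35.
MINIMUM_UPDATE = {7: 7, 6: 35}

# Matches the legacy version string format 'version "1.<major>.0_<update>"' (Java 5 to 8).
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')

def parse_java_version(output):
    """Extract (major, update) from `java -version` output, e.g. '1.7.0_07' -> (7, 7).

    Returns None when the string is not in the legacy format handled here.
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def is_patched(major, update):
    """True only for a supported major line at or past its fixed update.

    Major lines without a fix in the table (Java 5, for instance) are treated as unpatched.
    """
    minimum = MINIMUM_UPDATE.get(major)
    return minimum is not None and update >= minimum

def check_installed_java():
    """Run the local `java -version` (which prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "java not installed"
    parsed = parse_java_version(proc.stderr + proc.stdout)
    if parsed is None:
        return "unrecognised version string"
    return "patched" if is_patched(*parsed) else "vulnerable: update required"

if __name__ == "__main__":
    print(check_installed_java())
```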

If you’re thinking of unplugging Java from your browser or uninstalling it from your computer completely, it is a bit harder than point and click.

Number of vulnerabilities including .NET XSS

This week a number of vulnerabilities were posted, including ones as critical as XSS, SQL Injection, code execution, and authentication bypass. Following is a list of the top-risk vulnerabilities discovered in some of the most commonly used web platforms, i.e. .NET, Drupal, and WordPress. Test your application with NTOSpider to find security vulnerabilities in your application before production –

.NET Cross Site Scripting
SAP NetWeaver HostControl Command Injection
Phorum 5.2.18 Cross Site Scripting
Drupal Apache Solr Autocomplete 6.x / 7.x XSS
Drupal CAPTCHA 6.x Access Bypass
Sistem Biwes SQL Injection / Path Disclosure
Drupal Views 6.x Privilege Escalation
Joomla Spider Calendar Lite SQL Injection
Drupal Taxonomy Image 6.x Cross Site Scripting / PHP Code Execution
Drupal Announcements 6.x Access Bypass
TomatoCart 1.1.7 Cross Site Scripting
Endonesia 8.5 CMS Publisher Module SQL Injection
Disqus Blog Comments SQL Injection
WordPress HD Webplayer 1.1 SQL Injection
EMC Cloud Tiering Appliance (CTA) Authentication Bypass
Plogger 1.0 RC1 Cross Site Scripting
Simple Web Server 2.2-rc2 Code Execution