
Surviving the Week 11/30/12, Multiple Instances of Hacking


In the United Kingdom, attackers tampered with the prices of goods on retailers' websites (in one case marking items down to 1p) before trying to buy them with stolen credit card details. Several online retailers detected and blocked the attempts. Price manipulation of this kind typically works because the application trusts a price supplied by the client instead of recomputing it server-side, which is why law enforcement is urging businesses to make sure their online security is up to date.
http://www.itv.com/news/granada/update/2012-11-21/website-hacked-changing-online-prices-to-1p/

Google.pk, Yahoo.pk, Apple.pk, Microsoft.pk and some 275 other Pakistani websites were hacked.
http://techcrunch.com/2012/11/24/hacking-for-the-sake-of-it-eboz-downed-google-apple-300-other-pakistani-sites-and-many-more-just-to-show-it-can/

DreamHost, the popular web hosting company, was breached over the long holiday weekend.
https://www.novainfosec.com/2012/11/26/dreamhost-breached/

Test your application with NTOSpider. Its Universal Translator technology lets it automatically crawl applications and detect and attack vulnerabilities that previously could only be found by manual testing.

Half of Companies Unaware of Most Current Threats

According to Kaspersky's Global IT Security Risks survey, half of the companies surveyed are not aware of the security threats they face. Some 31 percent of respondents admitted they had never heard of any of the recent cyber-epidemics that pose direct threats to their organizations, the study says. Our NTOSpider On-Demand service scans a company's applications and has our experts verify the results of the scan.
http://www.kaspersky.com/downloads/pdf/kaspersky_global_it-security-risks-survey_report_eng_final.pdf

Multiple Vulnerabilities

Greenstone XSS / Password Disclosure / Log Forging – http://packetstormsecurity.org/files/118323
PRADO PHP Framework 3.2.0 File Read – http://packetstormsecurity.org/files/118348
SmartCMS SQL Injection – http://packetstormsecurity.org/files/118349
EMC Smarts Network Configuration Manager Bypass – http://packetstormsecurity.org/files/118358
Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow – http://packetstormsecurity.org/files/118359


Minecraft Style

This is a bit out of character for the purpose of this site, but as a Minecraft fan/addict I have enjoyed the various parody songs that have come out, and I even considered using parts of Hack That for my podcast intro. Today my kids showed me the hilarious Minecraft Style and I just had to share it with all of you.
Enjoy!

By the way, if you enjoy parodies, here are my favourite Man vs. Wild ones.


Payback on Web Attackers: Web Honeypots (OWASP AppSecUSA Presentation Review)


As a web application scanning tool developer and architect at NT OBJECTives, I am always thinking about how websites are evolving and how we can automate more of application scanning. So, how will the evolution of honeypots influence web application scanning?

This AppSecUSA talk, by Simon Roses Femerling (@simonroses), Founder & CEO of VULNEX, was, as you can imagine, about honeypots. His view is that most web honeypots are technologically immature because they are too narrowly focused. Honeypots are widely deployed, but most are about simply distracting the attacker and making them waste time on the decoy, and in doing so they squander the opportunity to gather and log information about the attacker (where they came from, what tooling they used, what they tried).

Several specific honeypots were enumerated, and most of them run on top of an existing web server rather than standing alone. Desirable properties are low CPU impact and the ability to do more than just analyze attack patterns. Some honeypots plant tracking cookies, some present a basic-authentication prompt, others are fake CGI scripts, and others simulate well-known servers.

The last kind is what one pictures when presented with the concept of a honeypot. That honeypot probably only simulates server behaviour to the extent of banner grabs and the like, but it makes me imagine a juicy-looking authentication link that grants the attacker access to vast, fake areas of the website topology (stealth bomber plans, user account IDs and passwords, configuration screens, who knows what). I do not actually know whether anyone is doing anything this elaborate, but it is fun to think about. The artistic challenge in composing such a thing is that the further one probes into the false part of the topology, the exponentially harder it becomes to keep it from being obvious that it is just bait.

Some effective honeypots sidestep that problem; one example is brute force ad infinitum. It looks like an authentication page for something interesting, but it simply lets a password brute-forcer loop forever, with every attempt logged and no credential ever accepted. Specific attack surfaces such as server fingerprinting, session-ID collection, directory indexing, the aforementioned brute force, XSS and PHP CGI can be faked cheaply to yield credible but false information.
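The brute-force-forever trap above is simple enough to show in full. What follows is an added example, written for this review; it is not code from Simon's talk or from NT OBJECTives. It is a minimal WSGI application that serves a fake administration login, accepts any credentials, always returns the same "invalid login" page, and records every attempt so the log, not the distraction, is the product. The /admin/login path, the in-memory ATTEMPTS list and the constructed requests in the simulate() helper are assumptions made for the example.

```python
import io
import time
from collections import Counter
from urllib.parse import parse_qs

# Added example, not code from the talk or from NT OBJECTives: a minimal WSGI
# web honeypot of the "brute force forever" kind.  It serves a fake admin
# login, accepts any credentials, always answers with the same "invalid login"
# page (so a brute-forcer just keeps going) and records every attempt.  The
# /admin/login path and the in-memory ATTEMPTS list are assumptions.

TRAP_PATH = "/admin/login"      # the juicy-looking link (assumed)
ATTEMPTS = []                    # in production, ship these to a SIEM instead

LOGIN_FORM = (b"<html><body><h1>Administration</h1>"
              b'<form method="post" action="/admin/login">'
              b'<input name="username"> <input name="password" type="password">'
              b'<input type="submit" value="Log in"></form></body></html>')

# Byte-for-byte identical for every attempt.  A response that varied with the
# username ("no such user") would leak information and also tip the attacker
# off that something real sits behind the form.
FAILURE_PAGE = (b"<html><body><h1>Administration</h1>"
                b"<p>Invalid username or password.</p></body></html>")

def record_attempt(environ, fields):
    """Log who tried what; the attacker's data is the whole point of the trap."""
    entry = {
        "ts": time.time(),
        "src": environ.get("REMOTE_ADDR", ""),
        "ua": environ.get("HTTP_USER_AGENT", ""),
        "username": fields.get("username", [""])[0],
        "password": fields.get("password", [""])[0],
    }
    ATTEMPTS.append(entry)
    return entry

def honeypot_app(environ, start_response):
    """WSGI callable: GET shows the form, POST logs and 'fails', other paths 404."""
    if environ.get("PATH_INFO", "/") != TRAP_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found"]
    if environ.get("REQUEST_METHOD", "GET") == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        record_attempt(environ, parse_qs(body, keep_blank_values=True))
        start_response("200 OK", [("Content-Type", "text/html")])
        return [FAILURE_PAGE]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [LOGIN_FORM]

def simulate(method, path, body="", remote_addr="203.0.113.5", user_agent="hydra"):
    """Drive the app without a socket: a constructed request for offline runs."""
    raw = body.encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw),
        "REMOTE_ADDR": remote_addr, "HTTP_USER_AGENT": user_agent,
    }
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    out = b"".join(honeypot_app(environ, start_response))
    return captured["status"], out

def top_credentials(n=3):
    """What the log is for: which username/password pairs attackers try most."""
    return Counter((a["username"], a["password"]) for a in ATTEMPTS).most_common(n)

if __name__ == "__main__":
    # To serve it for real: wsgiref.simple_server.make_server("", 8080, honeypot_app)
    simulate("GET", TRAP_PATH)
    for pw in ("admin", "123456", "admin", "letmein"):
        simulate("POST", TRAP_PATH, f"username=admin&password={pw}")
    print(len(ATTEMPTS), "attempts logged; top:", top_credentials(2))
```

The one design decision worth noting is the constant failure page: if the response changed depending on the username, an attacker could both enumerate "valid" accounts and, worse, notice that the page never behaves like a real login. A deployment would also rate-limit nothing here on purpose; the point of the trap is to let the brute-forcer run while the log fills with its wordlist.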

So, how might the evolution of honeypots impact application scanning tools?

We normally presume that the functionality in a web application is there in good faith, but honeypots exist to confound an attacker, and anything that confounds an attacker can equally confound an application scanning tool. If honeypots become more sophisticated and more of a website's topology is fake, IT security teams will not want their scanners spending time and budget scanning (and reporting findings in) the fake part of the application. Application scanning tools would then need to identify and avoid the honeypots.

This could be achieved through training or heuristics. If a heuristic successfully identifies a honeypot, that is a vulnerability of sorts in its own right, since it means the honeypot is easily and automatically detectable and an attacker's tooling could skip it just as readily. If this speaker's vision of more effective honeypots is realized, scanning tools will have to address this; it may be a good idea to start even now.



Surviving the Week 11/23/12, PCI Security Standards Council Adds Guidelines

PCI Security Standards Council Adds Guidelines for Data Security Standards Risk Assessment


The PCI Security Standards Council has released guidelines for PCI DSS risk assessment. There are three key recommendations:

  1. Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization.
  2. A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner.
  3. Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls).

NTOSpider with Universal Translator Technology generates reports mapped to the PCI Data Security Standard to help you find the security vulnerabilities that violate PCI controls. Test your application with NTOSpider; request a free trial today.

Full PCI DSS guidelines can be accessed at: https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf


New Version of Chrome is Released

Google released Chrome version 23.0.1271.64 for Windows, Mac, Linux and Chrome Frame this week. The release brings some interesting new privacy and security features along with fixes for 14 security vulnerabilities.
http://thehackernews.com/2012/11/chrome-23-released-14-vulnerabilities.html


Interesting Stats on Cyber Attacks

A couple of studies show an increase in cyber attacks. NCC Group estimates that more than 1 billion hacking attempts will take place in the final quarter of 2012.
http://thenextweb.com/insider/2012/11/12/hacking-attempts-to-pass-one-billion-in-final-quarter-of-2012-claims-information-assurance-firm/

In another report, Websense Security Labs predicts the top seven cyber security threats of 2013.
http://www.equities.com/news/headline-story?cat=tech&dt=2012-11-13&val=702635


Multiple Vulnerabilities

ManageEngine ServiceDesk 8.0 Cross Site Scripting – http://packetstormsecurity.org/files/118277
dotProject 2.1.6 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118274
Yii Framework 1.1.8 Search SQL Injection – http://packetstormsecurity.org/files/118252
TP-LINK TL-WR841N 3.13.9 Cross Site Scripting – http://packetstormsecurity.org/files/118237
SonicWALL CDP 5040 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118233
WordPress FireStorm Real Estate 2.06.08 SQL Injection – http://packetstormsecurity.org/files/118232
Apple QuickTime 7.7.2 Buffer Overflow – http://packetstormsecurity.org/files/118231
Manage Engine Exchange Reporter 4.1 Cross Site Scripting – http://packetstormsecurity.org/files/118203
Omni-Secure 5 / 6 / 7 Remote File Disclosure – http://packetstormsecurity.org/files/118202
Skype Account Service Session Token Bypass – http://packetstormsecurity.org/files/118199


Blended Threats & JavaScript (OWASP AppSecUSA Presentation Review)

At AppSecUSA, I attended an illuminating talk by Phil Purviance, an Application Security Consultant at AppSec Consulting, Inc. The talk was called Blended Threats & JavaScript: A Plan for Permanent Network Compromise.

First of all, a blended threat is a single attack pursued through multiple vectors (here, browser-side JavaScript delivered through web vulnerabilities and used to reach network devices). This was one of those eye-opening "holy crap, never thought of that" sort of talks.

In this industry, we have long since had our "holy crap, never thought of that" moments with the mechanics of XSS, CSRF and the like, but the particular ways Phil proposed to go about it were especially enlightening.

I must confess that I had grown quite accustomed to the "classic model" of the anatomy of an XSS attack (i.e. injecting a script into a blog page and waiting for a victim to load it). Phil showed some new and eye-opening XSS techniques that break the classic model. One is to inject onmouseover and onmouseout event handlers rather than a bare script: make the element carrying the handler cover essentially the whole page, and all the victim has to do is move the mouse anywhere over the page for the payload to fire. No click is required.

The other half of his talk discussed how too many engineers grow complacent about network devices like routers and modems. IT departments as well as home users tend to set up their devices initially and then, as long as they appear to be working, stop paying attention to the device's security over time. A recent example of attackers exploiting this complacency was the hijacking of 4.5 million DSL modems in Brazil.

The prevailing mindset is: if the router and/or modem seems to be working, then everything is fine. Phil's example is a CSRF attack against the router's administration interface at 192.168.1.1. A good way to deliver it is a "free download" page that makes the victim wait (29 seconds until your download starts, 28, 27, ...) while hidden requests such as <img src="http://192.168.1.1/..."> fire from the victim's browser. The requests originate inside the victim's network, and where the device still has default or browser-cached credentials the router accepts them: the attacker changes the admin password and can even upload new firmware during that 30-second wait. The firmware then does whatever the attacker wants, which generally means sniffing traffic for passwords and the like and forwarding them to the attacker's site.

A lot of these security talks are a scary splash of cold water, but for me this one was especially so and was thus a very valuable talk to have attended. Thanks Phil!


Securing JavaScript by Douglas Crockford (OWASP AppSecUSA Keynote Review)

At OWASP AppSecUSA this year, I attended Douglas Crockford's talk on Securing JavaScript. Doug is a JavaScript developer and, in his own words, the discoverer of JSON.

I was looking forward to this talk with great anticipation because this guy is one of the elder statesmen of microcomputers ("elder" is not quite the affront to vanity it may seem, given how quickly this industry has evolved), and I am pretty sure I enjoyed a few programs of his when I was a kid (how many Douglas Crockfords can there be who are computer guys and the right age to have written those programs?).

Like Alan Kay and other luminaries, if I am right, he did a stint at Atari where he wrote some really cool 3D bouncing-ball demos and a 3D tunnel demo. Besides being perspective-correct, immersive 3D on an 8-bit computer, the ball demos also employed anti-aliasing, which was pretty rare at the time; the Lucasfilm games that came out for the Atari 8-bit a few years later are the only other examples that come to mind. Anyway, I was not disappointed by the talk.

He began by pointing out what I would call the classic security-versus-usability trade-off. For example, any browser that does not allow XSS vulnerabilities is not standards compliant. There are, and will continue to be, ever more standards, such that no developer can be expected to hold all of them in mind and thereby code securely. I was particularly amused by Crockford's characterization of the browser wars of the 1990s: by making their browsers as tolerant as possible of badly formed HTML and other faults, the companies were essentially in a race to see who could produce the most insecure, expose-the-user-to-maximum-risk browser. Usability was the priority and security was an afterthought.

Tossing in my own 2¢ on that: this is also a fine description of Windows and the internet. Windows started on rather limited micros, so one kind of expects that, and I do not think it is any disparagement of Microsoft; in any alternate history, whichever company got to be the 900-pound gorilla of 80s micros, the same thing would have evolved. The internet is a bit more ironic: packet-switched networking was conceived to be virtually immune to Soviet attack by having no single point of failure, so one would think its designers would have been hyper-security-minded. So there is my offering of historical framework.

Crockford went on to elucidate the problems with JavaScript that make it insecure: things like reliance on global variables and the fact that it is conducive to being coded by poseur-nerds who are not computer scientists. He then proposed a subset that would address these problems. (My favourite language is C++, as long as the von Neumann architecture continues to be the dominant computer architecture, and I could propose a similar thing for it.) Crockford's proposals included: static validation only; no code rewriting (self-writing, self-modifying code); ADsafe rules (do not give ads or other external-domain entities the same rights as the page's own script); a restricted set of operators; restricted access to the DOM; no document.write; and no dynamic script tags. All this is preaching to the choir that is me. Summarizing the talk, he said, in so many words, that languages at first emerge driven by utility, then we all do a collective "holy crap" once we have gathered enough knowledge of the security problems, and then we must go back and revise the languages and protocols accordingly.


Surviving the Week 11/16/12, Not a Great Week for Password Protection

Not a Great Week for Password Protection

Earlier in the week, Twitter forced some users to change their passwords after it believed their accounts may have been compromised. Later in the week, a password-reset vulnerability was disclosed in the most famous messenger, Microsoft's Skype: an attacker who knew nothing more than a victim's email address could take over the victim's Skype account and change its username and password. Early Friday, Microsoft reported that the vulnerability had been resolved.

Attack description – http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address
Patch information – http://abcnews.go.com/Technology/skype-fixes-password-reset-security-hole/t/story?id=17718868

ModSecurity Rules Are Out

ModSecurity, one of the most widely used open-source web application firewalls, has released updated rules. Download them at http://www.modsecurity.org/download/

One of NTOSpider's distinctive features is that it can generate rules for different WAFs and IDSs, including ModSecurity, Snort and Imperva. Importing those rules into the WAF lets you block requests against the vulnerabilities NTOSpider found (virtual patching) as a temporary measure; the rules buy time for a code fix, they do not replace it.
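As an added example (this is not NTOSpider's own rule exporter), here is the kind of rule such an export produces, generated from a scanner finding in Python. The finding format, the rule ID range and the parameter whitelists are assumptions made for the example; the ModSecurity syntax itself is standard. The patch is positive-security and narrowly scoped: it denies the request only when the one flagged parameter, on the one flagged URL, fails to match what that parameter is allowed to look like, so it does not touch the rest of the site.

```python
import re

# Added example, not NTOSpider code: turn scanner findings into ModSecurity
# "virtual patch" rules.  Each rule is a positive-security check on the one
# parameter the scanner flagged, scoped to the one URL.  The finding format,
# the rule ID range and the whitelist patterns are assumptions.

# What a flagged parameter is allowed to look like until the code is fixed.
ALLOWED = {
    "numeric": r"^[0-9]{1,10}$",
    "alnum":   r"^[A-Za-z0-9_-]{1,64}$",
    "email":   r"^[^@\s]{1,64}@[^@\s]{1,255}$",
}

def safe_param(name):
    """Only embed parameter names that cannot break the rule's own syntax."""
    return re.fullmatch(r"[A-Za-z0-9_.\-\[\]]+", name) is not None

def modsec_rule(rule_id, finding):
    """finding: dict(url=, param=, vuln=, allow=) -> one chained SecRule."""
    if finding["allow"] not in ALLOWED:
        raise ValueError("no whitelist for %r" % finding["allow"])
    if not safe_param(finding["param"]):
        raise ValueError("parameter name not safe to embed in a rule")
    msg = "Virtual patch: %s in %s (%s)" % (
        finding["vuln"], finding["param"], finding["url"])
    msg = msg.replace("'", "")          # keep the quoted msg: action well-formed
    # First rule: match the URL and carry the disruptive action, then chain.
    head = ('SecRule REQUEST_URI "@beginsWith %s" '
            '"id:%d,phase:2,deny,status:403,log,msg:\'%s\',chain"'
            % (finding["url"], rule_id, msg))
    # Chained rule: fires only when the flagged parameter does NOT match the
    # whitelist, so legitimate values pass and anything else is denied.
    tail = '    SecRule ARGS:%s "!@rx %s"' % (finding["param"], ALLOWED[finding["allow"]])
    return head + "\n" + tail

def export_rules(findings, first_id=100001):
    """One rule per finding, IDs allocated sequentially from first_id."""
    return "\n".join(modsec_rule(first_id + i, f) for i, f in enumerate(findings))

if __name__ == "__main__":
    # Constructed findings, in the shape a scanner export might use.
    print(export_rules([
        {"url": "/viewproduct.aspx", "param": "productid",
         "vuln": "SQL Injection", "allow": "numeric"},
        {"url": "/account/update", "param": "email",
         "vuln": "Cross Site Scripting", "allow": "email"},
    ]))
```

Whitelisting the parameter rather than blacklisting attack strings is the choice that matters: a productid that must be a short integer cannot carry a SQL payload no matter how it is encoded, whereas a deny-list of quote characters is only ever one evasion away from useless.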

Multiple Vulnerabilities

Vulnerabilities were disclosed this week in some major applications, including WordPress, Drupal and Oracle. The following list links to the advisories for vulnerabilities disclosed in the past week.

WordPress Kakao Theme SQL Injection – http://packetstormsecurity.org/files/118008
WordPress Eco-Annu SQL Injection – http://packetstormsecurity.org/files/118007
WordPress 3.3.1 swfupload.swf Cross Site Scripting – http://packetstormsecurity.org/files/118009
netOffice Dwins 1.4p3 SQL Injection – http://packetstormsecurity.org/files/118010
BananaDance Wiki b2.2 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118027
Java Applet JAX-WS Remote Code Execution – http://packetstormsecurity.org/files/118040
MYREphp Vacation Rental Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/118088
dotProject 2.1.6 Remote File Inclusion – http://packetstormsecurity.org/files/118101
Narcissus Remote Command Execution – http://packetstormsecurity.org/files/118102
ReciPHP 1.1 SQL Injection – http://packetstormsecurity.org/files/118103
BabyGekko 1.2.2e XSS / LFI / SQL Injection  – http://packetstormsecurity.org/files/118104
MYRE Realty Manager XSS / SQL Injection – http://packetstormsecurity.org/files/118105
Bugzilla Information Leak / Cross Site Scripting – http://packetstormsecurity.org/files/118106
Drupal RESTful Web Services 7.x Cross Site Request Forgery – http://packetstormsecurity.org/files/118108
Drupal Smiley / Smileys 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118109
Friendsinwar FAQ Manager XSS / SQL Injection – http://packetstormsecurity.org/files/118110
iDev Rentals 1.0 Cross Site Scripting – http://packetstormsecurity.org/files/118111
Drupal Chaos Tool Suite 6.x Cross Site Scripting – http://packetstormsecurity.org/files/118114
Drupal Table Of Contents 6.x Access Bypass – http://packetstormsecurity.org/files/118115
Oracle Database Client System Analyzer Arbitrary File Upload – http://packetstormsecurity.org/files/118119


Surviving the Week 11/9/12, NBC and Coca Cola hacked this week

A couple of major hacks this week – NBC and Coca Cola

A number of NBC sites were hacked this week. There is no official word on what attack was used. Test your application with NTOSpider to find possible vulnerabilities and avoid downtime.
NBC Hack – http://www.theverge.com/2012/11/4/3598998/nbc-snl-hacked
Coca Cola Hack – http://www.networkworld.com/community/node/81739

Barnes & Noble Customers File Lawsuits After Breach

Another instance of lawsuits following a hacking incident: victims of a PIN pad tampering incident that compromised customer information at dozens of Barnes & Noble stores have filed three class-action lawsuits against the nation's largest book retailer.
http://www.scmagazine.com/barnes-noble-customers-file-lawsuits-after-breach/article/267227/

Experts Find DOM XSS Flaw in “+1” Button of Google Plus

Security researchers from Minded Security have identified a DOM-based cross-site scripting (XSS) vulnerability in the +1 button of the Google Plus social network. DOM XSS lives entirely in client-side JavaScript, so a scanner that only inspects server responses without executing the page's script will not see it. Test your application with NTOSpider to find possible security vulnerabilities.
http://news.softpedia.com/news/Experts-Find-DOM-XSS-Flaw-in-1-Button-of-Google-Plus-Video-304533.shtml

Singaporeans Get Hard Token Baked Into Credit Card

Standard Chartered Bank’s local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token. MasterCard calls the device a ‘Display Card’ and says it includes “an embedded LCD display and touch-sensitive buttons”.
http://www.theregister.co.uk/2012/11/08/hard_token_in_credit_card/


Web Application Security Scanning – The Art of Automation

Few people fully appreciate the difficulty of creating a web application security scanner that actually works well against most sites. In addition, there is much debate about how much application security testing can be automated and how much needs to be done by human hands. Let's look at a recent conversation among some industry experts that took place on Twitter (abbreviated for easier reading).

Jeremiah Grossman @jeremiahg:
RT @kdinerman: WebApp Scanners Challenged By Modern WebTech http://bit.ly/Tz5IX5 < true, but no way the biggest issue

Neil MacDonald @nmacdona
not the biggest issue < what would you say is the biggest issue?

Jeremiah Grossman @jeremiahg
login & maintaining authed-state, 404 detection, infinite website problem & production safety.

zulla @zulladan
@jeremiahg login & maintaining authed-state, 404 detection – i always believed that whitehatsec was one of the few who solved that

Jeremiah Grossman @jeremiahg
@zulladan ahh. technologically the issues are not “solved.” they're compensated for w/ [human] config. true for everyone to varying degrees.

Dan Kuykendall @dan_kuykendall
Auth, 404, infinite links, etc are all stuff we solved 5+ years ago. Mobile and API are the new challenges

Jeremiah Grossman @jeremiahg
please define “solved.” As in, the tech does everything automatically w/o human assistance?

Dan Kuykendall @dan_kuykendall
Yes, in 90% of the cases we just need creds, Then automation does the rest. Was hard, but did it.

Neil MacDonald @nmacdona
@dan_kuykendall hard but did it < more & more automation, “good enough” bar higher, humans at top of pyramid

I agree, humans will continue to be at the top of the pyramid when it comes to web application security, but the practical reality is that organizations don't have the time and money to hire enough humans to effectively find and remediate all of their application security vulnerabilities. So, while it is true that we may never be able to automate 100% of the possibilities, it is our job to push forward the art and science of automation. It's not easy, but somebody's gotta do it.

Why Automated Scanning Is Critical

This does not exclude manual training options, but depending solely on manual training is a failed option for most organizations.

  1. Auditors rarely know the application very well. When you have three people on a security team responsible for hundreds or thousands of applications, it is unlikely that they know any one application in depth.
  2. Auditors have a limited amount of time to spend training the scanner for each application; often it is nearly no time at all. It is rare that the security team has:
    1. ever used the application,
    2. had time to learn the ins and outs of each one, or
    3. had time to manually configure a scanner with full manual training.
  3. Auditors' time is better spent on attacks only humans can do, such as business logic and privilege escalation attacks that automation may never be able to adequately discover.
  4. Even SaaS offerings that are aided by manual effort end up limited by the quality of their automation. Do you really believe that a highly trained security professional is going to review and train the web application security scanner for every nook and cranny of every application? How long would you expect a highly trained security professional to do a job like this before wanting to poke their eyes out with a fork? Not long, I'm sure.
  5. The quality of manual training will vary. Manual effort will focus on a few high-profile areas here and there (the ones that probably had the best secure development applied to them in the first place). You may also end up with a less competent person doing the training and get less than ideal training data into the scanner. In the end, much falls back on the automation.

Bottom line: an effective web application security scanner must do everything possible to accomplish the best possible scan in a fully automated fashion. The less you leave for the human effort, the more effective the human effort will be. It has taken us a decade of pure focus with a team of highly talented developers to solve each challenge and to overcome one niche case after another. We continue to innovate with automation, but we are also looking forward to the next generation of challenges, and the battle ahead.


The Classic Challenges

  1. Form-based logins – There are several challenges here which are important to solve if you ever intend to schedule scans or simply be able to run a point-and-shoot scan.
    • You must automate detection of the login form. There are many possible formats, and they must be distinguished from other forms.
    • Deal with forms whose onsubmit events do crazy stuff such as client-side encryption of the password to “protect” it over the wire, or calculating some predetermined key from another token.
    • Automate the determination of a successful login vs. a failed login (in its different flavours of failure). This is one of the more challenging tasks, and it gives web application security scanning vendors all sorts of headaches.
  2. Single sign-on – It can be a challenge to log in while avoiding crawling and attacking sites not intended to be part of the attack surface. You must prevent sending credentials to the wrong place, and deal with the various cookies and tokens that get passed back and forth between the various domains/hosts involved in the SSO process.
  3. Auto-populating forms with valid data – To get the best possible code coverage it is critical to populate form fields with valid data, so the scan gets deep into the parts of the application that sit behind data validation.
    Example scenario:
    A billing address form where all the input names/ids are textbox1, textbox2, etc. Additionally, the developer added code to require a valid state and zip code.
    Weak solution:
    Because the scanner doesn't know what valid input for textbox1, textbox2, etc. would be, it might enter a bunch of aaaaaaaa's into the fields.
    Problem remains:
    Without user training, the web application security scanner is basically dead in the water:

    • It will not get past this step, which could be step one in a multi-step process.
    • It will miss the SQL injection possible in the street address field, because the SQL INSERT happens several lines of code after the state and zip code validation.
  4. Dynamic changes based on user events – Often we see changes triggered by user actions; an example is an onchange event on a select list. The JavaScript that runs might change the available form fields, or populate hidden fields with data. If you do not faithfully emulate what would have happened in a browser, you will often fail the basic validation that takes place and never get to deliver your attack payloads.
  5. Session management – It is a constant challenge to stay logged into an application. The scanner must avoid logout buttons/links/events, must properly pass along session tokens wherever they happen to be at the moment (sometimes cookies, sometimes on the URL, sometimes in a hidden form field) and adjust to multiple mechanisms in use on a single app. The scanner must also recognise when it has lost its session and then re-login (which requires the automated login process mentioned above) to continue its scan.
  6. 404 detection – Some sites use the standard 404 handler, but most have started to customize it to offer a better user experience. The scanner must employ a collection of tricks and techniques to handle the possible scenarios, or you end up with endless new links on many sites.
    • Custom 404 pages that respond with a 200 status. This is the simple case, but many scanners still get caught by it.
    • SEO-friendly sites – In most of these applications there are no real files; every request, including what would otherwise be a 404, is routed through the framework, which looks up the intended content in a database. This can leave a scanner unable to distinguish real content from a 404-equivalent response.
    • Different 404 handlers per directory. We see many sites with a different 404 handler for one sub-application. A simple example is a site that includes a blog installed as www.site.com/blog/. The blogging software may use SEO-friendly URLs, making your scanner think that EVERY page under /blog/ exists.
  7. Limiting repetitive functionality – Let's say you're scanning an online store with 100,000 items.
    • viewproduct.aspx?productid=5
    • viewproduct.aspx?productid=6

    or maybe it looks like

    • /product/5/view
    • /product/6/view

    You must auto-detect these situations and properly limit the amount of testing or your scan will basically run for a very long time, and when it does eventually complete it might end up reporting the same vulnerability (or root cause) 1000’s of times.

  8. Memory management – As mentioned earlier, a web scanner is a very complex piece of software engineering. Ask around and you will find that even companies such as HP and IBM are known for having their scanners crash, in large part due to memory management issues. The reason is that every web application is different, yet all responses must be parsed and analyzed, and parsing and analyzing unpredictable response data takes very solid engineering to handle properly.
  9. AJAX/HTML5 – I will save this for another blog post.
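Two of the challenges above, custom 404 detection (item 6) and limiting repetitive functionality (item 7), are concrete enough to show as code. The following is an added example written for this post, not NTOSpider's implementation. The soft-404 detector requests a random file name in each directory it meets, fingerprints the answer, and later treats any response that looks the same as "not found" even when the status is 200; keeping one baseline per directory is what handles the /blog/ case. The family limiter collapses URLs that differ only in numeric identifiers, so the two product URL styles from item 7 each become one family with a fixed budget. The similarity threshold, the per-family budget and the fake site behind fake_fetch() are assumptions constructed for the example.

```python
import random
import re
import string
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Added example, not NTOSpider code: two of the crawl heuristics listed above,
# run offline against a constructed fake site.
#   1. Soft-404 detection with one baseline per directory: request a random
#      name, fingerprint the answer, and treat later responses that look the
#      same as "not found" even when the status code is 200.
#   2. Repetitive-functionality limiting: collapse URLs that differ only in
#      numeric identifiers into one family and cap the requests per family.
# The similarity threshold, per-family budget and fake site are assumptions.

_WORDS = re.compile(r"[A-Za-z]{3,}")

def page_fingerprint(path, body):
    """Word set of the page with the requested path scrubbed out first: custom
    404 pages usually echo the path ("could not find /foo"), which would make
    every soft-404 look slightly different."""
    return {w.lower() for w in _WORDS.findall(body.replace(path, ""))}

def jaccard(a, b):
    return 1.0 if not (a or b) else len(a & b) / len(a | b)

def directory_of(path):
    return path.rsplit("/", 1)[0] + "/"

def random_probe_path(directory):
    return directory + "".join(random.choices(string.ascii_lowercase, k=12)) + ".html"

class Soft404Detector:
    """One 'what does not-found look like' baseline per directory, because /
    and /blog/ may be served by different handlers (item 6 above)."""

    def __init__(self, fetch, threshold=0.9):
        self.fetch = fetch        # callable(path) -> (status, body)
        self.threshold = threshold
        self.baseline = {}        # directory -> (status, fingerprint)

    def baseline_for(self, directory):
        if directory not in self.baseline:
            probe = random_probe_path(directory)
            status, body = self.fetch(probe)
            self.baseline[directory] = (status, page_fingerprint(probe, body))
        return self.baseline[directory]

    def is_not_found(self, path, status, body):
        if status == 404:
            return True
        base_status, base_fp = self.baseline_for(directory_of(path))
        if base_status == 404:
            return False          # honest 404s here, so a 200 is real content
        return jaccard(page_fingerprint(path, body), base_fp) >= self.threshold

    def probe(self, path):
        status, body = self.fetch(path)
        return self.is_not_found(path, status, body)

_NUMERIC = re.compile(r"^\d+$")

def url_family(url):
    """'/product/5/view' -> '/product/{n}/view',
    'viewproduct.aspx?productid=5' -> 'viewproduct.aspx?productid={n}'."""
    parts = urlsplit(url)
    path = "/".join("{n}" if _NUMERIC.match(s) else s for s in parts.path.split("/"))
    query = sorted((k, "{n}" if _NUMERIC.match(v) else v)
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit((parts.scheme, parts.netloc, path,
                       "&".join(f"{k}={v}" for k, v in query), ""))

def crawl_plan(urls, per_family=2):
    """The subset of urls worth requesting: at most per_family from each family."""
    seen, keep = defaultdict(int), []
    for url in urls:
        seen[url_family(url)] += 1
        if seen[url_family(url)] <= per_family:
            keep.append(url)
    return keep

# Constructed fake site: a store whose custom 404 answers 200, plus a blog under
# /blog/ whose SEO-friendly router "finds" every URL.
REAL_PAGES = {
    "/index.html": "<h1>Acme Store</h1><p>Welcome to our catalog of fine widgets</p>",
    "/blog/hello-world": "<h1>Hello world</h1><p>First post on the Acme blog about widgets</p>",
}

def fake_fetch(path):
    if path in REAL_PAGES:
        return 200, REAL_PAGES[path]
    if path.startswith("/blog/"):
        return 200, f"<h1>Acme blog</h1><p>Nothing at {path} yet, but here are some recent posts about widgets</p>"
    return 200, f"<h1>Acme Store</h1><p>Sorry, we could not find {path}. Try the search box or browse the catalog</p>"

if __name__ == "__main__":
    det = Soft404Detector(fake_fetch)
    for p in ("/index.html", "/missing.html", "/blog/hello-world", "/blog/some-old-post"):
        print(p, "not found" if det.probe(p) else "content")
    urls = [f"/product/{i}/view" for i in range(1, 6)]
    urls += [f"viewproduct.aspx?productid={i}" for i in range(1, 4)]
    print(crawl_plan(urls))   # two per family instead of eight requests
```

Two details carry most of the value. Scrubbing the requested path out of the body before fingerprinting is what makes the comparison stable, because the echoed path is the one part of a custom 404 that changes on every request. And sorting the query parameters before building the family key stops a?x=1&y=2 and a?y=2&x=1 from being counted as two families; without that, a site that reorders parameters in its links quietly defeats the budget.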

Those examples are just the crawling problems that come to the top of my mind. I haven't even started to mix in attacking and how it can cause session loss; how to find new application security vulnerabilities (known vulns don't exist in this world of custom apps) while avoiding false positives; and, eventually, delivering a usable report that both a tester and a developer can use to fix the problems the scanner finds. Trust me, the solution to each problem, and to each of its many flavours, was a hard-fought battle.

Time after time, as product after product attempts to face these challenges, we see them give up and move toward manual training. Enticing manual training interfaces move front and center. Point and shoot falls to the wayside.

At NT OBJECTives, we have confronted these challenges and have invented automation techniques to solve them. We have won those battles. Now we are setting our sights on the future problems. To read more about the battles we are fighting now, download our new whitepaper on Web Application Security Scanner Coverage in RIA, Mobile and Web Services. Or, if you are skeptical that we can effectively address these problems for your custom application, go ahead, request a free trial. I dare you! (Free trial NTOSpider)


Surviving the Week 11/2/12, Ford website hacked by NullCrew

We’re a bit late this week on our Surviving the Week post, because we’ve been busy with our recent product launch of NTOSpider 6.

During the month of October, I spoke at HouSecCon, ToorCon and OWASP AppSec USA with an emphasis on why newer technologies like REST, AJAX, JSON and GWT create challenges for modern web scanners, and how security professionals can determine whether their scanners are effectively scanning and attacking them.

18 of 24 Major Federal Agencies Have Reported Inadequate Information Security Controls – GAO Report

The U.S. Government Accountability Office (GAO) found in its August 2012 report that “18 of 24 major federal agencies have reported inadequate information security controls,” and that “inspectors general at 22 of these agencies identified information security as a major management challenge for their agency.” In its September 2012 report on mobile security, GAO found that malware aimed at mobile devices has risen 185% in less than a year. Talk about scary.
http://gov.aol.com/2012/10/22/gao-report-cybersecurity/

The newest version of our web application security scanner, NTOSpider 6, includes Universal Translator Technology, which understands the new formats, protocols and development technologies used in today's mobile and modern browser-based applications.

Ford Website Hacked by NullCrew, User Credentials Leaked Online


The hackers claim to have leveraged a SQL Injection vulnerability in order to gain access to the databases behind the social.ford.com subdomain. As a result of the breach, database and table names, customer usernames – represented by email addresses – and encrypted passwords have been leaked. Test your application with NTOSpider to find security vulnerabilities including SQL Injection.

http://news.softpedia.com/news/Ford-Website-Hacked-by-NullCrew-User-Credentials-Leaked-Online-302688.shtml

To test for SQL Injection further, you can use our free tool, SQL Invader. Details of NTO SQL Invader can be found at
http://www.ntobjectives.com/go/nto-sql-invader-free-download/
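As an added example (not code from the original post or from NT OBJECTives), the pattern behind a database-dumping SQL injection like the one claimed against social.ford.com, shown beside its fix: a user lookup built by string concatenation next to the same lookup with a bound parameter. It runs against a constructed in-memory SQLite table with made-up accounts; the table, the sample rows and the function names are all assumptions for the demonstration. The tautology input is the same kind of probe a scanner sends when checking whether a parameter reaches the query unescaped.

```python
"""String-built SQL query beside its parameterized replacement.

Constructed, self-contained example (not code from the original post or
from NT OBJECTives). The users table and its two rows are made up.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],  # constructed
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by concatenation: the input is parsed as SQL."""
    sql = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Binds the input as a parameter: it can only ever be compared as data."""
    return conn.execute(
        "SELECT email, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology probe: turns "email = ''" into "email = '' OR '1'='1'".
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Row counts each lookup returns for a normal address and for the probe.

    A single-account lookup that suddenly returns every row is the
    signature of the injection; the parameterized version returns none.
    """
    conn = make_db()
    normal = "alice@example.com"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_tautology": len(lookup_parameterized(conn, TAUTOLOGY)),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is entirely in `lookup_parameterized`: because the driver sends the value separately from the statement, no quoting of user input is needed or possible, so the same probe that dumps both rows from the concatenated query matches nothing. In application code, the equivalent check is to review every place a query string is assembled from request data and move it to bound parameters.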

South Carolina Hit in Massive Cyberattack – 3.6 Million Tax Payers Exposed

On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers. Six days later, investigators uncovered two attempts to probe the system in early September, as well as a previous attempt that was made in late August. In mid-September, two other intrusions occurred that authorities believe were the first times the intruder or intruders obtained data. No other intrusions have been uncovered at this time, and on Oct. 20, the vulnerability in the system was closed, according to the DOR.
http://www.securityweek.com/south-carolina-hit-massive-cyberattack

US and Canada Launch Joint Cybersecurity Plan

Canada and the United States announced Friday they were launching a joint cybersecurity plan to protect their digital infrastructure from online threats. The action plan, under the auspices of the US Department of Homeland Security and Public Safety Canada, aims to better protect critical digital infrastructure and improve the response to cyber incidents.
http://www.securityweek.com/us-canada-launch-joint-cybersecurity-plan

On Cybersecurity, Small Businesses Flirting with Disaster

U.S. small businesses are hiding behind the belief they have done enough to secure themselves against hackers and malware when in reality many are vulnerable to attacks that could doom their businesses, according to a recent survey. The survey, sponsored by the National Cyber Security Alliance (NCSA) and Symantec, found that 77% of 1,015 small businesses think they are safe from cyber attacks. The survey defines a small business as a company with fewer than 250 employees. Use NTOSpider On-Demand to test your application. NTOSpider On-Demand allows small and medium businesses to scan their applications effectively without requiring any security staff. Our consulting team can help you verify the scan results.
http://www.zdnet.com/on-cybersecurity-small-businesses-flirting-with-disaster-survey-finds-7000005891/

A number of XSS, SQL Injection, file inclusion and other high-risk vulnerabilities were disclosed this week in commonly used platforms and applications:

Drupal Time Spent 6.x / 7.x XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117660

Drupal MailChimp 7.x Cross Site Scripting – http://packetstormsecurity.org/files/117666

WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite – http://packetstormsecurity.org/files/117665

WordPress Easy Webinar Blind SQL Injection – http://packetstormsecurity.org/files/117706

WordPress FoxyPress 0.4.2.5 XSS / CSRF / SQL Injection – http://packetstormsecurity.org/files/117768

NASA Tri-Agency Climate Education (TrACE) 1.0 XSS – http://packetstormsecurity.org/files/117692

NASA Tri-Agency Climate Education (TrACE) 1.0 SQL Injection – http://packetstormsecurity.org/files/117693

Joomla Quiz Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117770

Oracle Java Font Processing “maxPointCount” Heap Overflow – http://packetstormsecurity.org/files/117659

VaM Shop 1.69 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117649

ClanSphere 2011.3 Local File Inclusion / Remote Code Execution – http://packetstormsecurity.org/files/117655

Inout Article Base Ultimate SQL Injection / CSRF – http://packetstormsecurity.org/files/117656

Bitweaver 2.8.1 Cross Site Scripting / Local File Inclusion – http://packetstormsecurity.org/files/117668

Inventory 1.0 SQL Injection – http://packetstormsecurity.org/files/117682

Layton Helpbox 4.4.0 SQL Injection – http://packetstormsecurity.org/files/117684

Layton Helpbox 4.4.0 Stored Cross Site Scripting – http://packetstormsecurity.org/files/117688

Layton Helpbox 4.4.0 Cross Site Scripting – http://packetstormsecurity.org/files/117690

VicBlog Path Disclosure / SQL Injection – http://packetstormsecurity.org/files/117709

Gramophone 0.01b1 Cross Site Scripting – http://packetstormsecurity.org/files/117710

TP-LINK TL-WR841N Local File Inclusion – http://packetstormsecurity.org/files/117749

NetCat CMS 5.0.1 Cross Site Scripting / HTTP Parameter Pollution – http://packetstormsecurity.org/files/117772

Citrix XenServer 6.0.2 Privilege Escalation – http://packetstormsecurity.org/files/117767

PG Dating Pro CMS 1.0 Cross Site Scripting / SQL Injection – http://packetstormsecurity.org/files/117771

Endpoint Protector 4.0.4.2 Cross Site Scripting – http://packetstormsecurity.org/files/117765