2012

Posted by Dan Kuykendall
on February 17, 2012

The NTO team keeps growing and the demands of running the business and supporting our customers is keeping me busy… and its a blast. But now its good to be getting back to these weekly postings.

On to the news, so I can help keep you all informed about the important news in web app security.

Will a standardized system for verifying Web identity ever catch on? - Maybe the question is “Do we even want a standardized system for verifying Web Identity?” I for one see stuff like this everyday, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
CSRF with upload – XHR-L2, HTML5 and Cookie replay - XHR-Level 2 calls embedded in an HTML5 browser can open a cross domain socket and deliver an HTTP request. Cross-domain calls will abide by CORS, but browsers end up generating preflight requests to check policy and based on that, will allow cookie replay. Interestingly, multi-part/form-data requests will go through without the preflight check and “withCredentials” allow cookie replay. This is how some new cutting edge attacks are going to be performed.
Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL

Surviving the Week – 12/09/2011

Posted by Dan Kuykendall
on December 10, 2011

Sorry I missed last week, this one will cover the last two weeks.

NT OBJECTives Releases SQL Invader - NTO SQL Invader finally makes it easy to exploit a SQL Injection vuln from a clean graphical interface. Check out the video demonstration.
Santa’s CISO failed him! – Another major data leak for 2011
MySQL.com Once again Compromised using Sql Flaw – The article says it well “MySql website is pretty embarrassed for not securing its own database’s properly”.
HTML5

Top 10 HTML5 threats and attack vectors – HTML5 is going to be a treasure trove of attack vectors over the next 2+ years. Heres a good start on a list.
HTML5 Security Concerns Complicate Deployment Plans – Finally people are starting to slow down the wagon to make sure we arent making things worse.

It’s ba-ack. Exploit revives slain browser history bug – Im glad to see this type of research being done, because sometimes we assume one style of change will fix a thing, but thats rarely the case in the end.
OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection – Great write up on making sure the transport layer is secured, and how to recognize when its not.
Critical Zero-day Vulnerability in Adobe Reader – Another week, another critical flow in adobe.
Yahoo Messenger 0-Day Exploit allow status message hijacking – This is cool because its basically an XSS attack against the yahoo messenger.
Millions of printers open to devastating hack attack – Said best by Steve Tornio on twitter “My HP all-in-one printer barely even works. Asking them to code securely is not likely to end well.”
Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10 – While on the topic of HP, heres an Interesting application XSS filter in the GET request evaded by new line characters %0D%0A and XSS filter didn’t exist for POST request. Good bypass!!
DNS cache poisoning attack on Google, Gmail, YouTube, Yahoo, Apple - Nothing new, but a reminder of how much we trust in DNS and how easy it is to screw with.

Surviving the Week – 11/25/2011

Posted by Dan Kuykendall
on November 26, 2011

I hope that all of you in the US had a great Happy Thanksgiving.
As is normal for a holiday weekend, the new is a bit light, but here is what I was able to gather for this week.

Detecting and Combating Business Logic Attacks – Business logic attacks are the next generation stealthy attacks. They are not illegal, not malformed request and also hard to detect by web application firewall and IDS. These Fraudulent Attacks Can Cost Organizations Big Money.
Apache HTTP Server Reverse Proxy/Rewrite URL Validation Issue – Nice way of leveraging URL rewriting and accessing internal network. Reverse proxy is not going away soon it seems.
HTML5: Something wicked this way comes – HackPra materials – Good presentation on HTML 5 security
Lotus Notes Formula Injection – It is having context driven injection and one can pass on extended formula as data which being executed. Interesting injection vector like we have in macros
Changing nature of DDoS attacks
Ruby on Rails Input Validation Flaw in Translate Helper Method Permits Cross-Site Scripting Attacks.
Google protects its current HTTPS traffic against future attacks
The CFO’s role in the data breach war

Surviving the Week – 11/18/2011

Posted by Dan Kuykendall
on November 18, 2011

This week was a busy one for me, as I’m finally done traveling for awhile and and got back to working on NTOSpider6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.

Larry Suto study of WAF Effectiveness has finally gotten out, and received some attention.
- My comments about the study
- Response to WAF/IDS/IPS Effectiveness Report – Jim Broome’s “I told you so” blog post
- Effectiveness of web application firewalls (Help Net Security)
- Well-tuned WAFs with DAST products 39% more effective, study finds (Computer Weekly)
- Suto strikes again, or getting the desired results regardless of data – Interesting points about the limitations of the data Larry was able to collect. However, its worth noting that doing WAF evasion and the other recommended steps would probably result in no report to ever be released because it would be extremely difficult and time consuming. Probably why there are no other such reports/analysis even close to what Larry has done. Hopefully Larry’s work will inspire others to pick up the challenge and take it to the next step.
- Bang for your buck: WAF configuration – Incorrectly assumes that NT OBJECTives produced the report, which I have explained in my comment on his bog. The report was performed by Larry Suto who does not and has never worked for NTO.
I presented Not Your Granddad’s Web App @ HouSecCon 2011 – The conference was great this year. My talk went well and I had lots of response and good conversations as a result.
Reviews of SOPA/PROTECT IP – Forcing honesty on the internet… ha!
- New Study From Booz & Co. Shows That SOPA/PROTECT IP Will Chill Investment In Innovation
- DoJ seeks to outlaw lying on social networks (ZDNet UK)
Cloud Security at HouSecCon 2011 – (MJ Keith’s technical preso)
Imperva Announces Pricing of Initial Public Offering – Imperva going public tells me that WAF’s have hit the big time
Fighting 0days With Fundamentals (DarkReading) – A bit of a counter-argument to signature based solutions, and all good points. I think Vinnie is right that developers need to continue to focus on security coding practices to avoid creating the security issues in the first place, but once the baby is born and running amok on the internet, we need to use solutions (DAST, SAST, WAF, IPS) to help protect them. Its never going to be either/or, its going to require both.
“FIX IT!” Ain’t Gonna Cut It: Kicking Off a Software Security Remediation Project – A fantastic post from the Denim Group on how to improve the process of moving from “just fix it” to a well thought out development process with integrated security.
The Twelve Web Security Truths – Nice little summary from my buddy Mike Shema
Amex clueless about security–so what else is new? (Securiteam) – Amex under scrutiny, doesn’t inspire confidence with their lack of responsiveness
Study of next-generation firewall deployments (Help Net Security) – I still don’t understand what qualifies a technology as a “Next-Generation Firewall (NGFW)” but if more than 50% of users are using NGFW’s doesnt that make them no longer “Next-Generation” as they are now the “Current” or “Modern” generation firewalls. Oh well, I guess that’s just me.
Healthcare most breached industry in 2011 – Includes statement that life or death systems account for 5% but are on the rise.
WYSINWYX: What You See Is Not What You eXecute – I’m still trying to dig through this 79 page paper, but it does go into some of the details about why source code scanning tools face some inherit limitations caused when compiled machine code behaves differently than expected. Every C/C++ developer out there has experience debugging these issues and fighting with that special form of hell. I bet Veracode liked this one due to their ability to work against the compiled code.
WhiteHat Security Adds Common Vulnerability Scoring System to Sentinel Website Security Product – I think this is a great move, which we have done as well for our upcoming release of NTOSpider 6.0 (scheduled for release in Q1 2012).
Joomla! security bypass weakness and XSS vulnerability (Help Net Security) – Not that important really, but a reminder that these things will continue to pop up with any popular framework

Surviving the Week – 11/11/2011

Posted by Dan Kuykendall
on November 11, 2011

Web application security news from the last couple weeks.
[I guess I didn't figure out how to keep going with this weekly post when Im traveling, but now I'm done traveling for a couple months, so should be able to keep up with the news]

Another game company under attack – Hackers Crack Steam Database
Debate: Where to insert security – Stay Cool, Nobody is Calling Your Baby Ugly
More reasons WAF’s are needed – The Curious Case Of Unpatchable Vulnerabilities
Interesting way to fight attacks - Teaming Up To Take Down Threats
Georgia Tech Releases Cyber Threats Forecast for 2012
Researchers Outline Hurdles for Mobile Security

Introducing Jim Broome

Posted by Dan Kuykendall
on November 8, 2011

We caught a big one!
I’m proud to announce that my buddy Jim Broome has joined the NT OBJECTives team and will be a contributing to the blog and podcast.

Jim Broome, CISSP
Jim, an information security veteran with two decades of experience in the security industry, is joining as VP of Security Services. Jim’s role is to provide world-class SaaS based web security services through NTOSpider On-Demand while also providing leadership to the NTOLabs research and consulting teams.

Experience
Practice Manager – Accuvant LABS – Accuvant, Inc.
As one of Accuvant’s most seasoned security assessors, Mr. Broome performed innumerable consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments, penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients came from a variety of markets, including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Principal Security Consultant – ISS X-Force

Prior to joining Accuvant, Jim was a principal security consultant for Internet Security Systems (ISS) and a member of the X-Force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western region consulting practice while performing his day-to-day duties of network assessments and penetration testing.

Directory of Network and Security Operations – Cavion.com

Before X-Force, he was the director of network operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

Surviving the Week – 09/30/2011

Posted by Dan Kuykendall
on September 30, 2011

The hacks are continuing to take place on more and more critical sites.

Mysql.com hacked, serving malware – These type of hacks against critical open source project websites/servers are a problem that few projects are equipped to deal with.
Scanning Applications Faster – A Chicken vs. Egg Problem – I have to agree with Rafal Los on this one. I think too many think shorter scan times are critical, but I think we should be focused on quality results.
Does Facebook keep tracking users after they have logged out? – Uh… YES, along with countless other websites. None-the-less its good that people are starting to be presented with details about this kind of thing.
Defending Against The ‘Apache Killer’ Exploit - I appreciate te quick response from the Snort community and Sourcefire to help protect against these attacks at the low level.
Bluetooth vulnerabilities becoming easier to exploit – As a long time fan of The Car Whisperer, its fun to see more Bluetooth hacking taking place.

Surviving the Week – 09/23/2011

Posted by Dan Kuykendall
on September 23, 2011

Sorry for the missing posts the last couple of weeks, I need to figure out how to manage these weekly posts during travel periods. So this week will include a couple items from the missing weeks.

The crack heard around the world… Researchers crack SSL encryption
Operation Shadeyrat: Over 70 prominent organizations were attacked in an operation called ShadyRAT.
Embarrassing loss of control for NBC News Twitter account
Web App Attacks Rise, Disclosed Bugs Decline
WAF/IPS news:
- Whither the WAF: (subscribers only) If you can get your hands on this report from Wendy Nather its a very good read about the possible future of the WAF market and assimilation from IPS and Firewall players.
- Trustwave starts pushing the benefits of their corporate sponsorship of ModSecurity.
Managing The Risk Of Flaws In Third-Party Software: A great reminder of the risks of using 3rd party code. Not to say that it must be avoided, but always be aware. These examples dont even touch on 3rd party binaries (like dll’s or static .lib’s) which also avoid any testing by source code analysis tools.
Not new, but Joe McCray posted the slides from his talks. Hes awesome in person, but even the slides are informative, including his APT Presentation.

Surviving the Week – 09/02/2011

Posted by Dan Kuykendall
on September 2, 2011

Welcome to “Surviving the Week”!

Each week I will be collecting the top news/stories/articles/blog_posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully will be of interest to my readers. Great replacement for Jeremiah’s defunct “Best of Application Security” series.

Google SSL Cert Compromise: Info and fallout details here, here, here, here and here.
Kernel.org Hacked – Geek community attacks itself, <sarcasm>Real nice<sarcasm>.
This week on Celebrity Deathmatch: Battle of CSO’s
Oracle CSO Mary Ann Davidson vs Veracode CSO Chris Wysopal
WAF != Firewall – Yes, that’s right. I’m self promoting, deal with it.
Most security pros don’t think a breach will happen to them – Title says it all… oh, and the security pros are wrong.
The Good, Bad, and Ugly of Technology Acquisitions – Amrit Williams explains his thoughts and experiences from his time during the IBM acquisition of BixFix.
Sometimes Input MUST be validated Client-Side: o_O – After watching Matt Johansen‘s Hacking Google Chrome talk at B-Sides LA, I think this is a very serious issue to be watching in the months/years ahead.
DDos attack using Google Plus Servers – Nothing earth shattering here, but props on the clever attack.
Kevin Mitnick on Colbert Report – I know this is 2 weeks old, but very cool to have a “hacker” as a guest on Colbert.

Man Vs WebApp

Web Application Security Blog and Podcast

Category Archives: Surviving The Week