Friday, April 25, 2008

Spliced feed for Security Bloggers Network

Killing Security, Piece by Piece [The Falcon's View]

Posted: 25 Apr 2008 10:13 AM CDT

Ok, not really, but it's kind of a catchy headline, right? For anyone that caught the RSA Conference (either live or in archive), then you probably picked up on the theme that I've been riding for a few months now:...

IT Hot Topics Conference, May 15th and 16th Greensboro, NC [StillSecure, After All These Years]

Posted: 25 Apr 2008 08:01 AM CDT

Just a quick note on some recent events I will be attending. I am really psyched to be moderating a panel on NAC (does that mean I can give all of the panel a hard time?) at the IT Hot Topics Conference 2008 at Grandover Resorts & Conference Center, in Greensboro, NC. I also get a chance to play golf on a great course, the afternoon of the 16th! You can read more about the conference and some of the other guests and tracks on Jennifer (JJ) Jabbusch's blog here.

Also, I am at the Intrusion World Conference & Expo May 14th at the Baltimore Convention Center. I am speaking on a number of topics. You can check out the site for details.

If you are attending either of these, stop by and say hello!

Lessons from “Don’t copy that floppy” ’90s Video Still Relevant [BlogInfoSec.com]

Posted: 25 Apr 2008 06:00 AM CDT

How many people remember the name of a short movie from 1992 that was supposed to fight software piracy, called "Don't copy that floppy"? For those that do, the bad music, rhymes and situations have probably scarred us for life. Interestingly, there is a new message that one can take away from this video. It is not about the violations surrounding copyright infringement, but more about the risk associated with using our latest incarnation of Sneaker-Net 2.0: the USB thumb drive.

We have all paid attention to the news regarding the risks of USB thumb drives allowing employees to walk out with information, and there are tools and tricks for mitigating those risks. But the one we have yet to resolve is USB storage devices that come from the manufacturer with live and active malware ready to infect your core. Don't believe me? Well, hopefully you have heard about the recent issue with Hewlett Packard sending its customer base infected USB thumb drives. No, these were not promotional marketing schwag; they were intended for use with HP's line of servers. ComputerWorld said, "A security analyst with the SANS Institute’s Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. 'I think it’s naive to assume that these are not targeted attacks,' …" Doesn’t this sound like the implantation of the malware was an intentional act?

What about those pesky picture frames that showed up at Best Buy stores preconfigured to infect your machines? Fortunately, Best Buy owned up to the problem and recalled the picture frames, but not without gaining a bit of bad press for being reluctant about doing so. Now, stepping back for a minute: how many other incidents have we had where a USB device has been discovered out of the box and primed for infection? I'm counting news releases and articles that extend back almost a year by now. It's interesting that these are finding their way into consumers' hands and equipment, both residential and business.

So, jumping back to the message that "Don't copy that floppy" was originally trying to convey, there's a new risk for users if they want to copy anything these days. Those fresh, new, mint-condition USB-enabled devices are going to backdoor your system even if they do come from a trusted source. Or, alternatively, if you find one lying on the side of the road, in the company parking lot, or in the bathroom, there may be a bigger scheme at hand. What about all those USB giveaways that you get at conferences or in the mail? Yup, they're not immune to being contaminated either, and it will be particularly ironic when an antivirus company hands you a USB device that's infected! But enough about the drives; what about those other devices that have storage on them, like our phones, printers, and Ethernet devices? How long is it going to be until you buy your brand new, top of the line trendy phone, only to have it deliver a new Trojan right onto your machine?

That's just a small part of the problem: vendors not doing a good QA check of products before they leave the door. But what can be done for the consumer in all of this? Obviously, you should not trust a device just because it's new and still shrink wrapped. Before using the device with your workstation, format it first, preferably with a low-level format if you know how. Finally, if you come across a device that is infected out of the box, write about it! Be a fellow netizen and alert us to your concerns and findings if you stumble across one of these devices.

Some additional resources:

Don't Copy that Floppy : http://en.wikipedia.org/wiki/Don't_Copy_That_Floppy

HP admits to selling infected flash floppy drives : http://www.computerworld.com.au/index.php/id;314715708

Best Buy sold infected digital picture frames : http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058638

Best Buy recalled infected picture frames : http://www.securityfocus.com/brief/670

Social Engineering, the USB Way : http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

Hackers debut malware loaded USB ruse : http://www.theregister.co.uk/2007/04/25/usb_malware/

Spear Phishing with Better Business Bureau complaints [StillSecure, After All These Years]

Posted: 25 Apr 2008 12:04 AM CDT

I received the following email yesterday purporting to be from the BBB. It looked phishy to me, so of course I did not click the link and did a little investigating. However, I could see how someone would be fooled on this one, thinking someone filed a bogus complaint against them. Almost as good as the subpoena story I heard from a customer last week. Beware of stuff like this!

BBB CASE #841246605

Complaint filed by: Brian Williams
Complaint filed against:
Business Name: StillSecure
Contact: Alan Shimel
BBB Member: YES
Complaint status: -
Category: Contract Issues
Case opened date: 4/20/2008
Case closed date: -

Download a copy of this complaint so you can print it for your records (DON'T CLICK THIS)
On February 23 2008, the consumer provided the following information: (The consumer indicated he/she DID NOT received any response from the business.)
The form you used to register this complaint is designed to improve public access to the Better Business Bureau of Consumer Protection Consumer Response Center, and is voluntary. Through this form, consumers may electronically register a complaint with the BBB.Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. That number is 246-967.
© 2008 US.BBB.org, All Rights Reserved.

Hurry Up and Wait [BumpInTheWire.com]

Posted: 24 Apr 2008 10:39 PM CDT

It is really quite comical how things work out.  Today we had a “mini” disaster recovery test for our mainframe.  Like most things, every DR test comes with a couple of meetings prior to the actual work being done.  The part I’m involved in is really pretty simple and only involves ensuring a VPN tunnel to the recovery site comes up.  The simple part is the config for this VPN was created back in 2005 and our end has not changed since.  Every test comes with the same sense of importance stressed on this VPN creating successfully.  I get asked several times if somebody will be available at the time the test starts to ensure the VPN comes up.  I give the same bullshit answer every time…”Of course, if I’m not here El Sidekick is here at 6:00 AM every day so he will be here.”  I give the same answer because I know that if the test is scheduled to start at 8:00 AM they won’t be to a point where they need the VPN until 2 hours later at the earliest. 

Today was no different.  The test was scheduled to start at 8:00 AM.  Shortly after 2:00 PM they were at a point where they needed the VPN.  The VPN was up at 8:15 and sat idle for 6 hours.  The tardiness of the VPN creation wasn’t even an issue on our end.  For the third test in a row the DR site clowns didn’t put a default gateway on their config.  Silly clowns.

This has been a crazy busy week.  The stars must have been aligned this week to cause me to be this busy.  I think I’m going to reward myself by taking Friday afternoon off.  If I can’t blow it out on a Friday when the hell can I blow it out?

The Day I met Bruce Schneier at InfoSecurity Europe ‘08 [IT Security Expert]

Posted: 24 Apr 2008 08:14 PM CDT

No matter the profession or walk of life we are in, we all have our heroes and mentors; for some it is the likes of Einstein, Winston Churchill, Lance Armstrong, Tiger Woods or Richard Branson, for others it's Elvis or Amy Winehouse. For me it's Bruce Schneier, who first made a name for himself as a predominant cryptography expert in the 1960s and in recent times has evolved into a fresh and forward thinking security guru. Sure, this proves that I'm a geek, but those who have ever read any of Schneier's recent books or blog entries, or heard him speak, will understand where I'm coming from.

I can't say I agree with absolutely everything Bruce says, but what grabs me is his unique approach, perspective and understanding of security and the information security industry. Bruce takes a large step back, then cuts out all the politics, security company marketing and associated sales hype, at which point you are left with the bare bones and the questions on what security is really supposed to be about. Which is: what do you want to protect, what are the risks, how will the security solution mitigate those risks, what risks does the security solution introduce, and finally what are the costs, inconvenience and trade-offs around the security solution to mitigate the original risk.

As a security professional you have to be careful not to fall into the trap of tunnel vision in chasing perfect security and zero risk, because there is simply no such thing as perfect security and zero risk! Then the other side of this coin is to ensure the security is appropriate for the risk, making sure the security cost and trade-offs are viable against mitigating the actual risk of attack. Let me take a "real world" UK example; I'm sure someone might have raised this one, but in order to reduce the risk of another London Underground bombing, we could impose a security countermeasure of searching all passengers and their bags prior to them entering the system, like we do at airports. It might reduce the risk of attack, but when thinking about the trade-offs, which are huge passenger inconvenience and high costs in employing extra staff to carry out all the searches, does this make it a worthwhile security solution in relation to the risk? The rational answer is clearly no, as it's just not viable, and so we continue to accept this risk of terrorist attack. OK, let's say we went with that security solution; at the end of the day, there still would be a risk of terrorist attack on the London Underground, and the only real way to completely mitigate that is to completely shut down the underground system!
With business IT security the same approach should apply. Sure, there are areas of law and industry compliance which must always be followed, but when dealing with security problems outside these areas, I always try to emulate that great Schneier vision: take that step back, making sure the business trade-offs and costs are balanced against the attack risk. It's not always that easy; the real difficulty is in quantifying elements, especially the attack risk. Fortunately for me, I utilise some of my own methods and practices which I have built up over the years to mitigate typical business risks, while causing minimal security trade-offs and cost.

Anyway, yesterday I attended InfoSecurity Europe, and I was chuffed to pieces, as not only did I get to listen to Bruce Schneier talk about the Security Industry, but I got to briefly meet him and I got a signed copy of his latest book, Beyond Fear. Which is a must read not only for Security Professionals, but for anyone in general who wants to understand what security is about without knowing any of the technical jargon. I also recommend signing up to Crypto-Gram Newsletter run by Bruce at http://schneier.com/.

After the doors shut at InfoSecurity, (ISC)2 EMEA held an event which I attended. From my perspective as a CISSP member, I have to say EMEA (ISC)2 is progressing well under the leadership of John Colley; the event itself is evidence of this. Amongst the (ISC)2 bigwigs at this event was former White House Cyber Security Advisor and (ISC)2 Security Strategist Prof. Howard A. Schmidt, who was also a keynote speaker at InfoSecurity Europe, again another guy who I can listen to all day. http://www.isc2.org/

Finally I met several guys from the UK Chapter of ISSA (Information Systems Security Association); I promised that I would sign up and get involved after learning that they were planning more events in northern England. http://www.issa-uk.org/

Great article about malicious software [The Security Mentor]

Posted: 24 Apr 2008 08:02 PM CDT

Ars Technica explains malicious software.

This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.

It's almost completely nontechnical.

Automatic Patch-Based Exploit Generation [Observations of a digitally enlightened mind]

Posted: 24 Apr 2008 06:19 PM CDT


Security Focus has an article describing a system for reverse engineering Microsoft patches to determine deltas between binaries and automagically develop exploit code within seconds (here).

The technique, which the researchers refer to as automatic patch-based exploit generation (APEG), can create attack code for most major types of vulnerabilities in minutes by automating the analysis of a patch designed to fix the flaws, the researchers stated in a paper released last week. If Microsoft does not change the way its patches are distributed to customers, attackers could create a system to attack the flaws in unpatched systems minutes after an update is released by the software giant, said David Brumley, a PhD candidate in computer science at Carnegie Mellon University.

Honestly, I am surprised someone hadn't already developed such a system; you would think the folks at Bluelane would have one running in their lab. Anyway, there is little doubt that the time to protect against dynamic threats is decreasing and minutes matter. However, the reality is that most organizations can barely patch within 3-6 weeks using their crappy version of SMS/SCCM, so really what's the difference between seconds, minutes, hours, days or weeks? And how should an organization deal with what we already knew were dramatically shorter times to protect?

Well, the first thing to note is that the old scan-and-patch model is broken (here). That's not to say that patch management isn't important - it is critical! However, the immediate response to exploit code in the wild may not always be to distribute a patch, but to shield against the threat by mitigating the vulnerable condition. Essentially the response should be to shield first and then remove the root cause, which in most cases becomes: shield the environment, then patch, upgrade or remove the vulnerability or exposure.

Scan and patch = ineffective

Define policy, audit against policy, enforce policy + shield against emerging threats, then eliminate root cause = effective

So how does an organization shield against attack? It must incorporate and coordinate all network- and host-based technologies as part of its vulnerability and threat management program. Of course this level of organizational command and control would require technologies, like BigFix (here), and processes that support rapid modification of environmental variables. But how is that different from delivering a patch quickly, you ask? Well, modifying a firewall, host- or network-based, to block ingress or egress traffic on a particular port is far easier and more timely than trying to deploy a patch, not to mention that rolling back the change requires far less effort and environmental disruption than other mitigating measures.

Cybercrime: Same Crimes, Different Days [securosis.com]

Posted: 24 Apr 2008 03:13 PM CDT

I was reading one of Alan’s posts over at StillSecure, based on the Lending Tree debacle. He starts with a bit I totally agree with:

This sort of stealing your competitors information has been going on for decades, well before computers and cybercrime were around. However, this is a great example of some things not going out of style. Obtaining your competitors information is a great motive, computers are just the container where the information is kept.

This is something I’ve been harping on for a while- the only new thing about cybercrime is the vector; nearly every crime we see has a corollary in the physical world. Why? Because we’ve been screwing each other over since before we were technically humans. We’ve been taking things that don’t belong to us since far before we had any concept of commerce or society. That’s tens of thousands, if not hundreds of thousands, of years of criminal refinement. Nigerian 419 scam? It’s the Spanish Prisoner. DoS? It’s sabotage or a protection racket. You name the cybercrime, and I can name the crime.

Now how does this practically apply to how security professionals do their job?

Focus on the crime, not the tech. When you’re piecing together your defenses, monitoring for incidents, or cleaning up a mess always remember that someone attacked for a reason. If they didn’t steal something, hijack an asset for their own use, trespass for the fun of it, or vandalize/break something, keep looking. Odds are you still haven’t figured out why they are there, and what the real target is, and your day ain’t over yet.

A person changes. People don’t.

NJ Supreme Court Defends Internet Privacy [The Security Catalyst]

Posted: 24 Apr 2008 02:57 PM CDT

The Supreme Court of New Jersey has ruled that people have an expectation of privacy when they are online, and law enforcement officials need a grand jury warrant to have access to their private information. While the ruling only affects New Jersey state law, the holding will take precedence over weaker federal court decisions that hold there is no right to privacy on the internet.

The court ruled in the case of Shirley Reid of Lower Township, Cape May County, who was charged with second-degree computer theft for hacking into her employer’s computer system from her home computer. Township police obtained her identity from Comcast by using a municipal court subpoena. The Supreme Court held that law enforcement had the right to investigate her but should have used a grand jury subpoena.

The unanimous seven-member court held that police do have the right to seek a user’s private information when investigating a crime involving a computer, but must follow legal procedures. The court said authorities do not have to warn a suspect that they have a grand jury subpoena to obtain the information.

Writing for the court, Chief Justice Stuart Rabner said: “We now hold that citizens have a reasonable expectation of privacy protected by Article I … of the New Jersey Constitution, in the subscriber information they provide to Internet service providers — just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.”

The case has significant implications for how courts could possibly interpret online privacy in e-mails and other forms of electronic communication. Federal courts have been reluctant to offer stronger protections in defense of online privacy except when there is a clear violation by the government under complicated statutes like the Electronic Communications Privacy Act. This is the first ruling in the country that seeks to raise the bar on the privacy standards for online activities. It would help influence other state decisions and eventually could reach the Supreme Court.

5 Security Metrics That Matter [Observations of a digitally enlightened mind]

Posted: 24 Apr 2008 02:51 PM CDT


Security metrics, which I have posted on in the past (here), and (here), are almost as elusive as security ROI. But unlike the mystical pink unicorn that is security ROI, security metrics are real, tangible and meaningful. Why is it then that we have so much difficulty in defining metrics that are both simple in their implementation and significant in their impact on the organization? I believe much of this stems from two flaws in how most organizations approach information security.

The first problem is that, for the most part, security is a reactive, ad-hoc discipline, primarily focused on responding to an incident. This drives post-incident metrics such as how many virus outbreaks did we experience, or how many attacks did our IDS detect, or how much SPAM did our anti-spam thingie block. These might be useful in determining, well, those things above, but they are hardly telling of the effectiveness or efficiency of one’s IT security program.

The second problem is how an organization communicates between groups. Operations, audit & compliance, and security are examples of domains within an organization that use a very different language to communicate problem/resolutions.

Vulnerability assessment is a great example of the problem of cross-organizational communication. Security will look at vulnerability assessment data from the perspective of unique, distinct conditions; operations will look at the data with an eye towards what remediation must be done; and audit & compliance might be concerned with how the data is relevant to regulatory initiatives. Operationally these are all very different ways of describing environmental variables, and it is very difficult to satisfy each of these groups with a simple metric such as "how vulnerable are we?" (to what?) or "how many vulnerabilities exist in our environment?" (why does it matter?). Operations doesn't care how many unique, distinct vulnerabilities some VA scanner found - their charter is availability.

A common language that is driven by policy and used in terms of the business is critical to ensuring cross-organizational communication. Ideally we would be able to draft metrics that address effectiveness and efficiency: how effective is our IT security and operations program, and how efficient are we in detecting and remediating change. Most of this would require a move towards a policy-driven approach and SLAs to monitor adherence to plan, which we will look at in a future post. I did want to take a minute and list some metrics that every organization must be able to address today, because if you cannot answer these basic questions about your environment with any degree of accuracy, then all the metrics we come up with will fall short.

1. How many computing devices are actively connected to my network right now and how many of these do we actually own?

2. Of these how many do we actively manage (have full visibility into and command and control of)?

3. What percentage of these are compliant with basic security policies, including…?
a. Endpoint security is up to date and configured in compliance with corporate policy (Anti Virus, Anti Spyware, Personal Firewall, HIPS, Encryption, et al)
b. Systems are configured against a security baseline as defined by NIST, NSA, DISA, CIS, etc…
c. Systems are patched to corporate standards

4. How effective is our change management process, and how quickly can we effect change in the environment? For example, once a decision has been made to change some environmental variable (modify PFW settings, a configuration change to the device itself, an update to dat files, reconfigured HIPS/PFW settings, etc.), what percentage of the environment can we verify conforms to these changes within a 24 hour period?

5. What audit mechanisms are in place to detect changes to a corporate COE (common operating environment), how often do we monitor for non-compliance, what is the process for remediating non-compliant devices, and how long does it take from detection to remediation?

If your organization can repeatably and verifiably answer these 5 questions, you are well on your way to metrics nirvana.
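The five questions above, computed over a constructed device inventory. This is an added example, not code from the original post; the record layout, the one-hour "active" window and the 24-hour change-verification window are assumptions.

```python
"""Answering the post's five inventory/compliance questions from a device
inventory.  Added example; the inventory and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    hostname: str
    owned: bool                 # corporate asset, as opposed to guest/unknown
    managed: bool               # agent reporting in and under command and control
    av_current: bool            # endpoint security up to date (Q3a)
    baseline_ok: bool           # configured against the security baseline (Q3b)
    patch_current: bool         # patched to corporate standard (Q3c)
    change_verified_at: Optional[datetime]   # when the agent confirmed the last pushed change
    last_seen: datetime         # last time the device was observed on the network


NOW = datetime(2008, 4, 24, 9, 0)                 # constructed reference time
CHANGE_PUSHED_AT = datetime(2008, 4, 23, 8, 0)    # constructed: a PFW setting was pushed here

# Constructed inventory: six records covering owned/unowned, managed/unmanaged,
# compliant/non-compliant, on-time/late/no change verification, and one stale host.
SAMPLE_DEVICES: List[Device] = [
    Device("ws01", True, True, True, True, True, CHANGE_PUSHED_AT + timedelta(hours=2), NOW - timedelta(minutes=5)),
    Device("ws02", True, True, False, True, True, CHANGE_PUSHED_AT + timedelta(hours=30), NOW - timedelta(minutes=10)),
    Device("srv01", True, True, True, True, True, None, NOW - timedelta(minutes=1)),
    Device("guest-laptop", False, False, False, False, False, None, NOW - timedelta(minutes=2)),
    Device("ws03", True, False, True, False, False, None, NOW - timedelta(minutes=3)),
    Device("ws04", True, True, True, True, True, CHANGE_PUSHED_AT + timedelta(hours=1), NOW - timedelta(days=3)),
]

# Constructed detection -> remediation pairs for Q5 (non-compliant devices found by audit).
SAMPLE_REMEDIATIONS: List[Tuple[datetime, datetime]] = [
    (datetime(2008, 4, 21, 9, 0), datetime(2008, 4, 21, 15, 0)),   # 6 h
    (datetime(2008, 4, 22, 9, 0), datetime(2008, 4, 23, 9, 0)),    # 24 h
]


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def active_devices(devices: List[Device], now: datetime, window=timedelta(hours=1)) -> List[Device]:
    """Q1: devices observed on the network within the last hour."""
    return [d for d in devices if now - d.last_seen <= window]


def compute_metrics(devices: List[Device], now: datetime, change_pushed_at: datetime) -> Dict[str, object]:
    """Q1-Q4 as counts and percentages; unknown devices are active but not owned."""
    active = active_devices(devices, now)
    owned = [d for d in active if d.owned]
    managed = [d for d in owned if d.managed]                                   # Q2
    compliant = {d.hostname for d in managed if d.av_current and d.baseline_ok and d.patch_current}  # Q3
    deadline = change_pushed_at + timedelta(hours=24)                           # Q4 window
    conformed = [d for d in managed
                 if d.change_verified_at is not None and change_pushed_at <= d.change_verified_at <= deadline]
    return {
        "active": len(active),
        "owned": len(owned),
        "unknown": len(active) - len(owned),
        "managed": len(managed),
        "managed_pct_of_owned": pct(len(managed), len(owned)),
        "compliant_pct_of_managed": pct(len(compliant), len(managed)),
        "change_conformance_pct_24h": pct(len(conformed), len(managed)),
        "noncompliant_hosts": sorted(d.hostname for d in managed if d.hostname not in compliant),
    }


def mean_remediation_hours(events: List[Tuple[datetime, datetime]]) -> float:
    """Q5: average hours from detection of a non-compliant device to its remediation."""
    if not events:
        return 0.0
    total = sum((fixed - found).total_seconds() for found, fixed in events)
    return round(total / 3600.0 / len(events), 1)


def report() -> Dict[str, object]:
    """Run the metrics over the constructed inventory."""
    metrics = compute_metrics(SAMPLE_DEVICES, NOW, CHANGE_PUSHED_AT)
    metrics["mean_remediation_hours"] = mean_remediation_hours(SAMPLE_REMEDIATIONS)
    return metrics


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```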

ahh, New York in the Spring [Trey Ford - Security Spin Control]

Posted: 24 Apr 2008 02:26 PM CDT

IT IS A BEAUTIFUL DAY IN NEW YORK, and I’m taking a long lunch to post on something NON-WORK related. I’m sitting in Bryant Park in downtown Manhattan, somewhere around 40th or 41st and 6th Ave. It’s gotta be 80 degrees Fahrenheit, I can’t see a cloud anywhere, and the there are people [...]

Searching Google’s Channel Strategy [Alert Logic]

Posted: 24 Apr 2008 01:50 PM CDT

In my last post, I alluded to my disappointment in Google's lack of a good message around security at RSA this year. And at the Venture Tech Network (VTN) Invitational in New Orleans last February, they had a breakout session for VTN members "by invitation only". Ooh, how top secret of you, Google! You do [...]

Network Computing Rolling Review: BigFix Enterprise Suite [Observations of a digitally enlightened mind]

Posted: 24 Apr 2008 01:27 PM CDT


Latest Network Computing rolling review of patch management products, this one focused on BigFix Enterprise Suite (here).

BigFix is unique in our testing thus far in that its core patching functionality is an integrated part of a larger framework focused on all aspects of endpoint security and management. This framework, the BigFix Enterprise Suite, can include IT policy management and BigFix’s own antivirus product as well as the patching functionality tested. Not surprisingly, that makes for a more complex user interface than we’ve seen in pure patch management products. It took us some time to get a handle on BigFix’s modus operandi, but once we did, we found the interface and operations fairly straightforward.

Mitigating DoS with Employee Monitoring. What. [un-excogitate.org]

Posted: 24 Apr 2008 12:45 PM CDT

This article over on Computerworld Australia seems to have a couple of conflicting items that have been bugging me since I read it the other day. The article begins by mentioning potential changes to federal government legislation:

The changes will give employers power to intercept all Internet-based communications without consent, including e-mails and instant message (IM) discussions.

It's at this point that all of sudden we go on a massive tangent, whereby the Attorney-General is saying that these legislative changes are a counter-terrorism measure, and that these changes could prevent breaches occurring:

…similar to the Estonian Denial of Service (DoS) attacks in which a 19 year-old hacker disabled the Web sites of banks, schools and the Prime Minister’s office.

Hopefully someone out there can explain to me exactly how giving employers monitoring rights over their employees is a control against denial of service attacks? Or even better, how exactly a denial of service attack equates to a breach? Especially after they’ve done such a good job of defining what an Information Security Breach is in the “Draft Voluntary Information Security Breach Notification Guide”.

An information security breach occurs when personal information is exposed to unauthorised access, use, disclosure or modification as a result of a breach of an agency’s or organisation’s information security.

The only saving grace in the article was the comment from Nick Elsmore from SIFT where he states that these new laws will have minimal impact on businesses due to most enterprises having provisions for Internet monitoring within employee contracts. My experience in a few different enterprises has proven this to be the case.

SC Magazine article on clarification of PCI requirements [StillSecure, After All These Years]

Posted: 24 Apr 2008 12:24 PM CDT

Martin and a bunch of others have written about the recent clarifications around section 6.6 and 11.3 of the PCI DSS. Jim Carr over at SC Magazine ran an article on it today that he interviewed me for. While I am not the PCI expert Martin is, I was happy to contribute my 2 cents (ain't I always).

Anyway, sounds to me like these new clarifications are going to wind up with a lot of web application firewalls being sold.  Here at StillSecure we are thinking about some ways to take those to the next level as well. Hopefully we can announce something soon on this.  Overall, just another indication that right or wrong, compliance is driving a lot of the spending in security today.

April Security “Incidents” Worth Noting [Observations of a digitally enlightened mind]

Posted: 24 Apr 2008 09:51 AM CDT


1. Although not an incident, the DNS redirect identified by Kaminsky (here) is the perfect storm of stupidity and greed on the part of ISPs, resulting in bad mojo for the rest of us.

At issue is a growing trend in which ISPs subvert the Domain Name System, or DNS, which translates website names into numeric addresses.

When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there’s no such listing and a simple error message should be displayed…

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site…

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker’s site, and it would look as though they were on a real PayPal page.

2. Mass SQL injections identified by F-Secure (here)

F-Secure estimates 510,000 affected pages. You may be thinking "so why is this newsworthy?" Mass events are worthy for two reasons: 1. they do not receive much press lately, and that has a negative impact on executives' understanding of the threat - they have a security incident memory half-life of 6 months before they decide to stop funding security projects; and 2. this exploit coupled with another could result in mass damage.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it’s crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.
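The two halves of the F-Secure write-up, shown as an added example that is not from the post or from F-Secure: the querystring-to-SQL concatenation the attackers looked for beside its parameterized form, and a clean-up scan that walks every text column of the database (as the injection itself does) to find the planted script tags. The schema, rows and domain are constructed stand-ins (sqlite3 instead of the MSSQL back-end).

```python
import re
import sqlite3

# Constructed stand-in for the ASP/MSSQL site in the post: an in-memory sqlite3
# database with one injected script tag per table; the domain is a placeholder.
INJECTED_TAG = '<script src="http://malicious.example.invalid/1.js"></script>'
SCRIPT_RE = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
    """)
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", "Hello world"),
                      (2, "Specials", "Weekly deals" + INJECTED_TAG)])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Widget" + INJECTED_TAG, 9.99), (2, "Gadget", 19.99)])
    return conn

def get_article_vulnerable(conn, article_id):
    # The pattern the attackers hunted for: a querystring value pasted into SQL.
    return conn.execute("SELECT id, title FROM articles WHERE id = "
                        + article_id).fetchall()

def get_article_safe(conn, article_id):
    # Check the type the parameter must have, then bind it: the value travels
    # as data and is never parsed as SQL.
    if not article_id.isdigit():
        raise ValueError("article id must be numeric")
    return conn.execute("SELECT id, title FROM articles WHERE id = ?",
                        (int(article_id),)).fetchall()

def scan_text_columns(conn):
    # Walk every text column of every table (the catalogue walk the injection
    # itself performs, used here for clean-up) and report tampered rows.
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info({table})")
                if c[2].upper() == "TEXT"]
        for col in cols:  # identifiers come from the catalogue, not from users
            for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
                if value and SCRIPT_RE.search(value):
                    hits.append((table, col, rowid))
    return hits
```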

So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. There’s a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible, but that could change. So if you’re a firewall administrator we recommend that you block access to them.

3. Targeted malware laden subpoena (here)

This is newsworthy because it was highly targeted at a user population that traditionally subverts security controls based on their role in the organization - the CEO - because it was so legitimate-looking (no spelling errors, good logos), and because it spoke to a basic human desire not to get sued. It is also an example of yet another piece of malware that most of the AV companies didn’t have signatures to detect and clean until after the infections began.

We’ve gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem: it’s totally bogus. It’s a “click-the-link-for-malware” typical spammer stunt. So, first and foremost, don’t click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It’s very highly targeted that way.

TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside. There is good AV coverage of this right now, it looks like. The malware then creates a Browser Helper Object (BHO) at %WINDIR%\system32\acrobat.dll and opens a hidden IE window to communicate with the command and control server. The BHO will also steal any certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time. (Thanks to Matt Richard of Verisign for the info).
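A BHO registers a CLSID under the Browser Helper Objects key and points that CLSID's InprocServer32 value at its DLL, so the indicator above can be checked offline from a registry export. The following is an added example, not code from the post or from ISC: it parses a constructed `reg export` text (placeholder GUIDs, a made-up clean BHO alongside the indicator) and flags any BHO whose server DLL is acrobat.dll under system32.

```python
# Constructed sample: text of a `reg export` of the Browser Helper Objects key
# and the InprocServer32 keys of two CLSIDs (placeholder GUIDs); real exports
# are UTF-16, this plain-text stand-in keeps the same layout.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\acrobat.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def unescape_sz(data):
    # REG_SZ data in a .reg file is quoted, with backslashes doubled
    return data.strip('"').replace("\\\\", "\\")

def find_suspicious_bhos(text, dll_name="acrobat.dll"):
    """Map each registered BHO to its COM server DLL and flag the post's
    indicator: that DLL name living under %WINDIR%\\system32."""
    keys = parse_reg_export(text)
    hits = []
    for key in keys:
        if "\\Explorer\\Browser Helper Objects\\" not in key:
            continue
        clsid = key.rsplit("\\", 1)[1]
        server = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32", {})
        path = unescape_sz(server.get("@", ""))
        folder, _, name = path.rpartition("\\")
        if name.lower() == dll_name and folder.lower().endswith("\\system32"):
            hits.append((clsid, path))
    return hits
```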

There were other incidents, as there are every week, but these are worth understanding better as part of an organization's overall security initiatives. Of course, as bad as it is in cyberspace, we can take comfort in the fact that it will never get this bad…

Lynchings in Congo as penis theft panic hits capital (here)

KINSHASA (Reuters) - Police in Congo have arrested 13 suspected sorcerers accused of using black magic to steal or shrink men’s penises after a wave of panic and attempted lynchings triggered by the alleged witchcraft.

HITB Dubai 2008 [GNUCITIZEN]

Posted: 24 Apr 2008 09:23 AM CDT

The Hack in the Box (HITB) conference that took place in Dubai was, all in all, great fun. I would like to personally thank Dhillon, Belinda, Amy and everybody else from the HITB crew for making this event possible and making sure that everybody had a good time. The devil is in the details, and this is what makes HITB the best conference in Asia and the Middle East region. I am anxiously looking forward to HITB KL.

HITB Dubai 2008

It is needless to say that we’ve made a lot of friends, talked to some of the best minds in the security world, and even had the chance to present ourselves. Adrian presented his talk on Cracking into Embedded Devices for the first time. You can check his slides over here. I repeated my Client-side hacking talk from Black Hat Europe 2008 but with a few modifications. You can check the slides from here. The actual paper can be downloaded from here.

Again, the event was great. The amount of effort the HITB crew put into the preparation was evident all the way till the end. We highly recommend attending any of the following HITB events, as they are very much worth it.

But The Earth Remains Forever... [The Falcon's View]

Posted: 24 Apr 2008 09:06 AM CDT

I've pointed out numerous times the fallacious logic of the current carbon emissions crowd, that the planet is not about to die, just that humans may be impacted. Unfortunately, it's hard to get a word of rational logic heard over...

Top Ten Items from the Recent Breach at Hannaford Supermarkets [RSA Conference - Blog]

Posted: 24 Apr 2008 07:03 AM CDT

OAuth & ID-WSF Authz Models [RSA Conference - Blog]

Posted: 24 Apr 2008 06:25 AM CDT

The whys of igovt [RSA Conference - Blog]

Posted: 24 Apr 2008 06:18 AM CDT

I Support Barack Obama for President [Observations of a digitally enlightened mind]

Posted: 23 Apr 2008 10:15 PM CDT

<political commentary below - if you are not interested stop reading>

I generally try to avoid discussing politics, religion or operating system preference, as these issues tend to drive highly charged emotions. For the most part this is a security industry blog, but it is also a representation of my thoughts and feelings, and after thinking through the options I feel like supporting Barack Obama for President (here)

Prior to the 2004 Democratic Convention I wasn’t familiar with Senator Obama, but I was captivated as he gave the Keynote. I remember turning to some friends and saying “that guy is going to be President one day”; honestly, I barely remember who the Democrats were endorsing, but I will never forget Senator Obama’s speech.

Sitting on the sidelines and lamenting the loss of our freedoms, the loss of four thousand dedicated men and women of the US military, watching the collapse of the housing industry, record oil prices, and a looming economic disaster is no longer an option. As citizens of the United States we have the ultimate responsibility to do everything in our power to ensure the freedoms our founding fathers fought for, and every generation since has bled for, remain ours to pass on to our children.

This freedom starts with a voice, yours and mine. A single voice, a single vote combined with others to create the winds of change - regardless of your political beliefs, whether they be republican, democratic or somewhere in between, just remember that it is not only your right to vote, it is your responsibility.

Finally someone said it! [Security Balance]

Posted: 23 Apr 2008 05:51 PM CDT

I was extremely happy to read this post from Richard Mogull, where he says:

“Data Classification Is Dead

I know what's running through your head right now.

"WTF?!? Mogull's totally lost it. Isn't he that data/information-centric security dude?"

Yes I am (the info-centric guy, not the insane bit), and here's the thing:
The concept that you can run around, analyze, and tag your data throughout the enterprise, then keep it current through changing business contexts and requirements, is totally ridiculous. Sure, we have tools today that can scan our environment and, based on policies, tag files, but that just applies a static classification in a dynamic environment. I have yet to talk with a customer that really does enterprise-wide data classification successfully except for a few, discrete bits of data (like credit card numbers). Truth is that's data identification not data classification.

Enterprise content is just too volatile for static tags to really represent its value.”

A few years ago I was advocating the same thing during a discussion with some friends, where I was complaining about how pointless the current data classification policies and procedures are when we think about the current state of applications, data sharing and web 2.0 stuff. I just don’t believe that information classification can happen in a dynamic organization in the way that is taught in, let’s say, a CISSP prep class. We really need to think out of the box when dealing with the challenges of prioritizing security measures according to the value of information.

I’ll quote Richard again about data classification: “That, my friend, is not only dead, it was never really alive.”

Fuzzy Math: When 10 Points is Really 9 [The Falcon's View]

Posted: 23 Apr 2008 03:57 PM CDT

Well, her royal heinous (er, sorry, highness) has won the Pennsylvania race, and the mass media is tripping all over itself to make her the nomination, in spite of what the majority wants. Nevermind that Obama was 25+ points down...

Functional Cryptography the future? [Data Protection, Management and Leakage]

Posted: 23 Apr 2008 10:07 AM CDT

Interesting concept, this new research from UCLA called functional cryptography. Apparently the key is a function of people's "attributes" rather than their having the specific key itself - as far as I can understand. I would guess that defining these attributes might be tough... Seems like they are addressing key management, authentication and aspects of sharing keys without going for a full-blown PKI infrastructure...

Be interesting to find out more about this area.

However, one aspect of this did strike me as synergistic with my views of data-centric/information-centric security - the attributes and keys are held within the data itself and reside with the data...
