Web

Web related security entries. Anything that has to do with PHP/ASP/JSP, including Apache, IIS, Macromedia flash, etc.

Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

About the reported beSTORM “Vulnerability”

A few people asked me about the advisory posted on exploit db (Now also on SecurityFocus) that talks about a security vulnerability in beSTORM, which would be ironic since it’s a fairly simple vulnerability to find by fuzzing, and beSTORM is, after all, a fuzzer.

I always thought security holes in security products were especially funny. You expect security companies to know better, right? Well, as usual, it’s much less funny when it happens to you. Seeing reports about a vulnerability in beSTORM wasn’t amusing.

The thing is, the vulnerability is not in beSTORM, it is not remote, and on top of all – the exploit PoC does not work as advertised. Now comes the second irony: I’ve been on the management team of a security database for the past 14 years, and I’m sure more than one vendor cursed me to walk a mile in their shoes. Well, vendors: I am! Trying to explain to vulnerability databases that just because someone posted something doesn’t mean it’s true, is not easy. But you knew that already.

Now for the details:

The vulnerability described is a problem in WizGraphviz.dll, a graphic library that has been abandoned by its developer. It is not a part of beSTORM, and never was. You could, in early versions of beSTORM, install that DLL in order to view SVG files. beSTORM would have downloaded it on request. But it hasn’t been the case in a while now.

The vulnerability is also not remote. This ActiveX is marked not safe for scripting, which means you have to manually enable it to get the exploit code to run.

In other words, you need to download an ActiveX from the Internet, go into the settings to mark it safe for scripting (and ignore the huge warnings) and then you will be vulnerable to an ActiveX attack when visiting a rogue site. And all this is only true for an old version of beSTORM which is no longer available for download.

Life is full of ironies: This attack is simple enough that we could (should?) have found it by fuzzing this DLL ourselves. Hell, there’s a good chance the good guys that published this advisory did exactly that. For being lazy, we deserve the public flogging. But just to set the record straight, a security vulnerability it ain’t.

 

 

 

Quick way to find out if your account has been hacked?

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, An outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/

They are getting lots of press.

“If you don’t know, a website called ShouldIChangeMyPassword.com will
tell you. Just enter your email—they won’t store your address unless
you ask them to—and click the button that says, “Check it.” If your
email has been associated with any of a large and ever-growing list
of known password breaches, including the latest Yahoo hack, the
site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Stratetgic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.

Ad-Aware

I’ve used Ad-Aware in the past, and had it installed on my machine.  Today it popped up and told me it was out of date.  So, at their suggestion, I updated to the free version, which is now, apparently, called Ad-Aware Free Antivirus+.  It provides for real-time scanning, Web browsing protection, download protection, email protection, and other functions.  Including “superfast” antivirus scanning.  I installed it.

And almost immediately removed it from the machine.

First off, my machine bogged down to an unusable state.  The keyboard and mouse froze frequently, and many programs (including Ad-Aware) were unresponsive for much of the time.  Web browsing became ludicrous.

There are some settings in the application.  For my purposes (as a malware researcher) they were inadequate.  There is an “ignore” list, but I was completely unable to get the program to “ignore” my malware zoo, even after repeated efforts.  (The interface for that function is also bizarrely complex.)  However, I’m kind of a non-typical user.  However, the other options would be of little use to anyone.  For the most part they were of the “on or off” level, and provide almost no granularity.  That makes them simple to use, but useless.

I’ve never used Ad-Aware much, but it’s disappointing to see yet another relatively decent tool “improved” into non-utility.

The speed of “social” …

I made a posting on the blog.

Then I moved on to checking news, which I do via Twitter.  And, suddenly, there in my stream was a “tweet” that, fairly obviously, referred to my posting.  By someone I didn’t know, and had never heard of.  From Indonesia.

This blog now has an RSS feed.  Apparently a few people are following that feed.  And, seemingly, every time something gets posted here, it gets copied onto their blogs.

And, in at least one case, that post gets automatically (and programmatically) posted on Twitter.

I would never have known any of this, except that the posting I had made was in reference to something I had found via those stalwarts at the Annals of Improbable Research.  I had made reference to that fact in the first line.  The application used to generate the Twitter posting copies roughly the first hundred characters of the blog post, so the Improbable Research account (pretty much automatically) retweeted the programmed tweet of the blog posting that copied my original blog posting.  I follow Improbable Research on Twitter, so I got the retweet.

This set me to a little exploration.  I found, checking trackbacks, that every one of my postings was being copied to seven different blogs.  Blogs run by people of whom I’d never heard.  (Most of whom don’t seem to have any particular interest in infosec, which is rather odd.)

Well, this blog is public, and my postings are public, so I really can’t complain when the material goes public, even if in a rather larger way than I originally thought.  But it does underline the fact that, once posted on the Internet, it is very unsafe to assume that any information is confidential.  You can’t delete data once it has passed to machines beyond your control.

And it passes very, very fast.

The “Man in the Browser” attack

Gizmodo reports:

New “Man in the Browser” Attack Bypasses Banks’ Two-Factor Authentication Systems

Except there is nothing new about this attack. OWASP documented it in 2007 and it was widely known that malware writers used it to bypass 2-factor authentication.

More from Gizmodo:

Since this attack has shown that the two-factor system is no longer a viable defense, the banking industry may have to adopt more advanced fraud-detection methods

Given that this has been going on for more than 5 years, it’s obvious that banks already have adopted more advanced fraud detection methods.

So why are they forcing you to carry around tokens and one-time passwords that make it awkward and uncomfortable to use your own money as you wish?

Because with only few exceptions, banks’ security guys are not interested in making your life comfortable. The more you suffer, the more you think they are secure.

Maybe it’s time to ask for accountability? Which of their so-called security features is really for security, and which is for CYA or ‘make-the-regulator-happy’?

Forcing your users to write down their passwords

This sums up everything that is wrong with the “password policy” theme. From the t-mobile web site:

T-Mobile Password Policy

There is no way any reasonable person can choose a password that fits this policy AND can be remembered (note how they are telling you that you CANNOT use special characters. So users now have to bend according to the lowest common denominator of their bad back-end database routine and their bad password policy).

I’m sure some high-paid consultant convinced the T-MO CSO that stricter password policy is the answer to all their security problems. Reminds me of a story about an air-force security chief that claimed 25% increase in security by making mandatory password length 10 characters instead of 8, but I digress.

Yes, I know my habitat. No security executive ever got fired for making the user’s experience more difficult. All in the name of security. Except it’s both bad security and bad usability (which, incidentally, correlate more often than not, despite what lazy security ‘experts’ might let you believe.

I’ve ranted about this before.

“The next big cyber attack will be worse than 9/11”

Except it won’t be.

I’m assuming the reporter who quoted the statement in the title as coming from the Davos “Global Shapers” group was trying to make his own headline. Hey, that works (I even used it myself). But this is not the first time we’ve been warned about the Armageddon that is cyber terror, and it’s time somebody called bullshit on it.

Now don’t get me wrong, I’m not mother Teresa. I work in IT security, and have been known to scare people now and then with the “this is what might happen to you if you won’t fix your security”.  Most times I’d like to think I was calling it the way I saw it, but I’m sure more than once people that were listening to me thought I was exaggerating. And probably much more than once, I was. But this is not an “exaggeration”. It’s something totally different.

Have you been terrorized? I bet you have. You don’t have to know someone who was killed by a suicide bomber; it’s enough if you think back to when the school bully tried to take your lunch. That was terrifying. And terrorizing. You thought bodily harm will come to you, and this is why “terror” works so well: it’s scary.

Is ‘cyber terror’ really that scary? Well, lets compare. Many of us have been “victims” of cyber terror. You probably visited a web site that was defaced by political hacker wannabes. Were you terrorized?

We’ve all heard about the attacks in Estonia. That was the most effective cyberwar to date. But did anyone died? Lets compare it to the war (actual war) in Georgia. Again Russia clashing with a neighbor, but this time people died; lost their homes; forced to move their lives elsewhere. I’m sorry, but that’s not the equivalent of having to reformat your computer or losing facebook connectivity for 24 hours.

War is war: people die, suffer bodily harm, have their lives change. I’m not against the term “cyber-war” or “cyber-terror”, but can we put it in proportion please?

So no, the next ‘cyber war’ or ‘cyber terror’ attack won’t be worse like 9/11. It won’t be even mildly comparable to 9/11. Unless it kills thousands of people, in which case there will be nothing “cyber” about it.