Web

Web related security entries. Anything that has to do with PHP/ASP/JSP, including Apache, IIS, Macromedia flash, etc.

Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

About the reported beSTORM “Vulnerability”

A few people asked me about the advisory posted on exploit db (Now also on SecurityFocus) that talks about a security vulnerability in beSTORM, which would be ironic since it’s a fairly simple vulnerability to find by fuzzing, and beSTORM is, after all, a fuzzer.

I always thought security holes in security products were especially funny. You expect security companies to know better, right? Well, as usual, it’s much less funny when it happens to you. Seeing reports about a vulnerability in beSTORM wasn’t amusing.

The thing is, the vulnerability is not in beSTORM, it is not remote, and on top of all – the exploit PoC does not work as advertised. Now comes the second irony: I’ve been on the management team of a security database for the past 14 years, and I’m sure more than one vendor cursed me to walk a mile in their shoes. Well, vendors: I am! Trying to explain to vulnerability databases that just because someone posted something doesn’t mean it’s true, is not easy. But you knew that already.

Now for the details:

The vulnerability described is a problem in WizGraphviz.dll, a graphic library that has been abandoned by its developer. It is not a part of beSTORM, and never was. You could, in early versions of beSTORM, install that DLL in order to view SVG files. beSTORM would have downloaded it on request. But it hasn’t been the case in a while now.

The vulnerability is also not remote. This ActiveX is marked not safe for scripting, which means you have to manually enable it to get the exploit code to run.

In other words, you need to download an ActiveX from the Internet, go into the settings to mark it safe for scripting (and ignore the huge warnings) and then you will be vulnerable to an ActiveX attack when visiting a rogue site. And all this is only true for an old version of beSTORM which is no longer available for download.

Life is full of ironies: This attack is simple enough that we could (should?) have found it by fuzzing this DLL ourselves. Hell, there’s a good chance the good guys that published this advisory did exactly that. For being lazy, we deserve the public flogging. But just to set the record straight, a security vulnerability it ain’t.

 

 

 

Quick way to find out if your account has been hacked?

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, An outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/

They are getting lots of press.

“If you don’t know, a website called ShouldIChangeMyPassword.com will
tell you. Just enter your email—they won’t store your address unless
you ask them to—and click the button that says, “Check it.” If your
email has been associated with any of a large and ever-growing list
of known password breaches, including the latest Yahoo hack, the
site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Stratetgic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.

Ad-Aware

I’ve used Ad-Aware in the past, and had it installed on my machine.  Today it popped up and told me it was out of date.  So, at their suggestion, I updated to the free version, which is now, apparently, called Ad-Aware Free Antivirus+.  It provides for real-time scanning, Web browsing protection, download protection, email protection, and other functions.  Including “superfast” antivirus scanning.  I installed it.

And almost immediately removed it from the machine.

First off, my machine bogged down to an unusable state.  The keyboard and mouse froze frequently, and many programs (including Ad-Aware) were unresponsive for much of the time.  Web browsing became ludicrous.

There are some settings in the application.  For my purposes (as a malware researcher) they were inadequate.  There is an “ignore” list, but I was completely unable to get the program to “ignore” my malware zoo, even after repeated efforts.  (The interface for that function is also bizarrely complex.)  However, I’m kind of a non-typical user.  However, the other options would be of little use to anyone.  For the most part they were of the “on or off” level, and provide almost no granularity.  That makes them simple to use, but useless.

I’ve never used Ad-Aware much, but it’s disappointing to see yet another relatively decent tool “improved” into non-utility.