January 2007

Myspace phishing site discloses countless usernames and passwords

This just came in on FD, and well, I’d suggest that anyone reading this checks to make sure that no-one you know got fooled by this one.

The phishing site can be found at http://www.marcolano.com/login

All the usernames and passwords can be found here http://www.marcolano.com/login/myspace.txt

I’ve also submitted this to digg.com as it may help to get the world out there a bit more, if nothing else maybe the digg effect will take the site down before the law can. Here’s the link:

http://www.digg.com/security/Change_your_Myspace_passwords_now

Two infosec veterans weigh in on Full Disclosure

Marcus J Ranum (MJR) says (http://www2.csoonline.com/exclusives/column.html?CID=28072)

“After 10 years of full disclosure, security has not gotten any better”.

First off, how would we know what security would have been like without full disclosure? Perhaps it could have been said that security would have gotten exponentially (or even linearly) worse. In which case, statments like “security hasn’t gotten any better” and “the number of vulnerabilities is pretty much constant” would imply that full disclosure works? But, wait, that presupposes that only one factor contributes to the state of security – which is a logical fallacy as well. Hmmm, ok. I can’t draw any logical conclusions here. Let’s go to Bruce’s argument.

Bruce says: (http://www2.csoonline.com/exclusives/column.html?CID=280723)

“Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.

Bruce’s argument logically implies that with full disclosure we have a *potential* for better system security. Unfortunately, we can’t measure the rate at which these fixes actually get deployed and we can’t measure the rate at which crackers use publicly disclosed bugs to exploit unpatched systems. So, at the end of the day, I can’t say whether or not public disclosure actually helps the end user. I can say
that public disclosure at least creates a Potential ™ for better system security….and, that’s something.

A good portion of MJR’s article is devoted to the lambasting of security
researchers. Some quotes:

‘For longer than a decade, we’ve lived under the mob rule, where for some security consultants and companies, “marketing” has been replaced by “splashily announcing holes in commercial products to get 20 seconds of fame on CNN.” ‘

‘Now that we can look back at 10 years of what disclosure has brought us, it’s brought us…well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent “vulnerability researchers” attempt to cash in by finding new attacks that they can sell to security companies or spyware
manufacturers—whichever bids higher. Nothing much unless you count the massive amounts of “free” marketing exposure for companies that trade in exploits.’

‘The state of ethics in the computer security industry is pathetic; it’s on par with where medicine was in the 1820s—except that some of the snake-oil salesmen in the 1820s actually believed in their products.’

‘Those of you who are playing the disclosure game are just playing for your two minutes of fame: You’re not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn’t shouting “fire!” in a crowded theater so…um, ’90s? I know that the typical security customer is (to you) an unsophisticated rube, but
that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired “chief hacking officer” on CNN one more time. ‘

‘Unfortunately, if you look at the last 10 years of security, it’s a litany of “one step forward, one step back,” thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. ‘

I think I see a little bias creeping in here and perhaps even a bit of hypocrisy.
Marcus abhors the hacker/security-researcher type. I don’t know if he hates that they are getting attention that is undue, that they are making money off the attention, or that he isn’t getting the attention that he once did. At any rate, it’s getting damn old. The guy that shouts “fire” may very well be annoying. The guy that jumps up and down shouting “Hey, he’s shouting fire” is equally annoying.
In the past, MJR has been spot-on with his analysis. Now, his ‘analysis’ seems as much a PR-trolling rant as any of the mob that he is criticizing. And, let’s not forget that Marcus gets paid by a company that discloses holes in major products and perhaps benefits from the free ‘marketing’. I bet no one is inviting this motherfucker to the company barbecue 😉

Anonymous

Disclosure of the week (2): Excel opcode vuln

There are many ways how to disclose the vulnerabilities.

This is the Fortinet Security Research Team way:

1. Release FortiGuard Advisory FGA-2006-30 when MS07-002 is not yet public
2. Include Microsoft Security Bulletin 927198 and CVE-2006-3432 references, which no exist and are not accessible
3. Publish an advice to “apply the update provided by Microsoft”
4. Wait for MS January security updates
5. Ignore FGA-2006-30 and generate redirection to FGA-2007-01
6. Change Microsoft Security Bulletin reference to MS07-002 and CVE name to CVE-2007-028, with three digits in ‘0028’
7. Don’t release any revision history or information about new CVE name or about removed 2006-30 advisory
8. Wait if users will not notice your way to act

Update: According to Google’s cache e.g. this advisory was released.

Disclosure of the week (1): Opera 9.10

There are many ways how to disclose the vulnerabilities.

This is the Opera Software way:

1. Release new 9.10 version of the browser (Dec 18th ’06)
2. Don’t publish any information in the Security section of official changelog
3. Check if iDefense will release their related advisories
4. Release two knowledge base advisories
5. Update the changelog with no revision history or Last Updated date
6. Wait if users will not notice your way to act

Oracle started MS-style advance notification

Oracle has reported that it plans to release fixes for 52 security vulnerabilities on Tuesday 16th January. The notification is part of the new program to help database administrators.
Redmond guys has informed about the upcoming security bulletins since late 2004.

Oracle’s so-called Pre-Release Announcement is located at

oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html.

One of the interesting details is that

The highest CVSS base score of vulnerabilities across all products is 7.0.

[CVSS link added by the author]

Web Honeynet Project: announcement, exploit URLs this Wednesday

important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.

[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]

hello.

the newly formed web honeynet project from securiteam and the isotf will in the next few months announce research on real-world web server attacks which infect web servers with:
tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.

the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos to attackplatforms.

most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.

php (or scripting) shells, etc. have been known for a while, as well as file inclusion (or rfi) attacks, however, mostly as something secondary and not much (if any – save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves.

the bad guys currently exploit, create botnets and deface in a massive fashion and force isps and colos to combat an impossible situation where any (mainly) php application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.

what is new here is the scale, and the fact we now start engaging the bad guys on this front (which so far, they have been unchallenged on) – meaning aside for research, the web honeynet project will also release actionable data on offensive ip addresses, urls and on the tools themselves to be made availableto operational folks, so that they can mitigate the threat.

it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. several folks (andquite loudly – me) have been warning about this for a while, now it’s time to take action instead of talk. :)

note: below you can find sample statistics on some of the web honeynet project information for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.

the first research on the subject (after looking into several hundred such tools) will be made public on the february edition of the virus bulletin magazine, from:
kfir damari, noam rathaus and gadi evron (yours truly).

the securiteam and isotf web honeynet project is supported by beyond security ( http://www.beyondsecurity.com )..

special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.

for more information on the web honeynet project feel free to contact me.

also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

sample report and statistics (for wednesday the 10th of january, 2007):

ip | hit count | malware (count), … |
195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4),
http://m embers.lycos.co.uk/onuhack/injek.txt? (6),
http://m embers.lycos.co.uk/onuhack/cmd.do? (2),
69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif?

The Bank of America: Please lower your defenses, we’re coming through

I wrote about the how the Bank of America are conditioning their customers to be more susceptible to phishing.

It seems they are actually trying to break a record here (or else their security guy quit and was replaced by a marketing person). I just got an email that said:

This email was sent to you by Bank of America. To ensure delivery to your inbox, please add bankofamerica@replies.em.bankofamerica.com to your address book or safe sender list.

My first assumption was that it was a phishing email – why on earth would the BoA legitimately try to convince me to open myself up for phishing? (after adding this email to my “safe sender list” every phisher in the world would set this as their “from” address). In fact, a friend made fun of me for thinking this was a legitimate email – clearly only phishers can think I’m that stupid. Unfortunately, it’s real – it was sent to an email used only by the BoA and unknown to anyone else.

Sad indeed.