Microsoft Security Intelligence Report
June 10th, 2008
The fourth volume of Microsoft Security Intelligence Report (SIR) for the second half of 2007 was published at the end of May.
According to Microsoft “[...] this report provides an in-depth perspective on trends in software vulnerability disclosures as well as trends in the malicious and potentially unwanted software landscape, and an update on trends in software vulnerability exploits [...]“.
Secure printing
June 5th, 2008
The European Network and Information Security Agency (ENISA) suddenly discovered that network printers pose a serious but frequently forgotten security risk. Duh? A discussion of the risks associated with document printing and copying, with pretty good guidelines for secure printing, can be found here.
Microsoft vs. Apple (again)
June 3rd, 2008
One of my favorite topics. This does not necessarily mean that Microsoft is more secure than Apple, but it provides a counter argument to all those security hobbyists who are ready to take sides. Comparing the ‘security’ of Microsoft applications against the ‘security’ of Apple is just like comparing apples and oranges.
Research by the Swiss Federal Institute of Technology compared the zero-day patch rates of the two. The bottom line: Apple is behind Microsoft when it comes to patching software.
The findings were presented at BlackHat Europe 2008 and are available in PDF, PPT, and HTML.
Information Security Breaches Survey 2008, by PricewaterhouseCoopers on behalf of the UK Department of Business, Enterprise and Regulatory Reform (BERR) was launched at the Infosecurity Europe exhibition on 22nd April 2008.
This survey, which is carried out every two years, is the UK’s leading source of information on security incidents suffered by businesses.
There has been a lot of discussion about Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) tool in the last couple of weeks. Many feared that the tool was designed to allow backdoor access to Microsoft applications, especially Vista BitLocker encryption. Microsoft responded promptly, not only denying such allegations but also providing some insight into the tool.
According to Microsoft, COFEE is not a new tool but a USB drive loaded with a set of existing tools that “[...] allow law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.”
The official Microsoft COFEE FAQ can be found here. Other articles by Microsoft are available here and here.
Gspam
May 13th, 2008
A new vulnerability in Gmail that could allow attackers to abuse Google’s forwarding option and use its whitelisted SMTP servers to send an unlimited number of emails has been the talk of the town for a few days. The vulnerability is still only a proof of concept, and there is still no word from Google. Considering the current amount of spam in the cloud, this exploit would bring only a marginal increase. The original PoC document can be found here.
SQL Injection Attacks Summary and Recommendations
April 28th, 2008
We’ve been following this one for a few days now and have collected a few relevant information sources, hopefully reducing the amount of time you have to spend researching this.
From washingtonpost.com “Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.”
This is a SQL injection attack targeted primarily at .asp pages. There are two fronts to this battle:
1. The user’s machine (risk of visiting an already infected site).
2. The web server (risk of being infected and used to spread malware or host attacks on visitors).
This shouldn’t really be a surprise to anyone. We’ve been warned for a while now that web attacks were on the rise and that badly written code would be increasingly compromised, so here you have it.
The tough part is that we can’t just patch an OS and make this go away. It takes a skilled programmer to deal with these vulnerabilities, which most organizations don’t even know they have, because most places don’t do much in the way of web app scans. I have a feeling many more will be learning about this the hard way in the coming days and months.
My recommendations for an organization to start dealing with web app vulnerabilities?
1. Get off the IE habit wherever possible AND properly lock down Firefox.
2. Get your web dev staff to training from SANS on mitigating the OWASP top ten.
3. Hound your vendors for any .asp web apps you have purchased and are running, and make them check their code.
4. Check the OWASP site for web scan recommendations. This needs to be part of any org’s vulnerability assessment and ongoing review programs.
The best place in my opinion to start is with the owasp.net website.
http://www.owasp.org
Exploit details from SANS:
http://isc.sans.org/diary.html?storyid=4331
For end users/support staff:
1. A properly patched system should not be at risk from this attack. By properly patched we mean updating not just the OS but applications like RealPlayer and iTunes as well.
2. We recommend using a browser that does not support ActiveX. By default, Firefox does not support ActiveX. Use of JavaScript controls such as NoScript with Firefox is also effective (or just disable Java and JavaScript in your preferences).
A good article on securing your browser:
http://www.us-cert.gov/reading_room/securing_browser/
For Web Programmers: Defending yourself from SQL attacks:
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
Microsoft’s guidelines on protecting ASP.NET from SQL injection:
http://msdn2.microsoft.com/en-us/library/ms998271.aspx
Also, SQL web service providers should review logs for any reference to www<.>nihaorr1<.>com, which has been injecting the file “1.js”.
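As an added example (not from the original post or the sources it links), a small Python script for the log review recommended above: it URL-decodes each web-server log line or exported database row and reports any reference to the indicator domain or the “1.js” file. It assumes Apache-style Common Log Format lines (or plain text rows) and constructs its own sample input.

```python
import re
from urllib.parse import unquote_plus

# Indicator named in the post above: the domain that has been serving "1.js".
# Written here un-defanged so the regex matches real log and database text.
INDICATOR_RE = re.compile(r"www\.nihaorr1\.com|(?<![\w.])1\.js\b", re.IGNORECASE)

def normalise(text):
    """URL-decode up to twice (injected references are often percent-encoded,
    sometimes doubly) so the indicator is visible to a plain pattern search."""
    once = unquote_plus(text)
    return unquote_plus(once) if "%" in once else once

def request_field(log_line):
    """Extract the quoted request from a Common Log Format line; fall back to
    the whole line so non-CLF input (IIS W3C logs, exported rows) still works."""
    m = re.search(r'"([^"]*)"', log_line)
    return m.group(1) if m else log_line

def find_indicator_references(lines, source):
    """Return (source, line_no, matched_text) for every line that references
    the indicator after decoding. Works for web-server logs and for rows dumped
    from the database columns that the site renders into its pages."""
    hits = []
    for no, line in enumerate(lines, 1):
        decoded = normalise(request_field(line))
        m = INDICATOR_RE.search(decoded)
        if m:
            hits.append((source, no, m.group(0)))
    return hits

# Constructed sample input (not real logs): one clean request, one request carrying
# a double-encoded reference, and one database row with a seeded script tag.
SAMPLE_LOG = [
    '10.0.0.1 - - [28/Apr/2008:10:00:00 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 1234',
    '10.0.0.2 - - [28/Apr/2008:10:00:05 +0000] "GET /news.asp?id=42&r=http%253A%252F%252Fwww%252Enihaorr1%252Ecom%252F1%252Ejs HTTP/1.1" 200 1234',
]
SAMPLE_DB_ROWS = [
    "Board meeting minutes, April 2008",
    'Welcome to our site<script src="http://www.nihaorr1.com/1.js"></script>',
]

if __name__ == "__main__":
    for hit in (find_indicator_references(SAMPLE_LOG, "weblog")
                + find_indicator_references(SAMPLE_DB_ROWS, "db")):
        print(hit)
```

Point it at exported content columns as well as the web logs, since the seeded script tag lives in the database and is only visible in logs when a request carries it.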
Yubico takes authentication token to a next level
April 23rd, 2008
Steve Gibson reported from the RSA conference on his Security Now podcast with Leo Laporte. The highlight of the conference, according to Gibson, was the YubiKey, an innovative solution for token authentication.
Very similar to familiar security keys, the YubiKey by Yubico is a USB fob that generates a one-time, time-variant key sequence for user authentication. What’s ingenious about the YubiKey is that it has no display but acts as a USB keyboard and performs something-you-have authentication with the push of a single button.
I don’t have enough information or the skills to examine Yubico’s authentication algorithms and compare this product with other leading two-factor authentication solutions, but I welcome the idea and believe this product is something to keep an eye on.
Employee behaviour and information security
March 28th, 2008
The UK office of PricewaterhouseCoopers carried out the 2008 Information Security Breaches Survey (ISBS) on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). Preliminary findings were issued yesterday. There is nothing spectacular in them, but once again they reinforce the importance of employees in the implementation of information security policies.
“[...] What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people. [...] Only when behaviour changes do businesses realise the benefits of a security-aware culture.[...]”
Training is crucial:
“[...] To be truly effective, awareness messages need to be personalised and tailored to the audience – staff need ownership, plus what works well for a bank won’t necessarily come across well on the shop floor. Messages also need to be kept up to date, so sharing experience with other organisations is important. [...]”
And its effectiveness depends on management involvement:
“[...] The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation. [...]”
The full results of the survey will be launched at Infosecurity Europe in London, 22-24 April (www.infosec.co.uk).
Security Economics and the European Union
March 16th, 2008
Some time ago I wrote about the problems associated with properly identifying identity theft and the lack of statistical data in the United States. This time, a paper commissioned by the European Network and Information Security Agency (ENISA), aiming to facilitate the development of European e-commerce policy, identified similar problems in the European Union. The paper focuses on the economics of security and discusses economic incentives for both governments and the private sector that can facilitate improvements in security and in customer confidence in electronic commerce.
The paper, titled Security Economics and the Internal Market, provides 15 recommendations on information security issues that need to be handled at member state level and harmonized and coordinated among EU members. The recommendations call for the establishment of a comprehensive EU security breach notification law, better reporting of security incidents, an EU standard for the security of network-connected equipment, mandatory distribution of software patches, better procedures for the resolution of disputes in electronic transactions, and an EU-wide body, similar to NATO, in charge of the fight against cyber-crime.