The fourth volume of Microsoft Security Intelligence Report (SIR) for the second half of 2007 was published at the end of May.

According to Microsoft “[...] this report provides an in-depth perspective on trends in software vulnerability disclosures as well as trends in the malicious and potentially unwanted software landscape, and an update on trends in software vulnerability exploits [...]“.


Secure printing

June 5th, 2008

The European Network and Information Security Agency (ENISA) suddenly discovered that network printers pose a serious but frequently forgotten security risk. Duh? A discussion of the risks associated with document printing and copying, with pretty good guidelines for secure printing, can be found here.

One of my favorite topics. Does not necessarily mean that Microsoft is more secure than Apple, but provides a counter argument to all those security hobbyists who are ready to take sides. Comparing ‘security’ of Microsoft applications against ‘security’ of Apple is just like comparing apples and oranges.

Research by the Swiss Federal Institute of Technology compared the zero-day patch rate of the two. The bottom line: Apple is behind Microsoft when it comes to patching software.

The findings were presented at BlackHat Europe 2008 and are available in PDF, PPT, and HTML.

Information Security Breaches Survey 2008, by PricewaterhouseCoopers on behalf of the UK Department of Business, Enterprise and Regulatory Reform (BERR) was launched at the Infosecurity Europe exhibition on 22nd April 2008.

This survey, carried out every two years, is the UK’s leading source of information on security incidents suffered by businesses.

There was a lot of discussion about Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) tool in the last couple of weeks. Many feared that the tool was designed to allow backdoor access to Microsoft applications, especially Vista BitLocker encryption. Microsoft responded promptly, not only denying such allegations but also providing some insight into the tool.

According to Microsoft, COFEE is not a new tool, but a USB drive loaded with a set of existing tools that “[...] allow law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.”

The official Microsoft COFEE FAQ can be found here. Other articles by Microsoft are available here and here.

Gspam

May 13th, 2008

A new vulnerability in Gmail that can allow attackers to abuse Google’s forwarding option and use its whitelisted SMTP servers to send an unlimited number of emails has been the talk of the town for a few days. The vulnerability is still only a proof of concept, and there is still no word from Google. Considering the current amount of spam in the cloud, this exploit would bring only a marginal increase. The original PoC document can be found here.

We’ve been following this one for a few days now and have collected a couple of relevant informational sites, hopefully to reduce the amount of time you have to spend researching this.

From washingtonpost.com “Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.”

This is a SQL injection attack targeted primarily at .asp pages. There are two fronts to this battle: the user’s machine (risk of visiting an already infected site) and the web server (risk of being infected and used to spread malware or host attacks on visitors).

This shouldn’t really be a surprise to anyone. We’ve been warned for a while now that web attacks were on the rise and that badly written code would be increasingly compromised, so here you have it.
The tough part is that we can’t just patch an OS and make this go away. It takes a skilled programmer to deal with these vulnerabilities, which most organizations don’t even know they have because most places don’t do much in the way of web app scans. I have a feeling many more will be learning about this the hard way in the coming days and months.

My recommendations for an organization to start dealing with web app vulnerabilities?

1. Get off the IE habit wherever possible AND properly lock down Firefox.
2. Get your web dev staff to training from SANS on mitigating the OWASP top ten.
3. Hound your vendors for any .asp web apps you have purchased and are running and make them check their code.
4. Check the OWASP site for web scan recommendations. This needs to be part of any org’s vulnerability assessment and ongoing review programs.

The best place in my opinion to start is with the owasp.net website.

http://www.owasp.org

Exploit details from SANS:

http://isc.sans.org/diary.html?storyid=4331

For end users/support staff:

1. A properly patched system should not be at risk from this attack. By properly patched we mean updating not just the OS but applications like RealPlayer and iTunes as well.

2. We recommend using a browser that does not support ActiveX. By default Firefox does not support ActiveX. Using a JavaScript control such as NoScript with Firefox is also effective (or just disable Java and JavaScript in your preferences).

A good article on securing your browser:

http://www.us-cert.gov/reading_room/securing_browser/

For Web Programmers: Defending yourself from SQL attacks:

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

Microsoft’s guidelines regarding Protecting asp.net from SQL injection.

http://msdn2.microsoft.com/en-us/library/ms998271.aspx
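The defect behind this wave of .asp compromises, shown as an added example that is not from the original post or the linked Microsoft guidance. It uses Python with an in-memory SQLite table instead of ASP and SQL Server, since the point is the same in any database: a query built by string concatenation lets request input change the statement, while a parameterised query keeps it data. The product table and the two inputs are constructed for the demo.

```python
"""Vulnerable vs. parameterised query, demonstrated with sqlite3.

Added example, not code from the original post.  The table and inputs
below are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a site's product catalogue;
    # 'hidden' rows are the ones the page should never expose.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    # The classic mistake: the request parameter is pasted into the SQL text,
    # so a quote character in the input ends the literal and the rest of the
    # input becomes part of the WHERE clause.
    sql = (
        "SELECT name FROM products WHERE hidden = 0 AND name = '"
        + user_input
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    # Parameterised: the driver sends the value separately from the statement,
    # so quotes or keywords inside it can never alter the query structure.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    db = make_db()
    # A normal request behaves the same either way.
    print(vulnerable_lookup(db, "widget"), safe_lookup(db, "widget"))
    # Input containing a quote rewrites the WHERE clause in the vulnerable
    # path (every row, hidden ones included) and is just a non-matching
    # literal in the parameterised one (no rows).
    crafted = "x' OR '1'='1"
    print(vulnerable_lookup(db, crafted))
    print(safe_lookup(db, crafted))
```

The same contrast holds for ADO or ADO.NET: the fix the linked ScottGu and MSDN articles describe is to move every request value into a command parameter and never into the command text. Note that sqlite3 executes only one statement per call, so this demo shows the clause rewrite only; on a server that accepts stacked statements the consequences of the concatenated form are wider still.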

Also, SQL web service providers should review their logs for any reference to www<.>nihaorr1<.>com, which has been injecting the file “1.js”.
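One way to do that log review, as an added example that is not part of the original post: a small Python scan that flags every access-log line referring to the host named above or to the injected script name. The log lines are constructed in a simplified IIS-style layout; real logs differ in field order, so the matcher works on the raw line (and its percent-decoded form, since injected URLs are frequently encoded) rather than on parsed fields. The host string is written defanged, as in the post, and refanged only at run time.

```python
"""Scan web-server access logs for the indicator named in the post.

Added example, not code from the original post.  SAMPLE_LOG is constructed
for the demonstration.
"""
import re
import sys
from urllib.parse import unquote

# Indicator as given in the post (defanged); refanged only for matching.
DEFANGED_HOST = "www<.>nihaorr1<.>com"
HOST_RE = re.compile(re.escape(DEFANGED_HOST.replace("<.>", ".")), re.IGNORECASE)

# A bare "1.js" is a weaker signal: the lookbehind rejects names such as
# "logo1.js" while still catching "/1.js" or "http://host/1.js".
SCRIPT_RE = re.compile(r"(?<![\w-])1\.js\b", re.IGNORECASE)

# Constructed sample lines: date time method uri query status
SAMPLE_LOG = """\
2008-05-01 10:00:01 GET /default.asp id=42 200
2008-05-01 10:00:09 GET /news.asp ref=http%3A%2F%2Fwww.nihaorr1.com%2F1.js 200
2008-05-01 10:01:15 GET /images/logo1.js - 200
2008-05-01 10:02:30 GET /scripts/1.js - 404
2008-05-01 10:03:02 GET /page.asp q=<script src=http://www.NIHAORR1.com/1.js> 200
"""


def scan_log(text: str) -> list:
    """Return (line_number, confidence, line) for every suspicious line.

    'high' means the injected host itself appears; 'low' means only a bare
    1.js was seen and the line deserves a manual look.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        decoded = unquote(line)  # injected URLs are often percent-encoded
        if HOST_RE.search(decoded):
            hits.append((n, "high", line))
        elif SCRIPT_RE.search(decoded):
            hits.append((n, "low", line))
    return hits


def scan_file(path: str) -> list:
    # Convenience wrapper for real log files; errors="replace" keeps the scan
    # going over the occasional mis-encoded byte.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh.read())


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_log(SAMPLE_LOG)
    for n, confidence, line in hits:
        print(f"{confidence:4} line {n}: {line}")
```

Because the injected reference ends up inside database text columns rather than only in request logs, the same matcher is worth running over an export of the affected tables as well; a clean log does not prove the content is clean.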

Steve Gibson reported from the RSA conference on his Security Now podcast with Leo Laporte. The highlight of the conference, according to Gibson, was the YubiKey, an innovative solution for token authentication.

Very similar to familiar security keys, the YubiKey by Yubico is a USB fob that generates a one-time, time-variant key sequence for user authentication. What’s ingenious about the YubiKey is that it has no display but acts as a USB keyboard, performing something-you-have authentication at the push of a single button.

I don’t have enough information or skills to examine Yubico’s authentication algorithms and compare this product with other leading two-factor authentication solutions, but I do welcome the idea and believe this product is something to keep an eye on.

The UK office of PricewaterhouseCoopers carried out the 2008 Information Security Breaches Survey (ISBS) on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). Preliminary findings were issued yesterday. There is really nothing spectacular out there, but once again they reinforce the importance of employees in the implementation of information security policies.

“[...] What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people. [...] Only when behaviour changes do businesses realise the benefits of a security-aware culture.[...]”

Training is crucial:
“[...] To be truly effective, awareness messages need to be personalised and tailored to the audience – staff need ownership, plus what works well for a bank won’t necessarily come across well on the shop floor. Messages also need to be kept up to date, so sharing experience with other organisations is important. [...]”

And its effectiveness depends on management involvement:
“[...] The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation. [...]”

The full results of the survey will be launched at Infosecurity Europe in London, 22-24 April, www.infosec.co.uk.

The problem of identity theft is ubiquitous, with cases being discovered every day from the countries of the European Union through Canada to Australia. Without question, the United States remains the most significantly affected by this crime. As a result, most of the research and publicity focuses on this country.

There is no single factor that makes identity theft possible. Not only do the factors change over time, they also differ from country to country. I call the set of specific factors and environments that create fertile ground for committing identity theft “identity theft enablers”, or simply enablers. The most significant enablers specific to the United States are examined here in no particular order.

Credit reporting agencies
The credit reporting system in the United States is the most complete set of information on consumers in the world, far more thorough than any government census. (Sullivan, 2004) The original purpose of the system was to help lenders gather enough information about customers to assess their ability to pay off loans. Today, the multibillion-dollar industry consists of three credit reporting agencies: Equifax, TransUnion, and Experian. They sell credit history information on anyone legally living in the United States to anyone willing to pay for such information. Interestingly enough, the biggest beneficiaries of identity theft are not the criminals but the three reporting agencies, with the credit monitoring industry alone making $900 million, with 20% annual growth. (Dash, 2006)

Based on the wide range of credit information, with an estimated two billion records of monthly growth (Sullivan, 2004), and complex formulas known only to those three companies, each consumer is assigned a credit score: a number that indicates a consumer’s creditworthiness and that basically decides on behalf of lenders whether the consumer can get a loan and under which terms. The system is geared toward facilitating the growth of the credit industry and its own protection, not the protection of individual customers. In that regard, as long as the applicant’s credit application indicates good chances of timely repayment, the request is granted regardless of who actually submits the application and receives the money. As long as inaccurate information does not hurt the lenders, those companies do nothing to improve the system, in spite of decades-long problems with the accuracy of the reports. (Sullivan, 2004)

Social security numbers
The growth of the bureaucratic state in the first half of the twentieth century created a need for a system of public records that led to the creation of the Social Security System in 1935. The system was intended to track individual employees’ earnings, and therefore each citizen was assigned a unique nine-digit identifier known as the Social Security Number. (Solove, 2006) Neither the social security number nor the social security card was intended to be used for identification purposes. The first cards even carried the inscription “NOT FOR IDENTIFICATION”. Contemporary social security cards do not bear a picture or any other identifying information except for the name of the holder and the social security number itself. Unfortunately, the importance of social security numbers and their use for identification changed significantly within a single century. According to the US Senate (Thomas, 2004), the social security number is one of the main tools used to steal identity, due to its use for purposes not intended by the original design.

Social security cards, and more specifically social security numbers, represent one of the main breeder identifiers that criminals use to initiate the crime of identity theft. In many instances, a social security number together with a birth certificate is used by various agencies to establish an initial identity and issue an identification document bearing a photograph or other biometric data.

US social security numbers are probably the pieces of information most guarded by individuals, and at the same time they are widely available and frequently asked for and used in everyday life.

Instant credits
This term was coined by the director of the Federal Trade Commission in 2002 (Sullivan, 2004) but basically describes the ability, available to millions of Americans, to walk into an electronics store or a car dealership and legally walk out with goods worth tens of thousands of dollars just minutes later. When even mortgages are approved within a similar time frame, it is simply not possible to do better research on an applicant’s background. (Sullivan, 2004) In order to boost sales, merchants, relying on credit scores provided by credit reporting agencies, approve instant credit to customers who can prove their creditworthiness, not their identity.

Convenience checks
Convenience checks are cash-like instruments mailed to cardholders that allow them to transfer balances from one credit card issuer to another with the stroke of a pen. (Sullivan, 2004) Unlike cards, in most cases the use of convenience checks does not require any authorization, and the checks are not covered by the $50 liability limit. All customers are required to do is sign the check and mail it back to the issuer, or even submit it online.

Functional literacy
The Organization for Economic Cooperation and Development defines functional literacy as the ability to understand and employ printed information in daily life. According to the National Institute for Literacy, 50% of the adult population in the United States is considered illiterate, with 44 million who cannot read a newspaper or fill out a job application (compared to 24% in the United Kingdom). This factor facilitates the growth of identity theft by impeding customers’ ability to protect themselves from daily attacks against their privacy.
