Spoofing Apple

epic on May 28th, 2012 | File Under Uncategorized -

Well the unthinkable has happened. Just when my faith blindly rested in Apple’s care, a vulnerability has been discovered and it’s a good one.

A company called Major Security found the issue, which is an error in Safari, Apple’s mobile web browser application. The error is present in iOS 5.1 and so far is confirmed on the iPhone 4, 4S, iPad 2, and a third-generation iPad running iOS 5.1. According to the article, it appears that any device running the latest mobile version of the OS is affected by this vulnerability. There is a demo site where you can test the error out, but I won’t be posting any links to demo this error simply because I can’t seem to find the website of the company who found it. You’ll have to do your own digging to find them.

Apple is apparently aware of the issue as of March 1, 2012, and has posted an advisory regarding the vulnerability as of March 20, 2012. According to the article in reference, a patch is being pushed out the door.

The article is here, and to learn more about URL Spoofing go here.


The Importance of Vulnerability Assessments

epic on May 24th, 2012 | File Under Uncategorized -

I read quite an extensive article this morning about the attempted extortion of Symantec. According to the article, a group or person named YamaTough from Anonymous had managed to get Symantec’s source code for PCAnywhere and Norton Anti Virus. The extortion bit was getting money out of Symantec or they would release the source code to the Internet.

It’s quite an extensive article (which you can find below), but it really shows me a few things about some aspects of our industry, and one of the many things that makes our product so great. The threat of attack is ever constant. Even huge corporations are at risk, and new threats are popping up all the time. To protect yourself from attack you must be prepared, and most importantly you must be vigilant. Hackers are exactly those two things, and more; at the very least you must match their level of effort. Take a look at one aspect of the article: look how guarded they are with their identities, look how much effort they put into remaining invisible. How come you aren’t making the same level of effort to be protected from attack?

Our product is a daily evaluation of your vulnerabilities. They may show up and disappear depending on a multitude of factors. Even though this may happen, with SecuScan you will always know where you stand on a daily basis; you’ll be taking a large and important step to being prepared. When you have millions of dollars worth of product/information, when your company is at stake, don’t leave it to chance.

The article in reference can be found here.

E. D.


Good Business Practice 6: Lack of Memorability

epic on May 22nd, 2012 | File Under Uncategorized -

I’ve been guilty of it, you’ve been guilty of it, the person next to you is probably doing it right now: writing your password down. Continuing through the TrustWave Security report I’m now touching down on a good topic: your password.

This part of the report details writing a password down because of a lack of memorability or lasting uniqueness to the user. It also discusses using various tactics through social interaction, (either personal or through the Net somehow), to obtain your login credentials. I want to focus on something we have all had a conversation about here at the office, especially me because I’m the “new guy”.

Your password has to be significant to you so you can remember it, but it can’t be so obvious that it can easily be guessed or discovered through “brute force”. I would define brute force in layman’s terms as someone either manually or electronically cracking your password, using a password generator to go through common words or phrases quickly and easily, or, knowing you, simply guessing the password. However, the password can’t be so confusing or convoluted that you would forget it easily. Some people are getting good at making the complex password, but it’s not memorable, so they either write it down, or risk forgetting it. Also, if you have multiple services, using the same password for everything means that if your password is compromised, all of your accounts are at risk. The problem with a written record of your passwords, say, at the office is that if someone discovers where this list is, your office identity is now compromised.

The way I have been told to create a unique but memorable password is to pick something familiar to you, use two words put together into one, and exchange some of the letters in those words for special characters (numbers and symbols). I’ll give you an example: “sunnyday”. In order to make this more resistant to brute force you would write it out like this: “5unnEd@y”. I used special characters and the phonetic pronunciation of Y in the word as E. This password is memorable but also secure. So don’t write it down.

The password portion I used from the TrustWave Security Report can be found on page 39.


Good Business Practice Part 5: Lingering Weakness

epic on May 17th, 2012 | File Under Uncategorized -

I’m still going through this report bit by bit, trying to take in and learn as much as I can. Today I hit on the Asia/Pacific portion of the report; but I’m not shocked by what I’m reading. It’s not the type of attack, it’s not how the attack was carried out, or even what they were after, what shocks me about this portion of the report is that it’s the same old reasons. Maybe I shouldn’t be surprised, but once again the report points out to us that it was the weakest, most ill prepared companies that took the brunt of attacks. I guess I am shocked, but in some ways I’m not. Shocked that this message isn’t clear to a lot of companies out there. That there seems to be business owners who take the least effective path thinking, “It’ll never happen to us, what are the odds?”

Clearly one assurance remains in this battle: Daily scans. Imagine getting a security update report of your data infrastructure each morning. Knowing where you stand, knowing your customers information is being protected the best way possible, knowing what you need to fix, where your weakness is and how to improve it.

I know I’m harping on this, and maybe you get the picture by now, but I know for a fact that there are still people out there that are ignoring my warnings and encouragements. Why? Well if everyone understood their security risks and wanted to do something about it, my blog wouldn’t be about the year’s latest attacks :)

Today’s information came from page 17 of the TrustWave Global Security report for 2012. It can be found here.


Good Business Practice – Part 4

epic on May 8th, 2012 | File Under Uncategorized -

I’m still going through this security report, and for good reason: it’s showing me a lot I need to learn, a lot that everyone needs to learn.

I’m currently on the section where they discuss how criminals will go after your stored data but only if it’s easy. Typically an attack will not occur if it becomes difficult, or takes too much time. The thief just wants to get in, steal your information and get out. This is such an important fact that we need to focus on. I know it doesn’t seem all that big of a deal but it is. It shows us that with preparation, due diligence, and constant measures to increase our security that thieves will actually move along to easier targets. You can actually protect yourself just by making this not worth their time or effort.

So once again, with daily scans, security compliance, good software design, and the right mentality, you can avert a good portion of your security risks. By being more determined, better protected, and doing the diligence of good security, the results are worth it.

The information for this article can be found on page 15 of the report.


Good Business Practice – Part 3

epic on May 2nd, 2012 | File Under Uncategorized -

Continuing my rampage through the TrustWave Global Security report for 2012, I come across the section where they outline where “identifiable” attacks came from. It came as a little bit of a surprise to see the Russian Federation at the top of the list, second only to Unknown attacks. Let me explain how this is working. All attacks that could not be traced or their origins identified are listed as Unknown in origin. They could have come from anywhere, and we will never know. Of those that could be identified, 29.6% of all attacks were from Russia, twice as many attacks as the next largest, which is the USA at 10.5%.

It’s up for interpretation as to all the things that this means. Do those countries need stricter laws? Is there an encouraging factor that is breeding these attacks? Does the security in those countries need to rise? Do these regions require greater “chip & pin” technology? Are the current safeguards to personal information enough? Does better technology increase our safety or decrease it? Some good questions to consider in the coming months.

The material discussed in today’s blog can be found on page 14 of the TrustWave Global Security report for 2012.


Good Business Practice – Part 2

epic on May 1st, 2012 | File Under Uncategorized -

I’m continuing my review of the TrustWave 2012 Global Security Report, and I came across something pretty important. We already know that the Food & Beverage industry made up a very large portion of attacks last year; by far the most targeted industry. But upon further reading, most of those attacks happened to retail franchises that outsourced their development/maintenance services, most notably the smaller franchises. 76% of attacks were attributed to those businesses that outsourced their software and development. Another fact revealed is that, of those businesses that outsourced, most were not even aware of any security standard that their software developer had to adhere to.

This brings up one of the things we keep harping on here at SecuSolutions: due diligence. The daily scans? That’s due diligence. Those scans would find the holes left by the software developer and prevent them from becoming problems.

I’m going to quote the paragraph from the report below. It’s an eye opener:

“The majority of our analysis of data breach investigations – 76% – revealed that the third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers. Small businesses within the food and beverage and retail industries were most often impacted by these attacks, as they typically outsource all development and support of their systems. Anecdotally, merchants were unaware of the security best practices or compliance mandates by which their partners were required to abide. In other instances, victims were unaware that this third party was only responsible for a subset of security controls – thus still leaving these systems open to attack.”

-  TrustWave Global Security Report 2012, System Administration & Responsibility, Page 10


Good Business Practice – Part 1

epic on April 25th, 2012 | File Under Uncategorized -

I just stumbled across the TrustWave 2012 Global Security Report. While I’m still reading through it (it’s 65 pages), some key points are standing out about where trends have been the last year and likely where we think they are going to head. The report also has some good suggestions about security measures you can take to protect yourself, but the bottom line still remains: daily vulnerability scanning is still one huge step to proper protection and preparedness.

The report goes on to tell us that businesses in franchise chains that contain customer data are most likely to be hit. The popular focus of attacks is still customer data. When I say customer data I’m talking about personally identifiable information like mailing addresses, credit card numbers, social security information, things like that. So if you are a company of medium to large size that contains a great deal of customer info, it’s time to buckle up! This report says you are most likely to be hit by attacks.

I have to agree with the report’s findings. It was well conducted and on a fundamental level, it just makes sense. Go after the information tied to the little guy, the guy that doesn’t have many resources, the guy that trusted his info to someone else. The guy who, once offered up his information for legitimate business, now has no way of erasing it, or protecting it. Now add the fact that if it’s a large business, you now have millions of people’s information you can get your hands on; hence the reason for attack.

If you make any resolution this year with your business, it should be for secure business practice, preparedness for your clients’ sake, for your reputation, and because it’s how you do good business.

The report can be found here, although you do have a small sign up form to fill out in order to download it.


Web Application Security: Part 4 – HTTP Response Splitting

Brennan Kootnekoff on December 18th, 2010 | File Under Uncategorized -

HTTP response splitting is yet another vulnerability that arises from improper validation/sanitization of user input. It affects pages that place user input directly into response header information, such as redirects.

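For example, here is the code for a vulnerable website:

<?php
// Deliberately vulnerable: the request parameter is copied into the
// Location header without any validation or encoding.
$redirurl = $_REQUEST['redirurl'];
header("Location: /goto.php?url=$redirurl");
?>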

If you send the text “top” to the redirurl parameter, the usual server response would be:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28 GMT
Location: http://www.website.com/goto.php?url=top
Content-Type: text/html
Connection: Close

But a malicious user would use this unsanitized input to his advantage and modify the HTTP response headers. This is done by sending a CRLF line terminator (%0d%0a when URL-encoded), which ends the current header line and lets the attacker shape a completely different response.

For example, if a malicious user were to send the following data for the redirurl parameter:

blergh%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<script>alert('surprise');</script>

The server would respond with:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28 GMT
Location: http://www.website.com/goto.php?url=blergh
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<script>alert('surprise');</script>

This would completely alter the page: instead of the usual content being shown, the user would see a popup box with the word ‘surprise’ come up on their screen.

This can even be used maliciously to redirect unsuspecting users to a completely different website.
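A hardened version of the redirect handler above, as an added example that is not part of the original post. The helper name safe_redirect_location() is hypothetical, and the sample inputs are constructed (the second is a shortened, URL-decoded form of the payload shown above).

```php
<?php
// Added example, not from the original post.
// safe_redirect_location() is a hypothetical helper name.

/**
 * Build the Location value for /goto.php from untrusted input.
 * Returns null when the input must be rejected.
 */
function safe_redirect_location(string $redirurl): ?string
{
    // Reject any control character (CR, LF, NUL, ...) outright: a legitimate
    // redirect target never needs one, and CR/LF is what splits the response.
    if (preg_match('/[\x00-\x1F\x7F]/', $redirurl)) {
        return null;
    }
    // Percent-encode everything that is not an unreserved URI character, so
    // the value cannot leave the query string it is placed in.
    return '/goto.php?url=' . rawurlencode($redirurl);
}

// Constructed sample inputs, as the application sees them after URL decoding.
$samples = [
    'top',
    "blergh\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK",
];

foreach ($samples as $input) {
    $location = safe_redirect_location($input);
    if ($location === null) {
        // Log with the control characters made visible, then refuse.
        echo 'rejected: ' . addcslashes($input, "\0..\37\177") . PHP_EOL;
        continue;
    }
    echo 'Location: ' . $location . PHP_EOL;
    // In the real handler: header('Location: ' . $location); exit;
}
```

The first input yields Location: /goto.php?url=top and the second is rejected before it reaches header(). Logging rejected values gives defenders a record of attempted header injection.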

Finding every location which incorporates user input in headers may be a nightmare with a large website. SecuScan can help automate this procedure as well as looking for Directory Traversal vulnerabilities on your website on a day to day basis.

Contact SecuSolutions at sales@secuscan.net or visit secusolutions.com for more info!


Web Application Security Part 3 – Directory Traversal

Brennan Kootnekoff on November 29th, 2010 | File Under Uncategorized -

A directory traversal vulnerability occurs when user-supplied file names are not validated. It can be used to access unintended files that are stored on, or accessible by, the server.

The following is an example of vulnerable code:

First Page:

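<?php
// Deliberately vulnerable: the template name comes straight from the
// request and is appended to the include path without validation.
$template = 'main.php';
if (isset($_REQUEST['template']))
    $template = $_REQUEST['template'];
include ("/etc/apache2/templates/" . $template);
?>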

If someone were to send the following as a POST or GET request:

&template=../../../../../../etc/passwd

The attacker would be able to access the complete user list on the server, and brute force the password on the hacker’s local machine. If there are sensitive files, such as unencrypted master password lists or source code on the server, then this vulnerability can cause irreparable damage to a company of any size.

With PHP this risk can be easily mitigated by normalizing characters or by rewriting URI request functions so that they do not pass input directly on to a filesystem function. However, finding every location which incorporates the display of user input may be a nightmare with a large website. SecuScan can help automate this procedure as well as looking for Directory Traversal vulnerabilities on your website on a day to day basis.
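One way to apply the normalization described above before the include, as an added example that is not part of the original post: the path is canonicalized and then checked to still lie inside the template directory. resolve_template() is a hypothetical helper, and the files it runs against are a constructed sandbox in the system temp directory.

```php
<?php
// Added example, not from the original post. resolve_template() is a
// hypothetical helper; the directory layout below is a constructed sandbox.

function resolve_template(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" sequences and symlinks, and returns false
    // when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment: the canonical path must still sit under the template dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only template files are ever meant to be included.
    return pathinfo($path, PATHINFO_EXTENSION) === 'php' ? $path : null;
}

// Constructed sandbox: one template, one file outside the template directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/main.php', 'main template');
file_put_contents($root . '/secret.txt', 'outside the template directory');

$requests = ['main.php', './main.php', '../secret.txt', '../../../../../../etc/passwd'];
foreach ($requests as $requested) {
    $path = resolve_template($root . '/templates', $requested);
    // The handler would call include $path only when it is not null.
    printf("%-32s %s\n", $requested, $path === null ? 'rejected' : 'ok: ' . basename($path));
}

// Remove the sandbox again.
unlink($root . '/templates/main.php');
unlink($root . '/secret.txt');
rmdir($root . '/templates');
rmdir($root);
```

The first two requests resolve to main.php; the two traversal requests are rejected because their canonical paths fall outside the template directory.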

Contact SecuSolutions at sales@secuscan.net or visit secusolutions.com for more info!
