Scrawlr quickly came under fire on the Web Security mailing list for having some pretty major limitations. Billy Hoffman et al have been quick to point out that the tool was designed to address a very specific subset of SQL Injection vulnerability — the type affected by the mass attacks — and is not designed to be a general purpose replacement for existing SQL Injection scanners. Let’s look at the limitations, as outlined on the HP page, one by one.

Limitation: Will only crawl up to 1500 pages

Depends on what they mean by 1500 pages. For example, if I have these links on my front page, is that one URL or three?

• http://www.veracode.com/blog/?p=111&foo=1
• http://www.veracode.com/blog/?p=111&foo=2
• http://www.veracode.com/blog/?p=111&foo=3

Or, does it mean that it will really only crawl 1500 pages total, so if I have the same link 1500 times on the front page, it won’t go any further? Either way, for most smaller websites this is probably fine. If you need more than 1500 you could give it different starting URLs in an attempt to improve coverage. It would be nice to have a clearer definition of what it means to “crawl up to 1500 pages” though.

Limitation: Does not support sites requiring authentication

Well, this will render it useless for the majority of enterprise apps. But there are still a lot of sites out there that don’t require authentication, including some of the ones that got hit during the mass attacks, such as the United Nations, UK government, etc.

Limitation: Does not perform Blind SQL injection

They have taken a lot of flack for this but Billy describes it as a conscious choice:

An early version of the tool checked for blind SQL injection, but the final verison of Scrawlr did not. … The biggest feedback we got from early testing was developers wanted to “see” the vulnerability. Differential analysis is kind of difficult to visualize in a way that is helpful for the average dev, and pulling the table names through blind was too much of a performance issue.

I can sort of understand this rationale. Blind SQL Injection testing is much more susceptible to false positives. As users of any commercial web scanner or source code analyzer will attest, the more time you spend chasing down FPs, the less likely you are to put any faith in future results. It’d be nice if there was a way to toggle Blind SQL Injection testing on and off, though (could be off by default so nobody gets confused).

Limitation: Cannot retrieve database contents

Who cares? Find and fix the vulnerability. Pulling down the entire database “because you can” is a total ego move.

Limitation: Does not support JavaScript or flash parsing

Nobody does this very well anyway, particularly the JavaScript part. Writing a great crawler is probably the hardest part of writing an automated web scanner and it’s one of the biggest differentiators from one product to the next. You’re not going to get that for free.

Limitation: Will not test forms for SQL Injection (POST Parameters)

This is probably the toughest one to swallow. It’s not that difficult to parse out forms from HTML, and form POSTs can represent a major chunk of the attack surface. Granted, the Chinese tool associated with the mass attacks did operate solely on GET requests (i.e. parameters in the query string) so HP can defend this again by saying the tool is really aimed at the sites being targeted by the mass attacks. I think it’s a little short-sighted though; chances are that the mass attacks will evolve and it’s better to be proactive about it than reactive.

Conclusion

It’s tough to bash someone for releasing a free tool. I personally think HP should add an option for enabling Blind SQL Injection testing, and that they should consider supporting POSTs as well as GETs. You’re basically getting a (massively) stripped-down WebInspect for free, so take it for what it is. No single tool is a panacea.

The jury is still out on how effective Scrawlr is against the things it does claim support for. Keep watching the Web Security list; the reviews are filtering in.

From Aut Disce, Aut Discede:

Consider for a moment the state of client-side bugs 5 or 6 years ago. Attacks such as this, a multi-stage miscellany of IE and Mediaplayer bugs that resulted in the “silent delivery and installation of an executable on the target computer, no client input other than viewing a web page” were reported with regularity. Gradually these type of attack gave way to exploitation of direct browser implementation flaws such as the IFRAME overflow and DHTML memory corruption flaws. So what has become of the multi-stage attacks - have they become redundant? The answer to this, which I’m sure you can guess, is a resounding “no” and will be emphatically demonstrated in my upcoming Black Hat talk “The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation”, a joint double session presentation co-presented by Billy Rios, Nate McFeters and Rob Carter.

As a teaser for that, I’m going to revisit an old attack - pre-computed dictionary attacks on NTLM - and discuss how we can steal domain credentials from the Internet with a bit of help from Java. I’m going to split it into two posts. In this post we’ll apply the attack to Windows XP (a fully patched SP3 with IE7). In my next post we’ll consider its impact on Windows Vista.

For the full article read on.

Why are you still here? Go read it.

Article Link

• Passport
• Voting ID card
• PAN card
• Driving License card
• Government issued ID card
• Social Security Card
• Military ID card
• Consular ID card
• Postal ID card
• Government Employee ID Card
• Credit Card
• Debit Card
  

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."  The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure.  Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago.  I've been a little busy lately, but was finally able to check it out.  Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.



The flash home page forwards visitors to a static index (indexaa.html) page.  The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."



See where the page says, "Register for your FREE card HERE!!"?  This is a link to the sign-up page that Tom was referring to.



No "https" in the URL.  Tom was right on that.  The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").



The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card



SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information!  First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard".  Second, no encryption?!  Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security.  According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network.  ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content".  Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption. 

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular.  This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic.  In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server).  My information doesn't travel directly from my computer to the server.  There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.



As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz.  The final few hops are not reported due to filtering.  So where could my traffic be captured?  At the very least:

• Between my computer and my router (or firewall)
• Between my firewall and the ISP hand-off
• Between all the traversed devices within my ISP's network
• Between all the traversed devices through the internet
• Between all the traversed devices within the destination ISP's network
• Between all the traversed devices within the destination organization's network and the server itself.
  

• Drogheda
• Dunleer
• Bagnelstown
• Court Place Carlow
• Stephens Green
• Tallaght
• Montrose"
  

• Drogheda
• Dunleer
• Bagnelstown
• Court Place Carlow
• Stephens Green
• Tallaght
• Montrose
  

Imagine Bob Sheppard's one of a kind voice booming over the PA system at Yankee Stadium.  The words echoing off the hallowed stands that Ruth built, near first base where Gerhig stood, over the green grass of centerfield where DiMaggio and Mantle roamed. Ladies and Gentlemen, now hitting for the NY Yankees, number 60, Billy Crystal. For one of my favorite comedians, a life long dream came true for his 60th birthday.

It is no secret that Crystal who grew up in Long Beach, Long Island is a die hard, crazy Yankee fan.  Today the Yankees probably made him "the luckiest man on the face of the earth", or at least since another Yankee said those words.  They signed Billy to a one day contract and let him suit up and take an at bat in a pre-season game.  Alas, the mighty Crystal struck out, but not before fouling a ball off down the line and running the count to 3 and 2. What a special event and great thing to do for a special fan.  I can only imagine the goose bumps that Billy for sure had!  Classy move by the Yankees.

This is the last year for the greatest sports venue in America, Yankee Stadium.  I very much want to take my boys up this season to see at least one game in the old stadium.  In the meantime if anyone really wants to make me happy, maybe you can finagle to get me a similar stint with the Yanks.  If not I would settle for coming and playing QB for the Steelers for a play as well.  But I guess I am no Billy Crystal, but I can dream can't I? Like Yogi says, it ain't over till its over.

Imagine Bob Sheppard's one of a kind voice booming over the PA system at Yankee Stadium.  The words echoing off the hallowed stands that Ruth built, near first base where Gerhig stood, over the green grass of centerfield where DiMaggio and Mantle roamed. Ladies and Gentlemen, now hitting for the NY Yankees, number 60, Billy Crystal. For one of my favorite comedians, a life long dream came true for his 60th birthday.

It is no secret that Crystal who grew up in Long Beach, Long Island is a die hard, crazy Yankee fan.  Today the Yankees probably made him "the luckiest man on the face of the earth", or at least since another Yankee said those words.  They signed Billy to a one day contract and let him suit up and take an at bat in a pre-season game.  Alas, the mighty Crystal struck out, but not before fouling a ball off down the line and running the count to 3 and 2. What a special event and great thing to do for a special fan.  I can only imagine the goose bumps that Billy for sure had!  Classy move by the Yankees.

This is the last year for the greatest sports venue in America, Yankee Stadium.  I very much want to take my boys up this season to see at least one game in the old stadium.  In the meantime if anyone really wants to make me happy, maybe you can finagle to get me a similar stint with the Yanks.  If not I would settle for coming and playing QB for the Steelers for a play as well.  But I guess I am no Billy Crystal, but I can dream can't I? Like Yogi says, it ain't over till its over.

Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.

The “he” is Mark Potts CTO of Software, Hewlett-Packard. When I read that the first thing that came to mind was; Billy Hoffman is top 10 material? The end is near!! (joking…) Then I wondered who is ranking hackers and how much would it cost to get the #1 spot. Then later I thought there must be a real ranking because if you where making it up you would just say “nine out of the top ten, not 9 out of the top 11″ which would generally mean you had 8 of the top ten and one person at eleven so you went for Top eleven instead of top ten. Maybe people from Australia use a top 11 system?

Post from: Grumpy Security Guy

HP Corners the Market on Hackers

By K.C. Jones
InformationWeek
December 27, 2007 03:10 PM

A New York City software engineer managed to gain access to the operating system for a touch-screen display available in the back seat of many Manhattan taxicabs and also used it to connect to the Internet. But no sensitive information or critical systems were compromised, according to the display systems vendor. The display is used to present short videos and ads to taxi riders, and can be used to pay the taxi fare with a credit card. A VeriFone Transportation Systems spokesman told InformationWeek Thursday that passengers’ credit card data is encrypted and isn’t stored locally, so it wasn’t compromised. He also said the cab had an outdated modem, used while the city tested the display systems.

Billy Chasen posted photos on his blog earlier this month showing that he accessed a New York City cab’s video display system files after seeing an error message on the screen. The artist and software engineer explained in the blog that he managed to open Internet Explorer, launched the Connection Wizard, selected aSprint (NYSE: S) card for a dial-up connection, and accessed Adobe (NSDQ: ADBE)’s Web site.

Chasen said he opened files and “had full administrative access to everything on the PC.”

“It was not only a security flaw, but people also pay with the screen if they use a credit card,” he said, adding the information could be stored locally.

“What I did was a much bigger problem than GPS tracking,” he said. “You’re essentially giving strangers access to a computer that is shared with hundreds of customers.”

Chasen went on to say that he could have installed software from the Internet.

The VeriFone spokesman, however, said Chasen had merely accessed media files, and passengers could not gain control of sensitive information.

“It’s a Windows-based system, so I could never say never,” he said. “But there is no credit card information stored in the system.”

The spokesman said the meter is integrated into the display system but not reliant upon it, so errors and unauthorized access would not affect meter functioning. He also pointed out that the New York City Taxi and Limousine Commission strictly regulates fares and meters.

“If the meters weren’t functioning right, the TLC would be all over it,” he said.

He also responded on Chasen’s blog, saying VeriFone investigated the incident, the old modem was replaced, and users cannot access editing tools on the system.

The new taxi technology systems, which are required for all New York cabs, generated controversy earlier this year and prompted some cab drivers to protest because they feared they would be monitored and tracked by GPS technology.