[SecurityRatty] tag: endless

Hype Alert: Internet Shopping Carts Are Secure

Fri, 26 Sep 2008 11:00:00 +0000

My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure.
OMG...really?
To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:
"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."
This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per PCI standards.
Allow me to elaborate.
We'll kick off our hype eliminating effort with a simple Google dork: inurl:"cart.cfm" (picking on ColdFusion again, but man, they make it easy)
GM Parts Direct: Your Shopping Cart jumped right out at me for a number of reasons.
First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound effect for edification. :-)
Second, the page contained one of the growing number of aforementioned conversion-driving website security seals.

Tick, tick, click...the Gieger counter is getting louder.
Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."
Methinks that Trustwave's Trusted Commerce program is missing a few fundamental security checks. Remember, XSS in PCI regulated sites, according to the PCI DSS, indicates that a site is not compliant (see section 6.5.4) if vulnerable to XSS.
Uh-oh.

All it takes is a fake login page, as opposed to our friends at XSSED.com, and...well, you get the point.
Simply, this is one of an endless number of shopping cart not secure, and not PCI compliant. For shame. You need only browse the Holisticinfosec.org Advisories page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the problem.
ecommerce<>security
ecommerce<>SDL
ecommerce<>PCI
website security seal<>security
Sigh.

Slacker Releases G2 Wi-Fi Music Player

Tue, 16 Sep 2008 05:38:53 +0000

Slacker joins Apple and Microsoft in releasing new models: It's been a busy week for those who follow the latest developments in music players. Apple's new iPods, while not revolutionary, still up the ante for features and quality; Microsoft's new Zunes, released today, come with fascinating new software options; and the Slacker G2 today. The G2, like the iPod touch and all Zunes, sports Wi-Fi.

Slacker licenses music directly from publishers, and includes a perpetual subscription in the cost of the player. Slacker creates stations that feed out an endless supply of music. The new models are $200 for a 4GB model with the ability to list 25 stations (up to 2,500 songs), or $250 for an 8 GB model with 40 stations (up to 4,000 songs). You can also sync your own music in MP3 or WMA format. For $7.50 per month, you can upgrade and store songs you're listening to, as well as avoid ads.

The G2 is already getting reviews as a much-improved upgrade from the first release. Like the Zune, there's no browser or other Internet features, and that might be a positive.

The G2 is tied into Devicescape's Wi-Fi home and hotspot authentication system, which lets Slacker G2 owners pre-program encryption keys or login information for hotspots that they frequent. Devicescape's software both retrieves and stores login information, allowing the G2 to be used in places that would otherwise require either tedious entry of a WPA passphrase, or be unavailable without a Web browser to handle the login.

EstDomains & Intercage: A Perfect Couple in Crime

Mon, 15 Sep 2008 17:32:00 +0000

If you track malware issues as readily as I do, you're likely aware of the failings of clownpacks like EstDomains and their hosting buddies Atrivo/Intercage. You need only follow Sunbelt's take on the topic, or search Emergingthreats to come up to speed.
Yesterday, EstDomains posted the most inept, ridiculous response ever issued to the endless and worthy criticism, largely leveled by Brian Krebs at the Washington Post.
Not only can't these morons from EstDomains write, they're either so deeply clueless or flagrantly malicious (likely both), it's beyond laughable. This section sums it up best:
"The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."
What? Really?
Again, aside from the absolute butchery of the language, did they just say "The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality."? SIGH...yes, they did.

Allow me to exemplify just how ridiculous a claim that is.
Following is content from a packet capture I took during a recent Storm worm analysis.

Using the ip2asn module included in NSM-console availabe in HeX, we find:
27595 | 216.255.189.211 | INTERCAGE - InterCage, Inc.

Using Etherape, also included in HeX, we see:

Using Eric Hjelmvik's NetworkMiner, we see:

See the recurring theme? Intercage, EstDomain's "reliable ally in its battle against malware".
Nice work, guys...keep it up.

I'm submitting this to The Daily WTF as we speak.

del.icio.us | digg

Don't Panic

Fri, 29 Aug 2008 13:03:16 +0000

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

Click to Enlarge

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.

Click to Enlarge

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manage to close your browser session.

This week in history - volcanos, hurricanes, and the risk of Black Swans

Thu, 28 Aug 2008 07:07:47 +0000

Pouring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary of the cataclysmic eruption of Krakatoa this week. For those of us that want to think big but can’t remember that far back, this week is also the 3rd anniversary of Hurricane Katrina’s devastating sweep across a wide stretch of the US Gulf Coast.

By now, I expect that most of you have read or are familiar with the 2007 book, The Black Swan, by Nassim Nicholas Taleb, which argues that these kinds of unpredictable, outlying occurrences are the ones that really shape businesses, countries, economies, and people. Taleb argues that although these “Black Swan” events are almost completely unforeseeable, we mistakenly try to explain the circumstances at the time and make predictions about similar events in the future.

In my ERM work with clients, and especially in the context of research I’ve been doing with my colleague Stephanie Balaouras on business continuity and resiliency, questions come up about how to plan for catastrophes... and they’re good questions. Were the CardSystems or TJX data breaches foreseeable? What about the Societe General debacle or the 2004 Indian Ocean tsunami? What’s next? Should these types of events be included in our risk assessments?

We’d like to get your opinion on these and other risks that may be on the very edge of the statistical tail. At what point do they belong in your risk register?

Of course, it’s possible to define mitigating controls for crises, disasters, or incidents without knowing for sure what they’re going to look like. That’s one of the hallmarks of a good crisis management plan. And that’s an important point, because trying to predict the next unforeseeable event can be a real challenge sometimes.

ColdFusion: Hack Me or Help Me

Thu, 28 Aug 2008 06:13:00 +0000

For your consideration, the endless battle between security and convenience.
Front and center: ColdFusion.
I've been picking on ColdFusion-built apps again a bit lately, and one of my observations has been that consistently, if mismanaged, the verbose error reporting features in ColdFusion can be really problematic.

HIO-2008-0713 JOBBEX JobSite SQLi & XSS
HIO-2008-0729 BookMine SQLi & XSS

Recently, I stumbled on an example of way too much information disclosure in a few sites running a ColdFusion-built CMS. The error reporting was so verbose it included the base path, data source name, database username, and yes, the database password.
I've cleaned it up for the protection of all involved, but here's a screen shot of only 1/4 of the details this site coughed up when I tweaked the input to a calendar date variable.

When I reached out to the developers of this app (always and immediately responsive), they assured me that this was not due to a flaw in the app, but that the "information should be protected, and is by default for our installations" and that the client disabled the security check and turned debugging on. I accept this explanation entirely, but it leads to the classic debate around the dangers of mismanaged debugging features, be they developer added or ColdFusion feature driven. Stupid user tricks are always an issue, but how much rope should they be given to hang themselves? Does error reporting really need to include the database username and password?

Allow me to present a few different perspectives.
First, rvdh's take on Attacking ColdFusion. Developers can learn a lot from this post, if only in that it precisely points out attack vectors. Ronald sums up my concerns aptly:
"As we know, error messages are important. Especially error messages generated by database software we want to inject. This, is useful for obtaining information about table structures that can be a real time-saver for attackers. If the right information is available, attackers do not have to guess database tables and fields anymore, nor having to brute force them. I have never seen so much information regarding the site's structure, used database, table names, drivers, server setup and other information useful for attackers that those of ColdFusion. It almost says: Please Hack Me!"
As I can't presume to improve on this stance, I won't. Well said.

Next, a developer's take on the issue from Joshua Cyr, who has declared it Check Your Error Output Day. Joshua highlights two key points:
1) Do NOT enable the robust errors setting in CF Administrator.
2) Don't forget to remove debugging dump code.
Heed this advice, ColdFusion fans!

One destination that all "secure" ColdFusion paths should lead to is the use of cfqueryparam. Ronald spells it out well mid way through his discussion, and so do the following resources:
coldfusionjedi
Coldfusion Muse

Further excellent resources for ColdFusion security issues:
SQL Injection Part II (Make Sure You Are Sitting Down)
12Robots.com

In closing, security and convenience needn't always be at odds, but often allowing for both requires a higher state of awareness for developers and end-users. Let common sense prevail; perhaps it'll give me less to do in the way of research. ;-)

del.icio.us | digg

Spamblogs Pushing Rogue Antivirus Programs

Mon, 11 Aug 2008 14:50:05 +0000

Nothing earth-shattering, but worth a mention anyway. I've noticed a couple of blogs pushing security blog feeds are also hawking pretend Youtube vids:

Click to Enlarge

When the videos are clicked, you'll find your browser vanishes down onto the taskbar, replaced by this sitting in the middle of the screen:

Once you click the popup box away, you're confronted with this:

Click to Enlarge

...a randomly selected rogue antivirus product. From here on it, any and all attempts to get rid of this page results in an endless barrage of popups, scare tactics ad hilariously lame warning messages (note the first one is called a "Security Update"):

Wow, they just get more and more hysterical, don't they?

The site to block that's pimping the fake videos is

thoughtcrime(dot)blogtodo(dot)com

Automated Spim on Microblogging Site Via MSN Messenger

Thu, 07 Aug 2008 17:12:09 +0000

There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering and some of them have seem to be a little easier to use in conjunction with Instant Messaging, whereas Twitter still seems to have a need for third party services, add-ins and other tools to get the job done if the service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

Click to Enlarge

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

Click to Enlarge

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

Click to Enlarge

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

Click to Enlarge

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much more easier (and far less time consuming than manually typing in URLs to your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that had been hijacked when clicking a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - need to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher

Myspace Drive By

Wed, 30 Jul 2008 14:58:50 +0000

Spotted in the wild (like they're spotted anywhere else!)

Apparently the following happened while someone tried to view a blog post:

Click to Enlarge

A fake "your system may be infected" popup. Note the site it launches from is one of the more aggressive types (it shrinks your browser down into the bottom corner, and won't let you do anything other than cycle in an endless loop of popups until you agree to download the file being pushed).

These kind of attacks occur because of rogue adverts being pushed into advertising space, which is likely what happened here. If you are unfortunate enough to be trapped by an attack like this, don't panic - just do a CTRL+ALT+DEL and close the browser window...

CCleaner and SpyBot are in the top five!

Thu, 03 Jul 2008 15:13:40 +0000

Great post over at LifeHacker today. It would heed you to listen up to the advice given.

clipped from lifehacker.com

Five Best Windows Maintenance Tools

You download, create, delete, and move around countless files and endless piles of data on your PC every day. While your PC would ideally handle all of this data for you, it doesn’t take long before you end up with a disorganized, cluttered computer.