[SecurityRatty] tag: five-day

Online Finance Flaw: TIAA-CREF XSS & Potential CSRF

Wed, 03 Dec 2008 06:42:00 +0000

Before discussing a TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on Alexa.com at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
http://www.tiaa-cref.org/explore/portlets/search.jsp?query=security&strtfrm=1&totpresults=75&srchtype=4&sc=1&frmsite=0
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:

Here's the site after script insertion:

Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues.

del.icio.us | digg | Submit to Slashdot

A Diverse Portfolio of Fake Security Software - Part Fourteen

Thu, 27 Nov 2008 04:47:55 +0000

You didn't even think for a second that the supply of typosqutted domains serving packed and triple crypted to the point where the binary is not longer executing, fake security software domains is declining? With the upcoming holidays and the usual peak of web traffic, malicious activity on all fronts is prone to increase during December. YEWGATE LTD, Sawert Alliance, and Sagent Group, personal favorites affiliate participants in a revenue sharing program for serving fake security software, try to maintain a decent rhythm in their typosquatting process, always worth taking a peek at. The very latest rogue security software additions include :

micro-antiv2009 .com (91.208.0.223)
micro-antivir2009 .com
micro-antivirus-2009 .com
micro-av-2009 .com

Sawert Alliance
Peltonen Martti seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790

avmyscan .com (91.203.92.186; 78.157.143.184)
go-your-scan .com
bestproscan .com
avproscan .com
goyourscan .com
iabestscan .com
avmyscan .com
best-scan-pro .com
avscan-pro .com
bestscanner-pro .com
avscanpro .com
iascannerpro .com

Jaroslav Voltz
Email: mensfult@gmail.com
Organization: Private person
Address: Biskupsk 9
City: Praha
State: Praha
ZIP: 11000
Country: CZ
Phone: +420.2224811382

virus-labs2009 .com (66.232.113.62)
virus-trigger .com
virusresponse2009 .com
virusresplab .com
virus-response .com

Roman Spitsikov
Uus-Sadama 12
Tallinn, Tallinn 10120
Estonia
Roman.Spitsikov@gmail.com

virusremover2008plus .com (77.245.61.80; 93.190.139.229)

Sagent Group (sergbelo@gmail.com)
Brignal Solutions
P.O. Box 3469 Geneva Place, Waterfront drive
Road town, BVI
BZ
+1.14193017015

antivirus-pro-scan.com (84.243.197.183)
anti-virus-defence.com
protection-livescan.com

Aleksey Kononov cndomainz@yahoo.com
+74954538435 fax: +74954538435
ul. Yakimanskay 34-56
Moskva Moskovskay oblast 112745
ru

rapidantivir .com (91.208.0.220)
rapidantivirus-2009 .com
securityscanner2009 .com
rapidantivirus2009 .com
rapid-antivir .com
extraantivir .com
rapid-antivirus .com
rapidantivirus .com

Sawert Alliance
Peltonen Martti seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790

sgscanner .com (116.50.14.185)
sguardscan .com
scansguard .com
getsg2008 .com

Dont get a lump of coal this season!

Tue, 18 Nov 2008 14:46:21 +0000

Make sure your online protection products are working and updated, or you may get a lump of coal this Holiday season.

clipped from www.marketwatch.com

Webroot Threat Advisory: Online Threats to Increase This Holiday Season

To protect themselves during any online
shopping experience, consumers need to be aware of the security
risks and necessary precautions they should take to avoid being a victim
of cyber crime. Since the October to December timeframe will be a key
money-making season for today’s financially
motivated cyber criminals Webroot is recommending that consumers follow
these five steps:

Chertoff: We're Closing that Boarding-Pass Loophole

Mon, 17 Nov 2008 15:57:00 +0000

Five years later, the Department of Homeland Security gets around to fixing a security hole that allows people to easily fly under an alias, bypassing anti-terror name screening.

Dodgy ISP McColo briefly comes online, updates botnet

Mon, 17 Nov 2008 02:00:00 +0000

McColo, the ISP identified as hosting the command-and-control servers for no less than five large botnets, briefly came back online over the weekend before being cut off again, according to security vendors.

A Less Tasteful Internet

Fri, 14 Nov 2008 04:59:47 +0000

It may take awhile, but ICANN can change things for the good. The public comment period is still open on the formal policy on AGP DELETEs, but the stopgap budget measure in place seems to be very effective. ICANN announced that AGP DELETEs declined "... from approximately 17.6M in June 2008 to 2.8M in July 2008." 2.6M of the 2.8M were subject to the fee, so it would seem that even those would continue to decline as the people paying them realize they're wasting their money. AGP DELETEs are the mechanism used by "domain tasters" who register a domain, throw PPC ads up on it and DELETE the registration before five days are up for a full refund of all fees. Under the new budget policy, registrars who exceed a certain threshold of DELETEs as a percentage of total registrations can no longer refund the 20 cent ICANN fee. This alone has led to the massive decline in DELETEs, showing how little margin is involved in each domain. Let's hope that ICANN keeps the policy at least as restrictive as this. Domain tasting may no longer be a problem. ICANN has placed the EstDomains registrar back on death row. Read about it here.

Security, virtualization lead 2009 tech plans

Mon, 10 Nov 2008 21:00:00 +0000

Networking lost ground, but security, business intelligence and server virtualization landed in the top five technology priorities for IT in 2009, according to The Society for Information Management.

Army Social Scientist Set Afire in Afghanistan

Thu, 06 Nov 2008 16:10:00 +0000

For the third time in five months, a social scientist working for the Army's Human Terrain Team has been killed or seriously wounded. This time a woman is doused in gasoline and set ablaze in an apparent Taliban attack.

U.S. Court Rules that Hashing = Searching

Wed, 05 Nov 2008 05:28:17 +0000

Really interesting post by Orin Kerr on whether, by taking hash values of someone's hard drive, the police conducted a "search":

District Court Holds that Running Hash Values on Computer Is A Search: The case is United States v. Crist, 2008 WL 4682806 (M.D.Pa. October 22 2008) (Kane, C.J.). It's a child pornography case involving a warrantless search that raises a very interesting and important question of first impression: Is running a hash a Fourth Amendment search? (For background on what a "hash" is and why it matters, see here).
First, the facts. Crist is behind on his rent payments, and his landlord starts to evict him by hiring Sell to remove Crist's belongings and throw them away. Sell comes a cross Crist's computer, and he hands over the computer to his friend Hipple who he knows is looking for a computer. Hipple starts to look through the files, and he comes across child pornography: Hipple freaks out and calls the police. The police then conduct a warrantless forensic examination of the computer:

In the forensic examination, Agent Buckwash used the following procedure. First, Agent Buckwash created an "MD5 hash value" of Crist's hard drive. An MD5 hash value is a unique alphanumeric representation of the data, a sort of "fingerprint" or "digital DNA." When creating the hash value, Agent Buckwash used a "software write protect" in order to ensure that "nothing can be written to that hard drive." Supp. Tr. 88. Next, he ran a virus scan, during which he identified three relatively innocuous viruses. After that, he created an "image," or exact copy, of all the data on Crist's hard drive.
Agent Buckwash then opened up the image (not the actual hard drive) in a software program called EnCase, which is the principal tool in the analysis. He explained that EnCase does not access the hard drive in the traditional manner, i.e., through the computer's operating system. Rather, EnCase "reads the hard drive itself." Supp. Tr. 102. In other words, it reads every file-bit by bit, cluster by cluster-and creates a index of the files contained on the hard drive. EnCase can, therefore, bypass user-defined passwords, "break down complex file structures for examination," and recover "deleted" files as long as those files have not been written over. Supp. Tr. 102-03.

Once in EnCase, Agent Buckwash ran a "hash value and signature analysis on all of the files on the hard drive." Supp. Tr. 89. In doing so, he was able to "ingerprint" each file in the computer. Once he generated hash values of the files, he compared those hash values to the hash values of files that are known or suspected to contain child pornography. Agent Buckwash discovered five videos containing known child pornography. Attachment 5. He discovered 171 videos containing suspected child pornography.

One of the interesting questions here is whether the search that resulted was within the scope of Hipple's private search; different courts have approached this question differently. But for now the most interesting question is whether running the hash was a Fourth Amendment search. The Court concluded that it was, and that the evidence of child pornography discovered had to be suppressed:

The Government argues that no search occurred in running the EnCase program because the agents "didn't look at any files, they simply accessed the computer." 2d Supp. Tr. 16. The Court rejects this view and finds that the "running of hash values" is a search protected by the Fourth Amendment.
Computers are composed of many compartments, among them a "hard drive," which in turn is composed of many "platters," or disks. To derive the hash values of Crist's computer, the Government physically removed the hard drive from the computer, created a duplicate image of the hard drive without physically invading it, and applied the EnCase program to each compartment, disk, file, folder, and bit.2d Supp. Tr. 18-19. By subjecting the entire computer to a hash value analysis-every file, internet history, picture, and "buddy list" became available for Government review. Such examination constitutes a search.

I think this is generally a correct result: See my article Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005), for the details. Still, given the lack of analysis here it's somewhat hard to know what to make of the decision. Which stage was the search — the creating the duplicate? The running of the hash? It's not really clear. I don't think it matters very much to this case, because the agent who got the positive hit on the hashes didn't then get a warrant. Instead, he immediately switched over to the EnCase "gallery view" function to see the images, which seems to be to be undoudtedly a search. Still, it's a really interesting question.

Adobe Patches Older Reader PDF Flaw, In Total 8 Vulnerabilities Patched

Tue, 04 Nov 2008 21:30:57 +0000

Adobe Systems Inc. today patched its Reader application for the fifth time this year, plugging eight security holes, including one that was reported to the company more than five months ago. In late May, researchers at Core Security Technologies told Adobe of a critical vulnerability in Adobe Reader and Adobe Acrobat, the free-of-charge and for-a-fee programs, [...]