[SecurityRatty] tag: postings

XSF & XSS: Double your pleasure, double your fun

Sun, 21 Sep 2008 17:00:00 +0000

If you've read this blog, or those of my peers, you're likely quite familiar with cross-site scripting, and the problems associated with open redirect vulnerabilities. A vulnerability you may be less familiar with is cross-site framing, which largely couples the best of both above-mentioned vulnerabilities.
What then, if there's a cross-site framing vulnerability coupled with cross-site scripting in the content offered by the frame? All sorts of problems come to mind: phishing, malware, credential theft; all arguably twice removed from the attacker's source, tucked away in the context of two victim sites.
First, I'll discuss the original XSS issue that led to this finding.
Recently, I was investigating a flawed parameter in Openhire, a career posting vendor used by major companies like Crate&Barrel, Eileen Fisher, Enterprise, Benjamin Moore, Scottrade, and Getty Images.
Most of these sites simply link to the Openhire offering that hosts job postings on their behalf which, in turn, has been crafted to look like the referring site.
As an example, here's Scottrade's employment page hosted by Openhire.

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?version=1&company_id=15624

Standard stuff, looks nicely like the Scottrade site, so everything's cool, right?
Wrong? What if someone hosting a service on your behalf suffers a security gap?
You're only as strong as your weakest link!
Here's the posting for an Application Security Engineer (funny, eh?) at Scottrade as hosted on their behalf by Openhire:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=976367&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters%3B%3B%3BInformation%20Technology%3B%3B%3BSecurity&startflag=3&CFID=66851845&CFTOKEN=29a95-d12594d4-47d9-49e8-9067-1091bdf68e80

Now here the same job posting spewing massive cookie data:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

Screen shot offered below, as the code above will likely be repaired very soon by Openhire. I notified them this past Thursday.

It's bad enough when there's an application security hole in code someone else is hosting on your behalf, but what if your method of displaying said code is also at risk? Enter the Getty Images Jobs page.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=careeropps&startflag=0&company_id=15531&version=2&CFID=12265212&CFTOKEN=60213778

Watch what happens when you pull the Openhire code. Can you say self-replicating frame loop from hell (in Firefox)? Trust me your browser will crash if you leave this running too long. This will likely be fixed soon, so if the URL doesn't work, the screen shot exemplifies the issue.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html

What if, instead of Openhire's Getty Images page, or nothing at all (which obviously creates its own issue), we drop in an arbitrary URL?
Yep, you guessed it.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://www.xssed.com/news/26/Cross-site_framed/

Now, bringing it all home for double the pleasure, double the fun, what if we coupled the original Openhire cross-site scripting vuln with Getty Images cross-site frame vuln?

It hurts twice as much, in my book.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

The lessons learned:
1) Ensure your partners are writing secure code on you behalf.
2) Ensure that the code you utilize to incorporate said partner's code is also well written. ;-)

Double the headache, double the dumb.

del.icio.us | digg

Open Source Intel Rocks, But It's Classified

Wed, 17 Sep 2008 11:45:00 +0000

The head of the CIA doesn't want you to know what he watches on TV. So-called "open source" intelligence -- tidbits taken from newspapers, internet postings, and TV shows -- may come from unclassified material, but the CIA chef says the finished products are too sensitive for average folks to see.

Facebook stamps out malware attack

Fri, 08 Aug 2008 09:00:00 +0000

Facebook has blocked a malware attack targeting unsuspecting users via postings on the site's Wall feature.

Chinese Bloggers Bypassing Censorship by Blogging Backward

Wed, 02 Jul 2008 12:25:19 +0000

With China trying to silence over 30,000 rioters during the weekend, by deleting forum postings and deactivating accounts mentioning the riot, Chinese bloggers have started using a widget they originally came up in order to bypass the "Great Firewall of China" by blogging backward, vertically and horizontally :

"So bloggers on forums such as Tianya.cn have taken to posting in formats that China's Internet censors, often employees of commercial Internet service providers, have a hard time automatically detecting. One recent strategy involves online software that flips sentences to read right to left instead of left to right, and vertically instead of horizontally. China's sophisticated censorship regime -- known as the Great Firewall -- can automatically track objectionable phrases. But "the country also has the most experienced and talented group of netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya Online Networking Technology Co., who has been responsible for deleting posts about the riot"

An old-school content obfuscation service that they could take advantage of, offers the opportunity to turn a short message into spam or a fake PGP encrypted file, where both parties can easily decode them to the original.

Spammmic is what I have in mind.

Myrcurial gets placed in the Leaders Quadrant - Gartner Days 1&2

Tue, 03 Jun 2008 10:23:04 +0000

Gartner IT Security Summit - June 1-3, 2008 - Washington, DC.

Alright - call this an omnibus posting.

I had planned to do a better job of intra-day postings, but the schedule here is hectic and as anyone who knows me can attest, I really do work to get maximum value out of any conference that I go to.

Highlights here - much more detail available if anyone comments/emails me to ask.

Day 1
Opening Keynote - The next 10 years in IT Security - Rated: Good.
Keynote - Google’s Security - Rated: Excellent.
Keynote - SciFi Authors’ Future View of IT Security - Rated: Excellent.

“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Mediocre to Good.
Exhibition Floor - Rated: Good.
Food - Rated: Hotel Std. Bring Pepto
Product Highlight - Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian It’s a way to lojack your laptops - a device that stores your crypto keys, 2nd factor auth token, acts as your 3G WWAN, GPS enabled, has an on-board Linux which acts as the “IT department’ controlled/controllable machine. Main feature - remote kill the laptop you lost.

Day 2
Keynote - Security Architecture for the Next 10 years - Rated: Excellent
“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Good to Better
Exhibition Floor - Rated: I don’t want to try to get that much shwag through airport security. SRSLY.
Food - Rated: I cannot wait for my kitchen. I cannot eat this much commercial grade food and stay healthy/alive. Amazing how even the fresh fruit is labelled “Hotel Froot”. It’s like an episode of the Simpsons.

Overall Review: I’ll probably come back - the issue of credibility in ensuring that I can quote someone that the business / IT folks respect rather than just my own opinion is a good thing, however, as a prominent (ha - take that Mike) security blogger, I’m a 4-5 on the CISO-CMM — and I’m surrounded by a whole lot of zeros and ones. Gartner is a good host, they take feedback seriously and are very interested in delivering some real value to people like me.

What needs to be fixed:

You may have noted that I’m not really chuffed by the food, and you’d be damn right. What is it with the “Conference Hotel/Venue” market that gives them such perfect 2 dimensional homogeneity of image and food? Fix the food.
Reorganize the environment such that I spend less time walking back and forth down this hallway.

Wifi… oh terrifying wifi. If there was a Wall of Sheep here, you couldn’t read it - it’d be scrolling too fast. Don’t you idiots have a freakin’ VPN?
BoF Sessions would be good — there’s not a whole lot of time in the schedule just to stir around and talk to people. There should be a number of areas that allow for free form communication amongst attendees. Have Gartner Analysts in and around those areas to spur conversations.
And lastly - Washington? WTF? Flying in to the DC area is practically a strip search. Conferencing is getting harder as the airline industry squeezes - and if I’ve got to fly, I want as little friction as possible.

It’s been a blast, but I need to pay attention and watch the countdown to my airport transfer at 1600.

Tags: Gartner, Gartner IT Security Summit, Alcatel-Lucent, OmniAccess 3500, Security Conferences

Google Helps Arrest Man In India

Mon, 19 May 2008 21:00:49 +0000

Google pulls a Yahoo in India.

From TechCrunch:

Today we’re hearing of another arrest, this time in India. 22-year-old IT professional Rahul Krishnakumar Vaid. His crime was writing in an orkut community named “I hate Sonia Gandhi.” Sonia Gandhi is a prominent politician in India.

Vaid was charged under section 292 of Indian Penal Code and section 67 of the Information Technology Act because he created a profile and then posted content in vulgar language about Sonia Gandhi in the community.

During investigations, the cyber crime cell of Pune police communicated with Google (which owns Orkut) seeking details about the man who formed this forum and circulated the obscene content. It was known that the vulgar message about Sonia Gandhi was circulated through an email address – Rahulvaidindia@gmail.com . The owner of the email id Rahul Vaid was traced, using information supplied by Google, to Chakarpur in Gurgaon city of Haryana.

Allegedly he was vulgar with respects to his postings. This is apparently against the law in India. The offense could fetch him roughly 5 years in the clink if convicted.

Don’t be evil, eh?

Article Link

Staten Island University Hospital notifies patients of December theft

Thu, 01 May 2008 11:09:25 +0000

Technorati Tag: Security Breach

Date Reported:
5/1/08

Organization:
Staten Island University Hospital

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
88,000

Types of Data:
"names, Social Security and health insurance numbers"

Breach Description:
"STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital."

Reference URL:
Staten Island Advance
Staten Island Advance (Video)

Report Credit:
Glenn Nyback, Staten Island Advance

Response:
From the online sources cited above:

STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital.
[Evan] Wow, December?!

After four months with no arrests, hospital administrators are just now beginning the process of sending letters to patients whose names, Social Security and health insurance numbers were contained in computer files on a desktop computer and a backup hard drive stolen Dec. 29 from one of the hospital's finance offices at 1 Edgewater Plaza.
[Evan] A desktop computer and backup hard drive, likely without encryption and containing sensitive personal information is generally poor information security practice. There was no mention of encryption in the news report, so I will assume that it was not present.

"The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,"
[Evan] As stated in numerous Breach Blog postings, true credit monitoring only alerts an individual AFTER fraud has already taken place. A Social Security number and other personal information does not expire or become ineffective after a year, so how good is one year of protection?

Ms. Ryback said no medical records were included in the files

wouldn't speculate why SIUH waited so long to notify people. "I'm not going to get into that," she said.

Police described the suspect -- caught on a surveillance camera -- as a black man between 30 and 40 years old. The man is seen walking out carrying the computer equipment in a cardboard box.
[Evan] The video of the theft is here. Its almost surreal to watch someone walk away with something that is very valuable to many people.

"at this time, there is no reason to believe that patient information from the stolen computer has been misused."
[Evan] Nope. The thief has not called the hospital to inform them that he is misusing the information.

Ms. Ryback said that, while the motive for the theft is open to question, it appears that it might have been purely for the value of the equipment.

"We take this opportunity to offer our apologies to the patients who are affected by the theft,"

"We reassure our patients and community that, as always, we regard patient confidentiality as one of our highest priorities, and in this regard, we are working to take additional steps to protect patient information and to reduce the possibility of computer theft in the future."
[Evan] Like what? Provide some details. Tell your customers/patients specifically what you plan to do in order to protect the information that belongs to them.

Without elaborating, Ms. Ryback said that "all you can do is be more security-conscious."
[Evan] Uh, no. This is not all you can do. Being security-conscious is important, but it is far, far, far from all you can do. How much weight should we put behind a statement like this? It's obvious that Ms. Ryback is not qualified to quantify "all you can do".

Police are asking for the public's help in catching a thief who made off with computer equipment from a Staten Island administrative building occupied by Staten Island University Hospital.

Police ask that anyone with information about the theft call NYPD's Crimestopper Hotline at 800-577-TIPS.

Citizen/Victim Reaction:
"After 4 months? Why did it take so long, Ms. Ryback? and now your going to offer to watch peoples credit ? I hope they sue your pants off," one reader, goaway12, posted yesterday.

averagedude, asked, "where was security?"

youbetchabar, joked, "4 months is about the same amount of time it takes to get called in the ER," poking fun at the waiting time for emergency patients.

Commentary:
On the one hand I enjoy doing research, albeit brief research about information security breaches. On the other hand I get really offended by organizations that demonstrate a lack of due care in the handling of personal information. No organization is going to state ""We reassure our patients and community that, as always, we regard patient confidentiality as one of our lowest priorities, and in this regard, we are working to take additional steps to disclose patient information and to increase the possibility of computer theft in the future." In the end, what really matters? It's not what the organization claims, it is what it demonstrates.

I am miffed by SIUH's apparent lack of risk, information security, and incident response management.

Past Breaches:
Unknown

Traffic stats and the top 10 blogs

Wed, 30 Apr 2008 01:00:00 +0000

This is the 300th published entry onto this blog. I thought it might be interesting to do a quick review of how many visitors it's getting, where you are all coming from and what the most popular postings have been over the past 12 months. Traffic figures are pretty good - weekly page views are generally between 600 and 800. Not too bad for a niche subject. As expected, most readers are from the UK but there's good interest from the US. I also have a small number of regular readers from the far east. My top ten blog entries (by unique page view) have been as follows: 1. Building an Information Security Strategy (5 March 2007) 2. What CIOs should be doing about security in 2008 (14 Jan 2008) 3. The 10 deadly sins of Information Security management (31 October 2007) 4. Portable wireless hacking device (9 Feb 2007) 5. HSBC new two-factor authentication system (7 September 2007) 6. Data Protection Act - What's the Damage? (20 September 2007) 7. RFID Passports (6 Jan 2008) 8. Incident definition and response (11 January 2007) 9. Use of Skype (28 March 2007) 10. More on PCI - the audit guide (24 March 2007) Ironically, those entries where I personally think I've hit the sweet spot and I sit by the phone waiting for the book-deal and television show hosting offers to come in don't do as well as the entries that are more "off-the-cuff." Your comments and feedback are always welcome.

Security Catalyst Forums

Tue, 29 Apr 2008 02:17:00 +0000

I've written often about all the ways I have met people. My network has certainly grown in the last year between facebook, linkedin, the numerous blogs that I read and the numerous blogs that they all link to.

One place that has certainly been a terrific place to meet smart people interested in Information Security and to harvest some of their ideas are the Security Catalyst Forums. Registration is free and gets you access to some really amazing people.

Each week someone volunteers to sum up the last week's postings and this week is my turn so here goes...

Andrew Hay is doing his CISSP and has been given a lot of advice by the members. Generally it is agreed that cccure.org is a good resource but always ready to jump in and start new Security Catalyst initiatives, Michael wants to put together a resource for those Catalyst Members studying for the CISSP.

I personally did the official CISSP boot camp training course and found it well worth doing. I bought the official ISC2 guide but found it to be too wordy and technical. It is a great resource though and I have used it many times since my exam but at 10pm after a days work it is the last thing your eyes want to see.

Education seems to be a theme at the moment - Didier Stevens write his GSSP-C exam and Kevin Riggins is debating doing a Masters in Information Protection/Assurance.

Information Security is slowly becoming so much more more than just Firewalls and Antivirus and the education needed is becoming vast. I think it has already come to the point where it is impossible to know everything and practitioners now need to work out what section of Information Security they want to get into.

I personally am interested in the management side of InfoSec but if I choose that then I will not be able to get deeply into any particular part of InfoSec anymore. I have my CISSP and would love to get a Masters like the one above but GSSP-C would be too restrictive for me but to each his own. Well done Didier and good luck Andrew, Kevin and all those that are looking to grow their knowledge.

Don Weber raises an interesting question - should businesses be monitoring search queries via their proxy servers. My feeling is that yes, they should. Companies should monitor everything and they have the right (in South Africa at least) to do so. However, (there is always an however with me) context is everything. One has to use the information that one gets from logs as a guide and try to understand exactly why someone browses so much or such strange sites or whatever. I believe that Information Security has to become a central part of the organisation and has to make connections with all departments. All browsing issues must be driven by HR with technical and policy help from InfoSec.

There were other discussions, jobs posted and conferences listed but I'm not going to go into them all. The last thing I'd like to say is that I asked a question on the Security Catalyst Forums and got some quality replies - all different but all quality that will allow me to do my job that much better.

Chinese Hacktivists Waging People's Information Warfare Against CNN

Mon, 21 Apr 2008 22:25:00 +0000

Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging with a massive forum and IM coordination between Chinese netizens enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coordinated incidents greatly illustrate what people's information warfare, and the malicious culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it :

hackcnn.com (58.49.59.253)
58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
china@hackcnn.com

Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (64.236.91.24:80) start, trying to access the following file at CNN.com :

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

antiCnn.exe
Scanner results : 3% Scanner(1/36) found malware!
TROJAN.DOWNLOADER.GEN
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by : Red Flag Cyber Operations nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers

Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.

According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list.