[SecurityRatty] tag: receives

Kaspersky remains in the best category

Thu, 13 Nov 2008 14:09:14 +0000

Ive always been a fan of the Kaspersky products.

Kaspersky Anti-Virus 2009 receives the Gold Malware Treatment Award from Anti-Malware Test Lab

Kaspersky Lab, a leading developer of secure content management solutions, announces that Kaspersky Anti-Virus 2009 has received the Gold Malware Treatment Award from respected security software test laboratory Anti-Malware Test Lab.

Way to go BitDefender!

Tue, 11 Nov 2008 15:00:44 +0000

Ive been using their products for two years now and Im very satisfied.
BitDefender even works with Vista!
Their online support is excellent and Its not a resource hog.

clipped from www.marketwatch.com

BitDefender Receives Prestigious Integrated Threat Management
Checkmark Certification From West Coast Labs

MOUNTAIN VIEW, CA, Nov 10, 2008 (MARKET WIRE via COMTEX) –
BitDefender(R), an award-winning provider of antivirus software and
data security solutions, announced today that BitDefender Total
Security 2008 received the prestigious Integrated Threat Management
Certification following independent testing performed by West Coast
Labs. The Integrated Threat Management Checkmark Certification is
granted only to products that have successfully passed and
continuously satisfy the requirements of a combination of Checkmark
certifications that together provide an effective integration of
security technologies in a content security context.

Spammers Domain Registrar EstDomains Receives ICANN Deactivation Notice

Wed, 29 Oct 2008 21:27:19 +0000

EstDomains, a domain name registrar that worked closely with cyber criminals, suffered another blow after the organization that oversees the net’s address system said it would revoke the company’s right to sell domain names because of a recent fraud conviction of its president in Estonia. EstDomains has been criticized by many security experts for registering [...]

Applying SDL Principles to Legacy Code

Mon, 27 Oct 2008 14:24:00 +0000

Hello, this is Scott Stender from iSEC Partners, one of the SDL Pro Network partners. As security consultants, we at iSEC work with a variety of companies to drive security throughout their development cycle. Clients with mature security processes ask that we help carry out parts of their process, from requirements analysis to penetration testing. Other clients need help defining their security processes, and we help define and kickoff a program based on the Microsoft SDL, other defined processes, or variations thereof, depending on the client’s needs and abilities. Whether participating in an existing process or helping define one, I personally have been lucky enough to have seen my fair share of successes and failures, and it is this perspective that I hope to share in this guest post.

I find that legacy code poses a unique challenge for organizations rolling out a new security process. Often, the resources dedicated to maintaining older code are a small fraction of those devoted to new features or products. Furthermore, the original developers for such features have often moved on, leaving no subject matter experts to drive reviews. The astute reader will ask “How do I apply the principles of the Microsoft SDL to legacy code when I have no development resources and nobody knows how it works?”

The answer is “Start small, and build expertise over time.”

A Rising Tide Lifts All Boats

The best thing a security engineering team can do to improve security in the short term is to drive code quality, and the first step in this process is to define and enforce a secure coding standard. This helps on two fronts:

1. It will improve code quality and reduce implementation flaws across the entire code base. Unlike other security processes, driving a secure coding standard is relatively easy to accomplish across an entire code base, regardless of the code’s age, by a focused security team. That is not to say that it is easy without qualification – a large batch of spaghetti code will require a lot of work to untangle! Such an effort can only be called “easy” when compared to, say, comprehensive identification and remediation of design flaws across legacy features. Even so, improving code quality through the use of secure coding standards offers a unique combination of high impact, applicability to features, and ability to be carried out by a core team that makes it a sensible first step.

2. The security team might notice that some sections of code have more standards violations or outright flaws than others. This is an instance of vulnerability clustering, a concept that has been used to predict vulnerability rates and improve quality in the functional realm. The evidence is anecdotal, but it stands to reason that portions of code that consistently violate secure coding standards are good places to start looking for other classes of security flaw. These are security hotspots, and should be high on the prioritized list for further review.

Security testing may also be applied to legacy code, but initial activities should be considered on a case-by-case basis based on the expected return on investment. Such testing ranges from using inexpensive off-the-shelf tools to exercise common interfaces to rather expensive custom testing and formal analysis. It is worthwhile to begin with off-the-shelf tools, such as those that target file parsers or web applications, and tools created as part of your greater secure development efforts. These can help identify easily-found flaws and suggest improvements to the coding standards. Comprehensive security testing, on the other hand, is best tackled after the Legacy Security Push.

The Legacy Security Push

Coding standards and basic testing provide bang for the buck, but formal security processes seek to provide security assurance. The challenge for legacy code is that it needs to play catch-up. Security processes that occur early in the development cycle, such as requirements analysis, design review, and threat modeling, are particularly difficult to achieve years after the fact. The main goal of the Legacy Security Push is to create the deliverables from these efforts, the most important of which are security requirements and a full risk analysis.

It may sound trivial, but security requirements are essential. Not only do they define proper operation for the system in question, they also define assumptions that are suitable for relying systems. It is very common to find security flaws in legacy systems that arise from well-intentioned but incorrect assumptions such as “I assume that the Foo authenticates server Bar when initiating a bank transfer.” It stands to reason that Foo would do so for such an important activity, but this assumption must be validated. It is very common for older features to have been deployed in and written for different environments where the security assumptions that are "obvious" today just didn't apply at the time.

When reviewing legacy systems, the first step is to identify such requirements. If the original architects, developers or managers are available, they can provide valuable insight at this stage. More often than not this is not the case, and analysis must instead rely on what documentation is present and interaction between the software and its consumers. The goal is the same as in requirements analysis during project inception, except that in this case one must turn the process on its head and reverse engineer requirements from system behavior. At the conclusion of this effort, requirements can be theorized – “Foo must authenticate its server Bar before initiating a bank transfer.”

Risk analysis can be performed once a plausible set of requirements have been identified. Threat modeling is a more structured means of performing such an analysis, with the eventual goal of identifying means by which requirements can be violated by an attacker.

As with requirements analysis, original developers would be a valuable resource to consult. With or without such help, the first step is to identify how the software works. In many cases, help is not available and performing this task requires a great deal of effort. For features of moderate size, this author has spent upwards of a month reading code, using process profiling tools, and walking through the software with a debugger to identify program flow and security-sensitive functionality.

Once completed, actual system behavior should be documented and compared against the requirements theorized. It might be that the requirements should be re-evaluated (New requirement: Do not assume that Foo requires server authentication) or the system may need to be changed (New bug: Foo does not verify the CN for Bar). At the end, this information should be sufficient to support a comprehensive threat modeling exercise where security requirements, risks, and their mitigations can be documented.

Next Steps

Bringing a legacy feature up to par with its newer kin requires a relatively small number of items: improved code quality, clear security requirements, and a thorough threat model. As we have seen, performing even these tasks is quite the effort! I am sure that it is little comfort to be reminded that accomplishing these tasks has simply laid the foundation, and that the true benefit is that the newly-reviewed legacy feature is able to participate fully in the security processes that remain: reviewing cross-component security requirements and assumptions, comprehensive testing, and incident planning, to name a few.

Unfortunately, there is no silver bullet in security assurance. The soundness of the design and implementation of legacy software is just as important as in newer software, which is why any complete secure software development process will look backwards as well as forwards. Feature by feature, from higher priority to lower, the overall security of the software improves as legacy code receives the full security treatment it deserves.

Did you find the silver bullet? Might you think that defining security requirements is unnecessary? Perhaps “It is old and has not been attacked yet.” is a valid security strategy! Please comment below or email me directly at scott@isecpartners.com and share your thoughts.

Proxy Caches are a Challenging Threat to Internet Security

Sun, 05 Oct 2008 06:41:52 +0000

Proxy caches, combined with poorly written session management code, can easily leads to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons.

As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being sent the same Set-Cookie HTTP headers, for example. Caching proxy servers should obtain a fresh cookie for the each new client request. Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients. However, application developers cannot assume that proxy caches are well behaved, especially for applications where security and privacy are required.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Developers also cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content. For example, a session ID issued to a client gets used while it is valid or until abandoned and expired. If it is served and delivered in response to an unencrypted HTTP GET request, there’s no guarantee it will be consumed by the intended web browser.

Ideally, SSL should be used on all web transactions that require confidentiality and privacy, including our recent Google Docs breach. On the other hand, even SSL is not foolproof. For example, many web developers do not correctly set the “Encrypted Sessions Only” cookie property. These incorrectly configured “secure” servers will send HTTPS cookies in the open, unencrypted.

There be dragons …

Note: Reposted from the (ISC)2 blog.

OWASP AppSec Asia 2008: Proxy Caches and Web Application Security

Fri, 03 Oct 2008 07:05:04 +0000

Back to travelling a bit, I have accepted an invitation from Wayne Huang, Chapter Leader, OWASP Taiwan, to give the following presentation at OWASP AppSec Asia 2008, October 27 - 28, 2008, in Taipei:

Proxy Caches and Web Application Security

Abstract: Proxy caches, combined with poorly written session management code, can easily lead to serious Internet security breaches. Web application developers cannot know whether their content is consumed directly or via a proxy cache. Developers cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intented content. Consequently, proxy caches are a serious theat to web application security. In the presentation, we will discuss the recent security breach Tim found in Google Docs and review web application security and session management topics related to proxy caching.

Compromised Cpanel Accounts For Sale

Mon, 18 Aug 2008 06:42:50 +0000

Is the once popular in the second quarter of 2007, embedded malware tactic on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets turned into the most efficient way to infect hundreds of thousands of legitimate web sites? Depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can be easily tracked down on the basis of tools and tactics that he's taking advantage of, in fact, some would on purposely misinform on what their actual capabilities are in order not to attract too much attention to their real ones, consisting of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it used to be in the last quarter of 2007, but thanks to the oversupply of stolen accounting data, certain individuals within the underground ecosystem seem to be abusing entire portfolios of domains on the basis of purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically resulting in their decreasing price, with the sellers differentiating their propositions, and charging premium prices based on the site's page ranks and traffic, measured through publicly available services, or through the internal statistics.

SQL injections may be the tactic of choice for the time being, but as long as stolen accounting data consisting of Cpanel logins, and web shells access to misconfigured web servers remain desired underground goods, goold old fashioned embedded malware will continue taking place.

Interestingly, from an economic perspective, the way the seller markets his goods, can greatly influence the way they get abused given he continues offering after-sale services and support. It's blackhat search engine optimization I have in mind, sometimes the tactic of choice especially given its high liquidity in respect to monetizing the compromised access.

The bottom line - for the time being, there's a higher probability that your web properties will get SQL injected, than IFRAME-ed, as it used to be half a year ago, and that's because what used to be a situation where malicious parties would aim at launching a targeted attack at high profile site and abuse the huge traffic it receives, is today's pragmatic reality where a couple of hundred low profile web sites can in fact return more traffic to the cyber criminals, and greatly extend the lifecycle of their campaign taking advantage of the fact the the low profile site owners would remain infected and vulnerable for months to come.

Related posts:
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Injecting IFRAMEs by Abusing Input Validation
Money Mule Recruiters use ASProx's Fast-flux Services
Malware Domains Used in the SQL Injection Attacks
Obfuscating Fast-fluxed SQL Injected Domains
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Summarizing Zero Day's Posts for July

Fri, 08 Aug 2008 10:35:52 +0000

Different audience provokes different approach for communicating a particular event. In case you aren't reading ZDNet's Zero Day, where I blog next to Ryan Naraine and Nathan McFeters - join us.

Also, consider subscribing yourself to my personal RSS feed, or Zero Day's main feed in order to read all the posts. Here's a quick summary of my posts for last month :

01. Blizzard introducing two-factor authentication for WoW gamers
02. Sony PlayStation's site SQL injected, redirecting to rogue security software
03. 300 Lithuanian sites hacked by Russian hackers
04. Antivirus vendor introducing virtual keyboard for secure Ebanking
05. Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
06. Storm Worm's Independence Day campaign
07. Approximately 800 vulnerabilities discovered in antivirus products
08. $1 Million prize offered for cracking an encryption algorithm
09. U.K's most spammed person receives 44,000 spam emails daily
10. Storm Worm says the U.S have invaded Iran
11. Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails
12. Verizon, Telecom Italia, and Brasil Telecom top the botnet charts in Q2 of 2008
13. XSS worm at Justin.tv infects 2,525 profiles
14. Remote code execution through Intel CPU bugs
15. Ringleader of cybercrime group to be offered a job as cybercrime fighter
16. Spam coming from free email providers increasing
17. Kaspersky's Malaysian site hacked by Turkish hacker
18. Georgia President's web site under DDoS attack from Russian hackers
19. 75% of online banking sites found vulnerable to security design flaws
20. McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position
21. Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame
22. How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability
23. DNS cache poisoning attacks exploited in the wild
24. The Neosploit cybercrime group abandons its web malware exploitation kit
25. OS fingerprinting Apple's iPhone 2.0 software - a "trivial joke"
26. HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame

Click Fraud, Botnets and Parked Domains - All Inclusive

Mon, 28 Jul 2008 03:58:08 +0000

It gets very ugly when someone owns both, the botnet, and the portfolio of parked domains actively participating in PPC (pay per click) advertising programs, where the junk content, or the typosquatted domain names is aiming to attract high value and expensive keywords in order for the scammer to year higher on per click percentage. This is among the very latest tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet and commit click fraud would be cheaper than sharing revenue on per click basis with "human clickers" who earn money based on how many ads they click given a set of scammer's owned sites, where the customer supports represents a DIY proxy switching application changing their IP on the fly.

Click Forensics's recent Q2 2008 report indicates that botnets were responsible for over 25% of all click fraud activity they were monitoring during Q2. Not surprising, given that botnets have long been observed to commit blick fraud, using a common traffic exchange scheme. What's new is the use and abuse of parked domains :

"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys."

Will cybersquat security vendors for improving the chances of attracting high-valued keywords to later on click fraud? The trend has been pretty evident for a while, with cybersquatting increasing on an yearly basis according to multiple sources :

"Rise in pay-per-click advertising where cybersquatters link the domain name they have registered with a website containing ads promoting a variety of competing brands. The cybersquatter receives money every time internet users access this website and click on one of the ads."

However, the "internet users who are supposed to click on one of the ads on the parked domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented by the scammer. Here's a sample of currently parked domains attracting Symantec ads :

symentec .com
symantek .com
symanteck .com
symantac .com
symantaec .com
symantic .com
symmantec .com
symanntec .com
ssymantec .com
symanthec .com
symanzec .com
symanttec .com
sjmantec .com
saimantec .com
seymantec .com
symanrec .com
symantrc .com
symantwc .com
aymantec .com
dymantec .com
sxmantec .com
symantex .com
symantev .com
symabtec .com
symamtec .com
synantec .com
stmantec .com
symanyec .com
sumantec .com
symant3c .com
syman5ec .com
wwwsymantec .com
symanteccom .com
ymantec .com
syantec .com
symntec .com
symanec .com
symantc .com
symante .com
symattec .com
symantcc .com
syman-tec .com
syymantec .com
symaantec .com
symanteec .com
symantecc .com
ysmantec .com
syamntec .com
symnatec .com
symatnec .com
symanetc .com
symantce .com

As well as recent sample brandjacking Kaspersky :

kespersky .com
kasparsky .com
kaspaersky .com
kaspasky .com
kasperscky .com
gaspersky .com
kasbersky .com
kasppersky .com
kasperrsky .com
kasperssky .com
kasperskj .com
kasperskey .com
kaapersky .com
kasperaky .com
kasperdky .com
laspersky .com
kaspersly .com
kasperskt .com
kaspersku .com
kasp3rsky .com
kaspe4sky .com
kas0ersky .com
wwwkasperskycom .com
wwwkaspersky .com
kasperskycom .com
aspersky .com
kspersky .com
kasersky .com
kaspesky .com
kaspersy .com
kaspersk .com
kappersky .com
kaspessky .com
kas-persky .com
kasp-ersky .com
kasper-sky .com
kasperskyy .com
akspersky .com
ksapersky .com
kapsersky .com
kaseprsky .com
kaspesrky .com
kaspersyk .com
kaspersky24 .com
kasperskyonline .com
kaspersky-online .com

What's most disturbing is that instead of having cybersquatting taken care take of a long time, and scammers emphasizing on the junk content in order to attract the relevant ads on the bogus domains, the still trendy cybersquatting still does the magic by including the targeted word in the domain name itself.

Related posts:
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

Very few details are available for Missouri National Guard breach

Tue, 15 Jul 2008 10:15:48 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
National Guard Bureau

Contractor/Consultant/Branch:
Missouri National Guard ("MOGUARD")

Victims:
"Citizen-Soldier and employee"s

Number Affected:
"approximately 2,000"

Types of Data:
"some personal information"

Breach Description:
"The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised. Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation."

Reference URL:
Missouri National Guard Press Release
St. Louis Post-Dispatch

Report Credit:
Missouri National Guard

Response:
From the online sources cited above:

The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised.

Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation.
[Evan] Sounds like a good excuse to not reveal details.

It is important to note that we have no reason to believe that the information that was compromised was for the purpose of gaining Citizen-Soldier or employee information or that the information has been or will be used inappropriately.
[Evan] It's nice that MOGUARD can make this judgment call on behalf of the victims. Its too bad the victims are not allowed to make a determination themselves based on the facts surrounding this breach.

The Missouri National Guard has a list of those Citizen-Soldiers or employees whose information was compromised.
[Evan] Keyword is "was", and not the phrase "may have been".

Letters are being sent to these individuals and/or their Families.

The list includes approximately 2,000 individuals.

At this time we have no confirmation of misuse of Citizen-Soldier or employee information resulting from the loss.

"I am distressed that sensitive information has been compromised," Major General King Sidwell
[Evan] I am impressed when a leader of an organization steps forward and speaks about a breach. In my opinion it demonstrates strong leadership and the understanding that the "buck" ultimately stops with him.

"I am especially concerned about the problems and inconveniences this may cause for our Missouri National Guard Citizen-Soldiers and their families," King said.

Because Social Security Numbers may have been contained within the missing information, we advise individuals to monitor financial accounts continuously for suspicious activity as a matter of good practice.
[Evan] This statement provide a clue as to what "some personal information" may be.

The Missouri National Guard has safeguards in place to protect private information.

We provide ongoing privacy training to all employees.

The Missouri National Guard has taken action to rectify this unfortunate situation, and is working to insure our Citizen-Soldier’s or employee’s information receives the highest standard of security and privacy protection.

Any soldier or family member with questions should call a hotline number at 1-888-526-6664 extension 7888.

If the soldier is deployed overseas, the soldier may use the Defense Switching Network and call 312-555-9500 extension. 7888.

Commentary:
We have no idea as to what the cause of this breach may have been. Anyone want to guess? If so, post a comment.

It’s a little ironic. I was just typing an email response to an information security friend of mine about military breaches and the way the military has a completely different way of disclosing details (if any). This breach is proof positive. We'll have to see if further details emerge over time.

I sincerely hope that the owners of the "personal information" (the victims) get all of the answers that they require in order to evaluate risk themselves and make educated decisions on how they will proceed.

Past Breaches:
Unknown