[SecurityRatty] tag: sets

AlgoSec upgrades analysis platform to paint big picture of firewall protection

Sun, 23 Nov 2008 21:00:00 +0000

AlgoSec is releasing new software that enables its Firewall Analyzer to simulate the effect multiple firewalls have on traffic, making simpler to determine the net effect of the firewalls and to streamline their rule sets.

Mamma.com: Insider trading and XSS

Tue, 18 Nov 2008 06:55:00 +0000

Mamma.com's got issues other than Mark Cuban's insider trading allegations. As a point of reference for this conversation, Mamma.com is ranked 4064 on Alexa as of today.
I won't profess to following Mr. Cuban's public life and the occasional antics. Obviously, he's a colorful and popular figure; certainly in Dallas, if not nationally.
What follows is not a judgment of Mr. Cuban or his pending legal challenges. I'm sure the process will play itself out accordingly.
A quick summary and some reference material:
The SEC has filed insider trading charges against Mr. Cuban. "According to the SEC, Cuban dumped 600,000 shares, or all of his 6.3% stake, in the search engine Mamma.com (The Mother of All Search Engines), in June 2004 after learning about private financing that the company was proposing. By selling, he avoided losing $750,000, the SEC alleges."
The whole issue for Mr. Cuban was PIPE financing because it's "dilutive to existing shareholders’ stakes."
That's the long and the short of the current issue, and again, not my real interest here, with the exception of the bet I made with myself regarding the probable web application security posture of mamma.com.
All this talk about a popular site immediately sets off the little bell in my head (I hear it a lot).
"What's wrong with the site?" is always the first question I ask myself.

I was not disappointed.

Mamma.com exhibits the following issues:
1) XSS vulnerability in the utfout variable.

2) XSS vulnerability in the qtype variable.

3) XSS vulnerability in their Mammajobs site at the pid variable. This one's weirder still; if you drop an IFRAME in, it simply redirects to any URL you include in the IFRAME string.

4) The prospect of CSRF (rather pointless here given that its just a search engine, but but still defies best practices) appears likely given that mamma.com blindly accepts updates via GET and POST with no sign of a formkey (canary) in sight.

I figured it best to stop there, and have submitted all these to Copernic (the Momma parent company).
I am however truly disappointed that an enterprise as ambitious and motivated as Momma/Copernic seems to have thrown the baby out with the bath water when it comes to web application security.
With regard to Mark Cuban dumping his shares: maybe he was afraid of getting pwned. ;-) All kidding aside, it's a shame that the whimsical and pessimistic thoughts regarding web site security that bounce around in my head inevitably bear themselves out.

del.icio.us | digg | Submit to Slashdot

Anti-malware group sets product testing guidelines

Tue, 11 Nov 2008 02:00:00 +0000

The Anti-Malware Testing Standards Organization said Monday that its membership had agreed on guidelines and principles for testing anti-malware products.

Antimalware group sets product testing guidelines

Mon, 10 Nov 2008 21:00:00 +0000

The Anti-Malware Testing Standards Organization yesterday announced its members, which include more than 15 security firms specializing in combating malicious code, have adopted test principles and best practices they hope will eventually help unify the industry in the sphere of malware-code testing and reporting.

Links List 11.7.08

Fri, 07 Nov 2008 19:49:59 +0000

Government contractors spill their thoughts about how Obama’s historic win will affect the industry. A majority of those questioned agreed to the fact that nothing will change overnight and everything will occur within 2-3 years. Others expressed thoughts on who will lead procurement and acquisition policy at GSA and OMB, as well as a possible hiring freeze for the government workforce. We’re also waiting to see what will happen to FISMA and IPv6 compliance going forward as a new administration and new OMB management sets their own agendas and mandates.

Due to the slow economy, most tech companies are being cautious and ratcheting back sales forecasts for software and hardware. The exception: Infra-Strategy, a company that operates a group of Web sites that help people find a lawyer and info to deal with bankruptcies, divorces and DUI cases. Visits to the sites are booming – with visits to totaldivorce.com, for example, up 112% in October 2008 (I found the picture on the website particularly compelling). Apparently, in bad times, divorce rates go up. Who knew?

Is it always a recession when it comes to IT Operations? Companies are constantly trying to find ways to do more with less in IT – reducing costs but keeping the same or even adding functionality – deploying technologies that drive IT consolidation such as mobile and remote access, unified communications and virtualization. Chris Silva of The Forrester Blog for IT Infrastructure & Operations Professionals is looking for a research panel to find out what fellow IT companies are doing to keep their IT budgets in check. To join the research panel visit: http://itpanel.forrester.com/.

The Cloud Computing Monopoly debate continues. O’Reilly Media founder Tim O’Reilly and technology writer Nicholas Carr (of “IT Doesn’t Matter” fame/infamy) have been discussing the ‘potential for a single company to achieve monopoly control of the world of cloud computing.’ But what’s even more interesting is the “who will make a lot of money” in cloud computing question.

Quality Assurance in Malware Attacks - Part Two

Tue, 14 Oct 2008 03:21:38 +0000

Surprisingly, while opportunistic cybercriminals have long embraced the malware as a service model, and are offering managed lower detection rate services for a customer's malware, or DIY ones where the customer can take advantage of popular tools ported to the Web, others are still trying to innovate at a faddish market niche - multiple offline AV scanners tools aiming to ensure that their malware doesn't end up in the hands of vendors/researchers.

Multiple offline AV scanning tools like this very latest release, naturally using pirated copies of popular antivirus software, are faddish, due to the fact that during the last two years, the underground has been busy working on several paid web based services, that not only make sure vendors and researchers never get the chance to obtain the samples, but also, are already offering scheduled scanning of malware and automatic ICQ/Jabber notifications for QA of the campaign, next to the rest of unique features disintermediating legitimate multiple AV scanning services.

Certain features within such services clearly speak for the intentions of the people behind the service. For instance, among one of these features is the ability to fetch a binary from a set of given dropper URLs like malwaredomain.com/binary.exe, the result of the scan can then alert the malware campaigner about the current state of detection.

What's on these proprietary multiple AV scanning service's to-do list? Let's say anything that a legitimate multiple AV scanning service would never offer, like the following according to one of the services in question :

- DIY heuristic scanning level settings for each of the software in place
- upcoming sets of anti spyware and personal firewalls with detailed statistics of the sandboxing
- behavior-based detection results

The possibilities for integrating such proprietary multi AV scanning services within the QA process of a malware campaign are countless, and both, the customers and the sellers seem to have realized the potential of this ecosystem.

Cambridge lab sets quantum key world record

Tue, 07 Oct 2008 20:00:00 +0000

The hugely promising security technology of Quantum Key Distribution (QKD) has moved an important step closer to commercialization with the announcement by U.K.-based researchers that they can now shift encryption keys around at speeds of 1Mbps.

University sets up a campus warning network for free

Mon, 06 Oct 2008 20:00:00 +0000

Elon University needed to come up with a campus-wide emergency notification system that integrated with all the possible warning-delivery systems already installed on campus, and managed to pull it off for free.

Credit-card security standard issued after much debate

Tue, 30 Sep 2008 20:00:00 +0000

The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, today issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.

Passgen tool from my book

Mon, 29 Sep 2008 16:42:29 +0000

Way back in 2005, Jesper Johannson and I wrote Protect Your Windows Network. It’s still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering, security dependencies, and how to think about security remains relevant. That’s because we strove to write something more lasting than a simple configuration guide.

On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.