[SecurityRatty] tag: threats

Upcoming Talks and Training

Thu, 03 Jul 2008 10:32:26 +0000

Here is my current list of talks and training

"Breaking Web Services," Monday July 7: OWASP Twin Cities - "SOA and Web services promise wonderful interoperability, but distributed systems create lots of room for fantastic failures. This session will explore the gory details of unique vulnerabilities at each layer of the SOA stack - from the WSDL interfaces to XML processing (XSD, XPath and XQuery), to the implementation languages liike Java and C#, to new security standards like WS-Security and SAML.
I gave a version of this talk with Brian Chess at the 2008 RSA Conference.
"Web Services and SSO: There and Back Again" at Ping's SSO Summit. July 25, Keystone, CO - "What happens to your identity information and business data after you press "SUBMIT" on a website? These bits have a journey as dangerous as Frodo Baggins' travels through Mordor. This talk traces the path from the website through the perils that lurk in the enterprise and legacy systems. We will explore what threats are encountered along the way, and how to design a cost effective security architecture with Security Token Servers using open standards."
"SOA, web services, and XML Security" 1 day training at Usenix Security July 29. This is a public 1 day version of my training see the link for details

Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security

Tue, 01 Jul 2008 15:03:10 +0000

In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security.

Guido is the creator of the Python programming language and more recently, Google App Engine team member. His involvement with the App Engine project was pretty late - the code “was almost ready for release” when he get involved. The security architect of App Engine was primarily project lead, Kevin Gibbs, supported by the rest of the App Engine crew and the Google Security Team.

The Interview

cloudsecurity.org: What security principles did you follow for App Engine?

GvR: While I can’t share any specifics on what we’re doing to secure App Engine, I can say that the main principle we’ve followed could be called “defense in depth”. We’re not relying exclusively on a secure interpreter, or any other single security layer, to protect our users.

cloudsecurity.org: Please provide some examples of how those principles played out in terms of the current implementation?

GvR: Sorry, we don’t divulge such information.

cloudsecurity.org: What criteria did you apply to Python module selection?

GvR: We first looked for modules that were useful and straightforward to audit. If a module was large or complex, we’d only audit it (fixing things we found) if it was deemed essential or at least useful for a large number of users; otherwise we’d exclude it.

cloudsecurity.org: What do you see as the security risks inherent in exposing an interpreter runtime in a shared environment?

GvR: I presume you’re asking about risks to users, like providing accidental access to data belonging to another app. We’ve taken extensive measures to isolate different apps from each other. For example, each app runs in a separate process, and the datastore prevents an app from accessing data belonging to other apps.

cloudsecurity.org: I recently attended a fascinating talk by Justin Ferguson (a Seattle based security consultant) at eusecwest in London. He gave a great talk exploring security vulnerabilities in language interpreters and specifically highlighted some security weaknesses in Python App Engine. What are your thoughts on his research and specifically the Python issues he highlighted? When do you anticipate they will get fixed?

GvR: We’ve anticipated all of the possibilities raised in Justin’s talk, and took measures to protect our users. Justin highlighted weaknesses in Python, but not in App Engine. Furthermore, our security model does not rely solely upon protections within the Python interpreter; there are additional protections that these external analyses have missed.

cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users processes or attacking backend systems?

GvR: You are correct that there are strong measures in place, but I’m not at liberty to discuss details.

cloudsecurity.org: Python was the first language to get the App Engine treatment, what language is next and what are some of the language specific security challenges the team has had to deal with?

GvR: Although I can’t comment on what language is next, we are working on this, and have gotten a lot of great feedback from our developers. As far as language-specific security challenges, they stemmed mostly from the complexity of the Python interpreter. We spent a lot of time auditing this, and did a great deal more than just identifying buffer overflows. I can also add that Google is actively researching the security of interpreted languages. Google engineers routinely contribute security fixes to open source projects, including but not limited to Python.

cloudsecurity.org: How does the team decide when ‘enough is enough’ in terms of hardening the interpreter?

GvR: That’s not really how we approach it. We realize that security is an ongoing effort, and try to stay ahead of threats through continuous monitoring and testing.

cloudsecurity.org: Some commentators have suggested that perhaps the difficulty of auditing the implementation led to some modules being more heavily restricted than perhaps necessary. What are your thoughts on that and what plans, if any, are there to bring back code objects/functions that were eliminated in the initial release? (with the benefit of hindsight).

GvR: The only thing we are likely to put back is the _ast module, which was not audited based upon an underestimation of its usefulness (see my answer to question #3 above). We will also put back some dummy functions and other objects whose absence currently prevents some popular frameworks from being loaded without modifications. For example, some harmless functionality in the imp module will come back. We’re also looking into making urllib2 work (to some extent), though that’s not really a security issue but merely a matter of API adjustment.

cloudsecurity.org: It is reported that Google encourages small groups to go off and create. How involved were the Google security team with App Engine in terms of design and implementation review/testing? Given the dynamics, is it possible to have a meaningful security process that shadows the development process?

GvR: The Google Security team is involved in everything we do. They have been extremely helpful.

cloudsecurity.org: How can people report security weaknesses they discover in App Engine? What commitment does Google give in terms of dealing vulnerability reports?

GvR: There is a standard process for submitting security issues. See http://www.google.com/corporate/security.html. Google moves very fast to protect its users when a verifiable security vulnerability is reported.

cloudsecurity.org: One concern is the potential misuse of App Engine to exploit security vulnerabilities in visitors browsers. This is not a new problem per se, shared hosting providers know all about this. But with Google and other Cloud providers, the scalability potential is much higher. What are your thoughts on this and what pro-active steps is Google taking to detect and terminate evil apps?

GvR: This is high on our list of concerns. We deal with this through a combination of restrictions on what you can do (e.g. certain HTTP headers and ports are off-limits) and, again, monitoring.

cloudsecurity.org: Beyond App Engine, what role do you think Python will play in the Cloud both now and in the future?

GvR: Sorry, I’m not prone to philosophizing about the future.

cloudsecurity.org: Trust is often cited as a barrier to enterprise adoption of Cloud Computing. What role do you personally think Google can play in building that trust?

GvR: I think trust is built up over a long period of experience. Our actions in terms of being open to our users will be the most important factor in establishing trust. Of course, Google’s reputation also helps: everybody understands that Google doesn’t want its name associated with a bad product.

cloudsecurity.org: Looking at the Cloud Computing landscape beyond Google, what are your thoughts on the current state of Cloud Computing and Security?

GvR: It’s obvious that Cloud Computing is only just taking off. The next few years will be very exciting.

cloudsecurity.org: Lastly, what are some of your favourite App Engine apps?

GvR: There are too many to enumerate. If you insist on a highlight, well, I like Rietveld (http://codereview.appspot.com), a tool for collaborative code review which I (largely) wrote myself. It is open source and includes some essential components from Mondrian, a similar internal tool which I created before I joined the App Engine team.

Thanks

My thanks to Guido for his time and sharing his views.

Meet ratproxy, our passive web security assessment tool

Tue, 01 Jul 2008 12:49:00 +0000

Posted by Michal Zalewski

We're happy to announce that we've just open-sourced ratproxy, a passive web application security assessment tool that we've been using internally at Google. This utility, developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more. (A more-detailed discussion of these features and information on securing vulnerable applications is provided here.) Compared with more-traditional active crawlers, or with fully manual request inspection and modification frameworks, this approach offers several significant advantages in terms of minimized overhead; marginalized risk of site disruptions; high coverage of complex, client-driven application states in web 2.0 solutions; and insight into dynamic cross-domain trust models.

We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies. We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research.

To download the proxy, please visit this page. Also, please keep in mind that the proxy is designed solely to highlight interesting patterns in web applications, and a further analysis by a security professional is often required to interpret the results and their significance for the tested platform.

Summarizing June's Threatscape

Tue, 01 Jul 2008 03:05:01 +0000

June's threatscape that I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both, researchers and malicious parties to assess the severity of a particular banker malware campaign, the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking, all speak for themselves and how diverse the threats and, of course, the abilities to maintain a decent situatiational awareness about what's going on have become.

01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages was shut down in less than 12 hours upon notification

02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild, the price discremination that they applied greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain

03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online, releaved a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network

04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of puchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across to on a daily basis, and that's a lot of botnets, is also there

05. Who's Behind the GPcode Ransomware? - The title speaks for itself, the research with enough actionable intelligence gathered in the shortest timeframe possible is already proving accurate and highly valuable. How come? Stay tuned for more developments

06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro who are also following this that the site is up and running again. Not for long

07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner"

08. Monetizing Web Site Defacements - Web site defacements are getting monetized just like SQL injections are in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund

09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks

10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw released publicly in May, 2008, not just allows others to hijack someone's ebanking botnet, but also, vendors and researchers to better assess a vulnerable Zeus command and control location

11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering track that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which when combined can result in a lot of people unknowingly visiting the sites

12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indicating tha they are currently typosquatting other social networking sites like Hi5 for instance

13. Underground Multitasking in Action - As a firm believed in taking a random sample for a particular threat segment, this was once of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used

14. An Update to Photobucket's DNS Hijacking - Despite that Photobucket didn't oficially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com

15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding at how structured the ecosystems are

16. Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in this case we have a cyber jihadist backdoording his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspect's PCs, so why not SQL inject the cyber jihadist forums themselves?
17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following, do they even have a web site that's up the running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998
18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here, go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking
19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself

Study: Unpatched Web browsers prevalent on the Internet

Mon, 30 Jun 2008 20:00:00 +0000

Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk from growing threats from diligent hackers, according to a new study published by researchers in Switzerland.

Ad-Aware 2008 Now Available!

Mon, 30 Jun 2008 11:38:14 +0000

Whats new in 2008?

Integrated anti-virus protection
Our powerful anti-spyware software now includes extended
anti-virus protection for Ad-Aware 2008 Plus and Pro versions.
Improved rootkit removal system
An improved rootkit removal system is now available to
address today's threat framework.
Bigger and better detection
Lavasoft's new extended anti-virus engine boosts detection
to include over one million additional virus and malware threats.
Substantially reduced use of computer memory
Plus and Pro users will notice a significant reduction in
computer memory used while in watchguard mode.
64-bit platform support
Ad-Aware 2008 Free, Plus and Pro versions will have full
64-bit platform support as well as Windows Vista compatibility.
Faster updates
New download compression results in faster product updates
for users on all systems.
New international network of malware security volunteers
submitting samples of the latest malware threats in the wild.

Now Available on the SpywareBiz AntiSpyware page. Get it now!

Same Letters, New Acronym

Fri, 27 Jun 2008 08:50:12 +0000

On 26 June, Cisco, IBM, Intel, Juniper and Microsoft announced the formation of the Industry Consortium for the Advancement of Security on the Internet (ICASI). The major goal of the consortium is to be a forum where technology vendors can work together to share information and address new threats that have common impacts across their product lines. This is markedly similar to the goals of another consortium that all five vendors belong to, the Information Technology Information Sharing and Analysis Center (IT-ISAC), established way back in 2001 and largely ineffective.

There are some differences, though. ISACs were always U.S.-centric with the U.S. government trying to be involved. ICASI is supposed to be more global, but since it is being established by North American vendors, there is no real difference there, but at least it is government-neutral. The IT-ISAC had many member companies that were security product vendors and security services vendors, while ICASI is currently limited to five of the biggest infrastructure vendors, with Oracle and Sun and any telecom vendors noticeably missing.

Back in 2001, I commented that the IT-ISAC could make a difference only if it was driven by the vendors' corporate security officers, not by product managers, and if it focused on inward-looking improvements in security and not outward-bound marketing and press releases. The IT-ISAC never really met those goals and was largely ineffective. ICASI will have to take the same behind-the-scenes focus, or it will end up being just another multivendor acronym that goes nowhere.

Can you hear me now?

Fri, 27 Jun 2008 06:56:10 +0000

Verizon released a very interesting Data Breach report that analyzes over 500 forensic reports on their system over a number of years. It is great work by Verizon to gather this data and to publish it. Of course a consultant I go into lots of companies where they could learn a lot just by being more open and talking through issues with peers in other companies. Would be great to see other companies follow Verizon's lead.

I suggest you read their report, and I would like to add a little color to their findings from the perspective of the swamp I spend most of my time in - Web services security. Granted it is just one report, but the data run counter to a lot of conventional security "wisdom":

Who is behind data breaches?

73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

The internal/external divide is pretty silly these days, as is companies' recanting "inside the firewall and outside the firewall", I spend most of time hooking things up together precisely _so_ they intereoperate remotely. The firewall is a speed bump at best. At any rate external sources is a primary concern in Web services security, because - hey look our Web service front end just made your Mainframe/As400/Unix DB/ CICS/whatever accessible remotely. This is great from a functionality standpoint, but the issue is that these back end systems were never designed with anything remotely resembling an Internet threat model. Additionally, the Verizon team's findings around business parties and multiple parties strikes at the heart of a number of popular misconceptions in Web services security - "well its just B2B and its behind a firewall."

How do breaches occur?

62% were attributed to a significant error

59% resulted from hacking and intrusions

31% incorporated malicious code

22% exploited a vulnerability
15% were due to physical threats

A couple of things to note here - malicious code in my opinion is likely to be the biggest problem in Web services security going forward. There is a large gap waiting to be exploited here. You have no control over the other end of the pipe plus a massive attack surface, the only thing lacking is the attacker's ability to find and exploit which I strongly suspect is just a matter of time. Wrt hacking an intrusions we have the remote, passive nature of web security to blame here in Web services world. Paraphrasing Jeff Williams, the problem is that an attacker can just try an attack if it doesn't work, try again, again, and so on. This partially because of the loosely coupled nature of the systems, but it is also because commonly used information security protocols have diverged from reality are modeled using an object-centric mentality, where you "own" the object you are protecting and can afford to put passive controls around.

What commonalities exist?

66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls

Many of the attacks against Web Services are not difficult, in my training class, we'll typically execute 8-10 different attacks in a two day period. But the big one from this list is the first one - the amazing amount of attack surface offered up by Web services. Brad Hill has done a good job articulating these issues in SOAP/XML/WS-*, but at an enterprise its even bigger than those standards - the thing is we use Web services to make stuff interoperate, to make stuff reusable, and to virtualize endpoints. Great stuff if what you want to do is decentralize your business, but this creates oceans of space for attackers to roam. When you look beyond the Visio and the IDE view of web services, and get to the runtime there is an amazing amount of detritus left behind by all these layers.

If you are headed to Pakistan - watch your back

Thu, 26 Jun 2008 23:20:00 +0000

So much goes on in the murky world of Polictics that we often do not know what is afoot until long after the fact. Take a look at today's bombshell for instance.

Everyone seemed to be shocked to hear that North Korea came clean about their nuclear weapons capability and were rewarded by the lifting of some sanctions. This is a total "180" from their behavior not that long ago when they were flexing their nutrition-deprived muscles and thumbing their noses at the rest of the world.

This in turn is making me wonder about the threats from Afghanistan's President Karzai to Pakistan. President Karzai has been very vocal regarding Pakistan's involvement in his country's border area and his warnings suggesting Afghanistan's intent to attack their neighbor seems to be starting to agitate the Paskistani authorities. Which makes me wonder....is Karzai's theatrics a way to open the door for his U.S. protectors to launch an attack on the Pakistani border?

If this is the case, than Americans travelling to Pakistan should really consider if they need to be there and if they do, they should give serious consideration to their safety while there. We were recently contacted by a U.S. company who had business in Pakistan and rightfully so, they were worried for their safety. There are no doubt, many sympathizers in Pakistan, especially near the Afghan border who have little love for America or it's citizens. Further strikes (no matter how justifeid they may be), will only heighten this dislike/distrust.

If you are headed to that region, be well aware of what might lay ahead and plan accordingly.

Cisco, IBM, Intel, Juniper and Microsoft fight cyber terror together

Thu, 26 Jun 2008 20:00:00 +0000

Five major network hardware, software and services vendors are banding together to improve IT security by promoting faster responses to threats.