74 posts categorized "ADC Team"
August 27, 2010
 Hackers accidentally give Microsoft their code

Best security article this week--maybe from the past several months.  I can't figure out who is more complacent: developers or hackers...  Anyway, highlights below.

http://www.zdnet.com.au/hackers-accidentally-give-microsoft-their-code-339305548.htm

When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman. When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

"People have sent us their virus code when they're trying to develop their virus and they keep crashing their systems," Heckman said. "It's amazing how much stuff we get."

At a Microsoft Tech.Ed 2010 conference session on hacking today, Heckman detailed to the delegates the top five hacking methods and the best methods for developers to avoid falling victim to them. Heckman explained how to create malicious code that could be used in cross-site scripting or SQL injection attacks and, although he said it "wasn't anything you couldn't pick up on the internet", he suggested delegates use the code responsibly to aid in their protection efforts.

According to Heckman, based on the number of attacks on Microsoft's website, the company was only too familiar with what types of attacks were most popular.

"The first thing [script kiddies] do is fire off all these attacks at Microsoft.com," he said. "On average we get attacked between 7000 and 9000 times per second at Microsoft.com," said the senior security architect.

"I think overall we've done pretty good, even when MafiaBoy took down half the internet, you know, Amazon and eBay and that, we didn't go down, we were still up."

Heckman said there were two reasons why the top hacking methods of cross-site scripting and SQL injection had not changed in the past six years.

"One, it tells me that the bad guys go with what they know, and two, it says the developers aren't listening," he said.

Heckman said that developers should consider all data input by a user as harmful until proven otherwise.


 

August 24, 2010
 Responsible Disclosure: RIP?


While Google and MS are bashing each other over whether we should have a responsible/coordinated/full disclosure policy, it seems we might be heading to 'no disclosure.'


RSnake (Robert Hansen) predicts that, since the industry is certainly not encouraging enough and is often hostile toward the disclosing party, security researchers will probably go for more profitable options (such as selling vulnerabilities to black hats) or abandon this field of research altogether; neither is a desirable outcome from a security perspective.


We can already see that attitude from Acros, a security firm, with the recent code-execution bug in Windows apps, as quoted in:


http://blog.rapid7.com/?p=5325



“I don’t know if you saw the draft of our new commercial disclosure policy, but we essentially gave up on alerting vendors for free. We’ve been providing free research to them for over 10 years and it hasn’t paid out well. What you’re seeing on Bugtraq now are the “remains of the old days,” so to speak :-) We’ve found better markets for this kind of information. To answer your specific question: no, we have not reported any issues in the products you mentioned – and have no intention to, should we come across one."  [Emphasis ours].

 

August 11, 2010
 Spanish Password Security

In January of this year, Imperva’s ADC published a report on the most commonly used passwords.  Of the 32 million, nearly 2 million were in Spanish.  Agua Marketing—a firm that specializes in marketing to Spanish speakers—helped us analyze the list.  They found many recurring passwords and patterns.  If you read Spanish, you can access our report here.

Of the 32 million passwords, a significant portion, 1,830,196, were identified as Spanish which included passwords that could be bilingual, such as ‘chocolate’ which is spelled the same in English and Spanish as well as universal sequences like ‘abc123’.  The purely Spanish words totaled 1,001,662 including all Spanish words, proper names and intentionally misspelled expressions.  

The tricky part:  we have no way of knowing who was a native Spanish speaker.  If we had usernames, that would have helped--but they were unavailable.  However, to our knowledge, no one has ever had such a large pool of Spanish passwords to analyze.  The frequency of use of the passwords was very relevant: it gave us insight into the types of passwords selected by Spanish-speaking users.  

Key findings?  Spanish speakers devised passwords based on:

  • Names of persons
  • Keyboard sequences
  • Favorite things such as movie characters, food, etc…
  • Terms of endearment
  • Computer terms
  • Religious terms

 

[Image: SpanishPasswords]
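As an added illustration (not code from the Imperva report), the following classifier sorts passwords into the categories listed above, so a password policy can reject the weakest Spanish-language choices. The word lists are small constructed stand-ins for the report's data, and accent stripping makes 'cariño' and 'carino' compare equal.

```python
# Added example: classify passwords into the categories the report found.
# Word lists below are constructed for illustration, not taken from the report.
import unicodedata

CATEGORIES = {
    "names": {"alejandro", "maria", "jose", "carlos"},
    "endearment": {"teamo", "tequiero", "miamor", "carino"},
    "computer": {"computadora", "contrasena", "password", "internet"},
    "religious": {"jesus", "dios", "maria"},
    "favorite": {"chocolate", "pikachu", "futbol"},
}
# Reference strings used to decide whether two characters are "adjacent":
# QWERTY rows, the digit row and the alphabet (so 'abc123' counts as a sequence).
SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz"]


def normalize(pw: str) -> str:
    """Lower-case and strip accents/tildes so that 'Cariño' becomes 'carino'."""
    decomposed = unicodedata.normalize("NFKD", pw.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def adjacent(a: str, b: str) -> bool:
    """True if a and b sit next to each other (either direction) in some sequence."""
    return any(a + b in s or b + a in s for s in SEQUENCES)


def is_keyboard_sequence(pw: str, min_run: int = 3) -> bool:
    """True if pw is made only of runs (each >= min_run chars) of adjacent keys,
    e.g. 'qwerty', '123456' or 'abc123'; 'maria' or 'aaaa' are not."""
    if len(pw) < min_run:
        return False
    run = 1
    for a, b in zip(pw, pw[1:]):
        if adjacent(a, b):
            run += 1
        else:
            if run < min_run:
                return False
            run = 1
    return run >= min_run


def classify(pw: str) -> list[str]:
    """Return every category the password matches; an empty list means no known pattern."""
    n = normalize(pw)
    core = n.rstrip("0123456789")  # 'maria123' still counts as a name
    hits = [cat for cat, words in CATEGORIES.items() if core in words or n in words]
    if is_keyboard_sequence(n):
        hits.append("keyboard sequence")
    return hits
```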
 

 

July 27, 2010
 Behind any great SCADA breach stands an even greater database breach

Once in a while we find the terms SCADA systems and security breach in the same news piece. The mere coupling of these two terms is enough to send a shiver down most people's spines. SCADA (Supervisory Control and Data Acquisition) systems are the driving force behind the most basic services of modern civilization: power plants, dams, water systems and traffic control systems. Thus, an attack aimed at such systems can, in the worst case, severely impair a modern nation.

The most recent incident involving security vulnerabilities in SCADA systems showed up last week, as news broke regarding a worm attacking WinCC software from Siemens. Putting aside the smoke screens and the FUD spread around this story allows us to understand the true nature of "SCADA attacks" and point out the tools that would help organizations deflect them.

To begin with, the initial infection vector used an unpatched Windows operating system vulnerability. This vulnerability is weaker than most recently announced vulnerabilities, as it only allowed the attack to be launched through media physically connected to a workstation. This vulnerability allowed the attacker to execute arbitrary code on the compromised workstation. This particular attacker chose to "attack" the WinCC software. The vulnerability exploited by the attacker was actually a factory-set password to the system's database. Thus, the attack code did not actually interface with the code of the WinCC software but rather with the database server it uses. An analysis of the code shows that the attack consisted of extracting information from the database and sending it over to an attacker-controlled server. In much the same way, the attacker could have changed the password on the account in the database server, putting the system out of service, or tampered with the contents of the database, with unimaginable effects.

So, while "SCADA" security is an enigmatic domain, database activity monitoring and security is actually a pretty established one. It means that if we take the mystery out of SCADA security and apply security measures component by component, we could actually make our SCADA systems secure. In fact, by using a database firewall, enterprises could have mitigated this recently described attack altogether!

This is not the first time we've discussed this approach to SCADA security and it will probably not be the last. While SCADA systems do pose a different threat profile with respect to the consequences of an attack and some unusual IT components, at the bottom line these are modern IT systems relying for their management on standard operating systems, standard commercial databases and, most often, a web interface. Let's use the good tools we have to protect those.
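To make the "database firewall" point concrete, here is an added example (not code from this post or from any vendor product) of the kind of policy a database activity monitor applies to each audit record: the account names, hosts and table names are constructed and hypothetical, not WinCC's real schema. It flags exactly the pattern described above, a factory-set application account used from a host other than the application server, reads of tables the application never touches, and privileged statements such as changing the account's own password.

```python
# Added example: a minimal database-activity-monitoring rule set.
# All account names, hosts and tables are constructed for the example.
from dataclasses import dataclass


@dataclass
class DbEvent:
    user: str       # database login name from the audit log
    client: str     # client host/IP that opened the session
    statement: str  # SQL text as recorded by the audit log


# Hypothetical baseline: who may connect from where, and what each account
# normally touches. A real deployment learns or configures this per system.
ALLOWED_SOURCES = {"hmi_app": {"10.0.5.20"}, "backup_svc": {"10.0.5.21"}}
DEFAULT_VENDOR_ACCOUNTS = {"hmi_app"}  # accounts shipped with a factory password
NORMAL_TABLES = {"hmi_app": {"tags", "alarms"},
                 "backup_svc": {"tags", "alarms", "users"}}
PRIVILEGED_VERBS = {"ALTER", "DROP", "GRANT", "CREATE"}


def tables_in(statement: str) -> set[str]:
    """Crude extraction of table names following FROM/JOIN/INTO/UPDATE."""
    words = statement.replace(",", " ").replace(";", " ").split()
    found = set()
    for i, w in enumerate(words[:-1]):
        if w.upper() in {"FROM", "JOIN", "INTO", "UPDATE"}:
            found.add(words[i + 1].strip("`\"[]").lower())
    return found


def evaluate(event: DbEvent) -> list[str]:
    """Return the policy violations for one audit record; empty list means allowed."""
    findings = []
    if event.client not in ALLOWED_SOURCES.get(event.user, set()):
        kind = "vendor default account" if event.user in DEFAULT_VENDOR_ACCOUNTS else "account"
        findings.append(f"{kind} '{event.user}' used from unexpected host {event.client}")
    unusual = tables_in(event.statement) - NORMAL_TABLES.get(event.user, set())
    if unusual:
        findings.append(f"'{event.user}' touched tables outside its profile: {sorted(unusual)}")
    verb = event.statement.split()[0].upper()
    if verb in PRIVILEGED_VERBS:
        findings.append(f"privileged statement {verb} by '{event.user}'")
    return findings


if __name__ == "__main__":
    # Constructed audit records: one normal read, one data theft, one lockout attempt.
    for e in [DbEvent("hmi_app", "10.0.5.20", "SELECT value FROM tags WHERE id=7"),
              DbEvent("hmi_app", "10.0.5.99", "SELECT * FROM users"),
              DbEvent("hmi_app", "10.0.5.20", "ALTER LOGIN hmi_app WITH PASSWORD='x'")]:
        print(e.client, e.statement, "->", evaluate(e) or "allowed")
```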

 

 

July 23, 2010
 Imperva finds master hacker who dupes thousands into phishing army

Imperva uncovered a new, automated, cloud-based phishing kit.  Our Application Defense Center found this kit on a hacker forum.

Unlike previous phishing kits that have been available for years (which we detail here), this new approach lives in the cloud and relies on hackers exploiting other hackers.  And with the new cloud-based approach the infrastructure for this phishing kit never goes away.  Why?  In traditional schemes, when you take down a server you take down not only the web page but also the back-end data collection capability.  In this cloud version, data collection is hosted separately from the phishing web sites, which means hackers only need to repost the web front end in a new location to be back in business.  (It's like whack-a-mole.)

Also, and perhaps what's more interesting, this attack highlights that there’s no honor among thieves.  Two master hackers wrote and then posted a phishing kit into hacker forums.  The irony is that anyone using this kit becomes an unknowing member of the master hacker’s army.  When hackers use this kit and deploy a successful phishing campaign, all the stolen credentials and information goes straight back to the master hacker without the proxy hacker’s knowledge.  It’s very clever.  The master hacker never needs to conduct a campaign to see financial gain.  

This next gen phishing kit works like this: 

  1. Two master hackers created a phishing kit that generates phishing sites as a service to other hackers.
  2. The master hacker publishes the kit on hacker forums and news groups
  3. Other hackers download and use the kit to create the phishing sites and create numerous campaigns becoming "proxy" hackers.  The master hacker claims 200,000+ downloads.
  4. The proxy hackers see some success, potentially stealing dozens to hundreds of credentials before their fake sites are shut down.
  5. The master hacker uses a back door in the kit to harvest all the credentials the proxy hackers managed to get--which, collectively, probably amounts to thousands of credentials.  
  6. Since new people create new phishing sites every day, with new campaigns the master hacker’s numbers just grow and grow and grow.

The kit was developed in Algeria with Arabic tutorials while the kit itself is in English.  Here’s how you sign up for it: 

[Image: Login spoof]
 

And here’s how you select pages to spoof:

[Image: Page select phishing]

And here’s a "dashboard" screenshot showing victims:

[Image: Dashboard2]
  

 

July 14, 2010
 MSFT Guillotines SP2

Happy Bastille Day.  Today is the first full day that Windows XP SP2 goes unsupported.  


"Support for Windows XP with Service Pack 2 (SP2) will end on July 13, 2010"


[Image: Sp2end]
No more support for XP SP2 = no more security updates  = unpatched vulnerabilities = exploits with no mitigation.

According to hitslink.com XP has 63% market share – by far the most popular OS out there.

[Image: Sp2SOM]
 

According to Qualys – the XP SP2 version is at least as popular as SP3.

[Image: Sp2growth]
According to Qualys, an automatic update to SP3 will be pushed to anyone who participates in the Windows Update program – which means home users, but not enterprise users.

Summing it up – it's very reasonable to predict that we will see a rise in successful attacks against enterprise XP SP2 computers in the near future.

(To check your Windows version: click the Start button, type winver in the search box, and then press Enter.)


For more on this subject:

http://www.networkworld.com/news/2010/061410-clock-winding-down-on-windows.html?source=nww_rss

http://lastwatchdog.com/hackers-nirvana-horizon-microsofts-ends-patching




 

July 13, 2010
 Security Concerns with Google App Builder

The new Google App Inventor is a powerful  tool:  https://www.google.com/accounts/ServiceLogin?service=youngandroid

App Inventor is built on the idea that you do not need to be a developer to build great mobile applications. Instead of code, App Inventor allows you to visually design applications and use blocks to specify application logic.  Google explains, for example:

  • Use the GPS-location sensor to build location aware apps.  For example, build an app to help you remember where you parked your car.
  • Make your apps communicate by using the phone functionality.  For example, build an app that periodically texts "missing you" to your loved ones.
  • Integrate with the web to build mashup applications.  For example, build an app that talks to your favorite website like Twitter.

How does a hacker see this new capability?  We used Google Translate and converted the above three bullets from "good guy speak" to "hacker speak."  

App Inventor is built on the idea that you do not need to be a hacker to build malicious mobile applications. Instead of code, App Inventor allows any script kiddie to visually design malware:

  • Use the GPS-location sensor to build location aware apps.  For example, build an app that will track the exact location of its user.
  • Make your apps communicate by using the phone functionality.  For example, build an app that periodically texts to subscribe to expensive or bogus mobile services.
  • Integrate with the web to build mashup applications.  For example, build an app that talks to a hacker site with your personal information.

Although malicious applications can surely be made without App Inventor, lowering the bar for application development might make Android a favorable target for script kiddies.

Let's hope that Google has a good mechanism to ensure that only good applications enter the Android Market (http://www.android.com/market/free.html).

Given recent experience, we're concerned:

  1. Banking malware found on Android Marketplace:  http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace/
  2. Malicious Google Android Apps Discovered: http://www.techjaws.com/malicious-google-android-apps-discovered 


 

July 12, 2010
 MSFT Stealth Patch?

Interesting profile of how Microsoft quickly patched a CSRF vulnerability in SP3, and a depressing reminder of the patch-cycle rat race:

http://sites.google.com/site/tentacoloviola/pwning-corporate-webmails


 

 Botorama

We recently got an inquiry from a UK reporter regarding bots and their growth.  The responses are interesting and useful--especially the answer to the second question, on detecting bots on your own computer.


How many UK computers contain / are part of BOTNETS? (estimate)

Based on recent anti-virus vendor publications, it is possible to estimate that the UK is currently home to over 3 million infected machines (not including business systems).


How can you track a computer that is part of a botnet?

Your PC could easily be part of a botnet without you even knowing. If your PC's internet connection seems very slow at times while you are doing regular internet activity, it could be a sign of a botnet infection; if programs like msconfig, the Windows Registry Editor, and your antivirus program don't load, your PC is almost certainly infected.

It can be difficult to tell if your PC has been botted but there are some warning signs.

  • Monitor and analyze firewall and router logs, as well as server and workstation logs.
  • Monitor and analyze network traffic, for example IRC traffic when you are not using IRC; also check whether the host is trying to communicate with any command and control (C&C) server.
  • Check your PC's startup list (the msconfig utility), the list of programs that load automatically when Windows starts, and look for suspicious file names (random character strings, etc.).
  • Check for suspicious running processes (by opening Task Manager or Process Explorer).
  • Check for suspicious open ports.
  • Check for modifications to the Windows hosts file.
  • You can also pick up clues from your friends: if a friend asks “Why did you send this video to me?” and you know you didn't send it, you can pretty much bet you’ve become infected or that your account has been compromised.
  • Check for numerous undelivered e-mail notifications in your inbox. Spam sent to unknown e-mail addresses will result in “failure to deliver” notifications in your inbox, and bots frequently use e-mail accounts to send out spam.
  • Check for additional e-mail addresses in your account; if you did not create them, you may have an infected computer.
  • Check for multiple toolbars in your web browser. Bots will frequently install various toolbars to collect search information from your browser.
  • Unusual error messages. Error messages that suggest applications cannot run or drives cannot be accessed can be indications of a bot infection.
  • Check your “outbox” for e-mail messages that you didn’t send.
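Two of the checklist items above (hosts-file tampering and IRC-style C&C traffic) as an added worked example, not code from the original post. The protected-domain list and IRC port set are constructed and illustrative, and the inputs are a constructed hosts file and constructed `netstat -n`-style lines rather than anything captured from a real machine.

```python
# Added example: two host-side bot checks from the list above.
# Watch lists and sample inputs are constructed for illustration.
import ipaddress

# Domains a bot typically pins in the hosts file to block updates or AV signatures
# (illustrative subset; a real check would carry a much longer list).
PROTECTED_DOMAINS = {"windowsupdate.microsoft.com", "update.microsoft.com",
                     "www.symantec.com"}
IRC_PORTS = {6667, 6668, 6669, 7000}


def hosts_file_findings(text: str) -> list[str]:
    """Flag hosts-file entries that pin a protected domain (to any address),
    point 'localhost' away from loopback, or cannot be parsed."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        names = [n.lower() for n in names]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparseable entry: {raw.strip()!r}")
            continue
        pinned = sorted(n for n in names if n in PROTECTED_DOMAINS)
        if pinned:
            findings.append(f"{pinned} pinned to {ip}")
        if "localhost" in names and not ip.is_loopback:
            findings.append(f"localhost mapped to non-loopback {ip}")
    return findings


def irc_connections(netstat_lines: list[str]) -> list[str]:
    """From 'netstat -n' style lines, return remote endpoints on IRC ports
    with an ESTABLISHED TCP session, a classic C&C indicator."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        remote, state = parts[2], parts[3]
        _, _, port = remote.rpartition(":")
        if state == "ESTABLISHED" and port.isdigit() and int(port) in IRC_PORTS:
            hits.append(remote)
    return hits


if __name__ == "__main__":
    SAMPLE_HOSTS = "127.0.0.1 localhost\n# added by bot\n127.0.0.1 windowsupdate.microsoft.com www.symantec.com\n"
    SAMPLE_NETSTAT = ["  TCP    192.168.1.5:49211    203.0.113.9:6667    ESTABLISHED",
                      "  TCP    192.168.1.5:49300    198.51.100.4:443    ESTABLISHED"]
    print(hosts_file_findings(SAMPLE_HOSTS), irc_connections(SAMPLE_NETSTAT))
```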


 

July 06, 2010
 IP and IQ

Interesting example of how knowing an IP address can help you understand the motivations and IQ of your website visitors:

[Image: IPIQ]