45 posts categorized "Tal Be'ery"
February 20, 2013
 Oracle CPU, a wake-up call for Java security

Oracle has released its Critical Patch Update, which focuses on fixing a major Java vulnerability that is being actively exploited. Java vulnerabilities are clearly on the rise. Currently they represent more than 10 percent of all reported vulnerabilities this year, and they are reported to be the root cause of some high-profile incidents in which insiders' machines were compromised.


What can I do to protect my organization?

In a perfect world, we would advise administrators to disable Java in all browsers, but generally speaking, having IT administratively disable any software component on "all user machines" is nearly impossible, especially in today's bring your own device (BYOD) IT environment. The current case of disabling Java components is no different.

The lesson the world should have already learned from incidents such as Stuxnet is that protection should be built around data rather than around devices. Closely monitoring and controlling data at its source is one part of the solution. Another is to look for abusive access patterns to data, or patterns that reflect the behavior of an outsider inside our perimeter. Coupled with data encapsulation, organizations can achieve true mitigation of such risks.

Additionally, individual users should turn off the Java 7 browser plug-in and enable it only for specific trusted sites (such as the "Java-powered line of business applications" mentioned above). Google's Chrome browser, for example, lets a plug-in be disabled globally and then allowed for individual sites.


December 18, 2012
 Data Wiping: A New Trend in Cyber Sabotage?

Yesterday, the Iranian CERT announced a new piece of malware designed to corrupt data. It joins the list of data-corruption malware discovered in April, November and December 2012: Wiper, Narilam and now GrooveMonitor, respectively. They wrote:

The latest investigation done by the Maher center in cyberspace identified a new targeted data-wiping malware. Primitive analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and does not have any similarity to the other sophisticated targeted attacks.

GrooveMonitor does not pose a real threat to companies, since it attacks local files only and not the datacenter (databases or file shares) or the datacenter backups. However, the Narilam malware discovered last month is database sabotage malware: its purpose is to corrupt the databases of three financial applications from TarrahSystem used for banking, loans, retail and industrial applications. But this is not a technical beauty pageant. When all of your data gets wiped and your antivirus proves to be worthless, do you take comfort in the fact that the malware was simplistic?

Indeed, this new malware raises the question: are these just isolated incidents, or are we witnessing a trend of malware designed to corrupt data rather than steal it? While all three malware attacks originated in Iran, a country of great interest to several espionage agencies around the world, only Wiper is believed to be state-sponsored. The authors of the other two were probably inspired by Wiper to some extent. As Microsoft's director of trustworthy computing, Tim Rains, put it nicely this week: "Unintended consequence of operating a sophisticated cyber espionage activity is that criminal groups are essentially given free research on how to infect systems and little-known vulnerabilities are brought to the forefront."

This is just as true for methods of operation. It is easier to hurt a competitor's business by sabotaging its production systems through data corruption than by operating a complicated, long-term espionage campaign to steal data. Roel from Kaspersky's security blog sums it up: "If it wasn't clear already - the era of cyber-sabotage has arrived. Be prepared."



December 17, 2012
 From A to V: Refuting Criticism of Our Antivirus Report

Our antivirus study got a lot of attention (you could say it went viral). Most interestingly, some people called our methodology "flawed."

While our report acknowledged the limitations of our methodology, we believe that, fundamentally, the model for antivirus, and not our methodology, is flawed. Antivirus was built years ago, in an age when mass infections were the name of the game. Today, malware is deployed to target SPECIFIC individuals (CEOs, researchers, politicians, executives) and not everyone's mom.

One reaction to our study asserted that a virus can be blocked based on source IP: "email with the malware attached, or the included URL… could have been blocked based on its source IP." This approach, however, addresses an old threat model in which the attacker tried to infect as many targets as possible with a single campaign, which meant reusing URLs to host the malware and IP addresses to send the email. Reusing IPs allowed security companies to maintain blacklists for both IPs and URLs. In today's threat landscape, however, where attackers go after a specific victim, they create a dedicated URL to host the malware and use a dedicated IP address to send the malicious mail, easily overcoming blacklists.

Our study concluded that antivirus solutions are very effective in fighting widespread malware and slightly less effective against older malware (2 to 3 months old). But for new malware, there is a good chance it will evade the antivirus. In fact, our results are consistent with other studies. For example, let's look at the AV-TEST Institute's results.

The AV-TEST Institute, according to its site, is a "leading international and independent service provider in the fields of IT security and anti-virus research." According to AV-TEST's website, in order to test the protective effect of a security solution, AV-TEST researchers simulate a variety of realistic attack scenarios, such as the threat of e-mail attachments, infected websites or malicious files transferred from external storage devices. When carrying out these tests, AV-TEST takes the entire functionality of the protection program into account. But even with all of the antivirus functionality enabled, the results reveal a worrisome security gap:


While antivirus solutions are very effective in fighting widespread malware and slightly less effective against older malware, for new malware there is a good chance it will evade them. That is exactly what we found.

Finally, one should ask the question CEOs are asking CISOs worldwide: if antivirus software is so good, why do we see so many successful attacks based on infected computers (Coca-Cola and the South Carolina Department of Revenue, to name a few)? The obvious answer is that antivirus is not perfect and needs to be augmented with data security solutions, as veteran antivirus researcher Mikko Hypponen honestly acknowledged: "Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense."


December 06, 2012
 New Password Cracking Method

A new attack makes some password cracking faster and easier than ever. A researcher has devised a method that reduces the time and resources required to crack passwords protected by the SHA-1 cryptographic hash function.

First, some context. One of the main use cases for hash functions such as SHA-1 is storing passwords securely. When attackers obtain such a hashed password, they need to launch a "brute force" attack against it in order to reveal the password: they repeatedly guess a password, apply the hash function to the guess and compare the result with the hash they hold. The security researcher found an algorithmic shortcut in the SHA-1 calculation that makes each computation cheaper, thus reducing the time needed for a brute-force attack to succeed.

But this should not surprise the security community, as the writing was on the wall. When a cryptographic hash is weakened (i.e., discovered to be less secure than perceived), it usually marks the start of its downfall, and SHA-1 has been weakened since 2004. This chart of the state of popular cryptographic hashes from 2009 shows just that:


The corollary? Where the hashing is done for security (e.g. hashing user passwords, verifying data integrity, etc.):

  • MD5 is dead and should never be used.
  • SHA-1 is heading the same way. Consider upgrading existing systems and definitely don't use it for new systems.

A smart choice would be to follow the U.S. National Institute of Standards and Technology (NIST) recommendation for federal agencies: "Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance." 

Best option? Use a hash function from the SHA-2 family, such as SHA-256. For stored passwords specifically, a fast hash alone is not enough, whichever family it comes from: salt each password and use a deliberately slow, iterated construction (PBKDF2, bcrypt or scrypt), so that every guess in the brute-force loop above costs the attacker real work.
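
The guess-hash-compare loop described above, as an added example that is not part of the original post: it runs a dictionary attack against an unsalted SHA-1 digest, then runs the same loop against a salted, iterated PBKDF2-HMAC-SHA256 hash to show where the attacker's cost goes. The sample password, the wordlist and the iteration count are constructed for the example, not taken from any real breach.

```python
"""Added example (not code from the original post): brute forcing a stored
password hash, with a fast unsalted SHA-1 next to a salted, iterated PBKDF2."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample wordlist; a real attacker would use a leaked-password list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "s3cr3t", "dragon"]
SAMPLE_PASSWORD = "s3cr3t"  # hypothetical victim password, in the list above


def sha1_unsalted(password: str) -> str:
    """How many breached sites stored passwords: one fast, unsalted hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash, serialized as 'iterations$salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_sha1(target_hex: str, wordlist):
    """The brute-force loop from the post: guess, hash, compare.
    Returns (password, number_of_guesses) or (None, number_of_guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(sha1_unsalted(guess), target_hex):
            return guess, n
    return None, len(wordlist)


def crack_pbkdf2(stored: str, wordlist):
    """Same loop, but every guess now costs a full PBKDF2 run (iterations x HMAC)."""
    for n, guess in enumerate(wordlist, 1):
        if pbkdf2_verify(guess, stored):
            return guess, n
    return None, len(wordlist)


def cost_ratio(wordlist, iterations: int = 200_000) -> float:
    """Wall-clock cost of the PBKDF2 dictionary attack relative to the SHA-1 one.
    Illustrative only; the absolute numbers depend on the machine."""
    sha1_target = sha1_unsalted(SAMPLE_PASSWORD)
    t0 = time.perf_counter()
    crack_sha1(sha1_target, wordlist)
    t_sha1 = time.perf_counter() - t0

    stored = pbkdf2_store(SAMPLE_PASSWORD, iterations=iterations)
    t0 = time.perf_counter()
    crack_pbkdf2(stored, wordlist)
    t_pbkdf2 = time.perf_counter() - t0
    return t_pbkdf2 / max(t_sha1, 1e-9)


if __name__ == "__main__":
    print("SHA-1   :", crack_sha1(sha1_unsalted(SAMPLE_PASSWORD), WORDLIST))
    stored = pbkdf2_store(SAMPLE_PASSWORD)
    print("PBKDF2  :", crack_pbkdf2(stored, WORDLIST))
    print("slowdown: about %.0fx per guess" % cost_ratio(WORDLIST))
```

Both loops find the password after the same number of guesses; what changes is the price of each guess. The SHA-1 shortcut in the post shaves a constant factor off an already cheap operation, whereas the iteration count in PBKDF2 is a tunable factor the defender controls, and the per-user salt forces the attacker to repeat the whole loop for every account instead of hashing each guess once against the entire leaked table.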




October 17, 2012
 Beating Automated SQL Injection Attacks

Recently, US banks were warned about automated attacks coming from Havij, a SQL injection attack tool. While we have blogged about stopping SQL injection in the past, it is a topic always worth revisiting.


First, let's make clear what WON'T help. Earlier this month, Kevin Mitnick gave a talk at the US Naval Academy. The first lesson?

All the firewalls and intrusion detection systems in the world won’t be a guarantee that networks won’t be breached.  There’s no such thing as an impenetrable system, and no such thing as bugless software. Kevin’s demonstration of exploiting vulnerabilities in widely used commercial software proves this. Moreover, this isn’t just software being used in the private sector.  Many of the exploits he demonstrated take advantage of software that’s become an integral part of the way the military handles its information.

Havij exploits vulnerabilities in the application itself and is totally invisible to network firewalls and IPS, which see only well-formed HTTP. Havij relies on a blind SQL injection vector; if the application is protected against SQL injection, its attacks fail. Here's how:

  1. Negative security model: protect against SQL injection by blacklisting known SQL injection manifestations (UNION SELECT, boolean probes such as ' AND 1=1, comment terminators and the like).
  2. Positive security model: every injection violates the normal application usage profile, for instance a numeric id parameter that suddenly carries quotes and SQL keywords.
  3. Identifying automated interactions: Havij is not human and behaves like a robot. You can detect it merely by its specific user agent string, but also by more subtle details such as constant values within the SQL attack itself.
  4. Clean code: parameterized queries, so that user input is never concatenated into SQL.
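
The first three of these models, applied to web server access logs, as an added example that is not code from the original post or from any product: a small request screen that URL-decodes each parameter, checks it against injection signatures (negative model), checks it against a per-parameter profile of what the application expects (positive model), and fingerprints the client (automation). The log lines, URL layout, parameter profile and the "Havij" User-Agent token are all constructed for the example; real tools can change their User-Agent, which is why the other two models matter.

```python
"""Added example (not code from the original post): negative, positive and
automation checks for SQL injection, run over constructed access-log lines."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log in Combined Log Format. The "Havij" UA token is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2012:10:01:01 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
10.0.0.9 - - [17/Oct/2012:10:01:07 +0000] "GET /product.php?id=42%27%20AND%201=1--%20 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
10.0.0.9 - - [17/Oct/2012:10:01:08 +0000] "GET /product.php?id=42%27%20AND%201=2--%20 HTTP/1.1" 200 4870 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
10.0.0.9 - - [17/Oct/2012:10:01:09 +0000] "GET /product.php?id=42%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 6011 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
10.0.0.7 - - [17/Oct/2012:10:02:00 +0000] "GET /search.php?q=red%20shoes HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Macintosh) Safari/536.26"
10.0.0.12 - - [17/Oct/2012:10:02:30 +0000] "GET /product.php?id=7%20and%20ascii(substring((select%20user()),1,1))>96 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/22.0"
10.0.0.21 - - [17/Oct/2012:10:03:00 +0000] "GET /product.php?id=5&debug=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# 1. Negative model: known injection manifestations, matched after URL decoding.
SQLI_SIGNATURES = [
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),              # boolean / blind probes
    re.compile(r"\b(ascii|substring|benchmark|sleep)\s*\(", re.I), # blind-extraction helpers
    re.compile(r"(--|/\*)"),                                       # comment terminators
    re.compile(r"'\s*(and|or)\b", re.I),                           # quote breaking out of a literal
]

# 2. Positive model: the only parameters each path accepts, and their shape.
PARAM_PROFILE = {
    "/product.php": {"id": re.compile(r"^\d{1,9}$")},
    "/search.php": {"q": re.compile(r"^[\w\s\-]{1,64}$")},
}

# 3. Automation: client fingerprints (tool names assumed for the example).
AUTOMATION_UA = re.compile(r"\bhavij\b|sqlmap|python-requests", re.I)


def parse_line(line: str):
    """Combined Log Format line -> dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # decodes %27, %20, +
    return rec


def screen_request(rec) -> list:
    """Apply the three models to one parsed request; return the findings."""
    findings = []
    profile = PARAM_PROFILE.get(rec["path"])
    for name, value in rec["params"]:
        if any(sig.search(value) for sig in SQLI_SIGNATURES):
            findings.append(f"negative: SQLi signature in {name}")
        if profile is not None:
            expected = profile.get(name)
            if expected is None:
                findings.append(f"positive: unexpected parameter {name}")
            elif not expected.match(value):
                findings.append(f"positive: {name} violates profile")
    if AUTOMATION_UA.search(rec["ua"]):
        findings.append("automation: tool User-Agent")
    return findings


def screen_log(text: str) -> dict:
    """Return {line_number: findings} for every line that trips at least one model."""
    flagged = {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        findings = screen_request(rec)
        if findings:
            flagged[n] = findings
    return flagged


def blocking_ips(text: str) -> set:
    """IPs whose requests violated the negative or positive model (a UA alone only flags)."""
    ips = set()
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec and any(not f.startswith("automation") for f in screen_request(rec)):
            ips.add(rec["ip"])
    return ips


if __name__ == "__main__":
    for n, findings in screen_log(SAMPLE_LOG).items():
        print(n, findings)
    print("block:", sorted(blocking_ips(SAMPLE_LOG)))
```

Line 7 of the sample is the reason for the positive model: there is no SQL in it, so no signature fires, but the extra debug parameter is not something the application ever sends, so the profile flags it. The blind probe on line 6, in turn, arrives from an ordinary browser User-Agent and is caught by the signatures and the profile, not by fingerprinting.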

From a technology standpoint, only three types of products will help defeat Havij:

  1. Vulnerability scanners
  2. Code scanners
  3. Web application firewalls

Often we see companies using vulnerability scanners and, to a much lesser extent, code scanning. These technologies are very important, but they only find issues. A scanner tells you that you have problems, but you have to figure out where they are. Code review gives you a specific line to remediate, but that takes time. If you are under an imminent Havij attack, these products won't help with the immediate risk.

OWASP has argued in the past that technologies focused on finding vulnerabilities are useful but have one major problem: they don't block attacks. This is why they recommend a web application firewall. (Full disclosure: we are a WAF vendor.) WAFs do provide a shield against an immediate attack and, at least in our case, can recognize Havij and stop it. Havij does come with some WAF evasion functionality, but it only targets WebKnight and ModSecurity.


October 11, 2012
 Firefox Vulnerability: Tech Details

Firefox 16 leaks URL data across domains by not restricting access to the JavaScript "location" property of a window belonging to another origin. How does it work?

A proof-of-concept exploit for the vulnerability exists. The attack goes like this:

  1. A user browses to the attacker's site.
  2. The attacker's page opens a new window pointing at Twitter.
  3. If the victim is signed in to Twitter, that window is redirected to a URL that contains the victim's personal Twitter ID.
  4. The attacker's page, which still holds a reference to the new window, reads its current URL through "location" and obtains the victim's Twitter ID, something the same-origin policy is supposed to prevent.

On previous versions of Firefox, this attack would fail:


There was a regression in Firefox 16 that allowed this attack to work:






September 10, 2012
 Managing Java Vulnerabilities
Great perspective from our own Tal Be'ery on managing Java vulnerabilities. 


July 23, 2012
 Gamigo Breach

Forbes is reporting that gaming website Gamigo was breached.  The article notes:

When this breach originally happened, the data wasn’t released, so it wasn’t a big concern. Now eight million email addresses and passwords have been online, live data for any hacker to see.

There is a more likely scenario.  The article should have said:

When this breach originally happened, the data was revealed to the hackers and to whoever they gave it to, which is a major concern. After a while, when the original hackers were done with it, they released it to the community, which means this data is probably worthless by now.

Another point: this breach has some similarities to the LinkedIn breach. Specifically, a few million hashed passwords which were disclosed to It's very likely that the full leak of LinkedIn data, including email addresses and login names, will surface a few months from now.




July 12, 2012
 How The Yahoo Voices Breach Went Down

Yahoo! Voices was breached. It is an online publishing application, developed by Associated Content and later acquired by Yahoo!, that lets consumers share content on any topic, from planning a wedding to the details of Tom and Katie's divorce.

Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, a well-known attack. To add insult to injury, the passwords were stored in clear text rather than hashed. One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.

The file published by the hackers seems to contain some 450K usernames and passwords of Yahoo! Voices users. The usernames and passwords appear to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view private data on 450,000 users, such as full name, full address, phone number, bio, education and date of birth.

Here’s some technical details:

  • Another epic password fail: it seems the app stored each password both encrypted (aes_passwd) and in clear text (clear_passwd), which of course makes the encryption useless.
    • ac_www =>> fix_ac_user :::: aes_passwd
    • ac_www =>> fix_ac_user :::: clear_passwd
  • How was it exploited? According to the hackers' note, "Method: Union-based SQL Injection", which is the most basic form of SQL injection. (We have written before on stopping SQL injection.)
  • It is interesting to note that the app used zip code data to profile its users:
    • ac_www =>> ac_zip_data :::: ZipCode
    • ac_www =>> ac_zip_data :::: HouseholdsPerZipCode
    • ac_www =>> ac_zip_data :::: WhitePopulation
    • ac_www =>> ac_zip_data :::: BlackPopulation
    • ac_www =>> ac_zip_data :::: HispanicPopulation
    • ac_www =>> ac_zip_data :::: PersonsPerHousehold
    • ac_www =>> ac_zip_data :::: AverageHouseValue
    • ac_www =>> ac_zip_data :::: IncomePerHousehold


  • Someone should delete all the TomKat videos and contribute a Yahoo! Voices tutorial on proper password storage methods. Until that is done, our enterprise password security guide is something everyone should read.
  • This attack highlights the challenge of securing third-party applications. The attacked application was probably acquired by Yahoo! from a third party, Associated Content, and it is very hard to run an effective SDLC over code you did not write. Therefore, you need to put such applications behind a WAF.
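
The "Method: Union-based SQL Injection" from the hackers' note, reproduced against an in-memory SQLite database next to the parameterized query that stops it, as an added example that is not code from Yahoo! Voices or from the attackers. The schema and rows are constructed for the example; only the table and column names (fix_ac_user, aes_passwd, clear_passwd) echo the published dump, and the articles table is a stand-in for whatever page the injection actually went through.

```python
"""Added example (not Yahoo! Voices code): union-based SQL injection against
a constructed schema, beside the parameterized query that defeats it."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema; column names echo the dump, rows are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE fix_ac_user (id INTEGER PRIMARY KEY, username TEXT,
                                  aes_passwd BLOB, clear_passwd TEXT);
        INSERT INTO articles VALUES (1, 'Planning a wedding', 'Start early.');
        INSERT INTO articles VALUES (2, 'Celebrity news', 'Nothing to see here.');
        -- the clear_passwd column is the "epic password fail" from the post
        INSERT INTO fix_ac_user VALUES (1, 'alice', X'00', 'alice123');
        INSERT INTO fix_ac_user VALUES (2, 'bob',   X'00', 'hunter2');
    """)
    return con


def get_article_vulnerable(con: sqlite3.Connection, article_id: str):
    """String-built query: whatever the client sends becomes part of the SQL."""
    sql = f"SELECT title, body FROM articles WHERE id = {article_id}"
    return con.execute(sql).fetchall()


def get_article_safe(con: sqlite3.Connection, article_id: str):
    """Parameterized query: the input is bound as a value and can never be SQL."""
    return con.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def looks_like_article_id(value: str) -> bool:
    """Positive check a clean code base applies before touching the database."""
    return value.isdigit()


# The union-based technique in one line: make the original WHERE match nothing,
# then append a SELECT with the same number of columns from the table you want.
UNION_PAYLOAD = "0 UNION SELECT username, clear_passwd FROM fix_ac_user--"


def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the safe one)."""
    con = build_db()
    leaked = get_article_vulnerable(con, UNION_PAYLOAD)
    safe = get_article_safe(con, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)   # usernames and clear-text passwords
    print("parameterized:", safe)  # nothing: the payload is compared as a string
```

The two functions receive exactly the same string. In the vulnerable one it is spliced into the statement, so the attacker's SELECT runs with the application's database privileges and the result comes back in the article's title and body columns. In the parameterized one the database compares the whole string against the integer id and finds no row; the trailing comment marker never reaches the parser as syntax. The looks_like_article_id check is the application-side version of the positive security model: reject the request before the query is built at all.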


June 21, 2012
 Figuring Out the True Size of the LinkedIn Breach

Great column by Imperva's Tal Be'ery explaining why the LinkedIn breach exceeds 6.5M users.  The fun bits:

In the RockYou password breach, which now serves as the gold standard for password studies, it was found that the uniqueness of the passwords was less than 50%, i.e. each password was used more than twice on average. Therefore, it's safe to assume that the number of accounts directly hit by such a hypothetical breach would well exceed the 10 million mark. For this reason, we will use 10M as our approximation for the number of breachable accounts.

Now let’s move forward with an estimate of collateral damage. How many friends did the directly hit accounts have? A naïve approach would be to multiply 10M by the number of the average unique friends each member has. It’s easy to see that if the number exceeds 16, then 10M breached accounts would span the whole 160M members of the social network.



