security


Winter

so did a lot of serious security incidents.

During last week, we saw…


- The largest newspaper in Sweden gets its e-mail systems hacked

Apparently, the intrusion was made by initially hacking the newspaper's intranet (which was connected to the internet!) and once the attackers had access to the intranet user names and passwords, they just tried those against the webmail system. Apparently people use the same passwords in different systems ;) The group claiming the hack was “Vuxna Förbannade Hackare” (in English: Mature Pissed-Off Hackers) and apparently it was motivated by the fact that the newspaper did not have any coverage of their previous attack on the TV channel TV3’s website.

During the past week the hackers have been releasing more and more internal details from Aftonbladet, such as e-mails and user details for partner websites, and they have stated that they will continue until the newspaper admits on the front page of its website that it has been hacked.


- The largest ISP in Sweden loses 2 weeks' worth of e-mail for 300 000 customers

This was an OMFG experience. Apparently, according to the information now available, there had been no backups taken (or they had been corrupt), and no monitoring or maintenance of the affected systems since 14 December. Telia are now offering 20£ vouchers (only usable in Telia stores) to all affected customers and are also going to handle more serious data losses on a case-by-case basis.

And why did this happen? Well, apparently the guy that was monitoring the systems quit. (Period.)

Nice way to follow routines and policies guys…


- A USB stick containing hundreds of pages of US NATO reports left in a library

Some of the material found had the classification “secret”, but this has not been verified by the newspaper reporting.

Apparently this information was left in one of Stockholm's largest libraries on an unencrypted USB stick.. heh.. I mean, encrypted USB sticks are soooo hard to come by these days, so why use them?

This has also been reported on by “The Register“:

According to Swedish daily Aftonbladet, the stick contained material on NATO’s ISAF peace-keeping force in Afghanistan, as well as an intelligence report on the attempted assassination of Lebanon’s defense minister and the murder of Sri Lanka’s foreign minister.


Word of advice: do not trust anyone else with your data, people ;)

Cheers and good luck in this 20£ corporate voucher world!

but “L O L” at Microsoft's latest security debacle ;)

I think their own advisory from 1999 (!!!) explains the issue pretty well:

The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname “wpad” to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.

Well, too bad they only protected their customers from this if their domains ended in .com, and that this issue has persisted through eight more years of code (how much new code did they say there was in Vista?). This little function seems to have remained unchanged for almost a decade anyhow…

Now let’s hope that Microsoft are faster than the bad guys… And in the meantime:

  • If you have a web filter, block all addresses containing “wpad.” in them.
  • On most Windows operating systems, stopping the service “WinHTTP Web Proxy Auto-Discovery Service” would also do it, but some people have been having problems with this.
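To make the quoted algorithm and the web-filter advice concrete, here is an added example (not code from the original post or from Microsoft): the name walk as the advisory describes it, why a fixed "stop at the third-level domain" rule walks out of the organisation for multi-label suffixes such as co.uk, a safer stop based on a public-suffix table, and the "flag wpad. lookups" check run over constructed DNS log lines. The tiny PUBLIC_SUFFIXES set and the log lines are assumptions made for the demo.

```python
# Added example: WPAD name walk, a public-suffix-aware stop, and a log check.
# Assumption for the demo: a hand-made subset of public suffixes, not the
# real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "se", "uk", "co.uk", "org.uk", "jp", "co.jp"}


def wpad_candidates_fixed_depth(fqdn, min_labels=2):
    """Prepend 'wpad', drop the leftmost label each round, stop when only
    min_labels labels remain (the advisory's third-level-domain rule)."""
    labels = fqdn.lower().rstrip(".").split(".")
    out = []
    while len(labels) >= min_labels:
        out.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return out


def registrable_domain(fqdn):
    """Shortest name the organisation itself could register: one label
    in front of the longest matching public suffix, or None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def wpad_candidates_safe(fqdn):
    """Same walk, but never beyond the registrable domain; a host whose
    name is itself a public suffix gets no auto-discovery at all."""
    reg = registrable_domain(fqdn)
    if reg is None:
        return []
    return [c for c in wpad_candidates_fixed_depth(fqdn)
            if c == "wpad." + reg or c.endswith("." + reg)]


# Constructed DNS log lines: "<time> <client> query <name>".
SAMPLE_DNS_LOG = [
    "10:01:02 10.0.0.5 query wpad.sales.example.co.uk",
    "10:01:03 10.0.0.5 query wpad.example.co.uk",
    "10:01:04 10.0.0.5 query wpad.co.uk",
    "10:01:05 10.0.0.7 query www.example.co.uk",
]


def foreign_wpad_lookups(log_lines, own_domains):
    """Names starting with 'wpad.' that are not under one of our own
    domains: those are the lookups worth blocking or alerting on."""
    hits = []
    for line in log_lines:
        host = line.split()[-1].lower().rstrip(".")
        if host.startswith("wpad.") and not any(
                host == "wpad." + d or host.endswith("." + d)
                for d in own_domains):
            hits.append(host)
    return hits
```

For pc.sales.example.co.uk the fixed-depth walk ends at wpad.co.uk, a name anyone can register, while the safe walk stops at wpad.example.co.uk; the log check reports exactly that one outside lookup.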

In other words, keep an eye on your network the next couple of weeks until MS produces a patch.

Cheers and browse safe!

For those of you who have not been following the computer security news and blogs, there is a new vulnerability in town, and it's nasty.

The problem lies in the jar: protocol implementation used by Firefox, and it enables an attacker to conduct XSS and gives them almost limitless possibilities for malware hosting.

This is an example URI which exploits the issue:

jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html

Now, instead of copying others' work, which they have probably spent hours or more on to explain the issue in full, I'll give you a short recap of the happenings and the increasingly revealing blog posts:


  • 2007-02-08 - Jesse Ruderman logs the bug in the Mozilla bugzilla tracker. It remains unpatched and not widely known until…
  • 2007-11-07 - Researcher pdp discusses the issue and potential impact at GNUCitizen. This opens this bug up to a whole new audience and…
  • 2007-11-10 - Beford illustrates the seriousness of this issue and issues in the same family by targeting Google and Gmail and posts a new bug entry.
  • 2007-11-10 - And then Mario posts at GNUCitizen about other attack vectors including malware- and exploit-hosting.

During these last days we have also seen some very strange recommendations from leading security experts at ZDNet, Secunia and US-CERT (and one at The Register as well), as has the most excellent Giorgio over at the Hackademix blog.

The problem with the recommendations given by these persons and/or organisations is mainly that they recommend blocking URIs containing “jar:” in web filters and deep-packet-inspecting firewalls, or avoiding following “jar:” links. You should understand why this would be a total waste of time if you have read the above articles and in particular Giorgio's comments on the issue.

Also, you should know why if you have ever seen one page load another, as in most web-based exploits (including the one on the Swedish Parliament's websites this week (Swedish link, sorry)). My feeling is that the first advisories were rushed out “to be first in the corporate sector” and sloppy research took its toll.

If you do want to protect yourselves for real, you might wanna download and install the NoScript extension to Firefox which also handles JAR.
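To show why a “jar:” string match in a web filter never fires, here is an added example (not code from the original post or from Mozilla): it takes the example URI above apart, shows what an HTTP-level proxy or URL filter actually gets to see for it, and instead checks the fetched “image” body for the ZIP signature a jar file must carry. The sample byte strings are constructed.

```python
# Added example: what the wire sees for a jar: URI, and a content-side check.
from urllib.parse import urlsplit


def parse_jar_uri(uri):
    """Split 'jar:<archive-url>!/<entry>' into (archive_url, entry);
    None if the string is not a jar: URI of that shape."""
    if not uri.lower().startswith("jar:") or "!/" not in uri:
        return None
    archive, entry = uri[4:].split("!/", 1)
    return archive, entry


def wire_request(uri):
    """What a proxy or URL filter sees: host and path of the archive
    request only. The 'jar:' scheme and the entry path stay inside the
    browser, so a rule matching 'jar:' on the wire never fires."""
    parsed = parse_jar_uri(uri)
    archive = parsed[0] if parsed else uri
    u = urlsplit(archive)
    return u.hostname, u.path


def is_zip_payload(data):
    """ZIP local-file or end-of-central-directory signature, regardless
    of the file extension or Content-Type the server claims."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def classify_response(content_type, data):
    """Content-side check a filter could apply instead of URL matching:
    an 'image' whose body is a ZIP archive deserves blocking or at least
    an alert, whatever the URL looked like."""
    if is_zip_payload(data):
        if content_type.lower().startswith("image/"):
            return "zip-disguised-as-image"
        return "zip"
    return "other"


# Constructed sample bodies: a JPEG header and a ZIP local-file header.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
ZIP_SAMPLE = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 16

# The URI from the post, split over two lines only for readability.
EXAMPLE_URI = ("jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg"
               "!/malwareloadingscript.html")
```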

Happy times! ;)

Last week I held an on-demand seminar out at a company in Stockholm, Sweden.

This is my retelling of that seminar, and I wrote this down mostly for my own sake, for learning and seeing the areas in which I had to improve in order to be clearer to the non-technical people who are on the receiving end of my message.

The CTO of the company had asked us to help him educate his users on their responsibilities when it comes to keeping a network secure, and what potential harm they could cause themselves and the company if not doing so.

This is the neverending problem. Educating users. So how did I go about re-inventing the wheel?
I started out by presenting six simple questions and statements:

  • Do you think that the information in your home computer is valuable?
  • Do you think that your home computer is adequately protected from viruses and other kinds of malware?
  • Do you think that the information in your work computer is valuable?
  • Do you think that your work computer is adequately protected from viruses and other kinds of malware?
  • Is the statement “There is less malware today than two years ago” true or false?
  • Is the statement “There is less risk for getting infected now than two years ago” true or false?

I asked the participants to consider the questions and statements and keep their answers in their head. Of course, they might have understood that a person from an anti-malware vendor might have a hidden agenda in these questions ;)

After this I presented some of the results from an internal study that concludes that most users of our anti-malware solutions think that the two last statements are true. That is, they think that there is less malware in the world and that there is less risk of getting infected now than two years ago.

I then continued on to talk about how this is fundamentally wrong and backed that up with the statistics from PandaLabs and the recent “InfectedOrNot” survey of home users' computers. I did not mention the corporate study, but if you are interested you can find both of these at Panda Security's Research blog.

This study (of home users) is based on 1.5 million PCs that were scanned with the online service www.infectedornot.com between May and July 2007. Among other things it concludes that out of all scanned computers with a running and up-to-date antivirus, almost 23% have active malware on their system. That is almost 1 in 4.

Why is this? Well, one thing that is largely responsible for this situation is the change in the objective and goal of today's malware. Just a couple of years ago there were no banking or credit-card logging trojans, no spam-enabling botnets etc. Back then it was all about fame for the author, and that made it very easy for us antivirus guys. Today we are seeing a lot of new malware pop up, and a large amount of it is created with only one goal in mind, and that is financial gain for the creators. And as we all know, where there is money coming in there is money spent, and what we are seeing today are professional malware writers making a business out of it. They have business plans and whole development cycles and spend a lot of resources on pumping out variations of their goods to avoid the anti-malware radar. The “Storm worm” is a good and quite obvious example of this.

Of course this flood of variations of the same malware creates a lot of strain on our (Panda Security's) and other vendors' virus labs and forces us to either become selective, or to have a huge backlog of malware. Up until recently this was the situation for us.

We have had to adapt to this situation more and more during the last couple of years, and we are finally catching up thanks to different things. First, we have increased the amount of automated processes and minimized the human factor in malware analysis, and second, we have created and implemented new technology that helps us to proactively detect and report potential threats (TruPrevent). Other new technology such as our “Collective Intelligence” also helps in detecting new malware families at an early stage.

Anyways, the end result of this massive onslaught of new modifications is that we (all security vendors) are bound to miss at least one which in many cases leads to a user being compromised in one way or another.

Now I turned the focus to where the real impact is, and that is: who is the target and who is the victim?

As the motivation behind the malware has changed, it is more than ever the actual user behind the keyboard that is the target. It is her information, her payment cards, her banking info and it is her computer that the malware authors want to use in DDoS attacks and other criminal activities.

This is very important for the average user to understand, because if they do not, they will not think before they act and will fall prey to the criminal gangs of the digital world (OMG, that sounded like a SecurityFocus line ;) hehe).

OK, so what can the user do to secure his computer against these different kinds of threats? Well, as a start you (the user) should make sure that the following four bases are covered:

  • Check that your computer is up to date
  • Check that you have an anti-malware solution installed
    • And turn on all protection modules, they are there for a reason
  • Check that your anti-malware solution is up to date
    • If it’s not, it is almost useless
  • Check that you have a firewall installed
    • If not included in your anti-malware, use XP/Vista’s builtin firewall

However, as I mentioned at the start of this article, there will be things that can slip through. So what do we do next? How do we protect ourselves from threats that even the largest companies that offer protection cannot touch? Many times this is just a matter of:

Sound reason & Knowledge

I then continued on to illustrate what sound reason is when you browse the internet, use your e-mail and use communities or instant messaging. In this section I talked about issues such as attached files or file transfers from unknown users or senders, and why you should not just click Yes/I Accept/Next without reading and seriously considering why you are asked. I also discussed the social issues and identity security issues posed by sites like MySpace and in particular Facebook. You know, the real essentials of this whole seminar: what you really, really should not do when being asked to do something; to use your sound reason.

And then we have the “Knowledge” part. How do you teach a user to behave in a secure way and recognise indicators of foul play in 10-15 minutes? Quite hard, wouldn't you say? ;) I reasoned like this: knowledge is part experience and part theory. If you have seen someone get their machine infected in some way or another, then it is highly unlikely that you will repeat the same mistake (or… hopefully it's “highly unlikely”). So I decided that the best way to teach users what to avoid was to actually show them some of the warnings they should pay special attention to and also demonstrate some social engineering tricks used by malware today.

One of the examples that worked the best was a login page for a large Swedish bank which I had modified to “ring alarm bells” by faking an invalid SSL certificate. I then named that slide “The internet banking service - Find the error”.

No one was able to spot the error.

And I was even using Vista, which showed the whole address bar in red with a big “Certificate Error” shield at the end. Anyhow, I went on to tell them why this was a bad thing, and from now on they are probably going to pay more attention to these kinds of errors.

Another example that seemed to make some people move around a bit in their chairs was the Storm worm's Halloween spreading mechanism with the dancing skeleton. Especially after I explained what Storm was designed to be able to be used for (credit-card gathering, spam, DDoS, well… everything). As I saw their reaction I even threw out an old classic a colleague of mine told me to say: “They can even turn on your webcam and see what you do in the room”. Heh.. yeah.. I know, a bit evil, but it fit perfectly into my talk and they seemed to get the point now.

Now there was not very much time left for me to spend, so I finished off with a recap of the questions from the beginning and also took a short slide on the corporate aspects. If they as private persons could suffer such financial loss and make it easier for others to conduct criminal activities, what could happen if their work computers, or computers that they connected to their workplace with, got compromised? I asked them to consider the following possible implications of this kind of intrusion:

  • Money. Large amounts of money. Either through direct loss or industrial espionage.
  • Money. In the form of work-hours needed to clean up a widescale infection (including specialist help)
  • Brand and Reputation. The damage caused by their network spreading malicious software or distributing confidential client information.
  • Their personal freedom as in the restrictions put on their browsing, messaging and other aspects. Probably there is some checks on this today, but how will that change after an intrusion? Upper-management will want to restrict as much as possible to prevent this from happening again.

Yes, I know the last one is kind of a moot-point (as everything should already be locked down) but I needed to give them a personal connection to the trouble that could be caused, and -oh my god- if they cannot access their hotmail one day ;)

And then I finished off with the “The End - Questions?” slide and took some of them. What was interesting about the questions was that a lot of them were regarding the codec fakes that I had discussed in my “Sound Reason” section. I did not expect this to be as prominent, as most infections we receive through the support line have entered through the web browser with the help of security vulnerabilities or other means; we almost never hear anything about the fake-codec angle (good thing?/bad thing? :)). But I guess that Sunbelt Software is really doing a good thing drumming on about the sites that are advertising those.

Ok, that was it. I would really like any comments that you might have, so please drop me a line at: daniel(dot)nystrom ( a ) icmpecho(dot)com!

I downloaded and listened in on the web application security talk that Jeremiah Grossman (WhiteHat Security, coordinators of the talk), Robert “RSnake” Hansen (SecTheory), Chris Paggen (Cisco) and Jordan Wiens (Network Computing) had. This was an unscripted roundtable discussion and it was very interesting to me, as I'm not so skilled in the areas that they discussed (getting there, more on that in later posts). Full info on the talk can be found at:

http://jeremiahgrossman.blogspot.com/2007/11/live-online-roundtable-episode-1.html

For me, the part of the talk dealing with WAFs (web application firewalls) and normalization of input was quite interesting. As discussed, there really is no good way to do it if the customer or developer does not know the way their server and web apps handle input (and output, for that matter) and which features are needed. However, if there is good documentation of the web app that is to be protected, you might get away with some normalization (and then why not do it). WAFs in general are not something you “just plug in”, and some more fine-tuning will most likely be needed if normalization is something that you want to do.

Another thing that I thought was actually more interesting was hearing these people, who are specialists in web security, discuss the PCI DSS and what their experience of and comments on it were.

One good thing with the PCI DSS is that for a CTO/administrator/security engineer who is really dedicated to providing good security for his company and its clients, the standard can be used to push up security budgets and raise awareness in upper management. However, the money will also have to be well spent, and that's where some of the participants see a problem.

That problem is that companies and departments with dedicated budgets will try to hold down costs, sometimes even if they have the money needed for a thorough security solution, all for increased profit. This in turn might lead them to cheaper and less reliable certified scanners and vulnerability testers that might not find holes where there actually are plenty. What does this lead to? Well, not much for those trying to fulfil the PCI's requirements, as they will still pass (AND with no problems detected, wohooo). The cost, as usual, ends up with the customer who gets his or her credit-card data stolen from the site.

An update on this was posted by RSnake (one of the participants) on 11/11-07.

Another topic regarding the PCI DSS that was discussed was its lack of clarity in certain paragraphs, which might lead to total or partial circumvention of the standard. No comments regarding this, but it does indeed sound pretty serious if that's the case ;)

More information on the PCI DSS here. And I also recommend you all to visit the link in the top of this post and listen to the whole webinar.

Cheers,