Tuesday, September 30, 2008

Cross site request forgery - What comes next?

A pair of Princeton University researchers announced Monday that they have discovered cross-site request forgery (CSRF) vulnerabilities on four popular websites — ING Direct, YouTube, MetaFilter and The New York Times.

Researchers found CSRF vulnerabilities on The New York Times website which made user email addresses available to an attacker. On ING Direct's website, attackers could open up bank accounts on behalf of a user and transfer funds into their own account.

Read the full article here: http://www.scmagazineus.com/Popular-websites-fall-victim-to-CSRF-exploits/article/118564/
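The two findings above share one root cause: the site acted on a request without checking that the logged-in user actually intended it. The defence a practitioner would want is shown below as an added example (not code from the original post or from any of the sites mentioned): a session-bound CSRF token plus an Origin/Referer check on state-changing requests. The secret key, site origin and request dicts are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlparse

# Constructed for this example: a real deployment loads both from configuration.
SERVER_KEY = os.urandom(32)
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Token = nonce + HMAC(key, session_id:nonce). Bound to the session, so a token
    taken from another session does not validate, and no per-token state is stored."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token, session_id, key=SERVER_KEY):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def origin_allowed(headers):
    """Independent second check: the browser sends the requesting page's Origin
    (or Referer), so a form posted from another site is visible as such.
    Fail closed when neither header is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def handle_transfer(request, session_id):
    """Mock handler for a state-changing action such as a fund transfer.
    `request` is a constructed dict with keys "method", "headers" and "form"."""
    if request["method"] != "POST":
        return "405 state changes only via POST"
    if not origin_allowed(request["headers"]):
        return "403 cross-site origin"
    if not verify_csrf_token(request["form"].get("csrf_token"), session_id):
        return "403 missing or invalid CSRF token"
    return "200 transfer accepted"
```

The token lives only in the page served to the user, so a cross-site request can carry a matching cookie but never a valid token.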

1SSA - Security consulting, training and products: http://www.1ssa.net

Monday, September 29, 2008

Adobe Exploit toolkit in the wild

An Adobe exploit toolkit has been discovered in the wild. It seems to have already reached a quite mature state, with all kinds of features that can make a security professional's life miserable. PDF, once the trusted format for exchanging information with untrusted parties, can now become another victim of its own functionality.

The full article can be found here: http://www.scmagazineus.com/Adobe-vulnerability-exploits-are-mounting/article/118456/


Friday, September 26, 2008

Brits happy to hand over password details for £5 gift voucher

This should tell security professionals something...Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the public at large take a hard line on firms who fail to keep tight hold of customer data. Maybe a topic for the next security training session?

Read the full article here: http://www.theregister.co.uk/2008/09/26/security_breach_attitudes_survey/


Cloned US ATM cards used in the UK at self checkouts

Plastic money, no matter in which form (ATM card, credit card, debit card and so on), has a significant flaw. US-issued cards fall back to using the data from the magnetic stripe in cases where the card does not support Chip and PIN. For the longest time, card readers and writers that could write that information were not available to the public, at least in certain countries, and that was already the flaw. Nowadays it is very easy to copy such cards, or to create them once you have the information that needs to go on the card.

Read the full article at: http://www.theregister.co.uk/2008/08/29/cloned_us_atm_cards_in_uk/


Passport snooping public servant faces year in prison

A bored former State Department analyst faces up to a year behind bars as a result of his penchant for reading the passport files of celebrities. In our information-overloaded society: access rights, trust and the ability to make an informed decision (i.e. what does an airport TSA screener know about my computer files? A separate post on this topic is coming).

Read the full article at: http://www.theregister.co.uk/2008/09/23/passport_snooping_plea/


Thursday, September 25, 2008

World's electrical grids open to attack

History repeats....doesn't that sound like something we had 10-12 years ago? People discovering buffer overflows in all kinds of applications. Now hackers and security experts are discovering the edge technologies of IT, e.g. SCADA.

Read the full article: http://www.theregister.co.uk/2008/09/25/abb_critical_bug/


Wednesday, September 24, 2008

US and China top cyber attacker list

According to a study the United States tops the list of cyber attackers against SecureWorks' clients with 20.6 million attempted attacks originating from computers within the country.

China ran second with 7.7 million attempted attacks emanating from computers within its borders. This was followed by Brazil with over 166,987 attempted attacks, South Korea with 162,289, Poland with 153,205, Japan with 142,346, Russia with 130,572, Taiwan with 124,997, Germany with 110,493, and Canada with 107,483.

The only two questions I have are: What is your customer base? Is it distributed evenly across the globe? Studies/Statistics can sometimes paint a wrong picture, even though I believe that the overall distribution of attackers could be right.

Having talked with a friend in China, I get the impression that they are in a phase of Internet adoption that we had back in 2000: not much strategic thinking around security. (For example, today ISPs in the US offer free antivirus software. They have learnt that a worm spreading across their customer base only backfires on them, with congested networks, unhappy customers, etc. Investing in a free antivirus solution for their customers helped and in the end paid for itself.)


Tuesday, September 23, 2008

Certification still pays for CISSPs, CISMs

Of 165 IT certs, 17 increased in value, 7 of them being security certs. The trend started with compliance concerns, and security awareness has grown from there. With increased awareness comes a greater need for experienced security pros to manage security plans and systems. Info Sec has proven to be one of the most stable IT niches.


Two-thirds of US companies victims of cyber-crime in 2005

According to a report compiled by the US Department of Justice (DoJ), two-thirds of the companies replying to its survey have been victims of cyber-crime. The DoJ received more than 7800 replies to its request for information, that is 23% of the requests sent out.

Read the report here:
http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf
http://www.ojp.usdoj.gov/bjs/pub/press/cb05pr.htm


Monday, September 22, 2008

Kaspersky with new patents...faster and better in recognizing rootkits

Kaspersky has registered several patents with the US patent office. Most of them aim at increasing speed (most readers know that this is a favorite topic of mine), but there are also new approaches to finding rootkits. Overall none of the patents is really new, according to AV-TEST, a website that tests antivirus solutions.

Here is one of the patents:
http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%252Fnetahtml%252FPTO%252Fsrchnum.htm&r=1&f=G&l=50&s1=7392544.PN.&OS=PN/7392544


DNSSEC for .gov

According to a Network World article, the US government has decided to deploy DNSSEC, a technology that replaces the old, venerable DNS service that is used to look up the Internet addresses of websites and email servers. The old system was the target of multiple attacks in recent years and was never designed for the Internet as it is used today.

Read more at:
http://www.networkworld.com/news/2008/092208-government-web-security.html?fsrc=rss-security


Sunday, September 21, 2008

After Trend now Kaspersky...killing Windows Vista

After Trend Micro, now Kaspersky: both vendors released updates to their antivirus products that identified valid (not infected) Windows Vista system files as infected and deleted or quarantined them. As a result, users got stuck after a reboot with the famous blue screen. The latest signature files should address the issue. The question that comes up is where we are heading with the signature-based anti-virus approach. It slows systems down more and more due to the constantly increasing number of virus signatures that need to be checked, and how much longer before we run into the issue of valid files being identified as infected (maybe we have reached that point already)? A signature is only a few bytes long, and some vendors have other methods to check for an infection, but one thing we learnt from those two incidents is that it is not fool-proof.

For the German speakers, here is a link to Kaspersky's German forum with lots of "stressed" users:
http://forum.kaspersky.com/index.php?showtopic=85001



Friday, September 19, 2008

Clickjacking...what comes next?

Clickjacking is nothing new, but so far nobody really came up with a way to use it for bad things. I guess this has changed: some guys tried to present their discovery at the OWASP (Open Web Application Security Project) conference in New York this month, but I guess there was too much explosive material in it and the presentation was canceled. So what is clickjacking? It makes a user click on a link, button, etc. that is only visible for a short time or hardly visible.
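Because the user is tricked into clicking a page that is rendered inside someone else's frame, the server-side mitigation is to tell browsers not to frame the page at all. The following is an added example (not code from the original post): a WSGI middleware that sets the anti-framing headers, plus an audit function that flags responses lacking them. The toy application and header values are constructed for the example.

```python
from io import BytesIO

# Headers that make browsers refuse to render the page inside a third-party frame.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def clickjacking_guard(app):
    """WSGI middleware: append anti-framing headers to every response unless
    the wrapped app already set the header itself (its policy wins)."""
    def guarded(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [h for h in ANTI_FRAMING_HEADERS if h[0].lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, patched_start)
    return guarded


def framing_findings(headers):
    """Audit a response header list; returns a list of problems (empty means protected)."""
    lower = {name.lower(): value for name, value in headers}
    findings = []
    if lower.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if "frame-ancestors" not in lower.get("content-security-policy", ""):
        findings.append("CSP lacks frame-ancestors directive")
    return findings


def call_app(app, path="/"):
    """Minimal WSGI driver so the example runs without a server.
    Returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.input": BytesIO(b"")}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def bare_app(environ, start_response):
    """Constructed toy application: a clickable action with no framing protection."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<button>Transfer funds</button>"]
```

Run the audit against your own responses: anything with findings can be loaded in a hostile frame and is a clickjacking candidate.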

I personally was thinking about this for years, being annoyed by Windows' behavior of switching the focus of windows right in the middle of my typing a password...I think most of us had that happen to us, at least some of us power users ;-) This might not qualify as a clickjacking attack, but for sure it is annoying, and it has resulted in at least one of my passwords going out via IM message to a friend.

Read more about clickjacking (or why nobody should know about the security problems associated with it) here:

http://ztrek.blogspot.com/2008/09/possible-clickjacking-security-flaws-in.html
http://ha.ckers.org/blog/20080915/clickjacking/
http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html


Wednesday, September 17, 2008

NSA snooping on cell phone calls

According to a posting on Bruce Schneier's blog the NSA seems to have triggered a new market for data mining in the cell phone space.

Read the full post here:
http://www.schneier.com/blog/archives/2008/09/nsa_snooping_on.html


Phishing is out and Trojans are back in according to an APWG report

According to the latest report released by the Anti-Phishing Working Group (APWG), there is a trend of websites being used to distribute malicious code (Trojans), and their number has now outnumbered the number of phishing attacks.

You can download the report from here:
http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf

Business Week website hacked - Another victim of SQL injection

And another prominent victim of a SQL injection attack. Most people do not know it, but tools are now widely available to automate such attacks. Sooner or later the attacker will find a vulnerable site where the tool is successful....scary, but in the battle of good and evil we are unfortunately always one step behind.

Here is the full article on Sophos' blog:
http://www.sophos.com/security/blog/2008/09/1777.html

Monday, September 15, 2008

Hackers infiltrate Large Hadron Collider systems

Hackers have mounted an attack on the Large Hadron Collider, raising concerns about the security of the biggest experiment in the world.


Saturday, September 13, 2008

Cloud computing may draw government action - Network World

Cloud computing has been pitched as the silver bullet for resource management. Big players are already offering it. Now it draws some more attention and I think some of the concerns are quite justified.


Friday, September 12, 2008

iPhone records all user actions according to an iPhone hacker

That is what we need, another privacy issue...The iPhone is recording everything users see and do on their devices, for caching purposes, an iPhone hacker has said.

Read the full article at: http://news.zdnet.co.uk/security/0,1000000189,39487429,00.htm


Wednesday, September 10, 2008

Stolen laptops at airport number too high?

Seems like Computer World magazine did not buy into a common study that claims that thousands of laptops get stolen every week at US airports. The numbers seem a little high, and Computer World did some research. Here is the link:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9107799


Tuesday, September 09, 2008

PwC in Germany loses an unknown amount of user data, including clear-text passwords

You would expect that one of the leading audit companies would play by the rules it preaches to its customers. But it seems that PricewaterhouseCoopers (PwC) in Germany had a major security breach, according to ZDF, the German public TV channel. At least 56,000 users of their online application system have been affected. To make it worse, PwC is currently not sure how many data elements have been affected. But to top the whole story: the passwords used by applicants were stored in clear text (!!) and have been used for attacks on online payment systems like Moneybookers and Click&Pay, using the passwords stolen from PwC.

On a side note: according to the German magazine WiSo, which conducted a survey of 2000 users, approximately 80% of them use the same password for their online accounts. That is not surprising in our information-rich society, which requires us to have sometimes 20-30 accounts with passwords.

Here is the German online article:

http://www.heise.de/security/Gestohlene-PwC-Datensaetze-fuer-Missbrauch-von-Click-Buy-benutzt-Update--/news/meldung/115621

Monday, September 08, 2008

4 critical patches coming from Microsoft in the September patch round

The never-ending story of buffer, heap, etc. overflows...this time the full bandwidth of Microsoft products is part of it. Let's see if my PC boots up Tuesday after the patches have been applied.

See Microsoft's announcement below:

http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx

Trend Micro identifying Microsoft operating system files as Trojans

Oh well....now, after over a decade of anti-virus products, we still use pattern recognition as the primary method of identifying malware....I guess either we are running out of patterns or Trend Micro was a little too aggressive ;-)

Recent updates from Trend Micro Internet Security, patterns 5.521.50 and 5.525.50, detected Microsoft operating system files as Troj_Generic or Troj_Generic.ADV and quarantined them.

Read the Trend Micro Support update here:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038089

Thursday, September 04, 2008

The Number of Machines Controlled by Botnets Has Jumped 4x

Increasing number of compromised machines in botnets.


Wednesday, September 03, 2008

Study: 88% of IT Pros Would Steal Passwords or Data if Fired

If you needed another reason to keep your sysadmins happy: Out of 300 IT pros polled by security company Cyber Ark, 88% said they would steal sensitive data or futz with master login passwords if they happened to be fired.


Security spending continues despite shaky economy, Forrester

An uncertain economy is causing many companies to do some budget tightening, but the continued barrage of data breach news has helped keep data security a priority in most company board rooms, says Khalid Kark, a principal analyst at Cambridge, Mass.-based Forrester Research Inc. In this interview, Kark shares some of the details of a recent securi


Procter & Gamble outsources security to IBM, but keeping security staff

Outsourcing is a reality nowadays, and if done right it can create win-win situations for everyone involved. Standard tasks that overwhelm security professionals nowadays are one candidate for outsourcing. Seems like someone at Procter & Gamble understood that.

Here is the full article: http://www.networkworld.com/news/2008/082908-procter.html?fsrc=rss-security

1SSA can help with evaluating what and how to outsource security!

Tuesday, September 02, 2008

Hackers attacking Iraq's vulnerable computers

It seems that we have reached a new level of the war against terror, at least in Iraq. Now that the infrastructure is halfway working again, hackers are attacking computer systems.

Read the full article at: http://www.usatoday.com/tech/news/computersecurity/hacking/2008-08-28-iraqhackers_N.htm

Online Gamers target of Virus authors

I was kind of amazed to hear this, but it kind of makes sense. Online gamers have emerged as the primary target of virus authors. Even the virus discovered on the space station some weeks back was targeted at online gamers. According to NOD32 producer Eset, Win32/PSW.OnLineGames was, with 13 percent, the #1 virus in July. McAfee even estimates that a stolen WoW account is worth $10, more than stolen credit card data, which is valued at 50 cents (!!) nowadays.

Here is a nice report that McAfee has put together: http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_online_gaming.pdf

Data breaches in 2008 outpace 2007's

The number of data breaches reported in 2008 has surpassed those reported in 2007, according to the Identity Theft Resource Center (ITRC), a non-profit organization tracking the statistics.

See the full article at: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327048,00.html?track=sy160

Monday, September 01, 2008

VMware - security problems

It is kind of "cute" to talk with folks that are specialized in virtualization...it reminds me of the times when a new OS had to be more secure....sure it is more complex, but for that reason it must be more secure....hmmmm...I think at least with OSes we have learnt that a new release does not always mean more security. With VMware, for years everyone believed that it made the world more secure...lately VMware is cranking out more and more patches. This time to prevent address information disclosure, privilege escalation and other security issues....whatever that means. Reality is that we take physical controls and emulate them in the VMware system....what comes next?

Here is the VMware announcement: http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0510.html

USB stick/Thumbdrive - AES encryption cracked

Wasn't everyone relieved when we finally saw USB sticks/thumb drives (and whatever other names those little fellows got) come up with AES encryption? Expensive, but worth the money, protecting the valuable company data with hardware encryption...correct...oh well...it's all in the details. According to c't, a German computer magazine, at least one of the encrypted fellows has been cracked.

According to the magazine there is a serious flaw that the developers of the encrypted USB thumb drive stumbled over: a security process that most of us should be familiar with, storing already used passwords to check if a user really changed the password. BTW...the USB stick was FIPS 140-2 certified....ouch!

If you can read German, here is the link to the full article:

http://www.heise.de/security/USB-Stick-mit-Hardware-AES-Verschluesselung-geknackt--/artikel/113014
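Both the PwC breach above (passwords kept in clear text) and this USB stick (old passwords kept so reuse can be detected) come down to the same design mistake: the secret itself is what gets stored. The following added example (not code from the original post, the magazine or any vendor) shows the alternative a practitioner would expect: only salted PBKDF2 hashes are stored, and the "was this password used before?" check is done by re-deriving the candidate against each stored salt. Iteration count, history depth and the sample account are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 100_000
HISTORY_DEPTH = 5  # how many retired passwords a user may not reuse


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per password means equal
    passwords produce different records, so the history reveals nothing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Account:
    """Stores only salted hashes: the current one plus a bounded history.
    The clear-text password never reaches storage, which is the property
    both incidents discussed on this page lacked."""

    def __init__(self, password):
        self.current = hash_password(password)
        self.history = []  # list of (salt, digest) for retired passwords, newest first

    def login(self, password):
        return password_matches(password, *self.current)

    def change_password(self, old_password, new_password):
        if not self.login(old_password):
            return "rejected: current password incorrect"
        # Reuse check on hashes only: re-derive the candidate with each stored salt.
        for salt, digest in [self.current] + self.history:
            if password_matches(new_password, salt, digest):
                return "rejected: password was used recently"
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new_password)
        return "changed"
```

Whoever obtains the stored records gets salts and digests, never the passwords that users reuse on their payment and banking accounts.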

BBC - Man's 'pants' password is changed

According to a BBC news report, the British bank Lloyds TSB had an incident with a customer who had his password changed by one of its employees. Sounds to me like a serious problem with access rights and the password change process in general.

'A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not". Steve Jetley, from Shrewsbury, said he chose the password after falling out with Lloyds TSB over insurance that came free with an account.
He said he was then banned from changing it back or to another password of "Barclays is better". The bank apologised and said the staff member no longer worked there. ' - BBC

Read the full news report here: http://news.bbc.co.uk/2/hi/uk_news/england/hereford/worcs/7585098.stm

Welcome to 1SSA's security blog!

Welcome,

This is the new 1SSA blog with the latest security news!

Daily updates will bring you the latest news around Information Security.

Regards,

Frank Siepmann