Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Content Management System Research Project – Some Results

Posted on by
2

As I referred to earlier, our team has been doing some research on popular content management systems and potential security vulnerabilities in them. We were doing this as a part of a review of the Syhunt Sandcat4PHP product that our partner has released.

As a part of that project, we have identified significant vulnerabilities in each of the popular content managers we reviewed. Several of the products were found to have various types of injection vulnerabilities (SQL/command/etc.), arbitrary file disclosure and access issues and tons of cross-site scripting (XSS) problems. We are now in the process of notifying each of the product teams about the vulnerabilities we identified.

How bad were things? One word, abysmal…

Here is an inside glimpse of the raw math of the scanning tool’s findings:

CMS                    Injections & File Issues            XSS                   “Risk Rating”

==================================================

Bitweaver                         37                                 7                          42.25

Drupal                             97                                 2                           98.50

Joomla                               4                               15                           15.25

Mambo                             45                             207                        200.25

WordPress                          5                             166                        129.50

** The “risk rating” was based upon each injection and file issue being given a score of 1.0 and each XSS being given a score of .75, then adding them together. It should be noted that this was an arbitrarily chosen mechanism created to give a simple basis for comparison and is NOT reflective of any specific risk rating system or the like. Also, no general weighting or anything is included, so I use the term “risk” loosely…

I also dropped the data into InspireData, a quick and dirty visualization tool I like to play with. It produced these quick images (Note that you can download them for a clearer view):

CMSRiskScore.jpg

This graph shows a plot of the “risk score” by the product tested.

CMSByVulnMap.jpg

This graph shows a matrix of the products plotted across an axis for Injections and File Leaks and an axis for XSS. Interestingly, the red lines show the mean values of the plot just for a quick reference.

As I said before, our team is in the process of contacting each of the CMS projects that we tested and will be disclosing the vulnerability information to them for their mitigation. Our team did some basic testing and analysis on the data that the Syhunt tool found and determined it to be pretty good at finding the issues. We found very few false positives, and the ones we did find were areas where other functions are involved in testing inputs beyond the initial layer of the source code.

The Syhunt tool did very well. It is a great tool for a 1.00 release and very much worth the cost. If you have PHP and javascript applications in your environment, I would suggest grabbing your team a copy. If you have applications that you would like tested by a third party, please feel free to contact us for a quote. Let us know if we can be of any assistance or if you have questions about what we did or the like.

Please note that we will NOT be making disclosures of the identified vulnerabilities at this time, so don’t ask. We will be working with the project teams to mitigate any vulnerabilities identified.

Note that all products were downloaded from public sources and are “open” projects. Versions were current as of the download date. We only scanned the source of core products, no plugins/add ons/expansions or modules outside of the core products were tested in this project. Your paranoia may vary and you should not take any of the results of these tests as advice or endorsement of any of these projects or products. Use the results at your own risk…… 😉

DNS Patches May Break Some Things…

Posted on by
Reply

I just had a quick conversation with an IT technician who alluded to the idea that more than Zone Alarm may be broken by the new port randomization behaviors of “patched DNS”. These fundamental changes to the ports allocated for DNS traffic may confuse existing firewalls and other filtering devices that are unaware of the changes to DNS behaviors.

For example, if you have filtering devices that specific port ranges defined for egress or ingress of DNS traffic, especially if you are using a non-stateful device, this configuration may need to be changed to allow for the greater port range applied to the “patched DNS” setup. Systems that are also “DNS aware” might not expect the randomization of the ports that the patching is creating. As such, filtering devices, especially at the perimeter may well need to be reconfigured or upgraded as well to allow for continued operation of unimpeded DNS traffic.

There may be SEVERAL other nuances that become evident in some environments as the patch process for the DNS issue continues to evolve. Stay tuned to stateofsecurity.com and other security venues for information and guidance as it becomes available.

More on DNS Security Issue Management – Know & Control DNS + SOHO Issues

Posted on by
Reply

Just added this to Revision 2 of the whitepaper:

Attack Vector Management

Part of mitigating the risk of this security issue is also managing the availability of the attack vector. In this case, it is essential that security teams understand how DNS resolution operates in their environment. DNS resolution must be controlled to the greatest extent possible. That means that all servers and workstations MUST be configured to use a set of known, trusted and approved DNS servers whenever possible. In addition, proper egress filtering should be implemented to prevent external DNS resolution and contact with port 53 on unknown systems. Without control over desktop and server DNS use, the attack vector available for exploitation becomes unmanageably large. Upper management must support the adoption of these controls in order to prevent compromise as this and other DNS vulnerabilities evolve.

Home User and Small Office Vulnerability

Home users and small offices (or enclaves within larger organizations) should pay careful attention to how their DNS resolution takes place. Many home and small business firewall devices such as Linksys, D-Link, Netgear, etc. are likely to be vulnerable to these attacks and are quite UNLIKELY to be patched to current firmware levels. Efforts must be made to educate home and small office users about this issue and to update all of these devices as the patches and upgrades to their firmware becomes available.

DNS Security Issue Overview & Mitigation Whitepaper

Posted on by
Reply

Our engineering team has analyzed the available data on this emerging security issue and the fixes identified. As such, we have prepared the following white paper for our clients and readers.

Please review the paper and feel free to distribute it to your management team, co-workers and others who need to be involved in understanding and remediating the problems emerging with DNS.

You can obtain the white paper here.

If your organization needs any assistance in understanding or managing this vulnerability, please do not hesitate to contact us. We would be happy to assist in any way possible.

HoneyPoint Security Server Console Upgrade and New Deployment Worksheet Available

Posted on by
Reply

A new release of HoneyPoint Security Server Console was released today. Version 2.51 includes two bug fixes and several library upgrades. The new release seems to be a bit faster on Windows systems, likely due to upgrades in the back-end libraries.

The new version fixes a bug in the math of the email alerts to system administrators where the wrong event counts would be included. It also repairs a bug that caused a crash on some systems when changing the status of multiple events. While neither of these bugs are critical, we thought the speed changes were worth a release.

The new version also includes the recently updated User Guide that now includes full instructions for installing the HPoints as a service or daemon using common tools or the tools from the resource kit.

We are also pretty happy to announce the availability of a deployment worksheet that guides new users through the deployment of the console and HPoints and helps them gather and define the information needed to do a full roll out.

We are hard at work on new HPoints and we have several that are finishing the testing process, so stay tuned for more releases soon. Updates are also underway to the Personal Edition (including a whole new GUI) and we are just starting to plan for version 3 of the console, so if you have suggestions, send them in.

Both the updates and the deployment guide are now available on the FTP server. Please use your credentials assigned when you made your product purchase to download them. If you need assistance, simply give us a call!

Corporate Data Classification

Posted on by
Reply

One of the most urgent steps that many organizations are facing in their information security program is that of data classification. While this, and role-based access controls, are two of the most critical processes in the changing security landscape, they are also two of the most painful. Many organizations do not even know where their data is located, stored, processed or used to a full extent and are spending a great deal of resources just understanding “what they have” and “how it is used”.

While knowing where the data is and how it is used is essential, organizations must also embrace some type of mechanism for classifying data. In some cases this can be as easy as creating a standard set of data definitions such as Private Identity Data, Internal Use Only, Customer Confidential, etc. and then building a policy around how data of each type is to be created, managed, stored, processes, handled and destroyed. For many small businesses, this can be a relatively small undertaking and when done right can provide a real improvement in security – IF EVERYONE FOLLOWS THE RULES.

In larger organizations, classifications may be more diverse. There may be Private Employee Identity Data, Private Employee Healthcare Data, Customer Private Identity Data, Internal Use Only, Customer Confidential or others. Many organizations even go a little wild with this and build small acronyms and/or a legend into their policy so that you can label a word document of a contract with a client something like CCC for Customer Confidential – Contracts” or even worse, they will add a department code followed by some acronym that the department heads have made up. This is where the pain gets excruciating!

At MSI, we are big supporters of keeping the classifications as simple as possible. In most cases we are able to stick with “PII” for personal identity information, “Internal Use Only” for sensitive data not to be released outside of the company, “Confidential” for data that must be protected from all eyes except the intended participants and maybe a small set of divisions for other data outside of these such as HR, Finance, M&A, HIPAA, GLBA, etc. depending on what groups need to access the data or what regulations apply to the data. Of course, these can then be added to folder names, document headers, meta-tags and the myriad of other places used to quickly identify data.

Once you get your head around a working group of classifications, then comes the next task – identifying the appropriate controls for each type of data. That process takes experience, insight into specific business processes and a lot of patience. Start with data classification, though, and then build from there. As security evolves and becomes more nuanced, those with data classification schemes in place will be ahead of the coming curve. In the future, not all data will be treated or regulated the same, so make it easy on yourself and get started with data classification as soon as you can!

Project Pre-Release – Vulnerabilities in Popular Content Management Systems Under Study

Posted on by
Reply

Over the next few weeks you will see more details from us about a project that we have been working on. As a part of our relationship with Syhunt, one of our elite partners for application security work, we have been testing and reviewing their new tool, Sandcat4PHP. The tool is a sophisticated and user friendly source code scanner for performing deep analysis of PHP applications including their surrounding javascript and HTML components.

Stay posted here for a pretty in-depth review of the new tool, its use and capabilities. We will be doing that review as a part of the project as well.

First, let me start with the purpose and the scope of the project. In the last few months we have worked with a number of clients who have had issues with the security of their content management system. More than a few of them are using popular products, but several are using proprietary tools as well. As such, we have worked on a few incidents and application reviews. That led to a pretty in-depth discussion between a couple of clients and ourselves about the state of content management system security, in general. As an off shoot of that discussion, we decided to test 5 of the most popular content managers using the new Syhunt PHP scanner, since we needed to review it anyway.

Next, we obtained a couple of lists of popular content managers. Selecting our five was pretty easy and we settled on the following:

WordPress, Joomla!, Mambo, Drupal and BitWeaver

We then downloaded the current versions of the CMS (as of that day, a couple of weeks ago…) and set up our testing environment.

We assessed the entire package, but only as downloaded from the web site. That means in most cases, that we tested only the core components and not any additional modules, plugins or components. We considered whatever was in the default download to be the basis for our work.

To date, we have begun our assessments and review of the CMS tools. We will be in contact with each of the CMS projects about the findings of the assessments and they will receive the details of the tool’s findings prior to public release of the technical details. Statistical and numeric data will also be forthcoming.

For now just let us say that we are evaluating our findings and that the tool performed very very well.

I look forward to sharing the details with everyone in the coming days.

Let me know if you have any questions about the product, the project or the work.

June Virtual Event Announced – Social Engineering Assessments Primer

Posted on by
Reply

We are proud to announce our June Virtual Event topic for the month. Please join us as we cover a primer for social engineering assessments and how they can assist you in securing your organization. As always, our virtual events are long on information and short on sales and spin. They are also FREE!

Abstract:

This presentation will cover the reasons why your organization should consider a social engineering assessment as a part of their routine security auditing processes. Examples of test scenarios will be given, along with ideas on scoping such tests. Further, ways to appropriately use the results and tips on presenting the identified issues to upper management will be discussed.

Date: Tuesday, June 26th at 4pm Eastern

To register for the presentation and to receive the PDF of the slides as well as the dial in number, please send email to info@microsolved.com with “June Virtual Event” or the like in the subject line.


Editors note: Sorry for the need to create a subject clarification, but we are holding several events this month including live and virtual versions of our State of the Threat presentations. If you need more info about those presentations, just ask. Thanks!

Increases in PHP Scanning

Posted on by
Reply

We are detecting increasing PHP scans for a series of known PHP vulnerabilities that thus far are originating from Asia.

To date, we see no new attacks, just checks for known bad pages, particularly admin interfaces and a couple of quick URLs to test for command injections. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a possible new PHP scanner. Likely, some new tool has been released that contains a plethora of PHP vulnerabilities.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into your firewall or router black hole lists. This should allow you to create a “one strike and you’re out” approach for black holing attacking systems.

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far, we have observed only known security issues. being probed.

SHOCKER – The FBI says Wi-Fi Hotspots are Insecure!!!

Posted on by
Reply

It’s hard to believe, but the FBI has recently announced that Wi-Fi Hotspots might not be secure.

I read it here, so it must be true… 😉

In a way I am glad to see public notices like this. Maybe if the FBI draws attention to the problems, average people will pay attention to the solution. Of course, their mitigation suggestions include the “keep your computer patched, use firewall and encryption” routine.

The sad part is that you can do all of these things and still fall victim to a number of security issues such as dns poisoning, DHCP spoofing, social engineering and a myriad of other problems. I guess that is a perfect reason why we push so hard for average folks to use our HoneyPoint:Network Trust Agent product. At less than 10 bucks, it adds yet more capability and ease of use to protecting even non-technical users when they are on untrusted networks, including wi-fi.

Public networks are likely to remain unsafe for users who are not vigilant for a long time to come. Firewalls and patches can help keep them safe, but until they make better decisions about information security and can resist many of the basic attacks that leverage social engineering and the like, free wi-fi will likely be a cyber-wild west for a while longer.

If you want to hear more about protecting mobile users against public network threats, drop us a line. Until then, we will wait to hear from the FBI. Maybe they can help us get the word out that there is help available for wi-fi users.