About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

MX Injection Testing Available

In reference to the previous post, our partner Syhunt has added MX injection testing capabilities to their Sandcat product. Of course, this is in addition to the thousands of other tests already being performed by the tool.

Sandcat is an excellent tool for performing checks of web servers, web applications and such for potential and known vulnerabilities.

MSI is proud to represent Syhunt in the United States, and we use Sandcat as a powerful addition to our toolkit. If you would like more information about Sandcat or MX Injection, please call your MSI account executive and schedule a time for a technical briefing with an engineer.

MX and other injection vulnerabilities are an emerging risk, and more information will be coming over the next several weeks and months as researchers, tool makers and vendors in the security community begin to evaluate the product lines and software applications common to most organizations. Stay tuned for more on this family of issues as it becomes available.

Injection Attacks – Not Just for SQL Anymore!

Over the last several months security researchers have been identifying more and more scenarios for performing injection style attacks against various applications.

What is interesting about this is that many of the new injection issues have little to do with SQL. In fact, LDAP queries and Server Side Includes (SSI), along with various forms of command injection, code injection and response splitting/spoofing, have all proven to be targets for this family of input attacks: anywhere untrusted input is pasted into a string that another component will parse as syntax.

In a recent article about a new variant, called MX Injection, techniques for attacking and compromising various web-based mail applications are disclosed: user-supplied parameters are carried through the webmail front end into the IMAP or SMTP commands it sends to the mail server, so an attacker can smuggle commands of their own to the back-end server. Using these types of exploits could prove a serious danger to organizations, exposing their internal communications and data stores to attackers, or even allowing compromise of underlying systems (depending on what the data stores contain).
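To make the mechanism concrete, here is an added example (my own illustration, not code from the original post, from the MX Injection article, or from any webmail product). It assumes the general shape of this injection class: a webmail application builds an IMAP SELECT from a user-controlled mailbox name, and a CRLF inside that name lets the attacker append a second command. The payload, the mailbox names and the simplified server-side reader are all constructed for this example. The hardened builder rejects control characters and sends the name as an IMAP literal ({n}CRLF followed by n bytes, per RFC 3501), so the server treats the bytes as data rather than command text.

```python
import re

# Constructed sample input (not from the original post): a mailbox name
# that smuggles a second IMAP command after a CRLF.
MALICIOUS_MAILBOX = 'INBOX\r\nA002 LIST "" "*"'

# Constructed benign name containing a double quote, which a naive quoted
# string would also mishandle but a literal carries cleanly.
BENIGN_MAILBOX = 'Notes"Archive'


def build_select_vulnerable(tag: str, mailbox: str) -> bytes:
    """Pastes the user-supplied mailbox name straight into the command text.

    Any CRLF in `mailbox` ends the SELECT early, and whatever follows is read
    by the IMAP server as a fresh command from the webmail application.
    """
    return f'{tag} SELECT "{mailbox}"\r\n'.encode("utf-8")


def build_select_hardened(tag: str, mailbox: str) -> bytes:
    """Rejects control characters, then sends the name as an IMAP literal.

    A literal tells the server exactly how many bytes of data follow, so those
    bytes are never parsed as command syntax. The explicit rejection of CR, LF
    and NUL is defence in depth: a literal alone would carry them safely, but a
    mailbox name has no business containing them.
    """
    if not 0 < len(mailbox) <= 255:
        raise ValueError("mailbox name length out of range")
    if re.search(r"[\r\n\x00]", mailbox):
        raise ValueError("control characters are not allowed in a mailbox name")
    data = mailbox.encode("utf-8")
    return f"{tag} SELECT {{{len(data)}}}\r\n".encode("utf-8") + data + b"\r\n"


def split_commands(stream: bytes) -> list[bytes]:
    """Splits a client byte stream into commands the way an IMAP server does.

    A command ends at CRLF, except that a line ending in a literal marker {n}
    is followed by n bytes of data belonging to the same command. (A real
    server also sends a '+' continuation before reading the literal; that
    exchange is omitted because it does not affect the command boundaries.)
    """
    commands: list[bytes] = []
    current = b""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            current += stream[pos:]
            break
        line = stream[pos:end]
        pos = end + 2
        current += line
        literal = re.search(rb"\{(\d+)\}$", line)
        if literal:
            n = int(literal.group(1))
            current += b"\r\n" + stream[pos:pos + n]
            pos += n
            continue
        commands.append(current)
        current = b""
    if current:
        commands.append(current)
    return commands


def injected_command_count(mailbox: str) -> int:
    """How many commands the server sees when the vulnerable builder is used."""
    return len(split_commands(build_select_vulnerable("A001", mailbox)))


if __name__ == "__main__":
    for cmd in split_commands(build_select_vulnerable("A001", MALICIOUS_MAILBOX)):
        print("vulnerable server sees:", cmd)
    for cmd in split_commands(build_select_hardened("A001", BENIGN_MAILBOX)):
        print("hardened server sees:", cmd)
    try:
        build_select_hardened("A001", MALICIOUS_MAILBOX)
    except ValueError as exc:
        print("hardened builder rejected payload:", exc)
```

Run stand-alone, the vulnerable builder turns one SELECT into two server-side commands (the second being the attacker's LIST), while the hardened builder refuses the payload outright and, for legitimate names with awkward characters, produces a single command whose data the server cannot misread. The same pattern (validate, then use the protocol's own data-encoding rather than string concatenation) applies to the LDAP, SSI and command-injection cases mentioned above.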

Given attackers' focus on new application-layer techniques such as these, every organization should quickly inventory its exposed applications and ensure that those systems have been appropriately tested for the various injection issues. Additionally, since these techniques are continually evolving, a program of ongoing application testing is likely to be the most effective protection against these emerging threats.

The World Needs “Open Source Security Best Practices”

We continually get client questions about best practices across a myriad of different ideas, technologies and strategies. Put four or five information security teams together and some of the basics shake out, but the higher-level best practices remain “under discussion”.

We need a better way to make this happen. We need a wikipedia-like, open source discussion mechanism for best practices that can bring people together, establish baselines and encourage discussion of the sticking points. I would have MSI attempt this, but as a vendor, it would rightly be viewed as a conflict of interest. That said, someone needs to support an interactive way to make this discussion feasible, free, open and accessible. SANS, OWASP, CISecurity and others are all good starts and highly influential as organizations, but we need some open group to establish an open forum that creates, revises and reaches consensus on best practices for everything from system settings to physical access processes.

Perhaps this exists already and I just can’t seem to find it. But, neither can the other folks that ask for this type of information. If it is out there, we as infosec professionals need to do a better job of making it known.

If you have an organization willing to undertake such a project, or are willing to lead a group to undertake such a task – drop us a line. We would love to contribute.

Safe Travels For the Holidays

As we Americans depart for the Thanksgiving holiday, we often engage in a large amount of travel around the country. This year, I would like to have all of our readers pay special attention to the safety measures being used to protect you as you travel about.

On the roads, check out the numbers of police, their laser/radar guns and the automated systems they have been placing around the country for the last year or more. Do these deployments and tools really make you safer, or do they just make you feel safer?

At the airport, you will be asked to remove your shoes, place your laptop in a bin and put everything liquid into a clear plastic bag. Do any of these processes actually make you safer? Does having someone look at a clear liquid in a baggie make it more or less safe, or is this security theater?

Even trains, buses and other forms of public transportation have begun to deploy similar techniques and new technologies. What is the value of these mechanisms?

So, as you travel this year, please pay attention, ask questions and compare the implementations to the risks. Some of the steps out there certainly make sense and protect us. In my opinion, many others are simply a waste of time, money and resources, since they provide little more than a feeling of safety: security through theater.

You decide. Maybe together, enough of us can help those in charge of such things make better choices about solutions. Maybe we can get them to focus on real risks, real threats and effective mitigations…

Either way, have a safe and happy holiday!

Don’t Forget to Vote

Tomorrow, Tuesday 11/07/06, is election day in the US, so don’t forget to vote. The polls are open in most states before and after work, so take a few minutes and let your voice count.

PS – In some states, Ohio included, make sure you remember to bring your ID in order to vote. Check with your local election officials for requirements.

Insider Theft Incident – CEO Arrested

What can you say? It doesn’t get more serious than when the CEO is the source of the threat to the organization’s assets.

In this story (“CEO of MSP … Arrested”), a CEO is being charged with identity theft on a large scale. In this era of corporate governance and high penalties for abuse of one’s position, this will be one case to watch.

The story is via VAR Business and is pretty interesting. It is an excellent example of how identity theft from insiders has become “all the rage” in attacker circles.

Follow this one as it goes into trial. It promises to lay some groundwork for further prosecution of insider thieves to come.

Worry About the Basics

I have talked to many organizations in the last few months that are all wrapped up in deploying new security technologies and making elaborate plans for securing their organization. The problem is many of these same organizations have yet to get the basics right.

It does little good to invest in new IPS technologies, encryption widgets, automatic defensive packet switches, uber biometric scanners and other gadgets if your employees simply give out their passwords when asked, continue to click on suspicious email attachments and throw away scraps of paper with the keys to the kingdom on them. As in Neil’s earlier post, some users just continue to be the weakest link.

How can IPS help you if you can’t keep your systems patched? Maybe it could be used to stop some attacks, but without omnipresent visibility it won’t truly defend you; it just gives you a false sense of security. That’s the problem with relying on technology and gadgets to secure your organization: without strong policies and processes and effective awareness to go with them, you might as well throw your money out the window instead of buying some new whiz-bang piece of hardware or software that the vendors say will solve your problems.

The basics of infosec haven’t really changed. You still need a set of policies and processes that explain how the organization operates, how you will secure and handle data and how your users are to act. They need awareness training on these processes and policies so that they know how to act, how to handle data and what you expect them to do when something bad happens. THEN, you need technology to enforce the rules, audit for “bad stuff” and protect you against users who make poor choices. That truly is the role of effective security tools.

So, before you invest in the next overreaching security vendor “silver bullet”, take a moment and ask whether those same dollars could be better used in helping your organization do the basics better. If the answer is yes, then quietly excuse yourself from the presentation, go back to your office and implement a plan to address the root of the problem. Otherwise, buy away, keep looking for point solutions and keep wondering why your users are still throwing passwords in the dumpster…

3 Quick Thoughts and Updates

As we blogged about earlier in the week, core processing systems continue to be a focus for security teams. This week has seen additional new issues in HP-UX, Oracle, and various other related applications. Please take a moment to look through your patch levels and ensure your core systems are up to snuff.

In other news, PHP vulnerabilities are continuing to soar. Attackers are very focused on PHP problems, new vulnerabilities and exploiting vulnerable systems. PHP-based systems should be reviewed on an ongoing basis with up-to-date tools to help guard against problems. Security issues with PHP have been identified in thousands of PHP applications, in common patterns of PHP use, and even in some of the design tenets of the language itself. While groups are working to educate PHP users and harden the code underlying the language, PHP is likely a risky undertaking for most businesses to be considering today. It is surely powerful, efficient and easy to use, but many organizations have outlawed it, claiming it is simply too insecure for “prime time” web applications.

As an aside, BT Group has announced an acquisition of Counterpane. Congrats go out to Bruce and team for their hard work. BT has gotten a strong visionary out of the deal, and with the likes of Marcus Ranum and other talented folks on staff, look for some great things from them in the future.

Core Processing Systems under Security Stress

Looks like there are quite a few issues emerging with the various systems and components that many banks and similar institutions use for their core processing. The last few weeks have seen issues in Oracle, MySQL, AIX, of course Windows, and various supporting tools and services.

Given the importance of core processing availability to most financial institutions, many are hesitant to patch their production systems associated with these critical functions. However, just the opposite should be true. These systems should be among the first patched to various vulnerabilities – of course – once a patch has been properly tested and vetted in their backup, lab or QA environment (they all have those, right?).

Certainly, increased pressure on patching these systems is coming from legal compliance and regulatory requirements, but financial organizations should ensure that they have an action plan for maintaining the patching and security of these systems precisely because of their criticality to the life of the organization. Taking a “wait and see” or “it’s working so don’t mess with it” approach could be a severely damaging error on the part of IT and management.

Core processing vulnerabilities are going to continue to emerge and present themselves as critical issues. Getting a process for managing them put into place is an excellent idea, the sooner the better.

Approaches to Application Security Testing

I just wanted to post this pointer to another article of mine that ITWorld is running. This one is an explanation of some ideas of different approaches to doing security testing of applications.

If you are considering app testing, and want to get an overview of pen testing, code review and hybrid processes, this is probably a good start. You can then dig deeper into the mechanisms via sites like OWASP, SANS, etc.

You can find the article here.