High Profile XSS

Posted on by
Reply

A security issue in Barack Obama’s website has been exploited by a user to redirect users to Hillary Clinton’s website. Visitors of the community blogs section of his website were sent to Hillary Clintons home page via a Cross Site Scripting (XSS) vulnerability. This story highlights the importance of secure coding practices, as well as finding and remediating any XSS that are found on your site. Had the intentions of the user posting the XSS been malicious, he could have infected all of the visitors with malware/spyware. Moral of the story, XSS is not a vulnerability that should be taken lightly.

Changing the World….Again!

Posted on by
Reply

In the last couple of years since we launched the HoneyPoint family of products, it has been an interesting experience. I have learned the joys and hardships of marketing a security software product. I have tried to make myself heard in an overcrowded and noisy marketplace. I would do it all over again, because HoneyPoint is the right idea and the right thing to do.

Now, MSI is again out to change the world. This week, we are launching a new release of HoneyPoint Security Server Console and officially releasing the long awaited HoneyPoint Trojan. Using these new tools, security teams can now create friendly Trojans that report information back to them whenever they are used. Security teams can gather when people access data that they should not and they can track data, documents and other pseudo-information around the world. That means that if you make jet engines, you can drop these Trojans on your file servers and anonymous FTP sites and then proceed to learn more about where they propagate!

But, that isn’t even the big news. The big deal is a new enhancement to HoneyPoint Security Server called HornetPoint. HornetPoints are the world’s first implementation of what we call “defensive fuzzing”. Like normal HoneyPoints, these pseudo-services listen on IP ports and wait for network contact. Just like HoneyPoints, they then capture the source and content of those transactions and report them to the central server. HoneyPoints, of course are often deployed to create an enterprise honeypot.

But, unlike normal HoneyPoints, HornetPoints are not a passive defense. Instead of replying with normal and expected data, the HornetPoints fuzz the expected data and mutate it into random and unexpected ways. The result is that a high number of attacker tools, worms, scanners and bot-net tools crash when the mutated data is received. Thus, HornetPoints, actively defend themselves and the network of their owners. Unlike more traditional defenses, HornetPoints don’t just guard against attacks – they break attackers and their tools!

We are just starting to populate the web site with information on these new versions and enhancements to the HoneyPoint product line. Over the next several days, we will make the new versions available and get the updated marketing added to the web site. In the meantime, if you are interested in hearing more about these new capabilities and the evolution from security to Corporate Counter Intelligence, just give us a call.

A special thanks is due from the MSI staff to those who have supported us during this process. Thanks to all of the folks who have urged us to complete the enhancements and to those who have helped challenge us to again rise to a new level. Things are certainly changing and we are all very proud to be a part of the next evolution of information security! We promise, we will continue to work hard to bring the best bleeding-edge protection and insights to all of you. As always, thanks so much for believing in us and in choosing MSI as your security partner!

OpenOffice Overflow

Posted on by
Reply

Several OpenOffice vulnerabilities have been released over the weekend. In total, four advisories have been released detailing various types of overflows in the software. These could be exploited in various ways, all resulting in complete system compromise. Version 2.3 and below are vulnerable, and OpenOffice has released version 2.4, which addresses these vulnerabilities.

April Virtual Event – Evangelizing Security to Upper Management

Posted on by
Reply

Abstract:

This presentation will explain several techniques that have successfully been used to help upper management understand the information security initiative in several organizations. Overall strategies and specific tactics for gaining upper management support will be identified. The audience can use these techniques to gain, maintain and ensure rapport with upper management, establish and reinforce the value of the security team and to demonstrate the value of including the security team in business operational decisions and planning.

This virtual event will be held Wednesday, April 30th 2008 at 4pm Eastern time. You can get access to a PDF of the slides and the phone number and passcode for the audio portion by sending an RSVP email to info@microsolved.com.

For those unable to attend, the slides and an MP3 of the audio portion will be made available following the presentation.

Intel Centrino Wireless Exploit

Posted on by
Reply

A popular attack framework has released an exploit that takes advantage of a vulnerability within older Intel Centrino wireless drivers. Specifically the Intel 2200BG has this issue. The vulnerability exists with the w22n51.sys driver which has a buffer overflow. It would be a very good idea to make sure you are running the latest wireless drivers if you’re using an Intel Centrino based laptop, as the exploit will infect every machine vulnerable within the vicinity at the kernel level.

Cisco Network Admission Control Appliance Vulnerability

Posted on by
Reply

The Cisco Network Admission Control Appliance (NAC) contains a vulnerability that allows the shared secret used by the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM) to be captured. This can then be leveraged to gain control over the CAS.

The following versions of NAC are known to be vulnerable:
 All 3.5.x versions
 All 3.6.x versions prior to 3.6.4.4
 All 4.0.x versions prior to 4.0.6
 All 4.1.x versions prior to 4.1.2

For full details see Cisco’s original advisory at: http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml

CA Products ActiveX Control Vulnerabilities

Posted on by
Reply

The ActiveX control gui_cm_ctrls.ocx in a number of CA products contains vulnerabilities caused by improper input validation. Successful exploits can lead to arbitrary code execution and could lead to full compromise of an affected system.

BrightStor ARCServe Backup for Laptops and Desktops r11.5 (Server only, client is not affected).
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)

For full details see the original advisory at: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=174256

MSI Launches New Threat Modeling Offering & Process

Posted on by
Reply

Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.

Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.

Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!

Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.

Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!

We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:

Threat Modeling Slides

Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.

Critical Oracle Vulnerabilities

Posted on by
Reply

Multiple vulnerabilities have been reported in the Oracle products listed below. The packages SDO_GEOM, SDO_IDX, and SDO_UTIL do not properly sanitize input, this can allow the injection of arbitrary SQL code. Additionally there are issues with the DBMS_STATS_INTERNAL package. These issues could allow an attacker to gain DBA privileges. There are additional issues that remain unspecified. See Oracle’s original advisory at: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

* Oracle Database 11g, version 11.1.0.6
* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle Collaboration Suite 10g, version 10.1.2
* Oracle E-Business Suite Release 12, version 12.0.4
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09
* Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0
* Oracle Siebel SimBuilder versions 7.8.2, 7.8.5