Archives for October 2010

TaoSecurity: What Do You Investigate First?

Richard Bejtlich offers the obvious, but usually difficult to implement answer to the following question:

Let’s say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

Bejtlich offers two answers which generally converge into one: focus on assets, i.e. the most critical assets in your organization.

Ideally, the log, flow, event collection and analysis system you are using has the ability to discover all network-attached assets and then enable you to group them into IT/Business Services. Then you can prioritize your focus based on the criticality of each IT/Business Service. An example of such a system is AccelOps.
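The prioritization idea above in working form, as an added example that is not from the TaoSecurity post or from any product mentioned here: each host is mapped to the IT/Business service it belongs to, each service carries a criticality weight, and the backlog of suspicious events is ordered so the analyst with limited time sees the worst-placed event first. The asset inventory, criticality weights, event severities and events are all constructed sample data.

```python
"""Rank suspicious events by the criticality of the affected business service.

Constructed sample data throughout; hosts on no known service get a middle
weight so they are neither buried nor ranked above the known crown jewels.
"""
from dataclasses import dataclass

# Constructed asset inventory: host -> IT/Business service it belongs to.
ASSET_TO_SERVICE = {
    "10.0.1.10": "payments-db",
    "10.0.1.11": "payments-web",
    "10.0.5.20": "dev-sandbox",
    "10.0.9.42": "workstation",
}

# Constructed criticality per service (higher = more critical).
SERVICE_CRITICALITY = {
    "payments-db": 10,
    "payments-web": 8,
    "workstation": 3,
    "dev-sandbox": 1,
}
UNKNOWN_SERVICE_WEIGHT = 5  # an unmapped host is itself a finding worth a look

# Constructed severity per detection type, as a flow/log analytics system might emit.
EVENT_SEVERITY = {
    "lateral-smb-logon": 6,
    "dns-beaconing": 5,
    "port-scan": 2,
}


@dataclass
class Event:
    host: str   # asset the detection fired on
    kind: str   # detection type, keyed into EVENT_SEVERITY


def service_for(host):
    """Resolve a host to its business service, or 'unknown' if not inventoried."""
    return ASSET_TO_SERVICE.get(host, "unknown")


def score(event):
    """Priority = detection severity x criticality of the service the host belongs to."""
    criticality = SERVICE_CRITICALITY.get(service_for(event.host), UNKNOWN_SERVICE_WEIGHT)
    severity = EVENT_SEVERITY.get(event.kind, 1)
    return severity * criticality


def prioritize(events):
    """Return (service, score, event) triples, highest priority first (ties broken by host)."""
    return sorted(
        ((service_for(e.host), score(e), e) for e in events),
        key=lambda t: (-t[1], t[2].host),
    )


# Constructed backlog of suspicious activity to triage.
SAMPLE_EVENTS = [
    Event("10.0.5.20", "lateral-smb-logon"),  # sandbox: noisy but low-value
    Event("10.0.1.10", "port-scan"),          # payments database: low severity, top asset
    Event("10.0.9.42", "dns-beaconing"),      # a workstation beaconing
    Event("192.168.7.7", "dns-beaconing"),    # host nobody inventoried
]

if __name__ == "__main__":
    for service, priority, event in prioritize(SAMPLE_EVENTS):
        print(f"{priority:3d}  {service:<12} {event.host:<12} {event.kind}")
```

The ordering is deliberate: a low-severity scan against the payments database outranks a higher-severity lateral logon in a sandbox, which is the "focus on assets" answer the post gives.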

Force-TLS does not force TLS

Robert Graham from Errata Security tested Force-TLS and found that it does not protect against Firesheep.

First of all, the plug-in “Force-TLS” does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I’m not sure what Force-TLS does, but it doesn’t force a connection to be TLS/SSL. I configured *.twitter.com (the domain and all subdomains), and the URL “http://twitter.com” still appeared in the address bar.

In addition, Firesheep’s ability to successfully sniff traffic depends on your network adapter.

FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).

Rob provides extensive details and screenshots on his test methods.

hackademix.net » Forcing HTTPS with NoScript

It looks like those of you already using the NoScript Firefox add-on do not need another add-on to enable/force SSL when it’s available.

Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and still may expect a tiny few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added in NoScript’s “force HTTPS” list right now.

Security alert: New Trojan Horse apps said to attack the Mac

Some security mavens have long theorized that as the Mac becomes more popular, we’d start to see malware that would start targeting the platform. Sure enough, this morning’s crop of email blasts from PR firms included a few notices of trojans that are affecting Mac users.

Two Mac-oriented security companies, SecureMac and Intego, are reporting attacks targeting Mac users. Both reports seem to be legitimate.

Easy fix for Firesheep creates a problem for enterprises

Using SSL encryption to connect to social networks like Facebook and Twitter mitigates the risk of your credentials being stolen when you are using public WiFi networks to connect to the Internet. But it creates a problem for enterprises attempting to control the use of social networking because most firewalls and Intrusion Prevention Systems are blind to SSL traffic.

The recent publication of Firesheep, and the subsequent download of over 104,000 copies of the Firefox plug-in in the last 24 hours, highlights this well understood security flaw in the way social networking sites communicate with their users. Firesheep sniffs the WiFi network traffic to capture your user name and the established session ID for any of 26 sites including Facebook, Twitter, Amazon, and the NYTimes. This allows the Firesheep user to access any of these sites as you!! This not only will reveal your personal information to the Firesheep user, but allow him/her to impersonate you.

This article, Firefox Add-on Firesheep Brings Hacking to the Masses, provides a very good detailed explanation of how Firesheep works. The article also describes several readily available tools which enable or force the use of SSL for all traffic to sites that accept SSL. In other words, rather than just encrypting the exchange of identification and password credentials, all traffic is encrypted.

There is no doubt that using SSL is a good privacy protection control. However, SSL encrypted sessions will make it more difficult for enterprises to control the use of social networking because most firewalls and IPSs are not capable of decrypting SSL traffic. In other words, most firewalls and IPSs are blind to SSL traffic. An exception is Palo Alto Networks, the industry leading Next Generation Firewall.
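The Force-TLS test above and the Firesheep description in this post point at the same server-side gap: a browser add-on can rewrite URLs, but a session cookie that is not marked Secure is still attached to any plain http:// request (a stray link or embedded image is enough), and without an HSTS policy the browser will happily make that request before any redirect. The following added example, not from any of the posts or from the Force-TLS/NoScript projects, audits a site's HTTPS response headers for those two settings so a site operator can check their own exposure; the two responses are constructed sample data, and the cookie-name heuristic for "looks like a session cookie" is an assumption of this example.

```python
"""Audit an HTTPS response for the server-side settings that decide whether
its session can be captured off a plaintext hop: the cookie Secure attribute
(RFC 6265) and a Strict-Transport-Security policy (RFC 6797).

Sample responses are constructed; no real site is represented.
"""
import re

# Assumed heuristic: cookie names that usually carry a session/auth token.
SESSION_NAME_HINT = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


def parse_headers(raw):
    """Split a raw HTTP/1.1 header block into (name, value) pairs, names lower-cased."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attrs(set_cookie):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # flag attributes like Secure have no '='
        attrs[key.lower()] = value
    return name, attrs


def audit(raw):
    """List the gaps that leave a session sniffable on a plaintext request."""
    findings = []
    headers = parse_headers(raw)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security: a plain http:// link to this host "
                        "is fetched before any redirect to https://")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attrs(value)
        if not SESSION_NAME_HINT.search(cookie):
            continue  # preference cookies are not the sidejacking target
        if "secure" not in attrs:
            findings.append(f"session cookie {cookie} lacks Secure: "
                            "sent on any http:// request, capturable on the wire")
    return findings


# Constructed weak response: session cookie without Secure, no HSTS.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: _session_id=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
Content-Type: text/html
"""

# Constructed hardened response: same site with both settings in place.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: _session_id=abc123; Path=/; Secure; HttpOnly
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or ["no findings"])
```

Run against a site's own responses, the weak case reports both gaps and the hardened case reports none; either fix removes the plaintext exposure regardless of which add-on, if any, the visitor has installed.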

Burning question: How can VM sprawl be prevented?

VM sprawl, or virtual machine sprawl, is just what it sounds like: too many VMs sprawled across a virtual infrastructure, taking up processing power and storage space even if they are rarely used. Since spinning up a new VM can be done in a matter of minutes, users come to expect a new machine, on-demand, whenever they want it.

The issue is not necessarily to prevent VM sprawl, assuming all these VMs are serving valid business purposes. The issue is managing them and providing security. We recommend the following solutions:

  • Management – AccelOps automatically discovers new VM instances and new VMware hosts. It then continues to monitor availability and performance and collect the appropriate logs and flows they generate.
  • Network and Server Security – Altor Networks provides a VMsafe-certified firewall/IPS which is embedded in the VMware hypervisor. It protects the hypervisor itself, controls and protects all communication into and out of the associated VMs, and monitors the services running in each VM.
  • Database Security – Specifically for virtualized database servers, we recommend Sentrigo. It runs in the database VM to (1) protect the database from targeted database attacks like SQL Injection and (2) provide complete user access monitoring and control, including activity generated by privileged users, stored procedures and triggers.

Facebook Insecurity as a Microcosm of All The World’s Security Problems

Gartner’s John Pescatore weighs in on the latest chapter in the ongoing Facebook privacy controversy.

Basically, what you see is Facebook taking several steps to protect its customers – advertisers. If they were trying to protect Facebook users, they would have taken very different steps. Because what you don’t see is any real attention to actually addressing the real vulnerabilities.

So, the key takeaway: make sure that you are the actual customer when you trust your data or your customers’ data to a social network or cloud service provider, or any other 3rd party for that matter. A cloud provider can claim they are better at running a data center than you are, but if they are focusing on protecting their advertising revenue, not your data, that claim is meaningless.

The Social-Engineer Toolkit (SET) – Computer Based Social Engineering Tools | Darknet – The Darkside

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester’s arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Here is a list of the attack vectors SET provides:

  • Spear-Phishing Attack Vector
  • Java Applet Attack Vector
  • Metasploit Browser Exploit Method
  • Credential Harvester Attack Method
  • Tabnabbing Attack Method
  • Man Left in the Middle Attack Method
  • Web Jacking Attack Method
  • Multi-Attack Web Vector
  • Infectious Media Generator
  • Teensy USB HID Attack Vector
SpyEye v. ZeuS Rivalry Ends in Quiet Merger — Krebs on Security

Brian Krebs today is providing an update on banking Trojan activity. While ZeuS has been in the public eye, another banking Trojan, SpyEye, seems to be ascending.

In the last several years, it is estimated that the ZeuS Trojan enabled the theft of more than $70 million from nearly 400 organizations.

Facebook Advertisers Can Glean Private Data – NYTimes.com

Privacy vulnerabilities continue to be revealed on social networking sites like Facebook and MySpace, reports the NYTimes. The Times describes two research papers which discuss how unethical advertisers can game social networks to determine people’s private profile information, like sexual orientation.

Facebook counters that it has tools in place to prevent unethical advertiser behavior. However, Facebook realizes it needs to do more. In fact, Facebook announced that it is proposing encrypting user IDs as a way to prevent the sharing of IDs with data brokers. But Facebook admits this will only “address the inadvertent sharing of this information on Facebook.”

Mashable weighs in with the obvious question: “Frankly, we think that encrypting the UID parameters within an iFrame is a good idea and a good first step towards accountability. Our big question is: Why is this only happening now?”

If you are looking for a clearer technical explanation of what the fuss is all about and the limited step Facebook is proposing, read Ars Technica’s Facebook touts encryption as solution to security flaw.