Archive for March, 2009

Check out Cisco’s Free Weekly Risk Report

Monday, March 23rd, 2009

Every week Cisco’s IntelliShield group posts a free overview of what’s happening in the security world. The reports give a high-level summary of these areas:
*Vulnerability
*Physical
*Legal
*Trust
*Identity
*Human
*Geopolitical
*Miscellaneous
*Upcoming Security Activity

I find the geopolitical information very interesting, mostly because it is hard to find it elsewhere.

The risk reports are also available as podcast downloads or via RSS feed.

Take a look at their archive of Risk Reports here


Session IDs and Anonymous Surveys

Monday, March 23rd, 2009

My company is using a consulting firm to run a survey on employee engagement. The survey is supposedly anonymous and only aggregate data is viewed.

When I went to take the survey, I noticed that the URL was https://www.%externalvender%.com/Base/Custom/%company%/survey.asp?Survey=42&UserSessionid=23419&l=1

Being a security professional, I opened another window and started decrementing the UserSessionID in the URL. Sure enough, I began seeing other employees’ responses. Even in an anonymous survey this should not happen. Users are prompted to supply their division, location, age (optional), length of tenure (optional) and ethnicity (optional). If the optionals are supplied it shouldn’t be hard to figure out who filled in the responses. Users shouldn’t be able to see other users’ responses.

The URL is HTTPS so I figured it wasn’t a caching issue on our end, but just to be sure I reproduced the results from an external computer.

So what lessons can be learned here? First, don’t use a predictable session ID (in this case it was sequential). I’m not a web security guy, but I’m thinking a cookie could also be used to prevent this session browsing.

Update: This problem was reported to the vendor when I discovered it. They found that it was caused by a recent update. They removed the update.
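To make the “don’t use a predictable session ID” lesson concrete, here is an added Python example (not code from the post or from the vendor’s ASP application) showing the sequential-integer lookup beside a version keyed by a random token; the response records and the 2341x ids are constructed for illustration.

```python
import hashlib
import secrets

# Constructed records standing in for the vendor's survey database.
# Weak design from the post: the only key is a sequential integer.
WEAK_RESPONSES = {
    23418: {"division": "Sales", "tenure": "10+ years"},
    23419: {"division": "IT", "tenure": "3-5 years"},
}

def weak_lookup(user_session_id: int):
    """Any integer is accepted; decrementing it walks through other respondents."""
    return WEAK_RESPONSES.get(user_session_id)

# Hardened design: a random, unguessable token is the only handle to a record.
# The server keeps just a hash of the token, so a copy of the table does not
# yield working handles either. In a real deployment the token would travel in
# an HttpOnly cookie rather than in the URL, so it is not logged or bookmarked.
_sessions = {}  # sha256(token) -> response record

def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def new_session() -> str:
    """Issue a token with 256 bits of entropy (43 URL-safe characters)."""
    token = secrets.token_urlsafe(32)
    _sessions[_key(token)] = {"answers": None}
    return token

def save_answers(token: str, answers: dict) -> None:
    """Only the holder of an issued token may write to its record."""
    record = _sessions.get(_key(token))
    if record is None:
        raise PermissionError("unknown or expired session")
    record["answers"] = answers

def hardened_lookup(token: str):
    """Returns answers only for the exact token; there are no 'neighbouring' ids."""
    record = _sessions.get(_key(token))
    return None if record is None else record["answers"]
```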

Solving the hacking problem

Monday, March 23rd, 2009

To avoid hacking and malicious alteration of the application, software companies are turning to new anti-tamper solutions that will protect the entire application, as well as maintain code integrity.



Database encryption: Top tips for protecting your company’s most sensitive data

Monday, March 23rd, 2009

Strong security is all about reducing the attack surface available to hackers and malicious users.



Understanding the Crowd: To Catch a Thief (Part I)

Monday, March 23rd, 2009

Last week, Amrit Williams and I presented at SOURCE Conference the results of a research paper we’ve been working on and thinking about for over a decade now. It started when I did malware research at a previous company and watched the ebb and flow of malware (and the related FUD). This reminded me of watching the tide rise on a shore, or perhaps a slightly more intelligent phenomenon like the movement of a flock of birds or a school of fish. We’ve all seen flocks of birds and the sudden changes that cause a curtain-like ripple throughout the flock. I couldn’t escape the feeling that there was a pattern here among the samples that could be both modeled and predicted.



NSM on Cisco AXP?

Sunday, March 22nd, 2009

Last year I wrote Run Apps on Cisco ISR Routers. That was two weeks after our April Fool’s joke that the Sguil Project Was Acquired by Cisco.

I am wondering if any TaoSecurity Blog readers are using Cisco AXP in production? Looking at the data sheet for the modules, they appear too underpowered for NSM applications, especially at the price point Cisco is advertising.


Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

Case study: State of defense

Friday, March 20th, 2009

The Commonwealth of Pennsylvania found a way to guard data housed on its online infrastructure, reports Greg Masters.



Thunderbird Updated

Friday, March 20th, 2009

Thunderbird 2.0.0.21 is out.

The security fixes are listed here

MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

apsb09-04: Adobe Reader/Acrobat 8.14 and 7.1.1

Wednesday, March 18th, 2009

http://www.adobe.com/support/security/bulletins/apsb09-04.html

As scheduled, Adobe has released updates for Adobe Reader 8.x and 7.x.

While Adobe has taken a lot of flak for their handling of this patch, I appreciate that they gave dates for releasing the patches and held to them. It’s not like some previous Adobe patches where 7.x owners were urged to upgrade rather than wait for a patch that might never get released.

News: Browsers bashed first in hacking contest

Wednesday, March 18th, 2009

Browsers bashed first in hacking contest

Uh Oh, Exploit code targeting major Intel chip flaw to be posted 3/19/09

Tuesday, March 17th, 2009

This is the scariest, stealthiest, and most dangerous exploit I’ve seen come around since the legendary Blue Pill! No, I’m not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.


New CSS Grammar Fuzzer

Tuesday, March 17th, 2009

Mozilla’s Jesse Ruderman just blogged about a new CSS grammar fuzzer of his, to go along with the JavaScript fuzzer we announced a while ago.

Fuzzers are a tool that we’ve found incredibly valuable in the past, and continue to employ heavily. A fuzzer’s job is to make your application fail by feeding it surprising inputs. The good ones do this by knowing a part of your code well enough that they can make smart guesses about how to confuse it. This one, for instance, produces a constant stream of mostly-correct CSS rules, and watches to see whether the browser can cope with them. Because fuzzers take these random paths, they can uncover subtle bugs that are rarely encountered during “normal” testing; and Jesse is a master at building them.

When Jesse originally started talking about his JavaScript fuzzer, he gave it to other browser vendors first, and he’s done the same with this one. If you’re interested in automated security analysis tools, though, he’s now made it public, and I recommend checking it out.

Johnathan Nightingale
Human Shield
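To illustrate what “a constant stream of mostly-correct CSS rules” looks like in practice, here is an added Python example, not Jesse Ruderman’s fuzzer or any Mozilla code: a seeded grammar expander with a small mutation step. The grammar and the mutation list are constructed toys; the block only generates rules, and feeding them to a browser under a crash monitor is the harness’s job.

```python
import random
import re

# Constructed toy grammar covering a sliver of CSS rule syntax. The real fuzzer
# models far more of the language; the point here is the technique, not coverage.
GRAMMAR = {
    "rule": ["<selector> { <decls> }"],
    "selector": ["<tag>", "<tag>:<pseudo>", "<tag> > <tag>", ".<ident>",
                 "#<ident>", "<selector>, <selector>"],
    "tag": ["div", "p", "span", "a", "*"],
    "pseudo": ["hover", "first-child", "not(<tag>)", "nth-child(<int>n+<int>)"],
    "ident": ["x", "menu", "item-1"],
    "decls": ["<decl>", "<decl>; <decls>"],
    "decl": ["<prop>: <value>"],
    "prop": ["color", "width", "margin", "font-family", "background"],
    "value": ["<int>px", "<int>%", "red", "inherit", "<value> <value>",
              "url(<ident>)", "calc(<value> + <value>)"],
    "int": ["0", "1", "-1", "999999999", "2147483648"],
}
NONTERMINAL = re.compile(r"<(\w+)>")

def expand(symbol, rng, depth=0, max_depth=5):
    """Expand one grammar symbol; past max_depth pick the alternative with the
    fewest nonterminals so self-referencing rules (decls, value) terminate."""
    alts = GRAMMAR.get(symbol)
    if alts is None:                      # terminal symbol, emit as-is
        return symbol
    if depth >= max_depth:
        template = min(alts, key=lambda a: len(NONTERMINAL.findall(a)))
    else:
        template = rng.choice(alts)
    return NONTERMINAL.sub(lambda m: expand(m.group(1), rng, depth + 1, max_depth),
                           template)

# "Mostly correct": a few deliberate breakages applied to a fraction of
# otherwise valid rules, to exercise the parser's error-recovery paths.
MUTATIONS = [
    lambda s, rng: s.replace("}", "", 1),                 # unbalanced block
    lambda s, rng: s.replace(":", "::", 1),               # stray separator
    lambda s, rng: s[: rng.randrange(1, len(s))],         # truncated rule
    lambda s, rng: s.replace("px", "px" * 200, 1),        # oversized token
]

def fuzz_stream(seed, count, mutate_prob=0.1):
    """Deterministic (seeded) stream of CSS rules for a test harness."""
    rng = random.Random(seed)
    rules = []
    for _ in range(count):
        rule = expand("rule", rng)
        if rng.random() < mutate_prob:
            rule = rng.choice(MUTATIONS)(rule, rng)
        rules.append(rule)
    return rules
```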

Is Google’s New Ad Targeting Scheme Flawed, or Smart?

Tuesday, March 17th, 2009

Recently Google announced its new ad targeting scheme, which tracks and uses your search results over time to composite an idea of the content you care about. Then it dishes out ads relevant to your alleged interests, and hopes you’re more likely to click them. The Consumerist calls it “relatively benign” while Rob Pegoraro at the Washington Post calls it “more relevant, a little scarier, or both.”

It’s hard to tell at this early stage how intrusive it will be, but I don’t think it’s much to be concerned about. I think sometimes people miss the point that browsing online is never truly private. Google’s goal is to help give people ads they want, which makes you more likely to find what you need online, and helps keep web sites more likely to stay in business. In a way, a noble goal, even if it means that your data is stored and someone could be spying on it somewhere.

Personally, I just don’t think my search results are all that interesting or worth spying on…but maybe I’m just more boring than the norm. I’m also in the habit of searching for things that I want to know now but won’t necessarily care about a few days later. Am I going to start getting ads for anti-virus products, because I search and write about security? I’m curious whether the algorithm will build a list of interests you repeatedly search for, rather than haphazardly dropping everything in.

Luckily you can edit your ad preferences and see what they’ve saved about you, just by clicking here. And they’ve made it easy to opt out of the system–the Consumerist explains how.

For now I think I’ll keep my name up and just see what happens.

Caching and Product AutoUpdaters.

Tuesday, March 17th, 2009

I noticed today that Adobe Acrobat 9 Professional wasn’t able to download updates when “Help > Check for Updates” is selected from within the product. Using Wireshark, I obtained the URLs used to request updates from Adobe. Comparing the results inside my network to those outside of the network, I determined that the BlueCoat proxy on our network had an older page cached.

The cached statistics for that page claimed that it had verified with the server that it had a current copy of the file. I blew away the cached content and set swupmf.adobe.com to ‘no cache’. The Adobe Acrobat client was then able to see that updates were necessary.

The Adobe server used ETags. That should have prevented this problem.

Caching can cause issues. When it causes issues with autoupdate mechanisms, would you even notice?
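What ETag revalidation is supposed to do in this situation, as an added Python example that is not from the post and does not model BlueCoat or Adobe’s actual software: a constructed origin that answers conditional GETs, beside a cache that either revalidates with If-None-Match on every fetch or, like the proxy described above, trusts its stored copy. The manifest bodies and the URL are constructed.

```python
import hashlib

class Origin:
    """Constructed stand-in for an update-manifest server that supports ETags."""
    def __init__(self, body: bytes):
        self.publish(body)

    def publish(self, body: bytes):
        """Vendor posts a new manifest; a strong ETag is derived from the content."""
        self.body = body
        self.etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]

    def get(self, if_none_match=None):
        """Conditional GET: 304 only while the client's ETag still matches."""
        if if_none_match is not None and if_none_match == self.etag:
            return 304, self.etag, b""
        return 200, self.etag, self.body

class Cache:
    def __init__(self, origin, revalidate=True):
        self.origin = origin
        self.revalidate = revalidate  # False mimics a proxy that trusts its copy
        self.entries = {}             # url -> (etag, body)
        self.log = []

    def fetch(self, url):
        cached = self.entries.get(url)
        if cached and not self.revalidate:
            self.log.append("HIT (no revalidation)")
            return cached[1]
        # Send If-None-Match with the stored ETag; the origin decides freshness.
        status, etag, body = self.origin.get(cached[0] if cached else None)
        if status == 304:
            self.log.append("HIT (304 revalidated)")
            return cached[1]
        self.entries[url] = (etag, body)   # 200: replace the stale object
        self.log.append("MISS (200, refreshed)")
        return body
```

With the vendor publishing a new manifest between two fetches, the revalidating cache picks it up on the next request while the trusting cache keeps serving the old one, which is exactly what the Acrobat client saw.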

What Cisco’s UCS means to RSA

Tuesday, March 17th, 2009

So Cisco launched their Unified Computing System this morning. This has some big implications for EMC, and Chuck Hollis has gone into great detail on this. In a nutshell, Unified Computing System looks to create a single, virtualized architecture for the data center, managed from top to bottom by a single set of tools. Sounds cool, eh? But what does that mean for us lowly security folks?



Speaking of Security Podcast #141

Tuesday, March 17th, 2009

Click to Download/Listen (9:50)

This week’s Speaking of Security podcast features an update from Washington, DC on cyber security issues and pending legislation.



Stop Cyber Criminals From Using Your Email Against You

Monday, March 16th, 2009

Free On-Demand Webcast In an economic downturn, attacks on US businesses by Cyber criminals, malware and costly hacks are on the rise. Simple data sharing, email exchange or instant messaging can lea…

Case study: The Lance Armstrong Foundation

Monday, March 16th, 2009

The Lance Armstrong Foundation found help after its employees’ inboxes became inundated with spam.

Association of Former Information Warriors

Saturday, March 14th, 2009

In response to my TaoSecurity Blog post titled Buck Surdu and Greg Conti Ask “Is It Time for a Cyberwarfare Branch?”, I decided to create the Association of Former Information Warriors. I set up a LinkedIn Group with the following description:

The Association of Former Information Warriors is a professional networking group for those who once served as military members in information operations (IO) or warfare (IW) units. The mission of the AOFIW is to propose, promote, and debate policies and strategies to preserve, protect, and defend digital national security interests. Candidate members must be referred by current members. Those no longer in military service are candidates for full membership; those currently serving in uniform are candidates for associate membership.

In other words, to join AOFIW you need to know an existing member. This weekend I am going to try kickstarting the membership process by inviting those I personally know and trust to meet these criteria. You must be a LinkedIn user to join the group, since that is the mechanism we will use to vet and accept members.

I’ll be posting about AOFIW at the AOIFW Blog, which will offer thoughts from other AOFIW members as we grow the group.


Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. “Super Early” Las Vegas registration ends 15 Mar.

Spammers Kick Job Seekers While They Are Down

Saturday, March 14th, 2009

Yet another malicious email outbreak is soaring around the Internet. This one is specifically targeting those who are job hunting. The email messages masquerade as job offers or responses to job inquiries. The goal of the email is to social engineer the victim into clicking on a malicious attachment. Given the unemployment rate these days, the attack is enjoying a high rate of success. This particular email virus is using Coca-Cola’s™ massive worldwide brand recognition to prey on its victims.
