Friday, December 18, 2009

MasterCard SDP Program Changes

MasterCard announced new SDP Program changes to drive consistency and quality of Merchant QSA Training in the December 15, 2009 Global Security Bulletin. Tha main change is the fact that from 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.
For a more detailed information, please refer to http://www.mastercard.com/us/sdp/merchants/merchant_levels.html

Sunday, December 13, 2009

Backtrack Applications for Your Ubuntu

This post is for those among us who use Ubuntu as they main operating system and would like to install their favourite forensic and/or information security tools.
First step is to create a .list file for the Backtrack repository:
sudo echo http://deb repo.offensive-security.com/dist/bt4 binary/ > /etc/apt/sources.list.d/backtrack.list
Then, we need to download and import the GPG key
wget http://repo.offensive-security.com/dist/bt4/binary/public-key && sudo apt-key add public-key
Finally, update the sources:
sudo apt-get update
Just keep in mind Backtrack is Backtrack and Ubuntu is Ubuntu. Don't try to make Backtrack out of Ubuntu.

Monday, December 7, 2009

SHODAN - Computer Search Engine

SHODAN is a search engine that allows you to find servers/routers/etc. It scans the Internet and indexes the headers that come back. What this means is that instead of finding an exploit that works on a target system, you can grab any exploit then find a system vulnerable to it

To demonstrate, let us find an FTP server in China with anonymous access. To do that, I typed FTP port:21 country:CN. In response, SHODAN gives a list of systems matching the criteria:



Running an FTP command with a IP address from the list confirms that the server exists:



Please remember that it is illegal (in most countries) to scan and/or fingerprint a system without proper authorisation from the owner. Considering SHODAN capabilities, one should consider a question of ethical aspects of the "cloud hacking".

URL: http://shodan.surtri.com/

Friday, December 4, 2009

PCI SSC "Ask the Council" Webminar

This session will offer a brief update on PCI SSC initiatives, followed by a live Q&A session with opportunities to address Bob Russo, PCI SSC General Manager, and other members of the PCI SSC team. The updates will cover:
  • Community Meeting outcomes
  • Next steps in the lifecycle process
  • Recently published Council resources
Questions many also be submitted in advance through the online registration tool.

To register for the Tuesday, December 8, 2009 session, please use the following link:
http://register.webcastgroup.com/l3/?wid=0801208094997
To register for the Wednesday, December 9, 2009 session, please use the following link: http://register.webcastgroup.com/l3/?wid=0801209094998

The webinars will be recorded and available for download on the Participating Organization’s area of the Council’s Web site for those Participating Organizations who cannot attend any of the sessions.

For more information, please refer to https://www.pcisecuritystandards.org/pdfs/pr_091130_open_mic.pdf

Friday, November 20, 2009

OWASP Top 10 -2010 RC



Open Web Application Security Project (OWASP), an open-source application security project, has published a release candidate version of the OWASP Top 10 Project for comments and feedback. You can download it from http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf.
It was always perceived that OWASP Top 10 is about 10 most common weaknesses in web applications; this release makes it clear that OWASP Top 10 Project is about Top 10 risks. As a result, OWASP reshuffled the order of the items on the list since now it is based on the estimate risk, instead the frequency of the associated weakness.
In addition, there are two new items:
  • ADDED: A6 –Security Misconfiguration
  • ADDED: A8 –Unvalidated Redirects and Forwards
  • REMOVED: A3 –Malicious File Execution
  • REMOVED: A6 –Information Leakage and Improper Error Handling.
Please review and contribute your thought and comments.

Tuesday, November 10, 2009

Ubuntu 9.10 Is Out!


Ubuntu 9.10 (nicked named Karmic Kuala) is out and it has number of security improvements (over the previous version) that I would like to highlight:
  • AppArmor - AppArmor was introduced earlier that Karmic Kuala; In this release, it features an improved parser that uses cache files, greatly speeding up initialisation on boot making it less likely to be switched off by users, and a bunch of additional profiles.
  • Uncomplicated Firewall - Another "not new" feature which now supports filtering by interface and egress filtering.
  • Non-eXecutable Emulation - Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), can help block many exploits an attacker might run from stack or heap memory. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation.
  • Blocking Module Loading - To block the loading of any further modules after boot, the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists to add another layer of protections against attackers loading kernel rootkits.
  • Position-Independent Executables - All programs built as Position Independent Executables (PIE) with "-fPIE -pie" (gcc -pie -fPIE) can take advantage of the exec Address Space Layout Randomisation(ASLR). This protects against "return-to-text" and generally frustrates memory corruption attacks.
A full list of Ubuntu security features can be found at https://wiki.ubuntu.com/Security/Features.

Tuesday, October 20, 2009

Information Disclosure at it Best!


Wanted to share this example of OWASP Top 10 2007-Information Leakage and Improper Error Handling vulnerability. Considering the amount of resources available (OWASP Top 10, SANS 25, etc) freely on the Internet, I am quite surprised to see those appear as often as they are.

Tuesday, September 29, 2009

New Microsoft Security Essentials

Microsoft has announced the launch of the free anti-malware Security Essentials. It uses the Dynamic Signature Service, a Microsoft technology that ensures users are protected by the most current virus definitions available without having to wait for the next scheduled download. In addition, it is designed to run quietly in the background and limits CPU and memory usage. Unfortunatly, it is a still in beta and available to customers in the United States, Israel, China and Brazil only.
Although I think that the age of the "Signature Based" security is over and the furure lays with concepts such as profiling (AppArmor), labeling (SELinux and Solaris Trusted Extensions) and Mandatory Access Control, that is a still welcomed edition to the information security domain.

Thursday, September 17, 2009

Security Development Lifecycle Tools from Microsoft

Microsoft has released two additional tools to supplement secure development life cycle (SDLC) tools portfolio which includes well known AntiXSS, FxCop and Cat.NET.
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to verify that required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.
Both tools (and others) are available to download for free from the Microsoft Security Development Life cycle Tools Repository.

Tuesday, September 15, 2009

How we protect you... Yeah, how?


Seriously, I don't get it. It is 2009, the network firewalls have been here fore more that twenty years and people (information security professionals, no more no less!) still make those amateur assumptions that they will solve all their security problems.
I've been reading HSBC's "Security guarantee" on their website (http://www.offshore.hsbc.com/1/2/international/internet-banking/how-we-protect-you) which states that they use the most advanced security systems and software to protect customer accounts including:
  • Combination of user name and password
  • Encryption (that would be https)
  • Network firewalls
  • SSL certificate (that still would be https)
Now that is secure, is not it? Well, no… Since application has access to the database, a skilled hacker would use encryption to bypass network firewalls (since firewall can not inspect the encrypted traffic) and user name/password fields could be used perform phishing, Cross Site Scripting (XSS) and SQL injections (diagram above).
In a year 2009, application security should be on the CISO agenda and network firewalls should be left to network administrators. Web applications should be protected by Web Application Firewalls (WAF), by constantly reviewing the source code to detect vulnerabilities and by training software architects and developers.

Tuesday, September 8, 2009

Flash Cookies - Yammy!

For some reason, everybody talks about flash cookies! But those are not much different to a traditional browser cookies we all know and love (to hate). The differences are that they are not controlled through a standard "privacy" setting of Internet browsers and they are less known (sadly, even to a Information Security specialists).
So where do you find those nasties and what to do about them?
To find these flash cookies all you have to do is to look for .sol extension in the following directories:
  • Windows: Within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.
  • Mac OS X: ~/Library/Preferences/Macromedia/FlashPlayer.
  • GNU-Linux: ~/.macromedia
There are number of alternatives to treat the problem:
  • Browser extensions (I know of Better Privacy extension for Firefox)
  • Schedule a task (using Task Scheduler for Windows or Cron job on Unix/Linux) to remove .sol files
  • Set access control permission on the relevant directory to be read only
And there is legal twist to this story as well. Apparently, usage of Flash cookies is illegal in UK according to Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003.: "Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
* is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
* is given the opportunity to refuse the storage of, or access to, that information."

Thursday, September 3, 2009

AntiXSS v3.0

For years, (security aware) software developers were using OWASP ESAPI (Enterprise Security API) as a security framework to validate input/output to prevent Cross Site Scripting (XSS). Although it supports Java, Python, PHP and .NET among the others, only Java toolkit is mature enough to be used by the enterprises in production environment.
Now .NET users have Microsoft Anti-Cross Site Scripting Library to help protect applications from XSS attacks. In addition, enterprises may find Security Runtime Engine very useful since it has the ability to protect legacy applications from XSS attacks without having to change too much code.

Monday, August 17, 2009

Malicious Facebook application

.
Facebook had it share of a limelight (http://www.scmagazineuk.com/Warnings-made-over-malicious-Facebook-application/article/146596/) following bad publicity that hit Twitter previously. The way I see it, Facebook developers can try to develop a more secure application that will make attacks such as those more difficult, but unless people change their attitude towards their own private information nothing will stop hackers from obtaining it and using it for their own benefit.
As an organisation that owns the data, you can deploy smart perimeter security devices (Web Application Firewalls, Intrusion Prevention Systems, Network Access Control, Content Inspection, etc.), anti-malware software on your servers, perform rigorous patching and even use behaviour inspection databases. But, unless you address the core of the problem, which is lack of security awareness, and educate users (be those internal employees, software developers or the actual consumers of your services) those will have only a limited impact on the level of the security.
Now, the real questions is whose responsibility is it, anyway? As a Facebook user myself, I would expect Facebook to tell me right from wrong...

Saturday, August 15, 2009

Whose Responsibility is it Anyway?

Yesterday, SC Magazine published an article about PCI DSS compliance responsibility (http://www.scmagazineuk.com/Whose-responsibility-for-compliance-is-it-anyway/article/146476/) which I found very amusing. Why? Well, how come when you give something that is dear to you, you don't consider whom you give it to?
From a user prospective, if you don't think twice before you give away your private information, you have no one to blame but yourself. As a merchant or a service provider, you need to make sure that information that was given to you by the end user stays secure throughout data lifecycle and if you share it, it has to be someone who can provide at least the same level of security as you do.
PCI DSS requirement 12.8 is there to enforce that. Right now, merchant and/or service provider is not required to use only PCI DSS certified service providers but it is their responsibility to maintain a register of all third parties that have access to cardholder data, to have a proper contract in place (which includes acknowledgement by the third party of their responsibility for securing cardholder data) and review the associated risk regularly.

Wednesday, August 5, 2009

IBM has announced the acquisition of Ounce Labs

IBM has announced the acquisition of Ounce Labs, a provider of enterprise source code security testing (http://www.scmagazineuk.com/IBM-announces-acquisition-of-Ounce-Labs/article/140881/).
Earlier (I think last year), they acquired AppScan and now Ounce Lab; although both provide slightly different capabilities (source code security vs. web application vulnerability) it seems that IBM wants either to eliminate the competition or to have a single leading product in application security space. Would be interesting to see how it plays out...