This week in Infosec - 2008-08-25
A weekly snapshot of what’s been talked about in the IT Security realm over the past week.
Attacks
Adobe Flash ads launching clipboard hijack attack - From the ZDNet Zero Day blog:
Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.
In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.
According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.
We’ve all got Flash. Keep it patched, though I haven’ t yet heard if there is a patch available for this attack vector.
Bypassing .NET’s ValidateRequest security feature
The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting).
This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.
We have a lot of .NET here, and my team is studying this paper.
Breaking News
From the Scottish Sunday Herald, “Revealed: 8 million victims in the world’s biggest cyber heist”
EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
By Iain S BruceAN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.
A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.
Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.
This raises (again) some important issues for the IT and corporate space. How much data should you keep about your clients, and for how long?
Now matter how good your defense-in-depth, someone will get through. What will you allow them to find?
I’ll blog more on this later.
Older News
Students from MIT that were going to do a talk at DefCon were stopped by a court order.
Their research showed how to subvert the Massachusetts Bay Transit Authority payment card system.
As a part of court filings, their full research was included. Court documents are public domain, so, MBTA essentially released what they were trying to hide.
On the 19th, a judge lifted the restraining order, so the students are free to talk.
Will be interesting to see what happens.
I think this is the second time in the past few months where ‘private’ information was included in court filings and hence into the public domain.
Tools
Grendel-Scan - released at DefCon, this is a sophisticated, automated, Open Source web application penetration testing tool.
It appears to rival commercial tools.
I’ll be playing with this soon, I hope.
Countermeasures
Reduce attack surface!
Why allow access to anything by anyone who doesn’t absolutely need it.
Cyber Warfare
Some discussions resulting from the attacks of Georgian IT infrastructure by Russian hackers during the past few weeks.
Conclusion seems to be: we don’t have a real definition of what cyber war is, so it isn’t really warfare.
In my mind, true cyber warfare is using attacks against IT infrastructure as a force multiplier, or as a means of applying coercive pressure to an enemy of the state.
I do not think that the attackers have to be state sponsored.
Some would debate whether or not a DDOS is an act of warfare. I say it is if it is intended to achieve: apply a coercive pressure to an enemy of the state.
A DDOS against a critical communications network, or safety critical control system would certainly qualify. A DDOS against a n00b’s website, perhaps not.
On the Horizon
With elections right around the corner, I’m sure we will see the debate over electronic voting heat up.
Bill