Archive for the ‘Vectors’ Category

This week in Infosec - 2008-08-25

Monday, August 25th, 2008

A weekly snapshot of what’s been talked about in the IT Security realm over the past week.

Attacks

Adobe Flash ads launching clipboard hijack attack - From the ZDNet Zero Day blog:

Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.

We’ve all got Flash.  Keep it patched, though I haven’t yet heard if there is a patch available for this attack vector.

Bypassing .NET’s ValidateRequest security feature

The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting).

This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.

We have a lot of .NET here, and my team is studying this paper.

Breaking News
From the Scottish Sunday Herald, “Revealed: 8 million victims in the world’s biggest cyber heist”

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

This raises (again) some important issues for the IT and corporate space.  How much data should you keep about your clients, and for how long?

No matter how good your defense-in-depth, someone will get through.  What will you allow them to find?

I’ll blog more on this later.

Older News
Students from MIT that were going to do a talk at DefCon were stopped by a court order.

Their research showed how to subvert the Massachusetts Bay Transit Authority payment card system.

As a part of court filings, their full research was included.  Court documents are public domain, so MBTA essentially released what they were trying to hide.

On the 19th, a judge lifted the restraining order, so the students are free to talk.

Will be interesting to see what happens.

I think this is the second time in the past few months where ‘private’ information was included in court filings and hence into the public domain.

Tools

Grendel-Scan - released at DefCon, this is a sophisticated, automated, Open Source web application penetration testing tool.

It appears to rival commercial tools.

I’ll be playing with this soon, I hope.

Countermeasures

Reduce attack surface!
Why allow access to anything by anyone who doesn’t absolutely need it?

Cyber Warfare
Some discussions resulting from the attacks on Georgian IT infrastructure by Russian hackers during the past few weeks.

Conclusion seems to be: we don’t have a real definition of what cyber war is, so it isn’t really warfare.

In my mind, true cyber warfare is using attacks against IT infrastructure as a force multiplier, or as a means of applying coercive pressure to an enemy of the state.

I do not think that the attackers have to be state sponsored.

Some would debate whether or not a DDOS is an act of warfare.  I say it is if it is intended to apply coercive pressure to an enemy of the state.

A DDOS against a critical communications network, or safety critical control system would certainly qualify.  A DDOS against a n00b’s website, perhaps not.

On the Horizon

With elections right around the corner, I’m sure we will see the debate over electronic voting heat up.

Bill

This week in Infosec - 2008-08-18

Monday, August 18th, 2008

Black Hat/Defcon Coverage

Lots of analysis of the Black Hat presentation by Mark Dowd of IBM’s ISS and Alexander Sotirov of VMware about circumventing Vista security.

Essentially, they discovered a way to completely subvert most of Vista’s built-in low-level security systems.

Let’s hope Microsoft gets it right in their next OS…

Note that there are some people saying it isn’t a big deal.  Time will tell.

Here’s the summary from speaker’s list of Black Hat USA 2008:

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

More coverage:

Attack Trends

I keep up to date on the NIST’s National Vulnerability Database, updates to the milw0rm exploit database, and many others.

Though I don’t read all the alerts in detail (there are usually about 40 per day), I do try to scan enough to get an idea of what’s being disclosed.

The bulk seem to be SQL Injection Vulnerabilities or Cross Site Scripting (XSS).

These attacks can be very potent.

SQL injection can lead to information disclosure, unauthorized data modification, and data loss.

SQL injection attacks run through the browser and web server directly to the database.

XSS involves, generally, inserting script into URLs or user input form fields that, when viewed by others, causes the script to run.  The scripts can run in the context of the user’s browser security zone, and have access to all cookies and whatnot.

Both types of attacks are difficult to deal with using “security tools.”  Most host-based intrusion detection systems (antivirus, anti-spyware, etc.) are useless.

In both cases, application modifications need to be made.  Additionally, layer 7 firewalls can be employed to try to prevent these types of attacks.

From a defense-in-depth perspective, both approaches should be employed.
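The application-side fixes the post calls for, as an added example that is not from the original post: a lookup that pastes user input into the SQL text beside a parameterized one, and HTML encoding of untrusted data before it reaches the page. The in-memory users table and the names in it are constructed sample data.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the input becomes part of the SQL text, so the
    # database parses it as SQL. An ordinary name with an apostrophe already
    # breaks the statement; that is the same root cause SQL injection abuses.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened pattern: the SQL text is fixed and the input is bound as data,
    # so quotes or keywords in it can never change the query's meaning.
    sql = "SELECT email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    # Hardened output: HTML-encode untrusted data before placing it in a page,
    # so any markup in it is shown as text instead of being run by the browser.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    # Runs both lookups on the same awkward-but-legitimate name and encodes
    # a name containing markup; returns the results for inspection.
    conn = make_db()
    results = {}
    try:
        results["concat"] = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["concat"] = "error: " + str(exc)
    results["param"] = lookup_param(conn, "O'Brien")
    results["greeting"] = render_greeting("<b>O'Brien</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```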

On another front, attacks against social networking sites continue.

As more and more private data gets into these online resources, they become a more attractive target for attackers.

New Attack Vectors

Kris Kaspersky of Kaspersky Labs has uncovered flaws in Intel processors that allow remote attackers to execute arbitrary code on any computer that uses the flawed processor.

Man, that’s crazy stuff…

I wrote a blog post about it, “Why agro the OS when you can pwn the hardware?”

Bill

Why agro the OS when you can pwn the hardware?

Friday, August 15th, 2008

While most of the vulnerability alerts I see are XSS and SQL injection, there are some really nasty low level attacks coming out.

I’ve posted about Blue Pill and subverting virtual infrastructures.

Kris Kaspersky of Kaspersky Labs has uncovered flaws in certain Intel chips that can allow remote attackers to execute arbitrary instructions. (Read: Remote code execution through Intel CPU bugs)

Now, let’s think about this a sec.  The flaw is in the CPU, not the OS.

It doesn’t matter what OS, how hardened it is, or nuthin’.

If you can get your attack instructions to the CPU, the processor will happily run them.

Pwnage at the lowest level.

Intel has reportedly fixed the remotely exploitable bugs (it will not fix the non-remotely exploitable bugs):
Researcher: Intel fixed two critical flaws in its chips
Intel proactively fixes security flaws in its chips

But what does a processor patch look like?  Can you say firmware update?

That’s my speculation.

How many people are going to run out and patch their CPU firmware?

I don’t think there is an “automatic update” for my CPU… lol.

In any event, it will be interesting to watch this story.

Bill