Thursday, July 09, 2009

MIR-ROR updated, v1.1 now available



MIR-ROR 1.1 is available on the CodePlex MIR-ROR site. This is a minor update to the MIR-ROR script including a repaired path declaration. We also removed a pause statement to improve WMI scripting with MIR-ROR.
MIR-ROR is a specialized, command-line script for incident response that makes use of the Windows Sysinternals tools, as well as some other useful tools. Further, you can easily enhance the script to your liking with whatever command line tool you require for response.


Thanks to Bryan Casper, Mike Maonde, Alex Alborzfard, Gene Morganti, Andreas Bunten, Harlan Carvey, and Rick Wanner for feedback after the initial release.


Please support the Open Security Foundation (OSVDB)

Tuesday, July 07, 2009

ColdFusion, SaaS, and negligence

Recent headlines have described news pertinent to ColdFusion-related vulnerabilities and hacks specifically targeting the FCKEditor text editing tool, and the CKFinder file management tool. There have been further indications of attackers uploading a ColdFusion web shell as often seen on vulnerable PHP platforms.

These discussions reminded me of two significant pet peeves.
1) ColdFusion error verbosity and how useful it is to attackers.
2) Negligent vendors who do absolutely nothing about security vulnerabilities they've been advised of; worse still, when the vendor is a SaaS provider.


Case in point: WebPublish CMS

I communicated with these folks at multiple intervals via email and telephone from February 20, 2009 until April 23, 2009. It took multiple efforts just to get through as my messages were manually interpreted as "potential SPAM". Trust me, my security advisory language does not trip SPAM filters and is most often easily and well received. Yet, after finally making a connection, I received the classic "we don't have the time and resources to address this issue any time soon." To which I replied with useful resources for mitigation and remediation. My last received communication stated "I will have a look and see if I can incorporate as much as I can." That was two and a half months ago.
I think we can agree the tenets of responsible disclosure were followed, yes?
Thus, a seemingly capable, growing SaaS provider quite simply blew me off.

So be it. Here's my favorite example of something they should immediately fix: A cross-site scripting (XSS) vulnerability exhibited in the ColdFusion error page leading to significant information disclosure (ID) while indicating possible SQL injection (SQLi) vulnerabilities. Wow, really?
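As an added illustration of the error-verbosity fix (this is a hypothetical example, not code from this post and not WebPublish CMS's code), the following Application.cfc shows the standard ColdFusion approach: an onError handler that logs the exception detail server-side and sends the browser a generic page that echoes nothing from the request. The application name, log file name and message text are assumptions.

```cfml
<!--- Application.cfc: hypothetical example, not WebPublish CMS code --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">

    <!--- ColdFusion calls onError for any unhandled exception in this
          application. Defining it replaces the default error page, which
          otherwise hands the client the query string, SQL fragments,
          file paths and a stack trace, and reflects request data into the
          page without encoding. --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" type="any" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Keep the detail server-side: log it, never send it to the browser --->
        <cflog file="app_errors" type="error"
               text="#arguments.eventName# :: #arguments.exception.message# :: #arguments.exception.detail#">

        <!--- Generic response. A real 500 status keeps monitoring honest;
              nothing from URL, FORM or CGI scope is written to the page, so
              there is nothing for a crafted request to reflect. --->
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
            <p>Sorry, something went wrong. The problem has been logged.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

On a production server the ColdFusion Administrator should back this up: turn off "Enable Robust Exception Information" under Debugging & Logging > Debug Output Settings, and set a Site-wide Error Handler under Server Settings > Settings, so that an application without its own handler still cannot leak SQL fragments, paths or stack traces.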

A screen shot complete with a wee bit 'o appsec humor courtesy of an IFRAME insertion:


Now take this absurdity to the next level.
As many a vendor is prone to doing, WebPublish CMS sites clearly state that "This site is powered by WebPublish".
How helpful.
Try intext:"powered by WebPublish" via Google.
Just a few results, yes?
We'll use a few for further analysis. What do they all have in common?
kellyprecision.ie
multiples.ie
netcommunications.ie
snapprinting.ie
webpublishcms.com
Yep, all the same IP, as in all on the same server.

Core application vulnerabilities in a primary service offering (SaaS) from one vendor, on one server, affecting hundreds if not thousands of clients.
See the problem?
Negligence, plain and simple.



Wednesday, July 01, 2009

Malzilla: Exploring scareware and drive-by malware


Yesterday included a SANS ISC diary post regarding a tool list useful for de-obfuscation. Amongst the entries was Malzilla.
Fortuitous timing I say!
My toolsmith column for July's ISSA Journal is a complete analysis of Malzilla's capabilities.

Malzilla is best described as a useful program for use in exploring malicious pages, allowing you to choose your own User Agent and referrer and use proxies. While it downloads Web content, it does not render it, so it is not a browser. Think of it as WGET with a user interface and some very specific talents. In Using Malzilla, we’ll take a close look at rogue AV tactics and exploit sites in order to study the infection process utilized.

Lenny Zeltser contributed great feedback regarding Malzilla for this piece, thus furthering the tool's credibility.
Give the article a read and add Malzilla to your arsenal.
Cheers.


Tuesday, June 23, 2009

ASS Cert Online Store is Hacker Safe

Those of you aspiring to proudly display your recently acquired Application Security Specialist certifications can rest comfortable knowing that the CafePress ASS Cert Online Store is protected by McAfee Secure/Hacker Safe. This is wonderful news as it guarantees that your transaction is safe while you purchase your favorite ASS Cert products. The store is offering ASS Hats, Office Attire, ASS Gear, framed certificate tiles, and framed oath reminders for those of you who may forget:

I will maintain my status as a Certified Application Support Specialist as proof of my knowledge and experience.

While you're logged in, you can even make use of an added feature: an open redirect that allows you to direct internet traffic to any destination of your choosing!
Check it out here.
Enjoy, and I expect to see all you Application Security Specialists wearing your ASS Hats when I see you at defcon.




Monday, June 15, 2009

IT Infrastructure Threat Modeling Guide now available

In April I discussed the IT Infrastructure Threat Modeling Guide (then in beta), a Solutions Accelerator I've written with the Solution Accelerators for Security and Compliance team.
The IT Infrastructure Threat Modeling Guide is now available for download via the Technet Library and the Download Center.

Networkworld's kind coverage of the guide's release provides additional insight.

Purpose of this Guide:
Provide an easy-to-understand method that enables IT professionals to develop threat models for their environments and prioritize their investments in IT infrastructure security.
IT infrastructure threat modeling should be incorporated into an organization's IT mindset as a matter of policy, much like any other part of the validation, implementation, and installation process. Threat modeling in the name of secure infrastructure should be performed throughout the technology implementation process, much like any other component that is measured for performance, usability, and availability.

This guide maps directly to SDL guidance and marries threat modeling infrastructure to a sound, existing framework.
This has been quite an effort and a valuable learning experience for me.
I'd like to thank the following for their contributions, leadership, and effort during this process:
Kelly Hengesteg, Steve Wacker, Karina Larson, Adam Shostack, Frank Simorjay, Jeff Sigman, Chase Carpenter, Sumit Parikh, and Shruti Kala.
To the numerous people who reviewed and provided feedback, thank you as well.

When you use a structured method as described in this guidance to develop threat models for your IT infrastructure, you identify and mitigate threats to your environment in an efficient and effective manner.
It is the intent and hope of this guidance that the benefits of choosing to develop a threat model portfolio for your IT infrastructure will be many, and that a holistic state of security becomes commonplace for those who undertake the process.

I look forward to your feedback as you read the IT Infrastructure Threat Modeling Guide and hope to learn of your success stories as you utilize it to enhance security in your associated environments.


Tuesday, June 09, 2009

Presenting at Defcon 17 with Mike Bailey

In case you didn't know, CSRF still works. ;-)
Mike Bailey and I will be discussing this sad fact via CSRF: Yeah, It Still Works at DEFCON 17 at the end of July. We do hope to see you there!
Cheers.


Saturday, June 06, 2009

eWeek hypes "secure" SaaS without checking the facts

In an article called SaaS Proof Points, eWeek put on the blinders and jumped on the bandwagon declaring such SaaS wisdom as "not only have modern SAAS applications assuaged security concerns, but the SAAS model itself is seen by some as the most secure approach to handling data".
What!? Wow.
Add to that the well-intended declaration of SaaS neophyte Kimberly Rogers of Santander Consumer USA, while detailing her company's use of Service-now.com. Rogers, who had never worked with a SaaS-based application before, added that "security can be as tight as you want it to be." Noting such blind faith from a Service-now.com user, I was motivated to take a closer look at the provider.
Kimberly, respectfully, you are making a dangerous assumption.
Putting on my bad guy hat for a second, if I can entice you to click a link in a targeted, specially crafted email (phishing), that in turn executes JavaScript in the context of Service-now.com (cross-site scripting) and returns the cookie you use for authentication to Service-now.com (credential theft), is it still reasonable to assume that "security can be as tight as you want it to be"?
I think not.
Service-now.com suffered from a cross-site scripting (XSS) vulnerability that allowed cookie theft and other XSS fun such as frame defacement.
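To make the phishing-to-cookie-theft chain concrete, here is an added example page (hypothetical, not Service-now.com's code; the page name, parameter and cookie name are assumptions) showing a reflected cross-site scripting bug in CFML beside the two defences that break the chain: output encoding, so injected markup renders as text, and an HttpOnly session cookie, so script that does run cannot read the credential.

```cfml
<!--- search.cfm: hypothetical example page, not Service-now.com code --->
<cfparam name="url.q" default="">

<!--- Session cookie: HttpOnly keeps it out of document.cookie, so even a
      successful script injection cannot read it; Secure keeps it off
      plaintext HTTP. (The httponly attribute requires ColdFusion 9 or later.) --->
<cfcookie name="app_session" value="#createUUID()#" httponly="true" secure="true">

<cfoutput>
    <!--- VULNERABLE form, left commented out for contrast: the parameter is
          written unencoded into the page, so a crafted link makes the victim's
          browser execute attacker-supplied markup in this site's origin.
          <p>Results for: #url.q#</p>
    --->

    <!--- HARDENED: HTMLEditFormat() escapes <, >, & and " so the value is
          rendered as text, not markup. Encode at output, in every template. --->
    <p>Results for: #HTMLEditFormat(url.q)#</p>
</cfoutput>
```

HTMLEditFormat() is the right tool for element content and double-quoted attribute values; a value landing in a JavaScript block or a URL needs encoding for that context instead, and the cookie flags only limit the damage of an injection rather than preventing one, which is why both measures belong together.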

Before XSS:


After XSS:


Please note that Service-now.com responded to my advisory and made repairs in a reasonable amount of time, all the while communicating admirably.
That said, if SaaS providers don't ratchet down hard on their basic web application security, silly yet valuable data spills such as described above will continue to prevail unabated.
If trade publications continue to publish hype rather than balanced facts I must assume that data breaches and provider shortcomings will continue to be commonplace as said providers won't be held to a higher standard.

When StrongWebmail fell so readily to an XSS vulnerability this past week (well done Lance, Mike, and Aviv), I simply shook my head in dismay. Are service providers so blind as to not consider the holistic security view before putting 10k on the line?
That was a rhetorical question.
Answer? Obviously.
