Friday, January 25, 2008

An Open Letter to Ken Leonard, CEO, ScanAlert

Dear Mr. Leonard,

As you are well aware, the Hacker Safe brand has long been viewed by those in the information security field with varying levels of skepticism, if not vehement disdain. As there are a plethora of blogs, articles, and exposed vulnerabilities available for you to review, I will not waste your time with excerpts validating our position. Suffice it to say, the community at large shares certain doubt about the service offering ScanAlert arrogantly calls Hacker Safe.
It is our view that this is a marketing position only. Nothing, I repeat, nothing, is truly "hacker safe". You claim that websites are free of vulnerabilities when they are clearly not. This is disingenuous and is at the root of what angers information security professionals. If a site is vulnerable while under the auspicious care of ScanAlert's Hacker Safe program should it not lose its Hacker Safe credential until such a time as the vulnerability is remediated? If I take this down to a fundamentally simple premise, saying a site is Hacker Safe while vulnerable to SQL injection, XSS, CSRF, etc. is, in essence, a misrepresentation. If a consumer commits a transaction on a site that is vulnerable, are they not at risk due to vulnerabilities your service claims to scan for? While we understand that you are in the business of growing revenue by indicating websites as “hacker safe”, we believe you are also beholden to the consumers using those sites.
We ask of you this: if a site is found to be vulnerable during your scans, or as reported by third parties, then enforce the findings and suspend their certification. Strive to improve your scan engine where possible. It is your responsibility to NOT label a site “Hacker Safe” when it is not. Then, at least, you are telling the truth, and a consumer can make an informed choice as to how confident they feel about the site's security practices.
There are, at the time of this writing, sites still vulnerable to XSS, yet branded Hacker Safe, that were identified as vulnerable MORE THAN A YEAR AGO. These sites should not be reported as Hacker Safe, period.
Please don't insult us with more of Joseph Pierini’s pearls of wisdom like “XSS vulnerabilities aren't material to a site's certification”. Adopting a view like this is ridiculous and blatantly ignorant given the risks to consumers. You scan for XSS and clearly denote it in your How We Scan section. Therefore, if a site is vulnerable to XSS it is not “Hacker Safe”.
This is far from the first round; credit sla.ckers.org with driving this point home in 2006, only to be shrugged off by Pierini then too. I think there may be a job opening for him over at Zango. Perhaps he could change his mantra from “XSS is not our problem” to “We don’t make spyware.”
What about the PCI argument? If a site is vulnerable to XSS, it’s simply not compliant. See this post for details. It all adds up to consumers at risk. ScanAlert should remember, above all, that safety for the consumer is paramount. Why not live up to your marketing hype and offer a service that truly, honestly, and with integrity, lives up to even a fraction of its namesake?
"What gets us into trouble is not what we don't know. It's what we know for sure that just ain't so." - Mark Twain

Sincerely,

Russ McRee

Those information security professionals wishing to lend your name to this plea, please add your name as a comment.


Friday, January 18, 2008

XSS and PCI: Not compliant, or Hacker Safe

As a follow-up to the last post on sites vulnerable to XSS that are certified McAfee Hacker Safe, there is more to this story.
Of the additional sites listed in Thomas Claburn's recent Information Week article, many take credit cards online and are thus required to comply with PCI DSS 1.1.
If a website is vulnerable to XSS, THE COMPANY IS NOT PCI COMPLIANT.
Supporting language from the Payment Card Industry Data Security Standard:
6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks

So not only can we call into question the validity of the Hacker Safe label, we can question how these businesses can be considered PCI compliant. Again, see the Information Week article for the list of sites.
For further consideration, what if these businesses, as McAfee Hacker Safe customers, are signed up for their Scan Alert PCI service?
"To validate compliance with the PCI DSS, a merchant, service provider, and/or financial institution may be required to undergo a PCI Security Scan conducted by an Approved Scanning Vendor (ASV)."
Are there potential gaps here as well?


Tuesday, January 15, 2008

Hacker Safe? Not so much.

Likely you've all read about Hacker Safe certified Geeks.com being hacked. ScanAlert, recently bought by McAfee, says that "research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning 'Hacker Safe' certification, can prevent over 99% of hacker crime."
I agree...but here comes strike two.
I was happily bouncing about the internet looking for things that should be fixed, when what did I see at Toastmasters International but a McAfee Hacker Safe certificate. Ever the skeptic, I said to myself "Prove it." But, of course, because my white hat and professional values require it, I remembered that "first, do no harm" are words to live by. But a wee script test in a form field can't hurt, right?
There's video of this here if you prefer.
Let's begin.
Here's the Advanced Search page, note the McAfee Hacker Safe tag in the lower right:


Then, said little test script about to be submitted to the Advanced Search page:



Ruh roh, Rastro. Can you say XSS?



Man, that's not good, so let's try a bit more trickery.



XSSed indeed.



Something tells me the McAfee Hacker Safe service offering would do well to dig a little deeper before certifying a site.
Meanwhile, sanitizing input might not be a bad idea for our Toastmasters friends.
Play nice until Toastmasters gets a chance to fix it, please. I've already let them know.
Cheers.

Thursday, January 10, 2008

NSM-Console and HeX update

While researching the HeX System for the pending February toolsmith, I was extremely pleased to discover NSM-Console, from Matthew Lee Hinman. I've not yet seen such an efficient, useful, all-encompassing framework for offline packet analysis. NSM-Console includes modules for:
# aimsnarf
# ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
# tcpxtract
# tcpflow
# chaosreader
# bro-IDS
# snort
# tcpdstat
# capinfos
# tshark
# argus
# ragator
# racount
# rahosts
# hash (md5 & sha256)
# ra
# honeysnap
# p0f
# pads
# fl0p
# iploc
Consider giving both HeX System and the included NSM-Console an immediate look.


Thursday, January 03, 2008

Zango's in your Face(book)

The Zangonistas are at it again, this time deftly disguising their "software" as a Facebook Widget. Fortinet, who discovered the issue, discusses the "Secret Crush" widget at length, so no need to repeat their extensive effort.
Instead, I'd like to offer a bit of analysis, then invoke a debate.

ANALYSIS

I ran Setup.exe, as found in hxxp://static.zangocash.com/Setup/46/Zango/Setup.exe, through the analysis mill and I think the evidence speaks for itself.
IMPORTANT NOTE FOR YOUR CONSIDERATION: All of the following occurs BEFORE you accept the EULA.

IPs called:
66.150.14.74 Zango
66.150.14.65 Zango
66.150.14.61 Zango
64.94.137.72 Zango

URLs:
http://installs.zango.com/downloads/valueadd/SRS/UCI/R1/seekmo.html
http://installs.zango.com/downloads/valueadd/SRS/UCI/R1/zango.html
http://installs.zango.com/downloads/valueadd/SRS/Installer/2.0.26/R1/Installer.exe
http://static.zangocash.com/Setup/Update/
http://public.zangocash.com/php/rpc_uci.php
http://te.seekmo.com/TrackedEvent.aspx
http://te1.zango.com/te.aspx

Registry Keys:
HKEY_CURRENT_USER\Software\ZangoInstall
HKEY_CURRENT_USER\Software\ZangoDebugSettings
softwaredistributionfaild
HKEY_LOCAL_MACHINE\Software\MediaGateway
SoftwareList
hkey_local_machine\software\seekmo
hkey_local_machine\software\zango
softwareurl: %s, registry: %s
GetSoftwareList
The software you are trying to install does not yet support Windows Vista@.
The software you are trying to install does not support your operating system.
Anti-virus and firewall applications can interfere with this and other software installation programs.
You may want to temporarily disable these applications during software installation.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_LOCAL_MACHINE\software\Mozilla\
HKEY_CURRENT_USER\Software\
HKEY_LOCAL_MACHINE\Software\
Software\Microsoft
softwarecount=%d&retrycount=%d&reason=%s
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility
Software

API Log (edited for brevity, but oh so interesting):
416a68 LoadLibraryA(crypt32.dll)=762c0000
762ec91d RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\OID)
77ddecaf RegOpenKeyExA (SOFTWARE\Microsoft\Cryptography\Providers\Type 001)
77dded3f RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001)
77ddee3b RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider)
77ddf4b3 ReadFile()
77e6ce44 CreateFileA(C:\WINDOWS\System32\rsaenh.dll)
ffeb87e ReadFile()
77ddf43f LoadLibraryA(C:\WINDOWS\System32\rsaenh.dll)=ffd0000
ffe8206 RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography)
ffeb11f RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\Offload)
762ec6c4 RegOpenKeyExA (CryptDllFindOIDInfo)

What are we encrypting and offloading? Hmm?

719546f9 LoadLibraryA(UxTheme.dll)=5ad70000
41996b RegOpenKeyExA (HKLM\SOFTWARE\WindUpdates)
4195f3 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Winad Client)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows SyncroAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Win Comm)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdTools)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdControl)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows TaskAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ControlAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ServeAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admilli Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\DeskAd Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admanager Controller)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdStatus Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdStatus)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows FormatAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdTools Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Preview AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Pass)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Access)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Gateway)
41996b RegOpenKeyExA (HKLM\SOFTWARE\MediaGateway)

Wait a minute...I haven't accepted the EULA yet!
Let's discuss.
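The API log above can be triaged mechanically. The following is an added example, not part of the original post or the tool that produced the log: it parses lines in the log's format and buckets registry opens into autostart, cryptography configuration, and bursts of vendor-key probes from a single call site. The bucket names and the burst threshold of 3 are assumptions chosen for illustration; the sample lines are an excerpt of the log quoted above.

```python
import re
from collections import defaultdict

# Excerpt of the API log quoted in the post: <caller addr> <API>(<argument>)[=<result>]
SAMPLE_LOG = r"""
416a68 LoadLibraryA(crypt32.dll)=762c0000
762ec91d RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\OID)
77ddf4b3 ReadFile()
77e6ce44 CreateFileA(C:\WINDOWS\System32\rsaenh.dll)
4195f3 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
41996b RegOpenKeyExA (HKLM\SOFTWARE\WindUpdates)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Winad Client)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdTools)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Gateway)
41996b RegOpenKeyExA (HKLM\SOFTWARE\MediaGateway)
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\w+)\s*\(([^)]*)\)(?:=([0-9a-fA-F]+))?$")

def parse(log):
    """Yield (caller, api, argument) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)

def triage(log, burst=3):
    """Summarise registry activity worth an analyst's attention (assumed buckets)."""
    report = {"autostart": [], "crypto": [], "probes": {}}
    by_caller = defaultdict(list)
    for caller, api, arg in parse(log):
        if not api.startswith("RegOpenKey"):
            continue
        key = arg.lower()
        if key.endswith(r"\currentversion\run"):
            report["autostart"].append(arg)          # persistence location
        elif r"\microsoft\cryptography" in key:
            report["crypto"].append(arg)             # crypto provider configuration
        elif re.fullmatch(r"hklm\\software\\[^\\]+", key):
            by_caller[caller].append(arg)            # top-level vendor key
    # One call site opening many distinct vendor keys suggests a hard-coded probe list.
    for caller, keys in by_caller.items():
        if len(set(keys)) >= burst:
            report["probes"][caller] = sorted(set(keys))
    return report

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```

Grouping by caller address is what surfaces the pattern in the second half of the log: every vendor-key open comes from the same call site, 41996b.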

DEBATE

You know my opinion, I think Zango's offerings are spyware, I always have and I always will. They'd prefer their products be referred to as adware and that they're harmless. I have debated this issue with them in person (perfectly nice people, but analysis supplants personality), and they would argue that, because their software only installs with the explicit consent of the end user, it can't be labeled as spyware. To which I say, if it calls home, reports behavior, and shapes a response based on said behavior, it's spyware, EULA or not. Round and round we go, where we stop, no one knows. The searches define:spyware and define:adware will provide impetus for the debate.
If a user knowingly installs a widget or a piece of software with a EULA that describes its behavior, can it objectively be called spyware or malicious?
Comments welcome. Cheers.


January's toolsmith - Gpg4win

January's toolsmith column in the ISSA Journal features Gpg4win, a suite that integrates GPG into your Windows environment. Next month I will be discussing more powerful NSM opportunities with HeX, a FreeBSD-based Live CD loaded with network security monitoring tools. toolsmith offers insights on tools useful to the infosec practitioner, typically open source or inexpensive. The ISSA Journal is available to members in print and online at issa.org. Article copies are available on the toolsmith page.
