Posts

Showing posts from December, 2009

Russ = Rogueware: Is nothing sacred?

Image
You know you've hit the big time when...;-)
Alright, maybe not, but you still may have to step aside for my ego.
Wait, you already have to do that.
Fine. Never mind.
But this is kinda funny.

Full disclosure:
I use Google Alerts for my name (Russ McRee) and my domain (holisticinfosec).
I'll be quite honest and tell you that it's a combination of ego and paranoia.
I want to know when people say nice things (rare), when they talk smack (more likely), or when they're illegally reusing content (a constant).

Ok, so now you know I auto-Google myself (you should too), but here's where it gets new and exciting.



See the first entry above, i.e. "Russ"?
No good news there.
Looks like keyword abuse or a compromised site pointing to rogueware/scareware:
hxxp://www.tuckmall.com.tw/blog.php?blog=russ+mcree



Use caution as always if you choose to go there, fellow bug analysts.
MMPC calls the binary Trojan:Win32/Winwebsec.
The VirusTotal results include 10 detections out of 41 possible.

The…

Maltego is the 2009 Toolsmith Tool of the Year

Image
Maltego: transform and correlate

December 2009's edition of the ISSA Journal's toolsmith discusses Maltego at length with specific attention to transforming RFI and scareware attributes.
Maltego is an open source intelligence and forensics application.
While researching and writing for December's article I fell completely for this tool.
It was a difficult decision having covered some brilliant and remarkable tools in 2009, but only one can come out on top.

The 2009 Toolsmith Tool of the Year is Maltego.
Congratulations to Andrew MacPherson and his team.

As an example, I used Maltego to analyze remote file include (RFI) attacks against my website and found it to be an extraordinary addition to my toolkit.
RFI attack URL strings often end with a common script name with a .txt or .gif extension.
I grabbed five such file names as most often seen in my logs from October:
zfxid1.txt
id1.txt
fx29id1.txt
idxx.txt
crespon1.txt
fxid1.txt
I fed these to Maltego and one of the URLS revealed showe…

REI: vulnerability remediation done wrong

Image
Part 2 of 2 of Vulnerability remediation done *

It makes me sad to use REI as another example of the wrong way to manage vulnerability disclosure; I am a member who is fond of their stores and products. I will not name names or blather on about negligence.
Rather, I will let the facts simply speak for themselves.

1) On April 11th, 2008 (more than a year and a half ago), I reported a cross-site scripting vulnerability specific to the REI website search functionality. Via email I received a reply indicating that "I’ll have our team evaluate this." I had every reason to believe it would be resolved.

2) The issue completely fell off my radar thereafter until one evening I was checking old findings and noticed that the vulnerability remained on October 1, 2009.

3) Surprised, if not shocked, I tried an alternative approach. I called REI HQ and asked to speak with an appropriate party to report the issue again. I was transferred to a person who provided me with an email alias to which …

Pligg pluggs holes: vulnerability remediation done right

Part 1 of 2 of Vulnerability remediation done *

Often, when I disclose web application vulnerabilities to Secunia, who in turn works with vendors to drive mitigation and remediation, we are met with vendors who don't reply, don't care, or don't fix.
Yet, once in a rare while a vendor chooses the righteous path.
Such is the case with Pligg.
Pligg posted a detailed, transparent, candid writeup regarding the disclosure and their response prior to the scheduled release date (12/2/09) for the advisory. In addition their new release (1.0.3) addressing the issues in now available.
As I am too often prone to complaining, I relish the opportunity to say "well done."
To Pligg, a hearty thank you; you are now amongst the standard bearing few who swiftly address vulnerabilities, do so with candor and transparency, and care about your user base.
When the advisories go live as scheduled tomorrow they will be found here and here.
Again to Pligg: well done.

del.icio.us | digg | Subm…