Sunday, May 31, 2009

MIR-ROR, for incident response

You can’t publish a cool tool without a cool name.
To that end, I am proud to present:
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate.
If that doesn’t qualify me as an uber-dork (like that needed qualification), nothing will. ;-)
I was rooting about all my USB fobs and discovered one I received while at LE Tech last year. Hiding therein was a handy script that Microsoft forensics mastermind Troy Larson had written to gather investigative data from target machines using a USB stick. I reached out to Troy, and he graciously agreed to allow me to brand the script, as well as maintain and optimize it for your use during incident response engagements.

I consider MIR-ROR a specialized, command-line, RAPIER-like script that makes use of the all-important Windows Sysinternals tools, as well as some other useful tools. Further, as you will see, you can easily enhance the script to your liking with whatever command line tool tickles your fancy.

Incident responders and handlers, malware hunters, and system investigators will all find MIR-ROR useful with one caveat. MIR-ROR is noisy, if you need to maintain forensic integrity, take an image and investigate at your analysis station.

Download MIR-ROR at the project site.
For my complete toolsmith article, courtesy of the ISSA Journal, download it here.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Thursday, May 28, 2009

WhiteHat's trustmark program as a game changer

I am a trustmark hater, I admit it; this should surprise no one.
I have labored long and hard over this post, but I believe it to be relevant and important.

WhiteHat Security, the genesis of Jeremiah Grossman's vision for web application security, has instituted a trustmark program.

Carefully branded a Security Certification Program, this offering seeks to raise the bar on the trustmark concept, a game changer if you will.
On one hand, this won't be hard to do.
As I have in the past, I could rail against the dime a dozen, pseudo-fraud programs that are nothing but conversion gimmicks designed to drive sales through falsely gained consumer confidence. They can all take their Nessus scanners and bugger off.

Instead, I'd like to describe why I think WhiteHat Security can shed new light and standards on this concept.
1) Reputation: WhiteHat Security has always been a premier brand in the realm of web application security. This is indisputable. Their scanning engine, their business model, their personnel are all geared to the cause; they are expert in this field.
2) Value of the service: I know first hand how much WhiteHat labored over the process of offering a Security Certification Program, i.e. how to do so without falling into the same lameness all the others so readily exhibit. This program is not about conversions first, security second. The certification is only offered to WhiteHat Sentinel customers. While there are no guarantees, if you are Sentinel customer, the statistical likelihood of your exposure to web application security flaws goes down exponentially should you choose to fix the flaws they discover. I know this not due to whitepapers or marketing claims, but from experience.
3) Lack of arrogance or false claims: A trustmark that reads "Website Security by WhiteHat Security" is not claiming to be Hacker Safe, Hacker Proof, or Hacker Free. Clicking the trustmark leads you to the following:
"This site employs WhiteHat Sentinel, WhiteHat Security's industry-leading website security solution. To help address concerns about safeguarding your confidential data from security breaches and hacker attacks, the "Website Security by WhiteHat Security" mark appears only on sites that use the WhiteHat Sentinel Service."
No BS, no hype, no false claims of grandure or impenetrability, just simple facts.
4) Jeremiah Grossman: Jeremiah knows this business better than anyone. As a business man he was driven to consider adding a Security Certification Program by customer demand. Whether we like it or not, customers like trustmarks seals, and benefit from them, no matter how lame a trustmark program may be. Customers using Whitehat Sentinel are paying for the privilege, this is not $250 a year scam with no value other than false confidence. Jeremiah's reputation is inherent to the success of this program. He is well aware of the pitfalls, and I know he has the integrity to ensure its value as a real security-first offering.

I expect WhiteHat Security to manage this program from the perspective of an industry standard-bearer, as their first customer has indicated.
Should the rest of the wannabes and posers in the trustmark game raise their standard to this level, I'd have less to talk about.
Good luck and godspeed, WhiteHat, the industry needs your continued integrity in this space.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Wednesday, May 27, 2009

WebTuff checks for WebDAV vulnerability

The folks at Applicure, the dotDefender vendor, have created WebTuff, a free utility to check for the IIS 6 WebDAV vulnerability.
I occasionally run into dotDefender when I'm "analyzing" web application security issues on the Intarweb, and can say that I've been pleasantly surprised by its capabilities.
Please note: This is not an endorsement for Applicure products; simply consider it the suggestion that they are worthy of your consideration.
To that end, a free utility is always a great way generate interest; if your're concerned about exposure to the WebDAV vulnerability, give WebTuff a try.
Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Wednesday, May 20, 2009

SearchFinancialSecurity: The need for financial Web application security

The current lead story on SearchFinancialSecurity.com is my contribution Why financials must implement Web application security best practices.
This is a follow up piece, a summary if you will, on my Online Finance Flaws campaign, kindly solicited by TechTarget to drive home the point: Is there any one sector more than financial services who must take a stronger stance with regard to Web application security?
Answer: Not that I can think of.
Security hits to financial-services firms have far reaching impacts beyond individual victims, including economic implications that can contribute to global economic malaise.
This article offers examples of flaws noted in major financial-services websites, data from OWASP's Security Spending Benchmarks Project Report as well as best practices guidance derived from security development lifecycle (SDL) methodology.
I invite you to read the article at your earliest convenience.
As always, feedback is welcome.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Monday, May 18, 2009

Desktopsmiley: Annoying and insecure

Adware giant desktopsmiley.com annoys me in ways I can't repeat here (to protect the innocent and moral among you), so I'll keep this simple.

Some facts:
1) desktopsmiley.com is ranked 287 in the world according to Alexa.
This is simply stupefying to me, and testament to the fact that there are way too many oblivious people installing this crapware.
2) The geniuses at Desktopsmiley.com have wrestled long and hard with the antiviruse vendors such that their latest installer doesn't trip a single signature per Virustotal. Further ground for to be much annoyed...and perhaps impressed at their obvious negotiation skills.
3) Desktopsmiley.com has a privacy policy. Rejoice! Now we can all install it and know our data and our privacy is protected. Or not. Just read this dreck and you'll shudder at the clearly defined consequences of installing this "not spyware".

I am therefore inclined to point out that this spectacular product offering cares little for your privacy or your security.

Case in point 2x:
That privacy page? Not so private. It's vulnerable to XSS, and I'm sure this isn't the only example.
Explore for yourself: http://tinyurl.com/qv9zkw

Screen shot, if you prefer.



The next one is particularly fun as it is clearly indicative of bad Flash coding practices. The clickTag variable is wide open on smiley.swf.
Follow this URL, then click the super happy swf! Hurray!

http://download2.desktopsmiley.com/landing/images/tm106/smiley.swf?clickTag=http://cwe.mitre.org/data/definitions/601.html

Can you say arbitrary redirect? I knew you could, boys and girls.

I hereby declare the creation of a new Holisticinfosec award for just such occasions, the ID Ten C Award.
Don't get it? Spell it out and say it with me: ID 10 C...you should be able to handle it from there.
Desktopsmiley.com, consider yourselves awarded, for being both annoying and insecure.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Wednesday, May 13, 2009

WebCollab - Billy Goat security goodness

A quick shout-out to the WebCollab team for a transparent and quick turnaround on security fixes for vulnerabilities I reported through Secunia.
They were prompt, communicative, and thorough in their review, claiming that "this is the first publicly notified issue with WebCollab in more than six years of releases."
I truly appreciate teams who openly address their methodology, the change log, and the core issues.
Well done and thank you, WebCollab. Yours is a model I wish others would adopt.
Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Tuesday, May 05, 2009

The McAfee Secure Double Standard

McAfee Secure claims to be McAfee Secure while not McAfee Secure

It's been a rough week for our McAfee Secure friends.
First, an XSS, Iframe injections, and XMLHTTP outing provided by XSSed.com, followed quickly by a CSRF browbeating from The Skeptikal One, Mike Bailey.
While these findings should not come as a surprise, I have no doubt McAfee moved as quickly as possible to resolve the issues.

What sadly should also not come as a surprise is that the entire time these numerous vulnerabilities were live, so too was the McAfee Secure trustmark.

I realize the odds of McAfee Secure removing the McAfee Secure trustmark when they are not McAfee Secure is highly unlikely, it nonetheless exemplifies a double standard.
The key question is this.
If the McAfee Secure customer portal is vulnerable to CSRF for 4-5 weeks while the portal code is under repair, should it declare itself McAfee Secure?

To further my point, language from the McAfee Secure Standard:
In the event that McAfee discovers a vulnerability that prevents a merchant’s website from complying with the McAfee SECURE standard, the merchant will have a 72-hour remediation window. In instances where McAfee believes confidential customer data is at immediate risk, or in those cases where McAfee has evidence of prior compromise, the McAfee SECURE trustmark may be removed before expiration of this 72-hour window.

While the McAfee Secure Standard does not indicate that CSRF by itself is worthy of pulling a trustmark, the fact remains that because Mike had demonstrated what could be done with this paricular vulnerability, such as a live weaponized attack script, McAfee was treating it like a high-priority critical issue.
I can therefore only hope that a McAfee Secure customer under the same circumstances would NOT have been displaying a McAfee Secure trustmark.

So there it, plain and simple, for your consideration.
A double standard?
You decide...comments welcome.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Sunday, May 03, 2009

Homebusinessinstitution.com: Probable fraud, definite XSS

While I've recently been trying to take a more positive tack in my exploration of online security issues, I must digress.
Cable viewers have again been endlessly inundated with Home Based Business advertisements claiming riches beyond your wildest dreams.
You know the one..."I made over $9000 last month working from home part-time."
Right...
Same message, different URL; they simply change the URL every so often. The current domain is 67gogreen.com, others have included crazyfox.com and 46homeworker.com.
All of this complete bulls**t is brought to you by LG Technologies of Temecula, CA, under the premise of Home Based Busines - As Seen on TV.

First, the fine print:
The incomes depicted are not typical and represent a small percentage of actual participants. There are no guarantees that participants will be able to achieve the income levels depicted.

Second, your privacy at risk:
We will maintain a record of your Personally Identifiable Information (PII) that will be sold or transferred to third parties that we believe offer products, services, and/or opportunities that are consistent with your expressed interests. Note that if you voluntarily provide us with Personally Identifiable Information, you consent to our sale, transfer, and use of your information.

Third, security:
We treat your Personally Identifiable Information very carefully and use our best efforts to protect your Personally Identifiable Information against unauthorized access and disclosure.

Do you now? Let's investigate...

HomeBusinessInstitution claims to be VeriSign Secured and are indeed using a Verisign cert. Thereafter, they display badges claiming "100% Safe Secure" and "100% Privacy Verified". Too bad they're both utter crap.
All measures of security (there aren't any) falter drastically, as homebusinessinstitution.com falls immediately to cross-site scripting (XSS).
To exemplify both my dismay and the lack of secure input validation, I offer the following screen shot of customized Javascript executing in the context of homebusinessinstitution.com.



Companies such as this, who exploit the gullible and naive, infuriate me well before I endeavor to dissect their weak claims of securing your PII. To find that their victims are then at further risk leaves me blistering. It strikes me that only their vast disclaimer language serves to protect them from the likes of criminal prosecution or civil litigation.
There's an interesting study of LG Technology and their associates provided here.
I do hope someone finds a way of putting this likely fraud to an end.

del.icio.us | digg | Submit to Slashdot

Saturday, May 02, 2009

SUMO Linux: Security utilizing multiple options



May's toolsmith, in the ISSA Journal, features SUMO Linux: Security utilizing multiple options.

From the column:
SUMO Linux is the brain child of Marcus Carey of Sun Tzu Data in Washington, D.C area. As part of his DojoSec events and training program, Marcus found himself, and his students, frustrated with needing various tools from different Live CD distributions. Powering down, loading a new disc, and waiting until the new one comes up; annoying and troublesome to say the least.
SUMO Linux 1.0 is the genesis of that teaching experience – one DVD to rule them all. First released in November 2008, this young project represents a multi-boot DVD inclusive of five (that’s right, I said five) popular security-related Linux distributions. Bonus!


Sumo Linux includes Backtrack, Helix, Samurai Linux, dban, and DVL.

Grab the DVD ISO, pull down the article PDF, and make quick use of this excellent distribution.
Cheers.

del.icio.us | digg | Submit to Slashdot