Tuesday, August 28, 2007

Monster hacker server in Ukraine

FROM:

http://www.networkworld.com/news/2007/082407-the-monstercom.html?nlhtsec=0827securityalert2

How was the information stolen? The Infostealer.Monstres Trojan runs batch searches by sending HTTP commands to the Monster Web site to navigate through folders, said Hidalgo. The malware then parses the output that appears in a pop-up window that holds the job seeker profiles that match the search criteria. Essentially, the Trojan worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals. Symantec said that the server, though located in Russia, was hosted by a company out of Ukraine.

Essentially the article claims Monster was not hacked. I would claim that Monster needs to do a better job of scouring its traffic and users, and of protecting those who posted resumes there in the past, like me.

Wednesday, August 22, 2007

PCI Compliant Managed Hosting

Someone needs to offer PCI compliant managed hosting with appropriate security auditing.

For instance, firewall rules should be visible to the end customer at ANY time, and the customer should be able to have a third party test and audit all firewall rules and DNS rules that are supposed to be in effect, without the knowledge of the managed hosting company and its staff.

Every touch on a server or network component that belongs to an ecommerce system, or to any system holding sensitive data, including hardware, software and every network device along the way, should be logged, and that log should be available to customers at any time on request, or possibly at any time through a secure system.

Make sure customers are always up to date with the latest VPN client software. My hosting company, with the highest uptime rating in the industry, was letting me run with out-of-date VPN software.

Monster Hacked

Monster was hacked and personal information was stolen.

Until our government gets serious about prosecuting international hackers, and system admins take good and bad internet traffic seriously and do more to protect apps, networks, VPNs, routers, etc....

This will continue.

And it may be the fall of Rome.

We built the computer. We created the problem. Let's fix it.

Monday, August 20, 2007

Length of SQL strings

If you are using SQL to record actions and log errors, validate the length of every input before inserting it into the database. If an attacker can pass in a string longer than the column allows, the INSERT fails, and if the application treats a failed log write as non-fatal the attacker's action goes unrecorded. Write the log entry before performing the action, and refuse the action if the log write fails.
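An added example (not code from the original post) showing both sides: the log-after-the-fact pattern that loses the record when the detail string is too long, and a fail-closed version that truncates oversize input and writes the log row before the action runs. It uses an in-memory SQLite table; the CHECK constraint stands in for the VARCHAR(255) width a server database would enforce, and the column width and audit schema are assumptions.

```python
import sqlite3

MAX_DETAIL = 255                  # assumed column width, e.g. VARCHAR(255) on the server
TRUNC_MARK = "...[truncated]"


def make_db():
    """In-memory SQLite database; the CHECK constraint stands in for the width
    a server RDBMS would enforce on a VARCHAR(255) column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE audit_log ("
        " id INTEGER PRIMARY KEY,"
        " actor TEXT NOT NULL,"
        " action TEXT NOT NULL,"
        " detail TEXT NOT NULL CHECK (length(detail) <= 255))"
    )
    return db


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def perform_then_log(db, actor, action, detail):
    """The pattern the post warns about: the action runs first, the log write comes
    after, and a failed write is swallowed. An over-long 'detail' makes the INSERT
    fail, so the action is never recorded."""
    outcome = f"{action} done for {actor}"          # the sensitive action happens here
    try:
        db.execute("INSERT INTO audit_log (actor, action, detail) VALUES (?, ?, ?)",
                   (actor, action, detail))
        db.commit()
    except sqlite3.DatabaseError:
        pass                                          # silently unlogged
    return outcome


class AuditError(Exception):
    """Raised when an action cannot be recorded; callers must treat this as a refusal."""


def write_log(db, actor, action, detail):
    if not isinstance(detail, str):
        raise AuditError("detail must be text")
    if len(detail) > MAX_DETAIL:
        # keep the evidence, cut it to the column width, and mark that it was cut
        detail = detail[:MAX_DETAIL - len(TRUNC_MARK)] + TRUNC_MARK
    db.execute("INSERT INTO audit_log (actor, action, detail) VALUES (?, ?, ?)",
               (actor, action, detail))
    db.commit()


def log_then_perform(db, actor, action, detail):
    """Fail closed: the log row is written first; if that fails the action does not run."""
    try:
        write_log(db, actor, action, detail)
    except (AuditError, sqlite3.DatabaseError) as exc:
        raise AuditError(f"refusing {action!r}: audit log write failed ({exc})") from exc
    return f"{action} done for {actor}"
```

With a 5000-character detail string, `perform_then_log` leaves the table empty while `log_then_perform` records a 255-character row ending in the truncation marker. Parameterized queries keep the length check from turning into an injection problem, but they do nothing about width, which is why the explicit check is still needed.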

Hacking Regular Expressions

If you are building regular expressions from user input, the following characters change the meaning of the pattern when they arrive unescaped:

\, *, +, ?, |, {, }, [, ], (, ), ^, $, . and, in verbose (extended) mode, # and white space

Rather than filtering these characters out, escape the input with your library's escape function (re.escape in Python, Pattern.quote in Java, preg_quote in PHP) so that it is matched literally.
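An added example (not from the original post) of what an unescaped search term does to a pattern, beside the escaped version. The user list is constructed for the demonstration.

```python
import re

# Constructed user list for the demonstration.
USERS = ["alice", "bob", "charlie", "admin"]

# Characters that change a pattern's meaning; '#' and white space only do so
# under re.VERBOSE (Python) / the x flag (Perl, PCRE), but escaping them is harmless.
METACHARS = set("\\*+?|{}[]()^$.#") | set(" \t\r\n")


def has_metachars(text):
    return any(ch in METACHARS for ch in text)


def find_user_unsafe(needle):
    """Vulnerable: the search term is pasted into the pattern as-is, so '.*'
    matches everyone, '|' adds alternatives and '.' matches any character."""
    pattern = re.compile("^" + needle + "$")
    return [u for u in USERS if pattern.search(u)]


def find_user_safe(needle):
    """Hardened: re.escape() makes the term match literally, whatever it contains."""
    pattern = re.compile("^" + re.escape(needle) + "$")
    return [u for u in USERS if pattern.search(u)]
```

Note that an unbalanced `(` in the unsafe version does not just widen the match, it makes `re.compile` raise, which is an unhandled error path of its own. Escaping fixes meaning changes; it does not protect a pattern that already backtracks badly, so keep the fixed part of the expression simple as well.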

Sunday, August 19, 2007

Google Bot Blocking Software

Google's bot-blocking software locked me out of Google AdWords on one computer I am using. When I write to customer support I can't get it resolved.

If I didn't have a secondary computer to get in and change my ads, I could be blocked out and continuously charged for something I am trying to shut down.

I have bot-blocking software on my site, but if someone calls and provides the appropriate information I can easily resolve any false positives. This is the unhelpful response I received; I hope that Google does something about this:


Hello

Thank you for writing back to us. As I mentioned in my previous email, we are unable to provide you the information regarding what is leading to your IP address getting blocked while making certain changes in your AdWords account. I suggest that the next time you get this problem, please delete your system's cache and cookies and log in after a couple of hours.
If the problem persists, you will need to figure out the reason for the IP getting blocked yourself. I apologize for any inconvenience this may cause.

If you have additional questions, please visit our Help Center at https://adwords.google.com/support to find answers to many frequently asked questions. Or, try our Learning Center at http://www.google.com/adwords/learningcenter/ for self-paced lessons that cover the scope of AdWords.

We look forward to providing you with the most effective advertising available.

Sincerely,
Sandhu
The Google AdWords Team

TRANSLATION:


"Sorry we cannot let you back into the administrative site we are charging you for and therefore you may get charged eternally -- but you have to figure out what the problem is with our software, not us."

I know for a fact that there are amazing, smart technical people at Google who can resolve this issue in a matter of minutes. I wonder if they realize this is happening.

ProjectHoneypot.org

While searching for an explanation of the IEMB3 user agent string, about which I can find no useful information, I ran across this site, which at first glance has a very interesting thing going on. The way I got here searching for IEMB3 was kind of odd, since the page was just telling me they have no information about IEMB3; however, the concept of what they are doing, if legit, can help track down bots and spammers across multiple web sites across the Internet:

http://www.projecthoneypot.org/

How it works is you set up a monitor on your IPs and they tell you if they see any malicious behavior from your IP space. Of course you have to trust these guys not to be doing some monitoring for their own malicious purposes, but hopefully someone will look into that. The concept is interesting, and by doing this some unsuspecting web site owners may be alerted if their servers are being used by command and control servers to perform dirty work.

Saturday, August 18, 2007

Monitor Your Monitoring System

Do you know if your monitoring system is really monitoring what it is supposed to be monitoring? Have you audited it? Do you have a way to be notified if it is doing the wrong thing?

In my case I found out my monitoring system at DataPipe was set up to monitor the IP address, not the URLs I had requested. The problem with this is that while the monitoring system may show you that your server is up, it doesn't tell you if there is a DNS error that is preventing people from accessing your site, or worse, sending them somewhere else via a man-in-the-middle DNS spoofing attack.
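An added example (not from the original post) of a site check that fails on the two conditions an IP-only monitor misses: the name resolving to an address that is not ours, and the page served not being ours. The hostname, expected addresses and page marker are assumptions; the resolver and fetcher are passed in so the check can be exercised offline, and the real `dns_resolve`/`http_fetch` are used when nothing is passed.

```python
import socket
import urllib.request

EXPECTED_ADDRS = {"192.0.2.10", "192.0.2.11"}           # assumed: our published A records
CONTENT_MARKER = "<!-- site-id: example-shop-7f3a -->"   # assumed: marker embedded in our pages


def dns_resolve(host):
    """Addresses the monitoring host's resolver returns for the name."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}


def http_fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.status, resp.read(65536).decode("utf-8", "replace")


def check_site(host, url, expected_addrs=EXPECTED_ADDRS, marker=CONTENT_MARKER,
               resolve=dns_resolve, fetch=http_fetch):
    """Return the list of problems found; an empty list means the check passed."""
    problems = []
    try:
        addrs = resolve(host)
    except OSError as exc:                    # socket.gaierror is an OSError
        return [f"DNS lookup failed for {host}: {exc}"]
    if not addrs:
        problems.append(f"{host} resolved to no addresses")
    elif not addrs <= expected_addrs:
        problems.append(f"{host} resolves to unexpected address(es) {sorted(addrs - expected_addrs)}")
    try:
        status, body = fetch(url)
    except OSError as exc:                    # urllib.error.URLError is an OSError too
        problems.append(f"fetch of {url} failed: {exc}")
        return problems
    if status != 200:
        problems.append(f"{url} returned HTTP {status}")
    if marker not in body:
        problems.append(f"{url} served a page without our marker (wrong or tampered site?)")
    return problems
```

The resolver on the monitoring host can itself be fed a spoofed answer, so run the DNS half from more than one vantage point and resolver; and audit the monitor the same way you would audit anything else, by deliberately breaking the record once and confirming the alert arrives.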

Monitor your monitoring systems. Audit your hosting company.

Forum for Women Entrepreneurs Email List Hacked

Members of that group got this total spam email - with the organization's name in the subject line:

Official letter to Forum for Women Entrepreneurs

My name is Rev. Clysta de Armas,the president of the Fellowship of Baptist Church.
We are writting you this letter because we have recieved your recommendation from the Baptist christian organization in your country. You have been recomended as one who is trustworthy and our institution has decided to chose you for a humanitarian mission, one which will be greatly rewarding in financial terms.
The crisis in Zimbabwe has rendered many kids from european decent orphans and most of them have managed through the help of our missionary work to find themselves in South Africa and under the care of the Baptist Church world wide. In one major case a set of twin orphans were left with a treasure under the care and protection of the Baptist Church because one of our reverends was present at the hospital where the father passed away and the father had to entrust the safey and upkeep of the twins in the custody of Baptist organization.
Their father was a co-founder of the commercial farmers corperative union and in his will he entrusted all his estates to the two twin sons. We were also made executors of the last will and testament hence on the demise of Late Mr. Stevens, the sum of 15.5 Million dollars inherited by his sons Patrick Stevens and Mattew Stevens secured in VEF BANK in Riga Latvia was moved down to South Africa and secured in a special reserve account opened in the name of our church on behalf of young Patrick since is not mature enough to hold an account with any financial institution in South Africa.
God’s call comes clearly when we are listening for His voice. It is not just a one time call to salvation. That is the first call on our lives. But it is also a daily call to follow Christ in every situation.As I have tried to answer the call on my life, it has not always been easy or convenient, but it has always been the best for me. I challenge us all to take to heart our new emphasis and "Live the Call" each day. When we hear Jesus calling, let’s jump up and run to Him just as Mary did.
We would like you to help Patrick and his Twin brother Mattew. You may wonder, what do we want you to do for them.
1. Our church organization has no business ideas in mind to plunge this funds.
2. We are not involved in financial matters hence we lack fund management skills
3. We are prepared to raise Patrick and his twin brother Mattew until they are upto the age of 21 when they can manage their own affairs and be free from the orphanage but we need someone who will manage this funds for a period of 15 years because they are only 6 years old now.
4. We also need someone who will receive this fund oversea for this investment purpose.
5. We need a trustworthy and God fearing someone who will give proper accountability and also report events concerning the funds from time to time as shall be required by our organization.
6. For helping in the relocation of the funds to an overseas account, we are prepared to compensation you with 10% of the total funds and also in securing the funds in a solid investment we are prepared to offer you 30% of every yearly profit that shall accrue in the said investment.
7. The terms and conditions of this matter shall be put in a formal business and fund manager contract.
8. In your response, I shall send you some vital information that will enhance your decision making.
I am too busy with official matters regarding the church so please contact Rev. James Willis at the email below:
jameswillismail@sify.com
You can call him on the phone number: +27 79 753 3836
He has been given full authority by our church organization to facilitate this process and shall work in collaboration with you to actualize same so feel free to contact him.
Please respond to this call in the name of humanity.
On getting your response you shall be properly informed on what to do.
Thanks and may the blessings of God be with you.
He awaits your response,

Rev. Clysta de Armas

Take note , send your response to this email only to Mr. James Willis at jameswillismail@sify.com and additionally kindly call him at his phone number
+27 79 753 3836


Received: from gwsin04.mbox.net [165.212.64.16] by cmsmail03.cms.usa.net via mtad (C8.MAIN.3.27X) with ESMTP id 629LHRgwE0189M03; Sat, 18 Aug 2007 06:22:31 GMT
Return-Path: <clystamail_2006@sify.com>
Received: from gwsin04.mbox.net [127.0.0.1] by gwsin04.mbox.net via mtad (C8.MAIN.3.31J) with ESMTP id 917LHRgwd0383Ms4; Sat, 18 Aug 2007 06:22:29 GMT
Received: from esmail01.eservices.usa.net [165.212.64.8] by gwsin04.mbox.net via mtad (C8.MAIN.3.31J) with ESMTP id 905LHRgwb0309Ms4; Sat, 18 Aug 2007 06:22:27 GMT
X--Routed: 1 gwsin-bmrelay Q:bmrelay
X--Routed: 2 gwsin-vs R:localhost:1825
X--Routed: 100 IN-RELAY R::525
Received: from fdvhgdf [63.147.22.100] by esmail01.eservices.usa.net via smtad (C8.MAIN.3.34P) with ESMTP id XID944LHRgwb8606Xma; Sat, 18 Aug 2007 06:22:27 -0000
X--Source: 63.147.22.100 IN clystamail_2006@sify.com fdvhgdf
X--MsgId: XID944LHRgwb8606Xma
From: "Clista De Amas" <clystamail_2006@sify.com>
To: [x@x.com]
Subject: Official letter to Forum for Women Entrepreneurs - Seattle
Date: Fri, 17 Aug 2007 23:21:50 -0700
MIME-Version: 1.0
Message-ID: <>
Reply-To: clystamail_2006@sify.com
Content-Type: multipart/alternative; boundary="--=_NextPart_0CEAF315_76FDB910_01C9F258.D84EF1C0"
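An added example (not from the original post) that walks the Received chain of headers like the ones above to find where the message actually entered the mail system. The sample embedded below is constructed from the Received, From, Subject and Reply-To lines quoted above, with the recipient left as the post's placeholder; the list of "our" domains is an assumption about which relays the reader operates.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample: the Received/From/Reply-To lines of the header block quoted above.
SAMPLE_HEADERS = """\
Received: from gwsin04.mbox.net [165.212.64.16] by cmsmail03.cms.usa.net via mtad (C8.MAIN.3.27X) with ESMTP id 629LHRgwE0189M03; Sat, 18 Aug 2007 06:22:31 GMT
Return-Path: <clystamail_2006@sify.com>
Received: from gwsin04.mbox.net [127.0.0.1] by gwsin04.mbox.net via mtad (C8.MAIN.3.31J) with ESMTP id 917LHRgwd0383Ms4; Sat, 18 Aug 2007 06:22:29 GMT
Received: from esmail01.eservices.usa.net [165.212.64.8] by gwsin04.mbox.net via mtad (C8.MAIN.3.31J) with ESMTP id 905LHRgwb0309Ms4; Sat, 18 Aug 2007 06:22:27 GMT
Received: from fdvhgdf [63.147.22.100] by esmail01.eservices.usa.net via smtad (C8.MAIN.3.34P) with ESMTP id XID944LHRgwb8606Xma; Sat, 18 Aug 2007 06:22:27 -0000
From: "Clista De Amas" <clystamail_2006@sify.com>
To: x@x.com
Subject: Official letter to Forum for Women Entrepreneurs - Seattle
Reply-To: clystamail_2006@sify.com

"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9.]+)\]\s+by\s+(?P<by>\S+)", re.I)


def received_hops(raw_message):
    """Parse Received headers into hops, earliest (bottom-most header) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def origin_ip(hops, our_domains):
    """Only Received lines stamped by our own relays can be trusted (anything below
    them could have been written by the sender). The earliest such line names the
    address that actually connected to us."""
    for hop in hops:
        addr = ipaddress.ip_address(hop["ip"])
        if addr.is_loopback or addr.is_private:
            continue
        if any(hop["by"] == d or hop["by"].endswith("." + d) for d in our_domains):
            return hop["ip"]
    return None


def header_flags(raw_message, our_domains):
    """Heuristics, not proof: the things a human notices when reading these headers."""
    msg = email.message_from_string(raw_message)
    hops = received_hops(raw_message)
    flags = []
    src = origin_ip(hops, our_domains)
    first = hops[0] if hops else None
    if first and "." not in first["helo"]:
        flags.append(f"HELO name {first['helo']!r} is not a host name (injected from {src})")
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if first and from_domain and not first["helo"].endswith(from_domain):
        flags.append(f"sender claims {from_domain} but connected as {first['helo']!r}")
    return flags
```

For the sample, the entry point is 63.147.22.100 announcing itself as "fdvhgdf", which is neither a host name nor anything to do with the sify.com address in the From line. That address, not the one in From or Reply-To, is what to report to the network's abuse contact.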

Friday, August 17, 2007

Cisco Open Source Safe Mapping Software

Cisco released some open source software here, apparently. Did someone verify this is really from Cisco? Just wondering.

http://www.networkworld.com/community/?q=node/18481&nlhtsec=0813securityalert5&

URIs can create security holes

According to this article, URI protocol handlers registered in the Windows registry (mailto: and vendor-specific schemes that map a URL scheme to a local executable) can be used to launch applications from a web page. Some vendors register these handlers to make it easy to start their applications from a link, but because the handler receives the URI as a command-line argument, a crafted link can pass unexpected arguments to that application, which can lead to serious security flaws:

http://www.networkworld.com/news/2007/081507-new-uri-browser-flaws-worse.html?t51hb&nladname=securityal

Check your registry (handlers live under HKEY_CLASSES_ROOT, as keys that carry a "URL Protocol" value). Maybe we need Microsoft to write a tool that reports all of these handlers so you can remove the ones you do not need or want on your system.
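An added example (not from the original post or the linked article) of the reporting tool asked for above: enumerate the registered URL protocol handlers and flag the ones whose command line receives the whole URI. The classifier runs anywhere on the constructed sample entries; the registry walk runs only on Windows and uses the standard `winreg` module. The sample handler names and paths are made up.

```python
import sys

# Constructed sample entries (protocol, default value of shell\open\command); not from a real system.
SAMPLE_HANDLERS = [
    ("mailto",    r'"C:\Program Files\MailClient\mail.exe" "%1"'),
    ("vendorapp", r'C:\Vendor\helper.exe /open %1'),
    ("callto",    None),
]


def classify_handler(command):
    """'%1' is replaced with the entire URI the browser was handed. Unquoted, a URI
    containing spaces or quote characters can become extra command-line arguments;
    quoted is better, but the program must still parse the URI it receives safely."""
    if command is None:
        return "no command (orphaned handler)"
    if '"%1"' in command:
        return "passes full URI, quoted"
    if "%1" in command:
        return "passes full URI, unquoted: argument injection risk"
    return "fixed arguments"


def report(handlers):
    return [(proto, classify_handler(cmd)) for proto, cmd in handlers]


def windows_url_handlers():
    """Enumerate HKEY_CLASSES_ROOT keys carrying a 'URL Protocol' value, the marker
    Windows uses for URI scheme handlers, and read each one's shell\\open\\command."""
    if sys.platform != "win32":
        return []
    import winreg
    root = winreg.HKEY_CLASSES_ROOT
    found = []
    index = 0
    while True:
        try:
            name = winreg.EnumKey(root, index)
        except OSError:
            break                       # no more subkeys
        index += 1
        if name.startswith("."):
            continue                    # file-extension keys, never protocol handlers
        try:
            with winreg.OpenKey(root, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")
        except OSError:
            continue                    # not a protocol handler
        try:
            with winreg.OpenKey(root, name + r"\shell\open\command") as cmd_key:
                command = winreg.QueryValueEx(cmd_key, "")[0]
        except OSError:
            command = None
        found.append((name, command))
    return found


if __name__ == "__main__":
    for proto, verdict in report(windows_url_handlers() or SAMPLE_HANDLERS):
        print(f"{proto:15} {verdict}")
```

Removing a handler you do not need is a matter of deleting its key; for the ones you keep, the useful question is whether the target program validates what it gets in `%1`, which no registry listing can answer.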

Wednesday, August 15, 2007

Is your web reporting accurate?

You may not be getting all the referer information you think you are getting. Some data may be completely lost depending on what browsers and search engines are used.

I got to this article because something called GLinkPing.aspx was doing something funky on our server.

Check this out:

http://www.webmasterworld.com/website_technology/3076218.htm

and this:

http://www.javascript-examples.com/track-outgoing/
This article has some good points...

but what I liked best was the grand finale about the author blurb:

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization, and continues to have his advice ignored by CEOs, auditors and sysadmins alike.
I feel your pain. Auditing and information security are way too lax in this country. It is an esoteric topic that the end user doesn't get, so it can be swept under the rug by politicians (or maybe they don't understand it either). People in organizations don't know enough about it and trust people, who don't want any more work or to look ignorant, to tell them everything is just fine.

Thursday, August 09, 2007

Fight Spammers - Block their Sites - Google - Help!

This article suggests fighting spam by blocking out the sites that host spam related products:
http://www.networkworld.com/news/2007/080707-uc-researchers-take-antispam-fight.html?nlhtsec=0806securityalert4&

This is an interesting approach to making spam less profitable and to protecting people on networks where these web sites are blocked, though it may not initially affect the amount of mail in people's inboxes. The spam will still come; you just won't be able to get to the web site (which is good).

I think penalizing the web hosts that knowingly host these web sites for spammers when it is clear what they are doing is a better approach. Drive up the cost of running these businesses and send the people who support them to jail as accomplices.

Being a hosting company I know this is tricky. I don't want to go to jail because one of my customers sent spam - so this would have to be done knowingly. There would have to be proof of the actions and that may prove difficult when the hosting company says "we didn't know".

However, requiring hosting companies that have had 2-3 spam incidents to perform certain types of audits, like monitoring outbound mail traffic levels, might help. If they see an exorbitant amount of mail coming from a particular customer they should be able to determine whether the activity is suspect. Typically you can tell a crappy, spammy web site or email when you see it. You can also find out whether that company has a double opt-in policy and a clear way to get off the list.
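An added example (not from the original post) of the outbound-volume audit suggested above, run over constructed Postfix queue-manager log lines: it totals queued messages and recipients per sender domain and flags the domains over a threshold. The log lines, domains and thresholds are all made up.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix qmgr log format (not from the post).
SAMPLE_LOG = """\
Aug 18 06:01:02 mx1 postfix/qmgr[2011]: 7F3A1C2: from=<news@acme-shop.example>, size=2310, nrcpt=1 (queue active)
Aug 18 06:01:09 mx1 postfix/qmgr[2011]: 7F3A1C3: from=<billing@acme-shop.example>, size=4120, nrcpt=1 (queue active)
Aug 18 06:02:15 mx1 postfix/qmgr[2011]: 8A0B2D4: from=<promo@cheap-pills.example>, size=1500, nrcpt=500 (queue active)
Aug 18 06:02:16 mx1 postfix/qmgr[2011]: 8A0B2D5: from=<promo@cheap-pills.example>, size=1500, nrcpt=500 (queue active)
Aug 18 06:02:17 mx1 postfix/qmgr[2011]: 8A0B2D6: from=<promo@cheap-pills.example>, size=1500, nrcpt=500 (queue active)
Aug 18 06:03:40 mx1 postfix/qmgr[2011]: 9C1D3E7: from=<>, size=800, nrcpt=1 (queue active)
Aug 18 06:03:41 mx1 postfix/smtp[2044]: 9C1D3E7: to=<someone@example.net>, relay=none, status=bounced
"""

QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)


def outbound_by_domain(log_text):
    """Per sender domain: messages queued, total recipients, largest single recipient count."""
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0, "max_nrcpt": 0})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m:
            continue                    # delivery/bounce lines are not what we are counting
        domain = m["sender"].rpartition("@")[2] or "<bounce>"   # from=<> is a bounce
        n = int(m["nrcpt"])
        t = totals[domain]
        t["messages"] += 1
        t["recipients"] += n
        t["max_nrcpt"] = max(t["max_nrcpt"], n)
    return dict(totals)


def suspicious_domains(totals, max_recipients=200, max_per_message=100):
    """Thresholds are assumed; tune them to each customer's normal volume."""
    return sorted(d for d, t in totals.items()
                  if t["recipients"] > max_recipients or t["max_nrcpt"] > max_per_message)
```

Volume alone is only a trigger for the human review the paragraph describes (is there a double opt-in, is there a working unsubscribe), and the sender domain in a queue log is whatever the customer put in the envelope, so a compromised account or web form on an otherwise clean site will show up under that site's name.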

Another concept would be to require spammers to include footers that send complaints back to the top level hosting providers or networks. Each spam message would need to have a clear and easy to read abuse email address that goes to the hosting provider that way they cannot say "we didn't know"...

Obviously there are a lot of web hosting companies and server owners whose systems and networks are abused without their knowledge, but some of these people are catering to the bad guys. Those people should be penalized along with the people they support.

Tuesday, August 07, 2007

Blocking Both Ways - China

Here's an interesting post on what China is blocking out due to censorship. Hey maybe they will block out my blog now. Cool.

http://www.schneier.com/blog/archives/2006/06/ignoring_the_gr.html

Anyway, it's quite ironic that I want to block my sensitive information from an abundance of hackers coming out of China (and elsewhere) and China wants to block its end users from valid, useful, true and honest information that, once discovered, may help make the world a better place.

We can all learn from our mistakes.

China Building Cyberwarfare Units

Not sure how I missed this one. China is promoting cyberwarfare. Our country created the computer, and it is the monster that may knock us off our pedestal if we don't get with the game and get our systems up to speed.

Just recently I went to a governmental web site and the security mechanisms and web site were absolutely pathetic. It is scary that we trust our data and put it all online for anyone to rip off behind these pathetic security models.

I hope that our government will make this one of our top priorities. Are you listening presidential candidates? Our country needs to focus on Internet security, intelligence, protecting our money and our identities.

Monday, August 06, 2007

Core Security Patterns - Wish List

I have pretty much read the Core Security Patterns book from Sun. Ok I skimmed a couple issues we aren't reading but I read some parts 3 or 4 times looking for the information I wanted.

The book is very good, but as I read it I realized I was doing a lot of things in it without having anyone tell me it is a "pattern" because they are just common sense.

The part I found missing was a basic, comprehensive example of managing user logins and lost passwords, and of clearly verifying, when you send out a password reset, that you are sending it to the right user (whether as an encrypted email or by letting them reset their password online). I understand that to some degree this is in the book, but from a comprehensive standpoint:

Ok so I store my user passwords as a one-way hash and that's fine and dandy.

But when a user wants to reset their password - what is the best and most secure way to do that? How do you ensure someone who has ripped off the hash cannot reset the password to whatever they want?
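An added example (not from the book or the original post) of one answer to that question: the reset token is independent of the password hash, only its hash is stored, it is bound to one user, expires, and works once, and every outstanding token dies when the password changes. Someone who has copied the database therefore holds neither passwords nor anything that redeems as a reset link. The in-memory dictionaries, the 15-minute lifetime and the PBKDF2 round count are assumptions standing in for real tables and policy.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60          # assumed policy: a reset link lives 15 minutes
PBKDF2_ROUNDS = 100_000      # assumed work factor


def _h(token):
    """Only this digest is stored; the token itself goes to the user and nowhere else."""
    return hashlib.sha256(token.encode()).hexdigest()


class Accounts:
    """In-memory stand-in for users(user_id, salt, pw_hash) and
    reset_tokens(token_hash, user_id, expires, used)."""

    def __init__(self):
        self.users = {}
        self.resets = {}

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user_id] = (salt, digest)
        # any outstanding reset links for this user die with the old password
        self.resets = {k: v for k, v in self.resets.items() if v["user_id"] != user_id}

    def verify_password(self, user_id, password):
        if user_id not in self.users:
            return False
        salt, digest = self.users[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def start_reset(self, user_id, now=None):
        """Returns the one-time token for the link sent to the address on file.
        Looking the token up by its SHA-256 is fine here: an attacker who does not
        hold the 256-bit random token cannot exploit a timing difference in a dict lookup."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[_h(token)] = {"user_id": user_id, "expires": now + TOKEN_TTL, "used": False}
        return token

    def complete_reset(self, user_id, token, new_password, now=None):
        """The link carries user id + token; both must match, and the token must be
        unexpired and unused. The token is consumed before the password changes."""
        now = time.time() if now is None else now
        row = self.resets.get(_h(token))
        if row is None or row["used"] or now > row["expires"] or row["user_id"] != user_id:
            return False
        row["used"] = True
        self.set_password(user_id, new_password)
        return True
```

Two things the code cannot do for you: the token must travel only to an address (or phone) that was verified before the account was in trouble, and a database copy with write access is a different threat, since then the attacker simply inserts a token hash of their own; that case is answered by access control and logging on the table, not by the token design.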

Also why do some places have additional questions you have to answer before you login or photos that have to match what you expect - otherwise you know you're at the wrong site. There could be security patterns for this as well for these type of double logins. Do they have login information coming from two different sources in that case?

And when someone is on dynamic IP addresses, moving from location to location, how do you know it is really the same person? Do you have to assume the user name and password are good enough?

And it talks about man-in-the middle attacks but as I read this it seems like all the discussion is one way - from the client to the server. The client ends up on a different web site.

What about from the server to the client? How can you really know that the person you think is sending you the request is really that person? This is related to the above issue. What if someone submits a request and your server gets hacked, and the person is redirected elsewhere from that point and all future requests are from another source that is then controlling that user? I would like some discussion on how and why that would or would not be possible.

Also, your firewall should prevent IP spoofing, but does it in all cases? This is something I wonder about because I have actually seen IPs missing in request logs, but perhaps this is some XSS injection technique and my backup logs are getting all the data. I haven't had time to drill into this in more detail.

There is information about filtering requests but the book does not go into detail about how to filter out invalid characters for XSS and sql injection attacks. Why not put a chunk of sample code and say - use this for JavaScript, this for SQL, this for Java, this for Perl, etc. etc. etc. so people can drop this code into their apps for better security.

What about random request keys so requests cannot be duplicated, as in the case of a hidden form submitting from another tab open in the browser to your site? How can this be determined if the hidden frame does not pass the referrer with the request?
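An added example (not from the book or the original post) of exactly that mechanism, usually called a synchronizer or anti-CSRF token: the server issues a random per-request key with each form, keeps it in the session, and accepts a submission only if the key comes back and has not been used. The Referer header is never consulted, so a hidden frame on another site that omits it gains nothing; what it cannot do is read the key out of a page from your origin. The session object, form and cap on outstanding keys are stand-ins and assumptions.

```python
import hmac
import re
import secrets

MAX_OUTSTANDING = 50       # assumed cap so one session cannot hoard keys


class Session:
    """Server-side session state (stand-in for a session store)."""

    def __init__(self):
        self.nonces = []     # keys issued for forms not yet submitted

    def issue_nonce(self):
        nonce = secrets.token_urlsafe(32)
        self.nonces.append(nonce)
        del self.nonces[:-MAX_OUTSTANDING]          # drop the oldest past the cap
        return nonce

    def consume(self, submitted):
        """True exactly once per issued key; comparison is constant-time."""
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        match = next((n for n in self.nonces if hmac.compare_digest(n, submitted)), None)
        if match is None:
            return False
        self.nonces.remove(match)
        return True


def render_transfer_form(session):
    """The key rides in a hidden field; the session cookie identifies whose key it is."""
    nonce = session.issue_nonce()
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{nonce}">'
            '<input name="to"><input name="amount"><input type="submit"></form>')


def handle_transfer(session, fields):
    """The decision rests on the key alone, never on Referer."""
    if not session.consume(fields.get("csrf", "")):
        return 403, "request rejected: missing, unknown or already used token"
    return 200, f"transferred {fields.get('amount')} to {fields.get('to')}"


def submitted_nonce(form_html):
    """What a legitimate browser posts back (helper for exercising the flow)."""
    return re.search(r'name="csrf" value="([^"]+)"', form_html).group(1)
```

A per-request key, as here, also stops the same submission being replayed; if that is not needed, one key per session is simpler and tolerates users with several tabs open. Either way the key must not be in a cookie alone, since the browser sends cookies on cross-site requests regardless of where the form lives.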

These are just some things I wondered about as I read this book.

Social Security Administration - Technology

It is amazing how poor the Social Security Administration web site and support are. It is no wonder we have a problem with identity theft in this country. I was trying to register for their online system to submit information for my company (W2 forms, etc.) and it doesn't recognize the information I am inputting, which is correct and matches the document they sent me. The only thing I can figure is that perhaps they don't have my correct birth date. Everything else matches.

The person on the phone was very non-technical and told me to call some technical support number if I get stuck again. I think someone needs to definitely review this web site and the security around it. It would probably be a good idea for someone to read the security patterns book mentioned in previous posts here.

Additionally, they could at least install an SSL certificate on the main site so you can verify that you are at the official Social Security web site.

Saturday, August 04, 2007

WinHTTP Web Proxy - Hack or Bug or?

Hmm. I logged in to review my logs today and saw a lot of errors surrounding this particular service, which to my knowledge should not be started or run by anything I expect or want to be running on my server:

The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

A proxy can be used to forward requests meant for one server to another server, so has this service been exploited somehow to forward requests to our web site to some other server? Taken on its own, the event above is a dependency failure rather than evidence of that: the WinHTTP Web Proxy Auto-Discovery service is a standard Windows component that lets WinHTTP clients locate a proxy through DHCP or a DNS "wpad" lookup, and it could not start because the DHCP Client service it depends on is disabled. On a server with a static address that needs no proxy discovery it can be set to Disabled in the Services console; if the dependency error keeps appearing after that, something is still trying to start it, and that is the thing worth tracing.

I hope someone at Microsoft can look into and resolve why this is happening and write a patch so that this service is only run when explicitly requested. I don't quite see why it should be required.

JVM Security Wish List

I wish that when you installed the Java JVM on a server you could have fine-grained control to include only the components you are actually going to use, and a security wizard to set up the default security policies, for instance. This would avoid installing additional unnecessary code and potential exploits. I try to remove each jar or directory I know I do not need, but I do not know what every single file in the JDK is and whether I can safely remove it or not.

Friday, August 03, 2007

Java Exploits On the Rise? Read this.

I am really curious how much Microsoft stock Larry Seltzer owns.

In his latest article: Java Exploits on the Rise he is reporting Java exploits in a rather curious way.

http://www.eweek.com/article2/0,1895,2161797,00.asp

First of all, he is talking about the Apple QuickTime implementation in Java. I am not sure of the details, but if an application written in a particular language has a flaw, typically that is an issue that should be blamed on the application developer, not the language in which they chose to implement the application, right? Perhaps the underlying flaw was a Java bug, but the original article he references states:

As in one of the two QuickTime flaws that Apple fixed on May 29, the pwn-2-own hole fixed earlier in the month involved a problem with implementation of QuickTime for Java that allowed reading or writing out of the bounds of the allocated heap, and it also worked by enticing a user to visit a site containing a maliciously crafted Java applet.

"An implementation of" means the bug was in the implementation of the application, not in the language used to implement it. Right? Let's be clear about what is actually happening in this case. From the words above it is not clear whether the error was caused by poorly written application code or by Java itself.

On the other points:

#1 I agree with this article stating that Sun's handling of the release of a security patch was somewhat problematic:
http://www.theregister.co.uk/2007/07/10/sun_java_security_update/

#2 The buffer overrun flaw in the Java Web Start app: was this flaw a result of programming done in Java? (Java itself does not allow buffer overruns, so I doubt this very much.) After testing a download on the Sun web site which utilizes at least some component of the Java Web Start app I get this message:

This web site wants to run the following add-on: Java (TM) Web Start active x control from Sun Microsystems, Inc.

Note: this is an ActiveX control. It is not required to run Java applications; it is a tool to help keep Java applications up to date. In this case it is platform-specific technology, so if this flaw is related to this component it is due to an improperly written ActiveX control (Microsoft technology), or to something in the Java Web Start ActiveX control using an underlying OS component to display images, not to Java as a programming language, at least for this Windows component. I would guess that in this case it was written in C/C++ and compiled natively for each OS, and that is how the same bug got propagated to Linux and Solaris as well, but I cannot know for sure. Because it was most likely not written in Java, that is the source of the buffer overrun, not Java itself.

#3 As for the image parsing flaw:

Consider the recent vulnerability in Java's image parsing code.

followed up by:

The parsing of data coming out of files seems to be a never-ending source of security issues in all platforms.

Yes, image parsing is a source of security flaws on all platforms, and more than one report has come out on image parsing by various Microsoft technologies including Office. Java does not claim to prevent all image parsing flaws in and of itself. Some of this would be up to the application developer, to validate input and output. Additionally, since images are actually displayed by the OS (on Microsoft, GDI) I would question: is it not up to the OS to validate the image? I am not sure, but since all applications use the OS to display images and the OS sends the data to an output device for human visibility, I would recommend that this error checking be done at the OS level. BUT I am not an OS developer. This occurs on all platforms, so given that I am guessing this needs to be handled by the app.

The fact that Java is used to write malware is more like a compliment to the language than a detriment. Hacks can be written in any language. Perhaps Java is used because it offers more fine-grained control over the environment, is more reliable and takes advantage of the fact that it runs on any OS. HMM???

Also, the malware he referenced is not a Java flaw but an application written in Java that someone would have to download and run, just as they would have to run malware on any Windows machine. You can write a piece of malware with Windows technology and email it to someone, and if they run it and it deletes their entire hard drive, is that a flaw in the technologies used to write the exploit? Please do not mince words and twist reality into an article designed to create a big headline where people get an idea in their head and don't read the details.

And finally, the most outrageous part of this article is that he is referencing an exploit on the Symantec web site which references an OCX, a Microsoft technology: an ActiveX control. The article also references JavaScript. Have you ever heard the statement "JavaScript is not Java"? In this context JavaScript is the script running in the browser, not Java. JavaScript was used in the exploit; it was not exploited. The JavaScript mentioned at the beginning of the article is used to exploit Microsoft IE bugs and is an old, known exploit. The bottom of the article, summarizing the new exploit, further clarifies that this is a Microsoft browser flaw, not a Java exploit:

The good news is that the vulnerability exploited in this attack was already patched by MS06-067; the bad news is that malware authors now know and will use this new technique. Heap Feng Shui really takes heap exploitation for browsers to the next level and it’s a powerful method that allows the creation of more efficient and reliable exploits in the future.

Yes there are flaws in Java as with any programming language including this very serious flaw in Java Web Start:

http://www.securiteam.com/windowsntfocus/5UP010UM0G.html

Every language has holes and will continue to be exploited, just as banks are still robbed. However, I still think Java provides a lot more control over your environment to manage security, unless you are running on Windows, in which case you have to rely on the Windows OS for some aspects of security, which can be good and bad. If you are not an OS developer, Microsoft pours more money into OS development than you could alone and you may be better off, though Linux is cheaper, OS developers will have more total control of the environment, and Linux has proven to be more secure in some aspects than Windows.

However, everything is ultimately exploitable and constant analysis is needed, no matter which language or OS you choose.

Audit the auditors

I keep repeating in this blog...audit everything. Audit your auditing software. Audit your security auditors. Audit audit audit.

And software cannot do EVERYTHING for you. Some brains and analytics need to be involved in any good security policy:

Audit your security software