You all probably know that i’m in the middle of doing a SANS gold paper on Security Onion .. here’s a talk Doug Burks did at Shmoocon on his distro
The dominance of exploit kits like Blackhole, Incognito and others, continues to be seen in the wild. Attackers continue to use these exploit kits to generate malicious webpages and host them on various domains. These exploit kits usually targets browser and browser plugin vulnerabilities.
To increase the likelihood of a successful attack, exploit kits are commonly used to infect legitimate sites that already have significant traffic. Attackers achieve this by crafting scripts designed to identify sites with injection vulnerabilities, which allow for hidden iFrames to be written, which then point to the exploit kit URL. When users visit the infected sites and are redirected to the browser exploit kits, a known browser or plugin vulnerability is typically used to download and execute malicious content without user knowledge. You can visit this related blog for more information about iFrame injection in detail.
Recently, I’ve seen a spike in such compromised sites, which lead to exploit kit URLs.In most cases, the JavaScript code containing the hidden iFrame is heavily obfuscated. Different exploit kits have their own techniques to obfuscate malicious code. Let’s take look at a couple of examples and their respective de-obfuscated code.
Read the full article on Zscaler Research
While unpatched systems are often the first stepping stone of a breach, it’s often weak or shared credentials that help attackers intrude deeper into the network and breach sensitive data. Common problems are:
- Weak passwords that lack length or complexity
- Passwords contained in dictionaries
- Passwords that are easily guessed based on information about the infrastructure
- Vendor default passwords
- Replaying cached credentials
- Re-use of passwords across trust zones
- Development test credentials in a production environment
- Active accounts of previous employees
Services You Can Audit With Metasploit
These are all issues you can scan for with Metasploit. Unlike other password auditors that only test Windows login credentials, Metasploit Pro can brute force passwords to audit passwords across a wide range of operating systems and services, including:
SMB/Windows/CIFS server- PostgreSQL database
- IBM DB2 database
- MySQL database
- Microsoft SQL Server database Oracle
- Oracle RDBMS Server
- HTTP server (basic authentication)
- HTTPS server (basic authentication)
- Secure Shell server
- Telnet server
- File Transfer Protocol server
- Post Office Protocol v3 server
- BSD Remote Execution server
- BSD Remote Login server
- BSD Remote Shell server
- VNC/RFB server
- Simple Network Management Protocol
Where You Can Learn More
HD Moore, the Metasploit Chief Architect, is showing some of the tips and tricks of how to audit passwords with Metasploit in next week’s webinar. Register now and save the date on your calendar!
Read the full article from Rapid7 Community : Blog List – Metasploit
From Oracle:
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2012, which will be released on Tuesday, January 17, 2012. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 78 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
78 security patches. I’ll say that again. 78 oracle security patches. While I’m glad that they’re fixing their stuff it is just a little amazing that there are that many. And DBA’s being who they are will vacillate and come up with all kinds of reasons why they can’t apply patches as they still haven’t done the ones from 2010. In other words…job security for the rest of us.
Oh, and if that wasn’t enough there will also be 27 MySQL patches released at the same time.
Source: Article Link
To attack your system, to steal something or do something else nasty, the bad guys need to find a way in, and usually a way out as well. This is what Attack Surface Analysis is all about: mapping the ways in and out of your system, looking at the system from an attacker’s perspective, understanding what parts of the system are most vulnerable, where you need to focus testing and reviews. It’s part of design and it’s also part of risk management.
Attack Surface Analysis is simple in concept. It’s like walking around your house, counting all of the doors and windows, and checking to see if they are open, or easy to force open. The fewer doors and windows you have, and the harder they are to open, the safer you are. The bigger a system’s attack surface, the bigger a security problem you have, and the more work that you have to put into your security program.
For enterprise systems and web apps, the doors and windows include web URLs (every form, input field – including hidden fields, URL parameters and scripts), cookies, files and databases shared outside the app, open ports and sockets, external system calls and application APIs, admin user ids and functions. And any support backdoors into the app, if you allow that kind of thing.
I’m not going to deal with minimizing the attack surface by turning off features or deleting code. It’s important to do this when you can of course, but most developers are paid to add new features and write more forms and other interfaces – to open up the Attack Surface. So it’s important to understand what this means in terms of security risk.
Measuring the System’s Attack Surface
Michael Howard at Microsoft and other researchers have developed a method for measuring the attack surface of an application, and to track changes to the attack surface over time, called the Relative Attack Surface Quotient (RSQ).
Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an Attack Surface Metric for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes…) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.
Smaller teams building and maintaining smaller systems (which is most of us) and Agile teams trying to move fast don’t need to go this far. Managing a system’s attack surface can be done through a few straightforward steps that developers can understand and take ownership of.
Attack Surface: Where to Start?
Start with some kind of baseline if you can – at least a basic understanding of the system’s attack surface. Spend a few hours reviewing design and architecture documents from an attack surface perspective. For web apps you can use a tool like Arachni or Skipfish or w3af or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the attack surface – at least the part of the system that is accessible over the web. Or better, get an appsec expert to review the application and pen test it so that you understand the attack surface and real vulnerabilities.
Once you have a map of the attack surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.
The attack surface model will be rough and incomplete to start, especially if you haven’t done any security work on the system before. Use what you have and fill in the holes as the team makes changes to the attack surface. But how do you know when you are changing the attack surface?
When are you Changing the Attack Surface?
According to The Official Guide to the CSSLP
“… it is important to understand that the moment a single line of code is written, the attack surface has increased.”
But this over states the risk of making code changes – there are lots of code changes (for example to behind-the-scenes reporting and analytics and changes to business logic) that don’t make the system more vulnerable to attack. Remember, the attack surface is the sum of entry and exit points and untrusted data elements in the system.
Adding a new system interface, a new channel into the system, a new connection type, a new API, a new type of client, a new mobile app, or a new file or database table shared with the outside – these changes directly affect the Attack Surface and change the risk profile of your app. The first web page that you create opens up the system’s attack surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the attack surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.
Changes to session management and authentication and password management also affect the attack surface. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS.
Use a Risk-Based and Opportunity-Based Approach
Attack Surface management can be done in an opportunistic way, driven by your ongoing development requirements. As they work on a piece of the system, the team reviews whether and how the changes affect the attack surface, what the risks are, and raise flags for deeper review. These red flags drive threat modeling and secure code reviews and additional testing.
This means that developers can stay focused on delivering features, while still taking responsibility for security. Attack surface reviews become a part of design and QA and risk management, burned in to how the team works, done when needed in each stage or phase or sprint.
The first time that you touch a piece of the system it may take longer to finish the change because you need to go through more risk assessment. But over time, as you work on the same parts of the system or the same problems, and as you learn more about the application and more about security risks, it will get simpler and faster.
Your understanding of the system’s attack surface will probably never be perfect or complete – but you will always be updating it and improving it. New risks and vulnerabilities will keep coming up. When this happens you add new items to your risk checklists, new red flags to watch for. As long as the system is being maintained, you’re never finished doing attack surface management.
from AppSec News http://swreflections.blogspot.com/2012/01/essential-attack-surface-management.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+BuildingRealSoftware+%28Building+Real+Software%29
Researchers at Symantec yesterday confirmed that working attack code published Jan. 6 can cripple Web servers running Microsoft’s ASP .Net.
from Network World on Security http://www.networkworld.com/news/2012/011112-public-attack-code-aimed-at-254798.html?source=nww_rss
