Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Richard S wrote us and asked what information we could offer regarding languages and frameworks that are more suitable for developing secure applications, along with what attributes differentiate them from their less secure counterparts.
I'll treat this as a starting point for a run of reader comments, but will set the ground rules and throw out some core elements to get the conversation under way.
In the interest of full disclosure, I am not a developer (good at break and assess but not create) and I work for Microsoft.
As such I recuse myself from all but a few strong convictions.

First, let's not go for the "this language is so much better than that language" or "that framework s**ks" approach. Instead, let's recognize that there are a wide variety of options and that the approach should be about secure development practices first and foremost.
Tell us, in general terms, what works and why you believe your language/framework of choice is secure to the extent that it is.

Above all else, I espouse following an SDL/SDLC practice that includes code review and threat modeling, as well as static and runtime analysis, with security checkpoints woven into delivery schedules. I am of the opinion that this practice takes precedence over the language or framework being used.
One can obviously write terrible code in the same language with which another developer can write the digital equivalent of Fort Knox.
As Swa Frantzen pointed out in a comment on the Critical Control 7 - Application Software Security diary he posted on my behalf, consider embracing a bottom-up security framework such as OWASP ESAPI (Enterprise Security API).
OWASP ESAPI is available for Java EE, .NET, Classic ASP, PHP, while others are pending release (ColdFusion, C, C++).

Richard's line of questions is focused on web application development, and he made the point that there is much literature on design patterns, the importance of validation, etc., but less on the subject of secure languages and frameworks.
Again, I contend that this is a function less of there being one or two highly touted languages/frameworks, and more about those that have security-centric libraries to be leveraged for product hardening as well as good developers to do so.

For your consideration (borrowed directly from Richard's inquiry):
1) If you take everything else as being equal (defensively designed code with input validation, a hardened infrastructure, firewalls, TLS, and so on), the question remains: how does the choice of language/framework impact the concept of security in depth?
2) What attributes of the language itself enhance security?
3) If compiled offers an advantage over scripted in this respect, do the likes of C# have an advantage given the resources dedicated to supporting securing it? Are compiled apps less vulnerable than scripted apps as a function of source code exposure post-compromise?

Also on the table are the challenges around 3rd party plugins for given platforms. I believe that this is always the soft spot in what may be otherwise splendid armor. Insert your favorite weakest link analogy here.

I believe a follow-up post will be required here to include references from industry studies that discuss:

Number of organizations that use each framework or language for 'secure' applications
Availability/number of security elements built in to the core language/framework
Availability/number of 3rd party security elements built (and whether they can be identified as trustworthy)
Number of vulnerabilities identified (per month, per year)
Time to fix

So bring it on: tell us via the comment form what works for you and why (don't hesitate to include favorite static/runtime analysis tools).
Russ McRee


 
Christian (@cseifert) of the Honeynet Project advised us that they've released A.R.E., the Android Reverse Engineering Virtual Machine.
This VirtualBox-ready VM includes the latest Android malware analysis tools as follows:

Androguard
Android sdk/ndk
APKInspector
Apktool
Axmlprinter
Ded
Dex2jar
DroidBox
Jad
Smali/Baksmali

A.R.E. is freely available from http://redmine.honeynet.org/projects/are/wiki
Given the probable exponential growth in mobile malware, A.R.E. presents an opportunity to test, learn, and analyze.
Russ McRee
 
 
About a month ago, my wife posted a "House for Rent" ad. A couple of responses came in, among them one from a person in England. Odd, but there are actually a couple of British people living in the neighborhood, so she responded:


From: C M [*** names altered ***]
Subject: Rent Inquiry


Hello -
I'm inquiring about the rental property, I will like to get some more details about the property,
I'll like you to give me the below detail ...


[*** questions about property ***]


Certainly not a native speaker of English (the questions I omitted were normal questions someone would have about a house: cost, when will it be available, utilities included, address...). Some were answered already in the Craigslist ad, but ok. If you deal with prospective tenants, that isn't unusual. At this point, we didn't know that we were dealing with someone who isn't local.

My wife's response:


From: H
Subject: your inquire about ...

Hi C

thanks for your interest. Please see the answers to your detailed questions below.
Please feel free to call my cell phone *** if you would like to see the property
in person

... answers to questions removed ....


And another email from the prospective renter. Again, sort of routine questions. At this point, the renter states that he lives in England:



From: C M

Subject: Re: your inquire about ...

Hello H -

Thanks for your respond, firstly I would want you to know that the property
is OK with me and I would like to rent the property. I will be staying in the
property for 1 year after which I will extend my contract on the property if OK
with my need.

I work with '*** ENGINEERING LIMITED' in England as a CNC 5 axis machining centre
setter/operator/programmer and I'm on transfer to the USA.

I will be moving with my wife, I'd like to know how far is the place from bus station,
police station and gas station.

At this point I want you to know that my company will handle the first month
and the deposit which is ($2470) after which other payment for the property will
be handle by me in person.

I would also want you to know that all application and lease papers will be sign
by me in person when I arrive.

If this is OK with you, kindly send me the following details listed below ...

'Full Name that will be on the check'
'Mailing Address where you can receive the check'
'Home Phone'
'cell phone'

Once I receive these details from you, I'll send it to my employer, so that the
payment can be issued out to you immediately. We'll be moving in on the 1st of
November 2011. Looking forward to your reply.

Best Regards

C M

My wife responded (with the PO Box address she uses for the rental business; she did not provide a home phone number). This was WAY too easy. A person being so fast signing up for a house unseen? We must have been too cheap!
And a few days later, the check arrived:

The check was written in the name of a person who is listed as an accountant / notary public in the town of Temecula, but the number I found is now used by a different company. The bank, Temecula Valley Bank, failed in July 2009 (http://fdic.gov/bank/individual/failed/temecula.html) and has since been acquired by First Citizens. It is not clear if the check would be honored (if it were real). We didn't try to cash it.
It didn't take long to find out why we got such a generous check. First month's rent + deposit was only around $2,000. Instead, we got almost $7,000! An e-mail arrived essentially the same day the check arrived, apologizing for the overpayment and asking us to split the overpayment and send it via Western Union to two different addresses in the UK.
Luckily no damage has been done to us. I am still trying to figure out if the person named as the origin of the check actually exists and got harmed. I have no reason to believe that this person, if they exist, is aware of or profiting from this scam. We did report this to http://www.ic3.gov.
According to the FBI's Internet Crime Complaint Center (IC3), 3.6% of the complaints relate to overpayment fraud.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
 


In CC 18 we discussed incident handling that encompasses planning for and implementing Incident Response procedures. Fortunately, or unfortunately depending on perspective, there is a large body of both experience and material that exists. [1]

The quick win list [1] provides a great initial roadmap to success for this control, some of which I would like to call out, but first: evidence handling procedures.

A couple of employers ago, I was tasked, along with a couple of other talented Security Engineers, with updating the evidence handling procedures for the company. It is important to understand that during an incident, evidence collection is just as critical as getting to the bottom of what happened.

One rule that we adhered to, even when we were sure that an incident had been downgraded to an Event, is to treat it as if it were going to be reviewed in a court of law.

Interestingly, there is also an RFC you can follow in this regard [2]: RFC 3227 outlines guidelines for evidence collection and archiving.

I would like to call out section 2.4 of RFC 3227 and present it as some basic things to think about when doing incident handling:




2.4 Legal Considerations

Computer evidence needs to be

- Admissible: It must conform to certain legal rules before it
can be put before a court.

- Authentic: It must be possible to positively tie evidentiary
material to the incident.

- Complete: It must tell the whole story and not just a
particular perspective.

- Reliable: There must be nothing about how the evidence was
collected and subsequently handled that casts doubt about its
authenticity and veracity.

- Believable: It must be readily believable and understandable
by a court.




So, in honor of our critical controls month, I would like to know what you do for evidence handling.

[1] http://www.sans.org/critical-security-controls/control.php?id=18

[2] http://tools.ietf.org/html/rfc3227

Richard Porter
--- ISC Handler on Duty
 
There are two parts to this control: one focuses on users, the other on security and IT staff.
Keeping your users abreast of current threats and how to steer clear of these dangers is definitely important. But in today's compliance-driven corporate world, the average staff member already has to sit through many trainings and e-learnings on topics ranging from corporate records management to HR policies to anti-bid-rigging rules, etc. Hence, the first hurdle that every security training has to overcome is to actually get the initial attention of the audience.
If you had the choice between attending a "Security Awareness Training" and a presentation called "How to keep your kids safe on the Net", which one would you join? The latter can impart just about the same lessons as the former, but hardly anyone in the audience will catch on to the fact that you are teaching them to be careful on the Net just as much as you empower them to watch their kids.
In other words, as in all marketing endeavors, packaging is everything. Once you have the users' initial attention, the easiest way to keep them interested is by using real life examples from your own company or institution. Even if the audience happens to be already aware of a certain attack or threat, and would otherwise be bored, they will always be interested in what REALLY happened, close to home.
You might find out that users come with three levels of security clue:
1. Those who just don't know better

2. Those who do know better, but take shortcuts, don't care, or have an "it won't happen to me" attitude

3. Those who do know better, and stick to being careful
For Group #1, train them, patiently and repeatedly.

For Group #2, make a gory example out of one or two trespassers. The others will catch on. If you can't get away with gory examples pour encourager les autres, then patiently treat Group #2 like Group #1.

For Group #3, thank them for every risk that they spot and report, and empower them to act as coaches for Group #1 staff in their team.
SANS Control #20 http://www.sans.org/critical-security-controls/control.php?id=20 and the SANS Securing the Human project (http://www.securingthehuman.org) are two good starting points for further information.
Now, for training of security and IT staff. For most readers of this ISC diary, this will mean yourself, and maybe also people that you manage in your team. With training budgets for 2012 currently getting drawn up in many companies, and the economic situation making it unlikely that the budget will be a brimming bucket of money, now is a good time to honestly assess where the gaps are and how to most effectively fill them.
Ask yourself:

- Do I have the know-how to oversee the implementation of some or all of the 20 critical controls? Where are my gaps?

- Would I have the know-how to actually implement, hands-on, some or all of the 20 critical controls? Where are my gaps?
If you are a manager of a security team, I'd recommend you do the above assessment for each of your staff members. Not everyone can be an expert in everything. But, sadly, the recent years of paperwork compliance (SOX, the old FISMA, etc.) have bred a large caste of security staff whose main and only competency seems to be tracking open issues. In the past couple of months though, senior executives have definitely started to catch on to the surprising delta between what the security compliance report suggests and what the reality is.
SANS training is doing a great job teaching people (and even managers :) hands-on security skills of value. But this isn't a SANS training commercial. Just an encouragement with emphasis to all security specialists out there to make sure that you keep your skills up to snuff. And to all managers of security specialists, that you make sure to have the right people for the job on the team.
Because one thing's for certain: The job ain't gonna get any easier anytime soon.
 
 
Wireshark has released 1.6.3 (stable) and 1.4.10 (old stable) to address vulnerabilities and fix bugs.
Download fresh bits here.
Release notes:
1.6.3
1.4.10
 
 
Ending a service it has offered for well over a decade, AOL is shutting down its free LISTSERV-based mailing-list hosting operations, the company told mailing list administrators.
 
Apple is confirming what owners of the iPhone 4S and other iOS devices already know: The latest version of its mobile OS--iOS 5--seems to make your battery lose its juice faster than before. The company now says it plans to release a software update to address the problem.
 
It's clear that companies are increasingly using social networking to connect with customers--Facebook said brands on its site get 100 million "likes" per day--but it's also clear that they are having varying degrees of success.
 
After a couple of high-profile departures, HP on Wednesday announced some executive appointments, including a new CIO.
 
Linux Kernel SCTP Remote Denial of Service Vulnerability
 
 
 
Linux-PAM 'pam_env' Module Multiple Local Privilege Escalation Vulnerabilities
 
Microsoft has rolled out a new mobile app for Bing built with HTML5 and available first only to iPhone and Android users. It may be another indication that Microsoft is turning its attention away from its home-baked development platforms .Net and Silverlight and toward the industry-standard HTML5.
 
The U.S. Supreme Court next week will begin hearing arguments in a landmark case involving the government's authority to use GPS tracking devices in criminal investigations without first obtaining a court order.
 
Dell CIO Robin Johnson explains how a company's lack of agility, the inability of its IT infrastructure to quickly incorporate a new business process that would give it a competitive edge, can be costly. Johnson explains why the price of this lack of agility, what he refers to as the agility tax, is too high to pay.
 
Carbonite has announced upgrades to its online backup and restore service that include full OS and application backups, as well as the ability to mirror data to an external drive. The service allows users to perform a full metal restore from the external drive or a CD.
 
CIO's publisher emeritus Gary Beach looks at our annual State of the CIO data for clues to how CIOs manage their time and how well that aligns with their goals.
 
Google usually offers tweaks to its various online apps in dribs and drabs, without much notice -- a new feature here, a slightly revamped one there. But its new redesign of Gmail, Google is pushing out several rather radical changes in one swell foop.
 
Satellite-LTE carrier LightSquared will be "the dumbest broadband wireless pipe," CEO Sanjiv Ahuja told a conference on Wednesday, warmly embracing a role that traditional mobile operators have rejected in varying degrees.
 
Just minutes after launching its first native Gmail app for Apple's iPhone and iPad, Google pulled the program, saying it had "messed up" by issuing a flawed version.
 
Hitachi Data Systems plans to release its latest flavor of Converged Platform data center offerings aimed at analyzing massive amounts of data in SAP environments.
 
In a rare twist, Apple missed a self-imposed deadline to launch iTunes Match, an ambitious service that mirrors your iTunes music library in the cloud. The company said on October 4, during the iPhone 4S launch event, that iTunes Match would be available by the end of October, yet two days after the deadline, the service is nowhere to be found.
 
A new client-server application lets most mobile devices now wirelessly use corporate printers, without having to make changes to smartphones or tablets, or to the printers.
 
Google had better hope you get more than one shot to make a good first impression. That's because the shiny new Gmail app rolled out for the iPhone and iPad Wednesday contained a pretty serious bug that Google acknowledged broke notifications and "caused users to see an error message when first opening the app."
 
Hospitals that are prepared to adopt electronic medical records and achieve the government's "meaningful use" criteria have increased significantly, from 25% to 41%, according to new research.
 
Informatica has strengthened its hand in the burgeoning market for Hadoop, the open-source programming framework for large-scale data processing, unveiling a new data parser on Wednesday that can transform piles of unstructured information into a more structured form for use in running Hadoop jobs.
 
Bennet-Tec TList ActiveX Control 'SaveData()' Insecure Method Vulnerability
 
Sybase M-Business Anywhere Multiple Unspecified Remote Privilege Escalation Vulnerabilities
 
The newly discovered installer has yielded information on how systems are infected, prompting new guidance on ways to bolster defenses.

 
A new wireless carrier, Republic Wireless, is set to launch next week with plans offering unlimited data, voice and texting for $19 a month and no contract.
 
Windows XP's decline has accelerated and the decade-old operating system shed its largest ever chunk of market share in October, according to data from a Web measurement company.
 
Facebook's fake account detection mechanisms can be defeated 80 percent of the time with the help of automated tools, researchers from the University of British Columbia (UBC) have found after an eight-week test.
 
Chris Russo, deputy fire chief in the Massachusetts coastal town of Hull, launches ELERTS, an emergency communication system that uses smartphones and social media to communicate with first responders and other emergency personnel.
 
While flooding in Thailand is affecting hard disk supplies worldwide, the customers most likely to be hit hard by price increases will be consumers in the retail market as manufacturers put enterprises and PC system manufacturers atop their lists.
 
How Hilton's CIO uses honest communications to work through difficult times-and avoid finger-pointing
 
Google today released its first Gmail app for Apple's iPhone, iPad and iPod Touch.
 
IBM Lotus Domino 'NSFComputeEvaluateExt()' Function Remote Stack Buffer Overflow Vulnerability
 
Adobe Flash Player CVE-2011-2416 Remote Integer Overflow Vulnerability
 
Adobe Flash Player CVE-2011-2139 Cross Site Scripting Vulnerability
 
Cisco Security Advisory: Cisco Small Business SRP500 Series Command Injection Vulnerability
 
Adobe Flash Player CVE-2011-2414 Remote Buffer Overflow Vulnerability
 
Adobe Flash Player 'flash.display' Class Remote Memory Corruption Vulnerability
 
VMware is no longer a member of the Java Community Process SE/EE Executive Committee, but Twitter has joined, according to election results finalized this week.
 
NGS00042 Technical Advisory: Solaris 11 USB hub class descriptor kernel stack overflow (CVE-2011-2295)
 
[ MDVSA-2011:163 ] phpldapadmin
 
Multiple vulnerabilities in Efront
 
[ MDVSA-2011:164 ] wireshark
 
The U.S. House of Representatives has voted to approve a five-year moratorium on new taxes targeted toward mobile services, with supporters arguing that customers pay higher taxes on their mobile plans than on most other goods and services.
 
Can you program a network of multivendor switches and routers, all running different operating systems, command line interfaces and configuration routines, to work in concert when it comes to managing flows?
 
The two best things about WAN optimization are that it practically guarantees better response times for applications while at the same time either reducing the need for WAN bandwidth or at least staving off for a while the need to boost it.
 
Wait, we're still arguing this one? Why?
 
The past three years have been very noisy on the data center fabric and architecture front. Every quarter seems to bring about a new convergence blueprint from another vendor - and a variety from one or two.
 
Danish vulnerability management company Secunia aims to make the task of reporting software vulnerabilities easier for security researchers by offering to coordinate disclosure with vendors on their behalf.
 
Lenovo's profit for the third quarter nearly doubled year on year as the company continued its fast-paced growth, beating Dell to become the world's second-largest PC vendor.
 
Imagine plopping down your credit card to turn on compute services late at night when there's no time to get permission from your boss and then getting distracted before the weekend on another work emergency. On Monday, when you remember you signed up for the services, which you intended to use for just a short time, you discover you've racked up US$5,000 in charges on your personal card.
 
This isn't too much of a contest yet, since Apple is just getting started on its cloud storage service while Amazon Cloud Drive has been available for months.
 
Ten years ago the argument over virtualization would have been a short one because VMware was the only game in town, but that early dominance is now being significantly challenged by Microsoft, Citrix and Red Hat (KVM).
 
WikiLeaks founder Julian Assange lost an appeal in the U.K.'s High Court on Wednesday that sought to block his extradition to Sweden on potential charges of rape and molestation.
 
Stacked silicon is being hailed as the wave of the future. Experts expect volume production in two years.
 
Yahoo said it has arrived at a definitive agreement to acquire Interclick, a provider of targeted advertising services, for about $270 million.
 
Barnes & Noble has invited the news media to a New York event on Monday, sparking speculation that the bookseller will announce a lower-cost Nook Color tablet computer that matches or beats the $199 price of the upcoming Amazon Kindle Fire.
 
Cisco used to be a networking company, pure and simple. It built its dominance and influence on capturing a dominant market position in routers and switches, both in the enterprise and in service provider networks.
 
Several different flavors have sprung up in cloud computing and each has their pros and cons. Add to these the plethora of vendor-created acronyms and it can be confusing to figure out the best option.
 
The battle between Microsoft and Google for office cloud dominance reminds me of the clash of the Titans. Microsoft and its classic on-premises business model is like Gaia, the earth goddess, and Google with its disruptive lightning bolt is like Zeus, a sky god and a next generation kind of god.
 

Posted by InfoSec News on Nov 01

http://news.sky.com/home/technology/article/16101158

By Sam Kiley
security editor
Sky News
November 01, 2011

A leading internet security expert has warned that a cyber terrorist
attack with "catastrophic consequences" looked increasingly likely in a
world already in a state of near cyber war.

Eugene Kaspersky is not given to easy hyperbole. But the Russian maths
genius who founded an internet security empire with a global reach,...
 

Posted by InfoSec News on Nov 01

http://www.informationweek.com/news/security/client/231902027

By Mathew J. Schwartz
InformationWeek
November 01, 2011

Up to 50,000 breached records appear online every week. Do any of them
include your usernames and passwords?

Answering that question is the principle aim of free website
PwnedList.com, which is billed by its creator as being "a simple
one-click service to help the public verify if their accounts have been
compromised...
 

Posted by InfoSec News on Nov 01

http://www.infoworld.com/t/security/anonymous-threatens-then-cancels-attack-drug-ring-177609

By Robert Lemos
InfoWorld
November 01, 2011

When the Anonymous movement has a bad day, supporters get arrested. When
the Zeta drug cartel has a bad day, nearly three dozen of its members
are killed and dumped on a Mexican highway.

Now the two worlds have collided: One arm of Anonymous has called out
the Zeta gang for allegedly kidnapping a...
 