Archive for the ‘Vulnerabilities - Vulnérabilités’ Category

Intrusion Prevention Summit – Free, Interactive Best Practice Webcasts

01.11.10

Join a great lineup of thought leaders & industry professionals at BrightTALK’s free, online Intrusion Prevention Summit on January 12th. The live, vendor-neutral, interactive webcasts will cover current trends in intrusion prevention systems, the total economic impact of network security intrusion prevention, and best practices and strategies to protect your database from the inside out: http://www.brighttalk.com/summit/intrusionprevention

WHEN: Tuesday, January 12, 2010, attend live online throughout the day or afterward on-demand

TOPICS AND PRESENTERS:
“IDS & IPS: What You Don’t Know Might Hurt You”
Stuart Wilson, CTO of Endace

“Weaponization of Enterprise Mobile Endpoints”
Winn Schwartau, Founder of SCIPP International

“Leverage Cyber Threat Intelligence to Identify Network Intrusions”
Peter Makohon, Principal at Deloitte & Touche LLP

“Malware Analysis in the Incident Response Process”
Tyler Hudak, Incident Handler at General Electric

“The In’s and Out’s of Intrusion Prevention”
Heather Axworthy, Lead Security Specialist at University of Massachusetts

“Building the Business Case for Application Security”
Caleb Sima, CTO of ASC and Katherine Lam from HP

“Best Practices: Intrusion Prevention Systems”
Marco Ermini, Network Security Manager, Vodafone Group Services

“Defense in Depth: Protection from Attacks at Various Stages”
Matt Dieckman, SonicWALL

“Network Security Monitoring: Scalability Challenges”
Sirah Ahmed Shaikh, Senior Lecturer at Coventry University

“Intrusion Prevention Systems Overview”
Maria Papadaki, Lecturer in Network Security at University of Plymouth

“Preventing Intrusions by Insiders: A Game-Theoretic Approach”
Sokratis Katsikas, Ministry of Infrastructures, Transports & Networks

Review the schedule and register to attend any or all of the free summit webcasts at http://www.brighttalk.com/summit/intrusionprevention

You will be able to attend any or all of the webcasts, submit real-time questions to presenters, and vote in audience polls. If you are unable to attend the webcasts live, you can also view them afterward on-demand.


Highlights of the Fall 2009 WLAN Audit in Montreal

11.07.09

by Marc André Léger, DESS, MASc (MIS), PhD (Candidate)
Professor, Champlain College (Saint Lambert)
Lecturer, University of Sherbrooke – Longueuil

Read this article in French

Summary

On Saturday, November 7th, 2009, from 9:00 a.m. to 13:00, students from the Wireless Networking program at Champlain College Saint-Lambert, under the supervision of their professor, Marc-André Léger, performed a wireless network security audit in the streets of Montreal, Quebec, Canada as an educational activity. This document presents an overview of what was done and a summary of the results.

Audit objectives

This was primarily intended as an educational activity inspired by media reports and documentaries on the vulnerabilities of home wireless networks. Similar activities had taken place in 2007, 2008 and in the spring of 2009 with previous cohorts of students from the same program. As before, the principal objective from an educational point of view was to provide the students with hands-on experience in performing a wireless network audit. The general objective was to perform a partial-area Wireless LAN audit and map the wireless networks (either home or business) that were found. This would give the students an idea of the current situation of wireless networks in the Montreal region.

As in the previous exercises, to respect residents' right to privacy, students were instructed only to observe IEEE 802.11x data packets and signals present outside the limits of private property, never trespassing. Students had been strictly advised that all activities were to be performed on public property as a community service activity. No attempt to access computer facilities, files or resources was to be undertaken by students. This was also done to respect Art. 342.1 of the Criminal Code of Canada.

Activity logistics

Fourteen (14) students from the WLAN Fundamentals course participated. They were divided into 7 teams of 2 or 3 students, and each team was assigned one of several areas in the Montreal region, located in the cities and neighbourhoods known as Brossard, Laprairie, Saint-Laurent, Westmount, Lasalle and Montreal (Ahuntsic, Villeray, St-Michel, Plateau Mont-Royal and Hochelaga-Maisonneuve districts). These areas were convenient to students, based on where they lived. Each team was required to have a laptop equipped with a wireless (802.11b, g or n) network adapter and open source software (NetStumbler). Students who did not have this equipment had it supplied by the College. The teacher also provided GPS devices to students.

War driving or WLAN Security audit ?

War driving is the act of driving around an area using a laptop computer or a portable device (PDA, scanner) to detect wireless networks. The name comes from war dialing, which was popularized in the 1983 movie WarGames. As in the previous exercises, it was decided to call this exercise a WLAN Security Audit, as "war drive" has negative connotations.

War driving is possible because users of wireless networks, through lack of knowledge, lack of adequate information, ignorance or laziness, leave their wireless access points unsecured. In many cases the devices are unsecured because the default configuration that was in place when the device was purchased is still being used.

Findings

During the war drive a total of 42128 devices were found, a significant increase over the numbers identified in the past. We suggest that this increase may be caused by several factors:

  • An improvement in the manner in which the exercise is planned and executed;
  • An expansion of the coverage area from previous exercises;
  • An increase in the number of locations, both residential and business, which have implemented WLANs due to lower prices, greater availability and a reduction of perceived security risks.

For this article, all the devices found were used to form the sample (n=42128).

| Item | Fall 09 n | Fall 09 % | Winter 09 n | Winter 09 % | Winter 08 n | Winter 08 % | Fall 07 n | Fall 07 % | Winter 07 n | Winter 07 % |
|---|---|---|---|---|---|---|---|---|---|---|
| Sample | 42128 | 100 | 8780 | 100 | 8488 | 100 | 14906 | 100 | 330 | 100 |
| Encrypt. OFF | 4774 | 11.3 | 1110 | 12.6 | 1925 | 22.7 | 3618 | 24.3 | 103 | 31.2 |
| Encrypt. ON | 37354 | 88.7 | 7670 | 87.4 | 6563 | 77.3 | 11288 | 75.7 | 227 | 68.8 |
| Channel 1 | 7440 | 17.7 | 1528 | 17.4 | 941 | 11.1 | 1716 | 11.5 | 33 | 10.0 |
| Channel 2 | 1995 | 4.7 | 236 | 2.7 | 101 | 1.2 | 180 | 1.2 | 8 | 2.4 |
| Channel 3 | 1802 | 4.3 | 313 | 3.6 | 134 | 1.6 | 257 | 1.7 | 2 | 0.6 |
| Channel 4 | 2077 | 4.9 | 369 | 4.2 | 323 | 3.8 | 369 | 2.5 | 3 | 0.9 |
| Channel 5 | 1050 | 2.5 | 179 | 2.0 | 85 | 1.0 | 147 | 1.0 | 4 | 1.2 |
| Channel 6 | 13184 | 30.3 | 3206 | 36.5 | 4353 | 51.3 | 7406 | 49.7 | 178 | 53.9 |
| Channel 7 | 1071 | 2.5 | 193 | 2.2 | 84 | 1.0 | 172 | 1.2 | 4 | 1.2 |
| Channel 8 | 1828 | 4.3 | 318 | 3.6 | 163 | 1.9 | 272 | 1.8 | 3 | 0.9 |
| Channel 9 | 1458 | 3.5 | 323 | 3.7 | 183 | 2.2 | 295 | 2.0 | 5 | 1.5 |
| Channel 10 | 995 | 2.4 | 205 | 2.3 | 176 | 2.1 | 332 | 2.2 | 5 | 1.5 |
| Channel 11 | 9629 | 22.9 | 1918 | 21.8 | 1948 | 23.0 | 3852 | 25.8 | 85 | 25.8 |

Table 1: summary of results

Based on the data, there has been a lot of improvement in the last year. Of the devices included in the 2009 sample, 11.3% were unencrypted. This is an improvement from the already good result of 12.6% in the spring, and much better than the 22.7% from 2008, the 24% from the Fall 2007 exercise and the 31% from the Winter 2007 exercise.

As in all the previous exercises, the potential problem of multiple wireless devices in close proximity using channel 6 was found. As before, the use of other channels, channels 1 and 11, has increased. These are distant enough (4 channels minimum) to avoid, or significantly reduce, interference. We also found that some APs were configured using channels 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157 and 161.
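The percentages in Table 1 and the channel-overlap remark above are straightforward to reproduce from a survey export. The following Python is an added example, not part of the original article or of the NetStumbler tool the students used; it assumes a simple comma-separated export (ssid, bssid, channel, encryption) and uses an invented sample of eight access points. It computes the encryption and per-channel rows, and flags pairs of in-use 2.4 GHz channels whose 22 MHz spectra overlap (channels fewer than five numbers apart), treating 5 GHz channels such as 36 as non-overlapping with their neighbours.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the spirit of a NetStumbler-style export (one record
# per access point seen). SSIDs and BSSIDs are invented; none come from the
# Montreal survey.
SAMPLE_SURVEY = """\
# ssid,bssid,channel,encryption
HomeNet,00:11:22:33:44:01,6,WEP
linksys,00:11:22:33:44:02,6,NONE
Bell123,00:11:22:33:44:03,11,WPA
default,00:11:22:33:44:04,6,NONE
Cafe,00:11:22:33:44:05,1,WPA2
Office5G,00:11:22:33:44:06,36,WPA2
dlink,00:11:22:33:44:07,3,NONE
Bell456,00:11:22:33:44:08,11,WPA
"""


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    encryption: str  # "NONE" means no link-layer encryption was advertised


def parse_survey(text):
    """Parse comma-separated survey records, skipping comments and blank lines."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, enc = (field.strip() for field in line.split(","))
        aps.append(AccessPoint(ssid, bssid.lower(), int(channel), enc.upper()))
    return aps


def encryption_summary(aps):
    """Counts and percentages for the 'Encrypt. OFF' / 'Encrypt. ON' rows."""
    n = len(aps)
    off = sum(1 for ap in aps if ap.encryption == "NONE")
    return {
        "n": n,
        "encrypt_off": off,
        "encrypt_on": n - off,
        "pct_off": round(100 * off / n, 1),
        "pct_on": round(100 * (n - off) / n, 1),
    }


def channel_summary(aps):
    """Per-channel (count, percentage) pairs, like the 'Channel N' rows."""
    n = len(aps)
    counts = Counter(ap.channel for ap in aps)
    return {ch: (c, round(100 * c / n, 1)) for ch, c in sorted(counts.items())}


def center_mhz(channel):
    """Center frequency of an 802.11 channel number (2.4 GHz and 5 GHz bands)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 165:
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")


def channels_overlap(a, b):
    """True when two channels' spectra overlap.

    802.11b channels in the 2.4 GHz band are 22 MHz wide on a 5 MHz grid, so
    channels fewer than five numbers apart overlap; 5 GHz channels are 20 MHz
    wide on a 20 MHz grid and do not overlap their neighbours.
    """
    width = 22 if max(a, b) <= 14 else 20
    return abs(center_mhz(a) - center_mhz(b)) < width


def overlapping_channel_pairs(aps):
    """Pairs of in-use channels whose APs would interfere with each other."""
    used = sorted({ap.channel for ap in aps})
    return [(a, b) for i, a in enumerate(used) for b in used[i + 1:]
            if channels_overlap(a, b)]


if __name__ == "__main__":
    aps = parse_survey(SAMPLE_SURVEY)
    print(encryption_summary(aps))
    print(channel_summary(aps))
    print("overlapping channel pairs:", overlapping_channel_pairs(aps))
```

On a real export, replacing SAMPLE_SURVEY with the file contents is the only change needed; the overlap check is what turns the "everyone on channel 6" observation into a concrete list of interfering channel pairs for a given street.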

Conclusion

Overall the students seemed quite pleased by the experience, as in previous years, since it allowed them to visualize some of the theoretical concepts seen in class. Compared to previous years, the data shows a lot of improvement in wireless network security. While the results from 2007 and 2008 were far from an ideal situation, the current results indicate that the trend identified in the past continues: users of wireless networks are taking security more seriously. In the past we suggested that this may in part be the result of IT security awareness campaigns that took place in Québec in the last year and of numerous news reports and documentaries on information security.

Bibliography

Léger, Marc-André (2008) Class presentation for the course WLAN Fundamentals, available on www.leger.ca


Benign security warnings have trained users to ignore them

08.03.09

Internet users have grown immune to security certificate warnings and are more than happy to click past them, according to a new report out of Carnegie Mellon University. Researchers found that users won’t hesitate to engage in this risky browsing behavior, especially since most warnings are for benign things like expired certificates. This behavior leaves them vulnerable to man-in-the-middle attacks, and the report calls for a reform in how warnings are handled in both safe and dangerous situations.

The researchers studied the behaviors of 409 Internet users in order to monitor their reactions to and understanding of various SSL warnings, and found that “far too many participants exhibited dangerous behavior in all warning conditions.” This was despite the fact that many users understood the meaning of the warnings—for example, 50 percent of Firefox 2 users understood what an expired certificate meant, and 71 percent of those users said they actively ignored such a warning (47 percent and 64 percent for Firefox 3 users, respectively).

According to the paper, those who did not understand the expired certificate warnings were more likely to pay attention to them. This can be a problem: the researchers cited a January 2009 study that found at least 44 percent of the top 382,860 SSL-enabled websites had certificates that would trigger warnings. This behavior was slightly reversed, though, when users were presented with a domain mismatch warning (when the domain named in the certificate doesn't match the webpage you're looking at). In this case, those who understood the warning were aware of the risks and were less likely to ignore it, whereas those who didn't understand ignored it at roughly the same rate as other warnings.

The researchers did a follow-up study of their own with more direct language in the security warnings. They found that users performed better (more securely), but that the numbers were still less than ideal because warnings in general are so prevalent. “Regardless of how compelling or difficult to ignore, users think SSL warnings are of little consequence because they see them at legitimate websites,” reads the report. Instead, the researchers recommended that warnings either be ditched altogether in benign scenarios, or take a more aggressive approach to dangerous websites.

“[U]sers’ attitudes and beliefs about SSL warnings are likely to undermine their effectiveness. Therefore, the best avenue we have for keeping users safe may be to avoid SSL warnings altogether and really make decisions for users—blocking them from unsafe situations and remaining silent in safe situations.”

Further reading:

Source: http://arstechnica.com/security/news/2009/07/benign-security-warnings-have-trained-users-to-ignore-them.ars


Apple keyboards vulnerable

08.03.09

At the Black Hat hacking conference, K. Chen demonstrated a vulnerability in Apple keyboards.

These keyboards have 256 bytes of RAM and 8 kilobytes of ROM. Once the "base" firmware is installed, 1 kilobyte of ROM remains free: far more than is needed to fit a keylogger.

Once the keylogger is embedded in the keyboard's firmware, reinstalling the operating system will not help: nothing is visible, there is no battery to remove and no add-on module to remove.

The flaw could be exploited remotely, which makes it particularly dangerous.

The SemiAccurate site, which reported the story, suggests that Apple build into its operating system a quick way to verify the authenticity of its keyboard firmware and to restore it if needed.

The presentation (PDF, in English) and the technical paper (PDF, in English) are available online.

Source: http://techno.branchez-vous.com/actualite/2009/08/les_claviers_apple_vulnerables.html


Flaw in SSL

08.01.09

At the Black Hat conference, researchers consider that flaws in the SSL security protocol could be used to create undetectable man-in-the-middle (MITM) attacks.

Security researchers have found serious flaws in software using the SSL (Secure Sockets Layer) encryption protocol, which is used to secure communications on the Internet. At the Black Hat conference in Las Vegas on Thursday, July 30, researchers revealed several attacks that could be used to compromise secured traffic between websites and browsers.

This type of attack could let an attacker steal passwords, hijack an online banking session, or even install a Firefox update containing malicious code, according to the researchers. The problem stems from the way many browsers have implemented SSL, as well as from the X.509 public key infrastructure used to manage the digital certificates that SSL relies on to determine whether a site is trustworthy.

A security researcher who goes by "Moxie Marlinspike" showed a method for intercepting SSL traffic using what he calls a "null-termination" certificate. For this attack to work, Marlinspike must first succeed in installing his software on the local network. Once that is done, he detects SSL traffic and presents his "null-termination" certificate to intercept communications between client and server. An undetectable man-in-the-middle attack, according to him.

The attack Marlinspike describes is very close to another fairly common type of attack, SQL injection, which sends specially crafted data to a program in the hope of making it do something it should not. He found that if he created certificates for his own Internet domain that included "null" characters (often represented as \0), some programs would misinterpret the certificate.

Continued at source: http://securite.reseaux-telecoms.net/actualites/lire-failles-dans-le-protocole-de-securite-ssl-20630.html
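The null-termination problem described above comes down to how a certificate name is compared with the host the user asked for. The Python below is an added illustration, not code from the article or from Marlinspike's presentation; the domain names in it are constructed placeholders. It contrasts a comparison that reads the name as a NUL-terminated C string (which is where the truncation happens) with a length-aware check that rejects any name containing a NUL byte, which is what a validating client should do.

```python
def c_style_name(cert_name: bytes) -> str:
    """Read the name the way a NUL-terminated C string would be read:
    everything after the first \\0 byte is silently discarded."""
    return cert_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def naive_hostname_match(cert_name: bytes, requested_host: str) -> bool:
    """Flawed comparison: trusts the truncated C-string view of the name."""
    return c_style_name(cert_name).lower() == requested_host.lower()


def strict_hostname_match(cert_name: bytes, requested_host: str) -> bool:
    """Hardened comparison: the full, length-delimited name must match.

    An X.509 name field carries an explicit length, so a NUL byte inside it is
    never legitimate; reject it outright rather than letting a later string
    routine truncate the value.
    """
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    # Strip one trailing dot, the only normalisation a DNS name needs here.
    return name.rstrip(".").lower() == requested_host.rstrip(".").lower()


def certificate_names_acceptable(names: list, requested_host: str) -> bool:
    """Check every CN / subjectAltName candidate with the strict comparison."""
    return any(strict_hostname_match(n, requested_host) for n in names)


# Constructed names (placeholders, not real certificates). The first is well
# formed; the second carries an embedded NUL, which is how a length-delimited
# field can look like a different name to NUL-terminated code.
GOOD_NAME = b"bank.example"
NUL_NAME = b"bank.example\x00.placeholder-domain.example"

if __name__ == "__main__":
    for label, name in (("good", GOOD_NAME), ("embedded NUL", NUL_NAME)):
        print(f"{label:12s} naive={naive_hostname_match(name, 'bank.example')} "
              f"strict={strict_hostname_match(name, 'bank.example')}")
```

The naive path accepts the second name for bank.example because it never sees what follows the NUL; the strict path refuses it, and the same rule applies to every subjectAltName entry, not just the CN.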


Security in 2009: fragility of social networks and rise of fake antivirus

07.23.09

In its latest half-yearly report on the state of Internet security, Sophos worries about the lack of security on the major social networks such as Facebook, and notes a proliferation of sites that scare their visitors in order to sell them bogus antivirus software.

The security firm's report for the first half of 2009 is not kind to social networks: "In Sophos's view, Web 2.0 companies are focusing on growing their user numbers at the expense of adequately protecting their existing customers against Internet threats."

Sophos indicates that a significant share of workers have received (or say a colleague has received) spam (33.4%), a phishing attack (21%) or malicious modules (21.2%) through sites such as Facebook, Twitter or MySpace.

Consequently, the security firm calls on the leaders of the major Web 2.0 companies to rethink their sites to offer their users a better level of security and protect them against "virus writers, identity thieves, spammers and scammers".

Strong growth in fake antivirus

Sophos also highlights the proliferation of sites that scare visitors by showcasing the dangers of viruses and other spyware, in order to get them to download a paid but completely ineffective antivirus program.

Sites promoting these fake antivirus programs are three times as numerous as in the same period last year, says Sophos, which currently counts about fifteen such new pages every day.

While experienced Internet users are better able to spot these scams, especially when they appear in a pop-up window, novices can more easily fall into the trap and take out their credit card to buy one of these fake antivirus programs.

The United States, largest host of malware

Sophos also notes that nearly 40% of harmful software (Trojan horses, spyware, etc.) is hosted on servers located in the United States. China comes second with 14.7% and Russia third with 6.3%. In 2207, China held first place in this ranking, hosting more than 50% of unwanted modules. Further details and a download link for the PDF report are in Sophos's press release.

Source: http://techno.branchez-vous.com/actualite/2009/07/securite_en_2009_fragilite_des.html


Phishing: The Latest Tactics and Potential Business Impact

07.21.09

Description:
This fraud alert highlights the current growth and trends in today’s phishing schemes, the potential impact on companies, and insight into how businesses can apply technology to protect themselves and their customers.

VeriSign White Paper Sample

Phishing — luring unsuspecting users to provide sensitive information for identity or business theft — is a serious threat for both consumers and businesses. In the last decade since phishing arrived on the scene, this fraud method has been growing rapidly, with one estimate citing approximately 8 million daily phishing attempts worldwide.

The Anti-Phishing Working Group (APWG) reported that unique phishing attacks submitted to APWG rose 13 percent during the second quarter of 2008 to more than 28,000. It also reported that, during the same period, the number of malware-spreading URLs infecting PCs with password-stealing code rose to a new record of more than 9,500 sites — a 258% increase compared with the same quarter in 2007.

Targeted versions of phishing, called spear phishing, have emerged over the past several years. While common phishing is indiscriminate in its targets, spear phishing targets are known customers of a specific bank, mortgage provider, or other type of organization. Consumers aren't the only targets of spear phishing. Increasingly, corporate employees are being targeted by savvy criminals. In these attacks, the goal is to gain access to corporate banking information, customer databases, and other information to facilitate cyber crime. According to VeriSign iDefense, spear phishing against corporations reached new heights during April and May 2008. Many of these attacks target senior executives and other high-profile individuals. The victim count from these attacks is staggering: over 15,000 corporate users in 15 months. Victims include Fortune 500 companies, government agencies, financial institutions and legal firms.


Source: http://www.webbuyersguide.com/resource/brief.aspx?id=13997&category=97&sitename=webbuyersguide&kc=wbgnewseweek072009&src=wbgnewseweek072009&kc=EWKNLCSM07212009WP2


The Anatomy Of The Twitter Attack

07.20.09

The Twitter document leak fiasco started with a simple story that personal accounts of Twitter employees were hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts were compromised, and “most of the sensitive information was personal rather than company-related,” he said. The individual behind the attacks, known as Hacker Croll, wasn’t happy with that response. Lots of Twitter corporate information was compromised, and he wanted the world to know about it. So he sent us all of the documents that he obtained, some 310 of them, and the story developed from there.

It’s clear that Twitter was completely unaware of how deeply they were affected as a company – when Williams said that most of the information wasn’t company related he believed it. It wasn’t until later that he realized just how much and what kind of information was taken. It included things like financial projections and executive meeting notes that contained highly confidential information.

We’ve already said a lot about all of this and the related “server password = password” story that was discovered by another individual last week. But we’ve got two more stories to tell. The first, this post, is exactly how the hacks took place, based on information gathered from hours of conversations with Hacker Croll. The second is what was happening behind the scenes with Twitter as the story unfolded. We’ll post that later this week.

When the story first broke the true scope of what had taken place and how it occurred was not understood. Various bloggers speculated about the cause of the attack – with some placing the blame on Google while others blaming the rising trend of hosting documents in the cloud.

We immediately informed Twitter of the information we had in our possession (and forwarded it to them), and at the same time reached out to the attacker. With some convincing, the attacker responsible for the intrusion at Twitter began a dialog with us. I spent days communicating with the attacker in an effort to gain insight into how the attack took place, what the true scope of it was and how we could learn from it.

We’ve waited to post exactly what happened until Twitter had time to close all of these security holes.

Some Background

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through. A classic example is the case of Gary McKinnon, a self-confessed “bumbling computer nerd” who, while usually drunk and high on cannabis, would spend days randomly dialing or attempting to log in to government servers using default passwords. His efforts led to the compromise of almost 100 servers within a number of government departments. After McKinnon spent a number of years trawling through servers looking for evidence of alien life (long story), somebody within the government finally wised up to his activities, which led to not only the arrest and attempted extradition of McKinnon from the United Kingdom, but a massive re-evaluation of the security methods employed to protect government information.

A more recent example is the case of Kendall Myers, who after being recruited to work for the Cuban government by an anonymous stranger they met while on holiday in that country, set out to obtain a high ranking position within the State Department specifically to obtain access to US government secrets. Kendall dedicated his entire life to obtaining state secrets, and up until he was recently caught by the FBI had successfully passed on secret information and internal documents to the Cuban government for 30 years. He relied only on his memory, his education credentials and sheer dedication.

The Twitter Attack: How The Ecosystem Failed

Like other successful attacks, Hacker Croll used the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees. The list of services affected either directly, or indirectly, are some of the most popular web applications in use today – Gmail, Google Apps, MobileMe, AT&T, Amazon, Hotmail, Paypal and iTunes. Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. The end result was chaos, and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.

“Hacker Croll” is a Frenchman in his early 20s. He currently resides in a European country and first discovered his interest in web security over two years ago. Currently in between jobs, he has made use of the additional time he now has, along with his acquired skillset, to break into both corporate and personal accounts across the web. His knowledge of web security has been attained through a combination of materials available to the public and from within a tight-knit group of fellow crackers who exchange details of new, and sometimes unknown, techniques and vulnerabilities. Despite the significance and impact a successful attack has, the cracker claims that his primary motivation is a combination of curiosity, exploration and an interest in web security. There is almost a voyeuristic tendency amongst these individuals, as they revel in the thought of gaining privileged access to information about the inner lives of individuals and corporations. The “high” of access and gaining unauthorized knowledge must be big enough to carry a cracker’s motivation through the long hours, days and months of effort it may take to hit the next pot of gold.

For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged. This dragnet across the millions of pages on the web picked up both work and personal information on each of the names that were discovered. Public information on the web has no concept of, or ability to, distinguish between the work and personal details of a person’s identity – so from the perspective of a cracker on a research mission, having both the business and personal aspects of a target’s digital life intertwined only serves to provide additional potential entry points.

With his target mapped out, Hacker Croll knew that he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time where there was implicit trust between its participants – requiring no central or formal identification mechanism. In order to keep private data private, modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.

Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. Features that were designed and built as a compromise since we are often unable to remember and recall a single four-digit PIN number, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use – which often is to say, very weak.

Now going back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, share data with other employees – be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application – it is the weakest application used by the weakest user. For an attacker such as Hacker Croll looking to exploit the combination of bad user habit, poorly implemented features and users mixing their personal and business data – his chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves – the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.

Unfortunately for Twitter, Hacker Croll found such a weak point: an employee whose online habits are probably no different from those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access – but in the case of this particular account he discovered a kink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.

At Hotmail, Hacker Croll again attempted the password recovery procedure – making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

Well-designed web applications never simply hand a user their password when they forget it; they force the user to pick a new one. Hacker Croll had access to the account, but only with a password he had specified. To avoid alerting the account owner that the account had been compromised, he had to somehow find out what the old Gmail password was and set it back. He now had a bevy of information at his fingertips: a complete mailbox and control of an email account. It wasn't long before he found an email that would have looked something like this:

To: Lazy User
From: Super Duper Web Service
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

Thank you for signing up to Super Duper Web Service. For the benefit of our support department (and anybody else who is reading this), please find your account information below:

username: LazyUser
password: funsticks

To reset your password please follow the link to.. ahh forget it, nobody does this anyway.

Regards,

Super Duper Web Service

Bad human habit #1: using the same password everywhere. We are all guilty of it; search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to, one that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. Not long afterwards there was obvious activity in the email account from the account owner: incoming email read, replies sent and new messages drafted. The account owner would never have noticed that a complete stranger was lurking in the background. The second domino falls.
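The inbox search the paragraph recommends can be scripted. The following added example (not code from the TechCrunch article or from Hacker Croll) walks an mbox file, pulls out anything that looks like a service mailing a password back in clear text, and then flags passwords that more than one sender domain has mailed out, which is exactly the reuse that let one recovery mail unlock several accounts. The mailbox contents are constructed for the example, and the credential phrasings in the regular expressions are assumptions about how such mails are worded.

```python
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr

# Constructed sample mailbox for this example (not real mail). Two "welcome"
# messages from different services echo the same password in clear text; the
# third message is unrelated noise.
SAMPLE_MBOX = """From noreply@superduper.example Sun Jul 19 10:00:00 2009
From: Super Duper Web Service <noreply@superduper.example>
To: Lazy User <lazy.user@example.net>
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

please find your account information below:

username: LazyUser
password: funsticks

To reset your password please follow the link.

From noreply@photos.example Mon Jul 20 09:00:00 2009
From: Photo Site <noreply@photos.example>
To: Lazy User <lazy.user@example.net>
Subject: Your new account

Your login is lazyuser and your password is funsticks.
Mot de passe : funsticks

From friend@example.org Tue Jul 21 11:00:00 2009
From: A Friend <friend@example.org>
To: Lazy User <lazy.user@example.net>
Subject: Lunch?

Are you free for lunch on Thursday?
"""

# Assumed phrasings services use when mailing a credential back to the user.
# The captured value stops at whitespace or sentence punctuation.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(?:password|passwd|pwd)\s*(?:is|:|=)\s*([^\s.,;:!?]{4,})", re.I),
    re.compile(r"\bmot de passe\s*[:=]\s*([^\s.,;:!?]{4,})", re.I),
]


def _plain_text(msg):
    """Concatenate the text/plain parts of a message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_mbox(path):
    """Map each clear-text password found to the (sender, subject) pairs that leaked it."""
    findings = {}
    box = mailbox.mbox(path)
    try:
        for msg in box:
            text = _plain_text(msg)
            secrets_in_msg = set()
            for pattern in CREDENTIAL_PATTERNS:
                secrets_in_msg.update(m.group(1) for m in pattern.finditer(text))
            for secret in secrets_in_msg:
                findings.setdefault(secret, []).append((msg.get("From", ""), msg.get("Subject", "")))
    finally:
        box.close()
    return findings


def _sender_domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def reused_across_services(findings):
    """Passwords mailed out by two or more distinct sender domains: one leak opens several accounts."""
    reused = {}
    for secret, hits in findings.items():
        domains = {_sender_domain(sender) for sender, _ in hits}
        if len(domains) > 1:
            reused[secret] = sorted(domains)
    return reused


def write_sample_mbox():
    """Write the constructed mailbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    found = scan_mbox(write_sample_mbox())
    for secret, hits in found.items():
        print(f"{secret!r} leaked by {len(hits)} message(s)")
    for secret, domains in reused_across_services(found).items():
        print(f"{secret!r} reused across: {', '.join(domains)}")
```

Point it at an exported mailbox (Gmail's takeout is mbox) and every password the script prints is one to change, starting with the ones that show up under more than one domain.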

From here it was easy.

Hacker Croll now sifts through the new set of information he has access to, using the emails from this user's personal Gmail account to further fill in his information map of his target. He extends his access out to all the other services he finds that this user has signed up for. In some instances the password is again the same; that led Croll into this user's work email account, hosted on Google Apps for Domains. It turns out that this employee (and in fact most or all Twitter employees, like everyone else) used the same password for their Google Apps email (the Twitter email account) as for their personal Gmail account. With other sites, where the original password may not work, he takes advantage of a feature many sites have implemented to help users recover passwords: the notorious "secret question".

Fork the story here for a moment, because there is a real issue with the "secret question" (from here on abbreviated more appropriately as just "secret ?"). For some strange reason, some sites refer to the "secret ?" as an additional layer of security, when it is often the complete opposite. In the story of Hacker Croll and Twitter, the internal documents that we now all know about were only a few steps away from the first account he gained access to. In addition, this attacker, and certainly others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain fundamental weaknesses that alone might seem harmless, but in combination with other factors can let an attacker completely tear through the accounts of users, even those who maintain good password hygiene.

This is not the first time that the issue of "secret ?" being used in password recovery systems has been raised. In September 2008, US Republican vice-presidential candidate and Alaska governor Sarah Palin had screenshots of her personal Yahoo mail account published on Wikileaks. A hacker or group known only as 'Anonymous' claimed credit for the hack, which was carried out by making an educated guess in response to the security question used to recover the password. In early 2005, celebrity Paris Hilton suffered a similar incident when her T-Mobile Sidekick account was broken into, and the details of her call log, messages (some with private pictures of Hilton) and contact list were leaked to the media. The culprit, again, was the "secret ?".

Giving the user an option to guess the name of a pet in lieu of actually knowing a password dramatically shortens the odds for the attacker. The service is essentially telling the attacker: "we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or, even better, if you know how to Google, just one". The problem is not the concept of having an additional authentication token, such as a mother's maiden name, that can be checked in addition to a password. The problem arises when it is relied on alone, when the answer is stored in the clear in account settings, and when users end up using the same question and answer combination on all of their accounts.
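What a recovery flow that does not repeat the mistakes in the story above looks like, as an added example in Python (not code from Gmail, Hotmail or any other service named here): a recovery address that has not been re-confirmed recently is refused rather than mailed a reset link, reset tokens are short-lived, single-use and stored only as hashes, and the secret answer is normalised, kept under a slow salted hash, rate-limited, and required in addition to the link rather than instead of it. The policy numbers (180-day re-confirmation window, 15-minute token life, five attempts) are assumptions, not anything the article reports.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata

# Assumed policy values for this example (not from the article).
RECOVERY_MAX_AGE = 180 * 24 * 3600   # recovery address must be re-confirmed within this window
TOKEN_TTL = 15 * 60                  # reset links expire quickly
MAX_ANSWER_ATTEMPTS = 5              # the "secret ?" is guessable; cap the guesses
PBKDF2_ROUNDS = 100_000


def _normalize(answer):
    """Canonicalise a free-text answer so 'Fido', ' fido ' and 'FIDO' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _derive(value, salt):
    # Slow salted hash instead of storing the value in the clear: a leaked
    # settings page then yields nothing usable, and offline guessing is slow.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, recovery_address, recovery_verified_at, secret_answer):
        self.username = username
        self.recovery_address = recovery_address
        self.recovery_verified_at = recovery_verified_at   # epoch seconds of last confirmation
        self.answer_salt = secrets.token_bytes(16)
        self.answer_hash = _derive(_normalize(secret_answer), self.answer_salt)
        self.password_salt = secrets.token_bytes(16)
        self.password_hash = None
        self.failed_answers = 0


class RecoveryService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (username, expires_at); never the raw token

    def request_reset(self, acct):
        """Return the one-time token to mail to the recovery address, or None if refused."""
        if self._clock() - acct.recovery_verified_at > RECOVERY_MAX_AGE:
            # Dormant recovery address: do not mail a reset link to whoever may
            # own that mailbox now (the Hotmail re-registration step above).
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (acct.username, self._clock() + TOKEN_TTL)
        return token

    def complete_reset(self, acct, token, answer, new_password):
        """Reset only with a live link AND the secret answer; the answer alone never suffices."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None or entry[0] != acct.username or entry[1] < self._clock():
            return False
        if acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
            return False
        given = _derive(_normalize(answer), acct.answer_salt)
        if not hmac.compare_digest(given, acct.answer_hash):
            acct.failed_answers += 1
            return False
        del self._pending[digest]          # single use
        acct.failed_answers = 0
        acct.password_hash = _derive(new_password, acct.password_salt)
        return True


if __name__ == "__main__":
    now = time.time()
    svc = RecoveryService()
    fresh = Account("alice", "alice@example.net", now - 30 * 86400, "Fido")
    stale = Account("bob", "bob@example.net", now - 400 * 86400, "Rex")
    print("stale recovery address refused:", svc.request_reset(stale) is None)
    token = svc.request_reset(fresh)
    print("wrong answer with valid link:", svc.complete_reset(fresh, token, "rover", "N3w-pass"))
    print("right answer with valid link:", svc.complete_reset(fresh, token, " FIDO ", "N3w-pass"))
    print("link replayed:", svc.complete_reset(fresh, token, "fido", "again"))
```

The two design choices that matter for the Twitter chain are the refusal in `request_reset` (a recovery address nobody has confirmed for months is treated as possibly recycled) and the fact that `complete_reset` demands both factors, so knowing the pet's name from a Google search buys the attacker nothing on its own.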

From this point, with a single personal account as a starting point, the intrusion spread like a virus – infecting a number of accounts on a number of different services both inside and outside of Twitter. Once Hacker Croll had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts of at least three senior execs, including Evan Williams and Biz Stone. Perusing their email attachments led to lots more sensitive data being downloaded.

He then spidered out and accessed AT&T for phone logs, Amazon for purchasing history, MobileMe for more personal emails and iTunes for full credit card information (iTunes has a security hole that shows credit card information in clear text – we’ve notified Apple but have not heard back, so we won’t publish the still-open exploit now).

Basically, when he was done, Hacker Croll had enough personal and work information on key Twitter executives to make their lives a living hell.

Just to summarize the attack:

  1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account; he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails to successfully guess what the original Gmail password was, and set the password back to it so the Twitter employee would not notice the account had changed.
  3. HC then used the same password to access the employee's Twitter email on Google Apps for your Domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information, along with additional password guesses and resets, to take control of other Twitter employees' personal and work emails.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.

What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.

He also says he's sorry for causing Twitter so much trouble. We asked Hacker Croll if he had any message he wanted to deliver to Twitter, and he sent me the following (written in French; translated here):

I would like to apologise to all of the Twitter staff. I think this company has a great future ahead of it.

I did this on a non-profit basis. Security is a field I have been passionate about for many years, and I would like to make it my profession. In my daily life I sometimes help people protect themselves against the dangers of the Internet. I teach them the basic rules. For example: be careful where you click, which files you download and what you type on the keyboard. Make sure the computer is equipped with effective protection against viruses, external attacks, spam, phishing... Keep the operating system and frequently used software up to date... Remember to use passwords that bear no similarity to one another. Remember to change them regularly... Never store confidential information on the computer...

I hope that my repeated interventions will have shown how easy it can be for a malicious person to access sensitive information without much knowledge.

Hacker Croll.

What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.

Source: TechCrunch http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/


Rogue DBAs: Hidden Inside Security Threat

07.17.09

Analyst and security experts say Timothy Curley, a database administrator accused of $1 million in fraudulent activity, is indicative of insider security threats. Solution providers, they say, need to elevate business awareness about insider threats.
If your enterprise customers seem unaware of the dangers posed to their databases by rogue employees, it might be time to tell them the story of Timothy Curley.

Employed by American Express as a database administrator, Curley was arrested on June 24 by the U.S. Secret Service on claims from his former employer that he and an accomplice stole more than 1,000 customer records in order to carry out over $1 million in fraudulent activity.

The lesson is obvious. Corporate data stores are extremely valuable. So much so that even those charged with keeping them safe can be tempted to dip into the treasure chest. DBAs and similarly privileged users have access to some of the most concentrated, well-organized and precious collections of data your customers own.

“I am really surprised we don’t hear more about these types of cases,” says Slavik Markovich, founder and CTO of the database security vendor Sentrigo, who at the same time says the scarcity of stories may be understandable—and “frightening”—considering “monitoring of insiders and privileged users is just in its infancy. It’s really just started.”

After all, in the case of Curley and his buddy, the cops found crack pipes and methamphetamine alongside their stash of cloned credit cards. If the drug-fueled DBA could steal $1 million before being caught, imagine how long the ones with clear minds are lasting.

In a survey of 400 IT workers conducted earlier this year by Cyber-Ark, 35 percent admitted to accessing corporate information without authorization. More specifically, in regard to databases 47 percent said that if they moved to another job they would steal database information to bring with them. And among all respondents, approximately 75 percent reported that they could circumvent the controls currently in place to restrict access to internal information.

Cyber-Ark’s data supports estimates from analysts at Forrester Research, who believe that 70 percent of threats to databases come from within the enterprise.

“These [internal threats] are often very difficult to detect and block, largely because of excessive privileges granted to users, users sharing common log-ins and accounts, and privileged users such as testers, developers and even DBAs having access to sensitive data,” wrote Noel Yuhanna in a February 2009 report on the state of database security.

Analysts say solution providers have an opportunity to bring all of this overwhelming evidence to bear on clueless enterprise IT administrators and line-of-business managers. Now is the time to begin formulating strategies for implementing controls over the database that include not just the average user, but also the unchecked super-user, they say.

If you can’t appeal to the customer’s sense for the carrot of security, you can at least pull out the compliance stick. For example, those organizations that must comply with PCI DSS standards could potentially be putting themselves at risk if they are not able to track privileged user access to databases containing credit card information. According to VeriSign, which acts as a PCI assessor, more than 70 percent of organizations that fail their audits are flagged for failing to track and monitor access to cardholder data.

Whatever motivation you use to build awareness, the key is to try, Markovich says.

“I think the most important thing is awareness,” Markovich says. “The channel needs to talk with their customers and explain to them that protecting via firewall or from the outsider is no longer sufficient. You have to be aware that your database can and—if you don’t do anything—will be breached by privileged users.”

Clearly awareness is a start, but what next?

Yuhanna of Forrester says: “Security professionals should secure databases starting with strong authentication, authorization and access-control procedures, and should then use advanced security solutions such as encryption, auditing, masking and real-time protection.”
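What the "auditing" and "real-time protection" Yuhanna mentions look like once they reach an analyst, as an added example that is not taken from the article or from any vendor named in it: four detection rules run over a database audit extract, covering a privileged account reading cardholder rows, bulk reads of cardholder data by anyone, privileged off-hours access, and a privileged login used from several hosts (a shared account, one of the conditions Yuhanna lists). The CSV layout, table and account names and the business-hours window are constructed assumptions; a real deployment would read the DBMS's own audit log or a database activity monitoring feed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit records in a generic CSV shape (not any DBMS's real audit
# format). "card.customer_cards" stands in for a cardholder-data table.
SAMPLE_AUDIT = """ts,db_user,client_host,statement,object,rows
2009-06-20T02:14:05,dba_curley,10.1.5.23,SELECT,card.customer_cards,1180
2009-06-20T09:02:11,app_billing,10.1.8.40,SELECT,card.customer_cards,1
2009-06-20T09:02:12,app_billing,10.1.8.41,SELECT,card.customer_cards,1
2009-06-20T11:30:44,dba_curley,10.1.5.23,ALTER,card.customer_cards,0
2009-06-20T13:45:00,dba_smith,10.1.5.24,SELECT,app.sessions,20
2009-06-20T23:58:31,dba_curley,10.1.5.23,COPY,card.customer_cards,1000
2009-06-21T01:03:09,dba_smith,192.168.9.9,SELECT,card.customer_cards,3
"""

SENSITIVE_OBJECTS = {"card.customer_cards"}
PRIVILEGED_PREFIXES = ("dba_", "sys_")          # account naming convention assumed for this example
READ_STATEMENTS = {"SELECT", "COPY", "EXPORT", "UNLOAD"}
BULK_ROWS = 100                                 # assumed threshold for "exfiltration-shaped" reads
BUSINESS_HOURS = range(8, 19)                   # 08:00-18:59 local time, assumed


def is_privileged(user):
    return user.startswith(PRIVILEGED_PREFIXES)


def _alert(rule, rec):
    return {"rule": rule, "ts": rec["ts"], "db_user": rec["db_user"], "object": rec["object"]}


def detect(audit_csv):
    """Run the four rules over an audit extract and return one alert dict per hit."""
    alerts = []
    hosts_by_privileged_user = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(audit_csv)):
        when = datetime.fromisoformat(rec["ts"])
        priv = is_privileged(rec["db_user"])
        sensitive = rec["object"] in SENSITIVE_OBJECTS
        read = rec["statement"].upper() in READ_STATEMENTS
        rows = int(rec["rows"])

        # DBAs administer the schema (ALTER is expected); reading cardholder rows is not.
        if priv and sensitive and read:
            alerts.append(_alert("privileged_read_of_sensitive", rec))
        # Large reads of cardholder data are suspicious whoever runs them.
        if sensitive and read and rows >= BULK_ROWS:
            alerts.append(_alert("bulk_read_of_sensitive", rec))
        # Privileged touches of sensitive objects outside business hours.
        if priv and sensitive and when.hour not in BUSINESS_HOURS:
            alerts.append(_alert("off_hours_privileged_access", rec))
        if priv:
            hosts_by_privileged_user[rec["db_user"]].add(rec["client_host"])

    # A privileged login seen from several hosts suggests a shared account.
    for user, hosts in sorted(hosts_by_privileged_user.items()):
        if len(hosts) > 1:
            alerts.append({"rule": "privileged_account_from_multiple_hosts", "ts": None,
                           "db_user": user, "object": ",".join(sorted(hosts))})
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_AUDIT)
    for a in found:
        print(a)
    print(dict(summarize(found)))
```

On the constructed extract the DBA's 02:14 read of 1,180 cardholder rows fires three rules at once, which is the kind of event PCI DSS requirement 10 expects an organisation to be able to produce for its assessor; the row counts and the client host come straight from the audit record, so the rules need no knowledge of the application.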

Source: http://www.channelinsider.com/c/a/Security/Rogue-DBAs-Hidden-Inside-Security-Threat-218563/?kc=EWKNLDAT07162009STR4


Confessions of a "botmaster": infecting innocent users for a living

07.15.09

In its latest half-yearly report on IT security trends, Cisco publishes a very instructive interview with a "botmaster", that is, an individual who operates networks of zombie PCs (botnets).

According to the information obtained by Cisco, a "botmaster" operating networks of infected computers can earn between US$5,000 and US$10,000 a week.

With these armies of zombie PCs, "botmasters" can, for example, send unsolicited commercial email in bulk, or run phishing campaigns and then directly exploit, or resell, the personal information harvested, such as passwords for online banking accounts.

They can also resell their networks to other cybercriminals, at a price ranging from 10 to 25 cents per zombie PC.

The "botmaster" interviewed by Cisco says he was able to build a network of 10,000 compromised PCs without even having to directly exploit security flaws or spread worms such as Conficker. He simply used instant messaging systems to send download links pointing to the remote-control module, asking recipients to download this "cool software". Careless Internet users, be warned...

Cisco's Jeff Shipley points out that it is crucial to apply security updates to close known flaws likely to be exploited by attackers, but adds that "safe online behaviour is even more important".

Cisco asked the "botmaster", who seemed to have solid computing knowledge, why he engaged in these illegal and immoral activities instead of holding a position at an honest firm. He replied that he already had a criminal record and lacked the formal training needed for such a job...

Original article at Cisco: http://www.cisco.com/web/about/security/intelligence/bots.html

Source: Jean-Charles Condo http://techno.branchez-vous.com/actualite/2009/07/confessions_dun_botmaster_infe.html


Eavesdropping risk: keystrokes leaking into power outlets

07.14.09

According to a study by security researchers, inexpensive equipment can be used to read, remotely over the electrical power network, the characters typed on certain keyboards.

Researchers Andrea Barisani and Daniele Bianco of the firm Inverse Path state that they were able to read the characters typed on a PS/2 keyboard from up to 15 metres away.

The researchers explain that in PS/2 keyboards the wires run close to one another and are poorly shielded, which lets the data signal be induced into the ground wire. The leaked data, measured as voltage variations, then travels into the ground wiring of the power outlet and can be detected at some distance with relatively common, inexpensive equipment.

According to the BBC, PS/2 keyboards make this kind of electronic eavesdropping easier because the data is transmitted one bit at a time, at a relatively low rate.

"The PS/2 square wave signal is preserved with good quality... and can be decoded back to the original keystroke information," Andrea Barisani and Daniele Bianco told the BBC.
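The decoding step Barisani and Bianco describe, once the leaked square wave has been recovered as a sequence of bit samples, is ordinary PS/2 framing: a start bit, eight data bits least-significant first, an odd parity bit and a stop bit, with the host sampling on each falling clock edge. This added example (not the researchers' code) encodes keystrokes into PS/2 frames to build a constructed capture, decodes the frames back with parity and framing checks that resynchronise after a noisy sample, and maps the scan codes to characters. It assumes the keyboard uses the default scan code set 2 and covers only a subset of that table; the analog capture from the mains ground, the part that takes real hardware, is out of scope.

```python
# Subset of PS/2 scan code set 2 (the default set of PS/2 keyboards), assumed
# for this example; a keyboard switched to another set needs a different table.
SCAN_SET2 = {
    0x1C: "a", 0x32: "b", 0x21: "c", 0x23: "d", 0x24: "e", 0x2B: "f", 0x34: "g",
    0x33: "h", 0x43: "i", 0x3B: "j", 0x42: "k", 0x4B: "l", 0x3A: "m", 0x31: "n",
    0x44: "o", 0x4D: "p", 0x15: "q", 0x2D: "r", 0x1B: "s", 0x2C: "t", 0x3C: "u",
    0x2A: "v", 0x1D: "w", 0x22: "x", 0x35: "y", 0x1A: "z",
    0x45: "0", 0x16: "1", 0x1E: "2", 0x26: "3", 0x25: "4", 0x2E: "5", 0x36: "6",
    0x3D: "7", 0x3E: "8", 0x46: "9", 0x29: " ", 0x5A: "\n",
}
BREAK_PREFIX = 0xF0     # "key released" byte that precedes the key's make code
EXTENDED_PREFIX = 0xE0  # two-byte codes (arrows, right ctrl, ...)


def encode_frame(byte):
    """Bits on the DATA line for one byte: start(0), 8 data bits LSB first, odd parity, stop(1)."""
    data = [(byte >> i) & 1 for i in range(8)]
    parity = 1 - (sum(data) % 2)          # odd parity: ones in data+parity must be odd
    return [0] + data + [parity, 1]


def decode_bytes(bits):
    """Recover bytes from a bit stream sampled at the clock's falling edges.

    A window that fails the start/stop/parity checks is treated as noise or
    lost sync: slide one bit and try again. Returns (bytes, number of bad windows).
    """
    out, bad, i = [], 0, 0
    while i + 11 <= len(bits):
        frame = bits[i:i + 11]
        if frame[0] != 0 or frame[10] != 1 or sum(frame[1:10]) % 2 != 1:
            bad += 1
            i += 1
            continue
        out.append(sum(bit << k for k, bit in enumerate(frame[1:9])))
        i += 11
    return out, bad


def keystrokes(codes):
    """Turn a scan code stream into typed text, dropping break and extended codes."""
    typed, releasing, extended = [], False, False
    for code in codes:
        if code == BREAK_PREFIX:
            releasing = True
            continue
        if code == EXTENDED_PREFIX:
            extended = True
            continue
        if not releasing and not extended:
            typed.append(SCAN_SET2.get(code, "?"))
        releasing = extended = False
    return "".join(typed)


def sample_capture(text, stray_leading_bit=True):
    """Constructed capture of someone typing `text`: make code, break prefix, make code
    per key, optionally preceded by one spurious bit standing in for line noise."""
    by_char = {ch: code for code, ch in SCAN_SET2.items()}
    bits = [1] if stray_leading_bit else []
    for ch in text:
        code = by_char[ch]
        for byte in (code, BREAK_PREFIX, code):
            bits += encode_frame(byte)
    return bits


if __name__ == "__main__":
    codes, bad = decode_bytes(sample_capture("pass\n"))
    print(f"{bad} bad window(s), codes: {[hex(c) for c in codes]}")
    print("typed:", repr(keystrokes(codes)))
```

The sliding resynchronisation matters more for a power-line capture than for a probe on the cable: the recovered signal is not guaranteed to start on a frame boundary, and a single mis-sampled bit would otherwise corrupt everything that follows.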

The two researchers will demonstrate remote eavesdropping via power-outlet leakage at the Black Hat conference in Las Vegas, July 25 to 30, 2009.

Source: Jean-Charles Condo: http://techno.branchez-vous.com/actualite/2009/07/prise_courant_espionnage.html


URL shortening services popular with spammers

07.13.09

With the popularity of microblogs and instant messaging services, URL shortening services have appeared: they make a long address easy to share through a new address containing a random identifier. And it seems spammers have found a way to take advantage of them!

Indeed, MessageLabs, which keeps statistics on spam, has observed a significant rise in the use of URL shortening services by spammers; on July 8, more than 2% of the spam observed contained a shortened URL.

The random nature of shortened URLs is thought to have favoured their adoption: a series of addresses leading to the same site is harder to block than the site's main address. It is therefore easier to lure a user into visiting a site, often by spoofing the details of one of their contacts.

The spam observed is typical: penis enlargement and weight loss are on the menu.

In an interview with PC World, Matt Sergeant of MessageLabs stressed the importance of only opening messages from known people and checking that they are legitimate.

Source: http://techno.branchez-vous.com/actualite/2009/07/les_services_de_reduction_durl.html


Latest Security Advisories Published By VUPEN Security

07.07.09

VUPEN Security monitors, reviews, and verifies vulnerability reports, then publishes security advisories which help network professionals to eliminate irrelevant alerts and respond quickly and efficiently to important and real security threats.

* ClanSphere Multiple Unspecified Remote SQL Injection Vulnerabilities

http://www.vupen.com/english/advisories/2009/1794

* Photo DVD Maker PDM File Handling Buffer Overflow Vulnerability

http://www.vupen.com/english/advisories/2009/1793

* Dillo “Png_datainfo_callback()” PNG Integer Overflow Vulnerability

http://www.vupen.com/english/advisories/2009/1792

* CMME “admin.php” Username Cross Site Scripting Vulnerability

http://www.vupen.com/english/advisories/2009/1791

* Linux Kernel “kvm_arch_vcpu_ioctl_set_sregs()” Denial of Service Issue

http://www.vupen.com/english/advisories/2009/1790

* KVM “kvm_arch_vcpu_ioctl_set_sregs()” Denial of Service Vulnerability

http://www.vupen.com/english/advisories/2009/1789

* XScreenSaver “.xscreensaver” Handling File Disclosure Vulnerability

http://www.vupen.com/english/advisories/2009/1788

* Microsoft Windows MSVidCtl Remote Buffer Overflow Vulnerability (0day)

http://www.vupen.com/english/advisories/2009/1787

* Sun Java System Web Server JSP Source Code Disclosure Vulnerability

http://www.vupen.com/english/advisories/2009/1786

* Sourcefire 3D Sensor and Defense Center Privilege Escalation Issue

http://www.vupen.com/english/advisories/2009/1785

* Horde Passwd Application “backend” Cross Site Scripting Vulnerability

http://www.vupen.com/english/advisories/2009/1784

* phpMyAdmin SQL Bookmark Cross Site Scripting Vulnerability

http://www.vupen.com/english/advisories/2009/1781

* Linux Distributions Multiple Package Security Updates

http://www.vupen.com/english/linux-advisories/


Latest Exploits, PoC Codes and Security Advisories Published By VUPEN Security

07.02.09

The following exploits and proof-of-concept codes were developed by VUPEN and are available as part of the VUPEN Exploits & PoCs Service. More information: http://www.vupen.com/exploits

* VLC Media Player SMB URI Processing Buffer Overflow Exploit

This code execution exploit takes advantage of a buffer overflow vulnerability affecting VLC Media Player when processing a specially crafted "smb://" URI within a playlist.

CVE ID: CVE-NOMATCH

* Adobe Reader Mesh Generators Processing Heap Overflow Exploit #3

This code execution exploit takes advantage of another heap overflow vulnerability in Adobe Acrobat Reader when processing Universal 3D (U3D) content within a PDF file.

CVE ID: CVE-2009-2028

______________________________________________________________________

VUPEN Security monitors, reviews, and verifies vulnerability reports, then publishes security advisories which help network professionals to eliminate irrelevant alerts and respond quickly and efficiently to important and real security threats.

* VMware ESX Security Update Fixes Kerberos Code Execution Vulnerability

http://www.vupen.com/english/advisories/2009/1750

* Pidgin ICQ Web Message Handling Denial of Service Vulnerability

http://www.vupen.com/english/advisories/2009/1749

* Sun Solaris Kernel “udp” Remote Denial of Service Vulnerability

http://www.vupen.com/english/advisories/2009/1748

* Sun Solaris NFSv4 “nfs_portmon” Unauthorized Network Access Issue

http://www.vupen.com/english/advisories/2009/1747

* Sun Java System Access Manager Cross-Site Scripting Vulnerability

http://www.vupen.com/english/advisories/2009/1746

* NEWSolved “newsscript.php” Multiple SQL Injection Vulnerabilities

http://www.vupen.com/english/advisories/2009/1739

* Audio Article Directory “file” Parameter File Disclosure Vulnerability

http://www.vupen.com/english/advisories/2009/1738

* BookFlip Component for Joomla “book_id” SQL Injection Vulnerability

http://www.vupen.com/english/advisories/2009/1737

* Clicknet CMS “side” Parameter Processing File Disclosure Vulnerability

http://www.vupen.com/english/advisories/2009/1736

* PHP-Sugar “t” Parameter Processing File Disclosure Vulnerability

http://www.vupen.com/english/advisories/2009/1735

* Almnzm “customer” Parameter Remote SQL Injection Vulnerability

http://www.vupen.com/english/advisories/2009/1734

* K2 Component for Joomla “category” Remote SQL Injection Vulnerability

http://www.vupen.com/english/advisories/2009/1733

* com_php for Joomla “id” Parameter Remote SQL Injection Vulnerability

http://www.vupen.com/english/advisories/2009/1732

* Messages Library “CatID” Parameter Remote SQL Injection Vulnerability

http://www.vupen.com/english/advisories/2009/1731

* Whois.Cart “cpanel_1_log.htm” Information Disclosure Vulnerability

http://www.vupen.com/english/advisories/2009/1730

* SCMPX M3U Playlist Processing Buffer Overflow Vulnerability

http://www.vupen.com/english/advisories/2009/1729

* HT-MP3Player ".ht3" File Processing Buffer Overflow Vulnerability

http://www.vupen.com/english/advisories/2009/1728

* HP-UX Web Server Suite Code Execution and DoS Vulnerabilities

http://www.vupen.com/english/advisories/2009/1727

* osTicket Administrative Login Remote SQL Injection Vulnerability

http://www.vupen.com/english/advisories/2009/1726

* Linux Distributions Multiple Package Security Updates

http://www.vupen.com/english/linux-advisories/
