Earlier this month a wave of IIS/asp.net web sites were popped via SQL injection and started serving out malicious files. Most of the attention was given to the 0day Adobe Flash exploit being used, among other methods. But I’m interested more in the initial attack (being that my developers code in asp.net). The initial attack was an automated attack to find vulnerable SQL injection targets, poke around enough in the MS-SQL backend to find locations to inject, and then inject page data.

The links below give good info to the first half of this wave of attacks: attacking the server/app.

armorize
sucuri
nsmjunkie

The folks at Metasploit have announced the release of Metasploitable, a virtual machine that is pre-built with holes, missing patches, and vulnerable applications which can be used as test targets for Metasploit attacks.

Many Metasploit users run their own virtual labs with various older versions of Windows for easy testing and practice. This is usually time-consuming to set up and maintain, especially when you also include Linux distros.

Metasploitable is an Ubuntu build, so gives many testers a new target to attack than a traditional Windows box missing a few keystone patches.

I wouldn’t be surprised to see this expanded further and used as the basis of a lab for training purposes…

Insecure 26 is available, and as usual, has plenty of interesting articles such as a lengthy one on analyzing Flash content for vulnerabilities.

I cannot count how many times I get blank stares when I talk to asp.net developers about application domains and recycling (troubling, indeed). This is just a really quick link for myself on some neat information about app recycling.

Via Beijtlich, I see this month’s copy of Hakin9 is availabble for free online in pdf format. Heck, you don’t even have to submit any sort of fake registration!

Wanted to point quickly over to an article at nCircle by Chris Pawlukowsky talking about Detecting TLS Legacy Session Renegotiation. I think Chris does a good job describing the issue in text form. Check the bottom of the article for even more technical details.

I expect this to come up a bit more. “Easy” findings like this make auditors squeal in delight to put something on their external non-web-app-pentest scan report. Kinda like the entries that force us to drop SSLv2 and weaker ciphers because they’re, well, weak. Even though the attack itself is exotic and the probability is pretty damn low I’ll ever see this in action in my lifetime.

The TLS renegotiation thing is a bit more interesting, but you gotta admit it is still a bit exotic and still does require weakness in the app itself (unless the attacker can drop down to a weaker cipher or non-encrypted channels). Sounds like something that should be added to The Middler (if it doesn’t do it already). Real attacks would likey need to be tailored to each web app, but I bet there is a universal request that can be made that will throw back an error or something to prove the existence. Should *I* worry about this? No. Should someone working at a place with far higher security interests? Yes. Especially when it can be fixed easily.

Ahh yesterday’s 0day has predictably re-opened the “going-nowhere” debate on disclosure. I’m pro-full disclosure. I’m not anti-responsible disclosure, though, when appropriate.

The bottom-line for me: I’d rather know about the issues and have them exposed so I can deal with them, than to have them stifled or hidden or the exposure delayed. Disclosure improves our security (responsible or full).

(While I am happy to respect responsible disclosure folks their opinions, there isn’t really an argument that would change my mind, just like I expect no argument of mine would change their ideas or those of the “no disclosure” camps. It just is as it is. I’m happy with the current state of vulnerability disclosure. Kinda like abortion rights, I think this is one of those areas where staying on the fence is the right choice, versus standing on one side or the other without any real clear, inarguable reasons [short of any bias, like the ‘duh’ of a vendor preferring anything *but* full disclosure…].)

If you haven’t yet, I’d suggest reading up on the details of this announcement this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows’ Help Center, code can be executed by anything (I presume) that can invoke Help Center.

Big deal? Not a worm or anonymous remote attack, but this is as big a deal as any recent IE, media, or document problem that leads to arbitrary code execution. In other words, a big deal, but not a drop-the-coffee-on-your-lap-and-shut-all-communications-down-deal. Honestly, I’d hope effective security folks wouldn’t worry too much about this, as there should be other mitigations in place already (like running as non-admin and the like) which lessens the impact of sudden discoveries like this. Yeah…in an ideal world, right? 🙂

Liquidmatrix pointed me over to the Wired article on the growing drama between WikiLeaks, Bradley Manning, Adrian Lamo, and the Army. This has stoked a few thoughts…

Part I: Dumb Criminals, Smart Criminals

Manning came to the attention of the FBI and Army investigators after he contacted former hacker Adrian Lamo late last month over instant messenger and e-mail. Lamo had just been the subject of a Wired.com article. Very quickly in his exchange with the ex-hacker, Manning claimed to be the Wikileaks video leaker.

I’ll start out by not even commenting on the morality of what has transpired in the above article. I’ll start elsewhere.

There are dumb criminals and there are smart criminals. Smart criminals are the ones we (people in general, but also law enforcement) fear the most. Especially smart criminals with financial backing doing ‘white collar’ types of premeditated (or even random opportunistic) crimes…those are difficult to pursue!. They’re typified by not being dumb enough to necessarily get caught. Not all smart criminals get away with what they do, but they tend to be the ones to get away with it if anyone does.

Dumb criminals get caught. Much like your general hacker criminals, they tend to do dumb things, have spotty skills, and more likely end up talking about what they’ve done by making dumb decisions or having dumb associations and misplaced trust.

Manning did a dumb thing: he talked to someone. Not only did he talk to someone, he talked to someone with a level of celebrity status (for better or worse), who has ties to the FBI (for good or bad), and has an interest in not harboring national security secrets for another criminal. Ouch.

A smarter criminal would not have talked, or if he did, he would do exactly as Liquidmatrix mentioned: either nut up or shut up.

Another thing: Just how long and how much could have been disclosed had Manning not been dumb and talked to someone? How many not-dumb Mannings are lurking in your network?

Part II: Challenges in Organizational Security

“If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?” Manning asked.

I knew before reading the article that I wasn’t going to be impressed with how Manning exfiltrated the videos (and thousands of other files) from secure locations.

The sobering thought on this is…Manning had no real beef with what he was doing. He wasn’t getting paid, he didn’t seem to have some external motivation. He performed what I consider a crime of opportunity. Thankfully, that’s “all” it seemed to be. Sure, it was performed over many months of time and repeatedly, but I still consider all of that to be opportunistic as far as crimes go.

But this is why espionage (both national and corporate) scare me more than even anonymous Internet-borne crime: they physically influence and turn a real, living asset who has access into your secret network and information, and leverage that relationship to siphon out information. Or worse, actually perform active sabotage or other planting of access for others. This is why “cyberwar” doesn’t scare me as much as rogue insiders, depending on the organization in question.

What if a nation-state had targeted and turned Manning successfully? Someone like him truly is a goldmine worth the cost to acquire.

And don’t make the mistake in thinking Manning is an outlier. He’s just another face on the crowd, not much different at all from the rest. The sort of guy and white-collar crime that can be really scary to address.

I haven’t even touched on the fact that Manning had the warning signs of being a disgruntled worker. (Though how many people *wouldn’t* have those signs to some degree, who knows, but it should increase the level of organizational paranoia nontheless!)

Part III: Information Just Wants To Be Free

“He would message me, Are people talking about it?… Are the media saying anything?” Watkins said. “That was one of his major concerns, that once he had done this, was it really going to make a difference?… He didn’t want to do this just to cause a stir…. He wanted people held accountable and wanted to see this didn’t happen again.”

Part of the underlying ‘hacker ethic’ deals with the tendency of information to be free, much in the same way that electrons tend towards chaos or water tends to fill whatever form it can that presents the least resistence.

Perhaps Manning will ultimately be hailed as a moral whistleblower who is exposing secrets that should be made available to the public, for the good of the public.

Perhaps…

But at least think about that when thinking about what should be held secret by a company and what effort may be needed to keep that “tendency toward freedom” that information tries to flow. (And how powerful it may make a third party who suddenly has possession of such valuable information, like WikiLeaks reportedly may be now.) If your organization truly wants to emulate the, “Do no evil,” mentra, then there shouldn’t be many terribly damaging pieces of information (other than patents and trade secrets and the like) inyour possession, right? Mistakes, sure, but is it better to bury them or be transparent with them?

One thing I don’t do enough is make a mention when I add new (or missed!) sits and blogs to my link menu on the right. Certainly, not even *I* keep up with what is over there, let alone anyone else, despite it being a great place to spend a Saturday morning filling up your own RSS feeds with my links.

So here are a few new additions to my links and feed reader:

www.attackvector.org
securitythoughts.wordpress.com (not to be confused with securethoughts.com)
beechplane.wordpress.com

What are my requirements? Well, for my own personal feeds list, the blog has to add something to me or my knowledge. Honestly, I’m horrible with my feeds right now as I have 1000s of items unread (a few high-traffic feeds boost that up, btw, like the once-amusing “my life is average” feed), so adding more has become a small question-raising thing these days. Kinda like buying a new book. Will I really read it? Will it be worth reading? Will it then be worth keeping around after I have finished? (sectioning off one’s time is one of the two big components to what I call actually growing up!)

For links on the left side, I tend to add anything that pertains to info security, including personal blogs of people who are in security but don’t always talk security. I don’t remove much unless it may be a blog that hasn’t been updated for 5 years or a site that is simply dead and gone. Other, lower links are things I find interesting or may find interesting to reference in the future.

I also don’t make a huge list of all the actual “news” sites out there. I try to get the important ones and the basic ones that end up giving me all the news I really need. Adding tons more just ends up with lots of sites all saying and linking to the same things.

Robert Graham over at ErrataSec has a post in response to Securosis and Microsoft regarding secure development lifecycles. I’d have commented there, but they don’t allow anonymous comments…and I’ve been conscious to not browse around the web while logged into my usual account (something about correlation and tracking nonsense). And I look dumb posting as lvnewsreader. 🙂 So here’s my response:

Disclaimers: I’ve not thoroughly read the links Robert provided, so apologies if I sound dumb. I agree with everything Robert said in his post, so this isn’t really an argument so much as it is a situational “next-step.”

An SDL (or really any preventive security) really plays back into the great gamble of business; gambling with the risk of being breached or not (in whatever form).

But I think there *is* a case where prevention can demonstate a save of money: assume the risk of a breach is absolute. For Microsoft, I think we can safely say they will have weaknesses and thus patches to roll out. I’m pretty sure they can play the game of valuating the impact of those incidents, and probably spend on prevention and feel ultimately good about it. With Robert’s “sale” analogy, this would be the situation where your wife *was* going to buy that item today regardless of the sale, but she did actually save money (though possibly by sheer luck).

Assuming an incident is inevitable is easy to say, but hard to act on. Most organizations have years of no apparent critical security issues, and their mgmt will have a hard time accepting that suddenly the sky is falling. Just the same way many people think their home is secure, just because they’ve not witnessed someone wriggling the windows.

Side note: I really like Robert’s “sale” analogy. That’s actually a small pet peeve of mine. Sales aren’t meant to save someone money who is already buying something. It is meant to make a sale right at that moment that would not have been made anyway (or getting someone into a store to make other ancillary sales).