Why internal threats and vulnerabilities became hot issues.

Just in case you thought that deploying a firewall and an anti-virus should render you secure, the bad news is that times have changed and the "coconut" security model is starting to show its limitations. Protecting solely the perimeter just makes your network hard on the outside and juicy on the inside.

According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent. In "The Top 5 Internal Security Threats", itsecurity.com presents the most common security vulnerabilities and threats which involve the internal staff:

  1. Spear phishing
  2. Laptop theft / loss
  3. Unintentional Access and Disgruntled Ex-Employees
  4. Missing Security Patches
  5. Lack of AUP ( Acceptable Use Policy)

I would toss in a few more threats and vulnerabilities which most commonly lead to internal security risks:

  1. Improper network segregation and failure to handle rogue mobile computers
  2. Improper segregation of duties and authorization among the corporate business and IT processes
  3. Lack of audit trails: who did what, and when?
  4. Improper handling of removable media devices such as thumb drives, memory cards, etc., which facilitate information leaks

I know that it’s a thin line between the "Big Brother is watching you!" corporate culture and a secure information environment, but one thing is clear: neglecting the internal threats can have disastrous consequences.

Information security can be achieved if we go back and look into its three basic components: people, technology and processes. If you want to deploy proactive security actions, you must address each of these three components.

Some of the countermeasures against internal threats are:

Phishing
Phishing-fighting strategies include implementing anti-phishing toolbars that display a website’s real domain name, as well as maintaining a roster of well-known phishing sites for employee reference. But companies should forget about training IT personnel and staging corporate awareness campaigns, says Alan Paller, director of research at The SANS Institute. Rather, he suggests running “benign spear phishing exercises against your own employees….There’s no other way to solve it.”

Laptop theft / loss
Companies should require employees to protect their laptops with a startup password so that if they are stolen, at least the data is unusable. Make a practice of deleting old e-mails, text messages, call logs and unwanted files from all portable devices. And it’s always a good idea for employees to take advantage of a device’s built-in encryption capabilities and password protection features. Kingston’s Data Traveler Elite Privacy Edition, for example, is a USB Flash drive that secures 100% of data on-the-fly via 128-bit hardware-based AES encryption, and locks out potential users after 25 consecutive failed password attempts.

Unintentional Access and Disgruntled Ex-Employees
There’s no shortage of vendors promising to simplify the user provisioning process. Entrust, for example, offers solutions that automate policy enforcement and delegate administration for user provisioning which helps maintain security levels while managing large numbers of users. Another example is Courion. Courion’s AccountCourier is an automated user provisioning solution that instantly grants, revokes or modifies access to any operating system, application, Web portal or other IT assets without manual intervention.

Missing Security Patches
Patch management software and services can greatly ease the burden on today’s administrators. Ecora’s Patch Manager automates system discovery, patch assessment and patch installation on workstations and servers. Ideal for heterogeneous IT environments, Novell ZENworks Patch Management notifies administrators of exactly what patches and security holes reside on each server, desktop and laptop. And then there’s SecureCentral PatchQuest, automated patch management software for distributing and managing security patches, hotfixes and updates across networks comprising Windows, Red Hat and Debian Linux systems.

Lack of AUP
Strict usage policies can prohibit employees from sending sensitive information via insecure e-mail. E-mail content scanning technology can also help. IBM Express Managed Security Services, for example, scans and monitors e-mail before it ever reaches a network, ensuring that it’s free from harmful or damaging content. And MessageLabs’ Boundary Encryption service lets businesses set up a secure private email network between themselves and their partners to ensure the end-to-end delivery of encrypted communications.

I invite you to comment on how you handle these internal threats, and from which perspective: the employer’s position or the "always finding a way out" employee perspective :)

Application Classification in Secure Application Development

The Web Application Security Consortium released an interesting paper which emphasises the need for application security classification. It’s always about finding the right security balance.

In order to make effective decisions about security tradeoffs, architects and developers need to calculate the confidentiality, integrity, and availability requirements of their applications.  In short, application classification needs to precede secure application development.
 
The author’s experience in the industry has shown that, while most organizations have policies covering data classification, rarely do they have similar policies on application classification.  Developers and architects often have to make assumptions about the sensitivity of the data that they are handling and make architectural and design trade-offs based on these assumptions. 
 
Introducing Application Classification
In order to help solve this problem, organizations should implement a strong application classification program that is linked to application development.  Each application is rated “Low”, “Medium”, or “High” on the metrics of Integrity, Availability, and Confidentiality (for definitions of these terms please consult (4)).  These ratings are linked with specific security requirements within the organization’s development standards.

Read the full article: The Importance of Application Classification in Secure Application Development

Live - a raw (dd-style) virtual machine tool

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.

This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.

The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.

Live View is capable of booting:

  • Full disk raw images
  • Bootable partition raw images
  • Physical Disks (attached via a USB or Firewire bridge)

 

Screenshot: a Windows XP partition loading in the virtual environment

Supported Operating Systems

  • Windows XP, 2000, 2003, NT, Me, 98
  • Linux (limited support)

Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk.

Live View is developed by CERT, Software Engineering Institute.
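Two of the steps Live View automates, sizing a flat VMDK extent to match the raw image and attaching it so that guest writes go to a redo log rather than into the image, reproduced here as an added example in Python; this is not Live View’s own code. The first-sector heuristic, the 16x63 CHS geometry and the winxppro guest type are assumptions, and partition-only images (which need the synthetic MBR the tool builds) are rejected rather than handled.

```python
import os

SECTOR = 512


def image_kind(first_sector: bytes) -> str:
    """'disk' for an MBR with a partition table, 'partition' for a bare volume
    boot sector (needs a synthetic MBR, which this example does not build),
    else 'unknown'. Heuristic: both end in 55AA; a volume boot sector carries a
    filesystem OEM ID at offset 3, an MBR has its partition table at offset 446."""
    if len(first_sector) < SECTOR or first_sector[510:512] != b"\x55\xaa":
        return "unknown"
    if first_sector[3:7] in (b"NTFS", b"MSWI", b"MSDO"):       # NTFS, FAT32, FAT16
        return "partition"
    entries = [first_sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    flags_ok = all(e[0] in (0x00, 0x80) for e in entries)     # byte 0: boot flag
    if flags_ok and any(e[4] != 0 for e in entries):           # byte 4: type
        return "disk"
    return "unknown"


def vmdk_descriptor(extent_name: str, size_bytes: int) -> str:
    """monolithicFlat VMDK text whose single RW extent is the untouched raw image."""
    if size_bytes <= 0 or size_bytes % SECTOR:
        raise ValueError("image size must be a positive multiple of 512 bytes")
    sectors = size_bytes // SECTOR
    heads, spt = 16, 63                                        # assumed geometry
    cylinders = max(1, sectors // (heads * spt))
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {sectors} FLAT "{extent_name}" 0',
        "",
        "#DDB",
        'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        'ddb.adapterType = "ide"',
        "",
    ])


def vmx_config(name: str, vmdk_name: str, guest_os: str = "winxppro") -> str:
    """Minimal .vmx: disk attached nonpersistent (writes land in a redo log,
    never in the image) and no NIC, so the evidence VM stays isolated."""
    return "\n".join([
        'config.version = "8"',
        'virtualHW.version = "4"',
        f'displayName = "{name}"',
        f'guestOS = "{guest_os}"',
        'memsize = "512"',
        'ide0:0.present = "TRUE"',
        f'ide0:0.fileName = "{vmdk_name}"',
        'ide0:0.mode = "independent-nonpersistent"',
        'ethernet0.present = "FALSE"',
        "",
    ])


def build_vm(image_path: str, out_dir: str) -> dict:
    """Write <image>.vmdk and <image>.vmx into out_dir; the image is only read."""
    size = os.path.getsize(image_path)
    with open(image_path, "rb") as f:
        kind = image_kind(f.read(SECTOR))
    if kind != "disk":
        raise ValueError(f"{kind} image: needs a synthetic MBR, not built here")
    base = os.path.splitext(os.path.basename(image_path))[0]
    vmdk_path = os.path.join(out_dir, base + ".vmdk")
    vmx_path = os.path.join(out_dir, base + ".vmx")
    with open(vmdk_path, "w") as f:
        f.write(vmdk_descriptor(os.path.relpath(image_path, out_dir), size))
    with open(vmx_path, "w") as f:
        f.write(vmx_config(base, os.path.basename(vmdk_path)))
    return {"kind": kind, "sectors": size // SECTOR, "vmdk": vmdk_path, "vmx": vmx_path}
```

Mark the image file read-only at the operating-system level as well; the nonpersistent mode protects it only while VMware honours the descriptor.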

Best Forensics Tools - 2007 Edition

SC Magazine has released a group test of the best forensic tools of 2007. The test looked at several classes of forensic tools, including traditional computer forensics tools; network forensics analyzers; specialized tools for such things as live forensic capture, PDA forensics, etc.; and tools for performing forensic captures over networks, largely in an incident response environment.

The products which were evaluated:

  • Device Seizure v. 1.1
  • EnCase Forensic v. 6
  • Gargoyle Investigator
  • LiveWire Investigator v. 3.1.1C
  • LR1000 v. 3.5
  • P2 Enterprise Shuttle
  • ProDiscover IR v 4.9

The conclusion was that while the available tools tend to be more and more alike, offering mostly the same features, the forensics application vendors are exploring ways to capture forensic data on the media and on the network in very difficult circumstances.

The winners are:

  • We liked WetStone Technologies Gargoyle Investigator Forensic Pro Edition v. 2.6.1 a lot for its utility, value and ease of use. We award it our Best Buy.
  • For its very high value, ease of use and solid functionality we award Technology Pathways ProDiscover IR v 4.9 our Recommended rating.
  • WetStone Technologies LiveWire Investigator v. 3.1.1C is an extremely powerful tool for analyzing computers without taking them off-line. We award LiveWire our Approved for SC Labs rating for its utility, performance and extremely strong documentation.

Read full story

 

Next-Generation Web Application Security Threats

San Mateo, Calif. is hosting the Software Security Summit (http://www.s-3con.com) during April 16-17. As usual, this is a great opportunity for security vendors to present their latest R&D results.

This year, SPI Dynamics will lead five presentations during the summit, which already make me wish I was there:

  1.   Who: Caleb Sima, Co-founder and CTO
      What: "A Study of AJAX Vulnerabilities and Hacking Techniques"
      When: Monday, April 16, 2007 at 9:45 a.m.
      Where: Software Security Summit, San Mateo Marriott
  2.   Who: Matt Fisher, Senior Security Engineer
      What: "Hybrid Application Security Analysis — Ensuring Your Code is Secure"
      When: Monday, April 16, 2007 at 11:00 a.m.
      Where: Software Security Summit, San Mateo Marriott
  3.   Who: Caleb Sima, Co-founder and CTO
      What: Technical General Session: "The Latest Trends in Advanced Web Hacking and Secure Coding in the Real World"
      When: Monday, April 16, 2007 at 1:00 p.m.
      Where: Software Security Summit, San Mateo Marriott
  4.   Who: Matt Fisher, Senior Security Engineer
      What: "Deeper Injections"
      When: Monday, April 16, 2007 at 3:30 p.m.
      Where: Software Security Summit, San Mateo Marriott
  5.   Who: Matt Fisher, Senior Security Engineer
      What: "Exploiting Web Application Code: The Methodologies and Automation of SQL Injection"
      When: Wednesday, April 18, 2007 at 1:30 p.m.
      Where: Software Test & Performance Conference (STPCon), San Mateo Marriott

If you hurry, you can still catch the April 18 presentation, and if any of you have attended this summit, please post some comments, impressions or pictures. I bet it was a great conference.

PayPal Phishing exploiting Google Adsense Redirect

Usually I don’t click on phishing links, especially when the header is forged and the subject contains PayPal:

From: "PayPal"

However, this link raised some suspicions because it looked like a Google forceful redirect: http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php So I decided to capture the traffic and see what it’s all about. Well, I don’t know if this is a new way to exploit Google or just an everyday phishing link, but this is the full movie of the events:

  • Request #1: My browser requests the Google page.
  • Response #1: Google issues a 302 redirect to www.googleadservices.com.
  • Request #2: As instructed by the 302 response, my browser requests the page from www.googleadservices.com.
  • Response #2: googleadservices.com responds with another 302 redirect to the scammer’s phishing site, http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php.
  • Request #3: Again, as instructed by the redirect, my browser requests the phishing URL.
  • Response #3: The phishing site responds as it should, delivering a copy of paypal.com.
  • Response #4: Firefox flags the site as phishing and warns about it.

There you have it: PayPal phishing using an AdSense forceful redirect. Pretty nasty, to say the least.
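The same lure can be triaged statically, before anyone clicks: peel the destination out of the trusted host’s query string and check where it really lands. This is an added example, not part of the original post; the brand table is an assumption and the sample lure is constructed on the pattern above (the IP is from the TEST-NET-1 range). It also covers a bare phishing URL with no redirect wrapper.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Brands to protect and the domain that may legitimately host them (assumption).
PROTECTED_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# Constructed sample modelled on the google.com/pagead/iclk?...&adurl= lure above.
SAMPLE_PHISH = "http://192.0.2.10:82/www.paypal.com/cgi-bin/webscr/index.php"
SAMPLE_LURE = ("http://www.google.com/pagead/iclk?sa=l&ai=CONSTRUCTED&num=5&adurl="
               + SAMPLE_PHISH)


def nested_urls(url: str, depth: int = 3) -> list:
    """Peel URLs embedded in query parameters (adurl=, url=, ...), outermost first.
    Stops after `depth` hops so a self-referencing lure cannot loop forever."""
    chain = [url]
    for _ in range(depth):
        params = parse_qs(urlsplit(chain[-1]).query)
        inner = next((v[0] for v in params.values()
                      if v[0].lower().startswith(("http://", "https://"))), None)
        if inner is None:
            break
        chain.append(inner)
    return chain


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _on_legit_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess(url: str) -> list:
    """Reasons the link looks like a phishing redirect; empty list means none found."""
    chain = nested_urls(url)
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    host = (last.hostname or "").lower()
    reasons = []
    if len(chain) > 1 and first.hostname != last.hostname:
        reasons.append(f"visible host {first.hostname} forwards to {host}")
    if _is_ip(host):
        reasons.append("final destination is a bare IP address")
    if last.port not in (None, 80, 443):
        reasons.append(f"final destination uses non-standard port {last.port}")
    for brand, domain in PROTECTED_BRANDS.items():
        # Brand name in the path (www.paypal.com/...) but the host is someone else.
        if brand in last.path.lower() and not _on_legit_domain(host, domain):
            reasons.append(f"'{brand}' appears in the path but the host is not {domain}")
    return reasons


if __name__ == "__main__":
    for reason in assess(SAMPLE_LURE):
        print("-", reason)
```

The static check sees only the hop the query string reveals (google.com straight to the phishing host); the intermediate googleadservices.com hop in the capture above only shows up when the 302 responses are actually followed.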

Month of PHP Bugs - Days 23 - 31

March 2007 is over, and so is the Month of PHP Bugs project initiated by Stefan Esser. The number of PHP flaws revealed during one month is astonishing: 44. Many of these bugs pose a real threat to PHP installs older than 4.4.5 or 5.2.1, so it’s no wonder that the whole project stirred a lot of controversy and debate. Here are bugs 29 to 44:

  1. PHP 5.2.1 unserialize() Information Leak Vulnerability: The new S: datatype in unserialize() does not work at all, which leads to disclosure of heap memory content.
  2. PHP _SESSION unset() Vulnerability: Unsetting HTTP_SESSION_VARS and _SESSION can lead to arbitrary code execution.
  3. PHP _SESSION Deserialization Overwrite Vulnerability: Deserialization of session data can overwrite _SESSION, which can be exploited to execute arbitrary code.
  4. PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability: The security fix for MOPB-31-2007 introduced a double free vulnerability into PHP 4 that can lead to the execution of arbitrary code.
  5. PHP mail() Message ASCIIZ Byte Truncation: ASCIIZ character injection into an email message will truncate it.
  6. PHP mail() Header Injection Through Subject and To Parameters: A flaw in handling folded Subject and To headers allows mail header injection through both fields.
  7. PHP 4 zip_entry_read() Integer Overflow Vulnerability: The zip_entry_read() function of PHP 4 is vulnerable to an integer overflow in memory allocation that leads to an exploitable buffer overflow.
  8. PHP session.save_path open_basedir Bypass Vulnerability: Due to some magic directory guessing, a script can bypass the open_basedir restriction on the session save path.
  9. PHP iptcembed() Interruption Information Leak Vulnerability: A malicious user space error handler that interrupts iptcembed() can manipulate its parameters, which leads to disclosure of arbitrary heap memory.
  10. PHP printf() Family 64 Bit Casting Vulnerabilities: A 64 bit long to int cast results in multiple flaws in PHP’s printf() function family that lead to a new class of exploitable vulnerabilities, PHP application format string vulnerabilities.
  11. PHP str_replace() Memory Allocation Integer Overflow Vulnerability: When a single char is replaced by a long string many times in str_replace(), this can result in an integer overflow in memory allocation that leads to a buffer overflow vulnerability.
  12. PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability: An overlong boundary string passed to imap_mail_compose() will overflow a stack buffer and lead to arbitrary code execution.
  13. PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability: Calling sqlite_udf_decode_binary() with a malformed input string can lead to an exploitable buffer overflow.
  14. PHP 5 php_stream_filter_create() Off By One Vulnerability: The internal wildcard handling for stream filters contains an exploitable off by one overflow vulnerability that can be triggered by accessing a php://filter URL.
  15. PHP msg_receive() Memory Allocation Integer Overflow Vulnerability: An unchecked maxsize parameter to the msg_receive() function can result in an integer overflow during memory allocation that results in an exploitable buffer overflow.
  16. PHP 5.2.0 Memory Manager Signed Comparison Vulnerability: Due to a signed integer comparison, a request for more than 2 GB of memory will be answered with a minimum size memory block. This results in a myriad of (sometimes remotely) exploitable buffer overflows.


Windows, OS X, Linux and UNIX under vulnerability scanning microscope

Omninerd.com has published an extensive article which covers the major 2006 operating system vulnerabilities. A lot of work has been put into careful analysis of various flavors of the four core OS families available today: Windows, OS X, Linux and UNIX.

From Microsoft, testing included Windows XP, Server 2003 and Vista Ultimate. Examinations against Apple included Mac OS9, OSX Tiger and OSX Tiger Server. Augmenting Apple’s UNIX representation, security tests were also performed on FreeBSD 6.2 and Solaris 10.

Rounding up the market share, Linux security testing included Fedora Core 6, Slackware 11, SuSE Enterprise 10 and Ubuntu 6.10. The summarized coverage of 2006 vulnerabilities by SANS showed the most prevalent attack vectors were not directly against the operating systems themselves. However, this article approaches the operating system as an entity in and of itself for analysis of only the vulnerabilities of core features. As such, vulnerability scans were conducted against 2006’s flagship operating systems in various configurations to determine weakness from the moment of installation throughout the patching procedure.

Read the 2006 Operating System Vulnerability Summary by OmniNerd.com

Metasploit Framework version 3.0 RELEASED

It’s finally here :) Metasploit is pleased to announce the immediate, free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/

From H.D. Moore’s email : The Metasploit Framework ("Metasploit") is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules.

Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing, and denial of service testing. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide.

The framework is written in the Ruby programming language and includes components written in C and assembler. Get the final version at http://framework.metasploit.com

Symantec Internet Security Threat Report - March 2007

Symantec released its XI edition of the Internet Security Threat Report, which covers global security activity in the 2nd half of 2006: malware, vulnerabilities, exploits, phishing, etc. Quoting the exec summary:

The Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. It includes analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code. It also assesses numerous issues related to online fraud, including phishing, spam, and security risks such as adware, spyware, and misleading applications.

Attack Trends Highlights

  • The government sector accounted for 25 percent of all identity theft-related data breaches, more than any other sector.
  • The theft or loss of a computer or other data-storage medium made up 54 percent of all identity theft-related data breaches during this period.
  • The United States was the top country of attack origin, accounting for 33 percent of worldwide attack activity.
  • Symantec recorded an average of 5,213 denial of service (DoS) attacks per day, down from 6,110 in the first half of the year.
  • The United States was the target of most DoS attacks, accounting for 52 percent of the worldwide total.
  • The government sector was the sector most frequently targeted by DoS attacks, accounting for 30 percent of all detected attacks.
  • Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers.
  • Home users were the most highly targeted sector, accounting for 93 percent of all targeted attacks.
  • Symantec observed an average of 63,912 active bot-infected computers per day, an 11 percent increase from the previous period.
  • China had 26 percent of the world’s bot-infected computers, more than any other country.
  • The United States had the highest number of bot command-and-control computers, accounting for 40 percent of the worldwide total.
  • Beijing was the city with the most bot-infected computers in the world, accounting for just over five percent of the worldwide total.
  • The United States accounted for 31 percent of all malicious activity during this period, more than any other country.
  • Israel was the highest ranked country for malicious activity per Internet user, followed by Taiwan and Poland.
  • Fifty-one percent of all underground economy servers known to Symantec were located in the United States, the highest total of any country.
  • Eighty-six percent of the credit and debit cards advertised for sale on underground economy servers known to Symantec were issued by banks in the United States.

Vulnerability Trends Highlights

  • Symantec documented 2,526 vulnerabilities in the second half of 2006, 12 percent higher than the first half of 2006, and a higher volume than in any other previous six-month period.
  • Symantec classified four percent of all vulnerabilities disclosed during this period as high severity, 69 percent were medium severity, and 27 percent were low severity.
  • Sixty-six percent of vulnerabilities disclosed during this period affected Web applications.
  • Seventy-nine percent of all vulnerabilities documented in this reporting period were considered to be easily exploitable.
  • Seventy-seven percent of all easily exploitable vulnerabilities affected Web applications, and seven percent affected servers.
  • Ninety-four percent of all easily exploitable vulnerabilities disclosed in the second half of 2006 were remotely exploitable.
  • In the second half of 2006, all the operating system vendors that were studied had longer average patch development times than in the first half of the year.
  • Sun Solaris had an average patch development time of 122 days in the second half of 2006, the highest of any operating system.
  • Sixty-eight percent of the vulnerabilities documented during this period were not confirmed by the affected vendor.
  • The window of exposure for vulnerabilities affecting enterprise vendors was 47 days.
  • Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera.
  • Mozilla had a window of exposure of two days, the shortest of any Web browser during this period.
  • Twenty-five percent of exploit code was released less than one day after vulnerability publication.
  • Thirty-one percent was released in one to six days after vulnerability publication.
  • Symantec documented 12 zero-day vulnerabilities during this period, a significant increase from the one documented in the first half of 2006.
  • Symantec documented 168 vulnerabilities in Oracle database implementations, more than any other database.

Malicious Code Trends Highlights

  • Of the top ten new malicious code families detected in the last six months of 2006, five were Trojans, four were worms, and one was a virus.
  • The most widely reported new malicious code family this period was that of the Stration worm.
  • Symantec honeypot computers captured a total of 136 previously unseen malicious code threats between July 1 and December 31, 2006.
  • During this period, 8,258 new Win32 variants were reported to Symantec, an increase of 22 percent over the first half of 2006.
  • Worms made up 52 percent of the volume of malicious code threats, down from 75 percent in the previous period.
  • The volume of Trojans in the top 50 malicious code samples reported to Symantec increased from 23 percent to 45 percent.
  • Trojans accounted for 60 percent of the top 50 malicious code samples when measured by potential infections.
  • Polymorphic threats accounted for three percent of the volume of top 50 malicious code reports this period, up from one percent in the two previous periods.
  • Bots made up only 14 percent of the volume of the top 50 malicious code reports.
  • Threats to confidential information made up 66 percent of the top 50 malicious code reported to Symantec.
  • Keystroke logging threats made up 79 percent of confidential information threats by volume of reports, up from 57 percent in the first half of the year and 66 percent in the second half of 2005.
  • Seventy-eight percent of malicious code that propagated did so over SMTP, making it the most commonly used propagation mechanism.
  • Malicious code using peer-to-peer to propagate rose from 23 percent of all propagating malicious code in the first six months of 2006 to 29 percent in the last half of the year.
  • The majority of malicious code reports during this period originated in the United States.
  • During the second half of 2006, 23 percent of the 1,318 documented malicious code instances exploited vulnerabilities.
  • MSN Messenger was affected by 35 percent of new instant messaging threats in the second half of the year.

Phishing, Spam, and Security Risks Highlights

  • The Symantec Probe Network detected a total of 166,248 unique phishing messages, a six percent increase over the first six months of 2006. This equates to an average of 904 unique phishing messages per day for the second half of 2006.
  • Symantec blocked over 1.5 billion phishing messages, an increase of 19 percent over the first half of 2006.
  • Throughout 2006, Symantec detected an average of 27 percent fewer unique phishing messages on weekends than the weekday average of 961.
  • On weekends, the number of blocked phishing attempts was seven percent lower than the weekday average of 7,958,323 attempts per day.
  • Organizations in the financial services sector accounted for 84 percent of the unique brands that were phished during this period.
  • Forty-six percent of all known phishing Web sites were located in the United States, a much higher proportion than in any other country.
  • Between July 1 and December 31, 2006, spam made up 59 percent of all monitored email traffic. This is an increase over the first six months of 2006 when 54 percent of email was classified as spam.
  • Sixty-five percent of all spam detected during this period was written in English.
  • In the last six months of 2006, 0.68 percent of all spam email contained malicious code. This means that one out of every 147 spam messages blocked by Symantec Brightmail AntiSpam contained malicious code.
  • Spam related to financial services made up 30 percent of all spam during this period, the most of any category.
  • During the last six months of 2006, 44 percent of all spam detected worldwide originated in the United States.
  • The United States hosted the largest proportion of spam zombies, with 10 percent of the worldwide total.
  • The most commonly reported security risk was an adware program named ZangoSearch.
  • All of the top ten security risks reported in the last six months of 2006 employ at least one anti-removal technique compared to only five of the top ten security risks in the last reporting period.
  • All of the top ten security risks reported during this period employ self-updating.
  • Potentially unwanted applications accounted for 41 percent of reports in the top ten new security risks in the second half of 2006.
  • Misleading application detections increased by 40 percent in the second half of 2006.

Full report (PDF)
