26. September 2010 · OAuth 2.0 security used by Facebook, others called weak · Categories: Authentication

OAuth 2.0 security used by Facebook, others called weak.

OAuth 2.0 is sweeping through the industry, becoming the standard method of authentication across multiple web applications/sites. Other methods such as SAML and WS-Security are losing out because they are too difficult for web developers to learn and use.

Unfortunately, there is a growing opinion that in an effort to make OAuth 2.0 simple for developers to use, security was compromised.

The main concern is that rather than using digital signatures to assure that the “tokens” transmitted between sites are not tampered with, the sites simply connect to each other via SSL, which is susceptible to man-in-the-middle attacks.

Eran Hammer-Lahav, Yahoo’s director of standards development and one of the creators of OAuth, said:

“It is clear that once discovery is used, clients will be manipulated to send their tokens to the wrong place, just like people are phished. Any solution based solely on a policy enforced by the client is doomed.”
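To make Hammer-Lahav’s point concrete, here is an added illustration (my own code, not from the OAuth specification or from any of the parties quoted) contrasting a bearer token with a request signed by a shared secret, in the spirit of OAuth 1.0 signatures. The host names, key id, token and secret are constructed for the demo. When the client is misdirected to the wrong host, a bearer token the rogue host receives is just as good as the original; a signature bound to the destination host, path and a nonce is useless anywhere else, and the secret itself never crosses the wire:

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit

# Constructed demo values: none of these are real hosts, tokens or credentials.
REAL_HOST = "api.example.com"
ROGUE_HOST = "evil.example.net"
BEARER_TOKEN = "constructed-bearer-token-123"
MAC_KEY_ID = "client-42"
MAC_KEY = b"constructed-shared-secret"


# Bearer token: whoever presents the string is the client, wherever they got it.
def bearer_headers(token):
    return {"Authorization": "Bearer " + token}


def bearer_accept(headers, valid_tokens):
    auth = headers.get("Authorization", "")
    return auth.startswith("Bearer ") and auth[len("Bearer "):] in valid_tokens


# Signed request: the shared secret stays on the client; only a MAC over the
# method, destination host, path, timestamp and nonce is sent.
def canonical(method, host, path, ts, nonce):
    return "\n".join([method.upper(), host.lower(), path, str(ts), nonce]).encode()


def mac_headers(key_id, key, method, url, ts=None, nonce=None):
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(key, canonical(method, parts.netloc, path, ts, nonce), hashlib.sha256).hexdigest()
    return {"Authorization": f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}


_FIELD = re.compile(r'(\w+)="([^"]*)"')


class MacVerifier:
    """Resource server: recomputes the MAC over ITS OWN host and the path it received."""

    def __init__(self, host, keys, max_skew=300):
        self.host = host
        self.keys = keys            # key id -> shared secret
        self.max_skew = max_skew    # seconds of clock drift tolerated
        self.seen = set()           # (key id, ts, nonce) already accepted

    def accept(self, headers, method, path, now=None):
        auth = headers.get("Authorization", "")
        if not auth.startswith("MAC "):
            return False
        f = dict(_FIELD.findall(auth))
        try:
            key, ts, nonce, mac = self.keys[f["id"]], int(f["ts"]), f["nonce"], f["mac"]
        except (KeyError, ValueError):
            return False
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew or (f["id"], ts, nonce) in self.seen:
            return False            # stale, or an exact replay
        expected = hmac.new(key, canonical(method, self.host, path, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False            # signed for a different host or path, or with a different key
        self.seen.add((f["id"], ts, nonce))
        return True


def demo(now=1_700_000_000):
    """Client is misdirected to ROGUE_HOST; the rogue forwards whatever it captured to REAL_HOST."""
    path = "/v1/profile"
    captured = bearer_headers(BEARER_TOKEN)
    bearer_replayed = bearer_accept(captured, {BEARER_TOKEN})

    server = MacVerifier(REAL_HOST, {MAC_KEY_ID: MAC_KEY})
    captured = mac_headers(MAC_KEY_ID, MAC_KEY, "GET", f"https://{ROGUE_HOST}{path}", ts=now)
    mac_replayed = server.accept(captured, "GET", path, now=now)

    legit = mac_headers(MAC_KEY_ID, MAC_KEY, "GET", f"https://{REAL_HOST}{path}", ts=now)
    return {"bearer_replayed": bearer_replayed,          # True: the token works anywhere
            "mac_replayed": mac_replayed,                # False: bound to the wrong host
            "mac_first_use": server.accept(legit, "GET", path, now=now),   # True
            "mac_second_use": server.accept(legit, "GET", path, now=now)}  # False: nonce reuse


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately takes the host and path from the request it actually received rather than from anything the client sent, which is what makes the misdirected signature fail; the timestamp window and nonce set are what stop an exact replay against the correct host. Note that this does not fix discovery itself, which is Hammer-Lahav’s point: it only limits what a misdirected client gives away.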

25. September 2010 · How to Configure Mozilla Firefox for Secure Surfing · Categories: Security-Compliance

Via Threatpost: How to Configure Mozilla Firefox for Secure Surfing

Excellent recommendations for configuring Firefox, with one exception: take note of the comment about the downside of clearing site preferences, since doing so also wipes the cookies that store the preference choices you have made on your favorite sites.

In addition, I recommend the Adblock Plus plug-in. It’s had 94 million downloads and over 2,000 reviews averaging the maximum 5 star rating.

25. September 2010 · HTML5 security concerns · Categories: Security-Compliance

Via ThreatPost: Security a Concern as HTML5 Gains Traction

This article and an earlier blog post from Veracode entitled, HTML5 Security in a Nutshell, itemize some of the new HTML5 features which can be seen as new threat vectors including (1) Local database and session storage, (2) sandboxing, and (3) postMessage().

Every new technology increases risk, at the very least because people misunderstand how to use it and bad actors know this. Therefore, as a new technology, in this case HTML5, gains traction, cyber criminals are drawn to it as well. We’ve seen the same thing happen with Web 2.0 applications, social networking, and virtualization.

If the major security vendors don’t respond to the new threats, you can be sure that new security vendors will.

19. September 2010 · How risky is the ‘Padding Oracle’ Crypto Attack? · Categories: Security-Compliance, Vulnerabilities

ThreatPost reported that a pair of security researchers announced they have implemented an attack that exploits the way ASP.NET web applications handle encrypted session cookies: ‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps | threatpost.

Microsoft admitted the vulnerability in Microsoft Security Advisory 2416728.

The question is, how likely is it that this vulnerability will be exploited across the millions of ASP.NET web sites? According to a post on Slashdot.org:

…this attack requires fairly verbose error messages be sent back to the user of a web application. While I’m sure there do exist some ASP sites where this is the case, I don’t think it has been in any of the non-intranet sites I’ve seen in my career.

It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages to reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

So it appears that the risk of exploitation of this vulnerability depends on the coding practices of the web site developers. Good coding practices, not so risky.
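As an added illustration of the point in that Slashdot comment (my own code, not the researchers’ tool and not ASP.NET’s implementation), the following contrasts a session-cookie handler whose error responses reveal which check failed with one that verifies a MAC before decrypting anything and answers every failure identically. The block cipher is a constructed toy Feistel network so the example runs on the standard library alone; the keys and cookie contents are made up for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16

# Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256), constructed for this
# demo so it runs with the standard library alone. It is NOT a real cipher.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def pad(data):                      # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("not block aligned")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return unpad(out)

# Vulnerable handler: three distinct responses tell the sender which check failed.
def leaky_handler(enc_key, cookie):
    try:
        session = cbc_decrypt(enc_key, cookie[:BLOCK], cookie[BLOCK:])
    except ValueError as e:
        return 500, f"Padding is invalid and cannot be removed: {e}"
    if not session.startswith(b"user="):
        return 400, "Malformed session"
    return 200, "OK"

# Hardened handler: encrypt-then-MAC, constant-time tag check before any decryption,
# and one generic response for every failure.
def seal(enc_key, mac_key, plaintext):
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_handler(enc_key, mac_key, cookie):
    generic = (400, "Invalid request")
    if len(cookie) < BLOCK + 32:
        return generic
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return generic          # tampered data never reaches the unpadder
    try:
        session = cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])
    except ValueError:
        return generic          # same status and words as every other failure
    return (200, "OK") if session.startswith(b"user=") else generic

def flip_bit(data, index):
    return data[:index] + bytes([data[index] ^ 1]) + data[index + 1:]

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"   # demo keys only
    iv = bytes(range(BLOCK))
    cookie = iv + cbc_encrypt(enc_key, iv, b"user=alice")
    sealed = seal(enc_key, mac_key, b"user=alice")
    # Flipping IV byte 15 corrupts the padding byte; flipping IV byte 0 corrupts "user=".
    variants = lambda c: (c, flip_bit(c, BLOCK - 1), flip_bit(c, 0))
    return {"leaky": [leaky_handler(enc_key, c) for c in variants(cookie)],
            "hardened": [hardened_handler(enc_key, mac_key, c) for c in variants(sealed)]}

if __name__ == "__main__":
    print(demo())
```

The leaky handler returns 200, 500 and 400 for the three cookies, which is exactly the “verbose error message” the Slashdot poster is talking about; the hardened one returns 200 once and the same 400 twice. Checking the MAC first matters as much as the generic message: even with identical wording, a handler that still unpads attacker-modified data can leak the same distinction through timing.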

17. September 2010 · Errata Security: Adobe misses low hanging fruit in Reader · Categories: Malware

Errata Security: Adobe misses low hanging fruit in Reader.

It appears that one of the reasons Adobe has so many vulnerabilities is a lack of secure software development practices.

One of the most common features of “secure development” is the ability to avoid functions that are known to be dangerous, functions which have caused major vulnerabilities (such as Internet worms) in the past. These are functions developed in the 1970s, before their risks were understood. Now that we have suffered from these functions and understand the risks, we have come up with safer alternatives. Using these alternatives is cheap and easy, and they can save a development house endless embarrassment and remediation time. More importantly, while verifying that your code is “secure” is an essentially impossible task, verifying that your code contains no banned functions is easy. We call this the “low hanging fruit” of secure development.

The Errata article found a high-risk function, strcat, still being used in Adobe Reader, which is possibly related to a recent vulnerability, the SING Table Parsing Vulnerability (CVE-2010-2883).
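Errata’s claim that checking for banned functions is easy is simple to demonstrate. Below is an added example (my own script, not Errata’s or Adobe’s tooling) that scans C source for a short, constructed list of unsafe string functions, blanking out comments and string literals first so that only real call sites and declarations are reported with their line numbers. The C snippet is constructed for the demo and is not Adobe Reader code.

```python
import re

# Constructed list of classic unsafe C string functions (strcat, the one Errata found,
# first) with a suggested replacement. Real banned-function lists are much longer.
BANNED = {
    "strcat": "strlcat/strcat_s, or append only after an explicit length check",
    "strcpy": "strlcpy/strcpy_s, or memcpy with a checked length",
    "sprintf": "snprintf",
    "gets": "fgets",
}

# Comments and string literals are blanked out (newlines kept) so that a function
# name inside them is not reported and line numbers stay correct. Character
# literals such as '"' are not handled by this toy scanner.
_STRIP = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)
_CALL = re.compile(r"(?<![\w.>])(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def scan(source):
    """Return (line number, function name) for each banned call site or declaration."""
    cleaned = _STRIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    return [(cleaned.count("\n", 0, m.start()) + 1, m.group(1)) for m in _CALL.finditer(cleaned)]


def report(findings):
    return [f"line {line}: {fn}() -> prefer {BANNED[fn]}" for line, fn in findings]


# Constructed C snippet for the demo (not from Adobe Reader).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcat(dst, src) mentioned in a comment must not be reported */
static void build_path(char *dst, size_t dstlen, const char *name) {
    const char *note = "strcat(dst, name) inside a string literal is ignored too";
    strcpy(dst, "/tmp/");               /* banned: unbounded copy */
    strcat(dst, name);                  /* banned: unbounded append */
    snprintf(dst, dstlen, "%s", name);  /* bounded: not reported */
    my_strcat(dst, name);               /* different identifier: not reported */
}
"""

if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_C))))
```

Run on the sample it reports lines 7 and 8 only. A declaration in a header (`char *strcat(char *, const char *)`) is reported as well, which is usually what you want when the goal is to fail the build; if not, whitelist the system headers. The same approach is what `banned.h`-style headers achieve at compile time by redefining the names to produce errors.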

In addition, Brian Krebs is reporting that Adobe published yet another security advisory earlier this week about a previously unknown vulnerability in Flash being actively exploited.

17. September 2010 · ‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security · Categories: Malware

‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security.

Brian Krebs has a detailed article on Stuxnet, including details about its targeting of Siemens industrial control systems.

“The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system,” Weiss said. “At least one aspect of what Stuxnet does is to take control of the process and to be able to do…whatever the author or programmer wants it to do. That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down. This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”

15. September 2010 · Burglars used social network status updates to select victims • The Register · Categories: Privacy, Social Engineering

Burglars used social network status updates to select victims • The Register.

Posting your location can have unintended consequences. A band of burglars in Nashua, NH were arrested for an estimated 50 burglaries in the area; the targets were chosen based on information the burglars collected from social networks, including Facebook.

“Be careful of what you post on these social networking sites,” said Capt. Ron Dickerson of Nashua police. “We know for a fact that some of these players, some of these criminals, were looking on these sites and identifying their targets through these social networking sites.”

15. September 2010 · New commercial DDoS botnet discovered · Categories: blog

Via an SC Magazine article, a new commercial DDoS botnet has been discovered. IMDDOS is growing at a rate of 10,000 devices per day. Note that this is a commercial effort:

Literally anyone who can read or work with a Mandarin Chinese website can go onto their self-service portal, create an account and pick their victim of choice for a DDoS attack.

The botnet’s C&C domains, located in China, are used to push out instructions to infected bots to launch DDoS attacks against a list of targeted domains. Researchers are unsure of the price of IMDDOS attack services and do not know the actual domain names targeted by IMDDOS customers.

Full disclosure: While this article was “stimulated” by Damballa’s VP of Marketing, I still thought it was newsworthy. We partner with FireEye, a Damballa competitor.

15. September 2010 · Microsoft addresses one of the Stuxnet related zero-day vulnerabilities · Categories: Malware, Vulnerabilities, Zero-day

Today’s round of Microsoft patches addresses a variety of issues, including one of the Stuxnet-related zero-day vulnerabilities. Stuxnet actually leverages four different zero-day vulnerabilities! For more details go here, here and here. Computerworld has a more detailed article about Stuxnet: Siemens: Stuxnet worm hit industrial systems.

14. September 2010 · New attacks leverage a zero-day vulnerability in Adobe PDF reader · Categories: Malware, Zero-day

Via ThreatPost yesterday:

Security researchers [at Symantec] say that a new wave of attacks suggests that the malicious hackers behind a security compromise [Aurora] at Google and a number of other prestigious U.S. firms are back in business, this time using an unpatched security flaw in Adobe’s PDF (Portable Document Format) Reader application.

The post is well linked for background information on Aurora.