EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

July 2006


July 27, 2006

Yet Another Malicious Attack Technique


A malicious technique for scanning a network, fingerprinting all Web-enabled devices found, and sending attacks or commands to those devices has been uncovered by SPI Labs.

This technique can scan networks that sit behind firewalls, such as corporate networks. All of the code is written in JavaScript and uses parts of the language standard that are almost ten years old, so it runs in nearly any Web browser on nearly any platform as soon as a user opens a Web page that contains it. Because the technique exploits no browser bug or vulnerability, there is no patch; the only defense available to end users is to turn off JavaScript support in the browser.

The code can be part of a Cross-Site Scripting (XSS) attack payload, thereby increasing the potential damage caused by XSS. These vulnerabilities are extremely common and large companies like MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.

"Web application vulnerabilities, particularly cross-site scripting, are most frequently viewed by security professionals as a nuisance. However, SPI Labs has been closely tracking the escalating damage that these vulnerabilities can cause as they become mainstream," said Billy Hoffman, Lead Research Engineer, SPI Labs. "This potentially devastating JavaScript attack, along with the growing exploitation of Cross-Site Scripting, demonstrates that these vulnerabilities should no longer be last in line to be addressed. There is no such thing as a harmless XSS vulnerability."

To help reduce the risk of port scans with JavaScript, SPI Labs recommends that you:

  • Have your Web applications assessed for security vulnerabilities immediately, and continue to do so on a frequent periodic basis.
  • Ensure that all input is validated before being processed.
  • Use whitelisting rather than blacklisting for validation. Whitelisting means accepting only data you know to be good, while blacklisting rejects data on a list of things not to allow. Looking for known, valid, and safe input is much easier than trying to enumerate every malicious or dangerous input. For example, you know that a U.S. ZIP code should always be five numbers; whitelisting the ZIP code input means accepting only five numbers and nothing else.
  • Add network Intrusion Detection System (IDS) rules for scanning behavior.
For more information, see this detailed briefing on this exploit. A proof-of-concept demonstration is also available.
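The whitelisting advice above, as an added example that is not part of the original post or SPI Labs' material: every field is matched against an anchored pattern describing the complete set of acceptable values, with a deny-list check shown only for contrast. The `state` and `username` fields and all sample submissions are constructed for this demo.

```javascript
// Added example (not from the original post): allow-list ("whitelist")
// validation as the SPI Labs advice describes. Each field accepts only a
// fully specified format; anything else is rejected. The fields other than
// ZIP, and all sample submissions, are constructed for this demo.
const ALLOW = {
  zip: /^[0-9]{5}$/,                  // U.S. ZIP: exactly five digits (the page's example)
  state: /^[A-Z]{2}$/,                // two-letter state code, upper case only
  username: /^[a-z][a-z0-9_]{2,15}$/, // 3-16 chars from a small safe alphabet
};
// Deny-list approach, for contrast only: rejects a few known-bad substrings
// and accepts whatever remains, so it misses anything not on the list.
const DENY = [/<script/i, /javascript:/i, /onerror=/i];
function denyListCheck(value) {
  return !DENY.some((re) => re.test(value));
}
// Validate a whole submission against the allow-list. Fields that are not
// expected are rejected too, so extra parameters cannot be smuggled in.
function validateForm(fields) {
  const errors = [];
  for (const [name, value] of Object.entries(fields)) {
    const rule = ALLOW[name];
    if (!rule) {
      errors.push(`${name}: unexpected field`);
    } else if (typeof value !== "string" || !rule.test(value)) {
      errors.push(`${name}: does not match the allowed format`);
    }
  }
  return { ok: errors.length === 0, errors };
}
// Constructed submissions: the second wraps the ZIP in a harmless-looking
// HTML tag that the deny-list does not know about, so only the allow-list
// rejects it; the third adds a field the form never defined.
const GOOD_FORM = { zip: "30309", state: "GA", username: "kcarlson" };
const TAGGED_ZIP = { zip: "30309<b>", state: "GA", username: "kcarlson" };
const EXTRA_FIELD = { zip: "30309", admin: "true" };
```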

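The IDS recommendation above, as an added example that is not from the original post: a victim browser running the JavaScript scanner issues requests to many distinct internal hosts in a short burst, so a rule can flag any source that contacts more than a threshold of distinct destination host:port pairs inside a time window. The log format, the log lines and the thresholds are all constructed assumptions for this demo.

```javascript
// Added example (not from the original post): a detection rule for the scanning
// pattern described above. A victim browser running the JavaScript scanner
// issues requests to many distinct internal hosts in a short burst, so this
// flags any source contacting more than MAX_TARGETS distinct destination
// host:port pairs within WINDOW_SEC seconds. Thresholds, log format and lines are constructed.
const MAX_TARGETS = 5;
const WINDOW_SEC = 30;
// Constructed proxy log, "<epoch> <src> <dst>:<port>": 10.1.2.50 sweeps seven
// internal hosts in seven seconds; 10.1.2.51 reloads one intranet server.
const SAMPLE_LOG = `
1154000000 10.1.2.50 10.1.2.1:80
1154000001 10.1.2.50 10.1.2.2:80
1154000002 10.1.2.50 10.1.2.3:80
1154000003 10.1.2.50 10.1.2.4:80
1154000004 10.1.2.50 10.1.2.5:80
1154000005 10.1.2.50 10.1.2.6:80
1154000006 10.1.2.50 10.1.2.7:8080
1154000003 10.1.2.51 10.1.2.1:80
1154000020 10.1.2.51 10.1.2.1:80
`;
function parseLine(line) {
  const m = line.match(/^(\d+) (\S+) (\S+:\d+)$/);
  return m ? { ts: Number(m[1]), src: m[2], dst: m[3] } : null;
}
// Group events by source, slide a WINDOW_SEC window over each source's events
// and count distinct targets; report sources whose busiest window exceeds MAX_TARGETS.
function findScanners(logText) {
  const bySrc = new Map();
  for (const raw of logText.split("\n")) {
    const ev = parseLine(raw.trim());
    if (!ev) continue;
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, []);
    bySrc.get(ev.src).push(ev);
  }
  const alerts = [];
  for (const [src, events] of bySrc) {
    events.sort((a, b) => a.ts - b.ts);
    let worst = 0;
    for (let i = 0; i < events.length; i++) {
      const targets = new Set();
      for (let j = i; j < events.length && events[j].ts - events[i].ts <= WINDOW_SEC; j++) {
        targets.add(events[j].dst);
      }
      worst = Math.max(worst, targets.size);
    }
    if (worst > MAX_TARGETS) alerts.push({ src, distinctTargets: worst });
  }
  return alerts;
}
```

The benign user is not flagged because repeated requests to one server count as a single target, whichever window they fall in.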
Posted by Jon Erickson at 01:52 PM


July 21, 2006

Fuzzing, Search Warnings Released


A couple of warnings have been issued by Secure Computing. One concerns fuzzing; the other concerns Google's hidden malware search capabilities.

Fuzzing is an automated testing methodology that takes the input an application is designed to accept, feeds it malformed or unexpected variations, and watches for abnormal responses, the sign of a bug. Once a bug is found, further research can determine whether it can be exploited as a vulnerability and then packaged as an exploit.

The recent increase in reported application vulnerabilities is thought to be a direct result of the use of fuzzing tools. To further demonstrate the power of fuzzing, the vulnerability researchers at the Metasploit Project are releasing a new vulnerability for Internet Explorer every day for the month of July.

"Fuzzing will clearly accelerate the ability for hackers to discover new vulnerabilities in software applications," said Secure Computing's Paul Henry.

Secure Computing also issued a warning about the previously hidden malware search capabilities within Google, which just weeks ago were heralded as a tool reserved for anti-virus and security research firms.

According to Secure Computing, these previously hidden search capabilities have already fallen into the hands of intruders. The key to finding malware in Google lies in having the signature for the specific malware program. Intruders are now sharing these signatures openly on the Internet, making it easy to search Google for the signature of a specific piece of malware. Web sites now catalog these signatures and allow users to simply enter the malware program name and they return the signature for the malware from their database. Users of these signature catalogs are encouraged to submit new malware so the site owners can quickly generate a signature for the malware for their community of users.

"Why bother creating a new virus, worm or Trojan when you can simply find one and download it using Google," said Henry. "Unskilled hackers can use this previously unknown capability of Google to download malware and release it on the Internet in targeted attacks as if they wrote it themselves to try to impress their peers with their skills."

Posted by Jon Erickson at 09:19 AM


July 13, 2006

IBM Releases New Security Software


IBM has announced new security software that secures networks by automatically detecting and managing security threats as they happen, rather than after the damage is done.

The new software -- IBM Tivoli Security Operations Manager -- will be the company's first product to incorporate technology from IBM's acquisition of Micromuse, and comes only five months after the acquisition closed in February 2006. The software expands on the capabilities of the Neusecure product, which was recently positioned in the Leaders quadrant of the Gartner Magic Quadrant for Security Information and Event Management.

By integrating network, security, identity and systems management, IBM Tivoli Security Operations Manager can minimize how computer networks are affected by computer worms, which are a growing scourge. A single worm could potentially cause $50 billion of worldwide damage, according to the International Computer Science Institute.

The IBM software automates how security data is collected and analyzed across an IT infrastructure and prioritizes security incidents via a real-time dashboard. This cuts a company's response time from minutes to milliseconds and can make it less expensive for IT outsourcers, ISPs and corporations to maintain secure, available networks.

The software can help IT outsourcers and telecom service providers deliver more reliable service to their customers. Not only can the software monitor how security incidents affect the network's health, but network performance can also be measured against the service level agreements signed with those customers.

Companies can also use the software to monitor security controls in accordance with compliance initiatives such as Sarbanes-Oxley, Basel II, ISO17799 and CoBIT (Control Objectives for Information and related Technology), an industry framework for controlling and governing the use of technology.

IBM Tivoli Security Operations Manager lets companies automatically monitor security controls and show their level of effectiveness through real-time and historical reporting. The software offers a variety of rule and report templates that make it easier to monitor and report on security controls. Integration with different security, system and network devices, such as firewalls and host intrusion detection systems, enables the software to generate reports around audit-worthy security event details.

Tivoli Security Operations Manager integrates with network and systems management from Netcool Omnibus and Tivoli Enterprise Console -- especially to simplify workflow and communications between security and the rest of the IT organization. The software's ability to pull security data from Netcool Omnibus enables companies to monitor security incidents tied to the growing adoption of voice, video and data over IP being delivered by service providers.

Tivoli Security Operations Manager derives other security features from Tivoli Identity Manager and Tivoli Access Manager, helping companies enforce internal security policies and detect foul play by employees and contractors. Insider attacks such as identity theft, whether perpetrated by employees or contractors, typically require access to sensitive systems. This user account and access information is managed by Tivoli Access Manager and Tivoli Identity Manager, and leveraged by Tivoli Security Operations Manager for proactive assessment of security threats.

Posted by Jon Erickson at 09:26 AM


July 06, 2006

Security Survey Results Released


A new security survey of 642 large North American organizations shows that more than 84 percent experienced a security incident over the past 12 months and that the number of breaches continues to rise.

According to the study, which was conducted by The Strategic Counsel on behalf of security vendor CA, security breaches have increased 17 percent since 2003. As a result, 54 percent of organizations reported lost workforce productivity; 25 percent reported public embarrassment, loss of trust/confidence and damage to reputation; and 20 percent reported losses in revenue, customers or other tangible assets. Of the organizations that experienced a security breach, 38 percent suffered an internal breach of security.

In addition, the findings indicate that security isn't being taken seriously enough at all levels of an organization, especially in the financial service industry. Nearly 40 percent of respondents indicated that their organizations don't take IT security risk management seriously at all levels, while 37 percent believe their organization's security spending is too low. Only 1 percent believe it is too high.

Despite these findings, the survey revealed that organizations are taking steps to improve security. The three most important cited security steps were documenting security policies (88 percent), creating security education policies for employees (83 percent), and creating a Chief Information Security Officer position (68 percent) within the organization.

The survey also found that a lack of centralized security administration is affecting employee productivity. Only 6 percent of the organizations were able to provide new employees or contractors with access to all the applications or systems they require on their first day of work.

The survey also found that organizations are turning towards identity and access management (IAM) technology to improve security, enable regulatory compliance and reduce costs. More than 75 percent of the organizations surveyed have implemented some form of IAM functionality and are continuing with IAM investments, with an additional 18 percent planning to begin rolling out an IAM solution or extend their IAM deployments over the next 12-18 months.

The survey of large organizations across North America was conducted by The Strategic Counsel from January through May of 2006. The organizations surveyed had average annual revenues of $1.4 billion and average annual IT budgets of $22 million. The survey was conducted across the manufacturing, government, financial services, retail, communications, healthcare/pharmaceuticals, and oil and gas sectors. Survey margin of error ranges from +/- 2.6 to +/- 3.8 at a 95% confidence level.

Posted by Jon Erickson at 10:40 AM
