Thursday, December 31, 2009

Cloud computing - Security issues and remediation steps - Part 2

In Part 1, we looked at the definitions and some of the basic offerings in cloud computing. In this part, we will look at the security issues and some of the questions that organizations can ask providers to assess the risk.

What are the risks?

Before we get to the risks, we need to understand the requirements from the security perspective. The security requirements do not change when we discuss cloud computing; the basic requirements apply to cloud computing as well. They are:

• Preserve confidentiality, integrity, and availability
• Access Control
• Compliance
• Protect the assets and the organization against malicious agents
• Ensure business runs smoothly with optimal security

ENISA, the European Network and Information Security Agency, recently published an excellent document listing the cloud computing risks. Some of the major risks include:

  1. LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security.
  2. LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment.
  3. ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).
  4. COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:  a) if the CP cannot provide evidence of their own compliance with the relevant requirements b) if the CP does not permit audit by the cloud customer (CC).
  5. MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
  6. DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers.
  7. INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data.
  8. MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater.

What are the things to check?

Now, let's take a look at some of the things to check before an organization selects a provider. Here are some of the questions that you can ask the provider to assess its security posture. It is not a comprehensive list, but it will give you a good idea about the provider's information security capabilities.
  • Does the provider have any information security certifications like ISO 27001?
  • What are the hiring practices and background checks on the employees and administrators of the provider?
  • How is access control enforced and privilege access controlled?
  • What are the provider’s business continuity and disaster recovery plans? Does it involve any locations that your organizations may have an issue with?
  • Does the provider have any responsibility for complying with any regulations (data breach, privacy, etc)?
  • Can the provider’s access control methodologies satisfy the internal requirements?
  • Does the provider encrypt data in transit, in storage, and on tape? More importantly, identify how encryption is used and how the keys are managed.
  • Does the provider log all access to data?
  • Does the provider have direct control over their servers and infrastructure or is it outsourced again?
  • Does the provider ensure data separation with other customers?
  • Does the provider have incident response and incident notification policies?
  • How does the provider ensure customer data does not get leaked out from the provider’s network?
  • What type of intrusion monitoring (IDS/IPS, malware protection, log monitoring, database monitoring, etc) is in place?
  • How often are the devices and applications scanned for vulnerabilities, and how often are patches applied?
  • What is the SDLC process of the provider?
  • How often does the provider test the security posture by the use of a penetration test?
  • During an e-discovery request, how is the provider going to support the investigative activities?

In the third and final part of this series, I will discuss how organizations can prepare for eventually moving some of their services to the cloud.

Wednesday, December 30, 2009

Cloud computing - Security issues and remediation steps - Part 1

As we come to the end of 2009, I think it is appropriate to discuss the most talked-about computing method of the year and the security concerns associated with it. Yes, I am talking about cloud computing and cloud security. Take a look at the Google Trends data for this:

As you can see, cloud security has been getting a lot of attention this year, and that is going to continue through 2010 as well. It also made number one in Gartner's list of the top 10 technologies and trends that will be strategic for most organizations in 2010.

In this two-part series, I will try to explain what cloud computing is, its benefits and security aspects, the risks that come with it, and the important things to check before an organization decides to go in that direction.

What is cloud computing?

There are multiple definitions available, some of them are below:


Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models.

The Economist:

"Cloud-computing" - the delivery of computer services from vast warehouses of shared machines - enables companies and individuals to cut costs by handing over the running of their [enterprise applications] to someone else, and then accessing it over the internet.


Cloud Computing. Cloud computing is a style of computing that characterizes a model in which providers deliver a variety of IT-enabled capabilities to consumers.


Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies.

What are some of the benefits?

Having defined cloud computing, let's look at why organizations are moving towards cloud computing. Some of the benefits are:
  • Cost benefits
  • Performance improvements
  • Availability improvements
  • Availability of support personnel and expertise
  • Strong SLAs with the provider may be a risk mitigation strategy

What are some of the basic offerings?

Even though there are many types of offerings within cloud computing, they can all be divided into three main categories.

1. Software as a Service (SaaS)

This type of service lets the consumer use various applications running on the provider's infrastructure through a web browser. In this scenario, the provider manages the network, servers, operating systems, storage, and the applications. Vendors include Salesforce, Concur, Google, etc.

2. Platform as a Service (PaaS)

This type of service lets the consumer deploy their own applications onto the cloud infrastructure. In this scenario, the provider manages the network, servers, operating systems, and storage, but the consumer has control over the deployed applications. Vendors include Google App Engine, Intuit, etc.

3. Infrastructure as a Service (IaaS)

This type of service lets the consumer use the infrastructure, which may include the network, servers, operating systems, or storage. The consumer gets to deploy any part of the infrastructure and manage it as well. Vendors offering this type of service include Amazon EC2, rPath, Microsoft Azure, etc.

In the second part of the series, I will cover the security issues associated with this type of computing technology and identify a series of questions that organizations can ask the potential vendors.

Saturday, December 19, 2009

Changes in Facebook Privacy settings

I wrote about privacy issues with social networking sites, here and here. Here is another instance of why you should be careful what you post on these sites.

Facebook recently changed the privacy settings available to users, and in the process made much of the information visible to the "everyone" group. Most users do not track such announcements or changes, which leaves their personal information searchable by everyone.

Read about the changes here and here.

URL shortening services - is it safe to use?

You have probably noticed the increased use of URL shortening sites such as TinyURL, Bit.Ly, ShortURL, and the new Such services help blog writers and Twitter users list URLs as a short word. The short word does not show the real URL, but clicking on it takes you to the actual web site.

Is it safe to use, and what are the dangers behind it?

Some of the risks include:

  • We don't know where the link is taking us.
  • The real site could be a malware hosting site, which could be mapped to a popular and known site.
  • Such URLs could be used for a phishing attack.

So how do you protect yourself?

Use online services such as LongURL or ExpandMyURL. If Firefox is your browser, add this add-on, which uses the LongURL online expansion service to verify the destination. Above all, try not to use such services.
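What an expansion service such as LongURL does for you can be reproduced locally: walk the redirect chain with HEAD requests, never fetch the final page body, and stop on loops or overly long chains. This is an added example written for this post, not code from LongURL or the Firefox add-on; the short.example / track.example / login-bank.example hosts and their responses are constructed so it runs offline.

```python
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # short links rarely chain more than two or three hops


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following 3xx responses so every hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def head_request(url: str) -> Tuple[int, Optional[str]]:
    """Send one HEAD request and return (status, Location header or None).

    HEAD fetches headers only, so the destination's page body never reaches
    the client. A 3xx surfaces as HTTPError because redirects are disabled."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand_short_url(url: str,
                     head: Callable[[str], Tuple[int, Optional[str]]] = head_request,
                     max_hops: int = MAX_HOPS) -> List[str]:
    """Return the redirect chain from a short URL to its final destination.

    Each hop is resolved against the previous URL (Location may be relative),
    a revisited URL is reported as a loop, and the walk stops after max_hops so
    a misbehaving redirector cannot hang the caller."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain  # reached a real page (2xx), an error, or a dead link
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise RuntimeError(f"gave up after {max_hops} hops: " + " -> ".join(chain))


def final_host(chain: List[str]) -> Optional[str]:
    """Host the user would actually land on; compare it with where they expect to go."""
    return urlparse(chain[-1]).hostname


# Constructed responses standing in for real servers so the example runs offline.
FAKE_SERVERS = {
    "http://short.example/abc": (301, "http://track.example/r?id=abc"),
    "http://track.example/r?id=abc": (302, "https://login-bank.example/"),
    "https://login-bank.example/": (200, None),
    "http://short.example/loop": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "/loop"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_SERVERS.get(url, (404, None))


if __name__ == "__main__":
    hops = expand_short_url("http://short.example/abc", head=fake_head)
    print(" -> ".join(hops))
    print("final host:", final_host(hops))
```

Call expand_short_url with the default head_request to resolve a real short link; the tracker hop in the sample chain is the kind of intermediate a shortener hides from you.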

Wednesday, December 9, 2009

Cenzic announced its latest trend report on web application security for the first half of 2009. The report is based on the analysis of vulnerability reports from various sources such as SecurityFocus, CVE, SANS, US-CERT, SecurityTracker, and other third-party databases.

Some key highlights from the report include:
  • The biggest surprise was Firefox, which had 44% more vulnerabilities than the other browsers. Another surprise was Safari: it usually has few vulnerabilities, but came in at 35%, significantly higher than IE, which came in at 15%.
  • Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities
  • 78% of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX.
  • Information Leaks, XSS, Authentication / Authorization and Session Management flaws continue to dominate.

The complete report is available here.

Saturday, December 5, 2009

SANS courses coming to India

Suresh from SANS Asia Pacific sent me this message:

SANS is pleased to be bringing two popular and important security courses to Bangalore with SANS India 2010 on 22-27 February 2010.  These two six-day courses go beyond the basics and will ramp up your hacking/incident handling or forensics skills:

-  Security 504: Hacker Techniques, Exploits & Incident Handling - Bryce Galbraith
-  Security 508: Computer Forensics, Investigation, and Response - Chad Tilbury

Event Link:

As a special initiative for this event only, SANS is launching a Colleague Rebate to make these classes accessible and affordable to as many students as possible in India. Simply register with your friends and colleagues to earn rebates on tuition. The larger your group, the larger the rebate each group member will receive!

For example:
If you register as a group of 3 to 5 students for our classes at SANS India 2010, each member of the group will receive a 10% rebate of tuition paid.

If you register as a group of 6 to 10 students for our classes at SANS India, each member of the group will receive a 15% rebate of tuition paid.

If you register as a group of 11 students or more for our classes at SANS India, each member of the group will receive a 20% rebate of tuition paid.

Note that group members can come from different organizations so feel free to link up with your current and former classmates, work colleagues, and fellow association members and register as a group in order to qualify for the Colleague Rebate!

How do you take advantage of the Colleague Rebate for SANS India 2010?

 1. Register for your selected course at SANS India 2010 via the SANS webpage at

 2. Start spreading the word via your professional, personal and social networks to get your colleagues interested in attending a course at SANS India 2010 to join your Colleague Rebate Group.

 3. Contact us at for a Colleague Rebate Group Registration Form. Complete the form in full with the names and contact information of your Colleague Rebate Group and return it to us via e-mail at

 4. Once SANS has received registrations and payment from all the members of your group according to the Terms and Conditions below, SANS will then reduce/rebate the fee for each individual.

 5. Colleague Rebates will be calculated on the number of paid students from your list attending SANS India 2010 per the terms and conditions in the following section.

Did you get SHODAN'ed?

A new and unique search engine came up last week; it shows the vulnerable services on various Internet-facing hosts. Basically, someone scanned many IP addresses accessible from the Internet, indexed the results, and put them up as a free service. You must be thinking that this is a goldmine for hackers; yes, it is.

One simple query you can run is and replace the company name with your company name.

Tuesday, November 24, 2009

OWASP 2009 India Notes

I was at the OWASP Asia AppSec conference last week. It was awesome: great speakers and a great crowd.

It was my first application security conference; it had a good mix of application security topics and other information security and privacy related material.

I also found a good mix of attendees, both developers and core information security folks. I was particularly impressed not only by the sheer number of people from the development community who attended this conference, but by the amount of knowledge and understanding this group possessed in the field of information security. I have blogged about the need to make applications more secure and the need for secure development and testing; it was great to see the support and understanding, and I think it is an extremely good sign for India and Indian companies.

There were not many vendor booths. I am not sure whether that was intentional; I did not get a chance to ask the organizers.

SANS had a booth, and it was great to hear that they are going to start some of their courses in India in the coming months; they already had 3 courses as part of this conference. Suresh, who is the MD for Asia Pacific, told me that they are going to have two courses in Bangalore in February 2010.

Here are the notes from some of the talks I attended.

How to Blackbox test almost anything - Aviram Jenik

  • The majority of today's vulnerability discovery is through blackbox testing, also known as fuzzing
  • Blackbox testing is about testing inputs
  • Inputs are the biggest problem and are mostly ignored by developers
  • Testing inputs properly solves the majority of the problems

Threat modeling - Varun Sharma

  • Threat modeling is a repeatable process to find and address all threats to a product.
  • The best time to identify threats and remediate them is at the design stage.
  • Create a data flow diagram first and update it when changes are made.
  • For mitigation, use standard and common mitigation steps.
  • Validate thoroughly.
  • The SDL Threat Modeling Tool is one of the tools provided by Microsoft to help identify threats and mitigation steps

Privacy in Security - Dr. PK

I thought this was the best talk. I am biased because "privacy" is one of my favorite topics and also because the tools he discussed in the talk are familiar to me; I had blogged about one of them, the phishing game, back in October. Dr. PK talked about some of the privacy concerns and specifically about the non-availability of empirical data on privacy losses in India. He also talked about both the human side and the technology side of phishing and discussed some of the tools that were part of his research.

Ten things web developers still aren't doing - Frank Kim

Frank talked about some common web programming techniques that can easily be implemented. Some of his tips were:
  • Use well-known validation code such as OWASP ESAPI
  • Perform proper canonicalization
  • Perform output encoding and escaping
  • Employ strong passwords
  • Use CSRFGuard from OWASP

Friday, November 20, 2009


OWASP has released the release candidate of the new version of the Top 10; it is now moving from a vulnerability-based to a risk-based rating system. Instead of only identifying the vulnerabilities, it tries to portray the attack vectors, the security weaknesses, and the real impact. Once we have all these details, the missing piece needed to identify an organization's specific risk is the value of the asset.

One of the changes that I wanted to see: configuration weakness has been included. It is one of the most prevalent issues today; an organization may have very secure code, but if it allows insecure HTTP methods like DELETE or MKCOL in IIS, that is a welcome message to the hackers.

This release added "unvalidated redirects", which covers redirection of pages. Even though it is a considerable risk, it is difficult to exploit; I would have kept "improper error handling" right there.

Major changes are given below.  

1) We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the "Understanding Application Security Risk" page below.

2) We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This affects the ordering of the Top 10 somewhat, as you can see in the table below.

3) We replaced two items on the list with two new items:

+ ADDED: A6 - Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped because it wasn't thought of as a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10, and so now it's back.

+ ADDED: A8 - Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.

- REMOVED: A3 - Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications with this problem. PHP is now shipped with more default security, lowering the prevalence of this problem.

- REMOVED: A6 - Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal.

Note that this is only a release candidate and you are welcome to submit your comments to the OWASP team.
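To make the new A8 entry concrete, here is the unvalidated redirect weakness as a login handler would typically carry it, beside a hardened version that honours only same-site paths or allow-listed hosts. This is an added example for this post, not OWASP's code; the ALLOWED_HOSTS entries and the evil.example host in the comments are assumed/constructed.

```python
from urllib.parse import urlparse

# Hosts this (hypothetical) application may send a user to after login.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_LANDING = "/"


def vulnerable_redirect_target(next_param: str) -> str:
    """'Before' form: the client-supplied ?next= value is used verbatim, so a
    crafted link on our own domain can drop the user on any site the attacker
    picks. That is what makes the weakness useful for phishing."""
    return next_param


def safe_redirect_target(next_param: str, default: str = DEFAULT_LANDING) -> str:
    """Hardened form: honour only same-site paths or allow-listed hosts.

    Anything else (other hosts, other schemes, protocol-relative or
    backslash-mangled forms, userinfo tricks) falls back to the default."""
    if not next_param or any(ch.isspace() for ch in next_param):
        return default
    parsed = urlparse(next_param)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, and friends
    if parsed.netloc:
        # hostname strips userinfo and port, so
        # https://www.example.com@evil.example/ resolves to evil.example here.
        host = (parsed.hostname or "").lower()
        return next_param if host in ALLOWED_HOSTS else default
    # No host given: accept only a plain absolute path. Browsers treat a
    # backslash like a slash, so "/\evil.example" would become "//evil.example".
    if "\\" in next_param or not next_param.startswith("/") or next_param.startswith("//"):
        return default
    return next_param


if __name__ == "__main__":
    for candidate in ["/account/settings", "http://evil.example/login",
                      "//evil.example", "https://accounts.example.com/profile"]:
        print(f"{candidate!r:45} vulnerable -> {vulnerable_redirect_target(candidate)!r:35} "
              f"safe -> {safe_redirect_target(candidate)!r}")
```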

Sunday, November 15, 2009

Information Security Conferences in India

After moving to India last year, one of my priorities has been to look for networking opportunities and conferences in the information security space. I will have my first opportunity this week when I attend the OWASP AppSec conference in Gurgaon, near Delhi. AppSec India consists of a two-day conference, which covers various topics, and two days of training. SANS conducts 3 separate training tracks, two in the development track and one in the audit track.

If any of the blog readers are going to be attending, I hope to meet you there.

Another conference that is coming up in November is the NASSCOM DSCI Information Security Summit 2009. 

From time to time I will post other conferences and networking opportunities that come along in my inbox.

Saturday, November 14, 2009

SMB zero day affecting Win 2K3, XP, Vista, 7, and 2K8

Laurent Gaffie, a security researcher, identified a DoS vulnerability affecting the SMB protocol. It causes the target machine to freeze and become unresponsive; a reboot is the only way to recover. Read more about this on his blog.

Microsoft came up with an advisory, which states the workaround as blocking TCP port 139 and TCP port 445 at the perimeter firewalls. Microsoft also confirmed that this vulnerability cannot be used to take control of the machine or install malicious software.

SANS handlers also tested this vulnerability; read about it here.

Friday, November 13, 2009

Another Microsoft software testing tool

I wrote about the CAT.NET tool in an earlier blog entry; it performs static analysis of .NET code, checking the code against a set of signatures for various parameters. Microsoft has released another tool to check web applications using the same set of signatures. This new tool, WACA CTP, can be used to scan web applications; its signature set consists of around 100 IIS, ASP.NET and SQL Server settings.

Microsoft has developed a variety of tools to help developers and testers identify vulnerabilities; it is up to the organizations and the application development teams to take the lead and implement secure coding and testing practices. There is no excuse not to do it.

Wednesday, November 11, 2009

First iPhone worm

This week's big news was the iPhone worm, which changes the iPhone's wallpaper. It affects only "jail-broken" iPhones, and it may not be a dangerous worm, but the same technique could be used for various malicious purposes, including data leakage.

What is the vulnerability?

Jail-broken iPhones have the SSH daemon enabled by default, and these phones have a default root password. So jail-broken phones with an unchanged root password are vulnerable to this.

How does the worm spread?

The worm spreads by scanning other iPhones in the local IP address range; the scan looks for the SSH daemon and, if it finds one, tries to log in using the default password. Post compromise, it copies an image file over the default wallpaper image. Note that the same attack vector can be used to leak data, plant other programs, etc.

How to remediate this vulnerability?

If you have a jail-broken iPhone, change the password immediately; follow the instructions provided in this article.

Sunday, November 1, 2009

FTC extends Red Flag Rules deadline

The US Federal Trade Commission (FTC) has extended the enforcement deadline of the "Red Flag Rules" until June 1, 2010. 

The Red Flags Rule requires all creditors and financial institutions that have “covered accounts” to have an identity theft prevention program to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. According to the FTC, a "covered account" is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. "Covered accounts" include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

If your organization has not started the compliance efforts, this is a good time to start.


The how-to guide is available here.

Friday, October 30, 2009

New NIST document "Small Business Information Security: The Fundamentals"

NIST has published a new document on information security for small businesses to help them secure their information assets. It is a good read to understand the fundamentals of information security, and it also lists some of the must-have practices. The document is here.

Friday, October 23, 2009

Metasploit project acquired by Rapid7

I was really surprised to hear the news that the Metasploit project has been acquired by Rapid7. HD Moore, the creator of Metasploit, will be joining Rapid7 as full-time staff. Moore insists, in a podcast with Risky.Biz, that all core software developed by the new full-time team will remain free and open source.

Hopefully this is good news, in that he can spend more time developing Metasploit into an even more exciting product. This reminds me of the similar moves by Nessus - Tenable and Snort - Sourcefire.

Useful cheat sheets - addition

Adding another cheat sheet to the mix. The Transport Layer Protection Cheat Sheet provides various options, with explanations, for implementing TLS in a web application.

The other collection I posted a while back is here

Friday, October 9, 2009

Cyber Security Awareness Month

October is National Cyber Security Awareness Month; this is a good time to review security practices and conduct sessions to make users aware of the program. It is also a good time to think about the home front: see what the cyber threats are and assess the defensive measures taken by you and your family members. Educate the kids and other family members on the importance of cyber security. Some useful links are below.

Saturday, October 3, 2009

Phishing and Spam IQ Quiz

Think you are good at identifying spam and phishing emails? Take this small quiz and test your skills. Don't be disheartened if you don't get 10/10; only 7.4% of test takers got 100%.

On the first page they provide you with some helpful hints, try not to look at those hints initially and see how you score. By the way, I got a 10/10.

Need more of a challenge? Head over to Phil, the phishing game developed by CMU labs.

Thursday, October 1, 2009

Microsoft's Free Anti-malware Tool

Microsoft has released the final version of the Microsoft Security Essentials program. The free malware protection software, which until now was available only to a limited number of beta testers, is now available for download; it guards against viruses, spyware, and other malicious software.

Now, the obvious question is how good it is. According to the Washington Post report,

"AV-Test ran MSE against 3,732 samples of malware that are currently infecting PCs around the world, and found that the program blocked all of them, both when the samples were opened or accessed and when the malware was manually scanned."

Sunday, September 20, 2009

New SANS forensic certification

Rob Lee at SANS sent this email requesting security professionals to rate the requirements of a new forensic certification, the GCFE:

If you already hold forensics credentials such as the GCFA, your input will be valuable in shaping the future of the new GCFE credential. The survey requires you to identify yourself and list your qualifications. Your name may be listed in the validation report that is submitted for accreditation. This survey will take an estimated 15 minutes of your time. The JTA can be accessed at the link below. It will be available through September 30th.


Microsoft application assessment tools

As mentioned in the previous blog, cybercriminals are increasingly attacking applications, and hence it is critical to develop secure applications through standardized SDLC processes. Microsoft offers many tools to test and validate the security of developed applications, and recently they released a number of tools in this area:

Risk Tracker: a tool that manages and tracks information security risk.

BinScope Binary Analyzer: Microsoft says that its developers and testers are required to use this tool as part of the SDL. It analyzes binaries for a wide variety of security protections, such as detecting stack-based buffer overflows and ensuring safe exception handling.

CAT.NET v1 CTP: a binary analysis tool to identify XSS, SQL injection and XPath injection in the code.

Saturday, September 19, 2009

Cyber Security risks

Cyber criminals are increasingly attacking applications; this is the finding of a study published by SANS this week. The Top Cyber Security Risks report combines intelligence from TippingPoint, Qualys and SANS themselves. The two main risk areas are listed below.

"Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access."

"Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits."

As you can see, the two areas that cyber criminals go after are client-side application vulnerabilities, where there have been many 0-days and patch releases have traditionally been slow, and web application vulnerabilities. The example they have shown is very real and something that we see on a daily basis, the latest example being the New York Times incident.

If you combine this with the Verizon report, we can assume that client-side application and web application vulnerabilities are increasingly used as entry points, but the cyber criminals' main target is getting sensitive information from the organization's critical databases.

The SANS report also lists some of the mitigation steps.

Friday, September 18, 2009

Attacks on BGP protocol

BGP is the protocol that runs the Internet backbone, so DoS attacks against BGP could be devastating. Last month there was a targeted DoS against the BGP protocol; Cisco corrected the issue, read the announcement.

Sunday, August 23, 2009

Data breach news and analysis

Folks at Open Security Foundation have started a new web site which will offer news and analysis on the various data breaches. From the announcement,  
" is a free and dynamic community of interest dedicated to helping companies mitigate the damages associated with the loss of personally identifiable information. We provide news, opinions, expert analysis, white papers, dialogue and reviews on data breach recovery."  

Following are some other sites where we can get data breach and identity theft information. (pre 2008)  

FTC lists the cases involving the privacy of consumer information under Section 5 of the FTC Act:

Friday, August 14, 2009

Online reputation

One of the readers asked about RBLs, so here you go.

What is your reputation in the Internet world? How do you know that you don't have any zombie machines inside your network sending out spam emails? Your domain name and IP addresses get classified as spam originators by various reputation authorities if they identify any systems or networks within your domain sending out spam. Such reputation authorities let you check whether they have classified any devices in your domain as spam originators. Commercial spam filtering devices do regular lookups against these authorities to identify and block such spam sources.
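The lookup those spam filters perform is a plain DNS query, so you can run the same check against your own outbound addresses. This is an added example, not code from any reputation authority: the zone dnsbl.example, the answer-code meanings and the FAKE_DNS answers are constructed so it runs offline, and a real check substitutes the zone and codes your chosen list publishes.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Hypothetical list zone for this example; a real deployment uses the zone name
# published by the reputation authority it subscribes to.
DNSBL_ZONE = "dnsbl.example"

# Constructed meanings for the answer codes; every list documents its own codes.
LISTING_CODES = {
    "127.0.0.2": "confirmed spam source",
    "127.0.0.3": "open relay or proxy",
    "127.0.0.4": "dynamic address that should not send mail directly",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the lookup name: octets reversed, zone appended.
    192.0.2.10 -> 10.2.0.192.dnsbl.example"""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage such as hostnames
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Ask the host's DNS; NXDOMAIN (address not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_reputation(ip: str, resolve: Resolver = system_resolver,
                     zone: str = DNSBL_ZONE) -> Dict[str, object]:
    """Report whether ip is listed and what the list says about it.

    A DNSBL answers an A query for the reversed address with a 127.0.0.x value
    when the address is listed, and with NXDOMAIN when it is not. Any answer
    outside 127.0.0.0/8 is an error (for example a resolver that wildcards
    unknown names), not a listing, so it is raised rather than misreported."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"ip": ip, "query": name, "listed": False, "reason": None}
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise RuntimeError(f"unexpected DNSBL answer {answer} for {name}")
    reason = LISTING_CODES.get(answer, f"listed with undocumented code {answer}")
    return {"ip": ip, "query": name, "listed": True, "reason": reason}


def listed_hosts(ips: List[str], resolve: Resolver = system_resolver,
                 zone: str = DNSBL_ZONE) -> List[Dict[str, object]]:
    """Check every public address your domain sends mail from; return the listed ones."""
    return [r for r in (check_reputation(ip, resolve, zone) for ip in ips) if r["listed"]]


# Constructed answers standing in for a DNS server so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",
    "22.2.0.192.dnsbl.example": "127.0.0.4",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for hit in listed_hosts(["192.0.2.10", "192.0.2.15", "192.0.2.22"], resolve=fake_resolver):
        print(f"{hit['ip']} is listed: {hit['reason']}")
```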

Saturday, August 8, 2009

Cisco IPS - new feature

For those who use Cisco IPS devices, check the following announcement,

"IPS 7.0 contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data in to its system to detect and prevent malicious activity even earlier."

Read the release notes to get more information.

SNORT and IPTABLES users may be familiar with a similar concept, wherein you could do lookups against various Realtime Blackhole Lists, or RBLs.

Friday, August 7, 2009

Clampi Virus

As the world deals with the swine flu virus, there is an equally destructive virus / trojan affecting the computing world. It is known as Clampi, and it is one of the deadliest trojans making the rounds on the Internet. According to a report, it is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions.

Typically, trojans such as this get installed when people open infected attachments, or even by simply visiting a web page with a vulnerable browser or vulnerable plug-ins such as Flash or PDF readers. People may visit such web sites intentionally, or they may be taken there unintentionally by clicking on a link on a regular, normal site that has an XSS or similar vulnerability.

In any case, once the trojan gets installed it copies itself as a legitimate-looking system executable such as svchosts.exe or event.exe in one of the folders. Because these look like legitimate applications, they are difficult to identify in Task Manager. The key, however, is that these files get installed in a folder other than "C:\WINDOWS\system32" (on Windows XP). Tools such as "tlist" identify which application (with its path) launched a process. The trojan also makes many registry changes, so understanding the registry structure and monitoring for changes is key here.
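The path check described above, as an added example that is not the author's code: given a process listing that includes image paths, flag the system-looking names the post mentions when they run from anywhere other than the system directory. The listing format (tab-separated pid, name, path) and the sample lines are constructed; adapt the parser to whatever tlist or your inventory tool emits.

```python
import ntpath

# Names the post says the trojan masquerades under (svchosts.exe is itself a
# lookalike of the real svchost.exe); any of these running from outside the
# system directory deserves a closer look.
WATCHED_NAMES = {"svchost.exe", "svchosts.exe", "event.exe"}
# Windows XP default system directory; extend for other Windows versions.
SYSTEM_DIRS = {r"c:\windows\system32"}

def parse_process_listing(text):
    """Parse constructed tab-separated 'pid<TAB>name<TAB>image path' lines."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pid, name, path = line.split("\t", 2)   # ValueError on a malformed line
        procs.append({"pid": int(pid), "name": name, "path": path})
    return procs

def is_masquerading(proc):
    """True when a watched name runs from a directory other than system32."""
    if proc["name"].lower() not in WATCHED_NAMES:
        return False
    directory = ntpath.dirname(proc["path"]).lower().rstrip("\\")
    return directory not in SYSTEM_DIRS

def find_suspicious(text):
    """Return the processes in a listing that need investigation."""
    return [p for p in parse_process_listing(text) if is_masquerading(p)]

SAMPLE_LISTING = (
    "# constructed sample listing, not real tlist output\n"
    "612\tsvchost.exe\tC:\\WINDOWS\\system32\\svchost.exe\n"
    "1320\tSVCHOST.EXE\tC:\\WINDOWS\\System32\\svchost.exe\n"
    "2044\tsvchosts.exe\tC:\\Documents and Settings\\user\\Application Data\\svchosts.exe\n"
    "2100\tevent.exe\tC:\\WINDOWS\\event.exe\n"
    "2312\tnotepad.exe\tC:\\WINDOWS\\system32\\notepad.exe\n"
)

if __name__ == "__main__":
    for p in find_suspicious(SAMPLE_LISTING):
        print(f"PID {p['pid']}: {p['name']} running from {p['path']}")
```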

The trojan then connects to various web sites that act as command and control centers and downloads the tools required to 1) spread to other machines and 2) grab personal information from the machine, encrypt it, and send it back to the command and control center. One such tool it downloads is psexec, which is used to connect to other machines on the network and install the trojan there. To identify this behavior, security practitioners should have a good understanding of normal network behavior and block unusual or unnecessary outbound connections from the internal network.

Some of the other key takeaways are:

  • Don't use or give administrative credentials to regular users; administrative credentials enable the ability to install programs.
  • Block all, or at least unnecessary, outbound access.
  • Monitor for unusual traffic on the network; have a good understanding of the baseline traffic.
  • Keep open file shares to a minimum or remove them altogether if possible. Periodically scan for open shares and audit them thoroughly.
  • Users should be made aware of the dangers of visiting unknown web sites, clicking on unknown links, and downloading unknown files.
  • Patch. Follow a strict vulnerability management process.
  • Keep antivirus signatures up to date. Automate the identification of infected machines.
  • Be ready for incidents like this; practice incident response skills.

Read some of the interesting write-ups on the Clampi virus / trojan.

Thursday, July 30, 2009

Vulnerabilities in Visual Studio Active Template Library

Microsoft released an out-of-band security bulletin to address security bugs in the Active Template Library. Microsoft strongly recommends that developers who have built controls or components with the Active Template Library take immediate action to evaluate their controls for exposure to the vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable. Many versions of Visual Studio are affected.

What is Active Template Library?
The Active Template Library is a set of template-based C++ classes with which you can easily create small, fast Component Object Model (COM) objects such as ActiveX controls.

More details are here:

Saturday, July 25, 2009

Another large data breach involving credit cards

A breach at Network Solutions exposed a large number of credit card records. According to various reports, hackers inserted code on Network Solutions' servers that sniffed customer credit card numbers and personal information. The breach affected accountholders of Network Solutions' domain registration and Web services, as well as numerous online retailers that use the company's hosting and online payment services.

After the Heartland Payment Systems breach earlier this year, this is another payment gateway breach, which shows that hackers are increasingly targeting such organizations and credit card information in general.

More information is available here.

Friday, July 24, 2009

SQL Injection videos

Along with XSS, SQL injection is one of the most dangerous and most exploited web application vulnerabilities; I wrote about it here.

Many organizations and individuals struggle to differentiate between network-wide and data-centric attacks, and to see that firewalls and traditional perimeter security do not prevent many such attacks. Demonstrating data-centric attacks is a great way to make them understand these types of threats and how to defend against them.

Just as a refresher, relational databases such as Oracle, MS SQL, Sybase, and MySQL store data in the form of related tables of records. Such records can be accessed, queried, or modified by specially formatted statements written in a standard language called Structured Query Language, or SQL. With the need to access these records from a web front end, SQL injection attacks became popular. So, SQL injection is nothing but a set of SQL commands supplied by an attacker through the web front end and executed by the database.
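As an added example (not from the original post), the same lookup written the vulnerable way beside the parameterized way, against a constructed in-memory SQLite table: concatenating input into the statement lets the classic tautology payload turn a single-row lookup into a full table dump, while a bound parameter keeps the input as data.

```python
import sqlite3

def make_db():
    """Constructed in-memory customer table standing in for a real back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "1111"),
                      ("bob@example.com", "2222"),
                      ("carol@example.com", "3333")])
    return conn

def build_vulnerable_sql(email):
    """String concatenation: whatever the user typed becomes part of the SQL."""
    return "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"

def lookup_vulnerable(conn, email):
    return conn.execute(build_vulnerable_sql(email)).fetchall()

def lookup_parameterized(conn, email):
    """Bound parameter: the driver sends the input as a value, never as SQL text."""
    return conn.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                        (email,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Textbook tautology payload: closes the quote and appends an always-true clause.
    hostile = "x' OR '1'='1"
    print(build_vulnerable_sql(hostile))          # ... WHERE email = 'x' OR '1'='1'
    print(lookup_vulnerable(conn, "alice@example.com"))   # one row
    print(lookup_vulnerable(conn, hostile))       # every row in the table
    print(lookup_parameterized(conn, hostile))    # no rows: no such literal address
```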

Wednesday, July 22, 2009

CISSP sample tests

Many CISSP aspirants ask me this question: what is the best source of free sample tests? Here is a great source; they have many sample tests covering the CISSP domains, check it out.

Friday, July 17, 2009

Nmap 5

A new version of Nmap is out. Some of the new features include: the addition of the Ncat tool for data transfer, redirection, and debugging. This helps in interacting with web servers, mail servers, or malware-infected machines.

The addition of the Ndiff tool to aid in the comparison of Nmap scans. It takes two Nmap XML output files and prints the differences between them.
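To make concrete what that comparison looks like, here is an added example (not Ndiff itself and not the author's code) that reads two constructed Nmap XML outputs with the standard library and reports ports that opened or closed between the two scans, including hosts that appear only in one of them.

```python
import xml.etree.ElementTree as ET

def open_ports(nmap_xml):
    """Map host address -> {(port, proto): service name} for ports in state 'open'."""
    result = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                svc = port.find("service")
                key = (int(port.get("portid")), port.get("protocol"))
                ports[key] = svc.get("name") if svc is not None else "?"
        result[addr] = ports
    return result

def diff_scans(old_xml, new_xml):
    """Return ('+'|'-', host, port, proto, service) for each changed open port."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = []
    for addr in sorted(set(old) | set(new)):
        before, after = old.get(addr, {}), new.get(addr, {})
        for p in sorted(set(after) - set(before)):
            changes.append(("+", addr, p[0], p[1], after[p]))
        for p in sorted(set(before) - set(after)):
            changes.append(("-", addr, p[0], p[1], before[p]))
    return changes

# Constructed scan outputs in Nmap's XML layout (trimmed to the elements used above).
BASELINE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
</nmaprun>"""

TODAY_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="closed"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
</nmaprun>"""

if __name__ == "__main__":
    for sign, host, port, proto, svc in diff_scans(BASELINE_XML, TODAY_XML):
        print(f"{sign} {host} {port}/{proto} {svc}")
```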

An improved scripting engine (introduced in version 4.5). This allows users to create simple scripts to automate a wide variety of networking tasks. Nmap added 32 more scripts; they are available here.

An improved Zenmap GUI (also introduced in version 4.5), the GUI version of Nmap. It comes with the capability to map a network and then save it as an .svg file (scalable vector graphic) for visual labeling or documentation. These files can be used with open source vector graphic tools like Inkscape.

I grabbed the latest GUI version and ran a scan against my Linksys router; here is the output:

If you want to learn more about Nmap, Fyodor's book is the best, hands down. Part of that book is available for free here.

Friday, July 10, 2009

End of Milworm

A very sad day for information security professionals. One of the web sites that helped many incident responders, security researchers, pentesters, and script kiddies alike is shutting down.

Here are some of the alternatives:

Milworm Tarball

Update: The creator of Milworm, with the help of many others, will keep the site up and continue the great work.

Friday, July 3, 2009

Twitter security problems

Are you a Twitter user? If yes, you need to consider the many worms and other issues that affect Twitter; here are some of the recent ones.

Apart from the many worms and exploits listed above, as recently as last month its SSL page was using a certificate signed with MD5 hashing and RSA; it has been corrected now. If you remember, back in December 2008 a group of researchers demonstrated an MD5 collision, which affects SSL sites whose certificates are signed with an MD5 hash. The exact problem is described on the Microsoft security blog:

"An MD5 hash collision allows a malicious user to potentially generate a rogue certificate derived from a valid one. This user can then impersonate a valid site or person since both certificates look legitimate because the certificate hashes are the same. An attacker will have to lure a user to initiate an SSL/TLS connection, then the certificate will be validated by the client and it will seem valid. Thus, the user will think that it is establishing a safe connection with site or person when in fact it is connecting with the attacker."

Another way to verify this is the "SSL Blacklist" Firefox add-on.

Tuesday, June 9, 2009

Secunia PSI

Check my earlier post on this topic.

Secunia PSI is one of my favorite programs; a new release is out with some new features, check it out.


Tuesday, June 2, 2009

Information Security Policies

While doing some research, I came across this Cisco study.

There are two interesting policy findings:

  • The majority of businesses (77 percent) have security policies in place.
  • More than half of the employees surveyed admitted that they do not always adhere to corporate security policies.

So, what are the reasons for this? In my view there are many possibilities:
  • Policies are not defined correctly
  • Users are not able to understand them
  • They are not aligned with the business processes
  • They do not have management's and business leaders' buy-in
  • They are not communicated properly
  • There are no monitoring mechanisms in place to verify compliance
  • No action is taken in case of policy violations

Sunday, May 17, 2009

Useful cheat sheets

Here is a collection of cheat sheets. I find them extremely useful.

Windows command line cheat sheet

TCP/IP Cheat Sheet

Tcpdump cheat sheet

Linux Security Quick Reference

Oracle Security Cheat Sheet

Nmap & Nessus Cheat Sheet

Google Hacking and Defense Cheat Sheet

SQL Injection Cheat Sheet

Cross Site Scripting Cheat Sheet

Web application Cheat Sheet

XSS Cheat Sheet

Intrusion Discovery Cheat Sheet Windows

Intrusion Discovery Cheat Sheet Linux

Windows looking for compromise

Checking Unix / Linux for compromise

DDoS incident response cheat sheet

Security incident survey

Memory analysis cheat sheet

Forensic analysis cheat sheet

Saturday, May 9, 2009

Help create a safe Internet

Similar to security within an organization or within a community, security on the Internet is also everyone's responsibility. Individuals must understand the various cyber threats in order to protect not only themselves, their families, and friends but the whole community. I recently stumbled upon a great site that gives security solutions for everyone who uses the Internet. The site, mysecurecyberspace, is sponsored by Carnegie Mellon CyLab.

Perimeter protection using Juniper Firewalls

I am re-publishing one of my earlier papers on Juniper Firewalls, even though this talks about an older version, the features are still relevant today.

Perimeter protection using Juniper Firewalls

In this information age where worms, viruses and various other Internet attacks proliferate, securing the perimeter becomes more and more critical for any organization. This paper looks at an economical solution for a small organization to protect the perimeter.

The solution presented in this paper involves the use of low end Juniper Firewalls.

Internet attacks are performed in a variety of ways, and Juniper Firewalls provide protection against many of them. Below is a brief description of the various ways an attacker may try to intrude into an organization's network.

  • Ping Sweeps
To understand the network layout, an attacker uses various reconnaissance techniques, including pinging various internal hosts that may or may not respond to pings.

The Juniper Firewall can reject all ping requests after a specified threshold.

  • Port Scanning
The purpose of this method is to identify open ports; once an open port is found, further scanning can be done to identify the version of the application and exploit the vulnerabilities found in that application.

The Juniper Firewall can detect and drop scan attempts after a specific threshold. The firewall can also detect and stop scans that use unusual flag combinations like SYN-FIN, no flags, all flags, etc.

  • IP options scanning.
An attacker uses this scanning option as a reconnaissance step to gain more knowledge of the network. The majority of these IP options are never used in a typical network, and the Juniper Firewall can detect these scans.

  • IP spoofing attacks.
An attacker uses the IP spoofing technique, where it makes the intermediary device think that the packet came from a trusted source, to gather more information about the network and attack it.

Juniper Firewalls can be configured to drop such packets.

  • Denial-Of-Service attacks.
A denial-of-service attack is an attempt to make a targeted device's resources unavailable to its users by sending huge amounts of traffic to that device. If such an attack originates from multiple source devices or networks, it is called a Distributed Denial-of-Service attack. These attacks can take many forms, like SYN floods, UDP floods, ICMP floods, etc.

The Juniper Firewall can prevent such attempts by assigning thresholds that limit the number of permitted sessions from a source IP and to a destination IP. It can also be configured to use a SYN proxy to identify and drop incomplete sessions. Similar protection can be configured against ICMP and UDP flood attacks.

Apart from these protections, the Juniper Firewall can also protect against OS-specific attacks like Ping of Death, WinNuke and Teardrop attacks.

  • Malicious URL protection
Some URLs entered by the attacker facilitate attacks based on legal but malicious HTTP requests designed to break the server. Many exploits on Web servers have been based on URLs that were technically legal but employed buffer overflows or similar techniques.

The Juniper Firewall examines the data payload of all HTTP packets; if it identifies a malicious URL it blocks that packet from passing through the firewall. The firewall can also be configured to look at fragmented packets.

  • Virus scanning
A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. The Juniper Firewall supports both internal and external virus scanning.

  • Spyware protection.
Spyware is a program that gathers user information through the user's Internet connection without the user’s knowledge, usually for advertising purposes.

The Juniper Firewall can be configured to block incoming spyware, adware, keyloggers, and related malware to prevent it from penetrating the organization's perimeter.

  • Web filtering
Web filtering enables an organization to manage Internet access by preventing access to inappropriate web content.

The Juniper Firewall supports both integrated and external web filtering.

  • Deep Inspection
Deep Inspection is a mechanism for filtering the traffic permitted by the firewall, where it examines Layer 3 and Layer 4 packet headers and Layer 7 application content and protocol characteristics in an effort to detect and prevent attacks.

With Deep Inspection enabled, the Juniper Firewall scans the packet for patterns that match those defined in one or more groups of attack signatures or protocol anomalies, which you can either define yourself or download to the security


Firewalls are the first line of defense for organizations that do not own the perimeter routers, and care must be taken to configure the device to properly ward off various attacks. Even though securing the perimeter is an integral part of information security, organizations should practice a Defense-in-Depth strategy, where security is provided in layers to protect the various information assets.
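The threshold logic behind the port-scan screen and the per-source session limit described in the paper, shown as an added example in Python (not Juniper's code and not a ScreenOS configuration) run over a constructed set of connection records: a source that touches many distinct ports within a short window is flagged as a scanner, and one that opens more sessions than the limit within the window is flagged as a flood source. The thresholds and window are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict

# Constructed thresholds; tune them to the organisation's baseline traffic.
PORT_SCAN_PORTS = 10      # distinct (host, port) targets from one source inside the window
SESSION_LIMIT = 50        # new sessions from one source inside the window
WINDOW_SECONDS = 1.0

def sliding_window_alerts(flows, window=WINDOW_SECONDS,
                          scan_ports=PORT_SCAN_PORTS, session_limit=SESSION_LIMIT):
    """Emit (kind, src, ts) the first time a source crosses a threshold.

    Each flow is a dict with ts (seconds), src, dst, dport, proto. The window
    slides over each source's flows in time order, mirroring a firewall that
    counts sessions per source over a fixed interval.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src[f["src"]].append(f)
    alerts = []
    for src, fs in by_src.items():
        start = 0
        for end, f in enumerate(fs):
            while fs[start]["ts"] < f["ts"] - window:   # drop flows older than the window
                start += 1
            recent = fs[start:end + 1]
            if len(recent) > session_limit:
                alerts.append(("session-limit", src, f["ts"]))
                break
            if len({(w["dst"], w["dport"]) for w in recent}) >= scan_ports:
                alerts.append(("port-scan", src, f["ts"]))
                break
    return alerts

def constructed_sample():
    """Constructed traffic: one scanner, one flooder, one normal client."""
    flows = []
    for i in range(12):          # scanner: 12 different ports on one host in half a second
        flows.append({"ts": 100.0 + i * 0.04, "src": "198.51.100.9",
                      "dst": "192.0.2.10", "dport": 20 + i, "proto": "tcp"})
    for i in range(60):          # flooder: 60 sessions to port 80 in 0.6 seconds
        flows.append({"ts": 200.0 + i * 0.01, "src": "198.51.100.77",
                      "dst": "192.0.2.10", "dport": 80, "proto": "tcp"})
    for i in range(5):           # normal client: one session every two seconds
        flows.append({"ts": 300.0 + i * 2.0, "src": "203.0.113.5",
                      "dst": "192.0.2.10", "dport": 443, "proto": "tcp"})
    return flows

if __name__ == "__main__":
    for kind, src, ts in sliding_window_alerts(constructed_sample()):
        print(f"{kind}: {src} crossed the threshold at t={ts:.2f}")
```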

Wednesday, May 6, 2009

McAfee threat report

McAfee released their first quarter threat report. Here are some of the important data points from the report:

  • McAfee TrustedSource recently observed malware-laden email and spam originating from a variety of government agencies and banking institutions in Russia.
  • The top 10 countries dominate spam production, contributing nearly 70 percent of the total and far outdistancing the other 200-plus countries in the world. The top 10 countries are the US, Brazil, India, South Korea, China, Russia, Turkey, Thailand, Romania, and Poland.
  • The top seven countries hosting websites with a malicious reputation are also in the top 10 hosting phishing, spam, and malware/spyware sites.

So, what's the best way to deal with malicious traffic from these countries? If your organization can afford to block traffic from these countries, or from selected countries, block the whole IP address range at the external router or firewall. Always use "supernets" (aggregated address blocks rather than many small ones) when blocking, to make sure that the firewall or router uses its resources efficiently.

To get more information on IP address allocation and whois lookups, use the following links:

Friday, April 24, 2009

Spending Budget wisely

Where would you put your security budget? On client-side security, buying new endpoint protection or NAC because you know there are plenty of client-side exploits and users are one of the weakest links, or would you rather put that dollar into a new database monitoring tool? In these difficult economic conditions, it is very important to understand where to put your money.

The new Verizon data breach report provides some of these answers. Here is some relevant data:

The report shows that for the big computer crime cases in 2008, the vast majority involved data from servers (online data in 94% of cases). In only 17% of all cases were end-user systems involved in any part of a target. In only about 1% of cases (one case out of 90, Figure 16) were end-user systems part of the attack pathway. The very same data, when viewed by the percentage of records lost, shows that 99.9% of records were taken from servers, while just 0.01% of the records were taken from end-user systems.

At the end of the day, organizations should identify the risk and determine where and how they should spend the money.

Thursday, March 12, 2009

SQL Injection #1 attack vector

The new WHID report notes that SQL injection was the #1 attack vector in 2008. One interesting snippet from the report is shown below: it shows that the #2 attack vector is "unknown". What does that tell us? The organizations that reported the incidents had no clue how the incident happened, and the number one reason for that could be that there is no instrumentation to look at attack traffic and malicious behavior. Monitoring is the key here; good logging and an understanding of the normal behavior of business-related traffic go a long way toward understanding the threats and identifying incidents. Another reason could be the inability of internal staff to identify attack vectors and decode malicious traffic.

Attack / Vulnerability Used      %
SQL Injection                    30%
Unknown                          29%
Cross-Site Scripting (XSS)        8%

The full report is available here.

Friday, February 27, 2009

People Search

I recently discovered a new tool called pipl to find people online. It is amazingly accurate and accumulates information from a variety of sources including Facebook, MySpace, Amazon, etc. If you are into security assessment / penetration testing, it is a very good data gathering tool.

Monday, February 16, 2009

Lesser known Nessus plugins

We all know that Nessus is a powerful vulnerability scanning and audit tool; it currently has more than 25,000 plugins to scan various operating systems and applications, but what are some of the lesser known but powerful plugins? Here I list five of them, which are extremely useful in a corporate environment.

  1. Nikto plugin. Using this plugin you can automate web application assessment in the organization, and its greatest strength is that you can incorporate the results into Nessus and present the report along with the other vulnerability findings.
  2. Installed software discovery. One of the challenges we face every day involves identifying and preventing unauthorized software on desktops and servers. Nessus offers multiple plugins to identify and create an inventory of installed software.
  3. Wireless SSID discovery. In your organization, do you know how many active wireless networks there are? Even more intriguing: do you know how many of your desktops are associated with a wireless network? This particular Nessus plugin can identify active wireless networks for each desktop or laptop in your organization. This is invaluable not only for identifying which devices are susceptible to wireless threats but also for ensuring compliance with your internal policies and standards like PCI.
  4. Auditing disabled USB drives. Many organizations have policies that prevent the use of USB drives, but how do we ensure that all desktops and servers comply with this policy? Nessus offers an .audit file to scan devices and verify that the system has indeed locked the USB drives.
  5. Scanning for administrator access. Nessus offers various plugins to identify administrator privileges; some of the important ones are:
     • SMB blank admin password: enables you to find servers with a blank administrator password.
     • Users in the "domain administrator" and local administrator groups: enables you to find the users who are members of these important administrator groups.

For more information, visit the Nessus plugin page.