Sunday, June 27, 2010

Twitter Settles Charges that it Failed to Protect Consumers' Personal Information

It is just not information security professionals like me complaining about privacy issues on social networking sites, others are taking a hard look at this as well including the US Federal Trade Commission (FTC). I reported in an earlier post that US Senators send a letter to Facebook, now FTC gets involved in a complaint against Twitter.

FTC issues an administrative complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. FTC employs the FTC Act to impose sanctions on firms that exhibit unfair or deceptive practices, such practices that they feel would likely result in the disclosure of personal information.

There has been many similar complaints in the past but this is the first case against a social networking service.

According to the FTC's press release, Twitter has agreed to settle FTC charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information. According their complaint,  some of the breaches on Twitter system were possible due to a failure to implement reasonable safeguards. The complaint originated from some of the high profile breaches including that of Barack Obama before he became the President.

According to FTC, Twitter failed to implement some of the following safeguards:


* requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites or networks; 
* prohibiting employees from storing administrative passwords in plain text within their personal email accounts; 
* suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts; 
* providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users; 
* enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days; 
* restricting access to administrative controls to employees whose jobs required it; and 
* imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses. 

As part of the settlement, Twitter is required to implement a variety of data security safeguards including "a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years".

The main document of FTC complaint is here 

Some of safeguards mentioned even though highly important, these are very hard to implement for many small businesses. FTC has some strong words for organizations in what they claim they do in terms of securing consumer information.

"When a company promises consumers that their personal information is secure, it must live up to that promise,"

I touched the topic of do we really need more regulations in the privacy area, here. For many organizations, there is no incentive to spending money on security related activities, this is where the value of regulations comes in. Data privacy regulations require organizations to invest in a minimum level of security controls. Such minimum level of security controls reduce the probability of a data breach and resulting harm.

Even though many of the US and other countries privacy laws mandate only "reasonable" or minimum security, for many businesses that is not enough. While discussing the new Massachusetts privacy law I commented this:

"organizations should look at this and other regulatory requirements as "minimum standards" and look upon setting up a higher level for themselves. Remember that Compliance != Security"

The key takeaway is that organizations must take a hard look at their privacy policies and implement the specified controls to safeguard customer information. Information security practitioners should convey this to their business and technology leaders and implement such protection mechanisms or face sanctions.

Tuesday, June 22, 2010

Wireless Penetration Testers... SANS need your input

I received this from the SANS mailing list for GIAC certified folks.

The GIAC Wireless Penetration Testing and Ethical Hacking (GAWN) JTA
committee has recommended an updated set of certification objectives, and we
are conducting a formal Job Task Analysis.  We are seeking Wireless Security
subject matter experts to vote on proposed changes and rate the relevance of
each certification objective.

If you have wireless security background and experience, especially if the
experience involves penetration testing your input will be valuable in
shaping this certification.  Please note that if your background does not
include experience with wireless security, we are unable to use your input
for the survey at this time.

Your name may be listed in the validation report if this certification is
submitted for ANSI accreditation.  This survey will take an estimated 15
minutes of your time and can be accessed at the link below.  The survey will
be available through 12:01 AM on 7/1.


https://www.surveymonkey.com/s/GAWN2010JTA

Thank You.

Chris Carboni
GIAC Technical Director
GCIH, GSNA, GCWN, GCFA

Saturday, June 12, 2010

Data leaks, 0-days, and mass infections

June so far has been a busy month for 0-days, data leaks, and mass infections. If this is not news for you, jump to the analysis section at the end.


Windows 0-day


A new vulnerability has been identified and POC code has been published for this Windows 0-day affecting the help functionality.


Windows use what is called as HCP protocol when the helpctr.exe executable is invoked to open the help files and connect using the HCP URI. HCP is similar to the HTTP protocol and uses a similar prefix hcp://


The vulnerability is due to not validating URLs while using the HCP protocol, this allows passing arbitrary scripts to the operating system. In order to exploit this vulnerability, one has to invoke the help file to connect to a specially crafter URL. Such specially crafted URL could be sent in an email enticing the user to click on it. Once exploited, the adversary could assume the rights of the logged in user. So, if the user is logged on with administrative privileges, the adversary could take over the entire system.


Microsoft issued an advisory and recommends removing or unregistering the HCP protocol through a registry setting.


The full disclosure and the POC is here and the Microsoft advisory is here                 

If you recall, this is not the first time vulnerabilities have come up in the "help" function. Here are the last two announcemets.


Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution



Mass script injection attacks

Several sites were the victims of a mass script injection attacks. The common point was that all were running ISS/ASP.net, the general behavior which is observed on the affected sites include insertion of a particular script (ex: "http://ww.robint.us/u.js"). 


Another round of injection attacks was reported yesterday, affecting about 1000 sites. This time the script  points to "2677.in/yahoo.js". 


More information available here, here, and here


Wordpress script injection attacks

Thousands of WordPress blogs and other PHP-based sites were the victims of injection attacks, they were injected with a malicious script aimed at infecting visitor's machines with rogue security products.

More information, available here


AT&T iPad owners email leak

Gawker reported that they were given data on 114,000 iPad user accounts by intruders who hacked an AT&T server.

As per the technical details released by Gawker, it involved spoofing the user-agent in the header to make AT&T's servers respond to a request for harvesting the data.



Analysis

What's common on all these attacks? 


It is input validation. 


Input validation is the source of various attack techniques such as buffer overflows, cross-site scripting, SQL injection, and manipulation (query string, form field, cookie, header, etc). Input validation refers to how the application filters, scrubs, or rejects input. Proper validation should be done for variety of inputs such as type, length, format, and range.


Detection and prevention methods include 

  • Network IPS, which can look at the script inserts and alert 
  • Host IPS and file integrity monitoring tools
  • Web application firewalls that can block the inline scripts.
  • Log monitoring - Proper log monitoring can identify script and file injection attacks
  • URLSCAN - This Microsoft tool is an ISAPI filter that intercepts every request the web server receives from the Internet and scans each request for anything unusual such as scripts.
  • URLRewrite - Another tool, it has similar functionality as the URLSCAN. The major difference is that with URLREWRITE allows you define regular expressions, so it is much more flexible and powerful.





One interesting aspect that you may have noticed is the India connection in the mass injection attacks, specifically the domain 2677.in has an India TLD. Let's try to get more information on this.

lab:$ whois 2677.in

Domain ID:D4266272-AFIN
Domain Name:2677.IN
Created On:10-Jun-2010 10:33:51 UTC
Last Updated On:10-Jun-2010 10:33:52 UTC
Expiration Date:10-Jun-2011 10:33:51 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:TS_11029084
Registrant Name:liu xiaowei
Registrant Organization:liu xiaowei
Registrant Street1:huang he lu 28 Hao
Registrant Street2:
Registrant Street3:
Registrant City:zhou zhou
Registrant State/Province:henan
Registrant Postal Code:450001
Registrant Country:CN




This has an India TLD but registered in China. Let's look at where is it hosted



lab:$ host 2677.in
2677.in has address 95.211.130.71

lab:$whois 95.211.130.71

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

So, as you can see, it was registered in China, has an India domain but hosted in Netherlands. This shows the international reach of cyber criminals making it difficult for organizations and law enforcement to act against them.

Sunday, June 6, 2010

Another Adobe 0-day

Adobe announced a new vulnerability affecting Flash and Reader products. As per the report, this is being actively exploited in the wild.
Over the past year or so we started seeing more PDF reader based attacks and there have been numerous exploits during this time. A recent report published by f-secure confirms this.
Source: f-secure
Last year, some of the major Reader vulnerabilities included the JavaScript bugs, the JBIG2 compression algorithm vulnerabilities, and memory corruption vulnerabilities.

Back in March this year, Didier Stevens published another interesting attack, he discussed a POC relating to the /launch functionality in PDF files. More information is available here.
So, with Adobe PDF Reader having all these vulnerabilities, what are our options?
Online services like Google Docs can display pdf documents right in the web browser. The advantage of this method is that the pdf is not executed on the user's computer system which means that any exploits will have no effect. 

Firefox has a plugin to open PDF documents in Google Docs, this plugin, GPDF can be found from the Mozilla repository.

Saturday, June 5, 2010

More on Cloud Computing

In my three part essay (here, here, and here) on Cloud Computing, I covered mainly the security concerns and how organizations can prepare themselves before getting to cloud based computing solutions.

If you are looking for real world case studies in the cloud computing space, then read on.

In 2009 US federal government started a cloud computing initiative for the public sector agencies. As part of this initiative, a recent report was published, which gives an overview of this effort. 

In this "state of public sector cloud computing", the Federal Chief Information Officer gives details on their approach to leverage cloud computing technology.

The report also gives details on common characteristics and various deployment models available with cloud computing. The report concludes with many case studies of cloud computing implemented at various agencies. The major areas include software development, software testing, CRM, email systems, web based application, etc.

The case studies are detailed and provides the reason and some of the benefits achieved by using cloud computing solutions.