Sunday, September 26, 2010

SiliconIndia Security Conference on October 2

I received the following from SiliconIndia:

SiliconIndia is organizing a Security Conference on October 2, 2010 in Bangalore. The conference will have two tracks: System & Network Security and Web Security. There will be exciting technical sessions delivered by the people who know security best. You will learn from top industry experts and leading-edge peers. You'll experience a complete technical immersion, shared with a developer community that is passionate about all the exciting developments in the security world.

To register, please visit: 

Conference on Improving the Technology Trustmark


This would be of interest to India-based readers.

Saturday, September 25, 2010

Web Application Configuration Analyzer (WACA)

Microsoft has published a new tool, the Web Application Configuration Analyzer (WACA). It scans a server against a set of best practices recommended for production servers. The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line-of-business applications.

The scan is agentless, but it requires the user to have administrative privileges on the target server, as well as on any SQL Server instances running on that machine.

With WACA you can:
  • Scan a machine for more than 140 rules
  • Generate HTML-based reports
  • Compare two scans to view the differences
  • Export results to Excel
  • Export results to Team Foundation Server

You can download the tool from Microsoft here.

Twitter worm and the social networking security debate

A cross-site scripting vulnerability in Twitter was exploited this week to send tweets that users never wrote to all of their followers. The attack leveraged a common JavaScript event handler, onmouseover, which lets developers run an action when a visitor moves the mouse cursor over a designated area of a web page; hovering over a rigged tweet was enough to trigger it, with no click required. So, depending on how many followers a person had, all of them received these tweets, and the worm spread from there. Check the Kaspersky blog for more information on this.
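To make the mechanism concrete, here is an added example (my code, not Twitter's and not the actual worm payload) of the general bug class behind this kind of attack: user-supplied text placed inside an HTML attribute without attribute-context escaping. The payload string and the t.example host are constructed for illustration. The vulnerable renderer lets a double quote terminate the href attribute, so that an onmouseover handler becomes an attribute of the link; the hardened renderer restricts the URL scheme and escapes the value for the attribute context. The last function parses the rendered markup the way a browser would and reports any event-handler attributes that made it into the DOM, which is a usable check against templates of your own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payload (not the real Twitter worm): the '"' closes the href attribute
# early and everything after it is parsed as a new attribute on the <a> tag.
PAYLOAD = 'http://t.example/@" onmouseover="alert(document.cookie)'


def render_link_vulnerable(url):
    # Bug: user-controlled text dropped straight into an attribute value and into text.
    return f'<a href="{url}">{url}</a>'


def render_link_hardened(url):
    # 1. Only link to http(s) URLs; this rejects javascript:, data:, vbscript: and friends,
    #    which escaping alone would not stop.
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return html.escape(url)
    # 2. Escape for the attribute context: '"' becomes &quot; and '<' becomes &lt;, so the
    #    value cannot end early and cannot open a new tag.
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


class _AttrCollector(HTMLParser):
    """Walks the rendered markup the way a browser would and records attribute names."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and unescapes values for us.
        self.attrs.extend((tag, name) for name, _ in attrs)


def event_handler_attributes(markup):
    """Return (tag, attribute) pairs for every on* handler that ended up in the DOM."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [(tag, name) for tag, name in parser.attrs if name.startswith("on")]


if __name__ == "__main__":
    print("vulnerable:", event_handler_attributes(render_link_vulnerable(PAYLOAD)))
    print("hardened:  ", event_handler_attributes(render_link_hardened(PAYLOAD)))
```

The detector is deliberately run on the output of the template rather than on the input: the text-context copy of the URL in the vulnerable renderer looks identical to the attribute-context copy, and only the parse tells you which one became an executable handler.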

Even though Twitter closed this vulnerability, a lot of damage was already done, and the incident prompted The New York Times to assemble an online debate on social networking security.

The contributors included some big names, like Ross Anderson and Edward Felten.

I particularly liked Ross Anderson's comments:

The discipline of security economics teaches us that large systems often fail because incentives are poorly aligned; if someone guards a system while someone else bears the cost of failure, then failure is likely. Persistent security failures have the same general causes as market failures, and monopolies are particularly bad.

So as people move from the open environment of the Internet to the walled garden of Facebook, we can expect security to get worse. But that's not all; there are at least three further problems. First, Facebook has a strong incentive to collect as much personal information as possible from its users for sale to advertisers.
Second, Facebook is trying hard to be the world's identity service provider of choice, so that people use their Facebook account to leave comments on blogs, newspapers and community Web sites. This will make Facebook an even bigger target.

The entire online debate is available here. This is great stuff and a must-read for social networking security enthusiasts.

Saturday, September 11, 2010

New Adobe Reader 0-day

This week Adobe published an advisory for Reader. From the advisory:

"This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild."

What is interesting about this vulnerability is how sophisticated the exploit is: it works against all versions of Windows and bypasses the platform's exploit mitigations, including DEP and ASLR. I wrote the following earlier while explaining DEP and its security benefits:

"Last month's Adobe Acrobat critical vulnerability, which existed in a function called util.printd and leads to a memory corruption causing code injection, could also have been prevented if organizations had DEP enabled on their machines."

The Metasploit blog analyzed this exploit and identified the following:

* Vulnerability Type: Stack Buffer Overflow
* Bypasses DEP: Yes
* Bypasses ASLR: Yes
* Exploit Requires JS: Yes
* Vulnerability Requires JS: No
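Both bypasses in that list usually share a starting point in practice: ASLR only randomizes modules that opt in (the DYNAMIC_BASE flag in the PE optional header), and once an attacker finds one module loaded at a fixed address they can build a return-oriented-programming chain out of it to sidestep DEP as well. The following is an added example, not code from the Metasploit post or from Adobe: a small PE header parser that reports which mitigations a given DLL or EXE opts into, plus a helper that lists the modules an attacker could use as fixed-address ROP material. The build_minimal_pe fixture is constructed test data (headers only, not a loadable image), and the file paths read from sys.argv are whatever you pass in. One caveat: DEP is a per-process decision made from the main executable's NX_COMPAT flag and the system policy, so a DLL lacking that flag does not by itself switch DEP off.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image declares itself compatible with DEP


def pe_mitigations(data):
    """Parse the PE headers in `data` and report which opt-in mitigations are set.

    Returns a dict of booleans; raises ValueError if the bytes are not a PE image.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    magic = struct.unpack_from("<H", data, optional)[0]
    if magic not in (0x10B, 0x20B) or size_of_optional < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, optional + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def rop_candidates(modules):
    """Given {name: image_bytes} for the modules a process loads, return the names that
    were built without DYNAMIC_BASE. One such module is enough to defeat ASLR for the
    whole process, and its code is then a fixed-address source of ROP gadgets."""
    return sorted(name for name, image in modules.items()
                  if not pe_mitigations(image)["aslr"])


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed fixture: the smallest byte layout pe_mitigations() accepts.
    It is not a loadable executable, only a DOS stub, PE signature and headers."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (the last value is cosmetic here)
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    optional = (struct.pack("<H", 0x20B if pe32plus else 0x10B)
                + b"\0" * 68
                + struct.pack("<H", dll_characteristics))
    optional += b"\0" * (opt_size - len(optional))
    return dos_header + b"PE\0\0" + coff_header + optional


if __name__ == "__main__":
    # Usage: python pe_mitigations.py reader.exe some.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Run it over every module in a process's load list (the DLLs a PDF reader pulls in, for instance) and the rop_candidates output is the list you should be worrying about first: a single non-ASLR module is what turns "bypasses DEP and ASLR" from a research result into a reliable exploit.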

Friday, September 10, 2010

OAuth and Twitter's implementation

Last month Twitter officially switched to OAuth for all third-party access to users' data. What is OAuth, and what does this mean for regular users?

OAuth is published by the Internet Engineering Task Force as RFC 5849. It provides a method for users to authorize third-party applications to access their resources without sharing their credentials. The protocol grew out of the need for delegated access to user-controlled resources (mashups, for example); the first version was released in 2007, and it is now widely used by many web sites.

A good example is a web user granting a third-party service, such as a photo printing service, access to the user's private data (the photos). In this scenario the user does not share their password with the printing service, only an authorization to access specific data.

The service provider does all of the authentication itself: the user logs in at the provider, and the third party identifies itself with the credentials it received when it registered with the provider. Typically the third party requests specific access to the user's private data and the provider prompts the user to grant that specific authorization. Once the user agrees, the provider issues an access token, and the third party presents that token to reach the private data. The Yahoo developer site provides an excellent overview of this authorization flow.

Are there any known risks?

A recent article at Ars Technica discusses the insecurity of Twitter's OAuth deployment: the writer was able to extract the secret OAuth key (the client secret, in RFC 5849 terms) from Twitter's very own official client application for Android. Once that secret is compromised, anyone can request tokens while posing as the official application. A user who unknowingly approves such an authorization request exposes their private data.
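The flow described above and the risk in the Ars Technica piece hinge on the same detail of RFC 5849: every request is signed with HMAC-SHA1 over a normalized "signature base string", keyed by the client secret (and by the token secret, once a token exists). The following is an added example of that signing and verification; it is my code, not Twitter's and not the RFC's reference implementation. The credential strings are the ones RFC 5849 uses in its own walk-through, and the photos.example.net endpoints and the attacker.example callback are assumed names. The last function shows why a leaked client secret matters: a forged temporary-credential request, signed with the extracted secret and carrying an attacker-controlled callback, verifies exactly like one from the official client.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def oauth_encode(value):
    # RFC 5849 s3.6: percent-encode everything except ALPHA / DIGIT / "-" / "." / "_" / "~"
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    # RFC 5849 s3.4.1.2: lowercase scheme and host, drop default ports, query and fragment
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, oauth_params, body=""):
    # RFC 5849 s3.4.1: gather query params, form-encoded body params and the oauth_* params
    # (never the signature itself), percent-encode each, sort by name then value, join.
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    # RFC 5849 s3.4.2: key = encode(client secret) "&" encode(token secret); the token
    # secret is empty when the client is still asking for temporary credentials.
    key = f"{oauth_encode(client_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, client_key, client_secret, token="", token_secret="",
                 body="", timestamp=None, nonce=None, extra=None):
    """Client side: produce the oauth_* parameters, including the signature, for one request."""
    params = {
        "oauth_consumer_key": client_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
    }
    if token:
        params["oauth_token"] = token
    params.update(extra or {})  # e.g. oauth_callback on the temporary-credential request
    base = signature_base_string(method, url, params, body)
    params["oauth_signature"] = hmac_sha1_signature(base, client_secret, token_secret)
    return params


def authorization_header(params, realm):
    # RFC 5849 s3.5.1: "OAuth" scheme, realm first, every value percent-encoded and quoted
    fields = [f'realm="{realm}"'] + [f'{k}="{oauth_encode(v)}"' for k, v in params.items()]
    return "OAuth " + ", ".join(fields)


def verify_request(method, url, params, client_secrets, token_secrets, body=""):
    """Server side: look up the secrets for the claimed client and token, recompute the
    signature over the request as received, and compare in constant time."""
    client_secret = client_secrets.get(params.get("oauth_consumer_key"))
    if client_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    token_secret = token_secrets.get(params.get("oauth_token", ""), "")
    expected = hmac_sha1_signature(signature_base_string(method, url, params, body),
                                   client_secret, token_secret)
    return hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode())


# Constructed credentials, taken from the RFC 5849 s1.2 walk-through; not real Twitter values.
CLIENT_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TOKEN_SECRETS = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}


def leaked_client_secret_demo():
    """Whoever holds the client secret can sign as that application. An attacker who pulled
    the secret out of a shipped client requests temporary credentials with a callback under
    their control; the server has nothing that distinguishes this from the official app."""
    url = "https://photos.example.net/initiate"  # assumed endpoint name
    forged = sign_request("POST", url, "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                          extra={"oauth_callback": "https://attacker.example/callback"})
    return verify_request("POST", url, forged, CLIENT_SECRETS, TOKEN_SECRETS)
```

The server-side check is all a provider has: it compares against the one secret it issued to the application, so a secret compiled into a mobile or desktop client that anyone can download is not really a secret, and the signature only proves "someone who has the client secret", not "the official client".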

Key takeaways

Key takeaways for end users:
  • Be aware of which third-party applications you allow to access your data.
  • Periodically review which applications have been authorized and remove the ones you no longer need.
  • Understand that changing your password does not revoke access for these applications; you have to revoke them explicitly.