Tuesday, February 17, 2009

Worlds Top Vulnerability Discoverer


Who's the worlds most frequent discoverer (and discloser) of security vulnerabilities?

It's not not a name you're likely to be familiar with (sorry "best in the world" team ;-)

With a staggering number of 612 public vulnerability disclosures through to the end of 2008, sitting in pole position, is Luigi Auriemma. Luigi managed to oust r0t (finally) sometime last year. I think that the fact that r0t appears to have "retired" from the vulnerability discovery business probably helped.

For full stats and analysis, I've posted a more detailed blog over on Frequency-X -- Top-10 Vulnerability Discoverers of All Time (as well as 2008) - Who's in Pole Position?

Monday, February 16, 2009

Timing of the Inevitable

Over the last week there have been two inevitable accidents. Inevitable in the sense that we all knew it could happen, and that it would happen eventually. Last week two satellites collided, and this morning it was announced that two nuclear submarines collided (as to precisely when this incident actually took place, I'm not sure).

What does that have to do with cyber security? Not a lot really, but perhaps this week could also so some particularly gruesome hash collision?

Granted there'll be no clanging of steel, dents and scrapes, or chunks of rubbish floating around in orbit. But it's interesting to note that while something is as inevitable as a hash collision, so few organizations actually factor them in to their security models - even as an extreme contingency.

Ask yourself this, with all the applications and authentication methods you rely upon today to do your daily work, what would a hash collision mean to you or the business you work for?

Monday, February 9, 2009

BitDefender Portugal up against the ropes now...

It would seem that Unu over at HackersBlog has been busy over the weekend and had BitDefender under the cross-hairs.

Looks like the BitDefender Portugal Web site is vulnerable to SQL Injection (just like Kaspersky's from earlier in the weekend) as there's a new hack walk through on HackersBlog relating to the escapade.

There's a few screenshots depicting the level of access to backend data (thoughfully redacted to hide some of th more confedential information) - including user ID's and customer address details.

I'm not sure how big the BitDefender Portugal business operation is, but this doesn't bode well for their customers. I'm hoping that the site administrators are already working on the issue because, while Unu may claim to not collect the personal information available through the SQL Injection attack, it's still very easy for others to replicate attack and harvest those customer details for themselves.

UPDATE: 10:30am EST
I neglected to mention that the BitDefender Portugal Web site is actually operated by a business partner/distributor operating in the region - so there is no threat to BitDefenders worldwide sites. This kind of software distributor model is common place within the industry.

That said, it's no comfort for BitDefender customers in Portugal. Nor is it particularly good for BitDefender in Romania (head office) - because, for all intents and purposes, bitdefender.pt delivery is their choice.

In addition, to this, it would seem that the BitDefender side has been taken down for maintenance (and so too has the distributors site - were they on the same host? (same IP address))

Saturday, February 7, 2009

Kaspersky USA Portal SQL Injection Attack

It would seem that the USA portal of Kaspersky (the Anti-virus vendor) is vulnerable to SQL Injection.

Unu over at HackersBlog has illustrated a full SQL Injection attack against usa.kaspersky.com

Through the attack vector, Unu describes the level of access obtained including full access to "EVERYTHING" such as user credentials, activation codes, lists of bugs, admins, shop, etc.

I hope that Kaspersky administrators fix this vulnerability rather quickly as they no doubt have a large customer base, and it would appear that all those customers are now exposed.

On top of that, this type of critical flaw can probably be used to usurp legitimate purchases and renewals of their products - which could include the linking to malicious and backdoored versions of their software - thereby infecting those very same customers that were seeking protection from malware in the first place.


above: User host and password for mysql.user


above: User table column header enumeration

An enumeration of table names yields:
codes
users
vouchers
affectstable
bugs_settings
bugshistory
bugstable
builds
categories
commentstable
computertable
editions
filestable
frontpage
grouptable
ignoretable
milestones
paks
pmtable
priority
repfielddetail
repfields
repfieldset
repoptiondetail
repoptions
repquick
severity
statustable
substable
userstable
admin_users
best_buy
cms
cyberCrimeRegs
email_list
fr_link
fr_link_import
interview_request
k_test_users
kbfaq
kbfaq_import
kbrub
kbrub_bu
kbrub_import
login_stats
menu
menu_relations
menus
node
partners
partners_bu
portal_cms_prod_ann
portal_cms_recent_articles
portal_cms_whats_new
portal_product_orders
product_names
retail_login_stats
retail_partners
retail_users
se_login_stats
se_partners
se_users
setup
shopping_com_sales
smnr_items
smnr_items_bu
trials
trials_bu
trials_downloaded_new
trials_rpts
users
users_bu
it_hardware
activation_code_problem
admin_users
best_buy
cms
cyberCrimeRegs
e5users
email_list
fr_link
fr_link_bu
fr_link_import
interview_request
k_test_users
kbfaq
kbfaq_bu
kbfaq_import
kbrub
kbrub_bu
kbrub_import
kbtop_pop
login_stats
menu
menu_relations
menus
ms_crm_files
ms_crm_files_support
ms_crm_intermediary
ms_crm_intermediary_bu
ms_crm_intermediary_support
node
opt_out
partners
partners_bu
portal_cms_prod_ann
portal_cms_recent_articles
portal_cms_whats_new
product_names
retail_login_stats
retail_partners
retail_users
se_login_stats
se_partners
se_users
setup
shopping_com_sales
smnr_events
smnr_items
smnr_items_bu
test_users
test_users_new
trials
trials_bu
trials_downloaded
trials_downloaded_new
trials_rpts
users
users_bu
virus_watch
columns_priv
db
func
help_category
help_keyword
help_relation
help_topic
host
proc
procs_priv
tables_priv
time_zone
time_zone_leap_second
time_zone_name
time_zone_transition
time_zone_transition_type
user
codes
stores
stores_bu
users

Monday, February 2, 2009

IBM ISS X-Force 2008 Security Trend & Risk Report Now Out

As the title says, the 2008 security trend and risk report is now out from IBM Internet Security Systems.

It’s taken a while, but the X-Force analysts who've obviously been beavering away since year end (and quite a bit before that too) have finally put down their pens and completed their investigations of the major security trends and risks of 2008. Yay!

The tome is a must read for any security professional out there – and I don’t use the word “tome” lightly. At 106 pages in length, the X-Force team have outdone themselves, and there’s something in there for everyone.

Given the breadth of security analysis covered within the report, I’m not going to list the highlights. You can find a 2008 summary within the report itself (which stretches on for 3 pages!) or, if you want something even shorter, you’ll find highlights of the highlights within the official press announcement.

What are some of the most interesting findings from my perspective?

Vulnerability Disclosures

The X-Force vulnerability analysis team recorded 7,406 new publicly disclosed vulnerabilities in 2008. That’s a new record – up 13.5 percent from the previous year, and representing 19 percent of all publicly disclosed vulnerabilities. While not quite an exponential growth, that curve continues to go the wrong way.

Also, the absolute number of vulnerabilities that businesses should be worrying about also increased in absolute terms – with Critical and High impact vulnerabilities representing 39 percent of public disclosures.

However, the really important thing to note is that this number – 7,406 – represents the minimum count of new vulnerabilities that were actually discovered in 2008. Many, many more vulnerabilities than that were uncovered during the year and never publicly disclosed – and probably won’t ever be made public. On the other hand though, it’s more than likely that the vast majority of those discovered-but-undisclosed vulnerabilities will be low on the CVSS scale and not something to loose sleep over. After all, which researchers want to go through all the effort of public disclosure write-ups for a low risk local DoS in “Jim’s Rifle Ballistics Calculator”.

Public Exploit Code Availability

Another critical finding is that 89 percent of public exploits were released on the same day (or before) the official disclosure of the vulnerability. What this really means is that preemptive protection is where modern security defenses need to focus.

Sure, while there’s only so much you can do for some new 0-day exploit for an unpatched default service on a popular operating system, a sizable chunk of this number has to do with entire families of vulnerabilities that are exploited the same way (using the same tools) – e.g. SQL Injection. If you have the right protection technology against SQL Injection, you’ll probably find it protects against last year’s SQL injection vulnerabilities as easily as it does for today’s 0-day and ones that’ll appear throughout 2009.

One word of warning though. The way in which Web browser vulnerabilities are being exploited (through the use of mass interconnected drive-by-download networks) means that 0-day threats are a real danger to anyone using a Web browser today. New exploits can find their way propagating to tens-of-thousands of new Web malicious sites within minutes. So, if theres one area of patching that now has to be at the top of any corporate security teams mind, it’s that of Web browser patching. I wrote about this and the new studies last year on the Frequency-X Blog (and more recently here) – Web browser auto-updating technologies need to improve. They need to get even faster and need to better encompass the myriad of plug-ins too.

Read the Report

I really do recommend that you take some time out to read the report. It’s a fascinating story of how Internet security has evolved throughout 2009.

However, try to be green and not print it out. 106 pages is a lot of dead tree.