Squirreling Backdoors Into Distribution Points

So it seems that SquirrelMail 1.4.11 and 1.4.12 were recently backdoored. Similar to some high-profile backdoors in the past, this was done by modifying the distribution tarball rather than infiltrating the source code repository [1]. In this case, the backdoor was detected when a user noticed that the MD5 published on SquirrelMail’s website didn’t match the MD5 calculated from the SourceForge distribution.

Since the SVN repository remained intact, we can’t go back and examine the backdoor in detail. However, we do have a newsgroup posting that sheds a little light on the …

Boston/Cambridge InfoSecurity Events

Software Security Weaknesses – Avoiding and Testing
Bob Martin is giving a talk tonight at the Boston Software Process Improvement Network (SPIN) meeting on “Software Security Weaknesses – Avoiding and Testing”. The meeting is at MITRE in Bedford in the basement conference center of M-Building (the one next to the parking garage). Pizza and discussions at 6pm, talk at 7:10pm.

It’s open to anyone.

BeanSec
BeanSec, an informal gathering of security professionals, is held the 3rd Wednesday of every month in Cambridge. It will be held tomorrow night from 6pm-9pm at the Middlesex Lounge, 315 Mass. Ave, Cambridge, MA. …

Risk vs Vulnerability

George Ou has an interesting analysis of Microsoft OS vs Apple OS vulnerability counts. Anything comparing the security of these two companies becomes controversial. I think that any analysis of vulnerability counts should include a paragraph on risk vs. vulnerabilities to defuse the Mac fanboys. I might be able to leave my backdoor safely unlocked (a vulnerability) in Concord, MA, a suburb of Boston. I wouldn’t do the same thing in Brooklyn, NY. Same vulnerability, different threat environment. Everyone readily admits that Macs have less risk on average due to their population and user base. This …

Thought Exercise: Automated Vulnerability Creation

A few of us were hanging out in the Veracode kitchen the other day and got to discussing the idea of programmatically injecting vulnerabilities into software. This is essentially the opposite of the problem that most security vendors, including ourselves, are trying to solve — that is, detecting vulnerabilities. Clearly there’s not much business value in making software less safe, though you could imagine such a tool being used for educational purposes or a way to mass-produce QA test cases.

It sounds easy, right? Certainly it would be easy to inject the types of classic security problems that …

Veracode Makes 10 IT Security Companies to Watch

Network World has named Veracode to their 10 IT Security Companies to Watch. Sim Simeonov has some commentary on this in his blog.

External Code in the Software Development Process

Recently I got a message from Kelley Jackson Higgins of Dark Reading. She was looking for some comments on Fortify Software’s new paper on “Cross Build Injection” or “XBI”. I had read the paper and, while I think the issues are real, the way they are framed misses the big picture. So I figured I would partake in a little “XPI”, that’s “Cross Publicity Injection”, and take this opportunity to talk about the larger issue of accepting code into the build process. The Dark Reading article is here.

Whenever externally developed code of an …

Exploits of a Mom

XKCD has a funny web security theme today:

Classifying and Prioritizing Software Vulnerabilities

We were more than pleased to read a new report by John Pescatore of Gartner recommending that security managers adopt the use of the Common Vulnerability Scoring System (CVSS) to support more repeatable, fast-acting vulnerability management processes.

This recommendation backs up the decision made by our CTO, Chris Wysopal, more than a year ago to adopt the CVSS standard as a part of the Veracode rating system.

Another interesting recommendation in the report is: “Enterprises should ensure that processes are in place to detect, assess, and manage each software vulnerability class.” You’ll need a combination of static, dynamic and …

Friday Hacker Brainstorming

Sometimes when you are deep in the forest looking at one branch of one tree, trying to reduce false negative rates for detecting a specific class of software vulnerability, it is useful to step back and look at the forest of what is going on in criminal hacking.

Today we were throwing some ideas around the office about hacking techniques we had seen reported. This got the discussion flowing towards extrapolating and using techniques in new areas. The following is a list of old and new.

Gaining network access

Secure Software and Application Testing – Before Procurement

Chenxi Wang of Forrester Research and Chris Wysopal, our founder and CTO, will discuss ways to secure applications before they are purchased and deployed in an enterprise — as a part of contract negotiations and the RFI and RFP process. More information on the seminar and instructions on how to register can be found on the Veracode site.

PCI Extends Its Reach to Application Security

Earlier this week, I attended the first PCI Community Meeting in Toronto, a gathering organized by the PCI Security Standards Council to bring QSAs, ASVs, and other PCI stakeholders together in one room with the PCI Council. Let’s be honest here — in the security industry, discussing regulatory compliance is about as dull as it gets. On the other hand, compliance is also a major catalyst, sometimes the only catalyst, in convincing organizations to improve their security posture, so it’s important to understand. As might be expected, I focused my attention on the sessions dealing with …

The Weakest Link

We spend a lot of time thinking about hackers and abuse cases. This article entitled “Who Needs Hackers” by John Schwartz of the New York Times talks about how flawed systems, the increasing complexity of systems, and even mergers and acquisitions can make computer systems unreliable. The rush to market can lead to not enough testing. Pressures to ship software and hardware quickly and to keep costs at a minimum work against more secure and robust systems. These are the same pressures that lead to the flaws that hackers take advantage of as well.

Security Policy Without Enforcement Doesn’t Work

It’s a security issue

One of my first “real” jobs in security back in the 90s was working as an IT security engineer for a government contractor and internet backbone provider. One of our tasks was finding people who bridged the internal network with the internet. We found one guy who had been running his own ecommerce business on our external network. He showed up on our scans because he had 2 network interfaces on his machine, with one connected to the external network and one connected to our internal network. …

BlackHat 2007 Materials

Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled “Static Detection of Application Backdoors.” Here are the slide deck and the accompanying whitepaper:

Static Detection of Application Backdoors (slides)
Static Detection of Application Backdoors (whitepaper)

Also, as a proof-of-concept, we had demonstrated using IDA Pro’s scripting framework to detect one of the backdoor examples that we discussed — suspicious cryptographic API calls. Specifically, it flags calls to known encryption, decryption, and/or key management functions where a constant value is passed to a specific argument position. This …

Cenzic Taking SPI to Court

RSnake blogged on this first but I can’t help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they’re getting litigious. The abstract from the patent reads as follows:

A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. The method may further include receiving a feedback from the …
