An Ounce of Prevention is Worth a Pound of Cure

A conversation on Twitter this morning started out like this: @dinozaizovi: Finding vulnerabilities without exploiting them is like putting on a dress when you have nowhere to go. This clever analogy spurred a discussion about the importance of proving exploitability as a prerequisite to fixing bugs. While I agree that nothing is more convincing than a working exploit, there will always be a greater volume of bugs discovered than there are vulnerability researchers to write exploits. Don't get me wrong -- as a former penetration tester, I agree that it is fun to write exploits, it just...

Read More

We Need To Learn More About the RBS Worldpay ATM Attack

The size and scope of the RBS Worldpay ATM heist are unprecedented. The perpetrators stole $9M in a matter of hours from 2100 ATMs worldwide. An indictment was handed down on Nov 10, 2009. I am always on the lookout for indictments and trials related to computer crime because this is often the only time the details of the attacker's techniques and victim's vulnerabilities are released publically. For instance it wasn't until an indictment was issued in the Heartland Payment Systems breach that we found out how the attackers breached the perimiter. In that case it was a SQL Injection flaw on...

Read More

White Box Better Than Black Box

The WASS Project which Veracode contributed data to shows some nice benefits to White box (static) over Black box (dynamic) for many serious vulnerability categories. White box overall detects a higher prevalence of many categories which we can extrapolate to having lower FN rates. Now the sample set of apps is not the same so this can only be used as a trend. Static is better than dynamic in 5 out of 7 categories: credential/session prediction, SQL Injection, Path Traversal, Insufficient Authorization, OS Commandeering. In one category, insufficient authorization, dynamic is better and in...

Read More

From the 10 Years Ago Today Department

From the L0pht Archives: Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC 9.30.1999 The lack of client side security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for "secure" web transactions to allow an attacker to authenticate as the hapless consumer. Dateline explores this problem on Sunday October 3rd at 7pm EST. Watch Cult of the Dead Cow demonstrate the attack and Weld Pond from the L0pht talk about whatis really...

Read More

Stealing PII is So 2007 -- They Want Your Endpoint

Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online financial accounts. They are succeeding. Controlling the endpoint within a business can net an attacker $100,000+. In "Real-Time Hackers Foil Two-Factor Security", Rob Lemos reports that an attacker was able...

Read More

Trust Your Own Code?! Trust Your Own Compiler?!

Trust has long been a favorite target of malicious individuals. Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye. Ken Thompson's seminal paper "Reflections on Trusting Trust", which won a Turing Award, addresses in detail why we can never be fully sure of the trust relationships in our development environment. The paper asserts that since people tend to only review the security of the source code of their programs, and not the...

Read More

SQL Injection Blamed for 7-11, Hannaford and Heartland Breaches

The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez. It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network. The indictment doesn't give any details of the technique that was used to leverage the SQL Injection vuhnerability to install the malware. I have my theories. Here are some potential ideas: xp_cmdshell was enabled and allowed the attackers to execute the commands of...

Read More

Connection Between Identity Theft and Cyberwarfare

There is an article in the WSJ, Hackers Stole IDs for Attacks, which discusses the role ID theft played in the Georgian government web site attacks last year. “Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information stolen from a person in France.” I have my own data point to share on this attack trend. My credit card number was used fraudulently to register 4 web sites from separate ISPs last Monday. The fraud...

Read More

Bytecode Analysis Is Not The Same As Binary Analysis

Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java VM or the .NET CLR. As more companies with software security testing technology wade into the "no source available" pool (come on in guys, the water is nice), it is important to understand what capabilities you need for software assurance when you don't have access to source. If the software you are...

Read More

BlackHat Picks 2009

It's time for the yearly BlackHat picks. Without further ado, here's where you'll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes -- there is no way I will actually make it to all of these, but as of now, this is what's caught my interest: Day 1 John McDonald & Chris Valasek: Practical Windows XP/2003 Heap Exploitation Andrea Barisani & Daniele Bianco: Sniff keystrokes with Lasers /Voltmeters Mark Dowd, Ryan Smith & David Dewey: The Language of Trust Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '...

Read More

Pages