un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Just wanted to let you all know that I’m still alive and kicking. From what I’ve been told moving house is one of the more stressful things you can do. I’m unsure if this move is stressful or just plain exhausting. It feels like the packing, shifting, unpacking, cleaning cycle is never ending!

On info sec news I’m excited about talking about OpenSAMM at this week’s AISA/OWASP Perth meet up. I’m also in the process of building a new website that I’m personally quite excited about, but I’ll post more on that when I get a chance.

On a personal note, I’m playing a show with my old band tonight at The Bird in Northbridge. We haven’t played together for a few years so here’s hoping it goes well!



A while back I shot off a tweet about Joomla, it went something like this:

According to Exploit-DB you must have balls of steel to run Joomla.

Since then I just kept on seeing the posts flood in via the RSS…It was like an unrelenting wave of exploit after exploit. It made me feel very sorry for anyone who had anything to do with trying to administer a Joomla CMS. Seriously guys. Massive amounts of pity.

Then over the past few weeks I wondered what the breakdown of the exploits was. Naturally the easiest (but not quickest) way to find out was to pull the data from the exploit-db website and dump it into some spreadsheets.

Summary:

  • Between the 19th of April 2006 and 5th of May 2010 there have been 619 reported exploits against Joomla
  • About 44% are from 2010 alone
  • 61% of the reported exploits are either SQL Injection or Blind SQL Injection
  • Followed by 20% being Local File Inclusion exploits
  • 137 different authors contributed to the exploits
  • The user “AntiSecurity” contributed the highest number of exploits (66 exploits, about 11%)

Number of exploits over time: (chart: Joomla over time)

Types of exploits: (chart: Joomla exploit type)



A fellow Google Reader.. reader (let’s call him Dre) pointed out an article recently about a guy who was re-signing up to all his online services (you know, the important stuff like MSN Live, Blizzard, Domino’s Pizza, Lord of the Rings MMO etc) and he was talking about his attempt to use the “+” notation to sign up using different email addresses that all transparently go back to his primary email address. Gmail has had this functionality for a while; in fact, Lifehacker wrote about “Instant disposable Gmail addresses” back in 2005. Where it failed though was that the “+” (plus sign) appeared to throw exceptions for a number of these services. In fact, it didn’t sound like he had any luck at all, as most of the services seemed to have issues with the poor plus sign.

Another way to solve the problem is right there in front of you. Just shift your right ring finger down. That’s right. “.”. The full-stop.

Gmail allows you to insert as many of these wonderful characters wherever you like. So your email address is in fact name@gmail.com and n.ame@gmail.com and nam…………e@gmail.com; these are ALL valid. (Except if you use Google Apps for mail – sorry!!)

Now I know that this solution doesn’t really fit his requirement, but if you like to sign up to stuff and you’re unable to use the “+” sign, perhaps consider the handy “period” key. Keeping track of all the different dotted accounts is pretty simple. For example, you could email yourself to the dotted account with a comment saying “Hey me, I used this email address to sign up to Xbox live!”

Thanks Google!
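The dot and “+” tricks above cut both ways: whoever runs the sign-up form sees one person arrive under many addresses. As an added example (not from the original post), here is a canonicaliser that collapses those variants so duplicate registrations can be spotted; it only touches Google’s consumer domains, leaving Google Apps domains alone as the post’s caveat requires. The `find_duplicate_signups` helper and the sample address list are constructed for the example.

```python
from collections import defaultdict

# Consumer Gmail domains where dots in the local part are ignored and
# "+tag" suffixes route to the same mailbox. googlemail.com is an alias.
GOOGLE_CONSUMER_DOMAINS = ("gmail.com", "googlemail.com")


def canonical_address(address):
    """Return the single mailbox an address resolves to.

    For Gmail: strip the "+tag", remove every dot from the local part, and
    normalise the domain to gmail.com. For any other domain only the domain
    is lower-cased (local parts are case-sensitive per RFC 5321), so Google
    Apps mail, where the dot rule may not apply, is not rewritten.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    domain = domain.lower()
    if domain not in GOOGLE_CONSUMER_DOMAINS:
        return local + "@" + domain
    local = local.split("+", 1)[0].replace(".", "").lower()
    return local + "@gmail.com"


def find_duplicate_signups(addresses):
    """Group sign-up addresses by mailbox; return only groups with 2+ entries."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_address(addr)].append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample sign-ups, one mailbox hiding behind four spellings.
SAMPLE_SIGNUPS = [
    "name@gmail.com",
    "n.ame@gmail.com",
    "name+xbox@gmail.com",
    "N.A.M.E@googlemail.com",
    "n.ame@example.com",   # not Gmail: stays distinct
]

if __name__ == "__main__":
    for mailbox, variants in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", variants)
```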



I was talking with a friend of mine recently about how most of the AISA presentations, and even local OWASP meetings, that I’ve been involved with or gone to are all good, except that it’s mostly filled with security people who sort of already get security. So he suggested I go to a more developer-type event and that’s exactly what I did.

It was my first unconference and I didn’t really know what to expect. I also didn’t really know what my demographic was going to be (as opposed to AISA, which is often attended by info sec type management people), so I made a guess and assumed that mostly the event was filled with developers and a smidgen of designers. I don’t think I was far off.

My slidedeck is available from here http://www.slideshare.net/xntrik/barcamp-perth-40-web-security – just remember to switch the comments view to “Notes” to see all the actual content.

I was REALLY happy with the feedback received both within the event and via twitter, and hopefully have gotten a few more people onto OWASP material and mailing lists. I’m hoping to provide a more concise list of links and material but am leaving that for another post.



I’ve been a massive fan of the OWASP OpenSAMM project since first reading about it. The Open Software Assurance Maturity Model (SAMM) is:

..an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

  • Evaluating an organization’s existing software security practices
  • Building a balanced software security assurance program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities throughout an organization

Last week on the mailing list SecCom Labs posted their audit framework based on the OpenSAMM, referring back to Nick Coblentz’s SAMM Interview Template and my own. The SecCom post made me realise I hadn’t posted my Scorecard/assessment spreadsheet anywhere – so here it is:

SAMM-Assessment V0.4

If you have any questions or feedback you can leave comments here, or probably more appropriate is to post them to the OpenSAMM mailing list.


Mar 23

I think there’s something fundamentally wrong when your biggest fear at the end of a risk assessment isn’t so much that you’ve got a “critical*” finding, but that you don’t know how to tell management. It’s an interesting phenomenon and I believe most information security people run into it all the time. What compounds it and makes me completely gob-smacked is when the discussion turns to ways that you can downgrade the finding.

Say what?

And don’t try and pretend you haven’t been privy to these discussions. We’ve all seen it or heard of it happening. “What if we only account for a small population of users? What if we nudge up the value of our controls? What if…” I mean what they’re basically asking is “What if we just change some of these values and downplay what we as a group agree is the risk?”

The good news is, the probability of the risk having been exaggerated in the first place is often quite high *phew* – so perhaps this “base-lining” is useful?

This is one of the reasons why I’m a fan of FAIR, it makes it easy to:

  1. Reduce the probability of exaggerated risk statements in the first place – or at least make it more difficult for them to make it through to the end; and
  2. Make it impossible to arrive at a “critical*” finding without putting statements around the frequency of loss events and the probable loss, as opposed to the worst-case loss, which we bang on about all the time and which leads us to the sky-is-falling situation

*Nb: “Critical” adj. Whatever-the-hell you want it to mean.

Image thanks to: http://www.flickr.com/photos/pinksherbet/3484925590/



Zeus has been kicking around for at least 3 years now, and due to its age I often find myself applying this sort of fuzzy, whitewash filter over news or other media reports discussing it. I found it refreshing then when @justin_foster shared this Trend Micro PDF on twitter this evening that goes through the malware’s capabilities in a clear and concise format.

Good read (except for the very final few statements about the battle and fighting and such – listen AV vendors – we know you guys are fighting this WAR against viruses.. just .. quit with the emotion and reminding us of it so we can go back to worrying about all the other things).

Whilst discussing this paper with a friend he also pointed out Symantec’s Zeus report [PDF], whilst a little bit more dated, it perhaps contains more technical information.

If you’re more interested in how Zeus encrypts its config files you can go here.

And look, whilst I’m spamming the crud out of you guys make sure you’re following the Damballa blog too! They talk about this sort of stuff all the time.



Let’s state some facts:

  1. Most of your appliances (Firewalls, ID(P)Ses, Proxies, Email Gateways, Storage Devices, etc) have web interfaces for management
  2. Most vendors recommend that these web interfaces should not be accessible to the public (except those vendors that provide their interfaces over the Internet in some form of *aaS)
  3. All modern browsers provide a function to store your passwords

Now let’s make some assumptions:

  1. Many admins are lazy (or just not aware of the risks of these types of interfaces and auto password fields)
  2. Most developers developing these backend web management interfaces are NOT accounting for external threat agents (i.e. – the only people who can access this interface are internal resources)
  3. Many developers are not mitigating against common web attack vectors due to the above

Result?

I believe that most appliances are vulnerable to common Cross Site Request Forgery (CSRF – Yeah, It Still Works) attacks. I don’t mean that they’re partially vulnerable by implementing basic (and known to be ineffective) referrer checking, I mean they’re probably not even doing the simple stuff like ensuring that parameters received are from POST requests as opposed to GET requests. I believe this so much that I even offered pints* out to those people finding interfaces without these weaknesses.

We’ve done test after test of appliance interfaces and it’s not even a surprise any more when you find non-idempotent GET methods that simply require an appropriate “Authorization” header to perform functions such as adding a new admin user, resetting the device to factory defaults, or simply shutting down the system. More often than not you don’t even need to lure an administrator into clicking anything, you can just include these GET statements in a bunch of webpages or emails (or RSS feeds) under the clever disguise of an <img> tag.

So come on appliance vendors, pick up your game. Stop trying to imagine that there is a ‘gator-filled moat between the administrators accessing your products and the nasty web. The browser is the OS, and the people managing your appliances have Twitter and Facebook and God-knows-what open on different tabs. Look, we’ve made it easy for you – just have a read of the OWASP Cross Site Request Forgery Cheat Sheet. Even a little double-serving of Cookies can help (nom nom). Better yet, if you’re building a web management interface for your appliance, utilise pre-built security controls such as OWASP’s Enterprise Security API (ESAPI); this library even comes with FREE anti-CSRF methods. Amazing!

*Nb: You have to come to Perth to collect :)

(This interface goes from Shotgun to Hoover! – Which do you want?)
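To make the two halves of the post concrete, here is an added example (not code from any appliance or from the original post) of the “add admin” action written the way the post complains about, beside a hardened version: state changes only on POST, and the POST must carry a synchronizer token bound to the session, as the OWASP cheat sheet recommends. The session store, `parse_cookies` and `csrf_token_for` are constructed for the example.

```python
import hmac
import secrets

# Constructed sample state: one admin already logged in with a session cookie.
SESSIONS = {"sess-1": {"user": "admin", "csrf": secrets.token_hex(16)}}
ADMINS = {"admin"}


def parse_cookies(header):
    """Turn 'sid=abc; theme=dark' into {'sid': 'abc', 'theme': 'dark'}."""
    pairs = (c.strip().split("=", 1) for c in header.split(";") if "=" in c)
    return {k: v for k, v in pairs}


def csrf_token_for(session_id):
    """What the genuine admin page embeds in its form (hypothetical helper)."""
    return SESSIONS[session_id]["csrf"]


def vulnerable_add_admin(method, params, headers):
    """The pattern the post describes: any request carrying a valid session,
    GET included, adds an admin. The browser attaches the session cookie to a
    cross-site <img> request too, so nothing here distinguishes the two."""
    sess = SESSIONS.get(parse_cookies(headers.get("Cookie", "")).get("sid"))
    if sess is None:
        return 401
    ADMINS.add(params["user"])
    return 200


def hardened_add_admin(method, params, headers):
    """Hardened: reject anything but POST, then require a per-session token
    that only a page served by this interface could have read and echoed."""
    if method != "POST":
        return 405  # a GET (and therefore an <img> tag) never reaches the action
    sess = SESSIONS.get(parse_cookies(headers.get("Cookie", "")).get("sid"))
    if sess is None:
        return 401
    # Constant-time compare; a cross-site form post cannot know this value
    if not hmac.compare_digest(params.get("csrf_token", ""), sess["csrf"]):
        return 403
    ADMINS.add(params["user"])
    return 200
```

The post’s “double-serving of Cookies” (double-submit) variant swaps the server-side `sess["csrf"]` for a comparison between the form field and a cookie value, which another origin cannot read.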



.. if it’s available via an unencrypted, unauthenticated portion of a public website?

I don’t really think so.

Slashdot reports:

“According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government’s ‘website firewall security’ for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is ‘akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.’ The matter has been referred to the police, who are now investigating. But how did the paper ‘hack’ the website? They entered the unannounced URL. Security by obscurity at its finest.”

Don’t worry people, @DDrazic, @Gillis57 and @Isidort are on the case. We’re proposing a multi-pronged effort to strengthen the Australian Government’s “website firewall security”, including a 2nd line defence provided by physically locating SAS troops next to all Government Firewalls, IDS and IPS’. These will be further reinforced with Stormtroopers and either a serving of Chuck Norris or perhaps @Isidort himself (who claims he’s quicker, deadlier and prettier – hard to know I believe).



Following on from my last post referring to KPMG’s fraud report, PricewaterhouseCoopers also released some fraud survey results, summarised here:

  • 40% of Australian organisations surveyed reported at least one incident of fraud compared to the global average of 24%
  • 37% of the frauds reported by Australian organisations over the 12 month period cost in excess of AUD$1mil, more than double the global average (17%)
  • 52% of the Australian organisations surveyed experienced an increase in the number of incidents compared to the previous 12 months
  • 60% of organisations believe they are unlikely to be a target of fraud in the next 12 months

You can read the full article here: http://www.pwc.com.au/media-centre/catch-fraud-early-feb10.htm

