Think your identity is safe because you take all the necessary measures to protect yourself? Think again!!
Sep
21
2010
Twitter Hacked – onMouseover Bug
XSS (Cross Site Scripting) vulnerability hits twitter.com.
The flaw used simple JavaScript function to call onMouseOver which created an event when the mouse is passed over an area of text. The user was then redirected to a third party site without the users consent.
Twitter’s @safety account tweeted Tuesday morning, “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.”
As of 10:00AM EST twitter issued this statement “This should now be fully patched and is no longer exploitable.”
Mashable estimates that the security flaw “has been widely exploited on thousands of Twitter accounts.” TechCrunch reports the onMouseover exploit may have spread to as many as 40,000 tweets in just 10 minutes.
Have you seen it? How has it affected you? Let us know below.
Sep
14
2010
Stack-based buffer overflow – Adobe Reader and Acrobat 9.3.4
A Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart Independent Glyphlets (SING) table in a TTF font.
This still unpatched vulnerability is actively being exploited in the wild. Exploits do not require JavaScript to be enabled within Adobe Reader and do not require write access to any directory. Confirmed exploits against Adobe Reader 9.1.0, 9.3.0, 9.3.4 running on Windows XP, Windows Vista and Windows 7 have been reported.
Here is the exploit code in the PDF that’s circulating in the wild:
A Metasploit module is included in the most recent version. Adobe claims to be working on a fix, lets see how long…
Sep
03
2010
Internet Explorer 8 | Arbitrary Sites allowed to tweet
A new vulnerability and Proof Of Concept (PoC) code has been posted to the Full Disclosure mailing list. Chris Evans says:
A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits — for example — an arbitrary web site to force the victim to make tweets.
A harmless example has also been posted on his site (see below)
http://scary.beasts.org/misc/twitter.html
This bug appears to be strictly related to Internet Explorer and no fault of Twitter. At this time there does not appear to be a resonable workaround. This appears to be a Cross-origin CSS attack which uses the style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session.
Chris continues to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.
Update: another PoC has been posted:
http://skeptikal.org/exploits/twitter/twitter_xss.html
How long do we have to wait for a fix?
You can protect yourself by using NoScript, RequestPolicy, or other client-side protections.
Aug
04
2010
Verizon and USSS Release 2010 Data Breach Report
Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement
Recently Verizon, in collaboration with the United States Secret Service, released their 2010 Data Breach Report. I would like to take a moment to share my praise, concerns, and general findings. 
I’ll begin with business practice findings. In the past, it was emphasized that there was a gap in termination procedures as pertains to access removal from network assets. Based upon the metrics brought forth from this report (an astounding 26% increase in breaches attributed to “insider” threats), this is still a persistent issue. Here, another concern arises when one mentions the concept of segregation of duties; often trusted “insiders” have unhindered or UNDERhindered access to a broad pool of resources.
As corporations fail to recognize this, and respectively provide resource access controls and limitations, this will continue to be an issue. Interestingly enough, the percentage of breaches implicating business partners has dropped by 23%. One may attribute this to the increased business awareness and legal controls implemented in the contract phase over the past year. If this trend continues (which it should, as the public is more aware than ever of the threats “in the wild”), this number should continue to drop at a decreasing rate.
Additionally, the report indicates that a vast 48% (26% increase) of breaches discovered over the past reporting period involved privilege misuse to some extent – while only 40% of breaches involved “hacking” proper (-24%). This continues to make it obvious that nefarious users do not necessarily have to be “hackers,” and may employ conventional information gathering tactics to procure sensitive data. This may be attributed to the presence of the inevitable “human layer,” and can only be mitigated through a strong, broad-scale, employee education policy. If the point is still unclear, it was reported that 28% (a sizable increase since 2009) of breaches made use of social engineering tactics at some point.
While a corporation may have the most “locked-down” and “secure” internet presence, it remains possible that a loose-lipped employee may still unknowingly play a role in facilitating a data breach.
On a rather interesting (read: disturbing) note, 79% of reported victims that were subject to the Payment Card Industry Data Security Standard (PCI-DSS) had NOT achieved compliance. 86% of breaches were preventable via use of reasonable, simple-to-intermediate controls. While PCI may only provide a baseline data security model, following the standard ensures that basic defense mechanisms are in place – and, if a breach happens, the standard assures that the incident will at least be tracked to some extent. On a somewhat related note, 86% of breach victims had substantial evidence logged, yet 61% of breaches were reported by a third party. This indicates to me that log correlation/SIEM tools are not in place (or underreferenced) in many scenarios; avoid becoming a victim by implementing a strong log reference policy. The burden of sorting through can be eased significantly by use of common string parsing tools.
Some examples of commercial-grade log/event correlation and management tool vendors include LogLogic, ArcSight, and Q1 Labs. By the way, PCI 10.6 mandates log maintenance.
As far as demographics are concerned, the report continues to indicate that the focus of data breaches remains within the Financial Services, Hospitality, and Retail sectors. This does not surprise me, and should not surprise anybody; Cash is King. Note, however, that this may be attributed in part to the fact that – in the United States (the primary source for the data contained within this report), these sectors are required to adhere to strict breach reporting requirements (due to such regulatory standards as PCI and HIPAA).
On a closing note, the report indicates that approximately 13% of the reported breach cases involved organizations that had recently been involved in a merger or acquisition (as opposed to 9% in 2009). This indicates the all-too-obvious truth that, in the common flurry associated with large-scale corporate policy changes, security assurance is frequently sacrificed.
Based upon reading this report, I believe that – in a world where cyber crime continues to be on the rise – large companies need to take a moment to smell the coffee. Making small sacrifices in project deadlines and procuring additional software resources (e.g. log correlation tools, which are essential for far more than just security) to ensure their bottom lines are not only met, but exceeded, while maintaining brand stability.
The 2010 report may be found here
Verizon’s 2009 report (not collaborated with USSS) may be found here
