Wednesday, January 27, 2010

The Decade’s 10 Most Dastardly Cyber crimes


It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.
Read the complete article by Kevin Poulsen from Wired  magazine

Thursday, January 21, 2010

Cross site scripting scenarios


Web pages contain both text and HTML markup that is generated by the server and interpreted by the client browser. Web servers that generates static web pages have full control over client browser. But servers with dynamic pages do not have complete control over how their output is interpreted by the client. Question is, does the client side browser has enough information to recognize if the script is malicious or legitimate and take proper actions accordingly.
Many web servers generate web pages dynamically. For example, a search engine may do a database search and then build a web page that has the result of the search. Any server that creates web pages by inserting dynamic data into a template should check to make sure that the facts to be inserted does not contain any special characters (e.g., "<"). If the inserted data has special characters, the user's web browser will mistake them for HTML markup. Because HTML markup can introduce programs, the browser could interpret some data values as HTML tags or script and not displaying them as text.
If a web browser is not performing checks for special characters in dynamically generated web pages, then in some cases an attacker can choose the data that the web server inserts into the generated page. The attacker can trick the user's browser into running a program of the attacker's choice. This program will execute in the browser's security context for communicating with the legitimate web server, not the browser's security context for communicating with the attacker. Thus, the program will execute in an inappropriate security context with inappropriate privileges.
Todays browsers are capable of interpreting and executing scripts -- created in such scripting languages as JavaScript, JScript, VBScript -- embedded in the Web-page downloads from the Web server. When an attacker introduces a malicious script to a dynamic form submitted by the user, a cross-site scripting (XSS) attack then occurs. An XSS attack leads to undesirable effects. For example, the attacker gains the ability to capture the session information, peer into private user details such as ID, passwords, credit card information, home address and telephone number, social security/tax IDs, and so on. If the targeted Web site doesn't check for this type of malicious code, misuse of the user is probable.
Hackers take several steps to cut the risk of having the script identified as malicious, the attacker might encode it with a different encoding method, such as HEX. With this alteration, the Web site displays the malicious content on the page as if the displayed information is the valid content from the site. If the Web application doesn't confirm the comments, all the attacker has to do is to coax the user to select the malicious hyperlink, after which the Web application collects confidential data from the user. This enables the attacker to capture the user's session and steal the user's credentials, redirect to a page on another Web site, and then insert code that can poison cookies, expose SSL connections, access restricted or private sites, or even trigger a number of such attacks.
To stop the XSS, we need to understand the venues that are more prone to XSS attacks. Most obvious venues are
  • Banking web page
  • Online forum and search boxes
  • Email messages with malicious links
  • Search engines
  • Setting up an account
Banking Web page
For example, let us consider an hacker who wants to gather information on a user of a example banking website, www.example.com. Attacker needs Login ID and password to enter into the web site, as all banking web sites contain secure login.  Hacker may try using both username and password as "test". When the resulting error page comes back with a message that says that the user ID and password combination is wrong, the hacker finds himself in an ideal situation for inserting malicious code into the Web page. How?
He first enters the following into the ID text box: <script>alert('Test')</script>. Submits the form and then sees this JavaScript alert message: "TO BE DONE." Now he knows that the site is prone to an XSS-style attack. attacker then might introduce malicious scripts  into the URL that redirects the submitted user information to hackedsite.com.This code basically passes the user ID and password information of any user logging into the Web site along to the Web site of the attacker. Now that the script to hack the user ID and password is ready, the attacker sends e-mails and posts with attractive offers to banking Web site users employing this link. Prompted by the attractive offers, users might click on the link and log on to the banking Web site. The malicious script introduced by the attacker is executed by the browser and the data is passed to the hacker's Web site. The rest is a cakewalk for the hacker to log on to the banking Web site with the victim's credentials.
This situation is most probable in couple of scenarios like when a web server does not take adequate steps to ensure that the properly encoded pages are generated. And when inputs are suitably validated.
[ad#Google Adsense-1 Add Links]

Search Boxes and Online Forums

Search boxes and online forums are  most commonly attacked avenue. An attacker inserts malicious code between scripting tags that the Web page accepts and interprets, using FORM or APPLET tags, depending on the page used. Inserted malicious code can do all sorts of harm by stealing session information or cookies. Vulnerability of this sort is prevalent given that a Web designer needs to have knowledge of many languages and technologies like -- CGI, JavaScript, ASP, Perl, even HTML tags  can be used as a delivery vehicle for such attacks.

Email messages with malicious links

An attacker can send an e-mail about a banking Web site to a user. Suppose the e-mail contains a link with a malicious script embedded into the URL. The user may be prompted to click on the link and log on to the Web site, whereby the attacker can seize the user's log on information. The same is true on a dynamically generated page if a link has malicious code in it. Consider the example of a malicious URL that might be a part of the page. If the attacker has the application display a set of HTML, trouble may creep in. Both the IMG and IFRAME tags allow for a new URL to load when HTML is displayed.

Search engines

Search engines that echo the search keyword that was entered are also vulnerable to such attacks. This is because malicious code can be entered as a part of the keyword search input that is executed when the user submits the search. Dangers can include accessing undesirable or private regions of the Web site.

Setting up an account:

When a user submits a form during e-mail account setup or during submission of a form with data in it, the Web application might show the same information after accepting the information as entered. The input content entered can contain such malicious information that may be executed by the browser. This can lead to leaking of critical information from the session and might expose private avenues of the Web server.

XSS attack consequences: Stolen cookies

Cookie theft occurs when the cookie issued by the application is hijacked for malicious purposes by an attacker. By suitably inserting script code into the URL that invokes the portion of the site that uses cookies and is vulnerable, the attacker captures the cookies and can cause damage to content as well as mimic business functions and perform fake transactions.

What an end user can do to protect from XSS?

Below are the ways that a user can choose to cut the impact of XSS attack.
  • Disable scripting when it is not required.
  • Do not trust links to other sites on e-mail or message boards. They may contain malicious code with damaging potential.
  • Do not follow links from sites that lead to security-sensitive pages involving personal or business information unless you specifically trust them.
  • Access any site involving sensitive information directly through its address and not through any third-party sites.
  • Get a list of attacks and the sites and boards they happened on and be careful if you need to visit one of them.

Tuesday, January 19, 2010

Open source linux IDS/IPS from OISF


The Open Information Security Foundation (OISF) is a non-profit foundation organized to build a next generation IDS/IPS engine. The OISF has formed a multi-national group of the leading software developers in the security industry.  In addition to developers and a consortium consisting of leading cyber security companies, OISF after three years have  first released their Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.
Multi-Threading
Amazing that multi-threading is new to IDS!
Automatic Protocol Detection
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.
Gzip Decompression
The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.
Independent HTP Library
The HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration ito other tools.
For detailed overview and download click here

Sunday, January 17, 2010

Open source: How e-voting can be done


I found this article by By Paul Venezia from computer world discussing about how e-vote can be done.
Author discusses his views on  current e-voting systems and Open Vote Act  and how it should  enact laws that prohibit the use of any voting system  and how it does not provides a paper audit trail, and how to  mandate that companies use government-approved voting code without modification when building proprietary systems.
For detailed report on this topic from computer world click here

Wednesday, January 13, 2010

Open source fix for flash security holes


Open source solution for Flash security holes:
To prevent the frequently recurring security issues in Adobe's software from being exploited, Felix "FX" Lindner of Recurity Labspresented his open source "Blitzableiter" (lightning rod) project at the 26th Chaos Communication Congress (26C3). The tool analyses and cleans up Flash code before playback and is designed to prevent security holes in Adobe Flash from being exploited. Flash is one of the most commonly used points of entry for attackers who try to compromise PCs during visits to web pages. the Blitzableiter tool checks SWF files for their integrity. Embedded ActionScript code is detected, analysed and cleaned up. The wrapper can also verify whether embedded objects such as JPEG images comply with the specification.
To read the full article from H-Secure, click here
Previously, Adobe was warning of a new zero-day vulnerability in its popular Reader and Acrobat applications that is being actively targeted by attackers in the wild.
In an advisory released mid December,, Adobe acknowledged reports from several security vendors that a new malicious PDF file was discovered in some email attachments targeting the Adobe flaw. Adobe said the remote code execution vulnerability is in Reader and Acroobat 9.2 and earlier versions
To learn more about adobe zero day vulnerability, click here 

Monday, January 11, 2010

List of 370 twitter banned passwords


Twitter has recently made it so that when you sign up for an account you can't use one of those very obvious passwords. Below list is a set of words that tweeter coded as insecure and tweeter wont allow any users to use them during account sign up. To view the list, right click to see the source code of the registration page.
To make you choose secure password, Firefox has an add-on that generates secure password.
For more detailed report click here
Here is a list of these passwords (Thanks to The Wundercounter for publishing the list):
  • 111111
  • 11111111
  • 112233
  • 121212
  • 123123
  • 123456
  • 1234567
  • 12345678
  • 131313
  • 232323
  • 654321
  • 666666
  • 696969
  • 777777
  • 7777777
  • 8675309
  • 987654
  • aaaaaa
  • abc123
  • abc123
  • abcdef
  • abgrtyu
  • access
  • access14
  • action
  • albert
  • alexis
  • amanda
  • amateur
  • andrea
  • andrew
  • angela
  • angels
  • animal
  • anthony
  • apollo
  • apples
  • arsenal
  • arthur
  • asdfgh
  • ashley
  • august
  • austin
  • badboy
  • bailey
  • banana
  • barney
  • baseball
  • batman
  • beaver
  • beavis
  • bigdaddy
  • bigdog
  • birdie
  • bitches
  • biteme
  • blazer
  • blonde
  • blondes
  • bond007
  • bonnie
  • booboo
  • booger
  • boomer
  • boston
  • brandon
  • brandy
  • braves
  • brazil
  • bronco
  • broncos
  • bulldog
  • buster
  • butter
  • butthead
  • calvin
  • camaro
  • cameron
  • canada
  • captain
  • carlos
  • carter
  • casper
  • charles
  • charlie
  • cheese
  • chelsea
  • chester
  • chicago
  • chicken
  • cocacola
  • coffee
  • college
  • compaq
  • computer
  • cookie
  • cooper
  • corvette
  • cowboy
  • cowboys
  • crystal
  • dakota
  • dallas
  • daniel
  • danielle
  • debbie
  • dennis
  • diablo
  • diamond
  • doctor
  • doggie
  • dolphin
  • dolphins
  • donald
  • dragon
  • dreams
  • driver
  • eagle1
  • eagles
  • edward
  • einstein
  • erotic
  • extreme
  • falcon
  • fender
  • ferrari
  • firebird
  • fishing
  • florida
  • flower
  • flyers
  • football
  • forever
  • freddy
  • freedom
  • gandalf
  • gateway
  • gators
  • gemini
  • george
  • giants
  • ginger
  • golden
  • golfer
  • gordon
  • gregory
  • guitar
  • gunner
  • hammer
  • hannah
  • hardcore
  • harley
  • heather
  • helpme
  • hockey
  • hooters
  • horney
  • hotdog
  • hunter
  • hunting
  • iceman
  • iloveyou
  • internet
  • iwantu
  • jackie
  • jackson
  • jaguar
  • jasmine
  • jasper
  • jennifer
  • jeremy
  • jessica
  • johnny
  • johnson
  • jordan
  • joseph
  • joshua
  • junior
  • justin
  • killer
  • knight
  • ladies
  • lakers
  • lauren
  • leather
  • legend
  • letmein
  • little
  • london
  • lovers
  • maddog
  • madison
  • maggie
  • magnum
  • marine
  • marlboro
  • martin
  • marvin
  • master
  • matrix
  • matthew
  • maverick
  • maxwell
  • melissa
  • member
  • mercedes
  • merlin
  • michael
  • michelle
  • mickey
  • midnight
  • miller
  • mistress
  • monica
  • monkey
  • monster
  • morgan
  • mother
  • mountain
  • muffin
  • murphy
  • mustang
  • naked
  • nascar
  • nathan
  • naughty
  • ncc1701
  • newyork
  • nicholas
  • nicole
  • nipple
  • nipples
  • oliver
  • orange
  • packers
  • panther
  • panties
  • parker
  • password
  • password1
  • password12
  • password123
  • patrick
  • peaches
  • peanut
  • pepper
  • phantom
  • phoenix
  • player
  • please
  • pookie
  • porsche
  • prince
  • princess
  • private
  • purple
  • pussies
  • qazwsx
  • qwerty
  • qwertyui
  • rabbit
  • rachel
  • racing
  • raiders
  • rainbow
  • ranger
  • rangers
  • rebecca
  • redskins
  • redsox
  • redwings
  • richard
  • robert
  • rocket
  • rosebud
  • runner
  • rush2112
  • russia
  • samantha
  • sammy
  • samson
  • sandra
  • saturn
  • scooby
  • scooter
  • scorpio
  • scorpion
  • secret
  • sexsex
  • shadow
  • shannon
  • shaved
  • sierra
  • silver
  • skippy
  • slayer
  • smokey
  • snoopy
  • soccer
  • sophie
  • spanky
  • sparky
  • spider
  • squirt
  • srinivas
  • startrek
  • starwars
  • steelers
  • steven
  • sticky
  • stupid
  • success
  • summer
  • sunshine
  • superman
  • surfer
  • swimming
  • sydney
  • taylor
  • tennis
  • teresa
  • tester
  • testing
  • theman
  • thomas
  • thunder
  • thx1138
  • tiffany
  • tigers
  • tigger
  • tomcat
  • topgun
  • toyota
  • travis
  • trouble
  • trustno1
  • tucker
  • turtle
  • twitter
  • united
  • vagina
  • victor
  • victoria
  • viking
  • voodoo
  • voyager
  • walter
  • warrior
  • welcome
  • whatever
  • william
  • willie
  • wilson
  • winner
  • winston
  • winter
  • wizard
  • xavier
  • xxxxxx
  • xxxxxxxx
  • yamaha
  • yankee
  • yankees
  • yellow
  • zxcvbn
  • zxcvbnm
  • zzzzzz
[ad#Google Adsense Horizondal banner 468-60]

Phishing


Phishing:

One of the hot topic of 2009 Information Security industry is phishing. According to a Truster's  recently released report with the sample of 3 million users over the period of 3 months time, it is identified that 45% of the time, users were spoofed into a fake  log on page.  The report also claimed that  most of the discovered phishing sites are live and also has the capability to bypass anti-spam and anti-phishing protection if any present on the victims browser.  Banking along with online shopping cart users are the most targeted and affected among the phishing victims.Below graph from Phishtank shows phishing sites by country of host for Nov 2009.

In phishing attack, hackers create an almost identical looking replica of a chosen banking or online shopping web site , then attempt to trick users to show personal information and log in credentials like user name, password, PIN number. Trapped user will fill the form thinking it as the legitimate website , exposing wide window of opportunity to hackers to misuse  victims sensitive information.
Hackers uses various phishing techniques to victimize users to make them access their fake web page, one such method is by sending email that pretend to be from your debit or credit card company asking you to update your personal information. Being a look-alike of a legitimate website, recipient will click on the link in the email, they are directed to the fake website and where they are tricked to expose their information.
To stay protected, below are some of the steps a user can take:
  • Check for digital signature, unless the email is digitally signed, email cannot be trusted to pass on the sensitive information.
  • Be aware of such fake emails, remember it is highly unlikely that your bank will ask your sensitive information by email.
  • When there is a need to fill in your log in details in a webpage look for https in your URL box. Also look for lock symbol on the lower right hand corner of the web browser. Double clicking the lock will enable your access to digital certificate. If you don't see both https and secure lock do not give your information. Alternatively contact your bank by telephone.
  • Instead of clicking the link from your email message, try typing the URL into your web browser .
  • Mozilla's current version 3.5 has good anti phishing functionality and using Mozilla Firefox may provide more advantage over phishing sites.
  • Make sure to update your web browser of choice with updated security patches.
  • Check your bank account regularly once making transaction, if you note any suspicious activities, report your bank immediately
  • Always report "phishing" or “spoofed” e-mails to the following groups:
  1. forward the email to reportphishing@antiphishing.org
  2. forward the email to the Federal Trade Commission atspam@uce.gov
  3. forward the email to the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")
  4. when forwarding spoofed messages, always include the entire original email with its original header information intact
  5. notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/
Phishing statistics for the month Dec 2009.

Phishing statistics below are from 1st December 2009 records from phishing. While visiting the below mentioned websites make sure to verify the above mentioned tips and minimize the risk of getting victimized.

Popular Targets

Top 10 Identified TargetsValid Phishes
1PayPal10,361
2Internal Revenue Service870
3Tibia784
4eBay, Inc.458
5Facebook439
6Bank of America Corporation270
7JPMorgan Chase and Co.202
8HSBC Group201
9Google146
10HSBC121

Phishing URLs

In November, 278 phishes (5% of valid phishes that month) used an IP address (i.e. http://12.34.56.78) and 4,980 (or 95%) used a domain name (i.e. http://example.com).
Top 10 Domains (valid phishes)
1atspace.com (237)
2submissionradio.com.au (67)
3oksamyt-inter.com.ua (60)
485studio.pl (50)
5sisek.net.ua (49)
6virtualbattlespace2.com (44)
7wilsden.com.au (40)
8110mb.com (39)
9aidastreasures.com (37)
10dezigner.ru (34)