Wednesday, April 20, 2011

Highlights of Cisco's 2010 Security Threat and Trends..


Extract from Cisco 2010 Annual Security Report:
Whether they’re creating malware that can subvert industrial processes or tricking Facebook users into handing over login and password information, today’s cyber criminals have a powerful weapon at their disposal: the exploitation of trust. They have become skilled at convincing users that their infected links and URLs are safe to click on, and that they are someone the user knows and trusts. And with stolen security credentials, they can freely interact with legitimate software and systems.
When trust is exploited, more damage can be done with fewer intrusions—the criminal essentially has been given permission to wreak havoc on compromised systems and software. “Miscreants are continuing to find new and creative ways to exploit network, system, and even human vulnerabilities to steal information or do damage,” says John N. Stewart, vice president and chief security officer for Cisco. “The challenge is that we need to block their exploits 100 percent of the time if we are to protect our networks and information. They can be right once;we have to be right all of the time. We need to be ever vigilant in our efforts to protect our assets, information, and ourselves online.”
continue Reading: http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf

Sunday, April 10, 2011

Cache Poisoning

Description:  The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although only the user of the local browser instance will be affected.
To successfully carry out such an attack, an attacker:
  • Finds the vulnerable service code, which allows them to fill the HTTP header field with many headers.
  • Forces the cache server to flush its actual cache content, which we want to be cached by the servers.
  • Sends a specially crafted request, which will be stored in cache.
  • Sends the next request. The previously injected content stored in cache will be the response to this request.
This attack is rather difficult to carry out in a real environment. The list of conditions is long and hard to accomplish by the attacker. However it's easier to use this technique than Cross-User Defacement.
A Cache Poisoning attack is possible because of HTTP Response Splitting and flaws in the web application. It is crucial from the attacker's point of view that the application allows for filling the header field with more than one header using CR (Carrige Return) and LF (Line Feed) characters.

Wednesday, April 6, 2011

Double Encoding

Description: Cross-Frame Scripting (XFS) is client-side attack related to Cross-site Scripting (XSS). In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then javascript executing in the attacker's page steals data from the third-party page.
XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.

Sunday, April 3, 2011

CSRF - Cross Site request forgery

Description:  Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.
For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request.
In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.
Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.
Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.
Example:The following characteristics are common to CSRF:
  • Involve sites that rely on a user's identity
  • Exploit the site's trust in that identity
  • Trick the user's browser into sending HTTP requests to a target site
  • Involve HTTP requests that have side effects
·         Related control:  Checking the referrer in the client's HTTP request will prevent CSRF attacks. By ensuring the HTTP request have come from the original site means that the attacks from other sites will not function. It is very common to see referrer checks used on embedded network hardware due to memory limitations. XSS can be used to bypass both referrer and token based checks simultaneously. For instance the Sammy Worm used an XHR to obtain the CSRF token to forge requests.
·         "Although cross-site request forgery is fundamentally a problem with the web application, not the user, users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session." -http://en.wikipedia.org/wiki/Cross-site_request_forgery#_note-1
·         Tokenizing

Saturday, April 2, 2011

Standard or Premium SSL


VeriSign now a Symantec company, a world leader in Secure Socket Layer (SSL) Certificate provider offers two certificate type as base category. Each Standard and Premium SSL has their subcategory as SSL, Intranet SSL and Extended Validation SSL. But what is the main difference between them??
SSL certificates perform three functions: a) They encrypt the transaction b) They provide verification to the visitor of who they are dealing with. c) They provide insurance cover against secure transactions being cracked and intercepted. Any certificate of a given key size will provide the same degree of encryption, regardless of cost. Even common "security errors" such as the certificate being expired or self-signed make no difference to the strength of encryption.
Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a Web site organisational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organisation name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL. Other browsers are expected to offer Extended Validation visibility in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates.
Key Difference between Standard and Premium certificates:
Due to regulatory issues the browsers came out before the year 2000 had limited capability to upstream it encryption to 128 bit encryption, which means browsers were able to perform only 40 bit to 56 bit encryption. Hence SGC (Server Gated Cryptography) was introduced which enables older browsers to connect to a site using 128 bit encryption even if the normal browser encryption rate is 40 or 56 bit.
Reason 1: SGC/Premium Certificates are costly and only available with certain vendors like Verisign. However do we really need to go for Premium SSL. The price difference between a Premium EV SSL and Standard EV SLL is 1499 and 995 AUD respectively.

Old Browser Usage Is Very Low

Server Gated Cryptography was created in response to US government legislation on the export of strong cryptography in the 1990s. Microsoft developed Server Gated Cryptography and Netscape developed "step-up" technology to enable 128-bit SSL encryption with export browser versions. However in 2000, US Export law was changed to allow the export of strong crypto and Microsoft released IE 5.5 and IE 5.0.1 SP1 which allow those browsers to connect at 128-bit without using an SGC SSL certificate.
Who uses Internet Explorer 5.0 and lower these days? Of course, it depends on who you ask, but let's look at some statistics (as of Jan, 2011):
WebReference.com: IE 5.x usage is 1.23%, IE 4 usage is 0.03% & W3 Schools: IE 6.x usage for Dec 2010 is 4.4%
Not very big numbers. You need to ask whether the extra money for an SGC SSL certificate is worth supporting that small percent of the market. Still, 1% of visitors can mean a lot of money to many businesses and no one wants to have to turn anyone away. But, there may be a far more important reason NOT to use SGC Certificates.
Reason 2: Insurance? Insurance claim for Premium certificate is 250,000 USD and 100,000 USD for Standard Certificates. But I have never heard of a claim on certificate insurance, although they may well have happened. What would be the cost to you (or your customer) if a transaction was intercepted? For most businesses I suspect that the level of cover on cheap certificates would be more than adequate. It's basically a rort selling unnecessary insurance.
Reason 3: Using Premium certificates means encouraging users to use old browsers which in turn will make their browser more prone to hacking. These old browsers may be un patched/Unsupported and opens the door for phishing and other type of attacks. Do you want users of older browsers to fall prey to that and then blame you? There are literally hundreds of security flaws in those older browsers that malware authors can take advantage of.
To know more on why not to use old browsers, read this article form Paypal and onPhishing..