Before It Bytes!

Ok, maybe not THE last password

Well, after the tightly locked lips of Sony, RSA, and others, it’s nice to see a company being up front and honest with the users they store data for.

LastPass is a password manager which integrates with many different browsers and OSes (I haven’t really found many places it won’t run). It allows users to store passwords in a vault, which is then unlocked with a master password. The advantage to this, compared to other solutions, is that the data is then synced to their servers so that the passwords are available in all of those different places you use passwords.

Of course, the downside is that it makes them a big target. According to LastPass, all of the data in the vault is encrypted on the local machine, and then sent to their servers, so the data is encrypted even before it is sent.

But there is that master password, which of course would give an attacker the keys to the kingdom. According to a post on the LastPass blog they aren’t sure that something has actually happened, but they saw something they didn’t like (it sounds like perhaps in netflow data) and as such are now having all users reset their password to protect against the threat of someone brute forcing passwords against any stolen data.

Kudos to LastPass, as they seem to be very up front and honest about it, which is nice, given the recent history of data breaches. So, if you’re a LastPass user, looks like you will have to remember at least one new password.

More coverage:

LastPass blog: LastPass Security Notification

Krebs on Security: LastPass Forces Users to Pick Another Password

The H Security: Potential intrusion suspected in LastPass password service

Ghacks: LastPass Security Breach

Let the phishing begin!

If you stay in hotels, have a bank account or credit card, or shop (online, from your TV or good old fashioned brick and mortar), there’s a good chance you will be the proud new owner of some data breach notification emails. Yay.

Last week Epsilon Data Management notified its customers of a data breach. In turn, Epsilon’s customers, including hotel chains, banks, retail stores, etc. (see the Krebs on Security link below for a more complete list), are now notifying their customers.

Here is some great coverage, as well as possible implications and recommendations if your organization may be sharing data with third parties:

Krebs on Security: Epsilon Breach Raises Specter of Spear Phishing

CAUCE: Epsilon Interactive breach the Fukushima of the Email Industry

SANS Internet Storm Center: When your service provider has a breach

Email below from Best Buy Reward Zone:

__________________________________________________

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:


Barry Judge

Executive Vice President & Chief Marketing Officer

Best Buy


We feel better now knowing “the only information that may have been obtained was your email address and that the accessed files did not include any other information.”  We’re doomed if we need to rely on Geek Squad to help prevent us from future attacks.



Ashton Kutcher the poster boy for SSL?

Ashton Kutcher (@aplusk) was attending the TED Conference and it looks like someone may have run Firesheep against him to hijack his Twitter account. Two tweets were made by the hijacker:

Ashton, you’ve been Punk’d. This account is not secure. Dude, where’s my SSL?

Followed about 20 minutes later with:

P.S. This is for those young protesters around the world who deserve not to have their Facebook & Twitter accounts hacked like this. #SSL

It looks like the tweets are still in his feed, including a “kudos” to the people responsible. The cool thing is that a lot of mainstream media/entertainment/news outlets are covering this, so perhaps this is an opportunity to bring the issue of HTTP Strict Transport Security (HSTS) to wider attention. Or maybe more people will download HTTPS Everywhere. OK, maybe those are long shots, but maybe we could get a Public Service Announcement with Ashton and Demi Moore?
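The hijacker’s complaint is that the session cookie travelled over plain HTTP, which is exactly what HSTS and the Secure cookie attribute exist to prevent. As an added example (not part of the original post, and using constructed header values rather than anything captured from Twitter or Facebook), here is a small Python check that flags a response whose headers would leave a session cookie exposed to the kind of passive sniffing Firesheep demonstrated:

```python
"""Assess whether a response's headers protect its session cookie against
passive sniffing on an open network. Added example; every header value
below is constructed, not captured from any real site."""

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of
    lower-cased directive names -> values ('' for bare directives)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def cookie_attributes(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    pieces = [p.strip() for p in set_cookie.split(";")]
    name = pieces[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in pieces[1:]}
    return name, attrs

def assess(headers, min_max_age=31536000):
    """Return a list of findings; an empty list means nothing was flagged.
    `headers` is a list of (name, value) pairs because Set-Cookie repeats.
    min_max_age (one year) is an assumed policy, not a standard requirement."""
    findings = []
    hsts = None
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browser may be "
                        "steered to plain HTTP on later visits")
    else:
        try:
            max_age = int(hsts.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains: a cookie scoped to "
                            "the parent domain can still leak via a subdomain")
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cname} lacks Secure: it will be sent "
                                "over plain HTTP and can be sniffed")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname} lacks HttpOnly: readable by script")
    return findings

# Constructed sample responses: one that Firesheep would feast on, one hardened.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":", assess(hdrs) or ["no findings"])
```

The check deliberately treats a missing HSTS header and a cookie without Secure as separate findings: HSTS stops the browser from ever making the plaintext request, while the Secure attribute stops the cookie from riding along if one is made anyway, and a site needs both.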

More importantly, maybe a high profile attack like this will get the attention of Twitter and Facebook.

Coverage from The Huffington post

Coverage from the LA Times

ZDI Makes good on release of vuln information

Back in August the Zero Day Initiative, a program founded by HP’s TippingPoint, announced that they would be making changes to their process due to vulnerabilities which seemed to hang around forever. Because the timeline for disclosure of vulnerabilities had been controlled by the vendors, some appear to drag their feet on patching them. Anyone who has seen the Stack of Shame over on HNN knows what they mean. To avoid this, the ZDI implemented a six month deadline, after which details of the vulnerability would be publicly disclosed.

Well, the six month birthday has hit for some vulnerabilities, and the ZDI has started releasing the information on vulnerabilities for some big name vendors such as Microsoft, CA, Novell, SCO and even TippingPoint’s parent, HP.

The details are available over at TippingPoint’s DVLabs blog.

The ColdFusion Directory Traversal vulnerability

There has been a lot of noise over the past week about the ColdFusion Directory Traversal Vulnerability. If you haven’t heard, the basic issue is that ColdFusion allows the inclusion of just about any file on the server (usually Windows servers) to be included by using either a URL parameter or form parameter. Without special encoding the vulnerability will let you grab any file ending in “.xml”, but by adding a “%00” to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page. This means that no authentication is required to pull this off.

The flaw is in the internationalization tags being used by the Administrator pages which include XML files to render the text for different languages in the CFAdmin section. In turn the XML files aren’t really XML files, but instead are files containing large switch/case statements which, according to the arguments, spit out the value for the piece of text the XML file is called with. The flaw is that the code calling the file uses user input to decide which file to grab, but doesn’t properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section is living on.

As Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive, including the CF configuration files which may include things like database connection settings (with passwords saved which can be decrypted easily). Adrian also points out that once an attacker gains access to the CF Admin, it’s game over.
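The root cause described above is a file-include whose name comes straight from user input, with no check that the resolved path stays inside the locale directory and no handling of the NUL byte that truncates the path before the expected extension is appended. As an added example (written in Python for the editor’s purposes, not Adobe’s code or a ColdFusion patch; the directory layout and file names are constructed), this is the shape of check an include handler should perform before opening anything:

```python
"""Resolve a user-supplied locale file name safely: reject NUL bytes,
canonicalize, prove the result is still under the locale directory, and
only serve the expected extension. Added example; not ColdFusion's code.
The directory tree built by demo() is constructed for illustration."""
import os
import tempfile

class UnsafeIncludeError(ValueError):
    """Raised when a requested file must not be included."""

def resolve_locale_file(base_dir, requested, allowed_ext=".xml"):
    """Return an absolute path inside base_dir for `requested`, or raise."""
    if "\x00" in requested:
        # Native path APIs stop at the first NUL, which would discard any
        # extension the caller appends afterwards; refuse outright.
        raise UnsafeIncludeError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    # Join and canonicalize (collapses '..' and resolves symlinks), then
    # check containment on the result rather than on the raw string.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeIncludeError("path escapes locale directory")
    if not candidate.endswith(allowed_ext):
        raise UnsafeIncludeError("unexpected extension")
    if not os.path.isfile(candidate):
        raise UnsafeIncludeError("no such locale file")
    return candidate

def classify(base_dir, requested):
    """Return 'ok' or the reason the request was rejected."""
    try:
        resolve_locale_file(base_dir, requested)
        return "ok"
    except UnsafeIncludeError as err:
        return str(err)

def demo():
    """Build a throwaway tree and run constructed requests through the check."""
    root = tempfile.mkdtemp()
    # Constructed layout mimicking a locale directory nested under a web root.
    locale_dir = os.path.join(root, "CFIDE", "administrator", "locale")
    os.makedirs(locale_dir)
    with open(os.path.join(locale_dir, "en.xml"), "w") as fh:
        fh.write("<!-- constructed locale placeholder -->")
    with open(os.path.join(root, "config-placeholder.xml"), "w") as fh:
        fh.write("<!-- stands in for a sensitive file outside the locale dir -->")
    requests = [
        "en.xml",                              # legitimate
        "../../../config-placeholder.xml",     # traversal, .xml extension kept
        "en.xml\x00",                          # NUL-byte truncation attempt
        "en.txt",                              # wrong extension
        "missing.xml",                         # well-formed but absent
    ]
    return {req: classify(locale_dir, req) for req in requests}

if __name__ == "__main__":
    for req, result in demo().items():
        print(repr(req), "->", result)
```

Note the order of checks: the NUL test comes first because `os.path.realpath` itself rejects embedded NULs with a `ValueError`, and the containment test runs on the canonicalized path so that `..` segments and symlinks are judged by where they actually land, not by how they look.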

The patches provided by Adobe for the problem are quite simple, and in most cases shouldn’t even require a restart of the ColdFusion services.  The impact of the vulnerability is huge.  As Rafal Los, who rightfully calls this a “Disaster”, points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.

Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.

Now for my confession.  I’ve been working with (and frustrated by) ColdFusion since version 4.5.  I understand how CF developers work, and how poorly the servers are administered in most installations.  In his post, Rafal Los offers some Google dorks for finding CF servers, and states that “There is really no legitimate reason to have a ColdFusion Admin interface on the public internet … really, I can’t think of one… yet there are many results!”.  So why are there so many results?

It is a combination of factors, laziness I’m sure being close to the top of the list, but there are others. The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside of the “/CFIDE/” directory. This directory has other directories inside of it which are used by CF for things like form validation, rendering of graphs, etc., and as such some applications stop working if the entire directory is locked down. This means the administrator (who may know nothing about ColdFusion) has to try to lock down the directories individually (in Adobe’s defense, the most recent version has a Lockdown Guide written by Pete Freitag which is well done). I think the security of ColdFusion has suffered as a result of this mixture of programming functionality and server administration.

Another problem is those older versions for which no patch is forthcoming.  CF developers are very wary of changing the version of CF their application currently works on.  Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources.  This means that there are now a lot of old applications which are on old versions of CF.

Unfortunately, ColdFusion is starting (well, continuing) to look a lot like PHP for its reputation in security circles.  Like PHP, CFML is easy to pick up, and makes it very easy to write applications.  It also makes it very easy to write insecure applications.  Most CF sites are vulnerable to SQLi, XSS, and LFI, much like PHP.  Now with a vulnerability like this in the core of ColdFusion, I can’t say the reputation it is gaining isn’t deserved.

Microsoft drops the patch bomb

Well, the August 2010 Microsoft patches are out.  And man, are they out! 14 bulletins, 34 vulnerabilities. 8 rated critical. Countless reboots! There’s a lot to go through here, but here is some coverage which may help you evaluate this hot mess of patch:

Securing password resets in web apps

Recently a developer asked me about how he should perform password recovery in his new web app. The first recommendation I had was not to do recovery, but reset instead. I searched for some information aimed at developers on password reset functionality and was surprised at what I found. While I found a lot of information about what not to do, I didn’t find much on what should be done.

After pulling together some of the information I wrote this paper called “Securing Self-Service Password Reset Functionality in Web Applications” in an effort to help educate developers and provide some guidance for them when adding this type of feature to web applications.

Of course, any comments or suggestions are welcome!

Securing Self-Service Password Reset Functionality in Web Applications (pdf)
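To make the “reset, not recovery” recommendation concrete, here is an added example of a token-based self-service reset flow (the editor’s own Python, not code from the linked paper; the user store, clock and 15-minute lifetime are constructed assumptions). The properties it demonstrates are the ones that matter: the old password is never revealed because it is never recoverable, the token is random and unguessable, only its hash is stored, it expires, it works exactly once, and the request endpoint behaves the same for unknown addresses.

```python
"""Token-based self-service password reset. Added example; the store,
clock and policy constants below are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # seconds a reset link stays valid (assumed policy)
PBKDF2_ROUNDS = 200_000    # assumed work factor

def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256, stored as 'saltHex$keyHex'."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + key.hex()

def verify_password(password, stored):
    salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(key.hex(), key_hex)

class ResetService:
    """Issues and consumes reset tokens. `users` maps email -> record dict;
    `now` is injectable so expiry can be exercised without waiting."""

    def __init__(self, users, now=time.time):
        self.users = users
        self.tokens = {}           # sha256(token) -> (email, expires_at)
        self.now = now

    def request_reset(self, email):
        """Return a fresh token to be emailed to the user, or None for an
        unknown address. The HTTP layer must answer both cases identically
        so the endpoint cannot be used to enumerate accounts."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        # Store only the hash: a leaked token table is useless without the
        # original token, which exists only in the message that was sent.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, self.now() + TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password):
        """Consume the token and set the new password. True on success."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)     # single use, valid or not
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        # Any other outstanding tokens for this account die with the reset.
        self.tokens = {d: v for d, v in self.tokens.items() if v[0] != email}
        return True

def demo():
    """Run the flow against a constructed user store with a fake clock."""
    clock = [1_000_000.0]
    users = {"alice@example.com": {"password_hash": hash_password("old-pass")}}
    svc = ResetService(users, now=lambda: clock[0])
    r = {}
    r["unknown_address_gets_no_token"] = svc.request_reset("nobody@example.com") is None
    r["bogus_token_rejected"] = not svc.complete_reset("not-a-real-token", "x")
    token = svc.request_reset("alice@example.com")
    r["valid_token_resets"] = svc.complete_reset(token, "new-pass")
    stored = users["alice@example.com"]["password_hash"]
    r["new_password_verifies"] = verify_password("new-pass", stored)
    r["old_password_fails"] = not verify_password("old-pass", stored)
    r["token_reuse_blocked"] = not svc.complete_reset(token, "again")
    token2 = svc.request_reset("alice@example.com")
    clock[0] += TOKEN_TTL + 1
    r["expired_token_rejected"] = not svc.complete_reset(token2, "late")
    return r

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

A real deployment would also rate-limit the request endpoint, send the token as part of an HTTPS link, and invalidate existing sessions after a successful reset; those pieces sit outside this in-memory sketch.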

Out-of-band patch for .LNK vulnerability

Microsoft has announced that they will be releasing an out-of-band patch for the .LNK vulnerability today (August 2nd), most likely due to the increased use of the vulnerability in malware such as the Stuxnet family (great write-up from Microsoft’s Malware Protection Center blog here). More (excellent) coverage is available at the Krebs On Security blog.

Update: Microsoft has published the advisory and patch. Details available here.

Interesting reports released

In an effort to make sure that those of us not attending the fun in Vegas aren’t left out, a number of interesting security related reports have been released in the past week or so. In all the reports include a lot of data to be digested, but the takeaways from these seem to be:

  • Web App Security needs some work.
  • Privileged users can be dangerous
  • Organizations need to know what data they have and where
  • The information is in the logs, but no one is looking
  • Egress filtering is important
  • Malware is getting more sophisticated and customized

None of this is really news to infosec pros, but it may provide some fodder when explaining needs to management, as the reports contain hard numbers (and pretty graphs).

Here are some of the most recent reports:

Verizon 2010 Data Breach Investigations Report (DBIR)

The big news here is that the DBIR now includes data from the U.S. Secret Service, giving the folks at Verizon more data to work with. The report is very well put together and does a great job of presenting the data it contains, including pointing out where the new influx of data from the Secret Service has impacted the data making trends appear different than they have in past DBIRs. The report is available here.

Akamai State of the Internet Q1 2010

Akamai’s large global network certainly allows them to see a lot of traffic, both normal and malicious. Only the second section of the report deals directly with security, but the rest still makes interesting reading. In addition to attack traffic data, the report also contains information on global connection speeds, US connection speeds and mobile connection speeds. The report is available here (registration required).

Ponemon/ArcSight Cost of Cyber Crime Study

This study was sponsored by ArcSight, so there is a good amount of mention of SIEM systems and their benefits. The study still contains some interesting data on how much incidents can actually cost organizations (before, during and after an incident), with good information about the methodology used to arrive at the figures presented. The report is available here (registration required).

Digital Forensics Association “The Leaking Vault”

“The Leaking Vault” takes 5 years of data breach information taken from many different sources, including FOIA requests, the Open Security Foundation, the Privacy Rights Clearinghouse, Sound Assurance, and the Identity Theft Resource Center. The result is a large amount of data which is sliced and presented in many different ways, providing some interesting insight into data breach notification (and the failures of it in some cases). The report is available here.

Cisco 2010 Midyear Security Report

The Cisco 2010 Midyear Security Report is less numbers focused than the reports listed above, but still interesting. The report is more focused on the changes in enterprises today and how those changes will impact security needs. This includes Mobile Devices, Virtualization and Cloud Computing, Social Media, and Government regulations. The report also includes information on worldwide spam volume. As an added bonus, the report also includes “The Artichoke of Attack” (page 21) which is by far my favorite graphic from any of these reports. The report is available here.

0days for Java Deployment Toolkit

Two researchers, Rubén Santamarta (@reversemode) and Tavis Ormandy have both posted proof of concept code today for exploiting a vulnerability in the Java Web Start functionality included in Sun’s Java since Java 6 Update 10.  The functionality is designed to make it easier for developers to deploy applications to end users.

In both cases the researchers were able to exploit the insufficient validation of parameters which are passed to the javaws command when used to deploy an application via a web page.  The end result is that an attacker would be able to launch a .jar file of their choice, almost silently on the user’s machine.

The exploits appear very simple, and Tavis did contact Oracle regarding the issue, but was told that the vulnerability is not severe enough to justify releasing an out-of-band patch for the issue.

Mitigation for the vulnerability can mean setting ActiveX killbits for Internet Explorer, or using file system permissions to block the Java Deployment Toolkit (npdeploytk.dll) from loading. More information on mitigation is available in the links below.

Currently the vulnerability is only exploitable on Windows versions of Java, but Rubén points out:

Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn’t allow me to research into this issue. I was focused on Windows at the moment of the disclosure.

So that may only be a matter of time.

More information and the POC code can be found here:
Full Disclosure Mailing List – Java Deployment Toolkit Performs Insufficient Validation of Parameters

Reverse Mode – [0DAY] JAVA Web Start Arbitrary command-line injection – “-XXaltjvm” arbitrary dll loading