
THE CENZIC BLOG: What's New
Recent Web application security news from Cenzic
Did you get an invite to the exclusive BlackHat speaker party from Google or Cenzic?
July 31, 2008 | Application Security News

If you were one of the lucky ones presenting at BlackHat next week, then you get yet another perk: an invite from Google and Cenzic to attend our exclusive speaker party. (And if you were one of our favorite non-speakers, you might have gotten an invite thrown your way.) All tickets have been given away, so you know who you are.

Speaker party details:
Date: Tuesday, August 5
Time: 9 PM to Midnight
Location: Centurion Tower Penthouse, Caesars Palace

And be sure to attend our own Tom Stracener's (Strace) presentation with Robert Hansen (RSnake) on Bots and Malware. We'll see you in Sin City; I'm sure it'll be a hot one!

by Angel Oberoi, AOberoi@cenzic.com
Gartner video on why you need application security (not just network security)
July 31, 2008 | Application Security News

This Gartner video on application security is hot off the production press, and you can be the first person to view it by either filling out the Web registration form or contacting me directly. By watching this 45-minute Gartner video, presented by Neil MacDonald, Research VP at Gartner, and John Weinschenk at Cenzic, you'll learn the following best practices in protecting your company's data and corporate reputation:
- How to start testing all your Web applications (and how often)
- Whether you should test deployed Web applications (i.e. ones in production)
- Whether you should buy a traditional software tool or use a SaaS solution
- If limited in funds, whether black box or white box testing is the priority

by Erin Swanson, Eswanson@cenzic.com
Cross-site Request Forgery (XSRF) vulnerability found on Singlesnet.com
July 31, 2008 | Web Application Security Insights

I reported this XSRF vulnerability almost a year ago to Singlesnet.com and got no response, so I've decided it's time to share it with the community. The root of the problem is Cross-Site Request Forgery (XSRF) using an off-domain POST. Some of you may not be familiar with XSRF attacks, so I will summarize the root cause.

XSRF attacks exploit a Web site's trust of its own user: it's a way of getting a user to make a request to the Web application that they are unaware of and do not authorize. In other words, the attacker causes your browser to make a request to the Web site that has deleterious effects. Some of these attacks involve malicious links (i.e. you follow the link and subsequently take an unintended action within the Web application). Another variation involves forms: the attacker creates a malicious form that auto-submits with a piece of JavaScript. You view the form, your browser makes a request to the target application on your behalf, and the attacker controls the content.

Now to Singlesnet.com: their site architecture allows you to change your password without supplying your current password.

Bad idea.

Basically, your account password, contact email, and username can all be automatically changed in one fell swoop. The proof of concept has been removed. If you wanna know how it works, you'll have to figure it out yourself ;-)

by Tom Stracener, TStracener@cenzic.com
Cenzic now provides enhanced support for cross site scripting (XSS) vulnerabilities
July 25, 2008 | Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic's SmartAttack arsenal now has enhanced support for injection highlighting in cross site scripting vulnerabilities (BugtraqID 29829). This new vulnerability (PHP 'rfc822_write_address()' Function Buffer Overflow) was added to Cenzic's Web Server Vulnerabilities SmartAttack library today. To learn more about how you can automatically update your Cenzic Hailstorm product, visit our Website.

Background on Cenzic's SmartAttacks: Every week, Cenzic's suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customers' websites to assess their security posture. These Web application vulnerabilities include (but are not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by Erin Swanson, ESwanson@cenzic.com
If you are in DC this week for the 2008 SANSFire event, drop by the Cenzic booth
July 24, 2008 | Application Security News

After a dreadful flight from California, I arrived in DC last night for the 2008 SANSFire event. But the quality of the event and the people who've dropped by our booth (#400) have made the cross-country trip worthwhile. So if you are in the DC area this week, stop by the Woodman Park Marriott Hotel and see how we can improve your Web app security. We'll also give you a free lunch on Saturday if you attend our presentation (details below):

Cenzic, Inc. Lunch and Learn Presentation
Title: "Stay Ahead of the Hacker Curve - Common Mistakes to Avoid in Securing Web Applications"
Speaker: Ed Bender, Director, Technical Services
Date / Time: Saturday, July 26, 2008, 12:30 pm - 1:15 pm

by Angel Oberoi, AOberoi@cenzic.com
How would I write a book about Web Hacking?
July 24, 2008 | Web Application Security Insights

I've been exchanging some emails with someone from O'Reilly about writing a book on application security / Web hacking. He asked me some really great questions, and one in particular got my attention: how would I write an interesting and exciting book? Wow. Secondly, how would my book be different from the others that have been published?

First, this is a book -- if published -- that I want published by O'Reilly alone. So if by some miracle I am approached to write this book by any other publisher, the answer is No. First, some concept art: what do you think of this image as the cover?

The biggest problem with security books these days is that they are boring as hell. It's not the result of unimaginative or untalented authors, but a result of the increasing institutionalization and commoditization of security skills, training, and education. You might ask what I mean by that. I was in the security culture as far back as the late 80s, when I was in junior high. I remember getting a copy of "The Conscience of a Hacker" in 1986: "This is our world now... the world of the electron and the switch." In the 90s, hacking was thought of (by many of us) as a martial art, not a criminally institutionalized behavior: you learned how to hack, how to turn yourself into a lethal, albeit virtual, weapon, for the sake of doing so in and of itself. When I started doing security work professionally in 1999 there were only a handful of colleges in the US that offered degrees in information security. You got into security work largely by being trained by someone who knew it, so despite its growing commercialization the 'industry' was still very much like a system of medieval guilds. Most of the well-known researchers were former hackers who had started companies of their own. Let's not forget "SecurityFocus" was started by Aleph One, best known at the time for his paper "Smashing the Stack for Fun and Profit." Many of us continued to think about security as a martial discipline: you mastered the techniques that would allow you to break into computers and networks because it was an art form, and that knowledge was a form of electronic self-defense that could be put to use ethically in the security industry. The spiritual heart of hacking has always been close to the martial arts.

Today that spirit has largely been lost. People with security skills are becoming more common because security is being taught as a college course, a certification, or as a corporate awareness exercise. I am not suggesting these things are bad, merely that learning security in a classroom is a lot different from learning it like a martial art, that is, actively through both attacking and defensive techniques. Today there are more professionals doing Web application security work than ever, and the majority of them use a relatively small set of tools. By extension, most books emphasize tool use over skills and critical thinking. It has become common to think of security as 'this tool' rather than 'this method.' The problem with most security books, to be clear, boils down to two points:
- The books are too generic, and they eliminate the step of explaining how to take a vulnerability and move one step forward, to an actual attack. This knowledge, it is thought, is unessential and can only be used to do harm.
- The books often emphasize using a tool or tools to find a vulnerability, without encouraging the user to understand the process by which the vulnerability is found. This knowledge is irrelevant, according to most thinking, because understanding the tool sufficiently grants a working knowledge of the vulnerability.

Teaching people to use security tools to get results is useful, and I am not saying that is what is at fault. But a failure to teach the underlying 'critical thinking' that is essential for understanding why a vulnerability exists, the signs or symptoms of its presence, how it can be found, how it can be exploited, and how to bypass defensive measures, results in incomplete training. Without training in the above things, people easily become more dependent on the results of a scanner, and they find it difficult to prove or verify that the vulnerability exists apart from the fact that the scanner says it's there. Without the ability to craft exploits, they may be unable to produce a "Proof of Concept" when it is needed for a business reason, such as a report or presentation. Teaching Web security skills as a martial art involves teaching people how to think about finding and exploiting application-layer vulnerabilities, which involves critical thinking, instincts, and active investigation. Then proficiency in using technologies follows. The result is not a passive observer of the assessment process, but an active participant, one who uses tools because of their method, and knows and understands that method. What's the difference between this and what is commonly taught today? It's being able to hack an application with a Web browser versus only being able to hack with a security scanner. Does teaching someone to hack make a dangerous and criminal mind? No, it makes a highly skilled professional. Does teaching security in this way help to cultivate a potentially dangerous skill set? Yes. But let's not forget, being in the military doesn't make you a murderer, but you are trained to kill. Learning a martial art doesn't make you violent, but it does make you a deadly and capable master of self-defense.

by Tom Stracener, Stracener@cenzic.com
Cenzic's SmartAttack arsenal adds Sun Java System Web Server Certificate Revocation Access Control Bypass Vulnerability
July 18, 2008 | Cenzic SmartAttack Updates for Web Vulnerabilities

The Sun Java System Web Server Certificate Revocation Access Control Bypass vulnerability (BugtraqID 22973) was added to Cenzic's CIA Web Server Configuration SmartAttack arsenal this week. To learn more about how you can automatically update your Cenzic Hailstorm product, visit our Website.

Background on Cenzic's SmartAttacks: Every week, Cenzic's suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customers' websites to assess their security posture. These Web application vulnerabilities include (but are not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by Erin Swanson, ESwanson@cenzic.com
How fast can you hack a user's iGoogle page for a Black Hat presentation?
July 17, 2008 | Web Application Security Insights

I was down this weekend visiting RSnake, and we were working on our presentation for the Black Hat bots & malware track (Xploiting Google Gadgets: Gmalware and Beyond). Robert Hansen is really an amazing person (and yeah, that's almost a cliché to say given his notoriety). But Robert's not just one of the top security experts in the world; he's a genuinely kind and generous person, both with his time and knowledge.

But damn. We were wrapping things up for the day and talking about the pieces of our presentation that were missing. With absolute certainty, malicious gadgets can hijack one another and act and behave as robust Web-enabled malware. But we needed to demonstrate that a gadget could be automatically added to a user's iGoogle page without their knowledge or consent. On that thought I took a smoke break to contemplate the issue. About 2 minutes. By the time I walked back into the office, Robert had already created the code for silently auto-adding malicious Gadgets to a user's iGoogle page.

by Tom Stracener, TStracener@cenzic.com
Find out how to attain PCI Compliance for the 6.6 requirement in a hurry
July 16, 2008 | Application Security News

If you missed the June 30 PCI Compliance 6.6 deadline, don't worry. You can still get compliant fast by listening to this recorded Forrester Webcast and reading the corresponding slides. Be sure to tune into the Q&A at the end of the recording for some common inquiries about PCI, as we had over 300 people attend the live event on June 25.

Fill out the Web form here, or email me directly for the information.
Speakers: Security expert Chenxi Wang, Ph.D., from Forrester and Mandeep Khera from Cenzic, Inc.

by Erin Swanson, Eswanson@cenzic.com
Are you a user of HackerSafe (re-branded to McAfee Secure)? Then you are not secure or PCI compliant.
July 11, 2008 | Web Application Security Insights

Multiple McAfee domains are vulnerable to XSS attacks that can be used in various ways, not to mention phishing or drive-by malware installs. Plainly stated, if you are vulnerable to XSS attacks, then you are NOT PCI compliant.

McAfee is a trusted name in computing, and the presence of XSS vulnerabilities in their corporate Web applications is a case in point of the highly vulnerable nature of production applications. Check out this HackerSafe video, which illustrates:
- Sites that are vulnerable to XSS are not PCI compliant. All of the sites in this video take credit card payments and store customer information.
- The sites in this video have been vulnerable for months. Additionally, some have been advised multiple times and have simply ignored my notices. Their Hacker Safe branding is active and has not been removed at any time.
- The ScanAlert Hacker Safe service claims XSS as part of its vulnerability checks; sites that are vulnerable to it should not be showing the Hacker Safe label in perpetuity.

Here's another scathing article by ZDNet entitled "McAfee's HackerSafe: When all else fails, rebrand it."

by Tom Stracener, TStracener@cenzic.com
Cenzic's SmartAttack arsenal adds Apache 'mod_proxy_http' interim response denial of service vulnerability
July 11, 2008 | Cenzic SmartAttack Updates for Web Vulnerabilities

The Apache 'mod_proxy_http' interim response denial of service vulnerability (BugtraqID 29653) was added to Cenzic's CIA Web Server Configuration SmartAttack arsenal this week. To learn more about how you can automatically update your Cenzic Hailstorm product, visit our Website.

Background on Cenzic's SmartAttacks: Every week, Cenzic's suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customers' websites to assess their security posture. These Web application vulnerabilities include (but are not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by Erin Swanson, ESwanson@cenzic.com
Do you know Quantiq? Then ask them about Web application security.
July 09, 2008 | Application Security News

I just came back from a whirlwind trip to Singapore, where we presented our Web application security software to Quantiq and their clients.

Quantiq is a Cenzic re-seller, and they are very excited to have their clients protect their Web apps from hacker attacks using our product suite. As you can see from the photo, it was a packed event, with over 100 people attending for the full day (8 AM to 6 PM). Some of the topics I taught included:
- Common Web Application Attacks
- What is Web Application Security (Part 1 and 2)
- How to Handle AJAX and Web Services
- 360-Degree View of your Enterprise's Application Security Posture
- Spidering and Navigation in Web Applications

So if you are in talks with Quantiq, inquire about Cenzic and Web application security. They can hook you up.

by Steve Maxwell, SMaxwell@cenzic.com
Cenzic's SmartAttack arsenal adds Sun Java System Application Server and Web Server JSP Information Disclosure Vulnerability
July 08, 2008 | Cenzic SmartAttack Updates for Web Vulnerabilities

The Sun Java System Application Server and Web Server JSP Information Disclosure Vulnerability (BugtraqID 29088) was added to Cenzic's CIA Web Server Configuration SmartAttack arsenal this week. To learn more about how you can automatically update your Cenzic Hailstorm product, visit our website.

Background on Cenzic's SmartAttacks: Every week, Cenzic's suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customers' websites to assess their security posture. These Web application vulnerabilities include (but are not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by Erin Swanson, ESwanson@cenzic.com
Observations from the OWASP Application Security Summit
July 02, 2008 | Web Application Security Insights

I hosted the OWASP Bay Area Application Security Summit at the Microsoft facility in Mountain View on June 25, 2008. This half-day summit was a great success, as we had excellent speakers, 80-90 participants, and great food and drinks.

I kicked it off with some trends about application security and how hackers continue to have a ball breaking into sites, stealing important information, and transferring funds. In spite of 75% of attacks coming through Web sites, the vast majority of Web sites continue to be vulnerable, with most corporations, government agencies, and universities frozen in inertia and not taking concrete action to resolve this issue.

Speakers:

The ever-charming Dr. Chenxi Wang, principal analyst with Forrester, gave an excellent talk on Consumerization of Enterprises: a security conundrum. Although not directly related to application security, the presentation offered an interesting insight into how consumer technologies like the iPhone and other Web 2.0 technologies can merge with an enterprise environment. Enterprises want better control, security, compliance, and confidentiality, which a lot of the time are in conflict with the features offered by personal technology, such as convenience, flexibility, and personalization. Having one identity for everything is also critical to having these two separate segments merge. She concluded by saying that we have to fix our security issues first before we can even think about merging these two worlds... in other words, still a long way to go.

She was followed by the bright Ph.D. student from Stanford, Collin Jackson, who talked about some new Cross-Site Request Forgery attacks and defenses. In a CSRF, of course, the attacker is exploiting the trust a site has in the user's credentials, and we are starting to see more of these types of attacks. Collin talked about a specific login CSRF attack which can trick the user into sharing their login information with the attacker. He talked about three defenses: a secret validation token, Referer validation, and a custom HTTP header.

Tom Stracener from Cenzic was next, and he talked about Google Gadget Security, or the lack thereof. With some very interesting examples, he shared the vulnerabilities in Google Gadgets and how hackers exploit implementations of these Gadgets.

Our final speaker was Neil Daswani from Google, who gave a very exciting talk on how cybercriminals steal money, using some very detailed examples of XSRF (same as CSRF) and XSSI (Cross-Site Script Inclusion). Hackers are certainly getting very creative and very organized.

We ended the evening with a nice Spanish fiesta including wine and beer, while networking and brooding about the continuing security issues for the millions of Web sites out there. All in all, it was a very productive day with some excellent presentations and intelligent audience participation on the various Web Application Security issues hounding the industry.

These presentations are all available on the OWASP Website: https://www.owasp.org/index.php/Bay_Area_Past_Events

by Mandeep Khera, Mandeep@cenzic.com
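As an added example (not code from any of the posts above, from Cenzic, or from Singlesnet), the Python below shows a password-change handler that applies the three CSRF defenses named in Collin Jackson's talk (secret validation token, Referer validation, custom HTTP header) together with the current-password check that the Singlesnet post earlier on this page found missing. The site origin, the request and session dictionaries, the user store, and the sample requests are all constructed assumptions standing in for a real framework.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"  # assumed site origin (placeholder)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(password):
    """User record holding a salted hash, never the clear-text password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def new_session(username):
    """Session carrying a random per-session secret validation token."""
    return {"user": username, "csrf_token": secrets.token_hex(16)}

def referer_ok(headers):
    """Referer validation: the request must come from this site's own pages."""
    ref = headers.get("Referer") or headers.get("Origin")
    if not ref:
        return False  # strict mode: a missing Referer is treated as cross-site
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def token_ok(session, form):
    """Secret validation token: the form value must match the session's token."""
    sent = form.get("csrf_token", "").encode()
    return hmac.compare_digest(sent, session["csrf_token"].encode())

def custom_header_ok(headers):
    """Custom header: a cross-site HTML form cannot set it; same-origin XHR can."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"

def change_password(users, session, request):
    """Run the three CSRF checks, then demand the current password.
    Returns (http_status, reason); state changes only on 200."""
    headers, form = request.get("headers", {}), request.get("form", {})
    if not token_ok(session, form):
        return 403, "missing or invalid csrf token"
    if not referer_ok(headers):
        return 403, "referer/origin is not this site"
    if not custom_header_ok(headers):
        return 403, "missing custom header"
    user = users[session["user"]]
    # The defect the Singlesnet post describes: no current password was required.
    supplied = hash_password(form.get("current_password", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["hash"]):
        return 401, "current password incorrect"
    new = form.get("new_password", "")
    if len(new) < 8:
        return 400, "new password too short"
    user["salt"] = secrets.token_bytes(16)
    user["hash"] = hash_password(new, user["salt"])
    return 200, "password changed"

def demo():
    """Constructed sample: a forged off-domain auto-submitted POST vs. a legitimate one."""
    users = {"alice": create_user("correct horse")}
    session = new_session("alice")
    forged = {"headers": {"Referer": "https://evil.example.net/form.html"},
              "form": {"new_password": "attacker-chosen-pw"}}  # no token, no header
    legit = {"headers": {"Referer": SITE_ORIGIN + "/settings",
                         "X-Requested-With": "XMLHttpRequest"},
             "form": {"csrf_token": session["csrf_token"],
                      "current_password": "correct horse",
                      "new_password": "a brand new passphrase"}}
    return change_password(users, session, forged), change_password(users, session, legit)
```

The forged request is rejected at the first check, before any state is touched; a request that passes all three CSRF checks still cannot change the password without the current one.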
The increasing power of widgets and gadgets means increased risk to the end user in the Web 2.0 world
July 01, 2008 | Web Application Security Insights

If the majority of malware runs on the Windows platform today, then tomorrow's malware will run on the Web. The design concept of the Web as a computing platform is bearing more and more fruit in the Web 2.0 world. Plugins, Widgets, and Gadgets are bringing more power into the hands of the Web user, promising many new and exciting things. But the increasing power of Widgets and Gadgets (including the power resident in Google's Advanced Gadget API) means the potential for security exposures, vulnerabilities, and Web-based malware is ever increasing.

Your application is secure, its source code has been audited, its external touch points and interactive features are resilient to attack -- until the user adds a vulnerable or malicious widget. Furthermore, as Widgets or Gadgets allow more cross-domain interaction and potential vulnerabilities, these Web technologies are moving to the desktop, opening new avenues of attack that subvert the client computer via a vulnerability in third-party micro-application code. The continuing commercialization and productization of widgets and gadgets is creating an environment of increased risk to the end user.

by Tom Stracener, Tom@cenzic.com