Category Archives: attacks
A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.
The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.
Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.
However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
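The WAF weakness described above comes down to matching rules against a request before it has been put into canonical form. The following is an added illustration, not Ristic's test suite or ModSecurity's code: a single keyword rule applied to the raw request path misses the same payload once it is percent-encoded or padded with dot segments, while the same rule applied after canonicalization (bounded repeated decoding, dot-segment collapsing, case folding) catches it. The rule keyword and request strings are constructed.

```python
"""Canonicalize a request path before rule matching (added illustration,
not Ristic's tool or ModSecurity's code)."""
import posixpath
from urllib.parse import unquote

# Constructed rule: one SQL-injection keyword pair a WAF might look for.
SUSPECT = "union select"


def canonicalize(raw_path: str) -> str:
    """Percent-decode until stable (bounded), split off the query,
    collapse ./ and ../ segments and repeated slashes, treat '+' in the
    query as a space, and lowercase. Each step removes one way a request
    can differ in bytes while meaning the same thing to the application."""
    decoded = raw_path
    for _ in range(3):                      # bound the decode loop
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    path, _, query = decoded.partition("?")
    path = posixpath.normpath("/" + path.lstrip("/"))
    query = query.replace("+", " ")
    return (path + ("?" + query if query else "")).lower()


def naive_match(raw_path: str) -> bool:
    """Rule applied to the raw bytes, the way a careless WAF does it."""
    return SUSPECT in raw_path.lower()


def canonical_match(raw_path: str) -> bool:
    """Same rule applied after canonicalization."""
    return SUSPECT in canonicalize(raw_path)
```

The benign request in the test below shows the rule still needs to be narrow enough not to fire on ordinary query strings once decoding is in place.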
The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.
In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.
Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.
The question is whether this public release of research will kick-start a discussion, as Mr. Ristic hopes.
- Vulnerabilities in open source WAF ModSecurity (net-security.org)
- Protocol-Level Evasion of Web Application Firewalls (community.qualys.com)
- Web Application Firewalls and the False Sense of Security They can Create (acunetix.com)
Due to the loose restrictions Google places on its app marketplace?
Clickjacking rootkits could pose the next big threat for the Android platform, according to a research team out of North Carolina State University. Led by computer science professor Xuxian Jiang, the team has developed a prototype clickjacking rootkit that’s more sophisticated than the other Android-oriented malware already out there.
This new prototype rootkit — which attacks the Android framework, rather than the kernel — differs from other malware in key ways, according to Jiang. “Unlike other rootkits for the platform, this one can function without a restart and without deep modification of the underlying firmware,” Jiang explained in a video in which he demonstrates the rootkit in action. “But it can still do all the things that a rootkit wants to do, such as hide or redirect apps.”
In other words, just as with other computing devices, keep anti-virus software up to date.
- Researchers create prototype Android clickjacking rootkit (androidauthority.com)
- “Clickjacking” Android could lead to app level phishing (h-online.com)
An exploit for an unpatched vulnerability in the MSXML (Microsoft XML Core Services) has been incorporated into Blackhole, one of the most widely used Web attack toolkits, according to security researchers from antivirus firm Sophos.
The security flaw is identified as CVE-2012-1889 and is what security researchers call a zero-day vulnerability — an actively exploited vulnerability for which an official patch doesn’t yet exist.
Be sure to keep that anti-virus up-to-date and also utilize the Fix-It tool Microsoft has made available.
- Hackers exploit Windows XML Core Services flaw (infoworld.com)
- Danger! Unpatched Microsoft security vulnerability being actively exploited (nakedsecurity.sophos.com)
- CVE-2012-1889: MSXML use-after-free vulnerability (eset.com)
Proof that there is always risk with technology despite advances.
The same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims’ own computers.
Security and privacy experts have long worried that criminals would launch attacks on the servers storing the data in cloud environments. But, a report released this week from McAfee and Guardian Analytics shows that criminals are now using the cloud infrastructure itself to get more capability out of their campaigns.
“They are leveraging the cloud,” Brian Contos, senior director of emerging markets at McAfee, said in an interview. “This is the first time we’ve ever seen this.”
Read all the details: Cybercrime moves to the cloud | Security & Privacy – CNET News.
- Q&A of the Week: ‘The current state of the cybercrime ecosystem’ featuring Mikko Hypponen (zdnet.com)
- Debunking cybercrime myths (lightbluetouchpaper.org)
- Cybercriminals build massive banking fraud system in the cloud (pcadvisor.co.uk)
Scanning for BGP hosts that are vulnerable? From the ISC:
ISC reader Yew Chuan reports that he is seeing a steady increase in probes to tcp/79 (“finger”). Our own DShield sensors confirm this observation, as is visible on the image below. It’s been a while since we last had exploit attempts on tcp/79, and hardly anybody is using/running “finger” anymore these days. So .. what’s up? Anyone got packets?
Update 1330 UTC: Scanning for tcp/79 has been seen by many ISC readers, and most say the IP blocks it originated from are in China and Taiwan. No packets yet – looks like everyone has tcp/79 blocked, and only recorded the initial “SYN”.
For more info from the comments check out: ISC Diary | What’s up with port 79 ?.
An interesting opinion:
It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.
There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.
Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.
This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.
Read the rest: Stuxnet Will Come Back to Haunt Us – NYTimes.com.
A computer trojan targeting online banking software is rapidly spreading and evolving thanks to the open source development model being utilized by its creators.
Called Citadel, the new piece of malware is based on ZeuS, one of the oldest and most popular online banking Trojans. ZeuS was abandoned by its creator in late 2010, and its source code leaked online a few months later.
Since its public release, the ZeuS source code has served as a base for the development of other Trojans, including Ice IX and now Citadel.
“Seculert’s Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011,” the security company said Wednesday in a blog post. “The level of adoption and development of Citadel is rapidly growing.”
Seculert has identified over 20 botnets that use different versions of this Trojan. “Each version added new modules and features, some of which were submitted by the Citadel customers themselves,” the company said.
The most interesting aspect of Citadel is its development process, which is similar to the ones behind community-supported open source projects. “Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement,” Seculert said.
Like its parent, Citadel is sold as a crimeware toolkit on the underground market. The toolkit allows fraudsters to customize the Trojan according to their needs and command and control infrastructure.
However, the Citadel authors went even further and developed an online platform where customers can request features, report bugs, and even contribute modules.
So is a new trend in malware being seen? Seculert believes it is.
The security company believes that the success of this Trojan could drive other malware writers to adopt the open source model. “This recent development may be an indication of a trend in malware evolution,” Seculert said.
- Researchers Warn: Trojan evolving through ‘open source’ development (netsecurityit.wordpress.com)
- Collaboration Fuels Rapid Growth of Citadel Trojan (krebsonsecurity.com)
Thanks to “Man in the Browser”, even up-to-date anti-virus software combined with the latest generation of online banking security doesn’t protect those using online banking.
A test witnessed as part of a BBC Click investigation suggests even those with up-to-date anti-virus software could be at risk.
There is no specific risk to any one individual bank.
In the test the majority of web security software on standard settings did not spot that a previously unseen piece of malware created in the software testing lab was behaving suspiciously.
The threat does not strike until the user visits particular websites.
Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.
Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities.
With the additional security devices, the risk of fraud is only present for one transaction, and only if the customer falls for the “training exercise”.
“The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,” said Daniel Brett, of malware testing lab S21sec.
“[Although] many products won’t pick this up, they’ve got a much bigger scope, they’re having to defend against all the viruses since the beginning of time.”
Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it – to learn its common features.
But one security company did privately concede that, if this threat had come from a source not known to be bad and started communicating with a web address also not on the black-list of “bad” sites – until they had discovered and analysed it – it probably would have beaten their protection.
The key in this cat-and-mouse game continues to be the user and how high they want to set their security settings on anti-virus software. But even then NOTHING is 100% secure when it comes to data.
- Hackers outwit online banking identity security systems (annozijlstra.wordpress.com)
- Hackers may be able to ‘outwit’ online banking security devices (go.theregister.com)
- New ‘Man In The Browser’ Attack Bypasses Banks’ Two-Factor Authentication Systems (gizmodo.com.au)
The Simple Phishing Toolkit includes a site scraper that can clone any Web page — such as a corporate Intranet or Webmail login page — with a single click, and ships with an easy-to-use phishing lure creator.
An education package is bundled with the toolkit that allows administrators to record various metrics about how recipients respond, such as whether a link was clicked, the date and time the link was followed, and the user’s Internet address, browser and operating system. Lists of targets to receive the phishing lure can be loaded into the toolkit via a spreadsheet file.
The makers of the software, two longtime system administrators who asked to be identified only by their first names so as not to jeopardize their day jobs, say they created it to help companies educate employees about the dangers of phishing scams.
As pointed out, it’s almost a necessity to have something like this today.
It seems that not long ago, the idea of organizations phishing their own employees was controversial. These days, there are a number of organizations that offer this awareness training as a service. If you’d rather design and execute the training in-house, SPT looks like a great option.
With DDoS attacks on the rise, the traditional approaches to stopping them aren’t adequate anymore.
Whereas older DoS attacks would affect servers by using up resources–signaling the start of a conversation, with no intention to actually converse–a DDoS typically is designed to affect the network by creating so much traffic that the WAN link(s) become saturated, unable to carry “normal” traffic. You may have noticed at home that, if you stream a video, your Web browsing gets slowed down. A DDoS is the same concept taken to an industrialized (and weaponized) scale.
I asked Jim MacLeod, product manager at WildPackets, for his recommendation on thwarting these attacks. Via e-mail, he said that traditional approaches to DoS mitigation such as using ACLs (access control lists) or firewall rules to keep attack traffic from reaching the server are not adequate because three factors in a DDoS require a different reaction.
First, the attack is against the network infrastructure, not the servers. A firewall can only protect what’s behind it, so if it’s on premise, it can’t prevent the WAN link from being flooded. DDoS responses often require coordination with the WAN carrier to block the traffic upstream.
Second, the attack is going to come from a large number of IP addresses. The scale will make it impossible to add entries by hand for each node. While it’s possible to filter aggregated blocks of addresses to create fewer rules faster, the “wolves among the sheep” nature of botnets implies that the addresses will be widely dispersed rather than clustered together, so a lot of legitimate traffic would potentially be blocked too.
Finally, the speed at which the attack commences–sometimes referred to as a “thundering herd” effect–doesn’t leave much time to react to counter the problem.
So the best approach?
MacLeod suggests that the key to combating DDoS attacks is to turn the attack’s strength into its weakness. Industrial-scale attacks will be diverse in source addresses, but fairly homogenous above the IP layer. Many of these attacks are surprisingly simple from a protocol perspective, but they rely on brute force, not cleverness. What you need to find is a signature or behavior within the packets common to the attack traffic, but not on your normal traffic. If your packet analyzer dashboard has visualizations or expert analysis, your tool may even identify a useful characteristic for you.
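MacLeod's point, that flood traffic is diverse in source addresses but homogeneous above the IP layer, is something you can turn into a search. The following is an added example, not WildPackets' analyzer: over constructed request summaries (a quiet baseline window and a window under attack), it ranks values of above-IP fields by how much current traffic they carry, how many distinct sources send them, and how rare they were in the baseline. The field names, thresholds and traffic are all constructed.

```python
"""Find candidate DDoS signatures: above-IP field values that dominate the
current traffic, come from many distinct sources, and were rare in a quiet
baseline window. Added illustration; not WildPackets' product."""
from collections import Counter, defaultdict

FEATURES = ("dport", "uri", "ua", "plen")        # fields compared above IP
FLOOD_UA = "Mozilla/4.0 (compatible; flood)"      # constructed attacker UA
LEGIT_UAS = ("Firefox/13", "Chrome/20", "MSIE 9.0")
LEGIT_URIS = ("/", "/login", "/news", "/img/logo.png")


def legit_traffic(n):
    """Constructed: n requests from 8 clients, varied above the IP layer."""
    return [{"src": f"10.0.0.{i % 8 + 1}", "dport": 443 if i % 3 else 80,
             "uri": LEGIT_URIS[i % 4], "ua": LEGIT_UAS[i % 3],
             "plen": 200 + (i * 37) % 900} for i in range(n)]


def flood_traffic(n):
    """Constructed: n requests, one per source address, identical above IP."""
    return [{"src": f"203.0.113.{i + 1}", "dport": 80, "uri": "/",
             "ua": FLOOD_UA, "plen": 120} for i in range(n)]


BASELINE = legit_traffic(40)                        # quiet window
CURRENT = legit_traffic(40) + flood_traffic(200)    # window under attack


def feature_stats(packets, feature):
    """{value: (packet_count, distinct_source_count)} for one field."""
    count, sources = Counter(), defaultdict(set)
    for p in packets:
        count[p[feature]] += 1
        sources[p[feature]].add(p["src"])
    return {v: (count[v], len(sources[v])) for v in count}


def find_signatures(baseline, current, min_share=0.5, min_sources=10,
                    max_base_share=0.1):
    """Return (feature, value, share, sources) tuples, best first. A value
    qualifies when it carries most of the current traffic, is spread over
    many sources (the botnet's breadth) and was rare in the baseline, so
    filtering on it drops the flood without touching normal clients."""
    found = []
    for f in FEATURES:
        base, cur = feature_stats(baseline, f), feature_stats(current, f)
        for v, (n, srcs) in cur.items():
            share = n / len(current)
            base_share = base.get(v, (0, 0))[0] / max(len(baseline), 1)
            if share >= min_share and srcs >= min_sources and base_share <= max_base_share:
                found.append((f, v, round(share, 3), srcs))
    return sorted(found, key=lambda c: (-c[2], c[0]))
```

Fields that the flood shares with normal traffic (destination port 80, the "/" URI) are rejected by the baseline test, which is the "common to the attack traffic, but not on your normal traffic" condition in practice.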
The ultimate key to making prevention a priority is to have a mitigation plan.