Database and ERP Security and Best Practice Management

Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • FrontRange Solutions Launches Discovery 9 to Improve the

    Posted on February 8th, 2010 David Marshall No comments
    FrontRange Solutions, the developer of Service and Infrastructure Management software for mid-sized and distributed enterprises today announces the launch of FrontRange Discovery™ 9, the all-in-one solution for finding and tracking all ... It is the most effective tool to help organizations retain control of their networks, minimizing risks and maximizing the opportunity to save costs.” For organizations currently deploying virtualized hardware, FrontRange Discovery 9 ...
  • Perfect Solution: A shop of Computer Hardware & Software Solution

    Posted on February 8th, 2010 Team No comments
    We provide and help them improve business and reduce operational costs. We have warranty our assumable Products. We are Dealing in Annual Maintenance contract ( AMC ) for Business and Corporate Sector at reasonable Prices. ...
  • Trends in Mobile Payments Are Frightening

    Posted on February 8th, 2010 John Kindervag No comments


    Question: Do I really want someone with an iPhone taking my credit card info?

    Enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments.

    So many questions:
    1.  Does the solution use a cryptographically enabled swipe reader?
    2.  Does the solution encrypt credit card information at the moment it is swiped?
    3.  Does the solution store any track data?
    4.  Does the solution encrypt all sessions back to the payment gateway?
    5.  Will it support tokenization?
    6.  Is the solution PCI PTS certified?
    7.  Is the solution PCI PA-DSS certified?

    That's just for starters. Now add in questions about the security of the 3G network and proper WiFi configuration and security, and you could be creating the perfect recipe for massive credit card breaches. These things are designed to "democratize" the taking of credit cards by the little guys, but should payments really be democratized?

    There's no constitutional right to take credit cards. Taking credit cards to fuel your business is a responsibility. It's our data you're playing with!

    Very few merchants, especially the smaller ones, understand, or even care about, security.

    Frightening.

    You can follow John on Twitter here

    Posted by John Kindervag

  • New IIA Thought Leadership Reports Provide Guidance on Fraud and SEC Proxy Disclosure Rules

    Posted on February 8th, 2010 IIA News Feed No comments
    To keep you abreast of the latest issues impacting the internal audit profession, The IIA recently released two thought-leadership reports. The first report, Flash Alert: New SEC Proxy Disclosure Rules, discusses the steps chief audit executives (CAEs) can take to demonstrate internal auditing’s vital role in supporting effective governance and risk management practices in light of the new U.S. Securities and Exchange Commission’s (SEC’s) Proxy Disclosure Rules. To gather this thought leadership, The IIA’s Audit Executive Center convened a select group of internal audit professionals to develop a list of 10 actions CAEs should take now to establish internal auditing as an integral part of the new proxy disclosure process. Read the press release here. The second report, Knowledge Alert: Emerging Trends in Fraud Risk, summarizes the results of a recent IIA Flash survey on the state of internal audit efforts pertaining to fraud risk. According to the nearly 300 CAEs and internal audit directors and managers participating in the survey, the prevalence of fraud risks is still a topic of much debate in many organizations. Among other key results, the survey found that programs in companies to manage fraud risks are becoming a higher priority, receiving more attention at the senior management and board level, and starting to become more effective. These and other reports are being published by The IIA’s Audit Executive Center. Stay tuned to similar thought-leadership reports and other special offerings from the Audit Executive Center or contact Donna Batten, IIA director of CAE Services, for more information. To download a copy of both reports, visit The IIA’s Knowledge Services Web page.
  • Litchfield DBMS_JVM_EXP_PERMS 0-day on Oracle

    Posted on February 8th, 2010 Alex Rothacker No comments

    At last week’s BlackHat D.C., David Litchfield revealed 0-day vulnerabilities in Aurora, the Java implementation built into Oracle.

    Vulnerabilities in the following packages:

    • DBMS_JAVA
    • DBMS_JAVA_TEST
    • DBMS_JVM_EXP_PERMS

    allow an attacker to escalate their privileges to sysdba and take complete control of the database. It was successfully demonstrated how a low privileged user can grant themselves sysdba privileges, access every file on the Oracle host server and execute those files, including a shell. It was also shown how to load binary code into the Oracle process and execute it. Finally, a way to bypass Oracle Label Security was demonstrated.

    There is currently no fix available from Oracle, however Oracle’s access control features allow for a workaround. By default EXECUTE is granted to PUBLIC for the above mentioned packages.

    In order to protect against these current threats, database administrators should revoke execution privileges on these packages from PUBLIC and any other user that does not require them. The AppDetective and DbProtect ‘Object privilege granted to PUBLIC’ Oracle Vulnerability Assessment checks can be used to help find and remediate these privileges.
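    An added example, not part of the SHATTER bulletin or of Application Security's own checks: given the EXECUTE grants on the three packages named above, in the column shape of Oracle's DBA_TAB_PRIVS view (the sample rows and the allow-listed JAVA_ADMIN account are constructed), it lists the grants that should go and builds the matching REVOKE statements.

```python
# Added audit helper for the DBMS_JAVA / DBMS_JAVA_TEST / DBMS_JVM_EXP_PERMS workaround.
# Rows are shaped like Oracle's DBA_TAB_PRIVS view: (GRANTEE, OWNER, TABLE_NAME, PRIVILEGE).
# The sample rows below are constructed, not taken from a real database.

AFFECTED_PACKAGES = frozenset({"DBMS_JAVA", "DBMS_JAVA_TEST", "DBMS_JVM_EXP_PERMS"})

# Query a DBA would run (e.g. in SQL*Plus) to obtain the rows fed to the functions below.
AUDIT_SQL = (
    "SELECT grantee, owner, table_name, privilege\n"
    "  FROM dba_tab_privs\n"
    " WHERE owner = 'SYS'\n"
    "   AND privilege = 'EXECUTE'\n"
    "   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')"
)

# Constructed sample: the default PUBLIC grants plus two accounts that were granted
# DBMS_JAVA directly.  The DBMS_OUTPUT row is unrelated and must be left alone.
SAMPLE_GRANTS = [
    ("PUBLIC", "SYS", "DBMS_JAVA", "EXECUTE"),
    ("PUBLIC", "SYS", "DBMS_JAVA_TEST", "EXECUTE"),
    ("PUBLIC", "SYS", "DBMS_JVM_EXP_PERMS", "EXECUTE"),
    ("APP_USER", "SYS", "DBMS_JAVA", "EXECUTE"),
    ("JAVA_ADMIN", "SYS", "DBMS_JAVA", "EXECUTE"),   # hypothetical Java-dependent account
    ("PUBLIC", "SYS", "DBMS_OUTPUT", "EXECUTE"),
]


def risky_grants(rows, allowed_grantees=()):
    """Return the (grantee, owner, package) triples that should be revoked.

    A grant is risky when it is on one of the affected packages and is held by
    PUBLIC or by any grantee that is not explicitly allow-listed.  The allow-list
    exists because accounts that genuinely run Java in the database may need
    DBMS_JAVA; PUBLIC itself can never be allow-listed.
    """
    allowed = {g.upper() for g in allowed_grantees} - {"PUBLIC"}
    risky = []
    for grantee, owner, table_name, privilege in rows:
        if privilege.upper() != "EXECUTE" or table_name.upper() not in AFFECTED_PACKAGES:
            continue
        if grantee.upper() in allowed:
            continue
        risky.append((grantee.upper(), owner.upper(), table_name.upper()))
    return risky


def revoke_statements(rows, allowed_grantees=()):
    """Build one REVOKE statement per risky grant, ready to paste into SQL*Plus."""
    return [
        f"REVOKE EXECUTE ON {owner}.{package} FROM {grantee};"
        for grantee, owner, package in risky_grants(rows, allowed_grantees)
    ]


def still_exposed_to_public(rows):
    """Post-remediation check: which affected packages PUBLIC can still execute."""
    return sorted(pkg for grantee, _owner, pkg in risky_grants(rows) if grantee == "PUBLIC")


if __name__ == "__main__":
    print(AUDIT_SQL)
    for stmt in revoke_statements(SAMPLE_GRANTS, allowed_grantees=["JAVA_ADMIN"]):
        print(stmt)
    print("still exposed to PUBLIC:", still_exposed_to_public(SAMPLE_GRANTS))
```

Re-run the DBA_TAB_PRIVS query after the revokes and feed the new rows to still_exposed_to_public() to confirm it returns an empty list.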

    Application Security has also made available for download a custom policy and check to specifically find these privileges and learn if your Oracle databases are vulnerable. With Application Security, Inc.’s User Rights Review (URR) platform, customers will also be able to determine which users can exploit the vulnerability as well as an explanation of how to fix the vulnerability.

    Team SHATTER also suggests adhering to the following general security considerations to minimize the risk of new attacks like this:

    • Always stay up-to-date on the latest security patches
    • Minimize the attack surface by only installing and enabling functionality that is required for the business task
    • Remove all unused default components, accounts and databases
    • Assign only minimal privileges required
    • Assign privileges through roles, not directly to users

    Related links:
    SHATTER Security Bulletin

  • Video: Do you want Microsoft Software Assurance?

    Posted on February 8th, 2010 ScottR No comments

    Do you want or need Microsoft’s Software Assurance? A couple of basics of why or why not, and how an external party can help. Less than 15 seconds of a very unpainful “sell”, but some basic and very useful information about when Software Assurance is needed.

  • Increasing Online Insurance Self-Service Adoption

    Posted on February 8th, 2010 Bill Nagel No comments
    Insurance online self-service continues to gain momentum, but customer adoption remains low. We found that 55% of US online adults who own insurance have not visited their insurance provider's Web site in the past year. eBusiness managers for direct and agent-based insurers struggle to increase adoption due to an array of problems including the infrequency of insurance interactions, customers' channel preferences, and limited functionality. eBusiness managers are seeing some glimmers of hope, though, with increased adoption of certain activities like online bill pay and a solid business case for online self-service. eBusiness executives must "plan the work and work the plan" by developing a comprehensive strategy and using an array of tactics to increase customers' adoption.
  • The State Of The PMO

    Posted on February 8th, 2010 Bill Nagel No comments
    In the fall of 2009, Forrester Research in partnership with the Program Management Office Specific Interest Group (PMOSIG) of the Project Management Institute conducted a survey of the PMOSIG membership about the state of the PMO. The survey results provide a reasonable benchmark on how PMOs are functioning today and confirm our thinking about how PMOs are continuing to evolve into strategic governance structures. PMOs have multiplied within organizations and now extend beyond IT.
  • SharePoint 2010: Search Improved, But Think Twice About FAST Search Upgrade

    Posted on February 8th, 2010 Bill Nagel No comments
    Microsoft recently unveiled the public beta of SharePoint Server 2010 and the public beta of FAST Search for SharePoint. Information professionals will welcome the new ability to centrally manage metadata, as well as improved search for people functionality in SharePoint. In fact, Microsoft has improved SharePoint's integrated search capabilities to the point where the upgrade to FAST Search Server 2010 for SharePoint may prove unnecessary. Of course, Microsoft-centric enterprises will short-list FAST when they want to invest in an advanced enterprise search tool; the pricing and packaging are compelling relative to the alternatives. But if centralized search administration and a common developer experience is not your top priority, then FAST Search Server 2010 for SharePoint should be just another new, unproven product to stack up against alternative enterprise search platforms.
  • London 2012: Athletes And New Services Will Push Boundaries, Not The Underlying Technologies

    Posted on February 8th, 2010 Bill Nagel No comments
    In the first of our series of reports on the information and communications technology (ICT) behind the London 2012 Olympic Games, we looked at the six lessons that vendor strategists can draw from planning the biggest show on earth. When it comes to technology, the Games need solutions that are dependable, work with minimal risk when they are needed, and can scale. These factors point toward a cautious solution — and that is what the London 2012 Games are going to get. It is the athletes and the services deployed at London 2012 that will push the boundaries, not the underlying ICT that underpins a successful event. This leads to four important lessons for vendor strategists: 1) leading-edge is not always the best solution — dependable matters most; 2) keep it simple, stupid — don't overengineer it; 3) cautious technology deployment does not inhibit service innovation; and 4) testing ensures success. This has clear parallels in the B2B space: ICT is important and a key enabler, but it is the performance of the business that matters most.
  • Web Application Firewall: 2010 And Beyond

    Posted on February 8th, 2010 Bill Nagel No comments
    Having been thrust into the spotlight by payment card industry (PCI) data security standard (DSS) requirements three years ago, Web application firewall (WAF) — a technology that detects and blocks attacks against Web applications — has significantly matured. It's taken on a decidedly interesting identity, and standalone WAFs are almost nonexistent. In its place are solutions that include additional network functionality like content acceleration, application visibility, authentication, and database monitoring. We dub this new family of products "WAF+". Forrester estimates the 2009 market revenue of the WAF+ market to be nearly $200 million, and the market will grow by a solid 20% in 2010. Security and risk managers can expect two WAF trends in 2010: 1) midmarket-friendly WAFs will become available, and 2) larger enterprises will gravitate toward the increasingly prevalent WAF+ solutions.
  • B2B Tech Field Marketers Must Adapt To Remain Relevant

    Posted on February 8th, 2010 Bill Nagel No comments
    Field marketers in the technology industry are challenged as their corporate colleagues introduce more marketing automation and increasingly leverage the digital marketing opportunity for business-to-business (B2B) communications. The more traditional field marketer role of being a local subject matter expert, sometimes known as the local product champion, is diminishing. Additionally, the Web tends to promote a global strategy with little consideration of international differences in technology adoptions and culture. With this background, field marketing professionals, responsible for specific territories, need to ensure that their territory is addressed appropriately by their corporate colleagues, as well as ensure that they are not disintermediated by these shifts. Successful field marketers will re-define their role for the new decade to become even more empowered to influence company sales growth.
  • TV Advertising Budgets Are Under Siege

    Posted on February 8th, 2010 Bill Nagel No comments
    Forrester and the Association of National Advertisers (ANA) surveyed 104 US advertisers representing nearly $14 billion in measured media budgets. More than half of them — 62% — told us that TV advertising is less effective than it used to be. That's in line with what they told us in 2008. Advertisers want more accurate measurement and the option for more targeted and clutter-free ad inventory. Meanwhile, US marketers are willing to explore alternatives to the 30-second TV commercial as they shift budget from TV to social media, banners, and search. More forward-looking marketers are ready to experiment with online video ads, branded entertainment, and interactive TV. We recommend that advertisers get ready for the future of television, by preparing to deliver targeted commercials, delivering true branded entertainment experiences, and embracing the connected TV.
  • Securing Java In Oracle and DBMS_JVM_EXP_PERMS

    Posted on February 7th, 2010 Paul Wright No comments
    David’s Java/Oracle security research has been made public by the Blackhat conference in DC before it is patched by Oracle. Additionally there is some misinformation going round that this work only affects 11.2 which is incorrect as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix but since theoretical is not good [...]
  • IT World: IT maintenance

    Posted on February 6th, 2010 EXTREME CEK No comments
    There are just a few places to save money in your IT shop, and one of them is cutting back on IT maintenance. To help save money, ... www.fiercecio.com/story/it-maintenance-loses.../2009-09-23 ... Free trial CMMS software. www.imonitsoftware.com/ ... IT Maintenance Contract Tips Increase Your Profitability. Got a good IT Maintenance Contract? Attract more great IT maintenance clients with proven IT Maintenance Contract secrets now. www.computerconsultingkit.net/ ...
  • Oracle Breaks Regular Patch Cycle Because of Zero-Day Bug

    Posted on February 6th, 2010 Aggregated DB Security News Headlines No comments
    Oracle has released an out-of-band patch for a critical vulnerability in the WebLogic Node Manager utility. The company was forced to take this step after exploit code had been publicly released by a security research company without any advance notification.

    According to an official description from Oracle's site, "Node ... (read more)
  • A Lazy Pen Tester’s Guide to Testing Flash Applications

    Posted on February 5th, 2010 rudrak No comments

    Yesterday, I received a post on the Pen-Test mailing list requesting tips and resources on penetration testing of Flash applications. While there are some tools and white papers available, I could not find many authoritative resources that cover the entire spectrum of Flash security testing for RIA applications. So here is an endeavor to detail the steps of testing. I will keep this post to an outline of the essential steps and points. Please feel free to recommend additional tools and techniques. The idea is to come up with a comprehensive paper that pen-testers can use to test Flash-based Rich Internet Applications (RIA).

    A short unnecessary introduction on Flash RIA

    Adobe Flash (formerly Macromedia Flash) is a multimedia platform originally acquired by Macromedia and currently developed and distributed by Adobe Systems. Since its introduction in 1996, Flash has become a popular method for adding animation and interactivity to web pages. Flash is commonly used to create animation, advertisements, and various web page Flash components, to integrate video into web pages, and more recently, to develop rich Internet applications. Source: en.wikipedia.org/wiki/Adobe_Flash

    Conventionally, an RIA developed with Adobe Flash consists of a front-end application compiled as an SWF/AIR object, executed by the Flash plugin inside the user's browser or by the AIR runtime installed on the user's system. This interactive application provides the user interface and in turn communicates with a backend server for its business logic over protocols such as HTTP/AMF, HTTP/SOAP or HTTP/REST.

    The security angle

    Like any widely used web application or software, an RIA can also fall victim to the most common and dangerous security issues. For example, since most Flash-based RIAs are backed by an application that provides the business logic and in turn uses a database, a Flash-based RIA might also be vulnerable to common application vulnerabilities such as SQL injection if user input is not sanitized properly. Quite logical, huh? Attackers can also use Flash for mass exploitation, for example backdoors or malware written entirely in Flash/ActionScript, or buffer overflows against the player/plugin or the browser.

    It is reasonable to deduce that security flaws may also be present in the core environment (which includes the OS and web browsers) that can be exploited regardless of the applications (including Flash Player) running in that environment. A recent paper from Adobe states that Adobe's approach is to implement robust security within its own products while “doing no harm” to the rest of the environment (in other words, to introduce no exposures to the rest of the environment, nor allow any avenues for additional exploitation of any existing platform security weaknesses). This provides a consistently high level of security for what Flash applications can do (as managed within Flash Player), regardless of the platform. Because Adobe products are also designed to be backwards-compatible when possible, some environments may be more vulnerable to weaknesses in the browser or operating system, or have weaker cryptography capabilities. Ultimately, users are responsible for their choice of platform and for maintaining an appropriate operational environment.

    Vulnerabilities in flash RIA can be broadly classified under two categories: client side vulnerabilities and server side vulnerabilities. Let’s review each one of these very quickly:

    Client Side Vulnerabilities:

    Amongst the various vulnerabilities that might affect a Flash Application on the client side, some of the most common ones are:

    Flash Parameter Injection: It might be possible for an attacker to inject global Flash parameters when the movie is embedded in a parent HTML page. These injected parameters can grant the attacker full control over the page DOM, as well as control over other objects within the Flash movie. There is a nice detailed paper by the IBM Rational guys on this vulnerability. You can download it here.

    Cross Domain Privilege Escalation: Cross Domain inter-mixing of content and data is done based on access policy defined in crossdomain.xml of the serving domain for the SWF object. If the access policy is too open, then under certain circumstances, it might be possible for an attacker to supersede the original SWF object with his own malicious version or access the DOM of the hosting domain.

    Cross Site Scripting: Depending on access policy, a Flash SWF can access its host DOM for various functional use cases. A Flash SWF can in turn modify the DOM of its host and if it does so based on un-sanitized user input, it might be possible to perform a conventional XSS attack on the host DOM.

    Cross Site Flashing: Cross Site Flashing (XSF) occurs when an SWF object loads another SWF object. This attack could result in XSS or in the modification of the GUI in order to fool a user into entering credentials on a fake Flash form. XSF can occur in the presence of Flash HTML injection or when external SWF files are loaded with loadMovie methods. OWASP has a testing guide for XSF. Although not comprehensive, it is still a very good starting point. Read it here.
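    An added example, not from the post, for the cross-domain policy audit it refers to: it parses a crossdomain.xml document and flags the settings that make the access policy too open (the two sample policies are constructed, and app.example.com is a placeholder domain).

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
PERMISSIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
  <allow-http-request-headers-from domain="app.example.com" headers="X-Requested-With"/>
</cross-domain-policy>"""

# Meta-policy values under which Flash Player honours policy files other than the
# master /crossdomain.xml, so a policy file placed elsewhere on the host (e.g. in an
# upload directory) could widen access beyond what the master file allows.
LOOSE_META_POLICIES = {"all", "by-content-type", "by-ftp-filename"}


def audit_crossdomain(xml_text):
    """Return a list of findings for one crossdomain.xml document (empty = nothing flagged).

    Covers the settings behind the 'cross domain privilege escalation' case above:
    wildcard allow-access-from domains, secure="false", permissive meta-policies and
    wildcard request-header forwarding.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"root element is <{root.tag}>, not <cross-domain-policy>"]
    findings = []

    site_control = root.find("site-control")
    meta = site_control.get("permitted-cross-domain-policies") if site_control is not None else None
    if meta in LOOSE_META_POLICIES:
        findings.append(
            f'site-control permitted-cross-domain-policies="{meta}": non-master policy files are honoured'
        )

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(
                'allow-access-from domain="*": an SWF on any site may read this domain\'s responses '
                "with the user's cookies"
            )
        elif domain.startswith("*."):
            findings.append(
                f'allow-access-from domain="{domain}": every subdomain is trusted, '
                "including any that hosts user-uploaded SWFs"
            )
        # secure defaults to "true" and only matters for a policy served over HTTPS;
        # "false" lets an SWF loaded over plain HTTP use that HTTPS policy.
        if rule.get("secure", "true").lower() == "false":
            findings.append(
                f'allow-access-from domain="{domain}" secure="false": HTTP-served SWFs may read HTTPS data'
            )

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers", "") == "*":
            findings.append(
                'allow-http-request-headers-from domain="*" headers="*": any site may send '
                "custom request headers to this domain"
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}: {len(audit_crossdomain(policy))} finding(s)")
        for finding in audit_crossdomain(policy):
            print("  -", finding)
```

To audit a live site, fetch its /crossdomain.xml with any HTTP client and pass the body to audit_crossdomain(); any non-empty result is worth reviewing against the domains that actually need access.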

    Server Side Vulnerabilities

    Flash applications make remote calls to a backend server for various operations such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Flash applications built with the Adobe Flex SDK usually communicate by exchanging AMF objects over HTTP. AMF remoting calls are essentially RPC-like calls in which the Flash application invokes a given method defined on the server at a specific AMF endpoint. An attacker can intercept and tamper with the AMF data to compromise the server.

    In most cases the application server that provides the business logic for a Flash RIA frontend is a standard web application and can be affected by the very same vulnerabilities as any other web application, such as those described by the WASC Threat Classification Project.

    Testing Flash Applications: Objectives and Approach

    A Flash Security Testing exercise for a Flash Based RIA is conducted with the following objectives:

    • Identify the application entry points and test for possible vulnerabilities in the SWF Object itself.
    • Identify the remote server with which the application might communicate for its business logic requirements.
    • Identify the protocol with which the SWF Object is communicating with its back-end server. In most of the cases, the protocol will either be SOAP/REST or AMF.
    • Identify and enumerate all the functionalities exposed by the back-end application.
    • Penetration-test the individual functionalities exposed by the back-end application for standard application security vulnerabilities.

    Client Side Testing

    Client-side testing primarily relates to static analysis of the Flash application. The idea is to decompile the SWF file and take a white-box approach by examining the resulting source code. The basic approach to testing client-side vulnerabilities is:

    1. Decompile SWF files into source code (ActionScript) and statically analyze it to identify security issues such as information disclosure (hard-coded values).
    2. Audit third-party applications without requiring access to the source code.
    3. Common vulnerabilities include hard-coded login credentials, internal IP disclosure, etc.
    4. Apart from analyzing the SWF file, it is also important to analyze the code responsible for generating the HTML file that embeds the SWF object. Under certain circumstances it might be possible to manipulate the FlashVars variable through which SWF inputs can be influenced.

    There are, however, automated tools such as HP SWFScan that do this job up to a certain degree.

    Server Side Testing

    The most straightforward way to do server-side testing of Flash-based RIA applications is as follows:

    1. Extract Gateway

    • Load the Flash file (e.g. http://foo.com/bar.swf) in a browser with ServiceCapture, Burp proxy or Charles proxy running.
    • Decompile the SWF using swfdump and grep for the gateway patterns. Also collect the list of all URLs from the swfdump output.

    2. Enumerate service/methods

    • Try amfphp.DiscoveryService on all gateways using Pinta.
    • Pinta can also make AMF calls to services and methods that are entered manually, which helps in testing remote methods.
    • If that fails, try extracting them from the swfdump output with the following regular expressions.
      Services:
      \"([a-zA-Z0-9_]*)\" with the matches filtered on "service" (conventional)
      destination id=\"([\w\d]*)\"

    3. Make AMF calls

    • Use Pinta to call remote methods with different test parameters.
    • For example a single quote (SQL injection) or neighboring parameter values (direct object reference).

    Once the exposed functionalities are enumerated, testing the backend application should follow the standard web application security testing methodology more or less unchanged; the only difference is that a different protocol (AMF serialized calls in this case) is used to interact with the server and invoke the functionalities.

    Checklist of Vulnerabilities to be tested

    • Cross Site Scripting
    • Malicious Data Injection
    • Insufficient Authorization Restrictions
    • Secure Transmission
    • SWF Information Leak
    • Minimum Stage Size for Anti-ClickJacking
    • SWF Control Permission
    • Untrusted SWF in Same Domain
    • Clickjacking
    • Privilege Separation
    • Cross Domain Policy Audit
    • Uninitialized Variable Scanning
    • Remote Method Enumeration
    • Business Logic Testing

    This is a brief guide to testing flash applications. Comments are welcome to make it better and more comprehensive. At the end, we intend to publish a freely available whitepaper to pen testers for testing flash based RIA. Additional sections included in the paper will also carry due credits as received in the comments section below.


  • Online Shopping Sites May Be Sharing Your Credit Card Data

    Posted on February 5th, 2010 John Kindervag No comments

    The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the retailer you are shopping with your credit card number:

    "Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."

    My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard.  According to the PCI DSS:

    "Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."

    It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.

    An MSNBC story on the investigation puts it this way:

    "Here’s where things really get smarmy. Even though you did not give that second company any account information, they will bill the credit or debit card number you used to make the original purchase. You didn’t have to provide your account number because the “trusted” retailer gave it to them for a cut of the action."

    My guess is that this is being done outside of the security and PCI folks at these companies. In fact, this type of usage of credit card information is one of the biggest areas of push back our clients get internally.  We often hear complaints from security teams that they are having difficulty enforcing PCI and other security initiatives because marketing and business intelligence management claim that they "need" credit card numbers to run their businesses. Really bad idea. No one "NEEDS" credit card numbers for anything except completing a transaction. They may "USE" credit card numbers for other business purposes, but they do this at the risk of their entire organization. True credit card security will only happen when there is a fundamental mindshift in organization so that they understand that credit card numbers (or any other personal or private information for that matter) is not theirs to use in any way they want, especially for marketing purposes.

    Expect to see other states get involved. Nothing will shut this practice down faster than legal departments being forced to respond to a whole bunch of subpoenas.

    Posted by John Kindervag

  • Meta tags – UK Business Forums

    Posted on February 5th, 2010 Kerrib4 No comments
    I'd personally say that they are a "must" but you could save a few pennies by knowing what content management system your blog runs on. If it's wordpress there's free plugins available that will let you put meta tags on each post quite .... knows anything about your business, your eCommerce provider, the package used, and your contract with them. If you have no ongoing maintenance contract, then it's perfectly normal to be charged high for any work that needs doing. ...
  • My trip to China

    Posted on February 5th, 2010 ScottR No comments

    Just a few pics from my visit to China.  If you think it’s cold here, try walking around for 5 minutes on The Great Wall.

  • Using Digital Channels To Create Breakthrough Multichannel Experiences

    Posted on February 5th, 2010 Bill Nagel No comments
    Operating in a multichannel environment isn't new, but it's becoming increasingly complex. Customers spend more time online and increasingly use digital channels to do more than just buy goods — they now routinely use digital channels to gather information, transact, and obtain help. In response, organizations must incorporate more digital channels into their multichannel strategies and tactics, including mobile and social media. Succeeding won't be easy: Few companies are committed to supporting effective multichannel experiences. Companies that don't address this effectively put the relevancy of their digital channels, and perhaps even their brand image, at risk. To create and sustain breakthrough multichannel relationships across digital channels, eBusiness executives must deploy the right tools, like channel-appropriate communications, and rethink organizational structures to ensure that they are focused on the customer, not the channel.
  • Banking CIOs: Keep Your Eye On The Ball

    Posted on February 5th, 2010 Bill Nagel No comments
    As the banking industry begins its climb out of the recession, banks are looking for ways to provide new services, foster better relationships with customers, integrate business processes and technology in new and better ways, and preserve or increase market share — all in an environment of consolidation and heightened competition. Banking industry CIOs should be aware of innovations and developing technologies that will help them shape their organizations for competitive advantage. Forrester notes eight small tech companies to watch as they innovatively address key banking processes and challenges.
  • Trends 2010: North American Retail Banking eBusiness And Channel Strategy

    Posted on February 5th, 2010 Bill Nagel No comments
    2010 is shaping up to be a much better year for retail banking. While there will undoubtedly be lingering effects of the recession, the industry feels that that the worst is behind it. So what should eBusiness and channel strategy executives expect for 2010? Forrester believes that executives should start planning for the recovery that will impact not only their budgets but also consumers' attitudes and appetites. They should focus on projects that provide broader metrics to better run their businesses and integration efforts to make multichannel interactions seamless for their customers. In addition, a better understanding of and deeper appreciation for marketing disciplines will become increasingly important for success as a channel executive.
  • Mapping The Customer Journey

    Posted on February 5th, 2010 Bill Nagel No comments
    Left to their own devices, companies often neglect customers. But they don't need to. We recommend that organizations use customer journey maps to examine interactions from their customers' points of view. Mapping the customer journey requires five steps: 1) Collect internal insights; 2) develop initial hypotheses; 3) research customer processes, needs, and perceptions; 4) analyze customer research; and 5) map the customer journey. To get the most value from these journey maps, companies need to widely share findings, take action on insights, and sustain the learnings over time.
  • Leveraging Customer Satisfaction, Loyalty, And Perception To Drive B2B Tech Success

    Posted on February 5th, 2010 Bill Nagel No comments
    In the tech sector, 2009 was challenging. A down economy paired with high uncertainty in purchasing decisions made it particularly hard for strategists to defend their competitive position. Vendors focused on retaining and acquiring clients that in 2009 were becoming increasingly sophisticated and less loyal in their buying decisions. Forrester's total vendor experience (TVE) research focuses on the macro drivers of enterprise clients' experience to help vendors better understand how loyalty, satisfaction, and perception (in terms of brand and market positioning) interact. Overall, we found that vendors must put more emphasis on the soft factors in a client relationship and invest more in their brand to drive stronger differentiation and loyalty in the market.
  • Web 2.0 Pivot Attacks

    Posted on February 4th, 2010 Jeremiah Grossman No comments
    Any penetration tester would agree that pivot attacks, designed to compromise a secondary host to more effectively attack primary targets, are incredibly powerful. Organizations tend to have difficulty protecting all hosts at all times, which is why proper network segmentation is vital should loss of control occur on any one node. Often it’s easier to compromise a host from behind rather than head on. Case in point, a hacker used a pivot attack to break into Heartland Payment Systems and pilfer 130 million CC#s. A SQL injection exploit was used to get a foothold in a non-payment-network host, leading to the eventual data compromise. Recently I had a thought that pivot attacks exist in a Web 2.0 world as well; they are just not typically viewed that way.

    Many websites automatically load in content from remote resources (JavaScript, Flash, more HTML, images, etc.), which are hosted by third-party providers. These resources normally embed advertisements (DoubleClick), traffic counters (StatCounter), user trackers (whos.amung.us), games (Pogo), videos (YouTube), and thousands of other forms of dynamic content. These are often generically called “Web page Widgets,” things Web pages might want to include for their visitors. There are thousands, maybe tens of thousands of these types of providers. Let’s look at some top mainstream media websites to see what widget hostnames they include:

    TechCrunch
    ad.doubleclick.net
    ads.undertone.com
    altfarm.mediaplex.com
    b.scorecardresearch.com
    bs.serving-sys.com
    button.topsy.com
    cdn.undertone.com
    edge.quantserve.com
    googleads.g.doubleclick.net
    img.mediaplex.com
    mp.apmebf.com
    network.realmedia.com
    partner.googleadservices.com
    pubads.g.doubleclick.net
    s0.2mdn.net
    services.crunchboard.com
    static.ak.connect.facebook.com
    widget.startups.com
    www.facebook.com
    www.google-analytics.com
    www.oracle.com
    www.sun.com
    www.tumri.net
    ytaahg.vo.llnwd.net

    NY Times
    ad.doubleclick.net
    admin.brightcove.com
    ads.pointroll.com
    at.amgdgt.com
    brightcove.vo.llnwd.net
    c.brightcove.com
    googleads.g.doubleclick.net
    graphics8.nytimes.com
    load.tubemogul.com
    markets.on.nytimes.com
    receive.inplay.tubemogul.com
    static.inplay.tubemogul.com
    timespeople.nytimes.com
    video2.nytimes.com
    64.191.193.124

    Wall Street Journal
    ac3.msn.com
    ad.doubleclick.net
    adsyndication.msn.com
    om.dowjoneson.com
    online.wsj.com
    s.wsj.net
    www.marketwatch.com

    CNN
    ads.cnn.com
    b.scorecardresearch.com
    edition.cnn.com
    i.cdn.turner.com
    i.cnn.net
    metrics.cnn.com
    svcs.cnn.com

    USA Today
    ad.doubleclick.net
    ads.adsonar.com
    ads.revsci.net
    altfarm.mediaplex.com
    b.scorecardresearch.com
    content.usatoday.com
    gannett.gcion.com
    i.usatoday.net
    img-cdn.mediaplex.com
    img.mediaplex.com
    js.revsci.net
    media.fastclick.net
    mp.apmebf.com
    optimized-by.rubiconproject.com
    pix04.revsci.net
    r1.ace.advertising.com
    rd.apmebf.com
    tap-cdn.rubiconproject.com
    usata1.gcion.com
    usatoday1.112.2o7.net

    Washington Post
    ad.bizo.com
    ad.doubleclick.net
    ads.adsonar.com
    ads.bluelithium.com
    ads.revsci.net
    altfarm.mediaplex.com
    bp.specificclick.net
    custom.marketwatch.com
    fls.doubleclick.net
    js.revsci.net
    media.washingtonpost.com
    mp.apmebf.com


    In a Web security context, these websites essentially allow arbitrary executable code, supplied by the third-party, complete access to the browser DOM and the user’s session information. *Exception being IMG SRC loads* That means they can hijack accounts by stealing authentication cookies; change the news or ask for passwords by altering what the user sees on the screen; redirect users to malware laden websites; force browsers to attack other systems, and more. By including Web widgets from an uncontrolled source on your pages, the third-party’s entire infrastructure must be included as part of the implicit trust model. These dangers have been previously discussed by Tom Stripling where the third-party service provider was assumed to be the potential nefarious source. I think the concern lies a bit deeper, where a malicious Web 2.0 pivot attack comes in.

    If a bad guy, APT or a less-skilled adversary, wants to surreptitiously compromise a (relatively) hardened Web presence (or its users), they don’t necessarily need to go after the target directly; they could instead go after the aforementioned third-party providers. How many of these third-parties take security as seriously as their customers do? Assumed few, but we really don’t know for certain. Please comment below if you have experiences here to share. How many organizations really check up on the third-party’s security posture or even know enough to take this risk into consideration? Again, some do, but very few in my personal experience. The organization might dismiss the concern by saying something like:

    "If X gets hacked we'll have bigger problems on our hands."

    Important to add is that during a Web 2.0 pivot attack no traffic is directly seen by the primary target, which basically makes it impossible for them to detect/thwart the attack before a compromise. Post third-party compromise, it might be nearly as hard to detect a Web widget code update unless you can somehow monitor the content changes in unexpected ways. This of course assumes the primary target knows how, when, or if the third-party changes the code (rare). Not to mention the inclusion of Web page widgets is almost always beyond the visibility of a security team, because this process is largely managed through marketing / product management (not so much application development) and can easily happen at any time with zero notice.

    Pen-testers to my knowledge can’t/don’t use this type of pivot attack because the third-party is usually another organization, unwilling to grant security testing authority, and therefore out of the scope of the engagement. Also important is that in a network pivot attack you may still be limited in what you can do on a host due to network segregation, ACLs, etc., but in JavaScript space, you are basically God.

    Yes, the HTML 5 sandbox would be really nice to have.



    WhiteHat Security is a leading provider of website security services.
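    As an added example, not part of Grossman's post or of WhiteHat's own tooling, the following Python script performs the two defensive checks the post implies: it inventories which third-party hosts a page loads executable content from (script, iframe, object, embed) as opposed to image-only loads, reports the code-loading hosts that are not on an allowlist, and compares fetched widget bodies against a SHA-256 baseline so an unannounced code change at the provider stands out. The sample HTML, the allowlist and every `.test` hostname are constructed; the real hostnames reused from the lists above serve only as illustrations.

```python
"""Inventory the third-party hosts an HTML page pulls content from and flag the
ones that get code execution in the page (script/iframe/object/embed), as
opposed to image-only loads; then check fetched widget bodies against a hash
baseline so an unannounced code change stands out."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose remote source runs with full access to the page DOM and session.
CODE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Image loads are the exception the post notes: no script runs in the DOM.
IMAGE_TAGS = {"img": "src"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every remote-loading tag in the page."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = CODE_TAGS.get(tag) or IMAGE_TAGS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url:
            self.resources.append((tag, url.strip()))


def hostname_of(url, page_host):
    """Hostname a URL resolves to; relative and data: URLs count as first party."""
    host = urlsplit(url).hostname  # lowercase, port stripped; None if no netloc
    return host if host else page_host


def inventory(html, page_host, allowlist):
    """Group third-party hosts by whether they can run code; list unapproved ones."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {"code": {}, "image": {}, "unapproved": []}
    for tag, url in collector.resources:
        host = hostname_of(url, page_host)
        if host == page_host:
            continue  # first-party content is the site's own trust domain
        bucket = "code" if tag in CODE_TAGS else "image"
        report[bucket].setdefault(host, []).append(url)
    # Only code-executing hosts need to be on the allowlist; image hosts are
    # reported but not flagged, matching the post's IMG SRC exception.
    report["unapproved"] = sorted(h for h in report["code"] if h not in allowlist)
    return report


def changed_widgets(baseline, fetched):
    """URLs whose fetched body no longer matches the recorded SHA-256 baseline
    (or that have no baseline at all)."""
    return sorted(url for url, body in fetched.items()
                  if baseline.get(url) != hashlib.sha256(body).hexdigest())


# Constructed sample page: real hostnames from the lists above plus .test names.
PAGE_HOST = "www.example-news.test"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script src="http://ad.doubleclick.net/adj/news;sz=728x90"></script>
<script src="https://widget.startups.test/embed.js"></script>
</head><body>
<img src="http://b.scorecardresearch.com/p?c1=2">
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
<object data="http://cdn.undertone.test/ad.swf"></object>
</body></html>"""
# Hosts that have actually been approved for inclusion (constructed).
ALLOWLIST = {"www.google-analytics.com", "ad.doubleclick.net", "www.facebook.com"}

# Constructed widget bodies for the baseline comparison.
WIDGET_URL = "https://widget.startups.test/embed.js"
BASELINE = {WIDGET_URL: hashlib.sha256(b"window.widget = 1;").hexdigest()}
FETCHED_UNCHANGED = {WIDGET_URL: b"window.widget = 1;"}
FETCHED_MODIFIED = {WIDGET_URL: b"window.widget = 1; /* new code */"}

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, PAGE_HOST, ALLOWLIST)
    for host, urls in sorted(report["code"].items()):
        print(f"code  {host}: {urls}")
    for host, urls in sorted(report["image"].items()):
        print(f"image {host}: {urls}")
    print("unapproved code hosts:", report["unapproved"])
    print("changed widgets:", changed_widgets(BASELINE, FETCHED_MODIFIED))
```

    Run against a saved copy of a real page, the inventory gives the security team the list the post says it usually never sees, and re-running the hash comparison on a schedule turns a silent widget update at the provider into a visible diff. It does not catch content injected by scripts at runtime, so it is a baseline, not a substitute for a content-security policy.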

  • Security Alert For CVE-2010-0073 Released

    Posted on February 4th, 2010 Eric Maurice No comments

    Hi, this is Eric Maurice again.

    Oracle just released a Security Alert with a fix for the vulnerability CVE-2010-0073, which affects Oracle WebLogic Node Manager. This vulnerability was recently publicly disclosed and the organization that discovered this vulnerability did not attempt to contact Oracle prior to releasing detailed technical information about it.

    A successful exploitation of this vulnerability may result in a full compromise of the targeted server on Windows. On other platforms (Unix, Linux, etc.), the attacker may gain access to the targeted server with the same privileges as the WebLogic server processes. This kind of vulnerability further highlights the need to use "least privilege" as much as possible on operating systems for running sensitive processes and applications. Additionally, note that many organizations have firewall policies preventing connection to the Node Manager administrative port by external users, thus preventing the exploitation of the vulnerability by anonymous Internet users.

    Oracle strongly recommends that WebLogic customers apply this fix as soon as possible, and review their network access policies to possibly further restrict TCP/IP access to the WebLogic Node Manager to very few trusted staff.

    For more information:
    - Oracle's security vulnerability fixing policies (including Oracle's policies when working with external security researchers) are available at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html
    - The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technology/deploy/security/alerts.htm
    - Information on how to subscribe to Oracle security notifications is posted at http://www.oracle.com/technology/deploy/security/securityemail.html


  • Turkey, Germany, York, Holland and the Oak Table book

    Posted on February 4th, 2010 Pete Finnigan's Oracle security weblog No comments

    I was away most of last week to teach my class How to perform a security audit of an Oracle database in Istanbul, Turkey including the travel out and back. It was a good class, very well attended and some....[Read More]

    Posted by Pete On 02/02/10 At 06:37 PM

  • The Oracle listener password algorithm

    Posted on February 4th, 2010 Pete Finnigan's Oracle security weblog No comments

    There has been a thread on my forum for a couple of years discussing the Oracle listener password algorithm. The thread is titled "Key and algo for encrypting the listener password". This thread discussed the issue of being....[Read More]

    Posted by Pete On 01/02/10 At 07:39 PM

  • Two new Oracle root kits

    Posted on February 4th, 2010 Pete Finnigan's Oracle security weblog No comments

    Dennis has made two great posts about Oracle rootkits on his blog. The first is about creating a backdoor into the Oracle binaries and logon process/function by replacing the C library function kziaia() so that if the user presented is....[Read More]

    Posted by Pete On 20/01/10 At 02:06 PM