Monday, October 20, 2008

My picks for hakin9 news

| Armando Romeo |
hakin9 is bimonthly magazine about hacking and IT security, available in 7 languages, covering techniques of breaking into computer systems, defense and protection methods from a learn by practice perspective. This means you don't find abstract theory. Every article is supported by tested source code and proof of concept. This what makes the difference from other similar journals in my opinion.

I'm very proud to be a stable contributor to the magazine providing the hottest news in the industry for every issue.

I have complete freedom of choice both in picking the best news and what to write about them. This means you read unbiased reviews and vendor-independent tests.



(Image refers to issue n.5 available now, next issue cover is not yet finalized)

I just finished to write the last news for the next issue that should be available for everyone in a month. So I thought to list here my picks as a summary of what happened in the security industry in the last 2 months

  1. Clickjacking vulnerability explosion
    It was impossible not to write something about the most discussed vulnerability in the web application security field since weeks...
  2. Google Chrome release
    We all know the breakthrough of the month was the new browser released by Google...with annexed all the bugs shipped with it
  3. T-mobile data breach
    Over 11 millions customers data exposed...
  4. Privacy in the couterterrorism era
    Finally U.S. National Research Council realized that may be privacy of U.S. citizen has been abused too much in the name of the anti-terror fight
  5. Graphic cards cracking WPA2
    With new graphic cards, much more power is available for videogames...and wireless cracking
  6. World's most popular smartcard hacked
    The hack-the-rfid saga goes on with more issues for the top seller in the field
hakin9 is available in printed and digital version. If you want to become an author just mail me and I will route you to the right person.

Wednesday, October 8, 2008

ClickJacking Explained

| Yash Kadakia |
What is ClickJacking?
ClickJacking is a relatively old vulnerabilitiy that has been around since 2003-2004, however it has been recently brought back to life by Robert Hansen and Jeremiah Grossman. ClickJacking is a little bit difficult to explain however try to imagine any button that you see in your browser from the Wire Transfer Button on your Bank, Post Blog button on your blog, Add user button on your web-site etc. ClickJacking gives the attacker to ability to invisibly float these buttons on-top of other innocent looking objects in your browser. So when you try to click on the innocent object, you are actually clicking on the malicious button that is floating on top invisibly.

So while you are simply trying to close the javascript pop-up on your screen, play a flash game or interact with some ajax web-site -- you might really be clicking on the button to wire-transfer money to a russian bank account.

A slightly more technical description would be: A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items,' 'click to add Bob as a admin,' etc. It may then provide its own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it.

In other words, the hacker would dupe users into visiting a malicious page -- through the usual methods -- but then hide the nasty bits under what appears to be the real-deal content from a legitimate site.

How Serious is ClickJacking?
On its own ClickJacking doesn't sound to be a very serious vulnerability, since user interaction is required. However as I have always said, in the world of vulnerabilities 1+1 does not always equal to 2, and might just equal to 10^2. By this I simply mean, that ClickJacking in combination with other vulnerabilities could become a very serious issue.

Example - ClickJacking can Spy on your Webcam and Microphone
Just as I wrote this blogpost a new use for ClickJacking has been disclosed where it can be used to spy on your Microphone and Webcam. This is based on a new vulnerability discovered in Adobe's Flash Software and published about on Guya.net, Rsnake's Blog and Jerremiah Grossman's Blog.

A particular vulnerability exists in Adobe's Flash Software, which allows the malicious attacker to use ClickJacking to gain access to the user's web-cam and microphone.

The vulnerability works as follows:
1) You visit a web-page with a flash application/game embedded in it.
2) You click on the flash button.
3) Your click is "click-jacked" into allowing the server to access your web-cam and microphone.

Whatis really happening:
1) You visit the web-page, in the back the target application (in this case Adobe's Settings Panel) is loaded and made invisible. The Allow button is made to float invisibly.
2) While you click on the flash button, the invisible Allow button is floating on top of the flash button and actually receives your click.
3) The Flash application now has full permission to access your web-cam, microphone etc and even have it stream to a server where it is recorded for future viewing.

You can see a video of this in action at: Youtube and Vimeo.

Cross Posted from Yash Kadakia's Blog - ClickJacking Explained.

Sunday, October 5, 2008

Visa Mastercard and Ftc drivers for security investments

| Armando Romeo |
I've always thought that the only way for companies and organization to give some serious interest into security is through law enforcement, compliances and heavy fines on data breaches.

In places where security is still unknown and law enforcements cannot be taken in place, buying online or simply providing personal data is still a risk. I am thinking about those countries in which the internet based services are still not so spread and so green that any laws on this direction would slow down the investments on innovation in the field.


TJX, sure, demonstrated that compliance is not enough. But TJX serves as a case for all the other companies.

A driver for more investments in security. This is what the field needs to increase awareness of the problem, unfortunately.

The difficulty into configuring security investements into a mere ROI plan plays a big role here.
Lack of exact figures of both incidents and cost for insecurity makes things worse.
Convincing companies into spending on security involves now showing figures of fines and cost of insecurity.
And cases like TJX is just the most visible example.

Mastercard and Visa have published schedules of fines for merchants who are non-compliant and a further set of penalties for merchants who experience a compromise of Credit Card Data
In most cases credit cards theft costs $25 (€ equivalent) per card number disclosed
and the cost of the forensic investigation will also be levied.

This easily becomes hundreds thousand dollars for small merchants up to million dollars for bigger ones.

Moreover FTC, Federal Trade Commission, in the US, plays another driver role for security investments.

The fines applied on data breach, being it SSN disclosure or privacy policy violation, are extremely tough.
Companies that have experienced information security breaches are required to notify not only the individuals whose personal information was impacted but also numerous state regulators that will, in most of the cases, open an investigation that may take up to 2 years.

If the company is found to be in violation of the federal laws on privacy and data security retention has to face fines and obligation for the 20 years following the incidents. 20 years yes.
FTC enforces independent biennal security assessments, compliance papers and data retention policies revised periodically.

The cost of such incidents is a sum of legal expenses (that in many cases fall in class actions category), compliance cost, bureaucracy costs (not to be understimated here since it's a long process) and fines.

ChoicePoint Inc, agreed to pay $10 Million in federal fines for identity theft of 160,000 people
plus $5 Million to compensate people who suffered as a result of the breach.
These numbers talk on them selves without the need for further FUD (Fear Uncertainty Doubt).
FTC is only in the US. I'm not aware of anything similar in Europe.
US are serious about your privacy

Free Security Magazines