Archive for August, 2009

Could Google be tricked into talking to botnets?

By Kathleen Lau , Computerworld Canada , 08/21/2009

Cybercriminals could start to take advantage of the popularity of search engines like Google as vehicles for relaying malicious code to botnets every time a particular keyword is searched for, said one Vancouver-based security expert.

Creators of botnets could potentially inject code in various Web sites and choose particular keywords that nobody is yet using on the Web, said Vaclav Vincalek, president of Pacific Coast Information Systems (PCIS) Ltd.

“If the botnet starts using Google for special keywords and finds the code and executes, you can start using Google as the transmission of the code or instructions to these botnets,” said Vincalek.

“Basically, (the search engines) will do the dirty work.”

Anti-virus forgetfulness fubars Fox forecast

Whither the weather?
By John Leyden

Posted in Anti-Virus, 20th August 2009 10:18 GMT
Measured and non-partisan US TV channel Fox was left looking rather silly after it forgot to renew the anti-virus subscription on an on-air PC.

Attempts to switch to a weather forecast were interrupted after the PC concerned displayed a prominent warning that its Norton AntiVirus had expired. The presenter concerned didn’t miss a beat in describing a weather front over New Jersey, and clicked on a dialogue box to remove the message.

Still, viewers couldn’t have failed to notice the prominent red-bordered message.

A video clip of the amusing snafu can be found on the Fail Blog here

Hidden Threat: NTFS Alternate Data Streams (ADS)

by Rohan Sethi / Aug 20, 2009 / Tags: security, ADS, threat

Alternate Data Streams in NTFS (NT file system) are a rather little-known compatibility feature of Windows NT systems. They were introduced in NTFS to provide compatibility with HFS, the old Macintosh Hierarchical File System. The primary function of ADS is to hold metadata about files: the details written into the summary of a text document (right-clicking the TXT file, selecting Properties, and then selecting the Summary tab) get attached to the file as an ADS.

So what’s so special about ADS?

One may think, “A text document’s summary is stored as an ADS… so what?” Well, there’s more to it: executable code can also be stored in an alternate data stream without the file’s timestamp, its listed size or the name of the running process being modified. Moreover, files with an ADS are almost impossible to detect with native file-browsing tools like Windows Explorer or the command line; software that can identify them is few and far between…

Exploiting ADS

The lengths a malicious hacker will go to in order to hide his tracks can be astonishing, and this is what makes ADS the worst nightmare of a system administrator. Because ADS are concealed, detecting and preventing the execution of malicious code stored in them is intricate.

Once a hacker has acquired administrator access on the system, he will strip off all information of concern to cover up his presence and will try to install a backdoor (a remote access Trojan) for easy future access. This backdoor needs to be veiled from the system administrator, and this is where ADS comes in: it can be used to hide files on the breached system, evading detection, and to execute them without the knowledge of the sysadmin.

The ability to hide executable code in an invisible form inside an ADS can also make viruses difficult to detect within a file system, because most virus scanners only verify the default data stream of each file. Major anti-virus vendors point out that an ADS must be loaded into memory before execution and thus will be detected by real-time scanning (a “real-time” scan is one performed on a file after it is loaded into memory, just after it is commanded to execute). The problem with this approach is that many network administrators do not run real-time scanning on their servers or workstations because of its performance impact.

Denial of Service (DoS) attacks that exploit ADS also exist, and again it is the difficulty of detection that increases the threat. For example, it is quite common for an attacker to create a file large enough to fill up the system partition on a Windows NT/2000 system, crashing the server for lack of space for temporary files. When the main stream of a file is used in such an attack, the offending files are easily identified by their abnormally large size. By using alternate streams instead, it can be made difficult to find where the offending files are located on the system. Another attack exploiting ADS can be launched by creating a large number of alternate streams, more than 6,000, on a single file. If the attacker or the system then tries to access the default stream of that file, the system’s response slows considerably and, in the worst case, the system crashes, creating a Denial of Service.

Moreover, this vulnerability is not confined to the NTFS file system; any other file system that uses streams for alternate data is vulnerable.
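The detection side of the problem above, as an added example that is not part of the original article: a PowerShell function that walks a directory tree, asks NTFS for every stream on each file, and reports the ones that are not the default `$DATA` stream, alongside the size Explorer would show and the total number of streams on the file (so a file carrying thousands of streams stands out too). It assumes PowerShell 3.0 or later on an NTFS volume, since the `-Stream` parameter of `Get-Item` and the `-File` switch of `Get-ChildItem` were introduced in that version; the stream name `notes` and the file `ads-demo.txt` in the self-test are constructed for the demonstration.

```powershell
# Added example, not from the original article. Requires PowerShell 3.0+ on NTFS.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names that are expected on a healthy system and are not reported.
        # ':$DATA' is the default stream; 'Zone.Identifier' is the "mark of the web"
        # that browsers attach to downloaded files.
        [string[]] $Ignore = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every stream on the file, including the default one.
            $streams = @(Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue)
            $alternate = @($streams | Where-Object { $Ignore -notcontains $_.Stream })
            foreach ($s in $alternate) {
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $s.Stream
                    StreamBytes = $s.Length      # bytes hidden in this stream
                    ListedBytes = $file.Length   # the size Explorer and a plain "dir" show
                    StreamCount = $streams.Count # thousands here is the DoS case
                }
            }
        }
}

# Constructed self-test: a temp file whose visible content is small but which
# carries a harmless text stream named "notes". The report shows the stream,
# its size, and that the listed file size did not change.
$sample = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'notes' -Value 'text stored in an alternate stream'
Find-AlternateDataStreams -Path $env:TEMP | Where-Object File -eq $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Two practical notes: run it against user-writable locations and anything a web or file server serves from, since those are where dropped files end up, and expect `Zone.Identifier` to be the dominant legitimate stream, which is why it is excluded by default. On Windows Vista and later the built-in `dir /R` also lists streams, so a quick manual check of a single directory does not need a script.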

Security flaws foul financial giant’s Web site

Dan Goodin, The Register 2009-08-21
For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal users’ cookies, according to a web security expert.

The XSS, or cross-site scripting, flaws made it possible for phishers to send Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics. The holes could also allow criminals to steal browser cookies used to authenticate online accounts.

In the five months since Russ McRee of HolisticInfoSec.org first identified the bugs, Ameriprise offered customers statements like this one, which assures visitors that “no one without the proper web browser configuration can view or modify information contained on our systems.” And yet, not one of the half-dozen warnings McRee sent was answered.

“The reality is that not enough of these companies at that level, particularly in the financial sector, properly do intake for vulnerabilities,” said McRee. “There should be something on their site that says ‘If you see a security issue on our site, please report it.’”

It was only earlier this week that federal prosecutors revealed that another garden-variety web vulnerability, known as an SQL injection, was the chink that allowed Albert Gonzalez and other hackers the toehold they needed to steal more than 130 million credit card numbers from card processor Heartland Payment Systems and four other companies. Like SQL injection flaws, XSS vulnerabilities have been around for more than a decade and are routinely discounted as insignificant by many of the websites plagued by the bugs.

Indeed, Benjamin Pratt, Ameriprise’s vice president of public communications, played down the severity of the bugs brought to his attention, saying they affected only one portion of the company’s site.

“It’s an important point to note that none of our client data can be exposed by this,” he said shortly after being alerted to the bug. “There’s no one at risk here. Like any other vulnerability, we’re aware of it and we’re moving as quickly as we can to repair it.”

He said Ameriprise officials have no way of verifying that the bugs were reported as long ago as March, but in any event he said that there are no plans to review any of the mechanisms the company may have in place to receive notifications from the public about website vulnerabilities.

“There are plenty of customer service and other phone numbers available on our website,” he said. “I can’t speak to that specific experience.”

It’s not the first time a major financial services company has been caught sitting on a bug that could undermine the security of its online customers. In December, web application developers fixed several XSS holes on the website of American Express, more than two and a half weeks after McRee reported them to company representatives.

That bug was particularly embarrassing because Amex is a founding member of the PCI Security Standards Council, the group that sets the rules governing the Payment Card Industry. According to the rules, sites that suffer from XSS vulnerabilities are not compliant with payment card industry data-security standards.

Facebook Applications Used For Phishing

It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before.
