All Entries Tagged With: "applications"

Hacked Facebook applications reach out to exploit sites in Russia

From: AVG Blogs | Roger Thompson

Hi folks,

All the social networking sites have issues with calling out to exploit pages. Usually what happens is that someone’s website gets hacked, and because they link to it from their MySpace or Facebook page, their contacts and friends sometimes get drawn to the attack sites. This is quite common, and we’ll write about it soon, but today’s story is a little different, in that these seem to be actual Facebook applications that have been hacked. (Please note that the application developer(s) are innocent victims too, and did not intend for their games to be hacked.)

The first one we noticed was CityFireDepartment, which seems to be a sort of online game that allows a player to become a fireman. (Please DO NOT GO to this application until it is cleaned up).

This is how it's supposed to look:

[image: facebook1]

But what you see instead is something like this (especially if you are not patched):

[image: facebook2]

If you're not patched, the next thing you see is this (note the "Your computer is infected" warning in the bottom right corner of the screen):

[image: facebook3]

Followed by:

[image: facebook4]

And if you have a nifty change notification tool, like WRremote, you'll see that you are already nailed, with sys files already having been installed.

At first, we thought this was a deliberate hack attempt by the developers, but when we looked at the source code for the web pages, we found this iframe injected into the source:

[image: facebook5]

Interestingly, this line changes at least once a day, and calls to a different exploit site, so the bad guys are still exploiting the hole, whatever it is. Also interestingly, some of their users are telling them they have a problem. Here are some of the comments:

[image: facebook6]

Initially, we thought that the applications were deliberately acting as lures, but it now seems to us that they are victims themselves. The difficult part for them will be to find and plug the hole that the data snatchers are using to hack the applications.
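The injected line described above is the kind of thing a developer or responder can look for mechanically: an iframe that is hidden (1x1 pixels, display:none or visibility:hidden) and points at a host other than the page's own. The script below is an added example and is not from the AVG post or the affected applications; the page markup it scans is constructed for illustration, and the heuristic (hidden plus off-site) is an assumption about what injected frames typically look like.

```python
"""Flag hidden, off-site iframes in page source (added example, not AVG's code).

Assumptions: an injected iframe is hidden via tiny width/height, display:none
or visibility:hidden, and its src points at a host other than the page's own.
SAMPLE_HTML is a constructed page, not the real application's markup.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><body>
<h1>City Fire Department</h1>
<iframe src="https://apps.example.net/game/frame" width="800" height="600"></iframe>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a pixel count."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the frame is styled invisible or sized to at most 1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def find_suspicious_iframes(html, page_host):
    """Return the src of every hidden iframe whose host differs from page_host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        off_site = host != "" and host != page_host.lower()
        if off_site and is_hidden(attrs):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "apps.example.net"):
        print("suspicious iframe:", src)
```

Run against a copy of the served page (what the browser receives, not only the template on disk) since the injection may live in a database-backed field or an included file rather than in the source tree. The sample flags only the 1x1 frame pointing at an outside address, not the game's own full-size frame.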

The other applications where we have detected the hack include (we don’t include direct links to them in order to save you):

  • MyGirlySpace
  • Ferrarifone
  • Mashpro
  • Mynameis
  • Pass-it-on
  • Fillinthe
  • Aquariumlife

There could easily be lots more, but that’s what we’ve noticed with this particular hack.

It’s a tricky world out there folks, keep safe.

Database Auditing for Control System Applications

Author: Jason Holcomb

Whether it’s for real-time, historical, or some other purpose, there are databases of all shapes and sizes in control systems. Two questions regarding these databases:

1.) How do we verify that they are in a secure state?

2.) Can we learn or measure anything about the application security from the data inside them?

Tenable added database audit capability to Nessus earlier this year and I recently had the opportunity to further explore the new feature. The Database Compliance Checks plugin is in the same family as the Windows and Unix compliance plugins. The difference is that instead of authenticating to the OS, it authenticates to the database. From there it can call built-in database functions and run SQL.

So to answer question 1, Tenable provides audit files based on the CIS Benchmarks for Oracle, SQL Server, and MySQL. I tested on Oracle and MySQL and found that – no surprise here – there are many settings that can be improved upon from the default install. The Oracle audit file checks around 50 different configuration items. They range from simple password policy to more database-centric security settings such as the default tablespace for user accounts and restricting critical table access to the DBA and SYS accounts. These benchmarks are a good starting point for checking database security.

For question 2, let's look at a simple example of a control system application setting in a database that we can audit. Say we want to verify that an operator audit trail is enabled for our HMIs. We know there is a setting in the GUI that dictates audit logging and that the value is stored in a database. The setting allows for different levels of audit logging, but we only want to verify that it is not disabled.

The first step will be to identify the table and test an SQL query to pull back the information we want to evaluate. We find the value in the T_HMI_CFG table and use this query:

select cfgvalue from T_HMI_CFG where cfgname like 'audit-trail';

(Without a % or _ wildcard in the pattern, LIKE here is just an equality test; = would do the same job.)

The query brings back the value '1'. Through a series of changing the value in the GUI and running this query, we learn that the value is '0' when audit logging is disabled. We can then write a Nessus database audit check to verify that the value is set to something other than '0'. Here is the audit check:

<custom_item>
type : SQL_POLICY
description : "Verify that the audit trail is enabled for operators."
sql_request : "select cfgvalue from T_HMI_CFG where cfgname like 'audit-trail';"
sql_types : POLICY_VARCHAR
sql_expect : regex: "[^0]"
</custom_item>

This is a simplistic example, but hopefully it illustrates the power of being able to audit values in a database. For systems with the right architecture, this opens up a whole new world of configuration auditing, which gives the asset owner even more assurance and insight into the security of their SCADA or DCS applications. The Nessus report looks exactly like any other Bandolier/Policy Compliance report:

[image: db-audit-passed]

Since database auditing wasn’t available when we started the project, you will not find it in the current Bandolier audit files. I suspect this will change as we develop audit files for new applications and update the files for the existing set. Database auditing won’t apply to every application but for those where it is applicable, the security auditing capability will be greatly enhanced.
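To see what the audit check above actually decides, and where its regex can surprise you, here is an added example that evaluates the same check outside Nessus. It is not Nessus or Bandolier code: it reproduces the semantics a practitioner would want from such a check under two stated assumptions (every returned row must match the regex, and a query that returns no rows fails, because a missing setting must not pass as "enabled"). The T_HMI_CFG table and its rows are constructed in an in-memory SQLite database for illustration.

```python
"""Evaluate a SQL_POLICY-style check against a sample database (added example).

Not Nessus or Bandolier code. Assumptions: a check passes only if the query
returns at least one row and every returned value matches sql_expect; NULL
never matches. The T_HMI_CFG table and its rows are constructed here.
"""
import re
import sqlite3

SCHEMA = "CREATE TABLE T_HMI_CFG (cfgname TEXT, cfgvalue TEXT)"

# The check from the post, expressed as plain Python data.
AUDIT_TRAIL_CHECK = {
    "description": "Verify that the audit trail is enabled for operators.",
    "sql_request": "select cfgvalue from T_HMI_CFG where cfgname like 'audit-trail';",
    "sql_expect": r"[^0]",
}


def make_db(rows):
    """Build a constructed sample database; rows is a list of (cfgname, cfgvalue)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO T_HMI_CFG VALUES (?, ?)", rows)
    return conn


def run_check(conn, check):
    """Return (passed, values): passed only if >=1 row and every value matches."""
    pattern = re.compile(check["sql_expect"])
    # sqlite3.execute() takes exactly one statement; drop the trailing ';'
    sql = check["sql_request"].strip().rstrip(";")
    values = [row[0] for row in conn.execute(sql)]
    if not values:
        return False, values  # setting absent: do not treat as enabled
    passed = all(v is not None and pattern.search(str(v)) for v in values)
    return passed, values


if __name__ == "__main__":
    samples = (
        [("audit-trail", "1")],   # enabled
        [("audit-trail", "0")],   # disabled
        [("audit-trail", None)],  # NULL value
        [],                       # row missing entirely
    )
    for rows in samples:
        ok, vals = run_check(make_db(rows), AUDIT_TRAIL_CHECK)
        print("PASS" if ok else "FAIL", vals)
```

One caveat the example makes visible: the unanchored regex [^0] passes any value that contains a character other than 0, so "10" or "0 " would pass as well as "1". That is harmless when the GUI only ever writes a single digit, but for a setting that can hold larger integers an anchored pattern such as ^[1-9][0-9]*$ states the intent more precisely.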

Security Architecture Cheat Sheet for Internet Applications

From Lenny Zeltser: author bio details at the end of the post.


This cheat sheet offers tips for the initial design and review of an Internet application’s security architecture.

  1. Business Requirements
  2. Infrastructure Requirements
  3. Application Requirements
  4. Security Program Requirements



To print, use the two-page PDF version; you can also edit the Word version for your own needs.


#1: Business Requirements

Business Model

What is the application’s primary business purpose?

How will the application make money?

What are the planned business milestones for developing or improving the application?

How is the application marketed?

What key benefits does the application offer its users?

What business continuity provisions have been defined for the application?

What geographic areas does the application service?

Data Essentials

What data does the application receive, produce, and process?

How can the data be classified into categories according to its sensitivity?

How might an attacker benefit from capturing or modifying the data?

What data backup and retention requirements have been defined for the application?

End-Users

Who are the application’s end-users?

How do the end-users interact with the application?

What security expectations do the end-users have?

Partners

Which third-parties supply data to the application?

Which third-parties receive data from the application?

Which third-parties process the application’s data?

What mechanisms are used to share data with third-parties besides the application itself?

What security requirements do the partners impose?

Administrators

Who has administrative capabilities in the application?

What administrative capabilities does the application offer?

Regulations

In what industries does the application operate?

What security-related regulations apply?

What auditing and compliance regulations apply?


#2: Infrastructure Requirements

Network

What details regarding routing, switching, firewalling, and load-balancing have been defined?

What network design supports the application?

What core network devices support the application?

What network performance requirements exist?

What private and public network links support the application?

Systems

What operating systems support the application?

What hardware requirements have been defined?

What details regarding required OS components and lock-down needs have been defined?

Infrastructure Monitoring

What network and system performance monitoring requirements have been defined?

What mechanisms exist to detect malicious code or compromised application components?

What network and system security monitoring requirements have been defined?

Virtualization and Externalization

What aspects of the application lend themselves to virtualization?

What virtualization requirements have been defined for the application?

What aspects of the product may or may not be hosted via the cloud computing model?


#3: Application Requirements

Environment

What frameworks and programming languages have been used to create the application?

What process, code, or infrastructure dependencies have been defined for the application?

What databases and application servers support the application?

Data Processing

What data entry paths does the application support?

What data output paths does the application support?

How does data flow across the application’s internal components?

What data input validation requirements have been defined?

What data does the application store and how?

What data is or may need to be encrypted and what key management requirements have been defined?

What capabilities exist to detect the leakage of sensitive data?

What encryption requirements have been defined for data in transit over WAN and LAN links?

Access

What user privilege levels does the application support?

What user identification and authentication requirements have been defined?

What user authorization requirements have been defined?

What session management requirements have been defined?

What access requirements have been defined for URI and Service calls?

What user access restrictions have been defined?

How are user identities maintained throughout transaction calls?

Application Monitoring

What application auditing requirements have been defined?

What application performance monitoring requirements have been defined?

What application security monitoring requirements have been defined?

What application error handling and logging requirements have been defined?

How are audit and debug logs accessed, stored, and secured?

Application Design

What application design review practices have been defined and executed?

How is intermediate or in-process data stored in the application components’ memory and in cache?

How many logical tiers group the application’s components?

What staging, testing, and Quality Assurance requirements have been defined?


#4: Security Program Requirements

Operations

What is the process for identifying and addressing vulnerabilities in the application?

What is the process for identifying and addressing vulnerabilities in network and system components?

What access do system and network administrators have to the application's sensitive data?

What security incident requirements have been defined?

How do administrators access production infrastructure to manage it?

What physical controls restrict access to the application’s components and data?

What is the process for granting access to the environment hosting the application?

Change Management

How are changes to the code controlled?

How are changes to the infrastructure controlled?

How is code deployed to production?

What mechanisms exist to detect violations of change management practices?

Software Development

What data is available to developers for testing?

How do developers assist with troubleshooting and debugging the application?

What requirements have been defined for controlling access to the application's source code?

What secure coding processes have been established?

Corporate

What corporate security program requirements have been defined?

What security training do developers and administrators undergo?

Which personnel oversee security processes and requirements related to the application?

What employee initiation and termination procedures have been defined?

What application requirements impose the need to enforce the principle of separation of duties?

What controls exist to prevent a compromise in the corporate environment from affecting production?

What security governance requirements have been defined?

Additional Resources

OWASP Guide to Building Secure Web Applications

ISO 27002 Standard: Code of Practice for Information Security Management

BITS Standards for Vendor Assessments

Security Guidance for Critical Areas of Focus in Cloud Computing

Payment Card Industry (PCI) Data Security Standard (DSS)

How to Write an Information Security Policy

IT Infrastructure Threat Modeling Guide


Post-Scriptum

This cheat sheet is distributed according to the Creative Commons v3 “Attribution” License. File version 1.2.

About the Author: Lenny Zeltser leads the security consulting practice at Savvis. His team provides security assessments, design, and operational assistance for business-critical IT infrastructure. Lenny also teaches malware analysis at SANS Institute, explores security topics at conferences and in articles, and volunteers as an incident handler at the Internet Storm Center.

Deliberately Insecure Web Apps For Learning Web App Security

If you are setting up a penetration testing lab you might want some insecure web applications for learning web application security. Irongeek has a great list that he is keeping up to date. I have copied a few of them into this post. Don't forget to visit Irongeek for more information.

BadStore
Link: http://www.badstore.net/
Platform: Perl, Apache and MySQL
Install: Meant to run by booting a Live CD, but I’d recommend using my Live CD VMX
Notes: Easy to set up, and it’s nice that you can run it from a VM with a little work. Just make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only).

Damn Vulnerable Web App
Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on.
Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told me about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I've yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.

Hacme Series from Foundstone

Foundstone has put out a whole series of vulnerable web applications you can learn from and test your skills against. Some are harder to install than others since a few are quite old by web standards and the installers require outdated MSSQL services that don't work the same way as the more up-to-date ones. Still, with a little work you should be able to get them installed on a modern system. I can't guarantee all of them are designed to only listen to the local loopback, so if you decide to run them on a production network I highly recommend you use a VM set to use the IP addresses that are only available from the local host OS (NAT or Host-only). One of the great things about the Hacme series is the diverse programming platforms they are written in. As I said in the intro paragraph, most web development platforms have similar common vulnerabilities, but it's nice to know what to look out for on your specific environment. Most of them I have limited install notes on, but I'm working on testing them out.

Hacme Travel
Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
Install:
Notes:

Hacme Bank
Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Platform: Windows, IIS, .Net 1.1
Install:
Notes:

Hacme Shipping
Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
Install:
Notes:

Hacme Casino
Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Platform: Ruby on Rails
Install: Installer that sets up a built in WEBrick server
Notes:

Hacme Books
Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
Platform: J2EE application, Java Development Kit
Install:
Notes:

Foundstone also hosts video solutions for Hacme Travel v1.0 and Hacme Bank v2.0.

Mutillidae
Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.
Notes: Mutillidae is my personal project to implement the OWASP Top 10 Vulnerabilities. It’s designed to be easy to follow and geared towards a classroom environment. Think of it as a noob’s WebGoat.

Stanford SecuriBench
Link: http://suif.stanford.edu/~livshits/securibench/
Platform: J2EE application, Java Development Kit
Install: Looks like it’s another “by hand” install.
Notes: Includes a bunch of vulnerable J2EE web apps, such as: jboard 0.30, blueblog 1.0, webgoat 0.9, blojsom 1.9.6, personalblog 1.2.6, snipsnap 1.0-BETA-1, road2hibernate 2.1.4, pebble 1.6-beta1 and roller 0.9.9.

WebGoat
Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Platform: J2EE web application
Install: Self contained Tomcat server you can run from a directory under Windows or Linux
Notes: Love the fact it's so self contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation on a production network with little worry.

WebMaven (AKA: Buggy Bank)
Link: http://www.mavensecurity.com/WebMaven.php
Platform: Perl CGI scripts
Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Make sure that you don't put the server on a production network.
Notes: I’ve not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.

Other Resources

The Heorot forum also has a collection of Live CDs you can use as targets in learning pen-testing. They are not necessarily web app focused, but they may still be useful to you.