Chronology of data breaches and hacking incidents

The good folks at privacyrights.org maintain a comprehensive list of data breaches starting from 2005; you’ll be surprised to see there are 10 reported incidents in the first 11 days of 2008. At the end of the page there is an interesting figure:

TOTAL number of records containing sensitive personal information
involved in security breaches in the U.S. 217,393,476

Folks at the Web Application Security Consortium maintain The Web Hacking Incidents Database, a list dedicated to reported web application hacks. During the first 11 days of 2008 there appears to be only one webapp incident reported, in contrast to the data breaches list. It’s time companies reported proactively on WebApp hacks, just as they are mandated by law to report data breaches.

OVS makes debut in the US and Canada

What better way to start the year than to write that my last post (SaaS with a twist) is a reality in the US under the name OVS – Open Value Subscription. Wow, that was too soon! MS really does think it is a business model that they can pull off well in the US and Canada. The news appeared on the MS Small Business Community blog:

Open Value Subscription launching in the U.S. and Canada! Attention Microsoft Partners… We are thrilled to announce that on March 3rd, 2008, Microsoft will be launching the Microsoft Open Value Subscription Program in both the U.S. and Canada.

I caught it on Redmond Channel Partner, read more at: http://rcpmag.com/news/article.aspx?editorialsid=9392

It will be interesting to see the pricing model of these offerings, considering that it was designed to attract bargain hunters and occasional MS office suite users in developing countries.

SaaS with a twist

With all the buzz lately about SaaS (Software as a Service), Microsoft seems to have introduced a new twist into the game. Microsoft India is offering Office 2007 as a pre-paid edition. Much like pre-paid phones, the thick-client application suite is available for purchase at ~$30 (Rs. 1500) for 6 months and can be renewed every 3 months thereafter. While a model like this may not work out well in markets that demand perpetual licences, it seems like a nice way to attract students and small businesses that just want to pre-pay when they can’t deal with Open Office or Google Docs! Will we see such a model in the US? Time will tell!!

Titles for Security Vulnerabilities

PHP PWN

One of my biggest pet peeves is arguing with other security experts. I think my main problem is that some hackers in the community get such big egos that they are not willing to listen, and believe that they are always in the right: what I call “old school mentality”. Old school mentality comes from hackers who hung out in IRC channels and heard the questions “How do I hack” or “Can you teach me how to hack” way too many times.

I am digressing a little, so back on subject. The most recent discussion that I had was the following:

I identified a parameter in a web application that was sent to the application server to be rendered. The URL was similar to the one below:

http://www.victimssite.com/blah.php?i="><?php print(997*1009);?>

The inserted code was then run on the application server and the result rendered back to the user (in this case “1005973” was printed in the page).

Now, this is where the fight that I mentioned before begins. Some people call this a “Server Side Include Vulnerability” (SSI), which I hate to tell you is not the case. You can use this vulnerability to cause an SSI vulnerability, but in and of itself it is not what the vulnerability should be identified as.

Standard SSI vulnerabilities are very similar to what you see above, but the payload would look like this:

http://www.victimssite.com/blah.php?i="><!--#printenv -->

Now, this is doing something different from the previous code presented above. This code would print the environment variables. The difference between the two is that this code is handled by the web server (Apache), not the application server (PHP).

If the code is truly a Server Side Include, it is handled by the web server; if not, it is a “type” of code injection. But my research doesn’t bring up an actual “term” for an application-handled code injection vulnerability other than “Code Injection”.

Code injection is an umbrella term for many different specific types of vulnerabilities, including SQL Injection, Cross-Site Scripting, OS command injection, and even SSI Vulnerabilities.
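To make the distinction concrete from the defender’s side, here is an added example (not from the original post): a small Python scanner that reads Apache-style access log lines and labels a suspicious query parameter as PHP code injection (executed by the application server) or SSI injection (handled by the web server), using the two payload shapes shown above. The log lines, client addresses and the blah.php path are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Two payload shapes from the post: PHP tags that the application server (PHP)
# would execute, and SSI directives that the web server (Apache mod_include)
# would handle. The directive names are the standard mod_include elements.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(?:printenv|exec|include|echo|config|set|if|elif|else|endif|flastmod|fsize)\b",
    re.IGNORECASE,
)
# Apache combined-log prefix: client, ident, user, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def classify_request(request_line):
    """Return (category, parameter, decoded_value) for the first suspicious query
    parameter in an HTTP request line, or None if nothing matches."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    query = urlsplit(parts[1]).query
    # parse_qsl percent-decodes each value once, so "%3C%3Fphp" becomes "<?php".
    for name, value in parse_qsl(query, keep_blank_values=True):
        if PHP_TAG.search(value):
            return ("php-code-injection", name, value)   # handled by PHP
        if SSI_DIRECTIVE.search(value):
            return ("ssi-injection", name, value)        # handled by Apache
    return None

def scan_access_log(lines):
    """Scan access-log lines and return one finding dict per flagged request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        hit = classify_request(m.group("req"))
        if hit is not None:
            category, param, payload = hit
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "category": category, "param": param, "payload": payload})
    return findings

# Constructed sample lines (not real traffic); the first two carry the post's payloads.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jan/2008:10:15:02 -0500] "GET /blah.php?i=%22%3E%3C%3Fphp%20print(997*1009)%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jan/2008:10:15:09 -0500] "GET /blah.php?i=%22%3E%3C!--%23printenv%20--%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Jan/2008:10:16:00 -0500] "GET /blah.php?i=hello HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
]
```

Calling scan_access_log(SAMPLE_LOG) flags the first two lines with their category and decoded payload and ignores the third. The fix on the application side is the same for both labels: never pass user-controlled input to eval()/include or write it into files the web server will interpret.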

I have no idea how this issue should be resolved so that the know-it-alls will stop calling things by the wrong names. 🙂 Just my two cents.

VMWare and Bridged networking failure

I was using VMWare Workstation 6 for Linux and noticed a weird thing: with a wireless connection on the host machine, the guest could not obtain an IP address in bridged mode. The Windows guest would throw an error: “An error occurred while renewing interface Local Area Connection : unable to contact your DHCP server. Request has timed out.” This is a weird phenomenon. I’m not quite sure what the reason is for this failure, but it does work if the host has a wired connection. Maybe VMWare Workstation will get better with these things in future. Do we see any patches coming soon? Or maybe it is a “limited feature” software and a marketing gimmick to sell other (more expensive) versions such as GSX Server.

Do hollywood screen writers read IEEE Spectrum?

The other day I was going through some of my old books and noticed a copy of IEEE Spectrum from Feb 2002; the cover keeps me wondering, do Hollywood screen writers read IEEE Spectrum? Having seen the movie Transformers (ya! I also know it’s adapted from a comic) I wonder what’s next; probably an old IEEE Spectrum should tell!


IEEE Spectrum to Transformers

PCI Compliance to mandate Application Security Testing

Chris Eng has an excellent post on his observations from the PCI community meeting in Toronto. To quote from his blog entry at: http://www.veracode.com/blog/?p=63

Requirement 6.6 of the PCI-DSS becomes mandatory in June 2008 and requires all web-facing applications to either undergo a code review OR be protected by a web application firewall.

For all AppSec companies this could be good fodder; I expect to see many ‘code-review on a budget’ offerings. But code review done right is time consuming and expensive; PCI should also provide the option of doing a webapp pen-test from a certified third party. This will help many small to mid-size companies be PCI compliant without hurting their budget.

Fit the web on your mobile phone

While there are a few popular sites that have mobile versions of their offerings, phones and PDAs are small enough that viewing a page not adapted for mobile becomes cumbersome with all the unnecessary layout tags and extra horizontal scrolling. Browsers like Opera Mobile and Mini proxy the content through their servers and optimize the page for mobile viewing. Pixel browsers use similar proxying techniques but offer the entire page as a zoom-and-select image, which preserves the layout of the page. DeepFish, Microsoft’s research project, though still a closed beta, is a promising endeavor on this front.


Skype and Anti-Debugging protections

If you are one of the casual reversers like me and only reverse code when you feel you have been wronged by a software manufacturer, Skype should be the software for you.

I had a piece of software installed on my machine, and upon starting Skype I got this interesting error:


So I set out on my hunt to find what instructions were being executed on my CPU (there’s nothing wrong with that… is there?). I found that there was an interesting piece of code that was checking for the presence of debuggers. Specifically, it checked for the presence of \\.\ntice, which is the name of the service that CompuWare Device DriverStudio runs the debugger as. Click on the thumbnail below to look at the disassembly.

Inside a debugger

What was interesting was that a simple JMPS instead of a JE could help someone change the way their CPU was behaving (i.e., not allowing Skype to run).

As Stewie Griffin would say “Victory is mine!”.

SketchCast your thoughts!

Have you been having ideas lately but no time to write about them? Now you can cast them to the world: no, I don’t mean podcast, just sketchcast it! A pretty neat idea that transforms the traditional white board drawings to the Internet. Hmm! I wish the service would morph into a free WebEx-type service where you can collaborate and share the white board.

SketchCast = White Board + Voice + Broadcast

Here’s a thought for SketchCast 2.0 -> Interactive Sketchcast + Shared Whiteboard + Multiplexed Voice Chat
