Archive for category Web Security
Adobe Apologized for a 16-Month-Old Bug
Posted by Mourad Ben Lakhoua in News, Software Security, Vulnerabilities, Vulnerabilities & attacks, Web Security on February 9, 2010
Adobe has officially apologized for a 16-month-old Flash Player vulnerability that is still not fixed.
According to Adobe, the bug has been eliminated in the Flash Player 10.1 beta, but there is not yet a stable version of that release.
The bug was officially reported on 22 September 2008, and every Flash Player plug-in since version 9 is affected. Many attackers have used this hole to inject malicious code onto victims' machines.
Adobe has provided a special web page to check for this vulnerability. The exploit really works; you can test it by following this link, but before clicking make sure that you have another page open in the same browser.
Adobe Product Manager Emmy Huang promised that the vulnerability will be fixed in the upcoming Flash Player 10.1 releases, without giving any indication of the final version's release date.
You can install Adobe Flash Player 10.1 from here.
make sure you subscribe to my RSS feed!
Quick Tips to Fight a DDoS Attack
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Web Security, cybersecurity on November 21, 2009
In a previous post we shared how to prepare our systems for a DDoS attack and how to mitigate the risk. Now it is important to react at the right moment and take effective action during the attack. Monitoring the connections on the routers can help the victim detect the beginning of the attack.
First we should monitor the half-open SYN connections:
# netstat -na | grep ":80 " | grep SYN_RCVD
In a normal situation the number should not exceed three connections. If there are more open connections than that, you are under attack and you should start by dropping these connections.
That covers the SYN-flood case, but an HTTP flood is more complicated to detect. First you need to count the number of Apache processes and the number of port 80 connections:
# ps aux | grep httpd | wc -l
# netstat -na | grep ":80 " | wc -l
Next you need to check the list of IP addresses:
# netstat -na | grep ":80 " | sort | uniq -c | sort -nr | less
It is impossible to be certain that an HTTP flood is in progress, but you can assume that you are under attack if one address in the list is repeated too many times. Additional evidence can be gathered using tcpdump:
# tcpdump -n -i <interface> -c 100
tcpdump will help you track down the source of the attack if a large number of packets are targeting a single port or service (a CGI script or a web directory).
Finally we have to deal with the situation by dropping the malicious IP addresses. You can block IPs directly on the router.
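As an added example, not code from the post: the checks above folded into one Go program that parses netstat -na output, counts the half-open (SYN_RCVD) connections on the web port and the connections per remote address, and lists the addresses worth blocking once a threshold is crossed. The sample netstat lines and the threshold of 3 are assumptions for illustration.

```go
package main

import (
	"sort"
	"strings"
)

// Analyze reads netstat -na lines (Proto Recv-Q Send-Q Local Foreign State) in BSD "ip.port" or
// Linux "ip:port" form and returns the total, half-open (SYN_RCVD) and per-remote-address counts.
func Analyze(netstat, port string) (total, synRcvd int, perSource map[string]int) {
	perSource = map[string]int{}
	for _, line := range strings.Split(netstat, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || !strings.HasPrefix(f[0], "tcp") ||
			(!strings.HasSuffix(f[3], "."+port) && !strings.HasSuffix(f[3], ":"+port)) {
			continue // blank, header, non-TCP, or some other local service
		}
		total++
		if f[5] == "SYN_RCVD" || f[5] == "SYN_RECV" { // BSD and Linux spellings
			synRcvd++
		}
		remote := f[4]
		if i := strings.LastIndexAny(remote, ".:"); i > 0 {
			remote = remote[:i] // drop the remote port, keep the address
		}
		perSource[remote]++
	}
	return total, synRcvd, perSource
}

// Suspects lists remote addresses holding at least threshold connections, busiest first:
// the "one address repeated too many times" sign given above for an HTTP flood.
func Suspects(perSource map[string]int, threshold int) []string {
	var ips []string
	for ip, n := range perSource {
		if n >= threshold {
			ips = append(ips, ip)
		}
	}
	sort.Slice(ips, func(i, j int) bool { return perSource[ips[i]] > perSource[ips[j]] })
	return ips
}

// sample is constructed netstat -na output for illustration, not a real capture.
const sample = `tcp4  0 0 10.0.0.5.80  203.0.113.9.40001  SYN_RCVD
tcp4  0 0 10.0.0.5.80  203.0.113.9.40002  SYN_RCVD
tcp4  0 0 10.0.0.5.80  203.0.113.9.40003  SYN_RCVD
tcp4  0 0 10.0.0.5.80  203.0.113.9.40004  SYN_RCVD
tcp4  0 0 10.0.0.5.80  198.51.100.7.51234 ESTABLISHED
tcp4  0 0 10.0.0.5.22  192.0.2.44.33000   ESTABLISHED`
```

Running Analyze(sample, "80") reports 5 connections of which 4 are half-open, above the limit of three given above, and Suspects(perSource, 3) returns only 203.0.113.9.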

On FreeBSD we can take some steps to mitigate a DDoS:
1 – Reduce the TCP maximum segment lifetime (protection against SYN flood):
# sysctl net.inet.tcp.msl=7500
If an ACK is not received within this time, the segment is considered "lost" and the network connection is freed.
2 – Blackhole TCP packets received on closed ports. When set to 1, SYN packets arriving on a closed port are dropped without an RST being sent back; 2 drops every segment arriving on a closed port. The UDP setting likewise drops datagrams to closed ports without an ICMP reply:
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
3 – Limit ICMP replies to 50 per second (protection against ICMP flood):
# sysctl net.inet.icmp.icmplim=50
4 – Increase the maximum number of pending connections the server can queue (protection against all types of DDoS):
# sysctl kern.ipc.somaxconn=32768
5 – Finally, enable the kernel feature DEVICE_POLLING (it significantly reduces the load on the system during a DDoS attack):
1. Compile the kernel with "options DEVICE_POLLING";
2. Activate polling: sysctl kern.polling.enable=1;
3. Add "kern.polling.enable=1" to /etc/sysctl.conf.
These are well-balanced steps to reduce exposure to a Distributed Denial of Service attack.
Universal Tips to Avoid a DDoS Attack
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Web Security on November 15, 2009
Here are some points that can help us carefully prepare our systems against Distributed Denial of Service:
1- Prepare a simple and fast way to remotely reboot the servers exposed to the external network (web servers, mail servers, application servers, ...). This can be done over SSH; we can also add a second network interface to reach the server while the main channel is down.
2- Keep all software packages up to date, to protect our systems from DoS attacks that exploit bugs in the exposed services.
3- Restrict access to all administrative services to authorized users only, for example using IP restrictions for access to devices like firewalls, routers and other network equipment, so an attacker is not able to launch a DoS or brute-force attack against them.
4- Monitor the traffic by installing network analysis tools (NetFlow) on the routers to help identify an attack in its early phase and react as soon as it is detected.
5- Add the following lines to /etc/sysctl.conf:
# vi /etc/sysctl.conf
# Protection against spoofing
net.ipv4.conf.default.rp_filter = 1
# Check TCP connections every minute
net.ipv4.tcp_keepalive_time = 60
# Repeat the probe after ten seconds
net.ipv4.tcp_keepalive_intvl = 10
# Number of failed probes before closing the connection
net.ipv4.tcp_keepalive_probes = 5
It is very important to note that the listed measures aim only to reduce the risk of a DDoS attack; they can protect against small botnets, and you can consider your server about 90% protected against these attacks. There are more sophisticated approaches such as load balancing, which is extremely expensive: if a server fails, all new clients are redirected to another server in the cluster, which provides very high availability.
DDoS Attack Targets Swedish Police Network
Posted by Mourad Ben Lakhoua in Cybercrime, Web Security on November 2, 2009
According to The Local, the Swedish police website was subjected to a DDoS attack last week. The result of this attack was a complete disruption of the official website.
At peak traffic the server can handle about 800 requests per second, but during the attack they detected about 400 thousand requests per second, which is 5 times more than the normal peak traffic.
The number of DDoS attacks has increased significantly, and they have become one of the biggest threats on the Internet. Looking at the history, the first DDoS attacks were mainly directed at disrupting IRC servers. In 1997 there was a vulnerability in the Microsoft Windows TCP/IP stack that allowed attackers to send large numbers of packets using several tools and take down remote systems. Another well-known incident, in 2000, took down the web services of many popular websites such as Yahoo, CNN, eBay and others. In October 2002 the root DNS servers experienced a DDoS attack that put 7 of the 13 main servers out of service. And now we are seeing many distributed denial of service (DDoS) attacks against social networking websites like Twitter and Facebook.
Stopping DDoS attacks depends on the whole Internet community protecting their machines from the malware that could be used to run these attacks. The most popular botnets are:
Conficker – 10 million+ machines.
Kraken – 495 thousand machines.
Srizbi – 315 thousand machines.
Bobax – 185 thousand machines.
Rustock – 150 thousand machines.
Storm – 85 thousand machines.
Cisco Intends to Purchase ScanSafe, a Leading SaaS Web Security Provider
Posted by Mourad Ben Lakhoua in Cloud Computing Security, News, Web Security on October 29, 2009
Cisco is about to purchase ScanSafe, a web security company, for 183 million dollars. This step will allow Cisco to compete more strongly with the other big companies in this industry, such as Symantec and McAfee.
ScanSafe provides web filtering security services to protect corporate workstations and networks from attackers. You will already notice on its home page a message saying "Cisco to acquire ScanSafe".
Symantec and McAfee are the leaders in the computer security software field and already offer a range of advanced cloud-based security software, with sales growth that exceeds that of traditional antivirus products.
This step will help Cisco expand its security services to include web security alongside the email security services already provided by IronPort, so we can expect a complete security offering from Cisco.
BrightCloud: Web Filtering URL Database
Posted by Mourad Ben Lakhoua in Internet, Web Security on October 25, 2009
Every day more and more people store and process data using Internet services or on servers reached over the Internet. Every corporation depends on its Internet connection, which is essential for everyday work: checking email, searching for resources or updating applications.
Here there is a big threat from visiting infected websites that can damage all systems and applications, so using an integrated web security solution to check that a visited URL is safe is very important.
BrightCloud® offers web filtering services for security applications. It has a powerful database that includes a huge list of infected websites, which a firewall can use to block any blacklisted website, so by integrating this solution with your current firewall you can eliminate a big risk of getting infected.
Compared to the Google Safe Browsing API, BrightCloud has 15x as many known malware sites, which means 15x more protection, and it updates its malware list with over 100,000 entries daily.
Most importantly, BrightCloud uses many sources, mechanisms and engines to monitor, detect and update security categories. Some of them include honeypots (for spam and botnets); other data can be gathered through fake open proxies.
After collecting this information, security software and device vendors can benefit from this advanced data and make their solutions more effective.
For reference, the Microsoft ISA firewall uses the BrightCloud database, and Palo Alto Networks also uses BrightCloud for its firewall devices.

Here is a link that explains the difference between the BrightCloud API and the Google Safe Browsing API, while on this page you can find the latest Internet threats detected.
It is very important for any company to have such a solution, because this work needs a lot of effort, knowledge and time to implement honeypots, detect malware and identify spam, while you can have all that by adopting BrightCloud on your network.
SSLStrip: HTTPS Stripping Attack
Posted by Mourad Ben Lakhoua in Vulnerabilities & attacks, Web Security on October 17, 2009
Moxie Marlinspike demonstrated another way to compromise SSL-based websites at Black Hat DC 2009: the HTTPS stripping tool called SSLStrip.
For example, if we want to check our email on Gmail, we open our browser and start typing the address mail.google.com or gmail.com, and we don't care whether the page starts with http:// or https://, because we know it switches automatically. That switch to the protected resource is carried out over the normal HTTP protocol, and it is possible to intercept it.
Moxie Marlinspike presented his second program, called SSLStrip. The idea behind SSLStrip is that it lets an attacker intercept the victim's request for a secure connection and force the victim to communicate over an insecure HTTP connection.
The tool is written in Python and replaces secure links with insecure ones. So the picture is a remarkable one: the server sends all of its content over secure channels to all its clients, yet the victim receives no warning and does not even suspect that he is using an unsecured connection. All the traffic is unencrypted and in the clear.
Moxie Marlinspike ran his SSLStrip tool on a Tor proxy, and in 24 hours he collected the following numbers of authentication credentials:
- login.yahoo.com – 114
- Gmail – 50
- ticketmaster.com – 42
- rapidshare.com – 14
- Hotmail – 13
- paypal.com – 9
- linkedin.com – 9
- facebook.com – 3
SSLStrip is actually a very advanced technique that combines a homograph attack with a man-in-the-middle position; this type of attack relies on user confusion to make the victim believe that the website is legitimate.
SSLSniff: How Does It Work?
Posted by Mourad Ben Lakhoua in Vulnerabilities & attacks, Web Security on October 9, 2009
Email, control panels, electronic banking systems: all these operations and others should be fully secured and protected. If all data is transmitted over a secure SSL connection, many people think it is fairly secure. But is that true?
The answer is yes, but not 100%. Transmitting data like a login and password in clear text is unsafe because an attacker can easily intercept, modify or replace it. That is why, instead of using HTTP to check mail or to authenticate users, we use HTTPS, which is slower but provides encryption over the SSL protocol.
SSL is built on asymmetric keys. The public key is distributed to everyone and is used to encrypt data, and the server holds the private key that decrypts it. The server's public key is made available to the client as a certificate signed by a CA (Certification Authority), and it contains the following:
- Date of issue
- Validity (expiry date)
- The unique reference of the issuer
- Name of the public key's publisher (the source of the certificate)
There are actually two types of certificate that sign website certificates. The first is a root CA, which is the most trusted; it is embedded in the browser, so it can guarantee that the site is legitimate. The second is an intermediate CA; it can also be used to sign website certificates, but it does not by itself guarantee that the site is legitimate and it is not embedded in the browser.
Now let's imagine this scenario:
We have a certificate for Sectechno.com; it is the last link in the certificate chain (Root CA – Intermediate CA – Intermediate CA – Sectechno.com). Why not make the site act as an intermediate as well? For paypal.com, or any other site, the chain would then look like this (Root CA – Intermediate CA – Intermediate CA – Sectechno.com – paypal.com).
Here the browser does not check the fields that say whether a certificate may act as a CA; it treats Sectechno.com as a CA for the paypal.com certificate, and you can create a certificate for any domain without the browser suspecting that it is not valid.
This type of attack was demonstrated by researcher Moxie Marlinspike at the Black Hat conference using his tool SSLSniff. SSLSniff lets an attacker perform a MITM (man-in-the-middle) attack by intercepting all the traffic the client sends to an HTTPS-protected website (login, password, ...). So an attacker can create a certificate for a given website, sign it with an existing certificate, and sniff all the data sent by the victim; and the vulnerability remains unpatched in Microsoft's CryptoAPI.
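As an added example, not code from the post or from SS Sniff's author: the chain from the scenario above built with Go's standard library, where the sectechno.com end-entity certificate signs a certificate for another name, so that a validator which does check the CA flag in basicConstraints (here Go's x509 Verify) can be seen accepting sectechno.com and refusing the forged certificate. The CA names are invented; paypal.com is the target named in the scenario.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for name signed by parent (self-signed when parent is nil). ca sets the
// basicConstraints CA flag, the field a validator must check before trusting a certificate as an issuer.
func issue(name string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: usage,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Check builds root-ca.example -> intermediate-ca.example -> sectechno.com -> target and verifies both
// sectechno.com and the target certificate signed with sectechno.com's key. A correct validator accepts only the first.
func Check(target string) (siteOK, forgedOK bool, forgedErr error) {
	root, rootKey := issue("root-ca.example", true, nil, nil)
	inter, interKey := issue("intermediate-ca.example", true, root, rootKey)
	site, siteKey := issue("sectechno.com", false, inter, interKey)
	forged, _ := issue(target, false, site, siteKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	inters.AddCert(site) // the attacker would ship the whole chain in the TLS handshake
	_, err := site.Verify(x509.VerifyOptions{DNSName: "sectechno.com", Roots: roots, Intermediates: inters})
	_, forgedErr = forged.Verify(x509.VerifyOptions{DNSName: target, Roots: roots, Intermediates: inters})
	return err == nil, forgedErr == nil, forgedErr
}
```

Check("paypal.com") returns siteOK true and forgedOK false, with forgedErr explaining that sectechno.com is not authorized to sign other certificates; a validator with the bug described above would return true for both.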
Microsoft is planning a batch of patches for several products next week, about 13 fixes repairing 34 vulnerabilities, but nothing has been mentioned yet about the CryptoAPI bug.
Defeating SSL: Vulnerability Remains Unfixed
Posted by Mourad Ben Lakhoua in News, Vulnerabilities & attacks, Web Security on October 4, 2009
It has now been nine weeks since Moxie Marlinspike demonstrated the "new" way of attacking SSL at the Black Hat security conference. With the help of his tool SSLstrip he was able to mount a man-in-the-middle attack on normal, insecure HTTP traffic and replace links to secure HTTPS pages with plain HTTP ones, so after a user submits login, password or credit card credentials, the attacker can read all the details in the clear without the victim noticing.
Microsoft Internet Explorer is still not fixed for this vulnerability, and neither are the other browsers that rely on CryptoAPI, so we face a great risk to resources like VPN and mail servers.
The bug is that the certificate name is cut off at the null character ("\0"): the browser ignores everything after it, while the issuing organization looks at the whole domain name, with or without these characters.
So an attacker can create a certificate whose name is valid for your site and use it. For example, if we issue a certificate for thoughtcrime.org, the name string would be as follows:
www.bankofamerica.com\0thoughtcrime.org
The browsers that process SSL certificates through Microsoft's library are Google Chrome, Apple Safari and Internet Explorer. The Firefox developers, on the other hand, fixed this bug just a few days after the Black Hat presentation.
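As an added example, not code from the post: the two ways of comparing that certificate name with the requested hostname, written in Go. truncatingMatch mirrors the vulnerable behaviour described above, where the name is handled as a C string and everything after the null byte is ignored, and lengthAwareMatch is the fixed behaviour. The name is the post's example with the null written as \x00; the function names are invented.

```go
package main

import "strings"

// forgedName is the certificate name from the post, with the null byte written explicitly: the
// impersonated host comes before the null, the attacker's own domain after it.
const forgedName = "www.bankofamerica.com\x00thoughtcrime.org"

// truncatingMatch mirrors a validator that handles the name as a C string and stops at the first
// null byte: everything after it is ignored, which is the defect the post describes.
func truncatingMatch(certName, host string) bool {
	if i := strings.IndexByte(certName, 0); i >= 0 {
		certName = certName[:i]
	}
	return strings.EqualFold(certName, host)
}

// lengthAwareMatch is the fixed behaviour: compare the full, length-delimited name and reject any
// name containing a null byte outright, since no legitimate hostname contains one.
func lengthAwareMatch(certName, host string) bool {
	if strings.IndexByte(certName, 0) >= 0 {
		return false
	}
	return strings.EqualFold(certName, host)
}
```

With forgedName, truncatingMatch accepts "www.bankofamerica.com" while lengthAwareMatch accepts neither that host nor thoughtcrime.org, so a browser with the fix cannot be fooled by a certificate that was approved on the strength of the domain after the null.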

One more time major botnets are using social networking websites to spread spam.

