Friday, August 31, 2012

Monday, May 28, 2012

Upcoming Security and Hacking Conferences


Below is a consolidated list of upcoming popular security and hacker conferences. Those interested in attending or speaking at any of them can follow the link in the respective conference title.
   
Location | Date
Moscow, Russia | May 30-31, 2012
Honolulu, HI | Jun 18-21, 2012
Athens, Greece | Jul 10-13, 2012
Las Vegas, NV | Jul 25-26, 2012
Las Vegas, NV | Jul 26-29, 2012
Trivandrum, India | Aug 3-4, 2012
New Delhi, India | Aug 24-25, 2012
Baltimore, USA | Aug 25-30, 2012
New Delhi, India | Sep 26-29, 2012
Melbourne, Australia | Oct 17-18, 2012
Melbourne, Australia | Oct 20-21, 2012
Helsinki, Finland | Oct 25-26, 2012
Miami, USA | Oct 25-31, 2012
Brussels, Belgium | Nov 20-21, 2012
Las Vegas, NV | Dec 1-6, 2012
Pune, India | Dec 1-2, 2012
Norway | Dec 3-4, 2012

Happy Learning :-)  !!!!

Sunday, May 20, 2012

System Hacking by Exploiting a Vulnerability in the Java Runtime Environment Component of Oracle Java SE JDK and JRE 7 and 6 Update 27 and Earlier (CVE-2011-3544)




The Oracle Java SE versions named above are prone to a remote code-execution vulnerability in the Java Runtime Environment.

The vulnerability can be exploited over multiple protocols and affects the 'Scripting' sub-component (the Rhino JavaScript engine bundled with the JRE). In practice it is delivered as a malicious applet: a user running a vulnerable Java browser plugin only has to visit an attacker-controlled web page, and the attacker's code runs outside the applet sandbox with that user's privileges.

This vulnerability affects the following supported versions: JDK and JRE 7, and 6 Update 27 and earlier.

Here is the CVE entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544


Demonstration

I have prepared a demo showing how this vulnerability can be exploited to compromise a system.


If the embedded video is not clearly visible above, watch it directly at http://www.youtube.com/watch?v=FDiEZZ8xA3U.

Disclaimer: This video is made for public awareness purposes and the author is not responsible for any misuse of it.


Prevention : 

Update to a patched release. Oracle fixed CVE-2011-3544 in its October 2011 Critical Patch Update, i.e. Java SE 7 Update 1 and 6 Update 29; anything older is exposed. Until the update is applied, disabling the Java plugin in the browser removes the applet delivery path, which is the usual way this bug is exploited.



Sunday, April 1, 2012

“Fuzzing: A Technique to Maximize Web Application Pen-test Results with Minimal Effort” - Part 1


“Performing a penetration test needs not only proper skills but also an efficient, effective approach that leads to results within the realm of our responsibilities. Fuzzing is one of the most important techniques by which a pen-tester can surface web application vulnerabilities with less effort.”


In my consulting experience I have often been in a situation where I had a limited time slot to perform a penetration test of an application, and each time I realised that penetration testing needs not only proper knowledge and skills but also an efficient, effective approach that leads to results within the realm of our responsibilities. Fuzzing is one of those techniques by which a pen-tester can surface web application vulnerabilities with less effort. In this article I have tried to cover the following important aspects of fuzzing:

  • Fuzzing basics
  • How a fuzzer works
  • Factors influencing the fuzzing results
  • Points to remember while selecting or developing an open source fuzzer

Fuzzing Basics

In software testing, fuzzing is the technique of sending combinations of random or malformed values to the server and observing how the server responds to them. In application penetration testing two kinds of fuzzing are prevalent today: black box fuzzing and white box fuzzing (also called dumb and smart, or protocol-aware, fuzzing). In the former, one throws random data at the server with no regard for the protocol specification or data structure; this is easy but covers the least amount of code and discovers fewer vulnerabilities, since most of the input is rejected before it reaches any interesting logic. In white box fuzzing the pen-tester takes the data structure and protocol specification into account, and the fuzz data consists only of variations of that structure, so the selection of input elements is critical.

Two points must be kept in mind when throwing random data at the server through a fuzzer: first, the selected input elements must be valid enough to be processed by the server, and second, the fuzz data must be invalid enough to make the server respond in an inappropriate way. Before using any fuzzer for white box fuzzing, understand the framework of the protocol so that the fuzz template does not breach the protocol specification; the relevant RFC (RFC 2616 for HTTP/1.1) is the place to look.

How a fuzzer works

To understand the high-level structure of a fuzzer we need to list the basic requirements of a fuzzer. First we need a template generator that can produce a fuzz template for a particular protocol; then we need a base request, which the template generator uses to build the fuzz template; and finally we need random inputs, i.e. the fuzz data, to turn the template into fuzz requests. We are now in a position to sketch the primary structure of a fuzzer by establishing the logical relationship between these requirements, as shown in Figure 1.

Figure 1



While penetration testing an application, the simplest way of getting a base request is to use a web proxy tool. If you have a good understanding of the protocol you can construct the fuzz template for a particular request yourself and then feed in the fuzz inputs (attack patterns) one by one to create fuzz requests, but this is tedious and error-prone, so the better way is to use an available framework that does this for you.

In the traditional approach, one uses a web proxy to intercept requests and manually edits the captured request to create a fuzz template. An attack pattern is supplied to the input parameter(s) to create a fuzz request, which is sent to the server, and the received response is analysed manually for possible vulnerabilities. If the first attack pattern does not reveal a vulnerability we change the attack pattern and repeat the process until an issue is detected or all attack patterns have been used. Imagine a scenario where the request has many input parameters and the application itself is large: one would end up spending a lot of time detecting only the most obvious vulnerabilities.

To overcome such issues I suggest using a framework or tool that supports not only capturing the base request and generating the fuzz template but also automates feeding the attack patterns into the input parameters one by one from the input source supplied to it. OWASP WebScarab is one such framework widely used by pen-testers and fulfils all these requirements: it collects the base request, and in a few clicks one can generate a fuzz template. Select the conversation containing the parameters from the Summary section, right-click on it and choose "Use as Fuzz template". Then provide the fuzz source, which is basically the list of alternative inputs (attack patterns) to be used as values for the selected input elements.

Similarly, OWASP ZAP is another open source alternative for application security professionals. It has all the fuzzing capabilities a pen-tester requires during an application penetration test, and unlike WebScarab it is still actively maintained, so it is the one to reach for today.
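The structure in Figure 1 (base request, template generator, fuzz data, fuzz requests) can be written down in a few dozen lines. The following Python is an added example, not code from the article or from WebScarab or ZAP; the captured request, the host target.example, the FUZZ_MARKER placeholder and the attack patterns are all constructed for illustration. It parses a proxy-captured request, turns one parameter (in the URL query or in the form body) into a fuzz template, and renders one protocol-valid request per attack pattern, fixing up Content-Length so the server does not reject the request before the payload reaches the parameter:

```python
from urllib.parse import quote

# Hypothetical marker that stands in for the injection point in the fuzz template.
FUZZ_MARKER = "\x00FUZZ\x00"

# Constructed base request, as a web proxy would capture it (hypothetical host and path).
BASE_REQUEST = (
    "POST /search?lang=en&page=2 HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "q=shoes&sort=price_desc"
)

# Constructed attack patterns (a small cheat-sheet style list).
ATTACK_PATTERNS = [
    "<script>alert(1)</script>",
    "\"><img src=x onerror=alert(1)>",
    "' OR '1'='1",
    "../../../../etc/passwd",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(": ")
        headers.append((name, value))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def _mark_param(encoded, param):
    """Replace the value of `param` in a raw query/form string with FUZZ_MARKER.
    Other pairs are kept byte-for-byte so their encoding is not disturbed."""
    pairs = [p.partition("=") for p in encoded.split("&") if p]
    if not any(k == param for k, _, _ in pairs):
        return None
    return "&".join(f"{k}={FUZZ_MARKER}" if k == param else f"{k}{s}{v}"
                    for k, s, v in pairs)


def make_template(request, param):
    """Turn a base request into a fuzz template: the chosen parameter's value,
    whether in the URL query or in a form-encoded body, becomes FUZZ_MARKER."""
    path, sep, query = request["target"].partition("?")
    marked = _mark_param(query, param) if sep else None
    if marked is not None:
        return dict(request, target=f"{path}?{marked}")
    marked = _mark_param(request["body"], param)
    if marked is not None:
        return dict(request, body=marked)
    raise ValueError(f"parameter {param!r} not found in query or body")


def render(template, payload, encode=True):
    """Create one fuzz request by substituting a payload for the marker.
    Payloads are URL-encoded by default so the request stays protocol-valid;
    pass encode=False to send a pattern raw when the parser itself is the target."""
    value = quote(payload, safe="") if encode else payload
    target = template["target"].replace(FUZZ_MARKER, value)
    body = template["body"].replace(FUZZ_MARKER, value)
    lines = [f"{template['method']} {target} {template['version']}"]
    for name, hval in template["headers"]:
        if name.lower() == "content-length":
            hval = str(len(body.encode()))  # keep the framing correct after substitution
        lines.append(f"{name}: {hval}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def generate(template, payloads, encode=True):
    """The fuzzer's output: one complete request per attack pattern."""
    return [render(template, p, encode) for p in payloads]


if __name__ == "__main__":
    base = parse_request(BASE_REQUEST)
    for req in generate(make_template(base, "q"), ATTACK_PATTERNS):
        print(req.split("\r\n")[0], "|", req.rsplit("\r\n", 1)[-1])
```

Run it and each line shows the request line and body that would be sent. The encode flag is the "valid enough, invalid enough" trade-off from the Fuzzing Basics section: the default URL-encodes the pattern so the server's parser accepts it and the payload lands in the parameter, while encode=False sends it raw to probe the parser itself.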

Factors influencing the fuzzing results

There are open source fuzzers available on the internet, and in the next part I'll explain what one should keep in mind while selecting one. For now let's suppose we have selected a general purpose fuzzer to perform a penetration test; is that enough to get the desired results? The answer is no: apart from selecting a good fuzzer, the right approach is also necessary to get the maximum advantage from the fuzzing technique.

Once you have selected the target elements to be fuzzed, the probability of finding vulnerabilities is influenced by various factors, and the selection of fuzz inputs is one of the most important. A good approach is to combine attack patterns that have already been discovered with attack patterns you write yourself after an initial understanding of the application. For example, if you want to fuzz for Cross Site Scripting, the XSS cheat sheet is a good resource for preparing a list of known attack patterns. Remember, though, that this increases the probability of finding a vulnerability but gives no guarantee, so it is better to gain an initial understanding of the target application and then customise your fuzz list with the known attack patterns (for instance, patterns that break out of the specific HTML context, attribute, script block or plain text, in which the parameter is reflected).

Secondly, a lack of effective response analysis also makes a big difference to the final results. In a list of hundreds of responses there is a real chance of missing the valuable information that leads to a vulnerability. If you know the probable response to a fuzz value that indicates a vulnerability, it is better to build a database of these and use match-case logic to analyse the responses; this not only helps you find issues effectively but also saves the time spent analysing the most obvious vulnerabilities, so that your real effort goes into finding the less obvious ones. The match should be tied to the individual request (for example by wrapping each pattern in a unique marker), otherwise a pattern that happens to occur in static page content, or a response served from a cache, produces a false positive.

Figure 2 shows an example of finding the most obvious reflected cross site scripting issues using a fuzzer. In this picture the input source is integrated with the fuzzer to create fuzz requests, and the application response is matched against the same input source to detect cross site scripting issues.


Figure 2

One can automate the response analysis using the WebScarab Script Manager plugin.
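What the Script Manager automates can be seen in the following Python, an added example that is not from the article, from WebScarab or from ZAP. The target application toy_app, the XSS_PATTERNS list and the parameter names are constructed stand-ins; in a real test the send callable would be an HTTP client issuing the fuzz requests through the proxy. It applies the match-case logic of Figure 2 (response matched against the same input source), distinguishes raw from HTML-encoded reflection, and wraps each pattern in a per-request canary so a payload that happens to occur in static page content does not produce a false positive:

```python
import html
import secrets

# Constructed attack patterns in the style of an XSS cheat sheet.
XSS_PATTERNS = [
    "<script>alert(1)</script>",
    "\"><img src=x onerror=alert(1)>",
    "'><svg onload=alert(1)>",
]


def toy_app(params):
    """Constructed stand-in for the target application (not a real server).
    'q' is reflected raw (vulnerable), 'name' is HTML-escaped (safe), and the page
    carries a static comment containing a common payload, which is exactly the kind
    of content that fools a naive 'pattern in response' check."""
    q = params.get("q", "")
    name = html.escape(params.get("name", ""))
    return (
        "<html><body>"
        f"<h1>Results for {q}</h1>"
        f"<p>Hello {name}</p>"
        "<!-- sanitiser test string: <script>alert(1)</script> -->"
        "</body></html>"
    )


def naive_check(response, pattern):
    """Plain match-case logic: flag the response if the pattern appears anywhere."""
    return pattern in response


def classify(response, probe):
    """Match-case logic tied to this request's probe.
    reflected-raw      -> the exact probe came back unencoded: very likely XSS
    reflected-encoded  -> it came back HTML-escaped: reflected but neutralised
    not-reflected      -> the parameter does not reach this response"""
    if probe in response:
        return "reflected-raw"
    if html.escape(probe) in response:
        return "reflected-encoded"
    return "not-reflected"


def fuzz_param(send, base_params, param, patterns):
    """Fuzz one parameter with every pattern and return (pattern, verdict) pairs.
    `send` is whatever delivers a request and returns the response body; here it
    is toy_app, in a real engagement it would be an HTTP client behind the proxy."""
    results = []
    for pattern in patterns:
        canary = secrets.token_hex(4)           # unique per request
        probe = f"{canary}{pattern}{canary}"    # a match must include the canary
        params = {**base_params, param: probe}
        results.append((pattern, classify(send(params), probe)))
    return results


def report(send, base_params, patterns):
    """Run every parameter and reduce the verdicts to the worst one seen."""
    findings = {}
    for param in base_params:
        verdicts = {v for _, v in fuzz_param(send, base_params, param, patterns)}
        if "reflected-raw" in verdicts:
            findings[param] = "reflected-raw"
        elif "reflected-encoded" in verdicts:
            findings[param] = "reflected-encoded"
        else:
            findings[param] = "not-reflected"
    return findings


if __name__ == "__main__":
    base = {"q": "shoes", "name": "bob"}
    for param, verdict in report(toy_app, base, XSS_PATTERNS).items():
        print(f"{param:6s} {verdict}")
    # Why the canary matters: the static comment makes the naive check fire even
    # for the safely escaped 'name' parameter.
    page = toy_app({**base, "name": XSS_PATTERNS[0]})
    print("naive check on 'name':", naive_check(page, XSS_PATTERNS[0]))
```

The report marks q as reflected raw and name as reflected but encoded, while the naive check wrongly flags name because of the static comment. Only the reflected-raw results need a human to confirm the context and craft a working payload; the rest are filtered out automatically, which is the time saving the section above is after.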

In the next part I'll cover the "Points to remember while selecting an open source fuzzer".


Sunday, October 3, 2010

Integration of Enterprise Security API (ESAPI): An Approach


If an application security professional is dealing with hundreds of applications and wants to integrate ESAPI into the enterprise-wide SDLC, I must say it will be one of the most challenging and interesting tasks in application security. Integrating ESAPI needs a very systematic approach targeted at the development community. For enterprise-wide integration I have chosen the following approach, keeping two goals in mind:
  1. The transition must be simple, smooth and accurate.
  2. The occurrence of vulnerabilities must be reduced in future developments as well.
Here it is:

Preparation Phase:
  • PP1: Understand ESAPI first. Choose sample applications that have a high number of vulnerabilities; fixing them with ESAPI teaches you the library in depth with less effort. Alternatively, the ESAPI SwingSet demo application is a good resource for this purpose.
  • PP2: Write secure coding guidelines for your organisation's development community and accompany each recommendation with a code sample using ESAPI.
  • PP3: Write a mapping document for each application that states in detail which ESAPI methods are to be used where (for example, which Encoder method for each output context, which Validator rule for each input, and the Authenticator and AccessController calls that replace home-grown checks).

Implementation Phase:
  • IP1: Organise application security (secure coding) training for the development community: demonstrate each vulnerability using vulnerable applications and their code, then demonstrate the same application/code patched using ESAPI.
  • IP2: Walk through the application mapping document prepared in PP3 for that application.
  • IP3: Publish the secure coding guidelines for the development community and encourage developers to use them.

Audit Phase:
  • AP1: Check that the correct API is used in each application against its mapping document (PP3 serves as the audit checklist).
  • AP2: Help the development community use the correct ESAPI methods in the correct places.


One last thing: for those equipped with Fortify (static analysis), the effort in steps PP1, PP3, AP1 and AP2 is reduced significantly, since the scanner points at the exact sinks where an ESAPI call is missing.

All the best!!!

Friday, June 4, 2010

Alert: New Social Engineering Attack




I am reproducing a mail which I received from an information security group. This is a new social engineering attack, and such attacks can be minimised only by awareness campaigns. I am contributing my two cents through my blog.

It all started when I received a call from someone claiming that he was from my mobile service provider, and he asked me to shut down my phone for 2 hours for a 3G update to take place. As I was rushing for a meeting, I did not question it and shut down my cell phone. After 45 minutes I felt very suspicious, since the caller had not even introduced himself. I quickly turned on my cell phone and received several calls from my family members. I called my parents and was shocked that they sounded very worried, asking me whether I was safe. My parents told me that they had received a call from someone claiming that they had me with them and asking for money to let me free. The call was so real that my parents even heard 'my voice' crying out loud asking for help. My parents were at the bank waiting for the next call to proceed with the money transfer. I told my parents that I was safe and asked them to lodge a police report. Right after that I received another call from the guy asking me to shut down my cell phone for another hour, which I refused to do, and hung up. They kept calling my cell phone until the battery had run down. I myself lodged a police report and was informed by the officer that there had been many such scams reported. In MOST of the cases reported, the victim had already transferred the money! And it is impossible to get the money back.

Be careful, as this kind of scam might happen to any of us!!! Those guys are so professional and very convincing during calls.


Be Safe and Stay Alert!

Wednesday, March 17, 2010

Hackers need your help first to succeed





Many of you may be surprised to hear this, but in most cyber security incidents it has been found that the attackers succeeded because the victims helped them first. Today I am going to explain how a user may help cyber criminals.

Awareness: Social engineering attacks are one example where the attacker succeeds and the victim cannot prevent it because of a lack of awareness of the latest attack trends and their countermeasures. Today knowledge should not be limited to using a system; we all need to keep ourselves updated with the latest security trends and must know how to use a system securely.
Ignorance: It is said that "Real knowledge is to know the extent of one's ignorance", and attackers work on the same principle to get inside your trusted boundary. Let me explain with one example: it is advisable that users change their passwords after a certain period of time. How many of us follow this? Similarly, there are a few sets of guidelines that one should follow while using these sophisticated systems.
Reliance: It is human nature that we rely easily on someone who cares for us or thinks about us, and most of the time we judge people in day-to-day interactions, but on the Internet these classic judgement methods are one of the softest and most useful weapons of cyber criminals. Phishing is one example of an attack executed by exploiting two common human behaviours, reliance and ignorance. Don't rely too much on labels, for too often they are traps.

Finally, I would like to say that awareness is not expensive, so do not try ignorance, and do rely on the acquisition of knowledge.