Vista security verdicts roll in

www.infosecurity-magazine.com

March 2007 ISSN 1353-4858

Featured this month

The security risks of AJAX/web 2.0 applications

Web 2.0 has become a generic phrase summing up everything that is hot and new about the internet. However, underneath it lie some fundamental concepts, including the writeable web, increased audience participation, and a move away from traditional ‘click and wait’ web applications, in which input was delivered on a page by page basis. AJAX (asynchronous Javascript and XML) is a programming mechanism that has enabled developers to deliver a better experience to web users. However, just as basic Javascript validation mechanisms did before it, AJAX-based applications may be subject to abuse by intruders who can launch attacks designed to bypass login scripts, for example. Programmers and project managers must come to terms with the tension between a better user experience and the potential for security flaws. One way to resolve it is to use robust coding techniques to protect applications. Paul Ritchie, a security consultant at penetration testing company SecureTest, examines the underlying concepts of AJAX and then evaluates some potential attack vectors. Turn to page 4...

Our changing network borders

Deperimeterisation is a concept that seems intuitive to many modern security researchers, and yet for the longest time organisational security practices operated along entirely different lines. Companies would pursue the ‘ring of iron’ model, using the perimeter as a single line of defence. Anyone on the outside of the perimeter was an enemy, while those on the inside were regarded as friendly. Such distinctions have become increasingly untenable in recent years, as developments including mobile working and cross-domain web services have blurred domain boundaries. Consequently, organisations have turned to a more granular notion of security, in which resources are protected at a more local level. Bruce Potter, founder of the Shmoo Group of security professionals, evaluates the most pressing needs both for companies who are actively embracing the deperimeterisation trend, and those that are being swept along in its wake. Turn to page 18...

Vista security verdicts roll in

Microsoft’s concerted cross-product security effort came under fierce scrutiny from security vendors and testers in February, and the results suggest that several types of malware could be redeveloped to attack Vista with a good chance of success. Keyloggers and bot programs are still capable of undermining system security, according to experts, although some may need redevelopment work. Turn to page 2...

Contents

NEWS
Vista security verdicts roll in ... 1
Expert pushes the envelope with passport RFID crack ... 2

FEATURES
The security risks of AJAX/web 2.0 applications ... 4
Paul Ritchie of SecureTest looks at the potential risks of asynchronous Javascript and XML, and suggests some preventative measures.

Maximising the ROI of a security audit ... 8
Many managers have come to fear security audits, worrying that they may uncover discrepancies that could embarrass them. In truth, says ISACA member Ron Westcott, a well-managed audit can provide peace of mind.

Software testing for security ... 11
In many software development projects, testing only occurs at the end of the development cycle, often almost as an afterthought. This can have severe implications for software security. Stephen de Vries outlines a methodology for integrating security tests into the heart of the development process.

Network discovery and its security applications ... 15
Traditionally, network discovery for tools such as asset management software is handled actively, scanning the network for devices. Dominic Storey suggests a more passive approach and looks at some of its benefits.

Our changing network borders ... 18
As the boundary between the inside and outside of a company blurs, administrators and security managers are faced with challenges that permeate everything from software development to roles and identities. Bruce Potter explores some of them.

REGULARS
News in brief ... 3
Events ... 20

ISSN 1353-4858/07 © 2007 Elsevier Ltd. All rights reserved

NEWS

Editorial office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Production Editor: Steve Barrett, Tel: +44 (0)1865 843239, Fax: +44 (0)1865 853971, Email: [email protected]
http://www.infosecurity-magazine.com/related/nese.html
Editor: Danny Bradbury, Email: [email protected]
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Senior Production/Design Controller: Lin Lucas

2

Network Security

Researchers within Symantec’s Advanced Threat Research team ran 2000 unique instances of malicious code against Vista using a self-built testing framework. The results, published in early March in a report called The Impact of Malicious Code on Windows Vista, found that 70% of the malware samples ran on Vista, but that due to underlying changes in the system only 6% were able to achieve a full compromise and only 4% survived a reboot.

The operating system’s security enhancements blocked a significant number of malware exploits, said the report, which pointed to the user account control (UAC) feature as particularly obstructive for existing malware. However, several attack vectors could be used to undermine some of the security enhancements, the report suggested. Such vulnerabilities included the ability to unblock firewall traffic in restricted user mode while operating under user account control. This made it possible to unblock firewall traffic by sending a message to the necessary dialogue box from the malware via the API, said the Symantec report.

Microsoft responded that other safeguards in Vista would require the user to explicitly allow the event. “Specifically, with a default and best practice installation environment, UAC would prompt the user to provide administrator credentials to complete the unblock function,” said a spokesperson.

Another attack involves the manipulation of user-owned registry keys to insert load points for malware such as keyloggers, according to Symantec experts. Such attacks would have to be stealthier, they suggest, because of the built-in Defender anti-spyware scanner. “With access to sensitive information, networking capabilities, and the ability to survive system reboots, we expect that threats already have the required functionality in order to propagate in the Windows Vista environment today,” said the report.

Microsoft’s OneCare anti-virus system scored the lowest in a test run by AV Comparatives, which used a total of 497,608 pieces of malware. The Austrian project, co-ordinated by senior AV tester Andreas Clementi, pitted OneCare against 16 other antivirus titles. The software, which scored lowest with just 82%, was the only one not to make the entry-level Standard quality rating, according to the monthly test. The version of OneCare tested was 1.5, which shipped at the end of January and was the first version to share the same malware detection engine as the Defender anti-spyware system. The OneCare team blog calls OneCare a superset of Defender. “This service is tested by numerous organizations and Windows Live OneCare is still certified by the International Computer Security Association (ICSA) Labs, the industry’s central authority for research, intelligence, and certification testing of products,” said a Microsoft spokesperson.

Gerhard Eschelbeck, CTO of Webroot, found similar results to Symantec in his company’s more limited test earlier in January, which involved 25 pieces of malware. The majority of malware executed successfully, but a small minority implemented its payload, he said. “The Beyond keylogger passed through and executed well and logged keys, and so on. It was probably the most generic keylogger written, using standard APIs.”

In January, security firm eEye Digital Security claimed to have found a vulnerability in Vista that could enable a restricted user to be escalated to system level access. Microsoft had not yet resolved this issue in mid-March, although in February it patched a security flaw in Vista’s malware detection engine that could have given attackers control of a system.

Expert pushes envelope with passport RFID crack

An RFID security expert has extended a previous attack on the UK Government’s RFID-enabled passport, this time demonstrating a way to read it without even seeing it. The attack means that passports could be read in transit to ...continued on page 20