Sunday, January 31, 2010

Google Inc. Zero Day Exploit Information

Written By: Boris Vaynberg & Avi Bashan

On January 12, 2010, Google announced that its systems had been hit by a sophisticated attack that most likely originated in China (http://googleblog.blogspot.com/2010/01/new-approach-to-china.html). The attack combined known attack vectors in what is known as an Advanced Persistent Threat (APT): an attack backed by large resources that coordinates elements of customized malicious code capable of targeting a wide range of security software. The blog post noted that this was not an isolated incident, but rather a deliberate attack that was launched on over 30 leading companies, including Adobe, Juniper, and other leading international technology, media, finance, and security companies (http://unsafebits.com/2010/01/15/china-related-cyber-attacks-on-major-firms-day-3/).

An internal investigation by Google revealed that the attackers used a previously unknown weakness (also known as a Zero Day Exploit) of the Internet Explorer browser (which affects all current versions from version 6.0 onward) and Adobe Acrobat Reader (which affects all versions prior to 8.0), in order to implant a Trojan horse. This Trojan horse used an encrypted channel on port 443 to transmit information (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249).

A little over a week ago (last Thursday), Microsoft released a critical security patch for this security breach (MS10-002) (http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx), and it was publicized that the malicious code was leaked to the Internet, and is currently available to the general public. Adobe also released a security update (APSB10-02) for Acrobat Reader.

Upon analysis of the attack files, McAfee discovered that the code was compiled from a folder named Aurora, and therefore it is assumed that this is the name that was given to this operation by the attackers (http://www.mcafee.com/us/threat_center/operation_aurora.html).

The Aurora attack was divided into two separate vectors which are not necessarily dependent on each other.

The first is the weakness vector which enables the malicious code to be run on any target system; the second is the malicious component installed on the system, in this case the Trojan horse, which provides malicious access to the information stored within the target system.

The first vector exploits two different weaknesses within the target computer which enable the installation of the Trojan. The first weakness is the existing vulnerability in the IE browser, as previously mentioned. The second is a weakness in the popular file reader, Adobe Acrobat PDF Reader.

Many companies have treated this series of events quite seriously and have deemed them significant, not because they represent a technological breakthrough in the field of information security (the discovery of these types of previously unknown weaknesses is prevalent in common and widely-used software such as IE, Adobe PDF Reader, and others), but rather because the widespread launching of this attack technique against commercial companies on such a large scale had not been witnessed before. In addition, there is cause for concern: it is considerably likely that the information stolen as a result of these attacks is sensitive and valuable intellectual property belonging to the companies involved.

These recent events require us to reevaluate the map of threats we help our clients deal with on a daily basis, and raise important questions, such as:

- How effective are current systems against these types of attack (Zero Day Exploits)?
- How can we know what is running within our networks at any given time, and where and how internal company information exits our internal networks?


Resources:

Is this attack relevant to me, and how can I defend myself against it?


Defense against this attack is no different from defense against the various attacks carried out on the Internet on a daily basis.

Defense against this attack is divided into two main elements, which address each of the vectors used in this attack.

1. Defense Against Weaknesses – The latest software security patches for all products in use should be installed regularly by your company.
• The IE security update can be downloaded by following this link: www.microsoft.com/technet/security/bulletin/ms10-002.mspx
• If Adobe Acrobat Reader is used in your organization, version 8.0 of the product should be installed. This installation can be found at the following link: http://get.adobe.com/reader.

2. Defense against Trojan horses or any other malware that has infiltrated your company network can be performed in the following manner:
• Update antivirus signatures installed on organizational computers.
• Manually remove the Hydraq Trojan from client computers.
• Monitor the data exit points from the organization's network to prevent data leakage.

For more information contact: info@comsecglobal.com

From script kiddies to organised cybercrime – things are getting nasty out there...

Written By: Stuart Okin
Published By: Microsoft Security Newsletter, December 2009


We have heard for some time that hackers have moved from script kiddies, trying to raise their profile, to the seedy and dark world of organised crime. The indictment of the hacker ring in Atlanta in early November for the $9.4 million RBS Worldpay ATM theft, is just one more example of the evolution in organised cybercrime and its sophistication in carrying out complex operations in short timeframes. This ring managed to coordinate an attack on more than 2,000 ATMs within a 12-hour period. Following less than a week of reconnaissance on existing vulnerabilities in RBS Worldpay security, the hackers began taking advantage of the vulnerabilities to acquire encrypted PINs through reverse engineering. This isn’t the first large scale instance of stolen encrypted PINs, which first emerged in the well publicised TJ Maxx theft, involving 11 hackers, and the stolen details of 40 million credit cards. It is believed in both cases that these criminals didn’t actually manage to crack the encryption, but rather bypassed security controls and elevated privileges, in order to function as super-users in the different systems - enabling these heists.

Organised cybercrime rings are beginning to resemble commercial entities, even with a range of pricing models, enabling more efficient attacks, which bring with them bigger returns. On some sites cybercrime is offered as a service today (perhaps we can coin the phrase CaaS!), where they offer a variety of services, such as crimeware - malware which automates cybercrime. Fill in a simple checklist; the operating system, type of attack (botnet, malware), and then the criminal ‘client’ (i.e. attacker) receives the capability of utilising infected computers to attack their target, with the ability to track progress through an online web portal. Cybercrime made easy at the click of a button! This is what we are now up against.

According to some pundits, cybercrime may have even surpassed drug trafficking in some countries as the most profitable illegal business. Furthermore, in the past cybercrime was more about the propagation of widespread, highly visible incidents, solely for the purpose of causing disruption and commotion. Today, however, these are being replaced by targeted, stealth attacks, often characterised by their invisibility to their victims.

The method employed by cybercriminals today is the combined attack. Take as an example a recent attempted attack on a client of ours, a major international bank, where an internet port was targeted to divert attention from the more critical attack taking place simultaneously on a database with sensitive account credentials. Vigilance is a critical factor in catching cyber attacks in real-time; however, the ability to analyse the event in the context of the bigger picture is imperative in preventing these diversionary tactics.

Vulnerabilities which once upon a time could have been relegated to important but not necessarily critical, are posing much more serious risks. As an example, we have been working with another leading financial institution, where we identified a potential race condition in their Forex portal. The company’s Forex portal enables a client to purchase foreign currency in the amount their bank account holds, however, the portal vulnerability raised the possibility of valid simultaneous user sessions and as a result a malicious user could in essence open 100 or 1000 sessions at the same time, and purchase foreign currency that far exceeded their bank account limitation. The purchasing of an exorbitant amount of a foreign currency artificially elevates the currency’s exchange rate, and if the malicious user simultaneously purchases and sells large amounts of that currency, they will make a great deal of money.
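The race condition described above is a check-then-act flaw: each session checks the balance, and only later debits it. The following is an added illustration, not code from the portal or from the original article; the `Account` class, the function names and the amounts are constructed for the example, and a barrier stands in for the delay between check and debit so the race is reproducible.

```python
import threading


class Account:
    """In-memory stand-in for the customer's bank balance (constructed)."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def buy_vulnerable(account, amount, gate):
    """Check-then-debit: the balance check is outside the critical section."""
    # Step 1: every session checks the balance independently.
    if account.balance < amount:
        return False
    # The barrier models the latency between check and debit (pricing call,
    # network round trip). All sessions pass the check before any debit runs.
    gate.wait()
    # Step 2: debit. The lock only keeps the arithmetic exact; it does not
    # help, because the decision to buy was already taken above.
    with account.lock:
        account.balance -= amount
    return True


def buy_atomic(account, amount, gate):
    """Check and debit inside one critical section."""
    gate.wait()  # all sessions start at the same moment
    with account.lock:
        if account.balance < amount:
            return False
        account.balance -= amount
        return True


def run_sessions(buy, balance, amount, sessions):
    """Run `sessions` simultaneous purchases; return (successes, final balance)."""
    account = Account(balance)
    gate = threading.Barrier(sessions)
    results = [False] * sessions

    def session(i):
        results[i] = buy(account, amount, gate)

    threads = [threading.Thread(target=session, args=(i,)) for i in range(sessions)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Balance 1000, ten simultaneous sessions each buying 400.
    print("vulnerable:", run_sessions(buy_vulnerable, 1000, 400, 10))
    print("atomic:    ", run_sessions(buy_atomic, 1000, 400, 10))
```

In a database-backed application the same guarantee comes from performing the check and the debit in one transaction that holds a row lock, or from a single conditional update, rather than from an in-process lock.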

Supporting these targeted attacks, especially in the area of blackmail, extortion and identity theft, are the increasing number of PCs which have been taken over by organised crime, forming the backbone of botnet armies. It’s estimated by the FBI that more than one million computers are “hijacked” annually by malicious botnets. While it is often perceived that hackers are utilising special methods and cutting-edge techniques, this often is far from the case; their power lies in the large number of known attack methods and the associated high probability that applications are not protected against all of these. This is reflected in the continued massive rise in Phishing emails and linked spam (it is estimated that nearly 90% of emails today are spam), malware, malicious botnets (more than doubling in number from January to June 2009), worms, Trojans, SQL Injection attacks and site defacement attacks, which are some of the most common methods of attack utilised by cybercriminals – that still succeed many times over.

What makes the landscape increasingly challenging, is that the confidence in our current security controls and countermeasures is often undermined, from the bypassing of SSL at the Black Hat convention in July, through to the GSM A5/1 and DNS Kaminsky vulnerabilities; attacks previously believed as only “academically possible”. While it’s virtually impossible to hermetically secure software today, seeing the incredible lengths criminals will go to obtain valuable financial information, we cannot underestimate the existing weapons in our arsenal to combat cybercriminals – education and awareness.

How is it that people still circulate the emails that state that Microsoft and AOL will give 20p for every person the email is sent to? Poor training and awareness.

How is it that employees manage to download malware and Trojans to their workstations from social networking sites? An improper enforcement of security policies and lack of awareness of these new threats.

How are cybercriminals succeeding in simple attacks like SQL injection? An inability to align coding with security best practices in strong authentication and encryption and a lack of security training for software architects and developers.

How is it that we still see site defacement? Poor network monitoring practices and a lack of awareness of the risk.

Every simple attack method has a simple security countermeasure which was evidently improperly implemented, overlooked or taken too lightly. Cybercriminals aren’t carrying out simple attack scenarios because they’re incapable of more complex attacks; it’s because they don’t need to.

Monday, January 18, 2010

The Secure Software Development Lifecycle–Security from the Start




Monday 6 July 2009
France Telecom Open Tribune
Author: Nissim Bar-El, CEO & Chairman



According to a recent University of Michigan study, more than 75% of bank websites surveyed had at least one design flaw that could make customers vulnerable to cyber thieves. Unfortunately, this is not an uncommon phenomenon across the board for all types of sensitive applications today. With credit card data, and bank accounts constituting 22% and 21% respectively, of items most “on-demand” for online purchase, it’s not surprising then, that all leading research organizations predict a major incorporation rate of security within the software development stages by 2009. This is also known as a secure Software Development Lifecycle (SDL).

While developers usually schedule time into security cycles for securing the infrastructure layer, communication layer, and physical aspects of systems and products, along with ensuring proper work procedures, it seems as though security at the application level is not given adequate attention early in the development of the software. This, combined with the fact that most application designers and programmers usually do not have the required expertise to develop a secure and robust application, even after following secure programming guidelines, makes it virtually unavoidable to encounter security flaws in complex systems. Another contributing factor could be the lack, until now, of appropriate solutions in the market, such as quick and thorough source code analysis that can also be applied to non-compiled code.

Like all other business-critical organizational processes that require planning and strategizing, it is nearly impossible to deliver a bug-free application if a proper and organized process is not implemented. What’s more, implementing security without a clear process can be based on inefficient processes, and insufficient internal communication between teams regarding relevant security issues.

As a result, normal day-to-day insecure products have many implementations and designs that may, if they are not implemented correctly, introduce security flaws and open the door for system users, legitimate or malicious hackers, to perform unauthorized operations. Exploiting these security breaches, intentionally or unintentionally, may harm the three crucial information security missions of every organization – preserving the availability, integrity, and confidentiality of the organization’s sensitive data.

Some of the popular and potentially debilitating forms for exploiting breaches of this nature include: privacy breaches through the gaining of unauthorized access to private and secret information; user impersonation and identity theft, a rapidly growing problem worldwide, this includes the performing of illegitimate activity against the system backend using the Web frontend; stealing corporate information or altering it; gaining full control of a Web server; site defacement; and even the possibility of launching Denial of Service (DoS) attacks. Depending on the severity of the breach, the consequences could include financial losses or potential reputational damages.

Taking into account the severe potential fallout from improper security design and implementation, the inevitable question arises, how is it possible that more organizations are not implementing secure Software Development Lifecycles? This process has proven, time and again, that it reduces costs incurred one hundred-fold if implemented in the first stages of development. Leading organizations like Microsoft, Gartner, and Forrester, have endorsed this approach many times, and have demonstrated clearly that organizations that implement an SDL plan that integrates security best practices throughout the software development lifecycle greatly reduce the number of defects and vulnerabilities. Doing so saves enterprises an inordinate number of man hour costs for future remediation purposes, which may bring about the potential delay of a product’s launch, as well as other financial losses that may result if security breaches go undetected and are exploited by malicious entities.

The SDL provides process-level requirements that define how security should be integrated within each product’s development process, in particular specifying activities that should be performed at each phase of the process. The objective of this process is to minimize the number and quality of security related flaws in the initial design, code, and documentation, and to detect and remove these flaws as early in the development lifecycle as possible. An ideal practice that should be instated throughout the secure development is ongoing source code analysis, that will provide in real-time the security vulnerabilities that exist in the code, which will then facilitate the mitigation of the breaches without delaying the production process. In addition, the SDL allows senior management to receive a clear view of the current level of product security, enabling them to reach an objective decision on whether to release the product or not.

Comsec Consulting has been actively providing its services around many intricate facets of application security for more than two decades. This accumulated experience has enabled Comsec to cultivate a bird’s-eye view of the many complexities in this field. This knowledge has been the foundation for the development of in-house proprietary tools, tried and true methodologies relating to all aspects of Information Risk Management, and even an advanced technology for client-specific, customized source code analysis, all of which contribute to the continuous evolution of SDL. These methodologies and technologies have facilitated the successful implementation of comprehensive end-to-end SDL processes over the past years. These processes have included extensive hands-on practice by Comsec’s multi-disciplinary security consultants with services like: Software Security Policy Development, Procedures and Guidelines Formulation, Design Evaluation, Code Review, Penetration Testing, Security Reviews, along with Software Security Training and Awareness.

The objective of the SDL is to formulate a process in which information security is involved in the development lifecycle; where a formal SDL that is tailored to suit an organization’s needs is one of the best methods to realize an enterprise’s security goals.

A typical SDL process is comprised of the following stages:

Stage One: Requirement Analysis
At this stage of the process the team verifies whether a specific system, application, module, feature, or software (or any other product) complies with specific predefined security requirements such as industry best practices, leading international compliance standards (ISO:27001, PCI:DSS, ITSec, SOX, and others), policy and procedure definitions, along with RFP requirements.

Stage Two: Architecture and Design Evaluation
This evaluation stage will include a study of the application and a review of the conceptual and design level. The review will generate a report regarding problematic security considerations in the application architecture, and/or design, as it relates to the application, network, system, or product involved.

Stage Three: Security Code Review
One of the most important stages in the SDL process is the security code review. This is the most effective way to find vulnerabilities at the source code level, which is one of the main reasons it is required by leading international compliance standards such as PCI:DSS. In order to mitigate risks, Comsec provides a unique and professional service for security code review, which provides quick and accurate results, virtually free of false positives. The Comsec security professionals fuse their accumulated and in-depth knowledge in application security to customize scripts to your organization’s specific business context, and uncover breaches only human logic and intuition are capable of exposing.

Stage Four: Overall Security Testing
Utilizing the user interface, browsing, and various functional procedures of the application, issues will be examined during security testing, such as the following: user registration process, password management, user management, system timeouts for sessions and dialogs, user login processes, SSL usage, security interfaces and any other components that may influence the security of the product.
All the various scenarios and types of penetration tests aimed at assessing the quality of the operating security mechanisms are carried out. Information Security Product Evaluation provides assurance that the product will comply with security “best practices”, provide the security expected whenever it is required, and will not expose its consumer to new security vulnerabilities. The purpose of this stage is to examine the inherently planned information security level of a product with the intention of ensuring the highest standards of information security, while also focusing on product integration with the working environment.


Stage Five: Ongoing Maintenance
This stage includes maintaining security levels with new releases, regression testing to ensure constant security, and overall process improvement. This stage ensures that new vulnerabilities are not introduced as a result of faulty planning and ongoing management.





The above model exhibits the different stages of the SDL process, and the necessary phases in each stage to ensure the successful implementation of the secure SDL.

Comsec’s professional experience and research has clearly confirmed that, when executed correctly by a team with the proper in-depth expertise in the SDL process, the integration of an SDL into the product development practice will in effect:

* Reduce overall costs
* Increase development efficiency
* Improve application security
* Reduce time-to-market of new functional features
* Improve the degree of the application security maturity
* Allow senior management a clear view of product security
* Ensure effectiveness of security efforts
* Ensure efficient use of development resources
* Lead to increased customer satisfaction



About Comsec:
Comsec Consulting (TASE: CMSC), is a leading provider of Information Security and Operational Risk services to organizations worldwide. Founded more than two decades ago, Comsec operates offices in the United Kingdom, Netherlands, Poland, Turkey, France, Israel, and has affiliates in the Far East. Comsec covers all aspects of Information Security, from strategy and architecture, planning, design, ERP security services, and advanced security solutions, to PCI and ISO 27001 compliance, for all market sectors. In addition, Comsec provides deep level application threat assessment and testing services to leading software development companies and enterprises across the globe.

How much do you spend on IT Security? Do you really know?



By Stuart Okin , managing director of Comsec Consulting UK
Published: May 1 2009 09:37 | Last updated: May 1 2009 09:37




What a business is spending on its IT could amount to 2 per cent of revenue – a figure that should make everyone sit up and think.
Consider a global hi-tech company, operating in about 20 countries, with a user population of 10,000 and revenues of £850m. Such a company would need to make sure the following areas have all been attended to:

● Process activity – such as risk assessments, audit and penetration tests
● People activity – such as awareness campaigns, security and compliance training
● Development activity – such as re-coding applications with security vulnerabilities
● Technical controls – such as AV, firewalls, intrusion detection systems, patch management
● Operations and incident management – monitoring network and security
● Fraud prevention – including investigation services

The heads of security within companies I have spoken to over the past couple of months do not know how much they spend on IT security. But the cost of IT security could be between 0.01 and 2 per cent of revenue. In the case of the imaginary company, this would equate to a potential £17m.

I have been working with a large enterprise in pulling together a model to understand the true cost of IT security. Both my sponsor and I believe we can produce huge financial savings, through standardisation, consolidation, better utilisation of what is in place, improved supplier management, and implementing fraud mitigation solutions.

Any change programme requires investment. The first step, therefore, is to work out what is spent today on IT security, in order to make a business case for investment.
One head of security I spoke to at a large financial organisation, called their IT security “a cottage industry within the company”. This is because the last few years have seen the security agenda break up into a fragmented model – it has been pushed away from the centre.

This does have some benefits, as it moves security closer to the coal face, resulting in improved awareness and responsiveness, but it can also lead to silo thinking, with the implementation of costly point solutions, localised standards and isolation of good practices.

The concern I have is that if a business does not know what it has across the entire organisation, then how does it know whether it has the appropriate tools and operations in place to minimise risk to the business?
Businesses should use the recession to open up opportunities: for IT security leaders, this means being proactive in order to help the business save money and improve the overall security environment.




However – be warned – this will mean the IT security leader will need to take on responsibility and accountability.




Copyright The Financial Times Limited 2009

Decreasing the Risk of Fraud and Embezzlement in ERP Systems

Written by Medi Karkashon-Mizrahi, ERP Security Division Manager

The gradual implementation of ERP systems has united all of the business processes into one comprehensive system on the one hand, and on the other has opened the opportunity to carry out various fraud and embezzlement actions through the system. The existence of a number of factors, such as general authorizations, non-segregation of duties, incorrect policies and procedures, and inadequate design and maintenance of sensitive databases – all these are breaches through which one can conduct fraud and embezzlement. The identification and auditing of these issues will significantly decrease the risk for a potential attack.

The words “fraud” and “embezzlement” are a concern for diverse organizations and managers. This issue is raised repeatedly due to the variety of fraud and embezzlement cases that were recently exposed across the globe.

Fraud and embezzlement is carried out when three elements occur:

1. Pressure (to carry out the act)

2. Attitude (of the malicious party)

3. Opportunity

The first two elements are not and cannot be controlled by the organization. However, opportunities to carry out fraud are abundant due to the failure to manage information systems and the non-implementation of suitable control mechanisms.

The implementation of control mechanisms and the correct system management are critical issues in the implementation of an ERP system. This is due to the fact that these systems store sensitive information on suppliers, clients, employees, sales, budgets, revenue, and additional confidential business information. Furthermore, this working environment presents various opportunities for fraud as described below.



When a product goes into production, a great deal of effort is invested in improving the functionality of the system and in successful implementation amongst the users. As a direct result, many users (including regular employees, consultants and implementers) receive wide system authorization. These wide authorizations are a common phenomenon in many organizations due to the fact that the latter believe it will shorten the time to production.

ERP systems are extremely complex, and there are a number of possibilities to receive wide authorizations in the entire system. In SAP systems, for example, user management is based on user definition, profiles, rules and objects. The user can receive wide authorizations from a problematic profile, can be ascribed incorrect rules or receive objects that are breached.

The removal of wide system authorizations is not a simple task; an organization must recognize the various possibilities, repair them, and manage each separately. The misidentification of wide authorizations increases the organization’s exposure to fraud and embezzlement.



ERP systems register business transactions in real-time. This fact decreases the chance both to prevent fraud and to identify the fraud as soon as possible. For example, if a person stole inventory from a certain company, and at the same time rearranged the inventory application in the ERP system, it would be extremely difficult to discover the embezzlement. The existence of system audits can prevent such an occurrence.

Companies should identify the problematic focal-points in the system and implement real-time audits that decrease the exposure.



ERP systems work via one database, a fact that improves the flow of information and process integration on the one hand, and on the other causes a situation where the majority of the company’s processes are managed under one system. If in the past, procurement was carried out by a buyer on system X, and the payment was carried out via system Y, now these two actions are carried out in a single ERP system. Thus, if the company did not implement a user management scheme that preserves the role distribution principle, most likely there are violations of role distributions. Various embezzlements across the globe could have been avoided if the company had implemented a role distribution principle, which states that each process – from start to finish – will not be conducted by a single individual, rather at least one other person will be involved for auditing and authorization.

Companies should identify the violations of the role distribution principle, repair them and manage them regularly.
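The two checks implied above can be sketched as follows: which users hold authorizations that conflict with each other, and which completed processes were carried out from start to finish by one individual. This is an added illustration, not Comsec's methodology or any ERP vendor's API; the role, activity and user names, the conflict pairs and the log records are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not taken from any ERP system).
ROLE_ACTIVITIES = {
    "buyer": {"create_po"},
    "ap_clerk": {"post_invoice", "release_payment"},
    "vendor_admin": {"maintain_vendor_bank"},
    # A wide authorization of the kind handed out to speed up go-live.
    "go_live_support": {"create_po", "post_invoice",
                        "release_payment", "maintain_vendor_bank"},
}
USER_ROLES = {
    "alice": ["buyer"],
    "bob": ["ap_clerk"],
    "carol": ["buyer", "vendor_admin"],
    "dave": ["go_live_support"],
}
# Pairs of activities that one individual should not hold together.
CONFLICTS = [
    ("create_po", "release_payment"),
    ("maintain_vendor_bank", "release_payment"),
    ("create_po", "maintain_vendor_bank"),
]
# (process instance, step, user) records, as an audit log might export them.
LOG = [
    ("PO-1001", "create_po", "alice"),
    ("PO-1001", "post_invoice", "bob"),
    ("PO-1001", "release_payment", "bob"),
    ("PO-1002", "create_po", "dave"),
    ("PO-1002", "post_invoice", "dave"),
    ("PO-1002", "release_payment", "dave"),
    ("PO-1003", "create_po", "carol"),
]
PROCUREMENT_STEPS = {"create_po", "post_invoice", "release_payment"}


def potential_violations(user_roles, role_activities, conflicts):
    """Users whose combined roles grant both sides of a conflicting pair."""
    findings = {}
    for user, roles in user_roles.items():
        granted = set()
        for role in roles:
            granted |= role_activities.get(role, set())
        hits = [pair for pair in conflicts if set(pair) <= granted]
        if hits:
            findings[user] = hits
    return findings


def single_actor_processes(log, required_steps):
    """Completed process instances in which one individual did every step."""
    actors = defaultdict(lambda: defaultdict(set))  # process -> step -> users
    for process_id, step, user in log:
        actors[process_id][step].add(user)
    findings = {}
    for process_id, steps in actors.items():
        if not required_steps <= set(steps):
            continue  # process has not yet run from start to finish
        everyone = set().union(*steps.values())
        if len(everyone) == 1:
            findings[process_id] = next(iter(everyone))
    return findings


if __name__ == "__main__":
    print(potential_violations(USER_ROLES, ROLE_ACTIVITIES, CONFLICTS))
    print(single_actor_processes(LOG, PROCUREMENT_STEPS))
```

The first check reports exposure that exists on paper (carol and dave here); the second reports processes where that exposure was actually exercised (PO-1002).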



The implementation of an ERP system usually includes the assimilation of sensitive procedures such as Signatory Authorization, Procurement Authorization, Supplier Payment Authorization, etc. In the past, these procedures were assimilated through physical measures, however today many organizations have adopted automatic mechanisms instead. The incorrect assimilation of these procedures may cause employees to carry out faulty actions that cannot be prevented.

Companies should implement a suitable audit framework that decreases the occurrence of these situations.



The transfer to an ERP environment is usually conducted from a variety of Legacy systems which manage sensitive data such as employees’ bank account numbers and customers’ price terms. Today, all this data is managed in one system with one database. The conversion process is complex and usually requires exporting data from system X, improving the data and importing it to an ERP system. If the sensitive data is exposed to hostile parties during one of these three stages, it is possible that data will be leaked to unauthorized parties or damaged intentionally. The infrastructure for the correct and efficient management of processes in the system is based on a trustworthy database of master data (for example, payment to a supplier which is carried out in accordance with the payment date, the way of payment and bank account – all master data; collecting payment from a customer is carried out in accordance with the way of payment and customer discounts – both master data). Thus, the management of master data is a potential basis for conducting fraudulent activities.

Companies should identify the sensitive data and carry out periodic examinations on the data’s verity and maintenance by system users.



The problematic focal points should be dealt with in two phases. The first, identification of these focal points, and the second – establishment of a continuous auditing framework that will prevent and decrease the chance of exposure.

ERP systems such as SAP and Oracle are large and complex in regard to the number of implemented processes they store, the huge amounts of data they store and their way of operation. Thus, the identification and proper treatment of the problematic focal points requires skill and deep knowledge of the system.

Comsec Information Security has developed proprietary methodology to conduct Fraud and Embezzlement Assessments in ERP systems in general and SAP systems in particular. The uniqueness of this methodology is derived from work plans that refer to the specific, problematic focal points in each ERP system, whilst emphasizing a continuous auditing framework.