Search



SpiderLabs Services
Resources

Research Stats

Categories

Security Advisories

Trustwave Press Releases

10 May 2013

SpiderLabs Radio May 10, 2013 w/ Space Rogue

This weeks episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave's Threat Intelligence Service and covers IE 0-day hits Labour, Syrian Electronic Army hits E! Online and The Onion, Guccifer returns, $40 Million cyber heist, OpUSA becomes OpDud, BX1 extradited, name.com, John Dvorak. media sites hit, I'm a Slutty Moron, Evernote and China? and a lot more!

Listen to SpiderLabs radio in iTunes.

Or you can download the MP3 file directly here.

Or listen right from your browser with this embedded player.

Posted by on 10 May 2013 at 15:59 in SpiderLabs Radio | | Comments (0)

Introducing the Burp Notes Extension

As a Security Analyst I spend a significant amount of time working in tools like Burp Suite. On any given project I need to keep track of a large number of requests, responses, and various scan results. Conveniently, I can store all this in a single state file to keep for future referral. I also use a number of external scripts that have important output, but that ends up in a spread of text files that I have to keep track of. With that in mind, and the revamp of the Burp Extender API, I have decided to create an extension to make organization a bit easier.

The Burp Notes Extension adds a tab to the interface where I can create and manage text documents and spreadsheets.  From the main tab a user can create new documents, load previously saved data, and save any currently open documents. I've also added the ability to import and export documents so that they can be easily reused for each project. One of the apparent limitations of the API is that it does not provide integration with Burp’s state functionality; all documents within the Notes tab are saved and loaded externally to the state file. I have taken care, however, to make sure that users are prompted to save before anything closes to make sure data isn’t lost. State integration is on the top of my list once that functionality becomes available.

Continue reading "Introducing the Burp Notes Extension" »

Posted by on 10 May 2013 at 11:00 in Penetration Testing, Tools | | Comments (0)

5 ways to protect your E-Commerce site

The Trustwave Spiderlabs team frequently responds to E-commerce data breaches. The number of website breaches that we are working continues to rise. There are a handful of reasons for this rise.

  • We are approaching saturation in the "brick and mortar" Point of Sale breaches. Attackers have been after these systems very aggressively for the past few years. They're not going to stop stealing, they are just going to find new targets.
  • It's getting easier. There are some very sophisticated scanning tools on the market that are either free, cheap or already pirated by attackers. These tools are incredibly efficient at pinpointing and exploiting website vulnerabilities. We see Havij and SQLmap on a weekly basis.
  • The payoff! E-commerce sites are still storing large databases full of personal information and cardholder data. The black market for this information is well established and an attacker can easily monetize what they steal. It's not unusual to see 50,000 - 100,000 records in an E-Commerce database. The sale price of a data record can vary from a few dollars up to about $25 per record. That's a lot of money!

Continue reading "5 ways to protect your E-Commerce site" »

Posted by on 10 May 2013 at 08:30 in Incident Response, ModSecurity, Payment Card Industry, Penetration Testing | | Comments (0)

09 May 2013

Microsoft Advance Notification for May 2013

There will be ten bulletins released by Microsoft next Tuesday and one of those should be for the recent Internet Explorer zero-day discovered earlier this week.  Buletin 2 should cover the remote code execution of the IE-8 0day while Bulletin 1 will also cover RCE in IE 6 thru 10.  We suspect Bulletin 1 will fix the issue discovered during the PWN2OWN competition at CanSecWest earlier this year.

Bulletins 3, 4, and 10 are in Windows itself including .NET. They are rated Important and cover Denial of Service, Spoofing and Elevation of Privilege vulnerabilities.

Bulletins 5, 6, and 7 are all rated Important and all three result in remote code execution in parts of Microsoft Office. Specifically Communicator and Lync, Publisher and Word in that order.

Bulletin 9 is also rated as Important and results in Information Disclosure in Windows Essentials. Don’t get confused with Security Essentials. Windows Essentials is a free software pack for Windows 7 that includes Mail, Movie Maker, Messenger and other useful apps that Microsoft gives away.

 

Posted by on 09 May 2013 at 15:11 in MAPP | | Comments (1)

08 May 2013

Alina: Casting a Shadow on POS

Over the pastfew months, a number of malware families targeting Point of Sale (POS) systems have been discussed. First there was Dexter (Seculert / SpiderLabs), then there was its big brother vSkimmer, and more recently there was Dump Memory Grabber / BlackPOS. One of the most interesting threads of commonality between these samples is the command and control (C&C) structure used between them. Utilizing a C&C communication channel for data exfiltration, while previously rare, has become more and more common in POS malware. I'd like to use this blog post to discuss another similar sample that I recently got the chance to look at, named Alina. We’ve seen Alina on a number of active forensic cases in the past few months, which is how I was originally made aware of this malware family.

Alina is not completely unknown in the reversing community. Xylitol has a nice writeup on a slightly older version, which you can find here. While an excellent read, I'd like to use this opportunity to dig into the mechanics of the malware further. There are a number of versions of the Alina malware family. For this post, I’m going to focus on version 4.0, which looks to have been created on February 7th based on the PE timestamp information. I have some newer versions, but I’m going to hold off talking about those until my next blog post, where I will discuss the evolution of this malware family and the changes made between revisions. So without further adieu, let's dig in.

Continue reading "Alina: Casting a Shadow on POS" »

Posted by on 08 May 2013 at 09:30 | | Comments (0)

05 May 2013

Mayday! 0-Day

While many workers around the world were celebrating the May 1st events, the US Department of Labor website got hacked and was used to redirect browsers to a 3rd party site which served a new IE 8 0day exploit, known as CVE-2013-1347. Microsoft already released an advisory about it last Friday.

Having a quick look at the in-the-wild exploit code, it can be seen that the exploit creator targeted only victims running IE 8 on windows XP computers, by using Javascript that triggers the exploit based on the user agent. However, the exploit can work with IE8 on other versions of Windows such as Windows 7. The reason for limiting this attack to Windows XP users is currently unknown. 

Apparently, the attackers collected technical statistics on the victims’ browser plugins BEFORE serving them with the IE exploit, for example whether plug-ins from their antivirus product, from Fiddler Proxy or from TamperData are installed. That information is then sent to the aforementioned 3rd party site. 

According to a tweet from one of Metasploits’ exploit developers, a module for this CVE will be released soon. Therefore an increase in exploit attempts of this CVE is quite likely.

And to the good news: Trustwave SWG Server (versions 10.1 and higher) blocks this attack out-of-the-box using its generic protection engines, without any further update, thus maintaining good record of blocking the recent 0-day attakcs.

Posted by on 05 May 2013 at 14:40 in MAPP, Secure Web Gateway, Zero-Day | | Comments (0)

03 May 2013

SpiderLabs Radio May 3, 2013 w/ Space Rogue

This weeks episode of SpiderLabs Radio hosted by Space Rogue covers Living Social, Reputation.com, Syrian Electronic Army, CyberBunk/SpamHaus/Cloudfare weirdeness, Google Play Kills AutoUpdate,  Al Qassam cyber Fighters, Rogue Admin mines bitcoins, Foie Gra, Levenworth Hospital, Ketchikan Middle School, and Itella Posti
 and a lot more!

Listen to SpiderLabs radio in iTunes.

Or you can download the MP3 file directly here.

Or listen right from your browser with this embedded player.

Posted by on 03 May 2013 at 16:01 in SpiderLabs Radio | | Comments (0)

01 May 2013

TrustKeeper Scan Engine Update - May 1, 2013

The latest update to the TrustKeeper Scan Engine is now available.  It adds coverage for more than a dozen vulnerabilities, including several recent vulnerabilities in Cisco and Oracle products. Newly covered vulnerabilities also include recent vulns in Microsoft Active Directory (including ADAM and AD LDS as well as the usual AD) and MySQL. 

Continue reading "TrustKeeper Scan Engine Update - May 1, 2013" »

Posted by on 01 May 2013 at 15:36 in TrustKeeper Scan Engine | | Comments (0)

30 April 2013

XML External Entity (XXE) Execution Disabled in ModSecurity v2.7.3

On February 27, 2013, the ModSecurity project team was notified by security researchers from Positive Technologies that they had identified an XXE flaw in ModSecurity.  Here is the CWE info for XXE -

Screen Shot 2013-04-30 at 12.23.48 PM

Continue reading "XML External Entity (XXE) Execution Disabled in ModSecurity v2.7.3" »

Posted by on 30 April 2013 at 12:03 in Application Security, ModSecurity | | Comments (0)

26 April 2013

SpiderLabs Radio April 26, 2013 w/ Space Rogue

This weeks episode of SpiderLabs Radio hosted by Space Rogue covers HostGator, twitter twitter twitter, SPAMHaus, Rueters, LulzSec, DDoS, Java, JailbreakMe and a lot more!

Listen to SpiderLabs radio in iTunes.

Or you can download the MP3 file directly here.

Or listen right from your browser with this embedded player.

Posted by on 26 April 2013 at 15:02 in SpiderLabs Radio | | Comments (0)

« Posterior | Anterior »