Bryan Sartin joins us to discuss the 2010 Verizon Data Breach Report.  We will have our usual banter as well.

Use the links on the right side of the website to listen live!

The patches provided by Adobe for the problem are quite simple, and in most cases shouldn’t even require a restart of the ColdFusion services.  The impact of the vulnerability is huge.  As Rafal Los, who rightfully calls this a “Disaster”, points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.

Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.

Now for my confession.  I’ve been working with (and frustrated by) ColdFusion since version 4.5.  I understand how CF developers work, and how poorly the servers are administered in most installations.  In his post, Rafal Los offers some Google dorks for finding CF servers, and states that “There is really no legitimate reason to have a ColdFusion Admin interface on the public internet … really, I can’t think of one… yet there are many results!”.  So why are there so many results?

It is a combination of factors, laziness I’m sure being close to the top of the  list, but there are others.  The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside of the “/CFIDE/” directory.  This directory has other directories inside of it which are used by CF for things like form validation, rendering of graphs, etc. and as such some applications stop working if the entire directory is locked down.  This means having the administrator (who may know nothing about ColdFusion) has to try to lock down the directories individually (in Adobe’s defense, the most recent version has a Lockdown Guide written by Pete Freitag which is well done).  I think the security of ColdFusion has suffered as a result of this mixture of programming functionality and server administration.

Another problem is those older versions for which no patch is forthcoming.  CF developers are very wary of changing the version of CF their application currently works on.  Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources.  This means that there are now a lot of old applications which are on old versions of CF.

Unfortunately, ColdFusion is starting (well, continuing) to look a lot like PHP for its reputation in security circles.  Like PHP, CFML is easy to pick up, and makes it very easy to write applications.  It also makes it very easy to write insecure applications.  Most CF sites are vulnerable to SQLi, XSS, and LFI, much like PHP.  Now with a vulnerability like this in the core of ColdFusion, I can’t say the reputation it is gaining isn’t deserved.

• SANS: August 2010 Microsoft Black Tuesday Summary
• Threatpost: Inside Microsoft’s August Patch Tuesday
• Microsoft TechNet: Microsoft Security Bulletin Summary for August 2010
• Microsoft Security Response Center: August 2010 Security Bulletin Release
• Microsoft Security Research & Defense: Assessing the risk of the August security updates

After pulling together some of the information I wrote this paper called “Securing Self-Service Password Reset Functionality in Web Applications” in an effort to help educate developers and provide some guidance for them when adding this type of feature to web applications.

Of course, any comments or suggestions are welcome!

Securing Self-Service Password Reset Functionality in Web Applications (pdf)

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling  – @chrisgerling
Christopher Mills – @thechrisam
Andrew Borel –  @andrew_secbit

Guests:
Eddie Schwartz – @eddieschwartz

General topics:
BSidesLV http://www.securitybsides.com/BSidesLasVegas
BlackHat https://www.blackhat.com/html/bh-us-10/bh-us-10-home.html
Defcon https://www.defcon.org/html/defcon-18/dc-18-schedule.html

Shmoocon Woot Video http://www.youtube.com/watch?v=HJ0ypgZU_D0
NetWitness Visualize http://visualize.netwitness.com/

Brief panel on certifications.

iPhone App Now Available. http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

http://itunes.apple.com/us/podcast/securabit/id280048405

Upcoming events
South Florida ISSA’s Hack the flag and chili cook-off  Saturday August 14, 2010 from 12:00pm – 5:00pm
http://sfissa.org/index.php/sfissa-mm-events/htf-main/85-hack-the-flag-2010
Hacker Halted http://www.hackerhalted.com/ Tim Is speaking October 14th

Links:

http://securabit.com

Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

Update: Microsoft has published the advisory and patch. Details available here.

• Web App Security needs some work.
• Privileged users can be dangerous
• Organizations need to know what data they have and where
• The information is in the logs, but no one is looking
• Egress filtering is important
• Malware is getting more sophisticated and customized

None of this is really news to infosec pros, but it may provide some fodder when explaining needs to management, as the reports contain hard numbers (and pretty graphs).

Here are some of the most recent reports:

Verizon 2010 Data Breach Investigations Report (DBIR)

The big news here is that the DBIR now includes data from the U.S. Secret Service, giving the folks at Verizon more data to work with. The report is very well put together and does a great job of presenting the data it contains, including pointing out where the new influx of data from the Secret Service has impacted the data making trends appear different than they have in past DBIRs. The report is available here.

Akamai State of the Internet Q1 2010

Akamai’s large global network certainly allows them to see a lot of traffic, both normal and malicious. Only the second section of the report deals directly with security, but the rest still makes interesting reading. In addition to attack traffic data, the report also contains information on global connection speeds, US connection speeds and mobile connection speeds. The report is available here (registration required).

Ponemone/ArcSight Cost of Cyber Crime Study

This study was sponsored by ArcSight, so there is a good amount of mention of SIEM systems and their benefits. The study still contains some interesting data on how much incidents can actually cost organizations (before, during and after an incident), with good information about the methodology used to arrive at the figures presented. The report is available here (registration required).

Digital Forensics Association “The Leaking Vault”

“The Leaking Vault” takes 5 years of data breach information taken from many different sources include FOIA requests, the Open Security Foundation, the Privacy Rights Clearinghouse, Sound Assurance, and the Identity Theft Resource Center. The result is a large amount of data which is sliced and presented in many different ways, providing some interesting incite into data breach notification (and the failures of them in some cases). The report is available here.

Cisco 2010 Midyear Security Report

The Cisco 2010 Midyear Security Report is less numbers focused than the reports listed above, but still interesting. The report is more focused on the changes in enterprises today and how those changes will impact security needs. This includes Mobile Devices, Virtualization and Cloud Computing, Social Media, and Government regulations. The report also includes information on worldwide spam volume. As an added bonus, the report also includes “The Artichoke of Attack” (page 21) which is by far my favorite graphic from any of these reports. The report is available here.

Hosts:
Christopher Mills – @thechrisam
Andrew Borel –  @andrew_secbit
Tim Krabec – @tkrabec http://www.SMBMinute.com
Nicholas Berthaume — @nberthaume https://www.bordergatewayprotocol.net
Anthony Gartner – @anthonygartner http://anthonygartner.com

Guests:
Guest: Lenny Zeltser – @lennyzeltser http://zeltser.com/

General topics:
Reverse Engineering Malware

New Linux Distro to analyze malware
REMnux: A Linux Distribution for Reverse-Engineering Malware
http://zeltser.com/remnux/
Based on Ubuntu
Released just 5 days ago – July 8, 2010
2500 Downloads so far
VMWare appliance
Live Distro going out to Source Forge soon
Enlightenment as window manager, (no gnome or kde)
Just what you need to do the analysis
Lightweight as possible
Tools
Emulate Services
Allow malware to interact with your own resources
how does it differ from CW Sandbox
Determine the signs of comprise to compare with your production environment
JS Unpack
Since it is an Ubuntu distro, you can roll a custom version for your environment or lab.
Intrigrrated into the Reverse Engining Malware course from SANS

SANS Digital Forensics Summit
The state of people relying on only antivirus for protection.

The innovator’s dilemma http://www.amazon.com/Innovators-Dilemma-Revolutionary-Business-Essentials/dp/0060521996
Microsoft Security Essentials http://www.microsoft.com/security_essentials/

http://www.sans.org/vlive/
Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
SANS vLive! FOR610 – 201001 – Monday, July 26, 2010 – Thursday, August 26, 2010
http://www.sans.org/vlive/details.php?nid=20668

Upcoming events:
BSidesLV http://www.securitybsides.com/BSidesLasVegas
BlackHat https://www.blackhat.com/html/bh-us-10/bh-us-10-home.html
Defcon https://www.defcon.org/html/defcon-18/dc-18-schedule.html
Tim is speaking http://defcon.org/html/defcon-18/dc-18-speakers.html#PanelHTF
Tim is also doing a skytalks schedule http://sudux.com/skytalks_web.jpg
Hacker Halted http://www.hackerhalted.com/ Tim Is speaking October 14th
South Florida ISSA’s Hack the flag and chili cookoff  Saturday August 14, 2010 from 12:00pm – 5:00pm
http://sfissa.org/index.php/sfissa-mm-events/htf-main/85-hack-the-flag-2010
These are the upcoming security cons and where you can find those of us that will be attending starting in less than two weeks.

Links:
Chat with us on IRC at irc.freenode.net #securabit

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Christopher Mills – @thechrisam
Andrew Borel –  @andrew_secbit
Jason Mueller – @securabit_jay
Tim Krabec – @tkrabec http://www.SMBMinute.com

Guests:
Christopher Boyd (Sunbelt Software)
http://en.wikipedia.org/wiki/Christopher_Boyd
http://www.vitalsecurity.org/
http://sunbeltblog.blogspot.com/

General topics:
Chris speaks about how he got involved in the position he is in now.  He also got into how he basically social engineers and discusses his blog.

Dodgy Dr Who Games
Orkut Shenanigans
The Sunbelt Security Blog
Fun with Internet Trolls
How Drugs and Stabby Things Led to a Career in Security
Internet Kill Switch
Twitter Agrees to Data-Security Audits
HacKid -http://www.hackid.org/

Links:

FTC Requires Twitter To Set Up Data-Security Audits
http://news.yahoo.com/s/nf/20100624/tc_nf/74031

Make sure you are there for Sunbelt’s next quarterly briefing entitled “Turning the Tables on Bad Guys:  Malware Unmasked”.  It will be at 9am and again at 2pm on August 25th, 2010.  Register here!

Chat with us on IRC at irc.freenode.net #securabit