What to Expect from #OpPetrol
According to the announcement, the operation will “engage” on June 20, 2013. As we know from past events, actors may be compromising sites now only to release the results as part of the operation. Potential targets may have already seen activity that could later be associated with this announcement.
#OpUSA Lessons Learned
Did your company prepare for #OpUSA? How much time and resources were spent handling this threat? Is there such a thing as being overly prepared? How can you predict the impact of the next threat?
HP Security Research Threat Intelligence Briefing - Episode 3
In this month's Threat Intelligence Briefing we cover the Syrian Electronic Army. A podcast and research report are included.
HTML5 File System API – Yet another hard disk filler
At RSA this year, Feross.org released an HTML5-based hard disk filler which succeeded in engaging enough subdomains to exploit the 5MB local storage data permitted per domain. Ultimately, this led to all available space on the victim machine being allocated, resulting in consequences such as denial of service. While this is clever, HTML5 also introduces another feature called the File System API which makes hard disk filler attacks even more convenient...
Understanding the Syrian Electronic Army (SEA)
Over the last few years, interest in hacktivist organizations and state sponsored hacking groups has increased greatly around the world. The lines are blurred when comparing independent groups that operate in support of their government or country and those that are directly sanctioned by nation states. The Syrian Electronic Army (SEA) is a group based in Syria, which claims to operate independently in support of Syrian President Bashar al-Assad.
CVSS Version 3 on the Horizon
FIRST is busy working on the upcoming Common Vulnerability Scoring System (CVSS) Version 3, which is scheduled for release in June 2014. Among other things, FIRST is looking to improve scope, scoring tips, authentication versus privilege, and chaining of vulnerabilities. A question that is often discussed in software security circles is whether CVSS is an applicable measuring stick for weaknesses that are discovered using techniques such as static and dynamic analysis.
A pair of intriguing HP Security Research talks in Amsterdam this week
If you happen to be around Amsterdam this week, you might want to come listen to two talks I will give there. One of them, at the HackInTheBox conference, discusses hacking power plugs, or at least those used to charge electric cars, while the other, at an OWASP Netherlands meeting, discusses challenges and innovative solutions for pen-testing RESTful web services.
The Meaning of a String
I've been reading the Common Weakness Enumeration (CWE) at http://cwe.mitre.org and thinking about categories that would be difficult for a static analysis tool to handle. Complementing this effort, I’ve also been examining test suites which contain examples corresponding to those CWE vulnerabilities, in particular the Juliet Test Suite for Java. The vast majority of the Juliet cases are well-directed toward the vulnerability they are intended to address, but some provide interesting examples of cases which may be difficult for static analysis to correctly identify. Each of the Java examples below contains a String which is used in such a way that makes the vulnerability difficult to detect by a static analyzer, hence other techniques could be used to identify the security issue.
CWE 506: Embedded Malicious Logic
The code segment below attempts to hide something.
String encodedPayload = "D48EL1EvqH8KyfyE";
try {
    // decrypt() stands in for whatever routine unwraps the concealed command
    String s = new String(decrypt(encodedPayload));
    Runtime.getRuntime().exec(s);
} catch (Exception e) {
    // handle e
}
Here, decrypt() stands for a function which unwraps a potentially harmful program that has been concealed deliberately. It may be a call to javax.crypto.Cipher.doFinal(…) in decryption mode or a Base64 decoder, for example. It’s a bad idea to call exec() on anything that has just been decoded. A static analyzer can easily flag Runtime.getRuntime().exec() as a dangerous function or as command injection, but since the intention of the String is unknown, it’s difficult to associate the String with the specific CWE being tested. Another example illustrates the difficulty of inferring the meaning of a String:
CWE 523: Unprotected Transport of Credentials
A test from the suite provides an example where the meaning of a String is difficult for a static analyzer to infer. Below is a simplified version of the original:
public void test(HttpServletRequest request,
                 HttpServletResponse response) throws Throwable {
    PrintWriter out;
    try {
        out = response.getWriter();
        // The form action uses http://, so the credentials travel in clear text
        out.println("<form action='http://hostname.com/j_security_check' method='post'>");
        out.println("<table>");
        out.println("<tr><td>Name:</td>");
        out.println("<td><input type='text' name='j_username'> </td></tr>");
        out.println("<tr><td>Password:</td>");
        out.println("<td><input type='password' name='j_password'> </td></tr>");
        out.println("</table><br/>");
        out.println("</form>");
    } catch (Exception e) {
        // handle Exception
    }
}
Unlike the previous example, there is no dangerous API call here. The security issue is the use of HTTP instead of HTTPS in the HTML form, which transmits the username and password parameter values in clear text. Unfortunately, static analysis is unlikely to examine the contents of the String at compile time, and so will not infer the problem. It’s a peculiar case and not subject to a pattern, but the vulnerability could be caught by a dynamic analyzer which examines the content of HTTP requests and responses.
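The response-body check such a dynamic analyzer could run, as an added example that is not code from the post or from the Juliet suite: it parses each <form> in a response, and reports those with a password field whose action, resolved against the page URL, would post over plain http://. The page URLs and response bodies are constructed samples.

```python
# Added example (not from the post or the Juliet suite): the response-body check
# a dynamic analyzer could run for the CWE 523 case above. Samples are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def cleartext_credential_forms(page_url, body):
    """Return action URLs of password forms that would post over plain http://."""
    collector = _FormCollector()
    collector.feed(body)
    collector.close()
    findings = []
    for form in collector.forms:
        # Resolve against the page URL: a relative action on an http:// page
        # is submitted in the clear as well.
        target = urljoin(page_url, form["action"])
        if form["password"] and urlsplit(target).scheme.lower() == "http":
            findings.append(target)
    return findings


# Constructed samples: the simplified test page above, its https fix, and a
# relative action on an http:// page (plus a harmless search form).
SAMPLES = {
    "https://app.example.test/login":
        "<form action='http://hostname.com/j_security_check' method='post'>"
        "<input type='text' name='j_username'>"
        "<input type='password' name='j_password'></form>",
    "https://app.example.test/ok":
        "<form action='https://hostname.com/j_security_check' method='post'>"
        "<input type='password' name='j_password'></form>",
    "http://intranet.example.test/portal":
        "<form action='/j_security_check' method='post'>"
        "<input type='password' name='j_password'></form>"
        "<form action='/search'><input name='q'></form>",
}
```

Running cleartext_credential_forms over each sample flags the first and third pages and leaves the https form alone.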
CWE 511: TimeBomb
This simple code segment runs a potentially malicious program if a conditional expression evaluates to true:
int count = 0;
String m = "C:/tmp/malicious.exe";
while (count++ < 500000) {
    // condition stands in for a trigger expression whose value is unknown at compile time
    if (condition) {
        Runtime.getRuntime().exec(m);
    }
}
This segment shows atypical behavior, as the conditional could compare the counter to a mysterious constant, or to a number from a java.util.Random object, or the expression could be a comparison involving dates or times. Again, a static analyzer can’t determine the intent of the String, but in this case it could be made to recognize unusual code constructs, such as a comparison to the output of a random number generator within a loop, and so may be able to flag them.
It’s difficult for static analysis to handle certain Strings, since their meaning or intention may not be known at compile-time, particularly for CWEs where the security issue arises essentially at the time the program is run, rather than compiled. The examples included above have the potential to be detected using a combination of complementary testing approaches such as runtime and/or dynamic analysis; the central point being that thorough testing may require more than one approach.
Q1 2013 HP Fortify Software Security Content Update
HP Software Security Research is pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2013.1.0.0008), and HP Fortify Runtime Rulepack Kits (version 2013.1.0.25).
Incorporating Feedback from the Security Community - What does DVLabs do?
On February 18, 2013, the American cyber-security firm Mandiant released a report detailing some of the inner workings of the Chinese PLA (People’s Liberation Army). This report is an example of the type of information DVLabs consumes on a daily basis in order to provide our customers with superior and timely protection against threats, known and unknown. The following breakdown describes TippingPoint protection solutions specifically relevant to the threats described in the report.
Pwn2Own 2013 Recap
So, what happened at Pwn2Own this year? The question really should be: "What didn't happen at Pwn2Own this year?" Now that the dust has settled, let's step back and look at the carnage resulting from Pwn2Own!
HP Security Research Threat Intelligence Briefing - Episode 2
Thank you for reading the latest threat intelligence briefing from HP Security Research, where we will cover topics like Global Malware Activity, ZDI Vulnerabilities and Actor Dispositions.
Mobile Security at RSA: Not Just a User Problem
The big thing, as expected, at RSA this year was mobile security. With consumer devices such as smartphones (>600Mu) and tablets (>100Mu) entering the mainstream workplace it is natural that mobile security should be the number one security concern. The biggest threat to mobile security is the proliferation of mobile malware – specifically Android malware which is growing at an alarming rate and threatening the entire enterprise ecosystem.
The Underappreciated X-Frame-Options Header
Disappointingly, even in the face of stout remediation measures such as the X-Frame-Options header, Cross-Frame Scripting (XFS) continues to exist and has enabled other, more popular vulnerabilities such as Clickjacking to take root and flourish. One of the most surprising findings we uncovered throughout our research in the HP 2012 Cyber Risk Report was the sheer number of websites that didn’t even attempt to set the X-Frame-Options header, which could just be because they don’t need it. Or do they?
RSA Conference 2013: News on SQL Injection Detection and Prevention
Last week San Francisco welcomed the annual RSA Conference 2013. I was lucky to attend the conference for a day, and even though this presentation was dedicated to the topic of good old SQL injection, it got my attention.
Pwn2Own 2013
Get ready for Pwn2Own 2013 at CanSecWest March 6th-8th in Vancouver, British Columbia where HP ZDI is offering more than half a million dollars (USD) in cash and prizes.
HP Security Research Threat Intelligence Briefing - Episode 1
Thank you for reading the first of many threat intelligence briefings from HP Security Research, where we will cover topics like Global Malware Activity, ZDI Vulnerabilities and Actor Dispositions.
Formation of HP Security Research
We're pleased to announce the formation of HP Security Research (HPSR), a new group that will provide actionable security intelligence through published reports, threat briefings, and content delivered through the HP security product portfolio.
HP Enterprise Security Products at RSA 2013
RSA Conference 2013 begins in San Francisco next week with another round of engaging keynotes and informative sessions. HP Enterprise Security Products is delighted to bring to you a number of sessions that you wouldn’t want to miss.
HP WebInspect Pro Tips: Configuring Navigation Parameters
The quality of a dynamic scan is partly dictated by the ability of the scanner to effectively communicate with the target application. The application architecture, underlying design patterns and applicable web frameworks are a few details WebInspect can effectively leverage to understand and accurately map out the attack surface of the application under test. With a variety of web technologies available, custom code, new frameworks and so forth, every scan could use a little tweak to make it more effective. This post is the first in a new series of tips and tricks that we hope will help our customers create quality scans using WebInspect.
Good News and Bad News
I’m always pleased when “mainstream” media outlets cover computer security topics, especially when the coverage is intelligent. NPR did a good job this week with this piece discussing plans to grow the US Cyber Command by over 400%.
A few weeks ago I posted on the important new language around software security assurance enacted by the 2013 Defense Authorization Act and the unprecedented guidance issued by the DHS to universally disable Oracle’s Java platform in browsers due to serious security vulnerabilities. Now, the Pentagon is continuing this momentum with the announcement of plans to increase the number of specialized cybersecurity forces from 900 to 4,900.
It’s heartening to see the government investing substantially in computer security, but at the same time, the investment calls even more attention to a core challenge facing the industry: poor integration of security into technology and computer science education. More than a year ago I participated in a workshop comprising industry, government, and academia with the purpose of making recommendations for addressing exactly this problem. It turns out, there’s no easy solution. We have to address deficiencies in university curriculums, instructor knowledge, textbooks and lab exercises, job requirements, and many more areas. Even with all these challenges, the biggest problem preventing us from properly educating the next round of computer scientists in security is a lack of attention on the problem.
The U.S. Government Acts on Software Security
One week after President Obama signed the 2013 National Defense Authorization Act, which lays out strong new requirements for software security assurance on many federal systems, the Department of Homeland Security US-CERT released Alert TA13-010A advising users to universally disable Oracle’s ubiquitous Java platform in web browsers. The alert cites a widely-exploitable vulnerability reported on Thursday, but also comes in the year after Java surpassed Adobe Reader as the most exploited software worldwide representing roughly half of total attacks.
While the recommendation to disable software is unusual for US-CERT, the inconvenience to users is much less than if a similar alert were issued for other popular targets, such as Adobe Reader or Microsoft Internet Explorer, because modern sites rarely use Java in the browser (Applets). Disabling Java could cause problems for users of legacy web applications, especially in outdated enterprise environments, but the guidance won’t interfere with the activities of most users.
Disabling Java is good security advice for now, but it’s also a red herring. The real issue is the impact insecure software has on our businesses and lives. In the public sector the 2013 National Defense Authorization Act requires many federal systems to be reviewed for vulnerabilities using automation technology, such as static analysis, and that their owners develop remediation strategies and track the results for detailed reporting to Congress after a year. What gets measured gets done!
Over the last decade the software industry gradually accepted that security is a core requirement of good software and not something that can be bolted on. It’s time for the private sector to take the same approach as the public sector: treating software security more like science. The right mixture of technology, security intelligence, and process is needed to build secure software, but without specific metrics for success and an organizational willingness to change, achieving software security assurance will remain elusive.
Password Reuse
I think I am a typical Netizen: I use a password generator to generate passwords for websites whose security/privacy I care about, but I do reuse passwords here and there occasionally….
Q4 2012 Update from Software Security Research
HP Software Security Research is pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2012.4.0.0006), and HP Fortify Runtime Rulepack Kits (version 2012.4.0.40).
Basic Authentication over HTTPS – A Recipe for Disaster
Authentication is required when accessing backend systems (systems running on a secured network which only application servers have access to). The documentation of many of the REST client APIs suggests the use of Basic Authentication over HTTPS. Depending on the way the developers implement basic authentication over HTTPS, your application could have a serious problem.
Real companies with real software security initiatives speak on software security (the BSIMM)
In the world of software security, claims are very rarely backed up with actual and factual data. Plenty of fictitious lists can be found ranging from lists with the top vulnerabilities to what you really should do to make your software secure. Luckily, there is the BSIMM* community which gathers data from companies with a security initiative to build a model to find out what companies on planet earth are really doing, and what really works within their organization and what does not. Once a year, people in charge of carrying out these software security initiatives at large enterprises meet...
This year, the BSIMM conference was very powerful. This year presentations came from the companies which were the most advanced in one of the twelve practices. For each presentation, a person in charge of such mature security initiative explained what activities they carried out in the practice they dominate and how they exactly fill the practice in. Really eye-opening to see that top vulnerability lists do not apply to real companies, what the actual cost/benefit is of having a software security initiative, what amount of money is spent on penetration testing compared to all other activities, how architectural analysis can be done for real, ... For organizations which take software security seriously, this community is invaluable.
(*) BSIMM (pronounced “bee simm”) is short for Building Security In Maturity Model. The BSIMM is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from 51 leading software security initiatives.
Regular Expression Denial of Service
Regular Expression Denial of Service (ReDoS) is nothing new, but I think it didn’t get the attention it deserves.
I am Speaking on Web Framework Vulnerabilities at OWASP AppSec USA Next Week
For all of those who were interested in seeing my "Web Framework Vulnerabilities" talk at BlackHat USA but couldn't make it, I am giving an abridged version (1 hour instead of 3 hours) of the talk at OWASP AppSec USA in Austin, Texas next week.
Fortify History and BSIMM4 on the Silver Bullet Podcast
I had the pleasure of recording an episode of the Silver Bullet Podcast with Dr. Gary McGraw, which was just posted. Gary and I focus this episode entirely on software security. We talk about Fortify and how my job changed as it morphed from a 7 person startup to a 200 person company eventually acquired by HP. We also discuss BSIMM4, which I helped to co-author this time. Near the end of the episode we dive into mobile security and tomato growing, both topics close to my heart this year.