[Owasp-hartford] July 2008: IT Security Tidbits

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Thu Jul 24 11:10:52 EDT 2008


Traveling outside the United States with a computer

In May, a US court ruled that border agents can search your laptop or
any other electronic device when you're entering the country. They can
take your computer and download its entire contents or keep it for
several days. Customs and Border Patrol has not published any rules
regarding this practice. 

Many people now appreciate the benefit of hard drive encryption which is
especially important if your computer is lost or stolen. The challenge
here is that the border agent is likely to start this whole process with
a "please type in your password". Of course you can refuse, but the
agent can search you further, detain you longer, refuse you entry into
the country and otherwise ruin your day. 

The latest tactic is to hide data using tools such as PGP disk and
Truecrypt (open source). While customs agents might poke around on your
laptop, they're unlikely to find the encrypted partition. (You can make
the icon invisible, for some added protection.) And if they download the
contents of your hard drive to examine later, you won't care.

Some companies already are altering their policies to provide employees
with forensically clean laptops for travel while others are encouraging
the usage of USB drives and memory cards that support encryption since
they can be easily placed into luggage without most folks paying
attention to them. The funny thing about this practice is companies on
one hand attempting to comply with the law of protecting personally
identifiable information while on another, attempting to hide
information from law enforcement.

Password stealing Trojan is aimed directly at the enterprise

The seven-year-old Coreflood botnet is quietly stealing thousands of
passwords from corporate users and other large organizations, thanks to
recent enhancements that allow it to spread like a worm, researchers
say. Coreflood, which started out as a simple Trojan in late 2001, has
been reiterated more than 100 times during its long lifespan. But with
the enhancements, the Trojan now has the ability to infect Windows
administrators' machines and then use their privileges to infect all of
the other machines in the administrator's domain.

Coreflood can be shut off with an antivirus signature that prevents it
from spreading. The problem is that it's a password stealer. Most of the
damage is done as soon as you're infected. It doesn't do much good to
use a signature-based defense to shut it down hours or days later, after
it's already got all your passwords.

Spring Framework allows attackers to alter data and hijack Web
Applications

Researchers today revealed two new security vulnerabilities in the
Spring Framework -- a commonly used, open-source environment for
developing Java applications. The first vulnerability allows an attacker
to append queries or other data to user input in a database field, which
could make it possible to take action on behalf of the user or break
into and modify the application itself. For example, you could go in and
modify the state and transaction history of a stock trade.

It allows the attacker to bypass client-side security and potentially
overwrite database fields using an HTTP proxy. It's not SQL injection,
since you can't read the fields, but it would allow you to potentially
jump into other people's accounts, raise privileges, change data that
you had already previously written and [previously] validated, and so
on.

The flaw, dubbed "ModelView Injection," takes advantage of a design flaw
in Spring, which doesn't provide sufficient default safeguards in the
link between the application "model" -- the actual data that the user is
trying to reach -- and the "view," which is the graphical presentation
that the Web application uses. Most Spring applications automatically
bind the model and the view in a one-to-one match, so that you can send
more data in the request, and Spring will automatically append that
data. A savvy attacker could use this flaw to query the application for
more information or actually make changes in data fields.

The second vulnerability would require more knowledge and effort on the
attacker's part, but is potentially more dangerous. Called "Data
Submission to Non-Editable Fields," the flaw allows attackers to query
the application for information. It would allow an attacker to read any
of the Java source code of a vulnerable Website, which could reveal all
sorts of sensitive information that wouldn't normally be visible to an
attacker.
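
The automatic binding described above, and the allowlist that contains it, as an added example that is not part of the original message and is not Spring's own code. It is a plain-Java model of a binder; BindingDemo, Trade and its fields are hypothetical, and the request is constructed. Spring's DataBinder offers setAllowedFields for the same purpose.

```java
import java.util.*;

public class BindingDemo {
    // Hypothetical model object: the form only renders symbol and quantity.
    public static class Trade {
        private String symbol = "ACME";
        private String quantity = "10";
        private String status = "PENDING";   // never rendered as an editable field
        public void setSymbol(String v) { symbol = v; }
        public void setQuantity(String v) { quantity = v; }
        public void setStatus(String v) { status = v; }
        @Override public String toString() { return symbol + " x" + quantity + " [" + status + "]"; }
    }

    // Copies request parameters onto matching setters. A null allowlist models
    // bind-everything behaviour; otherwise unlisted names are rejected.
    static List<String> bind(Object target, Map<String, String> params, Set<String> allowed)
            throws Exception {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> p : params.entrySet()) {
            String name = p.getKey();
            if (name.isEmpty() || (allowed != null && !allowed.contains(name))) {
                rejected.add(name);
                continue;
            }
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            try {
                target.getClass().getMethod(setter, String.class).invoke(target, p.getValue());
            } catch (NoSuchMethodException e) {
                rejected.add(name);   // no such property on the model
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the client added a parameter the form never offered.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("quantity", "25");
        request.put("status", "SETTLED");
        Trade open = new Trade();
        bind(open, request, null);
        System.out.println("bind all:  " + open);
        Trade guarded = new Trade();
        List<String> rejected = bind(guarded, request, Set.of("symbol", "quantity"));
        System.out.println("allowlist: " + guarded + " rejected=" + rejected);
    }
}
```

Logging the rejected names on the server gives a signal that a client sent fields the form never exposed.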


