Apple iWork Trojan
Posted in Security, Apple on January 23, 2009 at 10:00 am
Intego has found that a trojaned version of iWork 2009 is doing its rounds on the usual BitTorrent places as pirated software. Link here to the advisory.
Installing the package installs the software in question - but also installs a Trojan horse - to quote Intego below:
“The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.”
I admit it, when I wrote my “Security predictions for 2009“, I didn’t expect the 1st prediction to be potentially met by the end of January… I believe this could well become a botnet.
Trojans have been a common risk if you download pirated software for years - so anyone doing this should already be aware of the risks of doing so… although admittedly Apple users have had it light compared to PC users, with few being aimed at them.
Is this, as I predicted last year, the first in a wave of attacks aimed at Apple users?
Could a blogger take down a bank?
Posted in Security, Internet on January 21, 2009 at 9:53 am
In recent months, financial bloggers have really hit the press with in some cases scarily accurate predictions.
In this linked BBC News article, the BBC are reporting that Park Dae-sung has been arrested by his government for the spread of false information and may be facing 5 years in jail. This despite successfully predicting the demise of Lehman Brothers (1 week prior), and massive slides in the South Korean currency. The government are arguing that his very predictions move the market, and were affecting the money markets. Scary in a way..
Robert Peston also moved the markets last year when he gave an exclusive “rumour” of a merger between the HBOS and Lloyds banks back last October. This was also quoted in the Observer as having the possibility of being investigated by the SFO, but I can’t find any more recent updates.
The worry I have really is that, given the financial markets trust these bloggers so much, they have a great deal of ability to move the markets to positive or negative ends. This opens the possibility of anything from insider trading to more concerning things:
My concern, knowing the above, is what happens if a prominent blogger’s account was hacked and was then used by hackers for nefarious ends. Recently several Twitter accounts have been hijacked - which shows blog/messaging services can be vulnerable.
For example, imagine a hacker posting that a bank was in severe financial problems on a prominent blog. At worst this could lead to a run on the bank, and thus the bank failing. At best, if it’s a respected blog, it’d cause a temporary blip on the world financial markets. Temporary, as once the real blogger discovered the hack he’d probably remove the post..
The issue, you see, is RSS however - the moment the hacker posted the message it’d blip on many people’s screens globally… and the message would be out there. After all, most people I know prefer to use an RSS reader than the native websites nowadays. Hacking is also big business nowadays, with a lot of money being made by Russian hacking groups. These would easily have money available to “short” a stock and thus have good cause to want it to drop like a stone.
Will we this year see the markets moved by a hacker? I wonder… Or have we already seen this and it’s just not been spotted by the FSA or US regulators (SEC)?
2009 - my security predictions
Posted in Security on December 10, 2008 at 5:28 pm
I could completely fall on my face with this attempt and make a fool of myself - but my aim is to make some specific predictions of what will occur in 2009, which I will revisit next year.. so here goes:
1. More 0-day attacks
This year, 0-days have not really caught on inside the large organisation I work for (that is, our specific countermeasures have worked). That said, 0-days for which there is no patch available at the time of real exploitation do appear to be increasing greatly… and I can see this continuing - only today there has been a 0-day exploit for IE, for example.
2. First Mac Viruses and Spyware will start to appear
This may well be a contentious one - I know the underlying security of OS X, due to it being BSD based, is better than the Microsoft world. I’m also not talking about the viruses/spyware to date, which mainly rely on browser flaws. I’m talking botnets/spam engines. However the numbers, as Steve Jobs puts it, speak for themselves. With Apple seemingly having a 21% US market share if the linked article is to be believed, I cannot seriously see hackers and spyware writers ignoring this amount of “sitting duck” targets. After all, how many Mac users do you know that run AV?
3. AV vendors will continue to move away from the “signature” mentality.
With the amount of viruses being released on a daily basis, and the amount of signatures that therefore result, AV vendors will start concentrating more on behaviour analysis than the traditional signature analysis, and combine the approaches. Some AV companies are already going down this path I admit, so this is quite an easy prediction - but I think all will start to adopt sandboxing and similar techniques in order to prevent 0-day attacks.
Automated security testing & its limitations
Posted in security-testing, Web, Security on November 14, 2008 at 11:22 am
Background:
Data Loss Prosecutions Call
Posted in Data Loss, Compliance, Security on August 26, 2008 at 2:39 pm
I totally agree with the Conservative policy mooted in this Register article.
Being a member of an IT security team, you realise that user education and actions are what invariably lead to data loss… and a problem with users is their apathy and reluctance to change.
If you tell a user to do data transfer in this “secure” manner - you’re safe; if you use your old process you risk going to jail. I think this one change would focus their minds quite well..
Users in large companies sometimes do try and hide behind the “process” shield, instead of challenging a potentially risky, insecure data request from a client/partner in many cases…
For example, I still see users internally who are unaware that email is by nature an insecure medium - unless, of course, a secure PGP or S/MIME link is set up in advance of the email being sent…
Thankfully we now have technology in place to spot and stop many such instances from occurring (in email at least), with the emails in question being redirected to compliance instead of the end recipient, so they can be educated as to proper data transfer methods. Of course the technology isn’t perfect; user education is the main thing here, and legislation and personal responsibility for loss is the good thing.
So, hats off to the Conservatives - a step in the right direction.
Web Application Security
Posted in Web, Security on July 3, 2008 at 10:31 am
Part of my current role (in fact the main piece now) is Web Application Security Testing. Which means I get paid to hack around with corporate and non-corporate web apps (i.e. apps we buy vs. apps we build).
Web application bugs, although currently regarded by some as not serious, are gathering momentum and becoming more common - only recently a lot of websites were compromised by Chinese hackers using SQL injection. XSS in particular can also be used to great effect, in just one example of many, to send a session cookie off site to the hacker’s base - thus giving them access to the logged-in user’s data.
Over the past year I’ve tested around 40 apps in total, some complex, some simple. Major security defects have been found in all apart from one application during this time.
The fact is, regardless of the language a web application is written in, it typically is vulnerable to one of the below 3 in my findings.
- SQL Injection
- Cross Site Scripting (XSS)
- Privilege Escalation
The above is not a full list, but it’s the basics and, believe it or not, even in 2008 SQL injection is still the most common flaw we find! For a better view of what you should be doing to stop this, OWASP is a good website to start with.
Of these bugs, SQL injection and cross-site scripting are usually the easier to spot, and also to get developers to fix - and it is surprisingly easy to fix these first two by not trusting user input, and filtering it before it hits the database (in the case of SQL injection) or is formatted back to users (in the case of XSS; both, preferably). There are good tools to test both in a semi-automated way in the form of a Firefox extension here - we use this in combination with commercial tools, and with manual testing (for SQL injection typically) with database traces running. Manual testing is far easier if you can see the queries being executed on the database (though you can’t do this in a black-box test where you have no access to the remote database, obviously).
Privilege escalation however can be more tricky to both test and find, in my experience at least. It’s almost always a manual test - as the commercial and free tools do not do as good a job at finding this as they do the XSS/SQL bugs. In my testing I have found that some developers still seem to think that simply hiding menus from a lesser-privileged user is a way to secure their application (though thankfully this is a minority!)..
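The two easy fixes the post mentions for SQL injection and XSS, "not trusting user input" before it reaches the database and before it is formatted back to the user, are shown below as an added example (my code, not the post’s). It uses an in-memory SQLite table with constructed sample users so it runs offline; the function names and data are assumptions for illustration. The vulnerable lookup builds the query by string concatenation, so a crafted username changes the WHERE clause; the parameterised version hands the value to the driver separately and it can never become SQL. The rendering functions show the same contrast for XSS: HTML-escaping the value before it is echoed into a page.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <b>Builder</b>")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the user-supplied value becomes part of the SQL text,
    so quotes and operators in it are interpreted by the database."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised query: the SQL text is fixed and the value is bound separately,
    so whatever the user typed is compared literally and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting_vulnerable(display_name):
    """Echoes stored data into HTML unescaped: any markup in it is rendered/executed."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name):
    """Escapes <, >, &, quotes so the browser treats the value as text, not markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run both variants against the same crafted input and return the results."""
    conn = make_db()
    # Constructed test input: a quote closes the literal, then a tautology is appended.
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable_rows": find_user_vulnerable(conn, crafted),  # every user leaks
        "safe_rows": find_user_safe(conn, crafted),              # no such username
        "vulnerable_html": render_greeting_vulnerable("<script>x</script>"),
        "safe_html": render_greeting_safe("<script>x</script>"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point of the test harness is the contrast: the same input that returns every row through the concatenated query returns nothing through the bound one, because the database never saw it as SQL. The same idea applies to whichever driver and language the application uses; every mainstream one has a placeholder mechanism.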
One application I tested recently did at least get this right, but used a very predictable base64 encoding to obscure message IDs within the messaging in the app (where critical data was being passed over this). They wrongly assumed the algorithm they devised was strong enough to protect themselves… as it didn’t look predictable to the developers (who had no experience of that kind of work). The problem was they had neglected to do a check, when the page was loaded, as to whether the user had rights to read that message. That simple fix was enough to secure the app…
Where I work at least, we are finally integrating web security at the project design and initial build stages - so finally security is being taken seriously from day one (this is reducing the critical bugs found at testing) - is this happening elsewhere?
Overall though, is it not time for web developers to take security more seriously? My hit rate on serious defects is showing that in some cases it’s the last thing on their mind when developing - and those that do make an effort sometimes miss the mark, leading to a nasty bug.
For information, the tools I use daily are: IBM AppScan, Paros, Burp, XSS/SQL-Inject, although these are not the only ones - I have a list that fills my screen of various proxies, header modifiers, request modifiers, encryption tools etc.
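The message-ID case above is the classic confusion between obscuring an identifier and authorising access to it. The added example below (mine, not code from the application or the post) models that pattern with a constructed in-memory message store and a base64-wrapped ID, and shows the "simple fix": the checked reader verifies, on every load, that the decoded message belongs to the current user. The store contents, the user names and the function names are all assumptions for illustration.

```python
import base64
import binascii

# Constructed sample store: message_id -> (owner, body). Not from the original post.
MESSAGES = {
    101: ("alice", "Alice's private statement"),
    102: ("bob", "Bob's private statement"),
}


def encode_message_id(message_id):
    """The kind of wrapping the post describes: it hides the number from casual view,
    but anyone who recognises base64 can reverse it and produce a neighbour's token."""
    return base64.urlsafe_b64encode(str(message_id).encode()).decode()


def decode_message_id(token):
    """Reverse the wrapping; return None for anything that is not a well-formed token."""
    try:
        return int(base64.urlsafe_b64decode(token.encode()).decode())
    except (ValueError, binascii.Error):
        return None


def read_message_unchecked(token):
    """The defect: the page trusts the token alone. Encoding is not access control,
    so a user holding a valid session can read any message whose ID they can guess."""
    msg = MESSAGES.get(decode_message_id(token))
    return msg[1] if msg else None


def read_message_checked(current_user, token):
    """The fix: after decoding, confirm the requesting user owns the message.
    Unknown and foreign IDs get the same answer, so the check also does not reveal
    which IDs exist."""
    msg = MESSAGES.get(decode_message_id(token))
    if msg is None or msg[0] != current_user:
        return None
    return msg[1]


def demo():
    """Alice presents Bob's token to both readers and we compare what each returns."""
    bobs_token = encode_message_id(102)
    return {
        "unchecked": read_message_unchecked(bobs_token),        # leaks Bob's message
        "checked": read_message_checked("alice", bobs_token),   # None: not hers
        "own": read_message_checked("alice", encode_message_id(101)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The authorisation check belongs in the server-side handler that loads the record, not in the menu that decides whether to show the link; that is exactly the distinction the post draws between hiding menus and securing the application.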
Web App Security - or lack of
Posted in Security on August 6, 2007 at 12:01 pm
Web App security:
I haven’t been blogging in a while due to a sudden influx of work…