Friday, December 22, 2006

Top 10 Web Hacks of 2006

Jeremiah Grossman put together this year’s top 10 web hacks and boy is it fun. Zeno and I had our hands in throwing our favorites into the pot, but the list turned out to be pretty similar for all of us. So although it took countless emails to get through the few discrepancies, I think we all agreed on the top 10. Here’s his list:

Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model). This was really a huge breakthrough in the web app sec space. I was dying to find a way to do server sweeps in Java to circumvent firewalls. Jeremiah took it to that next place and holy crap did it shake things up when he did. I don’t think people are going to look at their firewall the same way again.

Internet Explorer 7 “mhtml:” Redirection Information Disclosure. If you want complete cross domain leakage for the price of using Internet Explorer this is your one stop shop. I’m really surprised this hasn’t been closed down yet. Sure there are hacks to stop it, but no one is doing them, so for all intents and purposes this hole is open and will stay that way until Microsoft issues a patch. Don’t hold your breath on that patch though. It’s been months and it’s still open.

Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning. This was something I had tried and failed to do on a number of attempts. But smarter people than I figured out ways to do it by combining tricks and by shutting down connections (never thought of that one). Very cool stuff.

Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images). I think we’ve barely scratched the surface on this one. There are many scary things that could be done here by all sorts of different people for all sorts of motives. Why wouldn’t you want to know where people had been? It’s a profiling dream!

Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3). I had a very funny conversation today with one of my readers. He basically said he’s going back to notepad. Yes, it’s that bad. And the more interesting part is - it’s getting worse by the day.

Forging HTTP request headers with Flash. I can’t tell you how many servers were affected by the Expect vulnerability but it’s in the millions and every one of them needs to be patched. This issue won’t be gone for a while yet and I think there is still a lot more to be done here.

Exponential XSS. This is the next evolution in XSS in my mind. So far we’ve stuck to horizontal XSS worms, that affect every user a little. Why not go vertical and affect every user a lot? Especially for targeted attacks this has a lot of scary potential.

Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII). I’ll be the first to admit I haven’t done nearly enough research beyond what I’ve been able to accomplish with my fuzzer. Thanks to Cheng Peng Su for opening all of our eyes to how powerful this could be for filter evasion. I just can’t wait to see what the next big issue is.

Web Worms - (AdultSpace, MySpace, Xanga). We can all say we were here when it first happened. It’s only going to get worse, folks.

Hacking RSS Feeds. Attacking rich applications that go out of the traditional boundaries of browsers is the wave of the future. As more devices and programs become web enabled you’re going to see a lot more of this stuff and a lot more newcomers in the space with mistakes of their own to make.

Can you believe all of that happened in one year? And that’s nowhere near everything. We didn’t even start talking about all the PHP stuff floating around (complete access to servers is bad - real bad) or any SQL injection stuff, etc… So love it or hate it, that’s our top 10!

Wednesday, December 20, 2006

Cambridge Solutions, a knowledge-based IT and BPO firm, has received the ISO 27001:2005 certification, joining a select few Indian companies to be awarded the highest certification standard in information security from the International Standards Organisation (ISO). ISO 27001:2005 is the only international information security standard against which organizations can seek independent certification of their information security management systems.

Satyen Patel, Executive Vice Chairman, Cambridge Solutions, said, "In today's environment where security is of major concern, the ISO 27001 certification is a reinforcement of our commitment. It also gives us a competitive edge while pursuing new business opportunities."

The company's Singapore facilities are certified at the highest level, CMMI 5, the highest benchmark for management and engineering by the Software Engineering Institute (SEI). Cambridge's Chennai and Bangalore Centers are also certified at CMMI 5. Additionally, the Chennai Center is certified at PCMM 3.

source: http://www.zdnetindia.com/news/software/stories/nsl,164933.html

Wednesday, December 6, 2006

What is ISO 27001?

ISO 27001 is a specification for the management of Information Security. It is applicable to all sectors of industry and commerce and not confined to information held on computers. It addresses the security of information in whatever form it is held.

The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, ISO 27001 helps an organisation ensure it is always appropriately protected.

Information security can be characterized as the preservation of:

Confidentiality - ensuring that access to information is appropriately authorized

Integrity - safeguarding the accuracy and completeness of information and processing methods

Availability - ensuring that authorized users have access to information when they need it

ISO 27001 contains a number of control objectives and controls. These include:

  • Security policy

  • Organizational security

  • Asset classification and control

  • Personnel security

  • Physical and environmental security

  • Communications and operations management

  • Access control

  • System development and maintenance

  • Business continuity management

  • Compliance

Why is Information Security Needed?

Information is now globally accepted as being a vital asset for most organizations and businesses. As such, the confidentiality, integrity, and availability of vital corporate and customer information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organisation if its information was lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it can lead (and has led) to the collapse of companies.

How do you start to implement ISO 27001? What is involved?

Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:

1. Creation of a management framework for information

   This sets the direction, aims, and objectives of information security and defines a policy which has management commitment.

2. Identification and assessment of security risks

   Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks.

3. Selection and implementation of controls

   Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organisation’s specific security objectives. Controls can be in the form of policies, practices, procedures, organisational structures and software functions. They will vary from organisation to organisation. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.

One section of the actual standard provides guidance on its use.

Adopting ISO 27001 cannot make your organisation immune from security breaches. But, it will make them less likely and reduce the consequential cost and disruption if they do occur.

Being Audited to ISO 27001

Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third-party, accredited certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).

The chosen certification body will first review the relevant documentation. This should include the declared policy, the scope of the ISMS, documents covering the risk assessment, the risk treatment plan, the Statement of Applicability and the documented security procedures. The auditors will also check that you have identified and implemented the controls that are appropriate to your size and type of business. This process is normally carried out at your premises, as this is more beneficial to both parties.

This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept.

After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.

What are the Benefits of Certification to ISO 27001?

Obtaining a certificate from a third party certification body demonstrates that you have addressed, implemented and controlled the security of your information. But the benefits don’t stop there. Certification also:

  • Reassures customers, employees, trading partners and stakeholders with the knowledge that your management information and systems are secure.

  • Demonstrates credibility and trust.

  • Can lead to cost savings. Even a single information security breach can involve significant costs.

  • Establishes that relevant laws and regulations are being met.

  • Ensures that a commitment to Information Security exists at all levels throughout an organisation.