For more than thirty years, Visa has helped to set industry standards for secure payments between consumers and merchants. Verified by Visa protects online merchants in the following ways:
- You, as a merchant, are not liable for fraud resulting from the unauthorized use of Visa cards.
- Fraud on your site is reduced.
- Your customers enjoy a safer place to shop.
- Transaction discount fees are lower in many cases.
Verified by Visa can provide merchants with significant savings in fraud-related costs. Merchants who use Verified by Visa are protected from fraud-related chargebacks on all personal Visa cards—credit or debit, domestic, or international—whether or not the issuer or cardholder is participating in Verified by Visa, with limited exceptions.
More about Verified by Visa here.
3-D Secure(TM) Acquirer and Merchant Implementation Guide is here.
Software development has been transformed into an issue of national security as a result of IT globalization, according to a warning from former U.S. cybersecurity czar Andy Purdy. “Companies are looking for the least expensive source of production, but there isn’t enough concern about the security of these networks and the data being stored on them,” he reported. “If the software is being developed in a part of the world that poses a risk we need to address this.” As a special government employee on the U.S. Department of Defense Science Board Task Force on Software Assurance, Purdy is attempting to improve the quality of software and broaden collaboration via a partnership between the public and private sectors. At the AusCERT 2007 IT security conference, Purdy urged delegates to support the U.S. Homeland Security Department’s Software Assurance Program, whose goal is to decrease software vulnerabilities through international collaboration. He lauded software vendors for their recognition of the software quality problem and their attempts to rectify their development processes. Purdy commented that security must be embedded in the software development lifecycle, and pointed out that the Software Assurance Program focuses on the areas of people, processes, technology, and acquisitions. The initiative’s acquisitions component will involve the release of guidelines for outsourcing and offshore software development.
Read: Computerworld - Globalization has made software development a national security issue.
In a recent post I wrote about the NIST competition for a new cryptographic hash function. NIST (National Institute of Standards and Technology) has now published the comments it received on the hash algorithm requirements and evaluation criteria. Among others, big companies (Microsoft, IBM) sent their comments. See comments: Crypto Hash Update.
Interesting article: Software - PCI DSS compliance low as June deadline looms: Survey reveals alarmingly low levels of compliance for PCI DSS with only 3% of merchants ready.
Top line survey findings include:
- 85% of respondents are aware of the standard, a significant improvement given only 40% knew about PCI when the last Logic Group survey was conducted 12 months ago
- 52% of surveyed companies have already assessed the impact PCI compliance will have on their businesses
- 60% of companies surveyed are currently at the PCI assessment phase
- 20% of respondents haven’t even started the journey to achieving compliance
- 68% of merchants rated the support they have received as being insufficient
- 71% of respondents have committed to achieving PCI compliance over the next 18 months.
Here is a small list of tools for cracking passwords. Each entry is listed in the order: tool, URL, and short description.
Note: some of the domains have expired and some of the companies have been acquired by bigger ones. :)
This recently updated page is an index of password recovery procedures for Cisco products. For security reasons, the password recovery procedures listed require physical access to the equipment. See: Cisco - Password Recovery Procedures.
Recently, this blog experienced attacks, or better to say XSS bug testing, which fortunately was unsuccessful.
Yesterday John Martinelli discovered a vulnerability in the Redoable theme for WordPress (I don’t use this theme - lucky again), which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the “s” parameter in the WordPress installation’s index.php script is not properly sanitised before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
The vulnerability is confirmed in version 1.2. Other versions may also be affected. The solution is to edit the theme’s source code to ensure that the input is properly sanitised before it is output.
See Original Advisory here.
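The advisory describes a classic reflected XSS: a request parameter (here WordPress’s real search parameter “s”) is written back into the page without encoding. The following is an added example, not code from the Redoable theme or from WordPress, that puts the unsafe pattern next to the fix; the function names and the probe string are constructed for illustration.

```php
<?php
// Added example (not Redoable's or WordPress's code). Shows the defect class
// from the advisory and the fix: HTML-encode user input before it is echoed.
// "s" is WordPress's real search query parameter; the function names here are
// hypothetical.

// UNSAFE pattern: the raw search term is concatenated straight into the page.
// Whatever the request carries in ?s= ends up in the HTML verbatim and is
// executed by the browser of whoever loads that URL.
function render_search_heading_unsafe(string $search_term): string
{
    return '<h2>Search results for: ' . $search_term . '</h2>';
}

// FIXED pattern: encode the term for an HTML text context at the point of
// output. ENT_QUOTES also encodes quotes, so the same helper is safe inside
// attribute values; the explicit charset keeps malformed multibyte sequences
// from slipping past the encoder.
function render_search_heading_safe(string $search_term): string
{
    $escaped = htmlspecialchars($search_term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Search results for: ' . $escaped . '</h2>';
}

// Returns true when the rendered HTML still contains a live script tag,
// i.e. when the renderer failed to neutralise the input.
function reflects_script_tag(string $html): bool
{
    return str_contains($html, '<script>');
}

// Constructed probe: the kind of value a reflected "s" parameter receives.
$probe = '"><script>alert(1)</script>';

// The unsafe renderer reflects the tag; the safe one turns < > " into
// entities, so the browser shows the text instead of running it.
$unsafe_reflects = reflects_script_tag(render_search_heading_unsafe($probe));
$safe_reflects   = reflects_script_tag(render_search_heading_safe($probe));

echo 'unsafe renderer reflects script tag: ', var_export($unsafe_reflects, true), PHP_EOL;
echo 'safe renderer reflects script tag:   ', var_export($safe_reflects, true), PHP_EOL;
echo 'safe output: ', render_search_heading_safe($probe), PHP_EOL;
```

In a real theme the fix sits in whichever template file echoes the search term (the advisory names the installation’s index.php); WordPress’s own template helpers such as get_search_query() return the term already escaped, so the defect usually comes from bypassing them and reading the request directly. The point to check in a review is that encoding happens at output, for the context the value lands in, rather than relying on the input having been filtered earlier.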
Here is a test that shows an example of how this vulnerability can be exploited, and also lets you determine whether or not your browser is vulnerable: Internet Explorer 7 navcancl.htm Cross-Site Scripting Vulnerability - Secunia.
If you are vulnerable, text similar to this will appear:
The content of this page is controlled by the phisher, although the Address Bar displays http://www.google.com.
A phisher could easily have spoofed this to look like a genuine Google page, or any other website such as your bank or favorite shopping site, asking you to enter sensitive data (credit card details, passwords and usernames, and so on).
See more here.
WEP is dead and here’s the proof - an explanation of how the attack on the 802.11 wireless security protocol works: Gone in 120 seconds: cracking Wi-Fi security | The Register.
The availability of a new version of OSSEC (Open Source Host-based Intrusion Detection System) was announced today on the SecurityFocus mailing list dedicated to intrusion detection systems.
OSSEC performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.
This new version comes with lots of new features, including:
A large re-design of the internal architecture of analysisd (the OSSEC process responsible for decoding and analysis) has been completed, greatly improving performance and organization.