Archive for the ‘Web Security’ Category

Online finance flaw: Ameriprise III – please make it stop

March 23, 2010

Online finance flaw: Ameriprise III – please make it stop: “NOTE: This issue was disclosed responsibly and repaired accordingly.

‘Now what?’, you’re probably saying. Ameriprise again? Yep.
I really wasn’t trying this time. Really.
There I was, just sitting in the man cave, happily writing an article on version control and regression testing.
As the Ameriprise cross-site scripting (XSS) vulnerabilities from August 2009 and January 2010 were in scope for the article topic, due diligence required me to go back and make sure the issue hadn’t re-resurfaced. 😉
I accidentally submitted the JavaScript test payload to the wrong parameter.
What do you think happened next?
Nothing good.
I reduced the test string down to a single tic to validate the simplicity of the shortcoming; same result.

At the least, this is ridiculous information disclosure, if not leaning heavily towards a SQL injection vulnerability.
As we learned the last two times we discussed Ameriprise, the only way to report security vulnerabilities is via their PR department, specifically to Benjamin Pratt, VP of Public Communications.
Alrighty then, issue reported and quickly fixed this time (same day)…until some developer rolls back to an old code branch or turns on debugging again.

We all know ColdFusion is insanely verbose, particularly when left in debugging mode, but come now…really?
I really didn’t want to know the exact SQL query and trigonometry required to locate an Ameriprise advisor.
Although, after all this, I can comfortably say I won’t be seeking an Ameriprise advisor anyway.

Please Mr. Pratt, tell your web application developers to make it stop.

Cheers.

Please support the Open Security Foundation (OSVDB)



Secret Service Paid TJX Hacker $75,000 a Year

March 23, 2010

Secret Service Paid TJX Hacker $75,000 a Year: “

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

‘It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,’ says former federal prosecutor Mark Rasch. ‘It’s probably the only thing he was doing — other than hacking into TJX and making millions of dollars.’

Gonzalez’s salary highlights how entwined he was with the government at the time he participated in the largest identity theft crimes in U.S. history. Gonzalez, 28, is set for sentencing this week on three indictments covering nearly every headline-making bank-card theft in recent years, including intrusions at TJX, Office Max, Hannaford Brothers, 7-Eleven and Heartland Payment Systems (which alone exposed magstripe data on 130 million credit and debit cards). The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

Rasch says Gonzalez’s $75,000 is nothing compared to the million-dollar payouts some undercover informants get for high-risk, high-value cases such as Mafia investigations. But Gonzalez’s payments dwarf the meager handouts given previous computer crime informants.

Identity thief Brett Johnson, aka Gollumfun, said he earned $350 a week — the equivalent of about $18,000 a year — while working undercover in the Secret Service’s Columbia, South Carolina, field office helping catch card thieves. Johnson was recruited by the agency in 2005 after he was arrested buying merchandise with counterfeit cashier’s checks; his public service ended 10 months later when agents discovered that, like Gonzalez, Johnson was two-timing them, running a fraudulent tax-return scheme during his off hours that was bringing him an extra $5,000 to $6,000 each week.

Another carder, David ‘El Mariachi’ Thomas, worked undercover for 18 months for the FBI in 2003 and 2004 running a carding site called The Grifters out of a Seattle apartment. The bureau paid rent and expenses for him and his live-in girlfriend, and bought the computers he used to run the undercover operation, but didn’t pay him a salary.

In the 1990s, informant Justin ‘Agent Steal’ Petersen was reportedly paid $200 a week while helping the FBI build a case against Kevin Mitnick, then the number one hacker target on the government’s radar.

For his part, Gonzalez began working for the Secret Service when he was arrested making fraudulent ATM withdrawals in New York. Under the nickname ‘Cumbajohnny,’ he was a top administrator on a carding site called Shadowcrew. The agency cut him loose and put him to work undercover on the site, where he set up a VPN the carders could use to communicate — a supposedly secure communications channel that was actually wiretapped by the Secret Service’s New Jersey office.

That undercover operation, known as ‘Operation Firewall,’ led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to ‘Segvec’ and moved to Miami where he resumed his life of crime under the noses of the agents who were paying him. Authorities finally arrested him in May 2008. After many months, he directed them to a stash of more than $1 million in cash buried in a barrel in the backyard of his parents’ home.

Rasch says a number of factors determine what an informant is paid, such as whether they have specialized technical skills or have infiltrated an underground organization; whether they’re putting themselves or family members at risk; and whether the investigations they work involve stolen funds that the government has a good chance of recovering.

‘If I’m working on a case involving $20 million in fraud and the government is likely to get some of that money back, $75,000 is chump change,’ Rasch says. ‘They don’t use paid informants that often…. Criminals will ordinarily cooperate [without payment] in return for a non-prosecution’ or sentence reduction.

The Department of Justice publishes nonbinding guidelines that discuss the necessity of monitoring informants and assessing a criminal’s suitability to be one, but they don’t provide standards for doing so.

Per the attorney general’s guidelines, two law enforcement representatives are required to witness any payment made to a confidential informant and document the payment in the case files, indicating if it’s for information, services or expenses. The informant must also sign or initial a written receipt.

At the time of the payment, the law enforcement agents are required to advise the confidential informant that the payment may be taxable income that must be reported to the IRS and state agencies.

The Secret Service’s embrace of Gonzalez as a professional informant may have reinforced his criminal behavior. Gonzalez felt he’d been rewarded for his preoccupation with computers, according to a letter written by his sister to one of his sentencing judges.

‘All this seemed okay at the time, but psychologically it was feeding an obsession that in the end would become my brother’s downfall,’ Frances Gonzalez Lago told the court in December.

Gonzalez is set for sentencing Thursday in U.S. District Court in Boston for the TJX, Office Max, and Dave & Buster’s breaches. He appears in front of a different judge the next day for sentencing on the Heartland, Hannaford and 7-Eleven thefts. The government is seeking a sentence of 25 years in prison.

(Via Wired: Threat Level.)

BLADE: Hacking Away at Drive-By Downloads — Krebs on Security

February 24, 2010


Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

January 8, 2010

Patriot Hacker Hits Jihad With DDoS Attacks
January 7, 2010 by ADMIN · Comment
By Richard Stiennon, Chief Research Analyst, IT-Harvest
I had an interesting demonstration this evening from a hacker who goes by the handle ‘The Jester’ or in so-called l33t speak, th3j35t3r which is his Twitter ID.
Since January 1, The Jester has been systematically wreaking havoc with several websites he associates with Al Qaeda and Jihadists via a Denial of Service attack delivered over the web through a Swedish anonymizer service (
The Jester has been documenting his attacks against,,,,,,,, since the beginning of 2010.
Early today he posted:
Official Presidency Website of …”

Suricata: A Next Generation IDS/IPS Engine

January 7, 2010

Suricata: A Next Generation IDS/IPS Engine: “

Last Thursday, I was very glad that the Open Information Security Foundation (OISF) released the first public beta version of Suricata. It has been three years in the making. Several new releases are expected this month, culminating in a production-quality release shortly thereafter. OISF describes Suricata as ‘an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.’ It is looking very promising.

The Suricata Engine and the HTP Library are available to use under the GPLv2. The new engine supports ‘Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards’. GPU integration allows the use of graphic cards to accelerate operations. Mike Cloppert in his post, ‘Detection, Bandwidth, and Moore’s Law’ pointed out:

It appears the authors well understand the point in this post, and the corresponding state of the art in solving parallel computing problems. GPUs are emerging as a good commodity solution to parallel processing. This is covered in depth by a number of recent publications discussing parallelism, and I am by no means an expert in this field, so I will simply leave follow-up on this point as an exercise for the reader.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic, creator of ModSecurity and author of the soon-to-be-released book ‘ModSecurity Handbook’. It integrates with the engine and provides very advanced processing of HTTP streams. The HTP library is required by the engine, but may also be used independently in a range of applications and tools. Additional details have been provided by Ivan in his post, ‘HTTP parser for intrusion detection and web application firewalls.’ Ivan writes concerning the development, ‘For the first release of the parser the goal is to be able to parse HTTP streams reliably. In the subsequent versions I will work on the parser’s security properties (such as the ability to see through evasion attacks).’

New Ideas and Concepts

Quoting from the OISF announcement, some of the next generation capabilities include:

  • Multi-Threading: so very necessary.
  • Automatic Protocol Detection: the engine has keywords for IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB. Users can write rules to detect a match within a stream regardless of the port the stream occurs on. This is important for malware detection and control. Detections for more layer 7 protocols are being developed.
  • Gzip Decompression: the HTP Parser will decode Gzip compressed streams.
  • Independent HTP Library: the HTP Parser will be usable by other applications such as proxies, filters, etc. The parser is available as a library under GPLv2 for easy integration into other tools.
  • Standard Input Methods: support for NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support will be available soon.
  • Unified2 Output: support for standard output tools and methods.
  • Flow Variables: it is possible to capture information out of a stream and save that in a variable which can then be matched against later.
  • Fast IP Matching: the engine will automatically use a special fast matching preprocessor on rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats).
  • HTTP Log Module: HTTP requests can be automatically output into an apache-style log format file for monitoring and logging activity completely independent of rulesets and matching.
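As an added illustration (constructed for this page, not taken from the OISF announcement or any Suricata ruleset), the following rules show three of the capabilities listed above in Suricata rule syntax: the `http` protocol keyword matches HTTP on whatever port it runs, `flowbits` carries state from a request to the reply in the same flow, and a rule containing only IP addresses qualifies for the fast IP-only matcher. The User-Agent string, the address range and the SIDs are placeholders.

```suricata
# Constructed example rules; not part of the OISF announcement or any Suricata ruleset.

# 1) Automatic protocol detection: "http" plus any/any ports means this fires
#    on HTTP traffic even on a non-standard port (a client speaking HTTP to
#    port 8443 or 4444), where a tcp/80 rule would see nothing. The request
#    rule only records state in a flow variable and does not alert by itself.
alert http any any -> any any ( \
    msg:"EXAMPLE HTTP request with placeholder User-Agent on any port"; \
    flow:established,to_server; \
    content:"User-Agent|3a| EXAMPLE-Downloader"; http_header; nocase; \
    flowbits:set,example.susp_ua; flowbits:noalert; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# 2) Flow variables: alert only when the server's reply in the SAME flow
#    returns a binary payload to the client that rule 1 flagged.
alert http any any -> any any ( \
    msg:"EXAMPLE binary served to client flagged by placeholder User-Agent"; \
    flow:established,to_client; \
    flowbits:isset,example.susp_ua; \
    content:"Content-Type|3a| application/octet-stream"; http_header; nocase; \
    classtype:trojan-activity; sid:1000002; rev:1; )

# 3) Fast IP matching: a rule with only addresses and no payload keywords is
#    handled by the IP-only matcher; the RBN and compromised-host lists at
#    Emerging Threats are built from rules of this shape. 203.0.113.0/24 is
#    the TEST-NET-3 documentation range, used here purely as a placeholder.
alert ip [203.0.113.0/24] any -> $HOME_NET any ( \
    msg:"EXAMPLE traffic from placeholder blocklisted range"; \
    classtype:misc-attack; sid:1000003; rev:1; )
```

The rules assume the standard `$HOME_NET` variable and classification file from a default suricata.yaml; the two HTTP rules fire only as a pair, so a request from the placeholder agent that receives no binary reply produces no alert.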

A few features to look forward to in a few weeks:

  • Global Flow Variables: the ability to store more information from a stream or match (actual data, not just setting a bit) over a period of time allowing comparing values across many streams and time.
  • Graphics Card Acceleration: using CUDA and OpenCL to make use of the processing power of even old graphics cards to accelerate the IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
  • IP Reputation: will allow sensors and organizations to share intelligence and eliminate many false positives.
  • Windows Binaries: will be released once there is a reasonably stable body of code.

Folks Behind It

The team is listed on the OISF site. It is an all-star cast including Matt Jonkman, Victor Julien, Will Metcalf, Nathan Jimerson, Margaret Skinner, Josh Smith, Brian Rectanus, Breno Silva Pinto, Anoop Saldanha, Gurvinder Singh Dahiya, Jason MacLulich, Jason Ish, Kirby Kuehl, Dennis Henderson, Martin Solum, Ivan Ristic, Pablo Rincon, and Gerardo Iglesias Galvan.

I also wanted to point out some of the heavy hitting organizations involved. The initial funding for OISF comes from the US Department of Homeland Security (DHS), the US Navy’s Space and Warfare Command (SPAWAR), and a number of private companies that participate in the OISF Consortium. The OISF is a part of the DHS Homeland Open Security Technology (HOST) program. OISF works with Open Source Software Institute and has received legal guidance from the Software Freedom Law Center.

OISF is a US nonprofit, a 501(c)(3), and will not commercialize, sell, patent, copyright, or profit from the engine. OISF Consortium members are donating coders, equipment, and financial support in exchange for the ability to commercialize the engine. The important takeaway is that OISF has long-term support for future development of Suricata.

Final Thoughts

Suricata is a very exciting and promising IDS/IPS engine. It has a great group of people behind it and future development appears secured. It is a project that is in the early stages. Do not expect to download it and simply install it in a production environment. For testing the software and providing feedback, the engine and the HTP Library are available for download. To keep apprised of the latest developments, join the OISF mailing lists, where you can discuss and share feedback. The blog of Victor Julien, Suricata’s lead developer, is another great source for the latest news and information.

To finally answer the burning question: why the name Suricata? According to the OISF site, Suricata comes from the Latin genus name for the meerkat and ‘the Meerkat takes security and vigilance as a life or death responsibility. There is always at least one individual on guard, watching, ready to alert the entire organization. Very much like an IDS sensor. It is always watching, always ready to alert you to danger. Or something like that…’

(Via System Advancements at the Monastery.)

Shared Threat Monitoring Protects Enterprise

December 11, 2009

Shared Threat Monitoring Protects Enterprise: “

By Michael O’Connor, President of IronClad Consulting

Recently, as detailed by Anthony Freed of, Larry Clinton of the Internet Security Alliance presented information to Congress regarding security and protecting privacy in cyberspace.

First of all, it is encouraging to hear that these kinds of discussions are being presented in D.C. Thanks to Larry Clinton and his team for representing these very important issues.

I agree with the feel of Larry’s suggestions — that it is not necessarily ‘compliance’ that will resolve our concerns, and that more practical means must be established.

If this is so, I would recommend ongoing monitoring as the key. And if monitoring is the key, how does this affect businesses, individuals, and personal privacy?

And what role does government play, if any? Can we balance good monitoring and security with privacy?

My laptop is monitored constantly by security software. In return for the service, I voluntarily give up some information.

However, this information is about my system and not me personally (other than standard billing info, which is public anyway, minus the credit card data).

Do you think a similar solution could be implemented business-wide, to help monitor and keep businesses free from harmful attacks?

Perhaps ‘compliance’, in such a model, would be gained by agreeing to opt in to the monitoring system.

Going along with one of Larry’s future objectives – information sharing – threats exposed in such a system could become immediately beneficial to other businesses that are hooked in.

Some companies are already attempting this strategy. The general concept is to create a sort of ‘reputation’ around the data elements of the transaction.

The more unique the data elements and the more clients use (and contribute to) the reputation, the more valuable the reputation becomes.

Reputation can be tied to elements such as an IP address (as with MaxMind), a ‘client device ID’ (CDI, as with 41st parameter, Kount, or iovation), a credit card number (as with Visa’s neural network), and so on.

Ostensibly, the most unique and valuable data element would be the client device ID.

It provides a much more concrete identification mechanism than the other, dynamic and changeable elements such as email address, shipping/billing address, name, phone number, etc.

Thus, gathering these – and especially sharing them – would provide an excellent foundation for a monitoring system.

Ideally, both government and private sectors would contribute to the system, which would provide real-time updates and warnings concerning devices that were previously known to be used in fraudulent activities.

But what of privacy concerns?

An intrinsic benefit of CDI is that it does not hold Personally Identifiable Information (PII) within it.

You’re just looking at the device – and ideally the reputation surrounding it – rather than the person or private information behind the device.

The privacy concern becomes moot.

Granted, any client looking at the transaction has private information on their end (a retailer looking at the invoice, for example), and they could easily connect the PII and CDI together for their own purposes, but the PII portion would not be shared within the overarching monitoring system.

Moving full-circle back to the role of government, were they to adopt such a monitoring system and require that businesses take part in it as a requirement for a new kind of security ‘compliance’, we might see a positive shift from the bookshelf-breaking paper-based compliance of the past.


Michael O’Connor has been working in various operational management positions since 1994, and with online payment in particular since 2000. In 2003 he began a focused foray into fraud prevention while leading a team at, where they prevented millions of dollars in potential fraud losses from hitting the company’s bottom line. Michael was also fortunate enough to have served on the advisory board of the Merchant Risk Council and to have assisted in the training of an FBI CyberCrimes unit. Ironclad’s core objective is to make businesses safer and profitable by providing unbiased consultation in the areas of payment facilitation, compliance, risk assessment, and fraud prevention best practices. The threats are inbound. Are you Ironclad?™

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

(Via Information Security Resources.)

Security feature of Internet Explorer 8 unsafe

November 26, 2009

Security feature of Internet Explorer 8 unsafe: “The cross-site scripting filter of Microsoft’s browser reportedly contains vulnerabilities that allow the very cross-site scripting attacks it is meant to prevent”

(Via The H Security.)

In-Q-Tel Invests in FireEye

November 19, 2009

In-Q-Tel Invests in FireEye: “J. Nicholas Hoover writes on InformationWeek:

The independent venture arm of the U.S. intelligence community, In-Q-Tel, has invested in cybersecurity company FireEye, the company announced Wednesday.

In-Q-Tel and FireEye didn’t disclose terms of the agreement, or which intelligence agencies are particularly interested in the technology. However, in a release, they said that the investment ‘will extend FireEye’s cyber security product development and stealth malware technical capabilities to protect against cyber threats.’

The intelligence community has a clear interest in cybersecurity investment. At a conference earlier this month, deputy secretary of defense William Lynn said that more than 100 foreign intelligence agencies are actively trying to hack into federal government systems. The NSA recently announced plans to build a $1.5 billion cybersecurity data center in Utah.

California-based FireEye sells an out-of-band security appliance that monitors all inbound network traffic, employing a blend of signatures and heuristics to analyze traffic for evidence of suspicious behavior. After identifying suspicious traffic, the appliance captures and replays the traffic on virtual machines running in the appliance, which imitate real PCs. If those PCs are compromised, FireEye alerts administrators. By routing the traffic to a virtual machine, FireEye claims it is able to mitigate false positives. The virtual machines are invisible to the customer’s production network.

More here.

(Via Fergie’s Tech Blog.)

Gumblar is back with a vengeance

November 18, 2009

Gumblar is back with a vengeance: “ScanSafe reported that 29% of all Web malware blocks in October 2009 were the result of Gumblar. This series of website compromises, collectively dubbed ‘Gumblar’ takes a multi-pronged approach, insta…”

(Via Help Net Security – News.)

McAfee Threats Report: Third Quarter 2009

November 6, 2009

McAfee Threats Report: Third Quarter 2009

By David Marcus, Paula Greve, Sam Masiello, and David Scharoun

McAfee Labs™

This continues to be a fascinating year for online threats, malware of all types, and cybercrime in particular. In this quarter’s McAfee Threats Report we will discuss new findings, look at continuing trends, and unearth a few surprises.

We continue to see rapid growth in malware. Web-based threats have reached new highs. Celebrity deaths, and news events in general, serve as lures in scams, spams, and phishing attacks. Disasters especially attract a large audience of potential victims. Fraudulent security products continue to scam unsuspecting users out of their money. Chinese pharmacy spam runs were the rage for a month or two. Google searches lead to more and more threats. We also observed some very interesting events in the world of cybercrime. One of the most surprising recent trends is the rise in pirated movie and software sites.

Our researchers noticed 300 percent growth this quarter in websites that distribute pirated movies and software. Is this increase due to the economic downturn, or is technology at a point where it is easier to download feature-length movies on the day they become available in theaters?