sPROXY

News
Cross-Site Scripting: article by Deny All CTO published on 01net Entreprises
Friday, 1 July 2011, 10:01

An interesting article by Renaud Bidou, Deny All's CTO, was published today by 01net Entreprises. In it, Renaud describes the evolution of cross-site scripting (XSS) attacks and how this technique is increasingly used by attackers to abuse Internet users and recruit new bots for their botnets. Thanks to 01net Entreprises for their trust. The article (in French) can be found here: http://pro.01net.com/editorial/534784/cross-site-scripting-attention-aux-degats/

Would a WAF have saved the day for Sony?

‘Most likely’, says the Deny All Research Center

Recent events
In the last few weeks, Sony has been the target of two large-scale cyber attacks, which have affected close to 100 million users of the Sony PlayStation Network and Sony Online Entertainment services. According to the Financial Times, 23,000 credit card numbers were stolen, and other sources point to evidence that some of these are on sale on underground networks.

Probable attack vector
Sony has disclosed only limited information hinting at the methods used by the attackers. Based on the public information available to date, the Deny All Research Center (DARC) draws the following conclusions: click to read more (English).

Facebook hacked: the need for behavioural analysis

Recent Facebook hacks make one wonder how such visible and (hopefully) well-secured web applications can be compromised simply by guessing users' credentials. The point is that intruders no longer exploit technical vulnerabilities but logical ones. Allowing a "user" to perform thousands of authentication attempts within a few seconds has nothing to do with the quality of the code. It is a lack of detection of an abnormal behaviour that cannot be that of a human.
In such cases common detection techniques are no longer effective. They mostly rely on so-called "patterns" or "signatures" that are either present or absent in specific parts of the request. Pattern matching and all its current variants have proved quite effective at preventing the exploitation of technical vulnerabilities, as long as they are implemented properly. But in the case of logical flaws there is nothing specific to "sign": each request is entirely legitimate from the protocol and application point of view.
Therefore a whole range of attacks remains undetectable (and consequently unstoppable) with the usual oldies-but-goodies techniques. Floods that would block an application, crawlers downloading an entire web site and brute-forcers trying to guess passwords get a free ride on the highway to applications.

At some level, security could be enforced by the application itself. Rate limiting, cookie tracking or CAPTCHA mechanisms would effectively prevent automated tools from accessing the application. But they would also impact the user experience, from adding annoying steps to day-to-day browsing to outright refusing connections for one technical reason or another. Moreover, it requires application designers to stay up to date with current logical attack techniques and effective mitigation methods, which is far, very far from their daily focus.
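To make the "abnormal behaviour" argument concrete, here is an added example (not Deny All's code and not part of the original article): a small Python detector run over a constructed authentication log. The log format, the thresholds (10 failures from one address within 10 seconds; 8 distinct addresses failing against one account within 10 seconds) and the sample IP addresses are assumptions chosen for illustration. Every request it processes is well formed and individually legitimate; the detector looks only at the rate and spread of failures, which is exactly what a signature cannot express.

```python
"""Behavioural detection of credential guessing over an authentication log.

Each request below is a well-formed, protocol-legitimate login attempt with a
plausible username and password. No single line carries anything to "sign";
the only signal is the rate and the spread of failures over time.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example, not a real product format):
# <ISO-8601 timestamp> ip=<client IP> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; raise on anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_abuse(lines, window=timedelta(seconds=10), per_ip_fails=10, per_user_ips=8):
    """Flag login behaviour that no human produces.

    brute_force:          one client IP accumulates >= per_ip_fails failures inside `window`
    distributed_guessing: >= per_user_ips distinct IPs fail against one account inside `window`

    Thresholds are illustrative. Each (type, key) pair is reported once, so a
    flood of requests does not become a flood of alerts.
    """
    ip_fails = defaultdict(deque)    # ip   -> failure timestamps still inside the window
    user_fails = defaultdict(deque)  # user -> (timestamp, ip) failures still inside the window
    alerted = set()
    alerts = []

    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        if ev["ok"]:
            continue  # a legitimate user may fail a few times; only failures are counted
        now = ev["ts"]

        # Sliding window per source: many failures from one address in a few seconds.
        q = ip_fails[ev["ip"]]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_fails and ("brute_force", ev["ip"]) not in alerted:
            alerted.add(("brute_force", ev["ip"]))
            alerts.append({"type": "brute_force", "key": ev["ip"], "count": len(q), "at": now})

        # Sliding window per account: one account attacked from many addresses.
        uq = user_fails[ev["user"]]
        uq.append((now, ev["ip"]))
        while now - uq[0][0] > window:
            uq.popleft()
        sources = {ip for _, ip in uq}
        if len(sources) >= per_user_ips and ("distributed_guessing", ev["user"]) not in alerted:
            alerted.add(("distributed_guessing", ev["user"]))
            alerts.append({"type": "distributed_guessing", "key": ev["user"],
                           "count": len(sources), "at": now})
    return alerts


def sample_log():
    """Constructed sample: one human, one single-source brute-forcer, one distributed guesser."""
    t0 = datetime(2011, 1, 14, 10, 0, 0)

    def stamp(**kw):
        return (t0 + timedelta(**kw)).isoformat()

    lines = []
    # Alice mistypes her password twice, then logs in: normal behaviour, no alert.
    lines += [f"{stamp(seconds=s)} ip=198.51.100.7 user=alice result={r}"
              for s, r in ((0, "FAIL"), (4, "FAIL"), (9, "OK"))]
    # One address tries 30 passwords against 'carol' in 6 seconds (5 attempts/second).
    lines += [f"{stamp(milliseconds=200 * i)} ip=203.0.113.5 user=carol result=FAIL"
              for i in range(30)]
    # Twelve addresses each fail once against 'bob' within 12 seconds: a low rate per
    # source that per-IP counting never sees, but no human logs in from twelve places.
    lines += [f"{stamp(seconds=20 + i)} ip=192.0.2.{i + 1} user=bob result=FAIL"
              for i in range(12)]
    return lines


if __name__ == "__main__":
    for a in detect_abuse(sample_log()):
        print(f"{a['at'].isoformat()} {a['type']:<21} {a['key']} ({a['count']} in window)")
```

Two design points matter in practice. Successful logins are not counted, so a human who mistypes a password a few times never trips the detector, which is the user-experience concern raised above. And the thresholds have to be tuned to the deployment: a corporate proxy or carrier NAT puts many real users behind one address, so a per-IP threshold that is right for a consumer site will generate false alerts for an intranet portal.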

For more information, read the article by Renaud Bidou, CTO of Deny All.

Les Assises 2010: presentation by Renaud Bidou, CTO of Deny All

During "les Assises de la Sécurité" 2010, Renaud Bidou gave a talk entitled "extension of the field of combat", on how CSOs must now also protect web users from attackers.

To watch this presentation again, click here.

Thanks to Client Sanitization, banks can strengthen the security of online payments

With the success of online commerce sites, remote payment has become commonplace. The fraud rate for purchases paid for over the Internet, however, remains 15 times higher than for face-to-face payments. The Bank of France, which is charged by law "to ensure the security of means of payment", has therefore taken up the problem. In 2010 it asked all banks to improve the security of online payments.

To help banks meet this challenge, Deny All has created Client Sanitization, a module that creates a "protective bubble" around the browser to prevent keyloggers (spyware) and other Trojans that may be present on the customer's or employee's workstation from capturing the user's data or, for example, compromising a financial transaction.
This option can be used in a number of sectors: banks, e-commerce sites or online gaming sites.

For more information, see the press release or contact us.

Deny All confirms its leadership and vision with rWeb 4.0, the next-generation firewall

Deny All begins 2010 on an innovative note with the launch of its new-generation WAF: version 4.0 of its flagship solution, rWeb.

Deny All, European leader in protecting and accelerating Web, XML and FTP applications, announces the latest version of its security solution for Web/XML applications, with many innovations in the fields of security, performance and management.


Two major technological breakthroughs

A tool dedicated to Web Services:
Most Web Application Firewalls (WAFs) protect the "classical" layers (HTTP, SMTP, etc.) and therefore neglect the protection of Web Services. Today, rWeb is the only solution on the market to offer an integrated module fully dedicated to Web Services. Very easy to use, it greatly increases the functional coverage compared to the previous version (3.8).

Web application security extended to the client:
Deny All innovates by extending security to the client through a new rWeb feature called Client Sanitization. It provides a "protective bubble" in the browser that prevents, for example, keyloggers, spyware and other Trojans from recording data entered on the Internet or from compromising a financial transaction.

V. Rasneur has won the development contest organized by Hex-Rays.

Vincent Rasneur has won the contest organized by Hex-Rays, the publisher of the IDA reverse-engineering software. It is a very high-level contest, so congratulations to Vincent!

http://www.hex-rays.com/contest2009/

"We are happy to announce the results of our first Hex-Rays plugin contest! The submissions we received are very interesting. We are sure you will also find them useful and that they will increase your productivity.

While there was no difficulty in determining first place, second place was not obvious: both candidates were very good. In the end one was chosen, but we decided that third place also deserves a prize. In fact, we consider all the contestants good and deserving of a prize, but the number of winners is always limited. We will probably be better prepared next time.

We would like to thank all the participants for their submissions. Many of them show new ways to use and extend IDA. See for yourself below ;)

Without further ado, we announce the winners. They are:

1. Vincent Rasneur of DenyAll with the DWARF plugin
2. Marian Radu of Microsoft with the disassembler for Adobe Flash
3. Jan Newger with the IDAStealth plugin

Congratulations to the winners!"

During it-sa, our team took part in round tables on the vulnerability of Web applications

IT(ea)-Time round table:

   Backdoor Browser? Vulnerability of Web Applications

Participants: Mr. Stefan Strobel (Cirosec), Dr. Bruce Sams (OPTIMAbit GmbH) and Mr. Thomas Kohl (Deny All). See video (in German).

   Web Application Firewall, an easy way to a high level of security

Speaker: Mr. Ingmar Ludemann. See video (in German).

Deny All releases a patch against Slowloris, an attack on Web servers

The DARC (Deny All Research Center), the Deny All division that focuses on threat analysis and mitigation, performed a technical analysis of the tool and of the concept behind the attack.
As a result, all Deny All customers can now be protected against this attack and any variant based on the same technique.
This is the first patch released for an Apache-based product against this attack.


You can read the press release.

rWeb 3.8 evaluated by SIC Laboratory

SIC (Seguridad en Informática y Comunicaciones) has been, since 1992, the most widely read information security and IT systems security magazine in Spain. Aimed at CISOs, CIOs and other information security management profiles, this Ediciones CODA publication serves as a cohesion tool for its Spanish-speaking professional readers.
SIC Laboratory is the section of the magazine in which security hardware and software products and tools are identified, examined, analyzed and evaluated.

In June, our leading product rWeb 3.8 was evaluated, and "the results of the test [for the White List] have led to very satisfactory values of around 98.2%. And the test results have been excellent with the Black List."

You can read the Spanish article.