EnableSecurity VOIPPACK is finally out! We would like to thank everyone who made this possible. VOIPPACK can be purchased from our reseller Immunity in the US or directly for the rest of the world.

More information about pricing and video demonstrations can be found in the product page.

This article first appeared in EnableSecurity newsletter 0×0001. Subscribe to the newsletter by sending an email to newsletter@enablesecurity.com.

It is often easy to calculate risk incorrectly. This may be due to lack of information or because one is not looking at the big picture. One particular topic that came up a month or so was prioritizing XSS on a main website which has no sensitive information, only informational content. The sensitive information is available on a different site to which the main website links. In many cases, such sites are not considered worth fixing within a reasonable time and tend to stay vulnerable because other tasks of higher priority come up. That is, until one of the following scenarios happens:

• Blackhat SEOs target your site to help increase their google ranking
• No better or worse phishing attack than having your website include a form asking for a username and password which are sent to a Taiwanese webserver. This especially applies if your service is a target of phishers.
• Displaying of fake articles and press releases on your website, or redirection to malicious executables making it appear that your legit site is sending malware.
• The media catches on and publishes details of the vulnerability - this is what just happened to American Express in the past days.

Note: we are no longer accepting beta testing requests for VOIPPACK. Thanks for everyone who contributed to the beta testing!

VOIPPACK is nearing release stage - stay tuned.
For the high definition (HD) version of this video visit this page.

VoIPPack adds VoIP capabilities to Immunity CANVAS. For more information about VoIPPack take a look at the product page. We are currently running a private beta so send us an email to apply as a beta tester.

The following is a taster showing sipautohack scanning a target network, identifying PBX server, enumerating the extensions intelligently and finally cracking the password for each extension on the PBX. More demos here.

This is an update of what’s been happening on this end:

• Issue 19 of (IN)SECURE Magazine is out, and with it you’ll find a report on RSA Europe 2008 and an article called “How security can hurt us” by yours truly. The magazine has a number of high quality articles and is  freely available from the main website.
• Upcoming research: Vulnerabilities and tools related to Web Application Firewalls. Wendel Guglielmetti Henrique combined his and my research and presented it at H2HC. The presentation was called “Playing with Web Application Firewalls”. Additionally, I presented my research at a local ISACA chapter. This research is still in its initial stage but is already showing significant results. Will be putting a separate post on this.
• The blog at Acunetix now features posts by yours truly on (you guessed it) Web Application Security.
• If you are based in Malta, then you might be interested in the Malta Infosec linkedin group that will be organizing some informal events “real soon”. The blog is at Maltainfosec.org.

Currently at RSA Europe in London and the Keynote is about to start. While we’re being given a Discovery Channel styled lecture on Alan Turing, I’ve been marking the sessions that have a potential of being interesting. Marked the following:

• Security Remodelling - Benjamin Jun
• Locking the Back Door: New Backdoor Threats in Application Security by Chris Wysopal
• A dialogue with ENISA
• VoIP Threats and Countermeasures by David Endler (conflicts with the talk by Chris Wysopal)
• Evolving threat landscape: Do we have to trade off browser functionality for security and privacy? Craig Spiezle (Microsoft)
• Security Testing in Web 2.0 World by Billy Hoffman
• SQL Smuggling by Avi Douglen
• Regular expressions as a basis for Security Products are dead by Steve Moyle
• Blinded by Flash: Widespread security risks flash developers don’t see by Prajakta Jagdale
• Mobile Banking and Identity Theft: Can your phone protect your identity? Patrick Bedwell

Then there’s quite a few “special interest groups” that look intriguing as well.

Meanwhile Arthur W. Coviello of RSA is talking about why the way we do security fails, and suggesting a better approach. Talk about Information Risk Management Stategy, and picking on regulations and compliance.

I’ll be posting live updates on twitter.com/sandrogauci. If any visitors are around, feel free to send me a msg.

Note: this article originally appeared on EnableSecurity Newsletter #0×0001. To subscribe send an email to newsletter@enablesecurity.com.

Most contemporary software attempts to perform automated updates for  one thing or another. Maybe it’s a patch for the software itself, or simply a list of additional files that are required for day to day operations. Security software such as Antivirus software needs to be  automatically updated if it wants to protect against the latest threats instantly. Although of these updates do not have any sort of precautions for man in the middle attacks, no one seemed to care until the past few months.

It is only the latest DNS cache poisoning flaw that made researchers and security folks tick and start realizing that the upcoming patch might not be what it seems. Then Evilgrade came out. This software is an exploitation framework which allows penetration testers to demonstrate upgrade related flaws in the following software:

• Java plugin
• Winzip
• Winamp
• MacOS
• OpenOffices
• iTunes
• Linkedin Toolbar

Meanwhile security advisories keep coming out identifying new software which is vulnerable to this attack:

• InstallShield Update Agent - Remote “Rule Script” Code Execution Vulnerability
• PartyGaming PartyPoker Malicious Update Vulnerability

I’m sure that this is only the tip of the iceberg and there is more to come.

Automated updates can be a life saver, and certain products cannot do without them (like Antivirus software). However (security) updates in particular should not be introducing this kind of security issue!

If you’re a software vendor you have a responsibility to make sure that your automated updates are signed and verified in a secure manner

The newsletter issued yesterday included an advisory on Mail.app’s insecure storage of S/MIME on the email server. The main problem is that people making use of S/MIME expect encryption to protect them from a snooping mail server, and the default “store drafts on mail server” option does not respect this.

At this stage Apple did not release anything to address this issue because it might require architectural changes. I understand that - however publishing a solution to this issue does not have to consist of a patch. This is why I’m publishing the advisory and the below solutions, so that clients that are concerned about this can mitigate.

If you would like to stick to Mail.app:

• Go to the Preferences and select the account from the accounts tab
• Select the “Mailbox behaviors” tab
• Uncheck the option “Store draft messages on the server”

Otherwise some other email clients are not vulnerable because they encrypt the drafts emails before they are sent to server.

The first issue of the newsletter is out! Included the articles of interest:

• Upcoming EnableSecurity projects
• Events: RSA Europe 2008
• New advisory: Apple’s Mail.app stores your S/MIME encrypted emails in clear text
• Surf Jack updates and what is Surf Jack anyway?
• Cross Site Scripting on your non-sensitive website?
• Your magnetic stripe credit card is going away
• Does your software check for updates? You might be in trouble…
• Selected Security news

Some of these articles will eventually find their way to this blog or other locations. Others will remain exclusive to the newsletter.

To get access to the newsletter simply send me an email to newsletter@enablesecurity.com.

The latest issue of the free digital security publication is out and includes some thought provoking articles:

• Browser security: bolt it on, then build it in by Jeremiah Grossman
• Windows driver vulnerabilities: the METHOD_NEITHER odyssey by Anibal Sacco
• Insecurities in privacy protection software by Shrikant Raman
• Compliance does not equal security but it’s a good start by Jack Danahy

This issue also includes my column which talks about why the latest happenings in the security industry should shake us to our senses. The idea is that we need to realize that some of the Internet technologies that we rely on have fundamental flaws.

Here’s a download link.