Last month, I was contacted by a client to help resolve some security issues on her website (brabbly.com) When I visited the site, there did not seem to be any underlying issues, except for multiple pop ups, which I thought were legitimate ads from the site.

However, I was wrong. On talking to the owner, I found out that the site does not have any ads enabled on the backend. Therefore, I though of the usual culprit; using a nulled theme.

But then again, she swore that she was using a clean them from MyThemeshop.

With the possibility of using a nulled theme out of the way, I set up to investigate. I randomly looked at the code of about 10 sample pages.  The pages did not seem to have anything. The content was okay, just discussing things such as no bounce sports bras, big boob problems, best bra for neck and shoulder pain, and other related topics. It’s a blog about women lingerie.

Well, since the theme wasn’t nulled and the site didn’t appear to be hacked, what could be the problem?

Read on to find out.

I have been waiting for this is happen for a while now. Jeremiah and I discussed this about a year ago while thinking about the fastest way to deploy malware across the web. Our idea was slightly different but the same principles apply, buy your way on to the big sites with ads or convince a site to install a widget/JS snippet.

In this attack the malware distributors purchased ad space on the doubleclick network, uploaded encrypted flash ads that then did drive by malware installs. Here is a video that shows what happens when one of these banners is displayed and attempts to install malware.

This is a very interesting attack but here is what a lot of people fail to realize. Ads, widgets, flash etc are all programs that execute in your browser. Once I source code from another source (like the youtube movie above) I have given up control of my webpage to a third party. Youtube could change that code to do something completely different tomorrow and the only recourse I have is to notice it and remove the code from my site. While removing the code that calls the YouTube video will remove the attack vector from my site, I (really my users) where exposed for the time it was available.The malware people are already thinking about this as well. As demonstrated in the video above, they are not attempting to infect everyone all the time but do it to some people some of the time. Pretty tricky eh?I fear this is only going to get worse. Hold on to your seats, it is going to get bumpy.

Who’s up for another IT security story? I’m was sitting on my Xrocker wondering whether I should get back on Call of Duty or type something quick for this week. I opted for the latter and this is why you are reading this post.

Here is a real world story about a customer of ours, this was a few years ago and was one of the key points in bringing the F5/Mod_security/WhiteHat integrated solution to market.

This customer had a massive application written in ASP classic. Since it was in ASP classic it had massive numbers of SQLi vulnerabilities. Everything from Blind SQLi to the always fun SQL statements in the URL. The customer said this application was roughly 250,000 lines of code with SQL hardcoded throughout. The reason the customer had called WhiteHat is because they where working on a big deal with a potential client and this client was asking for a security report on the application. They where also in the early phases of rewriting the application in .NET (yeah) with an estimated completion date 1.5 years out.

After seeing our report (100+ SQLi and 300+ XSS) and after a protracted developer battle(yes XSS is not good) they where left with two not good options.

1. Lose the customer.
2. Stop the rewrite and spend a few months digging through old code to fix these issues

Now from a business point of view neither of those makes sense. At the time we where in the WAF hater camp but we saw that in this case it made total sense. The customer deployed a WAF, configured it using our vulnerability data, and was able to mitigate the risk in about 3 weeks.

Bottom line and what people continually fail it understand is that every current solution on the market today has its short comings. In security everything does. Is there one magic network solution that will prevent all network attacks? No. You have spent a ton of money protecting your network infrastructure. Let’s take a quick look at the list of things you probably have spent money on today:

1. Firewalls
2. IDS/IPS
3. Network Vulnerability Scanning
4. AntiVirus
5. Configuration and Patch Management
6. Database Scanning
7. Database Encryption

Guess what, none of that protects you from the rush of SQLi, XSS, and other web based attacks. All that money and you still have big gaping holes.

To properly attack the Web Application Security problem you should be doing all of these things:

1. Secure coding practices
2. Source code review
3. Black box testing
4. Web Application Firewalls
5. Developer Training
6. Configuration and change management

The reality today is that people underestimate the size of the problem and therefore do not have the budget to do all these things. You can stretch those budget dollars pretty far with an open source scanner and mod_security (software cost $0). WhiteHat is not that cheap but we are very cost effective, combined with mod_security you can go a long way. Need a more robust solution, WhiteHat + F5 can scale to 1000 of web sites in a very cost effective manner. WhiteHat and our WAF partners can knock items 3-5 off your list while you go work on getting your coding practices in place. Even after you get those practices in place you are still going to find vulnerabilities and having that “instant” mitigation ability is very comforting.

Robert over at cgisec sees the light as well. He has managed and is currently managing web site security for some of the largest most frequently attacked web sites on the planet.

My dad is a Aggie, sorry to see his school can’t secure their systems. If anyone is from Texas they know that the Aggie’s are the butt of many jokes. (Think Polish jokes, Texas style). One of my favorites:

How do you confuse an Aggie?

Put him in a round room and tell him to pee in the corner.

Bu dum bump, I am here all week folks!

I have grown somewhat numb to yet another college getting broken into. Sadly I think the security teams at these places are in a no-win situation. A culture of openness + lots of kids + lots of juicy PII and CC data = many places to fall over and leak data. Maybe RIAA can’t stop wasting time with P2P witch hunts and let the security people at these institutes of higher learning get back to securing the information of the students and faculty. Oh I can dream…

I recently dug my archives and found a story that was fascinating more than a decade ago. Below is an excerpt:

Alumnus hacks Texas A&M system: “A recent graduate of Texas A&M University is charged with hacking into the school’s computer system and illegally accessing information on 88,000 current and former students, faculty and staff members.

Luis Castillo must appear before a magistrate judge Wednesday.”

By the way, if you wondering what happened to the student, let’s just say your guess is as good as mine. Nowadays, rather than chase these small kids trying to hack into school systems, I spend my time restoring websites that have been hacked. Like this one of a client who writes MDF stethoscope review articles. It’s a funny world; how much 10 years can bring a difference in someone’s career.

Sources Mentioned: https://www.nurselly.com/mdf-stethoscope-reviews/