The magazine you!re reading was put together during an extremely busy few months that saw us pile up frequent flier miles on the way to several conferences. You can read about some of them in the pages that follow, specifically RSA Conference 2009, Infosecurity Europe 2009 and Black Hat Europe 2009. This issue brings forward many hot topics from respected security professionals located all over the world. There!s an in-depth review of IronKey, and to round it all up, there are three interviews that you!ll surely find stimulating. This edition of (IN)SECURE should keep you busy during the summer, but keep in mind that we!re coming back in September! Articles are already piling in so get in touch if you have something to share. Mirko Zorz Editor in Chief Visit the magazine website at www.insecuremag.com (IN)SECURE Magazine contacts Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected] Marketing: Berislav Kucan, Director of Marketing - [email protected] Distribution (IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. Copyright HNS Consulting Ltd. 2009. www.insecuremag.com Qualys adds Web application scanning to QualysGuard Qualys added QualysGuard Web Application Scanning (WAS) 1.0 to the QualysGuard Security and Compliance Software-as-a- Service (SaaS) Suite, the company!s flagship solution for IT secu- rity risk and compliance management. Delivered through a SaaS model, QualysGuard WAS delivers automated crawling and test- ing for custom Web applications to identify most common vulner- abilities such as those in the OWASP Top 10 and WASC Threat Classification, including SQL injection and cross-site scripting. QualysGuard WAS scales to scan any number of Web applica- tions, internal or external in production or development environments. (www.qualys.com) Integrated protection for smartphones: Kaspersky Mobile Security 8.0 The new version of Kaspersky Mobile Security provides protection against the wide range of threats facing smartphone users. For instance, SMS Find can locate the exact whereabouts of a lost smartphone. After sending an SMS with a password to the lost device, the user receives a link to Google Maps containing its exact coordinates. The Anti-theft module of Kaspersky Mobile Security 8.0 makes it possible for the owner of a lost or stolen smartphone to remotely block access to or completely wipe the memory of the device by simply sending a codeword via SMS to his/her number. (www.kaspersky.com) www.insecuremag.com "" 5 SSH solution for real-time inspection and audit of encrypted traffic SSH Communications Security announced SSH Tectia Guardian, a new technology solution that enables real-time session and file transfer monitor- ing with IDS or DLP integration capabilities, as well as replay of sessions for post-session auditing of encrypted traffic. This unique security solution enables both real-time inspection, and full re- play of SSH, SFTP, Telnet, and RDP traffic and sessions to meet compliance, governance, audit- ing, and forensics requirements in enterprises and government entities. (www.ssh.com) Acunetix Web Vulnerability Scanner 6.5 now available Acunetix announced new "file upload forms vulner- ability checks" in version 6.5 of the Acunetix Web Vulnerability Scanner (WVS). Other key features in the new versions are the new Login Sequence Re- corder, Session Auto Recognition functionality and improved cookie and session handling. With the new Login Sequence Recorder and Session Auto Recognition module, WVS can automatically login to a wider range of authentication forms using dif- ferent authentication mechanisms, while with the improved cookie and session handling. WVS is now able to scan a broader range of dynamic web applications effectively. (www.acunetix.com) Wi-Fi kit for disaster response and temporary events Xirrus announced a portable, pre-packaged kit designed for the rapid and simple de- ployment of Wi-Fi networks in temporary applications. Unlike other Wi-Fi networking solutions which require many different components, the Xirrus Wi-Fi Array integrates everything needed to deploy a large coverage, high density Wi-Fi network supporting up to hundreds of clients into a single device. This makes the Wi-Fi Array the ideal fit for portable applications such as disaster re- sponse command posts; high-density events such as conferences and expositions; and short-term events such as festivals, markets, and fairs. (www.xirrus.com) PGP launches Endpoint Application Control PGP has announced PGP Endpoint Application Control, a product that blocks malicious and unauthorized software, including applications, scripts and macros, from executing on a user!s system by automatically enforcing policies using whitelisting technology that explicitly allows only trusted and authorized software applications. By leveraging PGP Endpoint Application Control as another layer of data defense, customers can ensure business continuity with always-on protection and not have to worry about malicious software entering their networks. (www.pgp.com) www.insecuremag.com "" 6 Web penetration testing live CD The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on test- ing and attacking websites. The developers included the tools they use in their own security practice. (sourceforge.net/projects/samurai) RIM launches BlackBerry Enterprise Server 5.0 RIM launched BlackBerry Enterprise Server 5.0 which supports advanced IT ad- ministration features and smartphone controls that help improve the productivity of mobile workers and meet the demands of large-scale, mission critical enterprise deployments. It enables a secure, centrally managed link between BlackBerry smartphones and enterprise systems, applications, corporate phone environments and wireless networks. (www.blackberry.com) New StoneGate FW-1030 appliance with firewall capabilities Stonesoft introduced the StoneGate FW-1030 appliance with firewall capabilities. It provides data security for small enterprises and remote offices combined with StoneGate's built-in high availability features that guarantee always-on connectivity. With perimeter protection and internal network segmenting ca- pabilities, the FW-1030 prevents computer worms from spreading and contaminating an organi- zation's internal network. It provides built-in solid-state disk technologies that emphasize reliability and durability while using 50% less power compared to similar appliances. (www.stonesoft.com) New release of RSA Data Loss Prevention Suite RSA announced enhancements to the RSA Data Loss Prevention Suite, its suite of data security products that are engineered to discover, moni- tor and protect sensitive data from loss, leakage or misuse whether in a datacenter, on the network, or out at the endpoints. The allows organiza- tions to secure sensitive content in a way that saves time and stream- lines processes for data security personnel. Sensitive data at rest can now be moved or quarantined automatically and users can apply self- remediation for emails quarantined due to violations. (www.rsa.com) New services to secure Web applications from TippingPoint TippingPoint announced its Web Application Digital Vaccine (Web App DV) services, a two-part approach to address the security threat posed by Web applications. This set of services enables users to maximize their security investments, while reducing the risk of attacks through custom-built Web ap- plications. (www.tippingpoint.com) www.insecuremag.com "" 7 Malware researchers are very careful with the samples they analyze. They know several types of malicious files can execute their payload even without being opened. Up until now, the consensus was that malicious PDF docu- ments were harmless as long as you didn't open them with a vulnerable ver- sion of a PDF reader, usually Adobe Reader. My research shows that this is no longer the case. Under the right circumstances, a malicious PDF document can trigger a vulnerability in Adobe Reader without getting opened. The JBIG2 vulnerability vulnerabilities. Malware authors started ex- ploiting this JBIG2Decode vulnerability before In March, Adobe released a new version of Adobe was able to release a fix. They man- Adobe Reader to fix several bugs. One of the aged to create PDF documents that cause the fixes is for the notorious JBIG2 vulnerability. buggy JBIG2 decompression code to malfunc- tion in such a way that shellcode is executed, The PDF format supports several image com- which ultimately downloads a Trojan. pression algorithms; you're probably familiar with JPEG. JBIG2 is another compression al- I will use the following malformed JBIG2 data gorithm. Adobe's implementation of the JBIG2 to trigger an error in the vulnerable JBIG2 de- decompression algorithms contained bugs compression algorithm in Adobe Reader. that could lead to arbitrary code execution: i.e, www.insecuremag.com 8 Some user interaction required When you install Adobe Reader, a Column Handler Shell Extension is installed. A column How is it possible to exploit this vulnerability in handler is a special program (a COM object) a PDF document without having the user that will provide Windows Explorer with addi- opening this document? The answer lies in tional data to display (in extra columns) for the Windows Explorer Shell Extensions. file types the column handler supports. The PDF column handler adds a few extra col- Have you noticed that when you install a pro- umns, like the Title. When a PDF document is gram like WinZip, an entry is added to the listed in a Windows Explorer window, the PDF right-click menu to help you compress and ex- column handler shell extension will be called tract files? This is done with a special program by Windows Explorer when it needs the addi- (a shell extension) installed by the WinZip tional column info. The PDF column handler setup program.