Blog

Mar 2011 - Webapp Security Fengshui (Hong Kong version) (Researchers: Darkfloyd x AlanH0 from VXRL)

Although we are not Chan Chun-chuen (陳振聰), that "outstanding" fengshui master who can earn a billion or so just by digging holes, we tried to find some basic website vulnerabilities. It turned out they were child's play: five minutes on each site was enough to find a flaw. Across 90 websites we found 1-2 vulnerabilities each, over 150 vulnerabilities in total!

In fact, many companies (including the government, banks and the HKMA) think that running a security scanner counts as handing in the homework. When they do a penetration test, they also restrict what the tester is allowed to do. Do you really think an intruder will follow the rules that protect your rice bowl?

Frankly, we were only playing around half-heartedly and still found plenty of vulnerabilities. Website security in Hong Kong really needs attention. In a word: "shoddy".

Also, penetration tests and audits are done on a snapshot basis, once in a long while, and people think that deploying a web application firewall settles everything, which is truly naive :) They outsource website development to someone else and have no idea the site has vulnerabilities; big companies are no different.

I still remember doing risk management at a European-owned insurance company back then: that department only knew how to produce reports, and the so-called IT risk manager only knew how to give very high-level comments. Good governance paired with a hand-in-the-homework culture is just as useless.

Funniest of all, even the Big 4, the big companies' go-to firms for handing in that homework, have SQL injection and XSS on their own websites. Your company throws a few million at people with only one or two years of penetration testing experience; how generous.

We are still finding vulnerabilities as we go, from XSS at the small end to being able to dump an entire database of personal data at the large end. When will it be your company's turn?

The truth is that not everyone has the courage to face and admit this; don't wait until you have been hacked to cry "no". Even if the enemy does not move, we move first. Putting more continuous pre-detection controls in place, running a secure system development lifecycle, and giving IT professionals in every role security awareness: that is the real remedy.

In these two months, we have done a large-scale but simple vulnerability-digging exercise to check whether banks and companies have put controls in their web applications. We referred to the OWASP Top 10 but spent only 10-15 minutes on each site. Amazingly, we found over 120 vulnerabilities across 80 companies. Some banks, listed companies and Hong Kong government departments have carried out "regular" audits and penetration tests; we doubt whether they simply ran a scanner, found nothing, felt safe and secure, and treated security as a kind of "homework". Did they undertake a real test? Did they follow a secure system development lifecycle?

By the way, we found that we could potentially dump thousands of job-applicant records (name, address and phone, as well as the position applied for) from a well-known listed MNC. We reported this issue through a contact, but they simply did not take it seriously. We will publish it soon if they do not pay attention. In addition, we are glad that some banks' CERT teams have reached out to us for rectification and more details.

We will publish a detailed white paper with recommendations. Please stay tuned, dudes. By the way, the crawl for vulnerabilities is still ongoing.

For more details, please visit www.vxrl.org -> blog, where we will publish the sites with vulnerabilities. ;-)

Aha, the tools we used are: Google, Firefox and manual penetration-testing "kung fu".

1. You pay money to the Big 4 to seek assurance, yet their own sites exhibit XSS and SQL injection flaws, which is quite a contradiction.

2. XSS everywhere in various HK banks, etc.

3. Merrill Lynch, i-Bank... nothing special in security :)
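The two flaw classes that dominate the findings above (SQL injection that can dump a whole table of personal data, and XSS from unencoded reflection) both come down to mixing untrusted input with code. The following is an added illustration, not code from VXRL or from any of the sites surveyed: a constructed in-memory applicant table, the flawed query pattern beside its parameterized replacement, and the same contrast for HTML output encoding. Table and column names, the sample rows and the probe string are all made up for the demonstration.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table standing in for the kind of
    job-applicant database the post describes. Names and phones are fake."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER, name TEXT, phone TEXT, position TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants VALUES (?, ?, ?, ?)",
        [
            (1, "Alice", "9000-0001", "Analyst"),
            (2, "Bob", "9000-0002", "Engineer"),
            (3, "Carol", "9000-0003", "Manager"),
        ],
    )
    return conn


def lookup_vulnerable(conn, position):
    """Flawed pattern: the request parameter is concatenated into the SQL text,
    so a value containing a quote rewrites the WHERE clause. With the classic
    probe "x' OR '1'='1" the whole table comes back instead of one position."""
    sql = f"SELECT name, phone FROM applicants WHERE position = '{position}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, position):
    """Hardened pattern: the driver binds the value as data. Whatever the
    parameter contains, it can only ever be compared against the column."""
    return conn.execute(
        "SELECT name, phone FROM applicants WHERE position = ?", (position,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Flawed pattern: untrusted input reflected into HTML without encoding,
    so markup in the parameter becomes markup in the page (reflected XSS)."""
    return f"<p>Hello, {name}</p>"


def render_greeting_escaped(name):
    """Hardened pattern: encode for the HTML text context before reflecting.
    html.escape turns <, >, &, " and ' into entities, so they render as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed probe string for the demonstration
    print("concatenated SQL returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized SQL returned", len(lookup_parameterized(db, probe)), "rows")
    print(render_greeting_vulnerable("<b>tester</b>"))
    print(render_greeting_escaped("<b>tester</b>"))
```

The parameterized query is the control a code review or a secure SDLC gate should be looking for; a scanner that only fires a few canned payloads at the login page will miss the same flaw in a less obvious parameter, which is one reason the "run a scanner, find nothing" routine described above gives false comfort.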

Aug 2010 - Blackhat and DEFCON talks on YouTube

Balancing Pwn Trade Deficit (Speakers: Val Smith, Colin Ames and Anthony Lai)

URL: http://www.youtube.com/watch?v=vZPdcf_FFh0

Power of Chinese Security (Speakers: Anthony Lai, Jake Appelbaum, Jon Oberheide)

URL: http://www.youtube.com/watch?v=Dy7qrO8ryk8

Mar 2010 - Comprehensive Blended Malware Threat Dissection: Analyze Fake Anti-Virus Software and PDF Payloads

By: Anthony Cheuk Tung Lai (posted on March 2, 2010)

At the Malware Domain List web site (Malware Domain List, 2009), simply enter “PDF” in the search box and a number of malicious sites marked “PDF Exploit” are listed. This reflects how popular malicious PDF files currently are as a malware carrier. It is difficult for end users to realize that popular sites, and PDF files sent by friends, may actually carry shellcode and exploits. Besides PDF malware, fake anti-virus software is also popular as a payload downloaded to victim machines; it lures end users into voluntarily clicking to "scan" their computers, which installs a malicious executable payload.