(ISC)2 Announces CSSLP Developer Certification
Posted 2008-09-26 16:09 by Christopher
(ISC)2 has announced a certification for application development security called Certified Secure Software Lifecycle Professional (CSSLP). According to their site, CSSLP seminars will be offered beginning "early 2009" and exams will start June 2009. There will also be an "experience assessment window" starting September 30th in which candidates may submit "Accomplishment Records" for review - accepted qualified applications will get the $650 USD exam fee waived. Similar to the CISSP, the CSSLP requires four years of experience in four or more of the topic areas listed below, endorsement from a current (ISC)2 certified individual, and a commitment to the (ISC)2 Code of Ethics.
Chance to Meet: Gartner ITxpo in Orlando, FL
Posted 2008-09-25 12:46 by Christopher
I am planning on being at the Gartner ITxpo Symposium in Orlando, FL from October 12th-16th for the Security and Risk Management track.
If you are going to be at ITxpo or live in the Orlando area, please drop me a note at http://riosec.com/contact so hopefully we can meet up at the event or in the evening.
- Christopher
Google Chrome Security First Look
Posted 2008-09-01 12:37 by Christopher
Google has announced a new browser, called "Google Chrome", that aims to improve the way applications are delivered on the web. In typical Google fashion, they've created a comic book that depicts the features of the new browser. The browser should be officially released tomorrow at www.google.com/chrome (edit: site is now up!). Below are more details I've gathered about the security features of this upcoming browser.
As they say in the comic book, "when we started this project, it was a very different landscape from when other browsers started." This difference in focus shows in the many announced design decisions which, if implemented as stated, should create a much more secure browser. Read on for some of the details.
More on GIFARs and Other Java Smuggling
Posted 2008-08-17 16:13 by Christopher
Note: Previously I created a quick post on creating GIFAR files. This post is to expand on the topic with additional information and a new (and much improved) video.
How to Create a GIFAR
Posted 2008-08-12 17:05 by Christopher
At BlackHat, security researchers Billy Rios and Nathan McFeters presented "The Internet is Broken", which contained information on GIFARs, a term meaning GIF image files combined with Java ARchives (JAR). These files could be uploaded to sites that allow image uploading (such as many sites' member photos) to run code in the context of that site, getting around the "same origin policy" that browsers impose. This works because GIF images (along with many other file types) store their header at the beginning of the file, while ZIP archives (the format JAR files are made of) are read from the tail of the file, where their directory is stored.
The following video demonstrates this technique.
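As an added defensive illustration (not code from the original post), here is a Python check that a file-upload handler could run: it confirms the GIF magic at the head and looks for a ZIP end-of-central-directory record at the tail, which is how a JAR loader locates the archive. The sample inputs are constructed inline.

```python
"""Detect GIF/ZIP polyglots ("GIFARs") in uploaded image bytes.

A ZIP reader (including Java's JarFile) finds the archive by scanning
backwards from the end of the file for the End Of Central Directory (EOCD)
record, so leading GIF bytes do not stop it from loading a JAR.  The check
below therefore inspects both ends of the file.
"""
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"
# EOCD is 22 bytes plus an optional archive comment of up to 65535 bytes.
EOCD_SEARCH_WINDOW = 22 + 65535


def has_zip_tail(data: bytes) -> bool:
    """True if a ZIP End Of Central Directory record terminates the data."""
    tail = data[-EOCD_SEARCH_WINDOW:]
    pos = tail.rfind(EOCD_SIG)
    if pos == -1 or pos + 22 > len(tail):
        return False
    # The 2-byte comment length must account for every byte after the record.
    comment_len = int.from_bytes(tail[pos + 20:pos + 22], "little")
    return pos + 22 + comment_len == len(tail)


def classify_upload(data: bytes) -> dict:
    """Flag files that look like a GIF to an image viewer and a ZIP to a JAR loader."""
    is_gif = data.startswith(GIF_MAGICS)
    zip_tail = has_zip_tail(data)
    return {"is_gif": is_gif, "has_zip_tail": zip_tail, "polyglot": is_gif and zip_tail}


def zip_library_accepts(data: bytes) -> bool:
    """Cross-check: does the standard library treat the bytes as a ZIP archive?"""
    return zipfile.is_zipfile(io.BytesIO(data))


def build_samples() -> dict:
    """Constructed test inputs: a minimal GIF, a ZIP, and their concatenation."""
    # Smallest valid GIF89a: header, 1x1 logical screen, no colour table, trailer.
    tiny_gif = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3b"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample archive\n")
    plain_zip = buf.getvalue()
    return {"gif": tiny_gif, "zip": plain_zip, "gifar": tiny_gif + plain_zip}
```

Rejecting any upload where `polyglot` is true (or re-encoding images server-side, which drops the trailing bytes) removes the trick without needing to know the archive's contents.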
Metasploit Bailiwick DNS Exploit Adds Domains
Posted 2008-07-24 00:13 by Christopher
Overnight, the Metasploit DNS exploit module has continued to evolve to more devastating effect. Perhaps most importantly, a new module was introduced based on feedback from Cedric Blancher, named Auxiliary::Spoof::Dns::BailiWickedDomain, which replaces the nameservers for a domain, allowing an attacker to redirect all traffic for the entire domain through them. Showcasing the ease of use of the Metasploit Framework, this entire exploit is written in 330 lines, including comments!
Metasploit DNS Exploit Now Reality
Posted 2008-07-23 10:33 by Christopher
As previously predicted, HD Moore has checked in an exploit for the DNS vulnerability originally discovered by Dan Kaminsky. This auxiliary module is named "DNS BailiWicked Attack" (Auxiliary::Spoof::Dns::BailiWickedHost). Written by |)ruid and hdm, this appears to be a fully functioning, easy to use exploit.
From the exploit module code:
Metasploit DNS Exploit Under Development
Unless you are living under a security rock, you've probably heard that details of Dan Kaminsky's multi-vendor DNS vulnerability were inadvertently leaked. If you don't know what this is about, you can read about it here. Unfortunately, it's going to get worse.
Protecting Windows RemoteApp Servers
Posted 2008-05-19 20:05 by Christopher
As mentioned previously, many GUI applications running under the RemoteApp feature in Windows Server 2008 or Citrix Application Publishing can be coaxed into running an unintended application for a remote adversary. Although it appears that the user is only running a single application, the server launches a full desktop environment in the background.
It's also easy to do without the proper security in place. For example, although an administrator can hide the address bar and menu bar in IE, an attacker could just as well right-click, choose View Source, then File > Open from the Notepad window that appears. Although this can also be blocked, there are other methods waiting in the wings. In fact, I've found at least 10 ways to break out of Internet Explorer alone. The following technique can help prevent these issues.
Root Name Server IP Space Mixup
Posted 2008-05-19 09:47 by Christopher
Recently ICANN changed the IP address for the L.root-servers.net DNS root name server from 198.32.64.12 to 199.7.83.42. What happened next is interesting.
According to the Renesys Blog, three separate sites advertised the IP space containing the previous IP of the L root name server. One of these sites, ep.net (AS4555), apparently had a legitimate reason to do so: they are the owners of the space. Two others, Community DNS (AS42909) and Diyixian.com (AS9584), also followed suit. It's possible that they had permission from the owner to do so. What's interesting is that these providers apparently operated functioning DNS servers on those IP addresses. This could be done to redirect (hijack) traffic, but according to the article that does not appear to be the case. Apparently no one noticed that this happened because the sites continued to serve up valid root zone responses.
As they point out in the article, why would anyone want to do so? Root DNS traffic would be a staggering amount of traffic, and the hardware alone needed to respond to those requests would be pretty impressive.
Hijacked IP space (both accidental and purposeful) is a common phenomenon. Although BGP announcements should be filtered at the upstream Service Provider (SP), often they are not. An attacker could potentially exploit this to drive a portion of Internet traffic through them, or to perform a denial of service on the DNS infrastructure.
Hopefully we'll hear more about what caused the (probably innocuous) advertisements of L.root-servers.net.
