A German airline says they spend ten times more on security than ten years ago

“Our security costs have increased tenfold since 2001,” Lufthansa Cargo spokesman Michael Göntgens told Deutsche Welle. “If the German government is considering a surcharge to cover costs for additional security measures, we all need to sit at the table to discuss the issue. Freight companies with their major hub in Germany, like us, need to be competitive.”

They don’t tell us what they spent ten years ago, so the multiplier is a bit misleading. They should say what percentage of their budget is spent on security. Rough estimates usually say spending 10-12% is the optimum range. Lufthansa might have been spending 1% and only after a 10x increase are now able to actually start to address the risks.

Unlike passenger airlines, freight companies are still not required to screen 100 percent of their airborne cargo. Significant changes in the way air freight is screened could have a major impact on the wider economy, as about one third of the world’s trade by value is now transported by aircraft.

It is always more expensive to build security into a process late, but the cost of not adding security (impact on the wider economy) could be even higher.

Funny analysis of protester risks, comparing Wisconsin and Egypt, by Jon Stewart on The Daily Show:

Here are ten Lift answers for the OWASP Top 10 vulnerabilities by David Pollak on Liftweb, Thu, 22 Oct 2009:

1. Lift is resistant to XSS attacks. By default pages are composed in
   XML rather than Strings. It takes the developer extra work to insert XSS
   strings into output rather than having to make sure each String is properly
   escaped before being cat’ed to the output.
2. Lift is resistant to SQL Injection attacks because mapper and JPA do
   not compose Strings into SQL statements, but rather bind well typed
   parameters into prepared statements. So, if you go the normal path, you get
   SQL injection resistance. If you want to manually craft a String to send as
   a query, in mapper you have to “sign” the string with the time, date and a
   certification that you’ve reviewed the String for SQL Injection problems.
3. Lift never shells out. You can’t cause a file to be executed from a
   Lift app unless your app manually uses Java’s Runtime.execute() call.
4. By default, Lift creates opaque GUIDs to refer to components on the
   server side (whether that’s a function to execute when a form field is
   submitted, what to do on an Ajax call, etc.) By default, it’s easier to use
   this callback mechanism than advertise a primary key or other sensitive
   piece of information. Lift also has the KeyObfuscator which will create a
   session-specific mapping of primary keys to opaque ids. Using
   KeyObfuscator, you can send JSON objects to the client with stable primary
   keys that are obfuscated and not usable outside the current session.
5. By default Lift’s form fields contain GUIDs that are cryptographically
   impossible to predict. It’s not possible to do CSRF because one does not
   know the name of form fields (they are not stable)
6. Lift has different production vs. development mode error messages.
   There’s little information that leaks about underlying configurations, even
   exceptions, in production mode.
7. Lift uses the container’s session management (usually JSESSIONID) for
   session management. As far as I know, Jetty, Tomcat, Glassfish are secure
   in terms of the way they deal with sessions. Of course, anything that’s not
   over SSL is vulnerable to a cookie stealing attack.
8. Crypto key storage is a container-level issue. See #7
9. See #7
10. Lift’s sitemap is the best and most secure integration of UI and
    page-level access. You can look at the sitemap to determine the access
    control rules for a given page (it’s declarative) and it’s enforced long
    before your page gets accessed.

Liftweb also maintains a “Seven Things” site with six answers to the OWASP Top 10

• A1: Injection – Lift’s Mapper and Record do proper escaping of query strings before they are sent to the backing store.
• A2: XSS – Lift keeps the rendered page as a DOM until very late in the page rendering cycle. This allows Lift to automatically HTML escape Strings before they are sent to the browser.
• A3: Session Management – Lift uses the J/EE container’s session management, allows for generation of new sessions on login, and keeps passwords hashed at all times with per-row salt.
• A4: Direct Object References – Lift forms do not expose direct object references, but instead keep the object references server-side and issues a session-specific token that refers to the objects.
• A5: CSRF – Lift uses session-specific bindings between HTML elements and the server-side behaviors associated with those elements. The bindings cannot be predicted so it’s not possible to issue Cross Site requests that invoke session-specific bindings.
• A8: URL Access – Lift includes SiteMap which provides declarative rules for access to URLs in the application. SiteMap will deny access to URLs unless the criteria is met for accessing the specific URL.

Secumania posted on February 4th a a privilege escalation flaw in Metasploit 3.5.1

By placing a DLL file in the %systemdrive%\framework\postgresql\bin it is possible to get it loaded by a program (postgres.exe) that is executed by the frameworkPostgreSQL´s service executable (pg_ctl.exe), every time the service starts, with NT AUTHORITY\SYSTEM user privileges, being able to run arbitrary code in the local system. Notice the service startup is set to automatic by default.

I know, I know, you’re probably thinking “who runs this on Windows?” Metasploit has fixed the problem, perhaps ironically, by following the Microsoft Windows Application Specification (e.g. Requirement 4.4: Run in a secure Windows environment from January 21, 2000) a little more diligently in their Feb 9th release of 3.5.2. OMG that’s nearly 432,000 seconds in 0-day time since disclosure!

The new installers fix this issue through two changes: first, we’ve moved the default installation to %ProgramFiles%, which does not normally allow non-admin write access; second, we explicitly remove any inherited permissions for the “Users” and “Authenticated Users” groups. For users who prefer not to re-install Metasploit, you can use the following commands to fix the problem:

Vista and newer:

icacls c:\framework /inheritance:d /t
icacls c:\framework /remove *S-1-5-32-545 /t
icacls c:\framework /remove *S-1-5-11 /t

For systems older than Vista, you will need the xcacls.vbs tool available from Microsoft.

xcacls.vbs c:\framework /E /R SID#S-1-5-32-545 /T

Note that the “Authenticated Users” group doesn’t exist before Vista, so you only need to remove “Users”.

This issue is mitigated by the fact that it only affects multi-user Windows installations with low-privileged accounts, a scenario we believe to be a small percentage of our users.

Cue the evil cackle/laugh. Is that meant to be a hint? A liability disclaimer? Metasploit knows full well that those who choose to run Windows installations always run with high-privileges. Srsly now.

Metasploit must monitor download data for Windows version of the program, so maybe they could qualify their statement with something like “a small percentage of our tens of thousands/hundreds of…Windows users”. Even better would be if they could say “Dear HBGary, your installation of Metasploit…”. Kidding. Everyone knows HBGary used home-grown pentest tools as part of their custom CMS.