Security Blog

Ivan Ristic on Web Security

Ivan Ristic of SSL Labs, a research division of Qualys, talks about web security and endorses Google’s new SPDY protocol, which improves performance and is secure by default. Ristic emphasizes that security should be the default, not something that depends on administrators and developers getting every step right. He backs the idea that all web transactions should be done over SSL, and points out that sites which use SSL often fail to mark their cookies as secure as well, frequently defeating the purpose of using SSL in the first place.
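The cookie mistake Ristic describes is easy to check for. The following Python is an added example, not code from the talk or from this blog: it parses Set-Cookie headers, reports cookies that lack the Secure (and HttpOnly) attribute, and shows how to emit a correctly flagged cookie with the standard library. The three header values are constructed samples, not captured from any real site.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not from the original post. The header values below are
constructed samples, not captured from any real site.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Set

# Constructed sample: three cookies an HTTPS site might set.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # Secure missing: sent over plain HTTP too
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",  # correctly flagged
    "prefs=dark; Path=/; Max-Age=31536000",        # neither flag set
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute names.

    Attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return {"name": name, "attrs": attrs}


def find_insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies lacking Secure.

    Without Secure the browser also sends the cookie on plain-HTTP requests to
    the same host, so a network attacker can read it even though the site
    itself runs over SSL; that is the failure Ristic describes.
    """
    return [c["name"] for c in map(parse_set_cookie, headers) if "secure" not in c["attrs"]]


def find_script_readable_cookies(headers: List[str]) -> List[str]:
    """Names of cookies lacking HttpOnly, i.e. readable by page JavaScript."""
    return [c["name"] for c in map(parse_set_cookie, headers) if "httponly" not in c["attrs"]]


def build_secure_cookie(name: str, value: str) -> str:
    """Emit a Set-Cookie value with Secure and HttpOnly set, using the stdlib."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    print("missing Secure:  ", find_insecure_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("missing HttpOnly:", find_script_readable_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("hardened example:", build_secure_cookie("sessionid", "abc123"))
```

Run against a real site by feeding it the Set-Cookie headers from an HTTPS response; any name in the first list is a cookie that will travel in the clear the moment anything on that host is fetched over plain HTTP.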


Token Gesture: PCI Security Standards Council Introduces Encryption

This month the PCI Security Standards Council released a paper describing the use of tokens in place of the PAN (Primary Account Number).  While this is far from being a magic bullet that solves all security issues inherent in credit card processing, and does not remove the need for PCI certification for card processors, in certain situations it could help considerably.

The fact is, the less frequently PANs traverse networks, the less chance they’ll be snooped.  The basic idea here is practiced all over the Internet already.  Instead of sending the PAN, encrypt it, and send a “token” instead.

The first analogy that comes to my mind is the use of salted hash functions to protect the contents of /etc/passwd on UNIX systems. Many years ago /etc/passwd, a text file involved in local authentication for UNIX, actually contained the passwords of all the users. After some time people took to hashing the passwords with a salt, and later to moving the hashed values out of /etc/passwd entirely into /etc/shadow.

This is similar to the process described here. Instead of authenticating a purchase by passing the actual PAN data, the PAN is encrypted or tokenized, and then decrypted/detokenized at the other end. The analogy isn’t perfect (some tokens are multi-use, for example), but the basic concept is the same: encrypt the PAN so it is transmitted and stored “in the clear” less often.

While the idea of encrypting cardholder data is far from revolutionary, it’s at least encouraging to see the effort.  Furthermore, the fact this isn’t a new concept means it should be easy for the engineers implementing it to grasp.
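To make the substitution concrete, here is a toy tokenization vault in Python. It is an added example, not code from the PCI Security Standards Council paper or from any real product: the merchant keeps only a random token, the vault alone can map it back to the PAN, and tokens are generated so they never pass the Luhn check and so cannot be confused with a card number. The card number used is the constructed test value 4111111111111111, and the mapping lives in memory (a real vault stores it encrypted and is itself in PCI scope).

```python
"""Toy tokenization vault: a random token stands in for the PAN.

Added example, not from the PCI SSC paper or any real product. The mapping is
kept in memory; a production vault stores it encrypted, under strict access
control, and is itself inside the PCI scope. The PAN used in the demo is a
constructed test number, not a real account.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn check used by payment card numbers (also lets us spot tokens)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to PANs; a token carries no information about its PAN."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_index_to_token: Dict[str, str] = {}
        # Secret key for the lookup index, so the index never holds a PAN in clear.
        self._index_key = secrets.token_bytes(32)

    def _pan_index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        """Return a token for the PAN; multi-use tokens repeat for the same PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        index = self._pan_index(pan)
        if multi_use and index in self._pan_index_to_token:
            return self._pan_index_to_token[index]
        while True:
            # Random body; the last four digits are kept for receipts.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject anything that passes Luhn, so a token can never be
            # mistaken for (or used as) a real card number.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        if multi_use:
            self._pan_index_to_token[index] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can go back from token to PAN."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"            # constructed test number
    token = vault.tokenize(pan)
    print("merchant stores:", token)
    print("vault resolves: ", vault.detokenize(token))
```

The salted-hash analogy from the post shows up in the lookup index: the vault finds an existing multi-use token by a keyed hash of the PAN, never by the PAN itself, just as /etc/shadow holds a hash rather than the password.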


Microsoft still not ready for the Internet.


This month Microsoft pushed 13 security bulletins to address 22 vulnerabilities in its software. The two most notable were a flaw in the Windows DNS server and seven in the Internet Explorer browser.

The IE vulnerabilities affect all supported versions of Internet Explorer up to and including IE 9. The August Patch Tuesday update purportedly fixes errors in the way IE handles objects in memory and JavaScript handlers.

According to MS11-057, an attacker who successfully exploited any of the vulnerabilities could gain the same user rights as the local user, and the most severe vulnerabilities could allow remote code execution if a user visits a specially crafted webpage with IE.

Jason Miller, manager of research and development at VMware’s Shavlik Technologies, said the IE flaws and the Windows DNS error allow cybercriminals to attack systems remotely. Any time there’s a public vulnerability “out in the wild, it’s important to disclose it as soon as possible,” Miller said.

I remember as a young system administrator, back in 2000, maintaining a policy that no Windows host was allowed to receive connections directly from the Internet.  This policy was a result of experience, because any time anyone deviated from the policy the Windows hosts in question would be compromised.  As a result, we kept all the Windows hosts behind layers of firewalls, placed Sendmail hosts in front of the Exchange server, and reverse-proxies in front of IIS servers.   At the time  I remember thinking “well… Microsoft just isn’t mature enough to play on the Internet yet, that’s why we have UNIX/Linux.”

Seems not a lot has changed since then.

“Patching administrators also must address server-side vulnerabilities. MS11-058 addresses two privately reported vulnerabilities in the Windows DNS server. The flaws affect the server side rather than a client request to a DNS server. If the company DNS servers have caching of DNS relaying enabled, the system is at risk. Otherwise, if the DNS role is not enabled, users are not at risk, although they should still deploy the patch to be on the safe side,” Miller said.

Remote root attacks against DNS servers are so 1999.

I wonder if Microsoft will ever have an operating system that doesn’t require hand holding.  My guess is as long as people vote with their dollars, the answer is “no.”


Amazon Web Services Announces IAM (Identity and Access Management)

Amazon was one of the first players to take cloud services seriously, and more importantly, to offer them to us. As an early adopter of EC2 and S3, I was excited to read on August 3rd that they have added the ability for us to include our existing LDAP and Active Directory federations in their own security model.
For example, before, if I wished to allow a user access to a home directory in Amazon’s cloud, I’d have had to create an AWS identity to manage. Since single sign-on is a goal most IT shops (and in my case consultants) aspire to, it’s nice to be able to extend existing LDAP/AD trees into the cloud. Now I can grant access to users locally in LDAP or Active Directory, and it will enable access with temporary security credentials which can sign AWS requests.

IAM enables you to control access to AWS service APIs and specific resources. IAM also enables you to add granular conditions which control exactly how a user can use AWS, such as time of day, their IP address, or even whether the connection uses SSL or not.
IAM can be used to grant your employees and applications access to AWS service APIs, using your existing identity systems such as LDAP or Active Directory.
It is now possible to enable your mobile and browser-based applications to securely access AWS resources by requesting temporary security credentials that only grant access to specific AWS resources, for a specified period of time.
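The “time of day, IP address, SSL or not” conditions above are expressed in the policy document’s Condition block. The Python below is an added example, not AWS’s own policy engine and not code from this post: it holds a constructed sample policy using the real IAM condition keys aws:SecureTransport, aws:SourceIp and aws:CurrentTime, and evaluates requests against it with default deny and explicit-deny-wins semantics. The bucket name, date window and network range (an RFC 5737 documentation block) are placeholders, and only four condition operators are implemented.

```python
"""Minimal evaluator for IAM-style policies with conditions.

Added example, not AWS's own policy engine and not from the original post.
It understands only the Bool, IpAddress, DateGreaterThan and DateLessThan
operators, applied to the real IAM condition keys aws:SecureTransport,
aws:SourceIp and aws:CurrentTime. Bucket name, dates and network range are
constructed placeholders.
"""
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Constructed sample policy: read one bucket, only over SSL, only from the
# office range (RFC 5737 documentation addresses), only during a date window.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {
                "Bool": {"aws:SecureTransport": "true"},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                "DateGreaterThan": {"aws:CurrentTime": "2011-08-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2011-12-31T23:59:59Z"},
            },
        },
        {   # An explicit Deny always wins over an Allow.
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/secrets/*",
        },
    ],
}


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


# Condition operator -> predicate(actual request value, expected policy value)
OPERATORS = {
    "Bool": lambda actual, expected: str(actual).lower() == str(expected).lower(),
    "IpAddress": lambda actual, expected: ipaddress.ip_address(actual)
    in ipaddress.ip_network(expected, strict=False),
    "DateGreaterThan": lambda actual, expected: _parse_time(actual) > _parse_time(expected),
    "DateLessThan": lambda actual, expected: _parse_time(actual) < _parse_time(expected),
}


def conditions_match(condition: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """Every operator/key pair must hold; a key absent from the request fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            if not any(OPERATORS[operator](context[key], e) for e in _as_list(expected)):
                return False
    return True


def is_allowed(policy: Dict[str, Any], action: str, resource: str, context: Dict[str, Any]) -> bool:
    """Default deny; a matching Allow grants unless a matching Deny exists."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, pat) for pat in _as_list(statement["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(statement["Resource"])):
            continue
        if not conditions_match(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ctx = {"aws:SecureTransport": True, "aws:SourceIp": "203.0.113.45",
           "aws:CurrentTime": "2011-08-15T14:30:00Z"}
    print(is_allowed(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.pdf", ctx))
```

The same request over plain HTTP, from an address outside the range, or outside the date window is refused, which is the point of putting these conditions in the policy rather than trusting the caller to behave.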


Reddit Founder Accused of IP Theft

Aaron Swartz, co-founder of news site Reddit, was indicted Tuesday on charges of breaking into the MIT network and stealing documents from JSTOR, an archive of academic journal articles. Specifically, the indictment charges Swartz with wire fraud, unlawfully obtaining information from a “protected” computer, and recklessly damaging a protected computer. If found guilty, the penalty is a hefty 35 years in prison and a fine of up to 1 million dollars.

According to prosecution, Swartz obtained access via a wiring closet in the basement of an MIT building. From there he accessed JSTOR and downloaded some 4.8 million articles. According to the indictment Swartz intended to make all of these journal articles free via a file sharing site.  Of the 4.8 million some 1.7 million were accessible “for pay.”

Some background on Swartz.  Swartz is an online political activist and programmer.  He is founder of the nonprofit Demand Progress, a civil liberties advocate group.  According to the current executive director of Demand Progress the indictment “makes no sense” and called the charges “bizarre. It’s like trying to put someone in jail for allegedly checking too many books out of the library.”

JSTOR’s statement said: “We stopped this downloading activity, and the individual responsible, Mr. Swartz, was identified. We secured from Mr. Swartz the content that was taken, and received confirmation that the content was not and would not be used, copied, transferred, or distributed.”

Now, regardless of your opinion on to what degree this is activism and to what degree it is theft, a couple of statements I’m reading just don’t make sense. For one, JSTOR claims that such a massive download harmed their servers. Really? Please explain to me how he physically damaged servers by using them for what they’re intended for, namely making files available for download.

The other thing that really annoys me is the comment by JSTOR “We secured from Mr. Swartz the content that was taken.”  Ok, so you know the content is digital, right?  If we follow the analogy that his crime is akin to checking out too many library books, this makes sense, but the thing is they didn’t need to get their books back.  The articles in question are digital.

If JSTOR and/or MIT plan on suing Mr. Swartz, they should at least be clear that they are suing him for “intending to make copyrighted materials public.” So he didn’t actually commit the crime yet; he just intended to.

The elephant in the room, at least for me, is how they were able to act so quickly and apprehend Swartz before he had a chance to make the files available. To me, this stinks of a setup. Swartz is a political activist, and unfortunately in this and many other countries that makes him a target. Given the political climate surrounding new legislation that could make it criminal to even play copyrighted material over 10 times on YouTube, one could see how Swartz could have a target painted on his back. Furthermore, during the time of the theft, Swartz ironically was a fellow at Harvard University, through which he could have accessed JSTOR services. Curious, no?

In any case, Swartz was released on $100,000 bail, with a trial date of September 9th.


Cyberspace, the DoD’s 5th Domain

Years ago I remember sitting around at the office with a former boss of mine, who literally scoffed at the idea of foreign governments or independent agents using the Internet as a medium of warfare against the US.  I told him to “strap in” because it was already happening, and it would only become more prevalent.

Well, how about that? Last week William Lynn of the Department of Defense released a 40-page unclassified version of its first-ever cyberspace operations strategy. It’s a new domain, if you will, for our military: formerly just land, water, air, and space … and now cyber-space.

Perhaps due to the fact the agency was the victim of an attack in March, when foreign attackers stole some 24,000 sensitive files from the Pentagon? No wait, maybe it was the fact we’ve lost data regarding missile tracking systems? How about satellite navigation? Unmanned drones? Jet fighters? The answer is an unequivocal “yes.” We have lost data about all of those things to foreign hackers.

Since the version released is the unclassified one, it doesn’t go into a ton of detail. It basically stresses increased network resilience and generally being prepared in the event something truly horrible comes our way from cyber-space, and it says nothing about offensive maneuvering.

“The cyberthreats we face are urgent, sometimes uncertain and potentially devastating as adversaries constantly search for vulnerabilities,” Lynn said in a statement. “Our infrastructure, logistics network and business systems are heavily computerized. With 15,000 networks and more than seven million computing devices, the [Defense Department] continues to be a target in cyberspace for malicious activity.”

Soldiers will be prepared for various wartime scenarios such as “degraded cyberspace operations for extended periods and disruption during a mission.”  I wonder if these soldiers will be fueled by typical mess hall fare, or will they live on a diet of Red Bull and Hot Pockets?  Will “Reveille” be sounded for these particular soldiers at 4 in the afternoon?  Will they wear normal military dress or will Slayer shirts suffice?  I digress…

Besides training cyber-soldiers, the DoD has deployed a system of sensors and other software to gather intelligence, a giant intrusion detection network if you will.


Android Malware, David and Goliath, etc…

In case you’re blissfully unaware of mobile phone news, allow me to tell you one of the biggest headlines. Google-backed Android and Apple’s iPhone are in a battle to determine dominance in the cell phone market.

The incumbent iPhone has been criticized for being the behemoth player in the market, the Goliath to Android’s Open Source David. Apple has been accused of being heavy-handed, charging fees for those who would write apps for their platform, and being overly critical of what is allowed past their sentries and into the Apple App Store. They’ve even been slammed for charging an additional 30% of each sale, the capitalist evil of it all!

In short, Apple has been acting as Apple always has. They keep their hardware and software linked. In what many view as the stupidest thing Apple ever did, back in the ’80s, unlike Microsoft with Windows, they didn’t enter into agreements with outside hardware makers. The result was Windows growing into a giant buggy monopoly, while Apple stayed small – yet functional.

What we see today in the iPhone vs. Android battle does not remind me of Android as the underdog, the Linux, if you will, to Apple’s Microsoft. What we’re seeing in these Android app marketplaces is all of the confusion and security-hole-ridden infestation of a bloated Microsoft giant, without the benefits of the peer oversight usually associated with Open Source projects.

I must confess that when I first learned and downloaded Google’s Open Source Android code way back when, I was excited that just maybe the community would have a shot at the mobile phone market. What we have instead is utter chaos.

Is it the money? Probably.

Unlike the Linux kernel and the major Open Source distributions, these Android app marketplaces seem to lack code review. I’m not intending to throw out the baby with the bathwater here. The conspiracy theorist in me almost thinks Apple has hired a clandestine team of hackers to write and distribute Android malware via backwater app stores in order to sully the name of Android for people who don’t understand the difference between Android and the various marketplaces that peddle Android apps.

About a month ago Android made the news because of the Dream Droid Lite set of malware, an encore to the Dream Droid set from a month before that. Now we have a new round of Android malware.

Like Droid Dream, this new malware doesn’t rely on the user manually launching the infected app to start it. Like a proper virus, the malware can change its next connection time and the command-and-control server the Trojan “mothership” uses to communicate with the malware on the infected device. It can initiate an app download and create several install-related prompts that direct the victim to download other apps, send the user to malicious web addresses, and even update itself.

Obviously, Android users can protect themselves by downloading apps only from trusted sources and developers known by name and perhaps rating. In short, the user has to treat their phone as if it were a Windows-based computer. I don’t know about you, but as much as I like the computer-like features of my smartphone, I like that ultimately it isn’t a computer first, it’s a phone. I have enough computers in my life to worry about, and I’m willing to bet most of you do as well.

Without further ado, the latest two stars in the world of Android malware are …

HippoSMS: Researchers at North Carolina State University found this one on alternative app markets in China. It’s designed to incur charges by sending SMS messages to a hard-coded premium-rate number. Yikes!

Zitmo: A banking trojan, this piece of trash poses as a banking activation application and then forwards all your SMS messages to a remote web server, in the hope that the one-time passwords banks send to customers as an extra authentication factor can first be grabbed by the knuckleheads that birthed this crap.

I understand that choice is an important thing in the marketplace, and that before you install anything anywhere, CAVEAT EMPTOR. Still, for now I’m happy that my iPhone and I don’t have to worry about it.


White List, Black List, Forensics. Finding a Needle in a Haystack.

A common theme in information security, since its inception, has been the concept of white lists and black lists. Whether the threat is a virus or SPAM, typically people start by building black lists: databases of “fingerprints” for viruses or known SPAM messages. Eventually the black list gets so large that people revert to white lists – that is, assume everything is suspect unless it’s on a list of known acceptable entities. For example, when the volume of SPAM becomes too great, one surefire way to block it is to only allow people in your address book to send you mail. There are even services built around this concept, such as spamarrest.

Recently, the concept of the white list has made its way into data forensics. So-called “data reduction software” can reduce the time it takes to search a system by removing known-good files, such as operating system files. Computer forensics software like AccessData’s Forensic Toolkit automates the screening of files for specific profiles and signatures during a forensic investigation.

When a drive shows up in the office of a computer forensics team, the first thing to be done after cloning the drive is to eliminate as much information as possible from the research, in order to enable the researcher to focus on what’s important. Limiting the set of information to be studied means more time is spent looking at what is important, and less time weeding through typical files associated with Windows or other known software. In fact, NIST has created a National Software Reference Library, designed to collect software and incorporate file profiles from the software into a Reference Data Set (RDS). The RDS is a collection of digital signatures of known, traceable software applications. It currently contains data for about 11,000 software applications.
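The reduction step looks like this in practice. The Python below is an added example, not NIST’s or AccessData’s code: it hashes every file under an evidence root, drops those whose SHA-1 appears in a known-good set, and returns only what a human still needs to look at. The “RDS” rows it consumes are constructed here and simplified to the SHA-1, MD5 and FileName columns (the real NSRL file has more), and the evidence tree is written into a temporary directory so the whole thing runs offline.

```python
"""Known-good file reduction with an NSRL-style hash set.

Added example, not NIST or AccessData code. The "RDS" rows below are
constructed and simplified to SHA-1, MD5 and FileName columns; the evidence
tree is generated in a temporary directory so the example runs offline.
"""
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple


def file_digests(path: Path) -> Tuple[str, str]:
    """SHA-1 and MD5 of a file, streamed so large images don't fill memory."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def load_known_good(rds_rows: Iterable[str]) -> Set[str]:
    """Parse simplified RDS CSV rows into a set of lower-case SHA-1 digests."""
    return {row["SHA-1"].lower() for row in csv.DictReader(rds_rows)}


def reduce_directory(root: Path, known_sha1: Set[str]) -> List[str]:
    """Return relative paths of files whose SHA-1 is NOT in the known-good set."""
    unknown = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        sha1, _ = file_digests(path)
        if sha1 not in known_sha1:
            unknown.append(path.relative_to(root).as_posix())
    return unknown


# Constructed evidence tree: two "OS" files we will whitelist, two user files.
SAMPLE_TREE: Dict[str, bytes] = {
    "WINDOWS/system32/kernel32.dll": b"pretend kernel32 contents",
    "WINDOWS/notepad.exe": b"pretend notepad contents",
    "Users/bob/odd_tool.exe": b"something nobody has seen before",
    "Users/bob/notes.txt": b"meeting at 10",
}
KNOWN_GOOD_NAMES = {"WINDOWS/system32/kernel32.dll", "WINDOWS/notepad.exe"}


def build_sample_rds(tree: Dict[str, bytes]) -> List[str]:
    """Construct RDS-style rows (header plus one row per whitelisted file)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["SHA-1", "MD5", "FileName"])
    for name in sorted(KNOWN_GOOD_NAMES):
        data = tree[name]
        writer.writerow([hashlib.sha1(data).hexdigest().upper(),
                         hashlib.md5(data).hexdigest().upper(), os.path.basename(name)])
    return buf.getvalue().splitlines()


def demo() -> List[str]:
    """Write the sample tree to a temp dir and return what survives reduction."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        known = load_known_good(build_sample_rds(SAMPLE_TREE))
        return reduce_directory(root, known)


if __name__ == "__main__":
    for path in demo():
        print("needs a look:", path)
```

Matching is by content hash, not by name or location, so a file that merely calls itself kernel32.dll but does not hash to the known-good value stays on the list.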

At Spohn consulting we employ a similar technique when searching a client’s network for malware. We have a database of known good ports and after we collect information from all the hosts on the network we can rather quickly eliminate the fingerprints of known good services and processes, which enables us to focus on what isn’t normal.


Where There’s a Will There’s a Way

I read an excellent article recently from some really smart folks over at Netragard. Basically these guys were asked to do a penetration test for a network with only an outward-facing IP address, no open services, and social attacks off the table. They weren’t allowed to call and ask users to reset passwords or anything like that, or even email users at the client company.

Read their article to learn the specifics of the attack, but suffice it to say they decided not to go with mailing USB sticks to everyone at the company, bundled with a zero-day attack, since most companies disable auto-run of inserted media as a Windows policy now.

I thought about a solution to this before I read their elegant attack, and about as close as I got was to acquire a list of employees and then mail USB sticks to their homes, since auto-run policies probably don’t cover home machines, and very often home machines access office networks. The only other thing I could think of off hand would be to try to target them and try to lure them over to malicious ads, but I feared I would accidentally get the wrong people, since there’s no way I could be positive I was only “attacking” the clients.

Summed up, their attack was brilliant, if time-consuming. Buy some USB mice, modify said mice with a USB hub board, attach a mini flash drive to the USB hub, insert the contents back into the mice, along with a zero-day attack just waiting to reach out and contact Metasploit should anyone plug it in. Repackage the mice, and mail them to the client company.

Anything that plugs into a computer can potentially be an attack vector. Brilliant!


Chromium, and Meet the New Standard, HSTS

Everyone in the information security field knows HTTPS is more desirable than HTTP. “Back in the day” HTTPS was computationally expensive and thus reserved for banking sites and email (although in practice many email providers didn’t provide this or enforce an HTTPS-only policy). Now that the burden of doing all those HTTPS calculations has long since moved from the web server itself onto special hardware SSL accelerators, there is no reason to use HTTP for anything.

Google is spearheading the change toward SSL. Recently in the Chromium Blog, a new standard, HSTS, was mentioned. HSTS allows a site to tell a browser that it should only be contacted via HTTPS.

Additionally, a new page in current Chromium-based browsers such as Chrome, at the URL chrome://net-internals/, includes many interesting details, including control of the browser’s use of HSTS. For example, you can force a particular domain to use only HTTPS.

Chromium version 13, currently the beta build, will force all GMail loads to use HTTPS, even if the user specifies HTTP in their user preferences. It uses the HSTS system mentioned above to do this.

Another set of changes in Chromium browsers has to do with certain browser error messages. When an HTTPS page is loaded but contains elements which are loaded over cleartext HTTP, many browsers will display an error or notification letting users know that there are mixed HTTP and HTTPS elements.

Google is putting a lot of focus on this in the upcoming versions of the Chromium browsers because of so-called “mixed scripting” vulnerabilities, which are caused when a page served over HTTPS loads a script, CSS, or plug-in resource over HTTP. This allows an attacker with access to the victim’s network to replace the content returned for those HTTP requests. A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the HTTP resource load and gain full access to the website loading the resource.

A less severe but similar problem in the same arena is caused when a page served over HTTPS loads an image, iframe, or font over HTTP. A man-in-the-middle attacker can again intercept the HTTP resource and substitute their own, but normally can only affect the page’s appearance.
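Both halves of this post, the HSTS header and the two classes of mixed content, can be checked from a response without a browser. The Python below is an added example, not Chromium code: it parses a Strict-Transport-Security header into its max-age and includeSubDomains directives (rejecting a header with no usable max-age, which a browser would ignore), and scans an HTML document for sub-resources fetched over plain HTTP, labelling scripts, stylesheets and plug-ins “active” and images and frames “passive”, following the severity split described above. The header values and the HTML page are constructed samples.

```python
"""Parse Strict-Transport-Security headers and classify mixed content.

Added example, not Chromium code. The header values and the HTML document
are constructed samples; the resource categories follow the post (scripts,
stylesheets and plug-ins are "active", images and frames are "passive").
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# (tag, attribute carrying the URL) -> severity, per the post's two classes.
RESOURCE_KINDS: Dict[Tuple[str, str], str] = {
    ("script", "src"): "active",
    ("link", "href"): "active",   # only when rel="stylesheet", see below
    ("embed", "src"): "active",
    ("object", "data"): "active",
    ("img", "src"): "passive",
    ("iframe", "src"): "passive",
}


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Return max-age and includeSubDomains from an HSTS header, or None if invalid.

    A missing or non-numeric max-age makes the header meaningless: the browser
    would not know how long to keep forcing HTTPS for the host.
    """
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, url) for sub-resources fetched over plain HTTP."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr_map = {k: (v or "") for k, v in attrs}
        for (kind_tag, url_attr), severity in RESOURCE_KINDS.items():
            if tag != kind_tag:
                continue
            url = attr_map.get(url_attr, "")
            # Scheme-relative ("//cdn/...") and https URLs are not mixed content.
            if not url.lower().startswith("http://"):
                continue
            if tag == "link" and attr_map.get("rel", "").lower() != "stylesheet":
                continue   # e.g. rel="icon" cannot run code in the page
            self.findings.append((severity, tag, url))


def scan_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page served over HTTPS that mixes in plain-HTTP resources.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="https://cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/tracker.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<iframe src="https://widgets.example.net/w"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(parse_hsts("max-age=31536000; includeSubDomains"))
    for severity, tag, url in scan_mixed_content(SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

Any “active” finding is the full-compromise case the post describes; a “passive” one is the appearance-only case. Fonts pulled in via CSS @font-face are not visible to an HTML-level scan and would need the stylesheet parsed as well.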
