Surf Jacking
Just finished reading about Surf Jacking from Ronald van den Heetkamp (and Sandro Gauci and Mike Perry). The demonstration movie that Sandro published really set in stone how interesting this vulnerability is. Sandro’s whitepaper describes the attack in detail; the primary attack scenario is the following:
- Victim logs into the secure web service at https://somesecurebank.com/.
- The secure site issues a session cookie as the client logs in.
- While logged in, the victim opens a new browser window and goes to http://www.example.org/.
- An attacker sitting on the same network is able to see the clear text traffic to www.example.org.
- The attacker sends back a “301 Moved Permanently” in response to the clear text traffic to www.example.org. The response contains the header “Location: http://somesecurebank.com/”, which makes it appear that www.example.org is sending the web browser to somesecurebank.com. Notice that the URL scheme is HTTP not HTTPS.
- The victim’s browser starts a new clear text connection to http://somesecurebank.com and sends an HTTP request containing the cookie in the HTTP header in clear text.
- The attacker sees this traffic and logs the cookie for later (ab)use.
The first thing I did after reading this paper was to check my online banking, and I was relieved to see that the session cookies sent by the server were set to “Encrypted Only”.
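The check I did by hand above can be scripted. The following is an added example, not code from the post or from Sandro’s whitepaper: it parses the Set-Cookie headers a login response returns, reports cookies that lack the Secure (and HttpOnly) attribute, and then plays out step 6 of the scenario by asking which cookies the browser would attach to the clear-text request that the attacker’s 301 forces. The sample headers and host names are constructed for the demo.

```python
"""Set-Cookie audit for the surf-jacking scenario.

Added example, not code from the post or from the whitepaper. The sample
response headers and host names below are constructed for the demo.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    issues: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value and note the missing defences."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    audit = CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)
    if not audit.secure:
        audit.issues.append("missing Secure: sent on clear-text http:// requests")
    if not audit.httponly:
        audit.issues.append("missing HttpOnly: readable from script")
    return audit


def audit_response_headers(headers) -> list:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def browser_would_send(audit: CookieAudit, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`?

    Only the Secure flag is modelled; Domain and Path are assumed to match.
    """
    scheme = urlsplit(url).scheme.lower()
    return scheme == "https" or not audit.secure


def cookies_sent_to(headers, url: str) -> list:
    """Names of the cookies the browser would send to `url`. With an http://
    URL this is exactly what an on-path attacker sees after the forced 301."""
    return [a.name for a in audit_response_headers(headers) if browser_would_send(a, url)]


# Constructed sample: the login response from the secure site set two cookies.
SAMPLE_LOGIN_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=c0ffee1234; Path=/; HttpOnly"),            # no Secure flag
    ("Set-Cookie", "SESSIONID2=deadbeef5678; Path=/; Secure; HttpOnly"),  # Secure flag set
]

if __name__ == "__main__":
    for audit in audit_response_headers(SAMPLE_LOGIN_RESPONSE_HEADERS):
        print(audit.name, audit.issues or "ok")
    # Step 6 of the scenario: the browser follows the 301 to the http:// URL.
    print("leaked in clear text:",
          cookies_sent_to(SAMPLE_LOGIN_RESPONSE_HEADERS, "http://somesecurebank.com/"))
```

Only SESSIONID reaches the wire in clear text; SESSIONID2 is what a cookie marked “Encrypted Only” looks like on the server side. The audit deliberately models nothing but the Secure flag, so a cookie scoped to a different Domain or Path would still be reported as sent.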
Posted by Christian
Posted in: Computers, Security, Web Development
No Comments »
11 August 2008
Two-Factor For All
…almost.
So, in the spirit of bringing ubiquitous two-factor authentication closer to the masses (because the excuses are disappearing), I spent a few hours hacking together a Wordpress hack (plugin) that integrates Twitter’s direct message capabilities to provide a one-time PIN when you log in to your Wordpress administration screen. The intent is that the direct messages get sent to your mobile via SMS, giving you SMS one-time PIN generation that mimics the SMS PIN authentication used by financial institutions.
Of course, by using this hack you introduce a number of dependencies, primarily Twitter’s service itself, which doesn’t have a great track record, but also your mobile phone’s network. In addition, the fact that it is a hack, not a plugin, is also potentially a pitfall. That last issue is because I don’t actually know how to write a Wordpress plugin properly. Not for lack of trying; I can’t help it that one of the “pluggable” functions in Wordpress didn’t want to be overloaded. In fact, I’m not entirely sure that functions in version 2.6 can be overloaded(?).
I also have to admit that whilst the motivation is to introduce a second factor of authentication, such as a thing you know (your password) and a thing you have (your mobile phone), by using Twitter’s services you don’t actually need a mobile phone to get your PIN. So if you check your direct messages via the web interface, it’s actually one-by-one factor authentication, not really two-factor, and we all know what 1 x 1 equals, don’t we? But you get the point.
In regards to the good work done on the Phonefactor plugin, I just want to comment that I was halfway through this hack when I read about Phonefactor, and it didn’t support calling Australia, so that meant I was out. The quality of their work is great though.
I’ll release the details soon.
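The server side of a one-time PIN is the part that is easy to get wrong whichever channel delivers it. The following is an added example, not the hack described above: Twitter delivery is replaced by a `deliver(user, pin)` callback supplied by the caller, the store is an in-memory dict, and the PIN length, lifetime and attempt limit are assumptions made for the demo. It keeps only a salted hash of the PIN, accepts it once, rejects it after expiry, and stops accepting guesses after a small budget.

```python
"""One-time login PIN issued out of band.

Added example, not the post author's Wordpress hack. Delivery is abstracted
to a callback so the logic can be exercised offline.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PIN_DIGITS = 6            # assumption: six-digit PIN, as banks send by SMS
PIN_TTL_SECONDS = 300     # assumption: a PIN is valid for five minutes
MAX_ATTEMPTS = 3          # assumption: three wrong guesses invalidate the PIN


class OneTimePinStore:
    """Issues a PIN per user, keeps only a salted hash of it, and accepts it
    at most once, before it expires, within the attempt budget."""

    def __init__(self, deliver):
        self._deliver = deliver          # e.g. send a direct message or SMS
        self._pending = {}               # user -> pending PIN record

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def issue(self, user: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        # secrets, not random: the PIN must be unpredictable to an observer.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "hash": self._hash(pin, salt),
            "salt": salt,
            "expires": now + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        self._deliver(user, pin)         # the clear-text PIN is never stored

    def verify(self, user: str, pin: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        record = self._pending.get(user)
        if record is None:
            return False                 # nothing issued, or already consumed
        if now > record["expires"]:
            del self._pending[user]      # expired: the user must request a new one
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]      # guess budget exhausted
            return False
        ok = hmac.compare_digest(self._hash(pin, record["salt"]), record["hash"])
        if ok:
            del self._pending[user]      # single use
        return ok


if __name__ == "__main__":
    outbox = []                          # stands in for the DM/SMS channel
    store = OneTimePinStore(deliver=lambda user, pin: outbox.append((user, pin)))
    store.issue("admin")
    user, pin = outbox[-1]
    print("first use:", store.verify(user, pin))    # True
    print("replay:", store.verify(user, pin))       # False: already consumed
```

None of this addresses the point made above about the channel: if the PIN can be read from a web interface, the store is still correct but the second factor is not really “something you have”.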
Posted by Christian
Posted in: Computers, Profession, Security, Web Development
6 Comments »
4 August 2008
Reverse Engineering Web Applications
I was having a discussion at work the other day with a colleague, drawing parallels between current web application security/penetration testing and reverse engineering. I believe the comment was initially driven by the fact that a lot of the web app pen testing we had been doing recently involved a large amount of client-side code (thanks a lot, web two dot oh!), and that we had spent quite some time dissecting javascript trying to understand logic flows and underlying service calls.
At first I was apprehensive about agreeing with him; immediately in my mind I was seeing a one-to-one relationship between reverse engineering and binary executable disassembly. I was thinking of reverse engineering as the process of running up a compiled, binary executable in something like IDA Pro to map out how the executable functioned, or even the concept of network sniffing to understand a network protocol.
Of course, the more we discussed it, the more it started to make sense that perhaps web app sec testing was like reverse engineering. In the instance of the web application, we were actively trying to get a higher level understanding of what the application was doing, and how all its inter-related pieces functioned, trying to understand the relationship between the multiple frames, javascript files and functions, and of course the remote service calls. But there was still something that was making me differentiate between the two, and it came to me a few days later (well, one possible answer).
The difference is the goal of reverse engineering compared to web app sec testing. I was seeing web application security assessments as trying to uncover vulnerabilities, then exploiting those vulnerabilities to try to gain access to information or resources the tester shouldn’t be able to. (Tangent: great couple of articles from Gnucitizen and Spylogic on the differences between Tiger Team Operations and Penetration Testing.) Whilst, in my limited understanding of reverse engineering, reverse engineering was more about ensuring that an executable wasn’t doing anything suspicious. More like malware reverse engineering, as opposed to traditional reverse engineering.
After reading the wiki about reverse engineering it became a lot clearer why they seemed to be related and yet different; even the term reverse engineering itself carries a degree of ambiguity. One of the quotes from the wiki that stuck out was “going backwards through the development cycle”; this phrase made a lot of sense with regards to the goal of reverse engineering, and even plays a small part in the goal of a pen test. And this is where I draw my twisted tale to its conclusion (or my conclusion from this twisted tale?).
Whilst the goals between reverse engineering and web application security penetration testing are quite different, most web app pen tests will include a component of reverse engineering to try and document and abstract what the application is doing. This is particularly the case due to the paradigm shift occurring at the moment with a lot of web apps pushing logic out to the client. So whilst a web app security test isn’t strictly reverse engineering, I think a lot of the same skills are used at different times.
Posted by Christian
Posted in: Computers, Profession, Security, Web Development
1 Comment »
7 July 2008
No Excuses
If Blizzard is able to offer one-time password tokens for an MMORPG platform, then there is no longer a reason why your financial institution doesn’t offer the same. Be it fat tokens or SMS one-time text.
I’ve had a couple of conversations about what happens when the baseline for user authentication is reset. I believe in the next year or so that milestone will be crossed, where the majority of online systems which provide access to PII or finance data will have either authentication-level, or even transaction-level, second factor authentication/authorisation.
For the baddies, this means that their modus operandi will have to evolve as well, and perhaps we’ll see an increase in sophisticated, real-time phishing sites, or smarter and targeted malware or man-in-the-middle-ware. There’s just too much money and information out there for the stealing, so I can’t see them simply packing up their bags and calling it quits. It’ll be interesting to see what happens next.
Posted by Christian
Posted in: Computers, Profession, Security, Web Development
2 Comments »
29 June 2008
The Power of Design to Fight Crime
Just read this article over on core77 summarising an event held by the UK Design Council which collected forty leading technology designers and manufacturers plus a group of young people to discuss “new ways of harnessing the power of design to protect young people from crime - particularly theft of ‘hot products’ like mobile phones and MP3 players.” This event was conceived after the Design Council released some stats that show that the majority of 11-16 year olds in England carry a gadget with them at some point and that one in eight have been the victim of ‘hot product’ theft in the past three years. I believe ‘hot product’ theft is where the product is stolen from them whilst they’re still using it, such as on the mobile (cell) phone, or listening to an iPod.
Core77’s excerpt provides the most concise overview:
The focus is on generating innovative design briefs which offer a clear business opportunity for manufacturers who will be encouraged to develop them into the next generation of crime-safe gadgets. [...] Home Secretary Jacqui Smith said:
“I am delighted that so many of our best designers have contributed their time and expertise to today’s event and I look forward to seeing genuinely new and commercially viable products flow from it. The role that good design can play in cutting crime is well established but success depends on effective partnerships between Government, the police and the design industry.”
At first I didn’t quite understand what they meant by utilising “design” to prevent crime, believing that it was more centered on architecture, such as developing city spaces which discourage crime. But after skimming this article it started to make sense. Richard Farson explains this concept by discussing the power of design:
Design achieves its power because it can create situations, and a situation is more determining of what people will actually do than is personality, character, habit, genetics, unconscious motives or any other aspect of our individual makeup. Nobody smokes in church, no matter how addicted.
…
Recently, the design disciplines have received research attention indicating that the physical environments designers create may have positive effects never before realized, potentially reducing all of the measures of despair. For example, studies show that if children grow up in a home designed to permit a view of greenery, they are less likely to turn to addiction and crime and more likely to achieve in school. Such thoughtfully designed environments can reduce the frequency of divorce and other signs of family dysfunction. It is no longer far-fetched to predict that intelligent design will help prevent mental and physical illness, child abuse and suicide.
Richard also explains that this design power also has a ‘dark side’:
Because it is so powerful, design also has a dark underside. If mindlessly conceived or corrupted, design can produce depressing consequences. The design of cities that plan giant shopping centers can erode traditional communities by forcing neighborhood businesses to close. Massive highway construction can divide and rupture a neighborhood. Kafkaesque office designs of row after row of monitored employees, or maze-like cubicles, can dehumanize. Graphic designs in advertising can be dangerously misleading, promoting unhealthy products or unworthy candidates. Some designers think these bad designs greatly outnumber the good ones.
I believe that a lot of these principles can map to web application security principles as well. At a high level it’s easy to relate the concept that a mindlessly conceived or corrupted design of a web application will have an impact upon how many vulnerabilities it may have. In addition, the design of a web application, either through its presentation layer or, more subtly, through the way that business logic is represented in HTML (for example), can also create a false pretence that the system is secure. A good example is a traditional design firm promoting the security of their applications because they utilise SSL/TLS to encrypt the site: employing SSL is good for protecting data in transit, but it does nothing to prevent vulnerabilities exposed through XSS or CSRF.
On a deeper level, such as taking into account what the Internet provides for crime, I think the principles still align as well. If it wasn’t trivial to perpetrate crime remotely, anonymously and on such a large scale would it be so prevalent? Probably not. The Internet was not initially designed with a security hat on so of course it’s insecure at a low level.
Posted by Christian
Posted in: Computers, Security, Web Development
No Comments »
18 May 2008
Using Yahoo Pipes to Gather AU Data Disclosure Information
Whilst I whole-heartedly enjoy reading (chasing, more like it) my 100 or so security blogs, sometimes the noise that’s generated by a couple of those blogs is overwhelming. One feed in particular, whilst being really interesting and providing a constant source of information, is also particularly good at being filled with white noise, and that is the PogoWasRight Privacy News Feed. When trying to squeeze in some feed reading time at work, I often find myself skimming this blog, or simply marking all items as read. Unfortunately, that means that from time to time I may miss an interesting privacy article or disclosure relating to Australia. I guess, until the Privacy Act is amended to mandate compulsory disclosures, these types of articles only come around from time to time. Trying to engage and involve myself in the Australian information security profession often means that I have to be able to cite certain incidents that happened closer to home.
Introducing my first Web 2.0 MashUp. Actually, it’s more like a strip-down, as it’s not so much mashing data together as stripping it apart. By using Yahoo Pipes it was really simple to create a new feed which takes in the PogoWasRight feed, and then applies an advanced searching mechanism (read: item.title regex “^AU”) to output a new feed which is available here. (Who needs 1000 monkeys typing at 1000 type-writers?)

Now I’m sure there’s plenty of other really useful stuff that could be done, but I think this is a pretty good start. For all you other budding Mashers there’s plenty of documentation and training vids to be found within Yahoo Pipes.
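The same “item.title regex ^AU” step can be done offline. The following is an added example, not the Yahoo Pipe itself: it parses a constructed RSS 2.0 feed, drops every item whose title does not match the pattern, and emits the reduced feed. The sample titles imitate the country-code prefixes the PogoWasRight feed uses; the feed content and URLs are made up. It also exposes a case-insensitive option, which shows why a bare `^AU` is a better filter than it first looks: “Australian …” titles do not match it.

```python
"""Filter an RSS feed by a title regex.

Added example, not the Yahoo Pipe from the post. SAMPLE_FEED is a
constructed RSS 2.0 document; nothing is fetched from the network.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Privacy News (constructed sample)</title>
    <link>http://feed.example.invalid/</link>
    <item><title>AU: Bank statements posted to the wrong customers</title><link>http://feed.example.invalid/1</link></item>
    <item><title>US: Hospital laptop stolen from car</title><link>http://feed.example.invalid/2</link></item>
    <item><title>AU: Council records found in a skip</title><link>http://feed.example.invalid/3</link></item>
    <item><title>Australian privacy survey released</title><link>http://feed.example.invalid/4</link></item>
  </channel>
</rss>
"""


def filter_feed(rss_xml: str, pattern: str = r"^AU", ignore_case: bool = False):
    """Return (filtered RSS as a string, list of kept titles).

    Items whose <title> does not match `pattern` are removed from the
    channel; everything else in the document passes through untouched.
    """
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    root = ET.fromstring(rss_xml)
    channel = root.find("channel")
    if channel is None:
        raise ValueError("not an RSS 2.0 document: no <channel> element")
    kept = []
    # Iterate over a copy because items are removed from the channel as we go.
    for item in list(channel.findall("item")):
        title = item.findtext("title", default="")
        if regex.search(title):
            kept.append(title)
        else:
            channel.remove(item)
    return ET.tostring(root, encoding="unicode"), kept


if __name__ == "__main__":
    xml_out, titles = filter_feed(SAMPLE_FEED)
    print("\n".join(titles))
    print(xml_out)
```

With the case-insensitive option on, `^AU\b` keeps the two “AU:” items while still rejecting “Australian …”; `^AU` alone would let that item through.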
Posted by Christian
Posted in: Profession, Security, Web Development
No Comments »
4 March 2008
The Effect of CSRF on a Forensic Investigation
Whilst I mostly agree with the issues raised in this article over at Dark Reading [Exploit Could Taint Forensics], there is one comment that really ground my gears, and I would recommend that the author/editor get their technical facts straight before publishing.
These investigations often rely on a user’s Web browser cache and history to reconstruct a user’s suspicious activity, so if the user’s machine is infected with CSRF, that data isn’t reliable and an innocent user could be mistakenly accused of wrongdoing when it was actually an attacker behind it.
My concern is focused on how a user’s machine can get “infected” with CSRF, as if CSRF were a form of malicious software, when CSRF is not an “infectious” type of software at all.
I’m not going to go into what CSRF is as a quick check of Wiki is sufficient.
Regardless of this slip up, the issue of these sorts of exploits tainting a forensic investigation is a valid point. Of course, a thorough review of a user’s web history could potentially unveil the site which instantiated the CSRF attack, and highlight that the user’s web history may not be a good source of evidence in a case. This of course does not mean that this evidence is not good evidence, it just has to be reviewed appropriately.
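One way to do the review suggested above is to label every visit to the site under investigation by what the Referer recorded alongside it says about who started the request. The following is an added example, not code from the article or from this post: the history records are a constructed list of (timestamp, URL, referrer) tuples standing in for what a forensic tool would export, and the host names are made up.

```python
"""Label browser-history visits to a site by their cross-site origin.

Added example, not from the Dark Reading article or this post. The history
export and host names are constructed for the demo.
"""
from urllib.parse import urlsplit

# Constructed history export for the user's browser, oldest first.
SAMPLE_HISTORY = [
    ("2008-03-04T10:00:00", "http://www.example.org/blog/post-17", ""),
    ("2008-03-04T10:00:01", "https://bank.example.com/account/update",
     "http://www.example.org/blog/post-17"),
    ("2008-03-04T10:05:00", "https://bank.example.com/", ""),
    ("2008-03-04T10:05:09", "https://bank.example.com/account/update",
     "https://bank.example.com/account"),
]


def classify_visits(history, target_host: str):
    """Label each visit to `target_host` by what the Referer says about who
    started it. Returns a list of dicts in history order."""
    results = []
    for ts, url, referrer in history:
        if urlsplit(url).hostname != target_host:
            continue
        ref_host = urlsplit(referrer).hostname if referrer else None
        if ref_host is None:
            verdict = "no-referrer"       # typed, bookmarked, or Referer stripped
        elif ref_host == target_host:
            verdict = "same-site"         # navigation within the site itself
        else:
            verdict = "cross-site"        # another site made the browser send it
        results.append({"time": ts, "url": url, "referrer": referrer, "verdict": verdict})
    return results


def suspected_origins(history, target_host: str):
    """Hosts whose pages caused cross-site requests to `target_host`: where
    to look for the page that instantiated a CSRF attack."""
    return sorted({urlsplit(v["referrer"]).hostname
                   for v in classify_visits(history, target_host)
                   if v["verdict"] == "cross-site"})


if __name__ == "__main__":
    for visit in classify_visits(SAMPLE_HISTORY, "bank.example.com"):
        print(visit["time"], visit["verdict"], visit["url"])
    print("suspected origins:", suspected_origins(SAMPLE_HISTORY, "bank.example.com"))
```

The caveat that goes with this: only top-level navigations land in history at all. A CSRF carried by an image tag or a background request leaves no history entry, and the Referer can be absent or stripped, so a clean-looking history is not evidence that every recorded request was the user’s own doing.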
Posted by Christian
Posted in: Computers, Security, Web Development
No Comments »
29 January 2008
Virtual Private Server Security
I’d never really heard about this until reading this article from digg, where the developer wanted to set up a hosting environment for his upstart whizz-bang webapp really quickly. So instead of purchasing a piece of “shared web hosting”, he purchased a “Virtual Private Server” from Slicehost.
For $20 a month you have a slice with 256MB of RAM, 100GB transfer, a complete virtual machine (read: root access), and an IP address. All running your choice of Ubuntu, CentOS, Gentoo, Debian, Fedora or Arch.
This seems to raise a number of security risk concerns that I hope people are taking seriously, especially as this product appears to be marketed at developers, who we all know are fantastic at securing their resources. Instead of having the security of the servers handled by on-staff security / server admins, you let the client secure their own servers. I can’t help but think that surely this increases the likelihood of these hosts getting compromised. Let alone when (if) we start seeing hypervisor exploits emerge.
Posted by Christian
Posted in: Computers, Security, Web Development
No Comments »
8 January 2008
Risks of 3rd Party Content
Recently came across this fantastic presentation by Tom Stripling, from the webappsec mailing list, on the Dangers of 3rd Party Content. If you happen to be involved in any web development or web content management, or in providing security/risk feedback to people who implement this stuff, this presentation is a must-read.
Some of the key points I got from this presentation:
- The different risk implications depending on the use of iframe or inline 3rd party content
- The motives for a malicious attacker wanting to deface or compromise your website VS The motives for a malicious attacker wanting to deface or compromise a 3rd party who provides content to numerous websites
- How mature are your due diligence processes?
- “Would you ever allow anyone to deploy any kind of HTML/Javascript/whatever to your production applications without checking it first?”
Posted by Christian
Posted in: Security, Web Development
No Comments »
1 December 2007
Web Application Security Professionals Survey
Jeremiah Grossman has posted another “Web Application Security Professionals Survey”.
Previous surveys’ results are pretty interesting, as seen here, and I do believe that a number of themes will be unchanged, such as that developers still don’t know or care enough about security, and that the general feedback on the effectiveness of tools to help with web app security is far from flattering.
Posted by Christian
Posted in: Computers, Profession, Security, Web Development
No Comments »
29 October 2007