Monday, May 31, 2010

Media Covering Security is so Frustrating

Look, I'm not going to echo the FT article which quotes some anonymous Google employee that "Google is ditching Windows" ... but this bears emphasis.  I'm not one to take many journalists seriously [except for someone like Brian Krebs] since security is just such a complex subject few do anything short of echoing hype and writing pieces that make little sense - so again ... why post this?

Well ... I like to read articles of all types often for no other reason than to pick out the absurd pieces of "fact" that hide within.  This ...this is a win-by-2-point-conversion-in-overtime kind of awesome.  Let me set it up for you...

Over the years Microsoft was the poster child for crappy security - that no one will deny.  Over the years those who get it eventually acknowledged that the reason for this was predominantly because they were the popular kid on the block.  Having something like 90%+ market-share on business and home user desktop operating systems pretty much paints a big, blinking bullseye on your forehead.  This doesn't necessarily mean you're any more or less secure than any other competing platform - it just means that you're a target a hundred-fold more than everyone else.  Unfortunately for the boys and girls in Redmond they actually were pretty shoddy on security so that culminated in a perfect situation for security trolls, OS bigots and Mac advertising executives.

Things have changed, however, and Microsoft's flagship operating systems currently are leaps and bounds more secure than much of the competition ... so when the FT writer drops in a quote like this ...I had to laugh out loud:
“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.
Really?  Moving away from Windows to Mac?  For what, better security?  Really?  OK then...

This demonstrates one of two things: either the writer completely made that up (which I'm leaning towards) demonstrating a complete lack of security understanding ...or their source at Google gave that quote between mopping floors.  The other option which of course is very legitimate is that the Google source demonstrates the obvious lack of security understanding we all have grown to expect from the Google minions.  I'll leave that one alone though...

So, back to this "article" ... which is either entirely made up (as someone on Slashdot has pointed out due to the quote of 10,000 employees - Google has north of 20,000 Mr. Journalist) or a sad attempt to gain clicks and buzz by getting on the sensationalist bandwagon with the inflammatory topics of Windows(+1) and Google(+1). I guess David (the author) achieved what he wanted to if he just wanted clicks ...but I don't suspect he'll be winning any long-term respect with anyone who has a clue.

So - is Google ditching Microsoft?  Who cares, I say.  We all know there is a trifecta of love between Microsoft, Google and Apple but there's no story there.  Quite frankly what I find more shocking is that Google hasn't moved over to their Chrome OS completely for internal purposes.  What's sort of telling for me is that Google is still on Windows.  No one will accuse Google of being privacy OR security -conscious.

So why all the hubbub ...bub?

Edit-- The bobbleheads are showing up!  Henry Blodget cites an already suspect (and I'm being polite) source...  Can someone get a Google source to confirm this story before it spreads like the BP oil disaster?

Friday, May 28, 2010

Software - Silent, Deadly and On Your Machine


While my other blog is read-only during the migration to another platform I thought I would blog a little more frequently here...one of the things I saw float by on Twitter this morning was this link about Adobe going to a more frequent patching schedule.

I made the obligatory joke about Adobe going to a daily patch schedule simply because of all the security bugs they've had issues with lately - but seriously, there are bigger problems than Adobe.  You may be saying to yourself - "What's worse than Adobe's current security problems?!" Good question.

Think about how much software you have on your desktop, laptop or whatever you're reading this on right now.  Now, go look.

So did you discover a ton more software than you knew was installed?  What about all those people who bought their computers at Best Buy, "pre-loaded" with dozens of apps they may or may not even know are on their computer.  So what about the patch cycles for all those apps?

You think Adobe has a bad rap for all the security vulnerabilities they include free in their apps, but that's kind of like everyone picking on Microsoft a while back.  When you're the most popular kid on the block you come under more scrutiny, and are picked on more than everyone else... which I guess is fair if you want to be #1.  It's not how bad your software is, necessarily, it's how you handle it.  Now, I'm not defending Adobe's record - because we all know how awesome that has been lately - but think about everything else out there!

How often do you check for updates on some of the software on your computer?  Ever?

More and more, software is moving to an auto-update model where it "checks in" every so often to the home base to check for updates, security or otherwise.  These pop up on your screen and I would venture to say that a good majority of people ignore the request for updates (these pieces of software have to ask for permission to update).  So silently, your computer has a ton of vulnerabilities you're not aware of that probably aren't patched.  Awesome.

So ... the next time you're ripping on Microsoft, Adobe or some other super-popular software about all the bugs they're patching - think for one second about all the other software that's on your computers that are rarely (if ever) patched.  How 'bout those bugs?

Wednesday, May 26, 2010

This passes for "hacking"?

Short post- just a quick thought because it's late and I just can't let this go...

I've never given the "Huffington Post" a second thought because it's generally accepted to be written by mildly retarded chimpanzees but this crap just drives me absolutely nuts.  I have a Google News feed for "hacked -limb -death" and I've gotten about 7-8 news articles about "hacked road signs" in Miami.

Wasn't this old news like ... months ago?!

Wait ...how is popping a roadway sign box, and changing what's on the signs "hacking".  Can we come up with a definition of hacking for the media to reference, so they don't go off and confuse vandalism with hacking repeatedly?

I get that hacking is the hot thing to report on ...and changed road signs are funny as hell - but this is just stupid. Dear media people: please get a clue and stop over-hyping everything as hacking.


...and now I'm off to add a "-Huffington" to the search terms ...*sigh*

Saturday, May 22, 2010

Why Security Pros Drink...

A colleague posted this to his Twitter feed today ...and I felt compelled to really read and comment on the whole situation with OpenCart.  One quick note - this is OpenCart.com, not OpenCart.org - anyway...

Now, I read this post from Ben Maynard's blog (which is a worthy read, by the way so add it to your RSS readers) - and you should too before you go any deeper into this post ...go ahead I'll wait ...

...
......

OK, so now let's talk about what just happened.  Did you read the comments?  All of them?

Ben not only sent the developer an email explaining what CSRF is but sent that same developer links and tried to explain the issue.  This developer clearly "didn't get it".  But ask yourself ...is this that rare?

Now, I'm going to post the comment that really got me fired up from Daniel Kerr (the dev from OpenCart)... check this out:
Daniel Kerr says:
to be honest. this just shows the type of person be is. he thinks hes found some big hack and when i tell him to to stop wasting my time he goes around posting my emails in forums and his blog. ben is a prat.
this sort of problem even today effects big sites like gmail, paypal. you really think everything is down to the person who writes the script? or the web user?

Say what?!  I'd love to grab this Daniel by the shirt-collar and rub this ass-hat's face into the steaming pile of shit he just made for himself.  Are you kidding me?  Someone does your job of finding a security vulnerability in your code (a major one at that), politely tells you about it, and gives you resources to understand it better and you have the stones (or is it just ignorance now?) to call him names on his own blog?

What an asshole.

By the way, Ben went on to write his own patch for OpenCart ...and maintained it some.  But then the developer went to an entirely new level of mental midget ...he apparently broke the patch in the update of the OpenCart code.  *facepalm*

Now ... what have we learned from this experience?  I don't know about you but what I'm learning is that developers just aren't going to get it... today, tomorrow or after we force mandatory "secure coding" education on them.  They just don't get it.  The discipline of software development apparently requires such full attention of your mind that you cannot even squeeze the very thought of writing your code with an ounce of prevention.

...and this, my dear friends, is why we in InfoSec drink...heavily.

So you think if we pooled our pennies we could buy this OpenCart idiot a clue?

Friday, May 21, 2010

Missiles vs. Bytes - Appropriate Response to "Cyber War"

It's incredible the level of misunderstanding of the world of the Internet.  I don't dare say "cyber-space" because I've gotten to the point where I'm nauseated every time I hear someone pre-pend the "cyber" in front of words that are ordinary.

My news feed has been flooded with articles like this one (Pentagon Says Military Response to Cyber Attack Possible) which when taken with the FUD & panic glasses off make absolutely no sense.  What's worse is that there are quotes from various Washington leaders like this one:

Asked about the possibility of using military force after a cyber assault, James Miller, undersecretary of defense for policy, said: "Yes, we need to think about the potential for responses that are not limited to the cyber domain." [DefenceTalk.com]
This type of thinking is very dangerous because, as the article goes on to say, we don't even quite have a handle on what would constitute an "act of cyber-war".  There are other problems with trying to use missiles to retaliate against bits too...

I think there are 2 glaring problems with the whole idea of identifying and declaring "war" on the Internet.  In order to be able to declare war - there has to be a clear definition of an "act of war".  We can almost define that in the real world.  Cornell has a pretty good definition of what constitutes an act of war ... but there is no clear understanding of how bits and bytes can be used to declare war, or even show international aggression.

Launching a DDoS is not equated to launching an ICBM, and no one in the international community will argue that it takes a physical act of aggression to actually start a war ...right?  War is a serious thing.  Lives are lost, misery and destruction follow.  These cannot be taken lightly in spite of some people's notions to the contrary.  The point here is that even something as serious as a successful attack against a power grid most likely wouldn't be considered an act of war, at least not by current thinking.  Physical destruction and the loss of life along with a threat to sovereignty would still likely be required to draw a military retaliation.

The other and perhaps more serious problem with this line of thinking is this - how can you be 100% sure that the purported attack is in fact originating from the nation-state?  If those of us in Information Security have learned nothing else about the way that attackers work - we've at least learned that attackers tend to like to use someone else's system/network to originate their attacks.  If I am North Korea, just as an example, and I want to attack the United States over the Internet I would naturally first stealthily compromise hordes of systems in, say, China.  I would then use those systems as launch-points for the attack against the US, and thus most likely avoid blame.  Also, in today's highly connected, distributed world of the Internet an attack would likely originate from thousands of sources globally which would make it nearly impossible to track.

So what are our political and military leaders saying, exactly?  Would the next GhostNet prompt a nuclear strike against China?  And if that's the thinking, how would that be justified to the International community?

There is a lot to consider, and while there is no true anonymity on the Internet, it is very possible to create such a complex attack (after all, any attack of this nature would necessarily be complex) originating from multiple locations and cloaked by zombie systems - that it may even be possible to trigger a "retaliation war" between 2 nations which really have nothing to do with the action - and that is my true fear.

So before you jump on the "cyber war" bobble-head bandwagon and start to echo the clearly clueless about how it's conceivable a military strike could be effective against "cyber war" ...please, think.  Your children's lives may actually depend on it.

...and remember - Friends don't let friends espouse 'cyber war'

Tuesday, May 18, 2010

Code So Bad, It's ...Secure?

This past weekend a friend called me up and said he was doing a security assessment of a web site that was put together by a 3rd party he had no faith in - and wanted to know if I was interested in spending some time channeling my evil (long story...read Twitter more if you don't get it) into this site's lack-luster security.

Not being one to turn down a good site-bashing I accepted and took out some of the tools that had been rusting in the back of the shed for a while, sharpened some utensils, and updated some software to modern versions ...and got ready.  I figured we'd drink some beers, have a little fun, ravage a database or two and call it an afternoon.  Little did I know what we were in for.

Todd showed up about 2'ish in the afternoon, and we quickly went to work.  Beers in hand we did some recon on the site, and without even needing more than 10 minutes we found several injection points, where the database was being directly exposed.

Here's where things get ...interesting.

Let me first say that we employed the flow-based methodology I've been talking about lately (video on my HP blog here) and quickly noticed that the site was all kinds of broken.  It became obvious when Todd pasted me one of the URLs he was working on via AIM that there was no regard for flow in the application.  One could go directly to a page deep within one of the registration flows, without starting at the beginning, and submit it without any of the hidden variables carried through ...that was indicative of what would soon prove to be a tragic, steaming pile of web code.

Another thing I quickly noticed is that I could change the POST requests to the server to GET requests, at will, and the server would process them as long as I included the appropriate parameters.  I could simply chain the POST parameters into the request like so:
POST /blah/verifyEmail.asp  --> GET /blah/verifyEmail.asp?param1=foo&param2=bar
which bugged me because once I started messing with this I realized I could cause the server to start doing some really weird stuff like stop responding!


One thing we quickly noticed was that while the site was hilariously SQL injectable (nearly every database call didn't properly sanitize), there were some frustrating things that made this code difficult to totally invade.

The developer apparently cared nothing for sanitizing database query input parameters (one could insert the ' character into nearly every parameter value without fail).  This produced strangely familiar SQL errors such as this one ...
Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near 'xxx'.
/IncludeDir/includeDir1/includeData.asp, line 44.
Naturally we focused on this for a minute ...but what was interesting was that the xxx was a 3-digit number that was nowhere in the http request.  This was concluded to be a "default" for the site, and we moved on to try and modify that in addition to the obvious SQL injection.

Submitting this POST to the SQL server, yielded more 'near' SQL errors, so nothing particularly interesting:
username=Grover%40SesameStreet.org'&type=&groupId=&mode=&action=submitRequest
although ... adding this showed us that the developer had at least used the SQL trim() function to remove white-space:
username=Grover%40SesameStreet.org'select @@version--&type=&groupId=&mode=&action=submitRequest
thus producing this:
Incorrect syntax near 'select@@version'.
After playing with different character combinations, encoding types and tricks we had the following information on the site and its developer ...
  1. many characters were being trim() 'd including the % + and white-space
  2. the developer was surely inserting data dynamically into queries
  3. stored procedures were being used (we found an error identifying "sproc_InsertData")
  4. parameters were not typed
  5. there were at least 2 stored procedures being used here (why?!) which would break attack strings in strange ways across different queries(??)
So after all that, and about 10 hours of hacking away, calling people who were SQLi ninjas much smarter than us ...we had nothing.  Clearly the code was bad, and we were able to poke at the database.  Unfortunately, due to some of the developer's antics, neither we nor anyone we reached out to could figure out a meaningful way to get a complete [injected] query through to extract data.

The best I can figure is this ...the developer tried to create complex, robust code but instead ended up writing a steaming, twisted pile of crap which was so bad it was almost reasonably secure.

This is the worst kind of failure because it fosters that smug feeling of "I stumped the hackers"... remember, we are limited by time & resources...the bad guys ARE NOT.  They WILL get you.
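
As an added example (not code from the original post or from the assessed site): the sketch below reproduces the filter-then-concatenate behaviour described above, with Python's sqlite3 standing in for the site's ASP and SQL Server, next to a parameterized lookup that also refuses non-POST requests. The table, the function names and the exact character filter are assumptions made for illustration.

```python
import sqlite3

# Characters the post reports the site removed from input (assumed exact set).
STRIPPED = set("%+ \t\r\n")


def strip_chars(value: str) -> str:
    """Constructed stand-in for the site's filter: drop %, + and white-space."""
    return "".join(ch for ch in value if ch not in STRIPPED)


def make_db() -> sqlite3.Connection:
    """In-memory table holding one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    db.execute("INSERT INTO users (email) VALUES (?)",
               ("Grover@SesameStreet.org",))
    return db


def lookup_concatenated(db, username: str):
    """'Before': filtered input is pasted into the SQL text.

    The quote character survives the filter, so the input still changes the
    statement the database parses. Returns ("error", msg) or ("rows", n).
    """
    sql = "SELECT id FROM users WHERE email = '" + strip_chars(username) + "'"
    try:
        return ("rows", len(db.execute(sql).fetchall()))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_parameterized(db, username):
    """'After': the value is type-checked, then bound as a parameter.

    A bound value is compared as data and is never parsed as SQL.
    """
    if not isinstance(username, str) or len(username) > 254:
        return ("rejected", 0)
    sql = "SELECT id FROM users WHERE email = ?"
    return ("rows", len(db.execute(sql, (username,)).fetchall()))


def handle(method: str, params: dict, db):
    """Accept the form only as POST, so its fields cannot move into the URL."""
    if method != "POST":
        return (405, None)
    return (200, lookup_parameterized(db, params.get("username", "")))


if __name__ == "__main__":
    db = make_db()
    # The two quoted inputs are the ones shown in the post.
    for value in ("Grover@SesameStreet.org",
                  "Grover@SesameStreet.org'",
                  "Grover@SesameStreet.org'select @@version--"):
        print(repr(value))
        print("  concatenated :", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
    print(handle("GET", {"username": "Grover@SesameStreet.org"}, db))
```

With the concatenated query the quoted inputs from the post still reach the SQL parser and come back as syntax errors; with the bound parameter they are compared as plain text and match nothing.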

Wednesday, May 12, 2010

Thoughts on Data Breach Notification Legislation

So ...Canada's Alberta province has finally seen the light, and is the first province in Canada to enact Federal-level data breach notification laws.  Woohoo.

So why am I so excited you ask?  Because ...big deal.  Another "notification law".

So soon you Canadians up there will be just like us in the US ...you'll get letter after letter telling you the companies you've trusted with your personal and private data have let you down ...oh - and here's a year of "free credit protection, thanks for playing".  It's all crap.

So we have PCI and other "compliance" regulations which turn into check-the-box exercises in due-diligence and "baseline absolute minimums"... and then we have the after-the-fact "notification" laws...

I'm still not excited ...but I should be right?  Why?

When there is an actual way to mandate corporate responsibility not just 'absolute minimum security' ...then I'll be happy.  Until then...congrats to Alberta, I guess.

Saturday, May 8, 2010

The FBI [Wants] Found Your Stolen Money!

I've gotten some very creative phishing scam emails in the past - but this one ...these guys are creative!

Basically it purports to be from the FBI Director (Robert Mueller) telling you that there was an investigation of some sort into some stolen money via a Nigerian scam and that there is a settlement that will be paid to you.

I thought I'd take a minute to analyze this ...it's still got some subtle issues that make it obvious that it wasn't written by anyone official, or with English as their primary language.

First, let's see how the letterhead looks...
--

Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
J. Edgar. Hoover Building, Washington D.C


ATTN: BENEFICIARY

--
That's certainly interesting, and official-looking!  Why would anyone second-guess an email coming to them straight from the FBI at the J. Edgar Hoover building?!  Oh but look at some of the punctuation ... "J. Edgar. Hoover Building..."  Did you notice the period after Edgar?  Why would that be there, unless you just don't understand the original address...  Next, the "ATTN: BENEFICIARY" is in all CAPS, why?

Let's look further, at the opening text-
--

"This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke,Sanusi Bello none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents. During our Investigation, it came to our notice that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment. 


So therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in the total amount of $800,000.00 USD which will be deposited into an ATM CARD which you will use to withdraw funds anywhere of the world. You now have the lawful right to claim your funds which have been deposited into the ATM CARD."

--

Whoa!  Did you find the subtle issues I highlighted above the first time you read through?  This text is tricky indeed because it first tells you that someone is scamming you as "impostors" and then proceeds to tell you that the reason you haven't gotten your $800,000 is that you "haven't fulfilled your financial obligation"... which is interesting - starts to sound like they want money from you, doesn't it?  Why would the FBI write with such obvious grammatical errors?  And furthermore, who says "it came to our notice" anyway?

Let's read on, it's starting to get juicy.  For those that have fallen for this obvious scam, the interest has been piqued, and now they're going to set the hook and get you to part with your money in exchange for that $800,000.00 ...but how?  Check out this opening sentence!
--

Since the Federal Bureau of Investigation has been involved in this transaction, you are now to be rest assured that this transaction is legitimate and completely risk-free as it is our duty to Protect and Serve citizens of the United States Of America. All you have to do is immediately contact the ATM CARD CENTER via E-mail for instructions on how to procure your Approval Slip which contains details on how to receive and activate your ATM CARD for immediate use to withdraw funds being paid to you. We have confirmed that the amount required to procure the Approval Slip will cost you a total of $200 USD which will be paid directly to the ATM CARD CENTER agent via Western Union Money Transfer / MoneyGram Money Transfer. Below, you shall find contact details of the Agent whom will process your transaction: 




CONTACT INFORMATION 
NAME: MR. PAUL SMITH 
EMAIL : paulsmith4@gala.net
TELEPHONE NUMBER : +234-803-624-0664


Immediately contact Mr. Paul Smith of the ATM Card Centre with the following information: 
Full Name:
Address:
City:
State:
Zip Code:
Direct Phone Number:
Current Occupation:
Annual Income:

--
Notice a few things here... First off look at how they re-assure you that the transaction is legitimate and risk-free ..."trust us, we're the FBI"... oh - really?  Next they set the cost at $200 to get your $800k in this "legitimate and risk-free" transaction.

Let's look at a new element I've been seeing lately ...these scam-monkeys are asking for your current occupation and annual income!  Interesting ...think about why they would want that to scam you...

One last part to look at...
--

Once you have sent the required information to Mr. Paul Smith he will contact you with instructions on how to make the payment of $200 USD for the Approval Slip after which he will proceed towards delivery of the ATM CARD without any further delay. You have hereby been authorized/guaranteed by the Federal Bureau Of Investigation to commence towards completing this transaction, as there shall be NO delay once payment for the Approval Slip has been made to the authorized agent. 


Once you have completed payment of $200 to the agent in charge of this transaction, immediately contact me back so as to ensure your ATM CARD gets to you rapidly. 


FBI Director 


Robert Mueller.

--

So, once you've given them your personal details (sucker!), then Paul Smith will contact you and tell you how to give them your hard-earned money too.  Of course, Paul Smith is not on the hook for completing the rest of the transaction... Mr. Robert Mueller, the FBI Director is... say what?!  Of course you need to send the payment by Western Union, as it's not able to be tracked once you send them your cash... awesome.

I say we all send Mr. Paul Smith an email ... let's tell him (using any of the fake email accounts y'all have out there) how much we appreciate the constant amusement he provides us.

I would love for the FBI to get to know the real Paul Smith ...but I suspect that won't be happening anytime soon.

Don't be stupid ... please don't even for one half-second fall for these idiotic scams.

../end