Category: Security

  • So your Twitter has been hacked. Now what?

    So I’m getting a lot of Twitter spam with links to install bad crap on my computer.

    More than just occasionally, these DMs are sent by folks in the infosec field. They should know better than to click unknown links without taking precautions.

    So what do you need to do?

    Simple. Follow the basic containment, eradication and recovery steps from NIST’s incident handling guide:

    Contain – find out how many of your computers are infected. If you don’t know how to do this, assume they’re all suspect, and ask your family’s tech support. I know you all know the geek in the family, as it’s often me.

    Eradicate – Clean up the mess. Sometimes, you can just use anti-virus to clean it up, other times, you need to take drastic action, such as a complete re-install. As I run a Mac household with a single Windows box (the wife’s), I’m moderately safe as I have very good operational security skills. If you’re running Windows, it’s time for Windows 8, or if you don’t like Windows 8, Windows 7 with IE 10.

    Recover – If you need to re-install, you had backups, right? Restore them. Get everything back the way you like it.

    • Use the latest operating system. Windows XP has six months left on the clock. Upgrade to Windows 7 or 8. MacOS X 10.8 is a good upgrade if you’re still stuck on an older version. There is no reason not to upgrade. On Linux or your favorite alternative OS, there is zero reason not to use the latest LTS or latest released version. I make sure I live within my home directory, and have a list of packages I like to install on every new Linux install, so I’m productive in Linux about 20-30 minutes after installation.
    • Patch all your systems with all of the latest patches. If you’re not good with this, enable automatic updates so it just happens for you automatically. You may need to reboot occasionally, so do so if your computer is asking you to do that. On Windows 8, it only takes 20 or so seconds. On MacOS X, it even remembers which apps and documents were open.
    • Use a safer browser. Use IE 10. Use the latest Firefox. Use the latest Chrome. Don’t use older browsers or you will get owned.
    • On a trusted device, preferably one that has been completely re-installed, it’s time to change ALL of your passwords as they are ALL compromised unless proven otherwise. I use a password manager. I like KeePassX, 1Password, and a few others. None of my accounts shares a password with any other account, and they’re all ridiculously strong.
    • Protect your password manager. Make sure you have practiced backing up and restoring your password file. I’ve got it sprinkled around in a few trusted places so that I can recover my life if something bad was to happen to any single or even a few devices.
    • Backups. I know, right? It’s always fun until all your data and life is gone. Backup, backup, backup! There are great tools out there – Time Capsule for Mac, Rebit for Windows, rsync for Unix types.

    Learn and improve. It’s important to make sure that your Twitter feed remains your Twitter feed and in fact, all of your other accounts, too.

    I never use real data for questions and answers, such as my mother’s maiden name as that’s a public record, or my birth date, which like everyone else, I celebrate once per year and thus you could work it out if you met me even randomly at the right time of the year. These are shared knowledge questions, and thus an attacker can use that to bypass Twitter, Google’s and Facebook’s security settings. I either make it up or just insert a random value. For something low security like a newspaper login or similar, I don’t track these random values as I have my password manager to keep track of the actual password. For high value sites, I will record the random value to “What’s your favorite sports team”. It’s always fun reading out 25 characters of gibberish to a call centre in a developing country.

    Last word

    I might make a detailed assessment of the DM spam I’m getting, but honestly, it’s so amateur hour I can’t really be bothered. There is no “advanced” persistent threat here – these guys are really “why try harder?” when folks don’t undertake even the most basic of self protection.

    Lastly – “don’t click shit”. If you don’t know the person or the URL seems hinky, don’t click it.

    That goes double for infosec pros. You know better, or you will just after you click the link in Incognito / private mode. Instead, why not fire up that vulnerable but isolated XP throw away VM with a MITM proxy and do it properly if you really insist on getting pwned. If you don’t have time for that, don’t click shit.

  • Infosec apostasy

    I’ve been mulling this one over for a while. And honestly, after a post to an internal global mail list at work putting forward my ideas, I’ve come to realise there are at least two camps in information security:

    • Those who aim via various usual suspects to protect things
    • Those who aim via various often controversial and novel means to protect people 

    Think about this for one second. If your compliance program is entirely around protecting critical data assets, you’re protecting things. If your infosec program is about reducing fraud, building resilience, or reducing harmful events, you’re protecting people, often from themselves.

    I didn’t think my rather longish post, which brought together the ideas of the information swarm (it’s there, deal with it), information security asymmetry and pets/cattle (I rather like this one), would land with the heavy thud akin to 95 bullet points nailed to the church door.

    So I started thinking – why do people still promulgate stupid policies that have no bearing on evidence? Why do people still believe in policies, standards, and spending squillions on edge and endpoint protection when it is trivial to bypass all of it?

    Faith.

    Faith in our dads and grand dads that their received wisdom is appropriate for today’s conditions.

    “Si Dieu n’existait pas, il faudrait l’inventer” (“If God did not exist, it would be necessary to invent him”), Voltaire

    (Often mis-translated as “if religion did not exist, it would be necessary to create it”, but close enough for my purposes)

    I think we’re seeing the beginning of infosec religion, where it is not acceptable to speak up against unthinking enforcement of hand me down policies like 30 day password resets or absurd password complexity, where it is impossible to ask for reasonable alternatives when you attempt to rule out the imbecilic alternatives like basic authentication headers.

    We cannot expect everyone using IT to do it right, or have high levels of operational security. Folks often have a quizzical laugh at my rather large random password collection and use of virtual machines to isolate Java and an icky SOE. But you know what? When LinkedIn got pwned, I had zero fears that my use of LinkedIn would compromise anything else. I had used a longish random password unique to LinkedIn. So I could take my time to reset that password, safe in the knowledge that even with the best GPU crackers in existence, the heat death of the universe would come before my password hash was cracked. Plenty of time. Fantastic … for me, and I finally get a pay off for being so paranoid.

    But… I don’t check my main OS every day for malware I didn’t create. I don’t check the insides of my various devices for evil maid MITM or keyloggers. Let’s be honest – no one but the ultra paranoid do this, and they don’t get anything done. But infosec purists expect everyone to have a bleached white pristine machine to do things – or else the user is at fault for not maintaining their systems.

    We have to stop protecting things and start protecting humans, by creating human friendly, resilient processes with appropriate checks and balances that do not break as soon as a key logger or network sniffer or more to the point, some skill is brought to bear. Security must be agreeable to humans, transparent (as in plain sight as well as easy to follow), equitable, and the user has to be in charge of their identity and linked personas, and ultimately their preferred level of privacy.

    I am nailing my colors to the mast – we need to make information technology work for humans. It is our creature, to do with as we want. This human says “no

  • Marketing – first against the wall when the revolution comes

    A colleague of mine just received one of those awful marketing calls where the vendor rings *you* and demands your personal information “for privacy reasons” before continuing with the phone call.

    *Click*

    As a consumer, you must hang up to avoid being scammed. End of story. No exceptions.

    Even if the business has a relationship with the consumer, asking them to prove who they are is wildly inappropriate. Under no circumstances should a customer be required to provide personal information to an unknown caller. It must be the other way around – the firm must provide positive proof of who they are! And by calling the client, the firm already knows who the client is, so there’s no reason for the client to prove who they are.

    As a business, you are directly hurting your bottom line and snatching defeat from the jaws of victory by asking your customers to prove their identity to you.

    This is about the dumbest marketing mistake ever – many customers will automatically assume (correctly in my view) that the campaign is a scam, and repeatedly hang up, thus lowering goal completion rates and driving up the cost of sales. Thus this dumb move can cost a company millions in opportunity costs in the form of:

    • wasted marketing (hundreds of dropped customer contacts for every “successful” completed sale),
    • increased fraud against the consumer, and ultimately against the business when customers reject fraudulent transactions,
    • the loss of thousands if not hundreds of thousands of customers, and their ongoing and future revenue, if they lose trust in the firm, or if the firm’s lack of fraud prevention causes them to suffer fraud by allowing scammers to easily harvest PII from the customer base and misuse it.

    Customers hate moving businesses once they have settled on a supplier of choice, but if you keep on hassling them the wrong way, they do up and leave.

    So if any of you are in marketing or are facing pressure from the business to start your call script by asking for personally identifying information from your customers, you are training your customers to become victims of phishing attacks, which will cost you millions of dollars and many more lost customers than you’ll ever gain from doing the right thing.

    It’s more than just time to change this very, very, very bad habit.

  • Responsible disclosure failed – Apple ID password reset flaw

    Responsible disclosure is a double edged sword. The Faustian bargain is I keep my mouth shut to give you time to fix the flaws, not ignore me. I would humbly suggest that it is very relevant to your interests when a top security researcher submits a business logic flaw to you that is trivially exploitable with just iTunes or a browser requiring no actual hacking skills.

    If anyone knows anyone at Apple, please re-share or forward this post, and ask them to review my rather detailed description of my rather simple method of exploiting the Apple ID password reset system I submitted over six months ago with so far zero response beyond an automated reply. The report tracking number is #221529179 submitted August 12, 2012.

    My issue should be fixed along with the other issues before they let password reset back online with my flaw intact.

  • Running Fortify SCA 3.80 on Ubuntu 12.04 64 bit Linux

    I have a bit of a code review job at the moment. It’s a large code base, and you all know what that means. LOTS OF RAM! So I got me a 16 GB upgrade. Then I found that I could only allocate 8 GB to a VM in VMWare Fusion. So here’s how to scan a big chunk of code with minimal pain:

    The default VM disk size for a Easy Installed Ubuntu is 20 GB, with 8 GB of swap. WTF. So don’t use Easy Install as you’ll run out of disk space doing a scan of a moderate sized application. I expanded mine to 80 GB after it was all installed, but if you are smart, unlike me, do it when you first build the system.

    To add more than 8 GB to a VM in VMware Fusion, allocate 8192 MB (the GUI maximum) whilst the VM is shut down, then open the package contents of the VM by right-clicking it (I’m on a Mac; if you rename a folder foobar.vmwarevm it becomes a package automagically). Find the VMX file and open it carefully in a decent editor (vi, TextWrangler or TextMate). There is magic in here and if you edit it wrong, your VM will not boot. Change memsize = "8192" to, say, memsize = "12384" and save it. Don’t go too close to your total physical memory or the Mac will start paging, and that’s just pain. Boot the VM and confirm you have enough memory (free -m inside the guest).
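A safer way to make that memsize change, as an added example rather than anything from the original post or from VMware: a small POSIX sh function that backs the .vmx up, refuses values that are not a whole number of megabytes or not a multiple of 4 MB (VMware’s usual constraint; treat it as an assumption for your version), and rewrites or appends the memsize line. Checking the value against host RAM is left to you (sysctl -n hw.memsize on the Mac). The file used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware: change memsize in a
# .vmx file with a backup and sanity checks instead of hand-editing it.
# Assumption: memsize must be a whole number of MB and a multiple of 4 MB.
# Checking against host RAM (sysctl -n hw.memsize on a Mac) is left to the caller.
set_vmx_memsize() {
    vmx="$1"; mb="$2"
    case "$mb" in
        ''|*[!0-9]*) echo "memsize must be an integer number of MB, got '$mb'" >&2; return 1 ;;
    esac
    if [ $(( mb % 4 )) -ne 0 ]; then
        echo "memsize $mb is not a multiple of 4 MB" >&2; return 1
    fi
    [ -f "$vmx" ] || { echo "no such file: $vmx" >&2; return 1; }
    cp -p "$vmx" "$vmx.bak"          # a broken .vmx will not boot; keep the original
    if grep -q '^memsize *= *"' "$vmx"; then
        # rewrite the existing line via a temp file so a failed sed leaves the file intact
        sed "s/^memsize *= *\"[0-9]*\"/memsize = \"$mb\"/" "$vmx" > "$vmx.tmp" && mv "$vmx.tmp" "$vmx"
    else
        printf 'memsize = "%s"\n' "$mb" >> "$vmx"
    fi
    grep '^memsize' "$vmx"           # show the result so you can eyeball it
}

# Constructed demo: a throwaway file standing in for the real foobar.vmwarevm/foobar.vmx
demo=$(mktemp) && printf 'memsize = "8192"\nnumvcpus = "2"\n' > "$demo"
set_vmx_memsize "$demo" 12288
rm -f "$demo" "$demo.bak"
```

Run it against the real .vmx only while the VM is shut down; Fusion rewrites the file itself on shutdown and would clobber your edit otherwise.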

    First off, do not even try to scan a large code base from within Audit Workbench. It will just fail.

    Secondly, it seems that HP do not test the latest version of SCA on OpenSuse 12.2, which is a shame as I really liked OpenSuse. There’s no way to fix up the dependencies without using an unsafe (older) version of Java, so I gave it up.

    Ubuntu, despite not being listed as a qualified platform (CentOS, Red Hat and OpenSuse are the listed ones), had a graphical installer compared to OpenSuse’s text-only install. Alrighty, then.

    Install the latest Oracle Java 1.7 using the 64-bit JDK for Linux. I put it in /usr/local/java/. Weep, for you now have a massive security hole installed.

    Force Ubuntu to use that JVM with update-alternatives:

    sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jdk1.7.0_15/bin/java" 1 
    sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/local/java/jdk1.7.0_15/bin/javac" 1 
    sudo update-alternatives --set java /usr/local/java/jdk1.7.0_15/bin/java 
    sudo update-alternatives --set javac /usr/local/java/jdk1.7.0_15/bin/javac

    I created the following in /etc/profile.d/java.sh

    #!/bin/sh
    JAVA_HOME=/usr/local/java/jdk1.7.0_15
    PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
    export JAVA_HOME
    export PATH

    Note that I did not tell Ubuntu about Java Web Start. If you want to keep your Ubuntu box yours, you will not let JWS anywhere near a browser. If you did this step, it’s best to delete javaws completely from your system to avoid any potential for drive-by download trojans.

    Install SCA as per HP’s instructions. 

    Now, you need to go hacking as HP for some reason still insist that 32 bit JVMs are somehow adequate. Not surprisingly, Audit Workbench pops up an exception as soon as you start it if you take no further action to make it work. So let’s fix that up.

    I went and hacked JAVA_CMD in /opt/HP_Fortify/HP_Fortify_SCA_and_Apps_3.80/Core/private-bin/awb/productlaunch to be the following instead of the JRE provided by HP:

    JAVA_CMD="/usr/local/java/jdk1.7.0_15/bin/java"

    After that, Audit Workbench will run.

    Now, let’s work on ScanWizard. ScanWizard is really the only way to produce repeatable scans that don’t run out of memory. So run ScanWizard. It’ll create a shell script for you to edit. You need to make the following changes:

    MEMORY="-Xmx6000M -Xms1200M -Xss96M "
    
    LAUNCHERSWITCHES="-64 "

    There’s a space after -64. Without that it fails.

    Then there’s bugs in the generated scan script that mean it would never work when using a 64 bit scan. It’s almost like HP never tested 64 bit scans on large code bases (> 4 GB to complete a scan). I struggle to believe that, especially as their on demand service is almost certainly using something very akin to this setup.

    Change this bit of the scan shell script:

    FILENUMBER=`$SOURCEANALYZER -b $BUILDID -show-files | wc -l`
    
    if [ ! -f $OLDFILENUMBER ]; then
            echo It appears to be the first time running this script, setting $OLDFILENUMBER to $FILENUMBER
            echo $FILENUMBER > $OLDFILENUMBER
    else
            OLDFILENO=`cat $OLDFILENUMBER`
            DIFF=`expr $OLDFILENO "*" $FILENOMAXDIFF`
            DIFF=`expr $DIFF /  100`
    
            MAX=`expr $OLDFILENO + $DIFF`
            MIN=`expr $OLDFILENO - $DIFF`
    
            if [ $FILENUMBER -lt $MIN ] ; then SHOWWARNING=true; fi
            if [ $FILENUMBER -gt $MAX ] ; then SHOWWARNING=true; fi
    
            if [ $SHOWWARNING == true ] ; then

    To this:

    FILENUMBER=`$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID -show-files | wc -l`
    
    if [ ! -f $OLDFILENUMBER ]; then
            echo It appears to be the first time running this script, setting $OLDFILENUMBER to $FILENUMBER
            echo $FILENUMBER > $OLDFILENUMBER
    else
            OLDFILENO=`cat $OLDFILENUMBER`
            DIFF=`expr $OLDFILENO "*" $FILENOMAXDIFF`
            DIFF=`expr $DIFF /  100`
    
            MAX=`expr $OLDFILENO + $DIFF`
            MIN=`expr $OLDFILENO - $DIFF`
    
            SHOWWARNING=false
    
            if [ $FILENUMBER -lt $MIN ] ; then SHOWWARNING=true; fi
            if [ $FILENUMBER -gt $MAX ] ; then SHOWWARNING=true; fi
    
            if [ $SHOWWARNING = true ] ; then

    Yes, there’s an uninitialised variable AND a portability bug in a few lines of code. Quality. Inside [ ], == is a bash extension, not POSIX sh; Ubuntu’s /bin/sh is dash, which rejects it, so obviously that was well tested before release! Change it to a single = (keep -eq for integer comparisons only) and you should be golden.
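Here is the same drift check written the way it should have shipped, as an added example that is not HP’s code: a portable sh function that initialises the flag, uses a single = in the string comparison, and returns non-zero when the file count moves outside the tolerance. The counts and percentage in the demo are constructed; in the generated script they come from the saved count file, `sourceanalyzer -show-files | wc -l` and FILENOMAXDIFF.

```shell
#!/bin/sh
# Added example, not HP's generated script: the file-count drift check rewritten
# as a portable POSIX sh function. Returns 0 when NEW is within MAXDIFF percent
# of OLD, 1 when it is outside (the "show warning" case), 2 on bad input.
# In the real scan script OLD comes from the saved count file, NEW from
# `sourceanalyzer -b $BUILDID -show-files | wc -l` and MAXDIFF from FILENOMAXDIFF.
file_count_within_tolerance() {
    old="$1"; new="$2"; maxdiff="$3"
    for v in "$old" "$new" "$maxdiff"; do
        case "$v" in
            ''|*[!0-9]*) echo "non-numeric argument: '$v'" >&2; return 2 ;;
        esac
    done
    diff=$(( old * maxdiff / 100 ))  # integer maths, same rounding as the expr original
    min=$(( old - diff ))
    max=$(( old + diff ))
    showwarning=false                # initialised first: the generated script forgot this
    if [ "$new" -lt "$min" ] || [ "$new" -gt "$max" ]; then
        showwarning=true
    fi
    # single '=' for string comparison: '==' inside [ ] is a bash extension that dash rejects
    if [ "$showwarning" = true ]; then
        echo "WARNING: file count moved from $old to $new, outside $maxdiff% tolerance" >&2
        return 1
    fi
    return 0
}

# Constructed demo values: the previous scan saw 1000 files, this one sees 1150
file_count_within_tolerance 1000 1150 10 || echo "check the build before scanning again"
```

Because the function returns a status rather than setting a global, the calling script can decide whether a drift is a warning or a hard stop before burning hours on a 64-bit scan of the wrong translation.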

    After that, just keep an eye out for out of memory errors and any times you notice it saying “Java command not found”. To open a large FPR file may require bumping up Audit Workbench’s memory. I had to with a 141 MB FPR file. YMMV.

    You’re welcome.

  • Zombie Apocalypse – Economic armageddon using Gresham’s Law

    I was heartened to find out that someone was given grant money for a study that demonstrates that the fresh brains market in a zombie apocalypse would peter out after six months. Afterwards, the earth would be either empty (most likely) or a wasteland with few zombies.

    So that gave me an idea. Gresham’s Law, crudely stated, says that bad money drives out good money. My thesis is that the market for high quality security assessments (“good money”, e.g. skilled manual review) is being driven out by the prevalence of low or unknown quality security assessments (“bad money”) in a rush to the bottom on fees. This correlates with an increase in business loss as attackers stop putting up alert boxes and start stealing (brains) from the population.

    So is there any hope? Do we need hope? Could we have a market in the post-trust Internet?

    Let’s have a thought experiment – what would the Internet look like post zombie apocalypse (or if you’re Paul Fenwick, a post singularity AI overlord who turns out not to be our friend). Could commerce exist and in what form if we totally (and I mean totally debased) the security market to the point that there is no trust on the Internet?

    Of course it would look like this:

    [image: “Let Me Show You My Pokemans” cover]

    What would that look like for traders in an all lolcats world?

    In my view, the signs of a post-zombie apocalypse are:

    • The market would mainly consist of small unregulated trades, much like drug deals today you see on TV crime shows;
    • There will be a limited market for large trades, and large trades would be highly regulated in a walled garden;
    • There is very limited to no trust;
    • Trades would be done in places that are not particularly consumer friendly (either “friendly” to mall owners like Amazon or Etsy, or dark places like the Silk Road);
    • There would likely be an arms race of sorts between the main actors in the market, such as targeted phishes of oppressed ethnic minorities or other outgroups;
    • There would be little to no enforcement as there’s basically no detection;
    • There would be minimal to no proactive security measures being undertaken, with this “technology” essentially unknown to the market or deeply hoarded by those who actually know.

    In my view, many of these signs are starting to crop up now, with the dark net market in malware, infected machines, and illicit substances traded for virtual currencies.

    We are at a turning point for trust. Either we must support the market in a way that punishes weak security or bad money, and rewards leading security practices, or we give up and embrace the smaller and more diverse dark market. There’s still money to be made – for some – in the dark market.

    What do you think the future of the security market looks like?

  • Argumentum ad antiquitatem

    This post is not in Latin, but essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes:

    • Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools showing that the bulk of human-chosen passwords can be cracked in a reasonable time. It’s time to move on to two factor authentication, alternatives such as federated login over OAuth2 (i.e. Facebook/Twitter/G+ integration) or Mozilla Account Manager, and random long passphrases for all accounts.
    • “Security” shared knowledge questions and answers. These are commonly used to “prove” that you have sufficient evidence of identity to resume access to an account. We see these actively exploited continuously now. Unfortunately, most families including ex-spouses have sufficient knowledge of the identity and access to the person’s identity documents that such questions, no matter how phrased (like “What was your favorite childhood memory”), are simply unsafe at any speed, as more than ONE person knows or can guess the correct answer.
    • That requiring authentication is enough to eliminate risks in your application. Identity and access management is important, but it’s only part of the picture.
    • That enforcing SSL or access through a firewall is enough to eliminate risks in your application. Confidentiality and integrity of connection is vital, especially if you’re not doing it today, but it’s only part of the picture.
    • That obfuscation is enough to deter hackers. Client side code is so beguiling and the UX is often amazing, but it’s not safe. Business decisions must be enforced at a trusted location, and there’s little business reason to do this twice. So let’s get that balance right.

    What are some of your pet “argumentum ad antiquitatem” fallacies?

  • Securing WordPress with obfuscation

    So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin.

    Changing the prefix is easiest done with a new installation, but my installation dates from the very first versions of WordPress when the dinosaurs roamed. Due to WordPress’s design, changing the database prefix (‘wp_’) is not as straightforward as you would expect.

    Edit wp-config.php

    In this exercise, we’re going to change from the default “wp_” prefix to “foo_”. If you’re doing this for security through obscurity reasons, don’t use “foo_”, use something you made up. Trust me, my prefix is NOT “foo_”. In wp-config.php, change:

    $table_prefix  = 'wp_';

    to

    $table_prefix  = 'foo_';

    Once you’ve saved the file, your WordPress installation is now officially broken. Move fast!

    Rename your tables

    use myblog;
    show tables;

    and for each of the tables you see there, do this:

    rename table wp_options to foo_options;

    At this point, your blog will now be viewable again, but you will not be able to administrate it. Accessing /wp-admin/ will say “You do not have sufficient permissions to access this page.”

    Fix WordPress Brain Damage

    Let’s go ahead and fix that for you. WordPress also bakes the prefix into some key names (wp_capabilities and wp_user_level in usermeta, wp_user_roles in options), so those have to follow the rename. Anchor the match on the prefix rather than using an unanchored REPLACE(), which would also rewrite a ‘wp_’ that happens to appear in the middle of a key; the backslash stops LIKE treating the underscore as a single-character wildcard:

    UPDATE foo_usermeta SET meta_key = CONCAT('foo_', SUBSTRING(meta_key, 4)) WHERE meta_key LIKE 'wp\_%';
    UPDATE foo_options SET option_name = CONCAT('foo_', SUBSTRING(option_name, 4)) WHERE option_name LIKE 'wp\_%';
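To avoid typing one RENAME per table and to keep the key-name fix anchored to the real prefix, here is an added example (not part of the original post or of WordPress) in POSIX sh: feed it the output of SHOW TABLES plus the old and new prefixes, and it prints the RENAME TABLE statements and the two UPDATEs, escaping the underscore so LIKE matches it literally. The function name gen_prefix_sql is mine, and the table listing at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from WordPress: generate the
# complete prefix-change SQL from a SHOW TABLES listing read on stdin.
# Usage: gen_prefix_sql OLD_PREFIX NEW_PREFIX < table_list
gen_prefix_sql() {
    old="$1"; new="$2"
    start=$(( ${#old} + 1 ))                         # 1-based start for MySQL SUBSTRING
    like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')  # '_' is a LIKE wildcard; escape it
    while IFS= read -r table; do
        case "$table" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}" ;;
            *)       printf '%s\n' "-- skipping $table: does not carry prefix $old" ;;
        esac
    done
    # Key names inside usermeta and options carry the prefix too (wp_capabilities,
    # wp_user_level, wp_user_roles). Anchor on the prefix so only true prefixes change,
    # unlike an unanchored REPLACE(), which would also alter 'wp_' in the middle of a key.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like_old"
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like_old"
}

# Constructed listing standing in for `SHOW TABLES` output on the blog database
printf '%s\n' wp_options wp_usermeta wp_users wp_posts backup_copy | gen_prefix_sql wp_ foo_
```

For real use, source the function and run `mysql -N -e 'SHOW TABLES' myblog | gen_prefix_sql wp_ foo_` into a file you read before feeding it back to mysql (-N drops the column header so only table names reach the loop). Take a dump first; RENAME TABLE is immediate and there is no undo.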

    You’re welcome.

  • Time to update knowledge

    This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to Type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need help, including helping me with code snippets that are in a modern paradigm.

    I don’t care what technologies you choose, but your code reviews will not be using Type 1 JSPs or Struts for that much longer – if at all. Time to upskill!

    I suggest:

    • Ajax anything. Particularly jQuery and node.js. GWT is on the wane, but still useful to know
    • Spring Security, Spring Framework and particularly Spring Web Flow are essential skills for any code reviewer doing commercial enterprise code reviews
    • .NET 4.5 and Azure are killer skills at the moment, particularly as Windows 2012 has just been released. Honestly, there is a good market to be a specialist just in this language and framework set, as it’s literally too large for any one person to know.
    • Essential co-skills: Continuous integration, agile methodologies (you have updated your services to be agile aligned, right?), and writing security unit tests so your customers can repro the issues you find.

    It’s important to realise that good code reviewers can code, if poorly. Poor code reviewers don’t code and have never written a thing. Don’t be a bad code reviewer.

    I do not suggest Python, Ruby on Rails, or PHP as these are rare skills in the enterprise market, but if they scratch your itch, go for it, but be aware that these skills do not translate out to commercial code review jobs. The fanbois of these languages and frameworks will hate on me, but honestly, there’s no reason to learn these languages except for the occasional job here and there, and if you’re any good at the list above, PHP in particular is easy to pick up. Fair warning, it’s a face palm storm waiting to happen.

  • OWASP Developer Guide – time for a new meeting

    If you are participating in the OWASP Developer Guide, I want to have another status meeting Friday next week.

    Friday 2nd November 1300 UTC
    Saturday 3rd November 0000 AEDT (my time zone)

    Come be my friend on Google+, and ask to be in my OWASP Guide circle. This circle can participate in the Hangout.

    Hope to see you there!