Blog

  • How today’s Twitter Attack Might Never Have Been

    I feel sorry for Twitter – they have the poster child of low value apps (which usually means no security controls or review), and then all of a sudden, they get done over using such a simple attack that it’s generous to call the attack a “hack”. Of course, because of the targets – Barack Obama, Stephen Fry (the world’s best comedian bar none) – who are HIGH value targets, Twitter is feeling the pain of applied media heat today.

    Twitter on Monday said the hacker had broken into 33 accounts by gaining access to tools used by its support team.

    “These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck,” wrote Twitter co-founder Biz Stone in a blog post. “We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.”
    – from ZDNet

    If Twitter had simply built their software (in 2006) to follow the 2005 OWASP Guide 2.0, they would have been safe today in 2009. 

    Security Principles

    I cribbed and re-phrased these from the 2002 Guide 1.0, which were in turn cribbed from the seminal Saltzer and Schroeder’s 1975 paper. This stuff is not new.

    This is all about application architecture. If Twitter had designed their admin app to be non-reachable from the Net, the attack would have failed. If they had made users unable to perform admin tasks, they would have been safe. If they had defense in depth, they would at the very least have known about the attack. If they had separated admin tasks from user tasks properly, they would have been safe. If they had not relied on hiding the URL or parameters of the admin interface, they would have been safe, because it would have been unreachable instead of merely hidden.

    These are all design time considerations, and they are ultra important … even when you design a low value application.

    Access Control

    • Principle of least privilege
    • Centralized authorization routines
    • Authorization matrix
    • Controlling access to protected resources – All functions must be access controlled

    If ANY of these had been followed, they would have been safe. 

    Administrative Interface

    • Best practices – describes the Twitter issue completely. It would be the new example if I were writing this today.
    • Users are not admins, admins are not users.
    • Divide the admin interface off into its own app, unreachable from the Internet.

    If ANY of these had been followed, they would have been safe. 

    In general, we know and have documented the solutions to these ultra common issues. Here’s my rule of thumb – if you design insecurely, you WILL be broken into. Security Architecture is a MUST. 
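    The access control and admin interface principles above, as an added example in Python (not Twitter’s code, and not from the OWASP Guide): a default-deny authorization matrix consulted by one central routine, every function checked before dispatch, denied calls logged, and the support tools living in a separate app bound to an internal address so the public app has no route to them at all. The role names, function names and addresses are constructed for the demonstration.

```python
# Added example: a default-deny authorization matrix, one central authorize()
# routine, and admin tools in a separate internal-only app. Not Twitter's code;
# Role, AUTHZ_MATRIX, App and the function names are hypothetical.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    USER = "user"          # ordinary account holder
    SUPPORT = "support"    # support staff who use the admin tools


# Authorization matrix: function name -> roles allowed to call it.
# Anything not listed is denied, so a new function is unreachable
# until someone deliberately grants access to it.
AUTHZ_MATRIX = {
    "post_status": {Role.USER},
    "read_timeline": {Role.USER, Role.SUPPORT},
    "reset_account_email": {Role.SUPPORT},   # the kind of support tool in the story
}


def authorize(role, function):
    """The single, centralized authorization routine every dispatcher calls."""
    return role in AUTHZ_MATRIX.get(function, set())


@dataclass
class App:
    name: str
    bind_address: str        # "0.0.0.0" = Internet facing; private address = internal only
    routes: dict             # function name -> handler; admin routes never appear in the public app
    audit_log: list = field(default_factory=list)

    def dispatch(self, role, function, *args):
        # 1. Unknown route: the function does not exist in this app at all.
        #    Absence is a control; a hidden URL is not.
        if function not in self.routes:
            self.audit_log.append(f"{self.name}: no such function {function!r}")
            return ("not_found", None)
        # 2. Central authorization before any handler runs (all functions access controlled).
        if not authorize(role, function):
            # Defense in depth: every denial is logged so the operator finds out.
            self.audit_log.append(f"{self.name}: DENIED {role.value} -> {function}")
            return ("forbidden", None)
        return ("ok", self.routes[function](*args))


def post_status(text):
    return f"posted: {text}"


def read_timeline():
    return ["hello world"]


def reset_account_email(account, new_email):
    return f"{account}: email reset to {new_email}"


# Users are not admins: the public app simply does not contain the admin routes.
public_app = App("public", "0.0.0.0",
                 {"post_status": post_status, "read_timeline": read_timeline})
# Admins are not users: the support tools are a separate app on an internal
# address (constructed value) that is not routed from the Internet.
admin_app = App("admin", "10.0.0.5",
                {"reset_account_email": reset_account_email, "read_timeline": read_timeline})

if __name__ == "__main__":
    print(public_app.dispatch(Role.USER, "reset_account_email", "alice", "x@example.com"))
    print(admin_app.dispatch(Role.USER, "reset_account_email", "alice", "x@example.com"))
    print(admin_app.dispatch(Role.SUPPORT, "reset_account_email", "alice", "x@example.com"))
    print(admin_app.audit_log)
```

    The point of the two App instances is that the public one returns not_found for an admin function whatever role is presented: there is nothing to guess, because the route is not there. Inside the admin app the matrix still has to grant the role, and a denial leaves an audit entry.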

  • 2009 – The Year of WebAppSec Solutions

    “He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984

    Looking back at the last few years, we’ve made some huge leaps at swatting issues that bit us in the past, but still have not made the fundamental leap to controlling the future, and in particular controlling the risk from VALUE attacks, such as phishing, crimeware, and process issues (aka business logic issues).

    I’ve been interested in process issues for a long time, as it’s the easiest way to get VALUE out of a system. One of the earliest web app sec attacks was against CDNOW back in the mid 90’s. They preceded and were bigger than Amazon for a long time. Ultimately, Amazon acquired CDNOW. Why? Apparently, they had a cool front end shopping cart, a payment system and a shipping system. Sure enough, the shipping system took a bunch of hidden fields and accepted a “paid=yes” type of flag. So essentially, you could fill in the hidden fields with the CDs you wanted and skip ahead to the ship bit, and get free stuff. End of story, they’re part of Amazon today instead of the other way around. The opportunity cost of being insecure for CDNOW can be measured in billions and will continue to rise as the years go on. That one attack wasn’t the end of the business, but it set them along the path.

    So why, in 2009, do we allow 1995 era attacks to succeed? Why is this stuff not taught at University? Why are the business folks who make really bad decisions allowed to continue on doing the same old, same old, when they should know – do know – that it’s going to cost them a lot more in the long run?

    So let’s look at the lows and highs of 2008:

    Highlights of 2008:

    • PCI compliance starts to hit merchants. They still suck, but unlike before, they’re now going to have to fix their stuff or go out of business.
    • PCI 1.2 updated to OWASP Top 10 2007. Awesome.
    • OWASP has a huge security summit in Portugal, deciding on future directions, and an awesome set of security conferences around the world. I think we have hit critical mass.
    • OWASP Application Security Verification Standard released.

    Low lights of 2008:

    • Phishing and malware links as tracked by APWG rose to its highest level ever. 
    • Massive compromise of credit cards continues – vendors continue to flout PCI regulations and common sense.
    • SQL injection attacks launch a million malware infestations

    This basically means that attackers have been noted by the mainstream media and others as attacking VALUE through web apps, and not assets, like pwnage. They don’t care about the mechanism so much as the money. This has been my view for at least five years. I don’t care if you control a 100,000 bot fleet – your just desserts are coming soon in your very own dawn raid. I do care if you can steal from 95,000,000 folks or defraud thousands with one e-mail.

    “How’s that working out for you?” – Dr Phil McGraw

    When we do something that is clearly not working, it is beyond time to do something different.

    Back in 2002, I was doing security architecture in web apps for some of my more forward thinking clients. I have a draft book in my OWASP folder on Web App Security Architecture I started in 2003. When I moved to the USA in 2006, security architecture was completely off the average US enterprise architect’s radar. Only today are we seeing some traction in this space, and not everywhere.

    Success stories elsewhere

    With air safety, various safety bureaus review crashes and make binding resolutions on pilots, manufacturers and airlines to remediate design issues and human factors. For example, in many cultures, a strongly hierarchical society is the norm. More than a few co-pilots have sat meekly by, refusing to override their captain as they plowed straight into the ground. So the airlines were forced to change the human element in the cockpit, forcing subordinates to take control when the situation warranted it.

    Air safety is a poster child for what can and should be done. From the early days when cowboys ruled the roost and many died, to today when only rail is safer per million passenger miles, air travel is one of the safest transport forms, despite being so inherently dangerous from a physics point of view (speed, height, traffic density, weather conditions, etc). We need to emulate air safety. Web application security is at the point where enforceable regulations are in their early days, like seat belts in cars were 50 years ago. 

    We can and must skip 50 years. I’m not a huge fan of heavy handed regulation as I feel it will stifle the next big thing if done wrong, but I think many languages and frameworks are settling around a few major paradigms. We can help them, and they must help their users. 

    We KNOW how to secure those meta-issues. We MUST secure those meta-issues. So here’s my 2009 Wish List:

    Education

    We have to educate those who come after us. This means getting into every CS and Software Engineering course world wide, and ensuring they have at least one mandatory security architecture / software security subject.

    All applications share exactly one feature: security. I don’t think you can be a sound practitioner unless you have at least heard about this most fundamental of issues. It’s like graduating accountants who have not completed Audit 101. It’s completely ridiculous that there’s no equivalent in most CS and software engineering degrees today. 

    I am also only going to speak at developer and architecture conferences. Speaking at security conferences is awesome and I usually get married or drunk or both, but it really doesn’t advance the state of the art. Architects and developers must get on board, and to do so requires their buy in. 

    Eliminate XSS and SQL injection

    We really need to get some basic technical things off the radar, so in 2010 and beyond we can deal with VALUE attacks. To that end, 2009 should be spent encouraging open source and vendors to fix XSS and SQL injection. We know how to fix these things. OWASP’s ESAPI has the canonicalization, input validation, and output encoding features that every application can use. Every modern framework has prepared statements or some mechanism safer than dynamic statements.

    I encourage the OWASP leadership and those in leadership positions to take a stand on these two items. I call on all framework providers to make the simplest possible output mechanism XSS safe. I call on framework providers to deprecate and eliminate dynamic SQL queries, or at least make serious warnings pop up so that folks know that they should not be using those interfaces. I call on open software repositories to stop downloads of packages that have open CVE entries. It’s important to bubble up the importance of safe software, and we can’t do this by wishful thinking.

    We can do this. It’s not a pipe dream. 
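    One shape for “the simplest possible output mechanism is XSS safe”, as an added example in Python that is not ESAPI’s or any framework’s code: every template value is HTML-encoded unless the developer wraps it in an explicit Safe marker, and URL attributes get a scheme check on top of encoding. The Safe, render and encode_for_* names are hypothetical.

```python
# Added example: an output mechanism that is XSS safe by default. Not ESAPI
# or any framework's code; Safe, render and encode_for_* are hypothetical names.
import html
import re


class Safe(str):
    """A value the developer has deliberately marked as trusted markup.
    Wrapping must be explicit; nothing is trusted by accident."""


def encode_for_html(value):
    """HTML-encode for an element body or a quoted attribute value."""
    if isinstance(value, Safe):
        return str(value)
    # quote=True also encodes " and ', so the value cannot break out of
    # a quoted attribute.
    return html.escape(str(value), quote=True)


def encode_for_url_attribute(value):
    """Encoding alone is not enough inside href/src: a non-http(s) scheme
    is harmless as text but not as a link target. Allow only http(s) URLs."""
    url = str(value).strip()
    if not re.match(r"^https?://", url, re.IGNORECASE):
        return "#"
    return html.escape(url, quote=True)


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template, **values):
    """Substitute {name} placeholders; everything is encoded unless Safe."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template refers to unknown value {name!r}")
        return encode_for_html(values[name])
    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed display name with markup in it, the usual stored-XSS shape.
    print(render("<p>Hello, {name}</p>", name="<b>Mallory</b>"))
    print(render("<p>{body}</p>", body=Safe("<em>trusted</em>")))
```

    The design choice is that the unsafe path is the one that needs extra typing: forgetting to encode is impossible, and a Safe() wrapper is something a reviewer can grep for.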

    Security Architecture Is a First Class Citizen

    It’s important to start putting security architecture in its place – which is every bit as important as the shiny buttons folks click or the processes businesses use to get stuff done. We cannot hope to eliminate design issues that allow VALUE attacks unless security architecture fu is strong within every organization writing software today. 

    Although history is written by the victors, we’re a long way from victory. Let’s get cracking!

  • Santy Paws Came To Town

    Well, that was a blast. 

    On Wednesday afternoon, I took Baby Girl to see Santy Paws (Satan Claws or Santa Claus, depending on if you believe in Ceiling Cat, Basement Cat, or are just a plain pagan). We stood in line for close to three hours. There was one Santa’s helper on duty, and for obvious reasons (being ridiculously old), he kept on taking breaks. You’d think Columbia Mall would work out…

    Thousands of parents x $13.95 (at least) per sitting == they can afford more than one Santa, and possibly a few hundred Santas.

    But no. Oh well.

    Baby Girl was awesome. She hung out in line with me even though she had little to do, and couldn’t go crawling or exploring – which as every parent knows is a recipe for Total Munchkiness. However, she was happy for the most part – including the first bit when we shuffled past Santa’s Grotto on the way to the entrance some hour or so ahead. She liked what she saw – kids sitting on this old man’s knee and stuff going on. However, looking back now, I think it may have been the computer and the cameras. She’s an awesome geek grrl and loves her gadgets.

    The line went on and on. When she got too antsy, I gave her some puffs and water. After about two hours, she started getting really antsy, trying to stand up and get out of the stroller. So I fed her one of the last pre-made bottles. Awesome baby girl returned. I didn’t know how much longer she’d last as it was well past nap time, but I persevered. She let the slightly older girls just in front of us touch her face and play with her toys on the front of the stroller. Things were looking good, even though I really wished she had taken a nap.

    She was ultra good right until the end. Santa took a break just before me, and as he walked past, Baby Girl started to show the five early signs of being tired, which is being a bit crotchety and rubbing her eyes and being a bit of a munchkin. Oh well, only a few more minutes. 

    So Santa came back, and I quickly put her on his lap thinking this could be a one shot deal, all the while making sure she could see me. I didn’t even let go of her hand before…

    WAAAAAAAAAAHHHHHH!

    Tears started flowing, tears of real fear. She stared at Santa, pulled away towards me, and started gulping air. Not good. Although I secretly (okay, not so secretly) wanted a photo of her crying as that makes an awesome 21st birthday picture, I didn’t want what came next…

    BAAAAAAAAAAARRRRRRRRF!  WAAAAAAAH!

    Santa got it good, and so did baby girl’s costume and the floor. Suffice to say, as she’s growing up fast she doesn’t do inoffensive and small up chucks any more. She did a veritable projectile exorcism of toddler barf. It stunk of mostly digested puffs, milk, lunch and formula. Poor baby girl!

    I took her to the men’s bathroom, which thankfully had a change area, and got her cleaned up and changed into emergency civilian clothes.

    She looked at me so sadly that I couldn’t take her back to go sit on the old man’s lap again. I’m reasonably certain Santa was relieved as well.

    So no Christmas photo with Santa this year. Of course, from the Silver Lining in Every Bad Cloud Situation Department: I have an awesome story for her 21st birthday! Yay!

  • A review of 2008

    Last year, I made the following observations / resolutions. Let’s check out how well I did:

    • Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife. 

    I think I succeeded at this one.

    • Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?

    Although I am lighter (149 kg down from probably ~ 155 to 160 kg), I’m not significantly lighter. I could have been close to 100 kg if I had stuck to an appropriate diabetic friendly diet and exercised more. I blame baby girl. JOKING. I’m a member of the cult again, and I have diary entries for walks and gym, so hopefully this time next year, maybe I could be closer to 100 kg than I am today.

    • Finish at least one piece of first class research in the web app sec field

    Nope. Not even close. Started a few though. And that’s the subject of my next post – what to look forward to in 2009.

  • IE exploit spreading via SQL injection

    It’s no news that the latest 0day for IE is spreading via SQL injection attacks. What is news is why are we still suffering from SQL injection? We’ve known for over eight years how to utterly end SQL injection. I’m sick of writing about it. We should not be talking about SQL injection any more. 

    This is a call to arms – SQL injection is a done deal. It stops today!

    I call on:

    • Acquirers of software to inspect nvd.nist.gov and determine if the software you’re about to acquire has ever had SQL injection. If so, make sure it does not use dynamic queries today. If it does, do not acquire or use it.
    • Managers of software libraries to investigate all software in their possession in the same way. If it has had SQL injection in the past, it’s likely that it still has dynamic queries today. Write to the project and demand a version that has no dynamic queries. Make transition plans to get off faulty software if they do not respond or cannot respond in a reasonable time frame. We did this for the Y2K effort; it’s not that hard.
    • Open source project houses such as Google Code, Microsoft’s CodePlex and SourceForge should put projects that have dynamic queries on notice that their downloads page will be disabled by Dec 31, 2009 if they still have any dynamic SQL queries in them. I know this is a lot of work, but I can’t think of an easier way to provide outreach to so many projects simultaneously.
    • CISOs, CIOs and lead architects to outlaw the use of dynamic and concatenated queries in your policies and coding standards, and to mandate the use of un-injectable alternatives.
    • Developers to stop using dynamic queries and concatenated strings in prepared statements. With all haste, migrate all your code to prepared statements, stored procedures (noting that these may still have issues), or an alternative data storage mechanism, such as Hibernate or Active Record.
    • Frameworks to deprecate and eliminate dynamic SQL query interfaces (Java’s Statement, PHP’s mysql interface, etc) with extreme urgency. Today, they should emit warnings in DEBUG mode, and in six months to a year, they should cease to exist.
    • Frameworks should inspect prepared queries in DEBUG mode, and if there’s a WHERE clause without a placeholder, the query should raise a warning during compilation or at runtime, depending on how your language operates. Of course, there are SQL queries whose WHERE clauses are static, but these are the exception, not the rule. We need to help developers pinpoint weak statements, so a pragma or comment mechanism to shut the warning down would be helpful too.
    • If you audit or review source code, you should mark all dynamic SQL queries critical, because they are critical risks. Without understatement or hyperbole, dynamic queries are an obvious clear and present danger to the world’s IT infrastructure, and they simply do not need to exist.

    SQL injection stops today! There’s an awful lot of code that needs fixing, so let’s get cracking.
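    The dynamic query beside its prepared-statement replacement, and the DEBUG-mode check on WHERE clauses proposed above, as an added example in Python with SQLite (not code from any framework or from the post). The users table and its two rows are constructed, and check_query with its “-- static-where” comment pragma is a hypothetical name for the warning and the opt-out the post asks for.

```python
# Added example: concatenated query vs. bound parameter, plus a DEBUG-mode
# check that flags a WHERE clause with no placeholder. Not any framework's
# code; make_db, lookup_*, check_query and the pragma are hypothetical.
import re
import sqlite3
import warnings


def make_db():
    """Constructed in-memory table with two rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_dynamic(conn, name):
    # Vulnerable: the value is concatenated into the SQL text, so SQL syntax
    # inside `name` becomes part of the query the engine parses.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    # Safe: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Placeholder styles: qmark (?), named (:name), format (%s).
PLACEHOLDER = re.compile(r"\?|:\w+|%s")
STATIC_WHERE_PRAGMA = "-- static-where"


def check_query(sql):
    """DEBUG-mode inspection of the text handed to execute(): returns True and
    emits a warning when there is a WHERE clause but no placeholder, unless the
    developer has marked the query as genuinely static with the pragma comment."""
    if STATIC_WHERE_PRAGMA in sql:
        return False
    if re.search(r"\bWHERE\b", sql, re.IGNORECASE) and not PLACEHOLDER.search(sql):
        warnings.warn(f"WHERE clause without a placeholder: {sql!r}", stacklevel=2)
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_prepared(db, "alice"))                 # ['alice']
    print(lookup_dynamic(db, "alice"))                  # ['alice'] today, anything tomorrow
    print(check_query("SELECT name FROM users WHERE name = 'alice'"))   # True, warns
    print(check_query("SELECT name FROM users WHERE name = ?"))         # False
    print(check_query("SELECT * FROM users WHERE deleted = 0 -- static-where"))  # False
```

    A framework would run check_query on the final text given to execute() when DEBUG is on: a query built by concatenation shows up because the string that reaches the driver has a WHERE clause and no placeholder, while a genuinely static WHERE is silenced with the comment pragma rather than by switching the check off.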

  • WordPress 2.7 released with easter egg

    As I noted a few weeks ago, WordPress has had an obfuscated easter egg in it for some time.

    Despite reporting this security defect / software engineering malpractice to two different WordPress folks (the author of the excellent WP development blog, and the security team’s e-mail), 2.7 was released with the easter egg. 

    Hopefully, this will be resolved in a future release.

  • I fear mitochondria

    I was having lunch today at a nearby Chinese restaurant. I was seated next to some young folks who were loudly having a biology discussion. I tuned in because I’m a geek, but I kept my mouth shut after I heard one bad science moment after another.

    Unfortunately, the discussion quite quickly changed from being a biology discussion to a metaphysical discussion about whether mitochondria see us as the parasite or vice versa. Whilst I am not a biologist, I do receive “Nature” and therefore have the right to blog mindlessly on this topic and any other science related topic.

    From what limited understanding I scraped from the Wikipedia article, mitochondria and us are at best symbiotes, but the reality is that without mitochondria we would be nothing and without us, our specific types of mitochondria would not exist. Therefore, I doubt the mitochondria fear me any more than I fear the trillions of them running around my body right now.

    In the next few minutes, the discussion on the next table did not get any closer to making any sense. In the end, I realized that they were design students (I am lunching near Madison Ave). Nothing wrong with design and fashion per se beyond its obvious superficiality and banality, but it’s obvious that science is not a part of their education.

    I wonder about this country’s long term future. The USA needs folks who at the very least understand science and do not fear it.

  • Diabetes: One Year To The Day

    This is the one year anniversary of being diagnosed with type 2 diabetes. It’s been an interesting year, and I’ve learnt a lot about what it means to have diabetes, and it’s definitely impacted my diet.

    The biggest change is a sad one for me – some of my favorites are simply not good for me. I can’t eat a bunch of stuff, including white rice (> 200 mg/dL blood glucose for even small amounts), which eliminates so many foods and makes eating commercial Asian food basically off limits. Pretty much everything white – white flour, white bread, sugar, potatoes, etc, is off limits.

    Another loss, which I feel sad about the most is alcohol (I do have the very occasional drink, but I’ve had less than 1 litre of alcoholic drinks in the last year, mostly beer, and I usually pay at the finger jab for it too).

    In some ways, knowing that I have diabetes helps explain some of the things I have had wrong with me for a while, but in other ways, I’m sort of frustrated as I’m at the very low end of the diabetic scale. My A1C is 6.1 for several endocrinologist visits. I’ve been put on some interesting medications, including one that helped me mostly get over my needle phobia. Nothing concentrates the mind more than having to inject yourself three times a day. However, that med made me feel quite ill, so I was able to stop it.

    The one disappointment is that I’ve not had much luck in losing weight, which is a key component of getting off the various medications I’m on. I really need to spend way more time at the gym as my diet is optimized to the point that I’m no longer losing weight by eating less (and different). My body is extremely good at making me awesomely tired and exhausted rather than giving up the fat reserves. The only way to beat this thing is get the metabolism moving. I hope this time next year, I will have better news on the weight front. The good news is that I now fit into the clothes I came to the USA in, but that’s not as good as I wanted or expected of myself.

  • Decoding wp-admin/js/revisions-js.php easter egg

    From time to time, I look at WordPress, which as you may have guessed, runs my blog. It’s had a spotty security history. If I can find something in a few minutes, I’ll help out as it’s my data at risk.

    But then they go and do this:


    <?php

    if ( !defined( 'ABSPATH' ) )
        exit;

    /** @ignore */
    function dvortr( $str ) {
        return strtr(
            $str,
            '\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
            'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
        );
    }

    $j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
    $n = wp_specialchars( $GLOBALS['current_user']->data->display_name );
    $d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );

    wp_die( <<<EOEE
    <style type="text/css">
    html body { font-family: courier, monospace; }
    #hal { text-decoration: blink; }
    </style>

    <script type="text/javascript" src="$j"></script>
    <script type="text/javascript">
    /* <![CDATA[ */
    var n = '$n';
    eval(function(p,a,c,k,e,r){e= ... crap deleted ...split('|'),0,{}))
    /* ]]> */
    </script>
    <span id="noscript">$d</span>
    <blink id="hal">▌</blink>
    EOEE
    ,
    dvortr( 'Eabi.p!' )
    );

    So what does it do? Let’s undo this obfuscation one thing at a time:

    The Caesar Cipher was easy – I created a new PHP file with the dvortr() function and the strings to be decoded. They came out as:


    Don't let this happen again. Go Back.
    Danger!

    The packer was also easy: I changed the code to pump out the HTML on the command line, plonked that back into Eclipse, and changed the definition of eval to alert, one of the more evil / stupid things JavaScript lets you do:


    eval = alert;
    eval(...)

    I then copied and pasted the code in the alert pop up and re-formatted it in Eclipse.

    Guess what? It’s got another layer of obfuscation, again using the same crappy Caesar cipher. Figuring out the strings and what it does is pretty easy from that point on.

    Interestingly, when Firebug stumbles across code it thinks is compressed JS, it stops showing you the code. WTF? You can still step through it one line at a time, but the compressor is NOT a security mechanism, and hiding it will not stop me. I will report a bug with the Firebug team as stopping the display of JavaScript is a defect, not a feature to protect the revenues / reputations of compressors.

    So, decoding in multiple passes, the final output is this:


    Self-comparison detected.
    Initiating infinite loop eschewal protocol.
    Self destruct in... 3
    2
    1

    It’s an easter egg error message when a revision comparison fails. Or something like that. This is completely unnecessary – there’s no dark secret here requiring this level of sneakiness, and it’s an excellent place for malicious folks to hide attacks.

    The code is so obscure that no static analysis tool can inspect it, and no security auditor would normally take the time out to look at it, and yet it may contain an XSS or DOM injection, or it may contain malware if the download is corrupted or a fake version comes out.

    I really wish that folks who think this sort of thing is necessary would stop to think about the amount of time it took them to craft this particular gem.

    It would be best to delete this – and every other WP easter egg – now before it infects any 2.7 installations. Easter eggs are incompatible with secure software.
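    The first decoding pass as an added Python example (not WordPress’s code and not the PHP file the post describes): dvortr() is a one-to-one character substitution, the Dvorak key positions mapped onto QWERTY, which PHP’s strtr() applies, so str.translate() reproduces it exactly, and the two ciphertexts are the ones quoted in the easter egg. The second part is a review-time check for the p,a,c,k,e,r packer header and for eval() of built strings, so obfuscated code gets flagged for a human rather than skipped; find_obfuscation and OBFUSCATION_MARKERS are hypothetical names.

```python
# Added example: Python re-implementation of WordPress's dvortr() plus a
# review-time check that flags packed/eval'd JavaScript. Not WordPress code;
# find_obfuscation and OBFUSCATION_MARKERS are hypothetical names.
import re

# Exactly the two alphabets strtr() receives in revisions-js.php, after PHP
# single-quote unescaping (\' -> ' and \\ -> \). The first string is the
# Dvorak layout read row by row, the second the same keys on a QWERTY board.
DVORAK = "',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz\"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]"
QWERTY = "qwertyuiop[]\\asdfghjkl;'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:\"ZXCVBNM<>?-="
assert len(DVORAK) == len(QWERTY) == 70

_TABLE = str.maketrans(DVORAK, QWERTY)


def dvortr(s):
    """Same mapping as the PHP function: characters outside DVORAK pass through
    unchanged (which is why the '$' survives to be replaced by $redirect)."""
    return s.translate(_TABLE)


# Markers a code review or CI check can look for. The first is the
# p,a,c,k,e,r packer header visible in the easter egg (older releases of the
# same packer name the last parameter d); the second catches any eval() call.
OBFUSCATION_MARKERS = [
    re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)"),
    re.compile(r"\beval\s*\("),
]


def find_obfuscation(source):
    """Return the marker patterns that match; non-empty means a human has to
    read this before it ships, because static tools will not see through it."""
    return [m.pattern for m in OBFUSCATION_MARKERS if m.search(source)]


if __name__ == "__main__":
    print(dvortr("Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv"))
    print(dvortr("Eabi.p!"))
    # Constructed snippet shaped like the easter egg's script block.
    print(find_obfuscation("var n = 'x';\neval(function(p,a,c,k,e,r){return 1}(''))"))
```

    Decoding the first string gives the anchor markup behind the “Go Back” text quoted above, with the $ placeholder still in the href until str_replace() fills it. The marker check is deliberately crude: the goal is not to unpack anything automatically but to make sure a file like this cannot pass review unnoticed.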

  • OWASP EU Summit

    Although I am unable to attend, I hope you can attend the OWASP EU Summit, to be held next week in Portugal.

    There’s going to be lots of discussion about OWASP’s various projects, and work out futures for all of them. It’s going to be a defining event in OWASP’s existence, and I wish I could have been there.

    You can find out more about the summit here:

    http://www.owasp.org/index.php/OWASP_EU_Summit_2008

    I’ve left my run fairly late for the projects I contribute to (the OWASP Guide, Top 10, Coding Standard, etc), which is a shame, but since chairing a session requires some dedication and time, I couldn’t find folks on the ground in time to replace me. There was talk of me presenting remotely via Skype, but I haven’t followed that up, and the calendar looks very full. We’ll see if there’s a way I can contribute in other ways.

    I still need fresh victims^H^H^H^H^H volunteers for the OWASP Developer Guide, Top 10 2009, and Coding Standard. Please e-mail me vanderaj @ owasp . org if you can help write a paragraph or two per day.