Archive for the ‘Links’ Category

Temptation and Security

March 2, 2008

Ahhhh. We recently made an amazing discovery in our company, and I am so tempted to write about it here. But it would be absolutely unfair and inappropriate. Also, it would cost me my anonymity, which I value a lot. But it’s sooo cool, I can’t wait to get it out. (Yes, you can now imagine an angel on my one shoulder and the devil on the other.)

Generally, this seems to be a problem in security. People like to boast, as it is good to be admired by others. It is hard for us to keep things secret. Only when something would make us look silly are we interested in protecting the information.

People also like to be nice to others, so if someone is asked a question, he subconsciously wants to be friendly and answer it. It is actually really difficult to tell the person: “I know the information, but won’t give it to you.” This is the reason why social engineering attacks work so well.

As a great example, have a look at the DefCon talk by Johnny Long last year on Google Video. The talk is almost an hour long, but take the time, it is definitely worth it. Apart from it being really funny, it shows how people from the audience like to yell out the right answer, even if it’s something you would not want everyone to know.

Picture of tempting cookie by YlvaS

Hard Disk Encryption Not so Secure as You Might Think

February 22, 2008

Usually I try not to just reiterate what is written elsewhere anyway. But this thing is so hot and amazing that I just have to provide you with a link: New Research Results: Cold Boot Attacks on Disk Encryption.

In a nutshell: Hard disk encryption master keys are stored in DRAM. However, according to the research results from Princeton University, DRAM does not lose its content immediately, but only after a couple of seconds or minutes. If cooled (e.g. by spraying cooling spray on it), memory content can be preserved for multiple minutes and read back after booting a malicious operating system.

I strongly recommend you read it for yourself.

Picture of a Hard Disk by cgommel

Open Source Surveillance Drone?!

February 20, 2008

It seems like this has been around for a while, but it was still completely new to me: DIY and Open Source Surveillance Drones (or UAVs, short for Unmanned Aerial Vehicles). Already in 2007 they could be built for under $1,500.-. Here are two more links around the topic:

I just can’t decide how I feel about this. The geek in me thinks it’s amazing and wants to build one for myself, however my paranoid alter ego is scared to death by the idea that anyone can build a surveillance drone for (in the meantime probably under) $1,000.- and follow me around. I probably wouldn’t even notice.

Picture of surveillance camera by Enjoy Surveillance

XSS When Payload is Limited

February 13, 2008

Another interesting posting by pdp from GnuCitizen: He found an XSS and XSRF flaw in Pownce, however this is not the interesting thing about the article.

What makes it worth reading is pdp’s technique for injecting the JavaScript. Only a single field, limited to 16 characters, is vulnerable, as it does not escape the user input. Any useful attack requires way more than just 16 characters.

What makes the technique work is that below the vulnerable field, there’s another field that takes user input but does in fact correctly escape it. In between the two fields there’s some HTML garbage. By just opening a script tag and a multiline JS comment in the first field, all that needs to be done in the second field is closing the comment and writing JavaScript code that works without using angle brackets or quotes.

As I’m writing this I realize that I’m probably not very good at explaining, so just have a look at the code and you’ll see what I mean:

[html junk]

*/<script>/*

[html junk]

*/document.write(atob(/PHN[...]EtLQ==/.toString().substr(1,56)));/*

[html junk]

By using the eval() function, you can actually execute arbitrarily long base64-encoded JavaScript.
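To make the point concrete from the defender’s side, here is an added example (not code from the original post or from pdp’s GNUCITIZEN write-up). It simulates a page that echoes two user-controlled fields separated by static markup, with the first field capped at 16 characters, and renders it once the way the post describes (only the second field escaped) and once with every field escaped. The field names, the markup and the inputs are all constructed for the demonstration; the second input ends with a line comment instead of the post’s trailing “/*” so that the one-line template stays syntactically complete.

```javascript
// Added example; not from the original post or from pdp's write-up.

function escapeHtml(s) {
  // Minimal entity escaping for text placed inside element content.
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Static markup around and between the two fields ("html junk" in the post).
const BEFORE  = '<table><tr><td class="nick">';
const BETWEEN = '</td></tr><tr><td class="note">';
const AFTER   = '</td></tr></table>';

// Vulnerable page: the short field is inserted raw, only the long one is escaped.
function renderVulnerable(nick, note) {
  const short = nick.slice(0, 16);   // the 16-character limit from the post
  return BEFORE + short + BETWEEN + escapeHtml(note) + AFTER;
}

// Hardened page: every user-controlled value is escaped, whatever its length.
function renderHardened(nick, note) {
  const short = nick.slice(0, 16);
  return BEFORE + escapeHtml(short) + BETWEEN + escapeHtml(note) + AFTER;
}

// Constructed inputs following the structure in the post: the short field opens a
// script element and a block comment; the long field closes the comment and holds a
// statement that needs neither angle brackets nor quotes, then comments out the
// trailing markup with a line comment (constructed stand-in for the post's "/*").
const NICK = '*/<script>/*';          // 12 characters, within the limit
const NOTE = '*/document.title=1;//';

// Does the rendered markup contain a real (unescaped) script element?
function hasLiveScript(html) {
  return /<script\b/i.test(html);
}

// What the JS engine would be handed once the HTML parser reaches the script
// element: the body with block and line comments removed. Shows that the markup
// between the two fields is swallowed by the comment and never reaches the parser.
function effectiveScript(html) {
  const i = html.indexOf('<script>');
  if (i === -1) return null;
  return html
    .slice(i + '<script>'.length)
    .replace(/\/\*[\s\S]*?\*\//g, '')   // terminated block comments
    .replace(/\/\/.*$/gm, '')           // line comments
    .trim();
}

const vulnerable = renderVulnerable(NICK, NOTE);
const hardened   = renderHardened(NICK, NOTE);
console.log('vulnerable markup :', vulnerable);
console.log('script body seen  :', effectiveScript(vulnerable));
console.log('hardened markup   :', hardened);
console.log('live script?      :', hasLiveScript(vulnerable), hasLiveScript(hardened));
```

The takeaway for code review is the one the post makes: a length limit on a field is not an output-encoding control, and escaping most fields does not help when one short field is echoed raw, because comments let the injected script skip over everything in between. Run it with node and compare the two rendered strings.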

Picture of small house by Dom Dada

Slow Week

February 5, 2008

It’s kind of a slow week in security. Of course there’re new vulnerabilities, but no new interesting vectors of attack or anything like that.

So to give a sign of life, I at least updated my blogroll. There are some really great and interesting blogs among them. Here in order of how much I like them:

  • Heise Security: I like them because they compile lists like Full Disclosure or Bugtraq for me. I’ve long since canceled my subscriptions to the mailing lists themselves. The flamewars (especially on FD) are simply unbearable.
  • GNUCITIZEN: Currently one of the best security research blogs. The guys at GNUCITIZEN really know what they are doing and found a couple of high profile vulnerabilities recently. (Hey, if someone from GNUCITIZEN is reading this: Please use better pictures to illustrate your postings 😉)
  • Michael Howard’s Web Log: Michael over at Microsoft writes about the security aspects in software development (on Windows platforms). While I’m not a developer, it’s still good to be kept up-to-date.
  • SecurityBuddha: Everyone in security knows Mark Curphey. He’s one of the grandfathers of the OWASP Guide for example. Apart from being dreadfully funny, he raises lots of valid points.
  • RiskAnalys.is: Amazingly, there are not only technical blogs, but also some about the management aspects of security. RiskAnalys.is is all about risk management. It’s written by the guy who invented the FAIR risk analysis approach, btw.
  • Ivan Ristić’s Blog: Ivan is the original author and developer of ModSecurity. While you know my opinion on Web Application Firewalls, it’s always good to have an eye on your enemy competition fellow combatants 😉
  • HiredHacker: One of the newer entries in my RSS reader. I stumbled across the blog when I read about the Firefox vulnerability that was discovered by this guy.
  • Security on Digg: This is mostly not very relevant to information security, but from time to time there’re some funny stories.

If nothing more interesting comes up, I’ll post a list of the funny entries in my RSS reader too…

Picture of snail on mouse pad by zenera

PCI your Security Problems Away

February 1, 2008

Hehe, so spot-on!

Strip by Mark Curphey.

Yes, it is…

January 31, 2008

Recently I wrote about the issues I have with web application firewalls. However, today I’d like to give a short shout-out to the ModSecurity Blog and its newest article “Is Your Website Secure?”.

I like the message of the article so much that I’ll just cite the relevant section:

[…] one of the following: web vulnerability scanning, penetration testing, deploying a web application firewall and log analysis does not adequately ensure “security.” While each of these tasks excel in some areas and aid in the overall security of a website, they are each also ineffective in other areas. It is the overall coordination of these efforts that will provide organizations with, as Richard would say, a truly “defensible web application.”

I do think that some of the activities mentioned above are more effective (and therefore important) than others, but generally, I couldn’t agree more. Very well put Ryan Barnett, thanks!

Picture of scary spider in its web by Vanessa Pike-Russell

Finding Virtualhosts

January 29, 2008

Web applications are often the most vulnerable of all applications in an IT infrastructure, as they are

  • often built in-house by the company, and therefore have not undergone the security tests that might have been performed on standard software, and are
  • reachable from the Internet, so anyone with an Internet connection can access them.

Additionally, more than one domain can be served from a single web server. Each domain is then considered a virtualhost.

It’s sometimes really difficult to find all domains that are served from an IP address, as there is no way in DNS to enumerate all names that point to a certain IP. For an attacker or penetration tester, it is important to find as many virtualhosts as possible, as each one might contain vulnerabilities of its own.

The only way to do this is to build a large database with as many domain names as possible, complete with the IP addresses that these domain names point to, and then query it in reverse. Luckily, there are a couple of tools that have done exactly that:

  • YouGetSignal.com seems to be the newest tool and works pretty well. I did a couple of tests and it finds not only virtualhosts for .net, .com or .org, but also for local TLDs like .co.uk. According to the author of the tool, it simply uses search engine results to find as many domains as possible and performs DNS queries for them.
  • Robtex Swiss Army Knife as they call themselves also can help to find virtualhosts, but the results are a little bit limited and partly out of date.
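The same name-to-IP database, built and inverted in a few lines, as an added example (not code from the post or from either of the tools it links). It is useful in the other direction too: an administrator who knows all the names their organisation registers can see which of them land on the same server, and so which applications would be exposed together if one of them has a hole. The records are constructed; in a live run the sampleResolver would be replaced by a real DNS lookup (an assumption, e.g. Node’s dns.promises.lookup, which is asynchronous and would need the loop adapted).

```javascript
// Added example; not from the post or the tools it links. All records are constructed.
const SAMPLE_RECORDS = {
  'www.example.com': '203.0.113.10',
  'shop.example.com': '203.0.113.10',
  'intranet-old.example.co.uk': '203.0.113.10',
  'mail.example.com': '203.0.113.20',
  'blog.example.org': '203.0.113.30',
};

// Offline stand-in for a DNS lookup; throws on unknown names like a real resolver would.
function sampleResolver(name) {
  if (!(name in SAMPLE_RECORDS)) throw new Error(`constructed resolver: no record for ${name}`);
  return SAMPLE_RECORDS[name];
}

// Resolve every name and invert the result into ip -> sorted list of names.
// Names that fail to resolve are collected rather than aborting the whole run.
function buildIpIndex(names, resolve = sampleResolver) {
  const byIp = new Map();
  const failures = [];
  for (const name of names) {
    let ip;
    try {
      ip = resolve(name);
    } catch (e) {
      failures.push(name);
      continue;
    }
    if (!byIp.has(ip)) byIp.set(ip, new Set());
    byIp.get(ip).add(name.toLowerCase());   // de-duplicate case variants
  }
  const index = {};
  for (const [ip, set] of byIp) index[ip] = [...set].sort();
  return { index, failures };
}

// Every known name served from one address, i.e. its virtualhosts.
function virtualhosts(index, ip) {
  return index[ip] || [];
}

// Addresses carrying several names: one weak vhost there exposes its neighbours.
function sharedHosts(index, minimum = 2) {
  return Object.fromEntries(
    Object.entries(index).filter(([, names]) => names.length >= minimum),
  );
}

const { index, failures } = buildIpIndex([...Object.keys(SAMPLE_RECORDS), 'nonexistent.invalid']);
console.log('virtualhosts on 203.0.113.10:', virtualhosts(index, '203.0.113.10'));
console.log('shared hosts:', sharedHosts(index));
console.log('unresolvable:', failures);
```

Note that, exactly as the post says, the result is only as complete as the list of names fed in; a name nobody has recorded stays invisible, which is why the tools above seed their databases from search engine results.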

Picture of IT infrastructure where you literally have to find the web server by kchbrown

Graduate from MIT (well, almost)

January 19, 2008

So, you’d like to go to MIT, but can’t afford the $46,350 per year? I just came across an amazing link: MIT OpenCourseWare. They have about 1,800 MIT courses online, complete with slides, exams and everything else delivered over the course of the course. What strikes me, though, is that there is only one lecture about security online.

Also interesting are the blogs about IAP, the Independent Activities Period, which is currently taking place.

Picture of Boston at night by wumpiewoo

Video Recordings of 24C3

January 4, 2008

After missing the 24th CCC hacker conference (24C3) I’m glad to see that the recorded talks are available as video now. Their wiki has a page that lists all sources from which they can be downloaded. That’s over 9 GB of video material and 4 days’ worth of security talks (each day having three parallel tracks). Find the schedule of the conference here.

Don’t expect me to post to this page for the next couple of days. I’ll be watching videos 🙂

Photo of crowd at 24C3 by bicyclemark