Saturday, October 30, 2010

Firesheep - New tool to hijack open wireless sessions

Ian Gallagher and Eric Butler's Firesheep plugin for Firefox has made a lot of news this week. They released the tool at the Toorcon conference.

More than anything, it demonstrates the security risk of connecting to open (unencrypted) wireless networks. Wireless is a broadcast medium: any client associated with an open network can "see" and capture all the traffic passing over it, provided its network interface card and operating system support capturing (some do, others don't).

This tool makes that capture easy. It lists every user on the network who is accessing one of a pre-configured set of web sites (including many well-known social networking and public email sites) and offers to take over each user's account by attaching to that user's session. The technique is called sidejacking, a form of session hijacking: the session ID, carried in a cookie that the web site and the user's browser exchange over an unencrypted channel, is read out of the captured packets, and the tool then sends its own requests to the web site with that cookie attached.

Web servers generate these session IDs, which are unique to a user for a particular session, and send them to the client in a cookie, a hidden form field or a URL parameter. The session ID is what saves the user from logging in again on every request, so whoever holds it gets the same privileges as the real user for as long as the session lasts. The problem is that many web sites encrypt only the initial login, to keep the credentials from being stolen, and then fall back to plain HTTP for the rest of the session; every post-login request, session cookie included, crosses the network in the clear.

For those in the web application security world this is a well-known attack: broken session management and insufficient transport layer protection have been on the OWASP Top 10 for years. Nor is Firesheep the first tool to perform it. Back in 2007 Robert Graham coined the term sidejacking and released the Hamster and Ferret tools, which have similar capabilities; Firesheep is simply far more user friendly, to the point that a non-geek can use it on an open wireless network.

The best preventive method is to encrypt every exchange between the web server and the client, not just the login, and to mark the session cookie Secure so that the browser never sends it over plain HTTP, even on an incidental http:// request to the same site (without that flag, a site that offers HTTPS can still leak the cookie). This is an effort on the web server side, and many sites are moving towards it. On the client side, Firefox add-ons such as HTTPS Everywhere, NoScript (its Force HTTPS option) and Force-TLS rewrite requests to HTTPS for sites that offer it, which only helps where the site actually serves every page over HTTPS.
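The mechanics described above, as an added example in Python that is not part of the original post and is not Firesheep's own code: it pulls session cookies out of a constructed set of cleartext HTTP requests for a Firesheep-style table of sites, builds the request an attacker would replay, and audits a constructed server response for cookies set without the Secure attribute. The hostnames, addresses and cookie names are all made up for the demonstration.

```python
"""
Sidejacking in miniature, on constructed cleartext HTTP traffic:
  1. pull session cookies out of requests captured on an open network,
  2. build the replay request an attacker would send with them, and
  3. audit the site's Set-Cookie headers for the missing Secure attribute
     that lets the cookie travel over plain HTTP in the first place.
Hostnames, cookie names and addresses are made up for the demo.
"""
from typing import Dict, List, Set, Tuple

# Firesheep-style per-site table: which cookie names carry the session.
# Constructed; Firesheep's real site handlers are not reproduced here.
SESSION_COOKIES: Dict[str, Set[str]] = {
    "www.social.example": {"sid"},
    "mail.webmail.example": {"SESS", "auth"},
}

# Constructed capture: (client IP, raw HTTP request). On an open wireless
# network any associated client can record these with a sniffer.
CAPTURE: List[Tuple[str, str]] = [
    ("192.168.1.23",
     "GET /home HTTP/1.1\r\nHost: www.social.example\r\n"
     "Cookie: theme=dark; sid=7f3c9a1e\r\n\r\n"),
    ("192.168.1.42",
     "GET /inbox HTTP/1.1\r\nHost: mail.webmail.example\r\n"
     "Cookie: SESS=a1b2c3; lang=en; auth=xyz987\r\n\r\n"),
    ("192.168.1.77",
     "GET / HTTP/1.1\r\nHost: news.other.example\r\n"
     "Cookie: visitor=1\r\n\r\n"),
]

# Constructed server response: the session cookie lacks Secure, the CSRF
# token has it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=7f3c9a1e; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=q9w8e7; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (host, path, cookies)."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return headers.get("host", ""), path, cookies


def extract_sessions(capture: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """{(client_ip, host): {cookie: value}} for every captured request to a
    site in SESSION_COOKIES that carried one of that site's session cookies."""
    found: Dict[Tuple[str, str], Dict[str, str]] = {}
    for client_ip, raw in capture:
        host, _path, cookies = parse_request(raw)
        stolen = {k: v for k, v in cookies.items()
                  if k in SESSION_COOKIES.get(host, set())}
        if stolen:
            found[(client_ip, host)] = stolen
    return found


def forge_request(host: str, path: str, cookies: Dict[str, str]) -> str:
    """The replay step: the attacker's own request carrying the victim's
    session cookies. The server cannot tell it from the victim's browser."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


def cookies_without_secure(raw_response: str) -> List[str]:
    """Names of cookies the response sets without the Secure attribute. Such
    a cookie rides on any plain-HTTP request to the site, so it leaks even
    when the login itself went over HTTPS."""
    leaky: List[str] = []
    for line in raw_response.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        if "secure" not in {p.lower() for p in parts[1:]}:
            leaky.append(name)
    return leaky


if __name__ == "__main__":
    for (ip, host), cookies in extract_sessions(CAPTURE).items():
        print(f"{ip} -> {host}: {cookies}")
        print(forge_request(host, "/", cookies))
    print("cookies set without Secure:", cookies_without_secure(SAMPLE_RESPONSE))
```

The third captured client is ignored because its site is not in the table, which mirrors how Firesheep only acts on sites it has a handler for; the audit function is the server-side check worth running against your own login response.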

The slides of their Toorcon talk and the tool are available here

Saturday, October 23, 2010

Are privacy, information theft and data breaches big issues today?

You bet. It is evident from the fact that leading newspapers such as the New York Times, Washington Post and Wall Street Journal are running news items and their own investigations into privacy issues and data breaches. Indian newspapers are not far behind: the Times of India reports such cases on a regular basis. Even Dilbert is getting into this.

The US Government is also working on new legislation that enforces more privacy-related controls, and it is encouraging to see that Congressmen are more concerned about privacy breaches. The recent Facebook privacy issue caught the attention of Congressmen Edward Markey and Joe Barton, who have asked Facebook to answer questions regarding the Wall Street Journal report.

Corporations are also becoming more concerned about privacy and information theft. In a recent survey of 800 senior executives at global firms, commissioned by Kroll, information theft was the most-reported form of fraud: 27.3% of those surveyed reported an incident of information theft in the previous 12 months, compared with 18% in the 2009 survey. For the first time, data theft surpassed physical theft.

The complete report is here.

As information security practitioners, what can we do to help? This calls for better monitoring, new detective and preventive controls, and improvements across people, process and technology.

Tuesday, October 19, 2010

Facebook - more privacy issues

An investigation conducted by the Wall Street Journal, my former employer, found that many of the most popular applications on Facebook have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies. This is true even if you set your profile to Facebook's strictest privacy settings.

The article is here

The problem is that applications like FarmVille run on top of Facebook inside iframes, and Facebook lets the application developers do whatever they want within that frame, including serving ads and sending whatever information they can collect from the browser (IP address, browser cookies and so on) to third parties. In the cases the Journal describes, what reached the advertising and tracking companies was the user's numeric Facebook ID, which identifies the profile regardless of its privacy settings.

Wednesday, October 13, 2010

Stuxnet update

A loyal reader commented on my Stuxnet post mentioning that BitDefender has a free tool to remove the malware.

From the BitDefender blog:

BitDefender has added generic detection covering all variants of Stuxnet as of July 19, thus protecting its customers since day zero. Computer users that are not running a BitDefender security solution can now eliminate Stuxnet from the infected systems by running the attached removal tool. The tool can be run on both 32- and 64-bit installations and will eliminate both the rootkit drivers and the worm.

The tool can be downloaded from here.

Saturday, October 2, 2010

State of Software Security

Veracode, an application security testing company, has published a report on the findings from its assessments. The report covers 2,922 applications assessed by Veracode over the previous 18 months. Some of its observations:

  • More than half of all software failed to meet an acceptable level of security and 8 out of 10 web applications failed to comply with the OWASP Top 10
  • Cross-site Scripting remains the most prevalent of all vulnerabilities
  • No single method of application security testing is adequate by itself
  • The security quality of applications from the Banking, Insurance and Financial Services industries was not commensurate with their business criticality
The complete report is available here.

Friday, October 1, 2010

What is Stuxnet?

Stuxnet is a worm that spreads via removable drives, and it has been getting a lot of press lately. Malware spreading through removable devices is not a new concept, so what is special about this one? It is the first malware known to inject code into the programmable logic controllers (PLCs) behind a SCADA system.

The initial attack vector is a malicious shortcut file (.LNK) that exploits a recently identified Windows vulnerability in how the shell handles shortcut icons, patched as MS10-046 (CVE-2010-2568). Back in July, I wrote about this vulnerability here.

When a drive containing the malicious .LNK file is browsed with an application that displays shortcut icons (Windows Explorer, or Internet Explorer showing a local folder), the shell resolves the shortcut in order to draw its icon. A crafted shortcut points that icon at a Control Panel item, and the unpatched shell loads the DLL the item refers to just to obtain the icon, which runs the malicious code. What is interesting is that the user need not double-click the .LNK file to trigger the vulnerability: just opening the folder containing the malicious file is enough to get infected.
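A worked check for the shortcut mechanism just described, added here as an example (not Stuxnet's code and not any vendor's removal or detection tool): a minimal .lnk parser that walks the LinkTargetIDList and flags shortcuts whose ID list passes through the Control Panel folder and carries a path to a .dll or .cpl file. The header layout, LinkCLSID, LinkFlags bit and IDList framing follow the MS-SHLLINK specification; the two sample shortcuts, their item layouts and the payload path are constructed for the demonstration, and the heuristic is an approximation rather than a full exploit signature.

```python
"""
Minimal .lnk (Shell Link) IDList walker with a heuristic for the kind of
shortcut MS10-046 / CVE-2010-2568 concerns: one whose target ID list runs
through the Control Panel folder and ends in an item naming a DLL or CPL
file, which the unpatched shell loaded just to render the icon.
The two sample shortcuts are constructed here; they are not Stuxnet's files.
"""
import struct
import uuid

HEADER_SIZE = 0x4C                       # ShellLinkHeader.HeaderSize
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_IDLIST = 0x00000001      # LinkFlags bit 0


def is_shell_link(data: bytes) -> bool:
    """HeaderSize and LinkCLSID are what identify a .lnk file."""
    return (len(data) >= HEADER_SIZE
            and data[:4] == struct.pack("<I", HEADER_SIZE)
            and data[4:20] == LINK_CLSID)


def parse_idlist(data: bytes) -> list:
    """Payload bytes of each ItemID in the LinkTargetIDList (empty when the
    HasLinkTargetIDList flag is clear). Structures after the IDList are ignored."""
    if not is_shell_link(data):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos = HEADER_SIZE + 2
    end = pos + idlist_size
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:               # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed IDList")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def is_suspicious_lnk(data: bytes) -> bool:
    """Heuristic: Control Panel folder CLSID somewhere in the IDList, plus an
    item whose bytes, read as UTF-16LE at either alignment, name a .dll/.cpl."""
    items = parse_idlist(data)
    if not any(CONTROL_PANEL_CLSID in item for item in items):
        return False
    for item in items:
        for offset in (0, 1):
            text = item[offset:].decode("utf-16-le", errors="ignore").lower()
            if ".dll" in text or ".cpl" in text:
                return True
    return False


def build_lnk(item_payloads: list) -> bytes:
    """Assemble a shortcut consisting of just a header and a LinkTargetIDList.
    Constructed for the demo; every other optional structure is omitted."""
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    idlist += b"\x00\x00"                # TerminalID
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples. Item layouts are simplified; only the CLSIDs and the
# embedded path matter to the heuristic.
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,     # root: My Computer
    b"\x2f" + b"C:\\" + b"\x00",         # drive item
    b"\x32" + b"notepad.exe" + b"\x00",  # file item
])
MALICIOUS_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x80" + CONTROL_PANEL_CLSID,   # Control Panel folder
    b"\x00\x00" + "E:\\payload.dll".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(name, len(parse_idlist(blob)), "items, suspicious:",
              is_suspicious_lnk(blob))
```

Run it over every .lnk on a removable drive before opening the drive in Explorer, or from a machine where shortcut icon rendering has been disabled; a hit means the shortcut's icon resolution points at a library, which is never what a normal shortcut needs.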

Once running, the worm searches for Siemens SIMATIC WinCC/Step 7 systems. When it finds one, it injects its own code blocks into the programmable logic controllers (PLCs) managed from that system and changes the behaviour of the process they control. The second stage does not rely on a Siemens vulnerability to upload that code: Stuxnet replaces the DLL that Step 7 uses to talk to the PLC, so its blocks are written alongside the legitimate project code and are hidden from an engineer who reads the program back. The hard-coded password is a separate weakness, a credential for the WinCC database account that Stuxnet uses to reach the WinCC SQL Server database on other machines and spread further.

Check the below links for more information on this worm