Since the disclosure debate has been beaten to hell and every argument has already been presented, I won’t make a long-winded rant/argument; I’ll just very briefly summarize my views.
Goal of every party involved: make the end user more secure.
With the above being said, let’s go over the responsibilities of the two typical parties.
Researcher:
Disclose vulnerability to vendor as soon as possible.
Don’t disclose to the public until the vendor has a fix*
*If the vendor is taking an irresponsible amount of time to fix:
- apply pressure to vendor
- seek help of 3rd party to apply pressure to vendor
- disclose the vulnerability to the public.
Summary of researcher responsibilities:
By not disclosing the vulnerability immediately to the public, the researcher is saving the end user from a 0day situation. If the vendor is taking an irresponsible amount of time to fix it, then it may be necessary to play hardball with the vendor and possibly release to the public before there is a fix. It ultimately does not make the end user more secure if the vendor is taking an irresponsible amount of time to fix it, because if there is a bug in the software, we have to assume that the hacker underground already knows about it and is possibly using it. So disclosing the vulnerability after that irresponsible amount of time puts a great amount of pressure on the vendor to release a fix ASAP.
Vendor:
Provide a line of communication that researchers can use to contact the vendor directly
Listen to researchers
Respect researchers
If a flaw is found, collaborate with researcher to provide a reliable fix in a timely manner
Fix the flaw in a responsible amount of time.
Announce vulnerability and fix.
Summary of vendor responsibilities:
Fairly simple. Vendors have often not accepted that there is a flaw in their software, have smeared/discredited researchers, and have generally not been open to the security research community. Vendors have been getting a lot better at this, but it’s still not perfect. Also, of course, a fix needs to be issued in a timely manner. Taking months and months to fix a bug leaves the end user more and more at risk. That’s it, like I said, simple.
PHP is a very easy language to pick up and learn in a short amount of time. How to install and run a LAMP stack is very well documented and not hard at all. Also, as outlined in my last post, PHP does not have an easy-to-use security framework or tools to easily implement basic security into a web application. These three things lead to the code in the link below, to inexperienced developers creating incredibly insecure web applications, and ultimately to PHP getting a bad security rap.
http://preview.tinyurl.com/24eyrpj
There isn’t much to say about this code: it does not work, it’s sloppy, it’s not preventing much, it only checks the query parameters and not the values, and overall… WHY! Why are you not just using mysql_real_escape_string() on your user input that goes into SQL statements?!?!
This is why PHP gets a bad security rap: because inexperienced developers create insecure applications, and PHP does not give you the quality tools to create a secure app.
So last month was the month of PHP bugs, put on by one of my favorites, Stefan Esser. So let’s take a look at one of the vulnerabilities that was released by Stefan. Go ahead and take a look at the vulnerability for a minute, I’ll wait…
OK, so you might say, “so what?” It’s a typical input sanitization vulnerability; those are found every day in various web apps. But there is a slight twist on this one, and I think it’s a very important point to make. Taking a quick look at the code you might see an obvious SQL injection staring you in the face: ..from rra where id=" . $_GET["rra_id"]);.. But go on and read a little more: they are validating user-supplied data with a regex to make sure it’s what they expect. So all is good, right? Well, they are validating the variable from the $_REQUEST superglobal instead of from $_GET. What’s wrong with this is that while they might seem the same, they are very much not the same. $_REQUEST can contain things from $_POST and $_COOKIE, as well as $_GET. So an attacker can place a string that passes validation in $_COOKIE and a SQL injection string in $_GET that will be passed to the SQL query. So overall, the developer had the right state of mind (to validate input) but lacked in the execution. But could some blame be put on PHP for giving the developer poor tools to work with ($_REQUEST)? Read below…
I believe this represents the state of PHP security. I believe that PHP is harder to secure than other web programming languages/frameworks and has many caveats that can get a programmer in trouble if used wrong, or used at all. Is this a shortcoming of the developer or of PHP? An argument can be made that it’s both parties’ fault. I will argue that PHP could do a better job of giving developers the good quality tools and frameworks they need to put good security in place on their web applications. Notice I used “good” very often, because PHP does provide some tools, but I think they could be made much better. Especially when we are putting more and more information on the web and putting more trust into web applications. After all, PHP was originally designed for small personal home pages, never for the large scale applications that it’s being used for today. So maybe it’s time for something to change.
Stay tuned for when I post an example of where it was the clear fault of the developer and a great example of why PHP is thought of as one of the most insecure web app programming languages.
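To make the $_REQUEST/$_GET mismatch concrete (and the escaping point from the previous post), here is an added example that is not from Stefan Esser’s advisory or this blog. It builds $_REQUEST by hand so it runs from the command line without a web server; build_request, query_vulnerable and query_fixed are hypothetical names, and the request values are constructed.

```php
<?php
// PHP fills $_REQUEST from the sources named by variables_order / request_order
// (historically GET, then POST, then COOKIE, later sources overriding earlier
// ones). This helper models that so the mismatch is visible offline.
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array {
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter]);
    }
    return $request;
}

// The pattern from the advisory: validate one superglobal, query with another.
function query_vulnerable(array $request, array $get): string {
    if (!isset($request['rra_id']) || !preg_match('/^[0-9]+$/', $request['rra_id'])) {
        return 'rejected';
    }
    // The regex never looked at this value.
    return 'SELECT * FROM rra WHERE id=' . $get['rra_id'];
}

// Fix: read, validate and use the same variable, and cast it to the type the
// column needs before it reaches SQL (a bound parameter is better still).
function query_fixed(array $get): string {
    $id = isset($get['rra_id']) ? $get['rra_id'] : '';
    if (!preg_match('/^[0-9]+$/', $id)) {
        return 'rejected';
    }
    return 'SELECT * FROM rra WHERE id=' . (int) $id;
}

// Constructed request: the cookie carries a value that passes the regex, the
// query string carries one that does not.
$get     = ['rra_id' => '1 OR 1=1'];
$cookie  = ['rra_id' => '42'];
$request = build_request($get, [], $cookie);

echo query_vulnerable($request, $get), "\n";  // validation passed, injection reached the query
echo query_fixed($get), "\n";                 // rejected
echo query_fixed(['rra_id' => '42']), "\n";   // SELECT * FROM rra WHERE id=42
```

The same lesson applies to escaping: mysql_real_escape_string() or a bound parameter only helps if it is applied to the exact value that ends up in the statement.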
One of the things I was looking forward to the most with my new MacBook Pro was the AES-NI instruction set on the i7 Arrandale, which would greatly speed up AES operations. Well, it seems like this is not being utilized by OSX (or PGP?). Below are some benchmarks, pre and post whole disk encryption with PGP 10.0.1. I’m not very impressed; from looking at other benchmarks[1] of what AES-NI can do I expected better results.
pre encrypt (benchmark screenshot)
post encrypt (benchmark screenshot)
I believe I will continue to use PGP WDE; it’s not a noticeable slowdown, and the peace of mind it gives me is priceless (and performanceless?).
[1] http://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538-7.html
I came across a great tool that reviews your Facebook privacy settings and lets you know if you have any settings that will allow the outside world to see your information. It’s quick, easy, and works great.
http://www.reclaimprivacy.org/facebook
Facebook introduced a great new feature that protects its users from unauthorized access to their accounts. I urge you to check it out and enable it!
Cool things I’ve found:
If you get a notification about a bad guy logging into your account and you go and deactivate that computer from your list, it will force close their session.
Shortcomings:
It does not give you any information on the location of the computer, other than what the “user” types in. A phisher could type in “home” for the computer name when they are really logging in from Egypt. That would be a nice piece of information to provide to the account holder.
It does not protect against session hijacking: if a bad guy can intercept your cookies from a logged-in authorized session, they won’t be bothered by this security feature.
http://blog.facebook.com/blog.php?post=389991097130
At Facebook’s yearly f8 conference, Mark Zuckerberg introduced a couple of new things to Facebook that will affect its users’ privacy.
The first is what Facebook calls the “Open Graph Protocol”, which allows websites to interface with some of Facebook’s features and user data. Their flagship feature that will come from this is the “like” button that people can put on their websites. This will allow a website to have a news feed of the pages that people have been “liking” on their site; check out cnn.com for an example.
The second big change introduced at f8 was the ability for all applications to store user data indefinitely. This is a huge change from the previous regulation that user data could only be stored for 24 hours. This means that your Facebook profile information is only one developer’s mistake away from being compromised, or one shady app away from your data being sold off to who knows where. But people who develop Facebook applications are great programmers.. right?! Well, the scary part is that any average Joe with a little programming experience can put out a Facebook application and store user data forever.
My advice to you all: disable the “Open Graph Protocol” by going to “Privacy Settings > Applications and Websites” and unchecking the checkbox. I would also urge you to go through the list of applications that have access to your profile data and clean it up! I have deleted all applications except official Facebook applications. Taken from the first article below, I have included steps on how to delete an application from your Facebook. The second link has more information on the Facebook Open Graph changes, and to get all the details, watch the keynote at the last link.
- Click on “Account” at the top-right of the screen.
- Click “Application Settings”
- Change the “Show” drop-down box to “Authorized.” This will show all the applications you’ve ever given permission to.
- In the resulting list, click the “X” button on the far right next to each app you want to remove to delete it.
- On the pop-up box that appears, click “Remove” then click “Okay” on the next box confirming the app was deleted.
http://www.readwriteweb.com/archives/how_to_delete_facebook_applications_and_why_you_should.php
http://www.pcworld.com/article/194886/facebook_5_privacy_settings_you_must_tweak_now.html
http://www.facebook.com/f8
Note: All files I reference here can be downloaded in a .zip file at the bottom.
As I was un-bricking my WRT54G (v3.1) that I will be using on my graduation cap, I had a hard time following the .pdf file included with the JTAG cable because it was so disorganized. So I’ll outline the steps I followed below. Please use the steps below as a guideline only; they will not contain every detail you may need.
- Use a soldering iron to remove the solder from the JTAG holes on the PCB. I used a cloth to clean off the solder, but buying a proper solder suction device will work better.
- Insert the JTAG connector into the holes and solder it on.
- Copy giveio.sys to c:\windows\system32\drivers\
- Run loaddrv.exe and install and start c:\windows\system32\drivers\giveio.sys
- Turn off your router, connect the JTAG cable to the router and the other end to a computer.
- Turn the router on.
- Run tjtagv2.exe -probeonly and you should get back *** REQUESTED OPERATION IS COMPLETED ***. If not, check your JTAG connections on the router: the connector may be backwards, some pins may be touching, or there may be a bad connection.
- Run tjtagv2.exe -erase:nvram
- Run tjtagv2.exe -erase:kernel
- Run tjtagv2.exe -erase:cfe
- Run tjtagv2.exe -backup:wholeflash
- Run tjtagv2.exe -erase:wholeflash
- Use Skynet CFE to make a CFE bootloader for your device. Make sure you have the latest version of the program. Put the resulting CFE.bin file in the same directory as your tjtagv2.exe file.
- Run tjtagv2.exe -flash:cfe
- Download firmware for your router.
- Connect a computer to the router over Ethernet and assign it a static 192.168.1.0/24 address.
- Power cycle the router, and right after you give it power run the command below. You may need to try this a few times to get the timing right. You can also use the tftp program included in the .zip file if you don’t want to use the Windows CLI command.
- Run tftp -i 192.168.1.1 PUT firmware_name_here.bin
- Give it a minute or so to reboot and you should have a working router!
For more fun stuff you can do with your WRT, check out Linksys WRT54G Ultimate Hacking.
.zip file with programs you will need.
If you have not already read about it, there was recently a wave of WordPress blogs that were hacked [1][2]. This was caused by two things. One, WordPress stores your database credentials in clear text in the wp-config.php file. Two, the file permissions for that file are 644 (read granted to everyone) with a by-the-book base installation. The latter is the root of the problem.
In an article recently published by Darkreading[2]: “Barry Abrahamson, systems wrangler for WordPress, says the attacks appear to have targeted weak file permissions. ‘File-level permissions and Web server security are the responsibility of the hosting environment, not the application,’ Abrahamson says. ‘WordPress can be installed a number of ways, and many hosts have built custom installers. I am not sure how WordPress was installed in these cases.’”
Well, I feel that WordPress is responsible, since they are able to fix and address the problem. If a default installation of your product, where the vendor instructions for installation were followed, is vulnerable in some way, shape or form, then it is your problem and your responsibility to fix it. It’s typical for a vendor to pass the buck to someone else: “oh, it’s not our problem, it’s the responsibility of <insert excuse here> to deal with it”. Why would it be the responsibility of the hosting provider to check to make sure the websites that their users are running are secure? That makes no sense; the vendor should make sure their application has a secure base installation. And it’s a one line code fix, for crying out loud! PHP has a built-in function to do this!
chmod("wp-config.php", 0600); // owner read/write only; the web server user must be the owner
and
// fileperms() returns the full mode; the low three bits are the "other" (world) permissions.
if ((fileperms("wp-config.php") & 0007) != 0)
{
    // display message to admin that their wp-config.php file is readable to global
}
So I’ve just demonstrated that WordPress can detect and fix this problem in less than 5 lines of code, yet they are saying it’s not their problem. /facepalm
And I installed WordPress by downloading the tar.gz file right from WordPress.com and setting it up manually, following the instructions from WordPress.com, and my wp-config.php file had 644 permissions on it. So it is your problem, WordPress, don’t try passing the blame onto someone else. I’m sick of vendors doing this and it really frustrates me that they won’t own up to it and take security seriously.
/rant
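The one caveat a chmod-based fix needs is ownership: if the PHP process is not the owner of wp-config.php (common when files were uploaded over FTP as a different user), 0600 locks the web server out of its own config. The following is an added example, not WordPress code, that audits the file and only tightens it when that cannot happen; config_file_exposure and harden_config_file are hypothetical names and the demo file is constructed.

```php
<?php
// Report which permission bits expose the config file to group or world.
function config_file_exposure(string $path): array {
    $mode = fileperms($path) & 0777;          // drop the file-type bits
    return [
        'mode'           => sprintf('%04o', $mode),
        'group_readable' => ($mode & 0040) !== 0,
        'world_readable' => ($mode & 0004) !== 0,
    ];
}

// Tighten to 0600, but refuse when the PHP user does not own the file, since
// 0600 would then make the site unable to read its own database credentials.
function harden_config_file(string $path): string {
    $exposure = config_file_exposure($path);
    if (!$exposure['group_readable'] && !$exposure['world_readable']) {
        return "ok: {$path} is {$exposure['mode']}";
    }
    $phpUser = function_exists('posix_geteuid') ? posix_geteuid() : null;
    if ($phpUser === null || fileowner($path) !== $phpUser) {
        return "warning: {$path} is {$exposure['mode']} but is not owned by the PHP user; "
             . "fix ownership before restricting it to 0600";
    }
    if (!chmod($path, 0600)) {
        return "error: could not chmod {$path}";
    }
    clearstatcache(true, $path);              // fileperms() results are cached
    return "fixed: {$path} changed from {$exposure['mode']} to 0600";
}

// Constructed demo: a temporary file left world-readable, as a default
// installation leaves wp-config.php.
$demo = tempnam(sys_get_temp_dir(), 'wp-config-');
chmod($demo, 0644);
echo harden_config_file($demo), "\n";   // fixed: ... changed from 0644 to 0600
echo harden_config_file($demo), "\n";   // ok: ... is 0600
unlink($demo);
```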
[1] http://blog.sucuri.net/2010/04/details-on-network-solutions-wordpress.html
[2] http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224300052
So I won’t be officially done with school until the fall, but I will be participating in the graduation ceremony in May. Now, I’ve seen some creative things that people have put on their graduation caps, so I’ve been thinking about something I could put on mine. And it finally came to me. What if I put a fully functioning, battery powered, WRT54G Linksys wireless router on top of my dome… jackpot. I could even make it relay the wireless network that’s provided by the campus, or have it just serve up a webpage with my résumé on it; either way it should be bad ass, right?! So below is a picture of what the inside of a WRT54G looks like. That’s what will be going on the top of my cap. Let the project begin!