Most web sites today use one form or another to generate their web site content. Some utilize the “offline” database back-ended approach, where pages are generated every so-often but the web site itself is made of static pages (HTML). Others utilize the “on-line” database back-ended approach, where pages are generated on-the-fly whenever a user requests them.

It is considered harder to hack an “offline” database back-ended web site, as you have no direct way to influence the content displayed by the web site if you send the web site malformed data. However as most webmasters would tell you the “offline” approach is harder to maintain, is slower to adapt to changes in content and requires greater thought into what is placed on-line - as content can take several minutes to hours to propagate into the static web site, that is why most of today’s web sites use the “on-line” approach.

This comes at a price - I will skip the hardware and software aspects - security wise of course. As the web site is built according to user provided data, this opens up the opportunity for the user in this case malicious in nature to manipulate the results returned by the server.

How common is it to see a web site get defaced via an IIS/Apache vulnerability? not very, and it usually occurs due to some newly discovered vulnerability in the mentioned products. How common it is to see a web site get defaced via a Windows/Linux vulnerability, it is roughly the same as seeing an IIS/Apache web site get defaced because of use of an old version of the software.

What is more common? web sites that get defaced due to improper usage of user provided data. These vulnerabilities are usually divided to the following categories:

• Cross Site Scripting
• SQL Injection
• Code Execution

Would it be difficult to detect these vulnerabilities? no, would it be difficult to avoid having them in the first place? no.

Therefore why are these vulnerabilities still present in high profile web sites? I could name a few such web sites, major news agencies and broadcasting networks, but it won’t help the end-user or the web site’s owner. Everyone knows there are numerous solutions of preventing, detecting and stopping these vulnerabilities from happening, so why isn’t it happening?

Are web site vulnerabilities, such as those caused by bad usage of user provided data, considered low risk vulnerabilities? I don’t think these vulnerabilities can be regarded as low risk.

Take this example, I was able in a few minutes of wandering through one of these news agency, which utilizes the unbreakable Oracle database, to discover the complete structure of their articles table/schema as well as read any entry present in the table by utilizing columns such as author, date, priority and keywords - that would be otherwise impossible to use through their normal web access interface.

The next logical step for a hacker discovering this would be to insert or modify an article found in the database, insert into it some form of malicious content - I can name a few: Ad-Ware installing page, fraud related “donation” button, etc. Does this sound factious? nope, it has been done and there is nothing stopping anyone from doing this again.

As history has taught us, these kind of vulnerabilities would go unnoticed until someone will write a worm that would exploit these vulnerabilities to skip from one server to another, which like CodeRed, will create enough havoc to create an understanding by the security community to the importance of addressing such vulnerabilities.

Future NOTE: Even if I say that such a worm will be written, it doesn’t mean I wrote it

What constitutes a crime?
What crime is more serious than another?

Both questions of great magnitude that I fear to even begin and approach in this blog. Still, whatever the answer is there is one thing I am sure of; it isn’t black and white.

In the changing world we live in with constant revolutions of a grand magnitude happening continually, with a global economy, Internet society and many others, we all try and cope. Our world is used to a major revolution in our way or life and how we think once every few dozens to hundreds years, allowing us time to adjust.

In today’s world we no longer have that luxury.

I often struggle with how law enforcement today operates. Organizations whose business it is to keep the public safe are years behind on what’s actually going on. Where they are not behind they often face policy from above that tells them not to work on “cyber”-issues (I hate “cyber-”) as there are far more pressing matters about.

That policy is correct. Catching murderers and rapists is by far more critical than catching the kid next door in his latest “computer prank”. Plus, petty theft is something the public cares about. “Hackers”.. well. We are often proud of our overly intelligent kids and the feats the accomplish.

As I already said though - nothing is ever black and white unless it is how we view it. Online crime is no longer about kids. It is not a bored employee who hates his boss and tries to hack the company’s servers after-hours. Online crime is a business.

Much like with every other society, the “attacker” may be a bored kid, a disgruntled employee or a small-time criminal. The “attacker” can also just as easily be the Mob, a competing company (industrial espionage) and maybe even a nation.

Who owns a gun in our world? Who owns a gun in the “cyber-”world? The comparison is very acute.

Today, this is not just FUD. Internet crime is no longer (ONLY) about kids trading bots like candy. Today it is about organized crime taking over and investing vast amounts of money in R&D of both their /technological/ and /operational/ capabilities.

We often do not see behind the scenes, but if we do take a few choice cases -
1. The Israeli Trojan Horse Scandal, where leading companies hired private investigation firms to spy on their competition using Trojan horses. The price-tag was 17K UK Pounds per computer being tapped, PER MONTH.
2. Google it, but there were similar cases discovered in the last 6 months in both the UK and the US.

I’ve personally been approached about doing such illegal “thingies” two times, thus far. Once by a middle-man and once by the CEO of a global private investigation firm. I didn’t take the jobs but it is pretty obvious that “hidden” world is very much alive. We just don’t hear about it _very_ often.

What we do hear about, see and get annoyed by every day is Phishing. It is public and might give us some sort of an indication to what this is all about.

The APWG reports thousands on thousands of new unique Phishing sites every month. Losses from Phishing in the US amount to 10-20 Million USD for some banks.

In Germany, there is a Phishing attack every few days by several different scammer groups. In each such attack about 2000 people get fooled and about 6 people do not get their money back (banks are very good at moving money around).
On average, about 6K Euro are lost per person. That’s 1.2 Million Euro per year, for one group. These numbers keep increasing.

It is estimated that globally, in the first half of 2005 roughly half a Billion USD were lost for scammers from Phishing alone.

All these numbers do not include damages, recovery and money paid for prevention.

What does this mean?

It means there is clear-cut ROI (Return on Investment - bahh, management talk) to the Bad Guys. They are not going to stop as long as the economics of it are in their favor and the only way to change the economics is to make it not worth their while.
Today they do not take much of a risk though, do they?

A second important point is that indeed, this is no longer just an ONLINE issue. Money is real. The attackers are not bored kids, they are more often than not the Russian Mob.

As an example for a meat-space connection; earlier this year a woman got her account cleaned up at a branch of her bank in the west coast, following her account details being phished.
A week later a FedEX package came in to a different branch of the bank - in the east coast.
That package held a fake check meant to re-fill that account.

Law enforcement has made incredible improvements in both ability and willingness to cope with online issues, especially these past two years. Still, they are under-staffed, often burdened by handling computers for meat-space cases over actual “cyber-” cases and the policy guys upstairs still do not see the problem for what it is.

That’s it in a nutshell. Next time, as time allows, maybe we will go into what actually gets done, who the players are and where we are all headed.

Gadi Evron,
ge@linuxbox.org.

I’m going to say some things, that might be the last thing I’ll ever be able to say (You’ll see why in the next paragraph ). Open source is as secure as much as the developers made it secure. It is not more secure then close source, and it’s not better then closed code. It’s merely code !

Most of the open source community (Hey I also develop open source tools and programs) try to sell us that Open = Secure. When Internet Explorer had a lot of security risks one after the other, firefox developers came and told us that in Open source it would have never happen. there are 10000000 (I must have missed few O ) eyes on the code so it’s can not be less secure, only more secure….

Ammm.. OK (I’m starting to look for a place to hide right about now )

The fact is, that for better, and more secure code, the first thing we have to do, is to educate people to think and be paranoid. Yeah! You can not trust any user input, any result of system function, and you must validate them over and over again.

You must check the input and see that it does not overflow the amount of memory you are willing to give your buffers.

You must sanitize (filter) any char you do not wish to see and have.
And escape anything that you must have, but may effect your program.

But wait, thats still does not give us secure programs and code, only start making us understand better the risks. For example, Off by one can happen to every one… specially after alcohol is involved

And what about the user control our function jumps (you know change hard coded our machine code of the program), or inject us with system functions of his like… We can sanitize the input we getting back form the function, but we can not control what happen on the function itself…

Or even bugs that we didn’t thought we had, and someone found them and exploit them. Or as Knuth one said: “I just proved that my claim is right, but I haven’t tested my code with a compiler” (I’m quoting from memory…)

But I just realize that thats not the thing I needed to start with… I should have said, that we are not educated to think in more secure manners. In high schools and universities we are taught to assume that the user input is somewhat correct, and all we need to do is focus on the functionality of the program.
We are also taught that there is only one “right” way to do thing and thats the professor way

So before every one starts jumping and accusing something to be more/less secure, lets start teaching people to do things in a more secure way… So how do we start ?

This was on NetworkComputing, pretty funny:

—–

The Zen of Password Management

Stage 1: Denial
They don’t really mean that I have to change my password. It’s just a suggestion, really, more of a guideline than a hard and fast rule. Really, that warning will go away if I ignore it.

Stage 2: Anger
I will NOT change my password. I can’t believe that the security of the entire company depends on me changing my password at this time. It’s just a silly policy that IT uses to exercise digital control over the rest of the world.

Stage 3: Fear
But if I change my password I might forget it! I like my password the way it is - right now. I probably won’t be able to remember what I changed it to and then I’ll have to ::shudder:: call the help desk. Oh god, why is this happening to me?

Stage 4: Acceptance
Okay, I’ll change my password but I won’t like it. I guess maybe it really is important. After all, someone used Mary’s password to hack into the corporate database yesterday and now we’re under investigation by like every agency with a three letter acronym. I’ll do it, but I hope they don’t think I’m happy about it.

Stage 5: Wonder
Hey, that wasn’t so bad. I remembered what my password is and when I told Bob and Jim and the counter guy at Starback’s about the phrase technique I use to remember it they thought I was pretty cool. I’m sure the guy at Starbuck’s was writing down my method so he could use it himself.

Stage 6: Joy
Wow, this new password is great! I wish I’d thought of it before. In fact, I’ve changed all my passwords to match the one I use at work! Gmail, Hotmail, PayPal, eBay… everything! It’s such a great password! I love it! Maybe I’ll name my first born after it!

Two weeks later …

Stage 1: Denial
I can’t believe I changed my password and told the counter guy at Starbuck’s about it. I can’t believe he used it to buy a giant cheetoh on eBay with my PayPal account and spammed everyone at corporate HQ from my Hotmail accout. At least he didn’t…oh my, why are those men in suits with dark glasses coming my way? They aren’t, they’re just … out for a stroll. I’m sure of it. Turn around and face the screen and whistle, they’ll just pass me by, I just know it!

—–

Gadi Evron,
ge@linuxbox.org.

An exploit that I can not give you exists for Mozilla (Gecko) based web browsers, and I also tested it on KDE’s Konqueror to find out that the problem exists there as well…

The bug was found by Georgi Guninski. For those who don’t know him, he is almost a “bug hunter for hire”.

So why can’t I give you the exploit ?

Well Mr. Guninski wrote the following in his Exploit:

Cannot be used in vulnerability databases
Especially securityfocus/mitre/cve/cert

And when we (SecuriTeam) sent him a private email about it, he told the entire world:

no.

you don’t have my permission.
try buying a licence with ca$h.

BTW If you really wish to see the Exploit, you can visit bugzilla

So I have one question, what ever happened to the idea of full disclosure?! I believe in it, and I saw how good it does for many products, that only when exploits and advisories came out, the vendor actually fixed the problems …

SonyxTeam has released a downgrader for the PSP. The downgrade works by exploiting a buffer overflow in libtiff which resides in PSP’s toc2rta 2.0. The downgrade utilizes the overflow as there is no other way to run non-Sony approved software on the PSP 2.0. The downgrade opens up the PSP device to independent software development for Sony’s device which hasn’t been Sony-approved.

In my opinion this is the first time a buffer overflow has been used for “good“, i.e. execute a good piece of software, rather than for “evil“, execute a bad piece of software. It would be interesting to see how would Sony react to this, and whether this will speed Sony’s responsiveness to software vulnerabilities found in their product.

This was just posted by Paul Vixie, and I believe it is the shortest and most to-the-point summary of the problem that I’ve seen.

The discussion was about alternate roots and people using alternate roots, causing chaos on the Internet by hurting the stability and flow of the domains/DNS system, and thus the Internet.

Some may say, they suck! Others may say - who can blame them?

—————————————-

(”Christopher L. Morrow”) writes:

>> So… Why is it again that folks want to balkanize the Internet like this?

the dreams fulfilled and/or still promised by the internet mostly involve
some kind of disintermediation, increases in freedom or autonomy, that kind
of thing.

in that context, centralized control over things like address assignments
and TLD creation is like fingernails on a chalkboard. a lot of folks feel
that “if it has to be centrally controlled, then $me should be in charge”
or at best “if it has to be centrally controlled, then $me want a voice.”

this desire is more powerful than any appreciation or understanding of the
benefits of naming universality or address uniqueness. human nature,
especially when individuals interact with herds, is predictable but not
necessarily rational.

>> I’m confused by the reasoning behind this public-root (alternate root)
>> problem… It seems to me … that there is no way for it to work, ever.
>> So why keep trying to push it and break other things along the way?

i think it’s because of what margaret mead wrote:

“Never doubt that a small group of thoughtful, committed people can
change the world. Indeed, it is the only thing that ever has.”

the internet is supernational. control over it is held by the ruling
political party, and their backers, in one country. thus there’s plenty of
money and power ready to back the next hair-brained scheme to break the
lock, even if (as i expect) lack of naming universality would be worse
than lack of naming autonomy.
– Paul Vixie

—————————————-

Gadi Evron,
ge@linuxbox.org.

One of the most damaging misconceptions in the world of security is the phrase “there is no 100% security”. This phrase is from the time of the security alchemists – the black-magic-voodoo-witch-doctor experts that knew how to install configure a firewall or harden a UNIX machine when it was a full-day task that required unusual expertise.
Back then, security was complicated and thus mysterious. Security experts were the selected few, and the common people needed and relied on them. In return, the priests chanted obscure statements such as “security is as good as the weakest link” (translation: after I fix this problem you will need to hire me to strengthen the second-weakest link) and my favorite phrase of all: “there is no 100% security”. The original intention of this phrase was to pack the 10 page legal disclaimer into a one-liner: “if someone hacks you after I finish securing your network, that’s not my fault”.

Only it backfired.

The “common people” tend to take things at face value. If you tell them there is no complete security, they understand just that – and the natural conclusion is that if there’s no complete security, why spend a small fortune on a partial solution? We might as well spend the bare minimum that’s required; we’ll never reach 100% anyway, the expert said so himself!

And so you have a whole generation of sys admins telling their boss that if they can’t spend a fortune on security they might as well do nothing. If only I had a nickel for every time I heard the “100%” as an excuse not to invest money in security…

But this climate is finally changing. How can I tell? First, the ’security for dummies’ books and courses. This is the equivalent of teaching farmers to read the bible, taking away the power from the Church. Second, the availability of automated tools that make it easy for the average sys admin to secure their network properly (no, it’s still not 100%. But so is every other thing in life). And finally, people like Ira Winkler, formerly the NSA, who says “[people] could prevent 95 percent of their problems by making a few simple changes in the way they do things with what they have already”. Amen.

> Your registered name is included to show this message originated from eBay. Learn more.

We are saved, eBay solved Phishing.

I suppose that is why I got this spam email message in my Inbox the other day:

> *eBay sent this message from Kathy Halmoes. (SamsungLTD).*
> Sender registered name is included to show this message originated from eBay.
> Learn more .

Ahh, so much for that assurance that it came from eBay. The ideas some people come up with…

Gadi Evron,
ge@linuxbox.org.

I really like it when people invent new terms.

It can be Spit and Spim for Spam coming from sources other than email. It can be Pharming for Phishing that is done by “misusing” DNS. It’s always “new” and always invented by a commercial company.

Annoying, but it’s how things are. One has to find ways to get MEDIA attention.

The latest invented term is “Ransomware”:

http://www.networkworld.com/buzz/2005/092605-ransom.html

Basically, a Trojan horse will get on your machine and without warning will at some point encrypt your files. Then the attacking party will demand some cash for the files to be restores/opened.

It’s a pretty cute idea, but it is nothing new. The whole idea behind Trojan horses is to be able to do stuff such as this, covertly, Whether for quiet spying or for overt annoying and destroying.

True, this way of employing the said Trojan horse is fascinating, but no more than that.

Leaving the Trojan horse itself behind, let us discuss the concept of online extortion for a bit.

Online extortion is one of the silliest ideas I ever heard. Not because it doesn’t work out for the Bad Guys, but because it simply makes no sense to the Good Guys.

Say you are in meat-space and you run a convenient store in down-town [Bad City here]. A gang comes by and threatens that if you don’t pay them protection money they will burn down your store.
It is pretty clear that in fact:
1. They will burn down your store if you don’t pay up.
2. It is likely that they will not burn down your store if you do.
3. They will come back for more if you pay them.
4. It is also likely that if another gang comes by and demands some money, the original gang will protect you from the new one.

Online, you have no face. You never really know who you are talking to. You have no guarantee that they are real, what they mean toward you and if they are trust-worthy.

Say somebody emails your CEO and says: “Pay up 10K bucks or we will DDoS you out of business”.
That can be rough on any company and especially on companies whose business models are based on being online, still -
Say you pay up:
1. What prevents the Bad Guys from attacking you anyway?
2. What prevents that Bad Guys from not attacking you regardless, wasting their resources on someone who won’t pay?
3. The Bad Guys cannot protect you from other Bad Guys.
4. There are so many Bad Guys out there, who is to say others won’t attack you?

And besides, meat-space basics apply here - if you give them money, they will come back and they will also bring friends. Unlike real life they cannot burn down your store. Whatever they do you can most likely come back from it and you can most likely also prepare for it.

The solution is simple. If your business model demands Internet access and you make money off the Internet, you should invest in protecting yourself accordingly.

DDoS is a problem, but one that you can cope with, especially if you plan ahead and consult with the right people, beginning with your uplink ISP and ending up with people who actually understand DDoS and security.

Trojan horses? “Ransomware”? It all comes down to planning security for your organization - in-depth.

Besides, as part of your business continuity plan (plan security, it’s not a bad idea) you could.. *shock* backup your files regularly?

I can’t teach anyone how to do security in one blog entry, but the points I am trying to make are:
1. Security is something you need to invest in, over time and as part of a through plan.
2. Online extortion is a scam,

Any of these threats can hurt you but you can either respond to them as a micro-issue and make sure that because somebody smuggled something on an airplane using their shoes no one will ever again smuggle anything on an air plain using their shoes, or you can make sure airline security is better all-together. There is always a new threat out there, dealing with each on-the-spot doesn’t really work and will end up draining more funds.

As to online extortion, I do not belittle the issue in any way. I do believe though that most who are forced to deal with it do not really understand the problem.

The times come where meat-space organized crime is getting involved with a lot of what’s going on online, and if we don’t get ready now, we will simply fall behind.

I’d like to thank Paul Schmehl for a conversation we had on the subject a couple of years back, he gave me some very good ideas to consider.

Also, I am waiting to hear from Dan Hubbard from Websense to find out what really happened in the story discussed (see URL to article above).
[ Having just heard from Dan this issue is dated back to May 2005:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194 ]

Gadi Evron,
ge@linuxbox.org.

Although the article isn’t new, it is still good reading material to those that are looking into implementing some sort of RFID for security or identification.

“The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below.”

To summarize the article you can do almost anything with their DST simulator and reader:

• Sniff a DST tag in a victim’s pocket
• Crack the key in a DST tag
• Start a car
• Buy gas

“Nice” poster outside the school, a bit stranger than you would expect though:

http://isc.sans.org/charityurls.php

You may have to choose a category (NEW).

Gadi Evron,
ge@linuxbox.org.

This item recently hit the news:
http://blogs.securiteam.com/index.php/archives/65

About how by listening to keyboard key strokes, one can re-build the original message typed.

I recently posted about this somewhere else.

Side channel attacks are not new. You can listen to the keyboard, cpu, hdd, etc. You can go with EM radiation. You can use a telescope to view through a window a reflection off a wall. All you have to do is Google.

But yes, side channel attacks are cool. Thing is, there are usually *much* easier ways of doing things.

A Trojan horse can also be considered a side-channel attack if we are talking encryption, which is exactly the difference between how crypto guys and security guys think.

If you ask a crypto guy what the best way of breaking RSA is, you’d get a complicated answer with if’s, maybe’s and math. If you ask a security guy (or in this case, me), I’d just say use a Trojan horse.

For crypto guys, once an algorithm is found weak it is no longer trusted and they try and develop new ones, which is good for their science. As security people the more vulnerabilities are found and fixed the more secure we feel (except for worrying that the coders suck and the holes will keep showing).

Back to side-channel attacks, try Googling for what Adi Shamir has to say on them. I love this subject. It’s way cool.

Jeremy Richards from ncircle recently posted the following links to a mailing list I am on, detailing just a few of the possible side-channel attacks out there:
1) Acoustic Cryptanalysis.

“Adi Shamir, Eran Tromer have done some remarkable research into a side
channel attack that is able to extract private RSA keys just by monitoring the
sound output of your computer!”

2) Power Analysis.

“DPA is a powerful tool that allows cryptanalysts to extract secret keys
and compromise the security of smart cards and other cryptographic devices
by analyzing their power consumption.”

3) LED Leakage.

“A previously unknown form of compromising emanations has been
discovered. LED status indicators on data communication equipment, under certain
conditions, are shown to carry a modulated optical signal that is significantly
correlated with information being processed by the device….Experiments show that
it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable.”

Try also Googling for TEMPEST for the classics.

Gadi Evron,
ge@linuxbox.org.

A post at Code Project brings to light the first case I have seen to making two binary version of two different pieces of software that while both have the same MD5, one is dubbed evil while the other is dubbed good.

The evil piece of software can do anything good or evil that the good piece of software doesn’t, while still having the same MD5 signature.

For the time being the resulting binary files require an extractor to “release” the piece of software embedded within it, but this is no big deal as most of software you download from the Internet comes packed and requires some sort of an extractor or running an installation program.

http://www.washtimes.com/national/20050921-102706-1524r.htm

The US put a satellite in space to help jam other satellites.

Naturally, technology such as this exists for many years now and out dates Information Warfare by a few years.

However, by putting active targeted weaponry in space, what’s next? Just because it is EM radiation does not mean it is not a weapon.

I believe that weapon development to counter satellites is going to become more and more in the spot light in the next few years.

From blinding spy satellites through disturbing ground communication all the way to (maybe) HERF and EMP.

It’s not all about missiles, however much Americans like them. One thing I do know is - if the Americans have them, soon China and the EU will as well if they don’t already.

Gadi Evron,
ge@linuxbox.org.