Web related security entries. Anything that has to do with PHP/ASP/JSP, including Apache, IIS, Macromedia flash, etc.

Fuzzing Samsung Kies

Android fuzzing is always fun – seems that whenever we fuzz an android app it crashes within seconds.

Samsung Kies was no different. With the help of the talented Juan Yacubian (who built the Kies module in no time) we launched beSTORM against Kies… And saw it crash in record 23 seconds (just over 1,100 attack combinations).

Next on the agenda: install gdb for Android and build the proper payload.

Samsung Kies Crash


REVIEW: “The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski

BKTNGWEB.RVW   20121207

“The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
%A   Michael Zalewski
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2012
%G   978-1-59327-388-0 1-59327-388-6
%I   No Starch Press
%O   U$49.95/C$52.95 415-863-9900 fax 415-863-9950 info@nostarch.com
%O  http://www.amazon.com/exec/obidos/ASIN/1593273886/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/1593273886/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   299 p.
%T   “The Tangled Web: A Guide to Securing Modern Web Applications”

In the preface, the author dismisses security experts as academic, ineffectually worried, and unaware of the importance of the Web.  (Zalewski makes reference to a “confused deputy problem” being “regularly” referred to in academic security literature.  I’ve never heard of it.)  He blames them for the current insecure state of Web applications.  I suspect this is a bit unfair, given the “citizen programmer” status of huge numbers of Web projects, and the time and feature pressure this places on the rest.  It is unfortunate that some security specialists have not regarded the Web as significant, but it is critical that most security specialist don’t know how to program, and most programmers don’t care anything about security.

He also says the book is about repentance, and a step towards normalcy.  (Normalcy is not defined.

Chapter one is an introduction, both to information security, and to Web application development.  Starting off by misattributing one of Gene Spafford’s quotes, the author complains about any and all attempts to structure or define security.  (Rather inconsistently, while he derides taxonomies, he does recommend designing systems so as to deal with “classes” of bugs.  The difference between a class and a taxon is not explained.)

Part one outlines the principal concepts of the Web.  Chapter two starts us off with the URL (Uniform Resource Locator), noting some of the problems with different types of encoding.  From this point in the book, each chapter concludes with a “Security Engineering Cheat Sheet,” listing potential problems, and suggesting broad approaches (without details) to dealing with those issues.  HTTP (the HyperText Transfer Protocol) is the subject of chapter three, primarily concerning the handling of user data.  (Since the author is fond of quotes, I’ll give him one from Tony Buckland, several years before the invention of the Web: “The client interface is the boundary of trustworthiness.”)  Chapters four to eight cover HTML (HyperText Markup Language), CSS (Cascading Style Sheets), browser scripting (concentrating exclusively on JavaScript), non-HTML data (mostly XML), and plug-ins.

Part two turns to browser security features.  Chapter nine talks about isolating content, so that different sites or documents don’t interfere with each other.  Determining where and to whom a page belongs is addressed in chapter ten.  Chapter eleven expands the details of problems caused by allowing disparate documents to interact.  Other security boundaries, such as local storage, networks, ports, and cookies, are reviewed in chapter twelve.  Recognizing content, when the “Content-Type” description may be problematic, is in chapter thirteen.  Chapter fourteen suggests ways to deal with malicious scripts.  Specifically setting or raising permissions is discussed in chapter fifteen.

Part three looks ahead to Web application security issues as they may develop in the future.  New and coming security features are noted in chapters sixteen and seventeen.  Chapter eighteen reviews the all-too-common Web vulnerabilities (such as cross-site scripting and “Referer” leakage).

Absent the complaints about the rest of the security field, this is a decent and technical guide to problems which should be considered for any Web application project.  It’s not a cookbook, but provides solid advice for designers and developers.

copyright, Robert M. Slade   2013   BKTNGWEB.RVW   20121207

Nopcon 2013 is here

Douglas Adams is still right: No language has the phrase “As pretty as an airport”. But in my humble opinion, airports have come a long way in the last 10 years. Or maybe my expectations have become so low, I can’t be disappointed. Either way, it seems to me going through an airport isn’t as bad or boring or inconvenient as it used to be.
I’m not just talking about the East-Asian airports (Hong Kong, Seoul, Singapore) which have always been stellar. Even the infamous American airports are newer, and more convenient.

I’m giving you this airport cheer-leading chant because if you live in Europe, you should go and check out how much your airport has improved since you’ve last seen it. Then, take a flight to Istanbul. Not just because Istanbul is one of the nicest cities in Europe but also because Nopcon is taking place June 6, and has some very interesting and incredibly original speaker lineup: Moti Joseph, Nikita Tarakanov, Gökhan Alkan, Svetlana Gaivoronski, Canberk Bolat and Ahmet Cihan (aka Hurby). Nice!

More info here: http://www.nopcon.org/

S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:

Why can’t my laptop figure out what time zone I’m in, like my cell phone does?

We got new cell phones (mobiles, for you non-North Americans) recently.  In the time since we last bought phones they have added lots of new features, like texting, cameras, email and Google Maps.

This, plus the fact that I am away on a trip right now, and Gloria has to calculate what time it is for me when we communicate (exacerbated by the fact that I never change the time zone on the laptops to local time), prompted her to ask the question above.  (She knows that I have an NTP client that updates the time on a regular basis.  She’s even got the associated clocks, on her desktop, in pink.)

Cell phones, of course, have to know where they are (or, at least, the cellular system has to know where they are) very precisely, so they can be told, by the nearest cell tower, what time it is (or, at least, what time it is for that tower).

Computers, however, have no way of knowing where they are, I explained.  And then realized that I had made an untrue statement.

Computers can find out (or somebody can find out) where a specific computer is when they are on the net.  (And you have to be on the net to get time updates.)  Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways.  So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, if it is possible, then, in these days of open source, surely someone has done it.  Except that a quick couple of checks (with AltaVista and Google) didn’t find anything like that.  There does seem to be some interest:


and there seems to be an app for an Android phone:


(which seems silly since you can already get that from the phone side), but I couldn’t find an actual client or system for a computer or laptop.

So, any suggestions?

Or, anybody interested in a project?

Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly  @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …

What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now lets see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to login he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lock outs not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.


SMS Apple (malware) spam on Bell Mobility (Canada)

SMS spam on Bell seems to have suddenly jumped.  On Tuesday, both Gloria and I got spam saying we had won something from Apple.  Today, we both got similar spam.

Today’s message came “from” 240-393-8527.  It asked us to visit hxxp://www.apple.com.ca.llhf.net [1]

Neither F-Secure nor VirusTotal had anything to say about it, but it is safe to assume that the site is dangerous.  Avast now blocks it.

In trying to contact Bell about this, I noted that Bell’s Website “contact” page lists a “Chat with us” function that simply does nothing if agents are busy, and no means of contacing Bell via email.  “How to escalate a complaint” returns the same page, with the same lack of response from the agent button.  When I finally did reach an agent, “he” was pretty clueless about the whole situation.  I strongly suspected “he” was a rather simplistic program.

Having Given the agent the information above, his response was to ask “Samuel: I understand. Have you registered under apple newsletter list?”  He then asked for my name and phone number (which I had previously given him at the beginning of the session), and then told me “Samuel: I unfortunately cannot unsubscribe that spam for you from here as I see in your account.”  He offered to cut the SMS/texting function on my account.

That’s it.  That’s the only solution.  Bell doesn’t have any spam filtering on SMS, even when the spam is as obvious, egregious, and malicious as this one.  (Yes, they do have a spam filtering option, if you want to pay them an extra $5 per month.  Given the quality of support, I think I’ll give that a miss.)

[1] Note that this isn’t apple.com, the trailing “domains” override that.  This domain is listed to:

Domain Name ………………… llhf.net
Name Server ………………… ns5.myhostadmin.net
Registrant Name …………….. jun wang
Registrant Organization ……… wang jun
Registrant Address ………….. shang hai shi xu hui qu
Registrant City …………….. shang hai
Registrant Province/State ……. SH
Registrant Postal Code ………. 200087
Registrant Country Code ……… cn
Registrant Phone Number ……… 02178861511
Registrant Fax ……………… 02178861511
Registrant Email ……………. yaobing349@hotmail.com