Web related security entries. Anything that has to do with PHP/ASP/JSP, including Apache, IIS, Macromedia flash, etc.

Simple passwords are the solution

ZDNet has a nice piece on why cheap GPU’s are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, since the need for /etc/shadow) but they missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible. We know how to do that, we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if you only get very few tries).

It’s not just cheap GPUs. Complex passwords are also the problem. Simple passwords are the solution.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

World’s first “Decode the Race car” Challenge!!

So I haven’t written for a while, and that’s mainly because setting up your own security consultancy takes a lot more time that I would have imagined, but hey, it’s been a fun ride so far.

So while everyone else is off writing about Sony, I figured that I’d lighten the mood here with something that I think is such a great idea. The guys at Secure Racing have a challenge coming up, which sounds like it’s going to be great fun, and it’s such a novel idea as well.

So taken directly from the Secure Racing website, here is all the information about the challenge coming up on the 19th June at Brands Hatch.

“Secure Racing, the Information Security industry’s motorsport team, has laid down a challenge to anyone with a flair for code-breaking or a passion for cryptography.

At the team’s first race on 19th June at the Brands Hatch circuit in Kent, the Secure Racing Aston Martin will feature a hidden coded message somewhere within its livery and decals. The question is – can you find it and decipher it?
This is the first time a motorsport team anywhere in the world has offered a competition like this on their car. Developed by the Threats and Vulnerabilities Team at PWC, it forms the basis of a competition for anyone who wants to test their mettle and win fantastic prizes. Anyone can enter.

One week after the race, one winner and nine runners up will be drawn at random from the first 100 correct answers that we receive. Later this year, the lucky winner will get to jump in the Secure Racing Aston Martin Vantage GT4 to experience the exhilarating speed of getting around a circuit alongside a professional race driver. The winner will also get tickets to join the team at the Silverstone British GT Championship round and, along with the nine runners up, they will also receive complimentary membership to the Secure Racing members club – the details of which will be announced on race day.
Anyone who attends the Brands Hatch race on 19th June will have a chance to get up close and personal with our Aston and therefore have the best chance of spotting and cracking the code. For those that can’t make it, we will be posting pictures of the car on our website a couple of days after the race so you can take part.
Those who find and crack our code should email their answer to richard.moss@secureracing.co.uk
Ladies and gentlemen – the fun begins here. Start your engines, the Secure Racing story is about to begin.
Discounted admission tickets available exclusively for Secure Racing fans at: www.motorsportvision.co.uk/secracing

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

The MSRC – now and then

It’s amazing to compare how the Microsoft Security Response Center handles vulnerability disclosures versus how things were just 10 or 12 short years ago.

Here’s a typical disclosure process 10 years ago (based on a very true story):

Us: (sending an email to secure@microsoft.com) we’ve discovered a vulnerability in an office product. Here are the technical details. Can you confirm the issue and let us know when it’s patched?
Microsoft: Thanks for reporting, bla bla, we’ll get back to you soon

[about a week passes]

Us: Hi MSRC, any news about our office vulnerability?
[no reply]
[Sending a personal email to an MSRC friend to speed things up]
Microsoft: Oh, thanks for reminding us. We’ll check with the office team

[another few days pass]

Us: Hello? Anybody there?
Microsoft: Oh, yes. That vulnerability thing. Here’s what we decided: (a) It’s not a vulnerability. (b) it’s not a problem with the office product but with the world (or the RFC) (c) The office team can’t recreate it (d) even if the vulnerability was real, it wouldn’t be exploited in real world scenarios
Us: are you kidding us? Did you actually look at the sample code we gave you?
[a few days pass. We are pondering if to go complete full disclosure or give them time to digest]

Microsoft: Ok, this time we actually read your advisory and yes, it seems to work. But it’s just a denial of service. Nobody will ever exploit it because of … [something that heap spraying/DEP bypass/code mutation made look ridiculous about a year later]
Us: [starting the get mad] look guys. We sent you PoC code. You actually want us to write an exploit code for you?
Microsoft: yes, that would help convince our developers

[Us, spending time writing code so that Microsoft is convinced to fix their own products based on free information while wasting our precious time]

Us: here it is
Microsoft: oh, wow, it really does run code. Ok, we’ll fix it in the next release cycle which should be right after the democratic primaries of 2012.

Us: Ok, forget it. We’re going full disclosure

Microsoft: no, wait wait wait. We found your name on the world wide web and now realize you’re legit. Ok, we’ll fix it. Happy now? We might even mention your name in our advisory if/when that happens.

If it sounds familiar, that means you were disclosing vulnerabilities to vendors in the early 2000’s or late 1990’s. If you think I’m exaggerating, it’s only because you didn’t.

But here’s the amazing thing. Just a few years later, some radical changes started to happen. The big dysfunctional dinosaur that was MSRC became an efficient, friendly and if I didn’t know it, I would think it’s a different company altogether. Here’s a real recent discussion:

Us: Hello MSRC, here’s information about an office vulnerability
Microsoft: Hi, thanks for reporting. I checked the information, went over the sample code and have some technical questions [some intelligent questions here, basically they are doubting the findings but being really careful to check all the angles first]

[technical discussion continues for a couple of days with questions and answers going back and forth]

Microsoft: Ok, we get the picture now. Thanks for reporting. Here’s the guy that is going to be responsible for your case.
[a few days pass]
Microsoft: Ok, we now know it’s a […] vulnerability and not a […] one. We’ll pass it to the relevant team, just wanted to keep you posted
[further proactive updates and niceties continue until disclosure time. Credits, the end.]

What could have possibly caused this radical change that made MSRC focus on the technical side instead of the PR, not to mention being so research-friendly? New team? New procedures? Full disclosure forced them to see the truth? Too many beers at defcon finally showed them the light? Whatever they are taking, I wish they could spread some around. Most of the other vendors could use that. Yes, I’m looking at you Google.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

The decline of credit cards

At the BC ISMS User Group meeting last week we were concentrating on the relationship between the ISO 27000 family of standards, and the PCI-DSS (Payment Card Industry Data Security Standards, usually just known as PCI).  PCI-DSS is of growing concern for pretty much anyone who does online retail commerce (and, come to that, anyone who does any kind of commerce that involves any use of a credit card).

It kind of crystalized some ideas that I’ve been mulling over recently.

Over the past year or so, I’ve been examining some situations for small charitable organizations, as well as some small businesses.  Many would like to sell subscriptions, raffle tickets, accept donations, or sell small, specialty items over the net.  However, I’ve had to consistently advise them that they do not want to get involved with PCI: it’s way too much work for a small company.  At the same time, most small Web hosting providers don’t want to get involved in that, either.

The unintended end result consequence of PCI is that small entities simply cannot afford to be involved with credit cards anymore.  (It’s kind of too bad that, a decade ago, MasterCard and Visa got within about a month of releasing SET [Secure Electronic Transactions] and then quit.  It probably would have been perfect for this situation.)

Somewhat ironically, PCI means a big boost in business for PayPal.  It’s fairly easy to get a PayPal account, and then PayPal can accept credit cards (and handle the PCI compliance), and then the small retailer can get paid through a PayPal account.  So far PayPal has not created anything like PCI for its users (which is, again, rather ironic given the much wilder environment in which it operates, and the enormous effort phishing spammers make in trying to access PayPal accounts.)  (The PayPal Website is long on assurances in terms of how PayPal secures information, and very short on details.)

This is not to say that credit cards are dead.  After all, most PayPal purchases will actually be made with credit cards: it’s just that PayPal will handle the actual credit card transaction.  Even radical new technologies for mobile payments tend to be nothing more that credit card chips embedded in something else.

These musings, though, did give a bit more urgency to an article on F-commerce: the fact that a lot of commercial and retail activity is starting to happen on Facebook.  Online retail transactions aren’t new.  They aren’t even new in terms of social networks or a type of currency created within an online system.  Online game systems have been dealing with the issue for some time, and blackhats have been stealing such credits and even using them to launder money for a number of years now.  However, the sheer size of Facebook (third largest “national population” in the world), and the fact that that entire population is (by selection) quite affluent means that the new Facebook credit currency may very quickly balloon to an enormous size in relation to other currencies.  (We will leave aside, for the moment, the fact that I personally consider Facebook to be tremendously divisive to the Internet as a whole.  And that Facebook does not have the best record in terms of security and privacy.)  Creation of wealth, ex nihilo, on a very, very large scale.  What are the implications of that?

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Unreal reality

When I was a teenager, back when dinosaurs ruled the earth, and Disneyland was the only Disney amusement park, I was taken to said theme park for the first time.  I was immediately struck by the total artificiality of the place, and the fact the everybody wanted it to be so.  For some reason I could not get the idea out of my mind, that if you dug a pit, entrenching sharpened stakes on the floor of it, and put ropes up to manage the line, people would line up and jump in.

I was forcibly reminded of this by a story about the coverage of the Japanese quake and tsunami, and the use of smartphones and social media to document the event and disseminate the information as never before.  We are used to “reality” television which is completely unreal, and an unusual reality strikes us as fantastic.

And I’d like to reiterate my advice to prepare for the next disaster: get trained in emergency management and response.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

CanSecWest, chrome 0-days, breaking the Blackberry fortress

CanSecWest was fun, met a lot of people researchers, consultants and customers. Lot of them came to hear good quality lectures and I believe they have found them.

Quite a few came to see the buzz around Pwn2Own and I don’t think they could have missed the shouts of victory and the press eagerly interviewing them after their triumphant wins. I also had a chance to meet a few of our SSD researchers which shared some thoughts on the Pwn2Own even highligting the fact that 15K isn’t that much anymore for a IE8 vulnerability that can bunk its protected mode, or get you elevated privileges on the Chrome browser – I have to agree on that. This probably means there are a few chrome 0-days out there, but they are simply being sold for larger amounts of money.
Also got a chance to talk to a few of the mobile researchers that were quite impressed with the BlackBerry find, highlighting how ground breaking that was, as being the first publicly done and documented breach into the BlackBerry “fortress” – I am not sure if it is in fact the first one but it was impressive none-the-less.

For all those that came and talked to us in our booth about the SecuriTeam Secure Disclosure, just in case you didn’t write it down, the way to reach our program is by emailing SSD@beyondsecurity.com, we also offer our existing researchers a 1,000 USD bring-a-friend offer – if you need more details email me.



    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

New computers – Mac (operations and video)

The review of the Mac functions in my little book is sometimes annoying in terms of the jargon used: does “go straight to the corresponding window” mean that the window becomes active, or comes to the foreground? Does it open a window if it doesn’t exist? Does it relate to programs, or just folders? You need to work through the material with the book in one hand, and the Mac under the other. (This process is not aided by inconsistencies in the operation of the Mac itself. As I was working through this content I tried to create a new document from within the TextEdit program, and found that I did not have any options to create a file in any of the new folders I had established previously. Later in the chapter there was mention of dragging folders to the Dock, and so I tried that to see whether it would allow me to use that folder. Lo and behold, now I could create files in any of the new folders I had made, not just the one I dragged to the Dock. Handy for my purposes, but not very informative in terms of why it worked that way.)

(More inconsistency: hiding the Finder behaves differently from other applications. And hiding used with Expose can give you some very … interesting effects. So far I have not had the nerve to play with hiding, Expose, and Spaces all at the same time.)

One of the constant claims made by Mac devotees is that the Mac is better at media. Well, over the past couple of weeks we’ve had occasion to try and watch a couple of TV shows over the Internet. (Once we just forgot: once the cable went out in the middle of the show.) Since the current desktop is seven years old, I figured that the Mac should be given a chance to prove its worth and strut its stuff. We watched one show on the desktop, and one on the Mac.

Mac: total FAIL. Choked, gasped, stopped for no apparent reason (no, it wasn’t the net feed dying: it skipped a bunch of the show, and went to the next series of ads), would not respond to commands, and overall a general lack of “good viewing experience.” The old desktop was grinding away with the fan running full out most of the time, but at least it played the show all the way through.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Shut off switches and unicorns

Commentators are now agreeing with what I wrote two weeks ago. It’s now clear there is simply no way to effectively shut down the Internet.

Typically, this is where the skynet references come in, except that this version of skynet is not a computer brain, it’s the sum of you and me and the other human users. The People’s republic of the Internet, if you will.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.