March 2009

If Cane Toads, why not computer viruses?

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)

File upload security recommendations

In my security career, I have always found file upload module to be one of the most favorite playground for hackers. There are many detailed documents mentioning the guidelines for following secure upload mechanism. Going through them will surely give you a sense of high level of insecurity in file upload module.

So jotted down points which I would take care or recommend for secure uploads.

Proper file type checks: Check for atleast basic parameters like filesize, mime-type etc and allow only a selected MIME type wherever possible. Make a white-list of file extensions to be allowed for upload. Try to keep away from executable files and scripts where possible. Set minimum and maximum file size for upload. This will prevent Dosing the webserver by uploading huge files and exhaust the storage space.
Random filenames and folder: Do not allow user input to specify the destination directory or file name of uploaded documents. Good practice is to rename the document to some random value and track them in your Database. In short guessing the name of the uploaded file should be made difficult for the attacker.

Upload Directory Security: Upload all files outside your web directory. Possibly separate the upload directory from application and system directories/drive. This can help mitigate issues related to resource exhaustion & directory traversal. Set proper folder permissions (chroot() ). Do not allow user to choose the upload folder. Avoid giving writable permissions to users. Instead webserver like apache can be given writable permissions while preventing users from RWX access on the upload folder.

Prevent users from directly accessing the files in the upload directory. Files can directly be stored on the server or other alternative would be to store the files as blobs in database instead. However blobbing for very large files can affect DB performance and also the malicious data if uploaded will be directly saved in database without validating.

Neutering the file like renaming it to some random value or XORing or compressing the file in some way so that the OS doesn’t interpret it as executable etc. will help increase the security barrier.

Anti Virus Scan: Scan the upload files for any virus or malicious content. You can even try out ModSecurity which has a feature for inspecting files on upload, which you can combine with some antivirus. The advantage is that you get to block the HTTP request before the file even gets into your system. Alternatively files can also be scanned immediately just after it is uploaded. Both are affective in their own way and can be adapted accordingly depending on their implementation challenges. Other content filtering techniques include icap or CVP which are worth a thought.

File name Validation: While allowing users to upload the files, we allow them to specify the name the files should be referred to. Application should validate these file names for any XSS attacks.

Uploading and saving uploaded sensitive documents in encrypted form: Sensitive data needs to be uploaded via SSL and saved on the server in encrypted form to protect against eavesdropping. The file can also be encrypted while uploading instead of doing so while saving on the server. There are different products which can help you do this like AspEncrypt etc.


Page tokens: Use unique tokens for upload forms. This can help mitigate the less known Cross-site File Upload Attacks. Thus the attacker cannot upload malicious or illegal content on victim’s account. And if the victim is a web-admin, attacker can help himself upload any malicious file to the directories which is otherwise restricted to other users.

Error page: Do not reveal too much info in the error page like the directory path etc which can help attacker in further attack. Use customized error page.

Proper verb: HTTP POST verb is preferred over HTTP PUT or GET verb as it is comparatively more secure.

ACL: Limit “upload module” access to required users or groups wherever possible.

Logging user activities: Log all activities of the user like in this case, IP of user, size of the file, directory to which file was uploaded etc. This is help us know if any attacks were made against your server and if they were successful.

The R(evolution) of Bug Hunters

Getting real money for computer security research is making its way from early development and ideas to mainstream, and bug hunters probably have mixed feelings, like teenagers. Its an interesting concept that might actually work. What will become of the vulnerability market when something like this becomes popular?

Either way, these guys are basically saying no more freeloading, Mr. Vendor.

Exploiting our security models?

I’m sitting in CanSecWest.  We’ve just had a talk on platform-independent static binary code analysis.  (It isn’t really platform independent: just translating from specific instruction sets.  Not that it isn’t cool: REIL is a sort of RISC version of an assembly version of pseudocode.)  The presentation, and what they’ve done so far, is fairly abstract.  They are approaching the analysis with a type of Turing machine, and, with a sort of lattice-based state machine model, hoping that the transforms they can see with their model, are close enough to what the actual program will do in an actual machine in order to tell you if there is teh possibility of a bug or an exploit.

So, it’s kind of complex.  We are applying some highly abstract, theoretical stuff, pretty directly to the real world.

Now, in the abstract world, it’s been more than 25 years since Fred Cohen proved that this type of thing will never completely work.  Either you are going to get an infinite number of false positives (false alarms, where you spend time chasing down problems that aren’t problems), or an infinite number of false negatives (which is our current situation with security: our tools aren’t telling us about the problems that do exist), or both.

(One of the authors responded to this point that he chose to err on the side of false positives.  A reasonable position if you are doing research.)

However, this system is so complex that it got me thinking: they are hoping that the model and transforms they have put together is close enough to reality that it will give them useful results and help, but they really don’t know.  What if we are now to the point where our security tools and models, themselves, have gaps that can hide problems, and be exploited?

(There was a reason the original security models were so simple …)

uCon Security Conference 2009

uCon Security Conference 2009 materials have been released!

Advanced SQL Injection Slides  
Hacking PDF Readers Slides  
Intro to Windows Kernel Security Development Slides  
From theory to practice: Bringing down the house with EXTENDED DHCP Exhausting Attack Slides  
Practical (Introduction to) Reverse Engineering Slides  
Secure Log Centralization, Analysis & Security Visualization Slides  
Ut cognitione visus: ut ipso intellecto – BinNavi v2 Slides  
GSM For Fun and Profit Slides  
Dispelling the myths and discussing the facts of global cyber-warfare Slides  
Advanced Payload Strategies: What is new, what works and what is hoax? Slides

Carder spam or not?

I received this email today:

Good morning!

I inform you about site where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely
exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked, why would someone allow such a site to still be up even though someone reported it to the FBI. I had to do something.

Rushing to the rescue I looked at the site and it appears to be a pretty straight forward scam-sell site, you come there and buy stolen goods.

Why have I been notified only now I wondered… I looked back in my spam log and what do you know the same email appears more than once in my spam folder with different names, dates and of course email addresses :)

I am not sure what the scam/spam’s purpose is, apparently they want you to go to their site and see what they have to offer – you might be a potential customer to their operation.

I of course didn’t dig in to the site, nor am I interested in buying anything found there – on the other hand I will also not report this to the FBI as the site is not hosted inside the United States (It is hosted in Russia), nor is its domain under a US registrar (ends with a SU).

Whoever knows of a place to report such sites to please let me (us) know.

Everything new is old again – vulnerability management

Yes, we have to know, and assess, and analyze, and manage, vulnerabilities.  Yes, it is a complicated task.  So now this is the next big thing, is it?

Well, when you look at it, it is the same task we have always had to do under the name “risk management.”  Except that it is in a smaller compass and more limited extent and application.  Nothing particularly wrong with concentrating on one aspect at a time–as long as you realize that is what you are doing.  Not thinking that you are somehow seeing something new.