Holy anti-feature, batman

I had the opportunity to attend at talk by Mark Russinovich, of Sysinternals fame, during last week’s Trustworthy Computing Conference.  The topic of the talk was about security boundaries in Windows, and more specifically, what is not a security boundary.  The talk was very interesting, and I don’t want to reveal too much here, but there was one part of it that stuck with me and has been bothering me for a little while now.  One of the technologies he addressed was Patchguard, or Kernel Patch Protection, which was introduced in 64-bit Vista and Server 2008.  Patchguard is intended to keep programs from patching, hooking, or otherwise tampering with the internals of the NT kernel.  It does this by periodically taking a checksum of some important structures in the kernel (SSDT, interrupt table, HAL tables, etc) and comparing the current value with the previous one.  Any discrepancy here will indicate that the kernel has been subverted.  If it notices any changes to these structures, it throws an exception which throws a blue screen error.  Sounds good, right?  Sounds like a great new security feature, no more rootkits!  Well, not really.  The truth is, KPP really does nothing to stop malicious code, and in fact, is pretty useless in doing so.  Mark revealed in his talk, that that was never the intention of KPP, but rather, it was conceived as a way to force legitimate developers to stop using these techniques in their own programs.  See, most anti-virus and security products will use some level of system hooking in order to get a good view of activity.  In fact, one of Mark’s very own tools, RegMon, hook’s the SSDT to watch registry activity.  He even wrote a publication about the technique!  The problem with kernel hooking is that it is entirely unsupported and significantly reduces stability.

So here’s what I don’t understand.  Microsoft has recognized that system hooking leads to instability.  They’ve decided that programmers aren’t good enough to extend a kernel function safely without throwing a blue screen exception, so now they’re not going to allow us to hook certain system structures (pfft, allow is a funny thought).  But, instead of actually fixing the gaping holes in their system, they’re going to simply watch for system hooking, and then guarantee that the system will crash, by causing the crash.  Oh yeh, and they are going to blame it on the developer.  It’s like a car company deciding that talking on your cell phone while driving is dangerous, so they’re going to create a system that detects if you’re on the phone and then drives the car off the road for you.  That will show you! 

I just don’t understand this anti-feature.  There are plenty of legitimate reasons for hook these system functions, and it can be done safely.  I know it can because Mark has done it, and I’ve done it.  If you don’t want developers to subvert the kernel, then provide a complete API that we can use to extend and monitor the system, and fix the problems with your system that allows someone to take write-protected virtual memory, map it to physical memory, strip all the restrictions off of it, and send it back patched.  Don’t just come behind perfectly valid code, throw an exception and blame it on us. 

Safari Carpet Bomb (Update)

I love being right.  Remember the Safari carpet bomb I posted about back in April?  Remember how Apple said it wasn’t a “security concern” and I scolded them for it?  Well, now it’s got interesting.  Apparently there is a known flaw in Internet Explorer that allows a website to execute any program on the user’s desktop without their consent.  Normally, this flaw isn’t as much of a concern because all new executables downloaded (by anything but Safari) get marked with an alternate data stream tag that indicates that is from the Internet Zone.  Any time an application with this tag is opened, the user is prompted and the action must be explicitly allowed.  Now when we include Safari’s carpet bombing technique that downloads an exe without notification or ADS marking, then this IE flaw becomes a critical security concern.  This is a great example of what is called a blended threat.  Two seemingly innocuous bugs combine to create a gaping security hole.  The IE team was not concerned with their bug because there was no way to get an unmarked exe onto the desktop without the user knowing, and the Safari team wasn’t concerned with their’s because you couldn’t execute the exes that it downloaded automatically.

So yeh, here’s the MS Security Advisory. 

Vista’s Despised UAC Nails Rootkits

PC World – Business Center: Vista’s Despised UAC Nails Rootkits, Tests Find

PCWorld has a story about test conducted AV-Test.org that was supposed to rate the most popular anti-virus products ability to detect rootkits.  For people that don’t know, a rootkit is a program that takes complete control of a system, and tries to hide itself deep within the operating system.  They are notoriously difficult to detect once they are installed.  The most interesting result from this test wasn’t necessarily the results about which product detected what, but the revelation that Vista’s security framework, specifically User Access Control (UAC) was really effective at preventing rootkit infection.  The test took 30 rootkits written for Windows XP and tested various anti-malware and anti-rootkit suites.  Some of them scored fairly well, but none were perfect.  Of the 30 XP rootkits, only 6 would actually run on Vista, and in order to get them to run UAC had to be disabled.  This means that UAC has significantly raised the bar of entry for rootkits on Windows.  This shouldn’t really come as a surprise to anyone familiarly with this area, but there seems to be a lot of loud mouths shouting that UAC is worthless and should be disabled.  I have an anecdote that tells a different story.

The last product that I worked on was essentially a rootkit.  It was a component of a broader intrusion detection system which needed real-time information about what was going on in the system.  We wrote a simple device driver that intercepted all events within the kernel and logged them out to a database.  This means that every file, registry key, key pressed, port opened, etc, was visible to this program and logged.  We originally wrote it to work on XP, and an application to install it as a service, which involved a couple of calls to the Service Controller to install it.  If the user was running with an Administrator account (which everyone in XP does) then the driver would be loaded completely invisibly.  That means that any program that you have ever installed could very easily be spying on everything you, or any other user on your machine does.  I say it could be “very easily” doing this, not because the code is particularly easy to write, but that the Internet is absolutely littered with rootkit code, especially the .cn domain.  A little while ago we decided to update our driver to work under Vista.  Since rootkits are essentially an extension of the operating system, they become very dependent on certain structures and features of an OS and tend to only work under that version.  So we had to change the code a little bit to get it to run, but for the most part, it was the same program.  The only real difference between the two version was that on Vista, even if the user is logged in as Administrator, the installation of the service would fail if it wasn’t elevated with a UAC prompt.  Privileges in Windows works with tokens; each user and group has a token, there is a system level administrator token, etc.  When a program starts, it is given the token of the user, and is run with what ever permissions that the user has.  So, users of the Administrator group in XP would pass along Administrator, or system level, permissions to any applications.  The difference between XP and Vista, is that when a user is in the Administrators group their token in Vista is not a complete system access token.  For an application to receive system level access, it must be spawned by a system level user group (SYSTEM, LOCAL SERVICE, etc) or being elevated by an administrator with a UAC prompt.  This prompt assures that the user behind the keyboard is aware that they are giving this application complete access to the system.  Sure, it can get a little annoying from time to time, but I’d rather have a prompt alerting me every so often as opposed to a rootkit silently being installed.

Safari Carpet Bomb

When you’re writing a web browser, every bug should be considered a security issue.  Even if the bug seems simple and inconsequential, chances are someone will try to exploit it to harm users.  Nitesh Dhanjani over at ONLamp has a post about three different bugs he has found in Apple’s Safari web browser.  Now, to be clear, I’m not deriding Apple for having bugs in Safari.  These types of programs are very complicated and never bug free.  What I find troubling is their response to the submission.  Nitesh says that he submitted all three bugs that he found to Apple, and they responded by saying that they don’t consider two of the bugs a security related issue at this time.  I must object loudly to this.  Here is the bug:

It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

That means that any website can download anything and the user isn’t even notified or asked.  How is this not a security issue?  A large amount of malware relies on getting an executable onto a machine, and then convincing a user to run on it.  How about dropping a worm named Safari.exe, or Word.exe onto someone’s desktop, and the next time they go to open it they infect their machine.  Nitesh demonstrates this bug by littering the users desktop with tons of unwanted files.  While this is annoying, it’s fairly pointless and obvious.  If you think like an attacker for a minute you can come up with more sneaky and nefarious ways to use this hole.  I can’t seem to understand why Apple’s security team doesn’t recognize this as a security concern.  I mean, it’s sort of their job to look at every bug and see how it can be exploited to cause harm.  Nitesh also wanted to congratulate the team on their communication:

Before I get to the details, I want to make it extremely clear that the Apple security team has been a pleasure to communicate with. I sent them a couple of emails asking for clarifications, and they responded quickly and courteously every time

That’s wonderful that they’re talkative, but shouldn’t it bother you that they are dangerously wrong?

Safari Carpet Bomb – O’Reilly ONLamp Blog

Unaccountable Authority

I have a problem with certificate authorities.  I hate that most people have no idea what they are even though they deal with them every time they browse the web.  Show of hands, does anyone understand what these dialogs are talking about?

  

  

I’m going to venture a guess that not many people raised their hands.  So you’re all told to look for certain visual cues when browsing sensitive sites (banking, etc) but I’m sure no one ever told you what they mean or why they’re necessary.  I’m about to tell you why it is all utterly stupid.

SSL

This all pertains to sites which deal with sensitive information, like your bank’s website, or any log in screen.  The goal is to establish a unique encryption session between your computer and the server, so that eavesdroppers aren’t able to steal your valuable information as it gets sent along the line.  This is accomplished by using the Secure Socket Layer (SSL) protocol.  SSL uses public-key cryptography to securely establish a session (symmetric) key that is used to protect the subsequent data.  This is how it works:

• Client (you and your browser) connects to a server over https:// (port 443)
• Server sends you it’s public certificate – This certificate contains the server’s public key .
• Client generates a random number, encrypts it with the server’s certificate and sends it - This number is the premaster key
• Server takes the premaster key along with some other random numbers that were exchanged and generates the session key

Now that you and the server have agreed on the same key all the data sent from this point forward will be encrypted.

So, some questions should come to mind:

Can’t someone eavesdrop on the key creation and thus obtain the session key?
    No.  The session key is made up of three random numbers hashed together, two of which will be available to an eavesdropper, and the third (the premaster key) will be encrypted with the server’s public key, so that only you and the server know what it is.

How can I trust the server’s certificate?
   Well, each certificate is signed by a certificate authority.

What’s a certificate authority?
   It’s a company that signs certificates.  You see, a website will generate a public/private key pair and then send out a Certificate Signing Request (CSR) out to a CA who will take the public key and attach a digital signature to it and return it to the site.  Now the website can distribute this signed certificate so it can’t be faked.  When a browser receives a certificate, it verifies that the certificate has been signed by one of it’s trusted CAs

So, where do I get a trusted CA certificate?
   Chances are, you already have them.  Your computer, web browser, and java VM  all ship with root trusted authority certificates in their respective certificate stores.

Wait, who are these CA’s again? 
   Here is a list that I found googling: Catsdeep FreeSSL, Comodo, Digicert, Digi-Sign, Digital Signature Trust Co., Ebizid, Enterprise SSL, GeoTrust, GlobalSign, LiteSSL, Network Solutions, Pink Roccade PKI, ProntoSSL , QualitySSL, Rapid SSL, Real digital certificates, Secure SSL, SimpleAuthority, SSL Certificate Management Site, SSL.com, Thawte Digital Certificates, The USERTRUST Network, Verisign, XRamp Security

That’s a pretty big list full of companies I’ve never heard of.  Why should I trust them?
   Well, they’re big companies, with a lot of money invested in this.  Plus, how can you not trust them, with names like those, they must be secure!

In all seriousness, that last question is exactly the problem I have with certificate authorities. We have absolutely no reason to trust them.  Worse than that fact though is that nobody understands just how much trust we are placing in these companies.  We are taught as users to not be bothered with all of the magic that is going on between the browser, the ca, and the server, and to just assume that if there is a lock on the corner of your screen than you are safe and everything is good.  This gives the CA a level of unaccountable authority because not only are we incapable of noticing any wrong doing on their part, we are completely ignorant of their existence!  It’s a wonder scenarios like this aren’t more prevalent:

http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

For those that don’t like to click on links, this is a security bulletin about Erroneous VeriSign-Issued Digital Certificates that attackers are using to sign invalid certificates.

The certificate authority is the main point of failure in the X509 and SSL system.  I can’t for the life of me understand why any person in the field of security could conclude that giving a single company that much authority over an entire protocol is a good idea.  They build these massively complicated, mathematically intense systems for protection, and then leave it open to a single entity for trust.

I wrote this post under that assumption that most users don’t know what a certificate authority is, or even vaguely what is happening during a secure connection.  I feel like this illustrates a failure in the security community, much more so than in the individual user.  We walk a fine line in the computer security field, constantly afraid that if we require the slightest bit of effort from a user than they are not going to use the technology.  That’s all understandable, but if you go so far as to completely remove them from the process you leave them incapable of protecting themselves and fill them with a false sense of security.  By not even being aware of the most essential component in SSL security, it is impossible for anyone to know what to do if there is a failure somewhere along the line.  If the connection gets attacked, the protocol will rightly fail and the user will be presented with a choice; proceed anyway, or stop.  How is the user supposed to make the correct decision here?

To illustrate this point, I want to see some comments.  Answer this question:  what do you do when you encounter a website with an invalid certificate?  Do you just click ok and view the site anyway?

Zero-Knowledge Proofs

I think I’m going to make Sundays “Learn About Cryptology Day”.  Here’s the first installment: Zero-Knowledge Proofs.  ZKP is an interactive process in which one party can prove that they know a secret without revealing any information about that secret.  In doing this, a ZKP must satisfy three criteria:

1. Must be complete in the sense that if a person follows the protocol and passes then they have successfully proved that they are honest (within reasonable probability)
2. Must be sound such that a dishonest party cannot fool anyone (within reasonable probability)
3. Must be zero-knowledge meaning it cannot reveal any information about the secret, thus a dishonest party cannot learn anything while faking the process.

Cave Example

To demonstrate a hypothetical system I need to introduce some characters.  ZKPs are usually a two party systems, there is a prover (Peggy) whose goal is to convince a verifier (Victor) something.  In this example, Peggy will know a secret that opens a door in a cave.  The cave is circular and there is a door on the far end that blocks the path.

Victor would like to purchase this password from Peggy, but he  doesn’t want to give her any money until he is convinced that she knows the password.  Peggy is not about to tell him anything about the password since that would devalue it.  Together, they devise a system that will convince Victor that Peggy knows the password but satisfy Peggy’s need to secrecy.

Peggy enters the cave by selecting a path, A or B, at random.  Victor does not know which direction she chose.  Once Peggy is beyond the bend, Victor enters the front of the cave, picks a direction, A or B, and shouts it to Peggy.  She must exit the cave in this direction.  If she has to pass the door to do this, then she must unlock the door with the password.  There is a probability of 0.5 that Victor will chose the path that Peggy entered and she can simply turn around an leave.  This at first might seem like it ruins the whole procedure, but consider the probability of Peggy successfully anticipating Victor’s request say, 100 times (0.5^100 = 7.8×10^-31).  The chances of this happening are sufficiently low to be considered within reasonable probability.  The protocol is shown below (images from Wikipedia)

NP Problems

A more realistic implementation of ZKP is done with NP-complete problems.  NP-complete problems are a set of problems that are computationally difficult to solve, but easy to verify given then question and the solution.  They are a subset of NP (Non-deterministic Polynomial time) class problems.  A common implementation of ZKP with an NP-complete problem is to use Isomorphic graph transformations and Hamiltonian cycles.  Given a graph G, a Hamiltonian cycle is a path around G that visits each vertex exactly once and returns to the starting vertex.  There are many different cycles for each graph, provided the graph has a cycle to begin with.  In this example, Peggy knows a graph G, and a Hamiltonian cycle.  Victor knows the graph, but not the cycle.  Peggy aims to convince Victor that she knows the cycle without revealing anything about it.

1. Peggy creates an isomorphic graph of G, call it H, and sends it to Victor. 
2. Victor now asks Peggy to do one of two things:  show that H is isomorphic to G, or give a Hamiltonian cycle to H.  By revealing the cycle of H Peggy proves that she knows the cycle of G, because it is trivial to transform the cycle of G to that of H if G and H are isomorphic. 
3. If Victor asked Peggy to show that H is isomorphic to G then she must provide the vertex translations needed to transform H into G.
4. If Victor asked Peggy for a Hamiltonian cycle for H then she transforms the cycle that she has for G and sends it to Victor.  This reveals nothing about the cycle of G since Victor won’t have the vertex translations and doesn’t know exactly how H is isomorphic to G.

This problem is exactly the same as cave, with a probability of 0.5 that Peggy will be able to fool Victor at each step.  Any NP-complete problem can be adapted and used in a ZKP, provided there hasn’t been a break through that allows NP-complete problems to be solved efficiently (P=NP).  The security of these systems rely on the number of times the system is repeated, each time making it more and more difficult for Peggy to continue to fool Victor. 

There are many adaptations of ZKP, including a non-interactive version, and research is ongoing trying to find ways to incorporate these into authentication systems and the Internet. Post questions in the comments section below.

Secure Web Applications: Virtual Labs

Microsoft has put together a neat Virtual Lab were users can test run various web hacking techniques.  In the lab they have create a web application that is vulnerable to several different types of attacks.  You can load up the lab and actually perform an XSS hack, or do some SQL injection to deface the front page.  Each different attack has step by step directions as well as information about securing and protecting your own site. 

It is very much an IE and Windows website though.  The introduction is in Silverlight, and the rest of the page is a mashup of Flash and ActiveX controls.  Regardless, I think it is worth the time and effort needed to give this a run through.  It’s good for users as well as web developers to see the types of attacks on web applications that are possible. 

HelloSecureWorld [Virtual Labs]

Harris Institute for Assured Information at FIT announced

Harris has announced a donation of $5 million to Florida Institute of Technology today.  They will be building the new 24,000-square-foot Harris Center for Science and Engineering on Florida Tech’s Melbourne campus that will house the Harris Institute for Assured Information. 

This is very exciting news for us here at Florida Tech’s existing Information Assurance Center.  Despite the cramped lab space and small staff, the center has already been “recognized for its work and numerous government and national foundation contracts.”  The new grant from Harris and the new center being built will undoubtedly bring us more expertise and opportunities for research. 

You can read more details from the press release linked below.

Press Release [Harris]

A case for adblock: "Hackers Use Banner Ads on Major Sites to Hijack Your PC"

The economics of the Internet is very simple: websites publish content and place advertisements on the page to offset costs.  In most cases these advertisements are supplied by a third party ad agency.  Google AdCenter and Microsoft are huge players in this, as well as Amazon and many others.   Generally, these advertisements are nothing more than annoying.  Unfortunately this is no longer the case.  Hackers have created malicious banner advertisements and are using Doubleclick to get them hosted on legitimate sites.  So far, The Economist, MLB.com and Canada.com have all been infected.  Here is an except from Wired:

If you’ve seen any of the ads, you may have experienced something like this: You’re on a legitimate site. Your browser window closes down. A new browser window comes up, redirecting you to an antivirus site, while a dialog box comes up telling you that your computer is infected and that your hard drive is being scanned. The malware tries to download software to your computer and scans your hard drive again.

[Full Article]

In other advertising news, Engadget, a popular gadget blog, recently got into some hot water over an over the top and intrusive advertisement that was actually crashing people’s browsers.  Here are the related posts (the comments are a good read)

The elephant-sized ad in the room
Ad problems fixed — game on!

In light of all of this I have cranked up my Adblock and am now blocking any and all advertisements.  Ad agencies and websites together need to address this issue and gain my confidence back.  I’m surely not going to let my machine get infected by some advertisement I don’t want to see to begin with. For the uninitiated, I have added links to different ad blocking programs for different browsers.

Firefox: Adblock
Safari: Safari Adblock, Safari Plus
IE7: IE7Pro
Opera: Ad blocking built in.

Public Key Cryptography – RSA

In this post I plan to discuss the concept of public key cryptography and explain how the RSA algorithm works.  The inspiration for this post is two fold.  First, I’m currently working on a encrypted messaging application named Scytale which should be released relatively soon and secondly because I find it particularly fascinating.

Crypto-systems fall into two separate categories, symmetric and asymmetric.  Symmetric systems use a single key for encrypting and decrypting.  A simple example of this is the Caesarian Shift cipher, which takes the alphabet and shifts it a certain number of characters.  Below is an example of a Caesarian cipher with a shift of 4 characters.

Alphabet: abcdefghijklmnopqrstuvwxyz
Shift:       defghijklmnopqrstuvwxzyabc

attack at dawn = dwwdfn aw gdyq

The symmetric key used here would be 4.  This key would have to be known by both parties involved, and kept secret from any enemies.  Of course, this is a trivial example and not a very secure was to encrypt any information.  A more modern example would be the previous encryption standard DES, or the current standard Rijndael. 

Asymmetric crypto-systems are an entirely different breed.  They are called asymmetric because one key is used for encryption and another for decryption.   The parties involved can post their respective encryption keys publicly, and keep their decryption keys to themselves.  These systems are deeply rooted in mathematics and number theory.  In this post I will explain one of the more popular asymmetric systems, RSA.

The security of RSA is based on the difficulty of calculating the prime factors of large composite numbers.  The system has three components:  Key generation, encryption, and decryption.

Key Generation

Each party that wishes to receive encrypted messages must first generate a key.  This key will have two parts, a public key and a private key.  To generate the key, two sufficiently large prime numbers are selected, p and q.  These two primes are multiplied together to form the composite number n.  The size of n is the strength of the system.  If the person wants 2048 bit encryption, then n must be a 2048 bit number.  The encrypting exponent e is now selected at random.  This can be any number, as long as it is greater than 1 and less than the Euler totient of n, and is coprime to the Euler totient of n.  The Euler totient of a number n is defined to be the number of positive integers less than n that are coprime to n. Because n is a composite number generated from two prime numbers, it is very easy to calculate it’s Euler totient (p-1)(q-1), if the two prime factors are known.  Now the decrypting, d, exponent must be calculated.  d is simply the inverse of e modulus the Euler totient of n.  The modulus operator (mod) is simply the remainder of division.  5 mod 2 is equivalent to 2, because 5/2=4 with 1 remaining.  Inverse in modulus arithmetic is trivial to find if the modding interger m (in this case the Euler totient of n) is known.  I wrote a Powershell script to solve the inverse mod which can be found here.  If the modding integer is not known however, it is quite difficult.  Here in lies the security of RSA:  for d to be calculated, the totient(n) must be known and for the totient(n) to be calculated, the prime factors of n (p and q) must be known.  Now the participants can publish their public key {e, n} while making sure to keep their private key {d, p, q} to themselves.

Encryption

A plaintext message M is converted into a series of numbers (usually base 64), and split into blocks the size of n.  Each block is encrypted separately and combined together to produce the cipher text.  Each block is raised to the exponent e and modded by n.  This is generally a quick calculation because e is usually small.

Decryption
 
A cipher text C is broken into blocks the size of n and decrypted separately.  Each block is raised to the decrypting exponent d and modded by n.  This operation can be done quite quickly by utilizing Chinese Remainder Theorem and Fermat’s Little theorem.  CRT states that if the modding integer can be broken into prime factors, then the operation can be broken into two smaller operations and then combined together.  This is shown below:
 

Yes, that looks pretty ugly, but it is significantly faster than computing the exponent without the theorem.  Because p and q are prime, d can be reduced quickly to d mod p-1 or d mod q-1, depending on the equation.  Also, since C will be larger than p and q, C can be quickly reduced to C mod p, or C mod q.  This greatly reduces the time needed to compute the plain text.

Let’s do an example.

Simple, eh? 

RSA has it’s drawbacks though.  For starters, the cipher text size is rounded up to powers of n, meaning the message will get very large quickly.  Also, the security of the system is based the difficulty to factor n into its two prime factors.  This is a very difficult problem if n is large.  The problem is, how large does n have to be?  So far, a 1024 bit n has been factored in a fairly reasonable amount of time.  For a message to be secure, a key size of 2048 bits to 4096 bits is recommended.  As technology improves, the key size will have to grow accordingly.  Elliptic curve cryptology, which can be adapted to any algorithm, is now being used in place of standard RSA to combat the key size problem.  I will introduce elliptic cryptology in a later post.

Later I will present several other crypto-systems and introduce Scytale when it is complete.

Hacking the iPhone: Throwing caution to the wind

I am sure everyone is fully aware of the ongoing battle between hackers and Apple engineers over unlocking the new iPhone and iPod Touch.  I don’t plan to take sides on the issue, it is really of little interest to me, but what is grabbed my attention is the complete lack of regard for the users security by both sides.

We are currently on round two of the hack.  The first break in was wiped out by the latest firmware update sent out by Apple.  The latest version utilizes a bug in the way the phone handles TIFF image files.  A specially crafted TIFF file, when supplied to Safari causes a stack based buffer overflow with the possibility of remote code execution.  How is this helpful to iPhone users?  Well, all applications run as root on the iPhone, meaning that once execution has been hijacked, the injected code is running with the highest permissions possible.  By simply browsing to a website and viewing this TIFF file, Safari is giving up complete read/write access to the entire system.  From the website http://toc2rta.com/:

So its offical we have released the tiff exploit code. You can navigate in safari to http://jailbreak.toc2rta.com on your Itouch or Iphone 1.1.1. It will crash your Safari but then you will be able to browse the file system with full read/write access.

Well that’s just grand.

The fact that this exploit has been received so well by users and tech writers alike confounds me.  Why would anyone be celebrating an exploit like this?  Do they not realize that if Niacin and Dre have figured out how to malform the bytes of a TIFF file correctly then someone else probably has too?  Someone who might not be so friendly?  The thought of mobile malware should be troubling to everyone.  Imagine for a minute, a worm that dials 911 on your cell phone on loop, or even one that makes a call to a 900 number when your phone is idle.  There are serious ramifications with a bug like this, and everyone, not just iPhone users, is at risk until Apple fixes this.

Apple claims that they are protecting users by not allowing third party applications to run on the iPhone or releasing an SDK.  Steve Jobs was quoted in a Newsweek interview saying, “Cingular doesn’t want to see their West Coast network go down because some application messed up.”  What he has failed to realize is that his engineers aren’t nearly good enough to keep hackers out of the iPhone (an impossible task).  All this has done is put thousands of people at risk because users are forced to find a way to root their phone so they can run the applications they want.

Just like the previous firmware update, version 1.1.2 will undoubtedly fix this bug in Safari and render the unlocking technique useless.  Faced with the prospect of losing all of their third-party applications, many users will chose not to update their device.  In other words, people will be choosing to run a buggy, exploitable browser in order to use their device the way they want to.  That is a scary thought.  Apple needs to remedy this situation quickly, and do as much as they can to reverse this notion that hacking is good, and updating is bad.  The existence of this exploit should not be celebrated, people should be worried that the security of their phone is so porous.  Hopefully this will all be resolved before a serious outbreak of malicious mobile code hits us all.

Phishing Social Network Sites

“Lazy web developers are the reason I’m still around phishing”

Ha.ckers.org has posted an interesting interview with a phisher who makes a living hacking social networking websites.  Of course, you have to take what the hacker says with a grain of salt, considering he is a criminal and goes by the anonymous name of “lithium”.  That being said, it is still pretty interesting to hear from an 18 year old high school drop out who has stolen over 20 million IDs.  He claims that once he has a user’s social networking password he can break into their email address or other accounts because “5 times out of 10 the person uses the same password for their email account.”  Here’s a good tip:  never reuse the same password. 

Ha.ckers.org is a web-application security blog run by “security gods” RSnake and id.  They post relevant and accurate information about current security issues.  Also, not to be missed is the full-disclosure forums at sl.ackers.org. 

Despite the growing threat, websites and applications are becoming more and more permeable leaving unsuspecting users at risk.  The best way to defend yourself is to become aware of the techniques and capability of the attackers, and to practice strong security habits. 

Scripting on Windows – PowerShell 1.0

For years Windows users and administrators have had to live without an inadequate scripting shell environment.  Sure, there is Perl, Python, and CMD.exe, but those never really could keep up with the all-in-one Swiss army knife of a shell Unix administrators gets to use.

Enter stage left:  Windows PowerShell.

Described as both a shell and a scripting language and designed for IT professionals and administrators, PowerShell provides all of the functionality expected from a scripting shell plus some more.  There is a free book available online that serves as a nice introduction to the program.  The download requires you to log into your .NET passport account.  If that’s a problem for anyone, let me know.

It is important to note how PowerShell is fundamentally different from all other shells.  Unlike most shells, PowerShell uses an object-oriented model based on the .NET framework for input and output.  Here is an excerpt from Frank Koch’s free text, “Windows Powershell” explaining what that means:

PowerShell’s object-oriented concept makes the standard parsers for Unix shells (analyze/evaluate) and text-based information with all its problems and error proneness completely superfluous. To make this clearer we provide the following example: Assume that you would like to have a list of all processes that consume more than 100 handles. With a traditional Linux shell you would call up the command for displaying processes (ps -A). The command then returns a text list. Each line would contain information about a process, separated by spaces. You would parse these lines with a tool, filter out the process ID and then query this with another program to find the handle number. You would then parse these text-based results, filter out the relevant lines and then finally display the relevant text.

Depending on how well cutting and filtering of information from the text lists functions, this approach is more or less reliable. But, for example, if the title of a column in the output changes and the process names are then too long, you will certainly have problems.

PowerShell uses a fundamentally different approach. You also start with the command get-process, which returns all running processes in the operating system. Only here they are returned as an object list made of process objects. These objects can then be investigated for their attributes and directly queried – therefore you do not have to examine any text lines and split them into columns.

There is another good explanation that can be found by following this link.

I haven’t spent a lot of time exploring the uses or getting comfortable with the syntax, but it quickly becomes apparent how powerful and useful this application is.  Consider the following script:
(from “Windows Powershell” by Frank Koch”)

$a = new-object -comobject excel.application
$a.Visible = $True
$b = $a.Workbooks.Add()
$c = $b.Worksheets.Item(1)
$c.Cells.Item(1,1) = “Service Name”
$c.Cells.Item(1,2) = “Service Status”
$i = 2 get-service | foreach-object{ $c.cells.item($i,1) = $_.name;
$c.cells.item($i,2) = $_.status; $i=$i+1}
$b.SaveAs(“C:\Users\Public\Documents\Test.xls”)
$a.Quit()

Can you guess what that does?  Here’s the neatest part, because of line 2 ($a.Visible=$True) I was able to watch all of this happening in an instance of Excel that was opened in the background.  The scope and capability of this application leads to my next point, security.

It appears that Microsoft has learned some lessons from JavaScript and ActiveX scripting in regards to security.  Scripting is disabled by default, meaning any local or remote scripting file (*.ps1) cannot be run.  Built into PowerShell are four different security settings, in regards to signed scripting.

Restricted (Default) - No scripts are run
Allsigned - Only signed scripts are run
Remote - All remote scripts must be signed.  Unsigned local scripts will run
Unrestricted - All scripts are run

Beware, this setting can be changed by any user that can run the application, even if they aren’t an Administrator.  It’s very nice to see Microsoft implementing some security by default considering this will be included into Windows Server 2008 (Longhorn).

Windows Powershell
Powershell Team Blog
Windows PowerShell Script Repository

Testing Tools – Process Explorer

Any substantial computer programs interfaces with and relies upon many different system objects.  These objects include files, network and physical devices, and other programs.  Each time a program interacts with one of these objects, there is an assumed level of trust associated with the action.  For example, if the program is opening a file, it assumes the file is correctly formatted.  Often times programmers fail to implement robust input validation into their applications, meaning that any error (benign or malicious) can harm their program.  As a software tester, and especially a software security tester, these interfaces are an important area to test. 

Before you can test a program, you have to know where to look.  A comprehensive map of all the entry points to the program needs to be mapped out.  This is sometimes called the attack surface.  Process Explorer, by SysInternals, is one of the best tools available for mapping out a Windows application and determining its interfaces.  Process Explorer shows a real-time view of all open processes.  Depending on the selected mode, the program will also display all open handles a process is using, or all of the DLLs and memory-mapped files currently in use.  Look closely at the file handles and you will see that Process Explorer also included network device handles, like \Device\Ip.  Programs that interface with the network should be tested with more scrutiny.  The data gathered from this program will provide a great footprint of an application and give you a good starting point for testing. 

By no means is Process Explorer designed solely for software testers.  This programs gives you absolutely tons of information about your system and the processes running on it.  This application is invaluable for anyone who wants insight to their computer or an application, and is a good supplement for Window’s default Task Manager.  Later I will post about tools that dig deeper into an application and reveal precisely what files and registry keys are opened, read, and written to at any given time.  For now though, this should be a good start.

Security Testing Tools – Sysinternals

One of the goals of this blog is post helpful tools and tips regarding software security testing and writing secure code.  Hopefully someone will read one of these posts and it will help them write safer, and better code. 

Over the next few months I will be posting different tools that can be used to discover faults in applications, and potential security problems.  These tools will include process and handle enumerators, web proxies, fuzzers, and any other tool I consider useful and important.

For starters, I have added a link to Sysinternals on my Blog Roll to the right.  Sysinternals was a company started by Mark Russinovich and Bryce Cogswell in 1996.  They created numerous tools for application debugging and analysis.  These tools are offered for free and are essential to a security tester.  Give a look around at them on your own if you’d like.  I will be revisiting many of them individually in the coming months.