Johnny Long has a great auction of stuff available for his I Hack Charities organization. There is some good stuff, and it is a good cause.
- Joshbw
RSnake has a post on Google’s new image orientation test to detect humans (or computers, depending on your point of view), and quite correctly he points out that it is simply a probability game to break it. When it comes down to it, I don’t think we can definitively tell a computer and human apart with a specific cognition test, as it is just a matter of time before computational power and algorithmic cleverness solve that cognitive test. However, I also believe we are thinking about CAPTCHAs the wrong way- we shouldn’t try to identify an automated script but rather we should make it too expensive for the script to be practical. Encryption can be broken with sufficient time; it is technically possible to just brute-force AES-256, but this doesn’t deter its use. We know its problem space and work factor are sufficiently large to make brute forcing computationally impractical even if technically possible. The same principles should apply to the design of a CAPTCHA test, though it has many more constraining factors (it must be complex and hard for a computer, but easy for a human, and take into account human disabilities, etc).
So when new CAPTCHA techniques come out we shouldn’t immediately lambast them simply because they don’t provide the definitive test to distinguish a computer adversary, but ask whether they sufficiently increase the work factor. If they do, the spammers and other folks are going to opt to exploit a competing service with a lower work factor, because it will increase their throughput and arguably make them more money. In the specific instance of Google’s new proposal it would seem to reduce the work factor if one was simply guessing, since the chances of guessing the image orientation are much higher than guessing a random 8-digit alphanumeric string; however, with the advances in OCR techniques most alphanumeric CAPTCHAs are being analyzed rather than guessed (the success rate seems to change daily, so I don’t know how that compares to guessing the image). The real question is whether it is easier, faster, and more reliable to analyze the images and determine which way is upright, and I think that is entirely dependent on the images chosen as well as whether a correctly oriented comparison image can be obtained (which would make the analysis pretty easy) or if it had to be algorithmically determined without comparison (which may be hard). In the examples given, I think the gumball machine and guitar are poor choices for images, since there is an easy linear line that can be used to determine orientation, probably with slightly better than 25% accuracy, since the line will either point up, down, left, or right, and the “weight” or proportions would allow for an educated guess on whether vertical or horizontal orientation is more likely. The more complex the picture, with fewer clues towards orientation, the better.
Personally, though, I like the MSR pet finder CAPTCHA. It may be easier to break, but I think it serves a noble secondary purpose.
~ Joshbw
Dear Web Developers,
It’s not kosher to request login information for other websites. Both LinkedIn and Facebook are guilty of asking for your various email credentials so they can harvest your address list under the guise of “making it easier to find your friends,” and they are by no means unique in this practice. Doing so does two things- first, it makes users accustomed to disclosing credentials to websites unrelated to the site the credentials correspond to. Phishing is a huge issue, folks, and we have a hard enough time just getting users to be aware that they really are on their bank’s website. About the last thing we want is to water down that message and get them accustomed to providing that information on sites they clearly see aren’t the site corresponding to the credentials. Unless you move to two-factor authentication the only real way to protect against phishing is user education and training, and this practice completely torpedoes that effort.
The other issue is that you are introducing another link into an already vulnerable chain. Not only does Google have to worry about the Gmail credentials being properly handled on their site (only sent over SSL, hashed in the database, no SQL injection to disclose them, etc), but they now have to worry about how your site secures those credentials (I bet you aren’t hashing the values, since you need to use them outside your system) and they really have no control over it.
So please, quit asking for credentials to other sites- don’t do what attackers do, otherwise you don’t give people an easy way to distinguish between the two.
~ Joshbw
Jeremiah Grossman asks a series of questions on his blog trying to determine if we disagree with the concept or implementation of WAFs, Certifications, Trust Logos, and Compliance Regulations, so I will indulge the questions.
For WAFs I agree with a certain concept of them. I believe they are band-aids rather than solutions, but that band-aids have their place. The solution is to fix the code, and ultimately the robustness of the code is the only real defense for a website. However a problem can be fixed *immediately* with a WAF- a good SDLC would require time for the code to be changed. The root cause of the problem should be analyzed and the application should be inspected for related problems (very likely if the bug got into the code once, it got in more than once). The changes should be thoroughly tested to ensure that functionality is not jeopardized, that the fix works, and that different problems were not introduced. A proper change control process should manage the deployment of the fix. In short, I believe that even if resources can be thrown at the problem immediately, it does not follow that the fix would likewise be immediate. (Tangent- I believe that Firefox is too aggressive on their patch-to-market strategy and likely takes shortcuts that they shouldn’t. I think it better to fix something right than fast, but I am not certain that Firefox agrees.) Web app firewalls allow an interim fix to be put in place between disclosure and a coded solution, and in reality not many organizations can throw immediate resources at the volume of issues that they have. WAFs also offer a bit of defense in depth, which isn’t a bad thing. So long as people focus on that conceptualization of a WAF I think things are fine- my issue is when they are treated as a solution in and of themselves, at which point their limitations will be apparent. A WAF is a generalized appliance, not a specialized solution for a specific site (even with good rules). It doesn’t understand business context and so won’t catch things like unauthorized or unintended access.
Professional certifications I believe serve little purpose. Their implementations are almost entirely horrible, and conceptually there is no certification that says that I will be successful for a given role in a specific organization. They are a decent marketing gimmick to put on a resume to get a bit of attention, and organizations may enjoy advertising how many CISSPs they have to assure clients, but ultimately I will not trust a third party organization in place of my own impressions. When I look at the resume of a candidate I am going to look at what experience is listed to narrow down the folks I want to talk to, and then I am going to probe their knowledge to make sure that it satisfies the needs of my organization. Since that is my inclination when looking for coworkers for my own group, I put absolutely no stock in the number of certifications in outside orgs that I might engage with.
Website trust logos are horribly implemented- I can’t think of a single logo peddler who I believe does a sufficient job of assessing a website (except for PCI Scanless, which is one of the few logos that does *exactly* what it claims to). I will let you in on a little secret though, since I don’t see great harm in it. I have a pair of ADT security placards outside of my home, but no security system installed. If a would-be thief is going down my block he is going to see the signs in front of my house, with the possibility of an alarm system backing them up, and opt to hit my neighbor that has no visible security system advertised. It is an entirely deterrent-based approach, and while worthless if anyone calls my bluff, the bluff in and of itself is not without utility. I see the various logos as something similar. At the end of the day there is nothing backing them up (and even if they weren’t utterly terrible, in order to make them at all cost effective they aren’t going to be anywhere near as thorough as a proper pen test), but if I have to choose between two otherwise equivalent websites to break into, I am going after the one that didn’t bother to even get the logo. Also, consumers don’t know any better, so it is a cheap way to get them to trust you.
And compliance regulations vary in the effectiveness of their implementations, but I don’t disagree with the concept. My view on regulations in general is that they are a way of mandating certain things that are societally beneficial, but not necessarily beneficial to the bottom line of a company. As such, left to capitalistic pressures in a vacuum, those things would never happen (or only happen in companies not completely governed by the bottom line). For example, from an economic standpoint it is cheapest for a company to just dump pollutants in a nearby stream rather than properly dispose of them most of the time (depending on the economic power of the locale, and how likely it is for serious legal threats to originate out of the action)- see mountain top removal mining for just such a mentality in action. Thus the government needs to impose regulations to ensure that societal well-being is also taken into account. Conceptually I see nothing wrong with the interests of individual entities and the interests of the society being balanced by regulation- that is an optimal solution to natural trends in pure capitalism that allows for most of the efficiency of the system while managing some of the drawbacks.
The flaws arrive in the actual implementation of the regulations. If implemented poorly they can prove to be too much of a burden, overly hard to implement or understand, not fully effective, or, as is usually the case, all three. PCI is a great example of this- Heartland was a nice and shiny gold partner, following the regulations, and it did absolutely nothing that actually stopped the disclosure of card information. At the same time, the overly specific nature of PCI means it has to be constantly revised, that more secure solutions can technically be non-compliant, and that it is a huge burden to understand and implement the mandates. The whole thing would be much better off if it said that systems and communication channels that deal with card information must have both confidentiality and integrity maintained, followed with recommended baseline guidelines. Rather than check the controls in place, the QSA would simply check to see if they can extract card information. The problem is that PCI is too focused on checklists and not at all focused on what it actually hopes to achieve, so its implementation is pretty worthless.
Regulations only work if they are clear, their restrictions are reasonable, and if they are focused on ensuring *a* solution to the problem, rather than *one* solution to the problem. If I had to choose between my bank information being stored on an encrypted drive in a generally open data center and questionable asset disposal programs, or plain text in a data center with detailed background checks for all employees, strictly enforced physical controls that limit access to the box, and a thorough and consistently applied asset disposal program, I am going to choose the latter because that organization has a clear intent on security, rather than on meeting a checkmark on a list. (ideally I would want the latter with an encrypted drive). I think most security regulations lose focus on this.
~ Joshbw
I was paying my cell phone bill on the carrier’s website because I was lazy and waited until the last minute- in the process it occurred to me, why do I have to fill out all of this credit card information again? The short answer for this particular site was that I had recently moved and not updated my information with them, but in broader terms, why do I have to do that for every freaking website? Why are companies so quick to want to handle payment information themselves? The transaction charges may be a bit cheaper per transaction, but I cannot in any way imagine that dealing with the PCI DSS every year really makes the net process noticeably cheaper, at least if they are honest in their approach to the process.
At some point in the distant past I was paranoid about who I gave my card to, and was horribly discerning. This site looks sketchy, or this site has a retarded security seal so is obviously not secure, or whatever, so they don’t get my business. Despite this paranoia, I have had my card information stolen and used (or at least attempted to be used) three times. In two of the instances my bank’s fraud protection, which is scary good at profiling my behavior, kicked in and charges never even posted to my account (there is something truly to be paranoid about- whatever profiling algorithms they use, they are horribly accurate about knowing your behavior); the third time a handful of small charges hit my account in $20-$40 increments. The thief was using the card information sparingly to sign up for membership websites, I believe, in order to steal contact lists to use for spam. I reported the charges to my bank and they went away. At some point I realized that it was impossible for me to control my card data; it was just as possible for a waiter to skim the information when they took my card as it was for someone to compromise a website and take it. I can’t feasibly protect that asset, and banks know that, which is why consumers essentially have zero liability. At the end of the day the banks want me to spend with the card, so they will do what they need to, accept some risk, in order to keep me spending. I don’t worry about financial loss when my card gets stolen, I worry about the inconvenience in not having it for 10 days as my bank issues me a new one.
Which comes back to the point with my cell phone carrier- it was inconvenient for me to change my information on their site, and Amazon, and Netflix, and Threadless, and ThinkGeek, etc. I would rather they simply all allowed PayPal, as that way I only have to change my information once. Moreover, I am more confident that one site that specializes in payment transactions will be able to save me the inconvenience of having a new card issued because they leaked the information than I am that a whole host of sites that accept payment as a small subset of their business will. In general I am not a fan of single sign on, but that is because it allows one point of failure to compromise multiple assets. With payment it is different, as it allows multiple points of failure to compromise a single asset unless you centralize it.
Using a centralized payment service isn’t just about saving me inconvenience though. To tie back into the first paragraph, handling payment yourself is a pain in the ass. Complying with PCI is non-trivial, and even if you think you are doing everything right, a QSA checking over your system may not agree. On top of that, PCI is absolutely no guarantee that you are actually protecting card information, simply that you are in compliance, as Heartland (PCI gold member for the win) demonstrated. You still have liability if you do have a breach of payment information. With PayPal a third party is handling all of that headache- they are responsible for conforming to PCI, you have no payment information to leak, and the customer doesn’t have as much headache managing payment information.
There are drawbacks. There is a danger of one or a handful of payment systems like PayPal essentially becoming a payment monopoly (or duopoly) if everyone switched to centralized payment, which would affect prices. The per-transaction cost is higher, and a new login is introduced into the process flow on the website. It also doesn’t work well for companies that may not know the exact charge up front, for example FedEx, which gives you an estimated shipping cost but won’t apply the real cost until they actually weigh the package in their facility, and applies initial and revised charges to a card. Finally, for those subscription based services, PayPal makes it really easy to centrally manage, which means they make it really easy to cancel. Especially in this economy I doubt companies with recurring charges really want consumers to be able to look at all of their recurring charges in one place- they might realize where all of their money is going.
Still, I think being able to transfer the risk to someone else is a pretty compelling argument.
~ Joshbw
CGI Security via AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author who has a note of annoyance that Netflix hasn’t completely fixed everything yet. I think this loses sight of realistic business goals of security- from an enterprise perspective one addresses security vulnerabilities in order to protect revenue or prevent damage. It is a cost benefit analysis, weighing whether allocating resources to address a particular vulnerability allows the greatest capitalization of those resources.
I’d posit that Netflix does not believe preventing CSRF attacks that add movies to the top of a queue to be the most effective use of those development resources. When looking at the impact and likelihood of this sort of CSRF attack the associated risk comes out quite low:
Impact- no direct loss of capital or resources, some level of brand damage. Some customers may very well be so pissed over getting sent some embarrassing video that they leave completely, which is a drop in revenue; however, I would posit that these people are probably the minority. More people are likely to be pissed, complain, and probably get a free month as a token apology (loss of 1/12 of the yearly revenue for those people), but complaining smacks of effort so I don’t imagine that this number will be horribly large either. Then there is the group that will be pissed and do nothing, no appreciable loss. Next is the group that is confused because they didn’t order that particular embarrassing video, no appreciable loss. Finally there is the outlier group that is hard to predict- the group where a couple gets an embarrassing movie, gets in a fight, and separates over a movie (I live in a town where two middle aged men shot each other because of an argument over who parked their oversized SUV too close to the other oversized SUV, so I fully imagine there are people who would overreact to a movie). This might be a loss of a subscription, maintain the status quo, or be a gain of a subscription because now the newly separated couple both want a subscription, whereas they accounted for only one before.
There is also brand damage should this get media coverage once it is exploited. That is a hard thing to put dollars on.
Likelihood- For this to be exploited a customer needs to visit another website that actually carries out the CSRF attack. For that to happen the other website would need to actively choose to be malicious to Netflix instead of carrying out CSRF against a website that would allow monetary gain- there is no personal gain in exploiting this, only vandalism (which isn’t quite the correct word, but in the same spirit). The visitor needs to be logged into Netflix, and they need to be people who don’t frequently manage their queues, otherwise they would notice the movie prior to it being sent (and may still react badly, but I posit that even fewer people would if they caught the movie before it shipped). Of Netflix’s 10 million subscribers I would assert that the number that would fall victim to this is small enough to be indistinguishable from zero.
Let’s look at the likely attacker- this isn’t organized crime, or any accomplished blackhat. Those people are after money. This hypothetical attacker is likely a malcontent teenager who thinks it is funny to screw with a Netflix queue. That mostly rules out the attacker owning their own site that gets enough traffic to exploit this from, and also mostly rules out the attacker knowing of XSS or SQLi flaws in websites that do get enough traffic to exploit this from. It leaves their dinky website that pretty much only gets visited by their friends on IRC (or whatever script kiddies use these days)- probably some random blog on Blogspot or something similar. In other words, this will be exploited from a location that will not attract any noticeable number of Netflix subscribers.
So the likelihood is pretty nonexistent, the impact is very low, and thus the risk of losing subscribers because they were exploited is essentially 0. The risk of brand damage from press coverage isn’t much higher- someone in the press needs to find out about this flaw, grok what the heck the flaw really is, actually have a victim so they can tell a story about it, and then compete for airtime with Company X laying off 50,000 employees and Congress being too incompetent to fix things. I predict the tampered road signs warning about zombies get more press coverage. Finally the viewers need to care. TJ Maxx is our security story, the biggest public data loss to date (with Heartland possibly taking the crown), and anecdotally the people I know who shop there weren’t even aware of it, and upon me explaining it STILL DIDN’T CARE. Netflix subscribers are a slightly different demographic, but I don’t see people getting really worked up about hearing that maybe they might be sent the wrong movie.
So why should Netflix fix this problem, instead of working on features that may attract more customers? The people who found this flaw care because it is their flaw- it matters because it is theirs. Unfortunately that doesn’t sway companies. For any vulnerability that is found it isn’t enough to point out the vulnerability- a business case also needs to be made for addressing the vulnerability. That is the reality of enterprise security- everything is cost/benefit analysis. If the risk is low, the response will reflect that. I’d love to see all vulnerabilities get addressed as much as the next security professional, but that is idealism rather than realism talking.
~ Joshbw
From XKCD:

Eric Lawrence has a pretty thorough write-up on the IE 8 blog concerning *some* protection that IE 8 now offers to avoid clickjacking. In essence there is now a new response header that can be sent back, X-FRAME-OPTIONS, that instructs IE on which behavior should be followed if the website happens to be in a frame, and it has a same-origin option to ensure that only that domain may frame a particular page.
This is by no means a bulletproof fix, especially as it is up to web developers to actually go and use the response header. I can hope that other browser vendors, as well as previous versions of IE, implement this header and behave in the same manner, as it will increase uptake (just as the gradual support by browser vendors of HttpOnly has seen a corresponding uptake of people using it to protect cookies). It’s nice to have an option to control frame behavior without hacky JavaScript (at least in IE, whose frame-busting JavaScript is nowhere near as good as in every other browser). Regardless, as this is a server side fix it is up to developers to do something- clients are still stuck using NoScript on Firefox as the only solution they have control over. It will be a long time before this change has any impact.
~ Joshbw
Yesterday my debit card was deactivated. After calling my bank it turns out that a retailer I had shopped at (whom my bank very annoyingly refuses to disclose) had their card database ripped off, so my bank proactively canceled my card. I am a bit annoyed that my notification of this was my card being killed, and that I am now without a debit card for a week until the new one arrives (considering there isn’t a branch of my bank within 2000 miles of me, this is a bit more than an inconvenience), but I can’t be too pissed about the bank being so proactive about this.
There are also a couple of lessons that are apparent. First, the retailer seems to have been able to suppress the data breach. I am sure there is some agreement where they opt to notify banks but only if the banks keep mum about the breach. Second, I personally have no real risk associated with my card being compromised- it is annoying, but I am not liable for any fraudulent charges and my bank seems very proactive about even preventing fraudulent charges to begin with. Third, the response seems entirely mundane. There is no big to-do. Data breaches have become so commonplace it is like finding out a politician is crooked. I think we are at the point where we assume a “when” rather than “if” mentality towards our cards being compromised, which is sad as it reduces the urgency towards security.
Furthermore, over the holidays (note to Bill O’Reilly, who according to Twitter’s lack of login attempt monitoring, is apparently gay now [now I know why Colbert calls you Papa *Bear*], there are many holidays at the end of December, hence plurally referring to them as holidays rather than Christmas) I caught up with several family members, and it came out that most were not even aware of the TJX data breach, and even on finding out, don’t care. We in the security community love to throw that around as the big example, but I don’t think we realize that it is an example pretty contrary to our message. Here is the largest credit card compromise ever, and most of their customers don’t even know, and those that do don’t really care. They suffered a pittance of expense as a result of the breach. The real lesson is that most people don’t care about credit card theft, it isn’t really a big deal, and successful handling of the media response can largely mitigate a breach. All of that sucks for our message to improve security.
But really, isn’t all of that true? To customers a credit card theft means worst case having to sit on the phone with your bank and go without your card for a while. Credit card theft is a regulatory headache, but the real pain comes from true identity theft. This is where the title of this post comes in. Thinking about this I started hypothesizing where there is the risk of true identity theft. The places that have all of the information needed to steal an identity are a much smaller population, but many of them have really crappy security. Banks and financial institutions are an obvious choice, but they actually are usually pretty on top of things (relative to IT systems as a whole). However any place that accepts your credit information for financing is also a likely target- places like car dealerships, jewelry stores, furniture stores, and any other place that sells something expensive. Many of these places have very shoddy IT systems, pieced together by small local vendor shops who have no clue about security. As an example, my coworker went to buy a car from a local used car dealership that accepts credit applications over the web, password protected; however, the forgot-password functionality simply accepted the email address and echoed the password to the screen. Worse, if one entered the email address of a salesperson (conveniently on the business cards they hand EVERYONE), you got an admin password, able to view all credit applications and results. So a would-be attacker gets both absolutely everything they need to steal someone’s identity AND how much that identity is actually worth.
Also on the list of potential targets to get ID information are universities. The schools have all of a student’s demographic and personal information, often including bank account numbers for the deposit/withdrawal of money, but certainly SSN and birthdate (some schools even use SSN as the student number), maintain these systems well after graduation, and update them with information about alumni (where they live, work, etc). They are also renowned for terrible security and are a perfect target for ID thieves.
So while all of the other voices are calling this the year of webappsec and such, I am in disagreement. I think we will see some big pushes at big companies, but we will also continue to see big blunders at big companies. I further think it will be years before general webappsec knowledge is prevalent enough to protect places like local car dealership websites, and university IT systems, and as the big boys get locked down we will increasingly see attacks against these smaller, and in some ways more lucrative resources (blackhats get fewer but more valuable records with less effort). This may be the point we get enough momentum to start moving security, but it will be a long time before this momentum has an effect on the average consumer.
~ Joshbw
In a recent conversation with a colleague on SSL and how it worked, it occurred to me that I really had no idea what extended verification certificates actually did, other than turn the address bar green and display the company name. What was the “extended verification” that made EV certs better than normal certs? In a normal SSL connection the client can do a reverse lookup based on the cert to verify the host, but DNS poisoning would obviously render this worthless. Do EV certs have some magic in their “extended verification” that addresses this shortcoming?
In a word, no. There is no technical advancement in the EV cert. There is no technology that makes the EV certificate a better option than a normal cert, nothing that works around the weakness of the regular cert in verifying hosts. What the EV means is that the cert authority no longer does a half-assed job verifying that they are issuing a certificate for a particular company to that company. They do a bit more background checking so that they can attest that the company listed in the cert is really the same company requesting it. It is brilliant marketing, as you are paying double to three times the cost of a normal cert just to turn the address bar green and to get the CA to actually do some checking on who requests a cert.
The thing is, despite the fact that there is no technological benefit of this, and the fact that current cert prices should have already included verifying the requester, that stupid green address bar is probably worth the money just to increase customer confidence. But go ahead and be bitter about it, since that shade of green is going to cost you another grand for each certificate. Man, is Verisign brilliantly evil in their product ideas, right up there with the guy who conned children into buying pet rocks.
~ Joshbw