Archive for the ‘security’ Category.

Cross Site Cooking

Michal Zalewski identifies a new class of attacks, that he dubs Cross Site Cooking:

There are three fairly interesting flaws in how HTTP cookies were designed and later implemented in various browsers; these shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers.

While a well-coded web application should be designed to resist attacks from hostile HTTP clients, these new attacks turn every browser into a hostile HTTP client, and it’s a good bet that many web applications are hanging on a pretty thin thread of “this can’t happen” assumptions, soon to be violated. Expect a large number of embarrassing vulnerability reports to ensue.
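The server-side consequence of the attack is that a cookie arriving in a request may have been planted by some other site, so its contents deserve no more trust than a query parameter. The following is an added example (not code from Zalewski's advisory or from this blog) of the usual countermeasure: the server only believes cookies it signed itself, so a spoofed or tampered cookie is rejected rather than acted upon. The key, cookie layout and function names are constructed for this example.

```python
"""Signed session cookies: a spoofed cookie fails verification.

Added example; not the advisory's or the blog's code. SERVER_KEY, the
payload layout and all names are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from a key store.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises ValueError on malformed input."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_cookie(user_id: str, key: bytes = SERVER_KEY, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
    """Return 'payload.signature'; the payload carries the user id and expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now + ttl)},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None.

    Every failure path returns None: a cookie planted by a third-party site
    carries no valid tag under SERVER_KEY, so it is simply ignored.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: no timing side channel on the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


if __name__ == "__main__":
    good = issue_cookie("alice")
    spoofed = issue_cookie("admin", key=b"guess" * 8)  # signed with the wrong key
    print("genuine ->", verify_cookie(good))
    print("spoofed ->", verify_cookie(spoofed))
```

The point is that the browser cannot be relied on to keep cookie scopes separate, so integrity has to be established on the server: a value that does not verify is treated as absent, and the session falls back to "not logged in" instead of to an attacker-chosen state.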


GP* articles on Financial Cryptography

I am enjoying the series of articles on business growth and fraud at the Financial Cryptography web site.
The overall theme is that, whatever level of technical perfection you achieve in a money-handling system,
things really only get interesting once the business takes off — at which point an equilibrium is reached based both on what you implemented and on how much it’s worth attacking.
The first article started the series a bit slowly and abstractly; for my part, I like details.
The latest installment, the most concrete so far, is a case study regarding e-Gold, with some bonus comments regarding WebMoney. Note that even without technical flaws, your business is still affected by attacks on the whole business ecology (much of it out of your direct control): partners, customers, complementary businesses, reputation mongers.

Astronomical nonce sense

Ed Felten discusses an interesting dispute among astronomers regarding how long scholars should withhold discoveries so they can retain exclusive access and get credit for more original papers. (Aside: As I note in his comments, while this is largely self-governing because everybody has incentives to publish, there are occasional extreme examples of scholarly hoarding, such as the decades-long embargo on publication of some Dead Sea Scroll materials.)

The security angle on this is that the dispute is about whether the Spaniards scooped the Americans by reverse-engineering a temporary name published in an advance abstract of a paper. The temporary name contained a date that could have served as an index into a telescope activity log, revealing the position of the newly-discovered object.

The lesson is that cookies or nonces (temporary data values to be used only once) should usually, in security applications, be content-free (long, random, unpredictable, and generated with a random number generator not itself prone to reverse engineering). Structured or predictable nonces can lead to information leaks or to vulnerability to forgery. Short nonces fall to brute-force search.
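To make the three failure modes concrete, here is an added example (not from the post) that puts a structured, date-bearing nonce of the kind the astronomers' temporary name resembled next to a content-free one drawn from the operating system's CSPRNG, and wraps the latter in a single-use registry so each value is honoured once and then expires. The field widths, TTL and class names are constructed for the example.

```python
"""Content-free, single-use nonces versus a structured, predictable one.

Added example; not the post's code. NONCE_BYTES, the structured layout and
the registry's TTL are constructed values for illustration.
"""
import math
import secrets
import time
from typing import Dict, Optional

NONCE_BYTES = 16  # 128 bits: brute-force enumeration is infeasible


def structured_nonce(day_of_year: int, seq: int) -> str:
    """A predictable nonce: it leaks the date and is tiny to enumerate."""
    return f"T{day_of_year:03d}-{seq:04d}"


def structured_keyspace_bits(days: int = 366, seq_per_day: int = 10_000) -> float:
    """Search space of the structured scheme, expressed in bits."""
    return math.log2(days * seq_per_day)


def random_nonce(nbytes: int = NONCE_BYTES) -> str:
    """A content-free nonce from the OS CSPRNG (secrets, not random)."""
    return secrets.token_hex(nbytes)


def random_keyspace_bits(nbytes: int = NONCE_BYTES) -> int:
    return 8 * nbytes


class NonceRegistry:
    """Issues random nonces and accepts each one exactly once within its TTL."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[str, float] = {}  # nonce -> expiry time

    def issue(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        nonce = random_nonce()
        self._pending[nonce] = now + self.ttl
        return nonce

    def redeem(self, nonce: str, now: Optional[float] = None) -> bool:
        """True the first time a live nonce is presented; False ever after."""
        now = time.time() if now is None else now
        # Prune expired entries so the table cannot grow without bound.
        for n, exp in list(self._pending.items()):
            if exp < now:
                del self._pending[n]
        # pop() removes the entry, so a replay of the same value fails.
        expiry = self._pending.pop(nonce, None)
        return expiry is not None and expiry >= now


if __name__ == "__main__":
    print("structured:", structured_nonce(15, 1),
          f"({structured_keyspace_bits():.1f} bits to enumerate)")
    print("random:    ", random_nonce(), f"({random_keyspace_bits()} bits)")
    reg = NonceRegistry(ttl_seconds=60)
    n = reg.issue()
    print("first use ->", reg.redeem(n), "replay ->", reg.redeem(n))
```

A structured value of a few hundred thousand possibilities is both guessable and informative (the date is readable straight off the string), which is the double failure the astronomers ran into; 128 random bits from the CSPRNG are neither, and the registry supplies the "use once" property that the word nonce promises.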

Outwitting the Witty Worm

Kumar, Paxson, Weaver: “Outwitting the Witty Worm: Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event” is a brilliant forensic analysis. Their overview:

Many Internet worms use pseudo-random numbers to scan the IP address-space. In this project, we reverse engineered the state of the pseudo-random number generator (pRNG) which the Witty worm used to generate packets. By combining our knowledge of Witty’s code with the pRNG state, we performed a detailed recreation of the worm’s spread. We were able to discover several characteristics of the infected systems, including their uptime, network access bandwidth, and number of disks. Additionally, we were able to find specific details about the worm author’s deliberate targeting of a US Military base, and determine the identity of Patient 0, the system used to launch the worm.

and there’s interesting follow-on discussion at SecurityFocus.
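What makes the reconstruction possible is that a scanner driven by a weak generator reveals its internal state through the addresses it emits. The block below is an added illustration, not the paper's code and not Witty's generator: a toy 32-bit linear congruential generator whose high 24 bits serve as each packet's "target". From a few consecutive observed targets an analyst recovers the hidden state, replays the scan exactly, and counts how many packets a host sent between two captures, which is the kind of inference the authors used for bandwidth and uptime. The multiplier and increment are the Numerical Recipes LCG constants, chosen for the example; nothing here reflects Witty's actual parameters.

```python
"""Recovering a scanner's pRNG state from observed targets (toy generator).

Added example; not the paper's code. The LCG constants are Numerical Recipes
values picked for illustration, and DROP_BITS is a constructed assumption
about how much of the state reaches the wire.
"""
from typing import List, Optional

MODULUS = 2 ** 32
A = 1664525
C = 1013904223
DROP_BITS = 8          # only state >> DROP_BITS is visible in each packet


def lcg_step(state: int) -> int:
    return (A * state + C) % MODULUS


def observe(state: int) -> int:
    """What a packet capture shows for one packet: the high 24 bits."""
    return state >> DROP_BITS


def scan_sequence(seed: int, n: int) -> List[int]:
    """Targets emitted by a scanner seeded with `seed` over n packets."""
    out, state = [], seed
    for _ in range(n):
        state = lcg_step(state)
        out.append(observe(state))
    return out


def recover_state(observed: List[int]) -> List[int]:
    """Every internal state consistent with >= 2 consecutive observations.

    Only DROP_BITS bits are hidden, so there are 2**DROP_BITS candidates for
    the state behind the first observation; each is checked against the rest.
    """
    if len(observed) < 2:
        raise ValueError("need at least two consecutive observations")
    matches = []
    for low in range(2 ** DROP_BITS):
        cand = (observed[0] << DROP_BITS) | low
        state, ok = cand, True
        for want in observed[1:]:
            state = lcg_step(state)
            if observe(state) != want:
                ok = False
                break
        if ok:
            matches.append(cand)
    return matches


def packets_between(state: int, later: List[int], max_steps: int) -> Optional[int]:
    """Packets sent from `state` until the scan reproduces `later` (>= 2 values).

    Returns the step count, or None if `later` is not reached within max_steps.
    """
    for k in range(1, max_steps + 1):
        state = lcg_step(state)
        if observe(state) == later[0]:
            s, ok = state, True
            for want in later[1:]:
                s = lcg_step(s)
                if observe(s) != want:
                    ok = False
                    break
            if ok:
                return k
    return None


if __name__ == "__main__":
    capture = scan_sequence(seed=123456789, n=600)   # constructed "capture"
    states = recover_state(capture[:3])
    print("candidate states:", [hex(s) for s in states])
    print("packets between first and 500th sighting:",
          packets_between(states[0], capture[499:501], 1000))
```

Because the generator is a bijection on its 32-bit state and the multiplier is far larger than 2**DROP_BITS, any wrong guess of the hidden low bits diverges in the very next observation, so two packets already pin the state down; a third is checked only as a sanity margin. The same structure is what lets defenders recognise a known scanner's stream in a capture and, as the paper shows, read operational details out of the gaps between its packets.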

Policy Metaphors

  • Do not open the thermostat. Call Facilities to adjust. A mechanic will visit twice a year to adjust it, to secure the Allen screws, and to scold you about opening it. (Note: those unsolicited visits don’t happen any more.)
  • Wave arms periodically to turn lights back on. (Note: Many creative mobiles and lightweight origami figures have been invented, with the common feature of being light enough to catch ambient airflow.)

myNetWatchman’s SecCheck

myNetWatchman’s SecCheck is a handy tool available as ActiveX or DOS executable. It dumps out a bunch of configuration detail from your system:

  • Currently active processes
  • Defined services
  • Startup folder items
  • Startup Registry Key contents
  • Applications listening for inbound connections
  • Applications with active network communications
  • Active Browser Helper objects (BHOs)
  • Installed ActiveX controls
  • Module dump (DLLs) for all active applications

If you don’t mind trusting the executable content from myNetWatchman, it’s faster and easier than downloading a bunch of separate tools (fport, etc.) to do the same thing.

iPod Medical Imaging

Via Roland Piquepaille’s Technology Trends: iPod Imaging:

… several thousands of doctors are using the free OsiriX software to manage their medical images on their iPods and Macintoshes …

It’s an interesting route-around of the usual IT solutions (which offer too little space and are less convenient). My cursory inspection of all the linked-to articles and software documentation shows zero discussion of privacy, security, and HIPAA — yet. Is sending a medical image via iChat secure enough?

PPTP and WEP: No more room for nails in the coffin

Two hoary protocols get even more final nails driven into them:

Color Laser Printers embed serial numbers in printed documents

Government Uses Color Laser Printer Technology to Track Documents:

Next time you make a printout from your color laser printer, shine an LED flashlight beam on it and examine it closely with a magnifying glass. You might be able to see the small, scattered yellow dots printed there that could be used to trace the document back to you.

According to experts, several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters.

Peter Crean, a senior research fellow at Xerox, says his company’s laser printers, copiers and multifunction workstations, such as its WorkCentre Pro series, put the “serial number of each machine coded in little yellow dots” in every printout. The millimeter-sized dots appear about every inch on a page, nestled within the printed words and margins.

“It’s a trail back to you, like a license plate,” Crean says.

[via Alex Pang]

[see also Ed Felten]

FireWire’s physical memory access

Maximillian Dornseif’s Red Team: FireWire round-up has several links on using FireWire (IEEE 1394, Sony i.Link) to access physical memory, without any software cooperation from the target host. He just presented at the PacSec/core04 conference. He publishes sample code. He points out that this could be very useful for forensic analysis of live systems. He demonstrates how the technique can be used for privilege escalation or spying. He points to several security advisories that arose out of this discussion.