[SecurityRatty] tag: defective

$13 Billion of U.S. Taxpayers Money was Stolen or Wasted in Iraq.

Thu, 25 Sep 2008 00:03:00 +0000

This article in yesterday's "Washington Post" was sickening to read but hardly comes as a surprise.

It is also sad to read that there was most likely involvement by Iraqi Government officials and U.S. contractors. The investigator who testified as to the waste and theft was fearful of his life as 32 of his fellow investigative co-workers have been killed.

One scheme involved officials from the Iraqi Defense Ministry setting up a front company that received $1.7 Billion in U.S. funds to buy guns, armoured vehicles and other equipment. Only a small percentage was ever purchased and in one case, they had bullet-proof vests delivered that were defective and useless.

In another case involving Iraqis and U.S. contractors, $24.4 million was spent on an electricity project that "only existed on paper". The worst part was that money sent to the Defense Ministry was discovered to have been diverted to Al-Qaeda and found its way to bank accounts in Jordan and other places.

Let us hope the Government spends the proposed $700 Billion bail out funds in a more responsible and accountable manner.

MBTA Hacking Injunction Lifted

Wed, 20 Aug 2008 01:49:55 +0000

Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary:

The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

“The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” said EFF Staff Attorney Marcia Hofmann. “A presentation at a security conference is not some sort of computer intrusion. It’s protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security — the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not.”

This sets a good precedent for future cases, and perhaps next time a similar situation arises, a judge will not be so quick to issue a gag order. It’s not a happy ending yet though, as the original lawsuit is still in effect.

As Chris Wysopal pointed out last week, the MBTA’s ire is misdirected. Rather than suing the vendor who sold them the defective system, they sued and attempted to silence the students who discovered the weakness. This is 2008, not 1988 — did they honestly think a gag order would prevent the information from reaching the general public? The DEFCON presentation was already available on the Intertubes prior to the injunction being issued, and the MBTA attorneys included a copy of the confidential whitepaper with their filing, thereby making it public.

I guess you wouldn’t expect that a transit authority would have paid any attention to theCiscogate fiasco from a few years ago. That presentation never got out either, did it? All that taxpayer money the MBTA spent on ridiculous lawsuits and restraining orders could have been put toward fixing the security flaws. What a concept.

Ex-Congressmans Firm Made Defective Tank Deal With Iraq

Thu, 10 Jul 2008 08:00:00 +0000

If, someday, there are T-shirts sold in Iraq that read, "the United States invaded our country and all we got were these crappy tanks," you can thank former Rep. Curt Weldon’s arms-dealing firm, Defense Solutions, for the new outfits. The company got itself a contract to refurbish Soviet-era tanks for the Iraqi government under a deal with such lopsided terms it likely would have been illegal under U.S. law.

Q&A: Want better security apps? Make vendors accountable, Geekonomics author says

Thu, 06 Mar 2008 11:00:00 +0000

Security software vendors have gotten away with writing defective and insecure code only because the market has allowed them to, according to David Rice, the author of Geekonomics.

Chip & PIN terminals vulnerable to simple attacks

Tue, 26 Feb 2008 17:33:32 +0000

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufactures of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.

Long Island University notifies students of mailing error

Tue, 12 Feb 2008 06:53:50 +0000

Technorati Tag: Security Breach

Date Reported:
2/12/08

Organization:
Long Island University

Contractor/Consultant/Branch:
None

Victims:
"all students who were enrolled at Long Island University in the calendar year 2007"

Number Affected:
~28,000

Types of Data:
Student names, addresses and Social Security Numbers

Breach Description:
"During the week of February 4, University officials discovered that some IRS 1098-T “Tuition Statement” forms for 2007, that had been delivered to the Post Office in what may have been defective mailers supplied to the University, were damaged by Post Office processing machinery. Student names, addresses and social security numbers were on these forms and may have been exposed."

Reference URL:
Long Island University online notification
Newsday.com online report

Report Credit:
Long Island University

Response:
From the online sources cited above:

Long Island University is notifying approximately 28,000 students that their personal data may have been exposed to potential identity theft.

The personal data of all students who were enrolled at Long Island University in the calendar year 2007 may have been exposed.

This exposure affects the University’s two main campuses - Brooklyn and C.W. Post; and its regional campuses.

The personal data includes names, addresses and Social Security Numbers.

Earlier this week, University officials discovered that some IRS 1098-T "Tuition Statement" forms for 2007, that had been delivered to the Post Office in what may have been defective mailers supplied to the University, were damaged by Post Office processing machinery. Student names, addresses and social security numbers on those forms may have been exposed.

one side of each envelope was missing adhesive, according to LIU officials, which caused about half of the statements to be damaged by U.S. Postal Service processing machinery

At this time Long Island University has no indication that this data has been accessed or used by anyone. However, the University recognizes the seriousness of this exposure and the need to inform the affected students as quickly as possible.
[Evan] In this day and age, this is a prudent decision to notify students quickly. LIU deserves credit.

"Long Island University deeply regrets that personal information may have been inadvertently exposed to potential identity theft," Long Island University President David Steinberg said.
[Evan] The leader of the school addressing the situation is another good call in my opinion.

We are notifying all the affected students by letter. We also have established a "Notification of 1098-T Data Exposure" link on the University’s website, set up a hotline (516-299-2553); and provided information to students that will help them protect their personal information.

"The likelihood of identity theft is low," said LIU treasurer and vice president for finance Robert N. Altholz. "But for some period of time the names, addresses and Social Security numbers were available to the people in the post office
[Evan] The additional risk posed by this breach is relatively low. It appears that the information was only exposed to Post Office personnel. I don't feel comfortable with confidential information being sent in the mail, but this happens everyday, especially during this time of year (tax time).

A Victim Reaction:
"Of course, I don't feel good about having my personal information out there," said junior education major Joanna DeMauro, who attends C.W. Post. "This is the first I am hearing about this incident."

Commentary:
As I read the school's breach notification and response, I come away with a sense that the school really does care about the personal information of their students. This is another one of those breaches that could have easily been "swept under the rug". The school is clearly not trying to hide anything. They even have a prominently displayed link on their homepage that reads "NOTIFICATION OF 1098-T DATA EXPOSURE"

The school deserves some credit for their prompt and clear response.

How many IRS forms are sent through the mail this time of year with Social Security numbers on them?

Past Breaches:
Unknown

Automating web application security testing

Mon, 16 Jul 2007 07:40:00 +0000

Posted by Srinath Anantharaju, Security Team

Cross-site scripting (aka XSS) is the term used to describe a class of security vulnerabilities in web applications. An attacker can inject malicious scripts to perform unauthorized actions in the context of the victim's web session. Any web application that serves documents that include data from untrusted sources could be vulnerable to XSS if the untrusted data is not appropriately sanitized. A web application that is vulnerable to XSS can be exploited in two major ways:

Stored XSS - Commonly exploited in a web application where one user enters information that's viewed by another user. An attacker can inject malicious scripts that are executed in the context of the victim's session. The exploit is triggered when a victim visits the website at some point in the future, such as through improperly sanitized blog comments and guestbook entries, which facilitates stored XSS.

Reflected XSS - An application that echoes improperly sanitized user input received as query parameters is vulnerable to reflected XSS. With a vulnerable application, an attacker can craft a malicious URL and send it to the victim via email or any other mode of communication. When the victim visits the tampered link, the page is loaded along with the injected script that is executed in the context of the victim's session.

The general principle behind preventing XSS is the proper sanitization (via, for instance, escaping or filtering) of all untrusted data that is output by a web application. If untrusted data is output within an HTML document, the appropriate sanitization depends on the specific context in which the data is inserted into the HTML document. The context could be in the regular HTML body, tag attributes, URL attributes, URL query string attributes, style attributes, inside JavaScript, HTTP response headers, etc.

The following are some (by no means complete) examples of XSS vulnerabilities. Let's assume there is a web application that accepts user input as the 'q' parameter. Untrusted data coming from the attacker is marked in red.

Injection in regular HTML body - angled brackets not filtered or escaped

Your query '' returned xxx results

Injection inside tag attributes - double quote not filtered or escaped

blah">">

Injection inside URL attributes - non-http(s) URL

javascript:evil_script()">...

In JavaScript context - single quote not filtered or escaped

In the cases where XSS arises from meta characters being inserted from untrusted sources into an HTML document, the issue can be avoided either by filtering/disallowing the meta characters, or by escaping them appropriately for the given HTML context. For example, the HTML meta characters <, >, &, " and ' must be replaced with their corresponding HTML entity references <, >, &, " and ' respectively. In a JavaScript-literal context, inserting a backslash in front of , ', " and converting the carriage returns, line-feeds and tabs into , and respectively should avoid untrusted meta characters being interpreted as code.

How about an automated tool for finding XSS problems in web applications? Our security team has been developing a black box fuzzing tool called Lemon (deriving from the commonly-recognized name for a defective product). Fuzz testing (also referred to as fault-injection testing) is an automated testing approach based on supplying inputs that are designed to trigger and expose flaws in the application. Our vulnerability testing tool enumerates a web application's URLs and corresponding input parameters. It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities. Although it started out as an experimental tool, it has proved to be quite effective in finding XSS problems. Besides XSS, it finds other security problems such as response splitting attacks, cookie poisoning problems, stacktrace leaks, encoding issues and charset bugs. Since the tool is homegrown it is easy to integrate into our automated test environment and to extend based on specific needs. We are constantly in the process of adding new attack vectors to improve the tool against known security problems.

Update:
I wanted to respond to a few questions that seem to be common among readers. I've listed them below. Thanks for the feedback. Please keep the questions and comments coming.

Q. Does Google plan to market it at some point?
A. Lemon is highly customized for Google apps and we have no plans of releasing it in near future.

Q. Did Google's security team check out any commercially available fuzzers? Is the ability to keep improving the fuzzer the main draw of a homegrown tool?
A. We did evaluate commercially available fuzzers but felt that our specialized needs could be served best by developing our own tools.

Automating web application security testing

Mon, 16 Jul 2007 07:40:00 +0000

Injection in regular HTML body - angled brackets not filtered or escaped

Your query '' returned xxx results

Injection inside tag attributes - double quote not filtered or escaped

blah">">

Injection inside URL attributes - non-http(s) URL

javascript:evil_script()">...

In JavaScript context - single quote not filtered or escaped

In the cases where XSS arises from meta characters being inserted from untrusted sources into an HTML document, the issue can be avoided either by filtering/disallowing the meta characters, or by escaping them appropriately for the given HTML context. For example, the HTML meta characters <, >, &, " and ' must be replaced with their corresponding HTML entity references <, >, &, " and ' respectively. In a JavaScript-literal context, inserting a backslash in front of \, ', " and converting the carriage returns, line-feeds and tabs into \r, \n and \t respectively should avoid untrusted meta characters being interpreted as code.

How about an automated tool for finding XSS problems in web applications? Our security team has been developing a black box fuzzing tool called Lemon (deriving from the commonly-recognized name for a defective product). Fuzz testing (also referred to as fault-injection testing) is an automated testing approach based on supplying inputs that are designed to trigger and expose flaws in the application. Our vulnerability testing tool enumerates a web application's URLs and corresponding input parameters. It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities. Although it started out as an experimental tool, it has proved to be quite effective in finding XSS problems. Besides XSS, it finds other security problems such as response splitting attacks, cookie poisoning problems, stacktrace leaks, encoding issues and charset bugs. Since the tool is homegrown it is easy to integrate into our automated test environment and to extend based on specific needs. We are constantly in the process of adding new attack vectors to improve the tool against known security problems.

Update:
I wanted to respond to a few questions that seem to be common among readers. I've listed them below. Thanks for the feedback. Please keep the questions and comments coming.

Q. Does Google plan to market it at some point?
A. Lemon is highly customized for Google apps and we have no plans of releasing it in near future.

Q. Did Google's security team check out any commercially available fuzzers? Is the ability to keep improving the fuzzer the main draw of a homegrown tool?
A. We did evaluate commercially available fuzzers but felt that our specialized needs could be served best by developing our own tools.