[SecurityRatty] tag: lead

Expect iPhone, Fourth of July scams, security firm says

Thu, 03 Jul 2008 09:00:00 +0000

Next week's launch of Apple's new iPhone, coupled with the Fourth of July holiday in the U.S. on Friday, is likely to lead to more malware spam over the coming days.

Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security

Tue, 01 Jul 2008 15:03:10 +0000

In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security.

Guido is the creator of the Python programming language and more recently, Google App Engine team member. His involvement with the App Engine project was pretty late - the code “was almost ready for release” when he get involved. The security architect of App Engine was primarily project lead, Kevin Gibbs, supported by the rest of the App Engine crew and the Google Security Team.

The Interview

cloudsecurity.org: What security principles did you follow for App Engine?

GvR: While I can’t share any specifics on what we’re doing to secure App Engine, I can say that the main principle we’ve followed could be called “defense in depth”. We’re not relying exclusively on a secure interpreter, or any other single security layer, to protect our users.

cloudsecurity.org: Please provide some examples of how those principles played out in terms of the current implementation?

GvR: Sorry, we don’t divulge such information.

cloudsecurity.org: What criteria did you apply to Python module selection?

GvR: We first looked for modules that were useful and straightforward to audit. If a module was large or complex, we’d only audit it (fixing things we found) if it was deemed essential or at least useful for a large number of users; otherwise we’d exclude it.

cloudsecurity.org: What do you see as the security risks inherent in exposing an interpreter runtime in a shared environment?

GvR: I presume you’re asking about risks to users, like providing accidental access to data belonging to another app. We’ve taken extensive measures to isolate different apps from each other. For example, each app runs in a separate process, and the datastore prevents an app from accessing data belonging to other apps.

cloudsecurity.org: I recently attended a fascinating talk by Justin Ferguson (a Seattle based security consultant) at eusecwest in London. He gave a great talk exploring security vulnerabilities in language interpreters and specifically highlighted some security weaknesses in Python App Engine. What are your thoughts on his research and specifically the Python issues he highlighted? When do you anticipate they will get fixed?

GvR: We’ve anticipated all of the possibilities raised in Justin’s talk, and took measures to protect our users. Justin highlighted weaknesses in Python, but not in App Engine. Furthermore, our security model does not rely solely upon protections within the Python interpreter; there are additional protections that these external analyses have missed.

cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users processes or attacking backend systems?

GvR: You are correct that there are strong measures in place, but I’m not at liberty to discuss details.

cloudsecurity.org: Python was the first language to get the App Engine treatment, what language is next and what are some of the language specific security challenges the team has had to deal with?

GvR: Although I can’t comment on what language is next, we are working on this, and have gotten a lot of great feedback from our developers. As far as language-specific security challenges, they stemmed mostly from the complexity of the Python interpreter. We spent a lot of time auditing this, and did a great deal more than just identifying buffer overflows. I can also add that Google is actively researching the security of interpreted languages. Google engineers routinely contribute security fixes to open source projects, including but not limited to Python.

cloudsecurity.org: How does the team decide when ‘enough is enough’ in terms of hardening the interpreter?

GvR: That’s not really how we approach it. We realize that security is an ongoing effort, and try to stay ahead of threats through continuous monitoring and testing.

cloudsecurity.org: Some commentators have suggested that perhaps the difficulty of auditing the implementation led to some modules being more heavily restricted than perhaps necessary. What are your thoughts on that and what plans, if any, are there to bring back code objects/functions that were eliminated in the initial release? (with the benefit of hindsight).

GvR: The only thing we are likely to put back is the _ast module, which was not audited based upon an underestimation of its usefulness (see my answer to question #3 above). We will also put back some dummy functions and other objects whose absence currently prevents some popular frameworks from being loaded without modifications. For example, some harmless functionality in the imp module will come back. We’re also looking into making urllib2 work (to some extent), though that’s not really a security issue but merely a matter of API adjustment.

cloudsecurity.org: It is reported that Google encourages small groups to go off and create. How involved were the Google security team with App Engine in terms of design and implementation review/testing? Given the dynamics, is it possible to have a meaningful security process that shadows the development process?

GvR: The Google Security team is involved in everything we do. They have been extremely helpful.

cloudsecurity.org: How can people report security weaknesses they discover in App Engine? What commitment does Google give in terms of dealing vulnerability reports?

GvR: There is a standard process for submitting security issues. See http://www.google.com/corporate/security.html. Google moves very fast to protect its users when a verifiable security vulnerability is reported.

cloudsecurity.org: One concern is the potential misuse of App Engine to exploit security vulnerabilities in visitors browsers. This is not a new problem per se, shared hosting providers know all about this. But with Google and other Cloud providers, the scalability potential is much higher. What are your thoughts on this and what pro-active steps is Google taking to detect and terminate evil apps?

GvR: This is high on our list of concerns. We deal with this through a combination of restrictions on what you can do (e.g. certain HTTP headers and ports are off-limits) and, again, monitoring.

cloudsecurity.org: Beyond App Engine, what role do you think Python will play in the Cloud both now and in the future?

GvR: Sorry, I’m not prone to philosophizing about the future.

cloudsecurity.org: Trust is often cited as a barrier to enterprise adoption of Cloud Computing. What role do you personally think Google can play in building that trust?

GvR: I think trust is built up over a long period of experience. Our actions in terms of being open to our users will be the most important factor in establishing trust. Of course, Google’s reputation also helps: everybody understands that Google doesn’t want its name associated with a bad product.

cloudsecurity.org: Looking at the Cloud Computing landscape beyond Google, what are your thoughts on the current state of Cloud Computing and Security?

GvR: It’s obvious that Cloud Computing is only just taking off. The next few years will be very exciting.

cloudsecurity.org: Lastly, what are some of your favourite App Engine apps?

GvR: There are too many to enumerate. If you insist on a highlight, well, I like Rietveld (http://codereview.appspot.com), a tool for collaborative code review which I (largely) wrote myself. It is open source and includes some essential components from Mondrian, a similar internal tool which I created before I joined the App Engine team.

Thanks

My thanks to Guido for his time and sharing his views.

25 Mac OS X Security Vulnerabilities Fixed in Apples 2008-004 Security Update

Mon, 30 Jun 2008 22:09:44 +0000

Apple has shipped a new Mac OS X update that addresses 25 documented vulnerabilities that could lead to arbitrary code execution attacks. Apple fixes in this 2008-004 Security Update code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit. Fixes for six highly critical Ruby, a popular open-source scripting language, vulnerabilities are [...]

Trojan lurks, waiting to steal admin passwords

Mon, 30 Jun 2008 20:00:00 +0000

Writers of a password-stealing Trojan horse program have found that a little patience can lead to a lot of infections.

Hackers Selling Stolen Credit Cards Lead To Montgomery Ward Parent Company Breach Exposure

Sat, 28 Jun 2008 21:52:17 +0000

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along [...]

Can you hear me now?

Fri, 27 Jun 2008 06:56:10 +0000

Verizon released a very interesting Data Breach report that analyzes over 500 forensic reports on their system over a number of years. It is great work by Verizon to gather this data and to publish it. Of course a consultant I go into lots of companies where they could learn a lot just by being more open and talking through issues with peers in other companies. Would be great to see other companies follow Verizon's lead.

I suggest you read their report, and I would like to add a little color to their findings from the perspective of the swamp I spend most of my time in - Web services security. Granted it is just one report, but the data run counter to a lot of conventional security "wisdom":

Who is behind data breaches?

73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

The internal/external divide is pretty silly these days, as is companies' recanting "inside the firewall and outside the firewall", I spend most of time hooking things up together precisely _so_ they intereoperate remotely. The firewall is a speed bump at best. At any rate external sources is a primary concern in Web services security, because - hey look our Web service front end just made your Mainframe/As400/Unix DB/ CICS/whatever accessible remotely. This is great from a functionality standpoint, but the issue is that these back end systems were never designed with anything remotely resembling an Internet threat model. Additionally, the Verizon team's findings around business parties and multiple parties strikes at the heart of a number of popular misconceptions in Web services security - "well its just B2B and its behind a firewall."

How do breaches occur?

62% were attributed to a significant error

59% resulted from hacking and intrusions

31% incorporated malicious code

22% exploited a vulnerability
15% were due to physical threats

A couple of things to note here - malicious code in my opinion is likely to be the biggest problem in Web services security going forward. There is a large gap waiting to be exploited here. You have no control over the other end of the pipe plus a massive attack surface, the only thing lacking is the attacker's ability to find and exploit which I strongly suspect is just a matter of time. Wrt hacking an intrusions we have the remote, passive nature of web security to blame here in Web services world. Paraphrasing Jeff Williams, the problem is that an attacker can just try an attack if it doesn't work, try again, again, and so on. This partially because of the loosely coupled nature of the systems, but it is also because commonly used information security protocols have diverged from reality are modeled using an object-centric mentality, where you "own" the object you are protecting and can afford to put passive controls around.

What commonalities exist?

66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls

Many of the attacks against Web Services are not difficult, in my training class, we'll typically execute 8-10 different attacks in a two day period. But the big one from this list is the first one - the amazing amount of attack surface offered up by Web services. Brad Hill has done a good job articulating these issues in SOAP/XML/WS-*, but at an enterprise its even bigger than those standards - the thing is we use Web services to make stuff interoperate, to make stuff reusable, and to virtualize endpoints. Great stuff if what you want to do is decentralize your business, but this creates oceans of space for attackers to roam. When you look beyond the Visio and the IDE view of web services, and get to the runtime there is an amazing amount of detritus left behind by all these layers.

D.C. Gun Ban Lifted - Thank You Supreme Court!

Thu, 26 Jun 2008 22:23:00 +0000

The news came like music to my ears (and to hundreds of thousands of other ears across the country, I dare say). Law abiding citizens in the District of Columbia would be allowed to protect their homes and families.

The vote was not unanimous by any means - the historical decision was arrived at by a 5 to 4 vote to remove the ban prohibiting District residents from obtaining handguns. In a WTOP radio interview today, the NRA lobby spokesman, Chris Cox, spoke about the need for cities such as Chicago and San Francisco to fight to have their Second Ammendment rights re-instated.

Mr. Cox also gave notice to D.C. Mayor Fenty that he would have to honor the Supreme Court's decision, even though it is well known that the Mayor is a fierce opponent of allowing law abiding citizens to protect themselves and their loved ones with the aid of a firearm. Mayor Fenty was later qoted as saying; "More guns will mean more crimes".

Apparently the Mayor's flawed and at this stage, thread-bare reasoning, did not influence the majority of Supreme Court Justices. I would dearly love to be able to ask the Mayor this one question; how has the ban on handguns, which has been in effect in the District of Columbia for the past 32 years, helped to cut down on violent crime involving the use of ILLEGAL firearms? I am sure that I am not the only one who has heard D.C. referred to as; "The murder Capital of the World". Are drive-bys, and drug/gang related homicides ever committed by a law abiding citizen? How could having a firearm in one's home lead to more crime?

I put it to you Mr. Mayor, that the exact opposite would/will happen. All of those two-bit gun wielding punks on your streets who think they are big and bad because they have a "piece" jammed in their waist bands will think twice before burglarizing the home of a law abiding citizen who just might be pointing the noisey end of a 45 pistol at them. It is a well known fact that D.C. and Maryland criminals are very reluctant to break into a Virginia home as they know that Virginians have easy access to weapons.

Of course this latest ruling does not in any way mean that we'll all be walking around downtown with concealed firearms. Far from it, I am sure. Justice Scalia pointed out that restrictions will still be in place. As it should be. Law abiding citizens do not want to see convicted Felons carrying guns nor should those suffering from mental disorders or with a history of violent domestic abuse be allowed to access guns. Similar to what we have in Virginia, it is realistic to expect that guns will be banned from Government buildings and schools.

As the owner of a security firm who protects clients from harm and as someone allowed to carry concealed in Virginia and Maryland, I would hope that those of us who are properly licensed and insured in the District will be able to carry concealed there. I wouldn't even mind if the Mayor acted like a proper politician and found a way to tax us for the privilege.

He can even insist that all future gun holders undergo a mandated safety course. Being a certified security training school, we're ready to get on board with the training program today!

Is this a case of; "Do as I say, not as I do"?

Wed, 25 Jun 2008 23:23:00 +0000

I think it is a shame when a Police Officer acts like a Politician. It seems like this might be what happened to the Police Chief in San Francisco.

It has leaked out that Chief Heather Fong has not qualified with her service weapon in years. She actually admits to it but blames the lapse on her busy schedule. This poses two really pressing questions. Firstly, what would she do if she was getting into her vehicle going to or coming from work and she witnessed a grievous felony taking place? If she pulled her weapon, she would most definitely not be able to respond in a manner befitting a trained Police Officer who had undergone requalification every 6 months as is her Department's policy. Would she even be qualified/legally covered to use her weapon after going years without re-training?

Secondly, how is she able to administer punishment to other officers who have failed to re-qualify when she herself is facing disciplinary charges? What kind of message is she sending out? Apparently, in San Francisco there seems to be one law for the street cops and another for high ranking officers. This must do wonders for morale.

Of course we know that you have a busy schedule Chief, but it is hard to believe that you couldn't find an hour once every six months to run out to the range and "pop a few off". You would hardly have to wait in line like everyone else. Have you forgotten what every Police Officer (and armed security officer for that matter) is taught, that using a weapon is based upon muscle memory? In other words, if you don't use it, you lose it.

People like Chief Fong are supposed to lead by example and shame on them when they don't. Do the right thing Chief, bring a sandwich to work with you and go out to the range on your lunch break. You shouldn't put yourself above the law.

Minimizing the Attack Surface, Part 1

Tue, 24 Jun 2008 15:09:34 +0000

What was the first thing you learned about network security? There’s a good chance it had something to do with port scanning. After scanning a few boxes, you realized that modern operating systems have a lot of open ports by default, meaning a lot of services. Some had an obvious purpose, like telnet on tcp/23 or ftp fon tcp/21. Others left you wondering, what the heck is listening on tcp/515 or tcp/7100? And remember, you couldn’t ask Google because it didn’t exist (well, maybe it did depending on when you got into security).

Your first real lesson about locking down a host was how to reduce its attack surface. You learned how to disable services using /etc/inetd.conf. Then you learned about rc.d and how to prevent unnecessary services from being launched at startup. Next, maybe you configured the Xserver to disallow remote connections or moved on to removing setuid permissions from files. As you worked, you’d periodically re-scan the box to gauge progress, asking yourself “have I removed everything I don’t need?” The underlying motivation, of course, is that an attacker can’t hack something that isn’t there.

You learned how to extend those concepts to the network — configuring firewall rules, router ACLs, VLANs, etc. Segmenting the network. Creating a DMZ. No need to dwell on this, you get the idea.

Eventually, people realized that applications had an attack surface too. Web servers and application servers got a lot of attention, followed closely by custom web applications. “What do you mean you can execute SQL queries against my database? That’s impossible, I have a firewall!”

Some companies, the ones who could afford it anyway, started to build security into their development cycle. Doing threat modeling during the design phase made sense, because hey, it’s much cheaper to fix security holes in a whiteboard drawing than it is to rewrite your authorization module from scratch after it’s in production.

Let’s talk strictly about custom web applications now. What I’ve observed is that most development groups, even the ones who actively engage in threat modeling, do not understand their web application’s attack surface. The lead architect can whiteboard a high-level diagram of all the major components and how they interact. Individual developers can go a bit deeper, telling you which files they touch, what database permissions they need, or how various pieces of data are encrypted in storage. At the end of this exercise you have a complete picture of the processes, data flows, protocols, privilege boundaries, external entities, and so on, and you’re well on your way to understanding all of the potential attack vectors.

Or are you?

What often gets overlooked or glossed over is the impact of external libraries or packages. Nobody writes everything from scratch. A typical list of third-party libraries for a Java-based Web 2.0 application might include DWR, GWT, Axis, and Dojo, plus about 30 other libraries to do everything from logging to parsing to image manipulation. Nine out of ten times, the libraries will be installed in full, using the default configuration from page one of the README file.

Why is this relevant? Because just as those old Unix boxes exposed unnecessary services, libraries expose unnecessary code. Let’s say you installed Dojo to simplify the process of creating an HTML table with rows and columns that can be sorted on demand. Did you remember to remove all the .js files you didn’t need? Or maybe you installed Axis or DWR or anything else that has its own Servlet(s) for processing requests. Have you compared what that Servlet can do against what you need it to do?

A fictitious example may help illustrate further. Imagine you just downloaded a new library called WhizBang. You follow the installation instructions to define and map two servlets in your web.xml file, WhizServlet and BangServlet, and you configure it to integrate with your web app. After a bit of trial and error, it’s functional. Yay! This is where most developers stop.

Nobody asks, “how much of this do I actually need?” Case in point, what if your application only uses WhizServlet? BangServlet is still exposed, and you don’t even use it! Similarly, what if WhizServlet takes an “action” parameter which can be either “view”, “edit”, or “delete”, and your application only uses “view”? You’re still exposing the other actions to anybody who knows the URL syntax (pretty trivial if it’s open source). You wouldn’t expose large chunks of your own code that you weren’t using, so why should it be any different with libraries?

This post is getting kind of long so I’m going to split it up. In the next post, I’ll continue the discussion of attack surface minimization, as well as some of the tradeoffs that go along with this approach.

Q&A: The DNSChanger Trojan

Tue, 24 Jun 2008 13:00:36 +0000

Christoph Alme is the Principal Engineer and Team Lead of anti-malware research at Secure Computing Corporation. He is the inventor of several patent-pending key technologies in the field of proactive...