From the monthly archives:

February 2008

Big Mac

by Eduardo Tongson on February 29, 2008

in SBN

PayPal warns against using Apple's Safari: Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer. A perfectly valid reasoning. A couple of Mac users cannot seem to understand the precaution suggested. In other news, Apple customer service


Repurposing Attacks Against Java Applets

by John Heasman on February 28, 2008

in SBN

If you read my review of the Web Application Hacker's Handbook you may remember I made the following point:


The authors talk about repurposing ActiveX controls but do not mention that this also applies to signed Java applets, which can also expose dangerous methods in exactly the same way.


In this post I'm going to discuss a security flaw in a Java applet signed by Sun Microsystems. The vulnerability lets us drop an arbitrary file to an arbitrary location on the file system on Windows platforms, subject to the user's permissions and, in IE7, to whether Protected Mode is on. The applet in question has been updated to fix this issue and the NGS advisory is here.


Before I talk about the applet itself, let's take a brief look at the components of a signed JAR:


  • A signed Java applet consists of a JAR file (a zip archive) containing the application class files, a manifest, one or more signature files and a signature block.

  • The manifest holds a list of the files in the JAR that have been signed, with a corresponding digest (typically SHA-1) for each file.

  • A signature file consists of a main section which includes information supplied by the signer but not specific to any particular jar file entry, followed by a list of individual entries whose name must also be present in the manifest file. Each individual entry must contain at least the digest of the corresponding entry in the manifest file.

  • The signature block contains the binary signature of the signature file and all public certificates needed for verification.
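The manifest is the innermost layer of that structure: the .SF file digests the manifest sections and the signature block signs the .SF file, so a change to any class file breaks the chain at the manifest. The following is an added example (not code from the post, Sun or the JDK) that parses a manifest, including its wrapped continuation lines, and checks each SHA1-Digest against the actual entry in a JAR constructed in memory; the class name and manifest contents are made up for the example.

```python
import base64
import hashlib
import io
import zipfile


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into (main_section, {name: attributes}).

    Sections are separated by blank lines; the first is the main section,
    each later one is an individual entry keyed by its Name: attribute.
    Lines longer than 72 bytes are wrapped, and a continuation line starts
    with a single space, so those are re-joined before parsing.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)

    sections = [{}]
    for line in lines:
        if line == "":
            if sections[-1]:
                sections.append({})       # blank line ends a section
            continue
        name, _, value = line.partition(":")
        sections[-1][name.strip()] = value.strip()
    if not sections[-1]:
        sections.pop()

    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def sha1_digest_b64(data):
    # JAR digests are base64 of the raw SHA-1 over the uncompressed entry.
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def check_manifest_digests(jar_bytes):
    """Return {entry name: True/False} for every manifest entry carrying a
    SHA1-Digest, comparing it with the file actually in the JAR.
    An entry listed in the manifest but missing from the JAR fails."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        _, entries = parse_manifest(
            jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = set(jar.namelist())
        for name, attrs in entries.items():
            digest = attrs.get("SHA1-Digest")
            if digest is None:
                continue
            if name not in names:
                results[name] = False
                continue
            results[name] = sha1_digest_b64(jar.read(name)) == digest
    return results


def build_sample_jar(tamper=False):
    """Constructed sample JAR (not a real applet): one fake class file whose
    manifest digest was computed over the original bytes. With tamper=True
    the class is swapped after the manifest was written."""
    original = b"\xca\xfe\xba\xbe fake class bytes for the example"
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Created-By: added example\r\n"
        "\r\n"
        "Name: com/example/Launcher.class\r\n"
        "SHA1-Digest: " + sha1_digest_b64(original) + "\r\n"
        "\r\n"
    )
    payload = b"\xca\xfe\xba\xbe modified class bytes" if tamper else original
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("com/example/Launcher.class", payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_manifest_digests(build_sample_jar()))
    print(check_manifest_digests(build_sample_jar(tamper=True)))
```

Note what this check does and does not buy you: it catches a JAR whose contents were altered after signing, but the repurposing attack discussed below never alters the JAR at all. The attacker serves the publisher's original, validly signed applet and only controls the page and the applet parameters, so every digest and signature still verifies.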

For anyone interested in the verification process, this paragraph from the Java Plug-in Developer's Guide gives a good description. In practice, the user is presented with a dialog like this:



Contrast this to the dialog box that IE7 presents when installing a new ActiveX control (and note that I clicked for "more options" to show the always install/never install options):



The difference, from a security perspective, is obvious*: Sun want you to always trust the publisher; Microsoft want to ask you every time. For anyone wondering whether you only see this behaviour with Sun-signed applets: this is the default behaviour for all signed applets (don't believe me? Go check out the Hushmail applet). It is worth noting, however, that the checkbox is only ticked if the certificate chain verifies all the way up to a trusted root CA certificate. If the certificate has expired, or is self-signed, the checkbox will not be ticked.


This is a pretty interesting design decision. If you click "Run" in the Java dialog box above with that checkbox ticked, you're allowing all existing and future applets signed by the same publisher (strictly, by the same certificate) to run automatically, regardless of the website they are loaded from and the parameters they are instantiated with. So even if you have some level of confidence in the applet you are about to run, if the publisher produced a buggy applet and signed it with the same certificate, a malicious website can repurpose that applet and silently use it against you. Scary, huh? This is one of those usability vs. security trade-offs**. Even if the applet is cached on your machine, if the certificate is not in the trusted store you will be prompted every time it's instantiated. If you're the IT manager of a large corporation and your intranet homepage has a signed applet, you probably don't want your users to see a security warning every time they open a browser.


Now for the actual vulnerability... The JNLPAppletLauncher is a "general purpose JNLP-based applet launcher class for deploying applets that use extension libraries containing native code." What this means is that an unsigned applet which requires a signed native code extension such as Java 3D can be launched by invoking the JNLPAppletLauncher and passing it a JNLP file that references both the original applet and the extension. There are some demos here; FourByFour is a great example of Java 3D in the browser (though tic-tac-toe on a 4x4x4 cube... it's not exactly Guitar Hero III).


The JNLPAppletLauncher had a simple directory traversal flaw, exploitable on Windows platforms. The applet reads extensions from the JNLP file, whose location is passed as a parameter when the applet is instantiated. The extension path is checked for the parent-directory sequence "../". On Windows, of course, this is insufficient: the failure to also check for "..\" ultimately allows us to drop an arbitrary file on the file system, since the same path is used both to fetch the extension and to decide where it is written. The extension path is concatenated to the base URL, so we end up with something like:


http://attackerdomain/..\..\..\..\..\..\windows\system32\file.dll


If you're thinking this is an invalid URL, you're right. You'll need a hacked-up web server to honour it, or at least the ability to modify httpd.conf on an Apache server. A request like this causes Apache to generate an HTTP 400 (Bad Request). We can translate that into an HTTP 302 (Redirect) via the ErrorDocument directive. The applet follows the redirection and writes the downloaded content to the path "..\..\..\..\..\..\windows\system32\file.dll".
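To make the flaw concrete, here is an added example in Python (not the launcher's own Java, and not Sun's fix) of the check as described above beside a version that would have stopped it. The base URL example.invalid and the function names are assumptions for the example. The hardened version does not look for bad substrings at all: it decodes the path once (as the server will), treats backslash as a separator, refuses absolute paths, drive letters and full URLs, resolves "." and ".." and then requires the result to stay under the base directory, returning the safe relative path to use for both the download URL and the cache location.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed base URL of the page the JNLP file was loaded from; must end in "/".
BASE_URL = "http://example.invalid/applet/"


def vulnerable_check(ext_path):
    """The check as the post describes it: only "../" is rejected, so the
    Windows form "..\\" passes through unchanged."""
    return "../" not in ext_path


def extension_url(ext_path, base_url=BASE_URL):
    """What the vulnerable launcher effectively built: plain concatenation."""
    return base_url + ext_path


def resolve_extension(ext_path, base_url=BASE_URL):
    """Hardened version: return the extension's relative path if, after
    decoding and normalisation, it still lies inside base_url; else None."""
    # The web server percent-decodes once, so decode before looking at it,
    # and treat "\" as a separator because Windows does.
    decoded = unquote(ext_path).replace("\\", "/")
    if urlsplit(decoded).scheme or decoded.startswith("/"):
        return None                      # full URL or absolute path
    if re.match(r"^[A-Za-z]:", decoded):
        return None                      # Windows drive letter
    base_path = urlsplit(base_url).path  # e.g. "/applet/"
    resolved = posixpath.normpath(posixpath.join(base_path, decoded))
    # normpath strips the trailing slash, so compare against the directory
    # prefix including its slash to avoid matching "/applet2/...".
    if not resolved.startswith(base_path):
        return None
    return resolved[len(base_path):]


if __name__ == "__main__":
    evil = "..\\..\\..\\..\\..\\..\\windows\\system32\\file.dll"
    print("vulnerable check accepts it:", vulnerable_check(evil))
    print("URL the launcher would request:", extension_url(evil))
    print("hardened check returns:", resolve_extension(evil))
    print("legitimate path returns:", resolve_extension("lib/jogl-natives.jar"))
```

The same resolution step should be applied a second time, against the cache directory, when choosing where to write the downloaded file; a path that is safe relative to the URL but then joined unnormalised onto a local directory is exactly how the file ends up in system32.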


Sun have now fixed this issue, so the applet you can retrieve from https://applet-launcher.dev.java.net is no longer vulnerable. Since the JAR is not an officially supported product, there will be no Sun Alert released. And given the prerequisites for this attack (you have to coerce a user into visiting a malicious web site, then have the user agree to run the applet [unless of course they have already trusted Sun as a publisher], then you need a hacked-up web server), I do not consider this issue to be especially serious. That said, it's worth checking your Java trusted certificate store to see exactly which publishers you currently trust. You can get to this via the Java Control Panel (C:\Windows\system32\javacpl.cpl):



Anyway I'll be revisiting signed applets in a future post. In the meantime, my advice is beware of always trusting the publisher.




Cheers

John


* Though the dialog boxes look pretty similar and present the same information, the bottom panel is used to communicate different messages: Microsoft warn you that the file could harm your computer; Sun tell you that the certificate chains to a trusted root CA certificate (which is redundant, as they've already told us "the application's digital signature has been verified" in the top panel).


** If you want to check out some of the Java community's feedback to this dialog box, check out the comments on Stanley Ho's blog post from 2005, Deployment: Goodbye scary security dialog box!


PayPal takes a bite out of Apple

by Mike Rothman on February 28, 2008

in SBN


I'm a big fan of the Mac as a computing platform. No, OS X isn't more secure than Vista. But there are a lot fewer folks looking to exploit it and it's certainly architected (as is Vista) in a more secure fashion than Windows XP.

But does that mean you should be using all of Apple's applications, like the Safari browser? Not necessarily. The CSO (chief security officer) of PayPal goes on a bit of a tirade in this NetworkWorld article about why Safari isn't a good option - for those who care about security anyway.

The reality is that he's right. I personally use Firefox on all my devices (Macs, PCs, and virtualized PCs running on my Mac). I do that because of NoScript. I've mentioned that plug-in before, but until it is ported to (or that capability is included in) the other browsers, I'm not going anywhere. It's that important.

So yes, Safari is missing some stuff, like a built-in phishing filter or support for extended validation SSL certificates. I find the former to be a much bigger issue than the latter, as evidenced in today's Daily Incite. But suffice it to say, these aren't deal-breakers for me. It's all about NoScript and that drives me to Firefox.

Photo credit: karmablue


Revisiting OOB

by Eduardo Tongson on February 27, 2008

in SBN

I was reading the entry for TCP at Wikipedia; one thing that caught my attention is the description of Out of Band data. The verbatim description: You are able to interrupt or abort the queued stream instead of waiting for the stream to finish. This is done by specifying the data as urgent. This will tell the receiving program to process it immediately, along with the rest of the urgent data. When


VMSafe = A Safer More Secure VMWare Environment

by John Peterson on February 27, 2008

in SBN

New VMware VMsafe™ Technology Allows the Virtual Datacenter to Be More Secure Than Physical Environments

Twenty Industry-Leading Security Vendors, Including CheckPoint, McAfee and Symantec, Endorse VMsafe Technology and Announce Plans to Build Interoperable Security Solutions

Cannes, FRANCE, February 27, 2008 – VMware, Inc. (NYSE: VMW), the global leader in virtualization solutions from the desktop to the datacenter, today announced new security technology called VMware VMsafe™, http://www.vmware.com/go/vmsafe,  that protects applications running in virtual machines in ways previously not possible in physical environments.

To read more click here:  http://www.vmware.com/company/news/releases/vmsafe_vmworld.html

---------

Wow, what an announcement today for security vendors looking to sell their wares to a growing base of customers taking advantage of virtualization, and a great way for VMWare to help its customers secure the networks created by VMWare!

This announcement from VMWare does highlight that VMWare is serious about helping their customers address security challenges. What is still to be determined, however, is what this really means to customers. There were 20 security companies announced in the partnership and little information about what security problem each company is solving. I guess we should expect to see 20 press releases from these individual security companies in the near future.

My educated guess, though, is that most security vendors will just be offering their existing security products, which are in many cases physical firewalls, anti-virus, UTM, etc. The real value will come from solutions that bring unique value to the virtual environment, as opposed to network designs that dictate routing traffic out of the virtual environment to a physical security appliance and back in. The other question is: will the software vendors just be installing their software on the operating systems of virtual machines instead of physical machines?

Are there any real hooks being offered today that connect to VMWare and take advantage of these APIs, or are these things yet to come? My educated guess is that these are still things yet to come from the majority of the vendors in the program.

I've had the privilege of reading the API documents as the CTO of Montego Networks, which is also part of the VMsafe program that was just announced, and I am very excited about the future possibilities of the program.

I'm excited to see the space finally get its due attention and am confident that the program will give birth to many new ideas and products that help solve the many security challenges introduced by virtualization.
(Image: VMsafe partner logos)

There are so many vendors in this newly announced program.  I hope to see quality from the program vs. marketing quantity!





Should you use virtual credit cards?

by Mike Rothman on February 26, 2008

in SBN


I got a press call this morning from a guy looking to learn more about "virtual credit cards." These are one-time use numbers that protect your main credit card and can only be used one time on one site. This capability is available from a few of the large credit card banks. Check out more information at the Cardratings site.

The reality is that using these virtual credit card numbers is a pain in the butt. You have to either download some software or go to yet another web site to get the right credential to use. Is it worth it? The answer is a big maybe.

If you are doing business with a totally new site, then it probably is. Credibility and trust are earned, and until a vendor has had an opportunity to earn my trust, I'd rather shield my true financial information.

On the other hand, you are now pretty much insulated since you will be reimbursed on any fraudulent charges on your card. But to be clear, having your credit card compromised is a huge hassle, so you want to avoid it.

Truth be told, I don't use virtual credit cards very often. But I am also very selective about the online merchants I use. As always, you are better safe than sorry.

Photo credit: pt


Point and Click Trojan

by Eduardo Tongson on February 25, 2008

in SBN

SharK definitely dumbs down Trojan creation; it requires no programming skill at all. It allows for the creation of malware with features such as:

  • encryption
  • polymorphism
  • custom payloads
  • virtual machine detection
  • compression
  • debugger detection
  • password mining
  • remote management
  • software inventory
  • active process and network connection information
  • capture desktop and webcam images
  • record audio
  • log keystrokes
  • analyze


Wherefore broadcast SSIDs?

by Mike Rothman on February 25, 2008

in SBN

It really is amazing how many open wireless networks you can find. If you are somewhat technical, get a wireless scanner (like NetStumbler) and see what you can find. Once you are in there, you can use an open source tool like Metasploit to attack, I mean test, the machines you find on the open network. Statistically, you'd probably be successful in compromising machines a majority of the times you try.

Yes, that's scary stuff. It's also why the first step in Security Mike's Guide is to secure your networks. One of the common misconceptions is that you need to stop broadcasting your SSID, which is the network identifier of your wireless network. I'm with Steve Riley on this one. He gives a pretty good treatment of why it doesn't matter whether you broadcast or not.

Whether someone can see your network or not is beside the point. The real question is whether they can access it. By doing some very simple security configuration on your wireless router, you can make it a LOT harder to penetrate.

Photo credit: dasmart


What type of security do I need in my Virtual Network?

by John Peterson on February 24, 2008

in SBN

In the physical world we have all grown to understand that there are many types of security solutions needed to secure your environment. We purchase products like switches with ACLs, firewalls, intrusion prevention devices, patch management appliances and network access control appliances, and many times we forgo "best of breed" and go for the "all in one" approach and deploy UTM devices.

So what has changed for the virtual environment?  Nothing really.  Those same types of choices and things need to be looked at and considered.

But!  The Vendor community would lead you to believe that you don't need various types of security products in your virtual environment.  They would also lead you to believe that you only need their solution.  In fact, they all compete against each other to some extent. 

I'm sure if you were to ask Reflex who their competitors were, they would tell you Blue Lane and Catbird, or if you were to ask Catbird who their competitors were, they would say Blue Lane and Reflex. I know this because I used to cite these companies as competitors myself while serving as the Chief Product Officer at Reflex Security.

As vendors we spend so much time trying to show our own value that we lose sight of the real value of security solutions working together to provide a comprehensive, secure solution vs. a single point solution.

Think about this for a moment.  None of the following vendors really compete with each other, in fact they can complement each other:

Blue Lane - Provides Inline Patch Management
Reflex Security - Provides Intrusion Prevention
Montego Networks - Provides Secure Switching (Firewalling + Switching)

Still Secure - Provides IPS
Catbird - Provides IPS

Now, you can say Reflex, Catbird and Still Secure compete but the rest are very different.

The real question is how you deploy firewall, patch management and intrusion prevention products in your virtual environment. Well, one way is to deploy them in "series", where each product requires a dedicated virtual switch. Take a look at the picture below and you will see how messy the design looks:

(Diagram: security products deployed in series, each behind its own vSwitch)

Each time a packet has to enter and leave a vSwitch you will experience some performance degradation; however, this is a requirement from VMWare if you want to install "guest-based" security appliances.

This security-product-to-vSwitch-to-security-product-to-vSwitch chain is very much like the A/D (analog to digital) conversions that take place on digital networks. Each time you make an A/D conversion you introduce noise, and noise introduces signal loss, which means poor performance or sound quality.

Not to mention its just really messy looking!

So, how does one deploy the security products one needs in the virtual environment without causing a performance challenge and how do we get the vendors to stop competing and start joining forces to deliver solutions that work together?

Well, one way of doing this is to put some intelligence in the switching architecture so that it can play "traffic cop" and send traffic to the needed security applications. This type of design would be security in parallel vs. in series. Take a look at the graphic below and it will be clearer:

(Diagram: security products deployed in parallel behind a central security switch)

You'll also note from this picture that the Security Switch in the center can already see VM-to-VM communication, and by playing traffic cop as well as switch and firewall it can extend its VM-to-VM visibility to security products that do not have that ability on their own.

In the previous picture, products were deployed in series and there was no VM-to-VM patch management, VM-to-VM intrusion prevention or VM-to-VM network access control. What you were able to get was VM-to-physical patch management, intrusion prevention, etc.

With a product such as a Virtual Security Switch you get VM to VM everything hooked up to the Security Switch. 

What a concept!  Companies partnering to provide a comprehensive security solution.  No competing, each company focuses on their core competencies and works together to give customers what they really need.

Think about it, does McAfee compete with NetScreen?  Did Checkpoint compete against Tipping Point back in the early days?  No, we had Firewalls, Anti-Virus, Intrusion Prevention products all co-existing and many of these vendors partnered with Extreme and Foundry since they were the connectivity point of the network.

I think the virtual network is no different, so vendors, please stop confusing the market and telling customers they only need IPS, or only need Firewall, or only need Patch Management.  What customers need is choice and the ability to have the products they choose co-exist without causing major performance and management challenges.

-JP


Posix File Capabilities

by Eduardo Tongson on February 22, 2008

in SBN

I mentioned before that suid binaries are getting scarce. In Linux, since 2.6.19-rc5-mm2 POSIX file capabilities are implemented. It was introduced into mainline in 2.6.24-rc2. As an example let's look at the ping program; as you may know ping needs CAP_NET_RAW to generate raw packets and the old practice is to make the ping executable binary suid root. Tinyping is a small assembly version of ping
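What replaces the suid bit is an extended attribute, security.capability, that setcap(8) writes on the binary and the kernel reads at exec time. The following is an added example, not from the post or from libcap, that encodes and decodes that attribute (struct vfs_cap_data from linux/capability.h: a magic/flags word, then permitted/inheritable pairs for the low and high 32 bits, plus a rootid word in revision 3) and prints the result in roughly the "cap_net_raw=ep" notation getcap uses. The sample bytes are constructed to match what `setcap cap_net_raw+ep ping` stores; the CAP_NAMES table is deliberately partial.

```python
import os
import struct

CAP_NET_RAW = 13                      # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001    # "+e": permitted caps become effective at exec

# Partial name table for display; anything else prints as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}


def encode_vfs_caps(permitted_bits, inheritable_bits=(), effective=True):
    """Build a revision-2 security.capability value (20 bytes, little-endian),
    the format setcap writes on kernels without namespaced file caps."""
    permitted = sum(1 << b for b in permitted_bits)
    inheritable = sum(1 << b for b in inheritable_bits)
    magic_etc = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic_etc,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)


def decode_vfs_caps(blob):
    """Decode a security.capability value of revision 1, 2 or 3.

    Returns {'revision', 'effective', 'permitted', 'inheritable'} with the
    last two as sets of capability bit numbers. Length is checked strictly,
    because a truncated or padded blob would be rejected by the kernel too.
    """
    if len(blob) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    words = {1: 1, 2: 2, 3: 2}.get(revision)      # number of 64-bit halves stored
    if words is None:
        raise ValueError("unknown vfs_cap_data revision %d" % revision)
    expected = 4 + 8 * words + (4 if revision == 3 else 0)   # rev 3 adds rootid
    if len(blob) != expected:
        raise ValueError("revision %d needs %d bytes, got %d"
                         % (revision, expected, len(blob)))
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": {b for b in range(64) if permitted >> b & 1},
        "inheritable": {b for b in range(64) if inheritable >> b & 1},
    }


def describe_caps(caps):
    """Render decoded caps as name=flags pairs, e.g. 'cap_net_raw=ep'."""
    parts = []
    for bit in sorted(caps["permitted"] | caps["inheritable"]):
        flags = ""
        if caps["effective"] and bit in caps["permitted"]:
            flags += "e"
        if bit in caps["inheritable"]:
            flags += "i"
        if bit in caps["permitted"]:
            flags += "p"
        parts.append("%s=%s" % (CAP_NAMES.get(bit, "cap_%d" % bit), flags))
    return ",".join(parts)


def read_file_caps(path):
    """Decode the xattr of a real file (Linux only, readable unprivileged).
    Returns None if the file carries no capabilities or xattrs are unavailable."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        blob = getxattr(path, "security.capability")
    except OSError:
        return None
    return decode_vfs_caps(blob)


if __name__ == "__main__":
    import sys
    sample = encode_vfs_caps({CAP_NET_RAW})      # constructed: setcap cap_net_raw+ep
    print("sample:", describe_caps(decode_vfs_caps(sample)))
    for path in sys.argv[1:]:                    # e.g. /bin/ping on a capability-aware distro
        caps = read_file_caps(path)
        print(path, describe_caps(caps) if caps else "(no file capabilities)")
```

Run it with a path argument to audit a binary; a ping carrying cap_net_raw=ep and no suid bit is the end state the post is describing, and a binary showing cap_sys_admin or cap_dac_override in its file caps deserves the same scrutiny as a suid root executable, since those are close to root-equivalent.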
