Security

Cutting Corners Doesn’t Buy You Anything

There has been a lot of talk about identity theft, security threats and securing private data lately. You’ve all seen reports of a buggy company website exposing private data to the public, of phishing scams, or of an employee using private data for personal gain. It makes you think about all of the personal data you hand out each day, whether to social media sites, for online purchases, or to your phone and utility provider. How secure is it?

From a service provider perspective, the minute we store a user’s private data, for example their username and password, we’ve taken on the responsibility of securing that data too. Let’s say a hacker somehow obtains a list of all our usernames and passwords. Either it was an inside job by someone who had access to the database, or the database was accidentally exposed to the public web. It doesn’t matter how. It just happened.

Now, as a customer I wouldn’t be happy about my private data becoming available. However, I would expect the owner of the application in question to have taken sufficient measures to render it useless to third parties. At the very least, the passwords are not going to be sitting there in plain text, right?

RIGHT?????

The answer – from experience – is way too often “unfortunately not”!

Don’t get me wrong, most system designers, developers and project managers are smart people. They think long and hard and often times come up with a reason to avoid taking the standard security measures which everyone sort of knows about.

They are wrong!

How can I be so sure? Because, when it comes to web-app security, cutting corners doesn’t buy you anything. It doesn’t save you coding time (in the long run). It doesn’t give your users a better experience. All it does is weaken the security of your web site, needlessly putting your users, your employer, and yourself at risk.

As the developer, you might think that it’s relatively unimportant if your user’s application password is exposed as plain text. After all, what’s an attacker going to do with, for example, forum credentials? Post angry messages on the user’s behalf? And what about the small business that requires private data from their customers to sign up for a company newsletter? Same thing here. The consequences of exposed data seem small.

But most users re-use the same password everywhere, probably because they can’t remember the two dozen unique usernames and passwords they’re forced to have. So if you obtain their forum password, it’s likely you also have the password to something a lot more dangerous: online banking, PayPal, etc.

So please allow me to state the obvious:

If you are storing plaintext passwords in a database, you are making a mistake!!!

A lot of developers – often times too late – move to hashed passwords. Even this is not enough to thwart a determined attacker. Hashes alone are better than plain text, but barely. An unsalted hash keeps the plaintext out of the database, but with a fast general-purpose hash (MD5, SHA-1, SHA-256) the same password produces the same hash in every database, which is exactly what makes precomputed rainbow tables and bulk brute-force attacks so astonishingly effective.

The solution here is salted hashes based on computationally expensive(!) hash functions which were designed for password applications. If you do not know what a “salted hash” is or why you should waste precious compute cycles for password storage – you need some help. Hire someone that knows. Otherwise, it’s only a matter of time before you pay for this…

So please let me take this opportunity to ask if you know of (or perhaps work on) any software systems that store passwords plain text in a database. If so, fix your software now:

  • Salt and hash each and every password, using a computationally expensive function designed for password storage (bcrypt, scrypt or Argon2), never a plain MD5 or SHA digest.
  • Store the salt and hash – not the password – in your database.
  • Throw the password itself away.
  • Educate your fellow developers! This might feel like “development 101”, but not everyone knows what you know. Really!
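Here is what the list above looks like in code, as an added example that is not part of the original post. bcrypt is not in the Python standard library, so the hardened half uses PBKDF2-HMAC-SHA256 from hashlib instead; it has the same shape as bcrypt (per-user random salt, tunable cost) and makes the same point. Beside it sits the unsalted MD5 approach the post warns against, with a tiny precomputed dictionary standing in for a rainbow table. The iteration count, the `algorithm$iterations$salt$hash` record format and the sample passwords are choices made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# --- The mistake: an unsalted, fast general-purpose hash ---------------------
def weak_hash(password: str) -> str:
    """What 'we hash the passwords' too often means in practice."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Stand-in for a rainbow table: a precomputed dictionary of common passwords.
# Constructed for this example; real tables hold billions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "paul"]
LOOKUP_TABLE = {weak_hash(p): p for p in COMMON_PASSWORDS}

def crack_with_table(stored_md5: str) -> Optional[str]:
    """No salt means the same password hashes identically in every database,
    so one precomputed lookup recovers it for every user who chose it."""
    return LOOKUP_TABLE.get(stored_md5)

# --- The fix: per-user random salt plus a deliberately slow KDF ---------------
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed cost; OWASP's current floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64).
    The password itself is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with a lower cost than current policy.
    Check this on every successful login and re-hash, so old rows catch up."""
    algorithm, its, _salt, _dk = stored.split("$")
    return algorithm != ALGORITHM or int(its) < iterations

if __name__ == "__main__":
    # Two users who picked the same weak password.
    print("md5(paul) == md5(paul):", weak_hash("paul") == weak_hash("paul"))
    print("table lookup recovers:", crack_with_table(weak_hash("paul")))
    rec1, rec2 = hash_password("paul"), hash_password("paul")
    print("salted records identical:", rec1 == rec2)        # False
    print("verify correct:", verify_password("paul", rec1))  # True
    print("verify wrong:", verify_password("Paul", rec1))    # False
```

Two things worth noticing when you run it: the two salted records for the same password differ, so a table lookup against one row tells an attacker nothing about any other row, and the cost parameter lives inside the record, so you can raise it next year and migrate users transparently at login instead of forcing a reset.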

You will be glad you did…

Know Your Enemy: Malicious Web Servers

Even seemingly safe web addresses can be full of attack code aimed at vulnerable clients, according to a new study from the Honeynet Project & Research Alliance (http://www.honeynet.org/). The study also finds that defenses such as blacklists can be surprisingly successful in stopping client-side attacks.

“The ‘black hats’ are turning to easier, unprotected attack paths to place their malware onto the end-user’s machine,” they said in the study, called “Know Your Enemy: Malicious Web Servers.”

Users can be led to malicious sites via links, typing in an address manually, mistyping an address or following search-engine results.

Using a “high-interaction” client honeypot called Capture-HPC, developed at Victoria University of Wellington, the researchers analyzed more than 300,000 addresses on around 150,000 hosts.

The analysis covered several site categories, including adult, music, news, “warez”, defaced and spam sites, as well as addresses designed to catch traffic from users who mistype common web addresses. While some categories were more likely to contain malicious addresses than others, they could be found everywhere:

“As in real life, some ‘neighborhoods’ are more risky than others, but even users that stay clear of these areas can be victimized,” the report said. “Any user accessing the web is at risk.”

While the findings themselves are not really surprising – this kind of attack has long been known – the study also analyzed the effectiveness of safeguards against such infections in some detail, showing that blacklists, if regularly updated, can be a surprisingly effective way of blocking malicious addresses.

The study also recommends regular patching, but this may not always be straightforward, because a good share of the attacks target browser plug-ins and non-browser applications: “Attacks also target applications that one might have not think about patching, such as Winzip”.

Another observation is that a less popular browser, such as Opera, was simply not being targeted, despite having its own bugs: “Despite the existence of vulnerabilities, this browser didn’t seem to be a target”.

The data used for the study as well as the paper can be found here: http://www.honeynet.org/papers/mws/

Common Sense and Network Security

Within the past few months, two of our clients suffered severe security breaches. In other words: they “got hacked”. Were they big multi-million dollar enterprises? No – both were Vancouver-based SMBs with fewer than 100 employees. It is always amazing how little importance small and medium-sized businesses attach to network security. The most frequently heard question is…

Why Would Someone Want to Hack Into a Small Business Like Ours?

For many reasons! First of all: it’s nothing personal! If you still think of “hackers” as guys in trench coats sitting in dark rooms littered with pizza boxes, lit only by the glow of monitors: think again. People are always amazed by the following demo: take a freshly installed Windows machine with the firewall disabled. Connect it to the internet and leave it alone for 30 minutes. Now run a virus scan – whoa! That’s just 30 minutes. This is what your company network faces every single day. So let’s face the fact:

Your Network is Under Attack

I am not trying to create panic. It’s a simple fact every sysadmin doing her job knows. Accept it! It’s real, and it’s probably happening right now. Go check!

Almost all attacks you are facing are widespread, automated attacks against large portions of the network. To use a common analogy, you are not dealing with a criminal mastermind spending all night trying to break into your house, but with a small-time crook who bought a bunch of generic keys on eBay and is walking down the street trying each key in every lock.

Aside from viruses spread via email, the most common forms of attack are password guessing and the automated exploitation of security holes in software installed on servers and clients reachable from the outside world. The good news is: since the attacks are generic, they can largely be prevented using common sense and widely available, mostly free tools.

What Are They After?

The question is still out there: why would someone try to infiltrate your network in the first place? Spammers will try to get their hands on your address books – already verified (by you!) email addresses are worth real money. They will also often install software on your machines that helps distribute spam. If you notice that emails sent from your network frequently get stuck in other people’s spam filters, it’s probably because you have been blacklisted as a source of spam. This is very difficult to reverse and can mean a severe hit to your company’s credibility, not to mention the waste of computing and network resources and the person hours needed to clean the systems.

A successful attacker will also routinely scan your systems for credit card numbers and passwords stored on disk.

Another common use of infiltrated systems is targeted attacks against other networks – so-called distributed denial of service (DDoS) attacks. The intruder installs software on your (and thousands of other) machines that “sleeps” until it receives a start signal, at which point the machines bring the target network to its knees by flooding it with more requests than it can handle. This has happened to Amazon, eBay and many other big players.

Things get embarrassing when client-related information gets exposed and the source is traced back to your company. Remember that you are responsible for taking “appropriate measures” to protect your clients’ information. While you might be able to demonstrate this in a court of law, it will be much harder to regain your clients’ trust.

Apply Common Sense

Use secure passwords! It is amazing how often the “number one rule” gets violated. The most basic form of attack runs dictionaries and name lists against the login to guess username and password combinations. Networks allowing remote access – via web forms, shell or VPN – with combinations like “paul/paul” are easy targets.

Maintain a firewall for your network and configure it conservatively – only allow access to the ports that are really essential, and ideally only from trusted IP addresses. If the person responsible for your network can’t explain to you in plain words what a “port” is, you are in big trouble! Ask her – now!!!

Utilize Intrusion Detection Systems (IDS) such as OSSEC or Snort. If this for some reason proves infeasible, at least use easy-to-install tools like DenyHosts, which watches the authentication log and blocks addresses that keep failing to log in.

Scan emails BEFORE they reach the client machine. For some reason it seems almost impossible to prevent employees from opening unknown attachments (“Oh look – someone I don’t know sent me a postcard! Let’s open it…”) – curiosity killed the cat. Virus scanning emails before they are delivered to the client is a vital element in combating spam and preventing virus infections.

Educate your employees! Knowledge is the best defense. Trust me: the time and money it takes to raise awareness amongst your workforce is nothing compared to the cost of system recovery, damage analysis and damage control. Some of our clients hold their employees personally responsible for carelessly exposing the network to security risks.

Update all your machines on a regular basis – especially the operating system. Apply the latest security patches for every piece of software installed on your machines.

Regularly virus scan all machines in your network, using up-to-date virus definitions.

Check your server logfiles regularly for suspicious activities.
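As an added example (not from the original post), here is the kind of check a log review or a tool like DenyHosts performs: count failed SSH logins per source address inside a sliding time window and flag addresses that cross a threshold. The sshd log lines are constructed for the example (documentation IP ranges, made-up host and user names); the threshold, the window and the fixed year assumed for the yearless syslog timestamps are choices made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample of sshd entries in traditional syslog format. Addresses are
# from the RFC 5737 documentation ranges; host and user names are made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2044]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:15:03 web1 sshd[2046]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 10:15:04 web1 sshd[2051]: Failed password for root from 203.0.113.45 port 51034 ssh2
Mar  3 10:15:06 web1 sshd[2053]: Failed password for paul from 203.0.113.45 port 51040 ssh2
Mar  3 10:15:07 web1 sshd[2055]: Failed password for paul from 203.0.113.45 port 51044 ssh2
Mar  3 10:16:10 web1 sshd[2060]: Failed password for paul from 198.51.100.7 port 40212 ssh2
Mar  3 10:16:20 web1 sshd[2061]: Accepted publickey for paul from 198.51.100.7 port 40214 ssh2
Mar  3 10:17:30 web1 sshd[2070]: Invalid user oracle from 192.0.2.99 port 33001
Mar  3 10:17:31 web1 sshd[2070]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
Mar  3 10:18:00 web1 cron[2080]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; fixed here for the sample

def parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")

class Alert(NamedTuple):
    ip: str
    failures: int       # failures inside the window when the alert last fired
    users: List[str]    # distinct accounts tried
    first: datetime
    last: datetime

def detect_brute_force(lines: Iterable[str], threshold: int = 5, window_seconds: int = 600
                       ) -> Tuple[Dict[str, Alert], List[Tuple[str, str, str]]]:
    """Sliding-window count of failed logins per source address.

    An address is flagged once it produces `threshold` or more failures within
    `window_seconds`. A later successful login from an address that already had
    failures is reported separately: it may be the legitimate owner, or a guess
    that worked.
    """
    attempts: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Alert] = {}
    successes_after_failures: List[Tuple[str, str, str]] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            q = attempts[ip]
            q.append((ts, m["user"]))
            while q and (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()                      # drop failures outside the window
            if len(q) >= threshold:
                alerts[ip] = Alert(ip, len(q), sorted({u for _, u in q}), q[0][0], ts)
            continue
        m = ACCEPTED_RE.match(line)
        if m and attempts.get(m["ip"]):
            successes_after_failures.append((m["ip"], m["user"], m["method"]))
    return alerts, successes_after_failures

def hosts_deny_lines(alerts: Dict[str, Alert]) -> List[str]:
    """The same shape of entry DenyHosts appends to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(alerts)]

if __name__ == "__main__":
    alerts, suspicious = detect_brute_force(SAMPLE_LOG.splitlines())
    for a in alerts.values():
        print(f"{a.ip}: {a.failures} failures, users {a.users}, {a.first:%H:%M:%S}-{a.last:%H:%M:%S}")
    for ip, user, method in suspicious:
        print(f"review: {user} logged in via {method} from {ip} after earlier failures")
    print("\n".join(hosts_deny_lines(alerts)))
```

Run it and the one address that tried admin, root and paul five times in six seconds is flagged, while the legitimate user who mistyped once and then logged in with a key only earns a “review” line. Tighten the window or threshold to taste; the point is that the signal is already in the log, and the check is a few lines, not a product.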

Encrypt your data using strong encryption! Then, even if your network gets breached, an intruder who walks off with a database dump, a backup tape or a laptop gets ciphertext rather than your vital data. Be aware of the limit, though: encryption at rest only helps if the keys are not sitting on the same compromised machine, since an intruder who controls a running system can read whatever that system can decrypt.