Feb 28 2015

This is a little rant about those people who feel the need to jump on every announcement of a security issue with Linux or Windows, and claim their favourite operating system is more secure. These days such rants are little more than fanboyism, and childish at that. 

I'm an old Unix guy (and thus am into Linux rather than Windows), and in the past I used to ramble on about how insecure Windows was. And Windows used to be a complete disaster area when it came to security.

But that has changed. Whilst I'm still not a big Windows fan, the security of Windows itself has improved to the point where it's not too bad.

Of course there are plenty of software vendors out there who are completely clueless when it comes to security, so any time you add some piece of cool corporate software to a Linux or Windows server you're running a big risk. 

But back to the haters. 

The most irritating thing about the whole 'my operating system is more secure than your operating system' argument is the simplistic comparison of Linux and Windows. They are not directly comparable: simply counting the number of security vulnerabilities in "Linux" and "Windows" is an overly simplistic comparison.

First of all, Linux has many more components than Windows; partially because Linux tends to throw in the kitchen sink, and partially because of a different philosophy – the "Unix way" is to build many small tools rather than one big tool. But just because Linux includes tons of stuff doesn't make insecurities in all that stuff a problem on your server – for example, none of my web servers have a web browser installed, so all those hundreds of web browser bugs are irrelevant to my servers. 

Windows itself has caught onto the trick that has been standard practice for decades – only install the stuff you actually need. Whilst there are popular Linux distributions that do the same thing (Debian and Ubuntu amongst others), there are still some that tend to install far too much (RedHat, SLES, etc.).

Secondly, the number of vulnerabilities does not take into account how serious each vulnerability is. Ten privilege escalation vulnerabilities come nowhere close to a Shellshock.

When you come down to it, the choice of which operating system to run has less of an effect on how vulnerable your server is than who runs your server. A tightly controlled Windows server that is patched often and well configured is far more secure than a Linux server that is patched when installed (if then!) and then left alone by an administrator who assumes that "out of the box" configurations are suitable.

Jan 30 2015

There's a game called "victim blaming" which is where people decide the victim of a crime is somehow partially or wholly responsible – the old "if she hadn't worn such a short skirt …".

Which is rubbish of course. The perpetrator of a crime is the one responsible for carrying it out whatever the circumstances.

But the shouting down of the "victim blamers" can perhaps drown out messages that allow risk reduction, and allow certain myths to be perpetuated. For example, many women believe that they are more at risk from strangers whereas most rapists are known to the victim.

Take a slightly less contentious crime – a phishing spam that criminals use to empty the bank accounts of the victim. Whilst the criminal here is obvious – the person who used stolen credentials to empty the bank account – the criminal needed the victim to make certain risky decisions.

[Screenshot of the phishing email, captured 2015-01-29]

As you cannot look at the link contained within the screenshot, it's worth pointing out that if you paste the URL into a notebook, you will get a Brazilian site … and I strongly suspect that Lloyds Bank is not very likely to use a Brazilian site (.br) for hosting their online account service.

And we call such victims "gullible". In the case of phishing, there are some simple procedures to follow :-

  1. Email doesn't necessarily come from whom it claims to be from. I can send you an email that will look as if it comes from Goodluck Jonathan without having anything to do with his email account.
  2. Don't click on links in emails.
  3. If your bank sends an email asking you to do something, shut down the email and open a web browser and use your existing way of getting to your bank's web site. Same applies to shopping sites, your workplace's IT department, etc.
  4. If you are determined to use a link from an email, copy the link into a notebook and read it. Does it make sense? Does the first part mention an organisation that has nothing to do with the organisation it is supposedly from? Don't trust it.
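Step 4 can be done mechanically. The following is an added example, not part of the original post: a small Python check that reads a link the way the post suggests a person should, working out which domain actually owns the hostname and whether the organisation's name appears somewhere other than that owning domain. The bank's real domains (`EXPECTED_DOMAINS`), the keyword list and the two-level suffix table are assumptions for the example, and the sample links are constructed, not the one in the screenshot.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumptions for this example (not from the post): the domains the bank really uses,
# and the words a phisher would put into a look-alike hostname or path.
EXPECTED_DOMAINS = {"lloydsbank.com", "lloydsbank.co.uk"}
ORG_KEYWORDS = ("lloyds",)

# Two-level public suffixes (co.uk, com.br, ...) are approximated here;
# a real tool would consult the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """The part of the hostname that somebody actually registered:
    'www.lloydsbank.co.uk' -> 'lloydsbank.co.uk', 'a.b.example.com.br' -> 'example.com.br'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url: str, expected=EXPECTED_DOMAINS, keywords=ORG_KEYWORDS) -> list:
    """Return the reasons a link looks wrong. An empty list means nothing obviously
    off; it is not proof that the link is genuine."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""          # lower-cased, brackets and port stripped
    if not host:
        return ["no hostname could be read from the link"]
    if is_ip_literal(host):
        reasons.append("link points at a bare IP address, not a named site")
    else:
        owner = registrable_domain(host)
        if owner not in expected:
            reasons.append(f"owning domain is '{owner}', not the organisation's own domain")
            in_host = any(k in host for k in keywords)
            in_path = any(k in parsed.path.lower() for k in keywords)
            if in_host or in_path:
                reasons.append("organisation's name appears in the link but not as the owning domain")
    if parsed.username is not None:
        reasons.append("link carries a 'user@' part, a classic way to hide the real hostname")
    if parsed.scheme != "https":
        reasons.append("link is not https")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    for sample in ("https://www.lloydsbank.co.uk/personal/login",
                   "http://www.lloydsbank.co.uk.secure-login.example.com.br/online/update",
                   "http://www.lloydsbank.co.uk@198.51.100.23/login"):
        print(sample, "->", check_link(sample) or "nothing obviously off")
```

The second constructed link is the pattern the post describes: the bank's name is the first thing you read, but the registered domain is something under .br. The third shows why reading the whole link matters, since everything before the `@` is ignored by the browser.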

Plus a whole bunch more.

Detailing and quantifying risks isn't victim blaming; it's empowering someone to make educated decisions about their behaviour.

Dec 27 2014

What with North Korea’s latest explosion of bile, Sony is having a network security issue that will be used as an example of how bad things can get for probably decades. The phrase “I’m in the middle of a Sony” will be regularly used within the industry for the worst types of incidents.

It is not clear just what happened to Sony during the incident, and it will quite possibly never be clear. There are rumours that it may be something as simple as a phishing attack, and the FBI has claimed it has recovered code with similarities to code used in previous attacks against targets North Korea would be expected to go after.

It seems pretty certain that the North Koreans were involved in the attack against Sony; in addition to the code fragments, the North Koreans have gone out of their way to claim the attack was orchestrated by themselves. Yes they denied the attacks, but in the same way that a little kid denies having stolen the cake with all the evidence on his face.

Normally a corporation under attack from a state actor can be forgiven for getting opened up like a can of peaches, but this is Sony and a bunch of idiots who if they hadn’t lucked out by being in charge of North Korea would have trouble getting a job flipping burgers.

So Sony Pictures needs to have a good long look at its security. Two big tips for Sony:

First of all, change the name of the security team to the insecurity team. That is not a criticism of the team that does security at Sony right now, but because there is an assumption that the security team handles security and the rest of us don't have to bother.

In reality, security is everyone’s responsibility.

Secondly take a second look at every recommendation that your security team has ever made and you have said No to. And reconsider.

Sep 26 2014

(With apologies to John Brunner for stealing and mangling the title of one of his books, which happens to be a rather appropriate choice.)

What?

The Shellshock vulnerability, where a 23-year-old vulnerability in the bash Unix shell can sometimes be exploited by attackers to run their own code on a vulnerable server. So far this vulnerability has been found to be exploitable with certain popular services running on Unix-based systems (including Linux).

Why?

Because I happen to be one of those going around telling people to fix their servers. And because I needed a place to mouth off about some of the more idiotic reactions I have encountered.

How Bad Is It?

Well it’s unlikely that this will cause the collapse of human civilisation, and it’s probable that your fridge will continue to work.

It’s like being asked how long a piece of string is whilst you’re still hauling it in and have not found the other end yet. It could be a great deal worse than expected or a bit of a damp squib :-

  1. The exploits may be much harder to make use of than expected. An attacker needs to find the vulnerable scripts on the web servers out there, and unless a very common web application is found to be vulnerable, this may not be that easy to find.
  2. There may be a lot more vulnerable devices out there than expected – all of the embedded devices that idiots are assuming are safe because they come with BusyBox could have bash installed as well because some developer found that their script worked with bash and not BusyBox.
  3. An attacker may accidentally release something like SQL Slammer and cause widespread disruption.

Ultimately we have to wait and see how bad it is likely to be. Peering into a crystal ball is always dangerous, but my best educated guess is that :-

  1. We won’t see an Internet melt-down.
  2. Some sites will be broken into and some of those will have data leaked. This will happen anytime between 23 years ago (yes it could have been exploited in the past) and 23 years from now.
  3. Some unexpected ways to exploit this vulnerability will be discovered – for example there are plenty of people who believe that Windows is safe from this; as it happens my Windows 2012 server does have bash installed on it.

Bash? Unix Shell?

Most early operating systems were controlled with some sort of command line where you would enter a command at a terminal, hit return, and then the computer would respond to your commands – a bit like DOS, whose descendant can be discovered on a Windows system if you ever run cmd.exe. One of the innovations introduced by Unix was the concept of the user selecting which command processor to use, and this command processor became known as the shell.

Most Unix shells allowed some level of programming, initially to make repetitive interactive tasks easier to perform, but this eventually became shell scripting, where useful functions could be made available persistently and to other users by writing a sequence of commands into a file.

The concept of replaceable shells allowed early Unix users to choose between various different shells – initially the Bourne shell (sh) and the C-Shell (csh), with improved shells coming along over time – the TENEX C-Shell (tcsh), the Korn shell (ksh), my shell of choice: Z-shell (zsh), and of course the Bourne Again Shell (bash).

The Vulnerability

Unix (and Linux … and Windows too) has the concept of environment variables, where variables can be set to some value and that value will be available to child processes. As an example, the PATH environment variable is set when someone logs in, and is used to specify where to search for programs that are not supplied with a full pathname.

For instance, if you were to enter the command ls into a terminal window, this would be translated to the absolute path /bin/ls (or c:\cygwin\bin\ls under Cygwin on Windows) using the PATH environment variable.

Bash has a feature where it allows shell functions to be defined within an environment variable; however, code that follows the function definition in the same variable is also run.

Normally that would not matter, but when an attacker can provide the contents of the environment variable, then that attacker has a way of running their own code where they should not be able to.
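To make the mechanism concrete, here is an added example (not from the original post) in Python that does two things on the local host: it runs the widely published local check, which puts a value shaped like an exported function, followed by a harmless trailing command, into the environment of a freshly started bash and sees whether that trailing command ran; and it demonstrates the legitimate feature the bug lived in, passing a shell function to a child bash with `export -f`. It assumes a bash binary is reachable via PATH (or the path you pass in) and that the host is one you administer.

```python
import shlex
import shutil
import subprocess

# The environment value used by the widely published local check for this bug:
# it looks like an exported shell function, followed by a command after the
# closing brace. A bash with the function-import flaw runs that trailing command
# while merely starting up; a fixed bash never executes it.
PROBE_VALUE = "() { :; }; echo VULNERABLE"


def _run_bash(bash, script, extra_env=None):
    env = {"PATH": "/usr/bin:/bin"}            # deliberately minimal, controlled environment
    env.update(extra_env or {})
    return subprocess.run([bash, "-c", script], env=env,
                          capture_output=True, text=True, timeout=10)


def bash_runs_trailing_code(bash_path=None):
    """Return 'vulnerable', 'patched' or 'bash-not-found' for the bash on this host.
    'patched' only says the original import bug is fixed; keep applying vendor updates,
    since several follow-up parser bugs were fixed separately."""
    bash = shutil.which(bash_path or "bash")
    if bash is None:
        return "bash-not-found"
    result = _run_bash(bash, "echo test", {"PROBE": PROBE_VALUE})
    return "vulnerable" if "VULNERABLE" in result.stdout else "patched"


def exported_function_reaches_child(bash_path=None):
    """The legitimate feature: 'export -f' passes a shell function to a child bash
    through the environment. Returns True if the child could call it, None if bash is absent.
    A fixed bash still supports this; it just stops running anything after the function body."""
    bash = shutil.which(bash_path or "bash")
    if bash is None:
        return None
    script = (f"greet() {{ echo hello-from-parent; }}; export -f greet; "
              f"{shlex.quote(bash)} -c greet")
    result = _run_bash(bash, script)
    return result.stdout.strip() == "hello-from-parent"


if __name__ == "__main__":
    print("trailing code in an environment variable:", bash_runs_trailing_code())
    print("export -f still reaches a child bash:", exported_function_reaches_child())
```

The point of the second function is that patching did not remove the feature; a patched bash still imports exported functions, it just no longer treats whatever follows the closing brace as commands to run.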

Because it is the most serious way of exploiting this vulnerability discovered so far, everyone has concentrated on exploiting it through a web server.

Most web servers use environment variables as a way of passing information about a request (i.e. data supplied by an attacker) to any scripts they run; when that script is a bash script, or is a non-bash script that invokes another program via bash (very common amongst lazy programmers), then an attacker can run their own code on the server.
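Two things follow from this for a defender: knowing exactly which request fields become environment variables, and looking for the function-definition marker in those fields in web server logs. The block below is an added example, not from the post or from any particular web server: the header-to-variable mapping follows the CGI convention (every request header becomes `HTTP_` plus its upper-cased name with dashes turned to underscores), and the access-log lines are constructed sample traffic in combined log format, not real requests.

```python
import re


def cgi_header_to_env(header_name: str) -> str:
    """CGI convention: 'User-Agent' -> 'HTTP_USER_AGENT', 'Referer' -> 'HTTP_REFERER'.
    The request line itself arrives in fixed names such as QUERY_STRING and REQUEST_METHOD,
    so every one of these fields is attacker-chosen text in the script's environment."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


# Constructed access-log lines (combined format); not real traffic. The marker to look
# for is the start of an exported-function definition, '() {', with or without the space.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.30.0"
203.0.113.5 - - [25/Sep/2014:10:00:12 +0000] "GET /api/v1/items?filter={} HTTP/1.1" 200 88 "-" "curl/7.30.0 {json}"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)
# '()' immediately followed (optionally after whitespace) by '{': the shape bash
# recognises as a function definition in an environment variable.
FUNCTION_MARKER = re.compile(r"\(\)\s*\{")


def find_function_definition_probes(log_text: str):
    """Return (line number, client ip, field) for every request field carrying the marker.
    Each field maps to an environment variable a CGI script would receive: the request
    line to QUERY_STRING/REQUEST_URI, the others to HTTP_REFERER and HTTP_USER_AGENT."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparsable line; a real tool would count these
        for field in ("request", "referer", "user_agent"):
            if FUNCTION_MARKER.search(m.group(field)):
                hits.append((lineno, m.group("ip"), field))
    return hits


if __name__ == "__main__":
    for header in ("User-Agent", "Referer", "X-Forwarded-For"):
        print(header, "->", cgi_header_to_env(header))
    for lineno, ip, field in find_function_definition_probes(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent the marker in {field}")
```

The last sample line is there to show what the marker does not match: braces on their own are common in legitimate query strings and user agents, so the check keys on the `()` that precedes them. A match in the logs tells you someone tried, not that the script was vulnerable; it is the patch status of bash and what the script does that decides the outcome.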

So What Is Vulnerable? And Exploitable?

Let us distinguish between vulnerable where a program with a serious flaw is installed, and exploitable where an attacker can make use of that vulnerability. Because if you just fix situations where a known exploit exists, you are still exposed to unknown exploits. And it is distinctly possible that attackers will develop more and more ways of exploiting this vulnerability over time.

The short answer to the question of what is vulnerable is that every device with bash installed is vulnerable.

To those thinking that only Linux servers are vulnerable, the list of what is vulnerable will probably come as a bit of a surprise :-

  1. It should be assumed that all iThingies (iPhones, iPads, etc.) have bash installed. After all, OSX has been confirmed to be vulnerable and the iThingies run something very similar.
  2. Android phones can run bash and it may be installed by default. If it is, then it is vulnerable.
  3. Windows machines do not come with bash installed by default, but that does not mean that it has not been installed at a later date. Any large corporate application that started life as a Unix-based application may well have an installation of bash lurking somewhere within it.
  4. Similarly for any other non-Unix based servers (VMS, IBM Mainframes, etc.). In fact I would not be surprised if the proportion of IBM mainframes with a vulnerable version of bash installed is surprisingly large.
  5. Embedded devices, or the Internet of Things. One of my pet peeves is the assumption that, because people usually find BusyBox installed on the devices they are familiar with, all IoT devices have BusyBox and not bash. All it takes is one developer who finds their funky script doesn’t work with BusyBox but does with bash for an IoT device to have bash installed.

In the long term, it is possibly the last category that is the most exploitable because such devices are rarely updated, are assumed to be safe, and are frankly the most likely to be running rancid code that is easily exploitable.

Mitigations

With worms actively exploiting this and hunting down all the vulnerable web servers, it’s time to ask about means to limit the damage :-

  1. Why haven’t you patched yet? Hasn’t the vendor released the patch? If not, go and shout at them.
  2. Turn off any services that you don’t need. Now.
  3. Why does your web server need to make connections to the outside world? First indications are that the worms out there at present download a second stage to start behaving badly. If your server can just do its job but cannot download stuff, then any worm won’t be able to fully activate. This is not a panacea as you can still be exploited, but you cannot be automatically exploited.

Sep 04 2014

So apparently a whole bunch of celebrities have had their naked selfies leaked by some “hacker”. As to how this was done, we don’t really know and will probably never know given that Apple is so secretive. But we can guess some possibilities :-

  1. The hacker built up a list of possible account names – jennifer (Jennifer Lawrence) might be a good one to try – and then tried the top 100 dumbest passwords against each one in turn. You would not get every single account this way, and a fair few would turn out to be a fan of Jennifer Lawrence rather than the celebrity herself. But you would get a few that way.
  2. The hacker targeted the celebrities with a phishing attack – basically asking the celebrity what their account password is. This sounds too unlikely to succeed, but with a plausible looking login page it does work surprisingly often. It’s not just the terminally stupid that fall victim to such attacks; the victims are really those who are too trusting and often in too much of a hurry.
  3. The next method a hacker might use is to tackle Apple’s password reset service which uses “memorable information” such as the name of your first school, your mother’s maiden name, etc. There is always a bit of a problem with “memorable information” such as this – it isn’t really that private, and a celebrity is likely to have “leaked” all such private information over time.
  4. Through some unknown vulnerability in Apple’s iCloud service. Given that we suspect iCloud has certain “issues” with security (apparently Apple has no intruder lock out to make password guessing attacks harder), this isn’t impossible, but I would guess that it is less likely than the two more obvious attacks above.
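The intruder lock-out mentioned in point 4 is what turns "try the top 100 dumbest passwords against each account" from a quick job into a slow one. The following is an added example of that control, not code from the post or from any real service: a per-account failure budget inside a sliding window, after which the account is locked for a cooling-off period and the password is not even checked. The thresholds are assumptions, the clock is passed in so the behaviour is reproducible, and the guess list is constructed.

```python
from collections import deque

# Assumptions for this example: failures allowed inside the window, the window
# length, and how long the lock lasts once the budget is spent (all in seconds).
MAX_FAILURES = 5
WINDOW_SECONDS = 600
LOCK_SECONDS = 900


class LoginGuard:
    """Tracks failed attempts per account. 'now' is injected so the logic is testable."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lock=LOCK_SECONDS):
        self.max_failures, self.window, self.lock = max_failures, window, lock
        self.failures = {}        # account -> deque of failure timestamps inside the window
        self.locked_until = {}    # account -> time at which the lock expires

    def _recent_failures(self, account, now):
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        return q

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Returns 'locked', 'ok' or 'rejected'. The password verdict is only consulted
        when the account is not locked, so guessing cannot continue during a lock,
        and the response is the same whether or not the guess happened to be right."""
        if self.is_locked(account, now):
            return "locked"
        q = self._recent_failures(account, now)
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lock
            q.clear()
            return "locked"
        return "rejected"


def simulate_guessing(guard, account, guesses, secret, start=0.0, step=1.0):
    """Feed a list of guesses at one account, one every 'step' seconds, and return how
    many guesses the service actually evaluated before the lock shut the attempt down."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        now = start + i * step
        if guard.is_locked(account, now):
            continue
        evaluated += 1
        if guard.attempt(account, guess == secret, now) == "ok":
            break
    return evaluated


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed "dumbest passwords" list; the real one does not matter for the demo.
    common = ["password", "123456", "qwerty", "letmein", "jennifer", "abc123", "iloveyou"]
    print("guesses evaluated:", simulate_guessing(guard, "jennifer", common, "correct-horse"))
    print("right password during lock:", guard.attempt("jennifer", True, 10.0))
    print("right password after lock:", guard.attempt("jennifer", True, 1000.0))
```

A real service would also count failures per source address and per target password so that spreading one guess across many accounts is throttled too, and would log each lock so an analyst sees the pattern.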

There’s a great deal of hateful “slut-shaming” going on over this celebrity leak which apart from anything else is really missing the point. It may be embarrassing for naked selfies to be leaked, but other personal information could be dangerous if leaked – the celebrity’s home address and alarm codes?

It is not the victim’s fault; it’s the fault of the anonymous (at the moment) hacker.

But the victim can improve their behaviour to make it harder to victimise them :-

  1. First of all if you’re called Jennifer Lawrence, don’t use any permutation of your name as a username; or even enter that as your full name into any cloud service. Make one up.
  2. Make sure you are using a sensible password. It needn’t be excessive, but anything that is just a single word is just not good enough.
  3. Be less trusting with your account credentials. Make sure you know what the location bar in your browser is and where it is, and check it when you login. And don’t click on links in emails.
  4. If the service you are using offers two-factor authentication, turn it on.
  5. Learn about security; you are a target. Don’t go overboard (but see step 6), but spend an hour a week doing a little reading and taking steps to improve your personal security.
  6. Hire or befriend a geek who can act as your early warning system for threats. And someone you can go to for advice.

Note that I haven’t said “don’t take naked selfies” – it may be a bit foolish, but a life without a bit of foolishness is hardly a life at all.

And of course most of those suggestions work for ordinary people and not just celebrities!