Tag Archives: security

Sony PlayStation network hacked, some disclosure, questions remain

Sony has posted information about the “illegal intrusion on our systems” that has caused the PlayStation Network (PSN) to be closed temporarily. PSN is necessary for playing online games and downloading music and videos.

Sony has disclosed that:

Between April 17 and April 19 2011 an attacker gained access to “user account information”

The information includes:

name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

The information might include:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained

The remainder of the information is mainly generic advice on fraud prevention. Many comments to the blog post make the reasonable point: why were they not informed earlier?

How many users are on PSN? The number 75 million is widely reported. In January Sony claimed over 69 million PSN members.

It is easy to say that Sony should have operated a more secure system. Making a judgment on that is hard because there is a lot we do not know. Was this information encrypted? Sony says passwords were stolen, which may mean they were unencrypted though that is hard to believe; or that they were encrypted but likely to be easily decrypted, which is perhaps more likely. On the other hand the fact that encryption is not mentioned in the post tends to suggest that none of this information was encrypted.

The scale of the incident makes it remarkable but the fact of network intrusions and personal data being stolen is not surprising, and likely much more of this happens than is reported.

The state of internet security overall remains poor and what we see constantly is that security best practices are ignored. Convenience and the desire of marketers to grab as much personal data as possible constantly trumps security.

Here is Kim Cameron, Microsoft’s identity architect, writing in 2005:

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

Cameron’s thoughtful and excellent “laws of identity” lack take-up within Microsoft as well as elsewhere; the CardSpace system that was built to support it was scrapped.

An example of the low priority of security around the web is the prevalence of “password security answers” as Sony describes them. This is additional information that allows you to recover an account if the password is forgotten, especially if the email address associated with the account is no longer in use. Contrary to the impression given by the forms that require the information, these questions and answers reduce your security in order to ease the burden on support. They break Cameron’s laws of identity by providing the third party with information that it does not need, such as mother’s maiden name, though of course you can provide fictional answers and in fact I recommend this.

Personally I am also one of those people who never tick the “save credit card details” box. I am happy to enter them every time, rather than hand them over to a system of unknown security. Some sites do not let you make purchases without saving credit card details; as I recall, Amazon is one of them, and Apple another. This means the consequences of security breaches at these companies are greater, though I imagine they also make more sales since the friction of the purchasing process is reduced.

I am not optimistic that internet security will improve in the near future, though I guess that major breaches like this one are a force for reform.

Update: In a new post Sony says that credit card data was encrypted but personal data was not. I am surprised if this included passwords; but the IT world is full of surprises.
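The post cannot say how the passwords were held, and the follow-up only says that personal data was not encrypted. The point a defender would add is that a password should not be stored encrypted at all: it should be hashed with a per-user salt and a deliberately slow function, so that a stolen table yields neither the passwords nor a key that could decrypt them. The Python below is an added example and not code from the post or from Sony; the iteration count, the record format and the sample password are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters. The iteration count is kept low so the example runs
# quickly; a production deployment uses a far higher count or a memory-hard KDF.
ITERATIONS = 20_000
SALT_BYTES = 16
HASH_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the only thing written to the user table:
    'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The password itself is never
    stored, encrypted or otherwise, so a stolen table cannot be "decrypted"."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=HASH_BYTES)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count, then compare in
    constant time so timing does not leak how many leading bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def records_are_unlinkable(password: str) -> bool:
    """Two users with the same password get unrelated records, thanks to the
    per-user salt, so a breach does not even reveal who shares a password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Nothing in the stored record can be turned back into the password; an attacker holding the table can only guess, one slow PBKDF2 computation per guess, which is exactly the cost the iteration count is there to impose.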

How an RTF file can install a virus when opened

There is an analysis by Rob Rachwald over on the Imperva Data Security Blog of how an RTF document can carry a virus, in this case a trojan executable. RTF (Rich Text Format) is generally considered safer than the Microsoft Office .DOC format since it cannot include macros; but the vulnerability in this case is in the software that parses the RTF when it is opened in Microsoft Office on Windows or Mac – though in this case the actual payload is Windows-only so would not normally affect Mac users.

Unfortunately this code may run when previewing a document in Outlook, which normally embeds Word, so it is potentially rather damaging.

Rachwald traces how the embedded trojan evades anti-virus, installs itself into the Windows system32 folder, and creates a remote shell application.

It does appear that the vulnerability was patched in November 2010. Still, it is interesting that the insecure code survived in Microsoft Office at least back to Office XP Service Pack 3 in 2004 and probably earlier.

I mention it partly because the analysis is a good read, and partly to highlight the fact that even RTF documents may not be safe.

Adobe Document Center shutting down, protected documents to become unreadable

The what? Well, few people used it which is why it is shutting down; but the Adobe Document Center is a service for protecting documents, somewhat similar to Microsoft’s Rights Management Services except that it is provided as a hosted subscription service; though I am not sure that it ever made it out of beta and actually started charging. You can use it with a PDF or Microsoft Office document to restrict who can access it and set an expiry date.

At least, you could. I have received an email (because I must have tried the beta back in 2006) informing me that the service is shutting down on April 2nd 2011:

Important: This means that after the Service shuts down you, or anyone you have distributed documents protected via the Service, will no longer be able to open/access these documents. We strongly encourage you to use Adobe Acrobat to un-protect these documents before the Service is shut down.

Time to make a mental note: protected documents are high-maintenance and there is always a risk of losing your data.

Google fails to protect its mobile platform

The discovery of viruses in apps on Google’s Android Market is troubling. I like the fact that Android is open, and that you can easily install an APK (Android Package) from any source onto your device if you want to. That said, it is reasonable to expect that apps downloaded from the official Android Market will be virus-free, or at least that some attempt has been made to check them for malware.

Another problem which is apparently rampant in the Android market – and also to some extent in Apple’s app store – is app stealing, where someone takes an existing app, copies it and re-uploads it under their own account. In most cases it seems that the malware was on apps pirated in this manner.

Note that while it took Google less than five minutes to pull the malicious apps from the store, the original developer had apparently been trying for more than a week to get them pulled on copyright violation grounds.

Google takes a 30% transaction fee for apps sold in the market. Enough, you would think, to check for malware.

Most seriously for the Android market, the situation for users is that apps on Android Market might be malware, whereas apps on Apple’s App Store are not. That is a big advantage for Apple, and one that you would have thought Google would want to counter.

The only winners here are the anti-virus companies, who will be delighted to inflict their subscriptions on mobile users just as they have on Windows desktops.

Microsoft’s BPOS password madness driving users to Google Apps

A friend uses Microsoft’s Exchange Online service for his small company. All was going well until one day he found himself locked out of his email. He had no idea why.

The reason, it turned out, was the password policy set by Microsoft and outlined here:

To help maintain security, you must periodically change your password. When you change your password, be aware of the following:

  • You cannot repeat your previous 24 passwords.
  • You must change your password at least once every 90 days.

In addition:

Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes. This condition cannot be manually reset.

In this case, Microsoft’s PC sign-in applications prompted the user to change his password. He did so. All seemed well, except that his mobile – in which email settings are deeply buried – did not know about the password change and made repeated attempts to collect email. Result: lock-out, and a horrible user experience.

According to this thread, Microsoft has been so besieged with requests to remove the expiration policy that it solved them at a stroke: by refusing them all.

I find this curious. First, it is doubtful whether frequent password changes really enhance security. Users in this case need new non-repeating passwords every 90 days, which means they are more likely to be written down. Remember, you cannot repeat your previous 24 passwords.

Second, it is odd that BPOS admins do not have the ability to disable password expiration policies in their online management tools.

It may seem a small issue, but for some it is a deal-breaker:

At this moment it is not possible to disable password expiration at all. I opened a ticket and technical support told me multiple times they won’t offer that option anymore… It’s disappointing since I lose customers who choose Google Apps over Microsoft Online just because of the password issue.

Apparently this may be fixed in the forthcoming Office 365.

ASP.NET Padding Oracle fix released, time to patch for Windows administrators

Scott Guthrie’s blog reports that a fix is now available for the Padding Oracle attack, which enables successful attackers to break the security of ASP.NET applications. There are a few points of interest.

First, there is not one patch but several, and which ones you need depend both on the version of Windows and the version of .NET. Multiple versions of .NET may be installed on a single server.

Second, the exploit is rated “important” in Microsoft security-speak, rather than “critical”. This is apparently because in itself the vulnerability merely discloses information. However, Microsoft is treating it with a high priority because the vulnerability is likely to reveal information that would let the attacker go on to more severe actions such as taking over a server. Confusing, but to my mind it is as critical as they come.

Third, Guthrie’s blog notes:

We’d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.

The implication is that the POET tool may be publicly available soon – so if you are responsible for an affected machine, get patching! In fact, in the webcast on the subject Microsoft stated that “The potential for exploit is very high during the next 30 days.”

Fourth, the update works by “additionally signing all data that is encrypted by ASP.NET.”

Update: Marc Brooks has investigated and it looks like there is a bit more to it than that.

Finally, the update will be included in Windows Update but not immediately. Your choice is whether to risk a hack in the period before the automatic update appears, or endure the hassle of the manual downloads. Microsoft advises to do it as soon as possible for servers on the public internet.

I am not sure what percentage of systems are likely to be patched soon, but I’d guess that plenty of vulnerable systems will remain online and that we have not heard the last of this bug.

Crisis for ASP.Net – how serious is the Padding Oracle attack?

Security vulnerabilities are reported constantly, but some have more impact than others. The one that came into prominence last weekend (though it had actually been revealed several months ago) strikes me as potentially high impact. Colourfully named the Padding Oracle attack, it was explained and demonstrated at the ekoparty security conference. In particular, the researchers showed how it can be used to compromise ASP.NET applications:

The most significant new discovery is a universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework’s API! … The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise.

This is alarming simply because of the huge number of ASP.NET applications out there. It is not only a popular framework for custom applications, but is also used by Microsoft for its own applications. If you have a SharePoint site, for example, or use Outlook Web Access, then you are running an ASP.NET application.

The report was taken seriously by Microsoft, keeping VP Scott Guthrie and his team up all night, eventually coming up with a security advisory and a workaround posted to his blog. It does not make comfortable reading, confirming that pretty much every ASP.NET installation is vulnerable. A further post confirms that SharePoint sites are affected.

It does not help that the precise way the attack works is hard to understand. It is a cryptographic attack that lets the attacker decrypt data encrypted by the server. One of the consequences, thanks to what looks like another weakness in ASP.NET, is that the attacker can then download any file on the web server, including web.config, a file which may contain security-critical data such as database connection strings with passwords, or even the credentials of a user in Active Directory. The researchers demonstrate in a YouTube video how to crack a site running the DotNetNuke content management application, gaining full administrative rights to the application and eventually a login to the server itself.

Guthrie acknowledges that the problem can only be fixed by patching ASP.NET itself. Microsoft is working on this; in the meantime his suggested workaround is to configure ASP.NET to return the same error page regardless of what the underlying error really is. The reason for this is that the vulnerability involves inspecting the error returned by ASP.NET when you submit a corrupt cookie or viewstate data.

The most conscientious ASP.NET administrators will have followed Guthrie’s recommendations, and will be hoping that they are sufficient; it is not completely clear to me whether it is. One of the things that makes me think “hmmm” is that a more sophisticated workaround, involving random time delays before an error is returned, is proposed for later versions of ASP.NET that support it. What does that suggest about the efficacy of the simpler workaround, which is a static error page?
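The earlier post above quotes the eventual fix as “additionally signing all data that is encrypted by ASP.NET”, and this post describes the workaround as returning the same error whatever the underlying failure. The Python below is an added example, not code from either post, from Microsoft or from the researchers, and shows both ideas on a CBC-with-padding construction of the kind the attack targets. Its assumptions: a four-round HMAC-based Feistel network stands in for AES so that the example runs on the standard library alone (it is invertible, which is all CBC needs, but it is not a secure cipher), and the keys and plaintext are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16  # block size in bytes, as for AES


# Toy block cipher: an assumption standing in for AES. NOT a secure cipher.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


class PaddingError(Exception):
    """What an unauthenticated CBC decryptor leaks: the padding was wrong."""

class AuthError(Exception):
    """The only error an encrypt-then-MAC decryptor ever exposes."""

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    prev = iv or os.urandom(BLOCK)
    out, padded = [prev], pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # IV || C1 || C2 ...

def cbc_decrypt_unauthenticated(key: bytes, data: bytes) -> bytes:
    """Pre-fix shape: decrypt first, check padding afterwards. A tampered
    ciphertext is either accepted (garbage plaintext with valid padding) or
    rejected with PaddingError; that visible difference is the oracle."""
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError("bad length")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and every ciphertext block."""
    ciphertext = cbc_encrypt(enc_key, plaintext)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Verify the tag before decrypting anything; every failure, tag or
    padding, collapses to the same AuthError so nothing distinguishes them."""
    ciphertext, tag = data[:-32], data[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if len(data) < 32 or not hmac.compare_digest(tag, expected):
        raise AuthError("message rejected")
    try:
        return cbc_decrypt_unauthenticated(enc_key, ciphertext)
    except (PaddingError, ValueError):
        raise AuthError("message rejected")

def outcomes_under_tampering(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Replace the last byte of the second-to-last ciphertext block with each
    of the 255 other values and record which distinct outcomes each decryptor
    shows the caller. Nothing here recovers plaintext; it only measures
    whether failures are distinguishable from outside."""
    sealed = seal(enc_key, mac_key, plaintext)
    ciphertext, tag = sealed[:-32], sealed[-32:]
    pos = len(ciphertext) - BLOCK - 1
    unauth, auth = set(), set()
    for value in range(256):
        if value == ciphertext[pos]:
            continue
        tampered = ciphertext[:pos] + bytes([value]) + ciphertext[pos + 1:]
        try:
            cbc_decrypt_unauthenticated(enc_key, tampered)
            unauth.add("accepted")
        except PaddingError:
            unauth.add("padding error")
        try:
            open_sealed(enc_key, mac_key, tampered + tag)
            auth.add("accepted")
        except AuthError:
            auth.add("auth error")
    return sorted(unauth), sorted(auth)
```

For a constructed plaintext such as `b"user=alice;role=user"`, `outcomes_under_tampering` returns `['accepted', 'padding error']` for the unauthenticated decryptor and `['auth error']` for the authenticated one: the first shows whoever sends the ciphertext two distinguishable results, the second only one. The workaround of a single custom error page (the `customErrors` element in web.config) attacks the same distinction at the HTTP layer, which is why the random-delay variant was proposed where the framework could do it: uniform responses narrow the channel but leave its cause in place, whereas checking the MAC first removes it.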

The speed with which the ASP.NET team came up with the workaround is impressive; but it is a workaround and not a fix. It leaves me wondering what proportion of ASP.NET sites exposed to the public internet will have implemented the workaround or do so before attacks are widespread?

A characteristic of the attack is that the web server receives thousands of requests which trigger cryptographic errors. Rather than attempting to fix up ASP.NET and every instance of web.config on a server, a more robust approach might be to monitor the requests and block IP numbers that are triggering repeated errors of this kind.
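As an added illustration of that monitoring idea (not code from the post or from Microsoft), here is a small sliding-window detector in Python run over constructed log lines. The log format, the IP addresses, the threshold and the window are all assumptions; real IIS or application logs need their own parser, and the one real string below is the .NET exception message for a failed padding check.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Constructed log format (an assumption, not IIS's):
# "<ISO-8601 time> <client IP> <status> <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (.*)$")
# Marks a failed decryption of a cookie or viewstate. Adapt to what the
# application actually logs; "Invalid viewstate" here is a placeholder pattern.
CRYPTO_ERROR_RE = re.compile(
    r"CryptographicException|Padding is invalid|Invalid viewstate", re.I)

THRESHOLD = 5        # this many failures ...
WINDOW_SECONDS = 60  # ... within this many seconds marks the client

# Constructed sample: one well-behaved client, one that trips the rule, and a
# client whose two failures are too far apart to count.
ERR = "500 System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed."
SAMPLE_LOG = [
    "2010-09-18T10:00:00Z 198.51.100.4 200 GET /default.aspx",
    "2010-09-18T10:00:01Z 203.0.113.7 " + ERR,
    "2010-09-18T10:00:02Z 203.0.113.7 " + ERR,
    "2010-09-18T10:00:03Z 198.51.100.4 " + ERR,
    "2010-09-18T10:00:03Z 203.0.113.7 " + ERR,
    "2010-09-18T10:00:04Z 203.0.113.7 " + ERR,
    "2010-09-18T10:00:05Z 203.0.113.7 " + ERR,
    "2010-09-18T10:00:06Z 203.0.113.7 " + ERR,
    "2010-09-18T10:05:00Z 198.51.100.4 " + ERR,
    "this line is not in the expected format",
]


def parse_line(line: str) -> Optional[Tuple[datetime, str, int, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), int(m.group(3)), m.group(4)


def find_offenders(lines: Iterable[str], threshold: int = THRESHOLD,
                   window: int = WINDOW_SECONDS) -> Dict[str, datetime]:
    """Return {client_ip: time_first_flagged} for clients that produced
    `threshold` cryptographic errors inside any `window`-second span.
    Lines are assumed to arrive in time order."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _status, message = parsed
        if not CRYPTO_ERROR_RE.search(message):
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:  # drop stale failures
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} (flagged at {when.isoformat()})")
```

The threshold needs tuning against your own traffic: a key rotation or an application restart invalidates every viewstate and cookie the users are still holding, and a busy legitimate client can then produce a burst of the same errors. Treat the output as a candidate list for a firewall or WAF rule, with the block expiring after a while, rather than as proof of attack.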

More generally, what should you do if you run a security-critical web application and a flaw of this magnitude is reported? Applying recommended workarounds is one possibility, but frankly I wonder if they should simply be taken offline until more is known about how to protect against it.

One thing about which I have no idea is the extent to which hackers are already trying this attack against likely targets such as ecommerce and banking sites. Of course in principle virtually any site is an attractive target, because of the value of compromised web servers for serving spam and malware.

If you run Windows servers and have not yet investigated, I recommend that you follow the links, read the discussions on Scott Guthrie’s blog, and at least implement the suggested actions.

Anti-virus software continues to fail

I received an email from Trusteer noting that anti-virus detection rates for the latest Zeus variant are very low. This analysis shows that at the time of writing only Panda, among the major anti-virus products, picks it up. Does this mean we should all switch to Panda? No, because next time it will be one of the others that works, or none of them will work. You can only sympathise with users who imagine they are protected from malware because they have security software installed which tells them so.

The solution? Well, white-listing, visiting only trusted web sites, not opening attachments, keeping your OS fully patched, and so on. None of them perfect.

Alternatively, a new model of computing. One of the attractions of locked-in platforms like Apple’s iPhone and iPad is that they are harder to infect. Google’s forthcoming Chrome OS is even better designed from a security perspective. I am surprised that this aspect of cloud+device computing does not get more attention.

Decompiling Silverlight

A Silverlight application is a .NET application. Most developers will be aware of this; but it is worth noting that whereas ASP.NET code executes on the server and is not normally available for download, Silverlight code is downloaded to the client and can easily be decompiled. It is almost as easy to view as JavaScript code in the browser.

If you want to investigate this, the first thing to do is to find the .xap file which contains the Silverlight application. You will likely find this in your browser cache, or you can download it directly from the web site hosting the application. If you have out-of-browser Silverlight apps, they are usually located at:

C:\Users\[username]\AppData\LocalLow\Microsoft\Silverlight\OutOfBrowser

Copy the .xap file somewhere convenient, and rename it to have a .zip extension. Then extract the files. The result looks something like this:

[screenshot: contents of the extracted .xap, including the application .dll files]

Next, you need a .NET decompiler such as Redgate .NET Reflector. Run Reflector and open a .dll file containing application code. Select a method, and Reflector does its best to show you the code. It does a good job too:

[screenshot: Reflector showing the decompiled source of a method]

The purpose of this post is not to encourage decompiling other people’s code, but rather to make the point that even though Silverlight code is “compiled”, it is trivial to read it – just in case anyone thought it was a bright idea to store passwords or other authentication secrets there.

The first solution is never to put anything security-critical in client-side code. Second, you can use an obfuscator such as Dotfuscator to make the decompiled code harder to read.
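One practical consequence of the post is a pre-release check on your own package: list the assemblies inside the .xap (which, as described above, is a zip file) and pull out their string literals, which a .NET assembly stores as UTF-16LE, to see whether anything that looks like a credential is about to ship to the client. The Python below is an added example, not code from the post or from Red Gate; the package it inspects is constructed in memory (a fake DLL containing two literals), and the list of secret-looking names is an assumption to extend for your own code base.

```python
import io
import re
import zipfile
from typing import Dict, List

# .NET string literals live in the assembly's #US heap as UTF-16LE, so a run of
# printable UTF-16LE characters is the cheapest way to pull them out of a DLL.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Assumed vocabulary of things that should never be in client-side code.
SECRET_HINT = re.compile(
    r"(password|pwd|secret|api[_-]?key|token|connectionstring)\s*[=:]", re.I)


def extract_strings(dll_bytes: bytes) -> List[str]:
    """All printable UTF-16LE runs of six or more characters."""
    return [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(dll_bytes)]


def suspicious_strings(dll_bytes: bytes) -> List[str]:
    return [s for s in extract_strings(dll_bytes) if SECRET_HINT.search(s)]


def audit_xap(xap_bytes: bytes) -> Dict[str, List[str]]:
    """Map each assembly inside the package to the suspect literals it holds."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for name in xap.namelist():
            if name.lower().endswith(".dll"):
                hits = suspicious_strings(xap.read(name))
                if hits:
                    findings[name] = hits
    return findings


def build_sample_xap() -> bytes:
    """Constructed package: a fake 'assembly' with two literals, one of them
    a connection string with a placeholder password that must not ship."""
    fake_dll = (b"MZ\x90\x00" + b"\x00" * 40
                + "Hello, Silverlight".encode("utf-16le") + b"\x00\x00\x01\x02"
                + "Server=sql01;User Id=app;Password=NOT-A-REAL-SECRET".encode("utf-16le")
                + b"\x00" * 8)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xap:
        xap.writestr("AppManifest.xaml", "<Deployment/>")
        xap.writestr("MyApp.dll", fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    # On a real package: audit_xap(open("MyApp.xap", "rb").read())
    for assembly, hits in audit_xap(build_sample_xap()).items():
        for literal in hits:
            print(f"{assembly}: {literal}")
```

The scan is deliberately crude, a string search rather than a decompile, and it will miss secrets that are built up at runtime or obfuscated; that is fine for its purpose, which is to catch the plain mistake the post warns about before Reflector catches it for someone else.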