Security is not a eight letter word

[rant] SSL=Security

gauravphoenix — Thu, 17 Jul 2008 17:10:00 GMT

<rant>

When in the world people will understand SSL is just one aspect of security. Are we still living in 90s?

This is a tax filing season in India. And being onsite I want to file it online. And ALL of the web sites I visit they assure me my data is safe because they use SSL.

Most of the successful reported attacks compromise app layer. Even after so much of noise in media about app security, why people don’t put – “Secured by WAF” or “Security Reviewed by XYZ” on websites- that would give me more hope.

</rant>

Forgot password security design

gauravphoenix — Sat, 16 Feb 2008 08:35:00 GMT

To err is human. To forget is even more human

Let’s delve into some of the design considerations. Your comments are greatly appreciated.

1. Pre-Canned Questions or User Defined Questions ?

My colleague Rocky blogged about it. A must read!

2. Never send password by email.

Internet is ugly..lots of sniffers running, email servers getting hacked etc.

3. Never display current password on screen. Even though if you set no caching, some proxy server might not honor it.

Generate a temporary password when user successfully answers question(s). Needless to say, generated password should be a strong one.

4. When temporary password is used, force user to change it when she logins in first with temporary password

5. Use POST

Consider this: if the URL of forgot password page which shows password when user successfully answers questions looks like-

www. Domain.com/forgotpassword.aspx?challenge=X&response=Y

Now imagine if there is some ad displayed on same page and user clicks on it what goes in referrer header of http? It’s the URL of originating page and in our case its having challenge and response in URL? You don’t want other domains to know your user’s passwords, right?

6. Verify it’s a human who is requesting password on his/her alternate email address. Use Human Interaction Proofs (HIPs) like CAPTCHA for same.

7. Though I won’t recommend sending links to alternate email address to reset password, if absolutely necessary, force the link to expire in few minutes, say 15 minutes.

a. The reset password link should be nonce- one time use only.

Security Summit 2007

gauravphoenix — Thu, 15 Nov 2007 03:31:00 GMT

I will be speaking at http://www.microsoft.com/india/security/ss-dev.aspx

Drop me a mail if you want to meet me in person at Chennai and/or Kolkatta.

Gaurav.Kumar@youknowwhat.com

CryptAcquireContext with CRYPT_SILENT flag

gauravphoenix — Tue, 30 Oct 2007 23:33:00 GMT

I tried to open a file. I got accessed denied error. No problem, lemme check ACL and finally the “effective permission”. Oh! I have full access. Hmmm…..What could be wrong? OK, lemme see if the file is encrypted. Yes, it is. Do I have corresponding certificate? Yes, the thumbprint matches with the certificate available in my user store. So, what the heck could be wrong?

I spent hours debugging the problem. Here is what was happening-

I had exported the EFS certificate and while importing back, I had enabled strong private key protection. This option makes will give you a warning or ask a password whenever private key is accessed by any application. Since EFS runs as service, it could not give the prompt and I was denied access to the file.

Moral of the story-

If you have an application that needs to access private key of a certificate, take into consideration that private key might have been protected by password. This is very important for applications which run in services mode and call CryptAcquireContext CRYPT_SILENT flag..

SQL sevrer Lock table and Hollywood business

gauravphoenix — Thu, 25 Oct 2007 22:44:00 GMT

Could there be a security risk by locking a database table? Even if there is a risk, could it impact Hollywood?

Consider this.

Suppose you are running a website which provides movie tickets (Or DVD rental) booking service. As new movies are released, the demand is high, and things move quite fast. You may be having just 10 seats vacant and there are 100s of users trying to book seats. Normally you will confirm booking only when payment has been done AND seats are available. What if you charge the customer and latter on find out seats are not available. In situations where the commodity you are providing changes very frequently you have two options.

1. Lock the database table for lets say 5 minutes and let user complete the transaction. If time has elapsed and user has not completed the request (payment), you can release the lock and make the resource (like movie tickets) available for other users.

2. Deny the request and tell user that when she initiated the request and till the time payment was processed, the available quantity/price has changed. Based on the business, you can take decision. If movie tickets have a constant price, you can confirm the seats based on new availability. It is being assumed that time taken to process payment is negligible.

While the first option provides more usability and less security, second option provides more security and less usability. Security folks, stop yawning:)

Now let discuss what the security vulnerability in first option is. An attacker could easily automate ticket booking request and lock the resources forever. In case you are thinking of blocking automated requests based on IP address, attacker could use freely accessible proxies to make request.

Note that in the second option I said that It is being assumed that time taken to process payment is negligible. Actually, one could still attack this with more frequent requests. Even if you are locking the data base table for few seconds, one could send large number of requests from different proxies.

Finally, lets discuss what is the best way to handle this vulnerability proactively. Other techniques like validating the card are reactive and more complex to implement.

HIP. Yea, Human Interaction Proof like Captchas. I agree that these images are quite annoying sometimes but they are definitely less annoying than getting to know you could have seen the latest hollywood movie if you had a better luck.

This brings us to the conclusion that Captchas needs to be used whenever automated requests from end users can impact your business.

Note that we have taken the example of movie tickets booking web application. The vulnerability discussed above can be used against most of the ecommerce web applications.

IIS authentication methods

gauravphoenix — Mon, 22 Oct 2007 00:34:00 GMT

No, this is not yet another tutorial on how to use IIS authentications methods. This post is about how to find out "effective" authentication method.

Q: In the pic below, what will be the authentication method used by IIS?

If you took more than 2 seconds to answer this, you need to read this post.

Notice that anonymous access is selected with Integrated, Digest and Basic authentication. So which one is finally used by IIS?

Here is how to find out-

1. First of all, if anonymous option is selected, no form of authentication takes place. So, it’s always Anonymous vs. rest of the others authentication. It’s evident that in above case, anonymous access will be used.

Now, let’s talk about other form of authentications.

2. If .NET passport authentication is selected, it takes precedence over integrated, digest and basic authentication. You can experiment by selecting .NET passport authentication, as soon as you select it, other authentications options (integrated, digest and basic) will be grayed out.

Remember that first point is still valid, if anonymous access is chosen with .NET passport authentication, anonymous access will be used not passport authentication

3. Now we are left with 3 options- Integrated, Digest and Basic. Here, integrated authentication will be given precedence. So, if all three Digest, basic and integrated authentication methods are selected, only the integrated auth will work.

4. Last but not the least, between digest and basic auth, Digest auth is given precedence.

The best way to remember all this is to keep following order in mind-

1. Anonymous

2. .NET Passport

3. Integrated

4. Digest

5. Basic

The one on the top is given preference.

Lets spice it up a bit.

What happens when you select Anonymous option with Integrated Authentication AND asp.net web.config file demands that Windows authentication should take place (and access denied to anonymous users) This is what happens under the hood-

1. IE sends non authenticated request to IIS

2. IIS passes it on to ASP.NET

3. ASP.NET demands Windows authentication

4. IIS asks IE to use Windows authentication

So, effectively integrated authentication will be used. But the precedence order given above is still valid. First, anonymous access will be used and latter on it is up to the asp.net web.config to demand whatever authentication.

Note that in this post it is assumed that IE and IIS are used as web browser and web respectively. In general, the authentication method is negotiated. More or less, above given order holds true in most cases.

Wishing you a happy secure coding,

Gaurav.

Unnecessary authentication part II

gauravphoenix — Mon, 15 Oct 2007 23:13:00 GMT

Here is another example. I stumbled upon this website (see attached pic) which was asking me username, password AND HIP (captcha image)

I hadn’t made any wrong password attempts and also checked it from my home connection. I just don’t understand why would one need HIP when no brute force attempt has been detected.

Usability vs Security is a tough call, but asking for HIP unnecessary isn’t smart.

DPAPI entropy tip and importance of obfuscation

gauravphoenix — Wed, 10 Oct 2007 17:02:00 GMT

Have you ever wondered why CryptProtectData function asks for "Optional Entropy"?

Entropy in crypto world is defined as "randomness". Though is quite difficult for a computer to generate true random value, in this context of DPAPI one can choose a random string oneself and use it in the CryptProtectData function.
Though the official definition of CryptProtectData funtion says its optional value and one can provide NULL to the function, it has its own security value.
Consider this:
You application encrypts the data using "user store" and you do NOT provide entropy to CryptProtectData function.
What if some other application (malware?) running under same credential decrypts the data? What is stopping a malware to do it?
It's actually the entropy. Always use a strong, hard to guess entropy to prevent other applications sneaking at your data.

Now the fun begins.

What is stopping a malware to use reflection to get the entropy value?
The answer is obfuscation. It makes it hard for other applications to look at entropy value and thereby protecting the data encrypted using DPAPI.

Moral of the story:

Always provide entropy to CryptProtectData when using user store to encrypt the data. Do not supply NULL
Use obfuscation

Happy secure coding,
Gaurav

Unnecessary authentication

gauravphoenix — Wed, 03 Oct 2007 15:13:00 GMT

After a long time I called up my share broker customer support. They are India’s one of the best and biggest broker.

I was greeted with an automated message “please dial your customer id”. I did. And then “please enter your PIN”. I did. And then comes the automated message – “this service is available only between 10AM -6PM”

Bulldung. If they service is not available why ask for user id and PIN. Why increase attack surface unnecessarily??

As I said, security is not just eight letter word. It’s a state of mind.

RMS myth

gauravphoenix — Mon, 17 Sep 2007 14:01:00 GMT

A few weeks back I got a link to a software which enables the options disabled by RMS. So its like if I get one RMSed email which has "do not reply all" set, I can run software which will enable the reply all button on my outlook bar. And hence, RMS got hacked.

Bulldung.

RMS is supposed to prevent inadvertent leakage of data. Running a software that enables the control disabled by RMS is surely wilful bypassing the barricade erected by RMS.

gethash() is not security function

gauravphoenix — Sun, 09 Sep 2007 00:32:00 GMT

Consider getHash() function. Going by the name, one could think of it as some sort of "hashing" in cryptography word.

Let me warn you, its NOT a function to be used for data integrity assurance. It is NOT a security related function. I stumbled upon this function while I was doing a code review and was shocked to know it was being used to take security related decision.

here is moral of the short story-

use cryptographic hash functions like SHA-256 and don't go by name of functions like gethash()

when not to use DPAPI

gauravphoenix — Fri, 27 Apr 2007 15:20:00 GMT

DPAPI is great. only when used in appropriate scenario.

Consider this,

You encrypt data using DPAPI and latter move ( not copy) the data to the other machine. Now you try to decrypt the data on other machine and it fails. Okay, you change the password to the one on first machine. Still it doesn’t work. It wont work. its not designed to be that way. It will work only if the new machine is part of same domain and roaming profile is enabled.

To cut the story short, DPAPI is designed to encrypt Connection Strings and similar security settings. It is not meant for general purpose data encryption.