08 May 2015

Vulnerabilities

Posts relating to the category tag "vulnerabilities" are listed below.

05 December 2014

The Problems with Security Badges, Seals and Marks

A paper presented at this year's Association for Computing Machinery (ACM) Conference on Computer and Communications Security discusses why security-related third-party seals are poor indicators of site security, and how in some cases they can actually assist attackers in compromising the web sites that display them.

Partial view of the content in the paper 'Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals'

Problems with one of the privacy seal providers have been in the news recently, and the paper Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals assesses the effect on a web site's security by including a security seal from service providers Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity.

The paper's authors Tom Van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis examined the guarantees offered by these schemes, and the realities. Their findings were:

  • There is a lack of thoroughness, meaning insecure websites are certified as secure
  • Malware hosted on a certified web site can trivially evade detection
  • Some attacks can be facilitated by the seal scheme
  • Phishing attacks can be aided by the use of seals
  • The seals can be used to help attackers find vulnerable web sites.

The message is to concentrate on building and operating secure web sites, rather than using a seal to create the illusion of security: build application security into the software development life cycle (SDLC).

Posted on: 05 December 2014 at 08:32 hrs


28 November 2014

Game On at OWASP Cambridge and London

Next week I will be attending two free United Kingdom OWASP events, and providing a full talk at one of them.

Part of the OWASP Snakes and Ladders game board

Cambridge

On Tuesday 2nd December, I will speak for the first time at OWASP Cambridge about OWASP Cornucopia, the ecommerce website security requirement card game. Jerome Smith will present a second talk about a SSL Checklist for Pentesters.

Also at the event in Cambridge I will briefly mention the somewhat less serious application security awareness board game OWASP Snakes and Ladders and will be handing out free copies to everyone attending, kindly paid for by the OWASP Cambridge chapter. We will have time after the presentations to play both Cornucopia and Snakes and Ladders. On the subject of Snakes and Ladders, this week volunteers Yongliang He, Cédric Messeguer, Riotaro Okada and Ivy Zhang have generously translated the game for web applications into Chinese, French and Japanese.

Please register in advance for the free event in Cambridge. The meeting will be held in the Lord Ashcroft Building, Room LAB003; 17:00 for a prompt start at 17:30 hrs.

London

On Thursday 4th December, OWASP London is holding its final event of the year in Skype's offices at 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST, 18:00 for 18:30 hrs start. Christian Martorella will be talking about Offensive Open-Source Intelligence (OSINT) — the process, techniques and how attackers are using it to prepare their cyber attacks. Afterwards project leader Matteo Meucci will speak about the new OWASP Testing Guide v4.

Then, as in Cambridge, I will mention OWASP Snakes and Ladders, with printed copies available for everyone, but this time paid for by the London chapter.

Please remember to register for OWASP London on Thursday 4th December.

Elsewhere

There are numerous other UK OWASP chapters — join their mailing lists to be informed of future meetings.

Seeking a bigger application security event? In January OWASP London will be organising a cyber security week, and AppSec EU 2015 is being held in Amsterdam next May. The call for research, papers and trainers for the latter is now open.

Posted on: 28 November 2014 at 07:55 hrs


07 November 2014

75,000 GBP Fine For SQL Injection From ICO But With 90% Discount

Lancaster-based apartment booking company Worldview Limited has been fined under the Data Protection Act for allowing unauthorised access to customers' details. The company operates under two UK brands, Citybase Apartments and Central London Apartments.

Although customers' payment details had been encrypted, the means to decrypt the information - known as the decryption key - was stored with the data.

The Information Commissioner's Office (ICO) press release states that a SQL injection vulnerability that had existed for 3 years was the root cause, so this might imply that the decryption key was either stored in the database or that the database could be used to read the key from elsewhere, such as the file system. The information taken included 3,814 payment card details; the release mentions that both primary account numbers (PANs) and three-digit security codes were accessed, which is even more interesting. The terms and conditions (Citybase, Central London) state:

Your payment card details will be securely held for the purpose of processing the booking until the day of check in. On the day of check-in, the credit card details are removed from our systems.

That's the travel industry problem of stored card data.
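To make the root cause concrete, here is an added example (not code from the ICO notice or from Worldview's systems) contrasting a lookup that concatenates user input into SQL with the parameterised form. The table names, rows and the `app_config` row holding a key are constructed for illustration; the last of these reproduces the pattern the notice describes, a decryption key kept in the same store as the data it protects, which is exactly why an injection flaw in the booking lookup would have exposed both.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bookings (ref TEXT, customer TEXT, card_token TEXT);
        INSERT INTO bookings VALUES ('B001', 'alice', 'tok_1111');
        INSERT INTO bookings VALUES ('B002', 'bob',   'tok_2222');
        -- Anti-pattern: key material living next to the data it protects.
        -- Anything that can read bookings via injection can read this too.
        CREATE TABLE app_config (name TEXT, value TEXT);
        INSERT INTO app_config VALUES ('card_key', 'KEY-STORED-WITH-DATA');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ref: str) -> list:
    # Vulnerable: the booking reference is spliced into the statement text,
    # so quote characters in the input change the query's structure.
    sql = "SELECT ref, customer FROM bookings WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, ref: str) -> list:
    # Hardened: the reference is bound as a value; the statement text is fixed,
    # so the same input is compared literally and matches nothing.
    sql = "SELECT ref, customer FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"          # classic tautology input
    print("vulnerable:    ", lookup_vulnerable(db, probe))    # every booking
    print("parameterised: ", lookup_parameterised(db, probe))  # []
```

The parameterised query closes the injection route; moving `card_key` out of the database entirely (an HSM, a key-management service or at minimum a separately protected file) closes the second half of the problem, because an injection flaw found later would then yield only ciphertext.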

Apparently the fine would have been £75,000 but this may have put the company out of business. However, I suspect the fact that Worldview Limited will also be paying forensic investigation charges, card re-issue fees, card monitoring fees and fines relating to their PCI DSS contractual obligations will also have been taken into account by the ICO. However, £7,500 is a lot less than Worldview should be spending to ensure their customer data is secure. The fine is reduced further to £6,000 if payment is made by 1st December 2014.

The monetary penalty notice is available on the ICO web site.

The two "site security" pages on both web sites (Citybase, Central London) put a lot of faith in the use of "industry standard Secure Socket Layer (SSL) encryption technology" only:

When you submit your card details the information is encrypted (scrambled) so that it can only be read by the secure server, making the transaction as secure as possible.

When Lush Cosmetics had an ecommerce incident in 2010-11 with a similar number of cards and other personal data compromised, there was no fine — just an undertaking (and of course the PCI DSS costs). I suspect this stronger response from the ICO reflects its view that SQL injection is a basic fault that is below any acceptable level of security.

Update 7th November 2014: Link to monetary penalty notice and details of early payment discount added.

Posted on: 07 November 2014 at 08:59 hrs


06 November 2014

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use: an awareness document for application security risks and controls.

OWASP Snakes and Ladders Mobile Apps

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

OWASP Snakes and Ladders Web Applications

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

  • Manuel Lopez Arredondo
  • Tobias Gondrom
  • Martin Haslinger
  • Riotaro Okada
  • Ferdinand Vroom
  • Ivy Zhang

Print-ready PDFs have been published; these are poster-sized A2 (international paper size). The original files are Adobe Illustrator, and these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 licence, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform or build upon it, distribute the resulting work only under the same or a similar licence.

Just print out the sheets as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissors and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

Please enjoy and share.

Further information, and all the PDFs and source files, are available on the Snakes and Ladders project website. Please keep in touch by joining the project mailing list.

Posted on: 06 November 2014 at 08:31 hrs


04 November 2014

Payment Checkout Flaws and Bugs

The announcement last week by researchers from Newcastle University about a problem with Visa's contactless cards reminded me to mention again common issues with checkout and payment functions in web and mobile applications.

Photograph of customers in a household lighting stand during Clerkenwell Design Week 2014

The Visa fault relates to not enforcing the same limits on transactions when using foreign currencies. The paper is being presented this week at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona. While we hope we would not make similar mistakes ourselves, almost every web/mobile checkout/payment system I come across has some sort of problems.

I do not believe I have mentioned it previously, but if you are developing an online payment API, mobile or web payment application, you should read a paper from Microsoft Research issued in 2011. How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores (presented at IEEE Symposium on Security & Privacy 2011 in Oakland, California) describes findings from research into the security of several web payment applications.

Many of these problems are data validation or authorisation issues, but can be labelled as "business logic flaws". My own checklist for reviewing payment application functionality is below:

  • Buy at arbitrary price
  • Buy at nil price
  • Buy without paying
  • Buy one item at another item's price
  • Pay for one basket at another basket's price
  • Update the basket while paying for the original one
  • Voucher, gift card and discount enumeration or manipulation
  • Repeat order/payment
  • Missing "mandatory" steps
  • Refund after payment
  • Chargeback after payment
  • Pay customer instead of seller
  • Missing checks/enforcement of data validation/signing
  • Enumeration of accounts, customers, payment cards, baskets, orders, email addresses, phone numbers
  • Manipulation of out-of-band messages (e.g. emails, SMS, direct messaging)
  • Payment confirmation manipulation
  • Tax and currency conversion manipulation
  • Rate of use and floor limits
  • Staff/internal backdoors
  • Fraud opportunities
  • Test data/cards work or are present
  • Third-party hosted content
  • Privacy contraventions
  • PCI DSS contraventions.

This does not describe every method, but I hope the list is of use to others anyway. Generic attacks (e.g. injection, path traversal, cross-site request forgery, man-in-the-middle, unpatched components) also crop up in ecommerce payment functions, like everywhere else.
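Several of the checklist items above (buy at arbitrary price, pay for one basket at another basket's price, update the basket while paying, payment confirmation manipulation, repeat payment, missing signing checks) come down to the same defensive shape: price on the server, snapshot what was priced, sign it, and verify all of it when the money arrives. The following is an added example in that shape; it is not code from the Cashier-as-a-Service paper nor from any real checkout. The catalogue, SKUs, signing key and return strings are constructed, and the signing key would in practice come from a secrets store.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side catalogue, prices in minor units (pence).
# The client only ever sends SKU ids and quantities, never a price.
CATALOGUE = {"sku-001": 12500, "sku-002": 4999}
CURRENCY = "GBP"
SIGNING_KEY = b"demo-signing-key-not-for-production"  # assumption: from a secrets store in practice


def basket_total(basket: dict) -> int:
    """Recompute the total from the catalogue; reject unknown SKUs and bad quantities."""
    total = 0
    for sku, qty in basket.items():
        if sku not in CATALOGUE or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid basket line: {sku!r} x {qty!r}")
        total += CATALOGUE[sku] * qty
    return total


def basket_fingerprint(basket: dict) -> str:
    """Stable hash of the basket contents at the moment it was priced."""
    canonical = json.dumps(sorted(basket.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def create_payment_intent(basket_id: str, basket: dict) -> dict:
    """Price the basket server-side and hand the client a signed snapshot."""
    intent = {
        "basket_id": basket_id,
        "fingerprint": basket_fingerprint(basket),
        "amount": basket_total(basket),
        "currency": CURRENCY,
        "nonce": secrets.token_hex(8),   # one intent, one settlement
    }
    intent["sig"] = _sign(intent)
    return intent


_settled_nonces = set()   # in-memory stand-in for a persistent settlement record


def confirm_payment(intent: dict, basket_id: str, basket: dict,
                    paid_amount: int, paid_currency: str) -> str:
    """Checks run when the payment callback arrives; every field is re-verified."""
    body = {k: v for k, v in intent.items() if k != "sig"}
    if not hmac.compare_digest(_sign(body), str(intent.get("sig", ""))):
        return "rejected: tampered confirmation"          # amount/basket edited client-side
    if body["basket_id"] != basket_id:
        return "rejected: paying for another basket"      # basket-swap
    if body["fingerprint"] != basket_fingerprint(basket):
        return "rejected: basket changed after pricing"   # update-while-paying
    if (paid_amount, paid_currency) != (body["amount"], body["currency"]):
        return "rejected: amount or currency mismatch"    # arbitrary/nil price, currency games
    if body["nonce"] in _settled_nonces:
        return "rejected: repeat payment"                 # replayed confirmation
    _settled_nonces.add(body["nonce"])
    return "accepted"


if __name__ == "__main__":
    cart = {"sku-001": 1, "sku-002": 2}
    intent = create_payment_intent("basket-42", cart)
    print(confirm_payment(intent, "basket-42", cart, intent["amount"], "GBP"))  # accepted
    print(confirm_payment(intent, "basket-42", cart, intent["amount"], "GBP"))  # rejected: repeat payment
```

The order of the checks matters: signature first, so nothing after it trusts client-editable fields; the nonce last, so a rejected attempt does not consume the intent. Voucher and refund logic sit outside this example but should be gated the same way, on server-held state rather than on values echoed back by the client.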

Posted on: 04 November 2014 at 20:11 hrs


07 October 2014

OWASP Testing Guide v4

The OWASP Testing Guide team of volunteers has announced the publication of version 4 of the OWASP Testing Guide.

Partial view of the OWASP Testing Guide's contents showing the new formatting and typography

The creation of version 4 (PDF, HTML) was led by Andrew Muller and Matteo Meucci. The guide is the de facto standard for performing web application penetration testing.

Following an initial overview, introduction and discussion of testing objectives, the testing guidance is structured in eleven main sections:

  • Information gathering
  • Configuration and deployment management testing
  • Identity management testing
  • Authentication testing
  • Authorization testing
  • Session management testing
  • Input validation testing
  • Testing for error handling
  • Testing for weak cryptography
  • Business logic testing
  • Client side testing.

The previous edition was a large step forward in the maturity of the testing guide, and this version 4 goes further. Congratulations to everyone involved.

If you are looking for what to test, and how to build a software security programme, see also these two other OWASP documents respectively:

All OWASP materials are free to download and use.

Posted on: 07 October 2014 at 18:00 hrs


16 September 2014

AppSensor 2x2x2

OWASP AppSensor co-project leader John Melton has published two further AppSensor v2 assets.

Screen capture of the AppSensor 2 web site showing the headings on the user guide section - instrument your application, test and deploy the system, monitor, and tweak as necessary

AppSensor defines how to implement application intrusion detection and automated response.
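As an added illustration of that sentence (this is my own sketch, not the AppSensor reference implementation or its API), the core of the approach is a set of detection points, each with a threshold over a time window, and a response that fires when the threshold is crossed. The detection point identifiers below follow AppSensor's category naming but are chosen here for illustration, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection-point policy (assumption: simplified from the AppSensor model).
# `count` events from one user within `window` triggers `response`.
POLICY = {
    "AE2": {"count": 3, "window": timedelta(minutes=5), "response": "lock_account"},  # repeated login failures
    "IE1": {"count": 2, "window": timedelta(minutes=10), "response": "logout_user"},  # unexpected input
}


class Detector:
    """Counts per-user detection-point events and decides on a response."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)   # (user, point) -> timestamps in window
        self.responses = []                # (user, response, when) decisions taken

    def record(self, user: str, point: str, when: datetime):
        rule = self.policy[point]
        window = self.events[(user, point)]
        window.append(when)
        while window and when - window[0] > rule["window"]:
            window.popleft()               # drop events that fell out of the window
        if len(window) >= rule["count"]:
            self.responses.append((user, rule["response"], when))
            window.clear()                 # reset so one burst yields one response
            return rule["response"]
        return None


def parse_line(line: str):
    """Constructed line format: '<iso timestamp> user=<id> point=<detection point>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return fields["user"], fields["point"], datetime.fromisoformat(ts)


def replay(log_text: str) -> list:
    """Feed constructed application log lines through the detector; return responses."""
    det = Detector()
    for line in log_text.strip().splitlines():
        det.record(*parse_line(line))
    return det.responses


# Constructed sample: alice fails three times inside five minutes, bob's
# failures are spread out and never reach the threshold.
SAMPLE_LOG = """
2014-09-16T07:58:01 user=alice point=AE2
2014-09-16T07:58:20 user=alice point=AE2
2014-09-16T07:59:05 user=bob point=AE2
2014-09-16T07:59:40 user=alice point=AE2
2014-09-16T08:10:00 user=bob point=AE2
2014-09-16T08:21:00 user=bob point=AE2
"""

if __name__ == "__main__":
    for user, response, when in replay(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: {response}")
```

Attribution to an authenticated user (rather than an IP address) is what lets the response be targeted at the account rather than at everyone behind a shared address; in a real deployment the event store and the settled responses would be persisted rather than kept in memory.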

Website 2.0.0

John has designed, coded and written a new standalone website for AppSensor. It was published on Friday and includes a brief description of the concept, an overview, getting started information and a user guide for the reference implementation. In John's words, the objectives were to:

  • Explain the high level concept in a simple way and point people back to the project site and the book for more detail
  • Give developers a nice entry point to the project - modelled after other framework/library sites
  • Give us more flexibility in how we present the project (not just wiki format)
  • In the future, hoping to have live demos.

I think it succeeds on the first three of these, and I will help if I can with the final statement.

To provide feedback or to contribute, please use the project's general mailing list.

Code 2.0.0 beta

If the new website wasn't enough, John has also been putting in many hours of coding to finish developing the new standalone version of the AppSensor reference implementation. On Sunday he announced the beta release of version 2.0.0.

The reference implementation currently supports three execution modes:

  • REST web service
  • SOAP web service
  • Local (embedded Java).

John is hoping a final release can be arranged for October/November.

To provide feedback or to contribute, please use the project's code development mailing list.

2x2x2

So the AppSensor project now has a new guide, a new website, and will imminently have a final release of the version 2 code. I am thrilled. I will be highlighting this new code when I speak at the London API event tomorrow evening. If you are attending that, I will have some free printed copies of the AppSensor Guide with me — if you would like one, please ask me a question about AppSensor.

Posted on: 16 September 2014 at 07:58 hrs


23 July 2014

Cyber Security in the Utility, Energy and Manufacturing Sectors

The Ponemon Institute has published the results of a survey examining how utility, energy and manufacturing organisations are addressing cyber security threats.

Photograph showing people in one of the service tunnels under the Thames Barrier, London

Critical Infrastructure: Security Preparedness and Maturity draws from interviews with 599 global IT and IT security executives in 13 countries, with a third of the responses from Europe.

The report demonstrates that although there is a high level of awareness, the priority given to reducing cyber risk is low, with a resulting low level of IT security maturity. Regarding actual incidents and breaches, there seems to be a high proportion of, or at least awareness of, accidents/mistakes, with negligent insiders being the highest rated threat. I think I'd like to see data for each of utility, energy and manufacturing as I suspect there will be marked differences in the threats.

From a monitoring perspective it seems that "real-time alerts are not effective" and that "more than 80 percent are false positives".

I think that's a "could do better" report.

Posted on: 23 July 2014 at 19:41 hrs


15 July 2014

Dr-Ing Heiderich Visits OWASP in Edinburgh

Earlier this year when I spoke at OWASP East Scotland in Edinburgh, Dr.-Ing. Mario Heiderich was also scheduled to speak but his journey was cancelled due to industrial action.

Photograph of the screen on an RBS NCR ATM displaying, in white text on the blue background, 'RBS - Windows XP Professional Build - Build RNCR205 In progress - Phase 4a of 7 - DO NOT REBOOT'

His previous absence was a disappointment to everyone, but his visit has been rescheduled to this Thursday. He will be presenting on the same subject, "The Inner HTML Apocalypse: How mXSS Attacks Change Everything we Believed so Far". This will introduce and demonstrate a recent technique called mutation-XSS, showing there is much more to XSS attacks than just reflected, persistent and DOM-based cross-site scripting (XSS).

Dr.-Ing. Heiderich is a researcher at Ruhr University Bochum and the director of a security consultancy and penetration testing company, and not to be missed if you can get to Edinburgh on Thursday 17th July - 18:00 hrs for an 18:30 hrs start.

All OWASP chapter meetings are free to attend, but you need to register. The event is being held at Edinburgh University's Informatics Department, 8th Floor, Appleton Tower, 11 Crichton Street, Edinburgh EH8 9LE.

Posted on: 15 July 2014 at 07:33 hrs


11 July 2014

Application Security Testing Magic Quadrant 2014

While on the topic of magic quadrants, the 2014 magic quadrant for application testing vendor products has also been released.

Partial screen capture of the introductory text from the Gartner Application Security Testing Magic Quadrant report

The report examines application security testing (AST) products and services spanning:

  • Static AST (SAST) i.e. automated application source, byte or binary code scanning
  • Dynamic AST (DAST) i.e. runtime automated testing
  • Interactive AST (IAST) that combines elements of both SAST and DAST.

The report is available "free" after registration from many of the vendors named, and here for Gartner subscribers, where it can also be purchased for a mere $1,995.00.

Interesting findings, but not quite what I would expect from seeing some of these in use in real life.

Posted on: 11 July 2014 at 13:58 hrs


© 2008-2015 clerkendweller.uk