Learn Security Testing Basics at uTest University

Data breaches, hacking, and other security leaks have been in the news for months now. Earlier this year, the Heartbleed bug affected the data security at big names like Google, Yahoo, Instagram, Pinterest, and Netflix. Organizations of all sizes from coast to coast are constantly dealing with security threats and breaches. New York suffered 900 data breaches last year, according to a report from the State Attorney General. In California, an insurance company inadvertently exposed the social security numbers of 18,000 doctors on a public web site.

It seems that the trend of big data breaches making the news is not stopping. This PC World article points out the 5 biggest data breaches of 2014 so far and the list includes recognizable names like eBay, Michaels Stores, and the Montana Department of Public Health. All of this media attention puts the security industry – and security testing – in the spotlight.

You can get up to speed on security testing using our course track, which includes:

Continue Reading

Security News You Won’t Want to Miss

Sometimes news comes in waves, and with the recent conclusion of the Black Hat conference in Las Vegas, there’s quite a bit of security news floating around. Here are a few things we thought were especially interesting:

BREACH: The New SSL Attack That’s Hard to Stop

SSL underlies much of the Internet’s security, and attacks against it can be devastating. We want secure transactions with ecommerce sites, safe transmission of passwords, and assurances that we’re interacting with the right people online. Thwarting SSL’s cryptography can undo a lot of that trust and power, making it difficult for people to securely interact with each other online.

This is why many people are worried about a demonstration at Black Hat showing a new method for breaking SSL cryptography called BREACH. The researchers who discovered the method showed that in certain scenarios involving data compression they could extract the underlying ciphertext or secret securing a connection. The attack is complex, but the results were astonishing. During the presentation, the researchers were able to uncover the ciphertext securing an Outlook Web Access session in under 30 seconds.

Unfortunately, there’s no good fix for this problem right now, although Ars Technica has a couple of ideas. The most common recommendation is that you should disable server-side compression. In addition, a member of the Ruby community has also proposed a clever solution that simultaneously offers improved security against cross-site request forgery attacks.

RSA Encryption: It May Be Weaker Than We Thought

Also at Black Hat, four security researchers gave a presentation about how the RSA and Diffie-Hellman cryptography algorithms may be cracked in the next 5 years. The researchers believe that new techniques will emerge in the next few years that simplify solving the discrete logarithm problem, which will subsequently cripple these algorithms.

So what does it all mean? Well, RSA turns out to be the foundation of a whole lot of cryptography, including the above mentioned SSL. (It’s not been a good week for SSL.) Breaking RSA would permit attackers to crack SSL and read or modify your personal information (assuming they didn’t get their fill from the BREACH attack).

So what’s the solution to this problem? Well it turns out the NSA, when not reading the emails of regular Americans, has for the last several years recommended we all switch to elliptic curve cryptography (or ECC for short). In a rare case of international agreement, it turns out the Russians have been saying the same thing.

The only catch? Many of the patents for ECC are currently owned by Research In Motion, making it hard for anyone to get a head start implementing it on a global basis. We may be stuck with RSA for a little bit longer.

Problems With Chrome: Password Storage

Continue Reading

Linux Kernel Vulnerability Creates Headaches

Are you a Linux system administrator? Are you running a kernel that’s newer than at least 2.6.37 (or 2.6.32 on CentOS)? Then you might want to pay attention. A newly discovered kernel vulnerability allows users to escalate their privileges to root level. That means that anyone who has access to the command line can gain root access on just about any recent Linux system.

Ars Technica outlines some of the major issues, while Reddit has a deeper and more technical explanation. Here’s a quick summary:

Deep inside the kernel, in the performance counters subsystem, is a rather innocuous looking signed integer variable. However, in other portions of the code, the same variable is treated as an unsigned integer. The problem is that it’s possible for a user to provide a very large unsigned integer to the process, and when that unsigned integer encounters the signed integer, it gets transformed into a negative number. That means that while I might input BIG_NUMBER, once it finally percolates through the code it becomes -DIFFERENT_BIG_NUMBER.

If you’re a former C developer, you’re probably starting to see how this goes wrong. This particular integer just so happens to be used as an array reference, and C is perfectly happy to reference anywhere in memory an array reference says to look. A clever attacker can use the incorrect negative index to write data into invalid portions of memory which are eventually executed by other processes. Both the bug and the exploit are pretty classic and standard stuff.

The fix is remarkably simple: change the signed integer to an unsigned integer. Most people will need to contact their Linux vendors to get an updated version of the kernel, while those who are true diehards can of course compile a kernel themselves. Either way, if you manage a Linux machine of any kind, you should definitely upgrade as soon as possible. An exploit is already floating around in the wild.

More details are also available from Red Hat. This is CVE-2013-2094, for those of you keeping track of such things.
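The signed/unsigned mix-up described above, reduced to a constructed C illustration (this is not the kernel’s perf code, and the array, constants and function names are made up for the example). The vulnerable check stores a 64-bit user-supplied value in a plain int, so large values wrap negative or lose their high bits and slip past a "less than the array length" test; the fixed check keeps the value unsigned and compares it at full width, which is what the one-line kernel fix amounts to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the signed/unsigned index bug pattern.
 * Not the kernel's code: array, names and values are invented here. */

#define COUNTER_SLOTS 16

/* The array the index selects from; a few constructed sample values. */
static int counters[COUNTER_SLOTS] = { 0, 10, 20, 30 };

/* Vulnerable pattern: a 64-bit value from user space is stored in an int and
 * bounds-checked as a signed number. Two things go wrong:
 *  - values >= 2^31 wrap negative (the conversion is implementation-defined
 *    in C, but GCC and Clang wrap on two's-complement targets), and a
 *    negative index is "< COUNTER_SLOTS", so the check passes;
 *  - the high 32 bits are silently dropped, so 0x100000005 looks like 5. */
bool signed_check_accepts(uint64_t user_value)
{
    int idx = (int)user_value;
    return idx < COUNTER_SLOTS;   /* no lower bound, and a truncated value */
}

/* Fixed pattern, matching the described fix: keep the value unsigned and
 * compare it at full width. Anything that would have gone negative is now a
 * huge unsigned number and is rejected. */
bool unsigned_check_accepts(uint64_t user_value)
{
    return user_value < COUNTER_SLOTS;
}

/* Accessor built on the fixed check: returns the counter, or -1 instead of
 * touching memory outside the array. */
int read_counter(uint64_t user_value)
{
    if (!unsigned_check_accepts(user_value))
        return -1;
    return counters[user_value];
}

int main(void)
{
    /* Constructed probe values: a valid index, an all-ones value, a value
     * whose low 32 bits look valid, and one that truncates to INT_MIN. */
    const uint64_t probes[] = { 3, UINT64_MAX, 0x100000005ULL, 0xFFFFFFFF80000000ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("0x%016llx: signed check %s, unsigned check %s\n",
               (unsigned long long)probes[i],
               signed_check_accepts(probes[i]) ? "accepts" : "rejects",
               unsigned_check_accepts(probes[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```

Running it shows the signed check accepting all four probes while the unsigned check accepts only the genuinely valid index. The general lesson for reviewers is that any bounds check on a value of narrower or differently signed type than the one user space supplied should be treated as suspect.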

Browser Security Bug Can Fill Your Hard Drive

A universal truth in software security is that your security can come crashing down with one person’s new discovery. So it was with several different web browsers when a clever researcher discovered a new trick to coerce a browser into filling its hard disk with garbage. All a user needs to do is browse to the wrong site on the web, and bye bye disk space.

How does this amazingly clever attack work? Feross Aboukhadijeh explains it in a recent post on his blog where he also links to a proof of concept site that really will fill up your hard drive. (The blog post link above is safe. What you click after you end up on Feross’s blog is up to you.) Here’s how the whole problem works:

HTML5 allows websites to ask a browser to store information about a user’s session on the disk. It’s a pretty nifty feature, expanding the power of websites to store session data beyond the minuscule amount permitted by a cookie. The HTML5 spec is also pretty clear that browsers should set a limit on how much a particular site can store:

User agents should limit the total amount of space allowed for storage areas.

What Aboukhadijeh discovered is that subdomains might not count against the same limit. That means that if my browser permits each site to have 5MB, then 1.example.com, 2.example.com, 3.example.com, etc. would each get 5MB. A clever attacker just needs to create a long list of subdomains and then coerce the visitor’s browser into loading them all at once.

So is this a bug with HTML5 or the browsers? Continue Reading

Ruby on Rails Security Vulnerability Throws Apps Off Track

Over the past several years, the web development community has been enthralled with Ruby on Rails. The combination of the Ruby language with the Rails framework has proven extremely powerful, and many of the web’s top sites are built using the two technologies. For example, sites like Twitter, 500px, Groupon and more were all built with Ruby on Rails as their framework. Both new and veteran developers have adopted the platform because of its ease of use, rich library of components, and outstanding tools.

Late last month, the gleam of Ruby on Rails dulled considerably as a new class of security attacks emerged targeting the framework. Like many security vulnerabilities, the attacks started out as academic exercises which were quickly spun into automated attack bots designed to knock over Rails servers en masse.

Today, anyone who runs a Ruby on Rails server who hasn’t applied an update is probably already compromised. Think that’s overstating things a bit? Patrick McKenzie sounds the alarm loudly in his blog post titled What The Rails Security Issue Means For Your Startup:

It is imperative that you understand that all Rails applications will eventually be targeted by this and similar attacks, and any vulnerable applications will be owned, regardless of absence of these risk factors.

Still think that’s overstating things? Continue Reading

Top 10 Signs You’re Not Ready To Be A Security Tester

Becoming a security tester can be tough. It requires deep training and expertise in system architecture, computer engineering, network theory, and human psychology. Learning these skills can take considerable time, and it may take years for a tester to truly become a security master.

If you are learning to be a security tester, here are 10 signs you’re not quite ready for the job:

10. Your password appears on this list.

9. Your concept of social engineering is to throw a really great party and then figure out how each person can have the best possible time.

8. You think 56 bit DES ought to be good enough for anyone.

7. You can’t remember if your doctor gave you a SQL injection with your last set of vaccinations.

6. You think Van Eck phreaking is the title of Armin Van Buuren’s latest album.

5. You start looking for a mop when you hear someone mention a buffer overflow.

4. You think phishing means getting stoned and going to a concert by that band from Vermont.

3. When you hear OWASP, you reach for a can of bug spray.

2. You think that cross-site scripting is a fancy form of calligraphy.

1. You worry that if the private key doesn’t open up a little more, it will never be accepted by its friends and public_key will always be the popular one.

Buffer Overflow Attacks Get Much, Much Harder

It’s been almost 16 years since Aleph One published his classic article titled Smashing The Stack For Fun And Profit. In it, Aleph One (whose real name is Elias Levy) laid out a template for executing buffer overflow attacks that any computer-savvy hacker could follow. Back then, developers were more naive about writing code with rigorous boundary checking, and most applications written in C and C++ had exploitable buffer overflow vulnerabilities. With the growth of connected applications over the Internet (written in C and C++, of course), hackers and worm writers remotely felled software from giants like Microsoft, Oracle, Sun Microsystems, and others. Buffer overflows became the scary monster security vulnerability of the late 90s and early 2000s, and even today discovering a buffer overflow is the grand discovery of all security exploits – conferring black-belt status on whoever finds one.

Since then, a lot has changed. Both Intel and AMD have made a number of improvements to x86, and modern computer architectures have made it much harder to exploit buffer overflows. In addition, newer compilers and operating systems have added a number of tricks that make exploiting compiled applications more difficult.

One of those techniques is Address Space Layout Randomization, or ASLR. Exploiting a buffer overflow requires knowing the location of certain memory addresses. It used to be that those addresses were predictable for a given application, but newer operating systems can shake them up each time the app loads. It’s like shuffling a deck of cards and then expecting you to figure out which card is the queen of spades on the first try. If you shuffle it the same way every time, I’ll figure it out pretty quick. But if you make your shuffle truly random, then I’m out of luck.

Microsoft will be improving their implementation of ASLR in Windows 8 to make it much harder to predict the location of addresses for an application as well as all the supporting libraries surrounding the application. That means it will be even harder for an attacker to predict addresses, which makes buffer overflows much harder.

Want to learn more? Ars Technica has a great post about how ASLR will be used to improve the security of IE10. Also, check out this article by Paul Makowski about all the things that have changed with computer security since 1996 that make buffer overflows so much harder to exploit.

SSL is Broken and Nearly Impossible to Fix

SSL is the protocol that underlies most of the Internet’s encrypted traffic, and lately many people have begun to realize that SSL is flawed in a pretty obvious and easily exploited way.

SSL relies on certificates to set up a secure connection between computers. Generating a certificate is easy, and it’s possible to create a valid certificate for any address on the Internet. Certificate authorities (or CAs) ensure trust and prevent mayhem by validating that the certificate owner is who they claim to be and then adding a signature to the certificate labeling it as legitimate.

When you visit a secure website, your browser gets a certificate signed by an authority saying that this website is authentic. The browser compares that signature against its own built-in list of known certificate authorities (and their public keys). How many authorities does your browser know about? Try more than 600!

The SSL certificate authority model works well if you assume the authority treats its super-secret private key like the gold in Fort Knox: the key is only handled by a small group of Internet priests who open the vault in a solemn ritual, remove the key, calculate a signature using nothing but slide rules and chalkboards, and then hastily return their private key to the sacred vault. Obviously, most CAs skip this time-consuming and expensive process and trust their computer systems to manage their private key securely in a way that’s resistant to theft by outsiders.

If you think 600 different people can secure their data perfectly, then have we got news for you. I could throw a party for 600 of the smartest people in the world, and chances are good that one of them would forget to wear deodorant. You simply can’t trust 600 different certificate authorities to properly manage their private keys.

And this is the problem. All it takes to compromise SSL is to get access to a single private key from one of the 600 certificate authorities. Once I have that, I can create a certificate claiming to be any site on the web, and your browser will accept it without question.

Continue Reading

Cyber Threats Get Top Level Attention

Last month there were several reports of cyber attacks on water treatment plants (Houston, TX and Springfield, IL come immediately to mind). The Springfield incident turned out to be a major miscommunication, but the Houston attack is holding strong and at least three other attacks have been confirmed by the FBI. These attacks were so real, in fact, that Michael Welch, deputy director of the FBI’s Cyber Division, recently announced that the FBI will be increasing its cyber budget by roughly 12%. Here’s a recap from Sophos’ Naked Security blog:

At a recent security conference Michael Welch, the deputy assistant director of the FBI’s Cyber Division, gave a speech where he discussed the issue of SCADA security.

Information Age magazine reported on his speech and quoted Welch as saying:

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city."

… It’s great that Welch acknowledges the work we have to do in this area and even went so far as to suggest the FBI will double the size of their Cyber division in the next 12 to 18 months.

Sound too good to be true? Then it probably is.

Continue Reading

Missile Firing Predator Drones + Virus = Bad News

We recently wrote about the need for security testing on medical equipment, but it looks like an even larger virus threat has come to light – on U.S. Predator and Reaper drone weapons systems.

While an unofficial source said they suspect it’s benign, they also added, “But we just don’t know”. The thought of an attack drone being hacked is chilling, to say the least. Jalopnik has a nice write-up of some of their historic missions (and the virus), but this seems to reinforce the hypothesis that the United States is entering a “Code War”.

Here’s the crux:

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

For those interested, we have a new whitepaper on Software Security Testing.