Security News You Won’t Want to Miss

Sometimes news comes in waves, and with the recent conclusion of the Black Hat conference in Las Vegas, there’s quite a bit of security news floating around. Here are a few things we thought were especially interesting:

BREACH: The New SSL Attack That’s Hard to Stop

SSL underlies much of the Internet’s security, and attacks against it can be devastating. We want secure transactions with ecommerce sites, safe transmission of passwords, and assurances that we’re interacting with the right people online. Thwarting SSL’s cryptography can undo a lot of that trust and power, making it difficult for people to securely interact with each other online.

This is why many people are worried about a demonstration at Black Hat showing a new method for breaking SSL cryptography called BREACH. The researchers who discovered the method showed that in certain scenarios involving data compression they could extract the underlying ciphertext or secret securing a connection. The attack is complex, but the results were astonishing. During the presentation, the researchers were able to uncover the ciphertext securing an Outlook Web Access session in under 30 seconds.

Unfortunately, there’s no good fix for this problem right now, although Ars Technica has a couple of ideas. The most common recommendation is that you should disable server-side compression. In addition, a member of the Ruby community has proposed a clever solution that simultaneously offers improved security against cross-site request forgery attacks.

RSA Encryption: It May Be Weaker Than We Thought

Also at Black Hat, four security researchers gave a presentation about how the RSA and Diffie-Hellman cryptography algorithms may be cracked in the next 5 years. The researchers believe that new techniques will emerge in the next few years that simplify solving the discrete logarithm problem, which will subsequently cripple these algorithms.

So what does it all mean? Well, RSA turns out to be the foundation of a whole lot of cryptography, including the above-mentioned SSL. (It’s not been a good week for SSL.) Breaking RSA would permit attackers to crack SSL and read or modify your personal information (assuming they didn’t get their fill from the BREACH attack).

So what’s the solution to this problem? Well it turns out the NSA, when not reading the emails of regular Americans, has for the last several years recommended we all switch to elliptic curve cryptography (or ECC for short). In a rare case of international agreement, it turns out the Russians have been saying the same thing.

The only catch? Many of the patents for ECC are currently owned by Research In Motion, making it hard for anyone to get a head start implementing it on a global basis. We may be stuck with RSA for a little bit longer.

Problems With Chrome: Password Storage


Essential Guide to Mobile App Testing

Linux Kernel Vulnerability Creates Headaches

Are you a Linux system administrator? Are you running a kernel that’s newer than at least 2.6.37 (or 2.6.32 on CentOS)? Then you might want to pay attention. A newly discovered kernel vulnerability allows users to escalate their privileges to root level. That means that anyone who has access to the command line can gain root access on just about any recent Linux system.

Ars Technica outlines some of the major issues, while Reddit has a deeper and more technical explanation. Here’s a quick summary:

Deep inside the kernel, in the performance counters subsystem, is a rather innocuous looking signed integer variable. However, in other portions of the code, the same variable is treated as an unsigned integer. The problem is that it’s possible for a user to provide a very large unsigned integer to the process, and when that unsigned integer encounters the signed integer, it gets transformed into a negative number. That means that while I might input BIG_NUMBER, once it finally percolates through the code it becomes -DIFFERENT_BIG_NUMBER.

If you’re a former C developer, you’re probably starting to see how this goes wrong. This particular integer just so happens to be used as an array index, and C is perfectly happy to reference anywhere in memory an array index says to look. A clever attacker can use the incorrect negative index to write data into invalid portions of memory which are eventually executed by other processes. Both the bug and the exploit are pretty classic and standard stuff.

The fix is remarkably simple: change the signed integer to an unsigned integer. Most people will need to contact their Linux vendors to get an updated version of the kernel, while those who are true diehards can of course compile a kernel themselves. Either way, if you manage a Linux machine of any kind, you should definitely upgrade as soon as possible. An exploit is already floating around in the wild.

More details are also available from Red Hat. This is CVE-2013-2094, for those of you keeping track of such things.


Browser Security Bug Can Fill Your Hard Drive

A universal truth in software security is that your security can come crashing down with one person’s new discovery. So it was with several different web browsers when a clever researcher discovered a new trick to coerce a browser into filling its hard disk with garbage. All a user needs to do is browse to the wrong site on the web, and bye bye disk space.

How does this amazingly clever attack work? Feross Aboukhadijeh explains it in a recent post on his blog where he also links to a proof of concept site that really will fill up your hard drive. (The blog post link above is safe. What you click after you end up on Feross’s blog is up to you.) Here’s how the whole problem works:

HTML5 allows websites to ask a browser to store information about a user’s session on the disk. It’s a pretty nifty feature, expanding the power of websites to store session data beyond the minuscule amount permitted by a cookie. The HTML5 spec is also pretty clear that browsers should set a limit on how much a particular site can store:

User agents should limit the total amount of space allowed for storage areas.

What Aboukhadijeh discovered is that subdomains might not count against the same limit. That means that if my browser permits each site to have 5MB, then 1.example.com, 2.example.com, 3.example.com, etc. would each get 5MB. A clever attacker just needs to create a long list of subdomains and then coerce the visitor’s browser into loading them all at once.

So is this a bug with HTML5 or the browsers?


Ruby on Rails Security Vulnerability Throws Apps Off Track

Over the past several years, the web development community has been enthralled with Ruby on Rails. The combination of the Ruby language with the Rails framework has proven extremely powerful, and many of the web’s top sites are built using the two technologies. For example, sites like Twitter, 500px, Groupon and more were all built with Ruby on Rails as their framework. Both new and veteran developers have adopted the platform because of its ease of use, rich library of components, and outstanding tools.

Late last month, the gleam of Ruby on Rails dulled considerably as a new class of security attacks emerged targeting the framework. Like many security vulnerabilities, the attacks started out as academic exercises which were quickly spun into automated attack bots designed to knock over Rails servers en masse.

Today, anyone who runs a Ruby on Rails server who hasn’t applied an update is probably already compromised. Think that’s overstating things a bit? Patrick McKenzie sounds the alarm loudly in his blog post titled What The Rails Security Issue Means For Your Startup:

It is imperative that you understand that all Rails applications will eventually be targeted by this and similar attacks, and any vulnerable applications will be owned, regardless of absence of these risk factors.

Still think that’s overstating things?


Top 10 Signs You’re Not Ready To Be A Security Tester

Becoming a security tester can be tough. It requires deep training and expertise in system architecture, computer engineering, network theory, and human psychology. Learning these skills can take considerable time, and it may take years for a tester to truly become a security master.

If you are learning to be a security tester, here are 10 signs you’re not quite ready for the job:

10. Your password appears on this list.

9. Your concept of social engineering is to throw a really great party and then figure out how each person can have the best possible time.

8. You think 56 bit DES ought to be good enough for anyone.

7. You can’t remember if your doctor gave you a SQL injection with your last set of vaccinations.

6. You think Van Eck phreaking is the title of Armin Van Buuren’s latest album.

5. You start looking for a mop when you hear someone mention a buffer overflow.

4. You think phishing means getting stoned and going to a concert by that band from Vermont.

3. When you hear OWASP, you reach for a can of bug spray.

2. You think that cross-site scripting is a fancy form of calligraphy.

1. You worry that if the private key doesn’t open up a little more, it will never be accepted by its friends and public_key will always be the popular one.
