Buffer Overflow Attacks Get Much, Much Harder

It’s been almost 16 years since Aleph One published his classic article titled Smashing The Stack For Fun And Profit. In it, Aleph One (whose real name is Elias Levy) laid out a template for executing buffer overflow attacks that any computer-savvy hacker could follow. Back then, developers were more naive about writing code with rigorous boundary checking, and most applications written in C and C++ had exploitable buffer overflow vulnerabilities. With the growth of connected applications over the Internet (written in C and C++, of course), hackers and worm writers remotely felled software from giants like Microsoft, Oracle, Sun Microsystems, and others. Buffer overflows became the scary monster security vulnerability of the late 90s and early 2000s, and even today discovering a buffer overflow is the grand discovery of all security exploits – conferring black-belt status on whoever finds one.

Since then, a lot has changed. Both Intel and AMD have made a number of improvements to x86, and modern computer architectures have made it much harder to exploit buffer overflows. In addition, newer compilers and operating systems have added a number of tricks that make exploiting compiled applications more difficult.

One of those techniques is Address Space Layout Randomization, or ASLR. Exploiting a buffer overflow requires knowing the location of certain memory addresses. It used to be that those addresses were predictable for a given application, but newer operating systems can shake them up each time the app loads. It’s like shuffling a deck of cards and then expecting you to figure out which card is the queen of spades on the first try. If you shuffle it the same way every time, I’ll figure it out pretty quick. But if you make your shuffle truly random, then I’m out of luck.

Microsoft will be improving their implementation of ASLR in Windows 8 to make it much harder to predict the location of addresses for an application as well as all the supporting libraries surrounding the application. That means it will be even harder for an attacker to predict addresses, which makes buffer overflows much harder.
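To see what ASLR actually shuffles, here is a small C program (an added example, not code from the original post) that records the address of a stack variable, a heap block, one of its own functions and a C-library function, and checks that the four land in different places. Build it, run it a few times and compare the lines: with ASLR enabled every column changes between runs, and if the "text" column stays fixed the executable was not built as position-independent code (PIE), so the program's own code would still be at a predictable address. The struct and function names are mine, not from the post.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One snapshot of the addresses a classic stack-smashing exploit needs to
 * know: where the stack is, where the heap is, where the program's own code
 * lives, and where the C library function was resolved. ASLR randomises these
 * per process, so two runs of this program should print different values. */
struct layout_snapshot {
    uintptr_t stack; /* address of a local variable */
    uintptr_t heap;  /* address returned by malloc */
    uintptr_t text;  /* address of a function in this binary */
    uintptr_t libc;  /* address of printf (in a non-PIE build this may be the
                        PLT stub inside the binary rather than libc itself) */
};

struct layout_snapshot take_snapshot(void)
{
    volatile int marker = 0;      /* lives on this frame's stack */
    void *block = malloc(64);     /* lives on the heap */
    struct layout_snapshot s;

    s.stack = (uintptr_t)&marker;
    s.heap  = (uintptr_t)block;
    s.text  = (uintptr_t)&take_snapshot;
    s.libc  = (uintptr_t)&printf;

    free(block);
    return s;
}

/* Every region was resolved and the four addresses are pairwise distinct
 * (they come from different mappings). Returns 1 if sane, 0 otherwise. */
int snapshot_is_sane(const struct layout_snapshot *s)
{
    uintptr_t a[4] = { s->stack, s->heap, s->text, s->libc };
    for (int i = 0; i < 4; i++) {
        if (a[i] == 0)
            return 0;
        for (int j = i + 1; j < 4; j++)
            if (a[i] == a[j])
                return 0;
    }
    return 1;
}

/* Compare two snapshots (for example, the values printed by two separate
 * runs): a region whose address is identical across runs is not being
 * randomised. Returns a bitmask: bit 0 = stack, bit 1 = heap, bit 2 = text,
 * bit 3 = libc is unchanged between the two snapshots. */
unsigned unrandomised_regions(const struct layout_snapshot *a,
                              const struct layout_snapshot *b)
{
    unsigned mask = 0;
    if (a->stack == b->stack) mask |= 1u << 0;
    if (a->heap  == b->heap)  mask |= 1u << 1;
    if (a->text  == b->text)  mask |= 1u << 2;
    if (a->libc  == b->libc)  mask |= 1u << 3;
    return mask;
}

int main(void)
{
    struct layout_snapshot s = take_snapshot();
    if (!snapshot_is_sane(&s))
        return 1;
    /* Run the binary several times (built with e.g. gcc -fPIE -pie) and
     * compare these lines across runs. */
    printf("stack=%#" PRIxPTR " heap=%#" PRIxPTR
           " text=%#" PRIxPTR " libc=%#" PRIxPTR "\n",
           s.stack, s.heap, s.text, s.libc);
    return 0;
}
```

Within a single process nothing moves, so two snapshots taken in the same run report every region as unchanged; the randomisation only shows up when you compare separate runs, which is exactly the property an attacker who hard-codes a return address depends on not having.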

Want to learn more? Ars Technica has a great post about how ASLR will be used to improve the security of IE10. Also, check out this article by Paul Makowski about all the things that have changed with computer security since 1996 that make buffer overflows so much harder to exploit.

Essential Guide to Mobile App Testing

SSL is Broken and Nearly Impossible to Fix

SSL is the protocol that underlies most of the Internet’s encrypted traffic, and lately many people have begun to realize that SSL is flawed in a pretty obvious and easily exploited way.

SSL relies on certificates to set up a secure connection between computers. Generating a certificate is easy, and it’s possible to create a valid certificate for any address on the Internet. Certificate authorities (or CAs) ensure trust and prevent mayhem by validating that the certificate owner is who they claim to be and then adding a signature to the certificate labeling it as legitimate.

When you visit a secure website, your browser gets a certificate signed by an authority saying that this website is authentic. The browser compares that signature against its own built-in list of known certificate authorities (and their public keys). How many authorities does your browser know about? Try more than 600!

The SSL certificate authority model works well if you assume the authority treats its super-secret private key like the gold in Fort Knox: the key is only handled by a small group of Internet priests who open the vault in a solemn ritual, remove the key, calculate a signature using nothing but slide rules and chalkboards, and then hastily return their private key to the sacred vault. Obviously, most CAs skip this time-consuming and expensive process and trust their computer systems to manage their private key securely in a way that’s resistant to theft by outsiders.

If you think 600 different people can secure their data perfectly, then have we got news for you. I could throw a party for 600 of the smartest people in the world, and chances are good that one of them would forget to wear deodorant. You simply can’t trust 600 different certificate authorities to properly manage their private keys.

And this is the problem. All it takes to compromise SSL is to get access to a single private key from one of the 600 certificate authorities. Once I have that, I can create a certificate claiming to be any site on the web, and your browser will accept it without question.


Cyber Threats Get Top Level Attention

Last month there were several reports of cyber attacks on water treatment plants (Houston, TX and Springfield, IL come immediately to mind). The Springfield incident turned out to be a major miscommunication, but the Houston attack is holding strong and at least three other attacks have been confirmed by the FBI. These attacks were so real, in fact, that Michael Welch, deputy director of the FBI’s Cyber Division, recently announced that the FBI will be increasing its cyber budget by roughly 12%. Here’s a recap from Sophos’ Naked Security blog:

At a recent security conference Michael Welch, the deputy assistant director of the FBI’s Cyber Division, gave a speech where he discussed the issue of SCADA security.

Information Age magazine reported on his speech and quoted Welch as saying:

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city."

… It’s great that Welch acknowledges the work we have to do in this area and even went so far as to suggest the FBI will double the size of their Cyber division in the next 12 to 18 months.

Sound too good to be true? Then it probably is.


Missile Firing Predator Drones + Virus = Bad News

We recently wrote about the need for security testing on medical equipment, but it looks like an even larger virus threat has come to light – on U.S. Predator and Reaper drone weapons systems.

While an unofficial source said they suspect it’s benign, they also added, “But we just don’t know”. The thought of an attack drone being hacked is chilling, to say the least. Jalopnik has a nice write-up of some of their historic missions (and the virus), but this seems to reinforce the hypothesis that the United States is entering a “Code War”.

Here’s the crux:

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

For those interested, we have a new whitepaper on Software Security Testing.


Top Security Hacks of 2011

We’re just about halfway through the year but I’m calling it now: 2011 is the year of the hacker. Grim?  Maybe.  Just about every week there has been a new story about a company being hacked and it’s costing companies millions of dollars and even more for their brand reputation.

While only two of these hacks really impacted a company I use heavily, I thought I’d do a quick countdown on the top hacks of 2011 and the associated costs.

7) DropBox
The file-sharing site opened the doors for four hours this week, allowing anyone with a login to access other accounts. It turns out that it was a self-inflicted wound: DropBox broke their own authentication system. While the financial impact probably won’t be released, just browse through the 600+ customer comments to see how the issue and their response impacted their brand. It’s a bug, not a hack, but certainly something that could have been avoided with ample testing prior to a full launch.

Responsible: Themselves.

Cost: A self reported “much less than 1%” of their more than 25 million users were impacted to an undisclosed extent.

6) MovableType / PBS.org
In pure retaliation, a group of hackers targeted PBS.org in response to a Frontline episode’s portrayal of WikiLeaks leaker Bradley Manning. The hackers gained control of PBS.org and republished false information. PBS was not able to immediately regain control and was forced to use their Facebook page as their primary news source.

Responsible: LulzSec.

Cost: One of their Sr. Correspondents, Judy Woodruff, wrote a post on “Calculating the Cost of an Attempt to Silence the Press”.  While they didn’t disclose any financial costs or specific user information loss, it has certainly been a struggle for them to regain control of their site and all of their content.
