Wednesday, January 23, 2008

Are you helping someone Harvest your Passwords?

Do you ever reuse passwords? If not, can you really keep them all straight? Which password goes with which site? I will assume that on more than one occasion you have mistakenly entered one of your other passwords while trying to log into a website. Consider for a moment all of those failed logins that the webserver handles. What if the webserver logged the username and the incorrect password that was entered? In many cases the incorrect password would be a typo. But in other situations it would be the legitimate password of that user at another site.

If the owner of this webserver wanted to be particularly malicious, they could keep track of the usernames and failed logins and then attempt these combinations at other popular sites: Gmail, Yahoo, eBay, Amazon, MySpace, Bank of America, Chase. I imagine you have a login account at at least one of those sites.

What can you do? The obvious and least helpful suggestion is to not enter a valid password at the wrong site. However, an actual suggestion to help is to consider secure password storage. There are several options out there. I would recommend the program called Password Safe. This application lets the user create a master safe, with a single master password, to store all other passwords securely. You add a website name and the username and password. After that you can double click on the saved password and copy it into the password form of the website. You don't even have to see the password after you initially set it. If you really want to take passwords to the next level you can use the random generator built into the tool. This lets you generate a random password when you create the entry (obviously you have to set this same password for the web site account).

If you go to try out pwsafe I recommend a couple of things.

1. Make the password for pwsafe strong (i.e., the master password). But at the same time, don't make it something crazy that you will forget, since you would lose access to all your other passwords. There are lots of guides out there on how to pick strong passwords. One method which is effective and easy to remember is to pick a passphrase. For example, the following could be your passphrase:

The little brown fox ran into the barn.

This passphrase contains 39 characters and would not be quickly guessed by anyone. Also remember, the only people who will have access to pwsafe are the people with access to your computer.

2. If you are afraid you are going to forget your master password, go ahead and write it down and store it somewhere securely. Yes, I said you can write down your password. The key is to still store that piece of paper somewhere that is not accessible to others (i.e., not on your monitor, under your keypad, or in your wallet). You may be questioning my suggestion and think that if it's written down then someone could find it and gain access to all of my other passwords. True, that would be bad. But we don't want you to forget the master password and completely lose access to everything in pwsafe. And if you really feel threatened about unknown people entering your house, searching through your stuff and taking a piece of paper with a sentence on it and then using that to hack into your computer...well, invest in better locks for your doors and stop using computers.

I certainly got off the initial topic. I think it is an interesting threat that is posed by simply entering incorrect passwords into sites we use each day. Pwsafe has worked well for me and I wanted to provide that suggestion along with a few tips. Best of luck.

-Michael Coates

Sunday, January 20, 2008

Hotspot web browsing over DNS

Public wifi hotspots are starting to get a little smarter. I've noticed more networks blocking ICMP. While ICMP is normally used to test if machines are alive and perform other diagnostic tasks, it can also be used as an alternate channel. Several tools are freely available which create an IP tunnel over the ICMP protocol. If you're not familiar with this idea, check out this paper for a more thorough description.

So, let's take this idea of tunneling over ICMP and think about the current hotspot configuration. One thing hotspots haven't considered is IP over DNS. I've confirmed at several hotspots that, prior to paying for service, a user can perform the following:

  1. You can perform DNS resolutions to the default DNS server

  2. You can perform DNS resolutions to an arbitrary DNS server.


The main problem is item #2. By allowing DNS lookups to arbitrary DNS servers you are creating an opportunity for an alternate channel over DNS requests.

Consider the following:

Mobile Laptop
- The mobile laptop is configured with a proxy of localhost:<some port>
- A proxy application is running on the laptop which accepts web requests, inserts them into the data of a DNS request and forwards them over port 53 to a remote DNS server

Remote Server
- A remote server is configured with a proxy application which accepts DNS requests and pulls the web request from the data portion of the DNS packet
- The server application makes the web request and receives the response
- The server wraps the response into a DNS response message and sends it back to the laptop

Mobile Laptop
- The proxy application receives the response and sends it to the browser.

The end result would be full web browsing that is tunneled over DNS request/response. There really is no reason why you couldn't expand this idea to a full TCP/IP connection tunneled over DNS. That would just take a little bit more work.
-Michael Coates
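
From the hotspot operator's side, the two conditions described in the post can be watched for in the gateway's DNS query log. The following is an added example, not part of the original post: the log format, the resolver address, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Assumed policy values for this sketch; none of them come from the post.
HOTSPOT_RESOLVER = "10.0.0.1"  # the only resolver an unpaid client should reach
MAX_LABEL_LEN = 40             # ordinary hostnames rarely carry labels this long
MIN_ENTROPY = 3.5              # bits per character; encoded data looks near-random

# Constructed log lines: client_ip resolver_ip paid|unpaid qname
SAMPLE_LOG = [
    "10.0.0.23 10.0.0.1 unpaid www.google.com",
    "10.0.0.41 203.0.113.7 unpaid "
    "k3f7q2mzx5bw6tnyzq6x3tkb7ymf5n2w5wn2kyt6bxq3z7fm.t.example.net",
    "10.0.0.57 203.0.113.7 paid www.espn.com",
    "10.0.0.66 198.51.100.9 unpaid mail.example.org",
]

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def findings(lines):
    """Map each unpaid client to the reasons its DNS traffic looks wrong."""
    flagged = {}
    for line in lines:
        client, resolver, state, qname = line.split()
        if state == "paid":
            continue  # paying customers may use any resolver
        reasons = flagged.setdefault(client, set())
        # Item #2 from the post: a lookup sent past the hotspot's own resolver.
        if resolver != HOTSPOT_RESOLVER:
            reasons.add("external-resolver")
        # Data carried in a query name shows up as a long, random-looking label.
        longest = max(qname.rstrip(".").lower().split("."), key=len)
        if len(longest) > MAX_LABEL_LEN and shannon_entropy(longest) >= MIN_ENTROPY:
            reasons.add("encoded-label")
    return {client: reasons for client, reasons in flagged.items() if reasons}

if __name__ == "__main__":
    for client, reasons in sorted(findings(SAMPLE_LOG).items()):
        print(client, sorted(reasons))
```

The label check runs whichever resolver the query was sent to, so it still applies once the gateway drops port 53 traffic from unpaid clients to any resolver other than its own.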

Saturday, January 12, 2008

14 year old hacks train - Security by Obscurity Fails

If you haven't seen this story yet then you'll be in for a surprise. A 14 year old boy in Poland hacked into the train control system and was able to take control of the train junctions. Several trains derailed causing numerous injuries, but luckily nothing worse.

Based on the information in the articles, the boy's "hack" was simply building a device that could send the correct signals to the train track control system. The device was created from a TV remote control and communicated with the train controls over infra-red.

The obvious problem here is that there wasn't any actual security implemented. I imagine that the designers of the train control system figured that most people wouldn't try, or be able, to create such a device, and therefore they would be secure. However, this is the problem with security by obscurity: the item (in this case the ability to control the train system) is only secure when people don't know how to access it. So if these remote controls suddenly went on sale at your local grocery, everyone could control the trains. This is precisely why you can't rely on obscurity, just hoping that people don't figure out how to access your system. Instead, implement strong authentication to access the control system and use an encrypted stream of communication. There are a variety of options. The bottom line is that a security threat analysis has to be performed and security has to be implemented. We can't just keep hoping that nothing bad will happen and ignore fundamental security practices.

-Michael Coates

Tuesday, January 8, 2008

Hotel snooping on your browsing activity?

If you are concerned about browsing privacy you may want to think twice about using your hotel network.

I'm currently at a hotel that is using Superclick to provide wired and wireless access to the hotel rooms. I don't expect exceptional download speed while at a hotel; however, I never expected to have my entire browsing experience monitored and logged by the ISP.

While on the Superclick network I determined the following:

  • All non-SSL URL requests are intercepted by Superclick and fed to their webserver as a URL parameter

  • The Superclick server retrieves the requested page, drops it into the main frame of a frame set and returns the frame to the browser

  • The returned frameset always includes a Superclick php file in the top frame, presumably to maintain control of the user's browsing experience


For example, if the user requests google.com, the following request is made:

[Image: Superclick_Redirect]

Notice that google.com is passed to the Superclick site (12.4.217.194) as a parameter.

Now, Superclick retrieves google.com and wraps it inside a frameset, making sure to insert its own php code in the top frame. Take a look at the page source.

[Image: Superclick Frame Wrap]

So, not only will the ISP have your network traffic logs, but now they also have complete control of your browsing experience. From my observations, it appears these actions are not taken for SSL sites; however, I wouldn't trust much of anything that's going on at this point.

Lastly, this little modification also leaves the user with random occurrences of the URL not matching the site you are on. Yes, you heard me right, Superclick will serve you up the requested page and somehow not update the URL in your browser window. It seems that this happens when you follow a new link to a page on another server. In the page below you can see that I am on the Disney site while the URL still says ESPN.com.

[Image: Superclick URL Error]

Here's a snapshot of the broken back button too. Clicking back will just take me to Superclick's redirector, which sends me to the page I started from, thereby eliminating the ability to go back at all.

[Image: Superclick messes up back button]

How can you tell if your hotel is pulling these shenanigans on you?

  • The 'back' button will mysteriously stop working.

  • All URLs will end in a question mark (see previous image)

  • Viewing the source of any page you've browsed to will show a frameset with the Superclick site injected nicely into the top frame.


I'm not the only one who has commented on this hotel activity: http://www.sans.edu/resources/securitylab/266.php

Happy browsing....

-Michael Coates

Update June, 2006:

Looks like more ISPs are thinking they have the right to monitor and inspect all your traffic for the purpose of injecting ads and making money.

http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html

http://blog.wired.com/27bstroke6/2008/05/charter-to-inse.html

Thursday, January 3, 2008

More security is not better security

When will people learn...

I've maintained a health care spending account over the last year. An outside company manages the account and provides web access to view balance information, spending etc. I have always been frustrated by this site since they require a phone call during business hours in order to reset your password. But hey, it works and isn't too annoying.

Well, let's leave that piece aside for a moment. This particular site (which will remain nameless) has continued to implement absolutely atrocious security controls. First, when you attempt to login to the site you have to enter your account number. If the account number is not valid, then you cannot proceed to the login screen where you will enter the password for the account. Unfortunately, the validation of the account number is done client side via JavaScript. Determining valid account numbers from the JavaScript is trivial. Not only is their solution ineffective, it actually puts them in a worse situation. Now, an attacker can use the JavaScript algorithm to determine a whole range of account numbers that are valid.

After you enter your account number you move to the next "control". The screen asks you to enter a one time password which has been mailed to the email account listed in the account. I went along with things and logged into my email, retrieved the passcode and entered it into the site. But then I got curious. A quick ctrl+u and I found something that should have died years ago.... The security code which was emailed to my account for "security purposes" was sitting there in a hidden post variable for all to observe.
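
For contrast, here is how an emailed one-time code can be handled so that the check happens on the server and the page never contains the code. This is an added example, not the site's code and not part of the original post; the function names, the in-memory store, the `/verify` path and the lifetime and attempt limits are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5   # guesses allowed per issued code (assumed policy)
_pending = {}      # session id -> [code hash, expiry time, attempts left]

def _digest(code):
    return hashlib.sha256(code.encode()).digest()

def issue_code(session_id, send_email, now=None):
    """Create a code, mail it, and keep only its hash on the server."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    _pending[session_id] = [_digest(code), now + CODE_TTL, MAX_ATTEMPTS]
    send_email(code)  # the e-mail is the only place the code leaves the server

def render_form(session_id):
    """The page carries an opaque session id and an empty input, never the code."""
    return ('<form method="post" action="/verify">'
            f'<input type="hidden" name="sid" value="{session_id}">'
            '<input type="text" name="code" autocomplete="one-time-code">'
            '</form>')

def verify_code(session_id, submitted, now=None):
    """Server-side check: expiry, attempt limit, constant-time compare, single use."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None or now > entry[1] or entry[2] <= 0:
        _pending.pop(session_id, None)
        return False
    entry[2] -= 1
    ok = hmac.compare_digest(entry[0], _digest(submitted))
    if ok:
        del _pending[session_id]  # a code cannot be replayed
    return ok

if __name__ == "__main__":
    sent = []
    issue_code("demo-session", sent.append)
    print(sent[0] in render_form("demo-session"))   # False
    print(verify_code("demo-session", sent[0]))     # True
```

The same rule covers the account-number step: a check that runs in the browser can be read by whoever loads the page, so the decision has to be made on the server.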

The moral of this story? If you are going to spend money on security solutions (because we all know how it ends up costing quite a bit of $$ to get anything coded) then make sure the security you are paying for actually works.

-Michael Coates