Friday, July 31, 2015

Forget Ninja's and Pirates, Application Security is Like This!

Photo 1: exploded thumbnail
Today I was using LinkedIn and noticed a message was posted about the upcoming Black Hat and DEFCON security conferences in Las Vegas.  At the bottom of the persons post there are a bunch of thumbnail images of contacts we both have in common.  If you have browsed a few articles on LinkedIn you probably have seen these thumbnails before.

Photo 1 is the result of hovering my mouse over one of the contacts at the bottom of the authors post.  These are the contacts we have in common.  Again, nothing new here, you have probably seen this before.  I noticed in the exploded view, the HTML entity tag for ampersand, circled in red, looked out of place.  At first, I was thinking perhaps this person entered the entity tag directly.  Some people online enter some strange stuff to get your attention, especially security people.

When I opened the persons profile, Photo 2, I noticed the ampersand was shown not the entity tag.  What can we do with this knowledge?  Well probably not much, at least just yet.  The point is there is a bug in LinkedIn application code that is screwing up escaping of entity references.  The code is getting confused between HTML code and characters the user types from the keyboard.
Photo 2: profile view
Why is the confusion between the characters we type and HTML code important?  It's precisely in the area of escaping and character encoding where we find Cross-site Script Injection (XSS) vulnerabilities.  XSS is not anything new and it's listed on the OWASP Top 10 (A1) but it's listed as A1 on the OWASP Top 10 for good reason, it's pervasive.

In this LinkedIn example, the ampersand is likely a programming bug and nothing more.  We can't do much with an ampersand that's changed to an entity reference.  However, if it were possible to include code within our tag lines it may not be properly escaped or improperly rendered.  Of course, the code would have to be short since there are limitations to the number of characters that can be stored in a tag line.  If a vulnerability could be found here, the benefit to an attacker is that they can hijack LinkedIn user browsers who view the exploded thumbnails, Photo 1.  On a site like LinkedIn this is probably a lot of users.

In closing, I am not showing you LinkedIn vulnerabilities.  I have no idea if there is a vulnerability in this code.  In fact, I don't want to know.  I have conducted no testing against these interfaces or used any tools.  All I have proven is that there's a program bug and we can write blog posts about bugs safely online.  Security begins by noticing what's around you.

See you at DEFCON next week!

Thursday, July 30, 2015

Forget Internet of Things, You Already Have Spies In Your Home!

First things first, what hell is Internet of Things (IoT)?  Very simply, the IoT movement intends to connect a wide
variety of electronics, embedded devices, and sensors to the Internet.  As practical example, some makers of city street lights have Internet enabled their bulbs.  On the surface, Internet lightbulbs appear as useful as Internet connected refrigerators but a distinct advantage is that these bulbs will alert a central office when replacement is necessary.  In a city with hundreds, or thousands of street lights, a proactive message of an inoperable light eliminates significant effort driving around to check bulbs.

Other manufactures are enabling medical devices like Pulse Oximeters with full TCP/IP stacks, to monitor patient blood Oxygen levels.  On the other hand, cardiac Pacemakers have been wireless for some time.  Former Vice President Dick Cheney had the wireless feature on his pacemaker turned off due to security concerns.  Someday embedding IoT sensors in cereal boxes and other grocery items may eliminate self-checkouts all together.  Push your cart out the door and your account is bank account is debited automatically.  A store clerk is only needed to weigh vegetables, or to help you find something - the grocery store of the future.

Once you get the hang of the IoT concept, it does not take a lot of imagination to understand how Internet connected devices are beneficial.   What might take some imagination is how you can protect yourself in the age of IoT.  Throughout the development of IoT efforts the security community and press has been quick to alert the public to the vulnerability du jour.  Attention focuses sharply where exploitation of vulnerabilities may lead to serious injury or death.  Public education around IoT security is important.  No argument we need to continue educating, but there's a message being lost in the press background noise.  The message is that, the spies are already among us!  Don't let the newness of IoT distract you.  Internet devices in your home and the homes of your friends or family have been monitoring you for some time.  To understand what I mean, let's take my home as an example.  Let's take a look at some of the Internet connected devices I have in my home.

Apple Watches
Computers (OS X, Windows, Linux)
HP Printer
Zigbee gateway (Solar System)
HP Smart Switches
AT&T U-Verse Access Point
Wireless-N Router
Wireless-N Bridge
Flatscreen TV w/Internet stack
Misc gear: Wifi Raspberry PIs, Wifi Pineapple, Wifi enabled drones, Cisco SIP phones, and more

Today your smartphone can spy on your home network, collect the data, and hide it's activities by sending data back over private cellphone networks.  Your printer can be hijacked, malware installed, and made to perform reconnaissance of your home or office.  Other devices like telephones, copiers, and fax can be similarly exploited and demonstrated years ago at the DEFCON security conference.  In my home, I reflashed my router firmware with OpenWRT, a Linux like operating system.  With OpenWRT in place it's easy for me to sniff any traffic ingressing or egressing my home network to detect comprised computers.  But a hijacked device with malware installed, or a vendor with a complete disregard for your privacy, can do the same.  Whether or not these devices are spying on is irrelevant.  The public should not have to rely upon the morals or good intentions of manufactures to be secure in their home or on their persons.  Our home networks should be battle hardened and withstand a single rouge vendor, bad smartphone app, or exploited device.  Security controls for our home and our person should exist so we can be "verifiably" secure.  Trust be verify is a basic tenant of security and applied in business.  A challenge for the security community is to develop better protections for the home and people.

For security or IT gurus there are some actions you can take strengthen your home security posture.  Firewalls with a single zone of trust and DMZ are not going to be enough but there are some measures you can take.  Ideally every untrusted device should be on it's own network segment and unable to see other network devices.  Of course, this makes it really tough to configure your network.  More practically, you can segment your network by device type.  For example, there is no reason your broadband provider needs direct access to devices on your home network.  Insert a router between your home network and your broadband providers access point.  Your broadband provider will still see Internet traffic as it traverses the WAN but it blocks them from seeing your LAN traffic like, printing a documents, copying files between computers, etc.  The same approach can be used to dedicate a wifi segment to your smartphones.  This allows smartphones to see other smartphones but not other types of devices on the home network.  This type of configuration provides a stronger security profile but it's a lot of work to maintain, even if you know what your doing.  It's hard to predict the future of security controls but in the interim a router providing an easier ways to manage many untrusted devices for home users would be helpful.  Segmenting helps to isolate untrusted devices from each other and reduces the surface area available for reconnaissance or attack.

The problem with segmentation, firewalling, and traditional IT controls for the home is that you have to roll your own solution.  In my case, even though I have the knowledge to strengthen my home network I often avoid many improvements since it's too much maintenance effort to bother.  I spend enough time on the computer in my day job and I don't want extra IT homework at night unless the reward is great.  For the average home user, little if any combination of commercial gear and software exists that's helpful.  Security professionals have been beating the drum of virus scanners for years.  But virus scanners don't have the type of features necessary to protect home users today.  The best thing to do for home users is educate yourself on security so you can make the best decisions possible.  For those interested, I have a personal security page[2] you may find helpful.  Google also provided great article[3] that compares how home users protect themselves vs. how security experts protect themselves.  Follow the experts column in the graphic!

The point I would like to leave you with is that the future is now.  The security concerns of IoT are not something strange and far off in the future for experts to consider if IoT gains favor with industry.  Internet enabled devices are already in our homes, in our cars, on our person, they are inside of us, and they are already pervasive.

[1] open source White Hat Spy graphic
[2] Personal Security
[3] New research: Comparing how security experts and non-experts stay safe online

Tuesday, July 28, 2015

RT: (Video) Abby Martin Interviews Oliver Stone and Peter Kuznick on US Foreign Policy

Abby Martin (RT) interviews Oliver Stone (Academy Award Winning Director) and Peter Zuznick on US foreign policy and the Obama Administration's disregard for the rule of law.
"We[United States] are going into a second Administration that is living outside the law...does not respect the law as a foundation for our system." (Stone)
"We[United States] spend more on military security intelligence than entire world combined." (Kuznick)
"The United States is an open air Interment Camp." (Martin) 

In the interview Kuznick makes a point that the United States, through all of it's surveillance and aggression, fears something but that it is not addressing root causes of the concern.  Further that the predilection of the government for a culture is lawlessness is based upon an ideal of "American Exceptionalism", which is, if Americans do it then it must be right.  Perhaps more tangible to American's is the governments willingness to sacrifice the U.S. economy to achieve it's objectives.  For more information around the the economic impacts of security policy see my previous posts, A Crisis of Confidence Costs Real Money and a more recent update, Balkanization of US Products and Services Technology Accelerates.

Monday, July 27, 2015

My DEFCON 23 T-Shirt

I wanted to make up a cool t-shirt to wear to DEFCON 23 this year.  The graphic is on the front of the t-shirt with a small cutout of the back.  I know it's hard to read but it says, "In a time of universal deceit, telling the truth is a revolutionary act", a quote by George Orwell.  I loosely designed the t-shirt based upon a graphic for an Intercept story, "The Computers Are Listening".  I am not selling these t-shirts.  I made a single t-shirt for my own use only.

You can easily make your own t-shirt at  This link is not sponsored but instead provided as a service to readers.

Wednesday, July 22, 2015

How to Pick Your First Programming Language

I thought I would share a few initial impressions about a new infographic by I find interesting if programming is your profession.
Infographic: via

Java, C\C++, languages are not top paying which comes as a surprise.  I suspect other factors are involved.  For instance, the average MATLAB user may be more highly educated than the average Java or C\C++ programmer.  I don't know a lot about MATLAB but I suspect it's a research tool similar to Mathematica as opposed to a programming platform.  I don't see many software products delivered using MATLAB.

Another surprise is that Ruby is top of the stack for compensation.  Perhaps we are witnessing the market forces of supply and demand.  Historically there has always been less software developers than jobs available.  In the Ruby case, the ratio of available Ruby developers to jobs available may be better than say Java or C\C++.

To better understand the future supply to demand better, we may be be able to glean some information from the Geography and Popularity data presented.  For example, if you see a large number of job openings in Geography and a declining or stagnating trend in Popularity it may be an indicator of increasing pressure and increased compensation for developers.

Besides maximizing your compensation there are other factors you should consider like long-term stability of the market.  If we take Java or C\C++ as the example, their is no way these languages are dying out.  They are great first languages and learning the languages is relatively simple.  Learning how to use all the utility libraries and open source packages to make a commercial product can take years but as you grow so to will your compensation.  Learning is an investment in career worth making since compensation as shown is good overall compared to other languages and stability and demand for these languages will be high for the foreseeable future.

Once you start get Java or C\C++ down you should definitely consider a scripting language as a second language.  The reason is that scripting languages are generally faster to get a proof of concept rolling or quickly solve a research question.  Ruby is on the top of the pay chart but I have been playing around with Python.  I initially considered JRuby, a particular implementation of Ruby that offers some of the advantages of Java.   In the end,  I choose Python since I am a believer in the power of *NIX scripting and it's easy to get going on every flavor of *NIX.

Share It!