Archive for January, 2008

New Secure Coding Standards

January 22nd, 2008 by

This has probably been a long time coming, but CERT has announced that they will be hosting a wiki containing secure coding practices for C and C++. This codification of numerous industry best practices and rules of thumb into a single referable source will make the lives of consultants easier when performing code reviews. From Robert C. Seacord of CERT:

The CERT/Coordination Center at the Software Engineering Institute at Carnegie Mellon University has led a community effort to develop secure coding standards for the C and C++ programming languages. This work is being performed on the secure coding wiki at www.securecoding.cert.org. In particular, we have made significant progress on the CERT C Programming Language Secure Coding Standard since work first began over a year and a half ago, and our progress has been reviewed by the ISO/IEC WG14 international standardization working group for the programming language C at both the London and Kona meetings.

This has probably been a long time coming, and I will be interested to see what, if any, review tools come out to compare a code base against the standard.

Links:

C – https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secu…

C++ – https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageI…

When looking at a privacy policy…

January 17th, 2008 by

Ten things in a privacy policy that should make your spidey sense go off…

1. "We may use logs to analyze trends, administer the Site, track user movement in the aggregate, and gather broad demographic information for aggregate use. We may associate this information with your Personal Information to resolve technical issues and support security for our users."

What exactly is the company gathering in those logs? Who has access to these logs? Do third parties analyze the data and if so what do they do with it?

 

2. "We may share, in aggregate form, information collected from surveys with advertisers, partners, affiliates and the general public, but will not share survey information containing personally identifiable information with any third party without your prior consent."

Make darn well sure you understand how and where you give consent to sharing PII with third-party sites. Does the company opt you in automatically, are you opted out by default, is it a combination, or are you not even given the chance to opt out?

 

3. "We link cookies to your unique registration number and use them to enhance and personalize your experience on the Site. We also use cookies to deliver information and fresh content specific to your interests."

There is no mention of third party cookies… are third party cookies used and if so, how does that affect your privacy?

 

4. “We only share Your Information with others when we have your permission or under the types of circumstances described in this Privacy Policy.”

Read the rest of the Privacy Policy carefully to understand the circumstances under which your information could be shared with others.

 

5. “Upon removal of membership from the Site, we may retain Your Information for a period of time in our internal databases and systems.”

Not a particularly specific timeframe… how long? For what purpose is this information being retained?

 

6. “You should be aware that despite our efforts, factors beyond our control may result in disclosure of Your Information. Accordingly, we are not in a position to guarantee that Your Information will be secure under all circumstances.”

So what circumstances are they responsible for? Is that information outlined specifically or is this a carte blanche for deniability? What exactly is a factor beyond their control? Be skeptical and ask questions.

 

7. “We may update this policy from time to time as our information practices are modified or changed. It is strongly suggested that you regularly visit this privacy policy for updates to its contents.”

A better policy would have the company notify its customers whenever a change to the policy is made, rather than putting the burden of re-reading it on the customer.

 

8. “We may, without your consent, access and disclose Your Information, any communications sent or received by you, and any other information that we may have about you or your account if…”

For what? Requests by the government? Actions that appear illegal? A threat is made? How comfortable are you with who they detailed could request or be provided this information? Is there any ambiguity to the list? Is there actually a list provided?

 

9. “We may share Your Information with third parties that are subject to privacy policies that protect your personally identifiable information from disclosure to other third parties in a similar manner to our privacy policy.”

What does a similar manner mean? If they cannot disclose the exact privacy policy these third parties are using, you cannot be assured they are using your information in a manner you would agree to.

 

10. “We and our third party advertisers may use web beacons to compile aggregate statistics about which advertisements and promotions users have seen and how users responded to them.”

Beacons can also be referred to as web bugs, 1×1 gifs, clear gifs, tracking bugs, and tracking pixels. Are these beacons associated with individuals, and how does the company handle this information? As mentioned before, are the third parties beholden to a privacy policy, and if so, what is it?

 

It's pretty simple… always read the privacy policy. Be skeptical, ask questions, read between the lines, and walk away from a site that sinks below your "I don't feel so good about what this company is all about" threshold. Be wary of privacy policies and terms of use that make you jump around from one document to another or from one paragraph to another in a non-linear manner. Refuse to accept ambiguity. Write to the company. An electronics firm in Brooklyn selling a camera for 1/2 of what everyone else is selling it for is probably performing a bait and switch and probably doesn't care about your PII… use your brain. Remember, you CAN fight back with your wallet. If you don't like how a company protects your data, don't reward them with your patronage, and let others know.

Microsoft Releases the sources to the .Net framework

January 17th, 2008 by

I suppose this is news to a lot of people. http://weblogs.asp.net/scottgu/archive/2008/01/16/net-framework-library-… The easy access to the source should help people, even if it helps them use someone else's library. I'll get back to that thought in a second.

Of course the Intermediate Language (IL), with its rich metadata, can be looked at with ILDASM. It's kind of odd looking at “machine” instructions for a virtual machine. As far as I can tell there's close to no documentation about their opcodes or a language reference. The one (and only) great book I've found is Expert .NET 2.0 IL Assembler by Serge Lidin.

The much easier way to wander around is Reflector. You'll want the file disassembler add-in (it lets you save all the files in an assembly).

I've wandered around in the framework a good deal and for the most part it isn't ….mmmmm…. productive. Some beanhead professor once upon a time decided that everything possible should be private. I'm not sure what this accomplishes except that it kills all kinds of code reuse. For example, you want the listbox control to handle hotkeys or whatever just a tad differently for your application. You should just be able to overload the “broken” part of .Net. No can do, private. Don't get me wrong, on occasion you can redo some function. You borrow the code in Reflector, modify the part that doesn't work for you, and then you have to figure out how to get its 4 uses of private calls fixed. Copy the whole object, you say! Good idea. Now you have 4 other internal objects to copy. Lame lame lame. It's a big ole spider web.

The best cheat is to add yourself a CustomAttribute listing your assembly as a “friend”. Of course this makes the signature invalid, so not exactly distributable. You could really cheat and sign your own version! Ahah. Who knows what's next? Mmmhmm, you have to drag all the other Microsoft internal friends with you. It's a tar baby I tell ya.

Who wants to talk about COM and application integration now? Makes you love those little itty bitty tools that don't depend on a thing. I wish there were more.

Whatever happened to?

January 16th, 2008 by

One of the most useful sites on the Internet was the Ports Database at http://www.portsdb.org

Unfortunately it went missing over a year ago and has not returned. The best alternative I have found is using the IANA list at http://www.iana.org/assignments/port-numbers and doing a manual search. Not ideal, but it works. Maybe we will put a little database up on this site in the future.

P3P compliancy search engine

January 16th, 2008 by

While the Privacy Finder Privacy Policy search engine only works for an estimated 15% of the top 5000 websites, it is a useful tool to find websites that comply with a stated privacy preference level (low, medium, high or custom) based on a P3P (Platform for Privacy Preferences Project) standard for creating machine readable policies.

You choose the search engine Privacy Finder will use, put your search term in the dialog box, select your Privacy Preference Threshold Level, and the results of the search are provided. If the search comes back with a website that has a P3P-compliant privacy policy, a “privacy meter” is shown. The number of green boxes in the “privacy meter” shows how closely the privacy policy matches up with the privacy preference level set when doing the search. A link next to the search results brings up another page neatly and succinctly showing why the privacy policy does or does not match the preference level, and another link to the site's entire policy.

The P3P standard has been around since 2002, but it hasn't really caught on with the web community at large for a number of reasons:

-Some argue it's too complex
-Not publishing a P3P policy does not necessarily mean a company has poor privacy standards
-There are currently no laws that require a company to comply with P3P specifically
-Poor support from the web browser community

These issues do not remove the need for companies to provide clearer explanations of how they handle a customer’s information, and P3P, while not perfect, is certainly better than no standard. What Privacy Finder does is present the compliant privacy policy to the consumer in an easy-to-read, standardized output, giving consumers more information with which to make informed choices.
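The matching step Privacy Finder performs, as an added example in C++ (my code, not Privacy Finder's): it evaluates a P3P compact policy (the CP="..." token list a site sends in its P3P response header, a machine-readable summary of the full XML policy) against a preference level and returns the list of reasons it falls short, the same kind of output the "why it does or does not match" page gives. The token vocabulary is from the P3P 1.0 specification; the "medium" and "high" thresholds are assumptions chosen to illustrate the idea and are not Privacy Finder's actual rule set, and the sample header is constructed, not captured from any real site.

```cpp
#include <cctype>
#include <cstdio>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Token classes from the P3P 1.0 compact-policy vocabulary (the CP="..." list
// in a site's P3P response header). Access/disputes/remedies tokens
// (CAO, DSP, COR, ...) and NID/TST are kept as "other".
static const std::set<std::string> kPurpose   = {"CUR","ADM","DEV","TAI","PSA","PSD","IVA","IVD","CON","HIS","TEL","OTP"};
static const std::set<std::string> kRecipient = {"OUR","DEL","SAM","UNR","PUB","OTR"};
static const std::set<std::string> kRetention = {"NOR","STP","LEG","BUS","IND"};
static const std::set<std::string> kCategory  = {"PHY","ONL","UNI","PUR","FIN","COM","NAV","INT","DEM","CNT","STA","POL","HEA","PRE","LOC","GOV","OTC"};

struct CompactPolicy {
    bool valid = false;                         // false: no CP="..." in the header
    std::set<std::string> purpose, recipient, retention, category, other;
    std::map<std::string, std::string> choice;  // purpose/recipient -> always | opt-in | opt-out
};

// Purpose and recipient tokens may carry a suffix: none or 'a' = always,
// 'i' = opt-in, 'o' = opt-out.
CompactPolicy parseCompactPolicy(const std::string& headerValue)
{
    CompactPolicy p;
    const size_t cp = headerValue.find("CP=");
    if (cp == std::string::npos) return p;
    const size_t q1 = headerValue.find('"', cp);
    const size_t q2 = (q1 == std::string::npos) ? q1 : headerValue.find('"', q1 + 1);
    if (q2 == std::string::npos) return p;
    std::istringstream in(headerValue.substr(q1 + 1, q2 - q1 - 1));
    std::string tok;
    while (in >> tok) {
        std::string base = tok.substr(0, 3), suffix = tok.size() > 3 ? tok.substr(3) : "";
        for (char& c : base)   c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
        for (char& c : suffix) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        std::string ch;
        if (suffix.empty() || suffix == "a") ch = "always";
        else if (suffix == "i")              ch = "opt-in";
        else if (suffix == "o")              ch = "opt-out";
        else { p.other.insert(tok); continue; }                // malformed token: keep verbatim
        if (kPurpose.count(base))        { p.purpose.insert(base);   p.choice[base] = ch; }
        else if (kRecipient.count(base)) { p.recipient.insert(base); p.choice[base] = ch; }
        else if (kRetention.count(base)) p.retention.insert(base);
        else if (kCategory.count(base))  p.category.insert(base);
        else                             p.other.insert(base);
    }
    p.valid = true;
    return p;
}

// ASSUMED thresholds, chosen to illustrate the matching step; not Privacy
// Finder's rules. Listed purposes/recipients must be offered with an acceptable
// choice; listed retention tokens fail the level outright.
struct Threshold { std::set<std::string> purpose, recipient, retention, acceptableChoice; };

Threshold thresholdFor(const std::string& level)
{
    Threshold t;
    if (level == "high") {
        t.purpose = {"CON","HIS","TEL","OTP","IVA","IVD"}; t.recipient = {"OTR","UNR","PUB"};
        t.retention = {"BUS","IND"};                        t.acceptableChoice = {"opt-in"};
    } else {                                                // "medium"
        t.purpose = {"TEL","OTP"};                          t.recipient = {"OTR","UNR","PUB"};
        t.retention = {"IND"};                              t.acceptableChoice = {"opt-in","opt-out"};
    }
    return t;
}

// Reasons the policy misses the level; an empty list means it meets the level.
std::vector<std::string> evaluate(const CompactPolicy& p, const std::string& level)
{
    std::vector<std::string> reasons;
    if (!p.valid) { reasons.push_back("no compact policy (CP=) present"); return reasons; }
    if (p.other.count("NID")) return reasons;               // NID: no identified data collected
    const Threshold t = thresholdFor(level);
    for (const std::string& tok : p.purpose)
        if (t.purpose.count(tok) && !t.acceptableChoice.count(p.choice.at(tok)))
            reasons.push_back("purpose " + tok + " is " + p.choice.at(tok));
    for (const std::string& tok : p.recipient)
        if (t.recipient.count(tok) && !t.acceptableChoice.count(p.choice.at(tok)))
            reasons.push_back("recipient " + tok + " is " + p.choice.at(tok));
    for (const std::string& tok : p.retention)
        if (t.retention.count(tok))
            reasons.push_back("retention " + tok + " exceeds level");
    return reasons;
}

// Constructed sample header value (not captured from any real site).
const std::string kSampleHeader =
    "CP=\"CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR SAMo UNRo BUS UNI PUR COM NAV INT DEM STA PRE\"";

int main()
{
    const CompactPolicy p = parseCompactPolicy(kSampleHeader);
    for (const char* level : {"medium", "high"}) {
        const std::vector<std::string> r = evaluate(p, level);
        std::printf("%s: %s\n", level, r.empty() ? "matches" : "does not match");
        for (const std::string& why : r) std::printf("  - %s\n", why.c_str());
    }
    return 0;
}
```

The sample policy passes "medium" (telemarketing and sharing with unrelated parties are opt-out, which that level accepts) and fails "high" on six points, because opt-out is not opt-in and business-practices retention is open-ended. Note what a compact policy cannot tell you: it summarizes what the site declares, not what it does, which is the same caveat the post makes about the standard itself.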

For more information:
http://www.privacyfinder.org/
http://www.w3.org/P3P/
http://cups.cs.cmu.edu/

New risks for old credentials

January 16th, 2008 by

I was playing around with my Tivo this weekend and realized that many of the new features being offered on Tivo are handy but leave valuable information stored on your Tivo.

How so?

Well, Tivo now offers Amazon Unbox downloads, Yahoo Weather/Traffic, etc. All of these services require you to store your credentials on the device or on Tivo's website. Imagine what might happen if an attacker can break into the device and gather such information. With an Amazon account an attacker has access to any stored credit cards for purchases on the site. Even if an attacker cannot hack into your private network and break into the Tivo, what happens when the Tivo is put into the trash at the end of its life?

Visual Studio 2008 CRT bug

January 16th, 2008 by

I run into this “issue” a lot compiling this open source project or that open source project (winpcap, cygwin, delegate, snort, nmap). It's a fun MACRO problem. I love MACROs. </sarc>

Here's what your compiler will give you.


12>C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\stdio.h(358) : error C3163: '_vsnprintf': attributes inconsistent with previous declaration
12> C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\stdio.h(350) : see declaration of '_vsnprintf'
12>Generating Code...

Now this looks like a no-brainer, I mean the two declarations are 8 lines apart! So I stare for a while. (Looks the same to me). Hmmmm. Then I try following a few MACROs, often futile if you don't have browser symbols built yet. Perhaps I have some crazy path with my includes!? I only have 12 SDKs or something installed. So I turn on /showIncludes (how did it take 20 years to add this option?). Looks good again…..

Crap, time for the Big Guns — if you love MACRO programming you know what's next. Turn on the C++ listing output. The listing output is what the compiler really compiles, after the preprocessor has had its merry way with the code. 2MB of the finest night-time reading you'll ever find. Per source file, of course. I was kinda dreading trying to find the function after all its beautification had been stripped.

I've read a lot of code over the years. I'm not even sure what this is…much less what it would preprocess out to.


__DEFINE_CPP_OVERLOAD_STANDARD_NFUNC_0_2_ARGLIST_EX(int, __RETURN_POLICY_SAME, _CRTIMP, _snprintf, _vsnprintf, _Pre_notnull_ _Post_maybez_ char, _Out_cap_(_Count) _Post_maybez_, char, _Dest, _In_ size_t, _Count, _In_z_ _Printf_format_string_ const char *, _Format)

I digress…

It just compiles when you turn on the listing output.

I'll type it more slowly this time, in case that didn't sink in. The compiler switch, that just spits out more information, changed things just enough to have everything compile. Neato, unless that sort of thing keeps you up at night.

btw, the fix, if you've been reading this far, is to not #define vsnprintf in _your_ project. The CRT must redefine it once or thrice.
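That fix, as an added example (my code, not the post's and not the CRT's): leave the CRT's vsnprintf/_vsnprintf names alone and wrap the call in a function with a name of your own. The wrapper also hides the behavioural difference that makes people reach for the #define in the first place, and that is the security-relevant part: pre-VS2015 _vsnprintf returns -1 on truncation and leaves the buffer unterminated (and when the output exactly fills the buffer it returns the count and still writes no terminator), while C99 vsnprintf always terminates and returns the length it would have needed. The version guard assumes _MSC_VER 1900 (VS2015) as the point where MSVC's vsnprintf became conformant.

```cpp
#include <cstdarg>
#include <cstdio>
#include <cstring>

// Writes at most size-1 characters to dst and always NUL-terminates it (when
// size > 0). Returns the number of characters written (excluding the NUL), or
// -1 if the output was truncated or the arguments were invalid. On truncation
// dst holds a terminated prefix, never an unterminated buffer.
int safe_vsnprintf(char* dst, size_t size, const char* fmt, va_list ap)
{
    if (dst == nullptr || size == 0)
        return -1;
#if defined(_MSC_VER) && _MSC_VER < 1900
    // Old CRT: _vsnprintf writes no terminator when the output does not fit.
    int n = _vsnprintf(dst, size, fmt, ap);
    if (n < 0 || static_cast<size_t>(n) >= size) {
        dst[size - 1] = '\0';
        return -1;
    }
#else
    // C99 vsnprintf: always terminated; n >= size means it was truncated.
    int n = std::vsnprintf(dst, size, fmt, ap);
    if (n < 0 || static_cast<size_t>(n) >= size)
        return -1;
#endif
    return n;
}

int safe_snprintf(char* dst, size_t size, const char* fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    const int n = safe_vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    return n;
}

int main()
{
    char buf[8];
    const int n = safe_snprintf(buf, sizeof buf, "%s", "0123456789");
    std::printf("n=%d buf=\"%s\"\n", n, buf);   // n=-1 buf="0123456"
    return 0;
}
```

Callers that need the "how much would it have taken" value can keep using the platform vsnprintf directly; the point here is that code which only needs "did it fit, and is the buffer safe to pass to strlen" gets one answer on every CRT without redefining a name the CRT headers also declare.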

How to apply domain restrictions to a browser plugin (ActiveX or XPCOM)

January 15th, 2008 by

For Internet Explorer, there's Microsoft's Sitelock. For Mozilla, I'm not sure what there is… In that case, we've been working on some solutions that could hold up cross-browser on a Windows platform. Sitelock takes a solid approach; check out the code and you'll see it implements IObjectSafetySiteLockImpl, replacing the ATL IObjectSafety implementation. What am I talking about? Well, sometimes when you develop a browser plugin like an ActiveX control for IE or an XPCOM object for Mozilla, you only want it to load and run from a few trusted domains. The plugin/control runs potentially powerful code after all, executing in the user's context. For example, you're a large social networking site, and your new control helps synchronize offline and online data for the user. Well, first off, you want to make sure it's as secure as possible:

  1. code flaws have been identified and addressed (buffer overflows, leaks, etc.)
  2. repurposing threats have been identified and mitigated (the control should not do anything more than it needs, and should be very careful when performing file, registry, or network operations)

To gain a higher level of assurance that this control won't be exploited, you take more steps to restrict the domains which are allowed to call it.

So without Sitelock for Mozilla, we're in search of an alternative solution that will work across both IE and Mozilla. We know a few things about what's available to a cross-browser domain restriction solution:

  • we can use C/C++
  • we have access to the DOM
  • we have access to COM+
  • we'd like access to WININET but that's too far down the stack

Right now, we're primarily interested in getting the true domain which is loading and calling the plugin. How can we guarantee this? We tried getting it from the DOM's document.domain property, but we know that the document.domain property has historically been a source of security vulnerabilities in all major browsers. There have even recently been ways to spoof the address bar, or the domain property, using JavaScript and other means, and there likely will be in the future. For example:

FireFox
http://www.thespanner.co.uk/2007/11/14/spoofing-firefox-protected-object

IE 6/7.
http://www.0x000000.com/hacks/crossdomain/crossdomain.html

Safari/Windows
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3514

After some research we're testing some other options. Right now our best bet might be looking like:

  • using IWebBrowser2::get_LocationURL() for Internet Explorer
  • using window.location.href for Mozilla
  • InternetCrackUrl() to parse the hostname
  • After some testing we don't see the document.domain type issues present in window.location.href, so it seems to be holding up, short of some unknown browser flaw.

    ~Chris Weber
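The parse-and-compare step behind the last two bullets above, as an added example that is neither the post's code nor SiteLock's: a portable stand-in for InternetCrackUrl() that pulls the scheme and host out of the URL string obtained from IWebBrowser2::get_LocationURL() or window.location.href, then checks the host against an allowlist. Whatever the browser hands back, the comparison is where the control gets fooled, so the example handles the cases a reviewer would probe: user-info before an @, an explicit port, upper-case, a trailing dot, an IPv6 literal, a look-alike domain that shares only a suffix, and a javascript: URL that merely contains https://. The domain names, the kAllowedDomains constant and the https requirement are my additions; the post does not ask for https.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Constructed allowlist for the example: the domains the plugin may be driven from.
const std::vector<std::string> kAllowedDomains = {"trusted.example"};

static std::string lower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). Rejecting anything
// else stops "javascript:alert('https://trusted.example/')" from parsing as a
// URL whose host is trusted.example.
static bool validScheme(const std::string& s)
{
    if (s.empty() || !std::isalpha(static_cast<unsigned char>(s[0]))) return false;
    for (char c : s)
        if (!std::isalnum(static_cast<unsigned char>(c)) && c != '+' && c != '-' && c != '.')
            return false;
    return true;
}

// Lower-cased host of an absolute URL, or "" if there is no well-formed
// scheme://authority. Userinfo and port are dropped; IPv6 literals lose their
// brackets. Portable stand-in for InternetCrackUrl(); on Windows the
// URL_COMPONENTS::lpszHostName it fills in is the equivalent value.
std::string hostFromUrl(const std::string& url, std::string* schemeOut = nullptr)
{
    const std::string::size_type sep = url.find("://");
    if (sep == std::string::npos) return "";
    const std::string scheme = lower(url.substr(0, sep));
    if (!validScheme(scheme)) return "";
    if (schemeOut) *schemeOut = scheme;

    const std::string::size_type start = sep + 3;
    const std::string::size_type end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? std::string::npos : end - start);

    // Everything before the last '@' is userinfo: http://trusted.example@evil.example/
    // is served by evil.example.
    const std::string::size_type at = authority.rfind('@');
    if (at != std::string::npos) authority.erase(0, at + 1);

    std::string host;
    if (!authority.empty() && authority[0] == '[') {                 // IPv6 literal
        const std::string::size_type close = authority.find(']');
        if (close == std::string::npos) return "";
        host = authority.substr(1, close - 1);
    } else {
        host = authority.substr(0, authority.find(':'));             // strip :port
    }
    host = lower(host);
    if (!host.empty() && host.back() == '.') host.pop_back();        // "trusted.example."
    return host;
}

// Exact match, or a subdomain on a label boundary: "www.trusted.example" matches
// "trusted.example"; "eviltrusted.example" and "trusted.example.evil.example" do not.
bool hostAllowed(const std::string& host, const std::vector<std::string>& allowlist)
{
    for (const std::string& entry : allowlist) {
        const std::string e = lower(entry);
        if (host == e) return true;
        if (host.size() > e.size()
            && host.compare(host.size() - e.size(), e.size(), e) == 0
            && host[host.size() - e.size() - 1] == '.')
            return true;
    }
    return false;
}

// The gate the plugin runs before exposing any scriptable method. requireHttps
// goes beyond the post: over plain http the page, and the calls it makes into
// the control, can be rewritten on the wire.
bool originAllowed(const std::string& url, const std::vector<std::string>& allowlist, bool requireHttps)
{
    std::string scheme;
    const std::string host = hostFromUrl(url, &scheme);
    if (host.empty()) return false;
    if (requireHttps && scheme != "https") return false;
    return hostAllowed(host, allowlist);
}

int main()
{
    const char* urls[] = {"https://www.trusted.example/sync", "https://trusted.example@evil.example/",
                          "https://eviltrusted.example/", "javascript:alert('https://trusted.example/')"};
    for (const char* u : urls)
        std::printf("%-48s %s\n", u, originAllowed(u, kAllowedDomains, true) ? "allowed" : "blocked");
    return 0;
}
```

Two design points worth keeping whichever URL API you use: match on whole labels, never on a plain string suffix, and fail closed on anything the parser cannot classify (no authority, unbalanced brackets, a scheme that is not a scheme). The check is still only as trustworthy as the URL the browser reports, which is exactly the caveat in the last bullet.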