Myspace, the super-popular web site that your kid uses and you don’t, was once again hit by a worm, this time utilizing Macromedia Flash as its primary vector.  This was a reminder for me of just how badly Myspace has screwed up when it comes to input filtering:

• They use a “blacklist” approach, disallowing customized markup that they know could be an issue.  How confident are you that they covered all their bases, and could anticipate future problems?  I don’t trust my own code that much, let alone theirs.
• They allow embed HTML tags.  That means letting folks embed arbitrary content that utilizes plugins, like… Flash. While Myspace filters Javascript, they seem to have forgotten that Flash has Javascript interaction and DOM manipulation capabilities.  If you’re a Myspace user, you may have noticed Javascript alert()-style pop-up windows appearing on some profiles—those are generated by embedding an offsite Flash program into a profile, which then generates Javascript code.

Even if they can plug these holes, it’s unlikely that anything short of a full rewrite/refactorization of their profile customization system can ever be considered moderately secure.

So will Myspace get their act together and modify their input filtering approaches? Very unlikely.  A large portion of Myspace’s appeal relies upon the customization techniques that allow users to decorate their pages with all manner of obnoxious flashing, glittery animations and videos.  Millions of users use cobbled-together hacks to twist their profiles into something fancier than the default, and a substantial cottage industry has sprung up around the subject.  Doing proper input filtering means undoing much of that.

Even if relatively secure equivalent techniques are offered, Myspace would certainly find themselves with a disgruntled user base that’s more likely to bail to a competitor.  That’s an incredibly risky move in the social networking market, and will likely lead Myspace to continue plugging holes rather than building a dam that works.

This is why you can’t design web applications with security as an afterthought.  Myspace has, and I think it will prove to be their biggest mistake.

Via Infinite Loop, I came across an interesting post from a hawdcore MacBook Pro user who bellied up to the bar and retrofitted a Sony fingerprint scanner into his precious Apple laptop.  No indication that the hardware actually interfaces at all with OS X, but it’s pretty cool, and maybe Apple will get some inspiration from this. 8)

So who’s going to OSCON 2006?  I am, and if you are too, drop me a line so we can meet up.  I’m also going to be “moderating” a PHP Security BOF meet, so if you have some interest in PHP Security or secure web dev in general, come by and participate in the chaos.

If you’re planning on going, make sure to check out the official wiki and the OSCamp wiki.

Our superfriends at Sun were kind enough to bless us with 13 new servers today: 10 Sun Fire X2100s and 3 Sun Fire X4200s:

Sun has been one of CERIAS’ biggest supporters over the years, and their monetary and hardware contributions have been invaluable.  These new machines will be put to good use in experiments, handling our Sun Ray clients, and making our web sites run a zillion times faster.  Wee!

As promised, I’m following up my previous post about security extensions for Firefox with suggestions from readers.  Some of these are basically different solutions to similar problems—which is great, because some users will prefer one approach over another.  A couple of these are very useful, though, and should be considered essential parts of a secure browsing platform.  And one seems very useful, but raises privacy issues that are a little troubling.

(An aside: I wonder if a “more secure” version of Firefox is being built and distributed by someone, one that includes some of these extensions out of the box.  If so, give us a heads-up.)

• McAfee SiteAdvisor

  McAfee SiteAdvisor, started at MIT, is a project to classify the “safety” of a site into green (safe), yellow (caution) and red (warning) categories.  Testing is done by a system of bot programs that interact with web sites, doing things like submitting email signup forms, testing downloads for adware and viruses, and looking at the safety levels of linked sites.  Users can also submit reports manually.

  The safety level of a site is displayed as a button in Firefox’s status bar, which I’m not sure was the best place.  My eyes tend to spend more time at the top half of my browser window (maybe because I have 1920x1200 display), so more often than not I found myself forgetting that I had SiteAdvisor installed.  I would have appreciated an option for display as a toolbar, like Netcraft’s extension.

  I did, however, really dig the integration with search result pages from Google, Yahoo! and MSN.  Links to result pages—even sponsored links—have a green, yellow or red icon appended to the end, and mousing over the icon displays a popup with additional info.  This was very clear and easy to grasp without being intrusive or overbearing.

  (McAfee also maintains a SiteAdvisor blog that’s quite interesting.)

 

 

• Stanford SafeCache and SafeHistory

  SafeCache and SafeHistory are extensions developed to address methods where users can be tracked via browser features that don’t apply a “same origin” policy: specifically the browser cache and browsing history.  Details of this problem are available at at Same Origin Policy: Protecting Browser State from Web Privacy Attacks, a report created by the Stanford Security Lab.  It’s a good read.

  The SafeCache and SafeHistory extensions apply a proper “same origin” policy to these features, only allowing access to scripts that originate from the same domain as the cached content/history info.  This isn’t perfect, as “cooperative” tracking where two sites pass info back and forth between each other isn’t addressed, but it’s certainly better than the current situation for out of the box browser installs.  Honestly, this is something I think should be a default part of every browser install, because it’s a significant security hole that needs to be addressed.  I hope that the Firefox, IE, Safari and Opera devs are addressing these problems.

• Netcraft Toolbar

  The Netcraft Toolbar is a useful anti-phishing tool.  A “risk rating” is calculated for your current site’s domain based on criteria like the age of the domain, known phishing sites within the domain, the ISP’s history re: phishing sites, and the like.  Additional info, such as the site’s age and ISP, are displayed in the toolbar, linked to more detailed data on Netscraft’s site.

  What’s a bit worrisome about the Netcraft Toolbar is its site popularity ranking functionality.  Netcraft appears to keep a database of sites visited by toolbar users to provide popularity data.  Their privacy policy does state that no personal information is collected, but it’s something users should be aware of before installing.

• PasswordMaker

  The plethora of web-based accounts we maintain can get out of hand quickly, and maintaining separate passwords for each one becomes pretty challenging.  PasswordMaker is an interesting solution to this problem, in that it doesn’t store passwords anywhere, but instead takes a single master password and generates a site-specific password based on 10 criteria, including personal encryption settings and the site itself.  The combination of these criteria makes for an enormous number of possibilties, so typical attacks are not likely to be effective (see their FAQ for more info).  Site passwords are generated on the fly, and are proactively wiped from RAM.  By default it doesn’t store your master password either.

  The program itself isn’t too hard to use, although you’ll probably need to help Grandma get used to it when you set it up for her.  I was able to get it working pretty quickly with some of my existing web app accounts.

  Source code is available (it uses an LGPL license), and versions of PasswordMaker exist for IE, all Mozilla browsers, a Yahoo! Widget, CLI, PHP, and mobile devices.  You can also use an online version if none of those fit the bill.

• Form SSL Indicator (Greasemonkey script)

  This is a handy Greasemonkey script that scratches an important itch: indicating if a form’s action target is SSL-encrypted.  I liked the implementation here better than the FormFox extension, which pops up a title/alt-style label if you hover over the submission button for a moment.  This script pops up an indicator immediately, and I appreciate the responsiveness.  Still, I wish that the submission button would just have a lock icon layered over it for quicker visual recognition, and this doesn’t do anything for forms with no submission button.

• Cookie Button

  The Cookie Button extension is really three extensions that offer the same functionality, but in different interface contexts.  All three allow you to quickly see and change the current cookie permissions on a site, with one displaying a Navigation Toolbar button, one adding a right-click context menu, and the third showing a status bar button.  I’m not sure I entirely understand the need to separate these into three different extensions, but it does allow the user to pick the one that best fits his or her interface habits.

 

 

• Prefbar

  Firefox has a bevy of “hidden” preferences, and Prefbar brings them out into the open.  Many of these settings are really a matter of user preference and browser performance, but some—like toggling Javascript, Flash, and User Agent settings, are handy and made much more accessible with this extension.  My personal fav is turning on “Cookie Warning,” which tells you whenever a cookie is being set or modified.  This was one thing I liked about IE’s cookie handling, and I missed it in Firefox.  It’s there in the cookie prefs (set “Keep Cookies” to “ask me every time”), but I didn’t realize how to set it until I researched it a bit—Prefbar made it a lot clearer.

  One little annoyance I found with Prefbar was that it doesn’t seem to “group” itself with the rest of your toolbars.  I like to right-click on on the Navigation Toolbar to swap in and out the 5 or 6 toolbars I have installed, but Prefbar refuses to show up in this list, instead mapping itself to F8 (which will annoy folks who use that key for other functions, like Exposé on OS X), and appearing in the View menu.  *grumble*

 

As before, if you have suggestions for useful security/privacy related addons for Firefox, please let me know.

mod_security is an essential tool for securing any apache-based hosting environment.  The Pathfinder High Performance Infrastructure blog has posted a good starter piece on using mod_security to block email injections.

One of the more common problems with PHP-based applications is that they can allow the injection of malicious content, such as SQL or email spam. In some cases we find that over 95% of a client’s ISP traffic is coming from spam injection. The solution? Grab an industrial size helping of Apache mod_security.

BTW, Ivan Ristic’s (the developer of mod_security) Web Security Blog is well worth a spot in your blogroll.

(Edit: fixed title.  Duh.)

Ars Technica‘s Eric Bangeman posted a pointer and commentary about a case in Illinois where a WiFi piggybacker got caught and fined. This is apparently the third conviction in the US (two in Florida and this one) in the last 9 months.  The Rockford Register reports:

In a prepared statement, Winnebago County State’s Attorney Paul Logli said, “With the increasing use of wireless computer equipment, the people of Winnebago County need to know that their computer systems are at risk. They need to use encryption or what are known as firewalls to protect their data, much the same way locks protect their homes.”

Firewall?  I guess they didn’t prepare the statement enough, but the intent is clear.  Still, it seems that the focus is on the consumer’s responsibility to lock down their network, ignoring the fact that the equipment that’s churned out by manufacturers is far too difficult to secure in the best of circumstances, let alone when you have legacy gear that won’t support WPA.  Eric seems to agree:

Personally, I keep my home network locked down, and with consumer-grade WAPs so easy to administer, there’s really no excuse for leaving them running with the default (open) settings.

“Easy” is very relative. It’s “easy” for guys like us, and probably a lot of the Ars audience, but try standing in the networking hardware aisle at Best Buy for about 15 minutes and listen to the questions most customers ask.  As I’ve touched on before, expecting them to secure their setups is just asking for trouble.

Well, we’re all pretty beat from this year’s Symposium, but things went off pretty well.  Along with lots of running around to make sure posters showed up and stuff, I was able to give a presentation called Web Application Security - The New Battlefront.  People must like ridiculous titles like that, because turnout was pretty good.  Anyway, I covered the current trend away from OS attacks/vandalism and towards application attacks for financial gain, which includes web apps.  We went over the major types of attacks, and I introduced a brief summary of what I feel needs to be done in the education, tool development, and app auditing areas to improve the rather poor state of affairs.  I’ll expand on these topics more in the future, but you can see my slides and watch the video for now:

• Slides (PDF Format)
• Video (Xvid AVI; requires Xvid or Divx playback codec)

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions.  Here’s a roundup of some of the more useful ones I’ve found.

• Add n’ Edit Cookies This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience.  This extension not only shows you all the details, but lets you modify them too.  You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
• Dr. Web Anti-Virus Link Checker This is an interesting idea—scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service.  I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
• FormFox This extension doesn’t do a whole lot, but what it does is important—showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
• FlashBlock Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance.  This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like.  It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
• LiveHTTPHeaders & Header Monitor LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server.  Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar.  They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
• JavaScript Option This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
• NoScript This extension is pretty smooth.  Of all the addons for Firefox covered here, this is the one to get.  NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with.  NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code. The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access.  Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces.  Also read Pascal Meunier’s take on NoScript.
• QuickJava Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1).  Hopefully a new version will be available soon.
• ShowIP This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar.  Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info.  You can add additional web lookups if you like, as well as passing the IP to a local program.  Handy stuff.
• SpoofStick The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users.  It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
• Tamper Data Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions?  Leave a comment and I’ll collect them in an upcoming post.

[tags]firefox, extensions, security, privacy, safe_browsing, browser, web, flash[/tags]

This story at the NYT web site (registration might be required—it seems kind of random to me) about the prevalence of “piggybacking” on open wireless networks.  Most of the article deals with the theft of bandwidth, although there are a couple quotes from David Cole of Symantec about other dangers of people getting into your LAN and accessing the Internet through it.  Something that really struck me, though, was the following section about a woman who approached a man with a laptop camped outside her condo building:

When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: “Oh my God. He could be stealing my signal.”

Yet some six months later, Ms. Ramirez still has not secured her network.

There are two problems highlighted here, I think:

1. We haven’t done enough to make it clear why encrypting your wireless network is important.
2. More importantly, wireless routers need to be secure out of the box.  Users will not change their behavior unless the barrier for wireless network security is lowered as far as possible, and that includes shipping routers with:
• WPA encryption enabled
• a unique shared key
• a unique router admin password (the fact that millions of routers ship with the same default admin password is embarassing)
• a unique SSID
• SSID broadcast disabled

Think about it: if you purchased a car that came with non-functioning locks and keys, and it was your responsibility to get keys cut and locks programmed, would you be satisfied with purchase?  Would it be realistic to expect most consumers to do this on their own?  I think it’s not.  But that’s what the manufacturers of consumer wireless equipment (and related products, like operating systems) ask of the average consumer. With expectations like that, is it really a surprise that most users choose not to bother, even when they know better?

More: Hey Neighbor, Stop Piggybacking on My Wireless - New York Times »