Posts in Kudos, Opinions and Rants

The biggest mistake of Myspace

Wednesday, July 19, 2006 by Ed Finkler in Kudos, Opinions and Rants, Secure IT Practices,

Myspace, the super-popular web site that your kid uses and you don't, was once again hit by a worm, this time utilizing Macromedia Flash as its primary vector. This was a reminder for me of just how badly Myspace has screwed up when it comes to input filtering:

They use a "blacklist" approach, disallowing customized markup that they know could be an issue. How confident are you that they covered all their bases, and could anticipate future problems? I don't trust my own code that much, let alone theirs.
They allow embed HTML tags. That means letting folks embed arbitrary content that utilizes plugins, like... Flash. While Myspace filters Javascript, they seem to have forgotten that Flash has Javascript interaction and DOM manipulation capabilities. If you're a Myspace user, you may have noticed Javascript alert()-style pop-up windows appearing on some profiles -- those are generated by embedding an offsite Flash program into a profile, which then generates Javascript code.

Even if they can plug these holes, it's unlikely that anything short of a full rewrite/refactorization of their profile customization system can ever be considered moderately secure. So will Myspace get their act together and modify their input filtering approaches? Very unlikely. A large portion of Myspace's appeal relies upon the customization techniques that allow users to decorate their pages with all manner of obnoxious flashing, glittery animations and videos. Millions of users use cobbled-together hacks to twist their profiles into something fancier than the default, and a substantial cottage industry has sprung up around the subject. Doing proper input filtering means undoing much of that. Even if relatively secure equivalent techniques are offered, Myspace would certainly find themselves with a disgruntled user base that's more likely to bail to a competitor. That's an incredibly risky move in the social networking market, and will likely lead Myspace to continue plugging holes rather than building a dam that works. This is why you can't design web applications with security as an afterthought. Myspace has, and I think it will prove to be their biggest mistake.

Reporting Vulnerabilities is for the Brave

Monday, May 22, 2006 by Pascal Meunier in Infosec Education, Kudos, Opinions and Rants, Policies & Law, R&D, Secure IT Practices,

I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn't have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons. The first reason is that whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonders if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn't have? It's normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems. A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble -- the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it...). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects. The second reason that bad things could have happened to me is that I'm stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it's a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don't yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities. So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation. As a consequence of that experience, I intend to provide the following instructions to students (until something changes):

If you find strange behaviors that may indicate that a web site is vulnerable, don't try to confirm if it's actually vulnerable.
Try to avoid using that system as much as is reasonable.
Don't tell anyone (including me), don't try to impress anyone, don't brag that you're smart because you found an issue, and don't make innuendos. However much I wish I could, I can't keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn't help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer -- you're a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.
Delete any evidence that you knew about this problem. You are not responsible for that web site, it's not your problem -- you have no reason to keep any such evidence. Go on with your life.
If you decide to report it against my advice, don't tell or ask me anything about it. I've exhausted my limited pool of bravery -- as other people would put it, I've experienced a chilling effect. Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: "There is no way to report a vulnerability safely".

Edit (5/24/06): Most of the comments below are interesting, and I'm glad you took the time to respond. After an email exchange with CERT/CC, I believe that they can genuinely help by shielding you from having to answer questions from and directly deal with law enforcement, as well as from the pressures of an employer. There is a limit to the protection that they can provide, and past that limit you may be in trouble, but it is a valuable service.

Re: Security Absurdity

Wednesday, May 17, 2006 by Prof. Spafford in General, Kudos, Opinions and Rants,

This is a great blog posting: Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. The data and links are comprehensive, and the message is right on. There is a tone of rant to the message, but it is justified.

I was thinking of writing something like this, but Noam has done it first, and maybe more completely in some areas than I would have. I probably would have also said something about the terrible state of Federal support for infosec research, however, and also mentioned the PITAC report on cyber security.

[posted with ecto]

What is Higher Education’s Role in Regards to ID Theft?

Thursday, April 06, 2006 by Matt Rose in Kudos, Opinions and Rants,

A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is more susceptible, so I've started a list:

Willingness To Share Information: If myspace, facebook, and the numerous blog sites like livejournal are any indication, younger adults tend to be more open about providing personal information. While these sites may not be used by identity thieves, they nonetheless illustrate students' willingness to divulge intimate details of their personal lives. Students might be more forthcoming with their SSN, account information and credit card numbers than are their elders.
Financial Inexperience: Many college students are out on their own for the first time. Many also are in "control" of their finances for the first time. With that lack of experience comes a lack of experience with and knowledge about tracking expenditures and balancing checkbooks. College students are an easier target for identity thieves who can ring up several purchases before being noticed.
Access to Credit: A walk around campus during the first few weeks of the year also reveals another contributing factor. Students are lured into applying for credit cards by attractive young men and women handing out free T-shirts and other junk. It is not unusual for a college freshman to have three or four credit cards with limits of $1000 to $5000.
Lost Credit Cards and Numbers: This might be a stretch, but I know many college students who periodically loose their wallets, purses, etc. and who did not act quickly in canceling their debit and credit cards. I also know many who have accidentally left a campus bar without closing their tab. It would be trivial to get access to someone else's card at these establishments. Along with this reason comes access to friends' and roommates' cards.

I'm sure there are many more contributing factors. What interests me is determining the appropriate role of the university in helping to prevent identity theft among this age group. Most colleges and universities now engage in information security awareness and training initiatives with the goal of protecting the university's infrastructure and the privacy of information covered by regulations such as FERPA, HIPPA, and so on. Should higher education institutions extend infosec awareness campaigns so that they deal with issues of personal privacy protection and identity theft? What are the benefits to universities? What are their responsibilities to their students?

For educational organizations interested in educating students about the risks of identity theft, the U.S. Department of Education has a website devoted to the topic as does EDUCAUSE.

Useful Awareness Videos

Wednesday, April 05, 2006 by Matt Rose in Infosec Education, Kudos, Opinions and Rants, Reviews,

The results are in from the EDUCAUSE Security Task Force's Computer Security Awareness Video Contest. Topics covered include spyware, phishing, and patching. The winning video, Superhighway Safety, uses a simple running metaphor, a steady beat, and stark visual effects to concisely convey the dangers to online computing as well as the steps one can take to protect his or her computer and personal information.

The videos are available for educational, noncommercial use, provided that each is identified as being a winning entry in the contest. In addition to being great educational/awareness tools, they should serve as inspiration for K-12 schools as well as colleges and universities.

Recent Blogs

Blog Archive

Posts in Kudos, Opinions and Rants

Page Content

The biggest mistake of Myspace

Recent Blogs

Blog Archive