Using URL anchors to enliven XSS exploits

I hope this is original, I certainly couldn't find anything in a quick bit of research on “Internet Explorer”, “anchor” / “fragment id” and “onfocus” or “focus”. [Click here for the TLDR version.]

Those of you who know me, or have been reading this blog for a while know that I have something of a soft spot for the XSS exploits (See here, here, here and here – oh, and here). One of the reasons I like them is that I can test sites without causing any actual damage to them – a reflected XSS that I launch on myself only really affects me. [Stored XSS, now that’s a different matter] And yet, the issues that XSS brings up are significant and severe.

A quick reminder

XSS issues are significant and severe because:

  • An attacker with a successful XSS is rewriting your web site on its way to the user
  • XSS attacks can be used to deliver the latest Java / ActiveX / Flash / Acrobat exploits
  • Stored XSS can affect all of your customers, and can turn your web server into a worm to infect all of your users all of the time
  • A reflected XSS can be used to redirect your users to a competitor’s or attacker’s web site
  • A reflected or stored XSS attack can be used to void any CSRF protection you have in place
  • XSS vulnerability is usually a sign that you haven’t done the “fit and finish” checks in your security reviews
  • XSS vulnerability is an embarrassing rookie mistake, made often by seasoned developers

Make it “SEXY”

So, I enjoy reporting XSS issues to web sites and seeing how they fix them.

It’s been said I can’t pass a Search box on a web site without pasting in some kind of script and seeing whether I can exploit it.

So, the other day I decided for fun to go and search for “security blog” and pick some entries at random. The first result that came up – blog.schneier.com – seemed unlikely to yield any fruit, because, well, Bruce Schneier. I tried it anyway, and the search box goes to an external search engine, which looked pretty solid. No luck there.

A couple of others – and I shan’t say how far down the list, for obvious reasons – turned up trumps. Moderately simple injections into attributes in HTML tags on the search results page.

One only allowed me to inject script into an existing “onfocus” event handler, and the other one allowed me to create the usual array of “onmouseover”, “onclick”, “onerror”, etc handlers – and yes, “onfocus” as well.

I reported them to the right addresses, and got the same reply back each time – this is a “low severity” issue, because the user has to take some action, like wiggling the mouse over the box, clicking in it, etc.

Could I raise the severity, they asked, by making it something that required no user interaction at all, save for loading the link?

Could I make the attack more “sexy”?

Try something stupid

Whenever I’m faced with an intellectual challenge like that, I find that often a good approach is to simply try something stupid. Something so stupid that it can’t possibly work, but in failing it will at least give me insight into what might work.

I want to set the user’s focus to a field, so I want to do something a bit like “go to the field”. And the closest automatic thing that there is to “going to a field” in a URL is the anchor portion, or “fragment id” of the URL.

Anchor? What’s that in a URL?

You’ll have seen them, even if you haven’t really remarked on them very much. A URL consists of a number of parts:

protocol://address:port/path1//path2?query#anchor

The anchor is often called the “hash”, because it comes after the “hash” or “sharp” or “pound” (if you’re not British) character. [The query often consists of sets of paired keys and values, like “key1=value1&key2=value2”, etc]

The purpose of an anchor is to scroll the window to bring a specific portion to the top. So, you can give someone a link not just to a particular page, but to a portion of that page. It’s a really great idea. Usually an anchor in the URL takes you to a named anchor tag in the page – something that reads “<a name=foobar></a>” will, for instance, be scrolled to the top whenever you visit it with a URL that ends with “#foobar”.

[The W3C documentation only states that the anchor or fragment ID is used to “visit” the named tag. The word “visit” is never actually defined. Common behaviour is to load the page if it’s not already loaded, and to scroll the page to bring the visited element to the top.]

This anchor identifier in the URL is also known as a “fragment identifier”, because technically the anchor is the entire URL. Not what people make as common usage, though.

XSS fans like myself are already friendly with the anchor identifier, because it has the remarkable property of never being sent to the server by the browser! This means that if your attack depends on something in the anchor identifier, you don’t stand much chance of being detected by the server administrators.

Sneaky.

The stupid thing

So, the stupid thing that I thought about is “does this work for any name? and is it the same as focus?”

Sure enough, in the W3C documentation for HTML, here it is:

Destination anchors in HTML documents may be specified either by the A element (naming it with the name attribute), or by any other element (naming with the id attribute).

[From http://www.w3.org/TR/html4/struct/links.html#h-12.1]

So, that means any tag with an “id” attribute can be scrolled into view. This effectively applies to any element with a “name” attribute too, because:

This attribute [name] names the current anchor so that it may be the destination of another link. The value of this attribute must be a unique anchor name. The scope of this name is the current document. Note that this attribute shares the same name space as the id attribute. [my emphasis]

[From http://www.w3.org/TR/html4/struct/links.html#adef-name-A]

This is encouraging, because all those text boxes already have to have ids or names to work.

So, we can bring a text box to the top of the browser window by specifying its id or name attribute as a fragment.

That’s the first stupid thing checked off and working.

Bringing it into focus

But moving a named item to the top of the screen isn’t the same as selecting it, clicking on it, or otherwise giving it focus.

Or is it?

Testing in Firefox, Chrome and Safari suggested not.

Testing in Internet Explorer, on the other hand, demonstrated that even for as old a version as IE8, all the way through IE9 and IE10, caused focus behaviour – including any “onfocus” handler – to trigger.

The TLDR version:

Internet Explorer has a behaviour different from other browsers which makes it easier to exploit a certain category of XSS vulnerabilities in web sites.

If you are attacking users of a vulnerable site that allows an attacker to inject code into an “onfocus” handler (new or existing), you can force visitors to trigger that “onfocus” event, simply by adding the id or name of the vulnerable HTML tag to the end of the URL as a fragment ID.

You can try it if you like – using the URL http://www.microsoft.com/en-us/default.aspx#ctl00_ctl16_ctl00_ctl00_q

OK, so you clicked it and it didn’t drop down the menu that normally comes when you click in the search field on Microsoft’s front page. That’s because the onfocus handler wasn’t loaded when the browser set the focus. Try reloading it.

You can obviously build any number of test pages to look at this behaviour:

<form>
<input type="text" name="exploit" id="exploitid" onfocus="alert(1)" />
</form>

Loading that with a link to formpage.html#exploit or formpage.html#exploitid will pop up an ‘alert’ dialog box.

So, that’s a security flaw in IE, right?

No, I don’t think it is – I don’t know that it’s necessarily even a flaw.

The documentation I linked to above only talks about the destination anchor being used to “visit” a resource. It doesn’t even say that the named anchor should be brought into view in any way. [Experiment: what happens if the ID in the fragment identifier is a “type=hidden” input field?]

It doesn’t say you should set focus; it also doesn’t say you should not set focus. Setting focus may be simply the most convenient way that Internet Explorer has to bring the named element into view.

And the fact that it makes XSS exploits a little easier doesn’t make it a security flaw either – the site you’re visiting STILL has to have an XSS flaw on it somewhere.

Is it right to publish this?

Finally, the moral question has to be asked and answered.

I start by noting that if I can discover this, it’s likely a few dozen other people have discovered it too – and so far, they’re keeping it to themselves. That seems like the less-right behaviour – because now those people are going to be using this on sites unaware of it. Even if the XSS injection is detected by the web site through looking in their logs, those same logs will tell them that the injection requires a user action – setting focus to a field – and that there’s nothing causing that to happen, so it’s a relatively minor issue.

Except it’s not as minor as that, because the portion of the URL that they CAN’T see is going to trigger the event handler that just got injected.

So I think the benefit far outweighs the risk – now defenders can know that an onfocus handler will be triggered by a fragment ID in a URL, and that the fragment ID will not appear in their log files, because it’s not sent to the server.

I’ve already contacted Microsoft’s Security team and had the response that they don’t think it’s a security problem. They’ve said they’ll put me in touch with the Internet Explorer team for their comments – and while I haven’t heard anything yet, I’ll update this blog when / if they do.

In general, I believe that the right thing to do with security issues is to engage in coordinated disclosure, because the developer or vendor is generally best suited to addressing specific flaws. In this case, the flaw is general, in that it’s every site that is already vulnerable to XSS or HTML injection that allows the creation or modification of an “onfocus” event handler. So I can’t coordinate.

The best I can do is communicate, and this is the best I know how.

Posted by Alun Jones | with no comments
Filed under: ,

Credential Provider update–Windows 8 SDK breaks a few things…

You’ll recall that back in February of 2011, I wrote an article on implementing your first Credential Provider for Windows 7 / 8 / Server 2008 R2 / Server 2012 – and it’s been a fairly successful post on my blog.

Just recently, I received a report from one of my users that my version of this was no longer wrapping the password provider on Windows Server 2008 R2.

As you’ll remember from that earlier article, it’s a little difficult (but far from impossible) to debug your virtual machine to get information out of the credential provider while it runs.

Just not getting called

Nothing seemed to be obviously wrong, the setup was still executing the same way, but the code just wasn’t getting called. For the longest time I couldn’t figure it out.

Finally, I took a look at the registry entries.

My code was installing itself to wrap the password provider with CLSID “{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}”, but the password provider in Windows Server 2008 R2 appeared to have CLSID “{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}”. Subtle, to be sure, but obviously different.

I couldn’t figure out immediately why this was happening, but I eventually traced back through the header files where CLSID_PasswordCredentialProvider was defined, and found the following:

   1: EXTERN_C const CLSID CLSID_PasswordCredentialProvider;
   2:  
   3: #ifdef __cplusplus
   4:  
   5: class DECLSPEC_UUID("60b78e88-ead8-445c-9cfd-0b87f74ea6cd") 
   6: PasswordCredentialProvider; 
   7: #endif
   8:  
   9: EXTERN_C const CLSID CLSID_V1PasswordCredentialProvider;
  10:  
  11: #ifdef __cplusplus
  12:  
  13: class DECLSPEC_UUID("6f45dc1e-5384-457a-bc13-2cd81b0d28ed") 
  14: V1PasswordCredentialProvider; 
  15: #endif 
  16:  

As you can see, in addition to CLSID_PasswordCredentialProvider, there’s a new entry, CLSID_V1PasswordCredentialProvider, and it’s this that points to the class ID that Windows Server 2008 R2 uses for its password credential provider – and which I should have been wrapping with my code.

The explanation is obvious

It’s clear what happened here with a little research. For goodness-only-knows-what-unannounced-reason, Microsoft chose to change the class ID of the password credential provider in Windows 8 and Windows Server 2012. And, to make sure that old code would continue to work in Windows 8 with just a recompile, of course they made sure that the OLD name “CLSID_PasswordCredentialProvider” would point to the NEW class ID value. And, as a sop to those of us supporting old platforms, they gave us a NEW name “CLSID_V1PasswordCredentialProvider” to point to the OLD class ID value.

And then they told nobody, and included it in Visual Studio 2012 and the Windows 8 SDK.

In fact, if you go searching for CLSID_V1PasswordCredentialProvider, you’ll find there’s zero documentation on the web at all. That’s pretty much unacceptable behaviour, introducing a significantly breaking change like this without documentation.

So, how to support both values?

Supporting both values requires you to try and load each class in turn, and save details indicating which one you’ve loaded. I went for this rather simple code in SetUsageScenario:

   1: IUnknown *pUnknown = NULL;
   2: _pWrappedCLSID = CLSID_PasswordCredentialProvider;
   3: hr = ::CoCreateInstance(CLSID_PasswordCredentialProvider, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pUnknown));
   4: if (hr == REGDB_E_CLASSNOTREG)
   5: {
   6:     _pWrappedCLSID = CLSID_V1PasswordCredentialProvider;
   7:     hr = ::CoCreateInstance(CLSID_V1PasswordCredentialProvider, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pUnknown));
   8: }

Pretty bone-dead simple, I hope you’ll agree – the best code often is.

Of course, if you’re filtering on credential providers, and hope to hide the password provider, you’ll want to filter both providers there, too. Again, here’s my simple code for that in Filter:

   1: if (IsEqualGUID(rgclsidProviders[i], CLSID_PasswordCredentialProvider))
   2:     rgbAllow[i]=FALSE;
   3: if (IsEqualGUID(rgclsidProviders[i], CLSID_V1PasswordCredentialProvider))
   4:     rgbAllow[i]=FALSE;

If that wasn’t nasty enough…

Ironically, impacting the Windows XP version of the same package (which uses a WinLogon Notification Provider, instead of a Credential Provider), another thing that the Windows 8 SDK and Visual Studio 2012 did for me is that it disabled the execution of my code on Windows XP.

This time, they did actually say something about it, though, which allowed me to trace and fix the problem just a little bit more quickly.

The actual blog post (not official documentation, just a blog post) that describes this change is here:

Windows XP Targeting with C++ in Visual Studio 2012

What this blog indicates is that a deliberate step was taken to disable Windows XP support in executables generated by Visual Studio 2012. You have to go back and make changes to your projects in order to continue supporting Windows XP.

That’s not perhaps so bad, because really, Windows XP is pretty darn old. In fact, in a year from now it’ll be leaving its support lifecycle, and heading into “Extended Support”, where you have to pay several thousand dollars for every patch you want to download. I’d upgrade to Windows 7 now, if I were you.

New Windows Phone 8. Something to love, something to hate.

Given in to phone envy, Alun?

No, not really – although I will say it was interesting to be around so many Windows Phone 8 users at the Microsoft MVP Summit last week.

But the HTC HD7 I originally bought, which spent a half-hour in a hot-tub (syncing), then a week in a bucket of Damp-Rid, then a year (working) in the hands of my teenaged son, finally bit the dust in the middle of the MVP Summit.

Says the storage card is corrupted.

So, I can’t afford the time to take it apart, mess with the drive and possibly even discover that it is truly dead.

I have to take advantage of the “upgrade” pricing that comes with committing to another year of service from T-Mobile, and upgrade him to a Windows Phone 8 system.

Then my wife gets interested in the phone, and before you know it, we’re all getting new phones.

No problems, then – everything’s good!

Yes and no.

It’s always good to get a new phone, sure, and to enjoy the fun of new features. But you’ve got to reinstall, and in some cases, re-buy (my wife went from a Blackberry to an HTC 8X) all your apps. And the data is all gone. High-scores, messages, settings, there’s no good path to take data from a WP7 to a WP8, let alone from a Blackberry to a WP8.

Some apps, of course, save their data to the cloud – all my OneNote files came with me.

It’s not so bad in the future, because there’s apparently a better upgrade path from WP8 to other WP8 phones. Messages get backed up, as well as your app list and settings.

How’d you get your apps back, then?

The interface to reinstall has improved over the years, from the first version, in which I only found the ability to restore apps installed directly from the Zune software; to a later version, which required a bunch of different click-through pages for each app you want to reinstall. Now, the reinstall interface is so much easier. Just go to the Windows Phone "Purchase History” page, scroll down the list of apps and click “Reinstall” on each app you want to go onto your new phone. No clicking through, no re-checking boxes about allowing location, etc.

Despite the name “Purchase History”, this page lists even those apps which I downloaded for free, whether as Trial software, or because the software was free in the first place.

That’s the good part, and that’s how I got some of my apps back. But the bad part is that this list doesn’t contain all of my free apps, just a limited, and somewhat random, selection. For instance, although it lists Amazon Fresh, the Purchase History page is missing Amazon Kindle, and Amazon Mobile, as well as the majority of my other free apps. This is not good customer experience, and if I was the author of any of the apps that aren’t easily reinstallable, I’d probably raise a big stink.

So now, I have to go one by one through my old phone’s list of apps, finding out which aren’t on my new phone, searching for them in the store, finding them in the search results, clicking on them, then clicking “Reinstall” (the store knows I have already installed them before). This makes me more likely to not reinstall these apps, and since the majority of these are ad-funded apps, whose authors won’t make a dime unless I run them, I think that app developers have a strong incentive to ask Microsoft to fix this behaviour.

And how’s the podcast experience?

Oh, you knew that I’d have something to say about that. Well, this post’s long enough already, so I’ll leave that until next time. For now, I have to say I do like my new phone, but I’m really tired of this whole update process already.

That old “cyber offence” canard again

I’m putting this post in the “Programmer Hubris” section, but it’s really not the programmers this time, it’s the managers. And the lawyers, apparently.

Something set me off again

Well, yeah, it always does, and this time what set me off is an NPR article by Tom Gjelten in a series they’re currently doing on “cybersecurity”.

This article probably had a bunch of men talking to NPR with expressions such as “hell, yeah!” and “it’s about time!”, or even the more balanced “well, the best defence is a good offence”.

Absolute rubbish. Pure codswallop.

But aren’t we being attacked? Shouldn’t we attack back?

Kind of, and no.

We’re certainly not being “attacked” in the means being described by analogy in the article.

"If you're just standing up taking blows, the adversary will ultimately hit you hard enough that you fall to the ground and lose the match. You need to hit back." [says Dmitri Alperovitch, CrowdStrike's co-founder.]

Yeah, except we’re not taking blows, and this isn’t boxing, and they’re not hitting us hard.

"What we need to do is get rid of the attackers and take away their tools and learn where their hideouts are and flush them out," [says Greg Hoglund, co-founder of HBGary, another firm known for being hacked by a bunch of anonymous nerds that he bragged about being all over]

That’s far closer to reality, but the people whose job it is to do that is the duly appointed law enforcement operatives who are able to enforce law.

"It's [like] the government sees a missile heading for your company's headquarters, and the government just yells, 'Incoming!' " Alperovitch says. "It's doing nothing to prevent it, nothing to stop it [and] nothing to retaliate against the adversary." [says Alperovitch again]

No, it’s not really like that at all.

There is no missile. There is no boxer. There’s a guy sending you postcards.

What? Excuse me? Postcards?

Yep, pretty much exactly that.

Every packet that comes at you from the Internet is much like a postcard. It’s got a from address (of sorts) and a to address, and all the information inside the packet is readable. [That’s why encryption is applied to all your important transactions]

So how am I under attack?

There’s a number of ways. You might be receiving far more postcards than you can legitimately handle, making it really difficult to assess which are the good postcards, and which are the bad ones. So, you contact the postman, and let him know this, and he tracks down (with the aid of the postal inspectors) who’s sending them, and stops carrying those postcards to you. In the meantime, you learn how to spot the obvious crappy postcards and throw them away – and when you use a machine to do this, it’s a lot less of a problem. That’s a denial of service attack.

Then there’s an attack against your web site. Pretty much, that equates to the postcard sender learning that there’s someone reading the postcards, whose job it is to do pretty much what the postcards tell them to do. So he sends postcards that say “punch the nearest person to you really hard in the face”. Obviously a few successes of this sort lead you to firing the idiot who’s punching his co-workers, and instead training the next guy as to what jobs he’s supposed to do on behalf of the postcard senders.

I’m sure that my smart readers can think up their own postcard-based analogies of other attacks that go on, now that you’ve seen these two examples.

Well if it’s just postcards, why don’t I send some of my own?

Sure, send postcards, but unless you want the postman to be discarding all your outgoing mail, or the law enforcement types to turn up at your doorstep, those postcards had better not be harassing or inappropriate.

Even if you think you’re limiting your behaviour to that which the postman won’t notice as abusive, there’s the other issue with postcards. There’s no guarantee that they were sent from the address stated, and even if they were sent from there, there is no reason to believe that they were official communications.

All it takes is for some hacker to launch an attack from a hospital’s network space, and you’re now responsible for attacking an innocent target where lives could actually be at risk. [Sure, if that were the case, the hospital has shocking security issues of its own, but can you live with that rationalisation if your response to someone attacking your site winds up killing someone?]

I don’t think that counterattack on the Internet is ethical or appropriate.

That “are you kidding me?” moment in customer support

So, my Sunbeam electric blanket died yesterday. Second one in a year.

As a dutiful consumer, I’d really like to report this to the manufacturer, get a replacement and move on. I fill out the “Contact Us” form. Then I get this ludicrous error:

image

So, you’re going to ask your customers to contact you when they have problems, and then you’re going to actually limit the characters they’re allowed to use in the QUESTION that they’re asking you?

Asking me to avoid using quotes, colons and semicolons in written English is completely ludicrous.

And yes, I know why they do this. It’s because they attended a course on secure programming which told them how to do input validation.

Input validation is not the shizzle

I am constantly amazed as to how frequently I have to ram this point home to developers who have learned one trick to protect against injection attacks.

“Validate ALL input – reject the bad characters!” – I’ve heard this from a number of people, including security professionals.

When you CAN do strict input validation based off a restricted whitelist, of course, that’s great – “input a whole number between one and ten” is good for input validation. “Input your name” generally isn’t, because names have a habit of containing characters that are known to be ‘bad’ characters in a number of cases, such as “O’Donnell”. Apostrophes are bad in numerous cases. “Input your question”, as in this case, is likely to elicit all kinds of funky characters.

And, as I ask the candidates on my phone screen interviews, what do you do in the case when you have a web app which stores to a SQL database, and its task is to store XSS and SQL injection attacks. <sigh> Clearly, you have to use acceptable output encoding. Apparently, Sunbeam’s web developers are not good enough to know when to stop using input validation, and start using output encoding.

Even less smart

My suspicions are confirmed when, after typing in a correctly formed question, the model number of the blanket (which, curiously, isn’t anywhere on the blanket or its controllers), the date code on the plug, and my contact details, the web page unerringly provides me with this as its response:

image

So, I think our next step is to contact Amazon to resolve this customer service issue properly. And not buying from Sunbeam again.

Removing capabilities from my first Windows Phone app

So, I thought I’d write a Windows Phone app using Visual Studio 2012 the other day. Just a simple little thing, to help me solve my son’s algebra homework without getting into the same binds he does (failure to copy correctly, fumbled arithmetic, you know the thing…)

And I run into my first problem.

The app uses no phone capabilities worth advertising – you know, things like the choice to track your location, so that the app’s install will ask the user “do you want to allow this app to have access to your location”, and you say either “allow”, or “why the hell does a flashlight application need to know where I am?”

And yet, when I run the “Automated Tests” under the Store Test Kit, I get the following:

image

If you can’t read the image, or you’re searching for this in Google, I’ll tell you that it wants me to know that it’s validated all the capabilities I’m using, and has noticed that I’m using ID_CAP_MEDIALIB and ID_CAP_NETWORKING.

Weird, because I don’t do any networking, and I don’t access any of the phone user’s media.

It’s just my son and me using the app right now, but I can picture some paranoid person wondering why I need access to their media library or networking simply so I can solve the occasional simultaneous or quadratic equation!

Quite frankly, I was mystified, too. Did a bit of searching across the interWebs, but all the articles I found said the same thing – the MediaLib capability must be because you’re using something with the word “Radio” or “Media” in it somewhere (I’m not), and the Networking capability because you’re doing something across the network. I removed all the “using System.Net” lines from all of my code files, but still no joy.

[A quick tip: to find all these rules yourself, look in C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v7.1\Tools\Marketplace for the file “rules.xml”, which will tell you what the capability detection code is looking for]

Nothing in my own code seemed to be actually causing this, so I took a step back and had a look at other references being included by the compiler by default.

System.Net seemed to be an obvious offender, so I removed that, to no effect (quite right, too, because it isn’t the offender, and doesn’t, on its own, cause ID_CAP_NETWORKING to be detected).

No, here’s the culprit:

image

Microsoft.Expression.Interactions – what on earth is that doing there?

It’s not something I remember including, and quite honestly, when I went looking for it, I’m disappointed to find that it’s associated with Expression Blend, not something I’ve actually used EVER. [Maybe I should, but that’s a topic for another time].

Removing this reference and rebuilding, the XAP tests clear of all capabilities. Which is nice.

So, now I have my “Big Algebra” app in beta test, and it doesn’t tell the user that it’s going to need their media library or their network connection – because it’s not going to need them!

Could Google prompt Microsoft to provide easier syncing?

As a Windows Phone user, and trying to persuade my wife to one day become one (instead of the Blackberry she totes around), I’m constantly stopped by the prospect that there is no way to sync my calendar and contacts without going through some online service.

This is a very strange situation, because even Apple’s iPhone can apparently synchronise Outlook contacts and calendar entries over the USB connection.

Microsoft’s answer to date has always been that we should rent or borrow an Exchange Server of some sort, push our calendar and contact details to that server, and then fetch them down later. Not exactly secure (you’re sharing a high-value target, possibly operated by a company with whom you compete, as your mail server), and free under generally limited circumstances.

Maybe I’m too paranoid, but I don’t really fancy that level of reliance on someone else’s service to host and protect information that, up until now, I’ve held physically on only a couple of devices. So, I make do without my contacts on my phone, and I rarely have a firm idea of my calendar commitments until I’m back at home base.

There are solutions, of course, because there always are – and they rely, essentially, on setting up something that pretends to be Exchange on your local WiFi.

Not exactly secure, and not exactly cheap. Certainly not free.

Then comes the bad news – Google has decided to close down Exchange connectivity to GMail, so that Windows Phones will not be able to use GMail any more. I’m sure that’s not the reason they give in press releases, but it seems likely that’s at least seen as a handy side-benefit. [Does this mean Google sees a threat from Windows Phone?]

Rather uncharacteristically, but in a welcome move, Microsoft turned around and, instead of turning it into a raging war of words, said that if they couldn’t get at GMail that way any more, they’d support one of the other ways of getting at GMail – this means that they’ll start supporting IMAP and the Calendar and Contact sync formats supported by GMail.

That changes everything

Because now, you don’t have to find an Exchange lookalike in order to sync locally – all you need is IMAP support, and support for the two formats, CardDAV and CalDAV.

These are simpler formats, and more widely documented and supported, than the Exchange protocols previously insisted upon by Microsoft. I can see that when they open up IMAP support, a lot of Windows Phone users will be opened up to their email accounts, and when CardDAV and CalDAV are added, we should see very quickly some solutions that allow for syncing of contacts and calendar while connected by USB.

2013 should be a good year to be a Windows Phone user.

And yes, I’m still waiting for my carrier to push Windows Phone 7.8.

On new exploit techniques

Last year’s discussion on “Scriptless XSS” made me realise that there are two kinds of presentation about new exploits – those that talk about a new way to trigger the exploit, and those that talk about a new way to take advantage of the exploit.

Since I didn’t actually see the “Scriptless XSS” presentation at Blue Hat (not having been invited, I think it would be bad manners to just turn up), I won’t address it directly, and it’s entirely possible that much of what I say is actually irrelevant to that particular paper. I’m really being dreadfully naughty here and setting up a strawman to knock down. In the tech industry, this practice is often referred to as “journalism”.

So where’s my distinction?

Let’s say you’re new to XSS. It’s possible many of you actually are new to XSS, and if you are, please read my previous articles about how it’s just another name for allowing an attacker to inject content (usually HTML) into a web page.

Your first XSS exploit example may be that you can put “<script>alert(1)</script>” into a search field, and it gets included without encoding into the body of the results page. This is quite frankly so easy I’ve taught my son to do it, and we’ve had fun finding sites that are vulnerable to this. Of course, we then inform them of the flaw, so that they get it fixed. XSS isn’t perhaps the most damaging of exploits – unlike SQL injection, you’re unlikely to use it to steal a company’s entire customer database – but it is an embarrassing indication that the basics of security hygiene are not being properly followed by at least some of your development team.

The trigger of the exploit here is the “<>” portion (not including the part replaced by ellipsis), and the exploit itself is the injection of script containing an alert(1) command.

Let’s say now that the first thing a programmer tries to protect his page is to replace the direct embedding of text with an <input> tag, whose value is set to the user-supplied text, in quotes.

Your original exploit is foiled, because it comes out as:

<input readonly=1 value="<script>alert(1)</script>">

That’s OK, though, because the attacker will see that, and note that all he has to do is provide the terminating quote and angle bracket at the start of his input, to produce instead:

<input readonly=1 value=""><script>alert(1)</script>">

This is a newer method of exploiting XSS-vulnerable code. Although a simple example, this is the sort of thing it’s worth getting excited about.

Why is that exciting?

It’s exciting because it causes a change in how you planned to fix the exploit. You had a fix that prevented the exploit from happening, and now it fails, so you have to rethink this. Any time you are forced to rethink your assumptions because of new external data, why, that’s SCIENCE!

And the other thing is…?

Well, the other thing is noting that if the developer did the stupid thing, and blocked the word “alert”, the attacker can get around that defence by using the “prompt” keyword instead, or by redirecting the web page to somewhere the attacker controls. This may be a new result, but it’s not a new trigger, it’s not a new cause.

When defending your code against attack, always ask yourself which is the trigger of an attack, rather than the body of the attack itself. Your task is to prevent the trigger, at which point the body becomes irrelevant.

Time to defend myself.

I’m sure that someone will comment on this article and say that I’m misrepresenting the field of attack blocking – after all, the XSS filters built into major browsers surely fall into the category of blocking the body, rather than the trigger, of an attack, right?

Sure, and that’s one reason why they’re not 100% effective. They’re a stopgap measure – a valuable stopgap measure, don’t get me wrong, but they are more in the sense of trying to recognise bad guys by the clothing they choose to wear, rather than recognising bad guys by the weapons they carry, or their actions in breaking locks and planting explosives. Anyone who’s found themselves, as I have, in the line of people “randomly selected for searching” at the airport, and looked around and noted certain physical similarities between everyone in the line, will be familiar with the idea that this is more an exercise in increasing irritation than in applying strong security.

It’s also informative to see methods by which attacks are carried out – as they grow in sophistication from fetching immediate cookie data to infecting browser sessions and page load semantics, it becomes easier and easier to tell developers “look at all these ways you will be exploited, and you will begin to see that we can’t depend on blocking the attack unless we understand and block the triggers”.

Keep doing what you’re doing

I’m not really looking to change any behaviours, nor am I foolish enough to think that people will start researching different things as a result of my ranting here.

But, just as I’ve chosen to pay attention to conferences and presentations that tell me how to avoid, prevent and fix, over those that only tell me how to break, I’ll also choose to pay attention to papers that show me an expansion of the science of attacks, their detection and prevention, over those that engage in a more operational view of “so you have an inlet, what do you do with it?”

Posted by Alun Jones | with no comments

XSS Hipster loved Scriptless XSS before it was cool

I was surprised last night and throughout today, to see that a topic of major excitement at the Microsoft BlueHat Security Conference was that of “Scriptless XSS”.

The paper presented on the topic certainly repeats the word “novel” a few times, but I will note that if you do a Google or Bing search for “Scriptless XSS”, the first result in each case is, of course, a simple blog post from yours truly, a little over two years ago, in July 2010.

As the article notes, this isn’t even the first time I’d used the idea that XSS (Cross Site Scripting) is a complete misnomer, and that “HTML injection” is a more appropriate description. JavaScript – the “Scripting” in most people’s explanations of Cross Site Scripting – is definitely not required, and is only used because it is an alarmingly clear demonstration that something inappropriate is happening.

Every interview in the security field – every one!

Every time I have had an interview in the security field – that’s since 2006 – I’ve been asked “Explain what Cross Site Scripting is”, and rather hesitantly at first, but with growing surety, I have answered that it is simply “HTML injection”, and the conversation goes wonderfully from there.

Why did I come up with this idea?

Fairly simply, I’ve found that if you throw standard XSS exploits at developers and tell them to fix the flaw, they do silly things like blocking the word “script”. As I’ve pointed out before, Cross Site Scripting (as with all injection attacks) requires an Injection (how the attacker provides their data), an Escape (how the attacker’s data moves from data into code), an Attack or Execution (the payload), and optionally a Cleanup (returning the user’s browser state to normal so they don’t notice the attack happening).

It’s not the script, stupid, it’s the escape.

Attacks are wide and varied – the paper on Scriptless Attacks makes that clear, by presenting a number of novel (to me, at least) attacks using CSS (Cascading Style Sheet) syntax to exfiltrate data by measuring scrollbars. My example attack used nothing so outlandish – just the closure of one form, and the opening of another, with enough CSS attribute monkeying to make it look like the same form. The exfiltration of data in this case is by means of the rather pedestrian method of having the user type their password into a form field and submit it to a malicious site. No messing around with CSS to measure scrollbars and determine the size of fonts.

Hats off to these guys, though.

I will say this – the attacks they present are an interesting and entertaining demonstration that if you’re trying to block the Attack or Cleanup phases of an Injection Attack, you have already failed, you just don’t know it yet. Clearly a lot of work and new study went into these attacks, but it’s rather odd that their demonstrations are about the more complicated end of Scriptless XSS, rather than about the idea that defenders still aren’t aware of how best to defend.

Also, no doubt, they had the sense to submit a paper on this – all I did was blog about it, and provide a pedestrian example with no flashiness to it at all.

Hipster gets no respect.

So, yeah, I was talking about XSS without the S, long before it was cool to do so. As my son informs me, that makes me the XSS Hipster. It’d be gratifying to my ego to get a little nod for that (heck, I don’t even get an invite to BlueHat), but quite frankly rather than feeling all pissed off about that, I’m actually rather pleased that people are working to get the message out that JavaScript isn’t the problem, at least when it comes to XSS.

The problem is the Injection and the Escape – you can block the Injection by either not accepting data, or by having a tight whitelist of good values; and you can block the Escape by appropriately encoding all characters not definitively known to be safe.

UDP and DTLS not a performance improvement.

Saw this update in my Windows Update list recently:

http://support.microsoft.com/kb/2574819

As it stands right now, this is what it says (in part):

image

OK, so I started off feeling good about this – what’s not to like about the idea that DTLS, a security layer for UDP that works roughly akin to TLS / SSL for TCP, now can be made a part of Windows?

Sure, you could say “what about downstream versions”, but then again, there’s a point where a developer should say “upgrading has its privileges”. I don’t support Windows 3.1 any more, and I don’t feel bad about that.

No, the part I dislike is this one:

Note DTLS provides TLS functionalities that are based on the User Datagram Protocol (UDP) protocol. Because TLS is based on the Transmission Control Protocol (TCP) protocol, DTLS performs better than TLS.

Wow.

That’s just plain wrong. Actually, I’m not even sure it qualifies as wrong, and it’s quite frankly the sort of mis-statement and outright guff that made me start responding to networking posts in the first place, and which propelled me in the direction of eventually becoming an MVP.

Nerd

Yes, I was the nerdy guy complaining that there were already too many awful networking applications, and that promulgating stupid myths like “UDP performs better than TCP” or “the Nagle algorithm is slowing your app down, just disable it” causes there to be more of the same.

But I think that’s really the point – you actually do want nerds of that calibre writing your network applications, because network programming is not easy – it’s actually hard. As I have put it on a number of occasions, when you’re writing a program that works over a network, you’re only writing one half of the application (if that). The other half is written by someone else – and that person may have read a different RFC (or a different version of the protocol design), may have had a different interpretation of ambiguous (or even completely clear) sections, or could even be out to destroy your program, your data, your company, and anyone who ever trusted your application.

Surviving in those circumstances requires an understanding of the purity of good network code.

But surely UDP is faster?

Bicycle messengers are faster than the postal service, too. Fast isn’t always what you’re looking for. In the case comparing UDP and TCP, if it was just a matter of “UDP is faster than TCP”, all the world’s web sites would be running on some protocol other than HTTP, because HTTP is rooted in TCP. Why don’t they?

Because UDP repeats packets, loses packets, repeats packets, and first of all, re-orders packets. And when your web delivery over UDP protocol retransmits those lost packets, correctly orders packets, drops repeated packets, and thereby gives you the full web experience without glitches, it’s re-written large chunks of the TCP stack over UDP – and done so with worse performance.

Don’t get me wrong – UDP is useful in and of itself, just not for the same tasks TCP is useful for. UDP is great for streaming audio and video, because you’d rather drop frames or snippets of sound than wait for them to arrive later (as they would do with TCP requesting retransmission, say). If you can afford to lose a few packets here and there in the interest of timely delivery of those packets that do get through, your application protocol is ideally suited to UDP. If it’s more important to occasionally wait a little in order to get the whole stream, TCP will outperform UDP every time.

In summary…

Never choose UDP over TCP because you heard it goes faster.

Choose UDP over TCP because you’d rather have packets dropped at random by the network layer than have them arrive any later than the absolute fastest they can get there.

Choose TCP over UDP because you’d rather have all the packets that were sent, in the order that they were sent, than get most / many / some of them earlier.

And whether you use TCP or UDP, you can now add TLS-style security protection.

I await the arrival of encrypted UDP traffic with some interest.

But officer, everyone else is speeding…

I’ve been consistently amazed by human behaviours for many years, and through many employers.

One of the behaviours that always astonishes me is when I let someone know that they’re violating security policy, or simply behaving in an insecure manner, and rather than changing their behaviour or defending their own actions per se, they respond with some variation of “sure, but such-and-such team/person is already doing that and far worse”.

Maybe it’s my grammar school upbringing, in which it was clear that the response of “but Sir, Jenkins minor was also chewing gum” was not only going to get Jenkins into trouble, but also get me into more trouble (if only when Jenkins found out who snitched) – I really can’t see that there’s any appropriate response to such statements other than to say “well, thank you for drawing my attention to that other infraction, which I will decide to address at my convenience – now, back to your case…” – or perhaps less usefully, “that may be, but it’s you that I caught.”

I readily acknowledge that institutional behaviours are as much learned from the actions of one’s peers, so that it is important to curb widespread culturally-ingrained wrongness.

But I don’t see what people who use this argument expect will happen – is there really a circumstance in their past in which someone said “really? Oh, well then, that’s alright. Carry on.”

Immutable Security Laws and Windows Sidebar Gadgets

Immutable Security Law number 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

I love the Immutable Security Laws – they strike a chord deep within me, and they’re a “go to” resource every time I want to decide if I’m making a good security decision.

I also like my Windows Sidebar Gadgets. Not a whole lot of them, mind you, just one or two that I’ve written myself. And I can’t say that I’ve gone very deep in developing them.

So I’m deeply conflicted when I see “Microsoft Security Advisory (2719662) - Vulnerabilities in Gadgets Could Allow Remote Code Execution” – this seems to be saying that because there are a number of vulnerabilities in common Sidebar Gadgets, you should disable Sidebar Gadgets completely.

But the descriptions I see of Sidebar Gadgets and their security suggest that these Gadgets are exactly like other executables, in terms of the protection you get when running them (essentially, none).

So, in essence, this boils down to “a class of executables that you can download and run are known to have vulnerabilities. So we are disabling that class of executables.” And apparently, this isn’t an architectural flaw in Sidebar Gadgets, because the wording indicates only that a lot of Gadgets have common vulnerabilities – but not all of them.

Can you imagine if the same had been done for, say, Java? If all Java apps were disabled, not because of a flaw in Java, but because many Java developers had written poorly-secured code? What about other frameworks? C++? .NET? PHP?

Uh, yeah, OK, I can see it for PHP. I’m all for disabling PHP on the basis that [almost?] nobody seems able to reliably write secure code using it.

Obviously, I’m writing this from the perspective of someone who hasn’t seen information on the sort of vulnerabilities being described, so it’s entirely possible that there’s an actual architectural weakness that warrants disabling Gadgets completely. I’m just not reading that into what’s been said so far, and I’d like to think that we’re capable of making security decisions on the basis of security truth, rather than some random measure of “disable this framework, because it’s not that important, and many of its developers are writing bad code”.

Clearly I have to wait for the revelation at the BlackHat talk (I’m not going to BlackHat, but I’m on vacation right now – in Vegas) to see what the threat actually is, but I will state up front that I am confused.

iCan’t sync with iTunes; iCan’t sync without iTunes…

OK, so that’s a horrible stretching of a song to cover a point, but it’s kind of the way I feel right now – torn between a rock and a hard place.

Some time ago now, I let you readers know that I’d won an iPad at the Black Hat security conference, and that I’d be trying it out to let you know what I thought.

First, let’s consider my usage case, and what I am comparing it against.

The iPad is, to my mind, a potential killer device for a few things I like to do:

  1. Watching movies and TV shows on the bus on my way to work
  2. Reading comics and books
  3. Using Twitter and Facebook to keep up with people around me
  4. Skype to my parents in England
  5. Surfing the web in places where my laptop is too bulky

In checking out these behaviours, I’m implicitly comparing them to not only my own Windows Phone 7, but also my wife’s Kindle Fire.

Movies and TV shows

In common with many people, I have a lengthy commute – at least 40 minutes each way of which is on a bus, so I can happily watch videos. My comparison device in this use case is my Windows Phone – an HTC HD7 (I’d link to it, but apparently it’s not being sold any more).

The iPad is bulkier, for certain, and I can hold my phone in one hand comfortably for some time. However, making up for this is the fact that the iPad is a larger display and therefore easier to see at a comfortable distance. But watching on the phone isn’t bad either.

Syncing to the iPad is accomplished through Apple’s piss-poor iTunes software (of which, more later), which seems to require that my videos be already in a suitable format for the iPad. Syncing to the HD7 requires the Zune software, which is configured by default to convert video and audio in the background without any further assistance from me.

Note that – Zune converts the videos to the right format automatically when necessary, the iTunes software simply shrugs its shoulders like a Frenchman and refuses to cope.

Because of this, I can sync to the HD7 from more sources, and more easily and automatically than to the iPad.

However, the winning step that the iPad has for me comes from a combination of its viewing size, and the fact that it can play the audio from my videos to my Bluetooth headset, something that the HD7 currently does not. I have to use a Bluetooth dongle on the HD7 to hear my videos – and that’s not right, when I already paid for a phone with Bluetooth support.

It’s worth noting, however, that because the iPad seems to pretend to be a phone, I can’t have the appropriate level of Bluetooth support, allowing incoming phone calls to pause my video and let me answer the phone.

So, a narrow win for the iPad there. But keep reading. [Add Bluetooth support for video watching, and the Windows Phone will easily surpass the iPad]

Reading comics and books

Killer app, no doubt – the size and colours make the iPad superior for reading comics. For other books, you can’t really beat a Kindle, because it’s the size and shape of a book. The iPad does seem to suffer in daylight as well, not that we get much of that around Seattle – but we clearly get enough for this to be a noticeable problem for me.

The Kindle Fire is a more subtle device than the iPad in this use as well, since it doesn’t take up as much space. The battery life, as well as the use of standard charging cables (read: I already have dozens of the things, as opposed to having to look for the one wonky, too short cable that came with the iPad) makes the convenience factor that much greater.

However, I’ve even read my comics on the Windows Phone. It’s not that bad a format, because the display is so high a resolution.

Winner: Kindle Fire. Of course, I would say that. But since the Fire has no Bluetooth audio, I can’t use it on the bus as comfortably for my videos.

Using Twitter and Facebook

The iPad is certainly convenient for this, with free Twitter and Facebook apps, as well as a web browser to use the online versions. The iPad’s desire to keep pushing text further and further to the right of the screen, in ever-decreasing strips of window, make it incredibly difficult to read some items.

In comparison, while the Windows Phone does have a free Twitter and Facebook app, and access to the web, it doesn’t actually need any of these, because there are the “Me” and “People” tiles, through which you can read notices from all your social media sources (Twitter, Facebook, Linked-In, MSN Messenger in my case). This gives a more natural, integrated feel to the communication, and it feels more like I’m sharing with my friends than I’m using this or that app.

Winner: Windows Phone, hands down. [But it would be nice to have Bluetooth keyboard support]

Skype to the UK

OK, the iPad wins hands-down on this one. There’s a Skype app in beta for the Windows Phone, but my HD7 has only a rear-facing camera, and the Fire of course doesn’t have one.

Winner: iPad (but only because I have a 1st-gen Windows Phone)

Surfing the web

The iPad has no Flash support – but then nor does the Windows Phone.

The iPad uses a webkit-based browser, which comes with a fresh batch of security flaws once a month (as does iTunes). The Windows Phone comes with Internet Explorer – but without the same set of flaws that get patched in your regular Windows update. I strongly believe that the Windows Phone gives me the most secure browsing of any device that I have. But it is a little hard to read.

Winner: iPad

Sounds like we have a clear winner, then?

Yabbut no.

I got the iPad for free, so I have to bear in mind that for most people, they pay $500 to have it. It’s not that much better than the Windows Phone. I got the Windows Phone for practically free – one cent on Amazon Wireless, with a two year commitment. But then I was going to get a phone anyway, and the two year commitment is common for phones.

Irritations

As with every Apple product I have ever used, it seems like they skimped a little on the “fit and finish” of the software. This leads to small – but constant – irritations. There have been many times I’ve been tempted to throw it to the floor and stomp on it. So far, the iPad has survived largely because I know that if I want to get rid of it, there are numerous people who would happily take it from me. And then I settle down.

So, what are my irritations?

  1. User interface
  2. iTunes
  3. iTunes
  4. iTunes

User interface

There are some areas where it’s clear that the Apple design philosophy hasn’t been communicated well – even to writers of the native apps.

Delete an item

A clear example – how do you delete an item? In iBooks, you swipe to the right, which causes a delete button to appear. You press this button, and the item goes away. In Videos, you hold your finger on an item until a little “x” appears. You press the “x”, and are asked if you really want to delete the video. I guess videos are more important than books, that you have to be prompted.

I should say that this is how videos are supposed to be deleted. What actually happens is that you hold your finger on a video for a while. The “x” fails to appear, because you wiggled your finger a little (really common on a bus). So you let your finger up, and the video opens up. So you close it down again, and hold your finger on the video again. Now the “x” appears – albeit sometimes in a different place than you expect. So you press it. Damn, missed, because the bus must have hit a bump, so the “x” goes away. Bring it back! Bring it back! Okay, here it is again, so I can press it finally. And then I get asked if I’m sure. Am I sure? Am I sure? I’ve only spent the last ten minutes trying to get the damn “x” up on screen and hit it – of course I’m sure! And I remind myself not to throw the iPad to the floor and stomp on it.

Yes, I know about the “Edit” button, and that shortcuts one part of the process, but makes it more likely that you’ll accidentally delete the wrong video, because it puts an “x” above each one.

[A short note – the “x” appears in one of two places – either immediately on the top left corner, or a good half-inch above that. I can see no logic in why it does this.]

Detail view

In the Videos app, there are three kinds of video. “Movies”, “TV Shows”, and “iTunes U”. The “TV Shows” and “iTunes U” items all come from iTunes, so all the videos I put on my system end up in “Movies”, no matter what metadata I put on the file. Whereas I never metadata I didn’t like, iTunes clearly never metadata. For the iTunes U and TV Shows tabs, each item is listed with details – length, a title, and a description. This is great, although it would also be nice to see which ones I’m part-way through watching.

For the Movies tabs, however, there’s only two things showing – a thumbnail, which is the first frame of the movie (oh, and so often, that means it is plain black), and the curtailed title of the video. So, “Have I Got News for You: Series 42, Episode 5” is displayed as “Have I Got News for You:…” – as is every episode of every series of that show. Same thing for “The Sarah Jane Adventures…”, or “Who Do You Think You Are…” Yeah, the BBC could choose shorter titles, but the iPad could pay attention to the Subtitle field in the metadata for the episode information. Oh, yeah, that’s right, metadata is to be ignored.

And there’s no details on the video – no duration, no description, no indication of whether or not I’ve been watching this video file at all. I’d like to say “hey, this component of my bus ride is going to take another twenty-five minutes, so I’d like to watch something that length or shorter”.

Notifications – or scrubbing

When watching a video, you can ‘scrub’ through it by dragging a little slider at the top of the screen. Except when the slider is near the middle of the top of the screen, because then you’re going to actually be pulling down the notifications window. If anyone writing this software actually used an iPad, they’d be experiencing this frustration, and it would have been fixed by now.

Back, back, back – no, store!

To go backward in the user interface of an app, you click the button in the top left. Except that sometimes, the button in the top left takes you somewhere else, like the iTunes store.

Delete doesn’t actually free up space

You can delete videos all you like, bus joggling allowing, and when you’re done, your storage usage hasn’t gone down at all. There is no room for more videos. This one confused me for some time, until I remembered that you never actually close apps when you switch between them. The storage is released, not when you delete the movie, but when you close the app.

That would make sense, if you could actually undelete the movie while the videos app runs, but no. That doesn’t happen.

And on and on…

I could carry on, but I just get angrier and angrier. The difference between editing the list of apps you can run, versus editing the list of apps currently running, for instance. One is dismissed by a tap, the other requires that you hit the home button, and I can’t remember which one.

iTunes

So, the first complaint I have about iTunes is the one I have made from the beginning – it includes way too much, and it screws up my system way too badly. What do you get when you install iTunes?

Well, first you get a file called “iTunes64Setup.exe”. This installs iTunes into “C:\Program Files (x86)” – uh, yeah, that means the “64 bit” version of iTunes is actually all 32-bit. Then it tells you:

SNAGHTML1f848dc

The wha?

What does iTunes have to do with Outlook? That’s crazy.

And then, what does it install? Only another four applications.

SNAGHTML76b36b0

iTunes

When syncing videos to the iPad with the Windows version of iTunes, they are synced with at least one default setting not correctly set.

That’d be fine if it was an unimportant setting, but no. The setting is “resume from where I left off”. That means that every time I switch videos, or close the video application (see previous discussion of why I need to do this to recover storage), the video I want to watch starts again from scratch.

There is a simple fix to this – for every video I upload to the iPad, I have to go into iTunes, select the video, right-click it, select “Get Info”, open the “Options” tab, uncheck the box that says “Remember Playback Position” (or if I selected multiple videos, set to “No” the drop-down arrow labeled “Remember Position”), hit “OK” (there is no “Apply”), wait for this action to sync to the iPad, then right-click the video(s) again, select “Get Info”, open the “Options” tab, and then recheck the box (or set the drop-down box to “Yes”), hit “OK” and sync once again.

iTunes

For weeks I’ve been complaining that every USB device on my system has been unreliable – I have to plug and unplug simple USB flash drives a half dozen times before they finally get recognised in Explorer.

Then it finally dawned on me.

One device has been steadfastly reliable, always becoming active and ready to use within seconds of plugging it in. Yes, it’s the iPad.

Acting on this hunch, I removed iTunes, Apple Mobile Device Support, Apple Application Support, Apple Software Update, Bonjour, and even QuickTime (not sure how that got on there). Suddenly all my USB devices connect first time, every time. With the exception of the iPad, of course, which sulks if it doesn’t have iTunes (though the same charge can be leveled against my Windows Phone requiring Zune – although that hasn’t yet caused all my other USB devices to become unavailable).

Adding iTunes back in to the mix, strangely, has yet to reproduce the same unreliable behaviour. I strongly distrust software acting randomly.

If I could just drag my videos into a folder using Explorer without installing iTunes (since iTunes doesn’t actually properly do any of the other things that an intermediate program should do, such as converting video formats, extracting and using metadata, or setting the “resume from where you left off” option), I’d be happy without iTunes on my PC at all.

And other reasons…

There are other reasons not to like the iPad – it’s too trendy, for one; and it’s not really a $500 product. There are, as I point out above, too many areas where it’s clear that the developers have not finished the job.

I use the iPad simply because it’s free, and has a large display.

I’d far rather use a tablet that works in a more predictable and controlled manner, where the applications on the device and to sync the device have the flavour of being finished.

But I didn’t get one of those for free.

I got an iPad.

And I’m grateful.

Even if, once in a while, I want to dash it to the floor and stomp it into pieces.

Multiple CA0053 errors with Visual Studio 11 Beta

I hate it when the Internet doesn’t know the answer – and doesn’t even have the question – to a problem I’m experiencing.

Because it was released during the MVP Summit, I was able to download the Visual Studio 11 Beta and run it on a VS2010 project.

There’s no “conversion wizard”, which bodes well, because it suggests that I will be able to use this project in either environment (Visual Studio 2010 or the new VS11 beta) without any problems. And certainly, the project I selected to try worked just fine in Visual Studio 11 and when I switched back to Visual Studio 2010.

Unfortunately, one of the things that I noticed when building my project is that the code analysis phase crapped out with fourteen instances of the CA0053 error:

imageAs you can see, this is all about being unable to load rule assemblies from the previous version of Visual Studio – and is more than likely related to me installing the x64 version of Visual Studio 11 Beta, which therefore can’t load the 32-bit (x86) DLLs from Visual Studio 2010.

Curiously this problem only exists on one of the projects in my multi-project solution, and of course I couldn’t find anywhere in the user interface to reset this path.

I thought for a moment I had hit on something when I checked the project’s options, and found the Code Analysis tab, but it didn’t seem to matter what I did to change the rule set, there was no place to select the path to that rule set.

Then I decided to go searching for the path in the source tree.

There it was, in the project’s “.csproj” file – two entries in the XML file, CodeAnalysisRuleSetDirectories and CodeAnalysisRuleDirectories. These consisted of the simple text:

<CodeAnalysisRuleSetDirectories>;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Static Analysis Tools\\Rule Sets</CodeAnalysisRuleSetDirectories>

<CodeAnalysisRuleDirectories>;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Static Analysis Tools\FxCop\\Rules</CodeAnalysisRuleDirectories>

As you can imagine, I wouldn’t normally suggest editing files by hand that the interface normally takes care of for you, but it’s clear that in this case, the interface wasn’t helping.

So, I just closed all currently open copies of Visual Studio (all versions), and edited the file in notepad. I kept the entries themselves, but deleted the paths:

<CodeAnalysisRuleSetDirectories></CodeAnalysisRuleSetDirectories>

<CodeAnalysisRuleDirectories></CodeAnalysisRuleDirectories>

Errors gone; problem solved.

You’re welcome, Internet.

MVP news

My MVP award expires on March 31

So, I've submitted my information for re-awarding as an MVP - we'll see whether I've done enough this year to warrant being admitted again into the MVP ranks.

MVP Summit

Next week is the MVP Summit, where I visit Microsoft in Bellevue and Redmond for a week of brainwashing and meet-n-greet. I joke about this being a bit of a junket, but in reality, I get more information out of this than from most of the other conferences I've attended - perhaps mostly because the content is so tightly targeted.

That's not always the case, of course - sometimes you're scheduled to hear a talk that you've already heard three different times this year, but for those occasions, my advice would be to find another one that's going on at the same time that you do want to hear. Talk to other MVPs not in your speciality, and find out what they're attending. If you feel like you really want to get approval, ask your MVP lead if it's OK to switch to the other session.

Very rarely a talk will be so strictly NDA-related that you will be blocked from entering, but not often.

Oh, and trade swag with other MVPs. Very frequently your fellow MVPs will be willing to trade swag that they got for their speciality for yours - or across regions. Make friends and talk to people - and don't assume that the 'industry luminaries' aren't willing to talk to you.

Featured TechNet Wiki article

Also this week, comes news that I've been recognised for authoring the TechNet Wiki article of the Week, for my post on Microsoft's excellent Elevation of Privilege Threat Modeling card game. Since that post was made two years ago, I've used the deck in a number of environments and with a few different game styles, but the goal each time has remained the same, and been successfully met - to make developers think about the threats that their application designs are subject to, without having to have those developers be security experts or have any significant experience of security issues.

In June: Happy Birthday to me–World IPv6 Launch Day

I’d like to thank ISOC (the Internet Society) for making my birthday later this year into World IPv6 Launch Day.

This year is a special one for anniversaries – my 45th birthday, 20 years since I arrived in the USA, 10 years since beating cancer – seems like the perfect time for ISOC to honour me by switching everyone to IPv6.

Now, if only I could persuade Comcast to deliver IPv6 to my house, where we are still using Hurricane Electric’s Tunnel Broker.

Changing passwords on a service, part 3

It’s been quite some time since I wrote about changing passwords on a Windows service, and then provided a simple tool written in Visual Basic to propagate a password among several systems sharing the same account.

I hinted at the time that this was a relatively naïve approach, and that the requirement to bring all the services down at the same time is perhaps not what you want to do.

So now it’s finally time for me to provide a couple of notes about how this operation could be done better.

1. If you can’t afford an outage, don’t have a single point of failure

One complaint I have heard at numerous organisations is this one, or words to this effect:

“We can’t afford to cycle the service on a password rotation once every quarter, because the service has to be up twenty-four hours a day, every day.”

That’s the sort of thing that makes novice service owners feel really important, because their service is, of course, the most valuable thing in their world, and sure enough, they may lose a little in the way of business while the service is down.

So how do you update the service when the software or OS needs patching? How do you fix bugs in your service? What happens when you have to take it down because the password has escaped your grasp? [See my previous post on rotating passwords as a kind of “Business Continuity Drill”, so that you know you can rotate the password in an emergency]

All of these activities require stopping and cycling the service.

Modern computer engineering practices have taken this into consideration, and the simplest solution is to have a ‘failover’ service – when the primary instance of the service is taken offline, the secondary instance starts up and takes over providing service. Then when the primary comes back online, the secondary can go back into slumber.

This is often extended to the idea of having a ‘pool’ of services, all running all the time, and only taking out one instance at a time as you need to make changes, bringing the instance back into operation when the change is complete.

Woah – heady stuff, Mr Jones!

Sure, but in the world of enterprise computing, this is basic scaling, and if your systems of applications can’t be managed this way, you will have problems as you reach large scale.

So, a single instance of a service that you can’t afford to go offline – is a failure from the start, and an indication that you didn’t think the design through.

2. Old passwords and new passwords are both valid – for a while

OK, so that sounds like heresy – if you’ve changed the password on an account, it shouldn’t be possible for the old password to work any more, should it?

Well, yes and no.

Again, in an enterprise world, you have to consider scale.

Changing the password on an account isn’t an instantaneous operation. That password change has to be distributed among the authentication servers you use (in the Windows world, this means domain controllers replicating new password information).

To account for this, and the prospect that you may have a process running that didn’t yet have a chance to pick up the new password, most authentication schemes allow tokens and/or passwords to be valid for some period after a password change.

By default, NTLM tokens are valid for an hour, and Kerberos tickets are valid for ten hours.

This means that if you have a pool or fleet of services whose passwords need to change, you can generally take the simple process of iteratively stopping them, propagating the new password to them, and then re-starting them, without the prospect of killing the overall service that you’re providing (sure, you’ll kill any connections that are specifically tied to that one service instance, but there are other ways to handle that).

3. Even if you don’t trust that, there’s help – use two accounts

Interesting, but I can’t afford the risk that I change the password just before my token / ticket is going to expire.

Very precious of you, I’m sure.

OK, you might have a valid concern that the service startup might not be as robust as you hoped, and that you want to ensure you test the new startup of the service before allowing it to proceed and provide live service.

That’s very ‘enterprise scale’, too. There’s nothing worse than taking down a dozen servers only to find that they won’t start up again, because the startup code requires that they talk to a remote service which is currently down.

You wouldn’t believe how many systems I’ve seen where the running service is working fine, but no more can be started up because startup conditions for the service cannot  be replicated any longer.

So, to allow for the prospect that you may fail on restarting your services, here’s what I want you to do:

  1. Start with a large(-ish) pool of services. [See “no single point of failure” above]
  2. All of your services are running as one user account. Create another user account, with the same rights and privileges. Make sure that access rights are provided to the group that these accounts are a member of, rather than to individual accounts.
  3. Wind down one of the services, and shut it down.
  4. Change the downed service to use the second account you just created.
  5. Start up the downed service.
  6. Monitor this newly started service to make sure it starts up successfully and is providing correct service. (Yes, this means that you have the ability to roll-back if something goes wrong)
  7. Repeat steps 3 – 6 with each of the other services in the pool in turn, until all are using the second account.
  8. De-activate / disable logon to the old user account. Do not delete it.

As you can probably imagine, when you next do this process, you don’t need to create the second user account for the server, because the first account is already there, but disabled. You can use this as the account to switch to.

This way, with the two accounts, every time a password change is required, you can just follow the steps above, and not worry.

You should be able to merge this process into your standard patching process, because the two follow similar routines – bring a service down, make a change, bring it up, check it for continued function, go to the next service, continue until all services are done.

No excuses

So, with those techniques under your belt – and the necessary design and deployment practices to put them into place – you should be able to handle all requests to rotate passwords, as well as to handle patching of your service while it is live.

Sorry that this doesn’t come with a script to execute this behaviour, but there are some things I’m hoping you’ll be able to do for yourselves here, and the bulk of the process is specific to your environment – since it’s mostly about testing to ensure that the service is correctly functioning.

What else I did at Black Hat / DefCon–the Core DataMatrix Contest

Black Hat, and its associated sideshow, DefCon, consists of a number of different components. Training, Briefings, Exhibition and Contests, all make up part of Black Hat, and DefCon is a looser collection of Workshops, Events, Parties, Talks, Villages, Contests and numerous other things besides(*).

Perhaps the thing that gave me the most fun this year was the contest that I entered at Black Hat and at DefCon. The contest was run by Core Labs, a part of Core Security Technologies, and featured the theme of reverse engineering.

Reverse Engineering is the skill of looking at someone else’s code – in source code or binary form – and figuring out what the code does, and more importantly, how best to make it do what you want. This often involves exceeding the original design specifications – which is perhaps the simplest and most inclusive definition of “hacking”.

In the DataMatrix contest, the code (or at least, a portion of it) is given to you in source form, in C#. You are told that this code is running as part of a server, and you are given access to the server in the form of two webcams and an output screen. The output screen displays a score sheet, the views from each webcam, and a ‘debug’ output window. I’ve lost the link to the Black Hat version of the code, but here’s the DefCon code.

The webcams are the only form of input to the server that are available to the contestants. Each contestant is given a DataMatrix containing their activation code. This is a bitmap (kind of like a two-dimensional barcode) with some “registration” values around the edge, and squares either black or white in the middle.

And that’s it – that’s all the help you get.

But then, that’s probably all the help you’ll need.

The first challenges

The first challenges are relatively easy. First, you activate your userid by showing the webcam your initial card, and then you see there’s a function called “process_activate” – that sounds like it’s the function that was used to activate your card.

It’s fairly simple to see that this must use the single byte command (in the “cmd” variable) “1”, along with your two byte userid and four byte password, to register you in the system as an active user. It also increases a user-specific value, “score”. To make this easy to understand, we’ll call this “scoring a point”.

Then you see a function “process_free” – from the code, this is clearly a free point. All you need is a command “10”, and your userid, to score a point.

Another function, “process_pieceofcake”, is almost as easy. Command 11, and your userid, plus another four bytes which are simply the two’s-complement of your userid. Easy. In fact, in the Black Hat version, this was even easier, if I remember correctly, but I don’t have the code handy.

“process_name” is clearly one to call early on, because it gets you the bragging rights of putting your own name in the high score table. Plus, it gives you five points more. Pretty good, huh? By now you should have eight points.

Some more interesting challenges

“process_regalo” took my interest next, since it talks about a “gift_list”. Regalo is, apparently, Spanish for “gift”. This one’s strange, because the process has some activity even when the command code isn’t the code expected.

So, I took a look at what that path does. Checks four bytes for the user’s password, and if the “data_regalos” value for this user is less than 10, increments it, and then assigns an extra point to a randomly selected member of the gift list.

Having figured that out, I realised that the quicker I get on the gift list, the quicker I start racking up the points. So, I solved the little coding conundrum (did you figure that one out yourself?) in the other path of process_regalo, and added myself to the gift list.

Five times.

Yeah, five times – did you spot that in the code?

“process_fabe” and “process_fabe13” – those were a little harder. You have to not only crack an MD5 hash (not difficult, but hard), but in the “fabe13” case, figure out what the appropriate “encode” is for the “decode” function. [ROT13, if you didn’t get it]

“process_enqueue” – nasty, this one sends a message to an email address at mailinator.com that you have to figure out for yourself. I still haven’t figured it out. So, I also haven’t got the points from “process_claimMessage”.

“process_sync” was one function where I knew I had an advantage. It requires the use of a .NET Random function, and because I spend a fair amount of my development time in .NET, I knew that I could use my own system to figure out what times the sync function was expecting me at. Occasionally, the webcams weren’t reading my cards quickly enough, but that’s OK. I didn’t necessarily need a whole lot of those points.

Ladies and Gentlemen, we have a winner!

So, as you’ve probably guessed by now, using these functions I managed to rack up quite a number of points, and as it happened, I conquered the Black Hat competition. 60 points to me, 27 to my nearest opponent.

As a result of this, I am now the proud owner of an iPad. Yes, I know, all those things I’ve always said about Apple, and here I am, walking away from a competition with an iPad 2. The irony is almost unbearable. I’ll tell you later what I think of the iPad.

Then comes DefCon

DefCon started out much the same – I was streaking ahead of the competition, largely because the contest was better attended, and I’d already got my foot into the gift_list early on.

Then I saw the part of the server code that was new – it allowed you to write a limited form of program to execute on the server, that would randomly add points to your score. I entered that, and sure enough, I got a pile of points very quickly – about twice as many as I had at Black Hat.

I thought that meant I was going to win the prize.

Sadly, I hadn’t taken into consideration that this was DefCon. The people there are sometimes more devious (though there are also an awful lot of wannabes).

Sure enough, two of my competitors executed the portion of code that allowed them to dump out the list of executing code, as well as to remove the code sample I had submitted. That way, they could copy my code in order to give themselves points, and remove my ability to add points.

In a way, I almost felt like this was kind of cheating – what, they couldn’t write their own code? But, realistically, this was simply a part of the challenge – if I had been as good at reverse engineering as I felt I was, and a little less cocky, I would have spotted this functionality and taken advantage of the means with which to prevent it.

As it was, I came in third, and won a t-shirt. But the joy of winning the Black Hat contest is still something I’m proud of, and grateful to Core for letting me play their games.

NCSAM 2011–Post 21–Failure is always an option

For my last post in the National Cyber Security Awareness Month, I’d like to expound on an important maxim for security.

Failure is always an option – and sometimes the best

If you can’t handle a customer’s credit card in a secure fashion, you shouldn’t be handling the customer’s credit card.

If a process is too slow when you add the necessary security, the process was always too slow, and can not yet be done effectively by modern computers (or the computers you’re using).

If you enable a new convenience feature, and the rate of security failures increases as a result, the convenience is more to the hackers than to the users, and the feature should be removed or revisited.

Accept your own failures and deal with them

Sometimes there’s nothing to do but to say “Oops, that didn’t work”. Find something else that does.

If you’re writing software code, expect to encounter failing conditions – disk full, network unresponsive, keyboard stuck, database corrupt, power outage – all these are far more common than software developers anticipate.

Failure is not the exception, it is a part of life in an uncertain universe.

Handle other people’s failures gracefully

Other people will fail you.

This is not always their intent, nor is it necessarily something that they will recognise. Do not punish unintentional failure as if it was an intentional insult. Educate, where possible, redirect otherwise.

Where failure is intentional, be firm and decisive. Do not allow deliberate failure to continue unhindered.

Failure is always a necessary part of innovation

Innovation is doing that which has never been done before.

As a result, no one knows how to do it correctly. You will fail, a lot. If you are always right, it is because you are doing something that you already know.

Because failure is ubiquitous, look for it everywhere

Part of being a security expert is the ability to see where people, process and technology are likely to fail, and how someone might take advantage of that, or cause you disadvantage.

Turn “I can’t imagine how that might fail” into “I can see seven different ways this could screw up, and I’ve got plans for eight of them”.

And yes, I failed to finish writing this in National Cyber Security Awareness Month.

NCSAM/2011–Post 20–Is SSL broken?

It seems like a strange question for me to ask, given that in a number of my National Cyber Security Awareness Month posts to date, I have been advising you to use SSL or TLS to protect your communications. [Remember: TLS is the new name for SSL, but most people refer to it still as SSL, so I will do the same below]

But it’s a question I get asked on a fairly regular basis, largely as a result of news articles noting that there has been some new attack or other on SSL that breaks it in some way.

To be fair, I’m not sure that I would expect a journalist – even a technology journalist – to understand SSL in such a way that they could give a good idea as to how broken it may or may not be after each successful attack. That means that the only information they’re able to rely on is the statement given to them by the flaw’s discoverers. And who’s going to go to the press and say “we’ve found a slight theoretical flaw in SSL, probably not much, but thought you ought to know”?

The good news

First, the good news.

SSL is a protocol framework around cryptographic operations. That means that, rather than describing a particular set of cryptography that can’t be extended, it describes how to describe cryptography to be used, so that it can be extended when new algorithms come along.

So, when a new algorithm arrives, or a new way of using an existing algorithm (how can you tell the difference?), SSL can be updated to describe that.

So, in a sense, SSL will never be broken for long, and can always be extended to fix issues as they are detected.

Now for the bad news

Of course, SSL is really only a specification, and it has to be implemented before it can actually be used. That means that when SSL is updated to fix flaws, theoretical or practical, every implementation has to be changed to catch up to the new version.

And implementers don’t like to change their code once they have it working.

So when a new theoretical flaw comes along, the SSL designers update the way SSL works, increasing the version number when they have to.

The implementers, on the other hand, tend to wait until there is a practical flaw before updating to support the new version.

This means that whenever a practical break is found, you can bet it will be at least several weeks before you can see it fixed in the versions you actually use.

In moderation

The presence of SSL assumes that your communications may be monitored, intercepted and altered. As such, don’t ever rely on a statement to the effect that “this breach of SSL is difficult to exploit, because you would have to get between the victim and his chosen site”. If that wasn’t possible, we wouldn’t need SSL in the first place.

Having said that, on a wired network, you are less likely to see interception of the type that SSL is designed to prevent. As such, even a broken SSL on wired networks is probably secure for the time it takes everyone to catch up to fixing their flaws.

On a wireless network, any flaws in SSL are significant – but as I’ve noted before, if you connect immediately to a trusted VPN, your wireless surfing is significantly safer, pretty much to the same level as you have on your home wired network.

The bottom line

In summary then:

SSL is frequently, and in some senses never, broken. There are frequently attacks, both theoretical and physical, on the SSL framework. Theoretical attacks are fixed in the specifications, often before they become practical. Practical attacks are fixed in implementations, generally by adopting the tack that had been suggested in the specifications while the attack was still theoretical. At each stage, the protocol that prevents the attack is still SSL (or these days, strictly, TLS), but it requires you keep your computers up to date with patches as they come out, and enable new versions of SSL as they are made available.

If you’re on a wired network, the chances of your being attacked are pretty slim. If you’re on a wireless network, your chances of being attacked are high, so make sure you are using SSL or an equivalent protocol, and for extra protection, use a VPN to connect a trusted wired network.

More Posts « Previous page - Next page »