14. September 2010 · Twitter’s flawed OAuth implementation · Categories: Authentication

I meant to post this last week. Ryan Paul at ars technica wrote an important article detailing the flaws in Twitter’s implementation of OAuth. This is serious because OAuth is now the only method for “users to grant a third-party application access to their account without having to provide that application with their credentials.” He also details the flaws of OAuth 1.0a, but holds out hope for OAuth 2.0, which the IETF is currently working on. Let’s hope they get it right this time.

Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter’s OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter’s very own official client application for Android.

The article goes on to trash OAuth 1.0a as well:

…OAuth 1.0a is a horrible solution to a very difficult problem. It works acceptably well for server-to-server authentication, but there are far too many unresolved issues in the current specification for it to be used as-is on a widespread basis for desktop applications. It’s simply not mature enough yet.

There is hope though:

I think that OAuth 2.0—the next version of the standard—will address many of the problems and will make it safer and more suitable for adoption. The current IETF version of the 2.0 draft still requires a lot of work, however. It still doesn’t really provide guidance on how to handle consumer secret keys for desktop applications, for example. In light of the heavy involvement in the draft process by Facebook’s David Recordon, I’m really hopeful that the official standard will adopt Facebook’s sane and reasonable approach to that problem.

Finally:

Although I think that OAuth is salvageable and may eventually live up to the hype, my opinion of Twitter is less positive. The service seriously botched its OAuth implementation and demonstrated, yet again, that it lacks the engineering competence that is needed to reliably operate its service. Twitter should review the OAuth standard and take a close look at how Google and Facebook are using OAuth for guidance about the proper approach.

13. September 2010 · Consumerization and Corporate IT Security · Categories: FireEye, Malware, Next Generation Firewall, Palo Alto Networks

Bruce Schneier’s article last week, Consumerization and Corporate IT Security, postulates that IT security has no choice but to loosen control in response to the consumerization of IT. In other words, corporate use of consumer IT products cannot be controlled by IT Security.

Here at Cymbel, we became aware of this issue back in 2007 and began searching for solutions. There is no doubt that corporate employees must be allowed to take advantage of Web 2.0 applications and social networking. However, the enterprise can surely do this in a controlled manner and provide protection against the risks of using these applications.

Here are four solutions we offer to corporate IT Security to protect the organization while enabling the use of consumer IT products:

Palo Alto Networks provides a next generation firewall designed and built from the ground up to enable controlled use of Web 2.0 applications and social networking and protection against web-based malware. In the last 18 months, they’ve grown from 200 customers to 2,000 and they are now cash-flow positive. I would expect an IPO in the next 12-18 months.

FireEye provides protection against web-based zero-day and unknown threats using heuristics rather than signatures. It minimizes false positives by using VMware-based sandboxes on its appliances to run suspicious executables prior to alerting.

NexTier Networks is the first Data Loss Prevention system that uses semantics to classify documents rather than traditional fingerprinting. Therefore it can protect intellectual property as well as structured data against malicious exfiltration attempts without massive pre-scanning or pre-tagging.

Zscaler provides cloud-based proxy services for protecting against web and email-based malware without having to deploy any premises equipment. This is especially suitable for organizations with many small locations. Zscaler also provides a lightweight agent for traveling users so their web and email traffic is also routed through their cloud-based service.

In addition, we recommend Sentrigo, a database protection solution, as another layer of our next generation defense-in-depth architecture focused on applications, users, and information.

05. September 2010 · Ping drowning in scams and spam · Categories: Fraud

Via NetworkWorld, Sophos is reporting that Ping, Apple’s new social network add-on to iTunes, is “drowning in scams and spam.” Sophos says, “Apple has not implemented any form of automated spam or URL filtering in Ping,” although they do appear to be filtering profile photos for obscenity and copyright infringement.

This comes on top of other generally negative reviews of Ping:

  • Can Ping be saved?
  • Apple’s Ping is a big pile of steaming dung
  • Ping is neither social, nor is it a network. Discuss.

The biggest issue seems to be lack of integration with Facebook.

05. September 2010 · Mitre releases log standards architecture – Common Event Expression (CEE) · Categories: Log Management, Security-Compliance

Finally, on August 27, 2010, Mitre’s log standard, the Common Event Expression Architecture Overview, was released. The goal of CEE is to standardize event logs to simplify collection, correlation, and reporting, which will drive down the costs of implementing and operating Log Management controls and improve audit and event analysis.

At present there are no accepted log standards. Each commercial application and security product implements logs in a proprietary way. In addition, the most commonly used log transport protocol, syslog, is unreliable since it’s usually implemented on UDP. The custom application environment is even worse as there are no accepted standards to guide application developers’ implementation of logs for audit and event management.

Why after ten years of log management efforts are there still no standards? In my opinion, it’s because government agencies and enterprises have not recognized that they are indirectly bearing the costs of the lack of standardization. Now that log management has become mandatory for compliance and strongly recommended for effective cyber defense, organizations will realize the need for log standardization. Initially, it’s going to be up to the Federal Government and large enterprises to force CEE compatibility as a requirement of purchase in order to get product manufacturers to adhere to CEE. The log management vendors will embrace CEE once they see product manufacturers using it.

Here is the Common Event Expression Architecture Overview (CEE AO) Abstract:

This Common Event Expression (CEE) Architecture defines the structure and components that comprise the CEE event log standard. This architecture was developed by MITRE, in collaboration with industry and government, and builds upon the Common Event Expression Whitepaper [1]. This document defines the CEE Architecture for an open, practical, and industry-accepted event log standard. This document provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components including the data dictionary, syntax encodings, event taxonomies, and profiles. The CEE Architecture is the first in a collection of documents and specifications, whose combination provides the necessary pieces to create the complete CEE event log standard.
KEYWORDS: CEE, Logs, Event Logs, Audit Logs, Log Analysis, Log Management, SIEM

There are four components of the CEE Architecture – CEE Dictionary and Taxonomy (CDET), Common Log Syntax (CLS), Common Log Transport (CLT), and Common Event Log Recommendations (CELR).
  • Common Log Syntax (CLS) – how the event and event data is represented. The event syntax is what an event producer writes and what an event consumer processes.
  • CEE Dictionary – defines a collection of event fields and value types that can be used within event records to specify the values of an event property associated with a specific event instance.
  • CEE Taxonomy – defines a collection of “tags” that can be used to categorize events. Its goal is to provide a common vocabulary, through sets of tags, to help classify and relate records that pertain to similar types of events.
  • Common Event Log Recommendations (CELR) – provides recommendations to developers and implementers of applications or systems as to which events and fields should be recorded in certain situations and what log messages should be recorded for various circumstances. CELR provides this guidance in the form of a machine-readable profile. The CELR also defines a function – a group of event structures that comprise a certain capability. For example, a “firewall” function can be defined consisting of “connection allow” and “connection block” event structures. Similarly, an “authentication management” function can be composed of “account logon,” “account logoff,” “session started,” and “session stopped.”
  • Common Log Transport (CLT) – provides the technical support necessary for an improved log transport framework. A good framework requires more than just standardized event records; support is also needed for international string encodings, standardized event record interfaces, and reliable, verifiable log trails. In addition to the application support, the CLT event streams supplement the CLS event record encodings to allow systems to share event records securely and reliably.
The CEE Architecture Overview document also defines the CEE “product” approval management process and four levels of CEE conformance.
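To make the relationship between the components concrete, here is an added toy model (not MITRE’s code and not any published CEE encoding) in which a Dictionary fixes field types, a Taxonomy fixes the tag vocabulary, and a CELR “firewall” profile like the one described above decides which fields a “connection block” record must carry. The field names, tags, types and the hashtable record format are all assumptions for illustration.

```powershell
# Added illustration, not MITRE's code: a toy of how the CEE Dictionary,
# Taxonomy and a CELR "firewall" profile would constrain an event record.
# Field names, types, tags and the hashtable encoding are assumptions;
# CEE's real syntax encodings are not described on this page.

# Dictionary: allowed field names and the value type each must carry
$CeeDictionary = @{
    time     = [datetime]
    src_ip   = [ipaddress]
    dst_ip   = [ipaddress]
    dst_port = [int]
    proto    = [string]
}

# Taxonomy: the controlled tag vocabulary
$CeeTaxonomy = @('connection', 'allow', 'block', 'logon', 'logoff')

# CELR profile for the "firewall" function: each event structure names
# its tag set and the fields it requires
$FirewallProfile = @{
    'connection allow' = @{ tags = @('connection', 'allow'); fields = @('time', 'src_ip', 'dst_ip', 'dst_port', 'proto') }
    'connection block' = @{ tags = @('connection', 'block'); fields = @('time', 'src_ip', 'dst_ip', 'dst_port', 'proto') }
}

function Test-CeeRecord {
    param([hashtable]$Record, [hashtable]$Profile)
    $problems = @()
    # Dictionary conformance: every field known, every value of its declared type
    foreach ($name in $Record.fields.Keys) {
        if (-not $CeeDictionary.ContainsKey($name)) {
            $problems += "unknown field '$name'"
        } elseif ($Record.fields[$name] -isnot $CeeDictionary[$name]) {
            $problems += "field '$name' must be $($CeeDictionary[$name].Name)"
        }
    }
    # Taxonomy conformance: only tags from the vocabulary
    foreach ($tag in $Record.tags) {
        if ($CeeTaxonomy -notcontains $tag) { $problems += "unknown tag '$tag'" }
    }
    # Profile conformance: the tag set must select exactly one event structure,
    # and that structure's required fields must all be present
    $match = $Profile.GetEnumerator() |
        Where-Object { -not (Compare-Object $_.Value.tags $Record.tags) } |
        Select-Object -First 1
    if (-not $match) {
        $problems += 'tags select no event structure in the profile'
    } else {
        foreach ($req in $match.Value.fields) {
            if (-not $Record.fields.ContainsKey($req)) { $problems += "'$($match.Key)' requires field '$req'" }
        }
    }
    [pscustomobject]@{ Structure = $match.Key; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: a blocked inbound SSH connection, with dst_port
# deliberately given as a string so the dictionary type check fires
$sample = @{
    tags   = @('connection', 'block')
    fields = @{ time = Get-Date; src_ip = [ipaddress]'203.0.113.7'; dst_ip = [ipaddress]'10.0.0.5'; dst_port = '22'; proto = 'tcp' }
}
Test-CeeRecord -Record $sample -Profile $FirewallProfile
```

Running it reports the record as matching the “connection block” structure but invalid, with the single problem that dst_port must be Int32; changing the value to the integer 22 makes it valid.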

CEE holds the promise of driving down the costs of implementing Log Management systems and improving the quality of audit and event analysis. However, there is still much work to be done, for example in defining Taxonomies and in defining and testing interoperability at the Transport and Syntax levels.

Mitre has had mixed results over the years in its efforts to standardize security processes. CVE (Common Vulnerabilities and Exposures) has been its biggest success, as virtually all vulnerability publishers use CVE numbers. CEE is much more ambitious, though, and will require more money and resources than Mitre is accustomed to having at its disposal.

28. August 2010 · Windows DLL exploits boom – how to thwart them · Categories: Boundary Defense, FireEye, Zero-day

On August 23, 2010, Microsoft issued Security Advisory 2269637, warning about a new method of attack based on the standard way Windows finds a DLL called by a program when the program does not specifically define the location. InfoWorld’s Woody Leonhard, among others, had an article about this on August 24 – Heads Up: A whole new class of zero-day Windows vulnerabilities looms.

In a matter of days, hackers were publishing attacks against many Windows apps including Firefox, Chrome, Word, and Photoshop. See Windows DLL exploits boom (August 26).

This is just one example of the speed with which zero-day attacks can proliferate. This is a particularly bad situation because just one Windows vulnerability is being used to create a large number of zero-day attacks across a wide range of applications. We recommend organizations deploy FireEye to counter these zero-day attacks.

From an end user perspective, on August 27, Woody Leonhard published a helpful article, How to thwart the new DLL attacks. To summarize, Woody has two excellent recommendations for users:

First, never double-click on a file that’s in a potentially compromised location. Drag it to your desktop, then open it.

Second, make Windows show you filename extensions and hidden files.
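As an added example (not from Woody’s article or Microsoft), the script below applies his second recommendation through the Explorer registry values that control extension and hidden-file display, and reports whether the machine has the CWDIllegalInDllSearch search-order switch that Microsoft shipped in the update accompanying the advisory; that value, its location and its meanings are stated here from the companion KB article, not from this post, so treat them as assumptions to verify against Microsoft’s documentation.

```powershell
# Added example, not from the article: audit and harden the two Explorer
# settings Woody recommends, and report the DLL search-order mitigation state.
# The CWDIllegalInDllSearch value is assumed from Microsoft's companion KB
# update to advisory 2269637; confirm the current semantics before relying on it.

$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$SessionManager   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllHijackPosture {
    # Read the per-user Explorer view settings and the system-wide search-order switch
    $adv = Get-ItemProperty -Path $ExplorerAdvanced
    $cwd = (Get-ItemProperty -Path $SessionManager -Name CWDIllegalInDllSearch `
                -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    [pscustomobject]@{
        ExtensionsShown  = ($adv.HideFileExt -eq 0)   # 0 = show extensions
        HiddenFilesShown = ($adv.Hidden -eq 1)        # 1 = show hidden files, 2 = hide
        # Assumed meanings: not set = default search order (current directory is
        # searched); 1 = no DLL loads from a WebDAV current directory;
        # 2 = none from remote shares or WebDAV; 0xFFFFFFFF = current directory
        # removed from the search path entirely
        CwdDllMitigation = if ($null -eq $cwd) { 'not set (default search order)' } else { '0x{0:X8}' -f $cwd }
    }
}

function Enable-ExplorerVisibility {
    param([switch]$RestartExplorer)
    # Show extensions so a second extension cannot hide behind a document icon,
    # and show hidden files so a DLL dropped next to a document is visible
    Set-ItemProperty -Path $ExplorerAdvanced -Name HideFileExt -Value 0 -Type DWord
    Set-ItemProperty -Path $ExplorerAdvanced -Name Hidden -Value 1 -Type DWord
    # Explorer only re-reads these values when it restarts
    if ($RestartExplorer) { Stop-Process -Name explorer -Force }
}

Get-DllHijackPosture
Enable-ExplorerVisibility -RestartExplorer
Get-DllHijackPosture
```

Running the audit twice around the change shows ExtensionsShown and HiddenFilesShown flipping to True, while CwdDllMitigation reports whatever the system-wide switch is set to, since the script deliberately only reads that value.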

28. August 2010 · MPLS WAN Encryption – It’s time · Categories: Data Loss Prevention

Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS is not encrypted and therefore subject to snooping. But of course, you have no way of knowing one way or the other.

Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.

If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different than the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carrier’s employees are trustworthy. The latter definition doesn’t care if they are or aren’t.

In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.

To encrypt MPLS traffic, and really for all wide area network encryption, we recommend CipherOptics.

28. August 2010 · Is there a need for mobile anti-malware · Categories: Malware

With the increasing popularity of mobile devices like iPhones and Android-based phones, we are beginning to see targeted malware, raising the question, do we need anti-malware for our mobile devices? ReadWriteWeb Enterprise was prompted to write an article on this topic as a result of the Android game Tap Snake which was reported to be spyware.

It appears the mobile anti-malware market is fairly immature:

I took the opportunity to test a few of the anti-malware apps available on the market: antivirus free from droidSecurity, Lookout, Symantec’s Norton Mobile Security for Android beta, and Smobile. I was also going to try SmrtGuard, but I couldn’t get the app to activate before Tap Snake was removed from Android Market. Of those four apps, only one detected Tap Snake as a potential threat.

The article goes on to say that tightly controlling which apps can be loaded onto mobile devices may be all that enterprises need at this time.

28. August 2010 · Russian cyber crime – the life and times of BadB · Categories: Fraud

Earlier this week, the NYTimes wrote an article on the life and times of BadB, Vladislav Horohorin, a Russian cyber criminal recently arrested while on a trip to France.

He is expected to appear soon before a French court that will decide on his potential extradition to the United States, where Mr. Horohorin could face up to 12 years in prison and a fine of $500,000 if he is convicted on charges of fraud and identity theft. For at least nine months, however, he lived openly in Moscow as one of the world’s most wanted computer criminals.

It appears that BadB operated openly in Russia despite the fact that he was indicted in the United States in November 2009. He was arrested only because he traveled to a country which respects the rule of law and does not have an adversarial relationship with the U.S.

Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals’ expertise or for allowing their networks of virus-infected computers to be used for political purposes — to crash dissident Web sites, perhaps.

Definitely worth reading the whole article.

22. August 2010 · Only one way to block ‘Flash cookies’ · Categories: Privacy

While browsers now give you total control of standard “cookies,” Flash cookies are another matter. Woody Leonhard at Infoworld writes about the only way to control Flash cookies in his article, Block ‘Flash Cookies’ to thwart zombies. Hint: you have to go to the Adobe Flash Player Settings Manager site.

22. August 2010 · OpenDNS – Simplifying the Lives of Web Users · Categories: Social Engineering

David Pogue at the New York Times wrote a very good article about OpenDNS, Simplifying the Lives of Web Users. The article also provides a well written explanation of DNS – Domain Name Service.

I did not realize that one of the benefits of OpenDNS is phishing protection:

PHISHING PROTECTION Phishing is the Internet scheme where you get a fake e-mail note from your bank about a problem with your account. When you click the link to correct the problem, you get a fake Web site, designed to look just like your bank’s — and by logging in, you unwittingly supply your name and password to the bad guys.

OpenDNS intercepts and blocks your efforts to visit the fake sites. It works like a charm.

Another layer of phishing protection alone makes OpenDNS worthwhile. Improved performance, availability, shortcuts, typo corrections, and parental controls are other benefits Pogue discusses.