August 13th, 2010
So you’ve been hearing lately about how some Android applications are going rogue and being used to steal users’ data and infiltrate their phones, to sit idly by only to wreak havoc when the user least expects it (ok, so maybe I exaggerated a little there). But there has been a lot of buzz lately about certain apps not playing by the rules, or including certain calls to leech user information. A lot of this buzz has been spun as backlash against Google for allowing these types of applications to exist (instead of having some asininely draconian filtering process like some ‘other’ phone provider).
Well, to help defend Google (which they’ve done a decent job of doing themselves), this one falls back on the users. If you’re an Android user, you’ve most definitely seen a screen similar to this.

This screen tells you exactly (mostly) [kinda] what the application you’re installing has access to, and how far it can reach. It’s your (the user’s) obligation to agree with this and install, or not agree, and cancel out. See those two buttons at the bottom? If you don’t agree and see something that has “Cost Money” in this section and you presumed it was a completely free (as in beer) app, then you’d better click the right (Cancel) button.
Read the rest of this entry »
Posted in general, hacking, privacy, software by Tim Donaworth | No Comments »
July 21st, 2010
Because Android requires SD cards to be formatted as VFAT, files stored there have a security hole. VFAT is an old filesystem that doesn’t support Linux file ownership and permissions, so nothing stored on the card is protected by the access controls that guard an app’s internal storage. Because of this, all storage on the card is shared with (readable and writable by) every program on the device, so storing sensitive information there isn’t going to be the best thing to do. With some devices having limited internal storage, though, this might be your only option, or depending on what the data is, you may require large amounts of storage space.
One way around this is to simply encrypt the data from within your application before it is written to the card. This can be achieved via the ‘javax.crypto’ package.
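As an added example (not code from this post), the following shows the approach in plain Java: the data is encrypted with AES-GCM before being written to the shared card and authenticated on the way back in, so a file that another app on the card has modified is rejected rather than silently read. The key is generated in memory only for the demo; the names `SdCardCrypto`, `encryptToFile` and `decryptFromFile` are my own, and on Android the `File` would come from `context.getExternalFilesDir(null)` rather than a temp directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Encrypts data before it is written to shared (VFAT) storage and
 * authenticates it when read back. Added example, not code from the post.
 */
public final class SdCardCrypto {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private SdCardCrypto() {}

    /** On-disk layout: [12-byte IV][ciphertext || 16-byte GCM tag]. */
    public static void encryptToFile(SecretKey key, byte[] plaintext, File out)
            throws GeneralSecurityException, IOException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);  // fresh IV per file; an IV must never be reused with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] blob = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ciphertext, 0, blob, iv.length, ciphertext.length);
        Files.write(out.toPath(), blob);
    }

    /** Throws AEADBadTagException if anyone without the key changed the file. */
    public static byte[] decryptFromFile(SecretKey key, File in)
            throws GeneralSecurityException, IOException {
        byte[] blob = Files.readAllBytes(in.toPath());
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("file too short to be a valid blob");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // The key must NOT live on the SD card itself. In a real app load it from the
        // app's private internal storage or the Android Keystore; generated here for the demo.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample data and a temp file standing in for the SD card path.
        File f = File.createTempFile("sdcard-demo", ".bin");
        byte[] secret = "account=12345;token=constructed-sample".getBytes("UTF-8");

        encryptToFile(key, secret, f);
        byte[] back = decryptFromFile(key, f);
        System.out.println("round trip ok: " + Arrays.equals(secret, back));

        // Simulate another app on the shared card flipping one byte of the file.
        byte[] blob = Files.readAllBytes(f.toPath());
        blob[blob.length - 1] ^= 0x01;
        Files.write(f.toPath(), blob);
        try {
            decryptFromFile(key, f);
            System.out.println("tampering went undetected (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, file rejected");
        }
        f.delete();
    }
}
```

Two design points matter here. GCM gives integrity as well as confidentiality, which is what a world-writable card actually needs; `GCMParameterSpec` is available from Java 7 and Android API level 19, so on the 2010-era devices this post was written for you would have to use AES/CBC plus a separate MAC instead. And encryption only moves the problem to the key: a key written to the same card is readable by the same apps, so keep it in internal storage or a hardware-backed keystore.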
Read the rest of this entry »
Posted in Tutorial Tuesday, data protection by Tim Donaworth | No Comments »
July 1st, 2010
There’s no need to go and reinvent the wheel when coding. Many good developers will have a plethora of custom or public libraries of code to do all the functions they need. One area where this type of stockpiling code really shines is in security APIs. For the longest time I’d followed Microsoft’s Enterprise Library, specifically for its security namespace. Being a .NET developer primarily this was all good.
But lately I’ve been branching out my coding endeavors, as well as watching the Microsoft Enterprise Library continue to grow, a little too large for my taste as of late. This is where the OWASP ESAPI (Enterprise Security API) comes into play.
It’s fairly lightweight, supports many languages, and is a set of foundational security controls that developers don’t have to keep remaking over and over.
Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:
- There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
- There is a reference implementation for each security control. The logic is neither organization-specific nor application-specific. An example: string-based input validation.
- There are, optionally, your own implementations for each security control. These classes may contain application logic developed by or for your organization. An example: enterprise authentication.
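To make the three layers concrete, here is an added example of that design in plain Java; it is not ESAPI’s own code, and the names `Validator`, `DefaultValidator` and `AcmeValidator` are my own. It stays with input validation for all three layers rather than switching to authentication for the third: the interface fixes the contract, the reference implementation supplies generic allow-list validation, and the organization-specific subclass adds a rule only that company needs.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Layer 1: the security-control interface. Added example, not ESAPI code. */
interface Validator {
    /** Returns the input only if it is valid for the given type; otherwise throws. */
    String getValidInput(String context, String input, String type, int maxLength)
            throws ValidationException;
}

class ValidationException extends Exception {
    ValidationException(String context, String reason) {
        super(context + ": " + reason);
    }
}

/** Layer 2: reference implementation with generic, allow-list string validation. */
class DefaultValidator implements Validator {
    // Each named type maps to a pattern describing what is ALLOWED, not what is banned.
    protected final Map<String, Pattern> patterns = new HashMap<>();

    DefaultValidator() {
        patterns.put("SafeString", Pattern.compile("^[A-Za-z0-9 .,_-]*$"));
        patterns.put("Email", Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"));
    }

    @Override
    public String getValidInput(String context, String input, String type, int maxLength)
            throws ValidationException {
        if (input == null) throw new ValidationException(context, "input required");
        if (input.length() > maxLength) throw new ValidationException(context, "too long");
        Pattern p = patterns.get(type);
        if (p == null) throw new ValidationException(context, "unknown type " + type);
        if (!p.matcher(input).matches()) throw new ValidationException(context, "not a valid " + type);
        return input;
    }
}

/** Layer 3: organization-specific implementation adding a rule only this company has. */
class AcmeValidator extends DefaultValidator {
    AcmeValidator() {
        // Hypothetical employee-id format for the example organization.
        patterns.put("EmployeeId", Pattern.compile("^ACME-\\d{6}$"));
    }
}

public class EsapiLayersDemo {
    public static void main(String[] args) {
        Validator v = new AcmeValidator();   // application code depends only on the interface
        // Constructed sample inputs: {context, input, type}.
        String[][] samples = {
            {"signup.email", "alice@example.com", "Email"},
            {"signup.email", "alice@example.com<script>", "Email"},
            {"hr.employeeId", "ACME-004711", "EmployeeId"},
            {"hr.employeeId", "ACME-47", "EmployeeId"},
            {"profile.nickname", "Alice_1", "SafeString"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("accepted " + s[0] + " = " + v.getValidInput(s[0], s[1], s[2], 64));
            } catch (ValidationException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

The practical payoff of the layering is that the rest of the application is written against `Validator` alone, so swapping in the organization’s implementation (or, later, ESAPI’s reference one) changes no calling code, and every validation decision is an allow-list check that either returns the value or throws.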
I’ve just recently started using the ESAPI, but do have a history with some of OWASP’s other projects. I’d advise anyone looking to lock down some of their controls and ensure they have the proper guidelines in place to take a look at the ESAPI from OWASP.
Posted in Technology & Tool Thursday by Tim Donaworth | No Comments »
June 18th, 2010
HTTPS Everywhere had its first beta release today. It’s a collaborative project between the Tor Project and the EFF.
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.
The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
It’s good to see a project like this, especially after giants like Google finally step up and start offering more secure search features in their search engine. It’s only in beta so far, but it does look very promising.
One thing to watch out for, though: just because you have a plug-in like this doesn’t mean every site you go to is going to be secure. You still need to check your browser’s security notifications/icons to ensure you’re on a protected site.
Posted in general, privacy by Tim Donaworth | No Comments »
May 14th, 2010
Did you know that two-thirds of all phishing attacks are sourced from a single group? This seems like a staggering statistic, except for the fact that we’ve already seen this before. Maybe those plans for world domination just might pay off…
This whole Facebook privacy scare seems to finally be taking its toll on the general public as it seems Google is showing a major increase in trends data sourced from people wanting to delete their accounts. This doesn’t really surprise me much either, as we’ve talked numerous times about how to secure yourself within Facebook. Let’s hope that emergency meeting that was supposed to take place today actually accomplished something.
One of the pioneers of PKI, Whit Diffie, landed a new position today as VP of information security and cryptography at the Internet’s key oversight agency for domain names. ICANN doesn’t have that much control over many of the domain providers, but I like to think they have enough influence that if Diffie were to make some serious strides, the world could be a better place.
Posted in general by Tim Donaworth | No Comments »
April 22nd, 2010
I recently found out about Netsparker through Darknet. They released an update to their (free) community edition. The main thing about Netsparker that caught my eye is its fundamental approach to eliminating false positives in its web application scanning. I completely agree with the developers’ approach.
The developers thought that if you need to investigate every single identified issue manually what’s the point of having an automated scanner?
So I decided to check out Netsparker a little further and put it to the test. I first started by running its array of scans against a few local web applications I had on my system. Most are either internal development projects or just sandbox sites I use for testing random stuff, mostly ASP.NET apps.
The majority of the scans came out rather quickly and watching the process was somewhat entertaining. When the scan is complete, it gives you a readout of not only the vulnerabilities, but also lets you see the actual results of each attempted attack, as well as the HTTP request/response for each transaction. It correctly identified a few of the areas that I knew about already. These being internal (some local-only) sites, I hadn’t bothered to enable all the security features.
My local sites were a good start, so I next wanted to see if it could pick up some other well-known vulnerabilities. So I pointed it at my DVWA (Damn Vulnerable Web Application) VM. Since it is filled with quite a few vulnerabilities, I’d have a decent record of known flaws for it to test against. Netsparker did quite well, even picking out a few areas that weren’t intended in the tutorial routes for DVWA.

Overall, I was quite impressed. The fact that it actually goes and tries the attacks with some dummy data, or even data that was pulled from context on the site is quite impressive. It even gives you tips or direct commands to run in order to fix some of the known issues. And where it doesn’t give specifics, it points you to the OWASP site for guidelines. I might have to look towards this again and will definitely keep a reference to it in my toolbox for future endeavors.
Posted in Technology & Tool Thursday by Tim Donaworth | No Comments »
March 26th, 2010
Pwn2Own winner Charlie Miller is taking a different approach this year when it comes to releasing the vulnerabilities he used to the vendors, in this case Apple, Microsoft, and Adobe. In an interview with Computerworld, Charlie stated:
“We find a bug, they patch it, we find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”
From this observation Charlie decided he’s not just going to hand over the vulnerabilities to the vendors. Instead, he’s going to sit down, show them the method he used to find them, and let them do the actual work of finding them.
“People will criticize me and say I’m a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them,” Miller said. “What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing.” That, Miller maintained, would mean more secure software.
I think this is a great approach. Instead of simply giving the vendors the fish, you’re helping them learn to fish, and fishing for vulnerabilities in software is something they need to be doing more often anyway.
Microsoft has already implemented fuzzing in its Security Development Lifecycle (SDL), so how the vulnerabilities made their way into PowerPoint, who knows. I’m not sure if Apple or Adobe already implement a form of fuzzing in their development process, or to what extent their SDL goes for security — I’m hoping Adobe at least has some pretty stringent processes in place seeing as they are not the most targeted vendor in the world.
Either way, I love this approach; it puts a little more pressure on the vendors to fix their software and in the process hopefully shows them how simple it is to detect this stuff.
Posted in general by Tim Donaworth | No Comments »
March 2nd, 2010
Let’s face it. There are a lot of broken web apps and software out there. These web apps and software can oftentimes lead to major security holes being opened up due to their vulnerabilities. You don’t want to be the guy/girl responsible for the next major security breach just because you forgot to sanitize some input, or check that your sessions were secure.
I would love to provide you a great tutorial on how to avoid many of the hardships that developers face, especially in security these days, but I don’t think I could do it better than the people over at the OWASP WebGoat project. It’s a web application that purposefully has many vulnerabilities right out in the open. The site is laid out with exercises for you to complete. It will offer hints, and even a full solution for when you get stuck. It even tracks your progress through a report-card-like page showing how many times you’ve attempted an exercise, how many times you got help, and whether it was completed or not. You can grab WebGoat from OWASP.org directly and install it on your own Tomcat server, or grab it in a fully enclosed environment through Dojo or the OWASP Broken Web App VM. Whichever route you choose, I’d highly recommend it. The VMs provide much more on top of WebGoat, but I feel the way the site is laid out and structured provides a very good tutorial-based approach to learning what not to do, or at least what to avoid in your own applications.
Posted in Tutorial Tuesday by Tim Donaworth | 2 Comments »
February 5th, 2010
The first night of ShmooCon is a wrap, at least for the presentations. First off, my shout-outs to all those that actually made it this year. The DC weather hasn’t been too kind to any of us, especially those traveling in specifically for this Con. But to those who made it, I salute you (even more so to those who had to walk a couple miles to get to their hotel because they didn’t make or take reservations at the Marriott).
Read the rest of this entry »
Posted in general, hacking by Tim Donaworth | No Comments »
January 7th, 2010
Seems the new year has brought out a few new findings. One being the newly discovered “God Mode” feature in Microsoft’s Windows 7-based operating systems. At its core, it’s basically a glorified control panel. It takes all the hard-to-get-to, or annoying multiple right click -> properties -> options -> submenu -> etc. -> etc. parts out of some of the common administrative tasks.
So, how do you get this miracle “God Mode”?
Read the rest of this entry »
Posted in Technology & Tool Thursday by Tim Donaworth | 4 Comments »