You are currently browsing the Sleeping Sheep Hackers… blog archives for the day 19.10.2009.
19.10.2009 by faintdreams.
Having recently been forced to migrate back to using Windows, I feel compelled to comment on Microsoft’s new ‘Security Enhancements’ in the Vista and Windows 7 OS.
Upon starting a Computing MSc I was dismayed to find out that the first trimester was Windows-centric. Running a virtual machine under OSX on my MacBook was not practical (due to speed and HDD space concerns) and so I opted for a new lightweight Toshiba laptop to be my course workhorse.
For a non-Linux machine, Vista (or nothing) were the OS choices I had and so reluctantly I opted for Vista - with a Windows 7 upgrade to follow as soon as that is available. Little did I know what I was letting myself in for.
The ‘User Access Control’ (UAC) in Windows is useless - why? Because it is so intrusive as a piece of security software that I can only liken it to having to unlock 15 deadbolts, AND entering a safe combination every time you want to go through a door, or open a window inside your own house.
To fully understand how irritating it is to use ANY application under Vista with UAC turned on, let me explain that the previous example includes EVERY door / window in your house. You HAVE to shut each door / window behind you when you change rooms, and EVERY time you open a door you have to unlock all fifteen of the deadbolts AGAIN. Imagine your house is somewhat sentient, so ideally you want to say to your house “I have been to the toilet today. I do not wish to unlock the toilet door EVERY time I need to use it. I wish to authorise the door to stay open as long as the sensors see ME either entering or leaving the room.” “NO.” says your house, “I will not allow you to designate security passes to ANY of the doors. I will force you to lock and unlock EVERY DOOR, during EVERY INSTANCE OF USE. You can either authorise EVERY door / window for every instance of use, EVERY TIME or you have to leave all the doors / windows open to everyone ALL THE TIME.”
Any sane person would just switch off the house security protocols and leave every door open all the time - right? WRONG.
What you want to do to keep your house secure is make sure that the front door and the windows are shut by default and only THOSE SPECIFIC INSTANCES of holes in your house require authorisation to open, and ONLY YOU have the key. As ‘Keyholder’ you can walk around the house unmolested the rest of the time without having to worry about constantly opening doors you just walked through. Also if you get a pet, you would supposedly want your pet to be able to walk unfettered from room to room, but not walk out the front door, or jump out of the windows.
I may be stretching the point somewhat, but in my illustration, the ‘you’ in the house is the logged on Administrative user, the doors / windows are pre-installed (or pre-approved) Windows applications and the pet represents any third party applications you install.
Perhaps I am just being dense, but my google-fu fails me when it comes to ways to authorise individual Apps under the UAC tool.
So in essence I am reduced to leaving all my doors and windows open in order to do anything, and that is far from secure.
Posted in opinion
19.10.2009 by matti.
During a network assessment there should always be some investigation into public information on the Internet. This of course includes a look at the registrars.
One thing that sometimes gets overlooked is the auth method within the whois records:
http://www.ripe.net/db/news/MD5-HOWTO.html
So what could be the issue here?
Posted in hacking
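One way to audit your own registry objects for the auth-method point in the whois post above (an added example, not from the blog or from RIPE tooling): it parses RPSL-style text, flags maintainers that accept password-derived auth schemes, and lists the objects they protect. The sample objects and hash strings are constructed, and treating any single `auth:` line as sufficient to authorise an update is this example's assumption.

```python
import re

# Password-derived schemes: only as strong as the password behind them.
PASSWORD_SCHEMES = {"CRYPT-PW", "MD5-PW"}

# Constructed sample input; names and hash strings are placeholders.
SAMPLE = """\
% constructed sample, not real registry data
mntner:   EXAMPLE-MNT
auth:     MD5-PW $1$CONSTRUCTED$placeholderHashValue000
auth:     PGPKEY-0A1B2C3D

mntner:   LEGACY-MNT
auth:     CRYPT-PW zzPLACEHOLDER

mntner:   KEYED-MNT
auth:     X509-1

inetnum:  192.0.2.0 - 192.0.2.255
mnt-by:   LEGACY-MNT, KEYED-MNT
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text):
        attrs = [(m.group(1).lower(), m.group(2).strip())
                 for m in re.finditer(r"^([A-Za-z0-9-]+):[ \t]*(.*)$", block, re.M)]
        if attrs:                      # comment-only blocks yield nothing
            objects.append(attrs)
    return objects

def audit(text):
    """Return {mntner: {"schemes": [...], "protects": [...]}} for flagged mntners."""
    objects = parse_objects(text)
    flagged = {}
    for obj in objects:
        kind, key = obj[0]
        schemes = {v.split()[0].upper() for a, v in obj if a == "auth" and v}
        weak = sorted(schemes & PASSWORD_SCHEMES)
        if kind == "mntner" and weak:  # one password line is enough to flag
            flagged[key.upper()] = {"schemes": weak, "protects": []}
    for obj in objects:
        kind, key = obj[0]
        names = [n.strip().upper() for a, v in obj if a == "mnt-by" for n in v.split(",")]
        for name in names:
            if kind != "mntner" and name in flagged:
                flagged[name]["protects"].append(f"{kind}: {key}")
    return flagged
```
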
19.10.2009 by matti.
As mentioned before, there are some standard tools that can be utilized for assessing a Flash-based web application.
http://www.nowrap.de/
Offers two different applications. One is flare and the other one is flasm. The first just extracts the ActionScript of a swf file. Nothing else gets extracted. The latter disassembles the complete file. Therefore both should be used to get the complete picture.
http://www.owasp.org/index.php/Category:SWFIntruder
Is an OWASP project that helps with the practical application exploitation. Basically you download the flash from the web site and place it on a locally running Apache web server. It must be seen more as a framework, as you can define your own attack strings and so forth. There are a few exploitation strings that come along, but they are more focused on XSS within the swf file. This should never be the only tool utilized during the assessment and should be seen more as an exploitation framework. The main problem is of course that you do the exploitation on your own machine and therefore the client can easily argue against it.
https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf
SWFScan from HP does a really good job of decompiling the swf file and analyzing it for known weaknesses. This should definitely be part of the assessment.
All these tools have of course the limitation that they do not take the communication with the database into account. SWFScan looks for insecure calls from the swf file but that does not give you a complete picture.
Therefore it is essential to perform a complete web application test. The Flash application normally results in quite a lot of POST requests.
The problem you are facing with such a test is that you have to scope it. The best approach from my point of view is to look at the application and make an estimate of how many interactions the user has with the application and how many calls the application makes to the infrastructure (web server, database, etc.).
Posted in hacking