Why attackers love your developers!

Kind Sir

My name is Developer A. I am having a problem with database connectivity to Oracle. I think I am doing everything right, but I am getting an HTTP 500 error with the following details:
(Full Stack trace follows)
The sample of the source code is given here.
(Source Code follows)
The error where it is occurring is at this URL (Organization's url follows)
Please help me out with this as soon as possible. I reeeallly need help!!!
Email me at developerA@organization.com

Yes. This was one of the messages I found sifting through my Google hacking results while I was pen-testing a web application the other day. Needless to say that, the page with the stack trace was open for me to go and gain a complete understanding of the application and penetrate. The organization which I was pentesting had gone great distances to get secure. They had spent a lot of time, money and resources in getting secure and staying that way. They had gotten a few things wrong, but mostly they were on target. Unfortunately, they had forgotten to explain to their developers that dirty laundry (or in this case confidential laundry) should not be washed in public. I have seen this with several organizations (mostly in Software development) where developers post their queries in Internet forums and get some other professionals to look at it and give them some insight into the matter. While there is nothing wrong with this practice, the way it is followed is quite shocking. Developers dont even go through the trouble of hiding the name of the organization they are working for. They advertise their email address and in several cases the URL of the page which is problematic and buggy. When posting code snippets or source code, they mostly never remove sensitive details like certain class references or database drivers (sometimes, even usernames and passwords to dbs) and last but not the least, they use words like "Kind Sir" on an Internet forum (although the last one is not a vulnerability, it is bloody irritating). I am sure all of you would realize that such information can be extremely useful to anyone looking to break into an application or a site. It would be worth its weight in gold. And, of course, as usual the only thing you really have to do is "Google it" or "Bing it" (my vendor agnostic comment for the day).

My advice to organizations to prevent against such ignominious disclosures are these:

• Instruct developers never to post in internet forums under their own name or with their company credentials like emails, etc.
• Encourage developers to first find help within the organization. I have seen that several greenhorns tend to be afraid of asking their seniors or project managers any doubts regarding the code, fearing a nasty remark or backlash. Build an environment of openness and encourage questions. Not doing so, would result in these juniors asking questions anyway, but to someone you are totally not aware of, not bound by confidentiality agreements, etc.
• If someone really has to post queries on the Internet, make sure that these are approved. Source code should not be posted. Stack trace should not be posted. Questions should be based on peripheral details and no sensitive information should be posted. Words like "Kind sir" should definitely be filtered out of posts ;)
  
• Have your risk folks scour the internet regularly checking for violations and take action against people violating these instructions.

PCI Compliance: Hazards of the "Dull-Clarity" effect

It has been a while since I sat down to write a post for my blog. The monsoon season has just set in this part of the world. The days are hot and it rains heavily on occasion causing one to just enjoy the comfort of his bed a little more than usual.

This was a piece, which had been in the works for sometime now. I had planned to write it, close on the heels of the Savvis lawsuit (for the CardSystems breach), but I missed my cue. Anyway, here goes. This lawsuit has been abuzz in blogosphere because some of the banks that were processing their card transactions through CardSystems (which was involved with one of the largest credit card breaches in history), have decided to file a lawsuit against Savvis, the organization that attested to the compliance of CardSystems, with the Visa compliance requirement called CISP (Cardholder Information Security Program). The CISP was the predecessor to someone we all know lovingly as the PCI-DSS (Payment Card Industry Data Security Standard). A little background here. CardSystems was one of the largest credit card processors in the US, and they were involved in a breach which compromised over 40 million card numbers. Savvis was the company, which certified CardSystems as compliant with the standards. Now, four years later, Merrick Bank has filed a case against Savvis, alleging that it has been negligent in certifying CardSystems. Frankly, I am not aware of whether Savvis has been negligent or not, but blogosphere and online news portals have gone wild with the news. The Security gurus are quoting their same old lines of the inadequacy of PCI Compliance and are questioning the 'rigour' of the standard in the protection of cardholder information.

My intention with this piece is 1) To introduce the some people out there to the concepts of "Reasonable Assurance" and "as on date"; Two concepts which have been in lost in the rhetoric which several security folks have been dishing out relentlessly. 2) Drive home my point of Risk based compliance, another concept which has been dulled with wrong interpretations of the PCI Standards 3) and hope that a few organizations would actually understand the concept of PCI being risk-driven as opposed to a dull checklist, requiring their meek submissiveness.

The security world has much to learn from the Financial audit and assurance world. No auditor will be able to guarantee that an organization's financial statements are free from error or misstatement. The auditor has to do everything that a prudent person in his place would do and in the end, signs off on a report which states that a "reasonable assurance" can be provided with respect to the financial statements. The auditor is not god, and the laws are quite aware of that and have provided for a similar treatment. Moreover, the auditor does not have to look for fraud, another basic truth in the financial audit world. The auditor must perform a risk assessment and gain an understanding of Internal control, before he performs his audit tasks. Contrast this with the security world. Information Security assurance, being nascent as it is, has not promulgated such basic truths to its practicing professionals. It still (subtly) preaches the utopian ideals of "Perfect security" Furthermore, PCI as a standard still has a very hazy understanding of what assurance the QSA actually provides. Is it "Reasonable Assurance" or is it a guarantee, because if it is a guarantee, then QSAs should pack their bags and quit the business, because that is impossible to provide. When it comes to reasonable assurance, the only defense that an auditor should provide in his alleged negligence, is his working papers and evidence. So my advice to people who are QSAs, please keep your workpapers and evidence in perfect auditor, they are your only saving grace tomorrow when fingers are pointed at you.

Another important concept which people usually miss out with PCI Compliance is the "as on date" concept. When an assessor certifies an organization for PCI, the certification is done as on date and not for the "period ending". I have seen several companies take the proverbial snooze after their PCI Compliance. 8/10 organizations I have seen have serious issues with their applications, or their network configurations or their log management and review. They would have slipped into non-compliance several times during the year and would have remained so till the the recertification for PCI Compliance. An assessor cannot be held responsible for the negligent organization on a future date, unless he has wrongfully or negligently assessed the misgiving as compliant as on the date of certification. I would like to add, at this juncture that I am not aware of whether Savvis was actually negligent or not. Its negligence can only be established once its made to produce evidence of its assessment and its work papers in front of a court. My advise to assessors is to go ahead and fail organizations which have not demonstrated compliance throughout the year.

When it comes to Risk based compliance, my views have already been aired, but I would like reiterate some practical angles to the same. Several clients ask me, "Where does it say that this has to be done in the PCI Standards?" The greatest advantage of the PCI Standards is also its weakest point. Its clarity. Several organizations interpret PCI to be a checklist requirement set which they need to fulfill and be done with. The PCI has acquired a reputation of being a standard which prescribes exaclty what to do and how to do it and that it is inflexible in its approach. True, it is specific, which is why, when a recommendation outside its realm, but very much in the realm of specific risk is given, it is quickly shot down by an organization as not being specific in the requirement. I have several (often heated) arguments with clients who ask me questions like, "Where does PCI say that Internet access to these partiular set of users should be blocked?", My reply to them is that PCI is a baseline set of controls to be applied to any environment storing, processing or transmitting cardholder information. For such specific requirements, a risk assessment is in order, which narrows down certain risks which are specific to the environment. If the risk of individuals having access to cardholder information as well as the Internet (where cardholder information can be sent over email or over the internet in any way) is high, then it is only prudent that you mitigate the risk and not let it become your Achilles Heel. My advice to organizations. Dont look at PCI as a checklist for truly being secure. Treat PCI as a baseline and add to it controls for the risks which are specific to your environment.

I would like to conclude by stating this. PCI Compliance, like anything else in Information security, is at its growing phase. There are bound to be a few teething problems with respect to the standard and its expectations. An organization intent on pursuing PCI Compliance should not be misguided by the pure view of the 12 requirements of PCI, but to understand the risks before going into requirements.

OWASP Membership

I became a member in the OWASP (Open Web Application Security Project) today. I am glad to support the great initiative for Web Application Security, which has been taken by OWASP.

For all reading this, please become OWASP members, it is a great initiative, which is completely free. We should do all we can to support it. It costs just $50 for the Individual membership for a year.

Please join up and make a difference

OWASP Bangalore Chapter Meet: 7th June 2009

It was the first meeting of the OWASP Bangalore Chapter that I was attending. The meeting was scheduled at 9am at the India Coffee House on Church Street in Bangalore. Although, the location was not the most suitable, especially keeping in mind that that presentations on App Sec and other Info Sec related issues would be part of the meeting. Nevertheless, it was nice seeing some energy from this chapter.

Rajiv Vishwa's was the only presentation on using Firefox as the ultimate App Sec assessment tool. Rajiv demonstrated the use of several Mozilla Addons like Tamper Data, XSS-Me, SQL Inject-me demoed over Webgoat to a small group of dedicated OWASPers in Bangalore. It was an interesting presentation, which highlighted the fact, that there are several tools for performing AppSec assessments and a pen-tester would never really have to leave the comfort of the browser to perform security testing for applications. Mozilla provides several other addons like Firebug, FoxyProxy, etc, which allow the easy assessment of web applications. Although Rajiv had to leave early, I took over and we discussed talked more AppSec. I stressed on the use of exploit frameworks like Metasploit for Pentests and also discussed how Application development needs to be given the impetus, it so badly deserves from the security standpoint. We signed off on a positive note.

The Bangalore Chapter has some great energy going but needs a lot more to live up to the reputation of being the OWASP Chapter in the Silicon Valley of India. It would be great to see more Bangaloreans interested in AppSec and InfoSec attend the Chapter meets and play an active role in the development of this community. I will try and get in touch with the ISACA Chapter in Bangalore for some joint meetings and meeting space. Hopefully, things should go well on that front. I would request anyone part of the OWASP Bangalore Mailing list to actively participate and probably initiate some action on the location issue for the chapter. There is a nice quote which I would like to share with all of you, "I ask not for lighter burden, but for stronger shoulders".

Thanks

My brush with the Gumblar worm

Some of you might have heard of the new worm out there known as the Gumblar worm or the gumblar.cn worm. It is a worm which has been spreading rampantly across the internet. This worm has become the scourge of the internet after the conficker worm. The Gumblar worm has two ugly sides to it, both of which I have been exposed to.

This was way back in March, when we were performing a company's website assessment. The company had outsourced their website development activity to a organization that designs websites. The company had run into a few security issues including Directory traversal vulnerabilities and weak passwords which the web design company had caused. Once the website was up, I opened up the page to see my Avast Anti-virus light up like a Christmas tree, with a malware alert for a "JS:Redirect" worm. Needless to say upon exploring the source in the php and html files, I found that a large piece of javascript code, which had no apparent business being on the page, was there. It was obfuscated code, which obviously caused the worm to propogate. The Javascript code for Gumblar is given below:

I have removed the Gumblar worm code as some AV apps were throwing up alerts from their content filtering engines. Please check elsewhere for a copy of the code.

The gumblar worm infects the PC when the PC opens up the website which is infected the malicious javascript.












The execution of the malicious code results in a backdoor being installed which attaches itself to Internet Explorer and also manipulates Google searches. Furthermore the worm is also known to disable anti-virus software, install fake av applications and also sends out spam. This is the one facet of the Gumblar worm. The other facet of the Gumblar worm, is worse and is extremely worrisome for a security professional. Gumblar also steals FTP credentials and appends itself to pages hosted in the webserver, thereby wreaking havoc to a webserver. This means to say that Hosting providers and webservers hosted by organizations may well have already been seriously compromised. FTP credentials have been stolen several webpages hosted in webservers all ovetr the world have been affected by the gumblar worm. The number of attacks over the last week have grown by 188% and counting and has accounted for over 42% of the malware detected all over the world. The number of infected websites has jumped from 800 to over 3000 in a matter of a few weeks.

As you can see, the gumblar botnet really goes two different types of systems. One it goes after PCs, where the PC is infected and the Google searches, Internet Explorer and the vulnerabilities in Adobe Acrobat are exploited. The other system is the Webserver, where it goes after FTP passwords and then appends the code onto all the web pages in the webserver. I first experienced this worm in March of this year and the worm has now started surfacing in all its glory. So, for all of you, here are some tips to stay safe and keep your website safe:
1. Latest AV Definitions: The biggest issue has been that Antivirus vendors except, I think, Avast and Kaspersky have not woken up to this issue till recently. Please make sure that your AV definitions are up and functional against Gumblar's many variants.
2. FTP Credentials: This is a good time to run a thorough manual and automated scan of the webserver and change the FTP credentials for all users in the system. It would also make sense for organizations hosting their web content with hosting providers to talk to them and see how their dealing with the situation. Also, please make sure that the FTP passwords are stored securely and that there is adequate encryption or hashing which is used to protect the same.
3. NoScript: For ordinary users out there, please use NoScript with Mozilla Firefox, it goes the distance in protecting you from the malicious javascript in websites against executing and infecting your PC.
4. Hosting and Web Design organizations: Please make sure that your hosting providers also take the same precautionary measures. In case you are having your website being designed by others, please make sure you test it in a staging environment before deploying it over the Internet. You might be aiding in the propogation of the worm.
5. IPS signatures: I already know for a fact that ISS Proventia has signatures released for the Gumblar worm. I am sure others would have also done so. Please keep the IPS updated for the Gumblar sigs.

Why doesn't anyone pull their security SOx up?

This is a question, which has been raging in my mind for a while now. It has been something, which I see a great scope for improvement for and something that is currently, very rarely, if ever, followed.

The Prologue
First, a prologue to the entire story. I am sure all of you know the Sarbanes Oxley Standard, popularly known as SOx. It is one of the most important compliance requirements of publicly listed companies in the US. It is governed by the PCAOB (Public Company Accounting Oversight Board), which is an independent oversight body for SOx. SOx arrived in the wake of several scams such as Enron and WorldCom. These scams rocked the business world and caused a great deal of embarassment for corporate America. All these scams had something in common; they had cooked the books (misstated financials) and this syndrome percolated to the very top, including the CEOs and CFOs of some of these organizations.

Enter SOx. SOx was the brainchild of two US senators whose last names have been given to the standard. Their take on this was that shareholders and the general public need to be able to reaffirm their faith in an organization's financial statements. This involved, first of all, establishing accountability from the top management (as they had been intricately involved in the scams previously and had the most reason to misstate financials) and providing auditors with the teeth to ensure that the organization's control environment was adequate to ensure the "true and fair" view of financial statements. Therefore, as one can clearly see, SOx is primarily concerned with the integrity of the Financial Statements and the environment in which they are processed and created. The auditor assessing an entity for SOx needs to ensure that the environment in which Financials are prepared is secure and more importantly, an environment with controls which can be relied on to ensure the integrity of information and lastly make sure that the Financials are not misstated. This involves a process many of us have heard of. Identify scope, perform Risk Assessment, Document controls, Test controls, identify gaps, continuous improvement.

The Conundrum
Our look at SOx was fine and dandy, but all that is not new, right? All of you have heard it time and time again. Especially those of you who work for large consulting firms have seen SOx being thrown around in a conversation a lot of times. I have been interacting lately, with a lot of the auditors who assess their clients for SOx compliance. My question to them usually is, "How do you assess the integrity of the environment, which is involved in the creation and processing of financial information?". Their answer to that is something like this, "We usually ask a few questions about their IT policies and procedures and establish whether we can rely on the financial statements. Our worry is more on the business processes".

When I say "financial information", it means information from all quarters which is leading to the preparation of financial statements. It means, any system which is involved in the initiation, authorization, recording, processing and reporting of financial information. So you can imagine that this is.....a lot. An ERP system which is part of the organization would be a part of it, in case of an e-commerce company, for instance, the e-commerce accounting and inventory management modules of the applications would probably need to be a part of the SOx assessment.

Let me give you, quite a real scenario and then explain the matter. What if an ERP application is vulnerable to an Application vulnerability like XSS or SQL Injection where an insider might be able to hijack sessions, gain access to the privileged information and make unauthorized changes which are not logged, not checked in any way. If an employee were able to submit an expense statement and hijack his manager's session and authorize the expense statement, with no logging. Would I, as an auditor rely on the financial statements for a SOx environment, knowing that the application could be compromised and the financials could potentially be modified or in some cases even destroyed, and more so, without being checked (no logging). Taking the business process side of things, if the same person could could initiate an expense statement and authorize it himself as part of a business process, that would be looked upon as a serious hole in the internal control of an organization and the assessor would have no doubt that it was a significant deficiency. Let us take another instance, if a business unit of a corporation were vulnerable to several network issues, let us assume that they do not have proper firewalls rules, restricting specific IP and port sets, that default passwords still exist on their network devices and servers. Let us assume that a supplier breaks into this network and overstates the value of the organization's account payables. Would, I as an auditor sign off on that entity's financials, knowing that the entity can be easily breached and integrity of data can be adversely affected?

This is just from the auditor's standpoint. A company would be held equally responsible for its negligence to IT security (as IT is a key driver in financial statements) and its reputation and business value would be seriously impacted.

Unfortunately, the scenarios I gave you have real life significance and are quite real in the corporate environment and I believe that they are largely going unchecked, because the auditors for SOx are usually not capable of assessing IT controls and are under the false belief that SOx only applies to business process and related internal control, whereas the real scenario is quite different. In today's world of highly connected enterprises, IT is a huge area of consideration. IT controls, in essence form an integral part of the entity's internal control and can significantly impact the way financial statements are initiated, authorized, processed and recorded.

The Solution
My advice to the SOx assessors and auditors of the world is this. IT security is an important consideration for any entity today. SOx does not absolve you of the duty of performing basic risk assessment and control testing (like you would do for business process with assessment of internal control to ensure that financial statements may be relied upon). Integrity of information can be made or broken by IT security in today's digital age. SOx must be treated like any other security compliance which requires scoping of processes and applications affecting financial information, performing Risk Assessment, testing controls of the processes or applications and gap analysis. As you can see, this clearly involves issues like Firewall management, Application and Network security testing, Secure Application development, deployment and configuration, Network Change Management, Logging, Integrity Monitoring, Patching, AV and all the other IT security requirements which one can formulate through effective risk assessment and best practices. Bottom line. SOx is not just a financial standard. It has a serious impact in an IT environment and from an IT standpoint.