Wednesday, January 20, 2010

The Open Source Vulnerability Database

I had the opportunity to listen to a great interview on episode 19 of the Tenable Network Security Podcast during my morning commute yesterday. The interview was with Jake Kouns, the President and co-founder of the Open Security Foundation, which oversees the Open Source Vulnerability Database (OSVDB) and the DatalossDB. The interview is certainly worth a listen, and for those not familiar with OSVDB, take a few minutes to check it out. To quote OSVDB's about page:
OSVDB is an independent and open source database created by and for the security community. The goal of the project is to provide accurate, detailed, current and unbiased technical information on security vulnerabilities. The project will promote greater, more open collaboration between companies and individuals, eliminate redundant works, and reduce expenses inherent with the development and maintenance of in-house vulnerability databases.
I just wanted to take a few minutes to point out the interview and OSVDB's Winter 2010 Fundraiser. So if you use the database, please consider donating, as it is a fantastic resource that would be missed.

Monday, January 11, 2010

Is a Warning a Mitigation?

On Friday the good people at The Internet Storm Center posted some notes on a reader's experience with a recent targeted phishing attempt against his corporate OWA (Outlook Web Access) users. The email used to target the end users is convincing. It explains that their mailbox settings have been changed due to a security update and includes a hyperlink to what appears to be a URL residing on the corporate domain. Once clicked, the unsuspecting recipient is brought to another site that offers up an executable containing the ZBot Trojan.

Soon after reading the post, I chatted with a few people who stated that they too had witnessed this attack at their place of employment. None of this is very surprising to me, except that it does not seem to occur more often. At first glance, one might be inclined to believe this is a low-risk attack vector. It's just OWA, right? I disagree, however. Many organizations expose OWA directly to the internet. OWA runs on Microsoft Exchange, which means the organization is a Microsoft Active Directory environment. In almost all cases OWA uses the same login credentials that authorize access to corporate resources such as Windows end nodes, file shares, VPNs, databases, and web applications. It is the "keys to the kingdom," if you will. Combine this with end users running as local administrators and there are multiple opportunities for compromise.

OWA has been no stranger to vulnerabilities in the past. A URL redirection vulnerability affecting Exchange 2003 has gone unpatched and almost unnoticed by many Exchange administrators for years. With the exception of some frustrated forum posts from a handful of systems administrators and security practitioners, there seems to be little mention of the issue. The user is presented with the organization's OWA login page and, after providing credentials, is redirected to the attacker's server. An example of the redirected URL:

https://[victim]/exchweb/bin/auth/owalogon.asp?url=http://[attacker/file.exe]

Such a vulnerability would only make the aforementioned phishing attempt more effective. The Open Web Application Security Project (OWASP) recently released release candidate 1 of the Top Ten Critical Web Application Security Risks of 2010. Number eight on this list is Unvalidated Redirects and Forwards. To quote the summary of this risk:

"Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages."

Again, there is no official Microsoft patch for the issue, but the aforementioned OSVDB link does contain a comment describing a mitigation tactic. By hard coding the redirectPath variable in login.asp to your company's full URL path for the locale you're using, you can prevent the redirection. Note, however, that redirectPath must be hardcoded for each of the locales in use (i.e. the language set in the user's browser). While Exchange 2007 is not affected by this example, it is affected by a similar URL redirection described here. Upgrading to Exchange Service Pack 1 or higher fixes the issue.

So I am not sure why I was surprised when I recently received an email from one of the email lists I subscribe to. In it, Dan from http://www.madjic.net/ describes a similar redirection issue with Exchange 2007 SP1. He had verified that, with some modifications, URL redirection is still possible via:

https://[victim]/owa/[user]@[victim]/redir.aspx?URL=http%3a%2f%2f[attacker/file.exe]

One would need to include the victim's login name, but this would be trivial since in many Exchange environments the email address is the same as the Windows username. Now here is the rub. Once redirected, the end user is presented with the following warning:

So my question is this: is a warning a mitigation? (Please comment, as I am truly curious about everyone's opinion on this.) While certainly an improvement, I would not consider it a fix or mitigation. Users have a tendency to click through warnings. SSL certificates are a great example of this. This actually reminds me of another Microsoft mitigation from almost a decade ago (I am dating myself now).

This warning was included in Outlook 2000 Service Pack 2 and above and was a direct result of worms such as the ILOVEYOU virus, which leveraged VBA in Outlook to spread to the others in the victim's contact list. Did it stop the propagation of such malware?

Certainly, properly architecting OWA and placing it behind a proxy with appropriate ACLs that restrict outbound connections would be a better solution than a warning. This may not be feasible for small businesses, however. End-user education is always a must, but with spam and attacks becoming more streamlined and targeted, this is not a realistic solution in itself. I propose the better solution would be to provide systems administrators with an easy way to turn redirection off (that is a hint, Microsoft). Hey, let's get a bit crazy! Let's make the default setting be disabled.

I think most of us understand the concept of the path of least resistance. Attackers will always take the road that is less bumpy. History has proven that phishing is one such avenue. Many attack vectors have come and gone, yet phishing attacks still exist. Let's not give the bad guys anything that is going to make their jobs any easier. Now go forth and mitigate!
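As an added example (not from the original post, and not Microsoft's or OWA's own code), here is the kind of redirect-target check a reverse proxy in front of OWA, or a log review, could apply to the two request forms quoted above (owalogon.asp?url= and redir.aspx?URL=): it pulls the redirect parameter, decodes it, and only accepts a site-relative path or an http(s) URL on an allowed host. The host names and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts a redirect may legitimately point at (constructed for this example, not an OWA setting).
ALLOWED_HOSTS = {"mail.example.com"}

# Redirect parameters used by the two OWA request forms discussed above.
REDIRECT_PARAMS = ("url", "URL", "redirectPath")

def redirect_target(request_url):
    """Return the raw value of the redirect parameter, or None if absent."""
    qs = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        if name in qs:
            return qs[name][0]
    return None

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a site-relative path or an http(s) URL on an allowed host."""
    decoded = target
    for _ in range(3):  # collapse double encoding such as http%253a%252f%252f
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Browsers treat a backslash like a slash, so /\host would escape the site.
    decoded = decoded.strip().replace("\\", "/")
    parts = urlsplit(decoded)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    if parts.netloc:  # absolute or scheme-relative (//host) URL
        # hostname, not netloc, so user@host and :port tricks do not fool the check
        return parts.hostname is not None and parts.hostname.lower() in allowed_hosts
    return decoded.startswith("/") and not decoded.startswith("//")

def classify_request(request_url):
    """Label a logged OWA request 'no-redirect', 'safe' or 'external'."""
    target = redirect_target(request_url)
    if target is None:
        return "no-redirect"
    return "safe" if is_safe_redirect(target) else "external"

# Constructed sample requests in the shape of the URLs quoted in the post.
SAMPLE_REQUESTS = [
    "https://mail.example.com/owa/",
    "https://mail.example.com/owa/redir.aspx?URL=%2fowa%2f%3fae%3dFolder",
    "https://mail.example.com/exchweb/bin/auth/owalogon.asp?url=http://attacker.example.net/file.exe",
    "https://mail.example.com/owa/user@mail.example.com/redir.aspx?URL=http%3a%2f%2fattacker.example.net%2ffile.exe",
]

def external_redirects(requests=SAMPLE_REQUESTS):
    """Return the requests whose redirect leaves the allowed hosts (for log review)."""
    return [r for r in requests if classify_request(r) == "external"]
```

Run over the sample list, only the two requests pointing at attacker.example.net are flagged; a relative OWA path and a bare /owa/ request pass.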

Monday, January 4, 2010

What's in a Word?

So I was doing the post-holiday vacation catch-up with my email last night and found several emails in my inbox referencing a Boston Globe article published yesterday. The article is titled Data Breaches Affect Million State Residents.

To summarize, the article briefly reviews the amount of data loss containing Personally Identifiable Information (PII) of Massachusetts residents reported since MGL Chapter 93H was put into effect in October 2007. I was happy to see some general media coverage of the 2007 law and the newer 201 CMR 17.00 regulation, which is scheduled to become effective in March 2010. I quickly became annoyed, however.

What struck me was a quote in the article from Barbara Anthony, Undersecretary of the Office of Consumer Affairs and Business Regulation.

“In 60 percent of the cases, the breaches were due to criminal acts,’’ said Anthony. “Forty percent were negligence.’’

<disclaimer>I am not an attorney nor do I play one on TV!</disclaimer>

I live and work in Massachusetts, so I am familiar with both these laws. I have to say I have a real problem with this statement. Let's first look up the definition of the word negligence. It is, after all, a legal term, and therein lies my issue with her statement.

From dictionary.com:
–noun
3. Law. the failure to exercise that degree of care that, in the circumstances, the law requires for the protection of other persons or those interests of other persons that may be injuriously affected by the want of such care.

–adjective
4. Law. pertaining to or involving a civil action for compensation for damages filed by a person who claims to have suffered an injury or loss in an accident caused by another's negligence: a negligence suit; a large negligence award.

So if a criminal act was used to obtain data by way of an individual's or company's neglect to adequately protect that data, would that not be considered "negligence"? I would argue that most of the 807 cases reported by the Commonwealth of Massachusetts were probably caused by some form of negligence. If an employee of a company storing such data copies the data to his/her laptop against company policy, and that laptop is stolen from the front seat of his/her vehicle, then that is a criminal act caused by negligence. If a company's system administrator forgets to apply a security patch to a critical system prior to leaving for two weeks of vacation, the server is compromised, and the data is stolen, I would also consider that a criminal act resulting from negligence.

My point is I would like to know how the Commonwealth is differentiating between a criminal act and negligence, since the latter can often lead to the former. I believe their logic and consequently their statistics are flawed. Moreover, neither law seems to define such terminology.

So why is this important? I believe companies should be held legally liable. The term negligence implies that I, as a consumer residing in the Commonwealth of Massachusetts, should be able to hold a company that is storing my Personally Identifiable Information liable in criminal and civil court if it has been negligent in protecting my data. Is that not the purpose of law? Until then, I do not believe these laws and regulations will have any substantial positive effect. They are just security theater.

On a related note, I found this great post on the philosecurity.org blog waiting in my RSS reader last night: Why Data Breaches Don't Get Reported.