Monday, 29 April 2013

Your Mac, iPhone or iPad may have left the Apple store with a serious security risk

Just over a year ago to the day, my wife and I walked into the Apple store in Sydney’s CBD and bought her a shiny new MacBook Air. Macs weren’t familiar territory for us so we happily accepted the offer for a staff member to walk us through some of the nuts and bolts of OSX. That was a handy little starter and we left the store none the wiser that the machine now had a serious security risk that wouldn’t become apparent for another year.

A couple of weeks ago I wrote about my new favourite device, the Wi-Fi Pineapple. Despite its friendly tropical name, the Pineapple is a piece of cigarette-pack-sized professional security equipment I picked up online for $100 to help me demonstrate secure coding practices. Specifically, it’s helping me educate web developers about the risk of not using encryption between browsers and the websites they’re communicating with, something that needs to be built into the design of the site itself.

Among the various party tricks packed into this little piece of equipment is a feature called “Karma”, and it works like this: when you connect a device to a wireless network – let’s imagine the network is named “WILSON” for the purposes of demonstration – the device then continues to look for that network in perpetuity. What that means is that the device (laptop, smartphone, tablet, etc.) is running around shouting “WILSON, WILSON, where are you WILSON?” What Karma says when it hears this is “I’m WILSON, let’s get connected”, and if WILSON wasn’t originally secured with a wireless password, the device connects to the Pineapple automatically. It now looks just like a normal wireless connection, and it has been made without any action whatsoever on the user’s behalf.

You didn’t know this could happen? It’s written right there on the wireless network screen of every iOS device, albeit without explaining that “Known” means nothing more than an access point claiming to be exactly what the device has just publicly broadcast it’s looking for:

iPhone stating that "Known networks will be joined automatically"

So what’s the risk of a device connecting to the Pineapple (or any similar equipment – it’s not the only one) without knowing it? It means that every single byte of data that passes through that connection and is not encrypted can be read or changed by an attacker. Passwords, personal information, photos, videos and anything else not properly protected by the website can be intercepted. Links to secure login pages, documents, emails and even banking websites can be manipulated when that protection doesn’t exist.

What’s now evident is that a large number of devices are leaving Apple stores after having been connected to an insecure network, leaving them at risk for years to come. Let me explain.

Wednesday, 17 April 2013

The beginner’s guide to breaking website security with nothing more than a Pineapple

You know how security people get all uppity about SSL this and SSL that? Stuff like posting creds over HTTPS isn’t enough, you have to load login forms over HTTPS as well and then you can’t send auth cookies over HTTP because they’ll get sniffed and sessions hijacked and so on and so forth. This is all pretty much security people rhetoric designed to instil fear but without a whole lot of practical basis, right?

That’s an easy assumption to make because it’s hard to observe the risk of insufficient transport layer protection being exploited, at least compared to something like XSS or SQL injection. But it turns out that exploiting unprotected network traffic can actually be extremely simple; you just need to have the right gear. Say hello to my little friend:

Wi-Fi Pineapple

This, quite clearly, is a Pineapple. But it’s not just any pineapple, it’s a Wi-Fi Pineapple and it has some very impressive party tricks that will help the naysayers understand the real risk of insufficient transport layer protection in web applications which, hopefully, will ultimately help them build safer sites. Let me demonstrate.

Wednesday, 3 April 2013

5 ways to implement HTTPS in an insufficient manner (and leak sensitive data)

HTTPS or SSL or TLS or whatever you want to call it can be a confusing beast. Some say it’s just about protecting your password and banking info whilst the packets are flying around the web but I’ve long said that SSL is not about encryption.

As an indication of how tricky the whole situation is, OWASP talks about insufficient transport layer security. Not “have you done it right” or “have you done it wrong”, rather have you considered all the little nuances that go into the correct implementation of this invaluable security feature.

Naturally, when this tweet from Mark Hemmings popped up on my timeline I was a little intrigued:

WRONG @Top_CashBack (cc @troyhunt)

We’ve all seen this before right? Clearly it means your valuable password is being sent over the wire in plain text and the ghosts in the wires will immediately harvest them and do frightful things with them, won’t they? Apparently not:

@mhemmings Hi Mark, The login box, which is the important bit on this page is secure. It is a separate iFrame, which is a https page...

This is not your usual customer service rhetoric – these guys know about iFrames! They continue:

@mhemmings ...all our key pages on the site are also secure, so your profile etc all have secure addresses. I hope this helps, thanks, TCB

The key here is the word “key” in that sentence. Hang on – so the other pages aren’t sent over secure connections? What happens once you’re already logged on and your authenticated session is then carried over those plain HTTP pages?

This is a great opportunity to revisit the quirks of HTTPS because as it turns out, Mark is spot on and there are some very insufficient practices going on here. Let me break it down into 5 discrete problems and why each one of them undermines the HTTPS implementation not just on Top CashBack, but on many other sites following the same patterns.
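The two patterns raised in the exchange above (an HTTPS login box framed inside a plain-HTTP page, and member pages served over HTTP after login) can be checked mechanically. The following is an added example, not code from the original post: it runs over a constructed page and constructed `Set-Cookie` headers, with hypothetical URLs on `example.test`.

```python
"""Added example: flag the HTTPS patterns a Pineapple on the path would exploit.
The sample page, URLs and cookie header below are constructed, not from a real site."""
import re
from urllib.parse import urlparse

# Constructed sample: HTTP login page embedding the real form in an HTTPS iframe,
# and a post-login page that sets the auth cookie without the Secure flag.
LOGIN_URL = "http://www.example.test/login"
LOGIN_HTML = '<h1>Log in</h1><iframe src="https://www.example.test/loginframe"></iframe>'
MEMBER_URL = "http://www.example.test/profile"
MEMBER_COOKIE = "auth=abc123; Path=/; HttpOnly"  # no Secure attribute


def cookie_findings(set_cookie_headers):
    """Flag cookies a browser would also attach to plain-HTTP requests."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags like Secure carry no value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(
                f"cookie {name!r} lacks Secure: it rides along on every HTTP request too")
    return findings


def check_page(url, html, set_cookie_headers=()):
    """Return a list of transport-protection findings for one fetched page."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("page loaded over HTTP: anyone on the path can read or rewrite it")
        # An HTTPS iframe or form is only as trustworthy as the HTTP parent
        # that decides where it points.
        for target in re.findall(
                r'<(?:iframe|form)\b[^>]*?(?:src|action)="([^"]+)"', html, re.I):
            if urlparse(target).scheme == "https":
                findings.append(
                    f"HTTPS login frame/form {target} inside an HTTP page: "
                    "the parent can be rewritten to point somewhere else")
    findings.extend(cookie_findings(set_cookie_headers))
    return findings


if __name__ == "__main__":
    for line in check_page(LOGIN_URL, LOGIN_HTML) + check_page(MEMBER_URL, "<p>Hi</p>", [MEMBER_COOKIE]):
        print("-", line)
```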

Tuesday, 2 April 2013

I’m back! MVP again for 2013

Despite the anniversary continually falling on that most foolish of days, it appears I have indeed been renewed and will now go into my third year of MVP’dom.

Microsoft Most Valuable Professional

For those of you not familiar with the process, every year as an MVP’s renewal date approaches, the powers that be at Microsoft look at what you’ve done and work out if you’ve aligned closely enough with the MVP ethos to deserve a renewal. As part of the process, MVPs keep track of their highlights from the year which is actually a good opportunity to reflect on what we’ve been able to contribute to the technology community.

I churned out 59 blog posts with about 1.13 million page views, had a truckload of comments via Disqus (is there an easy way to tell numbers on Disqus?), pushed half a dozen videos to YouTube with 364k views across 1.76 million minutes of viewing time (yeah, surprised me too!), hit the media dozens of times (tech and mainstream), spoke on half a dozen podcasts, presented at DDD Sydney and Web Directions, appeared on national TV twice (once on cold call scams and again on internet banking) and presented at three user groups.

The highlights (at least in terms of blog post page views) were:

  1. Lessons in website security anti-patterns by Tesco (no surprises there!)
  2. 10 lessons for uncultured web developers (some great discussions on this in the comments)
  3. Scamming the scammers – catching the virus call centre scammers red-handed (and yes, the bastards are still at it)

In amongst all that, I also totally redesigned the site (welcome mobile users!), added some ads (which unfortunately haven’t bought me a Ferrari yet, but the fuel bill is covered), wrote a complete classroom training course on the OWASP Top 10 for .NET developers, built out ASafaWeb further including the ability to schedule scans and of course got myself along to the MVP summit in Seattle.

Thanks again to the folks who have contributed great ideas, actively and robustly discussed my content online and in person and generally just engaged in making the web a more enjoyable and more secure place to be.