What the WAF?

I’ve been noticing a trend: security vendors promise security-in-a-box, and Web Application Firewalls (WAFs) are being promoted as one such box. Unfortunately, organisations are dancing to this suggestive, albeit dangerous, tune.

As a result, organisations choose to filter out the traffic that would exploit their known vulnerabilities at the WAF (so-called virtual patching) instead of applying vendor-approved updates and fixes, or refactoring or rewriting the vulnerable code.

Don’t give your WAF the whole responsibility!

A WAF is a piece of software that applies a set of rules to an HTTP conversation. Those rules let the organisation make control-flow decisions about each request and response (allow, block, log) and so help mitigate certain common attacks on the Web (XSS, SQLi, etc.).

In short, it adds an additional layer of security in front of a web application, which is a good thing. It does so by keeping a separate rule-set for the detection and prevention of attacks, leaving the application itself oblivious to such attempts.

“Just because you feel safe, doesn’t mean that you’re secure”

WAFs exist in many different guises: network appliances, full-blown applications or even modules running inside web servers. When correctly deployed, WAFs are a huge help in preventing some common attacks on organisations’ applications. Cross-site scripting, SQL injection and brute-force attacks are at the top of the list of attacks that a correctly configured WAF can help prevent.

Of course this doesn’t mean that by having a WAF you don’t have to include security-aware developers and secure coding practices, or stop applying security updates, just because you are “protected” against some of these threats. Security controls should be placed as near as possible to the asset you are trying to protect and a defence-in-depth approach is required. A WAF should therefore be one of many security measures deployed, not relied on in isolation.

“In the absence of other factors, always use the most secure options available.” – Dr. Joel Snyder

Whilst filtering the input and output of your application might protect you against some of the OWASP Top Ten, a WAF can only block the specific, well-known attack patterns its rules describe. Anything the rule author did not anticipate, whether a differently encoded payload or a flaw in business logic, authentication or access control that looks like legitimate traffic, goes straight through.
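To make that limitation concrete, here is an added example (my own code, not from the original post) in Python with an in-memory SQLite table: a two-rule signature filter stands in for a WAF in front of a login query built by string concatenation, beside the parameterised version of the same query. The table, the rules and the payloads are constructed for the illustration.

```python
import re
import sqlite3


# Constructed user table for the example; not from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# Two signature rules of the kind a WAF rule-set carries. They stop the
# textbook payloads they were written for, and nothing else.
WAF_RULES = [
    re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR '1'='1 and ' OR 1=1
    re.compile(r"--|/\*|;"),                                  # comment markers, stacked queries
]


def waf_allows(value):
    """True when no rule matches; this is the whole 'virtual patch'."""
    return not any(rule.search(value) for rule in WAF_RULES)


def login_vulnerable(conn, username, password):
    # String concatenation: user input becomes part of the SQL grammar.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameterised query: input is bound as data and cannot alter the statement.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def attempt(conn, login, username, password):
    """Run one login request through the WAF rules, then through the given handler.

    Returns 'blocked', 'authenticated' or 'rejected'.
    """
    if not (waf_allows(username) and waf_allows(password)):
        return "blocked"
    return "authenticated" if login(conn, username, password) else "rejected"


if __name__ == "__main__":
    db = make_db()
    textbook = "' OR '1'='1"   # the payload the first rule was written for
    variant = "' OR 'a'='a"    # same effect on the query, absent from the rule-set
    for handler in (login_vulnerable, login_fixed):
        for payload in (textbook, variant):
            print(handler.__name__, repr(payload), attempt(db, handler, "alice", payload))
```

The rule stops the payload its author had in mind; the trivial variant goes straight through to the concatenated query and logs in as alice without her password. The parameterised query is indifferent to both, which is the point: the fix belongs in the code, and the WAF is a second lock on the same door, not a replacement for the first.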

Keeping in tune with the “locking doors behind locked doors” mantra that guides the defence-in-depth approach, you should keep raising the overall security of your environment to keep pace with current threats: apply security patches, fix security bugs in software, harden configurations, and establish and maintain security baselines.

Security is not a recipe. Security is an ongoing process that evolves over time, and that process means keeping everything current: devices (security patches), people (security awareness) and processes (security reviews).

Relying on a WAF to shield a known weakness so that you can avoid patching it will only lead to more headaches further down the line.

This subject is something that we will explore further in later posts.

 

Security Testing Project Manager

We are looking for a Security Testing Project Manager to join the team.

The role of the Security Testing Project Manager will be to work within 7 Elements’ busy technical team to manage the delivery of security testing whilst ensuring 7 Elements’ high standards of customer service are met.  The main focus of the role is to ensure the smooth and effective delivery of security tests through technical project management. This role is key to the effective functioning of the overall test team. The project manager will be responsible for ensuring process is followed and that standards are met. This will require effective communication with clients and the testing team.

This role is ideal for an individual with a solid technical understanding of information technology and associated terminology and a basic understanding of information security looking for their first role within the information security industry.  The role will allow an individual to gain an understanding of the broad spectrum of security testing in a business environment and the challenges this brings. As a customer facing role it will also enable the individual to gain that vital experience of working with businesses and understanding their requirements.

For further information visit our careers page.

My trip to BSides Lisbon 2013

On the 4th October, I flocked to BSides Lisbon 2013 to talk about Cell Injection.

It was the first meeting of this kind in Portugal (for infosec people by infosec people, open to the general public, free admission, international speakers and attendees). There were about 180 people there in both rooms.


Other than my talk, here’s a rundown of what I saw.

Convincing your friend that a Website sucks by Colin McLean

Colin tried to prove to his friend Mark a website he used wasn’t that safe… and failed. The end result – and a big win – is this talk. We should realise that after all this time, since the beginning of the World Wide Web, we still haven’t been able to prove automatically and successfully if a site is doing something malicious. Colin’s initial solution is a smart mix of proxying, analysis and IDS techniques. It looks very promising. I just hope Colin is able to find a grad student that tackles this issue and fixes it for us!

Security (A)SAP by Bruno Morisson

This talk was about SAP, the hugely complex ERP system found in most large companies in the world, and the challenges of keeping such critical systems secure and healthy. Some of the work presented resulted in a Metasploit module for SAP pen-testing. A typical talk at these gatherings.

Digital Forensics in today’s digital world by David Marques

In this talk, David gave us a general and introductory overview of Digital Forensics: starting with digital forensics’ history, describing the different mindsets of technical forensicators and the legal crowd (judges and lawyers), existing software and its usage, and explaining the current (and future) challenges for a forensics company. Unfortunately, in the end, Q&A fell back to the oldest discussion in the books: “Open-Source” vs “Proprietary” Software. A very good intro to the Digital Forensics world, nonetheless.

All your sites are belong to Burp by Tiago Mendo

A plain talk that had a bit for everyone, an introduction to Burp for the newbies and developers and tips that experienced users always enjoy (Macros and Extensions). I also learned about using both Intruder and the Scanner to optimize testing. I actually overheard someone in the room say “where do I sign to get this fantastic piece of software?”. Oh, and I do believe Dafydd Stuttard deserves every penny he is paid for Burp!

“there is no spoon” – The art of “bending” a vulnerability with the power of mind by Pedro Cabrita

Revisiting the idea that automated vulnerability scanning is worth what it is worth, Pedro described several vulnerabilities in a custom-tailored app that some of the automated vulnerability scanners couldn’t find. Some of these vulnerabilities were so basic and immediate that even a more inexperienced tester would find them. While the topic isn’t new, it made a good point, since it explains the skewed perception of reality organisations have after being submitted to testing. Testing for security isn’t a case of point & shoot, or point & click in our case. Just as attackers are somewhat artistic in their trade, so too should testers be. Automated testing tools are just that, tools. Give a skilled tester some good tools and he will deliver.

Revisiting Mac OS X Rootkits by Pedro Vilaça

Unfortunately, I only saw the end of this talk since I was at Pedro Cabrita’s talk, but from what I gathered, Pedro is one of the world’s authorities on OS X rootkits and his work is mind-blowing and an eye-opener regarding OS X’s security. One of my favourite talks.

Securing Password Storage – Increasing Resistance to Brute Force Attacks by Tiago Teles

As recent years have shown, storing passwords securely has proven quite difficult, judging by all the password leaks and disclosures, even for big players like Yahoo!, Twitter and LinkedIn. After an introduction to the design decisions and evolution of hashing functions for password storage, Tiago from Cigital proposed an HMAC-based solution for storing user passwords. It was quite an interesting and technical talk with some food for thought on the future of secure password storage and management for organisations.
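As an added illustration of what keying a password hash with an HMAC buys you (my own code, not taken from Tiago’s slides, and not necessarily the exact construction he presented): the password is first keyed with a secret pepper through HMAC, then run through a slow, salted PBKDF2 derivation. The pepper value and iteration count below are constructed for the example; in production the pepper lives outside the database, in an HSM, a KMS or at least a file the database account cannot read.

```python
import base64
import hashlib
import hmac
import os

# Constructed pepper for the example only; never stored next to the hashes.
PEPPER = bytes.fromhex("9f2c3b8a4d5e6f70112233445566778899aabbccddeeff00")
ITERATIONS = 100_000
ALG = "hmac-sha256+pbkdf2-sha256"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def hash_password(password, pepper=PEPPER, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: alg$iterations$salt$hash (salt and hash base64)."""
    salt = salt if salt is not None else os.urandom(16)
    # Step 1: key the password with the pepper. An attacker holding only the
    # database dump lacks the pepper and cannot verify a single guess offline.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Step 2: slow, salted derivation, so identical passwords give different
    # records and every guess costs `iterations` HMAC computations even for
    # an attacker who does obtain the pepper.
    derived = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return "$".join([ALG, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password, record, pepper=PEPPER):
    """Recompute the record from its own salt and iteration count and compare in constant time."""
    alg, iterations, salt_b64, _hash_b64 = record.split("$")
    if alg != ALG:
        raise ValueError("unknown password record format: %s" % alg)
    candidate = hash_password(password, pepper, _unb64(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, record)


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored record is weaker than the current policy (old alg or fewer iterations)."""
    alg, stored_iterations, _salt, _hash = record.split("$")
    return alg != ALG or int(stored_iterations) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
    print("dump without pepper:", verify_password("correct horse battery staple", record, pepper=b"guess"))
```

Two properties fall out of the layout: the same password never produces the same record twice (random salt), and a record cannot be checked without the pepper, so a leaked table on its own is not attackable. Storing the algorithm and iteration count in the record lets you raise the work factor later and rehash users on their next successful login.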

Man vs Internet or The future of Authentication by Luís Grangeia

Why is it so hard for people (even us, infosec professionals) to properly and securely manage our digital online selves? In his talk, Luís talked about the Mat Honan digital life theft case, authentication and the management of digital identities. It was a basic subject but still something we haven’t completely figured out and often leave to superficial thinking and management, without realising we are putting ourselves at unnecessary risk with a high likelihood of exploitation. Luís finished the talk with some ideas on how to increase our security and raised awareness of these topics. A very interesting talk with a lot of food for thought.

I’m the guy your CSO is STILL warning you about by Gavin Ewan

Gavin is a funny and gifted speaker. He has the heart of a Social Engineer: he lures you in and you’re hopelessly captivated. His words debunk common Social Engineering misconceptions and cover juicy targets and successful results. It’s funny how information disclosed for legal compliance, and leaked results, so often help the attacker, especially since attackers usually turn out not to be uber-nerdy-obsessive-technically-proficient… just really motivated beings. Information acquisition is, more often than not, one Google search away! You just need to be smart in how you use it.

Aftermath

Other than the talks, there was a crypto-challenge – decrypting a file containing an encrypted version of the SGFja2VyJ3MgTWFuaWZlc3Rv (spoiler avoided by b64-encoding) – and two attendees signed up for lightning talks. For this, the participants won the possibility of having dinner with the speakers.

Dinner ensued at a Brazilian meat restaurant, “Orizon”, where almost all the speakers met (I missed all the other Scots who travelled to Portugal for the event!), followed by drinks at Expo’s Peter’s to wrap up.

All in all, a good informal InfoSec meeting. I was pleased to see that some of the talks developed ideas from previous shorter talks at “Confraria da Segurança Informática”, a monthly InfoSec meeting very much in the spirit of BSides, only smaller. They have an active community there.

Congratulations to Tiago Henriques and Bruno Morisson for making this event happen. Next year, we might have a BeachCon…

Looking forward to BSides Lisbon 2014!

Cloud Security

On the 24th September I had the opportunity to talk at the Cloud Security Alliance Symposium, a free event in support of the Cloud Security Alliance EMEA Congress 2013 hosted in Edinburgh on Cloud Security. My talk focused on real life examples of cloud security issues and internal research that we at 7 Elements had been working on. Our earlier paper on cloud security issues can be found here. This blog post covers some of the themes discussed during my talk.

 

Cloud Basics

What is the Cloud? Well, in short, it is a great marketing gimmick. There is no one individual thing called the ‘Cloud’. The Cloud is a term used to describe multiple service offerings such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). All of these are characterised by on-demand provisioning, the ability to scale rapidly, and payment only for the resources consumed at any given point.

 

Key Risks

What are the key risks presented by using the Cloud? For me, the key risks and some of the issues that an organisation should explore when looking at the Cloud break down as follows:

Cloud Security Risks

 

Legal Jurisdiction

As an organisation you should be aware of how legal requirements to disclose data may be affected by the geography of where the data is stored. If you are based in the UK and use a US-based Cloud provider, consider the impact on your organisation if the US courts enforce disclosure of your sensitive data. Where the Cloud is used to store or process sensitive personal data, there may be an impact on your compliance with the applicable regulation (in the UK, the Data Protection Act), which you will need to fully understand and mitigate.

 

Geographical Location

Different geographical locations mean different legal jurisdictions, which will have an impact on your legal and regulatory requirements within each of those regions. This may restrict the type of data that can be stored or processed or limit how the data in question can be transferred between locations. The ability to encrypt data will also be impacted within certain locations due to export restrictions.

 

Access to Data

Many Cloud services are based on the use of shared services or multi-tenancy solutions. The benefit to the end user is reduced costs, but this can also lead to security concerns. The data may be at risk of attack from another user of the same Cloud service due to the architecture in use. Consideration should be given to how the Cloud provider has limited the possibility of data compromise.

 

Data Destruction

With the Cloud, you can grow and shrink your resource requirement. When the data on disks is no longer needed then it will need to be destroyed. You will need to gain assurance that this has been destroyed in compliance with your organisation’s standards, that the next user of that environment will not accidentally gain access to your data, and that you have met any regulatory requirements.

 

Data Availability

The Cloud sells itself as always being there. The data is ‘in the Cloud’, so you will always have access to it. However, the Cloud brings its own impact in relation to your organisational business continuity plans and disaster recovery approach. Consideration should be given to scenarios where the Cloud provider fails, or your ability to connect to the Internet fails. This may render the data unavailable.

 

Economic Denial of Service

What controls do you have in place to protect against unauthorised provisioning of cloud instances? Based on a simple example of an attacker gaining access to an organisation’s provisioning capability (a real-life example of gaining such access is included later in this post), we have estimated that an attacker could cause an individual organisation £14,000 of costs in a single day. More on this will follow in a separate blog post on Economic Denial of Service.

 

Cloud Security

The talk then moved on to real life examples of cloud based security issues.

 

Geographical Location

The first focused on the geographical location for data. Did you know that internally created or ‘private’ cloud installations can be configured to automatically connect to the public cloud if capacity is reached?

The following example shows a private cloud, configured to do just this:

 

Server instantiated on Eucalyptus.
Number of instances running: 1
=================================================================
Auto-scaling successful
Instantiated web server: instanceID i-35AE00C1
Number of servers: 2
=================================================================
Cloud bursting successful
Instantiated web server on EC2: instanceID i-32CB323A
Number of servers: 3
=================================================================

 

The issue here is that the data is now outside the organisation’s boundary and is stored on Amazon EC2. Given this scenario, there would be no prior warning and no assessment of the data that is now in the public cloud. This could lead to information disclosure or a breach of data handling requirements.

 

Access to Data

We then looked at the issue of who has access to your data. A recent article outlined how Dropbox was accessing uploaded Word documents. The researcher discovered that his documents were being opened by Dropbox-owned Amazon EC2 instances automatically, 10 minutes after they had been uploaded, although other file types were not being accessed. The following screenshot shows the EC2 IP addresses accessing the documents:

 

Dropbox

 

More on this issue can be found in our previous blog post here.

 

At the end of the talk, I then provided a live demo of how easy it was to identify valid Amazon EC2 and S3 access and secret key values and use these to enumerate running cloud instances.

 

$ ruby enumerate.rb
Enumerating AWS account AKWWR5MSIHCI7FH3HIAA
EC2 Instances
——————————————————————————-
[*] i-828b26e4 / running / 54.224.143.100

S3 Buckets
——————————————————————————-
oa-site-backups
– /home/data/_backups/20130902.database.sql.tgz
– /home/data/_backups/20130901.database.sql.tgz

 

An individual with access to these credentials could start new cloud instances (potentially leading to an economic denial of service), stop running services (a more conventional denial of service) or, more importantly, access the data stored within that instance and, as the output above shows, in the account’s S3 buckets, here including database backups. This issue will be covered in more detail in our next Cloud Security blog post.
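As an added example of the first step in that demo, finding key material in the first place (my own code, not the enumerate.rb script from the talk, which is not reproduced here): the Python below scans text for AWS-shaped access key and secret key pairs, filtering out template placeholders and git hashes with an entropy check, since a 40-character hex string can never exceed 4 bits per character while a real base64 secret sits well above it. The sample input is constructed and uses Amazon’s own documented example key pair. The two boto3 helpers at the end call real SDK methods (STS GetCallerIdentity and EC2 DescribeInstances) but need network access and credentials, so they are not exercised offline.

```python
import math
import re
from collections import namedtuple

# AWS access key IDs are 20 upper-case alphanumerics; secret keys are 40
# characters from the base64 alphabet without padding. Both patterns are
# deliberately loose: the entropy test below does the real filtering.
ACCESS_KEY_RE = re.compile(r"\b[A-Z0-9]{20}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_MIN_ENTROPY = 4.0   # bits per character; 40 hex digits top out just under this
PAIR_WINDOW = 3            # lines either side of an access key to look for its secret

Credential = namedtuple("Credential", "line access_key secret_key")


def shannon_entropy(text):
    """Bits per character of `text` under its own symbol frequencies."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(token):
    """Reject templates (AAAA...), hex digests (git SHAs) and other low-entropy 40-char runs."""
    if re.fullmatch(r"[A-Za-z0-9/+]{40}", token) is None:
        return False
    if all(ch in "0123456789abcdefABCDEF" for ch in token):
        return False
    return shannon_entropy(token) > SECRET_MIN_ENTROPY


def find_credentials(text, window=PAIR_WINDOW):
    """Return access-key/secret pairs that occur within `window` lines of each other."""
    lines = text.splitlines()
    secrets = []  # (line number, candidate secret)
    for no, line in enumerate(lines, 1):
        for m in SECRET_KEY_RE.finditer(line):
            if looks_like_secret(m.group(0)):
                secrets.append((no, m.group(0)))
    found = []
    for no, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            for secret_no, secret in secrets:
                if abs(secret_no - no) <= window:
                    found.append(Credential(no, m.group(0), secret))
    return found


def whoami(access_key, secret_key):
    """Validate a pair with STS. Needs network and boto3 (assumed installed); not run offline."""
    import boto3
    sts = boto3.client("sts", aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    return sts.get_caller_identity()["Arn"]


def running_instances(access_key, secret_key, region="us-east-1"):
    """List running EC2 instances for the pair, the step the talk's output shows. Not run offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region,
                       aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    resp = ec2.describe_instances(Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    return [(i["InstanceId"], i.get("PublicIpAddress"))
            for r in resp["Reservations"] for i in r["Instances"]]


# Constructed sample: a credentials file committed by mistake, a template
# placeholder and a git commit hash, to show what is kept and what is dropped.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

AWS_SECRET=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
commit 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for cred in find_credentials(SAMPLE):
        print("line %d: %s / %s..." % (cred.line, cred.access_key, cred.secret_key[:4]))
```

Run it over a checked-out repository, a config share or a backup dump and every hit is a pair to validate with `whoami` before anything else; the placeholder and the commit hash are dropped by the entropy and hex checks rather than by a longer regex, which is what keeps the scanner useful on real, noisy input.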

Conclusion

As we have seen, in many ways the Cloud is no different from the wider challenge of managing an organisation’s data securely. However, along with these unique opportunities come unique risks. We need to understand those risks, assess the data we wish to put into the Cloud, and understand how important that data is to the business in terms of confidentiality, integrity and availability.