Friday, September 07, 2012

Duplicate Section Defined in Web.config

I looked into a web.config parsing error which troubled me on one web server and not another...

It was an web application with elements of .Net 2 but compiled under 3.5.   The app would compile fine but upon publishing the app there would be config errors. The particular error depended on if you were in the IDE or IIS7.  In IIS 7 the app would load and run fine but would not allow you to edit any site settings without throwing a "duplicate script section" error.  Basically it was implying that the script attribute had already been defined.

After finding that there was no duplicate and that all the tags were closed properly I checked it with another IIS instance and it worked fine.  This told me that it was probably related to the framework version on the app pool.

I right-clicked the site name in IIS, clicked Manage Application and picked Advanced Settings...

Then I clicked Application Pool and changed it from "Classic .Net App Pool" (framework 4.0) to ASP NET V2 Integrated.  (I used Integrated rather than V2 Classic because the script tag definitions in question called for Integrated mode)

Immediately the site settings like authentication etc. were editable in IIS without throwing errors.

So if you have a similarly impossible configuration error in IIS, check your framework version since xml tag implementations can differ from version to version... each framework "sees" the Web.Config file in a different context and may not understand some settings or choke on deprecated settings.

Tuesday, July 03, 2012

Y2K Micro

The addition of a leap second to the world's atomic clocks this weekend produced some spectacular crashes of Java software around the web.  (One might wonder why not in other software?  But that question is complicated enough to require a separate post) Some of the more notable epic fails were in Redit, StumbleUpon, Yelp and FourSquare and other systems running Hadoop and Cassandra possibly in combination with Firefox.
In 2006 we reported a large-change clock vulnerability that affected Zone Alarm, Norton, and several other anti-virus vendors and Microsoft.  The security companies quickly remedied the problem but Microsoft hedged until we produced a proof of concept exploit.  Software vendors typically don't really care too much about date based issues unless they affect security or credibility.

The leap-second clock problem was a small-change clock issue which probably should have been tested just in the likely event that someone would eventually block the time synch port and duplicate this issue by accident.  It is incumbent upon developers of 24x7 software to plan for the unexpected and test their systems for time-change crashes and vulnerabilities.  Timing attacks in various forms are often part of a hacker's arsenal and should be part of every test plan.

As authentication systems and date-based database transactions rely more strongly on precise clock synchronization, it is important for the computing community to take clock changes a little more seriously and notify industry ahead of time so these issues can be tested and addressed.  Leap-second tweaking will continue in the future as the earth and moon continue to synchronize.  Software, just like the earth and moon, has to adjust accordingly.

Saturday, June 16, 2012

Threat Modeling with Customers as Assets

One thing I've been contemplating lately is if the security world isn't missing something when threat modeling.
Threat modeling will generally list assets and then see what kinds of threats can threaten those assets and see what the expected loss might be.  Assets are typically thought of as being physical systems like a web server or database. 

But a consideration has been percolating since I had a discussion with one very confident threat modeler working for a fortune 100 company.  I suggested that it would be possible to consider a customer, who has a company distributed token and can move their data from one service to another in seconds, could be considered an asset.  This credentialed expert was absolutely beside himself with indignation, "the business doesn't own the customer. And a customer is also not an asset because a customer can't be attacked or exploited!" 

Oh really?

Follow me down this rabbit hole and see if there isn't a case to be made for at least considering that your customers might be an asset.

An asset is defined as:
"Any item of economic value owned by an individual or corporation, especially that which could be converted to cash. Examples are cash, securities, accounts receivable, inventory, office equipment, real estate, a car, and other property. On a balance sheet, assets are equal to the sum of liabilities, common stock, preferred stock, and retained earnings. From an accounting perspective, assets are divided into the following categories: current assets (cash and other liquid items), long-term assets (real estate, plant, equipment), prepaid and deferred assets (expenditures for future costs such as insurance, rent, interest), and intangible assets (trademarks, patents, copyrights, goodwill)."

As a business do you invest money to retain customers? - maybe you don't own customers but you invest in them -
As a business do you carefully maintain and grow your customer base?
As a business do customers provide you money? (maybe not unlike accounts receivable?)
As a business, if all of your customers leave do your physical assets have any value beyond their depreciated physical value?

So I think a reasonable person would agree that customers are an investment which pays dividends over time.  Also note in the definition of asset the sub list of "intangible assets" which include... goodwill.  Your customers represent a huge pile of cash which may or may not be delivered to your revenue stream. (think Netflix when they changed their terms and service model)

So let's say for the sake of argument that customers are the embodiment of goodwill represented in terms of accounts receivable and have been invested in both in terms of advertising dollars and education as you have tried to help your customer keep themselves secure while they use your product.

Let's go further and examine this claim that a customer cannot be attacked by a hacker.  I would suggest that it's not only possible but it is part of your threat model and sphere of business.  It is your concern.  My justification is as follows:

1) customers can be socially engineered
2) customers can be attacked by spam, trojans, viruses
3) customers can be lured away if service is denied from the customer's computer
But when someone tells me that something is impossible the lateral thinker in me feels compelled to find an exception to the rule... what if the customer is attacked by DOS and thereby denied service and leaves your service because it never works?  What if a browser helper object is put on the user's browser that denies service to Amazon Web Services or Netflix or Gmail?  What if a BHO stops service to one company and facilitates it with another?  I can think of one such BHO - Cool Web Search. So such a thing has already happened.  Microsoft has already realized they they need to protect their customers via anti-spyware and anti-virus in order to keep their company alive.
So your customers can be threatened!  The customer can take their money elsewhere.  If compromised, the customer could lead to a general compromise of your entire system. The following source indicates that customer data is an asset and probably could be considered even when transient.  Consider for a moment what happens when the customer has tiny bit of our data such as an access key or certificate?

Could you educate your customer about how to keep their secret key secret? 

Could you educate your customers about how to avoid being socially engineered? 

Could you educate them on how to keep their computers secure? 

Could you educate your customer on how to avoid service interruptions? 

I think the answer to all these questions is yes even if it would lead to an extra expense...  You probably already have spent money trying to educate your customer to some degree.  So maybe you can't entirely control your customer but the customer can be educated and controlled, and even somewhat protected.  * almost like an asset *  You could provide your customer with a security token for example, or a X509 certificate.  Maybe you could even put a program on their computer that assists them in securing their credentials.

Now you can say that you're not responsible for the customer... and why should you be?  Why take on an extra expense for something you can't control?  Given the threats we face you may want to consider changing your thinking.  Operating system vendors like Microsoft understand that they need to make efforts to secure their customer in order to keep them.

The following is a hypothetical which may illustrate the point-

What happens if a customer uses your company's lowest assurance method of login to your cloud hosting services... a shared key for example.  A hacker uses Google to find the customer's exposed code using a specialized search.  Imagine then, the hacker uses the customer's login and secret key to create a fully authenticated message to the customer's account gaining access to a VM that can't be traced back to them.  Then the hacker uses the new zero-day ring 3 VM breakout to compromise the host running hundreds of VMs inside the cloud service.  From there, the hacker or nation-state can leverage sufficient computing power to crack other systems in minutes.  The hosting company now has a compromised reputation, and permanently compromised revenue stream all because they didn't consider their customer is an asset.

So should a business fold users into their threat model?  The answer I would say "depends".  Customer=Asset does not compute for every industry.  But if your customers have highly portable data that can be taken elsewhere and and your business' reputation for security is the only thing between it and disaster... including your customer as an asset in your threat models may be the only sensible approach.


Friday, June 01, 2012

Extreme Browsing


If you are testing security or you simply want to surf without tracks you might enjoy TAILS which is a bootable DVD running Debian.  Essentially this will allow you to turn most any machine into a completely safe virtual browsing envrionment.  Check out the download here:

Surfing "Home Style" with Socks

SSH tunneling for a home-away-from-home experience.  Ever find yourself behind a corporate firewall or untrusted network and want to check your personal email or your facebook account to see what you need to bring to the party tonight?  If you just need to browse safely you can easily do this via SSH and get your encrypted session from wherever you are to home.  Your home computer will then make requests on your behalf and pass the data back to your browser in an encypted session. If you're checking email you can usually do this via the web as well even on your POP accounts as most POP providers have browser front-ends you can access if you have the URL.

How do you set up this little magic trick and surf stright though firewalls and super IDS/IPS systems?

1) Set up a linux box at home with port 22 (SSH) incoming and outgoing on your firewall.  (Make sure the account has limited privileges and a very strong password)  If you know what you're doing you may even want to set up certificates.  

2) If you're on linux you're good to just open a shell and SSH -D (see the detail below) to your home machine and skip to step 3.  If you're on Windows you'll need Cygwin or Open SSH etc.  I have a small Windows app that I wrote to accomplish this in about 800KB if you want to set up on Windows and don't care to install a bunch of stuff.  [If you comment with your email I can send you a copy]

The popular thing is to use -N -L and pick your ports but there's a far easier way for the browser using built-in Sox proxy capability. Using a Sox proxy you can shorten your SSH command and save yourself some head ache and configure your browser more easily.

Execute on your client machine:
ssh -D 9050 [username]@[]
( is the IP or address of your linux box at home which is running SSH)

Your tunnel awaits!  Your session will expire eventually but while SSH is connected you will be able to set up your browser and surf safely using the port you chose.

3) Set your browser to use a Sox proxy at port 9050 (or whatever port you want to default to.  Type in your destination into the browser such as: and voila you're surfing around all sensible precautions and filters.

You can set a specific browser instance (say Chrome or FireFox or IE) to always connect Socks.  This way you can keep your regular browser normal and playing nicely through the firewall and then open your browse-by-home super secret browser and surf like you're on your home network.

Of course this violates all corporate policies we know and love.  It also gives you a taste of what can be done if you let your home network or corporate network get hacked.  You shouldn't use this if you intend to stay compliant with any sensible regulation or policy.  But in a pinch this will get you home-style access from behind the great firewall of China.

You are what you surf so be safe.


Friday, May 25, 2012

Yahoo and Facebook team up to snarf usage data

Yahoo now requires you sign an agreement when you use their comment system to leave comments on political news.  The agreement gives them the right to use any Facebook data they deem necessary and naturally they exclude themselves from all liability in taking and using whatever data they want.  If you haven't already clicked through the agreement blindly you may want to check it out and read the agreement text.

Yahoo and Facebook use "nonce" which is a one time usage key assigned to a user for a specific session which generally changes with time.  This is to stop cookie replay or man in the middle attacks but do nothing useful against "boy in the browser" attacks or XSRF.  XSRF is particularly useful in exploiting sites like Facebook, Google, Yahoo etc. which keep you logged in 24x7x365 unless you explicitly log out.  Facebook thoughtfully keeps you logged in even when you log out because they know you really don't ever want to leave...

The downside with sites like YouTube/Gmail and Facebook is that if you poke around Anonymous posts long enough you will find that they are actively exploiting your perpetually logged in status and the nonce system does nothing to stop your browser from making the evil request on your behalf. I found a link posted by an Anon member which opened up and activated the change-password page.  But this issue illustrates a point with the danger of the perpetual login-session which all of the big-brother style systems are implementing.  When sites keep you perpetually logged-in in order to watch your behavior and to provide "convenience" then they are keeping themselves open to the possibility of a world-wide breach which could be exploited quickly to reach 100% of systems that view the poisoned page.

At least with a boy in the browser type of attack, attackers are limited to doing what Facebook and others already do... gain personal info about you or using your account for spam.  There is a small measure that sites can provide which stops the boy-in-the-browser attack which is for the developers to keep the submit button deactivated until keyboard input is received and validated in some way.

When using these super-sites you would be well advised to log out of them before going on a surfing session.