March 9, 2012
A down-to-earth observation of the Dropbox Cloud

The Cloud™ is everywhere to be seen in the current Information Technology landscape and many oracles (with vested interests) such as Microsoft predict that it is not going away anytime soon.

It certainly offers many useful features that make our digital lives easier. There are hidden costs however that users should know about before trusting their data (or their employer’s) with the Cloud™.

Take Dropbox as an example. It’s one of the most visible Cloud-based services on planet Silicon. It allows you to synchronize your files across all sorts of devices. It is extremely easy to open an account and install the client and join their 70 million+ users, frolicking in a cozy cloud. But how many of those users took the time to carefully read the Terms of Service or care about two major security incidents the service had in 2011?

Issue 60 of MISC Magazine features an article from yours truly about Dropbox, in French though. Leveraging some business intelligence, OSINT, a careful reading of the ToS and observation of the Dropbox client's behavior, the article aims to raise the public's awareness of some important issues before they entrust anything to Dropbox. I also knock on a few doors that might be worth exploring by other members of the Information Security community.

Is Dropbox secure enough? Is the company behind it trustworthy? Well, there are no easy answers to these questions. It largely depends on your trust scale and the type of data you share on their cloud (and Amazon’s since they heavily rely on AWS). But I certainly wouldn’t upload my employer’s or any sensitive data on their “cloud”. Security has been, is and will remain a trade-off.

If you have the opportunity to read the article, let me know what you think.

December 5, 2011
Twitter’s Free iPad 2 Scam (with a twist)

Someone, something going by the handle @mahanarfmhul3 (a.k.a Mahana Cox) sent me the following message on Twitter:

As of this writing, @mahanarfmhul3 began emitting tweets about two hours ago with a frequency of 1 tweet every 3~5 minutes. The account totals 26 tweets. 19 of them are of the same kind I received:

The remaining 7 look harmless, most probably to thwart Twitter's algorithms for detecting spam and phishing attempts. 5 of these "innocuous" tweets are written in English while 2 are in Spanish:

I highlighted a tweet apparently addressed to someone called AdamWeitner. Except that Adam Weitner is not following “Mahana Cox”. And the tweet is not addressed properly to him since the @ sign is not used as a prefix.

Now let's look into the phony link I received: tinyurl(dot)com/6v5g4wz. Since it's a TinyURL shortened link, we can preview it without visiting the destination by prefixing the hostname with preview. (i.e. preview.tinyurl(dot)com/6v5g4wz):

Now that we have the URL behind the shortened link, we can dig a bit further. whois tells us that the domain is very fresh as it was created on Dec 4, 2011 through GoDaddy.

McAfee’s Threat Intelligence and MalwareDomainList do not have identification data (yet) for this URL.

However, Wepawet finds some interesting results:

ipadzu(dot)net seems to be yet another site hosting one of those numerous Free iPad2 scams that are running rampant on Twitter. WOT gives it a poor reputation:

This shows once more why it is unsafe to click on URLs, shortened or otherwise, before doing some basic checks.
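The "basic checks" described above (reveal where a shortened link goes without contacting the destination, then look at how fresh the domain is) can be scripted. The following is an added example written for this page, not code from the original post. It assumes an injectable `head()` function standing in for HTTP HEAD requests and a `whois_lookup()` standing in for a whois client; the responses embedded below are constructed from the values cited in the post so the script runs offline.

```python
import re
from datetime import date, datetime
from urllib.parse import urlparse

# Hosts whose redirects we are willing to ask for. tinyurl.com is the one named in
# the post; the others are constructed additions for illustration.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}

def tinyurl_preview_url(url):
    """Return TinyURL's preview page for a link (prefix the host with 'preview.')."""
    p = urlparse(url)
    if p.netloc.lower() != "tinyurl.com":
        raise ValueError("not a tinyurl.com link")
    return p._replace(netloc="preview.tinyurl.com").geturl()

def resolve_shortened(url, head, max_hops=5):
    """Follow redirects with HEAD requests only while the current host is a known
    shortener. Stops *before* contacting the final, unknown destination, so the
    suspicious site never sees a hit from the analyst. Returns the list of hops."""
    hops = [url]
    for _ in range(max_hops):
        host = urlparse(hops[-1]).netloc.lower()
        if host not in KNOWN_SHORTENERS:
            return hops  # reached a non-shortener: do not touch it
        status, headers = head(hops[-1])
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        hops.append(location)
    raise RuntimeError("too many redirects")

# Common "creation date" labels seen in whois output (assumed formats).
CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On):\s*(\d{4}-\d{2}-\d{2})", re.I | re.M)

def domain_age_days(whois_text, today):
    """Extract the creation date from whois output; return the age in days or None."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return (today - created).days

def triage(url, head, whois_lookup, today, fresh_days=30):
    """Resolve the link without visiting the target and flag freshly registered domains."""
    hops = resolve_shortened(url, head)
    final = hops[-1]
    host = urlparse(final).netloc.lower()
    age = domain_age_days(whois_lookup(host), today)
    flags = []
    if len(hops) > 1:
        flags.append("shortened")
    if age is not None and age < fresh_days:
        flags.append("fresh-domain")
    return {"final": final, "host": host, "hops": hops, "age_days": age, "flags": flags}

# --- constructed sample data standing in for the network (values from the post) ---
FAKE_RESPONSES = {
    "http://tinyurl.com/6v5g4wz": (301, {"Location": "http://ipadzu.net/"}),
}
FAKE_WHOIS = {
    "ipadzu.net": "Domain Name: IPADZU.NET\nRegistrar: GoDaddy.com, Inc.\nCreation Date: 2011-12-04\n",
}

def fake_head(url):
    # Raise if the example ever tries to contact anything but the shortener.
    if url not in FAKE_RESPONSES:
        raise AssertionError("example contacted %s, which it must not do" % url)
    return FAKE_RESPONSES[url]

def fake_whois(host):
    return FAKE_WHOIS.get(host, "")

def run_example():
    """Triage the link from the post as of the day it was received (Dec 5, 2011)."""
    return triage("http://tinyurl.com/6v5g4wz", fake_head, fake_whois, date(2011, 12, 5))

if __name__ == "__main__":
    print(tinyurl_preview_url("http://tinyurl.com/6v5g4wz"))
    print(run_example())
```

The resolver deliberately stops at the first host that is not a known shortener: revealing the destination is the point, visiting it is not. Swapping `fake_head` for a real HEAD request (with redirects disabled) and `fake_whois` for a real whois client turns this into a usable pre-click check.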

During the course of this investigation, no animal was harmed. However, it seems that LongURL has some funny results, to say the least:

Sorry Mahana, I am not interested in your free iPad 2 and I've flagged you as a spammer with Twitter.

November 16, 2011
Thoughts on Security Practices and the Consumerization of IT

Tim Rains, Director of Trustworthy Computing Communications at Microsoft, has published an interesting post on TechNet pertaining to the IT consumerization wave that is hitting enterprises at full force and the difficulties these companies face in dealing with it.

Tim refers to the 14th annual Global Information Security Survey from E&Y.

The following excerpt, cited by Tim, is a telltale sign of enterprises groping for answers on how to address these consumer-grade devices in the corporate network (emphasis added):

our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.

The vast majority of respondents try to tackle the issue from a security policy and awareness perspective. Third comes encryption, as many CISOs and CSOs try to concentrate on the data rather than on the equipment.

By approaching the problem from a data-centric point of view, they aim to isolate and protect corporate data stored on BYO devices. Sadly a well-known fact of information security is that whoever controls the device controls the data. Building a castle in uncharted territory is an ill-advised strategy.

I am not saying that data-centric approaches are useless. I am saying that they are not sufficient and must be complemented by a threat-centric approach, as championed by Richard Bejtlich.

We should be monitoring what goes in and out of these devices and beefing up our incident response capability so we can act swiftly in case of data exfiltration and other significant threats to brand image, business data, intellectual property, etc.

June 27, 2011
Cert-IST 2011 Annual Forum

I had the opportunity to attend the Cert-IST 2011 Annual Forum held on June 7, 2011 in Paris, France.

Cert-IST is a French CERT dedicated to the Industrial, Services and Tertiary sectors. They organize an annual forum. Last year's edition was mildly interesting. The most interesting presentation, IMHO, was given by a security professional working for Sanofi-Aventis about how they conducted their security awareness programs. In comparison, it would be an understatement to call this year's edition an interesting conference, as most presentations were really thrilling.

First of all, let me apologize to my non-French speaking readers as all the presentations were made in French. This year’s theme was “Security and Modernity: a Challenge for the Enterprise?” and questioned the numerous technologies and trends from the standpoint of security professionals, be it the Cloud™, the smartphone invasion, the traction that the BYOD (Bring Your Own Device) movement is gaining in the enterprise, social networks, or APT attacks.

There were quite a number of very interesting presentations, such as:

  • Keynote “Security and Modernity” by Antoine GARAPON, Judge: CISOs continue to view Information Systems as a territory to defend while attackers act as sea pirates. They view the Internet not as land but as a body of water where they can sail, looking for prey. It is necessary that we, security professionals, look for a middle ground and get out of the “forbid everything not absolutely necessary” mindset. Otherwise, we won’t be able to cope with the challenges that we are facing (think new technologies).
  • National Strategy for Cyber Defense by Patrick PAILLOUX, General Manager, ANSSI: very interesting feedback on the attack against the French Ministry of Finance and the resources ANSSI allocated for incident response. The attacks were not sophisticated, but their perpetrators had significant means and were highly organized. Mr. PAILLOUX insisted on the necessity of having a CERT-like capability, or at least some sort of incident response, in every company to help cope with the new threat landscape.
  • Securing Mobile Devices for Enterprise Usage by Jean-Marie MELE, Security Engineer, France Telecom Orange: very good presentation on the technical and legal issues pertaining to BYOD (Bring Your Own Device). In France, a personal device is the property of its user even if it is used in a professional context. As such, it cannot be audited or submitted to a pentest without the consent of its owner. A number of Android vulnerabilities were also cited. It is necessary to follow such trends and adapt to them or risk being completely bypassed.
  • Cloud Computing: Legal Questions by Jean-Marie JOB, Attorney: excellent presentation on the legal aspects of Cloud Computing. Who is responsible for data processing (and thus must make sure that personal data is processed according to French law)? What are the important points to keep in mind before moving to the Cloud? What happens if personal data is handled outside of the EU?

If you’d like to dig deeper, read my full account (in French) and/or download the presentation materials online.

May 19, 2011
A short definition of APT (Advanced Persistent Threat)

There have been a lot of discussions involving APT (Advanced Persistent Threat) attacks. Many abuse this term to describe any sufficiently advanced attack, regardless of the attacker's motives, as long as the attacked party is a high-profile company or any organization that can get the information security community's attention.

Please note that, depending on whom you ask, sufficiently advanced is a very fuzzy qualifier and must not be considered a valid definition, given the bias that is introduced, voluntarily or not, by the involved parties.

That said, I believe that all APT attacks share something in common, as written on page 69 of the IBM X-Force 2010 Trend and Risk Report:

the key is that the attacker is dedicated to maintaining a persistent capability to extract data.

Another good and far more complete definition of APT was proposed by Richard Bejtlich in early 2010. Richard now works for MANDIANT, a company that seems to have extensive experience in dealing with such attacks.

March 31, 2011
"Root cause of attacks isn’t vulnerabilities, it’s economics. The data is economically valuable, therefore the attack is worth money to do."

Adam J. O’Donnell

January 12, 2011
"Show me one CISO who can deinstall — and write-off — a fully deployed enterprise security product because the marginal utility it contributes is not worth the complexity cost it engenders."

Digital Affluence Is Making Us Less Secure, Dan Geer, CISO, In-Q-Tel

December 26, 2010
Nessus 4.2 Provides Improved Exploit Availability Information

Back in September, I blogged about a relatively new feature added to Nessus that provides information about the availability of an exploit for vulnerabilities identified during the scan. I wrote then:

This is incredibly valuable information that will allow you to prioritize your remediation actions. For instance, you could elect to plug critical vulnerabilities for which there is a public exploit, then move on to the medium ones for which there is also a public exploit, and so on.

This feature has recently improved. The .nessus v2 XML report now tells you whether the exploit is available in Immunity CANVAS and/or Metasploit.

If an exploit is available in CANVAS, the exploit_framework_canvas subnode of the ReportItem XML node will be set to true. Moreover, the canvas_package subnode will tell you in which CANVAS package the exploit can be found.

If an exploit is available in Metasploit, the exploit_framework_metasploit subnode of the ReportItem XML node will be set to true. In case Metasploit has an exploit for the identified vulnerability, the metasploit_name subnode will provide its name. Here is an example:

<metasploit_name>Microsoft ASN.1 Library Bitstring Heap Overflow</metasploit_name>

This is particularly interesting as Metasploit 3.5.x allows you to control Nessus, import the scan results and display only the vulnerabilities for which there is a Metasploit exploit.
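Pulling these subnodes out of a .nessus v2 report and sorting findings the way the post suggests (exploitable first, then by severity) is a small parsing job. The script below is an added example for this page, not Nessus or Tenable code. The XML fragment is constructed (plugin IDs and names are placeholders); the element names `exploit_framework_canvas`, `canvas_package`, `exploit_framework_metasploit` and `metasploit_name` are the ones described above, and `exploit_available` is the older flag from the September post.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus v2 fragment: not a real scan, plugin IDs/names are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-example">
    <ReportHost name="192.0.2.10">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="constructed critical finding" pluginFamily="Windows">
        <exploit_available>true</exploit_available>
        <exploit_framework_canvas>true</exploit_framework_canvas>
        <canvas_package>CANVAS</canvas_package>
        <exploit_framework_metasploit>true</exploit_framework_metasploit>
        <metasploit_name>Microsoft ASN.1 Library Bitstring Heap Overflow</metasploit_name>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="constructed medium finding" pluginFamily="Web Servers">
        <exploit_available>true</exploit_available>
        <exploit_framework_metasploit>true</exploit_framework_metasploit>
        <metasploit_name>constructed_module_name</metasploit_name>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="900003" pluginName="constructed high finding, no public exploit" pluginFamily="Misc.">
        <exploit_available>false</exploit_available>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def _flag(item, tag):
    """True when the named subnode exists and its text is 'true'."""
    node = item.find(tag)
    return node is not None and (node.text or "").strip().lower() == "true"

def parse_report_items(xml_text):
    """Flatten every ReportItem of a .nessus v2 document into a dict."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "exploit_available": _flag(item, "exploit_available"),
                "canvas": _flag(item, "exploit_framework_canvas"),
                "canvas_package": item.findtext("canvas_package"),
                "metasploit": _flag(item, "exploit_framework_metasploit"),
                "metasploit_name": item.findtext("metasploit_name"),
            })
    return findings

def prioritize(findings):
    """Remediation order as the post suggests: findings with a public exploit first,
    highest severity first within that, then those covered by more frameworks."""
    def key(f):
        return (f["exploit_available"], f["severity"], int(f["canvas"]) + int(f["metasploit"]))
    return sorted(findings, key=key, reverse=True)

def metasploit_only(findings):
    """The subset a Metasploit-driven workflow would import (see the 3.5.x note above)."""
    return [f for f in findings if f["metasploit"]]

if __name__ == "__main__":
    for f in prioritize(parse_report_items(SAMPLE_NESSUS)):
        print(f["plugin_id"], f["severity"], f["canvas_package"], f["metasploit_name"])
```

Replace `SAMPLE_NESSUS` with the contents of an exported .nessus file to run it on a real scan; `ET.parse(path).getroot()` works in place of `ET.fromstring`.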

September 20, 2010
HTML 5 Security: Good, Bad, or Both?

In a recent and excellent post, Paul Roberts from ThreatPost explored the security of HTML 5, the upcoming version of the markup language that fuels the Web.

The post provides an overview of the major security features of the new specification. It also conveys the concerns security experts have with what will probably be the vector of a new Web revolution.

Quoting Adam Barth of the University of California, Berkeley, Paul Roberts writes:

HTML5 actually specifies how HTML code should be parsed by Web browsers. Previous iterations of the language left it up to individual platform vendors to develop their own interpretations of how the code should be parsed, which led to differences in how the language was rendered on different browsers. That also created opportunities for attackers to exploit quirks in the HTML parsing of specific browsers in Cross Site Scripting and other Web based attacks…

While this might be considered good news, given the current differences in HTML 4 implementations among browsers, I am bothered by the use of should instead of must in the sentence above. At any rate, I don't see how HTML 5 would enforce similarity in parsing. Would a website refuse to display an HTML 5 page unless the browser which made the request is on a list of 100% compliant browsers?

Let's assume that HTML 5 can tell browsers how they must parse it. Will we end up with a class break across all HTML 5-ready browsers should the specification suffer from a vulnerability that affects its design?

Further down, still quoting Adam Barth, Paul Roberts writes:

New features are also intended to make HTML5 more secure than its predecessors. Among them is a new sandbox attribute that allows Web sites that use iFrames to aggregate untrusted content from external sources to run it in a secured environment. The postMessage() feature, for cross document messaging, allows secure communication between different web sites in the browser.

This sounds like a major security feature in HTML 5. The ability to control external input while serving it to the browser looks like a good way to thwart the problems we currently have with mash-ups and similar content aggregation techniques. However, problems have already been found with the technique:

The new sandboxing and postMessage() features are examples of tools that, if not used properly, could fail to provide protection against hacks, or even enable new types of attacks. Veracode, in its analysis of HTML5, raised red flags about the security of the postMessage() feature, as well, noting that Web applications that use cross-document messaging could be vulnerable to attack from malicious Web sites, which could spoof rogue messages.

Among other concerns:

“HTML5 has an enormous amount of functionality. The (specification) is just huge,” said Jeremiah Grossman of Web security firm WhiteHat. The breadth of the new specification gives him concern. “I know that we’re still finding vulnerabilities in HTML4,” Grossman said.

And:

“With any new functionality you’re going to have new security concerns. HTML5 is going to increase the attack surface considerably,” said Neil Daswani of Web security firm Dasient.

So HTML 5 is a huge specification that offers a huge attack surface. Are we calling for disaster here? I hope that the persons who are involved in its development have more than functionality in their minds and agendas.

Moreover:

HTML5’s ability to support native rendering of audio and video files could allow attackers to take advantage of security vulnerabilities in supported audio and video file formats for Web based attacks

During CanSecWest 2008, Thierry Zoller and Sergio Alvarez from the now-defunct n.runs company demonstrated many ways to exploit parsing bugs in anti-virus software, either to circumvent it or to get a foothold on the systems on which it runs. This is due to its support of many different file formats. I guess you now see what I am aiming at. Need another example? Wireshark, the ubiquitous network sniffing software, has suffered from many vulnerabilities due to parsing bugs in its implementation of a wide array of protocols. I clearly don't see why HTML 5 wouldn't suffer from the same types of mistakes.

One other area of concern is HTML 5 support for event handlers:

HTML5’s broader support of event handlers on HTML elements could defeat blacklist filters designed to allow HTML but block scripting.
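To make the blacklist concern concrete, here is an added example (written for this page, not code from the ThreatPost article or the post) contrasting the two filtering strategies in Python. `blacklist_filter` strips `<script>` and a fixed list of HTML 4 event handler attributes, which is exactly the kind of filter a new HTML5 event handler slips past; `allowlist_filter` keeps only tags and attributes it knows, so an attribute it has never heard of is dropped by default. The sample markup and the set of allowed tags are both constructed assumptions; `onloadstart` is one of the media events HTML5 introduced.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowed tags and, per tag, the attributes kept (constructed policy for this example).
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "ul": set(), "ol": set(), "li": set(), "br": set(), "a": {"href"}}
VOID = {"br"}                     # tags with no closing counterpart
DROP_CONTENT = {"script", "style"}  # drop the element *and* its text

def blacklist_filter(html):
    """The kind of filter the article warns about: removes <script> and a fixed
    list of HTML 4 event handlers, letting any other attribute through."""
    html = re.sub(r"(?is)<script\b.*?</script>", "", html)
    for attr in ("onclick", "onload", "onmouseover", "onerror"):
        html = re.sub(r"(?i)\s%s\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)" % attr, "", html)
    return html

class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from the allowlist only; unknown tags lose their
    markup (text kept), unknown attributes are dropped, text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None and self._safe_url(value):
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED or tag in VOID:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    @staticmethod
    def _safe_url(value):
        # Only absolute http(s) links survive; anything else is dropped.
        return urlparse(value.strip()).scheme.lower() in ("http", "https")

def allowlist_filter(html):
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)

# Constructed sample: an HTML5 <video> element carrying a media event handler
# the blacklist has never heard of, next to an HTML 4 handler it does know.
SAMPLE = ('<p>Hello <b>world</b></p><script>x()</script>'
          '<video src="clip.ogv" onloadstart="x()">clip</video>'
          '<a href="http://example.com/" onclick="x()">link</a>')

if __name__ == "__main__":
    print("blacklist :", blacklist_filter(SAMPLE))
    print("allowlist :", allowlist_filter(SAMPLE))
```

The blacklist output still contains `onloadstart="x()"`, because the filter only knew the handlers that existed when it was written; the allowlist output is `<p>Hello <b>world</b></p>clip<a href="http://example.com/">link</a>`, with nothing the policy did not explicitly permit. That asymmetry is the whole argument for allowlisting as a specification keeps growing.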

And while this major revision of HTML is still under development, sites such as YouTube are already adopting it:

Grossman said he sees support for HTML5 in around 10% to 12% of the 2,000 Web sites his firm monitors. It could be three years or more before the security implications of the new capabilities in HTML5 are fully grasped, he said.
