Tuesday, January 27, 2009

Online finance flaw: one flaw to rule them all

Flaws in SAAS offerings and the inherent risks

What if dozens (even hundreds) of banks all used one vendor's solution to provide online banking services?
What if that solution had a security flaw thus affecting all users of said solution? A finding of considerable concern, yes?

I must preface this discussion with the fact that the vendor in question has proven to be trustworthy, capable, reputable, responsible, and responsive.
Precision Computer Systems, a FISERV company, provides outsourced online banking solutions to a plethora of banks.
My desire to discuss the vulnerability with Precision Computer Systems (PCS) was forwarded to FISERV for consideration, and the reply came directly from the Vice President | Head of Security.
"As you might imagine, no higher priority exists for our organization than the protection of our client’s information, and that of their customers. To that end, we’ll always welcome constructive feedback such as yours with enthusiasm."
As responses to reported vulnerabilities go, PCS/FISERV handled the process in ideal fashion and are to be applauded for doing so.
While flaws in web applications are a dime a dozen, and nearly every web app yields a vulnerability at some point, the more important piece is how the vendor responds when said vulnerability is disclosed to them.
For this software as as service (SAAS) offering, while each bank's web site is unique, when the user decides to login to the Online Banking service, they're redirected to https://ibank.pcs-sd.net/onlinebanking8/login.r?t-bank=bank id.
Thus, all banks utilizing PCS for this particular feature all take advantage of this specific application to handle logins, amongst other things.
The login form, in particular, suffered from a cross-site scripting (XSS) vulnerability; as discussed in earlier posts, the potential risks to consumers are obvious.


This graphic has specific bank information redacted, and the specifics of the vulnerability are unnecessary. My preference is to treat this discussion as a learning opportunity, rather than nitpick needlessly.

At the risk of overstating the point, the one flawed variable affected all PCS customers utilizing the service.
Again, PCS/FISERV, as indicated above, handled this vulnerability quickly and admirably; they immediately assigned a PM and development resources to repair and release a fix to production.

The lessons here are many.
1) Other online finance vendors, particularly those falling in the SAAS category, take note: this is how to respond to reported vulnerabilities.
2) SAAS customers, take note: ensure that the vendor you contract with for service is very clear about their secure development practices. Don't be afraid to ask very pointed questions such as:
"How quickly will you respond if a vulnerability is disclosed to you?"
"Do you employ a Secure Development Lifecycle standard?"
"How often, and by whom, is the security posture of your product reviewed, preferably with the appropriate compliance frameworks (PCI, SOX) in mind as well as the given web application security standards (input validation, sanitize output, etc.)?"
3) Customers and vendors alike: trust no trustmark (security badge) provider to actually provide you any actual security value...conversions yes, security not so much. At least one bank on the PCS customer list utilize the likes of Control Scan. You'd think Control Scan might have found or reported this vulnerability to the bank or PCS, yes? I think not. SSL-related trustmarks are also nice but no encryption in the world will help you under these circumstances.

The responsibility bestowed upon SAAS providers is of a magnitude at least similar to that of typical application product providers, if not more.
Where a single "boxed" product falls under the scrutiny of vulnerability managers such as CVE and OSVDB, no such scrutiny exists for SAAS offerings.
As more enterprises take advantage of SAAS and cloud-based offerings, they do so for obvious cost and efficiency reasons, but may not have assessed the changing dynamic of their risk posture.

As we consider the premise of one flaw to rule them all, vendor response will be paramount. May the PCS/FISERV standard become commonplace.

del.icio.us | digg | Submit to Slashdot

Adeona Article in Linux Magazine

I'm pleased to announce that an article I've written regarding the open source laptop tracking and recovery offering Adeona is available in Issue 100 (March 2009) of Linux Magazine.

Adeona is the private, reliable, open source system for tracking the location of your lost or stolen laptop. With no dependency on a proprietary, central service, Adeona only needs to be installed on your laptop to help increase your sense of mobile device safekeeping.




del.icio.us | digg | Submit to Slashdot

Thursday, January 22, 2009

PHPIDS: Attack Me, Please!

Of the many projects I've had the pleasure of reviewing for toolsmith over the past few years, one of my absolute favorites is PHPIDS.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application.
The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

More specifically, PHPIDS enables you to see who is attacking your site and how, and all without the tedious trawling of logfiles or searching hacker forums for your domain.
PHPIDS is subject to minor releases every few months, and the release of 0.5.4 (the last minor release before 0.6) just before Christmas reminded me to invite you, dear reader, to kick the crap out of it.
Give it all you've got, beat on it. Really. That's the idea.
The PHPIDS Demo Smoketest will test how 1337 your mad web app testing skills are and give you a grade for overall impact, just like in school...the school of XSS, the school of leetness, the interlocutor of insertion.
So enjoy, and see what you've got in the way of evasive techniques and pwnage prowess.
I can see it now...I pass and receive an overall impact rating of 54. "Wow!", I say. "That's got to be as good as something Gareth Heyes might utilize to circumvent the centrifuge!"
To which David Ross says "Hah! I know Gareth Heyes, and you sir, are no Gareth Heyes!"
*sigh* I feel so inadequate. Life as a white hat script kiddie is teh sux0r.

Enjoy. ;-)
http://attackmeplease.holisticinfosec.org/
Should you wish to read my article on PHPIDS, from the July 2008 ISSA Journal, it's here.

Most importantly: PHP web app developers and site operators one and all: give PHPIDS a close look and consider utilizing it to improve your offering's security. I promise you, you'll quickly learn where your code passes muster and where it doesn't.

del.icio.us | digg | Submit to Slashdot

Tuesday, January 13, 2009

The McAfee Secure Standard has been published

McAfee has alerted me that the McAfee Secure Standard has been published on the McAfee Secure (formerly ScanAlert Hacker Safe) website.
The McAfee SECURE Standard
Joe Pierini and Kirk Lawrence started this process with me prior to their departure from McAfee, and work continued in their absence, largely at the hands of Will M., who's been communicative and inclusive in their stead.
I applaud McAfee for staying true to their commitment to publish the McAfee Secure Standard.
While I may not agree with everything in it, a standard is better than no standard.
That said, my concerns with the Standard as discussed earlier remain unaddressed.
First, you will find that remediation of what McAfee deftly refers to as Client Side Vulnerabilities is Optional. The Client Side Vulnerabilities category includes the entire family of script insertions.
Clarified, this means that merchants displaying the McAfee Secure trustmark are under no obligation to repair such vulnerabilities; the trustmark will remain displayed unabated by the truth.
My position here is clear.
If a website declaring itself secure via a McAfee Secure trustmark is vulnerable to cross-site scripting (XSS), I believe that declaration to be false and misleading. Further elaborated, the McAfee Secure Standard's Client Side Vulnerability category includes cross-site request forgery (CSRF).
While I choose not to out any site in particular at this time, I can assure you with all professional certainty that there are sites displaying a McAfee Secure trustmark that are vulnerable to CSRF. In the case of sites using one particular application, the CSRF vulnerability is so severe, an attacker can escalate privilege in short order.
This is a vulnerability that I've discovered and disclosed responsibly, so I won't discuss it further at this time.
But I ask you, should a site vulnerable to such an attack be labeled as McAfee Secure, per their freshly published Standard?
I think not.
Also Optional on the McAfee Secure Standard: SSL Encryption.
Should a website that conducts financial transactions, yet does not choose to encrypt transaction traffic, be allowed to display a McAfee Secure trustmark?
I think not.
Ironically, the McAfee Secure Standard directly compares itself to PCI DSS. None of the vulnerabilities listed as Optional, per the McAfee Secure Standard, are acceptable for PCI certification.
While the McAfee Secure Standard careful delineates the difference between the Secure trustmark program and their PCI Compliance program, it's not as black and white as they may think. McAfee is a PCI approved scanning vendor (ASV), and a provider of a popular PCI compliance service.
Should they really hold one set of customers to a different standard than the other?
I think not.
Again, I applaud McAfee for publishing the McAfee Secure Standard.
I never imagined we'd get this far, so I humbly ask McAfee to consider the following.
1) Don't bury the Standard. Announce it. Publicize it. Embrace discussion about it. Provide a link to it from the McAfee Secure website. While we may have differences over some of its content, the McAfee Secure Standard is a bold step. Let people know.
2) Disguising script insertions (XSS and CSRF) in the Client Side Vulnerabilities category is a disservice to your customers, and their customers. The "clients" in Client Side Vulnerabilities are consumers using these sites. I believe you are beholden to these consumers as much as you are your own.
Extend the timetable for merchant repair of these vulnerabilities if you must, but said repair should not be Optional.
3) A McAfee Secure site, with a McAfee Secure trustmark, without an SSL certificate is unfathomable. While many a vulnerability can be exploited under the umbrella of SSL protection, SSL encryption is nonetheless an industry standard that should not be Optional.
These things I ask of McAfee in the name of common sense and consumer well-being.
To quote the McAfee Secure website:
"When you display the McAfee Secure certification mark, you not only increase sales by increasing shopper confidence, you build your brand with the security seal seen on more top sites than any other."
Is "increasing confidence" at the expense of industry standards, and real web security a violation of good faith and the very trust you seek to build?
I think so.

As always, I welcome constructive and thoughtful comments and feedback.

del.icio.us | digg | Submit to Slashdot

Tuesday, January 06, 2009

Online finance flaw: Merrill Lynch not bullish on XSS & CSRF vulnerabilies

Updated: 1/16/09 See update below.

Perhaps, now that they're a Bank of America property, better web site security is in store for Merrill Lynch. In the meantime...here's where the trouble begins.
Prompted by headlines from December 21st stating that $1.6B Of Bank Bailout Went To Execs, I thought I'd take a look at the most egregious amongst those receiving a bailout courtesy of taxpayers.
I'd also like to explore what web app vulns mean to Sarbanes-Oxley (SOX) compliance; I've posed some questions below.

Here's all you really need to know:
John A. Thain, chief executive officer of Merrill Lynch, topped all corporate bank bosses with $83 million in earnings last year. Thain, a former chief operating officer for Goldman Sachs, took the reins of the company in December 2007, avoiding the blame for a year in which Merrill lost $7.8 billion. Since he began work late in the year, he earned $57,692 in salary, a $15 million signing bonus and an additional $68 million in stock options.
Like Goldman, Merrill Lynch received $10 billion from taxpayers on Oct. 28.


Too bad Merrill Lynch didn't spend just a wee small percentage of excessive salaries focusing on improving web application security on behalf of the customers paying for the extravagant lifestyles of their top execs.
But, that said, enough frustrated social commentary.

The Merrill Lynch OnLine Login page is vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF), leaving customers at risk for financial compromise via phishing or credential theft.

As always, I followed my terms of engagement, sending no less than three emails over a period of no less than two weeks, even allowing a couple of extra days for the holidays.
To date I have not received a single response, automated or otherwise.

The point is best driven home via video, but the details are simple enough.
A properly formed IFRAME fits neatly, front and center, on Merrill Lynch's OnLine login, embedding Morgan Stanley's ClientServ login page, just to prove the point.

Merrill Lynch OnLine before:



Merrill Lynch OnLine after:



Web application vulnerabilities and SOX compliance

It's obvious that vulnerabilities such as that described above indicate a clear break from PCI compliance.
But what about SOX? HP (formerly SPI Dynamics) offers an interesting perspective in an effort to promote product:
Sarbanes-Oxley Act compliance can be difficult because it was not written specifically with information technology or information security in mind; however, there are various sections within the act that directly affect these functions in today’s corporations. This includes how information is accessed, what leaves the corporate network and what information needs to be protected and retained over time. You should conduct web application security assessments for an initial SOX compliance risk assessment to understand your various internal controls.
Such a web application security assessment would certainly require that a company like Merrill Lynch "validate that web application inputs are properly validated and not vulnerable to command injection or cross-site scripting attacks."
If SOX Section 404: Assessment of internal control indicates that an enterprise must "evaluate controls designed to prevent or detect fraud", shouldn't web application vulnerabilities that lend greatly to phishing or credential theft (fraud to be sure) fall under established controls?
So, my compliance an auditor friends, who wants to take this one on?
Comments welcome.

Can a failed enterprise like Merrill Lynch, who received $10 billion in bailout funds, and compensated a top exec in extraordinary fashion, be called in to question with regard to SOX compliance for issues as described above?
I'm not certain, but it seems worthy of consideration and debate.
I look forward to your feedback.

Update 1/16/09
The Merrill Lynch security team has responded in force and has conveyed that they "take security very seriously and now that we know about this are acting quickly."
As of 1/16/09 Merrill Lynch has indicated that the necessary fixes have been applied to their production environment.
They've also asked that, should anyone discover issues in the future, that they report them to abuse at ml.com.

del.icio.us | digg | Submit to Slashdot