I Have Done It Longer Because I Have Not Had Time To Make It Shorter

This is a quote I usually see attributed to Mark Twain:

If I had more time, I would have written a shorter letter.

The quoteinvestigator.com research on that indicates that Twain “did not use it according to the best available research”.

The earliest use of this phrase is from Blaise Pascal in 1657 (yes, that Pascal), originally in French as part of “Lettres Provinciales”:

Je n’ai fait celle-ci plus longue que parce que je n’ai pas eu le loisir de la faire plus courte.

Google Translate offers up this English version:

I have done it longer because I have not had time to make it shorter.

That applies to many things that benefit from refinement over time, including programming.

UPHPU April 2014


HTML5 Security Cheatsheet

A list of web-related security issues is being collected at html5sec.org, with a GitHub repo for sending in updates.

There are so many ways that bad things can happen in a web environment that sharing details in an open and public way like this is really important.

Successful Web App Requirements

Thomas Fuchs answers the question: what do you need to make a successful web app? The most important part of the answer may be the things that you don’t need.

Read Access on Google Servers with XXE

Detectify explains how they gained read access to production servers at Google:

One system caught our eyes. The Google Toolbar button gallery. We looked at each other and jokingly said “this looks vuln!”, not knowing how right we were.


They were able to leverage XML External Entity (XXE) processing to read local files on Google’s production servers. If you haven’t read up on XXE, go watch Mike Adams’ talk at WordCamp SF 2013; the video is only 30 minutes.

Be very careful when processing XML; it can come back to bite you in very bad ways.
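One way to parse untrusted XML in PHP without exposing local files through XXE, as an added example that is not from this post or from Mike Adams’ talk. The inputs are constructed, the function name is mine, and the DOCTYPE rejection is a deliberate policy choice rather than a libxml setting.

```php
<?php
// Added example, not from the post: parse untrusted XML in PHP without
// letting an external entity pull in local files.

// Constructed input of the shape XXE abuses: a DOCTYPE declaring an
// external entity that points at a local file. Nothing below reads it.
$untrusted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE button [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<button><title>&ext;</title></button>
XML;

// Constructed clean input, the shape a button gallery would actually expect.
$clean = '<button><title>Search</title><url>https://example.invalid/</url></button>';

function parseUntrustedXml(string $xml): ?SimpleXMLElement
{
    // Untrusted input has no business declaring entities, so refuse any
    // DOCTYPE outright. This check does not depend on libxml version quirks.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }
    // PHP < 8.0 loads external entities by default; switch that off.
    // (Deprecated and already off in 8.0+, hence the version guard.)
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    // Never pass LIBXML_NOENT here: that option is what substitutes entity
    // references. LIBXML_NONET additionally blocks network fetches from DTDs.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

foreach (['untrusted' => $untrusted, 'clean' => $clean] as $label => $input) {
    $doc = parseUntrustedXml($input);
    echo $label, ': ', $doc === null ? 'rejected' : "title={$doc->title}", "\n";
}
```

The first document is rejected at the DOCTYPE check before libxml ever sees the entity; the second parses normally.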

Flysystem

Flysystem for PHP:

Flysystem is a filesystem abstraction which allows you to easily swap out a local filesystem for a remote one.

A common API for accessing files stored locally, on S3, FTP, SFTP, Dropbox, Rackspace, Zip, and WebDAV. Abstraction layers usually impose a performance penalty; I wonder how big that is in this case. Even with a performance penalty, a shared API may be preferable in some situations.

Heartbleed Explanation on xkcd

Excellent explanation of the heartbleed bug on xkcd.

Network Link Conditioner

Matt Thompson outlines how to install the Network Link Conditioner on Mac OS X.


The Network Link Conditioner allows you to tweak settings to simulate various network conditions. This is a must-have tool if you want to see what your mobile app experience is like under less than ideal network conditions.

Mass Session Hijacking With Heartbleed

The original proof of concept scripts for heartbleed are being expanded into more specialized session hijacking tools. Here is one from Michael Davis:

I altered the proof of concept code written by Jared Stafford to continuously query a given server for memory chunks and parse those chunks for session ids.

Some very simple checks are in place to only spit out unique session IDs.

For a more complete example of how to then use the session ID to gain access to an account check out Matthew Sullivan’s Hijacking user sessions with the Heartbleed vulnerability post.

Even these scripts still involve manual actions afterwards. There is no doubt that the heartbleed bug is going to continue to be used as the foundation for more and more automated attack scripts.

Heartbleed, Update OpenSSL Now!


A very bad bug, Heartbleed, has been found in OpenSSL:

The bug is in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

- via heartbleed.com

This is a “stop whatever you are doing and upgrade to a fixed version of OpenSSL NOW!” level bug. More from heartbleed.com:

Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

This is just about as bad as it can get.

A few tools have been thrown together if you want to test for this vulnerability. The really scary one is http://filippo.io/Heartbleed/, which will allow you to run a live check against a hostname and show you the resulting memory dump. Source code for that site is available here. If you are looking for a script to test locally, take a look at https://github.com/titanous/heartbleeder.

OpenSSL versions impacted according to heartbleed.com:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since the OpenSSL 1.0.1 release on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

You can find out which version of OpenSSL you are running with openssl version -v -b. The -b is important because some updates do not change the version number. For instance, the fixed version on Ubuntu 13.10 reports:

OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:33:19 UTC 2014

The version wasn’t changed, so you’ll need to know the build date.
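A small checker that applies the rules above to the output of openssl version -v -b, as an added example that is not from this post. The function name is mine, the sample output is constructed to match the Ubuntu 13.10 lines quoted above, and treating a build dated on or after 7 Apr 2014 as patched is a heuristic for distributions that backported the fix without changing the version letter.

```php
<?php
// Added example, not from the post: classify `openssl version -v -b` output
// using the rules the post lists (1.0.1 through 1.0.1f vulnerable, 1.0.1g
// and the 1.0.0 / 0.9.8 branches not), falling back to the build date for
// distro builds that patched in place without bumping the version.
function heartbleedStatus(string $output): string
{
    if (!preg_match('/^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b/m', $output, $m)) {
        return 'unknown: no OpenSSL version line found';
    }
    [$major, $minor, $patch, $letter] = [(int)$m[1], (int)$m[2], (int)$m[3], $m[4]];

    // Only the 1.0.1 branch ever shipped the heartbeat bug.
    if ([$major, $minor, $patch] !== [1, 0, 1]) {
        return "not vulnerable: {$m[0]} is outside the 1.0.1 branch";
    }
    // 1.0.1g carries the upstream fix; later letters inherit it.
    if ($letter !== '' && $letter >= 'g') {
        return "not vulnerable: {$m[0]} includes the upstream fix";
    }
    // 1.0.1 through 1.0.1f: decide by build date, since some distributions
    // patched in place and left the version string untouched (heuristic).
    if (preg_match('/^built on: (.+)$/m', $output, $b)) {
        $built = DateTime::createFromFormat(
            'D M j H:i:s T Y',
            preg_replace('/\s+/', ' ', trim($b[1])),
            new DateTimeZone('UTC')
        );
        $fixDate = new DateTime('2014-04-07 00:00:00', new DateTimeZone('UTC'));
        if ($built !== false && $built >= $fixDate) {
            return "probably patched: {$m[0]} built {$built->format('Y-m-d')}, "
                . 'on or after the fix date; confirm against your distro advisory';
        }
    }
    return "VULNERABLE: {$m[0]}, upgrade now";
}

// Constructed sample matching the Ubuntu 13.10 output quoted in the post.
$sample = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr 7 20:33:19 UTC 2014\n";
echo heartbleedStatus($sample), "\n";
// On a live host: echo heartbleedStatus(shell_exec('openssl version -v -b'));
```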

Heartbleed was announced yesterday (7 Apr 2014); I expect that we are going to see more fallout from this over the next few days. Tools to exploit this are already widely available, so not updating is not an option.


© 2014 Joseph Scott
