New Windows flaw allows hackers control of your computer

Posted by Alf Norris (Conseal USB Lead Developer), 21 Dec 2012
A very significant new flaw in all versions of Windows allows hackers complete control over your computer if you visit an infected website or open a document. The flaw is fixed in KB2783534 which is currently on Windows Update.

This has vast damage potential, and we're not sure why it isn't receiving more media attention. The flaw exists in the way that fonts are opened and displayed - so in any situation where hackers can get your computer to display a custom font, they can take control over your system. This includes just visiting a web page for example.

This is uniquely damaging because it's software-independent. It would apply regardless of the browser you are using, as presumably they all use Windows' own mechanisms for loading and displaying fonts.

We advise all customers to ensure they have the latest OS patches.
 

Security, in Numbers III

Posted by Alf Norris (Conseal USB Lead Developer), 10 Aug 2012
In numbers:
26%companies which believe their staff have a very good understanding of their security policies
75%of those organisations in which security policy was poorly understood, the percentage which had staff-related data breaches
67%percentage of large organisations which expect more security breaches next year
37%number of small businesses which do not have a formally documented security policy
568mnumber of flash drives expected to be in use by 2015
 

Security, in Numbers II

Posted by Alf Norris (Conseal USB Lead Developer), 27 Jul 2012
In numbers:
£500,000maximum fine for data breaches from the ICO
70%number of businesses which have traced the loss of sensitive or confidential information to USB flash memory sticks in the past two years
81%risk of data breaches to small businesses (compared to 75% of large organisations)
35%breaches caused through loss of mobile devices (the top cause of breaches)
> 50%small organisations which don't use encryption and have no systems in place to protect against data loss
Zeroof 50 analysed USB sticks lost on trains, the number which were encrypted
 

Security, in Numbers I

Posted by Alf Norris (Conseal USB Lead Developer), 12 Jul 2012
In numbers:
17,000number of USB sticks found in the UK - by dry cleaners alone.
36%proportion of data breaches caused by employee negligence (for example lost USB sticks) in 2012
68%the rise in costs of data breaches to UK businesses over the last 5 years
£79average cost per compromised record in a data breach last year
£1.75mthe average cost of a data breach to UK organisations last year
£780,000cost of data breaches to UK firms last year - in lost revenue alone
 

Elegant Fork Bomb

Posted by Nancy Wyatt (Penetration Testing), 29 May 2012
Here is a rather beautiful Unix command which will lock up a computer:

:(){ :|:& };:

It's neat because it's short, deadly and pleasingly all-punctuation. It's what's known as a "fork bomb", a self-replicating program which does nothing except multiply. It locks up the computer because there is a limit to how many processes can be run at once. When the limit is breached, no more commands can be entered because each command necessarily starts a new process.

However since the colons in the example are just placeholders and can be replaced with any single word, the same thing could be written, with added spacing, as:

destroy()
{
     destroy | destroy &
}
destroy

ie: we first define a function called 'destroy' which simply runs two copies of itself. Then we run it once, setting off the chain reaction.

It causes a fairly significant security problem because it potentially allows a non-admin user to take down the entire system. The solution? Process limits - limiting the number of processes that users can create. A starter for ten is the file /etc/security/limits.conf.
 

Hacking: how to read any file on a server

Posted by Nancy Wyatt (Penetration Testing), 16 Jan 2012
Hello world! I am Conseal's new leader of penetration testing - meaning I am paid to deliberately break our products and web sites. This is even more fun than it sounds. Recently I have had the pleasure of trying to rip into the new version (currently in beta) of Conseal Server.

Having only recently joined Conseal, I was essentially trying to break into a product whose internal machinations I knew nothing about. This is much harder than hacking products that I'm familiar with or which I've had a hand in developing, because I don't know the mechanisms involved. For example, I don't know what happens internally when a client authenticates itself - knowledge of which I would otherwise use to develop specific attacks.

So when working from cold I can only guess. It's a case of thinking carefully about how a product may have been written, and what security mistakes a programmer may therefore have made. For example, are a users' permissions checked correctly for every action they may take - or can I get into somewhere I'm not supposed to, simply because there's no bouncer on the door?

One of the most common mistakes I find allows me to read any file on a server's hard disk including system settings or password hashes. Even more significantly, it even allows me to read (and potentially reverse-engineer) the server's executable code - meaning I no longer have to work "from cold". Jackpot!

Here's how to protect yourself from an evil-minded version of me reading anything I want off your server's hard disk.

The problem occurs whenever a server takes a user's input and uses it to read a file (perhaps a template for example) from the disk.

Take a web server for example, and say it's used to display information on products. Let's say there's a URL like this:

http://www.my-parrot-shop.com/products?name=norwegian-blue

So there is a script called 'products' which is used to display a product named 'norwegian-blue'. The same script could be used to display any other parrot by replacing 'norwegian-blue' in the above with the parrot's name.

A common way of writing the 'products' script is:

1. Read the contents of a file called 'norwegian-blue'
2. Paste this into a template web page and display it to the customer.

So in step 1, we are taking the user's input and using it to form the filename. Can you see the security flaw yet? Let's ask this question... What happens if I request the following:

.../products?name=/etc/passwd

That would cause the script to serve me the contents of /etc/passwd as part of a web page! (A file which, under Unix, typically contains users' password hashes).

In fact, I could use the name of any file. This is known as a directory traversal vulnerability.

Scary? You'd be surprised how often this kind of hack works. Whenever you see a web page which takes a parameter which just might be a filename, try this out.*

It's such a great hack because it's so obvious, and so easy for programmers to get wrong. The solution is, of course, equally simple. If the file name you're reading from is based on a user's input, make sure it only consists of letters, numbers and dashes!

...So, most importantly, is this a hack that would work against your own website?

PS: You'll be pleased (or maybe disappointed as I was) to know that Conseal Server wasn't subject to any directory traversal vulnerability. Ah well. Next!

* Okay, perhaps check you're allowed to first.