

I AM HAXOR, ASK ME ANYTHING

Started by Pæs, November 15, 2013, 08:44:18 PM


Trivial

How in the hell would a virus on a windows vm jump to a linux host or vice versa?
Sexy Octopus of the Next Noosphere Horde

There are more nipples in the world than people.

Golden Applesauce

Quote from: Pæs on November 16, 2013, 10:33:24 AM
I think cross site scripting has hit enough blogs and forums that developers are pretty aware of it, even if they're not entirely aware of every way the issue can emerge from their code. There are a lot of noble stupid attempts to sanitise input to remove anything that might be interpreted as instructions for the browser, but Pratchett said it best with "Ninety percent of most magic merely consists of knowing one extra fact" which is all an attacker needs to have to thwart your defences.

It's starting to become understood that perfect defence of a system is not possible and all over infosec people are assuming compromise has occurred and putting their focus into detection and mitigation.

It is possible to sanitize input: HTML encode all user input before putting it in a browser, XML escape all user input before putting it in XML, etc. Every modern language has a nice simple built-in function to do this for you correctly. But instead, every single developer thinks "Oh, I'll just take out <script> tags and we'll be fine" AND GUESS WHAT THAT DOESN'T WORK MORON. ARRRRRG.

<ScrIPt>
<    script>
<scr    ipt>
<scr\ipt> (forget which browser this works in)
<&#115;cript>  ('s' is 0x115 in Unicode)
<&#00000115;cript>
<img src="IsMaliciousScriptNotActuallyPictureLOL.js" /> (for some old, buggy browsers cough cough IE cough cough)
<img onload="<script goes here>" />
<a ref="http://site.with.malware.example" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-index: 1000000000;">
<object>
<meta>
ad infinitum.

Plus you have to know every single browser rendering / parsing quirk - older versions of IE let you put script instead of images, and it would actually run them. And that includes quirks of browsers that haven't been invented yet - if your users have a coffeescript plugin then <coffee> tags will work on them, etc.

Or you might just use TinyMCE for your user text input needs. TinyMCE is an HTML editor in HTML, and guess what? It lets people write HTML, including embedding Flash, Java applets, ActiveX controls, whatever scripts they want, redirects to other sites etc etc etc. The Pagan Place used TinyMCE in its forum software, and yes, I verified that it has script injection vulnerabilities.



Sorry, this is a bit of a sore point with me. About 2 years ago we found a pretty gaping script injection in some software my company uses. For about 3 months their most junior dev would tell me he'd fixed it and I would do a quick google search and "one more fact" them and tell them to do it properly instead. After I showed them the unicode character escape they just started ignoring me.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Golden Applesauce

Quote from: Mome Papess Trivial on November 17, 2013, 04:33:08 AM
How in the hell would a virus on a windows vm jump to a linux host or vice versa?

Exploiting a bug in the VM.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Golden Applesauce

Quote from: PopeSlag on November 16, 2013, 04:43:04 PM
Why is our utility and security infrastructure ("our" in my case being the United States) accessible through the Internet at all? Has humankind forgotten that computers can be built to work without being accessible to four billion random humans over a wild west frontier network where no one has ever had a good intention ever?

It honestly strikes me as collusion with hackers in a new world order way, which sucks because all that is nonsense and is not what's going on, meaning I actually have no clue as to why this is so.

So if a power line shorts, engineers can configure the nearby lines to route the load around it from their office in realtime, rather than having to send guys out into a hurricane to fix it. If enough power lines short you need to turn down the various power plants in the area to avoid overloading the whole grid. They could build a dedicated, secure network for it... but we're talking about an industry that is still being outwitted by squirrels and tree branches.

The larger problem is that nobody ever, ever, ever invests in security until they absolutely have to. The incentives just aren't there, especially if you can pass all the costs of an attack onto someone else.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Golden Applesauce

Quote from: Remington on November 17, 2013, 03:20:36 AM
With recent NSA/Snowden leaks about the NSA potentially compromising Internet encryption standards, is SSL/TLS still considered to be safe/not backdoored? If there are backdoors, how likely would it be that they would be in the implementing application vs in the SSL/TLS standard itself?

Basically, is SSL still theoretically secure against an organization like the NSA?

Yes.*

The NSA had to work very hard to get data that was protected by SSL/TLS. They siphoned a ton of user contacts information from Yahoo! by tapping cables. They got much, much less of that same type of data from GMail, because GMail has users use SSL by default. They actually man in the middled a Google datacenter to bypass their SSL.

You might have seen this slide:


It was easier for them to sabotage the servers that Google was using to encrypt things than it was to break the encryption.

The weak point in a communication secured with SSL/TLS is everything except the SSL/TLS part. Malware on your computer**, malware on the server, stolen SSL certificates.

*SSL/TLS is a protocol for two computers to agree on an encryption scheme, not encryption itself. Some of the older encryption algorithms are starting to show weaknesses, so those specific algorithms should be deprecated, but that doesn't affect TLS as a whole.

**Encryption makes it impossible to cache things, which makes things slow. If you're an IT guy at a company and you have 1000 people hitting the same encrypted external website 100 times a day, you have to make 100,000 requests. If you cache it, you only have to make 1. But if you let the browser and the external server encrypt things, you can't tell when someone is making a duplicate request. So a lot of networks will actually man in the middle themselves to improve performance, by doing all the encryption stuff at the point where the internal network connects to the internet. This includes some smartphone networks / browsers, where bandwidth is at a premium. You need less infrastructure, and it only comes at the expense of your users' security!
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Pæs

Yeah, what GA said! Thanks for joining in the thread GA!

Typically, even when the crypto is weak, it's going to be easier for the NSA (or any other attacker) to just bypass the crypto and install malware to take your data before encryption or after decryption.

Edit: I recently attended a talk by crypto heavyweight Peter Gutmann which addressed a lot of the NSA stuff. I'll try and find the slides from it, otherwise will summarise from memory.

Pæs

Quote from: Golden Applesauce on November 17, 2013, 04:50:43 AM
Quote from: Mome Papess Trivial on November 17, 2013, 04:33:08 AM
How in the hell would a virus on a windows vm jump to a linux host or vice versa?

Exploiting a bug in the VM.
This or exploiting a feature, like shared folders between VM/host or VM access to network + network's access to host.
Some VM escapes are based on that old chestnut input sanitisation, allowing code running on the VM to refer to files on the host.

Remington

Quote from: Golden Applesauce on November 17, 2013, 05:18:02 AM
Quote from: Remington on November 17, 2013, 03:20:36 AM
With recent NSA/Snowden leaks about the NSA potentially compromising Internet encryption standards, is SSL/TLS still considered to be safe/not backdoored? If there are backdoors, how likely would it be that they would be in the implementing application vs in the SSL/TLS standard itself?

Basically, is SSL still theoretically secure against an organization like the NSA?

Yes.*

The NSA had to work very hard to get data that was protected by SSL/TLS. They siphoned a ton of user contacts information from Yahoo! by tapping cables. They got much, much less of that same type of data from GMail, because GMail has users use SSL by default. They actually man in the middled a Google datacenter to bypass their SSL.

You might have seen this slide:


It was easier for them to sabotage the servers that Google was using to encrypt things than it was to break the encryption.

The weak point in a communication secured with SSL/TLS is everything except the SSL/TLS part. Malware on your computer**, malware on the server, stolen SSL certificates.

*SSL/TLS is a protocol for two computers to agree on an encryption scheme, not encryption itself. Some of the older encryption algorithms are starting to show weaknesses, so those specific algorithms should be deprecated, but that doesn't affect TLS as a whole.

**Encryption makes it impossible to cache things, which makes things slow. If you're an IT guy at a company and you have 1000 people hitting the same encrypted external website 100 times a day, you have to make 100,000 requests. If you cache it, you only have to make 1. But if you let the browser and the external server encrypt things, you can't tell when someone is making a duplicate request. So a lot of networks will actually man in the middle themselves to improve performance, by doing all the encryption stuff at the point where the internal network connects to the internet. This includes some smartphone networks / browsers, where bandwidth is at a premium. You need less infrastructure, and it only comes at the expense of your users' security!

Very thorough, thanks for the reply!
Is it plugged in?

Q. G. Pennyworth

One extra bit about encryption and the NSA:

Encryption increases the time it takes to figure out the fuck you just said. Since the infrastructure is being put in place to make it possible to capture and store that encrypted data basically forever, and computing power keeps increasing, it's possible that encrypted data could be broken into 5 or 10 years from now and used to fuck you over.

Faust

From working with the electric grid here, I've discovered they are pretty security conscious, which is a relief. They avoid networking any system they can. Even routine things like meters don't report back via TCP; it's all old analogue signals, and even if you were to tap into that it's all meaningless unless you understand the protocol they are using.

I'd hope the water and gas are similar.
Sleepless nights at the chateau

PopeSlag

Quote
So if a power line shorts, engineers can configure the nearby lines to route the load around it from their office in realtime, rather than having to send guys out into a hurricane to fix it. If enough power lines short you need to turn down the various power plants in the area to avoid overloading the whole grid. They could build a dedicated, secure network for it... but we're talking about an industry that is still being outwitted by squirrels and tree branches.

The larger problem is that nobody ever, ever, ever invests in security until they absolutely have to. The incentives just aren't there, especially if you can pass all the costs of an attack onto someone else.

I see no reason that the computer network which handles this has to be the Internet. It makes no sense.
First, when people are having fun, time is said to go by faster. Second, with objects sharing a common gravity, time is slower for the object closest to the center of gravity. Therefore, it's more fun in space.

Junkenstein

Paes/anyone really:

Can I get some facts (or speculations) about how viruses and other malware are/are likely to be affecting cell phones?

I'm guessing that with the rise of app stores and indie developers, there's got to be a couple of popular games or something that are basically phone malware in disguise? I've got a feeling that there's going to be a massive story within a few years that "popular game A" is little more than a data harvesting tool. More so than the current Zynga and similar offerings.

Also:
Quote
Basically if it's closer to you than your local cell tower, your phone can be convinced to use it instead. This is your calls and SMS and internet connection compromised but the baseband stuff I mentioned earlier makes this much more severe because the part of your phone that knows how to talk to the local tower will actually take all sorts of ridiculous instructions from it.

If the tower says "yo, turn on your microphone and tell me what's going on nearby", your phone is like "LOL K". If the tower says "Send an SMS to this expensive number" your phone is all "sure thing bro."

Would it be reasonable to speculate that this is exactly what was going on with the UK's fuckup in Germany recently?

More questions later.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Faust

There are a lot of keyloggers in cracked apps (Cydia) on rooted iPhones, and similar for Android, and there have been for a good while. Hearing a bit about browser hijacking on both but not sure what it's being used for yet.

The Facebook app, while not strictly malware, goes beyond its remit as an app. It bypasses updating from the app store and updates itself directly from Facebook.

There's a load of nasty shit it will do if you misconfigure it on setup: it will try to access your contacts and photos and make itself the default program for opening a lot of file types, which you can deny, but there are some things that it explicitly puts outside your control such as notifications, push, and background idling processes. Even if you have forbidden every kind of push, things like friend requests still raise events.
Sleepless nights at the chateau

Junkenstein

Quote
The Facebook app, while not strictly malware, goes beyond its remit as an app. It bypasses updating from the app store and updates itself directly from Facebook.

Thanks Faust, that's added yet another level of personal aversion to Facebook in all its forms.

I assume these glitches and inappropriate access are at least somewhat intentional. There's little point running a data harvesting operation if you let people opt out easily.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.