Tuesday, December 30, 2014

[Basics] Software flaw vs. bug

Have you ever thought about the difference between a software flaw and a software bug? Or do they refer to the same thing? This mini post will explain.

It is true that both software flaws and bugs result in vulnerabilities that hackers can exploit, but the two terms refer to two different things. The former is more serious than the latter.

Software flaw - caused by a design failure
Software bug - caused by an implementation failure (the design is perfectly fine)

Note that software can be vulnerable due to both a software flaw and a bug at the same time - incorrect design and incorrect implementation.

Let me quote a famous bug which was exploited to produce one of the first Internet worms, the Morris worm, in 1988. The Morris worm exploited a buffer overflow vulnerability in the Unix finger daemon. Specifically, finger used the gets() function to obtain user input. The problem with gets() is that it has no provision to limit or check the length of the input string. So, the bug is not checking/validating the input string length. It is not a flaw, as it is an implementation issue and has nothing to do with the design of finger.
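To make the finger example concrete, here is an added illustration (not code from the original post, and not the real fingerd source): the unbounded read shown in a comment, beside a bounded replacement that rejects over-long input instead of writing past the buffer. The buffer size NAME_BUF and the function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer, as a finger-style daemon might use
 * for the requested user name (size is an assumption for this example). */
#define NAME_BUF 64

/* The vulnerable pattern (shown only, not compiled): gets() copies the
 * whole line no matter how long it is, so a line longer than NAME_BUF-1
 * bytes overwrites whatever follows name[] in memory. There is no
 * argument through which the caller could even tell gets() the size.
 *
 *     char name[NAME_BUF];
 *     gets(name);
 */

/* Hardened reader: copies one line from `line` into `dst` (dstsz bytes).
 * Returns the number of bytes stored, or -1 when the input would not fit;
 * in that case `dst` is left as an empty string so the caller rejects the
 * request rather than silently truncating it. */
int read_name_bounded(const char *line, char *dst, size_t dstsz)
{
    size_t n = strcspn(line, "\r\n");   /* length up to the end of line */
    if (dstsz == 0) return -1;
    if (n >= dstsz) {                   /* no room for n bytes plus NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, line, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char line[256];
    char name[NAME_BUF];

    /* fgets() is the bounded counterpart of gets(): it never writes more
     * than sizeof line bytes, so an over-long line arrives without its
     * newline and is then rejected by read_name_bounded(). */
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    if (read_name_bounded(line, name, sizeof name) < 0) {
        fputs("request rejected: user name too long\n", stderr);
        return 1;
    }
    printf("looking up user \"%s\"\n", name);
    return 0;
}
```

The point of the example is the missing check, not the buffer size: whatever size is chosen, the implementation must compare the input length against it before copying, which is exactly what gets() cannot do.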

Another recent one is the Heartbleed bug. It is a serious software bug in the OpenSSL library. Exploiting this vulnerability, attackers can eavesdrop on OpenSSL-encrypted communication, steal data from servers and clients, and also impersonate either party. It is caused by an implementation failure in the heartbeat part of the OpenSSL library, and it has nothing to do with the design of TLS.
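As an added example (not OpenSSL's code, and not part of the original post), the following C parser shows the kind of check whose absence made Heartbleed an implementation bug: the heartbeat message carries a payload length chosen by the peer, and the response must only ever copy as many bytes as were actually received. The structure layout follows the TLS heartbeat message (type, 16-bit length, payload, padding); the function names and the 16-byte minimum padding used here are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16  /* minimum padding assumed after the payload */

/* Parsed view of one heartbeat record; payload points into the record. */
struct heartbeat {
    uint8_t        type;
    uint16_t       payload_len;
    const uint8_t *payload;
};

/* Returns 1 and fills *hb when `rec` (rec_len bytes actually received)
 * contains a well-formed heartbeat, 0 otherwise.
 *
 * The vulnerable pattern was, in effect,
 *     memcpy(response, payload, claimed_len);
 * with claimed_len taken from the message and never compared with
 * rec_len, so a request with a small payload and a large length field
 * made the server copy memory beyond the request into the reply. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;                                   /* too short to be valid */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The missing check: the claimed payload plus the mandatory padding
     * must fit inside what was actually received. */
    if ((size_t)HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;

    hb->type        = rec[0];
    hb->payload_len = claimed;
    hb->payload     = rec + HB_HEADER;
    return 1;
}

/* Builds the response into `out`. Copies exactly payload_len bytes of the
 * validated payload, so the reply can never contain memory that was not
 * part of the request. Returns the response length, or 0 if out is too small. */
size_t build_heartbeat_response(const struct heartbeat *hb, uint8_t *out, size_t out_len)
{
    size_t need = HB_HEADER + hb->payload_len + HB_PADDING;
    if (out_len < need)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(hb->payload_len >> 8);
    out[2] = (uint8_t)(hb->payload_len & 0xff);
    memcpy(out + HB_HEADER, hb->payload, hb->payload_len);
    memset(out + HB_HEADER + hb->payload_len, 0, HB_PADDING); /* real code: random padding */
    return need;
}

int main(void)
{
    /* Constructed request: type 1, claimed length 4, payload "ping", 16 padding bytes. */
    uint8_t good[] = { 1, 0, 4, 'p', 'i', 'n', 'g',
                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    /* Same bytes on the wire, but the length field claims 65535 bytes. */
    uint8_t bad[sizeof good];
    memcpy(bad, good, sizeof good);
    bad[1] = 0xff; bad[2] = 0xff;

    struct heartbeat hb;
    uint8_t out[64];
    printf("good record accepted: %d\n", parse_heartbeat(good, sizeof good, &hb));
    printf("response length: %zu\n", build_heartbeat_response(&hb, out, sizeof out));
    printf("bad record accepted:  %d\n", parse_heartbeat(bad, sizeof bad, &hb));
    return 0;
}
```

Note that the TLS design already says how long the record is; the bug was purely that the implementation trusted the inner length field instead of bounding it by the outer one.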

Now let's look at a recent design-flaw vulnerability. iOS 6 had a vulnerability in mobile hotspot passwords: a hacker could recover the password with a simple dictionary/brute-force attack. This vulnerability is not an implementation issue but rather results from a design flaw in how the passwords are generated. The password is generated from a set of predefined words. Words are randomly selected from that set and padded with a 4-digit random number. The flaw here is that the selection of words from the pool is not truly random, and the number of words in the pool is also small.

Good read: Avoiding the top 10 software security design flaws

Bottom line: use secure design principles and secure coding techniques to avoid such vulnerabilities.



Top data breaches of 2014 and lessons

May - eBay [1, 2]
  • 145 million
  • The problem has been exploited at least from February
  • Information compromised - encrypted passwords, usernames, emails, DoBs, phone numbers, postal addresses
  • How - eBay allows sellers to use active content such as JavaScript and Flash. Hackers embedded password-harvesting scripts in listings and used an XSS attack to gather information from logged-in users
  • Lessons - If you allow active content on your web site, you need to have preventive measures (such as limiting what is allowed) as well as risk mitigation techniques (detection, monitoring, etc.) in place. If not, it is better to block active content.

September - Home Depot [1]
  • 56 million
  • Information compromised - credit and debit card numbers
  • How - resulted from the compromise of a third-party vendor
  • Lessons - Organizations should evaluate the security measures taken by third-party vendors and also have intrusion detection in place.

September - JPMorgan Chase [1, 2]
  • Attack discovered in July and disclosed in September
  • 76 million households (83 million accounts)
  • Information compromised - names, addresses, phone numbers and email addresses
  • How - Hackers got access via a neglected server which had not been upgraded to two-factor authentication
  • Potentially took 2 months to notice unusual activities after the initial attack
  • Lessons - Security is only as strong as the weakest link in your system. Make sure you do not leave any unguarded holes in your network. The need for better and faster detection techniques cannot be emphasized enough.

December - Sony Pictures [1]
  • Number of people affected is still not known
  • Attack initially detected in November
  • Information compromised - unreleased movies, company emails, executive salaries, personal information, internal strategy information
  • How - wiper malware (it is still not known how it got into the system). It is likely that lapses in internal security measures may have resulted in this attack.
  • Lessons - Never take security lightly. Internal security measures and auditing should always be a top priority.

Monday, December 29, 2014

Explaining public cloud computing to my kid

Subway - Public Cloud Computing

Bob is living in a very busy city. In order for him to go to work, he could either take the subway train or drive his own car. Bob is a recent college graduate. He has neither a lot of money nor a good credit score. Therefore, buying a car is somewhat out of the question. Besides, it is really time consuming to drive in the city to commute. So, Bob opts to take the subway to work. This is exactly how cloud computing works. Instead of Bob buying his own vehicle, he is using public transportation to commute. In cloud computing, companies, without having to invest in computer hardware, rent hardware or software in the cloud.

When Bob takes the subway, he shares the ride with many other commuters. Similarly, many organizations share the computing infrastructure made available through cloud computing.

Bob pays for his subway ride every day. He pays only when he takes it and only for the distance he travels. For example, Alice, who is also a subway commuter, has to pay more than Bob as she travels a longer distance than Bob. Likewise, with cloud computing, companies pay only for the resources they use. If a company uses more resources than another, it has to pay the cloud provider more.

Subway trains are available 24x7. Bob can catch a train virtually any time he wants. Similarly, the cloud is available 24x7.

Trains have more compartments during peak hours than during normal hours. So, Bob does not have to worry about getting on board any time he wants to take a train. The subway accommodates all passengers, catering for varying demand throughout the day. The cloud is also like that. The resources in the cloud can expand or shrink based on demand. We call it elasticity. Elasticity is a very useful property that lets businesses respond to their customers in a timely manner for varying amounts of demand throughout the year.

If Bob used his own vehicle, he would need to regularly maintain his car on his own and repair any damage. Since Bob is using public transport, he does not have to worry about any of that. Similarly, companies can have the peace of mind that they don't have to worry about maintaining computer hardware and having dedicated staff to look after it.

When Bob boards the train, he gets a seat to sit in and travel peacefully. Usually, everyone respects each other and does not invade others' space. Bob can browse his smart phone or read a book without unnecessary peeking from others. Similarly, even though the cloud is public, companies get their own bounded space to do their business so that their data is not mixed with other companies' data.

Usually subways have one or more train operators and ticket security officers. They make sure that Bob and other passengers travel safely, and they catch bad people who misuse the system. Similarly, the cloud provides several security measures to make sure that your business is safe and secure.

In summary, a public cloud is a shared resource, paid-per-usage, elastic, 24x7 available, transparent, virtually isolated, and secure.


Tuesday, December 23, 2014

Taxonomy of Information Protection Mechanisms

Is there a single silver-bullet solution that solves all security problems? No, there isn't any. In fact, there won't be one in the future either. Security is a complex landscape that requires multiple solutions to protect against many threats. The following diagram tentatively groups those solutions into 4 main categories:

Figure: Taxonomy of information protection mechanisms (source: http://goo.gl/1YecXg)

The first line of defense is to have denial and isolation techniques to keep bad people away from your system. For example, a firewall can prevent SQL injections by malicious users. Persistent hackers may penetrate this defense by exploiting a vulnerability in the perimeter security or by using a social engineering technique. Degradation and obfuscation mechanisms such as encryption and anonymization are utilized to make it difficult to access the real data if hackers get through the first layer of defense. That is, if an attacker gets his hands on the encrypted data, it will be difficult to decrypt it without access to the keys. In order to make it even harder for attackers, negative information and deception techniques are used. For example, mix real passwords with fake passwords (honeytokens). Nowadays, attackers are so sophisticated that they may carry out attacks in your system without your knowledge, i.e. evading any detection of unauthorized actions. In fact, statistics show that most attacks on systems remain undetected or are detected only a long time after the inception of the attack. Therefore, it is important to have detection mechanisms, and then counter-operations to cut down the damage caused by the attacks and take corrective measures.

Notice that some techniques provide protection for multiple overlapping areas. For example, honeytokens serve as a deception as well as a detection mechanism.

As you can see, there is no single silver bullet that protects your system. We need to deploy multiple solutions to achieve defense in depth. The idea behind multiple defense mechanisms is to make attackers' lives difficult so that they give up when their effort exceeds what they get in return.

References:  http://goo.gl/1YecXg