Web Application Threat Modeling – It’s Hot and Buzzing!!

Recently I flunked an interview wherein the interviewer was asking lots of questions around threat models. While I will not be putting any of those questions here, I did do my “after the horse bolted” type of post mortem and have come up with a list of questions that anyone who works with the design of web applications should be aware of.

First the obvious one: What is Threat Modeling?

Well, it’s a hot buzzword these days in the world of information technology security. Threat modeling is a structured approach to analyzing your web application design and identifying threats against your system. Hmm… you said THREAT? A threat model is very useful for identifying design-related security issues early in the application development lifecycle, which makes mitigating those issues less costly than identifying them in, say, the Verification phase.

So what is a Threat? A threat is a possible harm that can be caused to an Asset (anything of importance that needs protection; from a web application perspective it may be user passwords, keys, financial information, etc.).

Where and when do you start Threat Modeling? A good point to start threat modeling is just after you are done with the functional and technical design document of your application. Having said that, it is never too late to start; if not in the current release, this may help in the next.

What are the general steps involved in Threat Modeling?

The threat modeling process should ideally start with a brainstorming session to answer the following questions (by no means an exhaustive list, so think think think):

  1. What is an asset to the system?
  2. Who are the end users?
  3. Where will you deploy the application? Is this an intranet application or will be accessible over internet?
  4. What would attract a malicious user to your system?
  5. What security mechanisms do you have in place?
  6. How many points of failure does this application have? One??? Run back to the drawing board…

While doing the threat model of an application (or anything), think like an attacker who is trying to sabotage your app. Find ways of subverting your system through its weaknesses. This will help you create an Attack Tree (a What??????)

Once you have identified the threats, what’s next? Remember, risk can never be erased fully; you can only Transfer/Accept/Ignore the risk. And that’s exactly what you do once you have identified the threats. A good threat model will have ALL the identified threats reviewed and updated as Ignore/Accept/Transfer.


Authentication and authentication protocols

Authentication is one of the fundamental requirements for ensuring the security of important assets. Authentication is the process of validating the identity of an object trying to access an asset. Authentication can be based on one or more of the following:

  1. Authentication by what you know.
  2. Authentication by what you have.
  3. Authentication by what you are.

When attempting to authenticate a user/application, several industry-standard types of authentication may be used, depending on the conditions that apply in each case.

The authentication protocols supported by the Microsoft Windows Server 2003 family include:

  1. Kerberos v5 authentication.
  2. SSL/TLS authentication.
  3. NTLM authentication.
  4. Digest authentication.
  5. Passport authentication.

Kerberos v5 authentication protocol: This protocol is used with either a password or a smart card for interactive logon. It is also the default method for network authentication of services. The process works like this:

  1. The user on a client system using a password or a smart card authenticates to the KDC.
  2. The KDC issues a TGT to the client. The client system uses the TGT to access the Ticket Granting Service (TGS) which is the part of the Kerberos V5 authentication mechanism on the domain controller.
  3. The TGS issues a service ticket to the client.
  4. The client supplies the required network service with the service ticket. The service ticket provides both the user identity to the service and also the service identity to the user.

So the Kerberos v5 authentication protocol has the following main parts:

  1. Key Distribution Center (KDC)
  2. Ticket Granting Ticket (TGT)
  3. Ticket Granting Service (TGS)

The Kerberos v5 services are installed on each domain controller and a Kerberos client is installed on each workstation and server.

Each domain controller acts as a KDC. The client service uses DNS to look up the nearest domain controller and, in turn, the nearest KDC.

Beginning with Windows Server 2003, Kerberos is implemented as an SSP (Security Service Provider) that can be accessed using the SSPI (Security Support Provider Interface).

SSL/TLS authentication protocols: TLS/SSL authenticates and secures data transfer by using certificate-based authentication and symmetric encryption keys. From Windows Server 2003 onwards, the SSL/TLS protocols are implemented as a Security Service Provider (SSP), a dynamic link library called SChannel that is supplied with the OS. Which one gets used is decided based on the capability of the computer on the other side of the connection. The default SSPs for Windows Server 2003 include the following: Kerberos, Digest, NTLM, SChannel and Negotiate authentication protocols as DLLs in the SSPI.

The SChannel SSP is used to access web-enabled services such as email and personal information served over the internet on web pages. The SChannel SSP uses public key encryption to authenticate parties. It supports four authentication protocols:

  1. TLS v1.0
  2. SSL v3.0
  3. SSL v2.0
  4. Also supports PCT (Private Communications Transport) for backward compatibility.

SChannel then selects the most preferred authentication protocol that both parties can support.

TLS/SSL Architecture: The TLS/SSL protocols are layered between the Application layer and the TCP/IP layer, where they can secure the application data and send it to the transport layer for further transport. Because TLS/SSL works between the application layer and the transport layer, it can support multiple application layer protocols.

TLS/SSL assumes that TCP/IP is in use. The main advantage of using TLS/SSL is that it provides the following:

  1. Message Integrity
  2. Message confidentiality
  3. Message authentication

Step by step, this is how SSL/TLS works:

  1. The client tries to connect to an SSL/TLS-enabled service on port 443. The browser sends information that includes its supported methods of encrypting data: an encryption type, some random data that the encryption programs on both sides can use in the scrambling routine, and other SSL-related data.
  2. The server responds by sending its own random data to be used for the encryption, as well as other SSL information, including its SSL certificate with the public key that the browser will use in the subsequent steps.
  3. The client browser checks the information it has received and compares it to the domain it was trying to connect to securely. If the certificate information from the web site doesn’t match the domain name, the browser notifies the user that there is a problem. The certificate expiration date and the validity of the certificate authority are also checked at this point.
  4. After validating the server certificate, the browser generates random data and encrypts it using the agreed-upon encryption method. For encryption it uses the public key sent by the server, and it sends this encrypted secret to the server.
  5. With the string that the server received from the browser, both the browser and the web server create a new string and use it to create session keys that their encryption programs use to scramble and descramble (or encrypt/decrypt) all transmissions for the rest of the session. With the Master Secret key in place, both sides are also able to verify that the data didn’t change en route.

NTLM Authentication: NTLM is the abbreviation for Windows NT LAN Manager. This is a Windows network authentication protocol that uses a challenge/response system to allow a client to prove its identity without sending the password over the network. NTLM is the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups. NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.

Kerberos has mostly replaced NTLM in domain controller environments within AD implementations, but NTLM still finds widespread usage in environments where the domain controller is unavailable or unreachable.

Reference: http://technet.microsoft.com 

 

Information Security: Phishing and Microsoft Phishing filters

Phishing is one of the fastest growing threats of identity theft and abuse on the internet. It is so prevalent that almost any site of importance will have a warning mentioned somewhere to be careful about phishing attacks.

The very basis of phishing attacks is phony websites that look and feel exactly like the actual site to the user. This way the attackers manage to fool the user and get important personal and financial information ranging from SSNs to credit card details.

Often phishing requests are sent in innocent-looking emails that mimic the actual emails sent out by legitimate organizations, requesting information from users. A not-so-tech-savvy user may not be careful enough, and hence important information is lost.

To fight against phishing scams, Microsoft has taken a number of steps that include:

1. Including SenderID in all of its email products and services

2. The Phishing filter (SmartScreen filter)

Per MSDN:

The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail messages are sent. Sender ID validates the origin of e-mail messages by verifying the IP address of the sender against the alleged owner of the sending domain.

The SmartScreen filter is a feature of Windows Internet Explorer 8. It is designed to help protect the user from fraudulent websites trying to steal personal information. SmartScreen filter also helps protect from installing malicious software or malware.

SmartScreen filter helps to protect you in three key ways:

  • It operates in the background as you browse the web, analyzing webpages and determining if they have any characteristics that might be suspicious. If it finds suspicious webpages, SmartScreen filter will display the “Are you trying to visit this website?” fly-out, giving you an opportunity to provide feedback and advising you to proceed with caution.
  • SmartScreen filter checks the sites you visit against an up-to-the-hour, dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen filter will show you a red warning notifying you that the site has been blocked for your safety.
  • SmartScreen filter also checks files downloaded from the web against the same dynamic list of reported malicious software sites. If it finds a match, SmartScreen filter will show a red warning notifying you that the download has been blocked for your safety.

Application Security: Internet Explorer and Cross Site Scripting

Cross site scripting (aka XSS) is one of the most prevalent web application security issues. In the OWASP Top 10 for 2010, cross site scripting featured prominently at number 2.

Considering the damage that a successful cross site scripting attack is capable of doing, almost all the successful commercial browsers have tried to provide security features that make it difficult to execute a successful cross site scripting attack. One of the main ways this attack is carried out is by exploiting the browser’s capability for executing scripts.

Starting with Internet Explorer 6 SP1, a new cookie attribute was introduced to counter the menace of XSS.

This attribute makes the cookie inaccessible to the scripts, thus stopping malicious script code from executing. Cookies with this attribute set are called HttpOnly cookies.

A cookie is set on the client with an HTTP response header.

Set-Cookie: <name>=<value>[; <name>=<value>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]

The HttpOnly attribute is not case sensitive. It is important to note that this feature must be used in coordination with other XSS mitigations to effectively counter XSS, such as:

1. Proper input validation.

2. Adequate output encoding whenever any possible user controlled values are rendered back to the browser.

Application Security: Internet Explorer 8 vulnerabilities

The main class of vulnerability detected and patched in Internet Explorer 8 for Windows Server is Remote Code Execution.

As of this writing, the latest patch came out on Feb 8, 2011 and contained fixes for a number of issues. Some of these include:

CSS Memory Corruption Vulnerability.

Per CVE-2010-3971 this issue came up because of a vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, that is used in Microsoft Internet Explorer 6 through 8 and other products.  This vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a style sheet.

Uninitialized Memory Corruption Vulnerability.

Per CVE-2011-0035 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption.

Almost all the issues reported lead to remote code execution; an attacker who successfully exploited one could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Application Security: What is CIA?

It has been a long time since I wrote anything in this blog. I am preparing for my CISSP examination and thought that I would share some notes here.

CIA forms the fundamental triad of information security and stands for CONFIDENTIALITY, INTEGRITY and AVAILABILITY.

What is Confidentiality? Any item of importance for an individual/organization (also called an asset) should not be disclosed to anyone who has not been granted explicit rights to it.

What is Integrity? Assurance that the data is free of unauthorized manipulation.

What is Availability? All data and services should be available to legitimate users each time they need them.

Anything and everything we do in information security is always directed towards ensuring that the triad is maintained.

Loss of any one of the three may have extreme legal/reputational impact on the organization/individual.

Setting up the Microsoft Windows 7 Event Viewer to display Security Errors

  1. Open Microsoft Management Console (Start->Run->mmc).
  2. In the Console window select File->Add/Remove Snap-In.
  3. In the “Add or Remove Snap Ins” window, select “Group Policy Objects” and click the “Add” button.
  4. In the “Select Group Policy Object” dialog box ensure that “Group Policy Object” is set to “Local Computer”.
  5. Click Finish in the “Select Group Policy Object” dialog box.
  6. Click Ok to close the “Add or Remove Snap Ins” window.
  7. The “Local Computer Policy” will now be listed under the “Console Root” folder on the left pane.
  8. Navigate to Local Computer Policy->Computer Configuration-> Windows Settings->Security Settings->Local Policies-> Audit Policy
  9. Right click on “Audit Privilege Use” Policy and select Properties.
  10. Set the Success and Failure check boxes and click Ok to close the properties window.
  11. Exit the tool.
  12. Your new Audit Policy to check Privilege Use should be ready in a couple of seconds.

SQL Injection Mitigations – Is SP_EXECUTESQL enough?

If you are writing Stored Procedures in SQL Server and your code went through a security code review, chances are that you heard the terms “dynamic SQL” and “sp_executesql” in the context of SQL Injection.
I found the details of what sp_executesql does in MSDN here. The MSDN article starts with a Security note that reads “Run time-compiled Transact-SQL statements can expose applications to malicious attacks, such as SQL injection.”
This procedure, if used correctly, can help mitigate SQL Injection attacks to an extent.
From SQL Server Books Online, the syntax of sp_executesql looks like:
sp_executesql [ @statement = ] statement
[
    { , [ @params = ] N'@parameter_name data_type [ OUT | OUTPUT ][ ,...n ]' }
    { , [ @param1 = ] 'value1' [ ,...n ] }
]
This method is useful ONLY when you use parameterization correctly; it is no different from dynamic SQL if used with string concatenation. I wrote a quick set of code snippets (copied below) to check this:
[image]
The table I used is detailed in my blog entry here. As you can see, a well-crafted SQL query in the input can still get me details not meant to be shown.
This can be avoided if I use a properly parameterized implementation of sp_executesql, detailed below.
[image]
As you can see, when parameterization is used correctly even a crafted value cannot be used to manipulate the results returned by the query.
So using SP_EXECUTESQL helps mitigate SQL Injection attacks only if parameterization is used properly.
I am trying to understand the internal workings of sp_executesql, for now [:)]!
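
An added example (not the original post's code) contrasting the two uses of sp_executesql described above. The temporary table, its columns, the sample rows and the variable names are constructed for illustration; the syntax assumes SQL Server 2008 or later.

```sql
-- Constructed sample data; table and column names are assumptions.
CREATE TABLE #ZipCodes (ZipCode NVARCHAR(10) NOT NULL, City NVARCHAR(50) NOT NULL);
INSERT INTO #ZipCodes (ZipCode, City)
VALUES (N'10001', N'New York'), (N'60601', N'Chicago'), (N'94105', N'San Francisco');

-- A crafted value: the embedded quote ends the string literal early and the
-- trailing text is then read as SQL instead of as part of the city name.
DECLARE @city NVARCHAR(50) = N'Nowhere'' OR 1=1 --';
DECLARE @sql  NVARCHAR(400);

-- 1) sp_executesql over a concatenated string. The value is pasted into the
--    statement text, so the parser sees: WHERE City = N'Nowhere' OR 1=1 --'
--    and the filter no longer restricts the rows.
SET @sql = N'SELECT ZipCode, City FROM #ZipCodes WHERE City = N''' + @city + N'''';
PRINT @sql;                      -- show the statement that is about to run
EXEC sp_executesql @sql;

-- 2) sp_executesql with a declared parameter. The statement text is constant;
--    the crafted value is bound to @p_city and compared as a plain string,
--    quote and all, so it cannot change the shape of the query.
SET @sql = N'SELECT ZipCode, City FROM #ZipCodes WHERE City = @p_city';
PRINT @sql;
EXEC sp_executesql @sql, N'@p_city NVARCHAR(50)', @p_city = @city;

DROP TABLE #ZipCodes;
```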

SQL Injection – the way I learnt it

I am writing some T-SQL code for one of the assignments and am told to watch out for SQL injection as a possible attack vector.
So I took a look around to see what it is and how it really works from a very high level. A good resource to start with for SQL Injection (or for that matter any attack) is OWASP.
To get hands-on with how dynamic SQL is executed using the Execute statement, I created a dummy database in my local SQL Server instance and created some tables in it. For the purpose of this write-up, I will only use one of the tables in the DB, which I call “ZipCodes”. There are three dummy records in the table and here is the snapshot:
[image]
I created a Stored procedure to get me the record count from this table. Here is the code:
[image]

As you see, I do not do anything fancy. The Stored procedure takes some parameters and then constructs a SQL statement, @SQL, which is then executed.
I execute the stored procedure using the following statement to confirm that the procedure is working just fine:
[image]
To check whether the stored procedure is validating the input parameters, I inserted the following value as part of the execute statement:

Exec [dbo].[StoredProcedureToCheckForSQLInjection] '''', 'ABC', 123, 'ZipCodes'

Well, that irritated my SQL Server and the Stored procedure cried out the following error:
[image]
Look at the query that the SP tried to execute (that’s why I used the Print statement in the stored procedure code).
OK, I am on the right track and this procedure is a possible candidate for an injection attack. I as an attacker will know this by looking at the result above, which shows that:
1. The Stored procedure is NOT validating the inputs.
2. The stored procedure is doing something by concatenation. (Remember that I as an attacker will not have access to the SP code, and hence it will be an analysis of the result/error above that will give me these details.)
That’s good news. So can I get all the records in this table? Let’s check using a crafted input that looks like the one below:
[image]
Once this query is run, the result that is thrown back is below:
[image]

Well, that is not what the SP is supposed to do.
Let’s check the query that the SP executed to get to the result above:
[image]
This is a very very very simple scenario and hopefully all the smart developers out there are not writing code like this in their Stored Procedures. But since I just started and it took me a while to get my query going, I thought of putting this here for reference.
I will come back to this with more tricky cases. Till then it’s Happy Learning to me!!
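
One way to harden a record-count procedure that takes a table name, as an added example that is not the post's own code. The procedure name, its parameters, the table columns and the sample rows are all assumptions made for illustration (SQL Server 2008 or later); the point it adds is that a table name cannot be bound as a parameter and needs a catalog check instead.

```sql
-- Constructed sample table; the column names are assumptions.
CREATE TABLE dbo.ZipCodes (ZipCode NVARCHAR(10) NOT NULL, City NVARCHAR(50) NOT NULL);
INSERT INTO dbo.ZipCodes (ZipCode, City)
VALUES (N'10001', N'New York'), (N'60601', N'Chicago'), (N'94105', N'San Francisco');
GO

-- Hypothetical procedure name and parameters (not the post's procedure).
CREATE PROCEDURE dbo.GetRecordCountChecked
    @TableName SYSNAME,
    @City      NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;

    -- A table name cannot be bound as a parameter, so it is never concatenated
    -- as received. Resolve it against the catalog: OBJECT_ID returns NULL unless
    -- the text names an existing user table ('U') in the dbo schema.
    DECLARE @ObjectId INT = OBJECT_ID(N'dbo.' + QUOTENAME(@TableName), N'U');
    IF @ObjectId IS NULL
    BEGIN
        RAISERROR(N'Unknown table name.', 16, 1);
        RETURN;
    END;

    -- Build the statement from the catalog's own names, bracket-quoted with
    -- QUOTENAME; the filter value stays a bound parameter.
    DECLARE @SQL NVARCHAR(MAX) =
          N'SELECT COUNT(*) AS RecordCount FROM '
        + QUOTENAME(OBJECT_SCHEMA_NAME(@ObjectId)) + N'.'
        + QUOTENAME(OBJECT_NAME(@ObjectId))
        + N' WHERE City = @p_city';

    PRINT @SQL;  -- same debugging aid as in the post: show the statement text
    EXEC sp_executesql @SQL, N'@p_city NVARCHAR(50)', @p_city = @City;
END;
GO

-- Normal call.
EXEC dbo.GetRecordCountChecked @TableName = N'ZipCodes', @City = N'Chicago';

-- Crafted values: the table name fails the catalog lookup, and the quote in
-- @City is compared as data instead of closing a string literal.
EXEC dbo.GetRecordCountChecked @TableName = N'ZipCodes WHERE 1=1 --', @City = N'Chicago';
EXEC dbo.GetRecordCountChecked @TableName = N'ZipCodes', @City = N''' OR 1=1 --';
GO

DROP PROCEDURE dbo.GetRecordCountChecked;
DROP TABLE dbo.ZipCodes;
```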