Tuesday, December 1, 2015

Privacy, Breadcrumbs and Personally identifiable information (PII)



I am reading “Programming Windows Store Apps with HTML and CSS” by Kraig Brockschmidt. It’s a good book, and better still you can get the ebook/PDF version for free (http://blogs.msdn.com/b/microsoft_press/archive/2012/10/29/free-ebook-programming-windows-8-apps-with-html-css-and-javascript.aspx).

The author, Kraig Brockschmidt, has a section about adding code to a demo app (Here My Am!) to share a photo and a geo location. I came across the following text: “And if you still think I’ve given you coordinates to my house, the ones shown here will send you some miles down the road where you’ll make a fine acquaintance with the Tahoe National Forest.” In the newer version of the book he has his house coordinates blurred out so we can’t see them.

Let’s look at his remark and see how true it is from a privacy perspective. First, what do we actually know?

* His name Kraig Brockschmidt.
* A good guess is he works for Microsoft Software.
* We know he lives close to Tahoe National Forest.
* A quick look up in Google/Bing shows that the main address for Tahoe National Forest is Lake Tahoe, CA 96140.
* So another good guess is that he lives in the state of California.

Now let’s go back to our favorite search tool and see how difficult it is to learn Kraig’s physical address, since he won’t give us the geo coordinates of his house. Maybe we want to borrow a cup of sugar and share some Microsoft love.

First we can simply search for his name and state and see what we get. The first entry in our results list is a web site (http://www.kraigbrockschmidt.com); a quick look around confirms it is Kraig’s web site. We can see references to California and his books. On his about page we see that he and his wife moved to Nevada City, CA in 2011. So now we know his state and his city.

Using his own web site, LinkedIn and O’Reilly we see that his current employer is Microsoft Software, where he works as a program manager.

So now we have his city, state and employer. We just need his physical house address. Not to worry: a quick web search and we will be at his house in a few minutes to borrow that cup of sugar.

We can use http://www.zabasearch.com (ZabaSearch can be completely free if you sign in with Facebook) or, if we prefer, a paid service such as http://www.intelius.com/. Now we have his physical house address and phone number.

I am not going to post his actual home address or his phone number in this blog post. I just looked, and I have enough sugar so I don’t need to borrow a cup.
Unfortunately what works to find Kraig’s home address also works to find my home address. I also checked on a few friends living in Owasso and Depew, OK and was quickly able to get their home addresses and phone numbers.

The issue here is a hard one to solve. We want to be connected to people, and the easiest way is the Internet. We want and need the Internet for our own personal branding; we need and want to show our professional work. Some of us want to discuss our spiritual paths, political views and so on with friends and others. That causes us grief, because while no single web site gives a complete view of who we are, we leave enough breadcrumbs for sites like ZabaSearch, and for state and federal government web sites, to aggregate data on us. Remember, we don't want our physical address known to everyone on the Internet, but we do want police and fire services to be able to find us quickly.

We find ourselves in an uncomfortable position of wanting to control what we can’t.

It is not just our physical addresses that are hard to keep private; other personal information is under attack as well. Researchers found that, from nothing more than what we mark as likes on Facebook, a wide variety of personal attributes, from sexual orientation, race, age and political affiliation to intelligence, can be predicted with remarkable accuracy (93% to 95% for the best-predicted attributes).

See (http://www.pnas.org/content/110/15/5802.full.pdf); you can also go to (http://applymagicsauce.com/test.html) to take part in the study.

These predictive algorithms will only improve. Not just Facebook but also Google, Bing, Yahoo, Amazon and others are funding predictive-algorithm research so businesses can sell us more products and services.

So what is the solution? I don’t know. We want our information out there, and businesses are finding more and more ways to get it and use it. We give information away for perceived and real benefits, such as searching Bing or Google without paying, or getting a good deal on products and services. Between the breadcrumbs we leave on the Internet and the public records we have already provided, the ability for someone to build an accurate profile of us is real.

My recommendation is to pay attention to what you are doing. One example: by default our likes on Facebook are public. You can make this information private in Facebook’s settings, which puts you in charge of your own information. I am not going to kid you; this is not an easy task. You are on a slippery slope, and no matter what you do some information about you will always be publicly available.

Additional information...
* http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
* https://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf
* http://itlaw.wikia.com/wiki/Personally_identifiable_information

Sunday, August 17, 2014

UnHandled exceptions and secure coding

We all want our programs to run under explicit control, doing exactly what the user or other processes need. As we know, that does not always happen, and this has driven the rise of several large components of software development: Quality Assurance (QA) testing, Test Driven Development (TDD), etc. These processes try to identify all the reasons a program may fail. Nevertheless, even with these processes, programs fail for many reasons.

This weekend I went to one of my favorite web sites (www.movies.com) to look for a movie to watch. I clicked on one of the controls and received an exception. This is a major Internet site. I hope nothing bad comes of this for movies.com, but this is not a good thing for a major web site. movies.com gets about 15,000 users a month and is ranked 3,152 among top sites by daily users and page views. To see the exception that prompted this blog post, scroll to the bottom of this post.

One of the principles of secure programming is to fail securely. Many programmers simply do not look at exception handling as part of secure coding. One of my favorite sayings is “An error message to a cyber criminal is like a bone to a dog; something good to chew.”

Exceptions carry a lot of very useful information: file paths, database names, database table names, server names, program names, module names, line numbers, etc. All of this is very helpful to a developer at 3:00 am trying to debug a production issue. The same information is just as helpful to a cyber criminal. Many attacks require knowing or guessing the locations of files and the layout of the application; with exception details out in the open you reduce the time and guesswork an attacker needs to find a way into your application. It is also a red flag to attackers that something is amiss here, and that this may be a good place to start if they want something bad to happen at your organization.

All exceptions need to be caught and sanitized before they propagate to upstream callers or are displayed.

A few suggestions on exception handling in a more secure way.

  1. Log your exceptions, and sanitize what you log. Never log passwords or other highly sensitive information. Look closely at user input before logging it to make sure you really need that information in the log.
  2. Display a generic error message so the user knows something is wrong with the application. The programmer who needs the details at 3 am should be trained to know where to look in the log for the additional error information.
  3. Clean up state if the application is going to fail. Cleanup often involves reclaiming resources, rolling back transactions, or some combination of these, among other things. Some of this can be automated. Make sure the entire cleanup mechanism is also tested in QA.
  4. Fail-secure behaviour should be part of the application design and included in the functional specification, not left to individual implementers.
  5. Make sure programmers are not using the “exception swallowing” anti-pattern (catching an exception and silently discarding it, so the failure is neither logged nor handled).


Summary:

How your application will fail securely should be part of the design document and reviewed early in the lifecycle. Use the programming framework to detect an exception, and then augment the framework’s exception handling with the activities that must be performed after the exception has been detected.

Carefully consider the content of error messages displayed to the user, to ensure that those messages cannot be used to mount a more serious attack.

Finally, a process should be in place to ensure that all errors and exceptions are logged, that the logs are audited periodically to detect and potentially prevent malicious activity appearing in the audit trail, and that no confidential information is being logged.


References:
https://www.owasp.org/index.php/Secure_Coding_Principles#Fail_securely
http://msdn.microsoft.com/en-us/magazine/cc188938.aspx
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
http://en.wikipedia.org/wiki/Error_hiding



Exception: www.movies.com
Server Error in ‘/’ Application.
1. In GetTheaterShowTimes()

2. Passed movieId: 

3. Passed zipCode: 74012

6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012

7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012

10. forceRetrieve = True

11. resultsDoc == null? False

12. Trying to get results from file system!


Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
  at System.Xml.XmlTextReaderImpl.ParseElementContent()
  at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
  at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
  at System.Xml.XmlDocument.Load(XmlReader reader)
  at System.Xml.XmlDocument.Load(String filename)
  at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
  at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372 Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


Exception Details: System.ApplicationException:
1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False
12. Trying to get results from file system!
Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)   at System.Xml.XmlTextReaderImpl.ParseElementContent()   at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)   at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)   at System.Xml.XmlDocument.Load(XmlReader reader)   at System.Xml.XmlDocument.Load(String filename)   at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254   at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372


Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace: [ApplicationException:

1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False 12. Trying to get results from file system!

Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type) at System.Xml.XmlTextReaderImpl.ParseElementContent() at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace) at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc) at System.Xml.XmlDocument.Load(XmlReader reader) at System.Xml.XmlDocument.Load(String filename) at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254 at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372] Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:649 Mdc.Movie.Presentation.TheaterSelectionPage.OnLoad(EventArgs e) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.Presentation\TheaterSelectionPage.aspx.cs:529 System.Web.UI.Control.LoadRecursive() +71 System.Web.UI.Page.ProcessRequestMain(Boolean 
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446

Thursday, June 12, 2014

Privacy

Here is a good definition of privacy...

An individual’s ability to determine how much, to whom, and when / for how long information about themselves is revealed.

Here is another definition...
The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

I think the first definition cuts to the heart of the matter a little more quickly, with a simpler and more accessible definition.


Tuesday, June 10, 2014

Privacy and the internet

A lot has been in the media recently about encrypting email in Gmail. But email isn't the only thing being looked at where your privacy is concerned. I decided for this blog post to show two infographics. I have already talked about this subject in several blog posts, but showing the same information again on an important subject can't hurt.


[Infographic: Internet Privacy Tips Statistics 2014, published on AnsonAlex.com]

Here is the last infographic on privacy I have for this blog post.

Sunday, May 11, 2014

Tulsa School of Dev



Don't forget May 16: free, all-day training at the OUS downtown campus. For more information go to http://tulsaschoolofdev.com

Client Side Coding - JavaScript

JavaScript has several well-known classes of security vulnerability. With HTML5 and JavaScript becoming more prevalent in web sites, and with more web sites moving to responsive web design and its dependence on JavaScript, developers need to understand what vulnerabilities to look for.

The most significant vulnerabilities in JavaScript are cross-site scripting (XSS) and, in particular, DOM-based XSS, where the injection happens in the browser through the Document Object Model (DOM) rather than in HTML generated by the server.

Detecting DOM-based XSS can be challenging, for the following reasons.

• JavaScript is often obfuscated to protect intellectual property.
• JavaScript is often minified (compressed) out of concern for bandwidth.

In both cases it is strongly recommended that the code reviewer and QA review the JavaScript before it has been obfuscated or compressed.

Another aspect that makes code review of JavaScript challenging is its reliance on large server-side frameworks such as Microsoft .NET and JavaServer Faces, and on client-side JavaScript frameworks such as jQuery, Knockout, Angular and Backbone. These frameworks aggravate the problem because the code can only be fully analyzed given the source code of the framework itself, and the frameworks are usually several orders of magnitude larger than the code the reviewer needs to review. Because of time and money, most companies simply accept that these frameworks are secure, or that the risk is low and acceptable to the organization.

Because of these challenges we recommend a hybrid analysis for JavaScript: manual source-to-sink validation where necessary, static analysis with taint tracking, and black-box testing.

First, use static analysis. Developers, code reviewers and the organization need to understand that, because of event-driven behavior, complex dependencies between the HTML DOM and JavaScript code, and asynchronous communication with the server side, static analysis will always fall short and will produce both false positives and false negatives.

Black-box testing using the traditional methods for detecting reflected or stored XSS also needs to be performed. However, this approach alone will not reliably find DOM-based XSS vulnerabilities, because the payload (for example, everything after the # in the URL) may never reach the server; the injection happens entirely in the browser.

Taint analysis needs to be incorporated into the static analysis engine. Taint analysis identifies variables that have been ‘tainted’ with user-controllable input (a ‘source’, such as document.URL or location.hash) and traces them to potentially dangerous functions, known as ‘sinks’ (such as document.write, innerHTML or eval). If a tainted value reaches a sink without first being sanitized or encoded, it is flagged as a vulnerability.

Second, developers and QA need to be certain the code was tested with JavaScript turned off, to make sure all client-side data validation is also enforced on the server side.

Code examples of JavaScript vulnerabilities.

<html>
<!-- Vulnerable on purpose: whatever follows "name=" in the URL is written into the page unencoded (DOM-based XSS) -->
<script type="text/javascript">
var pos=document.URL.indexOf("name=")+5;
document.write(
document.URL.substring(pos,document.URL.length));
</script>
</html>

Explanation: an attacker can send the victim a link such as http://hostname/welcome.html#name=<script>bad code here</script>. The part after # is never sent to the server, but document.URL contains it, so the victim’s browser executes the injected client-side code.

Another example:

  1. var url = document.location.href;   // the original read document.location.url, which does not exist; href is the real property
  2. var loginIdx = url.indexOf('login');
  3. var loginSuffix = url.substring(loginIdx);
  4. url = 'http://mySite/html/sso/' + loginSuffix;
  5. document.location.href = url;
Line 5 may be a false positive and prove to be safe code, or it may be open to an open-redirect attack. Note that indexOf returns -1 when ‘login’ is absent and substring(-1) behaves like substring(0), so the redirect target is built from the whole attacker-controllable URL. With taint analysis the static analyzer should be able to determine correctly whether this vulnerability exists.

If the static analysis relies only on a black-box component, this code will be flagged as vulnerable, requiring the code reviewer to do a complete source-to-sink review.
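The following is an added example, not code from the original post or from the OWASP pages it references. It rewrites the two snippets above as pure functions so the vulnerable and hardened forms can be compared side by side and run under Node.js without a browser: the vulnerable functions keep the original string-slicing logic, while the hardened ones parse the URL with the WHATWG URL API, HTML-encode the name before it can reach a markup sink, and allow only a known login path on our own origin for the redirect. The function names, the allowed origin (http://mysite) and the sample URLs are assumptions for illustration; in a page you would pass document.URL or location.href.

```javascript
// Added example (not from the original post): vulnerable and hardened forms
// of the two snippets above. All names and sample URLs are assumptions.

// --- Example 1: the "name=" parameter -----------------------------------

// Vulnerable form, same logic as the first snippet: whatever follows
// "name=" (including "<script>") is returned raw for document.write.
function vulnerableName(url) {
  const pos = url.indexOf('name=') + 5;
  return url.substring(pos, url.length);
}

// Minimal HTML encoder for text that must be inserted into markup. In a real
// page prefer element.textContent = value, which needs no encoding at all.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened form: parse the fragment with URLSearchParams instead of string
// slicing, then encode the value before it can reach a markup sink.
function safeName(url) {
  const u = new URL(url);
  // document.URL includes the fragment, which the server never sees.
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  const name = params.get('name') || '';
  return escapeHtml(name);
}

// --- Example 2: the "login" redirect ------------------------------------

// Vulnerable form, same logic as the second snippet: indexOf returns -1 when
// "login" is absent and substring(-1) is substring(0), so the whole
// attacker-controlled URL is appended to the redirect target.
function vulnerableRedirect(href) {
  const loginIdx = href.indexOf('login');
  const loginSuffix = href.substring(loginIdx);
  return 'http://mySite/html/sso/' + loginSuffix;
}

// Hardened form: resolve the suffix relative to a fixed base so it can never
// name another host, then confirm the result is on our origin and matches an
// allowlist of login paths; anything else goes to a fixed fallback page.
// The URL parser lowercases hostnames, so the origin is written in lowercase.
const ALLOWED_ORIGIN = 'http://mysite';
const LOGIN_PATH = /^\/html\/sso\/login(\.html)?$/;

function safeRedirect(href, fallback = ALLOWED_ORIGIN + '/html/sso/login') {
  let target;
  try {
    const current = new URL(href);
    const idx = current.pathname.indexOf('login');
    if (idx === -1) return fallback;            // no login segment: use the default page
    const suffix = current.pathname.substring(idx) + current.search;
    target = new URL(suffix, ALLOWED_ORIGIN + '/html/sso/');
  } catch (e) {
    return fallback;                             // unparseable input fails closed
  }
  if (target.origin !== ALLOWED_ORIGIN || !LOGIN_PATH.test(target.pathname)) return fallback;
  return target.href;
}

// Constructed sample inputs: the XSS link from the explanation above and a
// URL without "login", which the vulnerable redirect mishandles.
const XSS_URL = 'http://hostname/welcome.html#name=<script>alert(1)</script>';
const NO_LOGIN_URL = 'http://mysite/page?x=1';
```

For XSS_URL, vulnerableName returns the raw <script> tag while safeName returns it HTML-encoded; for NO_LOGIN_URL, vulnerableRedirect builds http://mySite/html/sso/http://mysite/page?x=1 while safeRedirect returns the fallback login page. Taint analysis would flag both vulnerable functions (document.URL or location.href flowing into document.write or location.href); in the hardened forms the tainted value passes through a parser and an encoder or allowlist check before reaching the sink.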

References:



  • http://docstore.mik.ua/orelly/web/jscript/ch20_04.html 
  • https://www.owasp.org/index.php/CRV2_SourceSinkRev
  • https://www.owasp.org/index.php/CRV2_CanStaticAnalyzersDoAll
  • https://www.owasp.org/index.php/Static_Code_Analysis
  • http://www.cs.tau.ac.il/~omertrip/fse11/paper.pdf
  • http://www.jshint.com/about/
  • https://github.com/mozilla/doctorjs

Saturday, March 8, 2014

OWASP Wins SC Magazine 2014 Editor's Choice Award


On Tuesday, February 25th OWASP was awarded the 2014 SC Magazine Editor’s Choice award. This was the final award of the evening and was presented by Illena Armstrong, VP, Editorial, SC Magazine.

For its ongoing support of the development and maintenance of secure web applications, we are calling out the achievements of the OWASP (Open Web Application Security Project). Its efforts in offering tools and education materials to developers and other security professionals have greatly aided in furthering the advancement of web application security. The nonprofit group does not endorse or recommend commercial products or services. This enables its open network to remain vendor neutral and synergize the collaborative efforts of the leading lights in software security worldwide. It’s all about trust, and information security professionals have come to rely on the group’s annual Top 10 project, ongoing since 2003, which delineates the most common flaws present in web apps, thus increasing awareness in the security community of some of the most critical risks facing organizations. As well, the “Bug Bash,” held for three nights in November during the AppSec Conference, is considered one of the biggest application security bug searches in recent time. The event, sponsored by OWASP, gathered security researchers from 30 countries who collaborated to discern security gaps in software that runs the internet and some of the planet’s most commonly used applications. For its advocacy, outreach and teaching, we are delighted to recognize OWASP with this year’s Editor’s Choice Award.
As a volunteer driven, non-profit organization our contributors donate their time and expertise for the betterment of all. It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!



http://owasp.blogspot.com/2014/03/owasp-wins-sc-magazine-2014-editors.html