HTML 5 – Persistent Offline Storage As A Risk Management Challenge

February 7, 2010

I just watched an excellent Shmoocon presentation by Michael Sutton called, “Pulling The Plug — Security Risks in Next Generation Offline Web Apps.”

His main theme is that the HTTP cookies and Flash Local Shared Objects that developers use today are going to be overtaken relatively rapidly by HTML5's persistent offline storage (with Gears continuing as a transitional technology).  WebKit browsers already handle offline data storage today (Safari on Mac OS and iPhone, and Google Chrome).

We have all been associated with cookies as indicators of authentication as well as a “live” session.  And most of us have been much nearer than we would wish to Flash and its “cookies” (LSOs).  Mr. Sutton argues that is the past.

Increasing pressure to make web applications mobile-friendly and/or offline-friendly has rapidly increased the importance of "local" storage, and that trend will continue for an extended period.  HTML5 has many new features, but persistent offline storage may have the greatest impact on financial services risk management (it may also have dramatic impacts in the health, retail, and transportation industries, but those are topics for other blogs).   As more and more data persists on mobile devices, attacks against those data stores will increase.

HTML5 uses SQLite as its relational data store.  Mr. Sutton highlights a key risk issue for this approach by reminding us how many applications today are vulnerable to XSS attacks, and then outlining enumeration logic for an SQLite attack:

(1) Identify tables
SELECT name FROM sqlite_master WHERE type='table'
(2) Identify table structure
SELECT sql FROM sqlite_master WHERE name='table_name'
(3) Access and use the data (Gears database API)
db.open('local_database_name');
var data = '';  // start from an empty string rather than undefined
var rs = db.execute('SELECT * FROM __DOJO_STORAGE');
while (rs.isValidRow()) {
  data = data + (rs.field(0) + '#' + rs.field(1));
  data = data + '\n';
  rs.next();
}
rs.close();
alert(data);

Criminals will necessarily find something much more interesting for the data than our “alert”…
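The defensive counterpart to the three enumeration steps above is to know, before shipping an offline-capable application, exactly what the local store would hold, since any script that runs in that origin (for example via XSS) can read all of it. The following is an added example, not code from the post or from Mr. Sutton's talk: a Python audit script that runs the same sqlite_master queries against an SQLite file and flags columns whose names suggest credentials, payment-card data or identity data. The table names, column-name patterns and rows are constructed sample data; a real audit would point it at the application's actual offline database file and use the organization's own data-classification terms.

```python
"""Inventory an offline SQLite store and flag sensitive-looking columns.

Added example (not from the post or from the presentation it discusses).
All table names, rows and the pattern list below are constructed.
"""
import re
import sqlite3

# Heuristic column-name patterns for data that should not sit unprotected
# in a client-side store. Constructed list; extend it from your own data
# classification policy. Anchored "pan" avoids matching words like "span".
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"pass(word|wd)?|secret|token|session|api_?key", re.I),
    "payment": re.compile(r"card|(^|_)pan($|_)|cv[vc]|expir", re.I),
    "identity": re.compile(r"ssn|social_sec|birth|dob", re.I),
}


def list_tables(conn):
    """Step (1) from the post: enumerate user tables via sqlite_master."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [r[0] for r in rows]


def table_columns(conn, table):
    """Step (2): column names. PRAGMA table_info is more reliable than
    parsing the CREATE statement stored in sqlite_master.sql."""
    return [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]


def audit(conn):
    """Return findings as (table, column, category, row_count) tuples.

    One finding per sensitive-looking column; the row count shows how much
    data would be exposed if a script in the origin dumped that table."""
    findings = []
    for table in list_tables(conn):
        count = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        for col in table_columns(conn, table):
            for category, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(col):
                    findings.append((table, col, category, count))
                    break
    return findings


def build_sample_db():
    """Constructed sample: an in-memory store resembling what an
    offline-capable web app might persist on a device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id INTEGER, account_number TEXT, balance REAL);
        CREATE TABLE prefs (id INTEGER, theme TEXT, session_token TEXT);
        CREATE TABLE cards (id INTEGER, card_pan TEXT, cvv TEXT);
        INSERT INTO accounts VALUES (1, '000111222', 12.50);
        INSERT INTO prefs VALUES (1, 'dark', 'tok-sample');
        INSERT INTO cards VALUES (1, '4111111111111111', '123');
        INSERT INTO cards VALUES (2, '5500000000000004', '456');
        """
    )
    return conn


def report(findings):
    """Format findings as one line per column for a review checklist."""
    return [
        f"{table}.{col}: {category} data, {count} row(s) would be exposed"
        for table, col, category, count in findings
    ]


if __name__ == "__main__":
    # To audit a real store: sqlite3.connect("/path/to/offline.db")
    for line in report(audit(build_sample_db())):
        print(line)
```

Anything the script flags is a candidate for not being persisted at all, or for being replaced with a short-lived server-side reference, because no amount of client-side scripting discipline protects data once an injected script is executing in the same origin.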

I strongly recommend this presentation to all security professionals.  He describes a world where writing risk-appropriate applications is going to keep getting harder — much harder.  And HTML5's persistent offline storage will challenge our software architects, application designers, risk managers, marketing executives, and risk management professionals.  What do you think?

-Reference-
http://www.ustream.tv/recorded/4537736

The Shmoocon 2010 Schedule and Presentations: http://www.shmoocon.org/presentations.html


2009 Data Breach Investigations Report – by Verizon Business Incident Response

April 17, 2009

The “2009 Data Breach Investigations Report” was released this week.  It is a 52-page study conducted by the Verizon Business Incident Response team describing its work.

Keep in mind, this report is a description of Verizon Business Incident Response engagements.  As they did in their 2008 report, the Verizon team emphasizes external attack and services that they sell.  It is an unusual report.  Verizon does, I believe, a great job describing what their Incident Response practice found last year.  I have no reason to doubt any of their data.  It presents a picture of great diversity over their 2008 engagements.  But the top five breaches included in this report account for 93 percent of total records compromised. (page 34)   This made many of the statistics throughout the rest of the report almost irrationally skewed…

Maybe it would be best to read this paper as an “Annual Report” of the Verizon business unit performing Incident Response services.  I believe that would be a difficult stretch to try to turn it into something that has broadly-applicable meaning for the financial services industry, or for the full spectrum of technology-rich Internet-dependent businesses across the globe.

In that context, though, there is still some interesting reading.  The report is based on their experience in 150 forensic engagements in 2008.   90 of those were confirmed data breach investigations — so the report data is from those 90 engagements.
These 90 cases resulted in more than 285 million data records breached — exceeding the combined total from all Verizon Business Incident Response engagements from 2004 to 2007.

For their customer base, they reported that “breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases.” (page 38)  I work for a geographically-dispersed, diversified financial services corporation, and this finding generates a little catch in my breathing…

Verizon reported that nearly half of their caseload was described as being comprised of different sets of interrelated incidents, and that “quite often” that meant the same individual(s) committed the multiple attacks.

This is a sometimes-dense, 50-some page report, so you would need to fetch a copy and read it to get a sense of the scope of information that Verizon presents.  That said, here are some statistics from the report that I found interesting:

Breach Distribution by business sector:

31% Retail
30% Financial Services
14% Food and Beverage
6% Manufacturing
6% Business Services
6% Hospitality
3% Technology
4% Other

Industries represented by percent of records breached:

93% Financial Services
7% Everyone Else

Targeted attacks accounted for 90% of all compromised records. (page 31)

Compromised database and application servers accounted for 42% of breaches and 94% of breached records. (page 33)

Median number of records compromised per breach:

External 37,847
Internal 100,000
Partner 27,000

Compromised data types by percent of breaches / records:

Payment Card Data 81% / 98%
Personal Information 36% / 1.5%
Authentication Credentials 31% / <0.1%
Account Numbers 16% / 0.5%
Intellectual Property 13%
Monetary Assets / Funds 11%
Corporate Financial Data 6%
Other 11%

Threat categories by percent of breaches / records:

Malware 38% / 90%
Hacking 64% / 94%
Misuse 22% / 2%
Deceit 12% / 6%
Physical 9% / 2%
Error 1% / 0%

Types of hacking by number of breaches / percent of records:

Unauthorized Access via Default or Shared Credentials 17 / 53%
SQL Injection 16 / 79%
Improperly Constrained or Misconfigured ACLs 9 / 66%
Unauthorized Access via Stolen Credentials 7 / 0.1%
Authentication Bypass 5 / 0.1%
Brute-Force 4 / 7%
Privilege Escalation 4 / 0%
Exploitation of Session Variables 3 / 0%
Buffer Overflow 3 / 0%
Cross-Site Scripting 1 / 0%

Attack pathways by number of breaches / percent of records:

Remote Access & Mgt. 22 / 27%
Web Application 21 / 79%
Other Server or Application 7 / 7%
Network Devices 6 / 11%
End-User Systems 1 / 26%

Malware functionality by number of breaches:

Key Logger or Spyware 17
Backdoor or Command Shell 16
Capture and Store Data 13
Attacks Other Systems 2
Disables Security Controls 2
Other 2

What is that “1% cross-site scripting” telling us?  Does it really represent reality for our Internet-facing applications?  I really have doubts…  It must say more about the types of technology and services Verizon sells.

What do you think?

– References –

“2009 Data Breach Investigations Report — A study conducted by the Verizon Business RISK team:” http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf


Social Networks are a Global Malicious Code Channel

March 4, 2009

If you are not familiar with the user base of the social networking sites identified in my last post, you might think that all of them retain a North American focus, and therefore that this is a North American problem.  It isn’t.  For example, two recent reports by Finjan identify analogous problems on the livedoor.jp and yaplog.jp social networking sites.  Both systems were infected via malicious iframes and ActiveX applications designed to take advantage of a range of Windows vulnerabilities, compromise the local environment, and download additional malicious code, including a trojan that steals the user’s credentials.

The Finjan team does a good job outlining their position concerning a key risk of Web2.0 — that is “giving users the power to add code also gives them the power to add malicious code.”  Finjan promotes real-time content inspection.  That approach may buy time, but comprehensive and effective input validation and output encoding still seem like the only approach that will ultimately be successful.

How does your organization approach this issue?

– References –
“Cyber Sino-Japanese War?” MCRC Blog, Feb 26, 2009 http://www.finjan.com/MCRCblog.aspx?EntryId=2197
“Malware and the rising sun website” MCRC Blog, Feb 24, 2009 http://www.finjan.com/MCRCblog.aspx?EntryId=2195


Worm in Social Networks Again

March 2, 2009

Social networking sites have been a favorite for malicious code and injection attacks.

A worm that hit Facebook last year has resurfaced and is now hijacking user accounts — not only for that social networking service, but also for MySpace, Friendster, LiveJournal and others.

The Koobface worm is again hijacking user accounts on Facebook, bebo.com, Friendster, fubar.com, hi5.com, LiveJournal, MySpace, myYearbook, Netlog and Tagged.

Trend Micro named it “Koobface.az” and said that the worm rifles through a compromised PC, sniffs out browser cookies associated with 10 different social networking sites, uses the usernames and passwords within those cookies to log on to each service, searches for the infected user’s friends, and then sends those people messages that include a link to the worm.

Many businesses appear to want to inject themselves into the fabric of social networking sites in order to better connect with their customers.  This should be a reminder that these sites represent a risk profile not usually found in corporate environments.

– References –

More at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9128842&taxonomyId=17&intsrc=kc_top

and TrendMicro http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KOOBFACE.AZ&VSect=T


Need Cultural Change at Adobe – Vulnerabilities Too Numerous

February 25, 2009

From their long and growing list of products and services, Adobe appears to be attempting to dominate the rich, user-centric application, communications, and information-delivery environments.
(see: http://www.adobe.com/products/ and http://labs.adobe.com/)

They have been pumping out new functionality, new development environments, new languages, etc. at a pace that is difficult to imagine.  How do they manage the pool of energy and creativity required to initiate and maintain their current (accelerating) trajectory?

In financial services, “cool” and “new” are not unknown, but we need to manage them into business environments that must constantly demonstrate a threshold level of due care and due diligence.

Adobe products, new and old, keep getting hacked.  On the consumer/customer as well as corporate fronts, the latest include critical vulnerabilities in Flash/AIR/Flex and Adobe Reader/Acrobat.  Both involve remote exploitation and the potential for executing arbitrary code on an end-user’s PC.  Because Flash and PDF files are found “everywhere” throughout the Internet, this set of vulnerabilities presents a particularly difficult risk equation for PC users — and for the information security personnel who serve them.

There have been at least 8 publicly disclosed vulnerabilities in Adobe Flash, and at least 6 in Adobe Reader/Acrobat, in the last year.  That extended a well-established tradition of vulnerabilities for another year.

Because these Adobe products are found on virtually all Windows PCs, the culture at Adobe that generates and accepts this tradition of regularly-vulnerable software must be modified.  We need to raise the volume of our input to Adobe on this topic, and consider going broader with this campaign, maybe even to investors.

What do you think?  What would work most effectively?

– References –
Much of the Adobe product collection can be found at: http://www.adobe.com/products/ and http://labs.adobe.com/

Adobe Flash Player (Flex/Air as well) Multiple Vulnerabilities  (Feb 25, 2009 http://secunia.com/advisories/34012/ and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773)
Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability (Feb 2, 2009 http://www.kb.cert.org/vuls/id/905281 and http://secunia.com/advisories/33901/)

