The document spells out the ten common design flaws in a straightforward manner, each with a lengthy explainer of the inherent weaknesses in that area and of how software designers and architects should account for them. The ten, in no particular order, are:
- Earn or give, but never assume, trust
- Use an authentication mechanism that cannot be bypassed or tampered with
- Authorize after you authenticate
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources
- Define an approach that ensures all data are explicitly validated
- Use cryptography correctly
- Identify sensitive data and how they should be handled
- Always consider the users
- Understand how integrating external components changes your attack surface
- Be flexible when considering future changes to objects and actors
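Three of these principles (4, 5 and 6) fall out of one short code path, so here is an added example of my own, not code from the IEEE Center for Secure Design document. The table, the users and the documents are constructed for the demonstration; the vulnerable function mixes request data into the SQL control channel, the hardened one validates first and binds the value as a parameter.

```python
# Added example, not from the IEEE Center for Secure Design document:
# principles 4, 5 and 6 in one small code path. The table, users and
# documents are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users' private documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO docs VALUES (?, ?, ?)",
        [(1, "alice", "alice's private notes"), (2, "bob", "bob's private notes")],
    )
    return conn


def fetch_doc_vulnerable(conn, user: str, doc_id: str) -> list:
    """Principle 5 violated: request data is spliced into the SQL control
    channel, so 'doc_id' can rewrite the query and defeat the owner check."""
    sql = f"SELECT body FROM docs WHERE owner = '{user}' AND id = {doc_id}"
    return [row[0] for row in conn.execute(sql)]


def fetch_doc_hardened(conn, user: str, doc_id: str) -> list:
    """Principle 6: validate explicitly before use (an id is a positive ASCII
    integer, nothing else). Principle 5: pass data as a bound parameter, so
    it can never become part of the SQL. Principle 4: 'user' is the already
    authenticated principal, and ownership is still checked on every request."""
    if not (doc_id.isascii() and doc_id.isdigit()) or int(doc_id) <= 0:
        raise ValueError(f"invalid document id: {doc_id!r}")
    sql = "SELECT body FROM docs WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (user, int(doc_id)))]


if __name__ == "__main__":
    db = make_db()
    attack = "2 OR 1=1"  # AND binds tighter than OR, so this returns every row
    print("vulnerable:", fetch_doc_vulnerable(db, "alice", attack))
    print("hardened, own doc:", fetch_doc_hardened(db, "alice", "1"))
    print("hardened, someone else's doc:", fetch_doc_hardened(db, "alice", "2"))
    try:
        fetch_doc_hardened(db, "alice", attack)
    except ValueError as exc:
        print("hardened, attack string:", exc)
```

The point of the hardened version is that the two defences are independent: even if the validation were forgotten, the bound parameter keeps the input out of the query; even if the query were safe, the validation keeps junk out of the application.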
Tag Archives: security
Multipath TCP Introduces Security Blind Spot
MPTCP (Multipath TCP) is an extension to TCP, the Internet’s primary transport protocol. It allows a single TCP session to be spread across multiple connections and network providers to the same destination. Should one path drop, the session seamlessly moves to its backup connection, keeping phone calls or Internet sessions alive.
“Technology like MPTCP makes it much harder for surveillance states,” Pearce said. “If I split traffic across my cell provider and an ISP I may not trust, in order for a surveillance state to snoop they have to collaborate with all these parties. It’s a much harder proposition.”
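The blind spot starts with the fact that most monitoring tools do not even recognise the option that sets up a multipath session. As an added example (mine, not from the Threatpost article), here is a minimal TCP option walker that flags the Multipath TCP option (kind 30, RFC 6824) so a tool can at least see that a flow is being split into subflows. The two SYN segments are constructed by hand.

```python
# Added example, not from the Threatpost article: a minimal TCP option
# walker that recognises Multipath TCP (option kind 30, RFC 6824). The two
# SYN segments below are constructed by hand.
import struct

MPTCP_KIND = 30
MPTCP_SUBTYPES = {
    0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
    4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE",
}


def parse_tcp_options(opts: bytes) -> list:
    """Return [(kind, payload)] for a TCP options field.

    EOL (0) ends the list and NOP (1) is a single pad byte; every other
    option carries a length byte that covers kind, length and payload."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def tcp_options(segment: bytes) -> bytes:
    """Slice the options out of a TCP segment using the data offset field."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return segment[20:data_offset]


def detect_mptcp(segment: bytes) -> list:
    """Names of MPTCP subtypes present; empty list for ordinary TCP."""
    found = []
    for kind, payload in parse_tcp_options(tcp_options(segment)):
        if kind == MPTCP_KIND and payload:
            subtype = payload[0] >> 4  # high nibble of the first payload byte
            found.append(MPTCP_SUBTYPES.get(subtype, f"unknown({subtype})"))
    return found


def _syn(options: bytes) -> bytes:
    """Constructed SYN from port 49152 to 443, no payload, checksum left 0."""
    header_len = 20 + len(options)
    assert header_len % 4 == 0, "options must be padded to a 32-bit boundary"
    return struct.pack("!HHIIBBHHH", 49152, 443, 0, 0,
                       (header_len // 4) << 4, 0x02, 0xFFFF, 0, 0) + options


# MSS 1460 + MP_CAPABLE (v0, flags A|H, 8-byte sender key): 16 bytes of options
SYN_MPTCP = _syn(bytes.fromhex("020405b4") + bytes.fromhex("1e0c0081") + b"\x11" * 8)
# MSS 1460 + NOP NOP + SACK-permitted: 8 bytes of options, plain TCP
SYN_PLAIN = _syn(bytes.fromhex("020405b4") + bytes.fromhex("01010402"))

if __name__ == "__main__":
    print("MPTCP SYN:", detect_mptcp(SYN_MPTCP))
    print("plain SYN:", detect_mptcp(SYN_PLAIN))
```

Seeing the option is the easy part; reassembling the data stream across subflows that may traverse different sensors is what an IDS would actually need, and that is the blind spot the article is about.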
Eight Ways to Blacklist with Apache’s mod_rewrite
With the imminent release of the next series of (4G) blacklist articles here at Perishable Press, now is the perfect time to examine eight of the most commonly employed blacklisting methods achieved with Apache’s incredible rewrite module, mod_rewrite. In addition to facilitating site security, the techniques presented in this article will improve your understanding of the different rewrite methods available with mod_rewrite.
via Eight Ways to Blacklist with Apache’s mod_rewrite | Perishable Press.
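As an added illustration of the mechanism (my own, not the article’s eight and not Perishable Press code), the same RewriteCond/RewriteRule pattern applied to several request attributes. The addresses, agent strings, hostnames and paths are placeholders.

```apache
# Added example, not from the Perishable Press article. Every block below
# has the same shape: one or more RewriteCond tests, then a rule that does
# no rewrite ("-") and answers 403 Forbidden ([F]). Conditions are ANDed
# unless marked [OR]. Values are placeholders.
RewriteEngine On

# By client IP: anchor and escape the dots, or 192.0.2.1 also matches 192.0.2.10
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.10$ [OR]
RewriteCond %{REMOTE_ADDR} ^198\.51\.100\.
RewriteRule ^ - [F,L]

# By User-Agent substring, case-insensitive
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|masscan|sqlmap) [NC]
RewriteRule ^ - [F,L]

# By Referer (referrer spam)
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?spam-placeholder\.example/ [NC]
RewriteRule ^ - [F,L]

# By query string: traversal, script injection and SQL probes
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|<script|union(%20|\+)select) [NC]
RewriteRule ^ - [F,L]

# By request URI: paths that do not exist on this site but get scanned for
RewriteCond %{REQUEST_URI} ^/(phpmyadmin|wp-admin/install\.php) [NC]
RewriteRule ^ - [F,L]

# By request method
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule ^ - [F,L]

# By Host header: requests for a name this server does not serve
RewriteCond %{HTTP_HOST} !^(www\.)?site-placeholder\.example$ [NC]
RewriteRule ^ - [F,L]
```

Two caveats a practitioner wants stated: User-Agent, Referer and Host are entirely under the client’s control, so those blocks remove noise rather than stop a determined attacker; and every RewriteCond runs on every request, so keep the regexes anchored and short, and test them with a few real log lines before deploying.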
Monitor DNS Traffic & You Just Might Catch A RAT
You may not be able to keep pace with every new DNS exploitation but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.
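What “certain indicators” looks like in practice, as an added example that is not from the linked article: three checks run over a constructed query log of the form "time client qname qtype rcode", of the sort a resolver or IDS could emit. The thresholds are illustrative and would be tuned to a real network’s baseline.

```python
# Added example, not from the linked article: three DNS indicator checks run
# over a constructed query log ("time client qname qtype rcode"). The log
# lines and the thresholds are illustrative.
import math
from collections import Counter, defaultdict

SAMPLE_LOG = [
    "10:00:01 10.1.1.5 www.example.com A NOERROR",
    "10:00:02 10.1.1.5 mail.example.com A NOERROR",
    "10:00:03 10.1.1.5 cdn.example.com AAAA NOERROR",
    # one client, many unique long labels under one parent: tunnel/exfil pattern
    "10:00:04 10.1.1.9 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example.net TXT NOERROR",
    "10:00:05 10.1.1.9 nfrggzdfmztwq2lknnwg23tpobyxe43v.t.example.net TXT NOERROR",
    "10:00:06 10.1.1.9 ofrggzdfmztwq2lknnwg23tpobyxe43w.t.example.net TXT NOERROR",
    "10:00:07 10.1.1.9 pfrggzdfmztwq2lknnwg23tpobyxe43x.t.example.net TXT NOERROR",
    "10:00:08 10.1.1.9 qfrggzdfmztwq2lknnwg23tpobyxe43y.t.example.net TXT NOERROR",
    "10:00:09 10.1.1.9 rfrggzdfmztwq2lknnwg23tpobyxe43z.t.example.net TXT NOERROR",
    # one client, burst of NXDOMAIN for random-looking names: DGA beaconing pattern
    "10:00:10 10.1.1.7 xkq2pwvtb.biz A NXDOMAIN",
    "10:00:11 10.1.1.7 lw9dhzq0a.info A NXDOMAIN",
    "10:00:12 10.1.1.7 c3vmtrhh7.net A NXDOMAIN",
    "10:00:13 10.1.1.7 rrj8kzo2d.org A NXDOMAIN",
    "10:00:14 10.1.1.7 a0fhqvk4e.biz A NXDOMAIN",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(lines, min_unique=5, max_label=30, min_nx=5) -> dict:
    subdomains = defaultdict(set)   # (client, parent) -> distinct names queried
    nxdomain = Counter()            # client -> NXDOMAIN answers
    long_labels = []                # (client, qname, entropy of longest label)
    for line in lines:
        _, client, qname, qtype, rcode = line.split()
        subdomains[(client, parent_domain(qname))].add(qname)
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        longest = max(qname.split("."), key=len)
        if len(longest) > max_label:
            long_labels.append((client, qname, round(shannon_entropy(longest), 2)))
    return {
        "tunnel": sorted((c, p, len(n)) for (c, p), n in subdomains.items() if len(n) >= min_unique),
        "nxdomain": sorted((c, n) for c, n in nxdomain.items() if n >= min_nx),
        "long_labels": long_labels,
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

The three checks are independent on purpose: a tunnel shows up as many distinct names under one parent, an encoded payload shows up as long high-entropy labels, and a domain-generation algorithm shows up as a client that keeps getting NXDOMAIN. Any one of them alone produces false positives (CDNs and anti-spam services generate long labels too), which is why the output is a report to triage rather than a block decision.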
Dan Farmer Presents Research on IPMI Vulnerabilities
IPMI runs regardless of the underlying operating system and operates on UDP port 623 through a server’s network port or its own Ethernet port. It runs continuously, Farmer said, unless the plug is literally pulled. Moore’s scan pulled up 230,000 responses over port 623, an admittedly tiny slice of the overall number of implementations. Yet Farmer concludes that 90 percent of BMCs running IPMI could be compromised because of default or weak passwords or weaknesses in the protocol, not only implicating the host server but others in the same management group because, as he discovered, some vendors share common passwords.
via Dan Farmer Presents Research on IPMI Vulnerabilities | Threatpost | The first stop for security news.
BMC stands for Baseboard Management Controller, a separate microcontroller on (or attached to) the motherboard that provides out-of-band management of the host. This isn’t the first article to point out vulnerabilities in IPMI. It has long been recommended that IPMI run on its own isolated management network and never be reachable from the public Internet; putting another layer of security (a VPN or a jump host) in front of this interface mitigates most of the problems. IPMI can’t be any less secure than SNMP.
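The check a practitioner wants is to find out what their own BMCs admit to before any login. As an added example (my code, not Farmer’s research or the Threatpost article), here is the unauthenticated "Get Channel Authentication Capabilities" request that ipmitool, nmap and Moore’s scan use to discover BMCs on UDP/623, together with a parser for the reply that reports whether the BMC accepts auth type "none", anonymous logins or null usernames. The reply below is constructed; `probe()` is the only part that touches the network and is not exercised here.

```python
# Added example, not from Farmer's paper or the Threatpost article: build the
# unauthenticated "Get Channel Authentication Capabilities" probe for UDP/623
# and read back what the BMC advertises before any login. The response
# below is constructed; probe() is the only network call and is not run here.
import socket

RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x07])   # RMCP version byte, reserved, seq 0xFF (no ack), class IPMI
BMC_ADDR, REMOTE_ADDR = 0x20, 0x81
NETFN_APP, CMD_GET_CHANNEL_AUTH_CAP = 0x06, 0x38


def ipmi_checksum(data: bytes) -> int:
    """IPMI 2's-complement checksum: covered bytes plus this byte sum to 0 mod 256."""
    return (-sum(data)) & 0xFF


def build_auth_cap_request(channel: int = 0x0E, privilege: int = 0x04) -> bytes:
    """RMCP + IPMI v1.5 session wrapper (auth type none) + Get Channel Auth Cap.
    channel 0x0E means 'the channel this arrived on', privilege 0x04 is Administrator."""
    session = bytes([0x00]) + bytes(4) + bytes(4)            # auth type, session seq, session id
    head = bytes([BMC_ADDR, NETFN_APP << 2])                  # rsAddr, netFn/rsLUN
    head += bytes([ipmi_checksum(head)])
    body = bytes([REMOTE_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAP, channel, privilege])
    body += bytes([ipmi_checksum(body)])                      # rqAddr, rqSeq/rqLUN, cmd, data
    msg = head + body
    return RMCP_HEADER + session + bytes([len(msg)]) + msg


def parse_auth_cap_response(pkt: bytes) -> dict:
    if len(pkt) < 14 or pkt[3] != 0x07:
        raise ValueError("not an RMCP/IPMI packet")
    msg = pkt[14:14 + pkt[13]]
    if len(msg) < 16 or msg[5] != CMD_GET_CHANNEL_AUTH_CAP:
        raise ValueError("unexpected IPMI message")
    if ipmi_checksum(msg[:2]) != msg[2] or ipmi_checksum(msg[3:-1]) != msg[-1]:
        raise ValueError("IPMI checksum mismatch")
    if msg[6] != 0x00:                                        # completion code
        return {"completion_code": msg[6]}
    auth_support, auth_status, ext = msg[8], msg[9], msg[10]  # msg[7] is the channel number
    return {
        "completion_code": 0,
        "ipmi_2_0": bool(auth_support & 0x80) and bool(ext & 0x02),
        "auth_none": bool(auth_support & 0x01),
        "auth_md2": bool(auth_support & 0x02),
        "auth_md5": bool(auth_support & 0x04),
        "auth_password": bool(auth_support & 0x10),
        "anonymous_login": bool(auth_status & 0x01),
        "null_usernames": bool(auth_status & 0x02),
        "user_level_auth_disabled": bool(auth_status & 0x08),
    }


def weaknesses(info: dict) -> list:
    """What a default or weak BMC configuration advertises before any login."""
    flags = [("auth_none", "accepts auth type NONE"),
             ("anonymous_login", "anonymous login enabled"),
             ("null_usernames", "null usernames enabled"),
             ("user_level_auth_disabled", "user-level authentication disabled")]
    return [text for key, text in flags if info.get(key)]


def _constructed_response() -> bytes:
    """Constructed reply from a BMC that still has vendor defaults."""
    head = bytes([REMOTE_ADDR, 0x07 << 2])                    # rqAddr, response netFn (App + 1)
    head += bytes([ipmi_checksum(head)])
    data = bytes([0x01, 0x95, 0x07, 0x03, 0, 0, 0, 0])        # channel, auth types, status, ext, OEM id, aux
    body = bytes([BMC_ADDR, 0x00, CMD_GET_CHANNEL_AUTH_CAP, 0x00]) + data
    body += bytes([ipmi_checksum(body)])
    msg = head + body
    return RMCP_HEADER + bytes([0x00]) + bytes(8) + bytes([len(msg)]) + msg


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send the probe to host:623/udp and parse the answer (network; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_auth_cap_request(), (host, 623))
        return parse_auth_cap_response(s.recv(512))


if __name__ == "__main__":
    info = parse_auth_cap_response(_constructed_response())
    print(info)
    print("weaknesses:", weaknesses(info))
```

Run `probe()` only against hosts you administer, and only from the management network: the whole point of the article is that these replies are reachable from anywhere the BMC is, and a BMC that answers from the Internet is the finding.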
New Al Qaeda Encryption Software
Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool are slight.
Glenn Greenwald: how the NSA tampers with US-made internet routers
But while American companies were being warned away from supposedly untrustworthy Chinese routers, foreign organisations would have been well advised to beware of American-made ones. A June 2010 report from the head of the NSA‘s Access and Target Development department is shockingly explicit. The NSA routinely receives – or intercepts – routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers.
via Glenn Greenwald: how the NSA tampers with US-made internet routers | World news | The Guardian.
U.S.: Stop using Internet Explorer
The United States Computer Emergency Readiness Team, a part of Homeland Security known as US-CERT, said in an advisory released on Monday morning that the vulnerability in versions 6 to 11 of Internet Explorer could lead to “the complete compromise” of an affected system.
“We are currently unaware of a practical solution to this problem,” Carnegie Mellon’s Software Engineering Institute warned in a separate advisory, that US-CERT linked to in its warning.
via U.S.: Stop using Internet Explorer – chicagotribune.com.
Warrantless Cellphone Tracking
The secretive technology is generically known as a stingray or IMSI catcher, but the Harris device is also specifically called the Stingray. When mobile phones — and other wireless communication devices like air cards — connect to the stingray, it can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location. By moving the stingray around, authorities can triangulate the device’s location with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location.
The government has long asserted that it doesn’t need to obtain a probable-cause warrant to use the devices because they don’t collect the content of phone calls and text messages but rather operate like pen-registers and trap-and-traces, collecting the equivalent of header information.
via Florida Cops’ Secret Weapon: Warrantless Cellphone Tracking | Threat Level | Wired.com.
No, I Don’t Trust You! — One of the Most Alarming Internet Proposals I’ve Ever Seen
The technical details get very complicated very quickly, but what it all amounts to is simple enough. The proposal expects Internet users to provide “informed consent” that they “trust” intermediate sites (e.g. Verizon, AT&T, etc.) to decode their encrypted data, process it in some manner for “presumably” innocent purposes, re-encrypt it, then pass the re-encrypted data along to its original destination.
In essence it’s a kind of sucker bait. Average users could easily believe they were “kinda sorta” doing traditional SSL but they really wouldn’t be, ’cause the ISP would have access to their unencrypted data in the clear. And as the proposal itself suggests, it would take significant knowledge for users to understand the ramifications of this — and most users won’t have that knowledge.
As the editorial itself describes it, the proposed trusted proxy cannot interpose itself in a session without user consent. The editorial’s author fears that ISPs will make that consent a condition of all SSL sessions, exposing every user’s end-to-end encryption to a “trusted” proxy. Here is a blurb from the draft.
From the IETF draft: Explicit Trusted Proxy in HTTP/2.0 draft-loreto-httpbis-trusted-proxy20-01
This document describes two alternative methods for a user-agent to automatically discover, and for a user to provide consent for, a Trusted Proxy to be securely involved when he or she is requesting an HTTP URI resource over HTTP2 with TLS. The consent is supposed to be per network access. The draft also describes the role of the Trusted Proxy in helping the user to fetch HTTP URI resources when the user has provided consent to the Trusted Proxy to be involved.
The consent is supposed to be on a per-network (or per-destination) basis, which means there may be legitimate reasons for a user agent to want a trusted proxy; perhaps the user does not trust the destination network. The editorial implies that ISPs will want blanket consent over all destinations, but 1) they could do that today without this standard, by deploying an intercepting proxy and getting users to install its CA certificate, and 2) it would not make for a good PR move, because it would not go unnoticed.