1. 7

    Pentesters always want to sound like it’s some sort of action movie, and I am tired of it.

    Good on the company for having their security in order. Breaking in and prying out disks of laptops in storage is a bit over the top.

    1. 14

      The hardest part of any security job is communicating your findings effectively to your audience.

      A pen-test of a corporate network is not the most exciting topic in the world of security so I’m sure attempts at adding some drama and a story helps.

      1. 4

        Depends on the scope of the assessment; I have had clients that have wanted me to break into things, and device theft was definitely in scope. Working adversary simulation, OPFOR, whatever, has different scope. On the flip side, I’ve definitely seen pentesters/red teamers who just want to “win” regardless of the scope or cost. This provides almost nothing of value to a client: if they knew their physical security was weak, breaking into the data center provides nothing to a client who wanted to know how well their validation schemes worked.

        I remember once being on site with another company that usually did “full scope” assessments as their bread-and-butter. The first day of their web app test, they:

        • tried to unplug a phone
        • spoof the phone’s MAC address
        • bypass network restrictions and NAC via the phone to get to a database

        on a web app… The client wanted to know about their web app, not their network security (which was actually fairly decent). Anyway, I finished my application early and was asked to step in and take over that assessment…

      1. 3

        Note, this is for local attackers that are beyond reading files. You need to run code as the user.

        1. 2

          Yeah, if someone has that level of access, losing saved chrome cookies is probably the last thing to worry about.

          1. 1

            I don’t mean to be facetious but what could be worse than losing your cookies for most people?

            1. 1

              Having some hidden script running behind the scenes, monitoring everything in real time and transmitting it back.

              Someone making a copy of confidential files (documents, photos, etc.).

              Access your browser and take note of any saved passwords (the last time I checked, a user could see their passwords in clear text in Chrome and maybe Firefox).

              Delete your precious save games of Skyrim.

        1. 17

          An interesting aspect of this: their employees’ credentials were compromised by intercepting two-factor authentication that used SMS. Security folks have been complaining about SMS-based 2FA for a while, but it’s still a common configuration on big cloud providers.

          1. 11

            What’s especially bugging me is platforms like twitter that do provide alternatives to SMS for 2FA, but still require SMS to be enabled even if you want to use safer means. The moment you remove your phone number from twitter, all of 2FA is disabled.

            The problem is that if SMS is an option, that’s going to be what an attacker uses. It doesn’t matter that I myself always use a Yubikey.

            But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

            This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle “customer” requests as quickly and efficiently as possible.

            Update: I just noticed that twitter has fixed this and you can now disable SMS while keeping TOTP and U2F enabled.

            1. 2

              But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

              I get why they do this from a convenience perspective, but it bugs me to call the result 2FA. If you can change the password through the SMS recovery method, password and SMS aren’t two separate authentication factors, it’s just 1FA!
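The argument in the two comments above (SMS as a password-recovery channel collapses 2FA to 1FA) can be checked mechanically. This is an added example, not code from the thread: each login or recovery flow is a rule that grants a capability, and a search finds the smallest set of factors an attacker must control. The rule sets and factor names are constructed assumptions that mirror the comments, not any real provider's policy.

```python
"""Which factors must an attacker control to take over an account?

Added illustration for the thread above; the rule sets are constructed
assumptions that mirror the comments, not a real provider's policy.
Each rule is (capabilities the attacker must already hold, capability gained).
Reaching "account" means account takeover.
"""
from itertools import combinations

# An SMS code alone resets the password, and SMS is still accepted as the
# second factor at login. Holding only the phone number is therefore enough.
SMS_RECOVERY_RULES = [
    ({"password", "totp"}, "account"),
    ({"password", "sms"}, "account"),
    ({"sms"}, "password"),  # "Forgot your password? Just type the code we sent via SMS."
]

# Hardened variant: SMS is gone, and a password reset needs two things a
# phone company cannot hand over to a social engineer.
HARDENED_RULES = [
    ({"password", "totp"}, "account"),
    ({"password", "u2f"}, "account"),
    ({"password", "recovery_code"}, "account"),
    ({"email", "recovery_code"}, "password"),
]


def reachable(held, rules):
    """Closure: repeatedly apply every rule whose preconditions are met."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, gain in rules:
            if needs <= held and gain not in held:
                held.add(gain)
                changed = True
    return held


def minimal_compromise_sets(rules, goal="account"):
    """Every minimal set of stealable factors that reaches `goal`.

    Anything a rule requires counts as stealable (a password can be phished
    even though some rule also grants it). Subsets are tried smallest first,
    and supersets of an already-found set are skipped, so the result lists
    only minimal sets, in a deterministic order.
    """
    primitives = sorted(set().union(*(needs for needs, _ in rules)) - {goal})
    found = []
    for size in range(1, len(primitives) + 1):
        for combo in combinations(primitives, size):
            candidate = set(combo)
            if any(m <= candidate for m in found):
                continue
            if goal in reachable(candidate, rules):
                found.append(candidate)
    return [sorted(m) for m in found]


def effective_factor_count(rules, goal="account"):
    """Size of the smallest compromise set: the '2FA is really 1FA' verdict."""
    return min(len(m) for m in minimal_compromise_sets(rules, goal))


if __name__ == "__main__":
    for name, rules in (("sms recovery", SMS_RECOVERY_RULES), ("hardened", HARDENED_RULES)):
        print(name, effective_factor_count(rules), minimal_compromise_sets(rules))
```

With the SMS recovery rules the smallest compromise set is just the phone number, so the effective factor count is 1; the hardened rules never drop below 2.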

              1. 1

                Have sites been keeping SMS given the cost of supporting locked out users? Lost phones are a frequent occurrence. I wonder if sites have thought about implementing really slow, but automated recovery processes to avoid this issue. Going through support with Google after losing your phone is painful, but smaller sites don’t have a support staff at all, so they are likely to keep allowing SMS since your mobile phone number is pretty recoverable.

                1. 1

                  In case of many accounts that are now de-facto protected by nothing but a single easily hackable SMS I’d much rather lose access to it than risk somebody else getting access.

                  If there was a way to tell these services and my phone company that I absolutely never want to recover my account, I would do that in a heartbeat

                2. 1

                  This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle “customer” requests as quickly and efficiently as possible.

                  True. Also, if you have the target’s phone number, you can skip the social engineering, and go directly for SS7 hacks.

                3. 1

                  I don’t remember the details but there is a specific carrier (tmobile I think?) that is extremely susceptible to SMS interception and it’s people on their network that have been getting targeted for attacks like this.

                  1. 4

                    Your mobile phone number can relatively easily be stolen (more specifically: ported out to another network by an attacker). This happened to me on T-Mobile, but I believe it is possible on other networks too. In my case my phone number was used to set up Zelle and transfer money out of my bank account.

                    This article actually provides more detail on the method attackers have used to port your number: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

                    1. 1

                      T-Mobile sent a text message blast to all customers many months ago urging users to set up a security code on their account to prevent this. Did you do it?

                      Feb 1, 2018: “T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure”

                      1. 1

                        Yeah I did after recovering my number. Sadly this action was taken in response to myself and others having been attacked already :)

                1. 3

                  Maybe someone at Twitter saw the similar GitHub issues a few days ago and thought to audit their logs?

                  1. 4

                    My guess is that both Twitter and GitHub saw the GDPR deadline looming and decided to audit their estates.

                  1. 9

                    If you don’t mind the tinfoil, this could well be a shakedown test to see how Russia might deal with partitioning of the network in a time of relative peace, before being surprised during some other time.

                    Then again, that’s the sort of idle speculation I’d give back in my HN days.

                    1. 3

                      Maybe not the intention, but I can’t imagine the data point would go unnoticed.

                      1. 3

                        According to the timeline, it may seem related to telegram.

                        Here’s my tinfoil take :)

                        Russia banned the telegram app at the beginning of the month[1]. They basically blacklisted their domains.

                        Telegram started to use the google app engine as a domain front [2].

                        I guess Russia is trying to prevent domain fronting for future ban cases. I guess it is easier for them to send a takedown notice to a Russian cloud provider than sending that to an American one.

                        [1]: https://www.nytimes.com/2018/04/13/world/europe/russia-telegram-encryption.html

                        [2]: https://en.wikipedia.org/wiki/Domain_fronting

                        1. 2

                          Probably not the intention, because running the blocklist updates in that mode means that an external party can easily force a block of something critical inside Russia at a moment when neither the blocklist operators nor ISPs have spare capacity to react sanely. People who are qualified to understand your point also know that Roskomnadzor is not qualified to prevent the risk I describe.

                          But some note-taking about unexpected dependency chains will be done anyway.

                          1. 1

                            If you were to pile some more tinfoil on, what else might we expect to see from Russian authorities?

                          1. 2

                            I believe this is a link with technical details of the attack: http://seclists.org/oss-sec/2016/q4/760

                            1. 4

                              “state-sponsored actor”. Let the attribution dice roll!

                              1. 4

                                don’t people attribute hacks to ‘state-sponsored actors’ only because it makes them look less bad than if they were hacked by ‘some 17 yo kids in their parents’ garage’?

                                1. 1

                                  I guess a 17 yo kid who attended public school is technically state-sponsored.

                                2. 1

                                  Maybe it was the US state?

                                  1. 1

                                    Interesting accusation, particularly after all the goings on with Yahoo Mail at the time of the Democratic National Convention.

                                  1. 3

                                    Does anybody else have no idea what RAP and ROP are?

                                    1. 8

                                      If you want to build a program at run-time, you can find the addresses of blocks of code that do what you want, but are followed by a ret. These addresses are called gadgets. You can then execute your program by pushing these gadgets onto the stack in the order you want them to execute, and then returning with the ret instruction. This is called ROP: return-oriented programming.

                                      RAP is “return-address protection”, and it’s a device where you save extra cookie someplace before calling a function, and then verifying that the cookie is in that place before returning. This allows you to detect if someone is using the end of your function as a gadget.

                                      1. 2

                                        Is there an equivalent for J(ump)OP? Will we just see many ROP-using exploits switch to JOP or is there a practical reason that it’s unlikely to be the next iteration in the cat-and-mouse game?

                                        1. 1

                                          I was curious about this too and found this paper: https://cseweb.ucsd.edu/~hovav/dist/noret.pdf.

                                      2. 3

                                        This paper is one of the best ones I’ve read on it. It also wins points for a fantastic title:

                                        https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf

                                        1. 1

                                          It’s the predominant technique to achieve remote code execution in systems with ~“data execution prevention” or “write or execute” memory protections, which prevent exploits from executing malicious code directly.

                                        1. 16

                                          I’m appalled at FTA since some industries rely on it for “secure” transfer.

                                          Also it’s only mentioned in the timeline but the tester got $10,000 for their report. Nice!!

                                          1. 18

                                            Probably saving FB millions.

                                            1. 1

                                              Probably not, methinks. I am fairly convinced by the argument that these bugs are not worth as much as people seem to think they are.

                                              1. 6

                                                While I’m sure this has been debated enough and I don’t have nearly enough data to decide if the vulnerability is worth $10,000 or not, I think it’s important not to compare the value of a vulnerability on an open market to the value of the vulnerability to Facebook itself.

                                                The right attack on Facebook may not provide much financial gain to the attacker but would cost Facebook plenty in terms of credibility and customer trust.

                                                1. 3

                                                  This argument unfortunately comes pretty close to extortion. It sure would be a shame for me to throw this rock through your window. How much would you like to buy my rock for? Nobody else will offer me anything at all, but I think you’re just the buyer I’m looking for.

                                                  1. 1

                                                    I don’t think so either. Facebook is widely hated, but that doesn’t mean it’s not widely used. They can afford a lot of hatred because they are so big.

                                            1. 1

                                              It’s always great to see how multiple low threat vulnerabilities can be combined together to create one with a much higher threat!

                                              1. 4

                                                This could easily be retitled as “Yet Another Reminder on How Not to Host Your Web Site.”

                                                1. 1

                                                  I haven’t decided yet if all these write ups I’ve seen lately are a good or depressing thing.

                                                  It may be good because it’s giving obvious security mishaps visibility to the uneducated or it may be depressing because we keep seeing the articles about the same problems over and over (i.e. is anyone actually learning?).

                                                1. 3

                                                  While I am happy that there is such functionality in the Linux kernel, this feels like a slightly over-engineered and complex solution to the problem of restricting access to certain system calls.

                                                  1. 3

                                                    I agree – seccomp really seems to suffer from second system effect. I think the biggest problem is that it makes the logical next step in sandboxing system calls unnecessarily hard. I glossed over it in the article, but inspecting any non-integer system call arguments requires a supervising process to inspect the sandboxed process with ptrace.

                                                  1. 2

                                                    I’d love to see a similar online course teaching the fundamentals through exercises.

                                                    1. 1

                                                      I actually found the theoretical and practical explanation of using ROP (Return Oriented Programming) pretty good!

                                                      1. 4

                                                        While you shouldn’t expose your .git folder to the world, it’s probably also good practice not to put credentials into your source control.

                                                        1. 4

                                                          More details about the exploit at: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/.

                                                          Clearly there is a bug in the code, but more importantly why is a font driver running in kernel mode? Would running the code in user space not reduce the effectiveness of the bug?

                                                          1. 5

                                                            History: Windows NT 3.51 had the Win32 stuff, as the primary subsystem, run in CSRSS, and Windows was good and like a microkernel. Enter Windows NT 4.0. The Win32 stuff is moved into a kernel driver called win32k.sys, to improve speed. (Printing was moved into the kernel as well.)

                                                            To improve reliability and security, Windows since Vista has been undoing a lot of this. (Example: When GPU drivers crash, they can gracefully restart.)

                                                            Note I am not a Dave Cutler or Mark Russinovich, and as such, my knowledge of NT’s guts may be a bit off.

                                                          1. 6

                                                            I think the reality is somewhere in the middle of the two extremes.

                                                            While it is quick and easy to ‘pick-up’ a new language it takes much more time and effort to become experienced and really productive with it.

                                                            With an existing codebase and a big enough team you can get experienced much quicker.

                                                            1. 5

                                                              I quite like the closing sentence: “The network is not a security boundary anymore.”

                                                              1. 1

                                                                It is also recommended not to use auto incrementing ids on S3 (and I think DynamoDB) to best distribute load across partitions. In this case UUIDs aren’t necessary: you can simply reverse the order of the digits in the auto incrementing id.

                                                                Additionally, I’ve always felt uncomfortable with treating UUIDs as unique because the chance of a collision is so small. Surely if you want something to be unique (as in the case of a primary key in the database) you’d have to deal with collision resolution in the code, no matter how small? I wouldn’t feel comfortable with the code otherwise :(

                                                                  1. 6

                                                                    By that same measure you shouldn’t trust cryptography.

                                                                    UUIDs also have non-random variants, though. They just require coordination as you scale.

                                                                    1. 4

                                                                      Good point!

                                                                      After posting I gave it lots more thought (and read the wiki link above) and am actually warming up to the idea of UUIDs. Even if a collision does occur, if it’s set as the primary key on your database, the error handling is probably there already.

                                                                      1. 2

                                                                        Yeah - I’ve used UUIDs as primary keys, actually, in Postgres. I’m definitely guilty of being a programmer rather than a DBA (… is there a word for “non-DBA programmer”? Surely, DBA is programming), and if I’d had the advice that they work badly with GIN and GIST indices, I’d have avoided them. I’m sure the docs said it somewhere…

                                                                        But they worked decently well. At that company’s scale, there was no performance issue. It was probably less than 1M rows in the largest table, for what that’s worth.

                                                                    2. 6

                                                                      Additionally, I’ve always felt uncomfortable with treating UUIDs as unique because the chance of a collision is so small. Surely if you want something to be unique (as in the case of a primary key in the database) you’d have to deal with collision resolution in the code, no matter how small?

                                                                      Not to dog-pile, but another point to consider: the filesystem that stores your database is likely using UUIDs internally to represent chunks/extents.

                                                                      You’re fine.
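A worked version of the collision argument in the comments above, added here and not part of the thread; it assumes version 4 UUIDs, which carry $122$ random bits from a sound random number generator:

$$N = 2^{122}, \qquad P(\text{collision among } n \text{ ids}) = 1 - \prod_{k=0}^{n-1}\left(1 - \frac{k}{N}\right) \approx 1 - e^{-n^2/(2N)} \approx \frac{n^2}{2N}.$$

For $n = 10^{9}$ ids this gives $P \approx 10^{18} / 2^{123} \approx 9.4 \times 10^{-20}$, and reaching $P = 1/2$ would take $n \approx \sqrt{2N\ln 2} \approx 2.7 \times 10^{18}$ ids. For comparison, guessing a 128-bit key in a single attempt succeeds with probability $2^{-128} \approx 2.9 \times 10^{-39}$, which is the sense in which "you shouldn't trust cryptography" either. The bound only holds for properly random ids: a seeded or broken generator, or ids copied between environments, is the realistic way a collision actually happens, and the database's unique constraint is what catches that case.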

                                                                    1. 42

                                                                      Excuse the strong language, but I can’t stand snobbish, deceitful drivel like this. The article attempts to make the explicit point that programming is not a craft (because, apparently, the author thinks they have a monopoly on what it means for something to be a craft). But its subtext is far more sinister: it not-so-subtly weds the idea of craftsmanship to negative qualities like “big ego”:

                                                                      So here’s my concern with the idea of Software Craftsmanship. It’s at risk of letting programmers’ egos run riot. And when that happens… well, the last time they went really nuts we got Web Services, before that J2EE. They convinced the British government that they wanted an uber-database to store Everything Ever About Everyone. You see where I’m going?

                                                                      Um. What?

                                                                      Blatantly irrelevant analogies:

                                                                      Non-programmers don’t care about the aesthetics of software in the same way non-plumbers don’t care about the aesthetics of plumbing – they just want their information in the right place or their hot water to work. (Although it’s fair to say they appreciate decent boiler controls.)

                                                                      Programming isn’t plumbing and plumbing isn’t programming. What one does has no bearing on the other.

                                                                      Well it seems to me the most successful programmers I’ve encountered don’t craft software

                                                                      Which is clearly supposed to read as, “Successful programmers don’t craft software.” I’m not putting words in the author’s mouth. The entire point of the article is to seemingly generalize their own opinions to programming as a whole.

                                                                      More deceit:

                                                                      Do I need to demonstrate any kind of skill? No. Any specific credentials? No. Any kind of experience working in the field? Nope (and as the Pragmatic Programmers are happy to remind you, ten years experience is very different from one year repeated ten times). In fact, all I have to do to associate myself with Software Craftsmanship movement is to fill in my name on the website. Woohoo!

                                                                      As if acknowledging craftsmanship necessarily implies throwing out every other indicator. Really? The subtext with this nonsense is that people that see programming as a craft will produce lower quality code. The author even bemoans the loss of good programmers to the craft:

                                                                      Software practitioners – especially, ironically, the good ones – often lose sight of this. They fall in love with the software itself and start thinking of themselves as craftsmen of software.

                                                                      Unbelievably, despite the fact that programming isn’t a “proper” profession (the author’s words), the author has still somehow managed to identify good programmers from bad programmers. I know I’ve certainly never needed to see someone else’s certificate, nor have I ever needed the approval of some “Software Craftsmanship Council” to tell if a programmer was a real craftsman or not.

                                                                      I’ll never forget my programming languages course. On the first day, the professor went around the room and asked us to name some properties of programs. You had the usual suspects: “correct,” “fast”, “functional”, “object oriented”, “size” and so on. I was the only one who said “beauty.”

                                                                      Donald Knuth has my back:

                                                                      We have seen that computer programming is an art, because it applies accumulated knowledge to the world, because it requires skill and ingenuity, and especially because it produces objects of beauty. A programmer who subconsciously views himself as an artist will enjoy what he does and will do it better. Therefore we can be glad that people who lecture at computer conferences speak of the state of the Art.

                                                                      You can try to impose as many pre-conceived judgments on me as you want (“losing sight of the utility of software” or my giant “ego”), but I’m never going to stop seeing programming as a craft. I always have and I always will.

                                                                      1. 7

                                                                        Fantastic quote by Donald Knuth!

                                                                        A programmer who subconsciously views himself as an artist will enjoy what he does and will do it better.

                                                                        To me, this is the biggest thing that separates software engineering from many other engineering professions.

                                                                        1. 3
                                                                        2. 5

                                                                          Thanks for this. The article bothered me, but I didn’t feel able to explain why. As a “hook”, the author refers repeatedly to a disconnect between engineers and users, and, actually, that’s true - there are several such disconnects and they deserve individual attention. I suspect most readers will agree with that part. You correctly point out that the real thesis here doesn’t follow from it, and I agree with all your points.

                                                                          I guess I’d not go so far as to call this “deceit”; I believe the author is sincere. Most people who have conflated different things like this are unaware they’ve done so. I’ll give you “snobbish” though. :)

                                                                          You have me very curious - how did the professor and other students respond to “beauty”?

                                                                          1. 4

                                                                            As a “hook”, the author refers repeatedly to a disconnect between engineers and users, and, actually, that’s true - there are several such disconnects and they deserve individual attention. I suspect most readers will agree with that part.

                                                                            Definitely agreed.

                                                                            I guess I’d not go so far as to call this “deceit”; I believe the author is sincere. Most people who have conflated different things like this are unaware they’ve done so.

                                                                            Also agreed. I could have been more charitable. Just got a bit riled up!

                                                                            You have me very curious - how did the professor and other students respond to “beauty”?

                                                                            My professor paused and smiled, then moved on to the next student. It was one of those “first day of classes, let’s get the juices flowing” kind of thing. But that moment has stuck with me.

                                                                            We actually became very good friends. I went on to TA that course a couple times, and it is one of the most enriching experiences I’ve ever had!

                                                                            1. 1

                                                                              Neat. :)

                                                                          2. 2

                                                                            Well,

                                                                            I like the idea of programming as craft but I liked that the article raised a number of issues involved with the craft conception - despite the unfortunate “slick consultant” tone.

                                                                            The challenge is to engage in software craftsmanship in a fashion that makes a customer care about that craftsmanship.

                                                                            The example of the plumber seems good. The average person understands that not everyone who can stop a leak does so with equal skill. The immateriality of software makes that understanding harder. How can it be communicated to people effectively?

                                                                            1. 2

                                                                              Programming isn’t plumbing and plumbing isn’t programming. What one does has no bearing on the other.

                                                                              While you’re right, I think his analogy here is apt, but it also misses the point. A good plumber would see a bad plumber’s jumble of pipes and think “That’s a fucking mess”, just like good/bad programmers do with code. And why do we think it’s a mess? The reason a jumble of pipes or a pile of spaghetti code is scary is because we’ve been trained to recognize these patterns and associate them with a broken plumbing system or broken software.

                                                                              There’s a reason why highly skilled programmers think simple, elegant code is something to work towards, and that reason is because more often than not, it works.

                                                                              Either way, I absolutely agree with you. And this article has some serious gaping holes.

                                                                              1. 1

                                                                                Totally fair point! Agreed. :-)