1. The attacker has physical access to your PC.
2. You’ve made the mistake of not locking your PC when you walk away.
3. You’ve select the option to stay logged on - which happens to be a default, or, you’ve left your browser open (as I expect most people do).

If all three of these are true (or your PC is otherwise compromised) - you probably shouldn’t expect much in the way of security, but LastPass does protect you - most of the time. If you try to copy or view a password, you’ll be prompted to enter your Master Password - but there’s one case that can easily expose your passwords without needing to know the Master Password.

The issue is that LastPass allows you to change the address associated with a login without confirming your master password. This would allow an attacker to update an entry in your vault to a specially crafted page to echo the password - allowing the attacker to see the password and leave minimal tracks behind. I setup a special page to test this, it echoes the password as soon as LastPass enters it, allowing me to see the password in a few seconds without providing the master password (it’s also possible to update the password without providing the Master Password, providing another opportunity for mischief).

Automation

While I’ve not taken the time to build a tool to automate this - it would be a fairly simple process to do, just a matter of investing the time (which unfortunately I don’t have). The obvious solution would be to automate the GUI interaction to perform the following steps:

• Change the URL to a malicious page.
• Navigate to the page, and log the login data.
• Revert the URL to the original value.

Using this method it would be possible to collect all of a users credentials within just a few minutes. It’s possible there may be a simpler & faster route available by interacting directly with the plug-ins, though in looking at the exports and COM interfaces I didn’t see an obvious way to achieve this (which as a LastPass user, this makes me happy).

For an attacker, one substantial upside is that there would be little evidence of the event - while the LastPass Vault will show that all entries have been “touched” recently, I would venture to say that very few users would actually notice.

While this attack requires full access as the logged-in user, if a PC is otherwise compromised (perhaps as part of an APT type attack), it could allow an attacker to greatly expand their activities with a minimal time investment. This is the type of situation that could take a fairly small local information disclosure and turn it into a real nightmare scenario for a targeted user.

Solution

The simplest solution for this issue is to require Master Password verification if the URL changes, or at least require it if the domain changes. This should be a minor change for them and will eliminate this attack vector. Thankfully this is a minor issue, due to the three requirements required to pull this off - so I don’t believe there is too much risk due to this oversight.

The device is based on the TP-LINK TL-WR703N, which uses a 400Mhz Atheros AR7240 CPU - not exactly a power-house, but enough power for standard pen-testing (or even just as a super-portable linux box). In cases where the 400Mhz CPU and 32MB RAM aren’t enough, you can easily use OpenVPN as a tunnel to run your tests remotely.

The total investment for the build was only $38 - though next time I’ll pay a little extra and get the 16GB drive - mostly for extra room when working with logs. The 4GB drive used in the standard build has plenty of room for the software - but I’d rather have the extra room to work with.

The build process was process was simple - thankfully the instructions are quite good, though I did have to change a few things to make it all work.

Step 1): To save looking, here’s a direct link to the OpenWrt image.

Step 4): I formated the thumb drive by mounting it in a Ubuntu VM, and used GParted to delete the existing partition, and created a 512MB swap partition, then the rest is ext4.

Step 16): Read step 17 first so you don’t feel so stupid for wasting time trying to figure out why step 16 doesn’t seem to do anything.

Step 21): I use WPA2 on my network, so I had to edit the /etc/config/wireless a little differently:

config wifi-iface
        option device   wlan0
        option network  wan
        option mode     sta
        option ssid     <ssid>
        option encryption psk2+tkip
        option key <password>

More information about the wireless setup can be found here.

Step 24): My local wireless network is in the 192.168.1.x range, so this wasn’t working for me. Seeing as changing the wireless doesn’t make sense for me (way too many static devices), I had to change the IP address of eth0 to deal with the issue. I updated my /etc/config/network to look something like this:

config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.2.1'
        option 'netmask' '255.255.255.0'

Once the change is made, you’ll need to execute /etc/init.d/network restart - then update your PC’s static IP address to “192.168.2.111” and reconnect your telnet session.

Step 27): When executing the installs I was receiving this error:

opkg_install_cmd: Cannot install package <package-name>

To correct this error, I had to run opkg update - after this the installs started working fine.

Step 27b): The install for samba2-client was failing, as there isn’t a package by that name - though samba36-client installed fine.

Overall, it’s a great little setup - I’m quite pleased.

After looking at the options and issues to get the server upgraded to a non-stone-age version of the PGP software, the easiest answer looked like decrypting the files with GPG - it wasn’t as easy as expected, but I did get some useful information that may help others.

IDEA

If it wasn’t for IDEA this would have been easy, but the keys used for this transfer were old (thankfully the data isn’t sensitive) and IDEA it was. GPG doesn’t support IDEA due to various patents (most if not all of which are now expired), so that leaves us to use a rather old plug-in to fill in the gap. Unfortunately for me, the server that hosts up that plug-in is misconfigured, making it impossible to retrieve the file.

Thankfully there are other sources (plug-in, mirror).

Gpg4win

I used Gpg4win so I could decrypt the files from Windows - which had unexpected consequences. The current version of Gpg4win uses gpg version 2.0, which isn’t compatible with the IDEA plug-in - a fact that isn’t pointed out anywhere.

The key to making this work was to use an older version of Gpg4win - I used v1.1.4, which thankfully is compatible with the plug-in. Though I do wish I found this out a few hours sooner than I did.

Setup

The setup for this is pretty simple, it’s documented in a few places, but here is a quick wrap-up:

1. Install Gpg4win v1.1.4
2. Download the plug-in, and copy to C:\Program Files (x86)\GNU\GnuPG\lib

3. Update (or create if it’s not there) the C:\Users\<user>\AppData\Roaming\gnupg\gpg.conf file to include the following:

   load-extension "C:\Program Files (x86)\GNU\GnuPG\lib\idea.dll"

Once this is done, you can run gpg --version which will give you information about what algorithms are supported. It should look like this:

>gpg --version
gpg (GnuPG) 1.4.9 (Gpg4win 1.1.4)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Adam/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

If you note the first item on the “Cipher” line is IDEA, that means it worked. If you don’t see that - something went wrong, probably a bad path.

This version is able to handle the large files that old versions of PGP can’t, and it allowed for a quick solution to the problem until we can upgrade the server.

Thankfully I found a post with a few detection methods, one of which was using WMI from VBScript - which gave me the inspiration I needed:

1
2
3
4
5
6
7

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_Product WHERE Caption LIKE '%.NET Framework 4%'",,48)
For Each objItem in colItems
    Wscript.Echo "Caption: " & objItem.Caption
Next

I pulled up LINQPad and whipped up a quick script to check for both the Client Profile and full (extended) version on a list of computers. Hopefully it’ll be of some use others.

One thing to note, is that you do need Administrator permissions on the remote workstations.

So a month ago I began an experiment, I committed to using DuckDuckGo for a month - here’s what I’ve found.

Quality: The quality of the results is at par with Google for the vast majority of queries. On some queries where there are few results, Google tends to rank the results more accurately.

Index Size: The Google index seems to be larger, with faster additions than DuckDuckGo, though this was only a real issue for very obscure search terms. For the majority of queries, this isn’t noticeable.

Bang Syntax: DuckDuckGo has a great feature called ’!bang’ which allows you to search specific sites easily. Of all the options here are the ones I used most often:

• !amazon - Search Amazon.com
• !g - Google Search
• !man Search the *nix man pages

The bang syntax works great with the Search/Address bar in Chrome, making this my favorite feature.

Speed: DuckDuckGo feels much faster that Google does now (which is sad, as Google used to be amazingly fast, even on extremely slow connections), and the results page is clean and free of useless distractions.

Image Search: One that DuckDuckGo is missing compared to Google is a useful image search feature. Though you can easily jump to Google’s image search by adding “!i” to your query.

Zero Click Info: For a number of searches, DuckDuckGo displays an answer from an authoritative source, often giving you what you need to know without having to go any further. For me, the most useful of these is data from StackOverflow and Wikipedia.

Auto-Complete / Suggestions: This is the single biggest thing I’ve missed, it seems like a minor feature but I didn’t realize how useful it was until is wasn’t available. Hopefully they’ll add this at some point, would be a real step in the right direction.

Overall: I’m impressed. It’s not perfect, but it’s far more competitive than I expected. It’s clean, lean, and private. Over the last month I’ve still used other Google services and products (Chrome, Gmail, Google Voice, Google Authenticator, etc.) so it wasn’t a complete separation from Google - but enough to remind me that innovation is still happening elsewhere.

As Google has shifted much of its energy from information to social, companies like DuckDuckGo are continuing to innovate and find better ways to provide the information that we live on.

The key to this is that ZeroBin stores pastes and discussions encrypted - and the encryption is performed in the browser, with a browser generated key. This means that the people running the ZeroBin software have no knowledge of what they are storing.

So, if they are asked to remove content, all they can do is remove specific named items - it would be impossible to remove all items that contain specific material (where if PasteBin was to be ordered to remove all items containing credit card numbers, it’s a realistic possibility). As long as knowledge of the key remains limited - the paste will likely live on, no matter the content.

To make it even better, there are no accounts - so there’s no way to see what a specific user is posting. With a properly configured server, this could be completely anonymous. With no knowledge of the content, no knowledge of users - it’s the ultimate in deniability.

I really expect that this technique will become far more common in the future. It allows a much higher level of deniability for hosts and service provider, and greatly restricts the ability of investigators to research the activities of a user or group.

Take a closer look at this, I expect you’ll see more of this.

I really expected the ultra-book to be a fad, and a short-lived one at that.

Then came the HP Folio 13 - my desktop recently failed, and since then I’ve been using my 2+ year old ASUS G73 as my only machine. While the G73 is great - it’s also massive, hot, and heavy. After parting with my unused camera gear, I acquired a Folio 13 to act as my main laptop, leaving the G73 to play the role of desktop / development machine.

Within a couple hours of getting the Folio 13 it was clear, I was in love.

It’s not quite the love I felt when I first found the iPad, but it’s an amazing machine. Fast, super-light, and the battery goes on forever - it’s the ideal laptop. With the power of my G73 available anytime via RDP, I think this combination is about as good as it gets.

Here’s a rough overview of the Folio:

• Intel Core i3 / i5**
• 128GB SSD
• 4GB RAM
• 13.3” 1366x768 display
• 9 hour battery (so far 7-8 hours seems to be the realistic number)
• Brushed aluminum case
• 3.3lbs

Also included are the normal things you would expect, like a web cam, Bluetooth, etc..

I’ve been extremely impressed with what this little thing can do, from large compiles to generating Jekyll sites, it’s more capable than I expected. So far it’s handled everything I’ve thrown at it - and most taking around the same time as my G73 would (and some taking less, thanks to the Folio’s SSD).

I’ll be doing most of my writing and non-development work on the Folio, and the G73 will still be my go-to system anytime I need Visual Studio or other heavy-weight development tools (though I’d be willing to bet, it’ll be via RDP from the Folio more often than not).

Overall: I’m extremely pleased. It’s a great device - it has the battery life and portability of a tablet (i.e. an iPad), with the power and flexibility of a traditional laptop.

** The Core i3 version is less expense, and thanks to the lower power consumption, it also stretches the battery life better than the i5 - making it a win-win.

Octopress

I’ve switched from WordPress to Octopress, a Jekyll-based blogging platform that generates a completely static site. So there’s no database, no dynamic code (i.e. PHP), minimal memory footprint (which is great, given my recent hosting change) and best of all - it’s fast and secure. Using Octopress, it greatly reduces the security surface of the server, which means I spend less time worrying about updates and more time writing.

Thanks to the completely static nature of the platform, it’s extremely fast - it allows the server software to do what it does best: shove bits down the wire, instead of waiting on a database and parsing and executing dynamic code. In the coming days I’ll be tweaking the server software to optimize for performance, so it should get even faster.

I’m still trying to figure out the ideal workflow, but so far I think it’s the right platform for me. Hopefully, I’ll be able to keep the friction low and spend more time writing.

WordPress

So what about WordPress? I still love the product - in general. It’s not perfect, and while it’s easy to get running, it takes effort to make it fast and secure - something most people don’t do. If you want a full CMS and you’re willing to do it right, WordPress is a great option.

Personally, there are some frustrations with WordPress that I’m happy to be rid of - not the least of which is fighting the WordPress editor to maintain code formatting. It’s little things like this, that has had me looking for better options.

For your average non-developer, something like Octopress has too much friction - as the tag line says, it’s for hackers. If you aren’t comfortable with Ruby development, this probably isn’t the solution for you. If you are, and you want a lightning fast, flexible, and powerful platform - it’s a great option.

Comments

You may have noticed that there isn’t a comment form - I’ve went back to not having comments.

While I do greatly appreciate those that have taken the time to leave a comment, comments make up the vast minority of feedback I receive. Twitter, and Facebook are more common - so instead of slowing the site down and wasting my time fighting spam, I’ll just turn off the comments.

If you have feedback - question, suggestions, anything else - find me on twitter for the quickest response.

The new plan is about as minimal as it gets:

• 128 MB RAM

• 256 MB vSwap

• 1 CPU Cores

• 20 GB Disk Space

• 500 GB Bandwidth

The upside to this? It’s only $15 per year.

So I’m going to focus on caching and optimization to keep this and a few other sites running on such lean resources. In theory WordPress should be able to do it, if it can’t - I’ll switch to Octopress or something similar.

This should be a fun challenge.

I was coding away on the next version of a small product called GSuite that I was building for a tiny (and now nonexistent) software company called Imspire Software. It was a simple tool that provided some goodies for Gmail users, and had a few thousand users (it eventually died as a result of rapid API changes and new tools directly from Google). As I took a break to check my email, I saw something that shocked me:

[The full email is still posted over at osvdb, and I make a point to go and look at it and the details once a year or so - just to remind myself of what can happen.]

As I worked through the somewhat iffy English of the email I was in shock. I instantly understood the issue, I could see the code in my mind. It was written by another developer, and I could remember questioning its security - but I had other things I was supposed to be doing and didn’t worry about it. What a mistake that was.

I went back to Visual Studio and found the code that caused it all:

Shifting values is obfuscation and little more, it looks like security - it might even smell like security, but it isn’t. It’s a false sense of safety, it was a mistake to implement and even more of a mistake to actually use in a consumer product.

While this is only a local information disclosure, and not something far more serious like a remote arbitrary code execution issue - it was still enough to really shake me. I had always considered myself to be a good developer, and part of that is writing secure code. This was many things - but secure isn’t one of them.

Thankfully, Lostmon, the finder of the issue was courteous enough to give me a couple of days advance notice before making it public. Allowing me plenty of time to get a notice up on the web site, and get the next (fixed) version ready for release. I switched from a glorified Caesar cipher, to Rijndael - a significant step up I would say.

Was anybody harmed by this issue? I don’t believe so - it was a relativity minor issue given what was needed to get the password. Was anybody impacted? Most certainly.

• Users: They now wonder if they are secure - did somebody steal their information?

• Company: The brand is weakened, less trusted, and questioned more.

• Developers: Confidence is lost, self doubts start creeping in.

Because of this, every time I release an application I give much more thought to what I’m exposing and how it could be leveraged in an attack against my users. The only way I’ll agree to an application release is if I’m completely certain that I’m not risking a user’s security - if there are any unknowns, any doubts, then it’s not worth the risk. Just that simple.

• Results made up of the same two digits repeating (i.e. 5454545454545454).

• Results that have seven or more of the same digits repeating (i.e. 5555555555554444).

I also fixed a bug that I introduced in v1.0.6 that prevented it from compiling on certain *nix systems; while I was in there I also fixed several instances of this building warning on newer Linux distros:

warning: call to __builtin___strncat_chk might overflow destination buffer
 [enabled by default]

I also took the time to write-up really simple build instructions for *nix users:

$ wget -O ccsrch.tar.gz https://github.com/adamcaudill/ccsrch/tarball/master
$ tar -xvzf ccsrch.tar.gz
$ cd adamcaudill-ccsrch-<rev>/
$ make all

This will probably be the last release for now unless a bug turns up; to improve results further I’m working on a new project (ccsrch-score), hopefully it’ll be released soon.

For an application like ccsrch, having this data available would be very handy to reduce false positives when scanning a large file system (scanning a large server produces a huge number of possible hits), but for what I would call fairly misguided reasons, the official registrar of these numbers (the ABA) doesn’t make this data publicly available. As a result many people have pulled together what data they could find and made it freely available.

So I’ll add my name to that list.

I’ve pulled data from many public sources (sorry, I didn’t keep very good notes as to the sources) and cleaned it up to a reasonable point. All told, I’ve probably spent 40 hours or more cleaning this data up and getting it to a usable state. It contains over 60,000 entries, including major credit cards (Visa, MasterCard, Amex, Discover) as well as a few merchant entries.

Each record contains the following:

• IIN

• Type (Mastercard, Visa, Visa Credit, etc.)

• Name (Issuer name)

• Length

Data Quality

It’s not perfect. It’s from public sources so there may be errors, and there are some duplicates from cases where I wasn’t able to determine who the IIN actually belongs to. I’ve also updated for name changes and mergers where possible, but I’m sure I’ve missed a few and there are some where the assets where split, so I don’t know who the correct owner actually is (Washing Mutual being the leading example of this).

In general, I leaned to the side of caution - so if I didn’t know for sure, I left the duplicate in.

If you need absolutely correct data - contact the ABA, they are the only source that can give you the completely accurate listing. If you need to have a decent idea if a number is valid for most cases - I would say that this data is good enough.

Warranty

Just to make it really, really, really clear: There is no guarantee that this data is accurate, that it won’t cause to lose your job, cause your house to burn down, or cause Rebecca Black’s Friday to get stuck in your head (yup, you’re welcome ;)).

Copyright

Based on my understanding of US copyright law, it is my understanding that this data is not subject to copyright as it is a compilation of facts and doesn’t constitute an original expression. Thus, to the best of my knowledge, this data is in the public domain.

Download

Here (zipped CSV)

Mykonos’s Web Security product uses deception to “detect, confuse, slow down and prevent attackers” in real-time in order to help companies protect their websites and Web apps from malicious hacker and proactively prevent fraud and theft.

A couple of minutes of reading, and my interest was piqued - to say the least. The thing that most interested me was the claim of no false positives, while they do talk about it - I really wanted to see it for myself. Assuming they used their own product to protect their site, I took a few minutes to see what I could find - and find I did.

The first thing I did was a view-source to see what I could learn about their site - mainly to see if there were any obvious signs of using one CMS or another. The first thing that jumps out at me is this from the HTML:

<!-- InstanceBegin template="/Templates/mykonos.dwt.php"
     codeOutsideHTMLIsLocked="false" -->

So, this tells us they are using Dreamweaver, and the name of the template. So, the next question is, does that /Templates/ directory exist on the server?

Yup.

So, not only does it exist, they have directory listings turned on - which to me was a real shock. Unfortunately for us though, these files are named with the .php extension and not the .dwt I was hoping for, so we can’t get much useful from them.

So, from looking at the source of the home page, we can see that the css files are stored in a /css/ directory - maybe that’ll be interesting.

It’s there, and like last time, we can see all of the files. While CSS files are of no real interest, the /_notes/ directory is, because it’ll contain a file called dwsync.xml - which can be quite interesting (since we knew they are using Dreamweaver, it’s not too surprising to see this). This file contains data about the last time the site was pushed from Dreamweaver, and will contain one entry per file, and looks like this:

<file name="style.css"
 server="ftp.belincreative.com/public_html/clients/mykonos/site/"
 local="129651858311162109"
 remote="129651936600000000"/>

The most interesting thing there is the server entry, as it tells us a little about the file-system; which if we were really trying to attack the site, knowing that would be handy. The other thing of interest is that when you see one /_notes/ directory, you’ll see lots more, as Dreamweaver likes to put them everywhere.

So, let’s see if there’s one in the root - that should be the most interesting one. Sure enough: /_notes/

This one has a few interesting entries, such as a PHP file that is named with an HTML extension - causing the code not to execute. Viewing the source of that file in the browser exposes the /inc/ directory; potentially interesting, but yields little information. The next file I tried (knowing it would be way too easy if it worked), was the .htaccess file:

<files "webadmin.pl">
    AuthUserFile /usr/local/www/public_html/.htpasswd
    AuthType Basic
    AuthName "Server Administration"
    require valid-user
</files>

Now, at first glance things look too good to be true - and that’s because they are. Look at the path in AuthUserFile and compare that to the entries from the dwsync.xml files. This .htaccess file is part of the trap, which is all but confirmed if you try to go to the .htpasswd file which shouldn’t work, since the path isn’t what we would expect.

Now, while mucking around looking at the aforementioned files, and others such as robots.txt, I would periodically see this, which I would assume is part of that “no false positive” promise:

I was hoping to run into the firewall (for lack of a better term) - looks like I got my wish; though since I wasn’t using anything automated and was just poking around by hand, it didn’t have any impact. Not terribly exciting, but it did provide some insight into what they are doing.

So far we’ve found a few interesting things, and bumped into their firewall, but that all pales in comparison to the last entry in the dwsync.xml file:

<file name="local-site.zip"
 server="ftp.belincreative.com/public_html/clients/mykonos/site/"
 local="129695851046591796"
 remote="129695888400000000"/>

When I saw the file name I was shocked - could it really be? But I was right. It’s a 59MB file containing everything on the site - all the PHP and everything else. Out of curiosity, I compared the .htaccess to that in the zip file, as expected it’s quite different and more believable:

Options +FollowSymlinks
RewriteEngine on
rewritecond %{http_host} ^mykonossoftware.com [nc]
rewriterule ^(.*)$ http://www.mykonossoftware.com/$1 [r=301,nc]

That confirms what I suspected, the file I saw earlier was just part of the trap.

So what have we learned?

1). Mykonos makes a really cool product, and had I not known what I was up against (and thus less skeptical about everything) it probably would have killed a lot of my time - just as intended.

2). No matter what you put in front or your site or application, human mistakes are still your greatest risk. A second set of eyes and a little paranoia go a long way in securing your systems, and stopping hackers.

3). Mykonos was either lucky or smart in that there was little on their site that shouldn’t be seen by the public. If they were using a CMS with a database back-end instead of simple (mostly-)static pages, this could have been worse. If they had source code or other valuable IP on the server, a mistake like this could be devastating.

4). Mykonos should take some of their new-found cash and hire somebody to finish the audit of their site that I started. ;)

Note: I notified Mykonos about that zip file before posting this (through a couple of channels), and I’m intentionally not linking to it. While I didn’t see anything in there that would be an issue to be publicly disclosed, I’m sure they don’t want it getting out. Hopefully by the time anybody reads this, they will have taken care of that file.

Update: As expect, they’ve cleaned up the files I mentioned - and a bit more. In a tweet from the company’s CEO, David Koretz, he mentioned that they had left a surprise for me. So I went to my starting point (the /Templates/ directory), and was greeted with this:

Yeah, cool product and cool people. I’m impressed.

Once I saw the file name, a sinking feeling set in and the answer became clear:

%LocalAppData%\Google\Chrome\User Data\Default\Sync Data\SyncData.sqlite3

So it turns out that it’s Chrome’s sync feature that was saving my information, but why?

It turns out that auto-fill data is synced with your Google account (if you’re signed in and have the feature enable, of course), and all of the computers you’re signed into - and by default, without the benefit of encryption. This file may contain any number of things, from mine I was able to extract the following:

• Full name

• Wife’s full name

• Date of birth

• Wife’s date of birth

• Social Security Number

• Multiple credit card numbers

• Multiple CVVs

• Bank account & routing number

Not to mention quite a few websites I’ve been to, various addresses, employer’s name and other various useful tidbits. All would be quite useful for identity theft or highly targeted spear phishing.

Now am I saying that syncing auto-fill is bad? No, not at all. It’s a very useful time saver, but what takes it from a useful feature to security issue is the fact that by default, this data isn’t encrypted!

What are the risks?

There are three significant risks I see here:

1). Disclosure to less trusted systems:

In my case, I trust my laptop to be secure; between full-disk encryption (via TrueCrypt) and other precautions, I know that I don’t have too much to worry about. On the other hard, my Work PC is on a corporate domain, and at least a couple dozen people have permissions sufficient to access my personal files - thus I don’t trust anything too valuable on it.

Now because of the fact that this feature is insecure by default, that data is exposed to a less trusted system.

It can also go the other way: a number of auto-fill entries on my personal laptop were from forms on internal-only applications that only my Work PC would be able to access. So this means that anything sensitive could be leaked to home networks which are typically less secure than corporate environments. If you routinely handle PCI, HIPAA, or other restricted information - this type of leak could be a major issue.

2). Spear Phishing:

Let’s imagine a scenario:

You work for a defense contractor and I work for a foreign intelligence agency. Through some targeted attacks I manage to penetrate your home network, but have been unable to make it into your corporate network. I grab the sync database file from your home PC and extract one of your credit card numbers. I look up the IIN and find out what bank the card is from. Once I have this, I build a PDF with the latest 0day exploit, and send it with a convincing subject line:

“Important Information about your Bank of America credit card ending in 7850”

Normally you’d dismiss it as spam, but the last four digits are right - so you open it, just in case. The exploit kicks in. I’m in, you’re done.

This is just a simple and quite contrived example, but you get the idea.

3). Google Data Mining:

This is the most paranoid and least likely, but given Google’s issues in controlling their people - I’d say not impossible (see here, here, and here).

Just for a moment, think about the fact that Google has the following:

• Your account data (name, email, etc.)

• Your auto-fill history (see the list of items I found above)

• Tons of data from their other services

• At least parts of your browsing history, if not much of it

• Engineers that truly enjoy data mining

Most other companies I wouldn’t worry about; but knowing the people that Google hires, and the skill they have in manipulating data - you know that some engineer is using his 20% time to do this (or at least is wishing he could).

If nothing else, I know if I worked at Google - playing with this data would be tons of fun. ;)

Want to see your data?

To see what Chrome has saved about you, download SQLite Browser, and open the file I mentioned above. Go to the “Browse Data” tab, and select the “metas” table. What you’re looking for is in the “non_unique_name” column (among other places). You should see something like this:

The entries starting with “autofill_entry” are the ones you are interested in, but you’ll likely find some of the other records interesting as well. If you see the word “encrypted” then your data is already encrypted, and you don’t have to worry about this.

Is this a vulnerability in Chrome?

No, not at all - though it was a mistake. They should encrypt everything by default, and not provide an option to do otherwise. There’s no reason to expose users to a potential security risk when there’s a simple fix. Security isn’t something users should have to opt-in to; and unless there’s a very good reason, they shouldn’t have a way to opt-out.

Google should understand security and the value of the data they hold; they should be more responsible for the data (and faith) people give them.

How do I fix it?

Simple, from the “wrench” menu, select Options -> Personal Stuff -> Sign In -> Advanced… and then under “Encrypted data types” select “Encrypt all synced data” - and that’s it. After a couple of minutes the entries that were visible before will now just display the word “encrypted.”

You can also go a step further, and get rid of this data by disabling auto-fill to ensure that potentially sensitive information isn’t being persisted when it shouldn’t be.

CCSRCH is a cross-platform, command-line application that reads every file from the starting point passed in, and scans them for what looks like credit card numbers (and using the Luhn algorithm to check each possible result). It’s fairly brute-force, but it gets the scans required for PCI - though I would be careful about using it during production hours, it can have a pretty significant impact on a server’s I/O performance.

I’ve forked the application and setup a new ccsrch project over at github (the original is on SourceForge), and made a few modifications to better suit my needs (from the change log):

• Added option to output the file name, and how many hits were found to the console when using -o (see -c in usage).

• Added option to limit the number of results from a single file before going on to the next file (see -l in usage).

• Added option to exclude certain file types from the scan (see -n in usage).

• Fix for ignoring NULL, CR & LF.

• Ignore dash when scanning.

• Exclude results with the last 8 digits repeating (very unlikely to be a real PAN).

I’ve uploaded a Windows build of the new 1.0.5 release to github, and for *nix systems, you can just download the latest tag.

There’s been an amazing resistance to SOPA, from the boycott of GoDaddy to public statements from celebrities such as Adam Savage - the public outcry against this horrid piece of legislation has been quite inspiring. But how often will you be able to get so many people to stand up and take action before they start to lose interest? How many times can you raise the troops before the numbers start to dwindle; how long before the celebrities start fearing they’ll be branded in the media as extremist or crazy? How many times can you raise the call of breaking the internet and freedom of speech before the public gets bored and goes to read about the latest Hollywood divorce instead?

Here’s how I see it going:

1. Strip many of the worst parts of SOPA and get it through congress. By removing these offending pieces, those backing SOPA will try to make themselves look responsive to the community, and it’ll be played as a victory for the community in the media. All in all, if you aren’t paying attention it’ll look like a victory for the people.

2. Next year, introduce a bill to modify SOPA to change the wording here are there, edging it just a little closer to the original. If done carefully, it’ll be easy to dismiss those that try to stir up another outcry as over-reacting or even paranoid.

3. In a few years after a series of modifications, we have SOPA, just as broad and dangerous as originally intended - and the vast majority of people who fought SOPA would have no idea.

If you have a financial motivation to get something like this passed, they key to success would be patience. Chip away slowly at DMCA Safe Harbor protections, at what requires a judge instead of an administrative action, at transparency so that any action ends up happening behind closed doors. In enough time you’ve established a law that gives the US Federal Government a massive amount of control of the internet, without oversight - all in a way designed to get offending web sites off the internet as quickly as possible. To say it would be ripe for abuse would be a massive understatement.

Am I being paranoid? I honestly hope so - I really hope that there aren’t people out there looking to limit the freedoms we cherish for their own profit, but the fact that SOPA was introduced in the first place makes that hard to believe.

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)

So based on this requirement I assumed that the code to do this would be common and widely available; much to my surprise there are rather few samples that do this, and of those I found they only showed the last four (which when you are handling a lot of credit cards, searching for an account by the last four isn’t all that helpful) and were often rather fragile.

So I whipped this up, hopefully it’ll be useful to others.

The regex pattern is from Regular-Expressions.info and should detect most major cards.

The key to Cringely’s argument comes down to this:

When SSDs gain enough capacity there will be a shift from the Ruby world back to the Java world. Not for prototyping, because, well, it’s prototyping. But simply because the statement “Ruby is _incredibly_ slow but I don’t care because my database is slower” will no longer be true.

What he’s missing here is the real reason people use frameworks like Rails; it’s not about it being Ruby, or being the latest cool thing - it’s about developer productivity. That’s it, and that’s all there is to it - Rails allows a developer to do more in less time. That’s one of the key reasons so many Java web developers jumped ship (though I can think of a few others), and what pushed Microsoft to invest so heavily in their MVC framework.

I could fully rehash the argument, but in what I consider to be one of Jeff Atwood’s best articles,  Hardware is Cheap, Programmers are Expensive, he covers a key point to my argument - developer time is vastly more expensive than hardware. Atwood’s take on the issue is clear:

Clearly, hardware is cheap, and programmers are expensive. Whenever you’re provided an opportunity to leverage that imbalance, it would be incredibly foolish not to.

When there’s a choice between developer productivity, and spending money on hardware - the conclusion should be the same. It’s much cheaper to throw more hardware at a slower framework than it is to invest more developer time in a faster framework. For any non-trivial application, throwing more front-end servers at it will always be cheaper than slowing the development process down with a non-productivity-centric toolkit.

It’s simple economics; server hardware is getting faster and cheaper, developer time is only getting more expensive.

To properly test the services, I had to make a compromise: temporarily modify the application to expose a SOAP endpoint. While this changes the state of the application and thus reduces the validity of the tests, it does provide a reasonable way of testing the web services to ensure that they are behaving as intended.

The recently released SoapUI Pro 4 adds new security testing tools that makes this a viable (and attractive option). To get this working, there are a few small changes that need to be made to the solution:

First, you’ll need to add a reference to Microsoft.ServiceModel.DomainServices.Hosting.EndPoints which is part of the RIA Services Toolkit; this allows you to expose different End Points for the service such as SOAP and OData.

Next, you’ll want to add the following configSections entry to your Web.config:

<configuration>
 <configSections>
   <sectionGroup name="system.serviceModel">
     <section name="domainServices"
      type="System.ServiceModel.DomainServices.Hosting.DomainServicesSection,
      System.ServiceModel.DomainServices.Hosting,
      Version=4.0.0.0,
      Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
   </sectionGroup>
 </configSections>
 ...

Finally, to expose the SOAP end point:

<configuration>
 ...
 <system.serviceModel>
  ...
  <domainServices>
   <endpoints>
    <add name="Soap"
     type="Microsoft.ServiceModel.DomainServices.Hosting.SoapXmlEndpointFactory,
     Microsoft.ServiceModel.DomainServices.Hosting,
     Version=4.0.0.0,
     Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </endpoints>
  </domainServices>
  ...

Finally, just follow the instructions for SoapUI to setup your tests, and you can feel (just a little) more confident in your application. Passing with flying colors obviously doesn’t mean your application is bulletproof, but it helps to confirm that web service code is solid.

Now, while this does provide some insight into your application and should help find common issues, it’s not a replacement for a professional assessment by a qualified auditor. If you are handling credit cards or other highly targeted information, please consult a security specialist before a public deployment.

So, let’s take a look at a few stats:

Total Domains: ~5,230

Top 15 Domains:

There are over 50,000 unique passwords, but even with this many passwords, there’s still a few quite common - and very bad passwords in use:

While this is a fairly small release, the LulzSec twitter stream has a number of entries like these:

There are several tweets about people accessing Facebook, Twitter, and even Amazon accounts - what’s so unfortunate here is that service providers could easily restrict accounts on lists like this to protect the users and greatly reduce the impact of these breaches.

Until people learn that password reuse is dangerous, this will keep happening.

Update: I’ve removed a link to a tweet, as the account has since been removed. The tweet said: “@LulzSec Cheers for the paypal account with £250 in it! ;)”