security research, software archaeology, geek of all trades
271 stories
·
7 followers

Oil & Gas International post-mortem: the hard security lessons are management-related, not technical

2 Shares

On Monday, a man named Dev George posted the following on Mozilla’s Bugzilla bug reporting database:

Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.

(Bugzilla have hidden the bug report, but you can view a version with broken CSS on archive.is.1)

What happens next is both completely predictable and an excellent illustration of how to not do security.

Browsers are in the process of making it so insecure logins are flagged up as a potential security issue. This recently went live in Firefox and is slated to go live in Chrome soon (it is available behind a feature flag).

The website referred to in the comment—Oil and Gas International (or O&GI)—not only accepts logins via HTTP, but also accepts credit card payments sent unencrypted. At least, it did. It is now offline.

Not only was the site not using Transport Layer Security for logins or card transactions, the site itself was rife with an array of fundamental security failures.

It was running on ASP.NET, version 2.0. .NET 2.0 was released in 2006. The version the OGI site was running was likely teeming with old, unpatched vulnerabilities. Microsoft stopped supporting .NET 2.0 a long time ago, and they no longer support versions of Windows capable of running .NET 2.0. I’m not an expert in .NET, but from what I understand, it is pretty trivial to upgrade the underlying .NET Framework (just as one can run old Java code on a newer JVM).

Not that framework vulnerabilities are the main problem. The site was vulnerable to a SQL injection attack in the login form. Before the site went down, people found that submitting poorly formatted username/passwords led to the .NET server responding with a stack trace with highlighted source code.2

Here’s another screenshot showing the application vomiting back stack traces when the login code fails to handle a SqlException.

So far we’ve got no HTTPS, an extremely outdated back-end framework, SQL injection, and a server configured to reveal stack traces to the user.

According to this Reddit thread, someone took a peek at their user table and found all the passwords were stored in cleartext. And some charitable soul took it upon themselves to drop either the user table or the whole database (I can’t tell which). The Reddit thread also says that a user on there called the company and tried to explain their security failures, only to be rebuffed.

Nmap results posted in that thread and on Twitter showed that the server had open ports for Microsoft SQL Server, POP3, IMAP and… HTTPS. Yes, they had port 443 open for HTTPS traffic but didn’t use it.

At one level, the technical lessons of this are obvious. In no particular order:

  1. Keep your server patched. Keep an eye on the frameworks and libraries you use and patch/upgrade as appropriate. Automate this as much as possible.
  2. Don’t expose error messages/stack traces in production. Make the attacker do some work.
  3. Sanitise user input to avoid SQL injection.
  4. Don’t store user passwords in cleartext. At this point, Bcrypt or PBKDF2.
  5. Lock down your server ports.
  6. Use HTTPS. With Let’s Encrypt, certifiates are free. If you run a business, can you think of any examples where the traffic between your user’s browser and your server should be interceptible? No? Then use HTTPS. (Every US federal website is going HTTPS-only. Seriously. You should too.)
  7. PCI-DSS is a thing. Even if you think login-over-insecure-HTTP is fine (it isn’t), sending card details over insecure-HTTP is dumbness.

I do have some sympathy for the site owner. According to this biographical page from (an archived version of) the site, he’s a writer with genuine expertise and understanding of his field, and has worked with some of the biggest companies in the business. He knows about oil rigs, not infosec.

He has every right to sell access to his expertise and knowledge through running a premium website. But doing so comes with risk. Information security risks are genuine risks that businesses have to cope with.

And they are doing a poor job of it. Every business that builds anything online needs to have a strategy for how to handle information security risks. None of the issues I raised above are complex. Every professional developer worth their salt should know the importance of getting them right. And most do.

As I’ve noted in the past, business organisations often talk up the complex, ever-changing, difficult nature of these threats. Listen to the non-technical discourse on information security and you’ll end up so confused as to basically do nothing. The threat is insidious, ever-mutating, confusing and impossible to fight that it is quite rational to not do anything. This ignores the truth: the threat model that for small and medium sized companies are less like Wikileaks and/or 24 and more like… well, this kind of small potatoes nonsense.

The threat to most small-to-medium sized companies is that they don’t seem to get this. Poorly built websites, often outsourced to the cheapest supplier, filled with utterly boring vulnerabilities. SQL injections and insecure form submissions aren’t the constant, dynamic, ever-changing threat that pundits in the press pontificate about. It’s not cyberwar, just run-of-the-mill bad coding, lack of testing, and poor systems administration.

In so many companies, people haven’t fully understood how bad software is. They haven’t grasped how widespread poor business information security truly is. They hide behind certifications and assurances.

I’ve seen organisations proudly show off their ISO 27001 certification, then taken a look at their site and found an old, unpatched POP3 server running without TLS and accepting passwords in cleartext. I’ve seen organisations offering to do ISO 27001 certification, as well as government-approved cybersecurity work, without HTTPS on their website.

I have seen so many people and organisations in business who think software is something that gets “done”. That you just finish writing the software and nothing else needs to be done. Everyone who works in software knows this isn’t true, but this incorrect attitude is worryingly frequent in business.

I have also seen organisations where non-technical staff are not instructed on how to deal with reports of security vulnerabilities. In such organisations, it’s only through luck that a vulnerability is passed on to developers/sysadmins who can actually do something about it. When a security vulnerability is revealed, the staff run around like headless chickens worrying about what to do. People at all levels, in all areas (sales, customer service, support, management etc.) will need to learn what to do when someone tells them their website or app has a vulnerability—what the appropriate reporting procedures are etc. They also need to have confidence that the business will take it seriously, and know how to get it fixed quickly and properly.

Those at the management level need to take responsibility for understanding some basic information security. Without basic knowledge of information security, they won’t be able to evaluate risks rationally. If people were wandering around so worried about laser-shooting stalker drones that they didn’t bother locking their front doors, that’d be a sign of a colossal misunderstanding of risk. People getting worried about three-letter agencies and cyberwar while not fixing (or even having basic awareness) SQL injections, XSS vulnerabilities and other well-understood threats is the situation we see now.

The same misplaced fears affect the wider public. People read stories in the press about, oh, the CIA, NSA, GCHQ, Snowden, Wikileaks, mass surveillance, and cyberwar. That’s all worth thinking about. But most people, most businesses, are unlikely to be the target of surveillance by a spooky government agency, nor are they likely to be pawns in a global cyberwar. Much more likely is some incompetent website designed by inexperienced, self-taught developers with some major Dunning–Kruger issues, unwilling to learn anything new, is going to accidentally leak private data due to, oh, the sort of important but boring sins committed by sites like O&GI.

The real problem with information security is management-related: those in charge, unable to grasp elementary security issues or evaluate their relevance, properly handle security reports (sometimes from scary pseudonymous people on the Internet), or listen to experts. The existing certification processes, and the attitude that security is about “reassuring” customers (rather than actually being secure) is part of the problem. O&GI is a case study in how bad technology choices and poor management combine to produce a predictable (if undeserved) outcome. Here’s the scary bit: the same people who design websites with this level of insecurity are also designing your internet-connected coffee machine or teddy bear or, oh, car. We can’t carry on without some pretty fundamental fixes to how information security is handled in society, in business and in government.

  1. I did consider the ethics of whether to post this. I think the cat is out of the bag now and continuing to pretend otherwise is pointless.

  2. bool blnLogin. Yay for Hungarian notation. Systems Hungarian, really.

Read the whole story
zwol
1 day ago
reply
Mountain View, CA
acdha
2 days ago
reply
Washington, DC
Share this story
Delete

jacobtheloofah:

1 Share














jacobtheloofah:

Read the whole story
zwol
4 days ago
reply
Mountain View, CA
Share this story
Delete

spocks-pockets: Happy (future) birthday, Jim Kirk!

1 Share


spocks-pockets:

Happy (future) birthday, Jim Kirk!

Read the whole story
zwol
4 days ago
reply
Mountain View, CA
Share this story
Delete

Science finds a way to bring back the American chestnut tree

2 Shares

Seventy years after American chestnuts all but died out, researchers will soon be applying with Canadian regulators to distribute a genetically modified version.
Read the whole story
zwol
6 days ago
reply
Mountain View, CA
acdha
6 days ago
reply
Washington, DC
Share this story
Delete

Saint Patrick Drives The Snakes Out Of Ireland

1 Share
image
Read the whole story
zwol
9 days ago
reply
Mountain View, CA
Share this story
Delete

Remember the People America’s Healthcare System Has Already Killed

1 Comment and 5 Shares

It struck me as normal, somehow, to watch my girlfriend enter an online sweepstakes that would help decide whether or not she would be able to afford to buy medicine. Only now, watching the Republican establishment dismantle the Affordable Care Act, has this struck me as cruel.

I don't remember the specifics of the promotion, but I remember that it was a monthly trivia contest run by an online cystic fibrosis pharmacy. Answer the questions right, and your name was entered to receive $500 toward your meds. I'd ask Katelin about it now, but she is dead.

The Republican plan to repeal Obamacare and replace it with something that offers more "choice" has inspired thousands of people to confront lawmakers with their stories about how the law—and health insurance more generally—has saved their lives or prevented financial ruin. Their courage should be applauded, their voices amplified.

We should remember, though, that we are hearing from the fortunate ones. The ones who were repeatedly fucked by insurance companies before Obamacare? They are dead.

If Jason Chaffetz, Paul Ryan, and Donald Trump want to offer Americans more healthcare choice, they're on the right track. Obamacare closed many of the loopholes insurance companies used to keep the chronically ill from purchasing coverage, but any system that treats healthcare as a luxury rather than a basic human need is going to afford people plenty of options as their insurance lapses or benefits are suddenly changed.

Katelin was afforded the choice to do fewer breathing treatments to preserve her medicine until her insurance company would pay for more. For a few months, she made the choice to take generic nebulized albuterol because she couldn't afford the more effective Xopenex out of pocket. She had regular battles with her insurance company about when it was appropriate to refill her prescription for digestive enzymes, which she needed to take in order to eat almost anything. She chose to enter insane online sweepstakes to pay for medicine and wake up before dawn to ride multiple buses to get to work on time and to act in plays.

Three years after she died, I cannot piece together a timeline of when she had coverage, when she did not, and the varying quality of that coverage. There were times when she had excellent doctors and excellent insurance, and times when she had next to nothing thanks to a clerical error or benefits changes. 

I was pissed off at her genes, not at her insurance companies, our politicians, or the system that had continually made clear it'd rather not help keep her alive

What I do know, though, is that she was constantly engaged in some bureaucratic battle about whether she was allowed to buy medicine, go to the doctor, or refill a prescription. About whether she should be allowed to live. A pre-Obamacare study found that lack of health insurance killed roughly 45,000 Americans annually.

Somehow, through all of this, most people didn't know that Katelin was sick, that she had been sick since the day she was born, and that she was slowly getting weaker because skipped treatments were beginning to take a toll on her lungs.

I was too young, maybe, to realize that the contests, the paperwork, the compromises were unjust. I was pissed off at her genes, not at her insurance companies, our politicians, or the system that had continually made clear it'd rather not help keep her alive. No more. Katelin lost the genetic lottery, but she is dead because of a health system and country that refuses to take care of our most vulnerable.

It's too early to say whether Katelin would have been able to buy health insurance under the GOP's plan and what quality of coverage she would have gotten. Though the plan promises to protect those with pre-existing conditions, experts say the lack of an individual mandate means that there's no mechanism for healthy people to subsidize the care of the sick. And it has been made abundantly clear that the Republican plan will protect fewer people than Obamacare..  

As I watch America again debate if we should take care of our sick, the stories of those whose lives have been saved by Obamacare serve as a powerful counterbalance to politicians who would cut taxes for the rich by any means necessary. Remember, though, the people who are no longer here to speak for themselves.



Read the whole story
acdha
13 days ago
reply
“I was pissed off at her genes, not at her insurance companies, our politicians, or the system that had continually made clear it'd rather not help keep her alive”
Washington, DC
zwol
12 days ago
reply
Mountain View, CA
Share this story
Delete
Next Page of Stories