Friday, March 26, 2010

Side Channel Attacks against SaaS

The Register highlights a paper from Microsoft Research and Indiana University on information leakage from popular SaaS applications. Interestingly, the attacks work even when only HTTPS is used and are most effective when the application is relatively sophisticated and uses modern development techniques.

The attack is based on observing the size of packets between a user and an application and then deducing the content. Although this initially sounds rather far-fetched, AJAX technology means data transfers have “low entropy”, making it far easier to guess the content than for a more basic application. “AJAX (shorthand for asynchronous JavaScript and XML) is a group of interrelated web development techniques used on the client-side to create interactive web applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behaviour of the existing page.” * To put this in layman’s terms, AJAX allows the user and application to transfer data efficiently without the overhead of display and formatting information. It is consequently much easier to determine the packet content from its length, as there is less “noise” in the transmission.

The paper gives an example of determining a victim’s gross income by observing packets from an online tax preparation site.
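To make the size-leakage point above concrete, here is an added Python model (my own illustration, not code from the paper or from any tax site) of a constructed AJAX lookup where the client fetches a small rate table for the selected income bracket. It measures how much an observer who sees only response lengths could learn, and shows that padding every response to a fixed block size removes the leak without breaking the client. The bracket names, tables and 128-byte block are assumptions.

```python
import json
import math
from collections import defaultdict

# Constructed sample data: the compact payload an AJAX endpoint returns for
# each income bracket a user might pick from a drop-down list.
BRACKET_TABLES = {
    "under_10k":   {"rate": 0.10, "note": "no estimated payments required"},
    "10k_to_40k":  {"rate": 0.15, "note": "standard deduction applies"},
    "40k_to_90k":  {"rate": 0.25, "note": "check AMT worksheet"},
    "90k_to_190k": {"rate": 0.28, "note": "AMT likely; phase-outs begin"},
    "over_190k":   {"rate": 0.33, "note": "itemised deduction limits apply"},
}

def ajax_response(bracket: str) -> bytes:
    """Compact JSON with no markup: exactly the low-entropy transfer AJAX gives."""
    return json.dumps(BRACKET_TABLES[bracket], separators=(",", ":")).encode()

def pad_response(body: bytes, block: int = 128) -> bytes:
    """Mitigation: pad to a multiple of `block` bytes with trailing spaces.
    JSON parsers ignore trailing whitespace, so the client needs no change."""
    remainder = len(body) % block
    return body + b" " * ((block - remainder) % block)

def client_parse(body: bytes) -> dict:
    """What the browser-side code does with either the raw or padded body."""
    return json.loads(body)

def size_profile(responder) -> dict:
    """Group selections by response length. An eavesdropper on HTTPS sees only
    ciphertext lengths; plaintext length stands in for that here (a stream or
    AEAD cipher preserves it almost exactly)."""
    profile = defaultdict(set)
    for bracket in BRACKET_TABLES:
        profile[len(responder(bracket))].add(bracket)
    return dict(profile)

def leaked_bits(profile: dict) -> float:
    """Average information (in bits) one observed length reveals about which
    of the equally likely brackets was chosen: log2(5) if every length is
    unique, 0 if every selection produces the same length."""
    n = len(BRACKET_TABLES)
    return sum(len(s) / n * math.log2(n / len(s)) for s in profile.values())

if __name__ == "__main__":
    padded = lambda b: pad_response(ajax_response(b))
    print("raw:    %.2f bits leaked" % leaked_bits(size_profile(ajax_response)))
    print("padded: %.2f bits leaked" % leaked_bits(size_profile(padded)))
```

Padding to a fixed block costs bandwidth but is the simplest server-side defence against this class of leak; the profile it collapses is the same one an attacker would have to build during the profiling phase described below.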

What risk does this pose to everyday users of SaaS type applications? In the main, the risk is probably very low as an attacker first needs to invest considerable time in profiling an application. They then need to be able to capture the traffic of the target at the right time. Information leakage, although highly dependent on the application, is unlikely to include specific data such as passwords or other fields that are not selected from a list. In the real world, an attack would need to be targeted against a specific user or group to have a chance of being effective.

In the list of things you need to worry about for internet security, this kind of attack is fairly low on the list. Of course this may change as exploit techniques develop and so is well worth keeping an eye on.

*Wikipedia

Wednesday, March 24, 2010

Who Can Read My Email?

I recently had a client who suspected that their email was being read by someone else in their company. They wanted to know if this was technically possible given their setup, which was the fairly standard Microsoft Exchange server with Outlook as the client. When including members of the IT team as possible suspects I could think of at least 7 possible attack vectors for reading someone else’s email. Starting with the most basic, these were:

Password Compromise: Failing to keep a password secret, or choosing one that is easy to guess, allows anyone to log on to the associated email account.

Shoulder Surfing: Reading someone’s email over their shoulder or, more likely, when the PC is left unattended without a password-protected screen saver activated, for example during a coffee or cigarette break.

Inappropriate Permissions: Although more commonly used for Calendar access, it is possible to share your mailbox with other users in the organisation. An inappropriate general rule could allow unexpected access to the inbox. A malicious user could set up such a rule with a few minutes’ access to an unattended PC.

Administrator Permissions: A mail administrator can modify permissions at the server level to allow other accounts to access a mailbox.

Message Forwarding: A mail administrator can forward a copy of all incoming messages to another mailbox, completely transparent to the mailbox owner.

Anti-Malware Program Abuse: Such software can often be configured to filter messages based on keywords and forward a copy of filtered emails to another mailbox. The filter can be constructed in a particular way to ensure messages from a particular user are always trapped.

Network Sniffing: By default the RPC protocol, most often used to communicate between the client and server, is not encrypted allowing the email to be intercepted and read. The same is true for the SMTP protocol which is normally used for communication between servers in an organisation or for messages destined for outside of the company.

I intend to blog in the future about how best to protect against such attacks but thought it worthwhile listing the basics here. Protecting the PC where the email client runs with a secure password, and making sure it is not left unlocked when unattended, is the obvious first step. It’s worth remembering that you also need the colleagues who receive your messages to do the same. Reviewing the permissions on your inbox is also important. If the culprit is a mail administrator, it’s much harder to defend against or even identify. S/MIME is one technology that could help, although it is not appropriate in all cases. At the organisation level it is vital that IT policies make clear what is and is not permitted with regard to email. Even if you can prove someone has been reading email not destined for them, if there is no policy in place stating that such activity is forbidden, it’s unlikely you could undertake any disciplinary action.

Thursday, March 18, 2010

Attacking the Virtual Machines

There was an interesting advisory posted by Core Security Technologies this week about a vulnerability in Microsoft Virtual PC. In fact no vulnerability had been discovered; instead, weaknesses in Virtual PC had been identified which made exploitation of new vulnerabilities more likely. The problem was that the virtual machine memory management allowed the OS security mechanisms Data Execution Prevention (DEP), Safe Structured Exception Handling (SafeSEH) and Address Space Layout Randomization (ASLR) to be bypassed. These mechanisms mitigate the effects of buffer overflows and other attacks. So, although the issue presents no current risk to a system, it is more likely that future vulnerabilities will be exploitable in a Virtual PC environment when compared to stand-alone systems.

This got me thinking about the risks presented by virtualisation and in particular side channel attacks. My first attempt at investigation in this area was after a seminar at Infosec 2009 where someone suggested an attack could be made against the graphics subsystem of a virtual host. Side channel attacks against virtualisation seemed to be a very new area at the time and I didn’t make much progress. I’ve subsequently come across a recent paper from the University of California, San Diego, which looked at attacking cloud architecture including Amazon’s EC2 and Microsoft Azure.

To summarize, the paper explains how it is possible to identify the physical host of a target VM in a cloud infrastructure and then activate a virtual machine on the same system. It then goes on to discuss possible side channel attacks using vectors such as the shared processor data cache. Perhaps the result that came closest to presenting a risk was the possibility of identifying key strokes on the target VM. Several denial of service attacks were also proposed.

Assuming the paper is representative of current knowledge on side channel attacks against virtual machines, there is nothing really to worry about at the moment. The amount of effort required by a criminal hacker to gain useful information by this method is disproportionate to the expected return. It is an area of interest more or less exclusively to researchers. However this is likely to change and possibly quite quickly as more and more information is located in the cloud.

Tuesday, March 16, 2010

300 Billion Passwords in One Second

The Register reports more advances in brute force password cracking. Swiss security firm Objectif Sécurité used Solid State Drives (SSD) to store rainbow tables and consequently speed up each brute force attack. The read speed from an SSD is typically quicker than that from a traditional drive, which is why there is an overall performance increase.

Objectif Sécurité claims a throughput of 300 billion passwords per second when attacking a Windows XP MD4 password hash.

My own testing using Objectif Sécurité’s online proof of concept easily cracked the passwords from my test XP machine including the complex x%fF*Z3$. It couldn’t crack my 29 character pass phrase from Size Does Matter, but this is because Windows XP stores passwords longer than 14 characters in a different way.

Of course the default LMHash, used with MD4 to store Windows XP passwords, is weak and has largely been replaced in modern operating systems. However, the speed improvement can be applied to accelerate brute force attacks on other algorithms.

What does this mean in real terms? It was already true that if someone could get physical access to your XP PC, they could extract your data. Now it is trivial to steal your passwords as well, which of course opens up all sorts of identity theft related crime possibilities. This makes disk encryption, and not reusing passwords, more important than ever.

For info, I “harvested” the passwords on my XP machine by booting from my favourite Linux Live CD, Backtrack. I then used Bkhive to extract the key used to encrypt the SAM file where the LMHashes are stored. Finally I used Samdump2 to extract the hashes themselves.

Thursday, March 11, 2010

Protecting Your PC with Free Software

A couple of announcements this week have brought home just how important it is to proactively defend your PC against the multitude of dangers that exist on the modern internet. The first was F-Secure announcing that the most targeted application of 2009 was, shock horror, not a Microsoft application. Less surprising was the fact that the gold medal winner was Adobe Acrobat. The second, as reported in The Register, was that Secunia have estimated that on average it is necessary to patch your PC once every 5 days to remain secure.

Until recently, if you had a good anti-malware package, a personal firewall (even the inbuilt Windows one) and had activated automatic Microsoft updates, there was a good chance that your PC was well protected. Unfortunately, as has become apparent, the bad guys now target far more than Microsoft products and there is just too much new malware to feel confident that anti-malware software can catch all new attacks. It seems that making sure all of your applications are patched as part of your defence strategy is more important than ever.

At this point, I am sure Linux users are feeling vastly superior as patching all applications is a fundamental part of many Linux distributions and has been for some time. Unfortunately, their numbers are not sufficient to make this article obsolete.

To address the above issues, I’ve recently evaluated Secunia’s free Personal Software Inspector (PSI). It is supposed to scan your PC, find all the applications installed on it and then notify you if any of them need patching. I was pleasantly surprised to find that it did just that and detected many applications that I thought would be too obscure for it to know about. The interface is easy to use, providing links to patches, explanations of vulnerabilities and also to a forum so that you can discuss any problems you might have. It also shows end-of-life products which are no longer supported. One result of a scan was for me to clean up my PC, removing all those old applications I no longer used, especially if they were considered dangerous, which has also helped performance.

There were a few quirks to PSI that caused a bit of confusion. Google Chrome was flagged as needing to be updated, despite the correct version being installed. It turns out that Chrome leaves the last version of its code on your disk when it carries out an upgrade, presumably for rollback purposes, and this was detected as a risk. Whether the old code was accessible and exploitable by hackers was not clear. PSI also has a simple and an advanced mode. Simple only displayed vulnerabilities that were easy to fix, whereas advanced included everything. This seemed a bit strange as a vulnerability poses the same risk whether or not it is easy to fix. Having spent half a day fixing all the issues flagged as advanced, I finally decided that Simple mode was probably a good thing. If you can get non-technical users to fix the majority of the problems on their PC, it’s probably better than scaring them off by trying to get them to address complicated issues for which exploitation is unlikely.

I’m definitely adding PSI as part of my PC defence strategy.

Tuesday, March 9, 2010

Why Does Internet Explorer 6 Refuse to Die?

Everybody hates it, including its creator, but Internet Explorer 6.x refuses to die. According to StatCounter, it still manages to take nearly 14% of worldwide market share despite not being supported by Microsoft. I thought it would be good to look at the reasons why it’s still around and what could be done to speed up its demise.

Firstly, why is it so much of a problem? A major irritation is its failure to correctly support cascading style sheets version 2 (CSS 2), which means developers often need to write custom code to detect browser versions and then use conditional comments to ensure compatibility. The major problem, however, is the number of security vulnerabilities that it contains, which present a real risk to the data of anyone who uses it.

The reasons most often quoted for IE 6’s continued use include old operating systems, unlicensed copies of Windows XP and compatibility with legacy applications. Looking at these in turn:

Old Operating Systems: Internet Explorer 7 requires at least Windows XP SP2 in order to run. Hence anyone still using Windows 98, ME or 2000 would not be able to run more recent versions of Internet Explorer. However, a quick look at StatCounter shows that such operating systems don’t even register sufficiently to justify being listed individually. They are grouped together under the category “Other” and combined don’t even amount to 1% of total usage.

Unlicensed Copies of Windows XP: Although it is not clear how many copies of unlicensed Windows XP are in use, it is thought to be significant. Internet Explorer 7 and 8 are distributed via Windows Update, which does not work with counterfeit copies of XP, and so the user is stuck with Internet Explorer 6. Although there is nothing stopping such users from installing up-to-date versions of Firefox, Chrome or Opera, many probably don’t due to a lack of knowledge. Indeed they may even be unaware their copy of Windows is illegal if their PC has been bought on the cheap. StatCounter reports that around 65% of the world’s PCs currently use XP, so if 10% of this figure represents counterfeit copies, a large number of units are illegal. From a security perspective, it would be better if Microsoft “bit the bullet” and released security updates to the illegal systems, as they are the source of most of the spam in the world and also make up the botnets that can be used for denial of service attacks.

Compatibility with Legacy Applications: It’s very easy to sneer about lack of foresight when you hear of companies running bespoke applications that are only compatible with IE 6. However, when many of these applications were developed IE 6 had as much as a 98% market share and was the best option available. It is also likely that some of the applications in question are ERP systems. If you want to upgrade one of those it can involve a battalion of consultants in smart suits with expense accounts, and so is not easy to justify from a cost point of view. A simpler solution would be to use IE 6 just for the bespoke applications and to install a second browser for other internet access. Although installing multiple versions of Internet Explorer is theoretically possible, it is not supported by Microsoft. Other browsers have traditionally not been popular in large enterprises due to a lack of the central control which is provided for IE by the Internet Explorer Administration Kit (IEAK). This is actually a misconception, as Firefox, at least, has many such features. Another solution is to run IE 6 in an isolated environment using virtualisation, which I have previously blogged about here.