[Infowarrior] - More on - A US CERT reminder: The net is an insecure place

Richard Forno rforno at infowarrior.org
Sun Sep 9 19:27:25 UTC 2007


From: security curmudgeon <jericho at attrition.org>
Date: Sun, 9 Sep 2007 00:36:01 +0000 (UTC)


: A US CERT reminder: The net is an insecure place
: 
http://www.theregister.co.uk/2007/09/08/security_group_warns_of_web_vulnerab
ity/

: If you use Gmail, eBay, MySpace, or any one of dozens of other web-based
: services, the United States Computer Emergency Readiness Team wants you
: to know you're vulnerable to a simple attack that could give an attacker
: complete control over your account.

Didn't CERT warn us about 'sniffing' fifteen years ago?

http://www.cert.org/advisories/CA-1994-01.html

  Given today's networked environments, CERT recommends that sites
  concerned about the security and integrity of their systems and networks
  consider moving away from standard, reusable passwords. CERT has seen
  many incidents involving Trojan network programs (e.g., telnet and
  rlogin) and network packet sniffing programs. These programs capture
  clear-text hostname, account name, password triplets. Intruders can use
  the captured information for subsequent access to those hosts and
  accounts. This is possible because 1) the password is used over and over
  (hence the term "reusable"), and 2) the password passes across the
  network in clear text.


: Five weeks after we reported this sad reality, US CERT on Friday warned

Wow, you warned us five weeks ago, which was only fifteen years after CERT
warned us originally? And even longer after other security professionals were
saying it was a problem?

: US CERT warned that Google, eBay, MySpace, Yahoo, and Microsoft were
: vulnerable, but that list is nowhere near exhaustive. Just about any
: banking website, online social network or other electronic forum that
: transmits certain types of security cookies is also susceptible.

This is alarmist FUD at best. Yes, every site should be using secure
practices surrounding authentication. Yes, most sites aren't willing to
deal with the overhead and hassle when the information being protected is
your blog (MySpace) or information not deemed quite as sensitive.

Looking at eBay since it is the first on the list that involves money
transactions:

- http://www.ebay.com/
- Clicking 'Sign In' takes you to an HTTPS page.
- You can check a box saying "Keep me signed in on this computer for one
  day, unless I sign out" which is bad, giving users a chance to quickly
  choose session persistence over security.
- Click the 'Sign in Securely' button without checking the above.

The cookie that is set is done over SSL.

: The vulnerability stems from websites' use of authentication cookies,
: which work much the way an ink-based hand stamp does at your favorite
: night club. Like the stamp, the cookie acts as assurance to sensitive
: web servers that the user has already been vetted by security and is
: authorized to tread beyond the velvet rope.

: The thing is just about every website transmits these digital hand
: stamps in the clear, which leaves them wide open to snoops monitoring

MySpace is done in the clear. Google (gmail) is done over SSL. So two out
of three from the above list are using encrypted communications to set
cookies. Gmail sets the cookie secure, eBay sets some as HttpOnly (but not
secure) etc.

: A Microsoft spokesman said the company is "investigating new public
: claims of a possible vulnerability involving sending authentication
: tokens over unencrypted channels." New? Evidently, Microsoft security
: people attending Black Hat sat out the Errata Security presentation.

Evidently, Microsoft spokespeople are not hip to security 101.

: But you'd think the collective brainpower and considerable purse strings
: at the world's most elite tech companies would by now have found a way to
: tackle a problem that leaves attackers free to rifle through their
: users' most intimate details. It begs the question: is this problem
: unsolvable or are these guys simply uninterested in figuring it out?

The solution is there. Either use SSL and fork over the money for more
hardware, or use SSL for sensitive information only.

: As the only web-based email service we know of that offers a
: start-to-finish SSL session, the service is among the most resilient to
: cookie hijacking. Unfortunately, Gmail doesn't enable persistent SSL by
: default, and has done little to educate its users about its benefits.

The Gmail I just logged into (gmail.com -> mail.google.com) sets cookies
after the login POST request via SSL, the subsequent GET request via SSL
and then at least four more request/responses that set cookies *not* over
SSL. That is not a "start-to-finish" SSL session but the authentication
cookies are set securely. As noted, it is not enabled by default and the
'Settings' don't have any obvious way to change this behavior.
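A small defender-side check for the point made above about cookies set over SSL versus in the clear and about the Secure and HttpOnly flags, written here as an added example (not code from the thread or from any of the sites named): it parses Set-Cookie header values from constructed sample responses and flags each cookie that was set over plain HTTP or lacks Secure, since the browser will replay such a cookie on every later http:// request where a sniffer can read it. The domains, cookie names and values are hypothetical.

```python
"""Flag authentication cookies that will travel in the clear: a cookie set
without the Secure attribute (or set over plain HTTP in the first place) is
replayed by the browser on every later http:// request, which is exactly
what a passive sniffer on the network path needs."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import List, Tuple


@dataclass
class Finding:
    name: str            # cookie name
    scheme: str          # scheme of the response that set it ("http"/"https")
    secure: bool
    httponly: bool
    issues: List[str] = field(default_factory=list)


def audit_set_cookie(scheme: str, header_value: str) -> List[Finding]:
    """Parse one Set-Cookie header value received over `scheme` and report,
    per cookie it defines, the attribute problems discussed in the thread."""
    jar = SimpleCookie()
    jar.load(header_value)            # handles "name=value; Secure; HttpOnly"
    findings = []
    for name, morsel in jar.items():
        f = Finding(name, scheme, bool(morsel["secure"]), bool(morsel["httponly"]))
        if scheme != "https":
            f.issues.append("set over cleartext HTTP: value already exposed on the wire")
        if not f.secure:
            f.issues.append("missing Secure: browser will also send it over http://")
        if not f.httponly:
            f.issues.append("missing HttpOnly: readable by script in the page")
        findings.append(f)
    return findings


# Constructed sample responses modelled on the three cases described above
# (hypothetical domains and values, not captured from any real site).
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("https", "auth_sid=c0nstructed1; Domain=.mail.example.test; Path=/; Secure; HttpOnly"),
    ("https", "session_ro=c0nstructed2; Domain=.auction.example.test; Path=/; HttpOnly"),
    ("http", "visitor=c0nstructed3; Domain=.social.example.test; Path=/"),
]


def audit_all(responses=SAMPLE_RESPONSES) -> List[Finding]:
    return [f for scheme, hdr in responses for f in audit_set_cookie(scheme, hdr)]


if __name__ == "__main__":
    for f in audit_all():
        verdict = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.name:<11} via {f.scheme:<5} Secure={f.secure!s:<5} HttpOnly={f.httponly!s:<5} {verdict}")
```

To check a live site, feed it the scheme of each response and the raw Set-Cookie values from your own HTTP client or proxy log instead of SAMPLE_RESPONSES.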
