Information Security Blog

tumblrbot said: WHAT MAKES YOU FEEL BETTER WHEN YOU ARE IN A BAD MOOD?

XSS

CloudFlare attack- it could have been worse

If you haven’t read it already, do yourself a favor and read this blog post:

The Four Critical Security Flaws that Resulted in Last Friday’s Hack – CloudFlare blog.

It describes how Cloudfare was attacked (in a limited way- only email system was compromised) by exploiting weakness of security systems/protocols at AT&T (unauthorized voice-mail change), Google (flaw in two-factor authentication)  and CloudFare (Bcc-ing security sensitive emails to admins).

Kudos to CloudFare team in resolving the issues in timely manner and being open and honest.

As I mentioned in the title of this post, the situation could have been much worse. When you register a domain from Google Apps sign-up page, Google creates a password which is required to login to DNS registrar. This password is very much visible on Google Apps domain settings page. This means that if an attacker has compromised Google Apps account, s/he can login to DNS console and redirect ALL of the traffic to malicious web server which can steal credentials and do other nasty things.

Unfortunately, Google Apps doesn’t provide any option to “unlink” the DNS registrar. I am going to send email to Google security team and ask for their response.

Note that above scenario is valid only when domains are registered from Google Apps sign-up page only and not when domains are registered independently.

DPAPI Entropy Tip and Importance of Obfuscation

Have you ever wondered why CryptProtectData function asks for “Optional Entropy”?

Entropy in crypto world is defined as “randomness”. Though is quite difficult for a computer to generate true random value, in this context of DPAPI one can choose a random string oneself and use it in the CryptProtectData function. 
Though the official definition of CryptProtectData funtion says its optional value and one can provide NULL to the function, it has its own security value. 
Consider this:
You application encrypts the data using “user store” and you do NOT provide entropy to CryptProtectData function. 
What if some other application (malware?) running under same credential decrypts the data? What is stopping a malware to do it? 
It’s actually the entropy. Always use a strong, hard to guess entropy to prevent other applications sneaking at your data.

Now the fun begins.

What is stopping a malware to use reflection to get the entropy value? 
The answer is obfuscation. It makes it hard for other applications to look at entropy value and thereby protecting the data encrypted using DPAPI.

Moral of the story:

  1. Always provide entropy to CryptProtectData when using user store to encrypt the data. Do not supply NULL
  2. Use obfuscation

Forgot password security design

To err is human. To forget is even more human

Let’s delve into some of the design considerations. Your comments are greatly appreciated.

1. Pre-Canned Questions or User Defined Questions ? Check out Rocky’s blog here for more.

2. Never send password by email. Internet is ugly..lots of sniffers running, email servers getting hacked etc.

3. If you have verified the identity of user, instead of generating temporary password and forcing user to change it at first logon, it is much simpler to ask user to create a new password. 

4. Use HTTP POST instead of HTTP GET. Consider this: if the URL of forgot password page which shows password when user successfully answers questions looks like-

www. Domain.com/forgotpassword.aspx?challenge=X&response=Y

Now imagine if there is some ad displayed on same page and user clicks on it what goes in referrer header of http? It’s the URL of originating page and in our case its having challenge and response in URL? You don’t want other domains to know your user’s passwords, right?

5. Verify it’s a human who is requesting password on his/her alternate email address. Use Human Interaction Proofs (HIPs) like CAPTCHA for same.

6. Though I won’t recommend sending links to alternate email address to reset password, if absolutely necessary, force the link to expire in few minutes, say 15 minutes. Also, reset password link should be nonce- one time use only.