Secure Application Development links

Oct 14, 2008 in Security

Hi,

I have been putting some secure application development documents together recently and have found some good general tutorials and guidelines which I thought I would post here.

Best Practices

Other Resources

No Comments »

Internet Banking Security Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

I was asked some time ago what sort of things may be considered when looking at .

Below is a list of things which could be considered. It was just a brain dump and as such may not be complete.

Don’t underestimate the value of standard for your infrastructure, website configuration,  database engine configuration/, and /QA environments.

Some thoughts:

  • Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system .

- And all the other things expected for a session (forced changes, aging, etc))
- Tools such as may be use to brute force authenticated sessions.

  • Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.

- These may be side, client side, cookie based, etc.
- Get someone to check the methodologies and the code being used.
- Database query strings can be placed into test entry fields, allowing table dumps to browser.
- Check all pages served are secure and contain user flags.

  • Customer may not be segregated, this needs to be checked.
  • Customer should not reside on the .
  • databases / system should not reside on the webserver.
  • The databases should reside on a private/semi-private .

- A different segment to the main system.

  • Webserver should be dual homed or equivalent (some VLAN techniques are good)

- Separate private and public cards, monitoring/backup/administration
- Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the .

  • At all segregation points ensure rules are in place which appreciates the traffic though that point.
  • All customer where possible should be sourced from a secure back-end database.

- This may be a . i.e. no the main system.
- This usually allows for transactions to appear real time to the customer.
- Many transactions may be batched in reality. (internal or external to the )

  • Ensure suitable rules have been set-up on firewalls.

- There should be inbound and outbound rules on firewalls and filtering routers.

  • Don’t allow any infrastructure on the front end to allow remote administrative connections. (, etc.)

- Use the serial console port to connect to a or back-end terminal .

  • Services not used by the system are active

- These should be disabled.

  • Port scan of the supporting infrastructure (routers /switches) and (s).

- Investigate the reasons for all open ports.

  • Don’t use the main gateway for trusted partner (clearing / RAS / etc.)
  • Do all that standard IIS checks and NT checks (Sample scripts, change management, methodologies, etc.)
  • Ensure denial of service precaution have been taken into account for all infrastructure and equipment.
  • Check the adequacy of the escalation procedures used.

- Look for real-time monitoring and alerting.
- Look for responsibility matrix.
- Look for ownership of issues.

  • Consider upstream carrier(s) (denial of service, IP spoofing, hacking, etc)
  • Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.

- Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).

  • Use dynamic passwords where possible (SecureID, TACACS, etc.).
  • Use encrypted tunnelling where needed (, Firewall 1, etc)
  • Consider looking at other customer methods to enhance existing methods.

- cert, IP address locked to account, etc.
- Consider use of or CVN for issued cards.

  • Consider how passwords are distributed /changed for customers.

- Plain email, telephone, etc.
- Can passwords be changed ?

  • Is additional used between sections of the services once authenticated?
  • Consider what the customer has to once authenticated.

- Look at , RTGS, inter- transfers, to cards, etc.
- If an attacker does get in, what can the do?

  • Use techniques to ensure pages, customer details are not cached at , or client system.

- These are flags that can be set within pages.
- Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
- Caching of SSL pages on the client system can be turned on on some browsers.
- May banks use a (or similar) applet for all customer interaction, restricting all caching issues.

  • Ensure paper based and on-line liability clauses are available are address all effected areas.
  • Ensure within the customer sign-up process liability is reduced.

- I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
- Not very customer focused, but that’s what their legal department recommended.

All of the above can effect the and/or operation of an on-line system.

Other things to consider:

  • External and of the application.
  • Ownership and management of the /applications
  • Publishing points for new content (internal/private/trusted or )
  • Topology of front end.  i.e. document should be in place and managed appropriately.
  • Are limited AP tests performed whenever changes are made to the ? i.e. integrated AP into Change management process.
  • Database . Is it buffered or is it live to the core systems.
  • What facilities are provided? Direct + + + ……. Consider different scenarios for your depending on the feature.
  • What other services are shared within the segment that the service is running. Can this be used to compromise the site. eg. different /business/ organisations with differing strategies/profiles.
  • Consider all external supporting services within you AP. Look at internal/external poisoning opportunities, mail , etc. What IPS’s do they use has the any opportunity to systems or supporting services which may affect .
  • Depending on the size of the , many organisation do not use the same groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external organisation to administer the infrastructure.
  • Look at the business and user methods and paths (client side certs, secure ID, SMART , etc). Consider two factor and modern user methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
  • See if the application sends email to users which may contain interesting information.
  • Better to the application can generally be gained after to the system. i.e. get an legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
  • Consider social engineering the Help desk to have an account reset.

No Comments »

Financial Transaction Processing

Jul 02, 2008 in Banking and EFTPoS

I have been recently working inside one of the larger Banks in .
Through this work I have been looking at the controls and surrounding the of and cards around the Asia Pacific.

I get perform many and systems assessments.
Over the years I have always considered the of the as one of the key considerations.

Until yesterday I had never seen an or . I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Module ()  and for (simulation) tools. So I wonder if and are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a that will Encrypted Blocks that have been produced via the triple- method.  I used this for testing the output of some Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a that will compute and verify Values that have been produced using the .  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn ), creating and encrypting blocks, decrypting and extracting PINs from encrypted blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a that will compute Values that have been produced using the .  MasterCard CVC uses the , so it will work for that as well.  It will compute , CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  is simply comparing the computed value with what you have received, so there is no explicit function.

Atalla AKB Calculator (<- the actual file to download)

This is a that will both generate and Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla (or simulator).  This software (simulation) of the well-known Atalla Module () that is used by banks and processors for cryptographic operations, such as verifying/translating blocks, authorising transactions by verifying
/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing functions, and are using more modern schemes such as and , and need to do generation, , and translation.

This runs as a listening socket and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native ), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating values and encrypting/decrypting plaintext values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) /test device.

 

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc

2 Comments »

Lethal Toxins Entering Your Body

May 04, 2008 in Environment & People

I recently read an article in a magazine and was shocked to see some of the toxic dangers which modern living introduce. Men’s Health April 2008, by Susan Casey, pg 87.

I thought I would expand on this article here as a method of analysing some of the things and I need to be careful of. I hope this also assists others in understanding some of these dangers.

“Except for the small amount that’s been incinerated every bit of plastic ever manufactured still exists”

Toxic

Articles

Polycarbonate

Bottles (marked with a #7 in a triangle)

Cling wrap and plastic takeaway containers (marked with a #7)

Polystyrene cups and takeaway containers (marked with a #6)

Fast-food containers (with waxy lining) and non-stick (Teflon) pans.

Polyvinyl chloride (), used in vinyl flooring, shower curtains and car interiors.

Dangerous

Ingredients

Bisphenol A (BPA), a synthetic oestrogen, which can leach into the bottle’s contents when heated.span>

Phthalates, a probable human carcinogen and endocrine disruptor, can seep into food (especially fatty foods, such as delis meats and cheeses).

Styrene, a possible human carcinogen, can leah into the contents of the cup.

Perfluoro-octanoic acid (PFOA), a grease-repelling flourotelomer chemical and likely human carcinogen, can transfer from the waxy-plastic coating onto the food inside, especially at high temperatures.

Vinyl chloride is a known human carcinogen that gives off gas into the surrounding air, so it’s inhaled instead of ingested.span>

Linked to

Prostate cancer, reduced sperm count and reproductive-organ abnormalities, according to US studies at the universities of Missouri, Chicago and Cincinnati.

Reproductive problems like undescended testes and low sperm count, reveal researchers at New York’s University of Rochester and the Centres for Disease Control and Prevention in the US.span>

Cancer, warn scientists at the US Environmental Agency’s (EPA) Office of Research and and the World Health Organisation’s International Agency for Research on Cancer.

Cancer, lung and kidney damage, according to studies at the EPA and Environmental Working Group in the US.

Cancer and liver damage, predicts both the EA and the Centre for Health and Environmental Justice in the US.

How to reduce your exposure

Pots, pans and bottles made from stainless steel are a non-toxic alternative. If you’re using polycarbonate, keep it out of the dishwasher and replace it every 60 days or if it’s scratched. Plastic releases over tie when damaged or exposed to high heat.

Keep it out of microwave and dishwasher. Don’t store fatty or acidic foods in these containers, rather use waxed paper and buy meat wrapped in paper from the butcher. If you use plastic-wrapped cuts, trim the edges off where the product touched the wrapping.an>

Never drink hot liquids out of polystyrene ups. Use paper ones (those without a wax lining) whenever possible or a ceramic coffee mug. If your takeaway comes in polystyrene, transfer it to ceramic dish or glass as soon as possible.

The best alternatives to drive-through and delivery are sit-down restaurants and home cooking. At home, never use Teflon-coated pans. If you own any, replace with non-toxic cookware made from copper, cast iron or stainless steel.

Use natural materials for home flooring. Buy a shower curtain made from hemp – which lasts longer and is naturally mildew-resistant. New vinyl gives off aerial at highly concentrated levels, so open windows to air spaces where this is present.span>

No Comments »

ISO 14443 contactless card

Mar 24, 2008 in RFID

An international standard for or contactless smart communication

contactless

is an international standard which describes how and terminals should work to ensure industry-wide compatibility, for example in , , , mass-transit and control applications.

ISO are developed by the ISO, the International Organization for Standardization. committees comprising experts from the industrial, and business sectors develop the to increase levels of quality, reliability and interoperability on a global scale.

Gemplus has always had a strong involvement in ISO definition of the , and has been represented in the of this international standard. The is divided into 4 separate parts outlining physical characteristics, power and signal , initialization and anti-collision and protocol.

Gemplus has developed a wide range of contactless solutions based on the international standard. The speed and convenience of contactless has created a significant demand for this sort of solution in environments such as fast food restaurants, gas stations, , banks and many others.

No Comments »

Bluetooth - Security

Mar 24, 2008 in Bluetooth

Redirected from Bluetooth

Source

1
2 Wireless- History
3 Wireless- Technologies
4 - Introduction
5 - Advantages
6 - Applications
7 - Issues
7.1 The
7.2 The
7.3 The BLUEBUG
7.4
7.5 Warnibbling
8 Future of
9 See also:
10 Reference List

is a new that utilises waves as a way to communicate wirelessly between devices. It sets up that incorporate all of a persons devices into one system for both convergence and convenience.

Wireless- History

Many people put the invention of [wireless] down to Guglielmo Marconi, who in 1895 sent the first telegraph across the English Channel. Only twelve years later began being used in the public sphere. [Mathias, p.2] Up until then however, many wireless pioneers conducted trials across lakes where the used to transmit the signal was longer than the distance across the lake. [Brodsky, p. 3] After its introduction the main use of wireless was for military where its first use was for the Boer War. [Flichy, p. 103] The invention of ensured the feasibility of wireless technologies. [Morrow, p. 2] By the 1920s, had become a well-recognised mass medium. [Flichy, p. 111] From the 1980s until now, wireless have been through several stages, from 1G (analogue signal), 2G ( signal) and 3G (always on, faster rate). [Lightman and Rojas, p. 3] The history of is a much more recent one, with the first -enabled products coming into existence in 2000. Named after Harald Blatand the first, king of Denmark around twelve hundred years ago, who joined the Danish and Norwegian kingdoms, is founded on this same unifying principle of being able to unite the computer and telecommunication industr[ies]. [Ganguli, p. 5] In 1994 the Company began looking into the idea of replacing cables connecting accessories to mobile phones and computers with wireless links, and this became the main inspiration behind . [Morrow, p. 10]

Wireless- Technologies

is not the only wireless currently being developed and utilised. Other wireless technologies, including 802.11b, otherwise known as Wi-Fi, Infrared Association (IrDA), Ultra- Wideband (UWB), and Home RF are being applied to similar technologies that use with mixed results. 802.11 is the most well known , excluding , and uses the same , meaning that they are not compatible as they cause interference with each other. 802.11 is being implemented into universities in the US, Japan and China, as well as food and beverage shops where they are being used to identify students and customers. Even airports have taken up the 802.11 , with airports all over America, and three of Americas most prominent airlines promoting the use of it. [Lightman and Rojas, p. 202-3] Infrared Association is extremely inferior to that of . Its limitations include only being able to communicate point-to-point, needing a line of sight, and it has a speed of fifty- six kilobytes per second, whereas is one megabyte per second. [Ganguli, p. 17] The Ultra- Wideband is superior to that of in that it can transmit at greater lengths (up to 70 metres), with only half of the power that uses. [Ganguli, p.17] HomeRF is a that is not very well known. It is used for and voice communication and targeted for the residential market segment and does not serve enterprise- class WLANs, public systems or fixed wireless . [Ganguli, p.17-18]

- Introduction

is a short- range device that replaces cables with low power waves to connect devices, whether they are portable or fixed. The device also uses hopping to ensure a secure, quality link, and it uses ad hoc networks, meaning that it connects peer-to-peer. It can be operated worldwide and without a because it uses the unlicensed Industrial- Scientific Medical (ISM) band for that varies with a change in location. [Ganguli, p. 25-6] The user has the choice of point-to-point or point-to-multipoint links whereby communication can be held between two devices, or up to eight. [Ganguli, p. 96] When devices are communicating with each other they are known as piconets, and each device is designated as a master unit or slave unit, usually depending on who initiates the connection. However, both devices have the potential to be either a master or a slave. [Swaminatha and Elden, p. 49]

- Advantages

There are many advantages to using wireless technologies including the use of a , the inexpensive cost of the device, replacing tedious cable connections, the low power use and implemented measures. The use of an unlicensed ensures that users do not need to gain a license in order to use it. Unlike Infrared which needs to have a line of sight in order to work, waves are omnidirectional and do not need a clear path. The device itself is relatively cheap and easy to use, one can be bought for around ten American dollars, and this price is currently decreasing. Compare this to the expensive cost of implementing hundreds of cables and wires into an office and there is no competition. Of course, this is the main reason for the take -up in -enabled devices; it does away with cables. Another of Bluetooths advantages is its low power use, ensuring that battery operated devices such as mobile phones and personal assistants wont have their battery life drained with the use of it. This low power consumption also guarantees minimal interruption from other operated and wireless devices that operate at a higher power. has several enabled measures that ensures a level of and , including hopping, whereby the device changes sixteen hundred times per second. Also within the tools are and that guarantee little interference by unauthorised hackers. [Ganguli, p. 330] One of the best advantages of devices, especially the hands free device that connects to a mobile , is that it removes from the brain region. [Tsang, p.1]

- Applications

The applications that are in or current use for the include such areas as automotive, medical, industrial equipment, output equipment, -still cameras, computers, and systems. [Lightman and Rojas, p. 201] is an ad hoc user, and therefore it may be used for social networking, i.e. people can meet and share files or link their devices together to play games or other such activities. [Smyth, p. 70] Using , a mobile can become a three- way , where at home it connects to a landline for cheaper calls, on the move it acts as a mobile and when it comes in contact with another -enabled it acts as a walkie- talkie. This walkie- talkie option allows for free interaction and communication, as is not connected to any telecommunications . [Gupta, p.1] also allows automatic synchronization of your desktop, mobile computer, notebook and your mobile for the user to have all of their managed as one. [Gupta, p.1]

- Issues

has several which range in level of risk and how widespread the action is. These have the ability to provide criminals with sensitive information on both corporate and personal levels. The only way to avoid such is for manufacturers, distributors, and consumers to be provided with more information on how they are committed, current activity and how to combat them. This information can be used on a level for manufacturers, it can be used by distributors at retail levels to teach consumers the risks and it can be used directly by consumers to be aware of the . The outcome of such research will allow end users of products to have an upper hand in this wireless warfare. is in early stages with regards to both the attackers, their techniques and consumers understanding of these attacks. Some research has been conducted into what the attackers are doing and how they do it. Adam Laurie of A.L Ltd http://www.thebunker.net/release-bluestumbler.htm is leading the research race in and is often linked to academic resources. Laurie’s research has uncovered the following capabilities of attacks:

  • Confidential such as the entire book, calender and the ’s IMEI.
  • Complete memory contents of some mobile phones can be accessed by a previously trusted (”paired”) device that has since been removed from the trusted list.
  • can be gained to the AT command set of the device, giving full to the higher level commands and channels, such as , voice and messaging.

Attacks on devices at this stage are relatively new to consumers, and therefore are not widely seen as a real . Attacks such as the Bluejack are probably more recognised by consumers due to its perceived humorous and novelty nature as well as the ease to Bluejack someone. Users who allow their to be Bluejacked open the door to more attacks, such as the which have a low level of awareness amongst consumers as attackers can attach to the device with out the users knowledge. Corporations are starting to understand the risks devices pose, Michael Ciarochi (in Brewin 2004) stated that ‘ radios were included in laptop PCs that were being configured by an IT Engineer. It raises the possibility of opening a wireless back door into stored on the PCs. Such a weakness would be extremely attractive to hackers. Although invites hackers to such attacks; Venders are playing down the risks, Brewin (2004) said that ‘ advocates last week dismissed growing fears about the short-range wireless , saying any flaws are limited to a few mobile- models. They also detailed steps that users can take to secure devices’. There are many methods of attacks, the , the , Bluebug, Bluejack and Warnibbling are the only recognised attacks at this early stage. Below are explanations of such attacks.

The

It is possible for attackers to connect to the device without alerting the user, once in the system sensitive can be retrieved, such as the book, business cards, images, messages and voice messages.