ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
With BlackHat and DefCon happening as I type, it’s hard to choose what’s going to make this list. I will probably save most of the big shiny new wrap-ups for next week, after I’ve had a chance to review some of what those two conventions produced. Until then, here are a few articles and a project that I found interesting this week.
As a software engineer, it is important to always have in mind “what level of authentication is required to perform this action.” Failure to do so often results in some pretty big problems. As we saw with the court case between Apple and the FBI, the iPhone has some pretty sophisticated security features. Unfortunately, it also has some nifty ease-of-use features. By themselves these features are often helpful and not a real security threat of any kind. However, when combined they sometimes lead to real problems, as is the case with Venmo, an app that allows users to send and receive money with other Venmo users. Venmo implemented a feature to allow notification and authorization via text message. Because the iPhone displays text messages on the lock screen, and Siri can send texts when the phone is locked… bam, money can be stolen.
I like this next article because the author just has a solid point. Many developers install local copies of the tools they use to handle their backend data on their workstation for testing code they’re working on locally. Many of these tools come with either built-in or add-on web interfaces, which developers find extremely handy for checking the state of the database during development and therefore often have installed. That leads to a possible vulnerability when surfing about the web. It might be worthwhile to note that the attacks described here rely on HTTP 0.9 and DNS rebinding, both of which will be very hard to pull off in Chrome, and impossible in the Chrome-nightly build, as support for HTTP 0.9 was removed and DNS rebinding was made very difficult if not impossible in a recent bug fix.
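DNS rebinding only works against a local web interface that answers requests whose Host header names someone else's domain, so a loopback tool can refuse them. The sketch below is an added example, not code from this post or the linked article; the port, allowlist and handler names are assumptions chosen for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed for this example: a dev-only admin UI bound to loopback on port 8080.
BIND_ADDR, PORT = "127.0.0.1", 8080
ALLOWED_HOSTNAMES = {"localhost", "127.0.0.1", "[::1]"}


def host_is_allowed(host_header, port=PORT):
    """Return True only if the Host header names this loopback service.

    After a DNS rebind the browser connects to 127.0.0.1 but still sends the
    rebound domain name in Host, so an exact-match allowlist rejects it.
    """
    if not host_header:
        return False  # HTTP/0.9-style requests carry no headers at all
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal with optional :port
        name, sep, rest = host.partition("]")
        if not sep or (rest and not rest.startswith(":")):
            return False
        name, port_part = name + sep, rest[1:]
    else:
        name, _, port_part = host.partition(":")
    if port_part and port_part != str(port):
        return False
    return name in ALLOWED_HOSTNAMES


class AdminHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Check Host before doing any work on behalf of the request.
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        body = b"dev admin UI\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer((BIND_ADDR, PORT), AdminHandler).serve_forever()
```

This check covers HTTP services only; a data store that speaks its own protocol on a local port needs authentication or a socket that browsers cannot reach.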
Following up on March’s Pwn2Own, Trend Micro’s Zero Day Initiative research team has issued a 65-page PDF which details the winning entries in the contest. This paper paints a picture of browser technology still full of security holes. There are some really great vulnerabilities in here and a nice walk-through of the logic of how these things work.
In keeping with my recent pattern, I decided to add a project I’m looking into. This week it’s Felony. I’ve had a fair share of people tell me that they don’t regularly use crypto because it’s difficult. Here they’re probably referring to the GnuPG command line interface, which can be a bit steep if you don’t have any understanding of how public key cryptography is meant to function. Fortunately, there are folks out there who are trying to remedy this situation. Felony gives a nice front-end to GnuPG; it allows use of the system through the native-ish windowing systems folks are used to. That’s a good thing.