Thursday, August 31, 2006

Regarding Jetty Cipher Suites

Well it looks like the default in Jetty is going to remain that you must explicitly DENY the ciphers you don't want rather than enable those that you do want. This is against the principle of locking down everything first and then granting access only as needed. I would be worried that someone misspelled something or forgot to add something or new ciphers come along when you're not looking ...

Here is the response from the Jetty team:

The list of cipher suites available is determined by the security provider that is available in Java and by default it is the SunJSSE provider. It's not included in Jetty but in your Java installation itself. It is possible to use a third party provider but it's not simple to install it (here are the details:

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#JCECust).

Thus, if you know the provider, you can just select the low level ciphers from the list of available ciphers provided by that provider. To see the list of available cipher suites in Java 1.5, just go to appendix A in the link above.

In appendix B, you'll see that Java has a list of allowed cipher suites for other providers. Java 5 will only allow third party providers as long as they support only those cipher suites in the list. You can just select the weak encryptions from this list and enumerate them in the excludeCipherSuites list so no one will be able to sneak in a weak encryption cipher.

Sunday, August 27, 2006

Foiling Key Loggers & More McAfee Software Problems

I had this laptop that kept inserting letters when I tried to log in. It would stick a bunch of extra letters in after every key I typed. Seemed like if I waited long enough then it would stop and I could log in. Or if I rebooted six times. Sometimes it seemed like a certain combination of characters hit into the keyboard out of frustration would work but the combination was inconsistent so that was most likely a coincidence.

Needless to say, logging into my computer with these extra characters spewing out of my keyboard was a total waste of time. I was so annoyed I went and bought a new laptop.

Then wandering around the random Internet I happened across a white paper by Microsoft talking about messing up key loggers by inserting additional random characters as someone typed passwords into text boxes. AHA.

I had McAfee software installed and although I tried to uninstall it something was completely hosed on my machine and it didn't work right. There were still random services floating around that I would mostly ignore.

I went to Start/Run and typed msconfig to pull up startup programs and sure enough there were still some McAfee services in there. I killed them all and removed them from automatic startup on my machine. Yep. That stopped the random characters from messing up my login.

This is not the first time I have had problems with McAfee and the feeling like it is more a foot in the door for hackers through their update process rather than a piece of security software. This feeling was justified in the case where their "enterprise" software had a serious vulnerability doing just such a thing. See other comments in past entries here.

And if you're having problems with extra characters appearing and getting in your way...run msconfig and stop the McAfee services from auto startup.

Wednesday, August 23, 2006

Online Advertising - Click Fraud

Here's a good article on the issues surrounding click fraud - the clicks you pay for at sites like Google, MSN and Yahoo and pages like this with the ads on the side of the page (or wherever).

Click Fraud

This is a serious issue for businesses because it can drain a lot of revenue. I once put up an ad and wasn't watching it and the amount billed in two days was something like $600.00 for Christmas decorations. I cannot believe all that was legitimate, however Google claimed it was and I didn't have the proper logs to look into it. I never had such an issue so didn't bother in the past.

More recently I have found that in competitive spaces like the online travel industry, online advertising is a significant part of the cost of doing business. The ads are very expensive based on the amount of clicks received.

Even worse is the web development space where you have to spend $2.50 per click just to get on the board. Something is wrong with that picture - and I got no leads for a huge amount of expense which just doesn't seem right.

Of interest is that recently I got a letter in the mail about a class action lawsuit against Google to get money back for fraudulent clicks. Hmm. Some lawyer will make a lot of money. The more alarming thing to me was that this letter stated I either had to send in a letter to remove myself from the suit, otherwise I would be a part of this suit and could never again sue Google for this reason. Well if I send in a letter is Google going to see that and shut down my advertising so they won't get sued? And what if I join the suit but I don't have any click fraud that I know of. I don't get any money now but I may have a click fraud issue later? I would like to think that Google is angelic and all that but reality is...Enron happens. The nice thing for Google is they basically settle this suit, pay a bunch of money, and can never be sued again for all the people who didn't see the letter or respond to it. And for those that did they might just close those people's accounts. It's always the little guy getting burned no matter which way you look at it. I saw subsequent similar letters for other online advertising services.

Click fraud is a serious issue for businesses. Not only do you have to ensure you aren't paying for fraudulent clicks, you also have to make sure your site is secure, because if you are pouring a lot of money into advertising and someone else can redirect your visitors to another site - you're paying for their advertising.

Jetty Cipher Suite Handling

In the latest version of Jetty rc1 it appears that the method setCipherSuites was removed and replaced with excludeCipherSuites.

Cipher suites allow the web server to use different types of encryption. If you are allowing weak encryption on your web server - you'll want to fix this.

In the case of the latest version of Jetty now you have to think of and exclude every possible cipher suite instead of just specifying those you want to allow. This is very poor security.

The way to handle security is to first disallow everything, then specify the things you want to allow explicitly.

Microsoft has this in their top 10 application security problems list, however they also do not follow this principle in regards to DCOM and RPC. Functions which are not required should always be disabled - especially those which can clearly be hacked - and administrators should be given the option to enable these things when needed.

In the case of Jetty I hope this was an oversight because this seems to be a well engineered application for the most part, however their use of certain non-standard third party tools does worry me at times. I hope they have checked every line of code inside and out.

Jetty is not the only organization doing this of course. I have written about many PHP frameworks which are on many more vulnerability lists!
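Both Jetty posts above make the same point: the connector only offers an excludeCipherSuites list, but the policy you actually want is "deny everything, then allow". The gap can be closed outside Jetty. The following is an added example and not Jetty's own code: it asks the default JSSE provider (SunJSSE unless you have installed another) for every suite it supports, keeps an explicit allow list as the source of truth, and derives the exclude list as everything else. A suite that a newer provider adds later is excluded automatically because it is not on the allow list, and a misspelled allow-list entry is reported instead of silently dropping a suite. The two suite names in ALLOWED are standard JSSE names used only for illustration; the setExcludeCipherSuites call mentioned in the final comment is assumed to be the connector method behind the excludeCipherSuites setting the posts discuss.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLSocketFactory;

/**
 * Derive an excludeCipherSuites list from an explicit allow list.
 * Added example, not Jetty's own code: the connector only offers "exclude",
 * so the exclusion is computed as (everything the provider supports) minus
 * (what policy permits).
 */
public class CipherSuiteAllowList {

    /** Assumed allow list for illustration; substitute the suites your policy permits. */
    static final String[] ALLOWED = {
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
    };

    /** Every supported suite that is not on the allow list, sorted by name. */
    static String[] excludeListFor(String[] supported, String[] allowed) {
        Set<String> allow = new LinkedHashSet<String>(Arrays.asList(allowed));
        Set<String> exclude = new TreeSet<String>();
        for (String suite : supported) {
            if (!allow.contains(suite)) {
                exclude.add(suite);
            }
        }
        return exclude.toArray(new String[exclude.size()]);
    }

    /**
     * Allow-list entries the provider does not support. A non-empty result
     * usually means a misspelled suite name, which would otherwise leave the
     * server with fewer usable suites than intended without any warning.
     */
    static String[] unknownAllowed(String[] supported, String[] allowed) {
        Set<String> known = new LinkedHashSet<String>(Arrays.asList(supported));
        Set<String> unknown = new TreeSet<String>();
        for (String suite : allowed) {
            if (!known.contains(suite)) {
                unknown.add(suite);
            }
        }
        return unknown.toArray(new String[unknown.size()]);
    }

    public static void main(String[] args) {
        // Ask the default JSSE provider what it can negotiate at all.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        String[] supported = factory.getSupportedCipherSuites();

        String[] unknown = unknownAllowed(supported, ALLOWED);
        if (unknown.length > 0) {
            System.err.println("Allow list names suites this provider does not know: "
                    + Arrays.toString(unknown));
            System.exit(1);
        }

        String[] exclude = excludeListFor(supported, ALLOWED);
        System.out.println("Supported by provider: " + supported.length
                + ", allowed: " + ALLOWED.length + ", to exclude: " + exclude.length);
        for (String suite : exclude) {
            System.out.println("exclude " + suite);
        }
        // Hand 'exclude' to the Jetty SSL connector's excludeCipherSuites setting,
        // e.g. sslConnector.setExcludeCipherSuites(exclude) (method name assumed).
        // The allow list above remains the only thing an operator edits.
    }
}
```

Run this at deployment time against the same JVM that will run Jetty, since the supported list comes from that JVM's provider; rerun it after any Java upgrade or provider change so that newly added suites land in the exclude list rather than being silently enabled.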

Friday, August 18, 2006

Are You Getting All Your Email?

I have this vision for a new company - maybe someone can take my idea for free and run with it. I am having problems getting some email right now from a vendor. In the past I have had problems getting emails from other companies. There are various companies set up to check your web site content from different locations. It would be cool if there was a company that was not too expensive that would send you emails from different places and you could see online from where and when they sent them to validate you are getting all the email you think you should be. It would need to be something random so that the company stealing your email doesn't realize it's a verification email. Sounds like spam doesn't it?? Actually I think it's more like a secret shopper.

Tuesday, August 15, 2006

More PHP Hacks: Better Web Systems

Lieberman's site was hacked on the eve of his defeat in the race for US Senator. You can read more about it here:

PHP Hacks

I wrote previously about how I hate PHP because it is this free software with all these neat widgets which script loving programmers and web site owners who may not be programmers at all hack together into something that externally - looks like a web site. Ok it is a web site.

Well, if you're running a web site for the neighborhood street party maybe that is ok. But using someone who is not on top of ALL the issues in building and maintaining secure and solid web sites, and you're basing your whole career off this web site...good luck.

The problem here was that someone threw together a PHP web site (so you can guess it was cheap...) and didn't apply a patch that came out that would have prevented the whole problem. Too often people set up a web site and then think they can never pay attention to it again. Not true.

Whatever software you are running, besides your automatically updated Windows operating system, is potentially hackable and must be managed and monitored if you don't want someone to hack it.

And as mentioned previously I have somewhat of a disdain for PHP for various reasons. There are some good PHP programmers but there seem to be more bad than good and more hacks than in most other languages.

You get what you pay for.

Sunday, August 13, 2006

A Different View of Netcraft Server Usage Rankings

Here's a twist on how to view the Netcraft rankings that tell you how many of each type of server (IIS, Jboss, Jetty, Apache, Tomcat, etc) are being used on the Internet.

The way these rankings are gathered is by scouring the web and pinging each web server to determine what type it is to add to the statistics.

Consider that a properly secured configuration will not advertise this information, because as new vulnerabilities are announced, hackers will use this information and scour the Internet (the same way Netcraft does) looking for these types of servers so they can attempt to exploit that vulnerability.

So instead of thinking, hey most people use IIS so I'm going to use that too, you can think, geez IIS has the most insecure installations therefore there are more IIS admins that don't know what they are doing than other types of web servers in terms of security.

By the way I haven't looked to see which type of server is most widely used right now. IIS is just an example. It is probably one of the free web servers like Apache - which is a good web server for certain uses. The problem is not with the server itself. The problem is with administrators who are not properly trained on implementing secure configurations of their web servers.

I for one, knew my limitations and hired a managed hosting company, thinking they would have all the answers to make my systems secure so I could focus on development. Not so. Your application developers need to be aware of application issues and your internal staff and/or external auditors need to be checking everything your managed hosting company is doing. People at managed hosting companies can make mistakes, as well as the possibility of internal security breaches.

So secure your web server by hiding the implementation from prying eyes, including Netcraft unfortunately. Additionally, run security audits and don't assume your administrator or your managed hosting company can find every single problem. Security is a tough issue that requires constant monitoring and updating to keep up with the hackers.
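The fingerprinting described above works because servers volunteer their identity in response headers. A quick way to see what your own server volunteers is to fetch one page and list the headers that name the implementation. The following is an added example, not Netcraft's method or any product's code: it sends a HEAD request to a URL you administer (taken from the command line) and reports the Server, X-Powered-By and X-AspNet-Version headers if present. The header names in DISCLOSING are common disclosing headers chosen for illustration; add any your platform emits.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * List the response headers with which a server identifies its software.
 * Added example for auditing a server you operate; the header names below
 * are an illustrative, not exhaustive, set.
 */
public class ServerBannerCheck {

    /** Response headers that commonly disclose the implementation. */
    static final String[] DISCLOSING = { "Server", "X-Powered-By", "X-AspNet-Version" };

    /** Returns "Header: value" for each disclosing header present (names compared case-insensitively). */
    static List<String> disclosed(Map<String, List<String>> headers) {
        List<String> found = new ArrayList<String>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            if (name == null) {
                continue;  // HttpURLConnection stores the status line under a null key
            }
            for (String wanted : DISCLOSING) {
                if (wanted.equalsIgnoreCase(name)) {
                    for (String value : e.getValue()) {
                        found.add(wanted + ": " + value);
                    }
                }
            }
        }
        return found;
    }

    /** Usage: java ServerBannerCheck http://your-server.example/ */
    public static void main(String[] args) throws Exception {
        URL url = new URL(args[0]);  // a server you administer
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("HEAD");
        conn.setInstanceFollowRedirects(false);
        conn.connect();
        List<String> found = disclosed(conn.getHeaderFields());
        conn.disconnect();
        if (found.isEmpty()) {
            System.out.println("No implementation-disclosing headers returned.");
        } else {
            for (String f : found) {
                System.out.println("Disclosed -> " + f);
            }
        }
    }
}
```

An empty result only means the headers are quiet; error pages, default directory listings and version-specific behaviour can still give the implementation away, so treat this as one check in an audit rather than proof of a hidden server.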

Validating Click To Call Advertising Charges

I set up a pay per call account with this online advertiser and after a couple of months I was billed for a couple of calls. No big deal right? Couldn't cost that much? Well the problem is - I didn't get these supposed leads. I had no additional business, no messages, and no record of the phone calls in my logs. I only had some calls from some marketing research company in Canada. I wondered if they were calling and creating the charges and wanted to complain about that.

However instead, I must now complain about the advertising company. I emailed them and told them I think I was billed incorrectly because I hadn't gotten any "leads". However just to make sure I asked for the phone records so I could match them up to my phone calls and determine if I had actually received calls from other sales people rather than actual leads and that was the source of this whole thing. Maybe that research company is using their list and generating charges for people - in which case they need to stop!

Instead of simply sending me the phone logs or telling me where I could find them, the advertising company emailed me and told me to call them. I told them I couldn't right now because I'm on a contract during the day where I can't take/make phone calls and additionally, I am super busy. I use my lunch hours and any extra time to get projects done. Could they please just send me the phone records and I would look into it later.

Then they tell me they can't provide the phone records like the number that called me - for "privacy" reasons. What the heck? What kind of phone service doesn't provide you record of the calls you are being charged for? Does anyone see anything wrong with this picture? They could tell me I got 100 phone calls and have no way to prove it and I am supposed to just pay it? Even with pay per click advertising you can track back clicks to their source and validate you are getting the clicks you are paying for. Same should be true for phone.

Additionally this company told me that my phone line would not allow them to leave a message. That's odd. I have messages from this research company, vendors, etc. I also have hang up messages (clicks) from their number so if I can get the hang up why couldn't they speak and leave a message? However I realize something may have been wrong with the phone line and need to call the company providing me with that service in that case, so I asked them exactly how they tried to leave a message so I could resolve it. Were they on the main extension and didn't select a particular extension or what?

Additionally I sent some suggestions for making the service better and why it would make more sense if they could provide the phone logs. For instance if someone placed a call and didn't leave a message you could use the phone number in the logs to call them back. If nothing else you could validate that you actually did receive the calls you are being charged for. I asked if she could pass that message on because I think it would be valuable for marketers to be able to track the source of their leads and make this online advertising service more valuable if it could be associated with dollar value in terms of new sales.

In the meantime I said I would try to login and see if there was some information in the system I could match up to my phone logs to figure out what happened.

So what did they do? Did they answer my question about the voicemail so I can fix it? Did they pass my message along? Did they tell me how they tried to leave a message so I could resolve that problem on my end (if it was on my end)? Did they allow me to log in and find potential answers to my questions -- OK I should have looked there first but I didn't realize they had stats in their online system and actually just forgot about it altogether so I will say shame on me for that. But apparently the info I needed was not there anyway from what she told me.

But no...she deactivated my account and refunded all the money before I had a chance to log in. Hmmm... I did not ask for this. I did not refuse to pay the charges if they are legitimate. I did not even refuse to pay the charges if they were wrong! I was just trying to understand how they track these things because I didn't have record of these calls they were charging me for.... I just wanted to see where they are coming from!

Could it be that they closed my account because there were no record of these calls? Before I could login and prove it??

If you are paying for "pay for call" advertising online - check that the service you are using can actually prove that you are getting the calls for which you are getting billed.

Maybe this company is not even doing it intentionally...but they should think about and change the service so people can verify the charges they are receiving. The other thing is that competitors may be clicking on this link to generate invalid charges and there needs to be a way to trace this back to the source and make it stop if that is happening. This service provides no recourse for doing so. We simply have to pay for the fraud with everything else.

Thursday, August 03, 2006

International Crime Ring - The Web Mob

More correlations between all the data I have been presenting for almost a year now (go back to my very first story and the speculations about coordinated crime efforts spawning from Russia, China and elsewhere) can be found in this report:

FBI Discusses International Web Crime

My take that the next war will be an information war is being played out in references to Internet crime "cells" similar to terrorist network cells. My speculation further suggests that these "cells" are related to terrorist cells trying to produce nuclear bombs and weapons.

It's always about power and money isn't it? Sometimes I wish I was blissfully oblivious but I can't help what I see. And it all started by digging into the network of spam drowning my emails last year. The trends...the networks involved...the targets...the messages...I knew it was somehow coordinated.

Piece by piece the random Internet connections are connecting into a puzzle that is starting to form comprehensible and recognizable images that explain what is really going on.

The Internet is the new Wild, Wild West ... the new digital mob ... a new form of drug lords that want to rule the world ... a new brand of espionage and terrorism predicted in war games but very much an understatement in terms of the reach and complexity of the network and crimes involved.

Wednesday, August 02, 2006

JSP Vulnerability

Besides DCOM I am wondering if there is some type of security problem with JSP. In one of my last entries you'll see some comments from people about various hosting companies. One of them mentions problems at a company I also have had problems with. They also mention that they wonder whether the problem stems from a JSP application.

Two things come to mind after reading this statement.

#1. That hosting company is partnered with JBoss, an open source Java Application Server that serves up JSP. They must have some expertise in that area - and potentially some people who are aware of known hacks who may have internal access at the organization.

#2. Maybe there is some sort of flaw in JSP...which was something I was starting to wonder prior to reading this. The thing about JSP is that it is compiled after the fact and there are some temporary files that contain the compiled code. What this means is that if someone can get into your cache of compiled JSP pages, they could potentially change those cached pages and alter the functionality of your application. You wonder what is going on so you do a diff on your code and it all looks the same...but in reality what was altered was the cached files. In the past I have found permissions changed on these cached files as well so they could not be deleted. That means that the code you think you are running may not be the code you are actually running.

#2 does not just apply to JSP but any programming language that compiles at run time. There needs to be a way to verify that the cache has not been poisoned.

So don't use JSP? I don't think that is the answer here because so many other application programs work in a similar way. In terms of Java application servers you could opt for using servlets. You can also perform some security auditing on your system to verify this is not happening.
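The audit the post asks for, verifying that the compiled-JSP cache has not been altered, comes down to a file integrity baseline over the container's work directory. The following is an added example and not part of Jetty, JBoss or any other container: on the first run it records a SHA-256 and the writable flag of every file under a directory you name, and on later runs it reports files that were added, removed, changed, or whose permissions flipped, which covers both the altered-cache and the cannot-delete symptoms described above. The work directory path is site-specific and is passed on the command line; the baseline file must be stored somewhere the web server's account cannot write, or a tamperer could update the baseline along with the cache.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

/**
 * Integrity baseline for a compiled-JSP work directory.
 * Added example, not part of any container: record "sha256 writable|readonly"
 * per file, then report additions, removals and changes on a later run.
 */
public class JspCacheIntegrity {

    /** Relative path -> "sha256hex writable|readonly" for every file under root. */
    static Map<String, String> snapshot(File root) throws IOException {
        Map<String, String> result = new TreeMap<String, String>();
        walk(root.getAbsoluteFile(), root.getAbsoluteFile(), result);
        return result;
    }

    private static void walk(File root, File dir, Map<String, String> out) throws IOException {
        File[] entries = dir.listFiles();
        if (entries == null) {
            return;  // unreadable directory: nothing to record
        }
        for (File f : entries) {
            if (f.isDirectory()) {
                walk(root, f, out);
            } else {
                String rel = f.getAbsolutePath().substring(root.getAbsolutePath().length() + 1);
                out.put(rel, sha256Hex(f) + " " + (f.canWrite() ? "writable" : "readonly"));
            }
        }
    }

    static String sha256Hex(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
        InputStream in = new FileInputStream(f);
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
        } finally {
            in.close();
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Human-readable differences between a stored baseline and the current state. */
    static List<String> diff(Map<String, String> baseline, Map<String, String> current) {
        List<String> findings = new ArrayList<String>();
        for (Map.Entry<String, String> e : baseline.entrySet()) {
            String now = current.get(e.getKey());
            if (now == null) {
                findings.add("REMOVED  " + e.getKey());
            } else if (!now.equals(e.getValue())) {
                findings.add("CHANGED  " + e.getKey() + " (" + e.getValue() + " -> " + now + ")");
            }
        }
        for (String path : current.keySet()) {
            if (!baseline.containsKey(path)) {
                findings.add("ADDED    " + path);
            }
        }
        return findings;
    }

    /** Usage: java JspCacheIntegrity <work-dir> <baseline-file>; writes the baseline if absent. */
    public static void main(String[] args) throws IOException {
        File workDir = new File(args[0]);        // the container's compiled-JSP directory (site-specific)
        File baselineFile = new File(args[1]);   // keep this outside the web server account's reach
        Map<String, String> now = snapshot(workDir);
        Properties p = new Properties();
        if (!baselineFile.exists()) {
            p.putAll(now);
            FileOutputStream os = new FileOutputStream(baselineFile);
            try { p.store(os, "compiled-JSP cache baseline"); } finally { os.close(); }
            System.out.println("Baseline written: " + now.size() + " files");
            return;
        }
        FileInputStream is = new FileInputStream(baselineFile);
        try { p.load(is); } finally { is.close(); }
        Map<String, String> baseline = new TreeMap<String, String>();
        for (Map.Entry<Object, Object> e : p.entrySet()) {
            baseline.put((String) e.getKey(), (String) e.getValue());
        }
        List<String> findings = diff(baseline, now);
        for (String f : findings) {
            System.out.println(f);
        }
        System.exit(findings.isEmpty() ? 0 : 2);
    }
}
```

Take the baseline immediately after a clean deployment, when the pages have been compiled once, and run the comparison from cron or a scheduled task; legitimate recompiles after you change a .jsp file show up as CHANGED, so regenerate the baseline as part of every deployment rather than ignoring those findings.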

DCOM - Vulnerability #1

I am starting to think DCOM is a real security hazard. Every hosting company I talk to seems afraid to touch it. The one I talked to last said disabling it can "cripple the OS". The one I talked to before that said it could be "disabled no problem". So which is it?

And by the way I didn't ask to disable DCOM. I just want it to be secure so someone can't use it to launch rogue applications like they did on my box at the last hosting company. Someone was able to launch apps that were sending spam and who knows what else (see previous topics) using DCOM.

I am not sure how they got those apps on the box in the first place - I know they were launched through DCOM however they could have been installed by other means. Was it through my app or someone internal to the organization who had access to the machine? I also find it interesting that they say they have no knowledge or understanding of my web application and I find this to be a crock of you know what since I recently found an article saying they are partnered with the company who wrote my application server. Since they are partnered up with JBoss they probably have some internal or closely related people over there who are very aware of any known hacks should they want to take this hacker action to steal my money. (Which was clearly happening for three months over there and I am not yet positive it has been resolved).

But back to DCOM.

So whose responsibility is DCOM anyway? It's kind of an application thing. Something people use to write apps that connect to and talk to each other over the Internet and a way to launch remote applications. However it ships with the OS and so in my opinion, if a hosting company is claiming that it is going to "harden the OS" for you and manage security, then securing DCOM against launching rogue applications and against being left unnecessarily accessible when the client is not using it is an issue that the hosting company should address.

So far not one single company I have talked to has anything about DCOM or RPC in their OS hardening policies. This is clearly a fact that hackers are taking advantage of based on my experience.

Additionally if changing DCOM settings can "cripple the OS" why is there no clear documentation from Microsoft on how to correctly secure DCOM and a more simple way to figure out what apps are using it and if it can be safely disabled on a machine where it is not needed. The documentation on the Microsoft web site is even sketchy - warning that disabling DCOM may cause problems - but not clearly defining those problems so a person can make a technical and accurate decision as to whether disabling it is the correct thing to do or not.

And as argued before, you should not be able to do something on the OS that allows you to "cripple" your machine via the user interface. I understand if you are changing registry settings or something like that. But changing security in the OS settings? What's the point of a user interface. It should have some application logic to prevent this and a way to safely back it out if they aren't going to prevent it.

Managed Hosting Companies - Internal Employee Access Policies

The saga continues...In search of a new managed hosting company.

Seems like most companies do not have well documented processes in terms of how and when employees can access managed systems and how this access is audited. To me I find this scary. I am working with some mid range hosting companies that support multi-million dollar businesses. I know because the reason I found out about one of these companies was through one of my $150 million per year clients.

One company was able to have a tech respond to me and outline the process. The company I was at previously could not articulate their processes and apparently did not have them written down anywhere - or want to provide me these documents in writing - because they constantly wanted to call me. The third company I am speaking to tells me that they have very stringent processes but no customer facing documents to explain these processes.

Since system administration is one of the very weakest points in the whole process - typically errors and hacks are caused by humans and most easily someone who has open access to the machine already - this is a huge problem! Yes so someone can't get into the building because you have biometric controls and chainlink fence lockers and separately locked cabinets. So what if your administrator is the one causing the problem!

This was highlighted by an instance at Internap that took down their whole Fisher Plaza facility one fine Friday evening - when I just happened to have a potential customer looking at my web site and freaking out, thinking I am some fly by night operation. Someone who had access to the building already went and flipped off the power switch somehow and for whatever reason in such a way that the generators didn't kick in. Seems they pushed that big red button that says "do not push" all over it way up in the air and Internap reported to me that it was "an accident"?? Hmm.

Internap is a good company but things happen. In "Who Says Elephants Can't Dance" Lou Gerstner says "People do what you INSPECT, not what you EXPECT." I wholeheartedly believe this after being ripped off by some of my own employees. Hosting companies want me to "just trust them" but that is foolish. You need to have good auditing in place in your hosting environment for true security - both internally and externally.

Tuesday, August 01, 2006

Managed Hosting Companies - Comparison

Here are some postings about potential managed hosting companies. Please note that I did not participate in this discussion. I am currently in the process of researching and evaluating new potential hosting companies in order to find one that can provide better security configuration and resolve some of the problems mentioned in past articles.

Managed Hosting - Comparison

It is very difficult to find a hosting company that sounds confident in their ability to completely secure DCOM based on the applications I am running. I know what the potential settings are but am not sure why setting them a certain way crashes a server. Additionally it is unclear what settings must be left turned on for the applications at the managed hosting companies - most of them don't even know if their applications require DCOM or not.