Security Risk or Feature Request – Software due diligence – who controls your reputation?

If you can think of a business process nowadays, there’s probably either an outsourced service or off the shelf piece of software that will perform it for you. As part of any outsourcing arrangement, due diligence will be performed. However, what happens when you buy a piece of software?

If an organisation suffers a data breach thanks to an outsourcing partner not living up to their part of the bargain, there’s always the potential to mitigate reputational damage through plausible deniability. However, when you install and manage a piece of software, whatever happens is all your fault, so what can you do to make sure that software vendors take your reputation as seriously as you do?

Security Testing – In an ideal world, software would undergo a rigorous testing regime. Back in the real world though, software will usually undergo an element of functional testing with security testing either being an afterthought or the end user’s problem. Before you buy software that you’re trusting with your reputation, ask the vendor for their most recent security testing results. If they try to make it your problem, look elsewhere. If they have an open approach (CANVAS LMS is a good example here), stick with that vendor and don’t let them go.

Remediation Process – Ask the vendor for their documented process for actioning vulnerability reports. If the vendor shows you a full process documenting risk assessment and communication procedures including a liberal sprinkling of response timelines, give them a tick in the box for this one. If they give you a blank look, their competitors may want to help you.

Do your own testing – So, if you’ve found the unicorn that is a vendor taking information security seriously, why would you want to do your own testing? Penetration testing arranged by a vendor will often take place in a sterile environment that doesn’t necessarily resemble the real world. A real world configuration may introduce previously undiscovered flaws.

Show me – The cynical part of me strongly believes that if a vendor smells a sale, they’ll tell you whatever you want to hear, so don’t take them at their word; have them show you that they take the security of your customers’ data seriously.

Performing due diligence is just as important for COTS software that could have an impact on your sensitive data as it is for an outsourcing partner. Above all else, if you find a vendor who uses the term “Feature Request” instead of the more commonly used “Urgent Security Fix”, run away as quickly as you can – they’re not taking the security of your information as seriously as you are!

HOW TO: Intercept iPhone and iPad SSL connections that require a valid SSL certificate

With the rising popularity of iPhone and iPad devices, we are running into more and more applications which require a valid SSL certificate for all connections. In order to properly assess the security of these applications, we need to intercept the SSL connections they make. This post shows our technique for doing this.

Please note that this is not a vulnerability in iOS, and that everything is working as intended. This is the method we use for intercepting SSL connections made by iOS applications, and assumes you’re already able to forward such connections (using pf, iptables, or something similar) to your machine. This also assumes that you will be using the Burp Suite proxy.

1. Firstly, set up a working directory. This blog post assumes you’re working with the following directory structure:

mkdir ~/iosssl
cd ~/iosssl
mkdir {conf,certs,private,newcerts}
echo 01 > serial
touch index.txt

2. Then, copy your “openssl.cnf” file from somewhere in “/etc” into “conf/caconfig.cnf”.

The location of your “openssl.cnf” file may vary; “find /etc | grep openssl.cnf” may help.

cp /etc/pki/tls/openssl.cnf ~/iosssl/conf/caconfig.cnf


HTTPS In Abrupt – by Thiébaud Weksteen

For any of you who have ever played with the Android emulator, you may have noticed the following hiccup: when trying to establish an HTTPS connection – the browser tries to connect to the IP address of the server, rather than its FQDN. Even though in normal usage this is not a problem, it might still create some trouble when using classic HTTPS proxies (e.g. when performing security testing of an application).

HTTPS proxies

Here is an example of how an intercepting proxy works (e.g. Burp Suite):

  1. The browser connects via the proxy using something like “CONNECT http://www.securusglobal.com:443 HTTP/1.1”
  2. The proxy will answer that the connection has been established and at the same time generate a new certificate with the required domain name.
  3. What happens next will depend on your configuration:
    • If your browser has the Burp CA certificate installed, it will send the request.
    • If your browser does not have the Burp CA Certificate installed, a warning will be displayed on screen (CA unknown).

As you can see this works perfectly for standard usage of HTTPS.
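The CONNECT exchange described above, modelled as an added Python example that is not part of the original post and not Burp Suite’s own code: it parses the browser’s CONNECT request line (accepting both the authority form the HTTP specification requires and the “http://”-prefixed form quoted above), works out whether the client named the server by FQDN or by IP literal, derives the Subject Alternative Name entry the proxy’s generated certificate would need, and checks whether a given certificate would satisfy that client. The host names, and the 203.0.113.10 and 2001:db8::1 addresses, are constructed documentation values; the matching rules are a simplified version of RFC 6125 name checking, and everything runs offline with the standard library.

```python
"""Model of an intercepting proxy's CONNECT handling (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass

# Request-line grammar: RFC 7231 says the target is "host:port" (authority form);
# the optional "http://" makes the parser accept the looser form quoted in the post.
CONNECT_RE = re.compile(r"^CONNECT\s+(?:https?://)?(\S+)\s+HTTP/1\.[01]$")


@dataclass(frozen=True)
class ConnectTarget:
    host: str    # FQDN or IP literal exactly as the client sent it
    port: int
    is_ip: bool  # True when the client addressed the server by IP, as the emulator does


def parse_connect(request_line: str) -> ConnectTarget:
    """Extract host/port from a CONNECT request line; raise ValueError on anything else."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        raise ValueError(f"not a CONNECT request line: {request_line!r}")
    authority = m.group(1)
    if authority.startswith("["):               # IPv6 literal, e.g. [2001:db8::1]:443
        host, sep, port = authority[1:].partition("]:")
        if not sep:
            host, port = host.rstrip("]"), "443"
    else:
        host, sep, port = authority.rpartition(":")
        if not sep:                             # no port given: default to 443
            host, port = port, "443"
    port_num = int(port)
    if not host or not 0 < port_num < 65536:
        raise ValueError(f"bad authority: {authority!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return ConnectTarget(host=host, port=port_num, is_ip=is_ip)


def connect_response() -> str:
    """Step 2 of the exchange: the proxy tells the browser the tunnel is up."""
    return "HTTP/1.1 200 Connection established\r\n\r\n"


def san_for_target(target: ConnectTarget) -> str:
    """SAN entry the proxy's generated leaf certificate needs for this client."""
    return f"IP:{target.host}" if target.is_ip else f"DNS:{target.host}"


def _dns_match(pattern: str, name: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    if pattern == name:
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return False


def cert_matches(san_entries: list[str], target: ConnectTarget) -> bool:
    """Simplified RFC 6125 check: IP literals only match IP entries, names only DNS entries."""
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if target.is_ip and kind == "IP":
            if ipaddress.ip_address(value) == ipaddress.ip_address(target.host):
                return True
        elif not target.is_ip and kind == "DNS":
            if _dns_match(value.lower(), target.host.lower()):
                return True
    return False


if __name__ == "__main__":
    # Constructed request lines: a desktop browser naming the FQDN, and an
    # emulator-style client naming the IP (203.0.113.10 is a documentation address).
    for line in ("CONNECT www.securusglobal.com:443 HTTP/1.1",
                 "CONNECT 203.0.113.10:443 HTTP/1.1"):
        t = parse_connect(line)
        print(line)
        print("  proxy replies:", connect_response().strip())
        print("  cert must carry:", san_for_target(t))
        print("  DNS-only cert accepted:", cert_matches(["DNS:www.securusglobal.com"], t))
```

Running it shows the general rule behind the emulator hiccup: a certificate issued for DNS:www.securusglobal.com cannot satisfy a client that connected to 203.0.113.10, because IP literals are checked only against IP-type SAN entries, so a proxy has to mint its certificate from whatever the client put in the CONNECT line.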

Red cell testing takes on mobile security

When considering an organisation’s digital security, it is commonplace for workers to take into account common features such as password strength and regular updates of antivirus software. While these certainly help to form part of a strong security plan, these components do not constitute a complete suite of protection. This is because malicious parties are constantly evolving the way they seek out information that can be used in a penetration attack.

As an example, the 2012 Threat Report by Websense Security Labs analysed over 200,000 smartphone apps and found what it calls “a noticeable percentage” of the mobile programs contained elements of malware and non-essential permissions. The report states: “The popularity of mobile devices is creating a large target installed base and cybercrime is actively innovating to harvest information for profit.”

On top of this, researchers found that 51 per cent of mobile users turn off password permissions and security protections on their devices – making a lost or stolen phone a valuable commodity for malicious parties.

This is just one of the avenues that red cell testing teams could use when helping to examine possible exploitation routes – making use of the same methodologies and processes as real-world hackers and data thieves, but without the danger of losing control of proprietary information.

Security audits for third-party providers

When firms sign up to a cloud service provider, the decision is usually in terms of utility versus cost – as external providers can usually supply better software and applications than are available to a firm using their own in-house assets, but without the initial purchase cost. Of course, these transactions are only entered into with the understanding that the external partner will do their best to ensure the safety and security of their client’s data.

However, the concentrated nature of the details stored by specialist service providers often makes them a prime target for malicious parties, with the proprietary nature of the data making it highly valuable.

While the provider may assert that they are on top of their game in terms of online protection, due diligence demands that responsible firms have a clear picture of the measures currently in place. A professional security audit from an external provider can deliver a clear report into the depth and breadth of a firm’s digital capacities – providing an unbiased review of the promises made during the primary sales contact. Everything from encryption standards, storage methods and transmission protocols can be covered – providing managers with peace of mind that their partnership is secure before they sign on the dotted line.