For all of my readers who are DD-WRT users you may want to stop using v24 SP1, SANS Internet Storm Center (ISC) has a brief post about a DD-WRT vulnerability that will allow an attacker to run programs with root privileges on a vulnerable router. In other words, this is a really bad vulnerability. Root privileges in Linux is the equivalent to admin privileges in Windows. With root access, a hacker could do anything with your router. Since your router controls what you do on the Internet, that could be really, really bad. The SANS post has a link to the dd-wrt forum which provides additional details regarding the problem as well as some options on how to mitigate it and/or patch the DD-WRT firmware. I highly recommend checking it out right now. Now that I’ve stressed it enough, here’s the link to the SANS ISC page: http://isc.sans.org/diary.html?storyid=6853&rss.
Category archives: Security
More Secure OpenID
03Jan08OpenID is a very cool authentication idea. It allows you to have single sign-on (i.e., login once using one user name and password for multiple websites/applications) for sites that support OpenID. The ability to only login to one site and then only provide your OpenID URL to other sites you would like to authenticate to (prove that you are who you say you are) is very nice. For one, it alleviates the problem of having to remember multiple user names and passwords (I hope you use different passwords for different sites…at the very least different passwords for financial sites). For two, it saves time. Unfortunately, every site I use does not yet support OpenID so I still end up having to deal with multiple user names and passwords.
Like all things with computer security, OpenID is not without its fair share of problems. One of the biggest problems is a result of OpenID’s main benefit, single sign-on. Single sign-on is great as long as no one is able to compromise your user name and password. However, if someone manages to compromise your user name and password then they’ve compromised every site for which that single sign-on is used. Therefore, it is imperative that your OpenID account has a very strong (read long, random, mixed case, numbers, and special characters) password.
It is also important that you don’t fall victim to a phishing attack that tricks you into thinking your logging in to your OpenID account when you’re not. Otherwise, it doesn’t matter how strong your password is if you simply give it away to a fake site. In order to ensure the OpenID provider site you’re logging into is legitimate you should examine the SSL certificate to make sure it belongs to your OpenID provider and has been signed by a trustworthy certificate authority (e.g., Verisign, Thawte, etc.).
Another concern with OpenID that I won’t cover in this article because its out of scope is privacy. The jest of the issue is that your OpenID provider can basically track every site you use your OpenID account with. A few other concerns with OpenID exist. I recommend that you checkout Security Now episode 111 if your interested in learning more about OpenID concerns.
Wouldn’t it be great if there was a way to easily and effectively reduce some of the risk with OpenID? Two-factor authentication provides the solution. For those of you who are not familiar with what two-factor authentication is, I’ll give a brief explanation. Two-factor authentication is when you provide more than one form of evidence that you are who you say you are. Generally, people just provide a password which is something you know. However, two other common factors of authentication exist—something you are (biometrics) and something you have (security token/fob, smart card, etc.).
Two-factor authentication is a great solution because it ensures someone can’t easily steal your account by guessing, cracking, or stealing your OpenID password. The second factor means that would need to possess your security token as well. Security tokens work by providing a random string of typically six digits periodically (most tokens do so every thirty seconds). The current six digits being displayed by the token (which only you have) must be appended to the password (which hopefully only you know). Additionally, a two-factor authentication mitigates the risk of falling victim to a phishing site because the password the phisher stole is only good for thirty seconds.
Luckily for all of us Verisign is a free OpenID provider which offers support for two-factor authentication. They call their service Personal Identity Provider (PIP). To take advantage of their service you need to have a supported security token (i.e., a little key-chain device which provides a random number every thirty seconds). Luckily, you can buy one of these devices through PayPal for only $5. As an added benefit, this security token works not only with PIP but also with PayPal and eBay.
A Firefox extension, SeatBelt, automatically fills in your OpenID URL in websites with the appropriate form field. The extension also provides some useful security and OpenID management capabilities.
In conclusion, OpenID is a great solution for trivial sites like blogs and forums as long as you are aware of the dangerous that exist and take the necessary precautions. I still wouldn’t recommend OpenID for financial and medical sites but for pretty much everything else it is great. I know I can’t wait till more of the sites I use start to take advantage of it.
In case your wondering, I’m not getting paid anything to write this post nor do I make any money if you sign up for an account or buy a security key. I just think Verisign is offering a really good, secure OpenID solution that not many people know about. I just wanted my readers to know that this is an available solution. Plus, if enough people start using OpenID more sites are likely to offer it is an login option. Before I forget, you can find a list of OpenID enabled sites at the OpenID directory.
AJAX Security Considerations…
10Aug07As many of my blog readers know AJAX is a very popular web development technology right now. AJAX offers web developers the ability to provide desktop application like functionality in web applications. Without AJAX many of the tools I use every day such as GMail, Google Reader, and Google Maps just wouldn’t be near as fun or easy to use. Don’t worry, I do occasionally use non-Google sites that make heavy use of AJAX, I just can’t think of them right now.
However, as recently reported by security researches from SPI Dynamics at the Blackhat USA 2007 security conference, the benefits of AJAX don’t come without significant security risks.
One of the main problems with AJAX is that a lot of traditional server side code is now executed on the client side. This provides would be hackers with a ton of insight on how your application functions. Once equipped with these details it is much easier for hackers to trick web applications into doing things they’re not designed to do.
The presenters at Blackhat showed the audience how a mock AJAX travel site could be tricked into selling tickets cheaper and also tricked into blocking ticket sales for the same airplane. I think these two examples show exactly how important it is for web developers to secure AJAX.
My recommendation on this subject is to not stop developing with AJAX but to take the time and effort to learn about the security problems associated with this web development technique and the ways to avoid the common pitfalls–doing so will make the web a safer place for each of us.
Just so you know where to start more about AJAX security, Darknet offers some good insight on securing AJAX by explaining some of the common ways to attack AJAX applications.
[via Ars Technica]