Friday, April 1, 2016

Browser - Comodo RSA Certificate - BVP.com

On LinkedIn there was a trending item in the Computer and Network Security Update about a Forbes blog post on an index of the largest security companies.


I went to Forbes and there was a link to the index.


I clicked on the link using Safari and got a certificate warning.



Tried Opera, got a warning.



Tried Chrome, got a warning.



Tried Authentic8 Silo; it went to the page, but since it is a virtualized browser there is very little risk. Tried Firefox; it loaded the page with no warning. Risk is unknown. I tried using Google to find out if Comodo has been hacked. The best data I could find was here. This takes us back to the Trusting Trust problem. I can run Keychain First Aid, I can explicitly trust the certificate, but does that set me up for problems from a malware web site? So I asked Sandra Dunn; she knows as much about certificates as anyone I know.
= = =

Sandy,

I am pretty sure I know how to get Comodo trusted by my Mac, but I do not know how to tell if I should. Any insights you have would be appreciated.
http://securitywa.blogspot.com/2016/04/browser-comodo-rsa-certificate.html

Thank you,

Stephen Northcutt

= = =
Sandy replied that it works on Windows. (I hate it when that happens; after I finish this blog post I need to do a search and destroy of QuickTime on my Win 10 box.) By the way, Sandy is quoted/credited with permission.
= = =

Mr. Northcutt

https://www.bvp.com is working in both Chrome and IE for me on Windows

But running a TLS scan shows there are multiple issues and an F grade. I don’t have a Mac but I am going to check in a Linux system and see if I get a warning.

Best,


Sandy Dunn


= = =
So we have a stock index that claims to outperform the S&P and Dow Jones by 2X, and trust in the certificate that proves they are who they claim to be is doubtful. Can anyone see the opportunity for mischief? Sandy did further investigation and wrote back.
= = =

Mr. Northcutt

The www.BVP.com certificate isn’t in good shape but I couldn’t figure out why I wasn’t being blocked from the site as you were. I tested www.bvp.com in Iceweasel and then I received the same error you saw. I saw that it was a chain issue and a call to a technical friend put the final pieces together. Windows has the Comodo Intermediary CA in the Intermediary root store. Iceweasel and apparently the browsers you were trying don’t have it either. Please see attached screen shots for more explanation.


Best,

Sandy Dunn

Windows does not have the intermediary in the certificate store



= = =
The bottom line for me (Stephen) is that a stock index needs to be something you trust. When you invest in equities, you are investing money you worked hard to earn. There is always risk, and you want to minimize that risk. From a cursory look at their list of the billion dollar club, it looks correct. I am going to guess that when Sandy and I went to BVP.com it really was them. However, the number of problems they have in their implementation makes it so that at least this one paranoid security guy is not going to blindly trust their site.

Browser: Baidu - infostealer?

Sometimes browsers collect information about you and provide that information either to the websites you visit or to a central server. As an example, I logged the browser interactions that occur when you play a single song on YouTube using Opera. In that case the browser exchanges data many times with Google and YouTube and then sends a report to Opera.

According to Softpedia, the Baidu Browser can almost be classified as an "infostealer virus". Remember, a virus is malware that requires user interaction, in this case loading the browser and clicking on URL links.

Citizen Lab researchers narrowed down the information leakage issues to a common SDK, Baidu Mobile Tongji (Analytics) SDK, used for both the Android and Windows versions.

Together with mobile security firm Lookout, the researchers identified this SDK inside 22,548 app packages. Back in November 2015, researchers from Trend Micro identified a similar Baidu SDK, which could be found in 14,112 Android apps and included features that could be abused to install backdoors on all infected devices.

You can read more about the Baidu Browser here, but use a safe browsing configuration like Authentic8 Silo or Firefox & NoScript, as it appears to attempt to run 15 different scripts on you. If you are a cybersecurity executive of an international organization, it would pay for you to read the Citizen Lab report. Highlights include:

• The Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption.

• The Windows version of Baidu Browser also transmits a number of personally identifiable data points, including a user’s search terms, hard drive serial number, model and network MAC address, URL and title of all webpages visited, and CPU model number, without encryption or with easily decryptable encryption.

Browser: long email links

NOTE: I do not use drugs recreationally. However, I am a Washington state resident and so I am interested in the news about the use of legal marijuana to some extent.

Today, I received an email note about marijuana in Canada (I have a Google alert on the word Canada), and the teaser said "following Colorado and Washington", so I wanted to open the note. My habit is to never click on a link (and if I screw up because I am in a hurry, my default browser is Firefox/NoScript so I am fairly safe). Instead, I copy the link and paste it into the appropriate browser, in this case Authentic8 Silo.

Here is the link:
https://www.google.com/url?rct=j&sa=t&url=http://www.businessinsider.com/canada-to-decriminalize-marijuana-by-2017-2016-4&ct=ga&cd=CAEYACoTNzY4MzAwNjQyNzUxODA1MDcwNjIaZDZmMTgwYTZlY2EwNzA2Mjpjb206ZW46VVM&usg=AFQjCNHDv5TppIGbFihCRXrWwuwwIlc3cw

The good news is that any scripting and cookies remain in Silo. The bad news is that someone, somewhere, knows my email address opened the note. So what if I just change the last character of the very long link?

https://www.google.com/url?rct=j&sa=t&url=http://www.businessinsider.com/canada-to-decriminalize-marijuana-by-2017-2016-4&ct=ga&cd=CAEYACoTNzY4MzAwNjQyNzUxODA1MDcwNjIaZDZmMTgwYTZlY2EwNzA2Mjpjb206ZW46VVM&usg=AFQjCNHDv5TppIGbFihCRXrWwuwwIlc3cx

Sure enough the page opened, and there is a good chance they don't know I opened it:
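The manual step above (copy the link, find the real destination inside it) as an added Go example that is not part of the original post: it takes the Google Alert link quoted above, returns the article URL hidden in its url= parameter so it can be pasted into a browser directly, and lists the tracking parameters (cd, usg and so on) that a click would have sent back. The check that the destination is a plain http/https URL is an added precaution, not something the post describes.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// Tracking link copied from the post: a google.com/url redirector wrapping the real article.
const alertLink = "https://www.google.com/url?rct=j&sa=t&url=http://www.businessinsider.com/canada-to-decriminalize-marijuana-by-2017-2016-4&ct=ga&cd=CAEYACoTNzY4MzAwNjQyNzUxODA1MDcwNjIaZDZmMTgwYTZlY2EwNzA2Mjpjb206ZW46VVM&usg=AFQjCNHDv5TppIGbFihCRXrWwuwwIlc3cw"

// unwrapRedirect returns the destination hidden in a google.com/url redirector together with
// the names of the tracking parameters that would be sent if the link were clicked.
// Links that are not such redirectors come back unchanged with no tracking parameters.
func unwrapRedirect(raw string) (dest string, tracking []string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", nil, err
	}
	q := u.Query()
	if u.Host != "www.google.com" || u.Path != "/url" || q.Get("url") == "" {
		return raw, nil, nil
	}
	dest = q.Get("url")
	d, err := url.Parse(dest)
	if err != nil || (d.Scheme != "http" && d.Scheme != "https") {
		// only plain web URLs are worth pasting into a browser; refuse anything else
		return "", nil, fmt.Errorf("unsafe destination %q", dest)
	}
	for name := range q {
		if name != "url" {
			tracking = append(tracking, name)
		}
	}
	sort.Strings(tracking)
	return dest, tracking, nil
}

func main() {
	dest, tracking, err := unwrapRedirect(alertLink)
	if err != nil {
		panic(err)
	}
	fmt.Println("visit directly:", dest)
	fmt.Println("would have sent:", tracking) // [cd ct rct sa usg]
}
```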




Browser: Digital cover and concealment

I originally posted this on LinkedIn, but I wanted to repost because last night I saw the movie The American (a gift from Kathy's brother). There is a scene near the end where a sniper is setting up to shoot George Clooney; she is standing on a roof with the gun up against a gutter and my brain was screaming "Oh Nooooo". She is not shooting from cover. Repeat after me, a line from another famous movie, The Shooter: "Snipers always shoot from cover".

Full credit for these ideas belongs to Glen Sharlun, former US Marine, SANS Instructor and friend (glen@authentic8.com), and I am using them with permission. Let's start with a screen shot.



I am sitting in Hawaii logged on to Yahoo. But look closer. All the content is personalized for South Africa. More on that shortly. Before I start, I have no financial relationship with Authentic8, but every once in a while a security technology looks like a game changer. On to Glen's observations and my comments.

Cover is protection from the fire of hostile weapons.
Concealment is protection from observation, ..., but not from hostile fire.
-MCWP 3-11.1 4.1

So in the military/LEA (hell, any 'active shooter' scenario), the conversation almost always starts with 'immediately seek Cover and Concealment' when dealing with a hostile enemy.

• Using a single standard browser is surfing without any (digital) Cover or Concealment.
Funny, an hour before I received this email from Glen, I was bugging a coworker to download the Opera browser. It is not perfect by any means, it is in bed with tons of trackers, but it has fewer vulnerabilities than Chrome and beats using a single browser.

• Using multiple browsers is surfing with no (digital) cover, but some (digital) concealment.
= A lot of concealment actually. I mostly use a Mac with six different browsers on my desktop. In order to support and grade a SANS Technology Institute grad student project I slipped by Costco to get a Windows 10 box; that adds Edge, Internet Explorer (needed for updates), Firefox/NoScript (so I do have some cover), TOR, Chrome and Opera. I would assert I cannot be uniquely identified by my browser fingerprint.

• Using Tor (or such) is no (digital) cover, but good (digital) concealment.
Especially if you click on that link right after you install to *really* be safe!

• Using Silo is excellent (digital) cover, and good concealment.
A couple weeks ago, I got the love letter from OPM telling me my information had been compromised and wrote a LinkedIn post on the subject. One of the comments said that anyone involved in that adventure could get Silo for free for a year. Silo is a browser, but it is in the cloud. You don't get executable stuff, so drive-by malware can't get you. It reminds me a bit of the Google Docs Viewer: when you see spreadsheets, .pdfs or .docxs online, it opens them in Google Docs and simply displays them to Firefox (which gives you some digital cover).

• Using Toolbox is excellent (digital) cover and excellent (digital) concealment.
Toolbox is an upgrade to Silo. It is pretty cool. You can choose your browser fingerprint AND, a bit like TOR, you can choose the point where you appear to have accessed the Internet. For the screenshot on this post, I chose South Africa, which is why Yahoo is giving me .ZA regionalized ads and content.

1/12/16 When I upgraded to El Capitan, Piriform CCleaner quit working. I downloaded and installed it today. Keep in mind that I use the various browsers' clear history function every couple of days. It took 875.836 seconds to clean 14,609 files. That is a heck of a lot of state.

Browser: Poison URL

This is rich. The URL: https://www.islandgrownschools.org/about/schools-staff

Firefox/NoScript will not connect to it. Neither will Authentic8 Silo.
Let's try Python:
Stephens-MacBook-Pro:Downloads snorthcutt$ python
Python 2.7.10 (default, Oct 23 2015, 19:19:21) 
[GCC 4.2.1 Compatible Apple LLVM 7.0.0 (clang-700.0.59.5)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib2
>>> body = urllib2.urlopen("https://www.islandgrownschools.org/about/schools-staff")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>


Thursday, March 31, 2016

Extraction at Light Speed: Faster Blind SQL Injection

(Thanks to Benjamin Robinson for his excellent comments to improve this post.)

Most of my focus these days is on User Agents, since we are going to do a browser insecurity panel at SANS Boston 2016, but somehow one of my Google Alerts triggered on a recent OWASP SQL presentation on a series of methods to improve the scanning speed of Blind SQL Injection attacks.

"Blind SQL (Structured Query Language) injection is a type of SQL Injection (SQLi) attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection." - OWASP. Veracode has a nice graphic on SQL Injection that they allow you to place on your website.

Programmer Interview gives an example: "We said that loading the URL 'http://www.mybigspace.com?id=1008 AND 1=1' might result in mybigspace.com running the SQL above – the reason we said might is because of the fact that it depends on whether the server would allow the extra characters after the 1008 to be injected into the SQL."

NOTE 1: the string AND 1=1 is VERY common, and tools such as IDS/IPS/DLP/web firewalls should report these attempts to the SIEM. It should be OR 1=1. The reason is that select * from user where username = 'x' and 1=1 does not change the logic. However, select * from user where username = 'x' or 1=1 now returns all rows. If you want to learn more, you may want to reference the OWASP SQLi prevention cheat sheet (https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet).

NOTE 2: Mitre makes some additional comments; however, filtering union/select/insert as they recommend could have significant unintended consequences. That said, recommending strong input validation is always true for any interaction with software. If the database developers properly escape inputs, there should not be a problem with a user having the username "'; drop database allthethings --". Perhaps the webcomic XKCD explains it best :)

Other classic common examples, including the use of sleep(), can be found here. There is a (slightly boring) YouTube demonstration of Blind Injection available here.

This is not a new technique; one of the early talks on the subject was at Black Hat in 2004, where Cameron Hotchkies discussed automating the process. His process to search for integers was as shown:
"• Select a range (usually starting with 0)
• Increase value exponentially by a factor of two until upper limit is discovered
• Partition halfway between upper limit and previous value
• Continue to halve sections until one value remains"

Once there is an established technique such as the one above by Hotchkies, or the one below by Makan, tools to automate exploitation are developed. The open source sqlmap continues to mature as a tool aiding with identification of SQL injection vulnerabilities. Recognizing how rampant SQLi continues to be, most web application scanners have SQLi scanning modules. The idea of automating these tests eventually led to the creation of Burp Suite. There is an excellent GIAC Gold paper on the tool here. Another popular tool, the OWASP Zed Attack Proxy, also includes SQL injection modules.

It is generally agreed that Blind SQL injection is slow. This leads to the observation by Keith Makan in a recent (March 23, 2016) talk that is hosted on YouTube: https://www.youtube.com/watch?v=7WA9Muvt4Sg
Essentially, the idea is to automate the "Is it bigger than a breadbox?" game. His slides are available here: https://drive.google.com/file/d/0B0tB... As we seek to optimize our databases we also make them more predictable.

Summary (or, if I am a manager, why do I care?): This has been a long-standing source of vulnerabilities and introduces risk to most web-based applications. It is risk with a simple and well known countermeasure: always validate user inputs. Some articles you may want to review for further information:

"14 Years of SQL Injection and still the most dangerous vulnerability" (https://www.netsparker.com/blog/web-security/sql-injection-vulnerability-history/)
"The History of SQL Injection, the Hack That Will Never Go Away" (https://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away)

More and more data is stored in databases that can be queried from the Internet. These queries have been around forever and are getting better and faster. The good news is they are somewhat predictable and are VERY noisy. In addition to validating input, if we are monitoring our databases for more than just performance, the odds are quite high we can detect Blind SQL injection in the early phases of an attempted attack. If we are not monitoring our databases, the odds of a successful attack just increased, again.
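Hotchkies' four steps as an added Go example, not code from this post or from the talks it cites: findInt recovers a hidden integer using nothing but a simulated true/false oracle and counts how many probes it took. The oracle is constructed (no database or HTTP is involved); the probe count is the part a defender cares about, because each probe is one near-identical request in the web and database logs.

```go
package main

import "fmt"

// findInt recovers an unknown non-negative integer using only a yes/no oracle,
// greater(x) == "is the secret greater than x?", following the Hotchkies steps.
// It also returns how many oracle queries were needed: the number of
// near-identical requests a log would record for one extracted value.
func findInt(greater func(x int) bool) (value, queries int) {
	ask := func(x int) bool {
		queries++
		return greater(x)
	}
	lo, hi := -1, 0 // step 1: start the range at 0; after the loop, lo < secret <= hi
	for ask(hi) {   // step 2: double the probe until an upper limit is discovered
		lo = hi
		if hi == 0 {
			hi = 1
		} else {
			hi *= 2
		}
	}
	for hi-lo > 1 { // steps 3-4: halve the section until one value remains
		mid := lo + (hi-lo)/2
		if ask(mid) {
			lo = mid
		} else {
			hi = mid
		}
	}
	return hi, queries
}

// mkOracle is a constructed stand-in for the vulnerable page: it answers only "true"
// or "false" per probe, which is all a blind injection ever learns from one request.
func mkOracle(secret int) func(int) bool {
	return func(x int) bool { return secret > x }
}

func main() {
	// 1008 is the id used in the Programmer Interview example quoted above.
	v, n := findInt(mkOracle(1008))
	fmt.Printf("recovered %d after %d true/false requests\n", v, n) // 1008 after 21
}
```

For 1008 the doubling phase takes 12 probes and the halving phase 9, so roughly 2*log2(n) requests per extracted number, which is why the post calls this traffic VERY noisy.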







Wednesday, February 24, 2016

Saved by an abundance of caution - Firefox with NoScript


My default browser is Firefox with NoScript. It is a pain; a lot of things do not work, including slimy redirects with possibly malicious intent. Earlier today, I wrote the Advisory Board about using someone’s picture and story for the SANS Boston 2016 Brochure. I got a couple of replies, so when this came in I ASSUMED it was another reply and clicked on it; dumb. It is a redirect. But I was saved by my operating environment. Now, how to find out how to cause redirects to send me a popup asking for my permission.

= = =
Email had no subject (link has been modified for safety):



Best regards,
Blake Andrews
= = =
Result (thank you NoScript):