Sunday, 6 June 2010

Really, Google? Really?

So it has recently come to light that Google will, according to this article, phase out Microsoft Windows in favour of Mac OS-X or Linux on the company machines. They are claiming that this is a security measure, citing the attacks on Google's Chinese operations recently. At this point in time I really have to wonder, what in the name of the seven deep dark pits of Hell are you not thinking Google? you could not be more wrong if you tried (yes, this annoys me so greatly my grammar is out the window.)

If you will allow me to explain for a moment. A few months ago, Google, amongst other large tech companies, was attacked by what became known as the Aurora Attack. An employee in Google China clicked on a link he received in an e-mail. I will assume it claimed to be an amazing picture of the Aurora Borealis or something of that nature. By clicking this link, he then infected his system and this spread throughout Google's network.

Now if we focus on the attack itself. Aurora is a Windows-based IE6-specific buffer overflow attack. This gives us 3 things that are needed for this attack to work:
  1. Windows
  2. IE6
  3. Buffer overflow attack
Let us now examine the 3 points each. Windows, more to the point Windows XP. Now Windows XP, as with most Operating Systems, really did not have any security features built into it, hence making them all as equally vulnerable. However most vendors have realised that this is no longer acceptable and have started adding security features to their OS's. We take the one specific feature in Windows XP, which is Data Execution Protection (details to follow in a later blogpost), which was added in as part of SP3, if memory serves. This was before the attack and would have prevented it, but it seems Google's computers were not up-to-date on software patches.

Next point is IE6, the all too famous Internet Explorer 6. The Bane of all web developers and the love of all its users. As with XP, it does not have any real security features built into it. in IE7 and IE8, there are some security features added in, but I am not sure what they are as I have not done a proper study, nor have I looked for any details. The point remains both IE7 & 8 were available at the time, as were Mozilla Firefox, Opera and of course Google's own Chrome browser. So not only were they using an unpatched OS, they were using an old outdated internet browser, despite having a browser of their own, which they will smugly tell you is more secure. It is undoubtedly more secure, so as to why it was not used escapes me totally.

Then we move on to buffer overflow attacks, which are well explained by my colleague in his blogpost. Also would recommend his post on ASLR/DEP.

There is also the matter of the Chinese activists getting their GMail accounts hacked. Well, what happened there is simple. Ever wonder how websites "remember you" and all your details? Simple, when you check the "Remember me" or "Keep me logged in" box, what the website does is store a small text file, called a cookie, with all your details on your computer. When you next visit the website, the browser loads up the cookie, passes on your details to the site and thus in a manner of speaking does the log in or you. Until recently GMail was based on HTTP and not HTTPS, meaning all cookies were passed around in the clear, as were all other communications. Given this situation it is fairly easy to intercept the packets going between GMail and your target and thus hack into their accounts.

Now, if we look at the choices of OS the employees have, we see Mac OS-X and Linux. Google seems to think there are more secure. Well, here's news for you Google, THEY'RE NOT!!! Honestly! As much as Apple advertisements would like to convince you that there are absolutely no viruses/malware for Mac, there are, just not as numerous as for Windows. "Why?" you ask me? Well, it's simple 80% of OS's out there are Windows, so its a numbers game, more targets means a larger chance of succeeding. Its pure and simple statistics. The same applies for Linux. Linux, on the other hand has a more unique problem. Since all the code is open source and freely available, someone could use the code to find a really nasty vulnerability. Granted that the code is a gajillion pages long, but the possibility still exists.

So, all in all, it really doesn't matter what Operating System Google uses, they all have vulnerabilities. Furthermore, if they don't keep up to date with the software patches and use secure versions of software, well then in my opinion they deserve to be attacked. Repeatedly. Citing "security reasons" for changing from Windows is the worst possible excuse Google could have come up with. Really, Google? GROW UP!

Tuesday, 1 June 2010

Facebook

Yes, I know I've been gone for a while, but I was busy. My apologies. Now that I am back, I will update more frequently. Now down to the matter at hand.

I'm sure most, if not all of you use or are aware of Facebook. Just as a brief recap, Facebook is a social networking site that allows you to add friends, communicate with them, play games, blah, blah, blah. To explain the problem at hand, we need to discuss some features of Facebook. The first one is Groups. Now a Group is basically a group of people brought together by some common theme, such as this group about potatoes. What people soon did was make groups for celebrities, fictional characters, TV Shows, movies and so on and so forth. Facebook thought "Well, this can't be right!" Thus were born fan pages. Its essentially a group with limited functionality, such as no messaging to all members.

Now, when a friend becomes a fan of something you get a message in your newsfeed saying "Friend is now a fan of Something." With your friend's name as a hyperlink to their profile page and similarly the name of the page links to the page itself. Of course Facebook changed "Become a Fan" to "Like", thus making it "Friend now likes Something."

However Facebook did not stop there. No, that would be easy and the sensible thing to do. They then went and did possibly the worst thing possible. They allowed the fan page hyperlink to direct to you to an external website!!! So now you can click on a page and you would be whisked of Facebook and taken to some other website.

Now where's the problem you ask? Surely Facebook checks all of these sites and ensures that they are safe and all that jazz. Sadly not. A large number of sites exsist where simply visiting the site makes you Like it on Facebook and publishes that your friends newsfeed, who the click on the link and so a worm is born. This has a non-destructive payload, but it is definatly proof of concept.

What's even worse, in a reaction to exceptionally long page names, somebody posted a page on how to remove them from your newsfeed. This lead to site, which then issued a pop-up saying "I don't know either!" Really funny right? Yes, because these sites can actually execute arbitrary code and do essentially anything. The main concerns here are Clickjacking and Cross-Site-Scripting. These can be used to do well potentially anything to your system.

Ironically as I am writing this post, I have come across this blog post from Sophos' Graham Cluely. This shows that it is possible and it has been done. I will leave you to read that, as well, his post is probably better then mine will ever be.

Right, so having been a bit scared, what do we do? Simple:
DO NOT LIKE RANDOM PAGES!!!
DON'T DO IT!!!
Seriously, don't!