US Airline Shutdown for Regulation Violations

A US jet charter company had an expensive and dangerous crash in 2005. This led investigators to discover that Platinum Jet Management LLC was operating a high-risk and illegal airline. NJ.com says one of the pilots has now pleaded guilty to several serious charges:

Vieira told assistant U.S. Attorney Scott B. McBride that he falsified flight logs, altered weight and center of gravity graphs, and routinely flew illegal charter flights that violated federal safety regulations.

One of the practices of Platinum was to overfill fuel tanks at cheaper airports and then alter flight manifests to hide the extra weight. Another practice was to hire unqualified pilots and other staff. The performance of the flight attendant during the 2005 crash probably gave investigators several big clues about airline management practices.

…a Miami model and dancer — did not know how to open the door of the plane to evacuate those inside

NJ.com points out that passengers, who obviously were high-value assets, paid nearly $100,000 per charter even though the company was not even certified to fly.

ASP.NET Padding Oracle Attack

Cryptographic keys can be stolen from ASP.NET web applications by modifying cookies and reviewing the resulting errors — an information disclosure vulnerability from a side channel attack. This video shows the Padding Oracle Exploit Tool (POET) in action:

Details can be found here: Padding Oracle Crypto Attack (POCA)

The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application’s crypto API.

[…]

If the padding is invalid, the error message that the sender gets will give him some information about the way that the site’s decryption process works. Rizzo and Duong said that the attack is reliable 100 percent of the time on ASP.NET applications, although the time to success can vary widely. The real limiting resources in this attack are the speed of the server and the bandwidth available.

They say the longest attack time so far has been just 50 minutes. They do not say what the longest time is to fix a site and prevent the attack path.

Microsoft is investigating and discussing a fix. Since it is an information disclosure vulnerability I expect they will enhance the ability to redirect or completely suppress errors. They also may add some randomness of errors to reduce timing attacks — attempts to guess information by the time it takes to respond. Either way, it was already a best practice to suppress errors to prevent information disclosure.

Edited to add (Sep 28th):

  1. Here is a great introduction to the Padding Oracle Attack, including Python code.
  2. Microsoft has released a patch, which has to be manually installed from their Download Center. They also give the following recommendations, as I predicted above:

Until the patch has been installed, administrators should configure servers to only respond with a single error page, meaning that all server errors should return the same error page so that an attacker would not be able to determine which part of their request was deciphered properly. In addition to this, modify the Page_Load() function within the custom error page to pause for a short random sleep delay before sending the error response.

Administrators should watch for errors with the following message: “CryptographicException” and/or “Padding is invalid and cannot be removed” as these could be an indicator that an attacker may be trying to exploit this vulnerability against an IIS server.
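As an added example (not from the original post or from Microsoft's advisory), here is a small Python detector for the indicator above: it scans constructed, simplified log lines and flags clients that produce bursts of the padding errors, since a single such error is routine noise (an expired or corrupt cookie) while an oracle attack needs many of them in quick succession. The log layout, the field order and the thresholds are assumptions; adapt the regex to your own log schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp client-ip path message" layout.
SAMPLE_LOG = """\
2010-09-20 10:00:01 203.0.113.7 /WebResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-20 10:00:01 203.0.113.7 /WebResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-20 10:00:02 203.0.113.7 /WebResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-20 10:00:02 198.51.100.4 /Default.aspx System.NullReferenceException: Object reference not set to an instance of an object.
2010-09-20 10:00:03 203.0.113.7 /ScriptResource.axd System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-20 10:00:09 192.0.2.9 /Login.aspx System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
2010-09-20 10:45:00 192.0.2.9 /Login.aspx System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<path>\S+) (?P<msg>.*)$")
# The two strings Microsoft's advisory tells administrators to watch for.
ORACLE_MARKERS = ("CryptographicException", "Padding is invalid and cannot be removed")


def parse_lines(text):
    """Yield (timestamp, ip, path, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["path"], m["msg"]


def padding_oracle_suspects(text, threshold=3, window_seconds=300):
    """Return {ip: total padding-error count} for every client that produced
    at least `threshold` padding errors inside some `window_seconds` span."""
    events = defaultdict(list)
    for ts, ip, _path, msg in parse_lines(text):
        if any(marker in msg for marker in ORACLE_MARKERS):
            events[ip].append(ts)
    suspects = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0  # left edge of the sliding window over this client's events
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                suspects[ip] = len(stamps)
                break
    return suspects


if __name__ == "__main__":
    print(padding_oracle_suspects(SAMPLE_LOG))  # {'203.0.113.7': 4}
```

The two errors from 192.0.2.9 are 45 minutes apart and so are not reported with the default window; they only surface if the window is widened to an hour.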

Google Convicted of Defamation

The legalis.net report says the managing editor of Google.fr and Google Inc. has been sentenced for defamation of a person. Google is required to remove all “related searches” or face a 500 euro/day fine.

Interesting to note that the Court of Paris said Google did not show good faith. The search engine company had argued that because their search is “automated” and determined by “objective factors” they could not be held liable for results. This was not accepted as a defense.

The TGI de Paris refused to accept that Google was not involved merely because its system is automatic. Among other arguments, it noted, as in the judgment of 4 December 2009, that Google does not take into account certain search terms entered by users that could offend a large number of them, which necessarily implies that a prior sorting is done among the queries recorded in the database. Likewise, Google allows the public to report queries that should not be suggested, implying that human intervention is possible. On the infringement of freedom of expression that removing such word associations would supposedly entail, the 17th chamber of the TGI adopted a position different from that expressed by the judge in summary proceedings in his order of 22 July 2010. This feature, it noted, serves only to spare the user from typing out a full query, and “in any event the possible removal of one or another of the suggested search topics would not deprive any of them of the ability to access, on their own initiative and without being prompted by anyone, all the references indexed by the search engine corresponding to whatever association of words with whatever surname or company name they choose”.

The first thing that comes to mind is that Google has historically argued the opposite of their defense in this case. They have said they have a uniquely designed engine that has been tuned for better results.

It is from their particular algorithm, based on their superior engineering, that you get results you would want more than from other search engines. They are in the driver’s seat when they say they can tune their engine to present results that are good instead of bad, or popular instead of unpopular, or objective instead of biased.

No matter what you call it, they have been taking credit for results produced by the tool that they programmed. Now that results were found to be objectionable by a person, I find it odd to see them argue in court that they just passively ride in the back seat. This is like a newspaper saying it has no control over the content it publishes after marketing itself as an accurate source of news.

More to the point, the tool did not malfunction. Google did not claim someone broke in or modified the results without authorization. Instead they said the results were the natural byproduct of public opinion that they just pass along, as if their search engine adds no value at all. It is easy to see how the court reacted — protecting individuals from defamation should be within the capabilities of a search engine, just as protection from other forms of harm has been developed.

Google’s SafeSearch Filtering says it “blocks web pages containing explicit sexual content from appearing in search results”. They should have presented a defense along these lines rather than trying to cook up some weird concept of universal machine-based objectivity.

Segway kills company owner

The Telegraph says the Segway company owner died riding his two-wheeled machine off a cliff:

The multi-millionaire businessman, 62, fell into the River Wharfe while inspecting the grounds of his North Yorkshire estate on a rugged country version of the Segway.

Inspecting the grounds of an estate sounds a lot like the modern equivalent of a horse-riding accident. The sad irony is that the man who died made his fortune by selling security perimeter equipment to protect soldiers from harm.