Wednesday, 28 March 2012
On the 7th March I blogged about port scans coming from a remote machine http://bit.ly/HiwIFq. At the time I emailed the company owning the IP address range from which the scans were coming and got the wonderful "this is low priority and we will look into it".
Well, today, 21 days later, I got a reply:
"Thank you for your notice. The server you have provided in your log is no longer on our network. Thank you for your cooperation and please let us know if we can do anything else."
Well, it took three weeks, but they finally got around to replying to say it had been sorted. In a couple of days I will be publishing the results of analysing the March log files from my ADSL router.
Tuesday, 27 March 2012
Kaspersky and the BBC
For a short time today Kaspersky Lab's reputation service flagged the BBC website as a dangerous web resource, with many of the links highlighted as being suspect, as shown below.
When I sent them the screenshot, their customer service department did say: "This is a false alarm that we are working swiftly to rectify, it will be solved in the next set of Kaspersky database updates. We apologise for the inconvenience."
I can think of other web pages that could be similarly classified!
Monday, 26 March 2012
Tools (March 26th)
Weekly blog on the tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.
One of the features I feel a pen test tool should have is the ability to add to its functionality, and this demonstrates why: the ability to run additional tools from within another improves the testing capability of a tool.
Sqlmap plugin for BurpSuite http://code.google.com/p/gason/
This project contains plugins to extend BurpSuite proxy. The first release contains a plugin to run sqlmap from Burp.
OWASP ZAP http://code.google.com/p/zaproxy/
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox. The current version of ZAP is 1.3.4, but they have also got a 1.4.alpha.1.
I have looked at several sites where there have been problems with security certificates; this is a tool I will be looking at to see if it can help with identifying the problems.
SSLyze http://code.google.com/p/sslyze/
A better, faster scanner to analyze the configuration of SSL servers.
- Supports cipher suites scanning, insecure renegotiation verification, session resumption testing, client certificates, and more...
- Tested on Python 2.6 & 2.7 with Ubuntu and Windows 7, both 32 and 64 bits. Might work on other platforms as well.
- Based on OpenSSL and a custom SSL Python wrapper
Friday, 23 March 2012
CPD Presentations
Starting to work on two presentations that I will be giving next month. I will be revamping my Hollywood Forensic presentation, which I will be giving to the Hertfordshire Branch of the BCS http://bit.ly/AcZ3TC on the 24th April: a look at how the TV and film industry portray digital forensics and a look at how it is done, a sort of gentle introduction to the topic of Digital Forensics combined with a reality check for those who get a fix of CSI and NCIS etc. on a weekly basis. I will also be doing the same talk at the Bedford branch of the BCS in June; this will appear on the web page http://bit.ly/GIZbFu in the next month.
The other talk is on wireless security, but looking at the home user's perspective rather than industry use of wireless; this is for the Hertfordshire Section of the Institute of Measurement and Control http://bit.ly/GHN0Xm. This takes in my research interest that I am covering in my other blog, Wireless MSc Research http://bit.ly/GIz8vM. The talk will look at the issues in implementing a network using wireless technology, especially in the domestic environment. Wireless technology has a history of security problems, with flaws in the implementation of WEP and recently with WPS. Secure configuration is becoming increasingly important as a lot more users are using wireless to create multimedia entertainment systems, enabling laptops, smartphones and games consoles to have internet access, and to create CCTV systems to monitor home security and children's playrooms. The courts have already convicted paedophiles of piggybacking neighbours' wireless networks to download material, and hackers of using wireless networks for pirating software, music and films and for spying on occupants using their own security cameras. I will be covering the (open source) tools that can be used and how these apply to the home environment. The talk will include practical demonstrations of the tools and techniques discussed in the presentation and unravel the alphabet soup of the available standards.
Monday, 19 March 2012
Tool Update 18 March 2012
Weekly blog on the tools that have come to my attention over the last week. It is not a comprehensive tool list, but tools that I found interesting or details of tools I use that have been upgraded.
One of the most interesting releases that has hit the infosec world is not so much a pen test tool but the Anonymous OS. I'm not going to go into details, but check the threads on Twitter and the blogs for more details on the so-called Anonymous OS, which has been denied by Anonymous and removed from SourceForge.
Update Seccubus V2.0 beta3 http://seccubus.com/
Tool to automatically fire regular security scans with Nessus. Compare results of the current scan with the previous scan and report on the delta in a web interface. Main objective of the tool is to make repeated scans more efficient.
Web Application Security Penetration Testing https://addons.mozilla.org/en-US/firefox/collections/adammuntner/webappsec/
The plugin list for Firefox has been updated. As the list maintainer says, he cannot guarantee the trustworthiness of the plugins, but plugins provide useful functionality to the browser; there is a good range for IE, Firefox and Chrome that are useful for the web application tester.
CANAPE security assessment http://www.contextis.com/news/
Context Information Security has been presenting its latest Windows security assessment tool at Black Hat Europe this week in Amsterdam. CANAPE extends the functionality of existing web application testing tools such as CAT, Burp or Fiddler in order to analyse complex network protocols.
Port scan update 19th March
After a week and a few days of peace on the ADSL router, a Chinese machine has come knocking over the last few days. I have received 11 reported DoS events on various ports, which is probably the Netgear router's way of saying it is seeing a very slow port scan for proxy servers rather than a DoS attempt.
The ports being probed are:
- 80 HTTP
- 3246 DVT SYSTEM PORT
- 5390 Bosch Video Management
- 7212 Unassigned by IANA (Ghost Surf Proxy)
- 8080 HTTP Alternative
- 8123 Polipo Web Proxy
I will be producing a monthly report at the end of the month, and it looks like March will be a bumper month for attempts.
Cyber Security Important to the UK
I attended "The Future of Cyber Security 2012" conference http://bit.ly/woU3Ed in London today; the range of topics was wide, ranging from protecting mobiles to the cyber economy, the implementation of cyber security and the future of cyber security. When I got home there was an interesting coincidence in that I found the BBC website had an article, "UK is the 'most internet-based major economy'" http://bbc.in/FPSugF, based on a report by researchers at the Boston Consulting Group (BCG). The report claimed the "internet economy" was worth £121bn in 2010, more than £2,000 per person in the UK, and they predict it will continue to expand at a rate of 11% per year for the next four years, reaching a total value of £221bn by 2016. The figures bear out that cybercrime is big business: the money is on the internet, it is perceived as being easy to commit with a low chance of being caught, and if you are caught the sentencing is lower than for a physical robbery. With highly skilled cybercriminals developing and distributing automated click-and-attack tools, even the most basically IT-literate person can go online and commit cybercrime.
As I said, there was a good range of talks at the conference from all sectors: public, private and academic bodies. Each talk complemented the others, which made the conference even better from an attendee's point of view.
Cyber security is important to the UK, as a substantial amount of business is conducted on the Internet as shown in the BCG report, but it is important to all countries. Stefan Tanase from Kaspersky alluded to the cybercrime economy maturing, with organised crime planning exit strategies to escape from the illegal activities before they are caught. This is very much like organised crime expanding from criminal activities into legitimate activities: the Koobface gang has invested in nightclubs and other ventures, and although they have not been caught, having been exposed they have stopped their activities. Although the risk of being caught is low, the longer they go on, the greater the likelihood of being caught. With cyber-criminal gangs stopping after a couple of years, the investigation of cybercrime needs to speed up.
Charlie McMurdie, head of the PCeU, gave facts and figures on the performance of the PCeU: it was given a £30 million budget and told to target £504 million of cybercrime, and it has exceeded this in the first year of operation. This gives an indication of the scale of the crime, although it is difficult to come up with a series of metrics that can be used to judge the performance of security plans. If 100,000 credit card details are recovered and the potential for fraud is about £2k, it is not a simple case of multiplying out the factors, as some of the credit card details would already have been cancelled and the actual value can be considerably less. However, the police are making inroads into targeting the more important players rather than the foot soldiers of the gangs. Taking the example of hacktivism with the activities of Anonymous: the several hundred thousand people who downloaded the tools and took part, either directly or by handing remote control of their PC over to Anonymous, are identifiable and could be arrested to get some high arrest figures, but it is those who developed and controlled the tools that are being targeted. An interesting fact is that the majority of people in the UK who downloaded the tools did so on their work PCs, a fact that should make public and private sector organisations sit up and reflect on the implications for their security policies.
If you were involved in cyber security in the 1990s you would have seen malware development move from a couple of new viruses per day through to the current 9 new variants per second being detected by Secunia, as told by Stefan Frei. Additionally, it has moved from some of the malware being annoying but not dangerous, with the screen being flipped upside down, to virtually all malware today being aimed at making money, with passwords and identity credentials being targeted, as reported by Jeremy Spencer from Orange: if they can't steal money from your machine, your machine becomes a resource they can sell as part of a botnet.
There were discussions on where criminal activity will be heading in the future, as cyber security needs to keep up with it and develop counter techniques to ensure the security of devices, protecting intellectual property as well as identity and money.
A good portion of the talks was about protecting mobile devices and the trend of BYOD within organisations. Orange used the conference to launch their new product "Secure Mobility", which combines the Orange VPN service with Mobile Iron's solution to form an end-to-end security platform with remote management of corporate activities. I won't go into this in detail as I'm sure Orange will be pushing the details out to corporate users.
Saturday, 17 March 2012
Blogging for a month
I have been doing this blog for a month now and have had over 500 page views in the first month, which I'm pleased with. I will be continuing the blog with a stronger emphasis on Information Security. I am planning to do a weekly blog entry on Pen Testing tools, and also planning to do a monthly blog entry on the port scans of my ADSL router. In addition to the planned regular blogs I will be blogging about the activities I undertake for CPD, and these will be combined with entries aimed at students and those wishing to enter the InfoSec profession. As I have been doing, there will be entries about anything I feel interested in and motivated to blog about.
In the first month my top article was on "What makes an ethical hacker legal" http://bit.ly/wyekis; the other popular entries were the series of blogs on Cookies and the PECR: "Cookies hit headlines as the ICO deadline approaches" http://bit.ly/wtsCin, "Why are cookies used on web sites? (Part 2)" http://bit.ly/z4kYkg, "Privacy and cookies (part 3)" http://bit.ly/zHOKfe, "Browsers, Cookies and Privacy (part 4)" http://bit.ly/A1ogiR, and "Cookies and the PECR (part 5)" http://bit.ly/zenFk3. I will be working on these blogs and producing an article combining all 5 entries into a single paper. There was also a lot of interest in the port scanning entries.
Friday, 16 March 2012
Working with Students
One of the activities I enjoy whilst trying to earn enough CPD points is working with the local schools and colleges and helping students who are starting or thinking about starting on a career in computer security or digital forensics to gain an understanding of what it is like to work in the industry.
Whilst I was working at the University of Bedfordshire I had the great pleasure of having speakers from the Metropolitan Police give talks, and Keith Cottenden of Cy4or regularly spoke to the students; we also had an association with 7Safe, with whom the University worked on an MSc pathway for computer security and forensics.
Whilst teaching the introduction to the subject areas I have always emphasised the point of being professional and ethical in their studies, and for them to continue this behaviour into their careers.
I also point out that they could come across some unsavoury material in the course of their careers; this is something they need to consider in deciding on their career path.
The last point is continual personal development. I myself feel that the more I learn, the more there is I need to learn, and researching tools and techniques is an important part of this, as well as networking with other security professionals. I will encourage students to start this as they start their courses. Of course, research should be conducted with the same ethical and professional approach they apply to their studies and careers. It can be a very fine line between researching to learn and crossing the line to the dark side, to paraphrase a film from my youth.
In terms of a career they have a wide choice to select from, ranging from penetration testers to digital forensic examiners, and from chief information security officers to network engineers with a security background. They can work in a range of organisations, from public bodies including government agencies through to SMEs. Computer security affects all walks of life, and there is a need for security professionals in all walks of life to counter threats and protect our digital lives.
Since leaving the university I have maintained my associations with the local colleges and university and have enjoyed working with Bedford College and the University of Bedfordshire at a number of activities this year. In January I spoke to Bedford College evening and part-time students about web application security. In February I worked with the IEEE Student Branch at the University of Bedfordshire on a wireless security workshop. In March I returned to Bedford College to discuss ethical hacking and security with their daytime students.
I am hoping that the association will continue in the future as it is great to see keen young students taking an interest in Computer Security and Digital Forensics and it is also an enjoyable way of earning some valuable CPD points.
Cookies and the PECR (part 5)
Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR)
As previously stated, on 26 May 2011 the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) came into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance these powers and introduce new requirements, most notably in relation to cookies.
From the ICO advice on the new cookie regulations, the change introduced is that cookies can only be placed on machines where the user has explicitly given permission.
Regulation 6 of the PECR
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Notes:
Regulation 6(3) implies that the first time the terminal equipment of a subscriber or user is accessed they must be asked; however, on subsequent visits it is not necessary to repeat the request for consent. However, if equipment is shared between users, it is hard to see how the website will know whether it is the same user or not.
Regulation 6(3A) does allow a website to test whether cookies are allowed by trying to write and read a cookie, which the ICO has indicated is not fully acceptable. I assume that if the site detects that cookies are not allowed then it can assume consent is not given; however, if it can write and read cookies then it has to ask for consent, at which point it is too late, as it has already written a cookie, potentially without consent.
Regulation 6(4) exempts strictly necessary cookies from the consent request process, where strictly necessary means necessary for the operation of the web application to meet the subscriber's or user's expectations.
Cookies and the PECR
Previously, companies using cookies only had to inform users about their use and give users the opportunity to "opt out" if they wanted; now it is an "opt in" requirement.
In order to determine whether people had opted out, companies have been using the technique of trying to write a cookie to the browser and immediately reading it back to test whether the user had disabled the acceptance of cookies; if they could write a cookie, it was assumed the user had not opted out of accepting cookies.
The Information Commissioner now advises that these techniques are not currently sophisticated enough to allow companies to assume that the user has given consent, and he advises that companies should obtain user consent in some other manner.
In order to give the rules some bite, the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules, along with the use of enforcement notices and undertakings, as previously, as part of the range of options available to it to make sure organisations comply with the law.
The Commissioner has said they will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate, or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
This is going to mean companies will need to look at their websites and develop a strategy for handling the gathering of cookie consent.
The process of cookie consent handling is shown in this flowchart.
At the moment essential cookies don't need consent, so if your site only uses essential cookies then no consent is required. However, if you have a mix, and most sites will, especially if they are using Google Analytics, then you will need to get consent for the cookies that are not strictly necessary, and this is where the problems start.
What is the ICO doing?
The ICO website has a banner for requesting consent for using cookies, with a check box for accepting cookies, a continue button and a link to a privacy notice, this is all good until you click on the continue button without accepting cookies from the site, the warning changes by the addition of a line saying "You must tick the "I accept cookies from this site" box to accept, and the banner stays on all pages until you tick the box. This shows the problems of getting consent and how it affects user experience if at the top of all web pages is banner about cookies.
What is the solution for the future?
The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers.
The EU has said existing cookie controls in browsers are not flexible enough and a majority of users don't understand cookies and won't be able to configure cookies from the web site
.
Some extensions to browsers do give the functionality to allow the blocking of some and allowing others, however it takes user awareness and knowledge. Software writers developing browsers could take some of these ideas and implement them in the browser and at the first time of using the browser it could ask for setting to be configured with the default being, strictly necessary cookies are allowed all other are blocked, but how does a browser know a strictly necessary cookie form any other cookie. Here a development of a new RFC for session management is required with a new attribute of strictly necessary which can be set by the website developer. The ICO and other such agencies could that have strict penalties for incorrect setting of cookie attributes.
As previously stated, on 26 May 2011 the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) came into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance the existing powers and introduce new requirements, most notably in relation to cookies.
According to the ICO advice on the new cookie regulations, the key change is that cookies can only be placed on a user's machine where the user has explicitly given permission.
Regulation 6 of the PECR
6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Notes:
Regulation 6(3) implies that the first time the terminal equipment of a subscriber or user is used they must be asked; however, on subsequent visits it is not necessary to repeat the request for consent. However, if equipment is shared between users, it is hard to see how the website will know whether it is the same user or not.
Regulation 6(3A) does allow a website to test whether cookies are allowed by trying to write and read a cookie, which the ICO has indicated is not fully acceptable. I assume that if the site detects that cookies are not allowed then it can assume consent is not given; however, if it can write and read cookies, it then has to ask for consent, at which point it is too late, as it has already written a cookie, potentially without consent.
Regulation 6(4) exempts strictly necessary cookies from the consent request process, where strictly necessary means necessary for the operation of the web application to meet the subscriber's or user's expectations.
Cookies and the PECR
Previously, companies using cookies only had to inform users about their use and give users the opportunity to "opt out" if they wished; now it is an "opt in" requirement.
In order to determine whether people had opted out, companies have been using the technique of trying to write a cookie to the browser and immediately reading it back to test whether the user had disabled the acceptance of cookies; if the cookie could be written, it was assumed the user had not opted out of accepting cookies.
The Information Commissioner now advises that these techniques are not currently sophisticated enough to allow companies to assume that the user has given consent, and that companies should obtain user consent in some other manner.
In order to give the rules some bite, the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules, alongside the enforcement notices and undertakings it has previously used as part of the range of options available to make sure organisations comply with the law.
The Commissioner has said that a monetary penalty notice can be imposed if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate, or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
This means companies will need to look at their web sites and develop a strategy for gathering cookie consent.
The process of handling cookie consent is shown in the flowchart below.
At the moment essential cookies don't need consent, so if your site only uses essential cookies then no consent is required. However, if you have a mix, and most sites will, especially if they use Google Analytics, then you will need to get consent for the cookies that are not strictly necessary, and this is where the problems start.
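As an added illustration (not code from the original post), here is how a site could implement the consent gate described above on the server side in Python: cookies are classified as strictly necessary or not, and only an explicit opt-in record, never the mere fact that the browser accepted a cookie, unlocks the non-essential ones. The cookie names, the consent cookie name and the classification table are assumptions made up for the example.

```python
# Added example (not from the original post): server-side consent gating for
# Set-Cookie headers.  Only an explicit consent cookie counts as consent; the
# mere fact that the browser accepted a test cookie does not.
from http.cookies import SimpleCookie

# Constructed classification of the cookies this hypothetical site uses.
# "necessary" cookies fall under the Regulation 6(4) exemption; everything
# else needs opt-in consent under Regulation 6(2).
COOKIE_CLASSES = {
    "sessionid": "necessary",      # login / session management
    "basket": "necessary",         # shopping basket the user asked for
    "_ga": "analytics",            # analytics (not exempt)
    "ad_profile": "advertising",   # advertising / profiling (not exempt)
}

CONSENT_COOKIE = "cookie_consent"  # hypothetical name for the opt-in record


def consent_given(cookie_header):
    """Return True only if the request carries an explicit opt-in record.

    A Cookie header that merely shows cookies *work* (for example a "test=1"
    cookie written and read back) is not treated as consent.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(CONSENT_COOKIE)
    return morsel is not None and morsel.value == "yes"


def set_cookie_headers(request_cookie_header, wanted):
    """Filter the cookies the application wants to set down to those allowed.

    `wanted` maps cookie name -> value.  Returns the list of Set-Cookie header
    values that may actually be sent for this request.
    """
    allowed = []
    consented = consent_given(request_cookie_header)
    for name, value in wanted.items():
        cls = COOKIE_CLASSES.get(name, "unknown")
        if cls == "necessary":
            # Exempt cookie: kept out of script reach and off plain HTTP.
            allowed.append(f"{name}={value}; Path=/; Secure; HttpOnly")
        elif cls != "unknown" and consented:
            allowed.append(f"{name}={value}; Path=/; Secure")
        # Unclassified cookies are never set: classify them first.
    return allowed


def record_consent(ticked):
    """Set-Cookie value recording an explicit opt-in, or None if not ticked."""
    if not ticked:
        return None
    return f"{CONSENT_COOKIE}=yes; Path=/; Max-Age=31536000; Secure"


if __name__ == "__main__":
    wanted = {"sessionid": "abc123", "_ga": "GA1.2.1", "ad_profile": "p9"}
    # First visit, no consent: only the necessary cookie goes out.
    print(set_cookie_headers("", wanted))
    # Browser accepted a test cookie: still not consent.
    print(set_cookie_headers("test=1", wanted))
    # Explicit opt-in present: every classified cookie may be set.
    print(set_cookie_headers("cookie_consent=yes; sessionid=abc123", wanted))
```

The consent record itself is a cookie, which is why it is the one non-session cookie the site writes before the user has opted in; the ICO banner described below has the same property, as the tick-box state has to be remembered somewhere.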
What is the ICO doing?
The ICO website has a banner requesting consent for using cookies, with a check box for accepting cookies, a continue button and a link to a privacy notice. This is all good until you click the continue button without accepting cookies from the site: the warning changes by the addition of a line saying "You must tick the 'I accept cookies from this site' box to accept", and the banner stays on all pages until you tick the box. This shows the problems of getting consent and how it affects the user experience if a banner about cookies sits at the top of every web page.
What is the solution for the future?
The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers.
The EU has said existing cookie controls in browsers are not flexible enough and that a majority of users don't understand cookies and won't be able to configure cookies for a web site.
Some browser extensions do provide the functionality to block some cookies and allow others; however, this takes user awareness and knowledge. Browser developers could take some of these ideas and implement them in the browser: the first time the browser is used it could ask for the settings to be configured, with the default being that strictly necessary cookies are allowed and all others are blocked. But how does a browser tell a strictly necessary cookie from any other cookie? Here a new RFC for session management is required, with a new "strictly necessary" attribute that can be set by the website developer. The ICO and other such agencies could then have strict penalties for incorrectly setting cookie attributes.
Tuesday, 13 March 2012
Browsers, Cookies and Privacy (part 4)
Below I have screen grabs of three of the most used browsers on a PC, showing the options available to control how the browsers interact with cookies.
Internet Explorer 9.05
Firefox 10.0.2
Chrome 17.0.963
The common features amongst the latest versions of browsers are
- Block all cookies
- Block third party cookies
- Allow exceptions
However the different ways of implementing the controls will make it difficult for a web site owner to give instructions on how to handle consent for cookies.
Ideally a web user needs a more flexible approach to controlling cookies than the blanket controls based on the options of either ignoring all cookies, ignoring 3rd party cookies or accepting all cookies. The browsers above do offer some additional features, of which the exceptions option is probably the most important, as it allows a blanket ban on cookies to be overridden for selected web sites. A good feature that a lot of browsers are now implementing is allowing session cookies, which are typically associated with the management of web applications but only exist for the duration of the visit. An additional handy feature is the ability of some browsers to delete all cookies on exit, thus turning all cookies into session cookies.
The ability to accept only session cookies, or to turn all cookies into session cookies by forcing their deletion, is fundamentally important with a modern dynamic web application, where session management cookies allow the web site to function as the user expects. With the new regulation a lot of web sites are being forced to offer two alternatives, consent to cookies or block all cookies, as they can't rely on users configuring their browser settings. In fact, assuming consent has been given because the browser accepts cookies has been specifically ruled out; it is written that a site must get consent before writing a cookie to the client browser.
A user of a web site is now being forced into either accepting all cookies, because they want the functionality of the web application, or losing the functionality of the web site because they don't want the functionality of some of the cookies. Although the regulations say consent for strictly necessary cookies is not required, the cookie specification and browser support are insufficient to allow acceptance of strictly necessary cookies while blocking all other cookies, unless the web site uses session-only cookies for the strictly necessary functionality and non-session cookies for all other uses, and even then the browsers will need to be correctly set.
This series of blogs will end with a look at the possible options for meeting the regulations and suggestions on a way forward.
Monday, 12 March 2012
Privacy and cookies (part 3)
So far, it seems that cookies are useful and help by making the browsing of websites a better experience for the user, so why are the EU and privacy organisations concerned about cookies? Well, hopefully you picked up some points I mentioned in the previous blog entries about cookies that are the cause of the concern about privacy. For those who didn't, it is because cookies can be used for tracking, they can be created by third parties, and browsers frequently ignore recommendations in the RFCs about session management.
Tracking
A company may want to track a person using its website. It does this by setting a first-party cookie and then logging the pages requested with the cookie sent in the request header, enabling it to track page views and the order in which they were viewed. The data is used to improve navigation, calculate popular pages and personalise the pages offered to a user on their next visit, depending on what was viewed last time.
3rd Party Tracking
Third-party companies can create a cookie on a domain other than the one visited if the web page includes objects, such as images, requested from the third party's domain; this allows the creation of third party cookies with a domain different from the domain of the requested web page.
If the third party has a series of these objects across a large number of domains, it can do what a first party cookie on its own website does, tracking the pages viewed, but now across all domains on which it has an object embedded. This can allow targeted advertising based on web sites visited, e.g. adverts for trainers if the user has visited a number of sports footwear websites, but it can also be used to profile a user for other purposes.
Reselling Internet usage
Generally with a web site to which you subscribe there is the option to decide how the owner of the web site can use your information and whether they can pass it on to external parties. However, when it comes to third party tracking of Internet usage it is a lot harder to prevent them from reselling the derived data about your web usage; they can use the information themselves and additionally sell it on to other interested parties, either for marketing purposes or for other profiling purposes.
Profiling
If a user is tracked across the Internet through 3rd party cookies, for example by an advertising company that places its adverts onto websites so the owners can generate revenue from per-click advertising, the advertising company can record what sites a user has visited. If, for example, it tracks a unique cookie value as having visited several horticultural sites and sites about growing cannabis etc., this level of profiling and tracking would be useful to law enforcement agencies.
Leakage of information
Additionally, vulnerabilities have allowed data to be retrieved from cookies that could allow an unauthorised person to steal information about the user and/or impersonate them on web sites, allowing identity theft, fraud and other crimes to be committed.
Privacy and the real world
The real danger comes when it becomes possible to link an online identity created by a unique cookie value with personally identifiable information, allowing the online identity to be linked to a real-world identity so that a name and address can be added to the data collected about their viewing habits. This could be useful for direct mail marketing companies but could also be abused by companies, criminals and other agencies.
Tool Update 12th March
Another round up of tool releases that can be useful to the Pen Tester, if you are aware of any new tools or releases of existing tools you feel should be included please contact me with the details.
The comments here are my own views and I am not recommending any one product over another, if you are looking for tools I recommend trying a few, as most have free versions and picking the one that works for you. We all have our own methods of working and a pen tester’s tool bag reflects their own personality.
New test release of NMap (9th March 2012)
http://seclists.org/nmap-hackers/2012/0
5.61TEST5. This release has 43 new scripts, including new brute forcers for http proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth daemon, and old-school rsync.
Vanguard Pentesting Scanner (8th March)
http://packetstormsecurity.org/files/download/110603/vanguard-public.tgz
Vanguard is a comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web applications. It provides crawling, uses LibWhisker2 for HTTP IDS evasion, and checks for issues like SQL injection, XSS, LDAP injection and more.
Not a tool as such but useful nevertheless: Mutillidae (9th March)
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administer their own webserver. It is already installed on Samurai WTF; simply replace the existing version with the latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them, providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiasts, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software.
Sunday, 11 March 2012
Analysis of Logfiles (Jan & Feb 2012)
After the probes early this month on my ADSL router, I looked back through the Jan and Feb log files for records of probes and analysed the results. The router records DOS and Port Scans, with the originating IP address. For this simple analysis I looked at the total number of attacks and whether they were DOS or Port Scans. From the IP addresses I identified the number of unique IPs and then looked up the country in which each IP address was registered.
Feb 2012
Jan 2012
This exercise will be repeated every month, with the details being added to the tables. I will also create a page with the results on the blog.
Month    | No Attacks | DOS | Port Scans | Unique IP | Unique Countries
Feb 2012 | 76         | 74  | 2          | 60        | 9
Jan 2012 | 96         | 94  | 2          | 86        | 6

Feb 2012
Country      | Attacks
Turkey       | 52
Ukraine      | 2
France       | 1
China        | 1
Egypt        | 1
South Africa | 1
UK           | 1
Netherlands  | 1

Jan 2012
Country      | Attacks
Turkey       | 79
South Africa | 3
Hong Kong    | 1
Switzerland  | 1
USA          | 1
Thailand     | 1
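Added example, not from the original post: a Python script that produces the figures in the tables above from router log lines. The log line format, the sample lines and the IP-to-country mapping are constructed for the example (the author's router format is not shown on the page); countries are counted once per unique IP, which is how the per-country figures above add up to the Unique IP column.

```python
# Added example (not from the original post): summarising constructed router
# log lines into the columns used in the tables above.  The log format and the
# country lookup are assumptions made for the example.
import re
from collections import Counter

# Constructed sample lines in a hypothetical "<date> <time> <event> from <ip>" format.
SAMPLE_LOG = """\
2012-02-01 03:12:44 DOS attack from 203.0.113.10
2012-02-01 03:12:45 DOS attack from 203.0.113.10
2012-02-02 11:02:09 Port Scan from 198.51.100.7
2012-02-03 19:40:01 DOS attack from 192.0.2.200
2012-02-04 08:15:30 Port Scan from 203.0.113.10
2012-02-05 23:59:59 DOS attack from 198.51.100.8
this line is not in the expected format
"""

# Constructed IP -> country mapping standing in for a WHOIS / GeoIP lookup.
COUNTRY_OF = {
    "203.0.113.10": "Turkey",
    "198.51.100.7": "Ukraine",
    "198.51.100.8": "Ukraine",
    "192.0.2.200": "France",
}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<kind>DOS attack|Port Scan) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_log(text):
    """Yield (month, kind, ip) for every line that matches the expected format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than miscounting them
        month = m.group("date")[:7]  # e.g. "2012-02"
        kind = "DOS" if m.group("kind").startswith("DOS") else "Port Scan"
        yield month, kind, m.group("ip")


def summarise(text, country_of):
    """Per-month totals matching the columns of the summary table above."""
    per_month = {}
    for month, kind, ip in parse_log(text):
        s = per_month.setdefault(
            month, {"attacks": 0, "DOS": 0, "Port Scan": 0,
                    "ips": set(), "countries": Counter()})
        s["attacks"] += 1
        s[kind] += 1
        if ip not in s["ips"]:
            # Count each source once per country, not once per event.
            s["ips"].add(ip)
            s["countries"][country_of.get(ip, "Unknown")] += 1
    return {
        month: {
            "No Attacks": s["attacks"],
            "DOS": s["DOS"],
            "Port Scans": s["Port Scan"],
            "Unique IP": len(s["ips"]),
            "Unique Countries": len(s["countries"]),
            "By Country": dict(s["countries"]),
        }
        for month, s in per_month.items()
    }


if __name__ == "__main__":
    for month, row in summarise(SAMPLE_LOG, COUNTRY_OF).items():
        print(month, row)
```

Lines that do not match the pattern are skipped rather than counted, so a change in the router's log format shows up as a drop in the totals instead of as silently wrong figures; checking the parsed count against the raw line count is a cheap sanity check when repeating this each month.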
Saturday, 10 March 2012
Why are cookies used on web sites? (Part 2)
Web pages use the Hyper Text Transfer Protocol (HTTP) to transfer the page from the web server to the client's browser; the page is coded in Hyper Text Markup Language (HTML), which the browser renders to create the web page on the screen. When Sir Tim Berners-Lee developed HTTP at CERN, the particle physics laboratory on the French-Swiss border, it was a stateless protocol: each transfer of a single web page was a single transaction within the protocol, independent of any other, and it was not possible to transfer information between web pages.
It was not long before information was being exchanged between web pages by using Uniform Resource Locator (URL) encoding in a GET request or in the body of a POST request. GET and POST are two types of HTTP request method used by the client to request a resource from the web server. The URL of the requested object is contained in the header of a request method.
Sample GET Request showing URL encoding
GET /path/script.cgi?field1=value1&field2=value2 HTTP/1.0
From: someuser@internetuserl.com
User-Agent: HTTPTool/1.0
[blank line here]
Sample POST Request showing data in the body of the method
POST /path/script.cgi HTTP/1.0
From: someuser@internetuserl.com
User-Agent: HTTPTool/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
[blank line here]
home=Cosby&favorite+flavor=flies
When using a GET request the transferred data is visible in the address box of the browser; in a POST request the data is not so visible.
However these methods of transferring data are transient and don't provide the persistence of data that is required for a more complex web application and for a personalised experience. As web pages are rendered on the client machine, a technique of using variables stored in the client's browser was developed; these variables are known as cookies.
The document Request for Comments (RFC) 2109, Feb 1997, deals with the HTTP State Management Mechanism and describes the two new headers introduced to the HTTP protocol, Cookie and Set-Cookie. The Cookie header is used in the request to send a cookie to the server; the Set-Cookie header is used in the response to set a cookie on the client browser.
In RFC 2109 third party cookies were not allowed; however, this was ignored by some companies, and RFC 2965 (Oct 2000) and RFC 6265 (April 2011) have redefined the HTTP State Management Mechanism.
There are a number of controls built into session management by the use of cookies to try to protect the user, such as that a cookie should only be read by the domain that created it. However, these controls can be bypassed; the newer attributes introduced into the cookie header in later RFCs are meant to control the exploitation of cookies, but the browsers themselves can be exploited to give up cookie information.
There are a number of types of cookies:
Session cookie
Only lasts whilst the website that created it is being used; a session cookie is created when no Expires attribute is provided at creation, and a browser should delete session cookies when it quits.
Persistent cookie
A persistent cookie outlasts its session, retaining information until the Expires date or Max-Age is reached, allowing information to be exchanged across multiple sessions with the same domain.
Third party cookie
A third party cookie is one set with a domain that is not the same as the domain of the web site visited.
Attributes of cookies
Domain & Path
These set the scope of the cookie; it can be a single host, all the hosts in a domain, or a folder and its sub-folders within a host if the path is set to a folder other than the root of the domain.
Setting a domain to a top level domain (TLD) is not allowed, i.e. .com or .co.uk.
Expires & Max-Age
These set the persistence of a cookie; if no age is set the cookie expires at the end of the session, however it is possible to set an exact date for the expiry of the cookie (Expires) or how long in seconds it will last (Max-Age).
Secure cookie
When set, this limits the cookie to being transmitted over secure connections only, i.e. HTTPS; it goes without saying that the cookie should only be created within a secure connection.
HttpOnly cookie
Only allows access to the cookie via the HTTP protocol and prevents access from within scripts via the document object model (DOM), i.e. document.cookie.
Cookies are used on web sites for session management, personalisation and tracking. Session management allows interaction between web pages to create a web application; typically session cookies that expire at the end of the session are used. Personalisation allows data about settings used on a web site to be retained by the client, allowing personalisation without having to get the user to authenticate to the web site every time; persistent cookies with a suitable expiry limit are used. The final use, and the one that causes problems with privacy, is the use of cookies for tracking a user, where the pages visited and the sequence of visiting them are logged on every visit to the site; again persistent cookies are used.
Cookies are created by a web server sending the Set-Cookie header to the browser; from then on, every time the browser requests a page from that domain the Cookie header is sent as part of the request, and this continues until the cookie expires. However, cookies can also be set by a script on a web page manipulating the DOM, if supported and enabled in the client's browser.
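Added example, not part of the original post: a small Python auditor that applies the cookie types and attributes above to Set-Cookie headers, and also flags third-party cookies in the sense of part 3 (a cookie whose domain differs from that of the visited site). The sample page, the responses, the header values and the tiny public-suffix list are constructed for the example; the domain comparison uses a simplified registrable-domain check rather than the full public suffix list.

```python
# Added example (not from the original post): audit Set-Cookie headers for the
# attributes described above and flag third-party cookies.  All sample data is
# constructed for the example.
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the public suffix list; a real
# audit should load the full list so every "co.uk"-style suffix is known.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a host, or None if the host
    is itself a public suffix, e.g. 'www.shop.co.uk' -> 'shop.co.uk'."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes); attribute
    names are lower-cased and flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, page_url, response_url):
    """Findings for one Set-Cookie header.  page_url is the page the user
    visited; response_url is the response that carried the header, which for
    an embedded image or script may belong to another domain."""
    name, _, attrs = parse_set_cookie(header)
    page_host = urlsplit(page_url).hostname or ""
    resp_host = urlsplit(response_url).hostname or ""
    domain = attrs.get("domain")
    if not isinstance(domain, str) or not domain:
        domain = resp_host  # no Domain attribute: host-only cookie
    domain = domain.lstrip(".").lower()
    return {
        "name": name,
        # No Expires/Max-Age means a session cookie (deleted when the browser quits).
        "persistent": "expires" in attrs or "max-age" in attrs,
        # A different registrable domain from the visited page: third party.
        "third_party": registrable_domain(domain) != registrable_domain(page_host),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        # Domain set to a bare TLD / public suffix is not allowed.
        "domain_is_tld": registrable_domain(domain) is None,
        # A Secure cookie created over plain HTTP defeats the point of the flag.
        "secure_over_http": attrs.get("secure") is True
                            and urlsplit(response_url).scheme == "http",
        "path": attrs.get("path", "/"),
    }


PAGE = "https://www.example.co.uk/news"
# Constructed (response URL, Set-Cookie header) pairs observed on a visit to PAGE.
SAMPLE_RESPONSES = [
    ("https://www.example.co.uk/news",
     "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.co.uk/news",
     "prefs=dark; Domain=.example.co.uk; Expires=Wed, 09 Jun 2021 10:18:14 GMT"),
    ("http://ads.tracker.com/pixel.gif",
     "uid=x9; Domain=.tracker.com; Max-Age=31536000"),
    ("https://www.example.co.uk/news",
     "bad=1; Domain=.co.uk"),
]


def audit_all(page_url, responses):
    return [audit_cookie(header, page_url, url) for url, header in responses]


if __name__ == "__main__":
    for finding in audit_all(PAGE, SAMPLE_RESPONSES):
        print(finding)
```

Run against a real capture (a browser's developer tools or a proxy log), the third_party and persistent flags together pick out exactly the tracking cookies the privacy concern is about, while the secure, httponly and domain_is_tld flags cover the protective attributes listed above.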
Cookies hit headlines as the ICO deadline approaches
Cookies are starting to hit the headlines again as the UK deadline for meeting the EU cookie directive draws nearer. The UK government revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May, to address the new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users' computers; the ICO gave a year's grace period starting on 26 May 2011 for companies to become compliant with the new guidelines provided by the Information Commissioner's Office.
Current regulation of cookies
The internet industry has tried to control the use of cookies and protect privacy. If we look at the RFCs about session management, they say browsers should protect user privacy and not allow third party cookies by default, yet a number of the popular browsers ignore the default deny of third party cookies. Some browsers allow the setting of third party cookies if they have a compact privacy policy and use a compact policy field as part of the Platform for Privacy Preferences Project (P3P), which was started by the World Wide Web Consortium (W3C) and officially recommended in 2002, but development ceased a short period afterwards.
A number of countries around the world have produced guidelines and regulations on cookies, but these only affect the relevant country. In 2002 the EU developed a telecommunications privacy directive, and article 5, paragraph 5 of the directive mandates that storing data on a user's computer can only be done if certain conditions are met. These cover giving information on how the data is used and giving the user the option to opt out of storing the data. Data that is necessary for technical reasons is exempt from the user opting out of storing it.
In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) implemented a European Directive, 2002/58/EC, concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage of, or access to, information stored on a subscriber's or user's terminal equipment. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
The government prior to the introduction of the Regulations expressed
the view that there should be a phased approach to the implementation of these
changes. The Information Commissioner agreed that businesses would need time to
implement solutions. He therefore confirmed that he would exercise his
discretion and allow organisations a ‘lead in’ period of 12 months to put in
place the measures needed to comply. This lead-in period will come to an end on
the 26th May 2012, there is just two months left of the period.
During this period the Information Commissioner made it clear that organisations should be taking steps to comply with the rules, and that for any complaints received about websites during this period he would expect to see a plan of action on how the rules are going to be complied with.
What can be done?
No matter what a business's view of the law is, it won't stop the Information Commissioner's Office (ICO) from taking action on complaints that websites are breaking the law.
The new regulations require more than just telling users about cookies and allowing them to opt out; businesses need to be more proactive in meeting the regulations.
The ICO recommends these three steps:
1. Check what type of cookies and similar technologies are being used and how they are being used.
2. Assess how intrusive the cookie use is.
3. If consent is needed, then decide upon the method of obtaining consent.
Although cookies required for technical reasons are exempt, the actual scope of the exemption has been discussed in various forums, and there have been some very inventive technical reasons put forward as to why a cookie should be exempt.
In general the following are not exempt:
· Cookies used for analytical purposes, for example to count the number of unique visits to a website
· First- and third-party advertising cookies
· Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored
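As an added example (not code from the original post), a small Python cookie inventory for the ICO's first two steps: it parses the Set-Cookie headers observed while loading a page, records whether each cookie is first- or third-party and session or persistent, and flags third-party or persistent cookies for review, since the analytics, advertising and personalisation cookies listed above tend to fall into those groups. The site host, vendor host and headers are constructed sample values, the registrable-domain check is a deliberate approximation, and the exemption decision itself stays with a human reviewer.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class CookieRecord:
    """Facts about one cookie that a reviewer needs for the ICO audit steps."""
    name: str
    domain: str
    first_party: bool
    persistent: bool
    secure: bool
    http_only: bool
    needs_review: bool  # heuristic: third-party or persistent, so not obviously exempt

def registrable(host: str) -> str:
    """Crude registrable-domain approximation: last two labels (no public suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(response_host: str, header: str, site_host: str) -> CookieRecord:
    """Parse one Set-Cookie header seen in a response from response_host."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Without a Domain attribute the cookie belongs to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    first_party = registrable(domain) == registrable(site_host)
    # An Expires attribute or a positive Max-Age makes the cookie outlive the session.
    max_age = attrs.get("max-age", "")
    persistent = "expires" in attrs or (max_age.lstrip("-").isdigit() and int(max_age) > 0)
    return CookieRecord(name, domain, first_party, persistent, "secure" in attrs,
                        "httponly" in attrs, needs_review=(not first_party) or persistent)

def inventory(observed: List[Tuple[str, str]], site_host: str) -> List[CookieRecord]:
    """Build the inventory from (response_host, Set-Cookie header) pairs."""
    return [parse_set_cookie(host, hdr, site_host) for host, hdr in observed]

SITE_HOST = "www.example.com"
SAMPLE = [  # constructed sample headers, not captured from any real site
    ("www.example.com", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "lang=en-GB; Max-Age=31536000; Path=/"),
    ("cdn.analytics-vendor.example",
     "_vid=xyz; Domain=.analytics-vendor.example; Expires=Wed, 28 Mar 2013 00:00:00 GMT"),
    ("www.example.com", "tmp=1; Max-Age=0"),
]
```

Running `inventory(SAMPLE, SITE_HOST)` flags the persistent language cookie and the vendor's tracking cookie for review, while the session cookie and the deleted cookie pass without comment.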
The international nature of the internet and the use of third-party cookies will make the scope of the regulations, and who is responsible for implementing them, difficult to establish clearly.
From the information released by the ICO it is clear that a UK organisation is subject to the regulations even if its website is hosted outside the UK. Organisations from outside Europe with websites designed for the European market and offering services or products within Europe should consider that European users will be expecting information on cookies and the ability to opt out.
The responsibility for providing information on third-party cookies and gathering the opt-in permission will lie with the website owner, as it will be technically very difficult for the third party to do so.