This year at Black Hat USA 2010 and Defcon 18 Marcin Wielgoszewski and I did a talk called Constricting the Web: Offensive Python for Web Hackers (video). The basic premise of our talk is that web architectures and technology are getting far more complicated and it is not sufficient just to run a vulnerability scanner on an application and call it done. Individuals tasked with testing these architectures are going to need to write their own tools and tests at some point. If you aren’t taking security beyond your vulnerability scanner then you aren’t performing the proper due care and due diligence required to protect your assets.

More information on tools and projects to come. I just don’t feel too much like writing today

Write Your Own

It’s inevitable at some point you are going to have to write your own tools and tests. Modern web architectures no longer consist of a page with a simple backend web server. Complex items such as RIA technologies, APIs, aggregators, and custom protocols are now thrown in to the mix. Vendors continue to lag behind the technology curve which puts commercial tools at a disadvantage. All of these items need to be tested in order for organizations to have any type of success in their testing efforts.

This is where you take the code in to your own hands. It really isn’t as difficult as it may sound. I know quite a few people that shy away at the thought of writing their own code. I am not quite sure why there is so much apprehension about writing your own code. Maybe people are having C flashbacks from college or something.

Modern languages have quite a bit of the work already done for you. Python, which is my weapon of choice, has a vast amount of modules that allow interfacing with many different protocols. In the end all you need to do send and record your tests. Python is also a rapid development language that is easy to read and write, making it great for security people who don’t want to spend all day writing code.

Black Hat Wrap-up

We are participating in the Black Hat Wrap-up webcast. We are going to summarize our talk and highlight a few items. This is happening Thursday, August 19th at 4pm Eastern. Information on the webcast can be found here: https://www.blackhat.com/html/webcast/webcast-2010_BHUSAwrapup.html

Tools Released

We also released a couple of tools. Most notable is Marcin’s Burp API. It allows you to interface with Burp logs and turn them in to objects. This would allow you to do anything from replaying tests, creating your own macros, and even creating your own vulnerability scanner. Burp API information can be found here: http://mwielgoszewski.github.com/burpee/

I also released a stand alone encoder that I wrote a while back. The main reason was I just like having a stand alone encoder when I am doing assessments. It allows you to encode and decode values as well as wrap values with different characters. You can get more information on DharmaEncoder here: http://code.google.com/p/dharmaencoder/

Finally, I created a Python web fuzzing module called pywebfuzz. The pywebfuzz module allows you to have values available for testing from the fuzzdb project as well as some convenience functions for range generation and making requests. The module is in it’s early phases but still usable. I have a bunch of miscellaneous things I need to do to it before it is where I would like it to be. More information on pywebfuzz can be found here: http://code.google.com/p/pywebfuzz/

If you run in to bugs please let us know so we can get them fixed. If there are features you would like to be added please let us know that as well.

Conference Materials

The conference materials are posted on the Hexagon Security site. You can download them here: http://hexsec.com/docs

Ok, first order of business, I love Dropbox. If you are unfamiliar with Dropbox it is a popular cloud based syncing / storage / sharing application for your files. It allows you to store files, roll back changes, etc. You can get more familiar with them by visiting their site https://www.getdropbox.com

Now that I am done singing the praises of Dropbox, it’s time to get to the nitty gritty. This issue isn’t necessarily devastating for Dropbox, but could lead to some larger issues with other cloud based providers. The reason I am writing about this issue is because I think it can aid other individuals in the design of their applications. Let’s face it, cloud based applications and storage aren’t going anywhere.

What You Should Notice

One of the first things you should notice after installing Dropbox is that it sets up some files and folder structure for you.

A few of the folders are Documents, Photos, and Public. A couple of files that show up are This is your Dropbox.txt and if you have installed the iPhone app you get the iPhone intro.pdf. Your Public folder is where you can put files that you want to share with via a public URL.

So by default you get a Public folder with a public file that is shared called “Top Secret.txt”. If you go to the Dropbox menu you can obtain a link for the public file that has the following structure:

http://dl.dropbox.com/u/{acct number}/Top%20Secret.txt

So now you have a known resource  with a known location. By simply requesting this resource and changing the account number you can enumerate through valid accounts. In doing this it will become apparent relatively quickly that account numbers are sequential. You would also notice that most people do not delete any of pre-installed default files even though they are unnecessary. These files are Dropbox’s way of communicating with you about what the folder should be for or about something the application does.

It is fairly simple to enumerate through account numbers and come up with a list of valid users, you could do this in just a couple of lines of Python code:

#!/usr/bin/env python
 
import httplib
 
f = open("dropbox_accts.txt", "w")
 
for num in range(1440000, 1450000):
    request_string = "/u/{0}/Top%20Secret.txt".format(num)
    conn = httplib.HTTPConnection("dl.dropbox.com")
    conn.request("GET", request_string)
    req = conn.getresponse()
    if req.status == 200:
        print(req.status)
        f.write("{0}\n".format(num))

What this does is enumerate through account numbers from 1440000 to 1450000, and if there is a return on Top Secret.txt, it records the number in to a file called dropbox_accts.txt.

Why This Is A Problem

This is a problem for multiple reasons. First of all, it allows an attacker to determine valid accounts on the system. This gives an attacker a starting point for an attack on an account. Another thing to note is that it shows accounts are created sequentially which could lead to other issues.

Working on account enumeration it would be possible for an attacker or someone tracking Dropbox to determine how many new users they have per a certain period of time just by starting where they left off with their previous enumeration activities.

The issue might allow an attacker to try to obtain some information about a particular user through sifting through their public files, if they were guessed. Yes, an attacker would have to guess the name of a valid file but we as humans tend to name files descriptively, so it may be easier than it seems. There is no randomness attached to the filename /URI that would deter this type of activity. After sifting through this data it may be possible to determine the name of the individual who owns the account. Another thing you might find from this activity is an email address associated with the login of the account. If they were to obtain the email they would have the login (email), account number, and the person’s real name. It would not completely out of the question to find something like resume.doc in a user’s Public folder. This is a lot more than an attacker should have.

Now this shouldn’t be a huge deal because it is a “public” folder, it should be assumed that everything in there could be accessed by anyone, but people don’t always make the best choices when it comes to sharing. Many people who use Dropbox use this folder to share things with their friends, not the entire world.

Probably most important, is that they are using known resources and locations. This can be a particularly bad issue for cloud based applications due to their public nature. Every Dropbox account has several folders set up by default along with several files added. These rarely get changed and just get utilized by users. Giving an attacker known resources and locations goes a long way to a successful attack. It allows an attacker to gauge success or failure of a given attack and gives them ready-made resources on which to focus their attacks.

Dropbox uses these files in their private directory structure as well, which opens the doors for some interesting possibilities. I have not really dug in to their API or too much in to their web interface to really say where this might be an issue, but the groundwork can be done in relatively small period of time.

Without having any kind of knowledge how the back end of Dropbox works, it’s hard to tell whether any of the information (ie Account Number) that can be be enumerated can be used to attack user files at rest. It may be hugely important or totally innocuous. I am assuming they have probably thought of this, but you never know.

What’s The Takeaway

People designing cloud based applications and storage should be aware that creating items with known locations could increase their attack surface by giving attackers something to work with. This should be kept to a minimum. Users should be defining the structure of their storage and setting up names for their resources. If you need to communicate with users, it should be done in a message format vs leaving a standard named file in a known location.

Public resources, even though they are public should have some form of randomness added to their resource locations. This way, it is not extremely easy for an attacker to enumerate resources and gain information about the application and its users. It would be a better idea to take the approach that Flickr does with it’s randomized URLs for photos. That way it is not easy to map a resource to a given user or account number.

When numbers associated with accounts are exposed, they should take on some form of randomness or there should at least not be any exposed method that would allow someone to enumerate through them easily.

Threat modeling should be done on the application during the design phase allowing for the identification of issues before they get worked in to production. Always think about how the application could be abused. You would think this would be second nature by now, but so many organizations are not doing this.

If you are Dropbox user you should delete the default files that are created by Dropbox, especially the Top Secret.txt that is in your Public folder.

In Closing

In closing not extremely devastating on the surface for Dropbox, but definitely food for thought for anyone working on the design of cloud based applications. Issues like this are definitely not isolated to Dropbox. I wrote a tool about a year and a half ago (that I had forgotten about by the way) for pulling valid users and data out of Apple’s MobileMe service. An issue that still exists to this day. Cloud providers need to be thinking about this stuff in the design phase because it is hard to make changes after deployment.

]]> http://www.neohaxor.org/2009/12/11/enumerating-dropbox-resources/feed/ 3 http://www.neohaxor.org/2008/12/29/speaking-at-shmoocon-2009/ http://www.neohaxor.org/2008/12/29/speaking-at-shmoocon-2009/#comments Mon, 29 Dec 2008 20:56:01 +0000 Nathan Hamiel http://www.neohaxor.org/?p=100 Hello Everyone. I just wanted everyone to know that I will be speaking at ShmooCon 2009 with Shawn Moyer. Our Topic is Fail 2.0: Further Musings of Attacking Social Networks. This will be an update to our Black Hat / Defcon 16 presentation. Update as in, we will have some new material and updates to what we have previously talked about. We won’t be consistently beating an already dead horse. We felt that the topic still contains quite a bit of relevance. As companies continue to shift their focus toward social networks and social networking platforms in general, they are encountering the same security problems. Even though social networks are web applications, they do offer some unique challenges over other common web applications. We will be explorisploiting these differences

I am going to be as objective as possible in this post. People who know me know that I have a distaste for some of these certification vendors due to their deception and motives. I hold quite a few certifications myself going back to the 1990′s and have dealt with many of these organizations first hand. I have had plenty of time to hone my opinions and in the end that is all they are, my opinions. Feel free to agree or disagree.

What is Certification Supposed to be About?

The world of information security tends to be quite a bit different than other professions. Other disciplines may live and die by certifications and licensure. For example, in the medical field you want licensed physicians who are possibly board certified for their specialties. Additionally stenographers, interpreters, and many other professions have national certifications that open up great opportunities for their individuals following certification. The bodies that handle these certs in other disciplines are much different than those in the information security world. Other disciplines typically have certifications issued by national associations or other recognized industry body. In the information security world it is typically done by private business and masked bodies. I will get in to this more later.

Certification is supposed to be about demonstrating a baseline level of knowledge for a particular area. Licensure, as I see it, granting of a license based on a certain set of baseline qualifications. The way you go about demonstrating competency can range from certification to certification.

What You Look for in Security People

What do you look for in security personnel? Most likely there are no objectives of a certification that cover that. Often the number one thing people look for is experience. Nothing trumps experience even certification vendors know that. Along with experience is depth of knowledge. If someone doesn’t have experience you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. I haven’t seen a Certified Information Security Googling Professional certification yet What about soft skills? Writing skills? There are many factors about the people you wish to hire that are well beyond the scope of a security certification.

Three general areas that people look in to when hiring information technology people are experience, education, and certification. They may throw these areas around and substitute them, but the requirements are going to be there. Once the gatekeepers are passed it is up to the interviewee and the impression they make to land the job.

All About the Benjamins

Certification in the infosec world is typically handled by private companies and are either vendor specific or vendor neutral. Sometimes these companies will masquerade as an org, but when you pay them for training or certification watch where your money goes. It’s not the org front It’s in the best interest of these companies to draw blurry lines between their different parts. You may hear things like, “No this company provides the training, the certification is from this other organization”. Who do they think they are fooling? It is the same people working at both organizations and proctoring the tests.

More benjamins equals more win for the companies providing the security certifications, training, or CPE style credits. Or maybe you can just take the road that SANS does and just charge and outrageous price for your certification challenges right off the bat. Yes, Yes, I know. I called GIAC SANS. Same thing They are counting on people with security training budgets and certification reimbursement and saying “screw you” to the little guy. Certification vs value, make the decision for yourself. I personally think they are pricing themselves out of the running to do any competition with the big dogs ISC2 and ISACA but, oh well. I am entitled to my opinion. Not saying they are trying to do direct competition with them, but there are more people looking for CISSPs than there are GIAC certified individuals.

Why Security Certification is hard to make

There are certain roadblocks to certs in the information security space. This is because everyone from the person that deploys anti-virus software to the individual reverse engineering software is considered a “security person”. These are wide and varied disciplines that take a greatly differing skills to perform. So from a certification perspective you either have to specialize or generalize. When generalizing you have to be very broad and lose depth. When you specialize you lose overall market appeal. It’s hard to draw that line. This may be important when you are considering certification. If you are a specialist and there is a certification that fits your particular specialty, then there may be some additional appeal.

Perception is Everything

Certification value is pretty much all about market perception, regardless of the actual value of the certification to you personally or your peers. The greatest, most perfect security certification in the world can come along, but if it has no market value then there is pretty much no value in getting it. One way to gauge how well perceived the certification may be is by going to job search sites and looking for job positions in which you are interested. You will see how many mention the certification you are considering. The business side of security likes the thought of certification. It gives them a nice warm feeling inside. Hiring people in any profession is a gamble. You never really know if someone is going to work out or not. The thought of having an additional assurance that they are getting a decent individual is very appealing to them, regardless of how valid the certification is.

There seems to be a perception of certifications such as the CISSP, CISA, etc as being technical. This perception is incorrect. I split security certifications in to two different categories: Functional and Awareness. I consider certifications such as CISSP, CISA, Security +, etc as awareness based certifications. These certifications do not go particularly deep in to each of their domains but provide awareness in all of their domains. Functional certifications are ones that are more vendor specific and / or cover the functional aspects of particular items or domains.

Certification (may) = Win

Let’s take a look at some of the advantages of certification in the information security field. Certifications in the security field are all about your professional life. They are about your job and your future job prospects. Certifications aren’t good for much else unless you just like framing them and putting them on your wall Keep in mind all of these potential win situations for certifications are all based on someone else’s perceptions at a given time.

The biggest advantage of a certification is that it allows you to display the designation. This means you can say you are certified, display it on your resume, put it in your email signature, etc. Certifications are sometimes used as filtering mechanisms to weed through potential candidates. The person in recruiting or HR may not even forward your resume on to a decision maker because they do not see the certification. The whole goal of submitting a resume is to get your foot in the door for an interview. If you can’t make it that far then it is a fail situation. Displaying the designation allows you to meet the perceived expectations of someone looking for that particular designation.

Along with the previously mentioned, certifications give you some “flare” for your resume. It allows you to add a section to your resume called “Professional Certifications”. Now, you may have more than enough content for your resume due to your experience, but for people with less experience it helps fill out a resume.

During the study process for a certification there is the possibility of learning something. Now this probably isn’t going to be some earth shattering revelation, but the more you know the better off you are. It may force you to look at concepts that you haven’t taken the time to look at previously. So there is the potential that horizons may be broadened.

Vendor specific certifications demonstrate that you are at least familiar with the interface to a particular product. The world is much better off now that you know where that check box is It may give people a sense that you have actually seen the interface before.

Certifications can prove that you have the ability to start something and see it through. Much like education, some certifications take some effort to study for and complete. It can display a certain amount of determination on the part of a potential candidate. It shows that you have not remained stagnant in your career. I know the actuality is stupid, but remember we are talking about perceptions.

Certifications are rarely something that you get looked down upon for. If you are applying for a job or have a job interview I have never heard of a case where someone didn’t get a job because of a certification they held. I file this under the “it couldn’t hurt” column.

Certification (may) = Fail

Security certifications won’t help you do your job better, lift a car, or save a baby from a burning building. Security certifications in their current iteration seem to be very poor at proving people have baseline competencies, which is what certification is all about. This is something that the business side has not really caught on to yet and probably won’t.

Certification can be a pain to get. Some certifications require a healthy dose of time dedicated to studying, practice exams, and whatever other resources are required to pass the exam. Even if you are already familiar with the material, it takes time to learn how to answer the questions the way the certification vendor wants them answered.

Certifications can be a pain to maintain. Some security certifications require maintenance. This maintenance includes either re-certifying periodically or the submitting of credits. The credit based systems require that you get so many credits per year and per certification cycle. For the ISC2 certifications these are called CPEs (continuing professional education).

The benjamins are here to stay, certification costs money up front. This is your initial buy-in to the certification. Certification costs typically range anywhere from 150 dollars to as much as a few thousand depending on what the certification is and what is required.

Oh no, the benjamins are back! Of course everything from re-certification to annual maintenance requires money. Fees, fees, and more fees. Needless to say unless it is a perpetual certification you are no doubt going to have to pay money to the vendor periodically.

You really don’t get anything from certification vendors in return for your time, effort, and money. I think this is the part about certification that irritates me the most. After you have spent the time and effort to get a certification, you really receive nothing useful from them. You may receive notifications about items from the vendor, but it is typically “who cares” communication.

You may have ethical issues with certification vendors in which you don’t want to give them your money. In this case I am right there with you. This could actually be a big turn off in your decision making process.

The Certified Conclusion

There are probably valid points that I left out, sorry, but the post is getting long I don’t know if anyone will read it anyway. I am sorry if there is anything that I have left out. I also really didn’t want to talk about particular certifications, so I didn’t really list any. They are easy enough to find though.

There is really no right or wrong answer about whether to obtain a security certification. All you can do is take the data you have and make a decision for yourself. Visit job search sites and search for jobs with that particular certification. Weigh the time, effort, and expense that you will have to endure to get and maintain the certification. See what other people are saying about the certification. If it makes sense and you think that it will help, then go for it. If it doesn’t seem worth it, then don’t. It’s really hard to judge the future and where security certification vendors are going, so all you can do is make the best decision for yourself in the present.

Thank you to all who showed up, we hope you enjoyed the presentation. Let us know if you have any further questions.