
Misstep 9: Trial by Fire, the Perfect Storm that Created Me

Welcome to the second misstep of 2020… A series of hindsight. Back in late 2006, I started a small forum site where I learned that building desktop applications != hosting web applications that other people use. The former may be breakable, but it won’t hurt me or anyone else. The latter can devastate a business and other users.

It wasn’t that I didn’t care, it was that I didn’t know better. A lot of developers are in the same boat. They want to build systems well, but they simply do not have access to the training or tools to determine whether what they built is secure.

Today, I want to take you on an adventure back to 2006/2007. I was working overnight 12-hour shifts in a factory, convinced I wouldn’t find a career in information technology. I’d get off at 6:30am, drive home and usually hop online to my new creation. I didn’t have a smartphone, so I couldn’t check my sites and see if there was spam or other issues, so the site would go all night long unwatched. Here’s what that site looked like:

My first forum site, with blogs and articles

First things first, it was a WATP site… Windows, Abyss, Text File, and PHP. If I recall correctly, it was PHP 5.1.6. I was a bit apprehensive about learning MySQL at the time, or Linux, and wanted to focus on PHP only. This is why PHP is called “insecure”: it is simple to get something up and running that is terrible. So, people like me write legit crap and publish it.

The forum posts were all stored in text files, as were sessions, user logins (plain text the first few weeks, then unsalted MD5!), etc. This works reasonably well since I would extort a handful of friends to use my site and, even then, nobody wanted to use it. There were no chances for a race condition to happen.

Race Conditions Happen

A race condition happens when two or more actions are applied to the same datastore at the same time. My file naming scheme was simply a random number. PHP’s random number generator is awful, and this practice is awful. Let’s take a peek:

<?php
// Original 2006 "new topic" handler: every field comes straight from the form
$titl = strip_tags($_POST["titl"]);
$dat = strip_tags($_POST["dat"]);
$msg = strip_tags($_POST["msg"]);
$poster = strip_tags($_POST["poster"]);
$rnd = rand(0,999999); // filename taken from a non-unique random number

//Convert linefeeds to bbcode key and remove. Apo's are done in edittopic.php
$msg = nl2br($msg);
$msg = str_ireplace("<br />", "[br]",$msg);
$msg = str_replace("\r", "", $msg);
$msg = str_replace("\n", "", $msg);

// 'x' mode fails (with a warning) when forum/<rnd>.txt already exists,
// which is exactly what happened when two posts drew the same number
$file = fopen("forum/" . $rnd . ".txt", 'x');
fwrite($file, $titl . "\r\n");
fwrite($file, $dat . "\r\n");
fwrite($file, $msg . "\r\n");
fwrite($file, $poster . "\r\n");
fclose($file);

So, I’m taking a random number as a file name, and adding each “field” as a newline within the file.

PHP’s random number generator is seeded by the current timestamp, so within a few milliseconds of each other, two posts can create the same topic, throw off the posts, or cause some people’s posts to be overwritten. It was a hot mess.
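To make the collision concrete, here is an added example (my own, not the original site’s code) that first shows two requests whose generators were seeded identically producing the same filename, then the replacement I would write today: a name drawn from the CSPRNG, opened with the create-only 'x' mode so the filesystem itself refuses a duplicate, retried on the rare collision, and written under an exclusive lock. The seed value, the temp directory and the sample post are constructed for the demo.

```php
<?php
// Added example (not the original site's code): two post writers racing on a
// text-file datastore, and how to pick filenames that cannot collide.

// Simulates two requests whose PRNGs were seeded with the same value (the
// 2006 failure mode): both "requests" draw the same filename.
function collidingNames(int $seed): array {
    mt_srand($seed);                 // request A seeds the generator
    $a = rand(0, 999999);
    mt_srand($seed);                 // request B, same seed a moment later
    $b = rand(0, 999999);
    return [$a, $b];                 // identical => same forum/<n>.txt target
}

// Safe replacement: a CSPRNG-derived name opened with 'x' (create-only, fails
// if the file already exists), retried on collision, written under a lock.
function createPostFile(string $dir, array $fields, int $maxTries = 5): string {
    for ($try = 0; $try < $maxTries; $try++) {
        $path = $dir . '/' . bin2hex(random_bytes(16)) . '.txt';
        // '@' only silences the warning; the false return is handled right below,
        // unlike the post's use of '@' to hide errors entirely
        $fh = @fopen($path, 'x');
        if ($fh === false) {
            continue;                // another writer got there first; new name
        }
        if (!flock($fh, LOCK_EX)) {
            fclose($fh);
            throw new RuntimeException("could not lock $path");
        }
        foreach ($fields as $value) {
            // one field per line, as on the site; strip CR/LF so a field
            // cannot masquerade as the next one
            fwrite($fh, str_replace(["\r", "\n"], '', $value) . "\r\n");
        }
        fflush($fh);
        flock($fh, LOCK_UN);
        fclose($fh);
        return $path;
    }
    throw new RuntimeException('could not allocate a unique post file');
}

// Constructed demo; run from the CLI.
$dir = sys_get_temp_dir() . '/forum-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
[$a, $b] = collidingNames(20070216);
echo "rand() after identical seeds: $a vs $b\n";   // same number both times
$path = createPostFile($dir, ['Attention Bob', date(DATE_RFC2822), 'This is why SQL > TXT.', 'Cody']);
echo "wrote $path\n";
```

The 'x' mode is the important part: it maps to an exclusive create, so even if two requests somehow pick the same name, only one of them gets the file and the other is told to try again rather than silently overwriting a post.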

Race Condition + c:\site\sessions.txt

I had committed several “sins” of secure development at the time:

  • I did not use atomic identifiers on files, meaning two writes would cause an error in some conditions.
  • I did not turn off error reporting; I was editing the site live on the server, so I thought I needed to display errors.
  • I stored the “sessions” file within the webroot.

So, I had a few folks who would use my site who also had some legit curiosity about a site’s inner workings. It so happened that this user, we’ll call him “Cody”, logged into the site and spotted a write error. Something along the lines of:

Parse Error: Could not open c:\site\sessions.txt for writing.

Quite possibly, accessing this file via https://example.com/sessions.txt would be the next thing attempted. And this Cody did. Inside this file, he saw my username next to a session ID. He then copied that into his browser, and he was in my account.

I got home from work to find that “I” had been online all night…

Several posts were made from my account, mostly about how I’d been owned and such. I totally deserved it. As a matter of fact, here’s the forum topic that told me about the exploit. Sadly, I don’t have the site running, so I can only show you a (somewhat anonymized) forum “file” instead:

Attention Bob
Fri, 16 Feb 2007 16:24:34 CST
This is why SQL > TXT.[br][br]Love,[br]Cody
John
Fri, 16 Feb 2007 21:17:06 CST
I been hacks.
John
Tue, 27 Feb 2007 20:25:48 CST
Should be fixed now.
MMTbb

This post was from my account, since my session ID was exposed. I was able to fix it, but even my fix was implemented somewhat poorly.

Security by Obscurity, and other hilarious antics

<?php
// The "fix": look the cookie value up in a session list disguised as an image
$cok = $_COOKIE["COOKIE"];
$userret = null; // initialised so an unmatched cookie does not leave it undefined
$filses = @fopen("http://example.com/site/online.bmp" , "r");
// each line is "<session key>\t<username>"
while ($names = @fscanf($filses, "%s\t%s\n"))
    {
    list ($userkey, $username) = $names;
    if ($userkey==$cok)
        {
        $userret=$username;
        }
    }
@fclose($filses);
?>

So, the sessions.txt file was changed to “online.bmp”. Still in the webroot, but a little less likely to be spotted. Also, I added the error control operator “@” before the file functions (fopen, fscanf, and fclose) to hide the errors. Now, we’re getting errors that nobody knows about, but hey, it’s not giving away my clever fix.

Later, I added an additional check. To stay logged in, you would need both the session ID and the same IP address you had at login. Hey, this sounds fantastic! And it would be, except for these two failures (which I don’t have the code for anymore):

  • I typo’d… I used a single equals sign (=) or assignment, instead of a double (or triple) equals sign (== or ===), comparison and strict comparison, respectively. So, what ended up happening is that sessions were now disregarded, and the IP address is what was important. So, living at home with the rents at the time, my younger brother kept accidentally posting from my account and didn’t know why. This took an embarrassingly long time to correct.
  • Some users were using AOL’s custom-wrapped Internet Explorer, which proxies requests via different cache servers. This means that the IP wasn’t steady, and some users were randomly being logged off as a result.

I remember sharing my IP-following idea with Michael Coates at THOTCon 0x1 back in 2010, who liked the idea, but was immediately familiar with the issue you’d face with transient IP addresses.

Over time, I’ve improved how I’ve handled sessions, using PHP’s in-built session mechanism, ensuring proper entropy, proper cookie flags, and so on. This resolved my authentication woes, but there were still plenty more problems I was tempered by.
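Here is what that improved handling looks like, as an added example of my own rather than code from the site: PHP’s built-in sessions configured with a save path outside the webroot, strict mode, a long ID and the usual cookie flags, an ID rotation at login, and the “=” typo from above isolated next to the strict comparison that was intended. The save path and the sample ID strings are assumptions for the demo; the path must exist and be writable by the web server user.

```php
<?php
// Added example (not the site's code): PHP's in-built session mechanism with
// proper entropy and cookie flags, plus the "=" typo isolated.

function configureSessions(string $savePath): void {
    ini_set('session.save_path', $savePath);       // outside the webroot, unlike sessions.txt
    ini_set('session.use_strict_mode', '1');       // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1');      // never read the ID from the URL
    ini_set('session.sid_length', '48');           // 48 chars x 6 bits = 288 bits of ID
    ini_set('session.sid_bits_per_character', '6');
    session_set_cookie_params([                     // array form needs PHP 7.3+
        'lifetime' => 0,                            // expires with the browser session
        'path'     => '/',
        'secure'   => true,                         // HTTPS only
        'httponly' => true,                         // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call after the password check succeeds: new ID, so a pre-login ID cannot be replayed. */
function loginUser(string $username): void {
    session_regenerate_id(true);                    // true = delete the old session file
    $_SESSION['user'] = $username;
    $_SESSION['login_at'] = time();
}

// The post's typo, isolated. Assignment inside the condition means the branch
// tests whether $cookie is a non-empty string, not whether it equals $stored.
function matchesWithTypo(string $stored, string $cookie): bool {
    if ($stored = $cookie) {
        return true;
    }
    return false;
}

// Intended check: strict, constant-time comparison of the two strings.
function matchesSession(string $stored, string $cookie): bool {
    return hash_equals($stored, $cookie);
}

// Constructed demo; the comparison part needs no web server.
var_dump(matchesWithTypo('stored-session-id', 'totally-different'));  // bool(true): the bug
var_dump(matchesSession('stored-session-id', 'totally-different'));   // bool(false)
var_dump(matchesSession('stored-session-id', 'stored-session-id'));   // bool(true)
// In a web request: configureSessions('/var/lib/php/sessions-example'); then loginUser($user);
```

With use_strict_mode on, a session ID that was never issued by the server (for example one typed in by hand) is discarded and a fresh one generated, which closes the “copy the ID out of a leaked file” path even before cookie flags come into play.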

Join me again next Tuesday to see what other awful mistakes I’ve made.


Stop Using Security Questions

Please stop using security questions.

Why security questions were designed with good intentions

If you forget your password, a site can ask you a series of security questions. This allows you to recover your account while still potentially authenticating you with answers only you know.

Account recovery options are always a great idea, but doing so with security questions is bad.

Insecurity Questions

Seriously — they introduce insecurity. In my experience, I’ve come across a form like this:

What is your favorite color?

Your security question must contain at least five characters!

What do you think the most popular colors are? Red? Blue? What about: teal, gray/grey, etc. A form I’ve come across actually had a 5-character minimum, which removed options from this answer and made guessing black/green/white/yellow a bit easier. My wife will tell you that everybody from the 90’s would say “Crayola Cerulean” is their favorite — I’m inclined to agree.

Facebook even has a feature where people can “know you better” where you can answer questions about yourself and paste it on your profile. Yikes!

Mother’s maiden names are easy to get from your social network (click you, click your mom, look at her friends’ names, or look at whom you call “aunt”, “uncle” etc).

Distributing Security Questions

I once saw an admin who would screenshot a page that showed users’ security questions. This page existed to help admins verify users are who they say they are over the phone. Instead of using it for this function, people were screenshotting this info and sending it to users who “forgot” them. Yikes.

I’m a site user — what should I do?

If a site insists you complete security questions, generate random text and throw that in the box. If you need to recover the account later, paste in that random text. While there, look for the company’s security@ e-mail, Twitter, etc. Tell them to fix it.

I’m a webmaster on the world wide web

Heh, old terms. Disable the requirement for security questions, remove account recovery until you can fix it. Replace it with CAPTCHAs and allow them to reset it via an e-mailed link. Make the link valid for <30 minutes, and with a bunch of entropy in the query string. Don’t store the expiration in the query string. If their e-mail is compromised, they indeed can steal this account. For this reason, it is imperative for users to have secure e-mail accounts. Also, wipe the security questions out of the database. If you’re compromised, those answers can quickly become public.
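The reset-link mechanics described above, as an added example that is mine and not this post’s code: the token in the link carries nothing but entropy, only its hash is stored, and the expiry and single-use state live server-side where the user cannot tamper with them. The in-memory $db array stands in for a database table, example.com for the real host, and the timestamps are constructed.

```php
<?php
// Added example (not the post's code): e-mailed reset links where the
// query string holds only a random token; expiry and use-count are stored
// server-side. $db stands in for a database table.

const RESET_TTL_SECONDS = 15 * 60;   // well under the 30-minute ceiling

/** Create a token, store only its hash with an expiry, return the raw token for the link. */
function issueResetToken(array &$db, string $email, int $now): string {
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $db[hash('sha256', $token)] = [                  // hashed: a DB leak does not leak live links
        'email'   => $email,
        'expires' => $now + RESET_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

/** The link the user receives; example.com stands in for the real host. */
function resetLink(string $token): string {
    return 'https://example.com/reset?token=' . $token;
}

/** Return the e-mail the token belongs to, or null if unknown, expired or already used. */
function consumeResetToken(array &$db, string $token, int $now): ?string {
    $key = hash('sha256', $token);
    if (!isset($db[$key])) {
        return null;
    }
    $row = &$db[$key];
    if ($row['used'] || $now > $row['expires']) {
        return null;
    }
    $row['used'] = true;                              // one redemption only
    return $row['email'];
}

// Constructed walk-through.
$db = [];
$t0 = 1600000000;
$token = issueResetToken($db, 'alice@example.com', $t0);
echo resetLink($token), PHP_EOL;
var_dump(consumeResetToken($db, $token, $t0 + 60));       // string: alice@example.com
var_dump(consumeResetToken($db, $token, $t0 + 120));      // NULL: already used
$late = issueResetToken($db, 'bob@example.com', $t0);
var_dump(consumeResetToken($db, $late, $t0 + 31 * 60));   // NULL: expired
```

Because the expiry is looked up from the stored row rather than read out of the link, a user cannot extend the window by editing the URL, and because the stored value is a hash, an attacker who dumps the table still cannot build a working link.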

What if I follow the email reset and security questions?

You could. It’s better than no email reset.



Blocking Tor Exit Nodes by .htaccess with PHP

What is Tor?

Tor is a multi-layered anonymizing proxy, used by a lot of parties interested in privacy or avoiding government overreach (great firewall of China, for example).

It is also used by annoying spammers who don’t know how to configure a traditional VPN, so they rely on pre-configured browsers.

Candidates for this Method

If you run a forum, for example, where you’re not looking for Tor users to visit your site, you can simply deny them with .htaccess. This isn’t the most elegant solution, as a firewall would be ideal. But it is a quick win. This assumes you’re using Apache 2.4, PHP 7, and Ubuntu 16.04. It also requires root access, or a user that can edit the site’s .htaccess and run PHP. You should also not have anything already in .htaccess, as this will overwrite it. If you require .htaccess later, this can be modified as needed.

Configure your VirtualHost

You will need to modify your virtual host (probably located in /etc/apache2/sites-available/——). Adding the code below will instruct Apache to process the .htaccess files; make sure to modify the path as needed.

<Directory /path/to/site>
   Options Indexes FollowSymLinks
   AllowOverride All
   Require all granted
</Directory>

After completing the change, run this:

sudo apache2ctl configtest

If you see “Syntax OK” at the end, you did a good job. Restart Apache:

sudo service apache2 restart

Set up the PHP script, replacing /path/to/site with the path to your site:

<?php
// Fetch the current Tor exit list (one "ExitAddress <ip> <timestamp>" line per exit)
$nodeList = file_get_contents("https://check.torproject.org/exit-addresses");
if ($nodeList === false) {
    // Don't wipe the existing block list if the download failed
    fwrite(STDERR, "Could not download exit-addresses; leaving .htaccess untouched" . PHP_EOL);
    exit(1);
}
$nodeList = str_replace("\r\n", "\n", $nodeList);
$lines = explode("\n", $nodeList);

$exitNodes = [];
foreach ($lines as $v) {
    if (substr($v, 0, 11) == "ExitAddress") {
        $exitNode = explode(" ", $v);
        // keep only well-formed IPs so a malformed line cannot break the file
        if (isset($exitNode[1]) && filter_var($exitNode[1], FILTER_VALIDATE_IP)) {
            $exitNodes[$exitNode[1]] = true; // keyed by IP to de-duplicate
        }
    }
}

// Replace /path/to/site with your site's document root
$file = fopen("/path/to/site/.htaccess", "w");
fwrite($file, "# Any changes here will be overwritten. File managed by /automation/getTorNodes.php" . PHP_EOL);
// "Deny from" is Apache 2.2 syntax; on 2.4 it only works with mod_access_compat loaded
foreach (array_keys($exitNodes) as $v) {
    fwrite($file, "Deny from $v" . PHP_EOL);
}
fclose($file);

I like to have this file in an automations folder. You can trigger it as often as you like, though I recommend not more than once a day. You can either manually trigger the php script, or add a cron job.
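As an added example of my own (not the post’s script), the same job written as testable functions and going one step further than the post: the feed parser validates and de-duplicates the addresses, the output uses Apache 2.4’s native Require syntax so mod_access_compat is not needed, and the finished file is swapped into place with a rename so Apache never reads a half-written .htaccess. The sample feed lines are constructed (documentation IP ranges, a made-up fingerprint), and /path/to/site is a placeholder.

```php
<?php
// Added example (not the post's script): parse the exit-addresses feed into a
// validated, de-duplicated IP list, emit Apache 2.4-native deny rules, and
// swap the finished file into place atomically.

/** Return unique, valid IPs from "ExitAddress <ip> <timestamp>" lines, sorted. */
function parseExitAddresses(string $feed): array {
    $ips = [];
    foreach (preg_split('/\r?\n/', $feed) as $line) {
        $parts = preg_split('/\s+/', trim($line));
        if (count($parts) < 2 || $parts[0] !== 'ExitAddress') {
            continue;                                   // ExitNode/Published/LastStatus lines
        }
        if (filter_var($parts[1], FILTER_VALIDATE_IP)) {
            $ips[$parts[1]] = true;                     // keyed by IP to de-duplicate
        }
    }
    $list = array_keys($ips);
    sort($list);
    return $list;
}

/** Build the .htaccess body in Apache 2.4 syntax (no mod_access_compat required). */
function buildHtaccess(array $ips, string $manager): string {
    $out  = "# Generated by $manager; manual edits will be overwritten" . PHP_EOL;
    $out .= "<RequireAll>" . PHP_EOL;
    $out .= "    Require all granted" . PHP_EOL;        // everyone, except...
    foreach ($ips as $ip) {
        $out .= "    Require not ip $ip" . PHP_EOL;     // ...each listed exit
    }
    $out .= "</RequireAll>" . PHP_EOL;
    return $out;
}

/** Write to a temp file in the target's directory, then rename over the target. */
function replaceFileAtomically(string $target, string $contents): void {
    $tmp = tempnam(dirname($target), '.htaccess.');
    if ($tmp === false || file_put_contents($tmp, $contents) === false) {
        throw new RuntimeException("could not stage $target");
    }
    chmod($tmp, 0644);                                  // tempnam creates 0600; Apache must read it
    if (!rename($tmp, $target)) {                       // rename on the same filesystem is atomic
        unlink($tmp);
        throw new RuntimeException("could not replace $target");
    }
}

// Constructed sample of the feed format (documentation IP ranges, made-up fingerprint).
$sampleFeed = "ExitNode ABCDEF0123456789ABCDEF0123456789ABCDEF01\n"
    . "Published 2020-01-14 12:00:00\n"
    . "LastStatus 2020-01-14 13:00:00\n"
    . "ExitAddress 192.0.2.10 2020-01-14 13:05:00\n"
    . "ExitAddress 198.51.100.7 2020-01-14 13:05:00\n"
    . "ExitAddress 192.0.2.10 2020-01-14 13:06:00\n"     // duplicate, dropped
    . "ExitAddress not-an-ip 2020-01-14 13:07:00\n";     // malformed, dropped

$ips = parseExitAddresses($sampleFeed);                  // ['192.0.2.10', '198.51.100.7']
echo buildHtaccess($ips, '/automation/getTorNodes.php');

// Production use: fetch the real feed and only replace the file if the download succeeded.
// $feed = file_get_contents('https://check.torproject.org/exit-addresses');
// if ($feed !== false) {
//     replaceFileAtomically('/path/to/site/.htaccess',
//         buildHtaccess(parseExitAddresses($feed), '/automation/getTorNodes.php'));
// }
```

The RequireAll block is the 2.4 idiom for “allow everyone except these”: Require all granted on its own would admit the listed addresses too, and Require not ip on its own can never grant access, so both lines are needed together.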

Bonus: If your firewall is a Ubiquiti Security Gateway:

You can SSH into it and modify /config/config.json and add this in. I haven’t tested persistence across re-provisioning. I’d suggest adding the group through the web UI first, finding the IP(s) you added in the JSON, and then adding them there.

 group {
     address-group 5a61631fe4b0d5a0bfa53416 {
         address 46.165.254.166
         address 51.15.3.40
         .........
         description customized-TorNodes
     }
 }


New Atari 2600 Game — Speedway

Download Speedway v0.1

The Atari 2600 was released back in September of 1977, 40 years and a few months ago. I wrote a rather simple driving game for the Atari back in September of 2014, and finally I’m getting around to putting it online.

Lerner Manufacturer Title Card

Don’t expect a whole lot, I’m not a graphic designer, or a game dev. I’m also younger than the system I built for. I built it for fun as a learning lesson, as the 2600 is notoriously hard to program for (racing the beam, etc).

Speedway Title Card

Well, if I’m going to make something to “race the beam”, what better than a racing game. Be prepared, GTA5 lovers, these graphics are “SIK” and “4K” if 4K means 4Kolors:

Speedway Screen Shot

You’re the car on the right (solid black), the opponents are your drunk neighbors (the car on the left). They’ll drive on the wrong side, the middle, anywhere! Your job is to avoid a collision by using a joystick to move left and right. You can accelerate by going up, or crash into the wall to slow down.


Speedway Game Label

The archive you downloaded (top and bottom of post for the link) includes some game art (the top and front labels, if you are going to flash this to a cartridge), as well as a nice, full-color manual! The picture is one I took ca. 2003 at the NHRA drag races at Route 66.

Speedway Manual

The game is playable, it’s enjoyable, and if you go fast enough, it’s hard. It may even run on an old school 2600, though I recommend a nice RetroPie or, for even more immediate results, Stella.

Please leave feedback in the comments! I always enjoy it! (Good or absolutely terrible!)

Download Speedway v0.1