Posts Tagged ‘security’

autocomplete=”off”

Something I haven’t thought about much, but very important: for sensitive information, turn off autocomplete on input tags.

<input type="text" name="super-secret-pin-num" autocomplete="off" />

It’s a non-standard attribute, but all the major browsers implement it (including Webkit/Safari).

h/t Pete Freitag

Safe and secure

As the TSA pushes forward another round of absurd “security” measures, a notable quote from Bruce Schneier,

Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.

The S3 security gap and drop.io

Amazon S3 has emerged as a dominate player in providing a white box cloud storage solution for numerous organization. However, while S3 is great for outsourcing public web content, private, user-specific content is not something it handles quite as well. When storing private files, 3 solutions come into play:

  • Transfer the files back and forth between your servers and S3. This is cumbersome, as you incur a bandwidth toll on both your server and S3 and a performance penalty (the extra time to transfer to/from S3). However, it can be a valid solution based upon the specifics of your storage needs.
  • Add users to the access control list of S3 objects. This is usually not a feasible solution as it requires users to have an AWS account and authenticate with AWS.
  • User query string authentication on objects. This will allow public access to an object for a certain period of time. While this will allow access, this is also where the security gap is, as during the interval of time when the file is public, anyone can access it given the URL.

The security gap came into play as I was experimenting with the drop.io API and a drop with the guest password set. Once you pull the list of assets in a drop, you get a link with each asset to access the file (well, typically, a converted version of the file, as you can’t get original files back unless your a premium user – in any case, the data is visible). This URL redirects to a query string authenticated S3 object which can be accessed publicly.

drop.io converted file url

The problem here is that there is no encryption between drop.io and the client (it’s all plain old HTTP), so it’s not unreasonable to assume that a hacker using a packet sniffer could pick up the URL. Said hacker would then simply have to put the URL into a browser to download the asset. To verify this, I traced the HTTP request and response with Wireshark and, as I expected, was able to easily get the asset URL,

drop.io converted file url

Network security and filthy lies told by Windows XP

Note: Everything below relates to Windows XP Professional with Simple File Sharing turned off.

One of the simple things that can be done to prevent unwanted peer-to-peer network access to data on Windows is to disable the Guest account (you can alternatively give permissions to specific users or groups, but for my situation this is a hassle as I, generally, don’t need the level of granularity). By some mechanism unknown to me (perhaps malware or a recent virus), the guest account on my desktop was turned on. With the guest account on and shared folders allowing everyone access, any machine connected to the network was able to seamlessly login and access anything in the shared folders. The situation bugged me for quite a while as I didn’t realize the active guest account was the culprit because from looking at the User Accounts extension in Control Panel, I saw the following:

win xp guest account off

Unfortunately, this does not mean the account is actually disabled, it simply means it doesn’t appear on XP’s welcome screen. I finally took at look at the Administrative Tools >> Computer Management extension, then navigated to Local Users and Groups >> Users, and saw that the guest account was enabled. Disabling it here (right-click on Guest >> Properties >> check the “Account is disabled” checkbox), actually disabled the account and prevented automatic authentication as Guest for incoming peer-to-peer connections.

win xp users

As you can probably guess my real annoyance here is the discrepancy between what appears in the User Account extension vs. the actual state of the account.