Sunday, 18 March 2012

SharePoint "Vulnerable by Default"

Even the Scroll Bar Can't be Trusted

Here's how to steal sensitive information from users of either SharePoint or LinkedIn, via their web browser.

The method, known as frame sniffing, is unlike a conventional SQL injection or cross-site scripting (XSS) attack in that no code need be injected into the site. Instead, the attacker's crafted webpage simply loads the target site into a hidden HTML frame, once the CMS user is tricked into browsing to that page by any of the usual socially engineered means (e.g., spam email). As long as the user then keeps that tab open, the attacker can frame-sniff, for example running SharePoint searches exactly like an authorised user.

Paul Stone & Jacobo Ros describe the vulnerability in their video, and present some sample exploits, including a proof of concept that you can run for yourself, at the Context Information Security site:

http://www.contextis.com/research/blog/framesniffing/

Surprisingly, the attack works because the CMS's default configuration often does nothing to stop browsers from framing its pages. The approach bypasses browser security restrictions intended to prevent webpages from directly reading the contents of third-party sites loaded in frames. At the time of writing, only Mozilla Firefox has been updated to prevent frame sniffing.

Installations that are vulnerable by default include SharePoint 2007 and 2010. The vulnerability is easily stomped by setting the X-Frame-Options header, forcing browsers to disallow framing of critical server configuration pages, or of any other page that requires an “authentic user click”, as previously described by Microsoft's Eric Law in his (two-year-old!) IEInternals article, Combating ClickJacking With X-Frame-Options. Obviously, since this setting will prevent SharePoint from being framed, it might break your installation, for example if you have another intranet app using SharePoint via a frame.
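To make the X-Frame-Options point concrete, here is a small added example (my own illustration, not code from Context, Microsoft or SharePoint): an audit function that classifies a response's X-Frame-Options header the way a browser would treat it, run over a constructed set of sample responses, plus a WSGI middleware that stamps SAMEORIGIN onto any response that lacks the header. The paths and header values are made up for the demonstration.

```python
"""Audit and enforce X-Frame-Options, the header that stops a site being loaded
in a hidden frame (and so blocks frame sniffing). Added example; the responses
below are constructed, not captured from any real SharePoint installation."""
from typing import Dict, Tuple

# Constructed sample responses: path -> response headers (names lower-cased).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/settings": {"content-type": "text/html"},                         # header missing
    "/search":   {"x-frame-options": "SAMEORIGIN"},                     # protected
    "/home":     {"x-frame-options": "ALLOW-FROM https://intranet.example"},  # legacy form
    "/lists":    {"x-frame-options": "deny"},                           # case-insensitive
    "/profile":  {"x-frame-options": "ALLOWALL"},                       # not a real directive
}


def classify_xfo(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one response's X-Frame-Options header.

    verdict is "protected" (DENY or SAMEORIGIN), "partial" (ALLOW-FROM, which
    not every browser honours) or "frameable" (missing or unrecognised value,
    which browsers ignore, leaving the page frameable by any origin).
    """
    value = headers.get("x-frame-options")
    if value is None:
        return ("frameable", "no X-Frame-Options header; any origin may frame this page")
    directive = value.strip().upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return ("protected", f"{directive} blocks cross-origin framing")
    if directive.startswith("ALLOW-FROM "):
        return ("partial", "ALLOW-FROM is not honoured by all browsers; prefer SAMEORIGIN or DENY")
    return ("frameable", f"unrecognised value {value!r}; browsers ignore it and allow framing")


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Classify every sampled response; the frameable ones are the exposure."""
    return {path: classify_xfo(hdrs) for path, hdrs in responses.items()}


def add_frame_options(app, value: str = "SAMEORIGIN"):
    """WSGI middleware: set X-Frame-Options on every response that lacks one.

    SAMEORIGIN still lets the site frame itself (and same-origin intranet
    apps), which is why it is usually preferred over DENY for a CMS.
    """
    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers = list(headers) + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, start_with_header)
    return wrapped


def _plain_app(environ, start_response):
    """Constructed stand-in for a site that sets no framing header at all."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>constructed page</body></html>"]


def headers_after_middleware(value: str = "SAMEORIGIN") -> Dict[str, str]:
    """Run the stand-in app through the middleware and return the headers sent."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    add_frame_options(_plain_app, value)({"PATH_INFO": "/"}, start_response)
    return dict(captured["headers"])


if __name__ == "__main__":
    for path, (verdict, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{path:10} {verdict:10} {reason}")
    print(headers_after_middleware())
```

In practice you would feed the audit function the headers of real responses from each page you care about, and treat every "frameable" and "partial" verdict on a page that performs an authenticated action as a finding.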

Good news: Microsoft have stated that the X-Frame-Options header should be correctly set in the next version of SharePoint. Bad news: at the time of writing, LinkedIn have yet to respond to Context's vulnerability report.

Wednesday, 29 February 2012

Ordinal Numbers and Leap Years

Linda's always been mad about Scotland's rugby squad, and just recently she's been busily accumulating points for badges on their Six Nations website to prove herself a superfan! As you can see from the above graphic, she's notching up some success in the endeavour, having collected 2,000 points and been ranked eleventy second (112nd) overall at that point.

Looks like their web dev could use a refresher on English ordinal numbers? This little exercise in natural language expression always reminds me of today's leap day calculation. It has just enough of an exceptional clause to ensure frequent failures of implementation. For every code monkey who ever forgot that last rule about years divisible by 400, another has forgotten the "teens" exception to the suffix rule,
  • 1 takes "st" (so 1st, 21st, 101st, etc),
  • 2 takes "nd",
  • 3 takes "rd",
  • everything else takes "th".
The exception is of course that any number ending in 11, 12 or 13 takes "th", instead of the corresponding suffix for 1, 2 or 3. The close analogy with leap year rules is striking, as its etymology has nothing in common with the scientific basis of the latter (which itself does have direct analogies to things like modular arithmetic, games of Monopoly, and drawing smooth inclined straight lines on a pixel raster).
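As an added illustration (my own code, not the Six Nations site's), here are the two rules side by side in Python: a naive ordinal function that forgets the "teens" exception and so reproduces the "112nd" bug above, the corrected version, and the Gregorian leap-year test with its own final exception for years divisible by 400.

```python
"""English ordinal suffixes and leap years: two rules whose last clause is
the one everybody forgets. Added example, not code from the site discussed."""


def naive_ordinal(n: int) -> str:
    """The buggy version: last digit alone picks the suffix, so 112 -> '112nd'."""
    suffix = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def ordinal(n: int) -> str:
    """Correct version: 1/2/3 take st/nd/rd, everything else th, except that any
    number ending in 11, 12 or 13 takes th (so 11th, 112th, 1013th)."""
    if n < 0:
        raise ValueError("ordinals are defined for non-negative integers only")
    if n % 100 in (11, 12, 13):
        suffix = "th"
    else:
        suffix = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def is_leap(year: int) -> bool:
    """Gregorian rule: divisible by 4, except centuries, except centuries
    divisible by 400 (so 2012 and 2000 are leap years; 1900 and 2100 are not)."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def rank_badge(rank: int) -> str:
    """Render a leaderboard position the way the site should have done it."""
    return f"ranked {ordinal(rank)} overall"


if __name__ == "__main__":
    for n in (1, 2, 3, 4, 11, 12, 13, 21, 22, 23, 101, 111, 112, 113, 1013):
        print(f"{naive_ordinal(n):>7}  ->  {ordinal(n):>7}")
    print(rank_badge(112))
    for year in (1900, 2000, 2012, 2100):
        print(year, "leap" if is_leap(year) else "common")
```

The `n % 100 in (11, 12, 13)` test must run before the last-digit lookup, just as the divisible-by-400 test must override the century exclusion; putting either check in the other order is exactly the mistake the post describes.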

Update (1st March): Since the time of writing, Linda has climbed to rank 75th nationally with 2,600 points, and been promoted from "National Squad" to "1st Cap". Problem solved!
Update (3rd March): 66th nationally, 3,100 points, promoted to "Starting XV". Girl takes her rugby seriously.
Update (17th March): 57th nationally, 4,700 points, promoted to "Captain". Meanwhile, the team collected yet another wooden spoon today.

Monday, 27 February 2012

Everything is a Remix

New York-based film writer, director and editor Kirby Ferguson's brilliant little set of four 10-minute videos, Everything is a Remix, produced over the course of two years, reminds us of the original motivation behind copyright and patent law. Namely, to create a short period of controlled monopoly, allowing inventors and creators to recoup their development costs. And emphatically not to allow those rights holders to continue to profit almost indefinitely from their creations, while preventing others from doing anything similar or related.

Hat tip: Neurobonkers.

Sunday, 26 February 2012

Scotland 17-23 France

Match Report

On second thoughts, make that a photo essay. With a final score like that, I don't really feel like talking about it very much.

This year we sprang the extra £25+ to park within Murrayfield. A couple of practice fields behind the West Stand were provided for the purpose, a great improvement on the usual Edinburgh parking experience.

A couple of random supporters. With refreshments.

It all seemed to be going so well at first.

But in the end, this:

Och.

Tuesday, 21 February 2012

Help Find Ulf's Murderers

In January Adam Shostack, famous hereabouts for the SDL card game Elevation of Privilege, wrote about the murder of his Zero-Knowledge Systems colleague (pictured right) Ulf Möller (link to original Bild.de report, in German).

Yesterday, Adam wrote again about the case, pointing to a website created by Ulf's family containing several good quality surveillance camera photographs of his murderers (pictured below), explaining the background to the case (in English, German, Polish and Lithuanian), and asking everyone to help find the killers, and spread the word:
The two men are described as slim, both about 1.75 m to 1.80 m tall, between 20 and 30 years old. One of them was wearing a dark jacket with a fur-like hood. The surveillance cameras took clear pictures of his face. The other killer was wearing a noticeable light blue quilted Nike-brand jacket.

We are grateful for any help in finding the murderers. Clues can be reported to the German police (Polizeidirektion Sachsen-Anhalt Ost, who are leading the investigation) by calling +49 340 6000 293, by sending e-mail to lfz.pd-ost@polizei.sachsen-anhalt.de, or by visiting any German police station. If you prefer, you can email us directly at mail.ulfm@googlemail.com.

Friday, 10 February 2012

How to Steal a Google Wallet

Just Press Reset

This "quite significant security flaw" isn't new, but it is news, having received a bit of a boost in various blogs in recent days - oddly enough, because of the emergence of yesterday's much harder (and so less urgent) brute-force attack on the same PIN. Last December Evangelion01, posting on the xda-developers forum, drew attention to the following weakness in Google Wallet:
  1. Go into application settings.
  2. Clear data for Google wallet.
  3. Open wallet and set it back up.
  4. Everything remaining on your Google prepaid card can now be used.

This succeeds because Google Wallet stores your card details not in the phone's file system, but safely on the Secure Element. They are therefore unaffected by resetting the application data. However, your PIN is just stored in a file, so it does get wiped. Next time you run it, Google Wallet looks for the missing data, and concludes that it's being run for the very first time. Since Google Wallet is tied to the device itself, rather than to your Google account, it simply asks you to set a new PIN. All you have to do now is think of a number, and...

Bingo! When it next needs a prepaid card, it will find one already present on the Secure Element, and start using it.

There are a few obvious mitigating factors. First, you have to steal a phone that isn't screen-locked. And not just any phone: it has to be a Samsung Henstooth, with Wallet installed, activated, and using prepaid credit. So in that sense, Google Wallet is no more insecure than any other wallet, a little better in fact. Still, it's quite surprising that such a vulnerability should be allowed to get this far.

Update: they've finally fixed it.

Saturday, 28 January 2012

On International Data Privacy Day

Europe to Google

Really, Google? You're getting rid of over 60 different privacy policies and replacing them with one that's a lot shorter and easier to read? Gee, thanks for doing that! I do have trouble with anything requiring an adult's attention span. What's that, your new policy covers multiple products and features, reflecting your desire to create one beautifully simple and intuitive experience? Terrific! You believe this stuff matters? Well that's great, just great.

First of all: why oh why, in the name of all that's hairy (and private); why did you ever send this notification to my Sky Mail account? I know you provide their service; but you know, that only makes them, not me, your customer. My contract is with Sky. They carry a privacy policy, to which I've agreed. Your opinions were neither sought nor welcome, and your policy (or policies) has (or have) no dominion over me there.

Secondly: do you never learn? You killed the much over-hyped Google Buzz in 2010 by deliberately implementing and obscuring such default privacy settings as would shame Facebook. You just killed off any last chance of social network success, by enforcing your account naming policy in Google+ (latest feeble "concessions" notwithstanding). Now you impose, without an opt-out, this unification of accounts across all Google services. What makes you think that I will continue to want to entrust any of my business correspondence, private letters, other documents and messages, contact lists, calendars, photographs, videos, even this blog, to such a capricious company? To you, who might delete everything I own at any time, on a whim and without appeal, simply because you suddenly decide you don't like my name?

Thirdly and finally: shut up, sit down, and pay attention. European citizens will not have privacy policies dictated to them by their service providers. Europe shall determine the privacy policy to be applied to, and by, its service providers. That, or else providers will no longer be providers to Europeans.

Sufficient Unto The Day

And the same applies across the pond. Facebook Live, in conjunction with the National Cyber Security Counsel, streamed last Thursday's NCSA event anticipating International Data Privacy Day (which is today). This included the keynote opening speech by Federal Trade Commissioner Julie Brill, but if Zuckerberg and co thought their coverage would smooth the ride, then it's safe to say she surprised them. The full text of her remarks can be read here:

http://www.ftc.gov/speeches/brill/120126datarivacyday.pdf

But here are a few samples.
Our enforcement actions in the privacy area are also a call to industry to put important privacy principles into practice. Facebook and Google learned this the hard way.

The Commission’s complaint against Facebook alleges a number of deceptive and unfair practices [...] These include the 2009 changes made by Facebook so that information users had designated private became public.

We also addressed Facebook’s inaccurate and misleading disclosures relating to how much information about users apps operating on the site can access [...] that the company misrepresented its compliance with the U.S.-EU Safe Harbor. And we called Facebook out for promises it made but did not keep: It told users it wouldn’t share information with advertisers, and then it did; and it agreed to take down photos and videos of users who had deleted their accounts, and then it did not.
Google received similar coverage of the FTC's complaint against them in the Buzz era. Both companies settled their respective complaints, and have been left embarrassingly subject to a decades-long regime of shame, rehabilitation, audit and assessment. Yet both seem determined to keep testing and risking their parole.

Facebook and Google: sufficiently evil, unto the day.