Sunday, April 21, 2013

2013: The Year of the Facebook Mobile Attack?

Facebook has been pushing - if you don't update, you'll receive notifications in your newsfeed - a new version of the Facebook app for Android. I've reluctantly upgraded the version on my Nexus 7, but I'm holding off installing it on my phone. At this point, I'm not sure the increased risk is worth it.

"What risk?", I hear you ask. There's a potential exposure in the new Facebook app; the app requires somewhat looser permissions than the previous version, including - wait for it - the ability to directly call phone numbers. Big red flag here, Facebook. The major form of malware seen to date on Android phones has been apps that use this permission to call premium-rate international numbers, running up a huge phone bill for the victim and delivering a nice profit for the attacker.

[Image: permissions required by the Facebook app for Android - notice "directly call phone numbers"]

The need to make phone calls arises from the introduction of the new "Facebook Home" - an app which takes over the home screen of a phone to present a Facebook-centric experience - as well as Facebook Messenger, which integrates Facebook messaging with SMS as well as supporting voice messaging. It's not clear to me why the main Facebook app, which does not support these functions, should also require access to the phone functionality, not to mention the ability to record audio, download files without notification, read your contacts and many other privacy-invading permissions.

At the same time, Facebook has been a terrific vector for the spread of malware on the PC, sometimes in the form of infected videos or apps, as well as privacy-invading apps which harvest your profile, contacts or other information, or download files.

The message: expect this to spread rapidly to mobile devices. Facebook now exposes a relatively large attack surface, and an attacker who can compromise the Facebook app on Android can use its permissions in a range of creative ways.

2013: the year of the Facebook mobile attack? I hope not, but it looks likely to me.

Sunday, April 14, 2013

Google+: The Good, The Bad and The Ugly

I've recently introduced a group of online friends to Google+. We'd mostly met via Facebook, where we'd shared things via a secret group, but disenchantment set in and the group was fractured when some of our number were locked out of their accounts (the reasons for that are not at all straightforward and I won't go into them here).

So a few of us were chatting about how to get around this, and off the top of my head I quipped, "We ought to set up a similar group as a Google+ community". Then I thought, "why not?" and a minute later, I'd done it.

I spent the day intermittently writing short "How-To" posts for the new users I was dragging across from Facebook, answering their questions, helping them to figure out how to get things done, etc. It's been a couple of days and the experience has given me a better understanding of Google+.

Neither Good Nor Bad - Just Important


Circles. You have to grok circles. Circles have both read and write, or in and out, functionality. You can use circles to filter what you see in your home page - for example, you can suppress a circle from appearing in your Home page stream (great if they are prone to posting NSFW images!). That's the "read" functionality. You can also limit posts to only certain circles so that your doings are not broadcast to the wrong people - that's the "write" functionality, which will be more important to some people (to be honest, I regard anything that I post on a social networking site as public).

The problem is that the importance of circles, and the things one ought to consider when creating them and adding people to them, are not immediately obvious - it's only after you've spent some time fiddling with the various configuration options that their importance becomes apparent.

The Good


Now to some good points I've noticed and others have commented on.

Firstly, the Home page has filtering, so you can view just specific circles. Across the top of the home page are buttons for "All", "Friends", "Following", or whatever circles you've created. This means you can choose to see only posts from colleagues during the workday, then spend some time catching up with friends, or reading up on products/technology you're following.

The integration with Gmail, Contacts, Youtube, Blogger, etc. is nice - but only important for users who have already engaged with the Googleverse. It's good for me - I use Google Apps for both business and university purposes, and it was that that led me to get my Google+ profile sorted out and then start using it - but for people looking for a Facebook alternative, the fact that you might have to use some other Google service such as Google Drive to get things done seems odd.

There are some nice usability features; for example, you can drag and drop pictures directly into the "Share what's new..." comment box - there's no need to click on "Add Photos/Video" first. However, on the down side, sharing URL's requires you to click on a link button to get a field, rather than auto-recognising the URL in your text. And Google+ doesn't automatically provide previews of URL's in comments like Facebook does.

The privacy and security options are very granular; this is great if you're willing to take the time to learn and use them. Not everyone is willing, though - and it can be confusing for the new user, who doesn't know what all these things are.

Communities are essentially equivalent to Facebook groups, and can be made public with no barriers to joining, public with approval for joins, or secret, which will require an invitation to join. A nice feature which Facebook doesn't have is "Categories"; for example, I quickly created a "Using Google+ And This Community" category where I could post hints and answer questions without overwhelming the main "Discussion" category. Of course, the default view when one logs in is "All posts", which displays everything - and it takes the new user some time to discover and use categories. Until they do, they post everything in the default "Discussion" category and (under "Bad") there's no way for moderators to move posts to the correct category.

It's quiet. I've given up on Twitter; it's been over-run by social media "marketers" who think they're slick, and aren't. Facebook is rapidly heading the same way; my newsfeed is starting to fill with posts from link farmers trying to trap people into granting access to their Facebook profiles. Google+ doesn't have that, as far as I can see. Yes, there are marketers there - I follow a couple of my favourite brands - but so far, it's a pretty well-behaved place.

The Bad


But there are problems, and it's been obvious as I've introduced these new users.

It's noisy. By default, every post, every comment on a post, every damn thing that happens, fires off an email. There's a notifications on/off button in communities, but that doesn't seem to do much to quieten things down - instead, you have to go to your profile,

Configuration options and settings are spread out in various places, mostly accessible from your Profile, via the gear-wheel icon at top right. Some options are under "Profile and Privacy" (https://www.google.com/settings/privacy) - for example, you can control which people appear in the "People in his/her circle" listing on your profile, on a circle-by-circle basis if you want. But other settings, such as just what "Your Circles" means when you share something with "Your Circles", and the email/SMS notification noise level, are under "Google+" (https://www.google.com/settings/plus). It all gets rather confusing, especially for the new user.

Another big issue is the lack of group chat functionality. Just like Facebook, there's a "Chat" tab at lower right of most pages, but unlike Facebook, you can't add multiple people to the conversation. Googling "Google+ group chat" leads to articles that imply it's possible, but the software has obviously changed since they were written. And the confusion over Google's IM products doesn't help: there's Google+ Chat, Google Talk, Google Messenger and Google Voice, and they're all different things. In fact, it seems that two different things on different platforms (PC vs Android) can even have the same name even though they're incompatible and not interoperable.

If you really want a multi-way conversation, Google+ pushes you towards "Hangouts" which offer up to 10-way videoconferencing and have some really neat features such as screen-sharing, etc. However, not everyone has a webcam, or even a microphone, or they don't want to be seen. And Hangouts require special software; when you start a hangout (or try to join one?) without the software, you are prompted to download GoogleVoiceAndVideoSetup.exe. The messages seem to imply that the software has installed itself; however I soon discovered that it hadn't, and when I found and ran GoogleVoiceAndVideoSetup.exe, it downloaded and installed the actual code required. At this stage, no-one else in our little group seems to have completed the process and so we haven't actually accomplished a Hangout. If we do, we might well move this feature to the "Good" side of this balance sheet.

File sharing is difficult. Facebook groups have a "Files" tab and even an "Add file" link right at the top of the page. There's nothing like this in Google+ communities. The easiest way to share something seems to be to upload it to Google Drive, make it public and accessible to anyone who has the link, then copy and paste the link into a Google+ post. This is awkward at best, and it also means that the file is stored in an individual user's Drive, rather than storage space that belongs to the community. At the very least, the Share... menu option in Google Drive ought to have options for sharing to Google+ - that functionality already exists in Youtube and could almost be copied and pasted into the Google Drive code base. (Update: it turns out that there may be a button which allows direct sharing to Google+ [or email, Facebook or Twitter], but I don't see it because I'm using the Google Apps version of Google Drive. Just another complication - different people see different versions of the same thing, depending upon which Google services they're signed up for.)

Terminology keeps changing. For example, the term "stream" has fallen into disuse - your "stream" is now your "Home page". And I've already mentioned the confusion over the IM apps.

Functionality keeps changing and is inconsistent. Google+ - and the rest of the Googleverse - is obviously in a constant state of change and flux. New functionality is constantly appearing while older and less-used - but popular with its users - features are liable to disappear. I need only mention Google Reader at this point - but it's an issue I'll return to.

Related to this is the fact that while Google is positioning Google+ as the central hub of their applications and services, at least for identity and profile management, it is not very good as a user-centric dashboard. As one of my friends pointed out, iGoogle was much better for that - but it's due for end-of-life later this year. It's a great pity - Google needs something that provides a single page with widgets for Gmail, Calendar, Contacts, Google+, etc. Ironically, I realised that's what my home screen on the Nexus 7 provides - it would be wonderful if Google could provide a web page that could run the same widgets as Android devices. How about it, Google?

The Ugly


Now we're down to cosmetics - the kind of thing that a bit of CSS fine-tuning could probably fix.

Google+ doesn't seem to fit as much information on the page as Facebook does. I say, "seem", because on close inspection they both use the same font size for the main text of posts. Google+ puts its major app icons down the left column while Facebook lists groups, apps and pages there; scrolling up, Facebook shifts it up, leaving empty white space. Over on the right, Google+ lists more "stuff" you might like while Facebook puts a scrolling "ticker" app, which is dense with a smaller font and less white space.

Part of the reason for the less dense appearance of Google+ is its use of boxes around posts and grey shading. Facebook's all-white page is much cleaner looking. Google+ could really use a makeover from a good designer.

Summing Up


Overall, the impression one gets is that Google+ is "geekier" - it's stronger and more innovative on the back end server functionality. There are lots of configuration options, but Google annoys most first-time users by not setting appropriate defaults - there are far too many email notifications and the privacy settings probably aren't set high enough for most users, requiring a good half-hour or more of stumbling around, changing things by trial and error.

I believe that Google+ is going to grow and get better - as more and more users acquire Android devices or switch to using Google Apps and Gmail, they will be assimilated, and the functionality will be refined. But for now, it's still rough round the edges and a bit abrasive for the user switching over from Facebook.

Monday, April 1, 2013

Much Ado About DNS Amplification Attacks

There's been much wailing and gnashing of teeth from one or two people over DNS amplification attacks, following an over-hyped DDoS attack on Spamhaus using this technique. The attack relies on sending DNS requests with the source IP address spoofed to be the address of the victim, which is then swamped by comparatively large reply datagrams. Here are two techniques to make sure that your systems can't be used by Bad Guys to conduct these attacks.

For years now, in my CISSP Fast Track Review Seminars, I've been advocating the use of reverse path filtering in routers and firewalls. In fact, it's an Internet Best Practice - see BCP 38 [1]. It's implemented in the Linux kernel and many distributions turn it on by default. On Red Hat Enterprise Linux, CentOS or Scientific Linux, for example, take a look at the /etc/sysctl.conf file, looking for the following lines near the top:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1


If you change that to:

net.ipv4.conf.default.rp_filter = 2

you have solved the problem - before forwarding a packet, the kernel essentially asks itself, "If I was sending a reply to the source address of this packet, would I send that reply back out the interface that I received this packet on?". If the answer is no, the packet is dropped. So, for example, if a packet with a source address on your internal network arrived on the external interface, it would be dropped.

If your distro does not use the sysctl.conf file, you can achieve the same effect with the following command in a startup script such as /etc/rc.d/rc.local:

echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter

The default value of 1 enables reverse path filtering only of addresses on directly connected networks. This is a safer option - full reverse path filtering can break networks which use asymmetric routing (e.g. the combination of satellite downlinks with dial-up back-channels) or dynamic routing protocols such as OSPF or RIP.
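A quick way to confirm what the kernel is actually enforcing, as an added example that is not part of the original post: the script below reads the rp_filter knobs for every interface and reports the effective value. Two details matter here. First, net.ipv4.conf.default.rp_filter only seeds interfaces created after the setting is applied, so to cover interfaces that already exist you also set net.ipv4.conf.all.rp_filter; the kernel's ip-sysctl documentation states that the maximum of conf/all and conf/<interface> is what is used when validating a packet on that interface. Second, that same documentation (kernels from 2.6.31 on) names value 1 "strict mode" and value 2 "loose mode" as defined in RFC 3704, so check the documentation for the kernel you are actually running before relying on any mapping of the numbers. The ROOT parameter is an assumption of this example, so that the functions can be pointed at a copy of the directory tree for offline testing.

```shell
#!/bin/sh
# Audit the effective rp_filter setting per interface.
# Added example, not from the original post. ROOT is /proc/sys/net/ipv4/conf
# on a live Linux system, or any directory with the same layout for testing.

# Map the numeric value to the mode named in the kernel's ip-sysctl documentation.
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter ROOT IFACE
# The kernel validates with max(conf/all/rp_filter, conf/IFACE/rp_filter).
effective_rp_filter() {
    root=$1; iface=$2
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_audit ROOT
# Prints one line per real interface (the pseudo-entries "all" and "default"
# are skipped) and returns 1 if any interface has source validation off.
rp_filter_audit() {
    root=$1; rc=0
    for dir in "$root"/*; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        val=$(effective_rp_filter "$root" "$iface")
        printf '%-10s rp_filter=%s (%s)\n' "$iface" "$val" "$(rp_filter_mode "$val")"
        [ "$val" -eq 0 ] && rc=1
    done
    return $rc
}

# When run directly on Linux, audit the live kernel settings.
if [ -d /proc/sys/net/ipv4/conf ]; then
    rp_filter_audit /proc/sys/net/ipv4/conf || echo "WARNING: some interface has rp_filter=0" >&2
fi
```

Run it after changing sysctl.conf and `sysctl -p`; an interface that still reports 0 is one that existed before the change and is only covered once conf/all is set as well.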

However, reverse path filtering really needs to be implemented by all ISP's, to stop datagrams with spoofed source addresses from getting anywhere on the Internet. For those of us who aren't ISP's but just operate our own networks, a better fix is to make sure that your DNS either does not support recursive lookups, or supports them only for your own networks.

If your DNS is intended only as a primary or slave master for your own public zones, and will therefore be authoritative, then just edit the named.conf file to set the global options:

options {
     allow-query-cache { none; };
     recursion no;
};


However, if your DNS will provide recursive lookups for your internal machines, then restrict recursive lookups like this:

acl ournets {203.35.0.152/29; 192.168.0.0/21; };

options {
        directory "/var/named/data";
        version "This isn't the DNS you're looking for";
        allow-query { ournets; };
        allow-transfer { ournets; 139.130.4.5; 203.50.0.24; };
        allow-recursion { ournets; };
};


(Replace the network addresses in the ournets acl with your own addresses, obviously.)

The allow-transfer directive restricts zone transfers, and you would normally only allow slave DNS's (e.g. those provided by your ISP) and perhaps a few addresses within your own network - I've allowed transfers from all addresses in ournets, so that the dig command can be used for diagnostics. The allow-recursion directive allows recursive lookups only from our own machines.

Finally, the allow-query directive means that only your own network(s) can even query this DNS - if you need to allow queries of your public zones, you can allow that in their specific options, later:

zone "ourcorp.com.au" IN {
        type master;

        file "db.ourcorp.com.au";
        allow-query { any; };
};
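Once the ACLs are in place, the check a practitioner wants is to query the server from an address outside ournets for a name it is not authoritative for, and confirm that recursion is refused. The script below is an added example and not part of the original post; it classifies the header lines of dig's output (the status code and whether the ra, "recursion available", flag is set) and ships with three constructed samples so the parser can be exercised without network access. The check_resolver function and the probe name www.example.com are assumptions of the example.

```shell
#!/bin/sh
# Classify a DNS server's response to a recursive query for a name it does
# not serve. Added example, not from the original post. Feed it the text that
# dig prints; it looks only at the ";; ->>HEADER<<-" and ";; flags:" lines.

# Reads dig output on stdin and prints one of: open, closed, inconclusive.
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' | head -n 1)
    case " $flags " in *" ra "*) ra=1 ;; *) ra=0 ;; esac
    if [ "$status" = REFUSED ]; then
        echo closed                      # recursion (or all queries) denied: what we want
    elif [ "$status" = NOERROR ] && [ "$ra" -eq 1 ] && [ "${answers:-0}" -gt 0 ]; then
        echo open                        # it recursed for an outsider: an open resolver
    else
        echo inconclusive                # e.g. an empty referral; inspect by hand
    fi
}

# check_resolver SERVER: run the probe against a real server with dig (assumed
# helper; run it from an address that is NOT in the ournets ACL).
check_resolver() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    dig @"$1" www.example.com A +time=3 +tries=1 | classify_dig_output
}

# Constructed samples of dig's header lines, not captured from any real server.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4102
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4103
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

# Exercise the classifier on the constructed samples when run directly.
for s in "$SAMPLE_OPEN" "$SAMPLE_CLOSED" "$SAMPLE_REFERRAL"; do
    printf '%s\n' "$s" | classify_dig_output
done
```

The "inconclusive" case exists because a server that denies recursion may answer with an empty response or a referral rather than REFUSED; that still carries a payload, so it is worth looking at the full reply size rather than assuming it is harmless.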


Should you choose to go further, there are also patches for BIND which allow you to rate-limit responses, so that you can provide protection for your own addresses against DNS amplification attacks.

The bad news is that if you are running Windows, the only option that you have is to completely disable recursion - the Windows DNS is originally based on really old BIND code and does not have most of these options.

Implement these two simple fixes, and you can be confident that your systems won't be part of the problem.

References:


[1] BCP 38: Network Ingress Filtering - Defeating Denial of Service Attacks which employ IP Source Address Spoofing - available online at http://tools.ietf.org/html/bcp38

[2] US CERT Alert TA13-088A, DNS Amplification Attacks. Available online at http://www.us-cert.gov/ncas/alerts/TA13-088A