Über Dig

Here is another interview question. In the example below, which one is the best/worst and why...

Today I was thinking about the different ways in Python to reverse a string. Each of these has a different runtime do you know why they are so different?

Django is releasing version 1.4 with some great security enhancements. One of them is a move off of the SHA1 password hashing algorithm to PBKDF2. Another is the ability to add your own password hasher to Django.

Django will use the first password "hasher" that you provide it (at least 1 must be included within your settings.py file.

PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', # Insecure Hashes 'django.contrib.auth.hashers.MD5PasswordHasher', # Insecure Hashes 'django.contrib.auth.hashers.CryptPasswordHasher', # Insecure Hashes )

Lets start with looking at how your create a new password hasher.

First you must inherit from BasePasswordHasher which is in django.contrib.auth.hashers . The class looks like this:

class BasePasswordHasher(object): """ Abstract base class for password hashers When creating your own hasher, you need to override algorithm, verify(), encode() and safe_summary(). PasswordHasher objects are immutable. """ algorithm = None library = None def _load_library(self): if self.library is not None: if isinstance(self.library, (tuple, list)): name, mod_path = self.library else: name = mod_path = self.library try: module = importlib.import_module(mod_path) except ImportError: raise ValueError("Couldn't load %s password algorithm " "library" % name) return module raise ValueError("Hasher '%s' doesn't specify a library attribute" % self.__class__) def salt(self): """ Generates a cryptographically secure nonce salt in ascii """ return get_random_string() def verify(self, password, encoded): """ Checks if the given password is correct """ raise NotImplementedError() def encode(self, password, salt): """ Creates an encoded database value The result is normally formatted as "algorithm$salt$hash" and must be fewer than 128 characters. """ raise NotImplementedError() def safe_summary(self, encoded): """ Returns a summary of safe values The result is a dictionary and will be used where the password field must be displayed to construct a safe representation of the password. """ raise NotImplementedError()

As you see you must create the following methods verify(), encode() and safe_summary()

Django does this with their PBKDF2 algorithm with 10,000 iterations making it computationally harder to brute force the hash. The password is stored in the following format:

"algorithm$number of iterations$salt$password hash"

In the case of PBKDF2 Django encodes the hash in base64

class PBKDF2PasswordHasher(BasePasswordHasher): """ Secure password hashing using the PBKDF2 algorithm (recommended) Configured to use PBKDF2 + HMAC + SHA256 with 10000 iterations. The result is a 64 byte binary string. Iterations may be changed safely but you must rename the algorithm if you change SHA256. """ algorithm = "pbkdf2_sha256" iterations = 10000 digest = hashlib.sha256 def encode(self, password, salt, iterations=None): assert password assert salt and '$' not in salt if not iterations: iterations = self.iterations hash = pbkdf2(password, salt, iterations, digest=self.digest) hash = hash.encode('base64').strip() return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash) def verify(self, password, encoded): algorithm, iterations, salt, hash = encoded.split('$', 3) assert algorithm == self.algorithm encoded_2 = self.encode(password, salt, int(iterations)) return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): algorithm, iterations, salt, hash = encoded.split('$', 3) assert algorithm == self.algorithm return SortedDict([ (_('algorithm'), algorithm), (_('iterations'), iterations), (_('salt'), mask_hash(salt)), (_('hash'), mask_hash(hash)), ])

If you are worried you need to install something Django includes the algorithm utils.crypto

def pbkdf2(password, salt, iterations, dklen=0, digest=None): """ Implements PBKDF2 as defined in RFC 2898, section 5.2 HMAC+SHA256 is used as the default pseudo random function. Right now 10,000 iterations is the recommended default which takes 100ms on a 2.2Ghz Core 2 Duo. This is probably the bare minimum for security given 1000 iterations was recommended in 2001. This code is very well optimized for CPython and is only four times slower than openssl's implementation. """ assert iterations > 0 if not digest: digest = hashlib.sha256 hlen = digest().digest_size if not dklen: dklen = hlen if dklen > (2 ** 32 - 1) * hlen: raise OverflowError('dklen too big') l = -(-dklen // hlen) r = dklen - (l - 1) * hlen hex_format_string = "%%0%ix" % (hlen * 2) def F(i): def U(): u = salt + struct.pack('>I', i) for j in xrange(int(iterations)): u = _fast_hmac(password, u, digest).digest() yield _bin_to_long(u) return _long_to_bin(reduce(operator.xor, U()), hex_format_string) T = [F(x) for x in range(1, l + 1)] return ''.join(T[:-1]) + T[-1][:r]

bcrypt is also provided but you must install py-bcryptor bcrypt in order for it to work.

Something that I find quite funny is the quote from the Django docs which contradicts what is written within the source code...

Django Doc

By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break.

Django Source Code

Right now 10,000 iterations is the recommended default which takes 100ms on a 2.2Ghz Core 2 Duo. This is probably the bare minimum for security given 1000 iterations was recommended in 2001. This code is very well optimized for CPython and is only four times slower than openssl's implementation.

Here are the slides for the talk I gave last night at OWASP NY/NJ. 

This morning I went to reddit.com which should of redirected me to www.reddit.com but instead I was greeted by another page.

Here is curl output

It was too early in the morning to investigate further but what are your thoughts?

Pentesting for startups

Here is a great feature to speed up program execution on Linux, Prelinking. This amazing example was taken from the NSA's guide to secure REHL (Red Hat Linux)

Prelinking is designed to decrease process startup time by loading each shared library into an address for which the linking of needed symbols has already been performed. The /etc/sysconfig/prelink file describes what files the /usr/sbin/prelink program will modify and how often it should modify those files.

A cron job is run daily that determines if the prelink program should be run. There are two types of prelinking: quick and full. Full prelinking occurs by default every fourteen days and relinks all shared libraries and the binaries that use them. Quick mode is run every day, but it only runs on modified binaries and libraries.

After a binary has been prelinked, the address at which shared libraries will be loaded will no longer be random on a per-process basis, even if the kernel.randomize va space sysctl is set to 1. This is undesirable because it provides a stable address for an attacker to use during an exploitation attempt.

A basic binary compare is a linear operation which is dangerous when comparing password hashes. If I wanted to know the hash of the users password I just need to look at how fast the comparison is failing and tweak my hash accordingly. 

This technique has been used successfully in many well known attacks and code to compare password hashes like this is widely used across the Internet.

In order to properly mitigate this attack you need to create a non linear string comparison. 

I love Scapy it makes network packet manipulation a breeze. Recently an exploit targeting IPv6 DOS exploit was released. I decided to write my own version of that exploit using Scapy and test it out on my home network...

The exploit involves flooding the local network with random router advertisements, hosts and routers update the network information, consuming all available CPU resources, making the systems unusable and unresponsive. As IPv6 and autoconfiguration are enabled by default, all are affected in their default configuration.   For Windows, a personal firewall or similar security product does not prevent this attack.

I needed to sniffer to so I can see if everything is working out properly... Scapy to the rescue again!

>>> sniff(filter='ip6',prn=lambda x: x.summary()) Ether / IPv6 / ICMPv6ND_RA / ICMPv6NDOptPrefixInfo / ICMPv6 Neighbor Discovery Option - Source Link-Layer Address 00:16:3e:71:42:b4 Ether / IPv6 / ICMPv6ND_RA / ICMPv6NDOptPrefixInfo / ICMPv6 Neighbor Discovery Option - Source Link-Layer Address 00:16:3e:71:42:b4 <Sniffed: TCP:0 UDP:12 ICMP:0 Other:126>

Nginx is one of the most popular web servers today. It serves over 7% of the worlds webs traffic and is growing at a fantastic rate. It is an amazing server and I love deploying it.

Here is a list of common security pitfalls and solutions to help ensure your nginx deployment is secure and safe.

1. Be wary when using "if" in your configuration files. Since it is a part of the rewrite module it shouldn't be used for anything else.

Directive "if" is part of rewrite module which evaluates instructions imperatively. On the other hand, nginx configuration in general is declarative. At some point due to users demand an attempt was made to enable some non-rewrite directives inside "if", and this lead to situation we have now. It mostly works, but... see above. Looks like the only correct fix would be to disable non-rewrite directives inside if completely. It would break many configuration out there though, so wasn't done yet.

Source: IfIsEvil

2. Passing Every ~ \.php$ request to PHP. We posted last week on the potential security vulnerabilities introduced by this popular directive. Even if your filename is hello.php.jpeg the ~ \.php$ regex will match and execute your file.

There are a two good solutions to the above mentioned problem. I feel that a hybrid approach is necessary to ensure that you aren't vulnerable to arbitrary code execution.

use try_files and only if the file isn't found (as should be the case for all your dynamic executable content) pass it onto the FCGI process running PHP.

Make sure that cgi.fix_pathinfo is set to 0 (cgi.fix_pathinfo=0) in your php.ini file. This ensures that PHP checks the full file path (and when it doesn't find a .php at the end of the file it will ignore it) 

Fix the regex to find the incorrect files. Now the regex looks at any file with ".php" in it. Make sure that only the correct files are executed by adding the following "if" condition to your site.  Set both location ~ \.php$ and location ~ \..*/.*\.php$ to return 403;

3. Disable the autoindex module. This may be already done by in your version of nginx if not just add the directive autoindex off; to your command location block.

4. Disable the ssi (Server Side Includes) on your server. This can be done by adding ssi off; to your location block.

5. Turn off server tokens. If this is on (which is included by default) all your error pages will happily display your server version and information. You can set this directive in your main nginx configuration file so you cover all your bases. server_tokens off;

6.Limit the possibility of buffer overflow attacks by setting custom buffers within your settings file.

client_body_buffer_size  1K;

client_header_buffer_size 1k;

client_max_body_size 1k;

large_client_header_buffers 2 1k;

7. Set low timeouts to prevent DOS attacks. All these directives can be placed within your main settings file.

client_body_timeout   10;

client_header_timeout 10;

keepalive_timeout     5 5;

send_timeout          10;

8. Limit user connections to prevent DOS attacks.

limit_zone slimits $binary_remote_addr 5m;

limit_conn slimits 5;

9. Try and avoid using HTTP Auth. HTTP Auth defaults to using crypt which is an insecure hash. If you are going to use it make sure you are using MD5 (which isn't good as well but loads better than crypt).

When flooding the local network with random router advertisements, hosts and routers update the network information, consuming all available CPU resources, making the systems unusable and unresponsive. As IPv6 and autoconfiguration are enabled by default, all are affected in their default configuration. For Windows, a personal firewall or similar security product does not prevent this attack.

I am a big fan of Scapy and this is going to make my weekend exciting!

Here is another reason why you should always take any online tutorial with a grain of salt. Neal Poole pointed out a pretty big hole in a prominent PHP + Nginx config file.

location ~ \.php$ {  include /etc/nginx/fastcgi_params;

fastcgi_pass  127.0.0.1:9000;

fastcgi_index index.php; etc...

The above code allows any filename with the PHP extension on the server to be executed locally. This can easily be exploited by uploading a malicious file <filename>.jpeg.php and the server will be more than happy to execute it. Even if you locked down your webserver any person can easily "own" your website.

This is from Fox's Breaking In. In usual Hollywood style hacking is depicted as a guy with a Hollywood style haircut and shave rapidly typing on a keyboard and breaking into the worlds most "secure system".

In reality hacking is split into two groups. The first is a group of people that go to work just like everyone else but instead of creating things they research and test how secure things really are. The second is a bunch of people that haven't seen a shaver or sunlight since they were in grade school typing with one finger because their fingers are greasy from food.

A network engineer, who was fired by the American branch of Gucci, has been accused of breaking into the computer systems of the Italian luxury good retailer, shutting down servers and deleting data.

According to the New York County District Attorney's office, 34-year-old Sam Chihlung Yin of Jersey City, NJ, used an account that he had secretly created while employed by Gucci to access the network after his employment was terminated.

In a 50-count indictment, the IT expert is charged with computer tampering, identity theft, falsifying business records, computer trespass, criminal possession of computer-related material, unlawful duplication of computer-related material, and unauthorized use of a computer.

It is alleged that while Yin was still employed as a network engineer at Gucci, he created a VPN token in the name of a fictional employee, and after being fired for unrelated reasons in May 2010 took the key fob with him. The following month, Yin is said to have contacted Gucci's IT department posing as the fictional employee and requested that his authentication fob be activated so he could access the corporate network remotely.