Relatively Secure

Last week Symantec reported an active exploit of Cross Site Request Forgery (CSRF) against residential ADSL routers in Mexico (WHID 2008-05). In this attack, an e-mail with a malicious IMG tag was sent to victims. By accessing the image referenced by the e-mail message, the user initiated a router command which changed the DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker’s server.

For the Web Hacking Incidents Database (WHID) this type of attack presents a new category: until now WHID included attacks against servers and ignored attacks against clients. After all, this is the Web Hacking Incidents Database.  The closest WHID got to client side attacks were incidents in which a web site was hacked and a malicious code was inserted to abuse clients, such as the Dolphins Stadium Incident (WHID2007-10).

WHID 2008-05 somewhat blurs the lines: while the attack is definitively against clients, and the bank is only indirectly involved, it is technically a web hack and demonstrates the need for better web application security. The reason if of course that technology blurs the lines: when installing ADSL routers at customers’ premises we place a sophisticated piece of equipment at their hands. Neither the developers nor the service providers give the necessary attention to the security implications of this, making our computing environment much less protected than ever. Another example of the same problem was discovered recently by Aaron Weaver who found that printers are susceptible to XSS.

To signify this new trend we have added to WHID a new attribute, location, which will describe where the attack takes place. The default when location is not specified is server, while for WHID 2008-05 the value would be client. Another possible value for this attribute is proxy or service provider if the attack occurs somewhere along the way.

One of the issues haunting WHID since its inception two years ago is inclusion criteria: which incidents get in? WHID goal is not to provide an alternative to Zone-h defaced sites archive or ScanSafe’s Threat Alert which tracks malware planted on web sites. WHID aim is to be provide a tool for decision makers and researchers to understand the real world impact of web hacking, and to achieve that WHID limits itself to “meaningful” incidents.

To achieve this goal, I continuously try to nail WHID inclusion criteria. It is not easy to translate “meaningful” to absolute and objective criteria. The criteria I came up with so far are:

• Real incident: the bad guys did something, it is not just the good guys that disclosed a vulnerable site.
• Known or highly suspected to be a result of a web hack.
• Interesting. This is the tough one and highly subjective one. By interesting I usually mean one of those:
  • Not something that happens daily.
  • A high profile target.
  • The damage done was significant.
  • The incident is just a “very good story”.

If you have an incident that falls under these criteria and is not at WHID, I would love to here about it. I would also like to here if you feel that these criteria are not correct. One thing I know and don’t need you to tell me is that there are incidents in WHID that do not satisfy the criteria above: the criteria change and I don’t always go back and filter again past incidents…

1. Introduction

The Payment Card Industry Data Security Standard  (PCI-DSS for short), requires that credit card numbers are not transmitted in clear and are not presented to users unmasked. Naturally a network monitoring systems such as an IDS or an IPS seems like a natural enforcement system to ensure that such information is not sent against the regulation over a network.

But closer examination shows that implementation is far from trivial. This writeup would discuss several aspects of implementing a network monitoring system to detect leakage of credit card numbers:

• Matching a credit card number sequence
• Handling false positives using exceptions
• Additional considerations including: evasion, logging, performance and other sensitive patterns.

2. Matching a Credit Card Number

2.1 Matching a Credit Card Number Sequence

A credit card number includes 13 to 16 digits. In addition, real world presentation of a credit card number often include delimiters such as dashes or spaces, usually in specific positions. The following regular expression can be used to match credit card number sequences:

\d{4}[\- ]?\d{4}[\- ]?\d{2}[\- ]?\d{2}[\- ]?\d{1,4}

2.2 Boundaries

For long sequences of digits, which are common in network traffic, the above regular expression would match multiple sequences of the desired length. In order to avoid that, we need to define the sequence delimiters. What can or cannot be a valid delimiter might vary according to the application. Not requiring any delimiter would generate many false positives while requiring delimiters might lead to false negatives. For example, should we allow a leading “0″?

A reasonable choice for a delimiter would be any non-digit character. The resulting regular expression is:

(?<!\d)\d{4}[\- ]?\d{4}[\- ]?\d{2}[\- ]?\d{2}[\- ]?\d{1,4}(?!\d)

or if a regular expression engine does not support look-ahead and look-behind searches:

(?:^|[^\d])(\d{4}[\- ]?\d{4}[\- ]?\d{2}[\- ]?\d{2}[\- ]?\d{1,4})(?:[^\d]|$)

2.3 Validate the number against the LUHN checksum algorithm

However sequences of 13 to 16 are not always credit card numbers. There are many other long numbers in typical network traffic. For example, we often find that identification numbers such as product IDs used in online stores are also 13-16 digit numbers. Luckily, a credit card number has to conform to the LUHN checksum function. A monitoring system can implement this algorithm and check that each sequence of digits detected is a valid credit card number.

Is this enough to avoid false positives? The LUHN function is a checksum function that generates an additional digit for each number and therefore it matches 1 out of 10 consecutive numbers. Since in most cases applications use numbers of this length as identification numbers, the applications would probably use many consecutive numbers, and therefore 1 out of 10 numbers used would be a valid credit card number. Therefore validating sequences using the LUHN formula reduces false positives by 90% but does not eliminate them.

2.4 Checking Prefixes

To reduce the amount of false positive, a monitoring system can check that the credit card number is not just valid but was also assigned. Naturally the monitoring system cannot include a list of all assigned numbers, but it can check for prefixes which where assigned to different financial institutes. A pretty good table of assigned prefixes can be found on Wikipedia.

Prefixes further reduce false positives and can be implemented using a regular expression. Assigned numbers account for 1% to 17% of the valid credit card numbers, depending on the sequence length. Prefixes are especially useful for eliminating the less often used sequences of 14 and 15 digits (1.2% and 2.5% prefix coverage respectively), leaving us with mostly the 13 and 16 digits sequences. 13 digits sequences are a mystery: it is not clear whether Visa still uses them.

On the down side, using prefixes can lead to false negatives and require updates to the monitoring system. For example, the Australian Bankcard range is marked as not in use in the Wikipedia table, but we have recently saw such a number in actual traffic.

Using the LUHN formula and prefix validation, false positive rate can be reduced to approximately 1% of the rate achieved using pattern matching only,

3. Handling False Positives Using Exceptions

In real world systems 1% is still a high number, especially as sequences of digits are quite common in network traffic. If a human would have to examine even hundreds of alerts a day, the monitoring system becomes not useful. How can we make the accuracy of the detection system better?

One way to do that would be to create exceptions for traffic known to generate such false positives.  Exception can be defined both for non credit card sequences as well as for intentional and legal transmission of credit card numbers.

Such exceptions are a curse as much as a blessing, as overusing them or defining them too broadly will open big security holes. Lets take for example a 16 digit sequence used as a product ID in a web site. An exception using firewall like rules which support only IP address and port would have to ignore an entire web site to take care of such an issue. On the other hand an application aware monitoring system, such as a Web Application Firewall, can define a much more fine grained exception. In the case above, a WAF rule can be defined to exclude credit  card number detection for the specific field on a specific page used for the product ID.

Let’s assume for example that a ModSecurity rule number 955555 detects credit cards in an application output, but the page /support/manual_payment.php, available only to store personal,  must display a credit card number. The following is a simple ModSecurity exception for ignoring this rule for a single page:

<LocationMatch “/support/manual_payment.php”>
SecRuleRemoveById 955555
</LocationMatch> 

The exception can further check that  only a single credit card number is displayed on this page, and only in a certain part of the page.

Further more, the product ID may have some unique attributes such as its own prefix or surrounding text that can help to make the exception narrower.A good example is Google AdSense. A site running Google ads needs to add the following piece of code to each page displaying ads:

<script type=”text/javascript”><!–
google_ad_client = “pub-0000000000000000″;
google_alternate_color = “ffffff”;
… 

Many times the 16 digits ID in the google_ad_client parameter is a valid credit card number. The following modified regular expression will compensate for that:

(?<!google_ad_client = \”pub-)(?<!\d)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?!\d)

4. Other Considerations

4.1 Evasion

Evasion techniques are a serious problem for intrusion detection system in general and even more so for detecting credit card numbers. Even the simplest transformation function performed on a sequence will enable it to bypass detection. For example, an attacker performing an SQL injection attack in order to smuggle card numbers out, could craft an SQL statement in such away that each credit card number is multiplied by 2. As a result, the monitoring system would not detect the output as a valid credit card number. Once the information is out, the attacker can easily divide the number by 2 to get the original credit card number. Because it is so easy to evade them, network monitoring system, or actually any other egress inspection system are not suitable for detecting malicious theft of credit card numbers. To avoid such credit card numbers theft one must focus on inbound protection.

But even unintentional leakage might be subject to unintentional evasion. A good example is encryption: in order to provide better security, many applications use encryption when transferring information over the network. Such encryption would hide the traffic from the monitoring system.While most network layer IDS solutions fail to decrypt SSL, web layer security solutions always do that. You can read more about the SSL blind spot in this thread.

Another problem would be encoding systems built into network protocols such as Unicode encoding or compression of HTTP traffic and base64encoding of e-mail messages. Again, network only monitoring systems would not detect the encoded traffic, while an application aware monitoring system would  decode prior to inspection and therefore detect the leakage.

4.2 Logging

Logging is just as important as detection for a monitoring system. This is all the more so with credit card numbers detection: in many cases a security breach can be mitigated better if the organization knows what actual information leaked. For example, different state disclosure bills such as California SB-1386 require an organization to notify all affected clients in case of a breach. If the organization does not know who the affected clients are, it must notify everyone, raising the price of the breach and the media exposure.

Unfortunately, logging credit card leakage incidents is not trivial. PCI DSS does not allow the credit card number itself to be logged. On the other hand, the logging record must include enough information to be useful. Useful implementation must keep two levels of log:

1. Alert logs that can be used to analyze what happened, but do not include the actual credit card number, or possibly a masked version of it.
2. Encrypted store for the credit card data itself.

4.3 Performance

Regular expressions are not very efficient and therefore most IDS try to avoid testing the payload for a large number of regular expressions. To achieve that, an IDS would first use an efficient parallel matching algorithm such as Aho-Corasick, which is super fast and uses a single cycle through the payload to check for all signatures. In the other hand parallel matching can only matches simple strings. Only if a certain simple string matches, a follow-up regular expression is tested.To reduce the number of regular expression tests required, the parallel matching algorithm searched the longest constant string extracted from every regular expression.

Unfortunately the regular expressions presented so far in this write-up do not have any fixed string in them as the look for a sequence of digits. Parallel matching algorithms can be adapted to search efficiently for a string of character groups, digits in this case, rather than a string of  characters, but normal implementations found in most IDS do not support it.

Additionally, the performance cost of running a checksum algorithm over any sequence matching must be taken into account.

4.4 Other Sensitive Identifiers

While credit card numbers are the most well known sensitive identifier for which PCI DSS  requires special attention, it is neither the only one, nor the most sensitive. Card Verification Code (CVV) is a 3 or 4 digit code on the back of a credit card that is often used as an additional identification number in online transactions. CVV is even more sensitive than a credit card number, but much harder to detect as it is so short and has no checksum digit.

One way to detect use of CVV numbers is to find a 3 or 4 digits value in a field on a form where a credit card number was found. This method is far from immune to false positives, but in paranoid environments might pull the trick.

5. Conclusion

Detecting theft of credit card numbers by monitoring network traffic is very difficult, but such monitoring can be useful for detecting unintentional leakage of credit card numbers. In order to do so the monitoring system has to be application and protocol aware so that it can both compensate for encoding and encryption applied to the data as well as provide a tool for creating exceptions for valid credit card numbers or other information detected as credit card numbers.

I live in a war zone. Less than one mile from my house is a border which I have never crossed. Many have died on both sides of the border and many probably will die here in the future. But when I jog along the border, with the wonderful view you can see at the top of this page, listening to the birds sing, it all seems quite unreal. Is the quietness deceptive? Am I secure?

Maybe this perspective enables me to understand better than my fellow information security technologists that nothing is really secure. Security is relative. One can be more secure than his neighbor, or more secure than he was last year, but nothing, never, is just secure.

The most obvious outcome of this viewpoint is that my research area, unlike most of my peers, has always been protecting information systems rather than breaking into them. It is just not that much fun to break things that are inevitably breakable. The other outcome is that this site is not secured. I don’t feel it is worth my time and effort to make sure nobody breaks into the site as it does not contain any sensitive information. With good backups, I should be up and running in no time if someone does break in. But actually, why should somebody do that?

XSS has dominated the Web Hacking Incidents Database statistics page since its inception. The immediate conclusion it that XSS is the most dangerous of them all. This is supported by the fact that XSS is the vulnerability most commonly found by pen testers according to the Web Application Security Consortium’s Statistics Project and that new and advanced JavaScript payloads such as Anton Rager’s XSS proxy or SPI’s JS scanner are created daily to exploit XSS.

On the other hand, while it is easier to find XSS vulnerabilities (after all the vulnerability is reflected to the client), it is still harder to abuse XSS vulnerabilities.

An new feature of the Web Hacking Incidents Database statistics page published today shed some light on this question. In addition to the total count, two new numbers are presented for each classification: the number of actual security breaches reported and the number of vulnerability disclosed but not known to be abused. Actual security breaches are more significant as they indicate both that a vulnerability is exploitable and in many cases what the damage can be.

The numbers are interesting: while on the total count, XSS leads by a wide margin (53 incidents vs. 24 for SQL injection), when we look only at the number of security breaches the field levels, with XSS and SQL injection tying for first place (15 incidents each). But the really striking number is the number of breaches for which the vulnerability is unknown: 37, more than XSS and SQL injection together!

What can we learn from this? that XSS is certainly a killer vulnerability, even if not THE killer vulnerability. But probably the main lesson is that we know little. With so little information about the real world attacks, threat modeling requires collecting information from many sources, each providing a partial and somewhat biased view. In addition to WHID information can be drawn from sources such as the WASC’s Statistics Project, Jeremiah Grossman’s Web App Sec survey or WASC’s Open Proxy Honeypot Project and others. Saying that, with so much more hidden than on the surface, we always need to rely on own (hopefully) good sense.

The entry in the Web Hacking Incidents Database FAQ describing which incidents are included in the database and which are not seems simple, but hides a lot of complexities.While it might seem obvious what a web hack is, nothing is further from the truth. Is a hack only a real break-in or any vulnerability discovered in a live web site? We recently changed the criteria for inclusion in WHID. The reason was simple: to make the database more useful. We made two changes:

• Gone are most vulnerability disclosures. They can only marginally be called hacks anyway, and on top of that, the blur the difference between this database and your normal everyday vulnerability registries such as Bugtraq and CVE. A small number of vulnerability disclosers still make their way to WHID, if the relevant web site is of such an importance that justifies that, or alternatively, if the case can teach us something
• The requirement for a court proof for the hacking being web based was removed. The requirement made the database very objective, but severly limited our ability to include incidents in the database. We now include stories that we believe are a result of a web hack, even without hard evidence. We are ready to remove stories if we find out differently, which recently happened in the TJX incident.

The new criteria balance the need for objective selection of incidents with the need to bring good stories that people will find useful. Not having CardSystems in WHID for a long time was just not justifiable. Bottom line: now we have all the good stories and just good stories.

Until today, the CardSystems incident, probably the most well known information security breach ever, was mentioned in WHID only in the FAQ. It was mentioned as an example of an incident that we would like to add to WHID but cannot because there is no public information about how the hack was done. Today, nearly a year after it was initially publicized, it was added to this database. While we always suspected that it was a web hack and industry rumors hinted that, no public information regarding the way in which the hack was done was available until now.

Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more and several million dollars fraudulent credit and debit card purchases had been made with
these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever
and it caused company share holders, financial institutes and card holders damage of millions of dollars.

Recently new articles about the case revealed that SQL injection was used by the attackers to install malicious script on the CardSystems web application database which where scheduled to run every four days, extract records, zip them
and export them to an FTP site. You can links to those articles in CardSystems entry WHID 2004-17.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

I’ve recently added to the database an old incident. In March of 2003 a hacker broke into the computers of the University of Texas in Austin and stole more than 55,000 social security numbers. Since at universities the networks are many times wide open, I dismissed the incident at the time as another network based hack.

A note posted in one of the mailing list made me go and check the incident again. I found out that the hacker penetrated a database, not a web application, but not a network layer attack either. I continued my research in order to determine what database is was and found out that it was txClass. Now, what database can this be? I certainly haven’t heard of such a product before. Well txClass is a web based application, which was referred to in the news stories as a “database” since it does manage a database.

So this was a web application layer hack. I even managed to find out what the hack was: the hacker brute forced the system by trying large ranges of social security numbers.

This incident shows how little we actually know about published incidents and hints that many of the incidents that I do not include WHID might actually be related to the application layer.

If you took a look at the statistics page, you probably saw that in 2005 the number of reported incidents grew rapidly. This is probably at least partially because we started collecting information in 2005. But I believe that there is an additional reason: many more people are concerned with web application security and are inspecting online services searching for vulnerabilities.

When analyzing the 2005 incidents we can see that the bulk of incidents are disclosure incidents, and in many cases they have two common attributes: they where discovered in major sites such as Google and Yahoo and a large part of them are XSS vulnerabilities. The reason for that is simple: researches naturally focus on larger sites, and XSS is the easiest vulnerability to find since the vulnerable code is on the client machine and available to the researcher.

These findings highlights two phenomena: first, the ever increasing interest and knowledge of more and more people in web application security. To understand how strong is this phenomenon one has to inspect the work of Aliaksandr Hartsuyeu from eVuln.com, who has made a point of inspecting every open source application under the sun, releasing a new vulnerability report daily. He started his endeavor around Christmas and already released more than 120 advisories.

The second phenomenon is the iceberg phenomenon. The number of vulnerabilities found in major sites that invest in security provides an indication as to the much larger amount of vulnerabilities yet to be discovered in less popular or less exposed sites. The large number of XSS vulnerabilities indicated that vulnerabilities that are more difficult to find in a black box inspection such as SQL injection are just as common, as SQL injection vulnerabilities are usually found more than XSS vulnerabilities in source code inspections.