got root?
Monday, January 16, 2006
PASBC security issue
Basically this is my entire conversation with the folks that maintain PASBC, an online system for posting your grades to a number of local post-secondary institutions here in BC. I came across a vulnerability in their system a few days ago while I was helping my Significant Other with something. Bottom line is that I got into her application, and that is something that should not happen, right? :)

They patched something for now; they claim they will implement my suggestions in the next design of the site. They did not mention anything regarding these communications, so I am posting everything here [e-mail addresses and other signature information removed for privacy reasons].

I do feel that they did as much as possible so far. If this were e-mail, probably nobody would have bothered; but seeing as there are some pretty sensitive fields in these applications, I believe the concern is genuine.

Oh yes, another thing: if you are logged in and someone else uses your URL at the same time, they can see what you have entered thus far. ID theft is the issue here... E-mails attached below, enjoy!

---------- Forwarded message ----------
From: Graeme McNeil

Hello again Alex,

Please see below for responses to your concerns from the technical lead of PASBC. As you will see, he understands the concern but there does not seem to be much more we can do within our current framework. We will be redeveloping PASBC following the current peak application period and please be assured that we will take your security concerns into account when we redesign the system.

Thanks,

Graeme

Graeme McNeil, PMP
Project Manager, BCcampus

----- Forwarded by Graeme McNeil/emp/bccampus/CA on 01/16/2006 08:10 PM -----
Mark Ardiel/emp/bccampus/CA

01/13/2006 10:11 AM

See comments to his email inline below.

I understand his concern, but I do not think we can do too much more without changing the entire architecture that we have the system built on. Right now, the only real threat I see is if someone is sniffing your requests, and can pull out the URL. They then are able to get into your session while you have it active by using the URL. Once you logout, or your session times-out (30 minutes of inactivity) they cannot get into your session any longer. However, I believe that if someone can be sniffing your requests on your machine, then you have a much more serious problem.

From: inaequitas
Sent: Friday, January 13, 2006 12:12 AM
To: Graeme McNeil
Cc: Greg Link; Lauri Aesoph; Mark Ardiel
Subject: Re: PASBC security issue

> Hello sir!
>
> First of all allow me to congratulate you on how expeditious you were in tackling this issue. Unfortunately my quick 'analysis' was not indicative of a safer environment at the moment.
>
> I have generated another 'guest' session and proceeded to fill in some fields. I then passed the link to my friend and she was able to access all of that information without any issues.

As long as you have not logged out of your session, then yes, this session can be accessed by passing the URL to another machine. There is currently no mechanism in the framework that we use to have the session created as a URL along with a matching cookie; it is purely in the URL.

> When I logged out from my machine I was not able to view the session, that is true; however my friend was still free to access it.

This should not be the case. As soon as you log out, the session on the server is destroyed. Since you are both using the same session on the server, it will no longer work on either machine. I have tried this, and this is what I see happening from my tests.

> This was done from separate computers on entirely different network blocks.
>
> I am not privy to the details of your implementation so I am not sure what is designed in the system. But if, for example, I pass my friend a link from Yahoo! mail she is not able to view anything. A simple log-in cookie could do the trick in securing the session and as long as it does not store any personal information it should not provide an additional risk in terms of privacy. Nobody should be able to view the details of a session with only that session's generated URL.

This is not something that we can change with our current framework. Right now the session IDs are just the URL.

> The reason why I even brought this to your attention is that very important information can be extracted from these applications. I did not have the proper set-up to test whether a network traffic analyser [sniffer, e.g. Ethereal] would capture any part of this communication in plain text; but if it can retrieve as much as the HTTP request then a snooper can obtain a SIN and a good deal of other personal information.

The actual information being sent over the request will be encrypted by TLS/SSL. However, I do believe that the request URL may be in plain text.

> The abundance of ID theft nowadays is not something to take lightly, especially as SIN numbers are unique and irreplaceable.
>
> If you feel, however, that you do not need to consider these issues please let me know and if requested I will maintain a certain level of secrecy regarding the issue. I do, however, sincerely hope that you will be able to implement this sometime soon.
>
> Again, thank you for your interest!
>
> On 1/12/06, Graeme McNeil wrote:
> >
> > Hello again inaequitas
> >
> > Our technical guys here have implemented a fix on PASBC which closes down the specific instance of the Common Form when a user logs out, which should resolve the issue you brought up. We have tested it here but if you wish to have a look and check I'd be happy to hear your results.
> >
> > If a user closes their browser without logging out the session will persist for 30 minutes, at which point the user will be timed out, much as they would in other signed in environments.
> >
> > Thanks again for bringing this to our attention.
> >
> > Best regards
> >
> > Graeme McNeil
> >
> > Graeme McNeil, PMP
> > Project Manager, BCcampus
>
> --
> inaequitas
>
> Undergraduate Student
> Computer Science
> University of British Columbia
>
> ======================
> Please avoid sending Word or PowerPoint attachments.
> PDF makes for a good alternative. Please see
> http://www.gnu.org/philosophy/no-word-attachments.html
> P.S.: http://tinyurl.com/8jvcq
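To make the design point of the thread concrete, here is an added example (my own Python, not code from PASBC or BCcampus) of a minimal server-side session store that contrasts the two designs discussed: a session id carried in the URL, which any holder of the link can replay, against one carried only in a cookie, with logout destroying the server-side entry and the 30-minute idle timeout the thread mentions. The store, the helper names and the `sid` parameter/cookie name are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

IDLE_TIMEOUT = 30 * 60  # seconds: the 30-minute inactivity limit quoted in the thread


class SessionStore:
    """Server-side session table keyed by an opaque random id; the id holds no personal data."""

    def __init__(self, clock=time.time):
        self.clock = clock    # injectable clock so the timeout can be exercised offline
        self.sessions = {}    # sid -> {"data": {...}, "last_seen": timestamp}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"data": {}, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if the id is unknown, logged out or idle too long."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]  # expired entries are purged exactly as on logout
            return None
        entry["last_seen"] = self.clock()
        return entry["data"]

    def destroy(self, sid):
        """Logout: drop the server-side entry so the id stops working on every machine holding it."""
        self.sessions.pop(sid, None)


def session_id_from_url(url):
    """The weak pattern described in the thread: the id rides in the query string, so whoever
    is handed the link (or reads it from a log, browser history or Referer header) holds the session."""
    return parse_qs(urlparse(url).query).get("sid", [None])[0]


def session_id_from_cookie(cookie_header):
    """The cookie-based alternative suggested in the thread: the id is sent only in the Cookie
    header to the issuing host, so pasting the page URL to someone else transfers nothing usable."""
    jar = SimpleCookie(cookie_header or "")
    return jar["sid"].value if "sid" in jar else None


def login_set_cookie_header(sid):
    """Set-Cookie line issued at login: script-inaccessible, TLS-only, not sent cross-site."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

With the cookie variant, a second machine given the page URL has no session id at all, and with either variant `destroy()` is what makes the id stop working on both machines after logout, which is the behaviour the thread says should happen.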
Tuesday, January 10, 2006
Right to Create: Patent Reform via Open Source

Wow, this goes in the "I'm getting a hard-on thinking about it" category! So IBM is pushing the envelope forward on Open Source, after donating 500 patents and supporting Linux, now this. I feel like river-dancing :D

In all seriousness though, this comes as a big hit to many corporations, I'm sure. I can't wait to see the backlash to such news, since it will naturally create an outcry from those players that make more money on patenting things they ponder about in the shitter and less money from selling them in good, useful products. Let's see, they'll probably say something having to do with not stimulating innovation, causing a flood of bad products and an overall impact on the economy as a result of the big dogs abandoning certain areas of technology [I'm focusing here because this is where the big battles are fought nowadays].

Innovation means new things; if prior art can be shown, then what you're trying to do is steal somebody else's idea. Shame to you!

Bad products do not survive in this [becoming] technotopia. People simply will not use crappy things. In fact, they will rather pay some small price for quality when they're not forced to. So Research in Motion can go about their good business while NTP gets covered in their own slime after being publicly shunned for their lame-ass attempt to reap money without any merit whatsoever.

The economy won't dive overnight, and we will adapt to the new playing field just as we've managed to do it time and time again over the course of at least a few millennia.

This is part of our revolution!
Thursday, January 05, 2006
So I've started my work at WebCT and so far I must say I love it =) Testing is a fun job because, especially in the beginning, there are no precise guidelines to follow; it's basically your imagination at work to crack the machine. As I was telling a friend, I'm a 'hacker with a license to hack', in a James Bond-ian way of thinking about it. But it's not all that glamorous.

I can't give more details about my work due to certain NDAs that I had to sign. I can say that the WebCT software has some pretty wicked functionality and I wish my Uni would upgrade to a newer version. I mean, what I'm working with is actually 'pretty' as well =)

In other news, I was having dinner tonight and realised that the cafeteria is the great social divide for teenagers. This is where it all starts, in the high schools of the world [that have one]. I suppose Klebold and Harris had a point starting in their cafeteria and not someplace else; maybe they weren't immediately aware of it but something in their subconscious 'told' them to start there. Well, it depends if you let yourself be influenced by the masses, if you think they are better than you. A weaker person will always find a way to latch onto what he or she perceives as a stronger person.

Keep hustlin' =)