Category Archives: Thoughts

Legalize Hacking Now!

“If you don’t hack your systems, someone else will.” The latest data breach statistics (IBM / Verizon / OSFDB) prove the conventional wisdom is still valid. The AT&T “hacking” case of Andrew “Weev” Auernheimer made me revisit my 2007 views on hacking and responsible disclosure, especially in light of the changes in the field since my article was published.

Weev’s case forces one to try to reconcile contradictory views: on one hand, the greater good was served because AT&T fixed a hole that easily exposed much sensitive personal information of their iPad users. On the other hand, after inspection of his code on Git, there is no reason to think it’s not a case of parameter tampering and clearly illegal.

In the broader picture, society needs people who can and are willing to expose information security issues that clearly hurt individuals (or groups of people) either physically or in regards to their privacy. We need a way to give people who have the technical prowess the ability to legally search and report what they find thereby improving and strengthening society.

With the disclosure that Nation-States continuously hack computer infrastructures and the development of industry bug bounty programs offered by Facebook, Microsoft and Google it seems to me it’s time — and society is ready — to legalize hacking. Legalization does not mean we should give just anyone free reign to research another’s online infrastructure property. While I’m not looking to lay out an entire program in this short op-ed, I image such a program would be similar to Facebook’s bug bounty program: the researcher would most likely be required to register (or create a test account) and be looking for specific types of vulnerabilities in order to legitimately engage in the activity. Companies and government entities would be required to have  procedures for receiving and fixing reported vulnerabilities disclosed to them through the “hacking” channel in a timely fashion.

“If you don’t hack your systems, someone else will.” That “someone else” already has, now we must. Legalize hacking now!

PHP uniqid() – Entropy Analysis and Potentially Vulnerable Apps

Background
This research started with my reporting a zero-day that Front Accounting’s reporting used uniqid() and it’s file names were non-random. Given where the application saves these reports by default they are retrievable by anyone who can guess the proper URL report name. OSVDB asked me to what extent does this issue overlap with a larger, previously reported PHP issue of non-randomness in the generation of PHPSESSIONID. Over the course of my research I discovered that, while both suffered issues of non-randomness, uniqid() and LCG were independent from each other after PHP3. As of PHP4+, uniqid() is not used to generate session cookies. While uniqid()  uses an LCG randomness routine it only does so when the more_entropy flag is set by the developer. LCG is not the cause of the lack of uniqid() entropy. In fact it is just the opposite. It helps it when the flag is set but not significantly. As such it is my humble opinion that CVE and OSVDB descriptions needed to be updated to reflect this information. In our tweets Steve Christey was still worried — and rightly so — that many applications use the uniqid() function and might be vulnerable. So, here we are.

Issue
It’s clear that uniqid() is non-random. This is even reported in the PHP documentation. The question is how non-random is it? Furthermore, what’s the impact? How many apps are using the function?

Testing
I tested the non-randomness by writing some sample PHP code taken almost straight from the documentation. I did this because I felt it best to use the sample code provided by PHP to their users. I assume here that it will be the way most people will use the function (copy and paste). Two apps were written: one to test the function regularly and one to test it with added entropy. Since I’m not a math geek, I used burp‘s Sequencer functionality to test the entropy. I have fairly smallish sample sizess but I believe I do not need a larger ones to change the general nature of the result. (I leave this to the next researcher.) I then used Search Diggity to scan through google’s project code as well as doing a direct search. I attached a gallery with annotations showing the testing procedure and results.

Conclusion

With or without the more_entropy option, uniqid(), as represented in the PHP sample code and documentation, results in poor entropy and should not be used. According to burp, with a sample size of 4016 tokens, uniqid() without more_entropy is “extremely poor” and has a effective entropy of 10 bits. With a sample size of 7515 tokens, uniqid() with more_entropy enabled is “poor” with an effective entropy of 29 bits. According to burp the reliability of the sample sizes were either reasonable or good. It is my opinion that if the tests were conducted over a larger sample size the effective entropy will only decrease: by how much I’m not certain.

The question remains: are there vulnerable applications and to what extent? Search Diggity returns 100 instances of uniqid() being used on google code. Google’s own search engine returns 60K+ strings matching uniqid(). Important:  google’s query is a bit of a false indicator since it returns results that matches the string including languages other than PHP. And, I didn’t scan other repositories such as Sourceforge or Github.

Lesson 1: heed the PHP documentation and do not use uniqid() when the need for a random string arises. Lesson 2: it seems that there is a decent amount of potential vulnerable code.

Below are the pictures to support the research. Many thanks to OSVDB and Steve Christy for an excellent exchange of tweets. Enjoy and happy hunting.


I’m only number #10…

According to SANS, being the CISO/ISO or Director of Security is the 10th coolest infosec job. The top two jobs are:

Once upon a time I did network and web penetration.  Here’s a sample exploit on packetstorm.

Sometimes moving up is in fact moving down!