26 Apr, 2006
SIFT Note 2006-03
The Fundamental Security Issues of XML
Extensible Markup Language (XML) has become a ubiquitous format for information exchange between systems. The proliferation of XML for data storage and transmission has emphasised the need for XML security. In the majority of current implementations, XML formats are application level protocols working on top of HTTP. As a result, these formats bypass common firewall inspection, and the protocol is exposed to potentially malicious elements that must be handled within the application. XML-aware firewalls are currently being developed that promise to examine messaging formats for XML-specific threats, but these should not be solely relied upon to protect information assets.

XML is an extremely flexible self-describing language that can be used to describe virtually any set of information. The ability to build complex data structures out of elements and attributes in a standardised fashion has been a primary driver for XML adoption, but it is this complexity that poses a critical challenge in securing XML. Although substantial progress has been made in the development of XML security standards for ensuring confidentiality and integrity, particularly in the web services domain, XML itself has some issues that can manifest as security threats.

XML is widely acknowledged to be verbose, and the resulting performance decrease compared to traditional binary formats is generally accepted as the cost of an interoperable, platform-independent data format. The performance impact arises from the heavy computation required to validate and process XML documents, and these costs can be exploited by malicious users to mount denial of service (DoS) attacks. The root cause of such denial of service lies in two major areas of XML processing.

The first concern is the self-describing aspect of XML documents, which may be manipulated by an attacker. In particular, the Document Type Definition (DTD) processing in the parser components of several products from major vendors has been susceptible to a DoS attack that allows an attacker to consume prohibitive amounts of memory and processing power with a single XML document. This issue has since been patched and rectified, but it is an example of how the power and flexibility of XML can pose a serious threat to availability.

The second concern stems directly from the performance issues surrounding XML processing and is an inherent part of the standard. Memory and CPU requirements for XML processing are high and largely unavoidable: a document must be parsed before it can be validated and processed, so the cost of parsing is incurred regardless of whether the document turns out to be valid. As a result, traditional flooding attacks can be extremely effective against XML endpoints, particularly those utilising XML Document Object Model (DOM) parsers.

When deploying an XML-based system such as a web service, it is essential to consider the performance aspects that affect system availability, specifically the capacity to handle intensive XML processing. Filtering is a vital step in securing an XML system: whether it is performed on a separate system or on a dedicated XML security appliance, XML inputs must be validated and filtered before reaching application processing. Although this requires additional hardware for dedicated XML processing in high-throughput systems, it provides a centralised point for controlling incoming XML to the application and allows the enforcement of XML-specific security policies.

Further information:
- XML.org
- XML complexity introduces security risks
- XML Web services security best practices
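As an added illustration of the filtering step recommended above (example code written for this note, not a SIFT, vendor or appliance implementation): a Python pre-processing filter built on the standard-library expat parser that refuses DOCTYPE and entity declarations, the self-describing features behind the DTD-based DoS, and bounds document size, nesting depth and element count before a document is handed to application code. The limit values and function names are assumptions.

```python
import xml.parsers.expat as expat

# Limits an XML filter might enforce (illustrative values, not from the note).
MAX_BYTES = 1_000_000
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000

class RejectedXML(Exception):
    """Raised when a document fails the pre-processing filter."""

def screen_xml(data: bytes) -> dict:
    """Stream-parse with expat, refusing DOCTYPE/entity declarations and
    bounding size, depth and element count; returns parse statistics."""
    if len(data) > MAX_BYTES:
        raise RejectedXML("document exceeds %d bytes" % MAX_BYTES)
    st = {"elements": 0, "max_depth": 0, "depth": 0}

    def reject_dtd(*args):  # bound to both DOCTYPE and ENTITY events
        raise RejectedXML("DOCTYPE and entity declarations are not accepted")

    def on_start(name, attrs):
        st["depth"] += 1
        st["elements"] += 1
        st["max_depth"] = max(st["max_depth"], st["depth"])
        if st["depth"] > MAX_DEPTH:
            raise RejectedXML("nesting deeper than %d levels" % MAX_DEPTH)
        if st["elements"] > MAX_ELEMENTS:
            raise RejectedXML("more than %d elements" % MAX_ELEMENTS)

    def on_end(name):
        st["depth"] -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)  # RejectedXML raised in a handler propagates
    except expat.ExpatError as exc:
        raise RejectedXML("malformed XML: %s" % exc) from exc
    return st

def is_acceptable(data: bytes) -> bool:
    try:
        screen_xml(data)
        return True
    except RejectedXML:
        return False
```

Because expat is a streaming parser, a rejected document is abandoned at the first offending event rather than being fully materialised as a DOM tree.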
Voice Over IP Threats Are Real
The release of the VoIP Security and Privacy Threat Taxonomy by the VoIP Security Alliance (VOIPSA), and major vulnerabilities having been identified in the popular Skype application, have together highlighted the need to exercise caution when considering VoIP deployments. The threats described in the VOIPSA Taxonomy are numerous and comprehensive, covering a number of levels of criticality and different areas of VoIP service.

VoIP operates on the TCP/IP protocol stack. As a result, it is inherently susceptible to the same risks as traditional data services. However, additional threats exist that are either specific to the VoIP domain or are an extension of traditional threats with a VoIP flavour. The Taxonomy details the technical threats that have been widely covered in the media and security community, as well as social threats and the resulting privacy issues.

Among the technical threats outlined in the Taxonomy are the widely publicised eavesdropping and interception attacks. These are similar to traditional threats to data networks and can facilitate the reconstruction of conversations and voicemail. More specific VoIP threats include call pattern tracking and profiling, which raise privacy concerns, and impersonation attacks through false caller identification or call tampering. Furthermore, denial of service is also a significant threat to VoIP. It can be accomplished through several attack vectors, including conventional flooding approaches, malformed or spoofed call control messages, and quality of service degradation.

In addition to the threats outlined in the Taxonomy, application level threats also exist, as evidenced by the vulnerabilities discovered in the popular Skype application. All VoIP products inevitably contain software components, and vulnerabilities in that software can lead to attacks on the VoIP service or on the system itself. In particular, the flaws found in the Skype product potentially allow attackers to compromise the host system or cause the application to crash, resulting in a denial of service condition.

An independent security review was recently commissioned by Skype to assess the security of its cryptography and implementation. This is a step in the right direction for the VoIP community. Although the findings and thoroughness of the review have been questioned by some security professionals, the fact that a proactive approach to security has been taken must be commended. One major concern that has been raised is the use of proprietary cryptography in the Skype application - particularly its key agreement protocol and random number generation - in preference to standardised and well-known protocols. These proprietary protocols have not been rigorously scrutinised and rely partially on security through obscurity, a practice that is discouraged in the security community.

These recent events in the VoIP domain illustrate the wide array of threats that VoIP will face in the coming years. The vulnerabilities found in Skype demonstrate that not only can VoIP itself be attacked, but so can the applications and systems that provide the service. The Taxonomy provides a concise compendium of threats faced by VoIP deployments and should be used as a guide for security design and testing, along with appropriate measures to harden supporting infrastructure.

Further information:
- Skype patches critical flaws
- Skype Security Evaluation
- VoIP Security and Privacy Threat Taxonomy
US SEC Issues Online Trading Guideline
Recently, the US Securities and Exchange Commission (SEC) published a guide to secure online trading following a number of reported instances of theft from online trading accounts. The November '05 issue of BusinessWeek Magazine reported an incident in which a 64-year-old man, Korukonda L Murty, had his online trading account cleared while on a five-week holiday. Two monthly statements from online brokerage E*Trade Financial Corp showed that securities worth USD$174,000 had vanished. During July 13-26, it was found that investments had been sold and six wire transactions of nearly USD$30,000 each had taken place, none to the knowledge of Murty himself.

During E*Trade's post mortem, it was found that Murty lacked antivirus software protection and had been infected with code that enabled hackers to obtain his username and password. The severity of the breach was compounded because the criminals were also able to gain control of Murty's email, and consequently obtain the security code required to legitimise the wire transfers.

Following a number of similar instances in recent months, the SEC has published a guideline titled Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information, outlining reasonable steps individuals are recommended to take to protect themselves when trading online. These steps are applicable to all use of e-commerce services, and include:
- The use of personal firewalls and security software;
- The use of security tokens with one-time passwords when possible;
- An improvement in the strength of passwords;
- A greater awareness of 'phishing' and how to identify such frauds;
- An awareness of wireless insecurities; and
- An awareness of the importance of logging out from a session.
It is vitally important for individual investors to understand the potential risks of using online trading facilities. While organisations that currently provide online trading services have begun taking steps to educate their users, there is no requirement for these organisations to provide awareness-raising materials when users sign up to their services. It may be worthwhile in the long run for such a requirement to be enforced by an industry code, or simply adopted as an element of "corporate social responsibility" in the name of consumer protection.

In Australia, the Fido system, the consumer website of the Australian Securities and Investment Commission (ASIC), provides investors with directives on how to undertake due diligence on a broker. The Australian Bankers' Association (ABA) has similarly provided a considerable amount of material supporting consumer awareness of information security issues when banking online. Given the degree of consistency in security risks and security control measures across banking and finance organisations, and indeed across the broader e-commerce community, a specific online brokerage security guide may not be necessary. However, developing awareness in the user community of the materials that are currently available is critical, and as online brokerages have access to a user group who are likely targets of online fraud, some work in this area would have a considerable impact.

Further information:
- Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information
- SEC urges security in online trading
- Invasion of the Stock Hackers
- ASIC - Buying and selling shares online
- Australian Bankers' Association - Safety checks
SAS 70 and Section 404 of Sarbanes-Oxley Act
Outsourcing relationships offer many benefits to organisations in a range of industries. However, as governance requirements tighten, outsourcing becomes a potential weak link in the assurance of an organisation's compliance with security standards and regulatory requirements. In particular, Section 404 of the Sarbanes-Oxley (SOX) Act contains requirements for outsourcing control assessment. Based on the guidance issued by the US SEC and the Public Company Accounting Oversight Board (PCAOB), the preparation of a Statement on Auditing Standards No. 70, Service Organisations (SAS 70) Type II assessment is an acceptable method for evaluating the internal controls of service organisations without performing separate assessments.

SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It provides guidance to service organisations on disclosing their control activities and processes to their clients in a uniform reporting format. A SAS 70 examination is performed by an independent auditing firm, and formal Service Auditor's Reports on the company's control objectives and control activities are produced. There are two types of Service Auditor's Report: Type I and Type II. A Type I report presents the service organisation's description of its controls at a specific point in time. A Type II report contains the service organisation's description of its controls as well as detailed testing of those controls over a minimum six-month period.

The service auditors follow the AICPA's standards for fieldwork, quality control and reporting. Nevertheless, SAS 70 audits are not performed against a pre-determined set of control objectives or control activities. The service organisation would typically work together with the audit firm to develop the objectives based on its user organisations' requirements. The Section 404 SOX requirements for controls over systems with the potential to impact reported financial details will need to be taken into consideration.

The SAS 70 Type II reports are then forwarded to the user organisation, providing a detailed description of the service organisation's controls and an independent assessment of whether the controls were adequate, suitably designed and operating effectively. The user organisation's auditors can use these reports to contribute to their overall audit assessment without sending auditors to the service organisation to perform control assessments again, thus saving on auditing costs. It should be noted that if the service organisation in turn outsources work to other organisations, then individual SAS 70 assessments must be performed at each sub-service organisation to fully satisfy the Section 404 SOX requirements.

Like any other type of audit, SAS 70 provides reasonable, but not absolute, assurance that the control objectives are being achieved. The audit also captures a period of time in the past and should not be viewed as a guarantee of continual compliance. The user and service organisations should use the process of gaining compliance to encourage the development of information security best practices within their information technology environments.

Further information:
- About SAS 70
- SAS 70