Old 05-27-2019, 04:35   #1
Golf1echo
Area Commander
 
Golf1echo's Avatar
 
Join Date: Sep 2010
Location: Western Carolina in the rainforest,4000' along the Eastern Cont. Div.
Posts: 1,154
First American Security Flaw

885 million real estate documents were left exposed as far back as 2003 in one of the largest data exposures to date:

https://krebsonsecurity.com/

Apparently this information was on an unsecured Microsoft Cloud ... seems like they should be included culpability as well.
__________________
"It is because they have so much to give and give it so lavishly...that men love the mountains and go back to them again and again." Sir Francis Younghusband

Essayons

By Dand

"In the school of the wilds,there is no graduation day"Horace Kephart
Golf1echo is offline   Reply With Quote
Old 05-27-2019, 08:05   #2
Hand
Guerrilla Chief
 
Hand's Avatar
 
Join Date: Dec 2010
Location: Georgia
Posts: 858
Quote:
Originally Posted by Golf1echo View Post
Apparently this information was on an unsecured Microsoft Cloud ... seems like they should be included culpability as well.
I'm curious why you think this way. The cloud is infrastructure and virtualized hardware provided to users to do whatever they want to. This is 100% directly the fault of developers who didn't implement per-request authorization on FAF's web site. There are plenty of tools and plenty of consulting firms who specialized in analyzing web sites for security flaws. FAF did not do their due diligence in hardening their site. This exact same scenario would be present had they hosted their site on AWS or cheap web site hosting.com.
__________________
"I'm going trick or treating at an all women's college dressed as a safe space." - Divemaster

"Fuck that - man up - kick over the podium, piss on the teleprompter, wave your dick at the TV cameras and drop the mic' as you walk off the stage. " - the QP formerly known as BillyLBach
Hand is offline   Reply With Quote
Old 05-27-2019, 08:45   #3
Golf1echo
Area Commander
 
Golf1echo's Avatar
 
Join Date: Sep 2010
Location: Western Carolina in the rainforest,4000' along the Eastern Cont. Div.
Posts: 1,154
Hand I might ask you why would they not? This came up on the radar a while back but details are just being clarified. This is a very egregious slip up to say the least. I understand the company has primary responsibility but I have to ask why Microsoft doesn’t have parameters in place to prevent their cloud from becoming the mechanism for such a data exposure in this day and age. If I had something to do with it I would advocate for such protections...

Edit: In 2018 the cyber security industry was valued at 93 Billion Dollars, I suppose if we had more secure platforms that could threaten the value of that industry...

https://www.csoonline.com/article/32...time-soon.html
__________________
"It is because they have so much to give and give it so lavishly...that men love the mountains and go back to them again and again." Sir Francis Younghusband

Essayons

By Dand

"In the school of the wilds,there is no graduation day"Horace Kephart

Last edited by Golf1echo; 05-27-2019 at 09:54.
Golf1echo is offline   Reply With Quote
Old 05-28-2019, 07:23   #4
Hand
Guerrilla Chief
 
Hand's Avatar
 
Join Date: Dec 2010
Location: Georgia
Posts: 858
To be forthright, I work in technology, maybe that colors my opinion.

I see this being similar to Microsoft's Windows operating system. Embedded inside the windows code is as much security as you want to use. You can configure your OS to lock your PC if it senses no activity for a set interval, you can configure it so you have to enter as complex a password as you want before it grants you access to your system. It implements network access file security and many other security features.

If you, as a user, create a text file and add your bank account numbers and username/ passwords to it, then walk away from your machine without locking it, and a house guest just happens to walk by your machine and notices the file and contents on the screen, and steals that information and drains your accounts, would you, in that case, believe Microsoft to be culpable for the theft of your information?

Building web sites is similar in some respects where instead of creating a file as in my above example, you are creating a lot of files, and it is up to you as a developer to secure access to those files, you can be as liberal or as restrictive as you want with your security. There are industry standards and best practices that define the least amount of security that a web site should have, but it is up to a company to enforce those standards on their site. There really isn't a policing organization that monitors the internet for adherence to security standards. However, information has value, and since it has value, it becomes a target for theft. This being the case, a company absolutely must be obsessively protective of their data while simultaneously being obsessively rigorous in their enforcement of security practices. This continuous analysis and application of practices encompasses the software (website), the data, the database the data resides in, the server the database resides on, the server the website is hosted on, physical access to those hardware devices, local access to that hardware and so on ad nauseum.

Back to the FAF breach. If I understand the situation properly, what the developer(s) did was lazy and/or negligent. I'll use this site for contrast.

You can send someone a link to a particular thread, forum or even to a specific post by building up a URL to that piece of content. This is done in different ways depending on language/ web framework etc...

Here on this site, a link to a particular thread looks like this:
http://professionalsoldiers.com/foru...ad.php?t=54312

And a link to a particular post looks like this:
http://professionalsoldiers.com/foru...56&postcount=3

You can even use this URL format to build up a link to a particular attachment:
http://professionalsoldiers.com/foru...8&d=1483130105

I know these links look like gobeldy gook, but they are informative if you know how to read them. Looking at any of these urls, I can make a pretty accurate guess that professionalsoldiers.com is going to get routed to a DNS server and translated to an ip address that belongs to a particular piece of hardware (server) most likely sitting behind 3 feet of concrete in the Team Sergeants basement So now we can look at that URL again and see something different:

169.61.48.158:80/forums/showthread.php?t=54312

The DNS server has taken professionalsoldiers.com and mapped it to that web servers actual IP address, now we know where the site actually is. Now we can start ascertaining what the web site looks like.
/forums/showthread.php?t=54312 gives us an idea of what the navigation structure of the website looks like.

We can start guessing that threads exist in a database or file structure and that each thread has an id, in this case 54312. Now that we know all this, we can put the full URL into our browser and manipulate the ids by hand

http://professionalsoldiers.com/foru...ad.php?t=54312
http://professionalsoldiers.com/foru...ad.php?t=54311
http://professionalsoldiers.com/foru...ad.php?t=54310
etc...

Now here is the point I typed all this to make. You can play around with URLs here on this particular site and get to the content because you are logged in and are authorized to see that content via forum authorization rules. But if you log out (hopefully) you can manipulate URL's all day long and every single one will simply redirect you to the log in page, and after more than a few of these unauthenticated request for pages that require authentication, I'm sure the forum can put you on a black list and simply deny any of your request.

Back to FAF - they did not implement this absolutely required piece of authorization code. So they may have a main page that requires you to log in, but they don't check to see if you are logged in when handling requests for resources. Once somebody (read hackers) figure that out, they can slap together a very short script that iterates from 0 to 1000000000 or whatever, and makes a request for

FAF.com/peoplesDataFolder/pdf_1
FAF.com/peoplesDataFolder/pdf_2
FAF.com/peoplesDataFolder/pdf_3
FAF.com/peoplesDataFolder/pdf_...

and lickety split, all FAF's data is now in a hackers possession.

If this web site did not implement request base authorization, then someone could do the exact same thing and publish a professionalsoldiers2 web site with all of the content from this web site.

FAF chose to use the cloud to host their site. But this breach is not specific to a cloud hosted site, this breach is 100% site based, 100% FAF's fault and negligence.
A cloud based breach would be something like a company that shared database servers escalated their SQL permissions and crossed database boundaries and stole their data or a company on a shared web server did something illegal and hacked across security boundaries and stole their physical files. If something like that had happened, then I would agree that Microsoft should share some level of responsibility.

I attempted to add enough technical details to make this informative on how the internet works in general, while laying out the particularities of the FAF breach at the same time. If this extremely long post has caused anyone to drool on themselves or bang their head on something flat and hard, I apologize.

Golf1Echo, hopefully I have answered your question. I would appreciate reading your justification for Microsoft's culpability. As you can see, my vision is probably a bit too narrowly focused on the technical aspects.
__________________
"I'm going trick or treating at an all women's college dressed as a safe space." - Divemaster

"Fuck that - man up - kick over the podium, piss on the teleprompter, wave your dick at the TV cameras and drop the mic' as you walk off the stage. " - the QP formerly known as BillyLBach
Hand is offline   Reply With Quote
Old 05-28-2019, 07:58   #5
Joker
Quiet Professional
 
Joker's Avatar
 
Join Date: Jan 2008
Location: Tampa
Posts: 2,153
Quote:
Originally Posted by Hand View Post
Your post.
Great explanation. Bottom line, use good (complex) passwords. And require their use when and where you can.
Joker is online now   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 4 (0 members and 4 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT -6. The time now is 21:59.



Copyright 2004-2019 by Professional Soldiers
Site Designed, Maintained, & Hosted by Hilliker Technologies