Category Archives: Uncategorized

No, a virtual machine is not as safe as a physical one!

This week, during the CanSecWest 2017 conference in Vancouver, British Columbia, the Pwn2Own contest organized by the Zero Day Initiative (http://zerodayinitiative.com/) is being held. One team carried out an attack on Microsoft's Edge browser that let them escape the VMware Workstation virtual machine in which it ran, starting from nothing more than a web page rendered by the guest. This exploit earned them a $105,000 reward. On the same day, another team chained three vulnerabilities and also succeeded in escaping a virtual machine.

I will state what has been obvious to me since the rise of hardware virtualization technologies: virtual machines are not as safe as physical ones. I feel silly writing it, as it is simply a matter of fact, but it seems a lot of system administrators have not accepted it yet and are still in denial.

And VMware is not the only one to blame: every virtualization solution has already been breached (Xen, KVM, ...) one way or another, and those are just the known exploits. The reason is structural: the hypervisor and its emulated devices are extra code between your guest and the hardware, and a bug in them turns an attacker with code execution in one guest into an attacker on the host, with reach into every other guest it runs. So, whoever you are talking to, there is no way (s)he can pretend the risks are the same for a physical and a virtual machine.

Of course, there are economic upsides to using virtualization, and that is why it is a matter of risk management. But when it comes to the crown jewels, we might have to think twice, or at least strongly insist on physical segregation between the more sensitive systems and the internet-facing ones: an internet-facing web server and a domain controller sharing the same hypervisor is exactly the setup in which a VM escape becomes a full compromise.

I am not saying we should not use virtual machines; I am saying we must stop pretending they are as safe as physical ones. It is just not true. The risks are different, and we must take that into account. The wolves can jump the fences...

Further reading:

SMS spammers 1 – Belgium: 0

I have recently received SMS messages supposedly sent by young ladies in search of a soul mate. Within the SMS there is a link to a website with a specific number in the URL, giving access to a picture of a young and pretty naked girl (no, I did not click on it; I tried it from a secured virtual workstation with all protections on and through a Tor gateway). Fortunately, this picture does not seem to carry any payload.

I called my provider to ask how I could stop this (in France, the number 33700 helps you with SMS spam). According to my provider, the goal of such SMS is to get men to reply to them, making their mobile bill a bit more expensive than usual. Apart from deactivating the mobile commerce option on my number, there is no way to prevent this and nowhere to report such malicious SMS.

At the same time, we can understand that operators are in no hurry to solve a problem that probably generates substantial revenue, as they likely take a nice margin on the operation.

Unfortunately, as SMS are cheap (and SMS gateways can easily be compromised), they can also be used to distribute malicious payloads without going through the anti-malware filtering that is now quite common on most email services. So, if we do nothing, this can become (if it is not already the case) the new channel to target smartphones (and you know how much sensitive information your smartphone holds).

So, when will we have a central platform to gather information on, block and prosecute such malicious (and illegal? is it?) behaviour?

So far: Spammers: 1 – Belgium: 0.

9 tips to improve the security of your web applications

Whether you are a student, a TV show fan, a small online shop, a small enterprise or a large corporation, you likely have a website connected to the World Wide Web. You probably did not develop your website in PHP or Java yourself but rather used one of the existing frameworks (some free of charge) such as WordPress for your blog, PrestaShop for your online shop, Odoo, Drupal, Joomla or even Adobe CQ. While you can use a "cloud" version of these applications, you might also have decided to manage it yourself on your own server or through a hosting service like OVH, HostGator or Ikoula.

If you have decided to manage it yourself, here are a few tips to make sure your server(s) are secure and remain so:

  1. Use very strong passwords: at least 14 characters mixing uppercase, lowercase, digits and special characters, and a different one for every account and service (a password manager makes this painless). Ideally change them a few times a year, and in any case as soon as you believe a password might have been compromised.
  2. If possible, rename or disable the default admin user (admin, root) into something less common, and give every administrator a personal account with his or her own password: with a shared account you cannot tell who did what. When someone leaves the company, remove his or her account from the server immediately.
  3. Patch your systems regularly (every week): the OS (Linux or Windows Server), the middleware (Apache, IIS), the database (MySQL, PostgreSQL, MSSQL) and the application itself (WordPress, Odoo). Nowadays, most systems tell you when an update is available; the plugins and themes of a CMS need the same attention as its core.
  4. Ideally, have a separate test environment: a second (set of) server(s), which we will call the acceptance system, replicating exactly the one you expose to the public (the production system), on which you first check that the patches do not disrupt, corrupt or break anything (it does happen).
  5. Disable any unused services on your server(s): telnet (use SSH instead), FTP (use SCP or SFTP over SSH instead), IMAP, POP3 or SMTP (unless your server is a mail relay), Samba and anything else you will not use. Make sure you still keep a way to access your server before you shut things down; "ss -tlnp" (or "netstat -tlnp") shows you what is still listening. On Linux, a hardening script such as Bastille can help.
  6. For database access, create a dedicated database account per application (and per environment) that only has the rights it needs on that application's database (so never hand the database admin user to your application). If possible, restrict that account to connecting from localhost or from the IP of your front-end server only; an SQL injection in the application is then contained to that one database.
  7. If possible, force the encryption of the communication by using TLS (HTTPS instead of HTTP). For that you need a certificate issued by a certificate authority your customers' browsers trust (not a self-signed one, which will raise a warning). Free certificates recognized by all major browsers are available from Let's Encrypt; StartCom used to offer them too, but its certificates have since been distrusted by the major browsers. Once the certificate is installed, check your configuration with the free online SSL Labs server test, and if you need help configuring TLS on Apache, use Mozilla's SSL Configuration Generator.
  8. To prevent attacks like clickjacking or man-in-the-middle downgrades to plain HTTP, configure the HTTP(S) headers sent by your server (see the OWASP Secure Headers Project for details): Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and Content-Security-Policy are the ones that matter most. Practically, you can check your server's headers on the very useful and user-friendly SecurityHeaders.io website from Scott Helme; based on the analysis, the site gives you all the information you need to improve them (again, for free).
  9. Scan your server(s) to detect known vulnerabilities. This is still possible for free with the services of BitNinja or even from one of the market leaders like Qualys. If you use a Windows server, you can download the Microsoft Baseline Security Analyzer and run it against your server.
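The header checks from tips 7 and 8 can be run locally, before or instead of an online scanner. The script below is an added example written for this post, not code from the original or from the OWASP project: it parses a raw HTTP response, flags headers that are missing or carry a weak value (HSTS lifetime, X-Frame-Options, nosniff, CSP, Referrer-Policy), and also reports version disclosure and cookies without the Secure/HttpOnly flags. The two responses, the "typical LAMP install" one and the hardened one, are constructed samples, not captures from any real site, and the 180-day HSTS threshold is a choice made here.

```python
"""Security-header audit of an HTTP response (added example; the two
responses below are constructed, not captured from a real server).
To audit your own site, replace WEAK_RESPONSE with `curl -sI https://your.site/`."""
import re

# Constructed sample 1: what a default Apache + PHP + WordPress install often sends.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25 (Debian)\r\n"
    "X-Powered-By: PHP/7.0.16\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; path=/\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample 2: the same server after hardening its headers.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example


def parse_response(raw):
    """Return (status_line, headers); headers maps a lowercase name to a list
    of values, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw):
    """Return a list of (severity, message) findings; empty means nothing flagged."""
    _status, h = parse_response(raw)
    findings = []
    first = lambda name: h.get(name, [""])[0]

    # HSTS stops an attacker downgrading the connection to plain HTTP (MITM).
    hsts = first("strict-transport-security")
    if not hsts:
        findings.append(("HIGH", "Strict-Transport-Security missing: browsers will still accept plain HTTP"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(("MEDIUM", "Strict-Transport-Security max-age too short: %s" % hsts))

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive.
    xfo = first("x-frame-options").upper()
    csp = first("content-security-policy")
    if "frame-ancestors" not in csp:
        if not xfo:
            findings.append(("HIGH", "X-Frame-Options missing: page can be framed (clickjacking)"))
        elif xfo not in ("DENY", "SAMEORIGIN"):
            findings.append(("HIGH", "X-Frame-Options value '%s' is not a valid directive; do not rely on it" % xfo))

    if first("x-content-type-options").lower() != "nosniff":
        findings.append(("MEDIUM", "X-Content-Type-Options: nosniff missing (MIME sniffing)"))
    if not csp:
        findings.append(("MEDIUM", "Content-Security-Policy missing"))
    if not first("referrer-policy"):
        findings.append(("LOW", "Referrer-Policy missing"))

    # A version string tells an attacker exactly which exploit to pick.
    for name in ("server", "x-powered-by"):
        value = first(name)
        if re.search(r"\d+\.\d+", value):
            findings.append(("LOW", "%s discloses a version: %s" % (name, value)))

    # Secure keeps a cookie off plain HTTP; HttpOnly keeps it away from scripts.
    for cookie in h.get("set-cookie", []):
        cname = cookie.split("=", 1)[0]
        for flag in ("secure", "httponly"):
            if not re.search(r";\s*%s\b" % flag, cookie.lower()):
                findings.append(("MEDIUM", "cookie %s lacks the %s flag" % (cname, flag)))
    return findings


if __name__ == "__main__":
    for label, raw in (("before hardening", WEAK_RESPONSE), ("after hardening", HARDENED_RESPONSE)):
        result = audit(raw)
        print("== %s: %d finding(s)" % (label, len(result)))
        for severity, message in result:
            print("  [%s] %s" % (severity, message))
```

The weak sample yields nine findings, the hardened one none. Note that the script only looks at one response: headers must be sent on every page (including error pages and static files) to be effective, so run it against several URLs of your site, and remember that HSTS is only honoured when received over HTTPS.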