Thursday, February 9, 2012

Secure Forgot Password Implementation

I got a message from Mae Bualat about a secure implementation of a forgot-password mechanism. Although his approach also sounded secure to me, I suggested some more alternatives to him. The approaches are always arguable, but these are my personal arguments, as per my limited knowledge.
The following is the communication between us:
Hi Mr. Nilesh Kumar,

I've come across your blog while looking for some references on the web for a secure password recovery scheme. I suppose, as a security specialist, you may have inputs to help me work on it.

I am looking for a secure password recovery implementation. The process that I am looking into is this: the user will need to supply the email address used on account registration, then birthday, then the user will need to supply a new password, then the system will send a verification link to his registered email to finalize and confirm the process. But aside from this, I am still currently looking for some ways to securely implement this process.

Any idea will be highly appreciated.

Thanks,
mae

I wrote:
Hi Mae,
Your implementation at first glance looks reasonably secure to me, but again it depends on various scenarios, such as how rigorously you implement it, i.e. the number of security questions and how personal they are, as date of birth is not so personal nowadays. Instead you may use mother's maiden name.
So, leaving the type of security questions you implement to you, I would suggest the following Do's and Don'ts. It's my personal assumption and may or may not be the best solution:

1. Don't rely on an email mechanism to send a temporary password, cleartext (actual) password, or any other sensitive instructions to the user's registered email. It may seem secure, but there's always a risk of sniffing the passwords or other sensitive instructions on how to reset the password over the unencrypted internet.
2. Don't display the user's password on the webpage after answering some secret questions. The risk here is that the page may be cached on the computer and anybody with a little computer knowledge may have access to it. This also implies that the application is not storing the password in hashed form in the database, which is again a weak implementation.
3. Don't display password hints on the webpage, which are again guessable.

Now, this should be a reasonably secure mechanism:
1. Use a multistage password reset mechanism wherein you may ask for username, registered email and some other information such as DOB, ZIP, customer no. etc. The more questions there are, the more secure it is. Once all are validated correctly, go to the next stage; otherwise display the generic message "Invalid Data".
2. In the next stage, ask at least 3 personal security questions (like mother's maiden name, name of your first vacation place etc.) already preset while the user was registering. If correct, go to the next stage.
3. At this stage, finally, present the user with the new password reset form. Enforce all password complexity guidelines. One more thing you can do to make it more secure is, as soon as the user is done providing the correct personal security answers at stage 2, immediately send a long random token to his registered e-mail. Then require him to supply that long random token on this final new password reset page. This will act as 2-factor authentication.

Apart from that, you should follow all the default security best practices, such as storing the user's answers as salted hashes in the DB, not using plain HTTP, invalidating the old password ONLY when the user is done setting the new password successfully, sending an email informing the user that the password has been changed, locking out the account for a certain period and then unlocking it, etc.

So in short, don't use email to send sensitive information; use email for out-of-band authentication purposes. This way, it might be a reasonably secure implementation.

Regards,
Nilesh
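A worked version of the final stage of the mechanism described in the reply, added here as an example and not part of the exchange: the long random token is generated once the security questions are passed, only its hash is stored, it expires and is single use, and the old password is replaced only after every check succeeds. The in-memory dicts standing in for the database, the 15-minute lifetime and the complexity rule are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60
_reset_tokens = {}  # user -> {"hash": sha256(token), "expires": epoch}; stands in for the DB
_passwords = {}     # user -> (salt, pbkdf2 hash); stands in for the DB

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(user, password):
    salt = secrets.token_bytes(16)
    _passwords[user] = (salt, _hash_password(password, salt))

def check_password(user, password):
    salt, stored = _passwords.get(user, (b"", b""))
    return hmac.compare_digest(stored, _hash_password(password, salt))

def password_is_complex(pw):
    return (len(pw) >= 12 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def issue_reset_token(user, now=None):
    """Called once stage 2 (security questions) is passed. Returns the token to
    e-mail; only its hash is stored, so a copy of the DB cannot replay it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[user] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                           "expires": now + TOKEN_TTL_SECONDS}
    return token

def complete_reset(user, token, new_password, now=None):
    """Stage 3: e-mailed token plus the new password. Every failure returns the
    same generic False, the token is single use and expires, and the old
    password is invalidated only after all checks have passed."""
    now = time.time() if now is None else now
    record = _reset_tokens.get(user)
    if record is None or now > record["expires"]:
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(record["hash"], supplied):
        return False
    if not password_is_complex(new_password):
        return False
    del _reset_tokens[user]           # single use
    set_password(user, new_password)  # old password invalidated only now
    return True
```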

Tuesday, January 10, 2012

MHTML files

Today my colleague Surendra had a query regarding a weird popup that came up while he was trying to access a website. Even I was not very familiar with the kind of message he was getting. All we wanted to know was whether it was really anything malicious! He was trying to access some page, and the website was making a weird request to the webserver in order to load some object (here it was a calendar) from the server:

mhtml:http://abc.com/resources/Calnder.mht

The warning message was like this:

Since I had not noticed anything like this in the past, I did a little research on the topic. The browser was trying to load an MHTML page. MHTML is simply MIME HTML, a format used to combine all the external resources, which are generally loaded via external links, together with the HTML code into a single file. Generally this file has the extension .mht. So any .mht file contains a mix of HTML code and other objects such as Flash, images, applets, audio files etc. The content of the .mht file is encoded in base64. (Wiki)

So when you request a .mht file it is loaded as multipart content, one part at a time, as the file may be large. It can also be used to minimize the number of GET requests to the server. So IE uses the mhtml:http:// format to request such files from the server. But IE strips the mhtml part and makes a normal GET request to the web server, and when it gets the response from the server it prefixes mhtml again. So for example, if you request mhtml:http://abc.com/anyFile.mht, IE interprets the mhtml request as being for multipart/related content and sends a normal GET request to the server as http://abc.com/anyFile.mht. After receiving the response back it again prefixes it with mhtml as mhtml:http://abc.com/anyFile.mht.

So, regarding his case: long ago there was a script injection vulnerability in the way Windows treats MHTML. So Microsoft came up with a lock-down solution for MHTML being used in the URL. Now you can't use mhtml in URLs/hyperlinks if that fix is applied on the server. MHTML can still work behind the scenes; the only thing is that you can never request it as mhtml:http://. Generally a .mht file doesn't contain script, but if it does and the MHTML lock-down is applied on the server, it pops up a message like the one you faced: “This webpage is trying to communicate with your computer using a protocol that your security setting don’t allow”. You can simply allow it to be rendered by clicking Yes on the pop-up. No harm in that.
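An added example (not from the original post) of what an .mht file looks like inside and how to inspect one: a constructed multipart/related message with a base64 HTML part and an image part, parsed with Python's email module to list the parts and flag any that carry script, which is the case the lock-down warning is about. The cal.gif location and the part contents are made up for the example.

```python
import base64
from email import message_from_string, policy

# Constructed .mht: one HTML part (carrying a script) plus one image, each
# base64 encoded under a multipart/related envelope, as described above.
SAMPLE_MHT = "\r\n".join([
    "Subject: Calendar",
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; boundary="----=_Part_0"; type="text/html"',
    "",
    "------=_Part_0",
    "Content-Type: text/html; charset=utf-8",
    "Content-Transfer-Encoding: base64",
    "Content-Location: http://abc.com/resources/Calnder.mht",
    "",
    base64.b64encode(b"<html><body><img src='cal.gif'>"
                     b"<script>alert(1)</script></body></html>").decode(),
    "",
    "------=_Part_0",
    "Content-Type: image/gif",
    "Content-Transfer-Encoding: base64",
    "Content-Location: http://abc.com/resources/cal.gif",
    "",
    base64.b64encode(b"GIF89a\x01\x00\x01\x00").decode(),
    "",
    "------=_Part_0--",
    "",
])

def inspect_mht(text):
    """One dict per part: Content-Location, content type, decoded size and
    whether the decoded body carries a <script> tag."""
    msg = message_from_string(text, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not an MHTML (multipart/related) file")
    parts = []
    for part in msg.iter_parts():
        body = part.get_payload(decode=True) or b""  # base64 decoded here
        parts.append({"location": part.get("Content-Location"),
                      "type": part.get_content_type(),
                      "bytes": len(body),
                      "has_script": b"<script" in body.lower()})
    return parts

def script_bearing_parts(text):
    """Locations of parts that would trigger the script lock-down warning."""
    return [p["location"] for p in inspect_mht(text) if p["has_script"]]
```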

So in his case, it may be that the browser is trying to access some URL in the mhtml:http:// format and mhtml has been locked down on the remote server or in your IE settings; that could be the reason you are getting the pop-up alert.

Again, all the above observations are based on my Google research and might not be 100% correct, but one might have got the picture a bit. So there is nothing malicious in that request.

Tuesday, December 13, 2011

Process listening on the ports

Sometimes it becomes very necessary to confirm which exe or process is listening on which port, in order to determine the reason behind the services running on those ports. For example, if you find that there is one more web service running on another port, say 8082 apart from port 80, you may need to determine which process is behind it after all. To see it, type:
netstat -anb
If you look at the above output, you can see the inetinfo.exe process is running on two ports, 80 and 3205, which are http and sapdp05 respectively, along with the respective PID or process ID, which in this case is 2644 for inetinfo.exe. So, if you stop or kill the inetinfo.exe process, these services will stop.

I have seen on some PCs, especially on Win7, that the netstat -ab command does not work. So, to determine the process listening on a specific port, you can do it like this:
Type netstat -ano | find "2644", as we know that PID 2644 is responsible for opening port 80 (http) and 3205 (sapdp05) but we don't know the exact process name. So we can map them as in the following picture:
The PID 2644 is mapped to inetinfo.exe in the Windows Task Manager. But if you want to just stop port 80 (or say you don't want inetinfo.exe to listen on port 80, i.e. http), you need to stop WWW Publishing in Services.msc. This will allow inetinfo.exe to run on port 3205 (sapdp05), which may be a required service, but stop http (port 80).

So this way you can determine which exe or process is responsible for running a specific service on a specific port.
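An added example, not from the original post, that does the netstat -ano to Task Manager mapping in code: it parses constructed samples of the netstat -ano and tasklist /FO CSV output (matching the inetinfo.exe / PID 2644 case above) to answer which image is listening on a given port and which ports a PID has opened. On a real machine the two strings would come from running those commands.

```python
import csv
import io

# Constructed samples matching the case above: inetinfo.exe (PID 2644)
# listening on 80 and 3205. Real output comes from running the two commands.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2644
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3205           0.0.0.0:0              LISTENING       2644
  TCP    10.0.0.5:49152         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1380
"""
TASKLIST_SAMPLE = '''\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","48 K"
"svchost.exe","812","Services","0","5,120 K"
"snmp.exe","1380","Services","0","3,004 K"
"inetinfo.exe","2644","Services","0","12,340 K"
'''

def _sockets(netstat_text):
    """Yield (proto, local_port, state, pid) for each socket line of netstat -ano."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        state = f[3] if f[0] == "TCP" else "LISTENING"  # UDP has no state column
        yield f[0], int(f[1].rsplit(":", 1)[1]), state, int(f[-1])

def pid_to_image(tasklist_csv):
    """Map PID -> image name from 'tasklist /FO CSV' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(tasklist_csv))}

def process_on_port(port, netstat_text=NETSTAT_SAMPLE, tasklist_csv=TASKLIST_SAMPLE):
    """Sorted (pid, image) pairs with a listening socket bound to `port`."""
    images = pid_to_image(tasklist_csv)
    pids = {pid for _, p, state, pid in _sockets(netstat_text)
            if p == port and state == "LISTENING"}
    return sorted((pid, images.get(pid, "?")) for pid in pids)

def ports_of_pid(pid, netstat_text=NETSTAT_SAMPLE):
    """Listening ports opened by one PID (the netstat -ano | find "2644" step)."""
    return sorted({p for _, p, state, q in _sockets(netstat_text)
                   if q == pid and state == "LISTENING"})
```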

Tuesday, November 15, 2011

Reverse Engineering with OllyDbg

My article on reversing an exe has been published in the October issue of "Exploiting Software - Hakin9" magazine. This article is a basic introduction to reverse engineering. I have chosen to show the reversing of a sample exe file and how to patch it. The article focuses more on showing a practical example of reversing.
It can be downloaded here. The article starts from page 38.

Thursday, October 20, 2011

Dealing with Non-technical users

In the security profession, you usually take your findings to people who have the technical capabilities to understand what you want to explain to them. But what about a situation where you need to deal with ordinary, non-technical users? They don't understand your security jargon; they only care about their business. I have been dealing with these sorts of people for a long time! And when they are sitting in a remote location, it's very tough!
The best way is to send them mails explaining the issue, its impact and how to fix it. Sometimes they will co-operate with you; sometimes you are disappointed.
For example, if you need to deal with users running insecure services (say FTP) on their machines, the following steps seem to work:
1. First send them a communication about the issue, e.g. what the service is all about and how it could be exploited if not closed or secured.
2. If they respond, well, tell them to stop FTP from Services.msc.
3. Sometimes they are not sure why FTP is running on their machine. They stop IIS Admin and all, but FTP is still running. Tell them to run fport, a McAfee tool, to find the EXE which is responsible for running the service. netstat -ab is another equivalent command. Sometimes inetinfo.exe may not be responsible for running FTP on the machine, as there are lots of other applications which may run their own FTP servers.
4. Now that you are sure which process (EXE) is running the service, you may instruct the user to go and locate that service in Services.msc and stop it.

What I want to say is, it really takes patience on your side if users are non-technical, remote and a little non-cooperative. But again, it's very necessary to bring them onto the right path, as they may pose a security risk to your organization.

Thursday, October 13, 2011

Securing Connection Strings

Today I again came across the same scenario my colleague Sam had once asked me about. He asked me about best practices for securing connection strings, that is, for securing the database connection string file. The general approach, irrespective of technology, is that it's best practice to move the credentials out of the source code into a configuration file. That file needs to be properly protected, using strong ACLs and strong encryption with properly protected keys. I shall give you an example from .NET, which I am aware of, and you can suggest that developers use a similar thing for Oracle and JSP pages.

Again, there are different approaches for different technologies. For ASP.NET you can use Windows authentication instead of putting the username/password and database name (the connection string) in the source code. But if that's not possible and you have to mention the username/password and database name, put them in a separate configuration file such as app.config or web.config and encrypt them using one of the various ways available in .NET, such as protected configuration.
The following configuration file fragment shows the connectionStrings section after it has been encrypted:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AHHJHJh9w+++kdjkdkUIosdndns…. </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

When the encrypted connection string is retrieved at run time, the .NET Framework uses the specified provider to decrypt the CipherValue and make it available to your application. You do not need to write any additional code to manage the decryption process.
The bottom line is: don't store them in source code, and you have to encrypt the configuration file containing the connection string. Tell them to put the connection string in a configuration file and encrypt it. Again, they have to pay attention to key management. This is the best available solution; however, it may be tailored as per their needs.
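An added check, not from the post, that a reviewer can run over a web.config to tell a protected connectionStrings section (as in the fragment above) from one still carrying cleartext credentials. Both configs are constructed and the CipherValue is a placeholder; real encrypted sections also carry the xmlenc namespace on EncryptedData, which the check tolerates.

```python
import re
import xml.etree.ElementTree as ET

# Constructed configs: one with a cleartext password, one protected the way
# the fragment above shows (the CipherValue here is only a placeholder).
PLAINTEXT_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Server=db1;Database=Orders;User ID=app;Password=Summer2011!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""
ENCRYPTED_CONFIG = """\
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>PLACEHOLDER-CIPHER-TEXT</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""
SECRET_KEY = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)
WINDOWS_AUTH = re.compile(r"integrated security\s*=\s*(true|sspi)"
                          r"|trusted_connection\s*=\s*(true|yes)", re.IGNORECASE)
def audit_connection_strings(config_xml):
    """Findings for the connectionStrings section; an empty list means the
    section is absent, protected, or relies on Windows authentication."""
    section = ET.fromstring(config_xml).find("connectionStrings")
    if section is None:
        return []
    provider = section.get("configProtectionProvider")
    # Match the local tag name: real encrypted sections use the xmlenc namespace.
    encrypted = any(el.tag.rsplit("}", 1)[-1] == "CipherValue" for el in section.iter())
    if provider and encrypted:
        return []  # protected configuration: decrypted by the provider at run time
    findings = []
    if provider and not encrypted:
        findings.append("configProtectionProvider is set but no CipherValue is present")
    for add in section.findall("add"):
        cs = add.get("connectionString", "")
        if SECRET_KEY.search(cs):
            findings.append("'%s' carries a cleartext password" % add.get("name"))
        elif not WINDOWS_AUTH.search(cs):
            findings.append("'%s' is not encrypted and not Windows authentication" % add.get("name"))
    return findings
```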

His other query was about SSL, whether it can be used for connections between application and database servers.
Here there are two scenarios. In the first, the app server and database server are on the same machine. In that case protecting the connection between application server and database server doesn't make any sense, as the connection is not exposed to the public. Also, the application server and DB server can both be on the same machine or on separate machines. SSL is only used between the application server/DB server machine and the user's browser to prevent man-in-the-middle attacks like sniffing.
In the worst case, if the application server gets compromised (application vulnerabilities may be the main culprit), SSL won't help at all, as the connection string, if not encrypted, can easily be read by the attacker.

Regarding the second scenario, one situation I can think of is when the app server and DB server are on different sites. But in that case too, only the connection string credentials in transit can be protected with SSL; they can't be protected when the app server is compromised.
The best bet is to encrypt the connection string file itself.


Thursday, September 15, 2011

Open Mail Relay-How to test

An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular due to their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers. [Wikipedia]

How to test your mail server for open relay:
1. At command prompt type:
C:/>telnet mailserver.yourdomain.com 25

220 mailserver.yourdomain.com ESMTP MAIL Service Version 6.0.3894 ready at Tue, 22 Aug 2011 05:22:00 -0700

2. helo

250 mailserver.yourdomain.com Hello

3. mail from: sender@otherdomain.com

250 2.1.0 sender@otherdomain.com....Sender OK

4. rcpt to: recepient@someotherdomain.com

250 2.1.5 recepient@someotherdomain.com

5. data

354 Start mail input; end with .

This is a test mail. Please ignore this-Nilesh

.

250 2.6.0 Queued mail for delivery

6. quit

221 2.0.0 mailserver.yourdomain.com Service closing transmission channel

Connection to host lost.

You have successfully sent an anonymous mail abusing the open relay.

But if you get a 550 error like this:
rcpt to: recepient@someotherdomain.com

550 5.7.1 Unable to relay for recepient@someotherdomain.com
the mail server does not allow open relaying and won't forward spam all over the net.
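An added example, not from the original post, that performs the same check on your own mail server with Python's smtplib but stops at RCPT TO and sends RSET instead of DATA, so a relaying server is recognised from its 250 reply without a message being queued; it also pulls the RCPT reply code out of a pasted session like the ones above. The host name and addresses are the post's placeholders.

```python
import smtplib

def relay_verdict(rcpt_code):
    """Interpret the RCPT TO reply: 250 means a recipient in a foreign domain
    was accepted (open relay); 550/551/554 means relaying was refused."""
    if rcpt_code == 250:
        return "open relay"
    if rcpt_code in (550, 551, 554):
        return "relaying denied"
    return "inconclusive (code %s)" % rcpt_code

def rcpt_code_from_transcript(lines):
    """Pull the reply code that followed 'rcpt to:' out of a pasted telnet
    session like the ones above; None if there was no such reply."""
    after_rcpt = False
    for line in lines:
        low = line.strip().lower()
        if low.startswith("rcpt to:"):
            after_rcpt = True
        elif after_rcpt and low[:3].isdigit():
            return int(low[:3])
    return None

def check_open_relay(host, port=25, sender="sender@otherdomain.com",
                     recipient="recipient@someotherdomain.com", timeout=10):
    """Same exchange as the telnet session, stopped after RCPT TO: RSET is sent
    instead of DATA, so nothing is queued even when the server would relay.
    Returns (verdict, rcpt_code, server_message)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return ("sender refused", code, msg)
        code, msg = smtp.rcpt(recipient)
        smtp.rset()
        return (relay_verdict(code), code, msg)
```

Calling check_open_relay("mailserver.yourdomain.com") against the server from the transcript returns ("open relay", 250, ...) for the first session and ("relaying denied", 550, ...) for the second.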