His presentation makes a number of claims about the security benefits of SSBs. It lists protection against phishing, CSRF, some types of XSS (likely all non-persistent varieties), and domain whitelisting as a future improvement to harden those protections.

I don’t think [current] SSBs completely provide those security benefits unless you do two things:

1. You block non-SSBs from accessing your website (blocking on user agent string would be enough)
2. You train users that an SSB is the only acceptable place to enter their password

Without those two requirements satisfied, it is my opinion that SSBs give little security benefit.

If you still allow non-SSBs to access citibank.com, then when a user clicks an XSS’d link to citibank.com, the citibank.com page will still load, and they will still be XSS’d. Similarly, CSRF continues to function as it is likely that the ’session cookie isolation’ benefit of SSBs are negated by the user likely having duplicate cookies in both their SSB and in Firefox (you must ensure the user never logs into citibank.com with their normal browser and obtain a session cookie there, hence the first requirement).

In order for the phishing protection to be effective, users must be aware that they are only supposed to encounter Citibank content in their SSB and not in their normal browser. For instance, if an SSB user encounters a Citibank phishing website in Firefox, will they close their browser and open their SSB instead? It might be the case that users will behave in this way, but I haven’t seen any verifiable proof either way.

[This hasn't been reported on ISIS Blogs yet, but next week marks the end of our first run of "The Psychology of Security/Social Engineering", a first-run research course here at Poly. I'm writing up a research proposal to test the above hypothesis with a group of students in the Fall.]

Lastly, if a bank starts deploying SSBs to their customers, I see this as a first step towards successfully forcing client-side requirements on users where the end-game is fully trusted computing and the open commercial web starts to disappear. This actually goes back to our “Refusing Insecure Customers” debate. It’s an evolution of the same (bad, according to readers) idea.

So, although I see where SSBs have some use and can positively affect your web security, let’s not kid ourselves, they don’t solve that much. To really be effective, they require major changes in the way you do business and [still] rely on an intelligent user. Rather, they look like avoidance of the base problem and an idealistic patch that isn’t going to work.

Oddly enough, I have been using a set of 4 Prism SSBs for the last 2 weeks and have actually grown fond of them, but not for security reasons at all. I like how they show up in my dock, that they rarely crash, and it seems natural to give such webapps “first-class” status as desktop applications. I’ll probably continue using them, but I don’t think I’ve gained any security from doing so.

That said, I think part of the problem here is that SSBs haven’t fully matured yet. I just heard about these things 2 weeks ago and I haven’t heard anyone else in the security community talking about them besides Andrew. They are a topic that deserves more attention and particularly more research from the security community as they embody a lot of attractive ideas. Despite my harsh words, I’m not ready to give up on them yet.

Let’s brainstorm: how could SSBs be more useful to security? Could we change the way they work or change how they are deployed to give us additional benefits? If you’re an InfoSec student with no good topic to research, this is without a doubt a good avenue to explore.

Here is an overview of the items not covered in the previous article:

• The director of software development at Synology contacted me one business day after my ISIS Blogs post. They have already released a firmware update to fix the most critical issues and came up with an “enhancement” plan (security fixes are not enhancements, but I digress) to fix the rest!
• I’ve started developing ARM/Linux2.6 shellcode so I can integrate a Synology exploit into Metasploit. First try: virtualize the firmware inside of qemu. Failed. Second try: install gcc directly on device. So far so good.
• I wrote an FTP request module for Sulley to fuzz the FTP server Synology is using. I haven’t been able to use yet because I hit the built-in connection limit on the FTP server and it starts ignoring me. That is a project for another day.

See the entire deck of slides here: http://cryptocity.net/archive/synology_presentation.pdf

Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:

You can skip to the full report here: A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware.

What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you’ll see why). It’s not pretty, I didn’t do all the right things, and it’s kind of long.

I had a lot of free time over Spring break (read: no money to travel anywhere) and so I decided to start “kicking the tires” of the Synology CS407 I owned. My jaw dropped when I got this first nmap scan back:

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped

It only got worse when I ran Nessus. And then worse when I got a shell and started poking around the filesystem. Get this: every application on the box is running as root! And all the web apps are written as compiled binaries running in CGI… with root privileges! As a friend in the lab described it, “1996 called, it wants its web technology back!” They weren’t even making it difficult.

This is where things got interesting. I looked around and there isn’t any formal security contact or even a public bug tracker (and they call themselves a Linux vendor!). I’m thinking maybe I can save myself some trouble and get this solved informally, so I made this really scary sounding post on their user support forums with just the results of that nmap scan. I also submitted a technical support request at the same time, pointing to the forum post. Best idea? No. But it was easy. I really didn’t want to write a formal report and submit it. I’m not getting paid for this, and frankly, I’m kind of pissed off that I bought this thing and that I’m stuck with it now.

Two moderators immediately replied to my forum post claiming that there were no security vulnerabilities and that security vulnerabilities were the price we pay for having the coolest NAS out there. I thought these were official representatives of Synology at first and was ready to make a post to full-disclosure after reading their replies.

Then an official response came back from their tech support: log in to the box over SSH (which they don’t provide, I had to hack it to turn it on) and turn off the affected services. They also recommended I put the box behind a firewall… This is why you’re supposed to have a security@ contact, so people like me don’t get stuck with non-tech and sales staff. I said a few specific things in my reply to get my concerns in front of the right people:

1. Ask for this issue to be escalated to a product manager
2. Explain the risks they were putting themselves and their customers under
3. Explain what would happen if they didn’t respond to my concerns (full-disclosure)
4. Included a PDF of a very early draft of my report

That worked. 3 days later I got a response from Synology (still their sales staff) indicating that more than half of the vulnerabilities I pointed out would get fixed in a new release of the firmware due out in 60 days. They denied a number of vulnerabilities, which I explained further and sent back to them.

Then I didn’t hear from them for 9 days. Apparently, my emails were getting stuck in their spam filter (again, vendors, please set up a security@ e-mail)! This went back and forth for a bit and I’ve moved about 90% of the issues into the next release! A handful of more architectural issues were pushed back until a release 6 months in the future. You can’t win them all, but at least they are aware of the issues now.

Back on the forum, I had been getting fairly actively involved by answering security questions from other users. Some intelligent people saw what I was saying and came to my defense when the fanboys attacked what I was saying about their precious devices. Two people even posted that they had delayed or reconsidered buying Synology products because of this discussion! It was really great to hear that, both as vindication that what I was saying was important and that Synology’s management had to take me seriously now. They were actively losing customers due to poor development practices.

How they reacted to this really isn’t surprising in hindsight: they moved all my posts to a separate, special forum, away from potential and current (but mostly potential) customers. Then their moderators started getting fed up that people were still talking about security issues they thought were irrelevant and resorted to character attacks and flaming. I sent an e-mail to my contact on the sales staff that someone representing their company was acting inappropriately and their behavior might be tied back to the company. Synology responded by locking my post.

And that’s the end of that mess.

If you have a Synology product… well good luck! All the problems I found won’t be resolved until 09/2008! And even then, I’m sure there will be more security vulnerabilities. Those compiled binary CGIs are a ticking timebomb. If you don’t already own a Synology product, I suggest FreeNAS. You can install it in a VM and try it before you “buy” it. I’d really like to get my hands on one of NetGear’s ReadyNAS products… anyone with one want to let me poke around it for a bit?

A: If you’re concerned about keeping the data in your possession, why not do that? The ready-made NAS market is starting to mature and they’re great for use as backup appliances. I wrote about this previously when I bought a Synology CS407. Now the market has changed a bit and I see 4 good options: Synology, Netgear (they bought Infrant), get an Apple and start using Time Capsule + Time Machine, or even FreeNAS as soon it will be based on FreeBSD 7 and use ZFS internally (can’t get much better than that).

But then what happens when I click the wrong button and delete my data (if I’m a terrible sysadmin), or when someone breaks into my apartment and steals my hardware? Maybe I don’t want to spend as much money and maybe, this sounds like you, I’m just more concerned with the availability of the data and the confidentiality issue is just a distraction. If someone breaks into Amazon S3 (or maybe they already work there) will they care about your data when they find it? Or, if someone is after your data, are they going to want to/be able to break into Amazon S3? If it were me, I’d be going after your data before it leaves your laptop, it’s an easier target. And besides, there are ways to mitigate your risks to confidentiality by using something like TrueCrypt or PGPDisk (two passwords to get your data isn’t so bad). Rather, you’re defaulting to an outsourced backup provider because they:

• are better sysadmins than you
• have more reliable hardware and systems than you
• have lower overhead costs than doing it yourself (probably the biggest motivator)

Given that an outsourced backup provider is only as useful as the above 3 services it provides, it’s important not to choose solely based on cost. Their value decreased rapidly with the possibility that they may not be as big and distributed as you thought, they have less expertise than you thought, or even if they get taken over in an acquisition. Hence, this list immediately, unconsciously recommended only Tier 1 backup providers like Amazon S3 who we know are a) experts and b) will be around as long as we need our data.

With all that out of the way, the big question becomes: Would I use it? And the answer is: absolutely not. First let me state that I’m a little bit of a hypocrite as I obviously outsource my e-mail, and for some reason, all of us completely underestimate the confidential nature of our *communications* online relative to the *stored* data on our hard drives. Even when we recognize this, there is little we can do to protect the confidentiality of our e-mail in the hands of others as the medium is incredibly difficult to encrypt.

So why not backup? I’m not at all comfortable with the level of control or the level of visibility of my data. All I can do to check on my backups is log in to S3 and see that they are still there. I don’t know if one more HD failure will pop them into nonexistence, I don’t know if they’ve been compromised, I don’t know if they are planning downtime, I don’t know if they are rebuilding part of their infrastructure, I don’t know anything. In other words, I am not in control of the risks I *have to* accept when using their service.

Contrast this to the Linux NAS in my apartment, where I control the level of risk I’m comfortable with. I can see when HDs fail (none have, go Seagate!), I can SSH in and view logs if I think I’ve been compromised, I’m in complete control of what I do with it. If I want more reliability, I can add another hard drive. If I want less, I can kick it really really hard when I get angry. If my appliance dies, I can take the HDs to Ontrack and get them recovered. You can’t do, control, or even know about these things with an outsourced provider.

Hopefully this will give you enough information to make an informed decision regarding how you want to backup your data.

-Dan

The original paper can be found listed under Usenix.

Apparently, ISP’s have completely given up on educating users. While teaching people how to use their computer safely does seem like an impossible task I believe selling this idea of ’security in a box’ actually does more harm than good. Although, I hate the idea of spreading fear, a little dose of paranoia would at least keep everyone mindful of what information they distribute.

Most of us would agree with the idea that security is not a product its a state of mind, a journey rather than a destination. Promoting security as an end product relieves users of any sense of responsibility towards their information. With security taken care of, the user is free to download anything from anywhere and forget about all those pop-up windows complaining about software security updates that need to be installed. It is unfortunate but many IT managers buy into this mindset as well, looking for the next great network appliance that will solve all their problems.

Its easy to get caught up in all the technical details and forget the real issue – the people using the network resources. As future security professionals I believe part of our responsibility is to educate users on how to securely navigate the information age, whether its our family and friends or even our employers. As long as there are careless users who don’t understand how to protect themselves online, exploiting technology will continue to become more and more profitable.

What would happen if everyone online practiced secure computing? Would viruses and botnets be a thing of the past? Would Identity theft disappear? Would the need for security professionals diminish?