Last year, my employer paid for a “security audit” for our software, and any “issue” on their report was then a high priority to fix.
I think the majority of the issues they stated were incredibly unlikely to happen, or there would be an easier means of acquiring such information. One of them was that UDP messages, which are only sent on the user’s local network – had an unencrypted username. But if the attacker was already inside the user’s building, it would probably be much easier just to look at the user’s screen rather than plugging into their network and running a packet-sniffer.
Problem 1:
Shortly after we released some “security fixes”, we had a few bugs reported, one of which was:
“Users unable to reset their own passwords using the self-service password reset process”
So the security improvement created a Security major incident. Brilliant.
Problem 2:
A colleague was explaining another problem which I only had a vague understanding of. But it was to do with the version of a protocol being sent in the header of a message. It is classed as a security flaw because an attacker can look up known security flaws for that version and try to exploit the system that way. I suppose they can still guess what the version is, and try different “attack vectors”; but I suppose the less information you give them, then the more hassle it is. As my colleague explained it, a change had been made to remove the version, and tested on a specific version of SQL server, but we have multiple versions on our live infrastructure. When it came to demoing it with a client, they discovered a particular feature was broken on a different SQL Server version. A little awkward, but at least it didn’t go live.
Potential Problem 3:
When it comes to authentication failures, if you tell the user that the login attempt has failed due to the username being wrong, or the password being wrong – you are making it easier for malicious users to attempt to gain access to someone’s account. So if an attacker is guessing usernames and normally sees “Invalid username”, and eventually gets an “invalid password” message, then the attacker knows the account exists and now just needs to get the password.
There was one API call that returned an error code along with the message “Invalid username”. So as advised by the security audit, the developer changed the message to “Invalid username or password”.
On the code review, I pointed out that the developer also needs to change the Error Code too, and they replied saying the security audit stated that the message was the problem. They definitely hadn’t thought about the actual problem. If Error Code 40 is “Invalid username” and Error Code 41 is “Invalid password”, and you change both texts to say “Invalid username or password”, then it’s not really any more secure is it? since we are still returning 40 when the username is wrong, and 41 when the password is wrong. What we need to do is make 40 and 41 obsolete, and make a new Error Code for “Invalid username or password”. However, can we actually do that? When you have third parties using your API, if they have written code which relies on certain return values – then you break their software when you change yours. So we would need to inform everyone that the change is coming, then release this change.
UDP and ChatGPT
A senior developer questioned why we were encrypting elements of the UDP message. The developer struggled to explain and then incorrectly used ChatGPT. It was obvious by the increase in technicality and vocabulary in his response.
George Out of interest, why are you encrypting this? Karthick According to the system audit query, MAC address and Sending user display name and the location name should be encrypted. George But Mac Address is sent in plaintext as part of UDP - I can see it in your screenshot above Karthick It is encrypted at Controller before sending. George Yeah I know you encrypt it in the payload, that was my question, why are you encrypting something that is in plaintext elsewhere on the network traffic? Karthick In most cases, the visibility of the sender's IP address is not a concern. IP addresses are public and essential for routing data across networks. While it's possible to use techniques like VPNs or proxies to obscure your real IP address from the recipient of the data, these techniques are not directly related to the encryption of the UDP packet payload. George Did you ask ChatGPT for that? Also, I'm talking about MAC Addresses, not IP addresses. I don't really care if you encrypt it or not, I was curious what decision led to you encrypting a MAC address. Karthick ChatGPT gave a good answer 😃 I cannot see MAC address of Wireshark UDP packet trace done in my laptop. Govind From the Pen test, it is reported that the "Disclosing MAC Addresses and display names of users provides a wealth of information to a potential attacker" via panic alerts. That's the reason we are encrypting the Mac address. And I believe the Mac address showing on the Wireshark, is the system Mac address(the interceptor machine) on which the Wireshark tool is running. George All you had to say was "Pen testers" and I would have been happy 😄