Web Based Audits - are they safe?

"We're moving towards Web-based software, software that runs in the browser, and that's a really insecure device," says Grossman. What Web application providers want to do "can't be done securely in the browser right now." Web 2.0 applications are "the new place for malware," he says, "and as it gets larger the problems are only going to get worse."
Source: http://www.pcworld.com/businesscenter/article/149532/article.html?tk=nl_spxnws (Black Hat Security Conference, Las Vegas 2008)

Well, what more can we say about conducting software audits of your PC using Web based applications?

UPDATED 17th April 2007

How would you like your network drive names listed on the WWW as a location, along with IP addresses, user names and software license keys?

We posted this web page as an advisory about web based audit issues in January 2003, but we didn't envisage that anyone would actually start posting their own license numbers on the web. The end users are in violation of their EULAs, and so is the vendor, which is unfortunate as they are highly respected in this field.

I am sure the vendor will act to rectify this, BUT given the porosity of the web the data is now posted out there for all to see for some time to come.

When you examine each report you find it also includes license keys for other installed software, plus other details of both a commercial and a private nature that are now being aired.

See also http://www.google.com/search?q=%22Windows+XP+Professional%22+%22Belarc+Advisor+Current+Profile%22+key%3A

Your organization needs to be made aware of this as a risk if its data is listed using this method of auditing. It's the end users who are at fault, by the way!

Why doesn't PCProfile offer WEB BASED Auditing?


Quite simply, we believe that the RISKS to YOUR SYSTEMS are FAR TOO GREAT but you need to read the following to make up your own minds.       

Many are tempted by the attraction of inventorying their PC hardware and software through Internet/Web based subscription services, where the customer dials in and performs the software and hardware audit using web, site and email hosting services.

NOTE: We wrote this article back in 2003 so some of the web links listed below may be dead or removed.

The practice is growing, and this raises some so-far unresolved issues that you as the end-user customer need to address.

The benefits offered by web based auditing seem to be;

………… and so on

Extract from a sample log file whilst connected to the Internet;

/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe:
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe:
/c/winnt/system32/cmd.exe:
/d/winnt/system32/cmd.exe:
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe:
/scripts/..%25%35%63../winnt/system32/cmd.exe:
/scripts/..%252f../winnt/system32/cmd.exe:
/scripts/..%255c../winnt/system32/cmd.exe:
/scripts/..%c0%2f../winnt/system32/cmd.exe:
/scripts/..%c0%af../winnt/system32/cmd.exe:
/scripts/..%c1%1c../winnt/system32/cmd.exe:
/scripts/..%c1%9c../winnt/system32/cmd.exe:
/scripts/root.exe:
/scripts/..%25%35%63../winnt/system32/cmd.exe:
/scripts/..%252f../winnt/system32/cmd.exe:
/scripts/..%c1%9c../winnt/system32/cmd.exe:
/MSADC/root.exe:
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe:
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe:
/c/winnt/system32/cmd.exe:
/d/winnt/system32/cmd.exe:
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe:
/scripts/..%255c../winnt/system32/cmd.exe:
/scripts/..%c0%2f../winnt/system32/cmd.exe:
/scripts/..%c0%af../winnt/system32/cmd.exe:
/scripts/..%c1%1c../winnt/system32/cmd.exe:
/scripts/root.exe:

The above "commands" have been viewed as scripted attempts by unknown attackers to break in to a PC based system through its open ports. Some of the capabilities offered by the above attempts are potentially destructive.
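The requests in the extract are encoded so that a naive string match on "cmd.exe" misses many of them. The following added example (written for this page, not taken from the original article or from any audit product) canonicalises each request path the way a lenient server would and flags the ones that resolve to a system shell; the four overlong UTF-8 byte pairs and the sample lines are the ones that appear in the extract above.

```python
from urllib.parse import unquote

# Overlong UTF-8 byte pairs that vulnerable IIS builds decoded as path separators
# (only the forms present in this page's log extract are listed).
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c0%2f": "/",    # overlong "/"
                       "%c1%9c": "\\", "%c1%1c": "\\"}  # overlong "\"
SHELL_TARGETS = ("cmd.exe", "root.exe")

def normalise(raw_path):
    """Canonicalise a request path as a lenient server would: lower-case, expand
    overlong separators, percent-decode until stable (%255c -> %5c -> "\\"),
    unify separators and resolve '..' so the real target becomes visible."""
    path = raw_path.lower()
    for encoded, separator in OVERLONG_SEPARATORS.items():
        path = path.replace(encoded, separator)
    for _ in range(3):                   # double encoding needs two passes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts = []
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            if parts:
                parts.pop()              # traversal above the root is clamped
        elif segment and segment != ".":
            parts.append(segment)
    return "/" + "/".join(parts)

def classify(raw_path):
    """Return a finding for a request that resolves to a system shell, else None."""
    canonical = normalise(raw_path)
    if canonical.rsplit("/", 1)[-1] not in SHELL_TARGETS:
        return None
    raw = raw_path.lower()
    if "%25" in raw:
        technique = "double percent-encoded traversal"
    elif any(encoded in raw for encoded in OVERLONG_SEPARATORS):
        technique = "overlong UTF-8 traversal"
    elif "/../" in raw.replace("\\", "/"):
        technique = "plain traversal"
    else:
        technique = "direct request"
    return f"{technique} -> {canonical}"

def scan_log(lines):
    """Map each flagged request path to its finding; benign lines are skipped."""
    findings = {}
    for line in lines:
        path = line.strip().rstrip(":")  # the page's extract ends each path with ':'
        verdict = classify(path)
        if verdict:
            findings[path] = verdict
    return findings

# Constructed sample: three lines copied from the page's extract plus one benign hit.
SAMPLE_LOG = ["/scripts/..%255c../winnt/system32/cmd.exe:",
              "/scripts/..%c0%af../winnt/system32/cmd.exe:",
              "/MSADC/root.exe:", "/index.html:"]
```

Calling `scan_log(SAMPLE_LOG)` flags the two encoded traversals and the direct `/MSADC/root.exe` request and leaves `/index.html` alone; feeding it the whole extract above shows every line resolving to `/winnt/system32/cmd.exe` or a `root.exe`.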

WHY YOU SHOULD BE WARY OF WEB BASED AUDITS

1. INSTANT MESSAGING SERVICES POSE A WEB AUDIT RISK

Instant messaging (IM) is gaining in popularity as it lets people interact instantly and provides immediate contact, as opposed to the delays that can occur with other forms of communication, e.g. voice-mail or e-mail. This means the users are continuously connected (and can be identified via port scanners), hence the risk increases whilst the ports are open.

IM usage raises potentially serious security issues, especially where the systems have been implemented using an ad hoc approach, and may open up a company to many potential security and legal problems.

2. WEB SERVICES, INTERNET COLLABORATION POSE BIG SECURITY CHALLENGES 

Read what the Industry Pundits are saying about Security over the Web at http://www.securityfocus.com/bid/3767

Increased use of videoconferencing and Internet-collaboration technologies, the rush to Web services and a new class of malicious code that blends virus and wormlike capabilities are some of the biggest security challenges for 2002, analysts said.

3. INTERNET EXPLORER HAS SERIOUS VULNERABILITIES (if not fixed)

MS security patch opens new hole http://www.zdnet.com/zdnn/stories/news/0,4586,2836273,00.html

Microsoft urges Passport users to install IE patch
Microsoft Corp. is urging almost 200 million Passport users to install a patch released nearly two months ago to fix a problem with its Internet Explorer browser.

A flaw exists in Microsoft Internet Explorer that may allow a remote attacker to view known files on a target system when a user views web content containing a specially crafted script. This vulnerability could be used by a malicious web site administrator to view any known file on a target system. It may also lead to the execution of arbitrary code. Microsoft Internet Explorer is prone to a vulnerability which may disclose sensitive information to a malicious webmaster. Details sourced from http://www.securityfocus.com/bid/3779  

The above vulnerabilities exist for the following Internet Explorer versions on the systems listed:

Microsoft Internet Explorer 5: Microsoft Windows 95, Windows 98, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a
Microsoft Internet Explorer 5.01: Microsoft Windows 95, Windows 98, Windows ME, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows 2000 Terminal Services, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a
Microsoft Internet Explorer 5.01 SP1: Microsoft Windows 95, Windows 98, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a
Microsoft Internet Explorer 5.01 SP2: Microsoft Windows 95, Windows 98, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a
Microsoft Internet Explorer 5.5: Microsoft Windows 95, Windows 98, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a
Microsoft Internet Explorer 5.5 SP1: Microsoft Windows 95, Windows 98, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a
Microsoft Internet Explorer 5.5 SP2: Microsoft Windows 95, Windows 98, Windows 98se, Windows ME, Windows 2000, Windows 2000 SP1, Windows 2000 SP2, Windows 2000 Terminal Services, Windows NT 4.0 SP3, SP4, SP5, SP6 and SP6a, Windows NT Enterprise Server 4.0, Windows NT Terminal Server 4.0

Please note that some of the external web links are several years old and may not work, as this article was first published in 2003.

4. Suggested fix for AIM hole has back door and spyware

The fix recommended by security group w00w00 Security Development to plug a hole in America Online Inc.'s Instant Messenger (AIM) opens a user's system to hacker attacks and can direct the user's Web browser to pornographic Web sites. Most commercial IM services use port 80, the port that carries most HTTP traffic, so there is no easy way to keep an eye on IM traffic alone. IM traffic can open up port 80 many times a day, which can significantly increase a company's exposure to security breaches.

Until now, messages exchanged over IM have not usually been scanned for viruses or malicious programs. This means attackers who know of this weakness can exploit it by sending attachments containing viruses, worms and other malicious software, which may also give them access to files stored on local drives or over peer-to-peer connections. When these enter a corporate network undetected, you are at risk!

5. What about Web based Audits using TCP/IP? 

TCP/IP (Transmission Control Protocol / Internet Protocol) is the most commonly used port-based protocol on the Internet, but it does not provide a great deal of security. Security is provided by making sure incoming packets fall within a range of expected sequence numbers, and the sequence numbers are randomised when the connection is set up. It is possible to intercept an existing TCP/IP connection if the sequence is known. On some TCP/IP stacks, the state of the initial sequence number generator for new and old connections can be derived if the attacker can witness a few new connections being set up, as in the case of a web based audit. See http://www.cert.org/advisories/CA-2001-09.html for further details.
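To make the CA-2001-09 point concrete, here is an added example (written for this page, not from the original article or from CERT) that judges whether a host's TCP initial sequence numbers, observed over a few of its successive connections, are derivable: a constant or near-constant per-connection increment is, a random-looking series is not. The three ISN series are constructed for illustration, not captured from any real host.

```python
import statistics

MOD = 2 ** 32   # TCP sequence numbers are 32-bit, so deltas must wrap

def isn_deltas(isns):
    """Differences between consecutive observed ISNs, modulo 2^32."""
    return [(later - earlier) % MOD for earlier, later in zip(isns, isns[1:])]

def assess(isns, tolerance=0.05):
    """Classify a series of ISNs observed from one host's successive connections.
    'predictable' means consecutive deltas are (nearly) constant: their spread is
    within `tolerance` of the median delta, so someone who has watched a few
    handshakes can guess the next ISN to within a small window. Needs >= 3 ISNs."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs to judge predictability")
    median = statistics.median(deltas)
    spread = max(deltas) - min(deltas)
    if median == 0 or spread <= tolerance * median:
        return "predictable"
    return "random-looking"

def predict_next(isns):
    """Best guess for the next ISN: the last one plus the median delta. Only
    meaningful when assess() says the series is predictable."""
    return (isns[-1] + int(statistics.median(isn_deltas(isns)))) % MOD

# Constructed series, not captured from any real host.
# A fixed per-connection increment, as on pre-RFC 1948 stacks; wraps past 2^32.
FIXED_STEP = [MOD - 100_000, MOD - 36_000, 28_000, 92_000, 156_000]
# A fixed increment with a little jitter: still predictable to within ~1000.
JITTERED = [0, 64_000, 128_500, 192_100, 256_300]
# Random-looking 32-bit values (hand-picked constants so the run is reproducible).
RANDOMISED = [0x3A7F1C22, 0x91B0E5D4, 0x0C4E77A9, 0xF3921B0E, 0x5D6A9F31]

if __name__ == "__main__":
    for name, series in [("fixed step", FIXED_STEP), ("jittered", JITTERED),
                         ("randomised", RANDOMISED)]:
        print(f"{name:11} {assess(series):15} next guess 0x{predict_next(series):08x}")
```

The same check can be run against ISNs captured from your own hosts with a packet sniffer to see which stacks on your network still hand out guessable sequence numbers.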

6. THERE ARE LARGE NUMBERS OF PORTS AVAILABLE AND IN USE

If your network administrator has not secured the port vulnerabilities that are currently known then there are added risks when using web based audit techniques over the Internet.

The PORTS Number Registry at http://www.iana.org/assignments/port-numbers illustrates the LARGE number of ports (many of which are used for scanning / sniffer / snort devices). The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.

http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q150543
The above article discusses the known TCP/IP ports (TCP and/or UDP) that are used by services within Microsoft Windows NT version 4.0 and Microsoft Exchange Server version 5.0. This is not a complete list of TCP/IP port assignments.

For additional TCP/IP port assignment information, see the following articles in the Microsoft Knowledge Base:
http://support.microsoft.com/directory/article.asp?ID=kb;en-us;Q174904

7. PEER to PEER and FILE SHARING HAS EXPANDED THE RISK FURTHER

February 2001 http://www.infosecuritymag.com/articles/february01/cover.shtml
P2P, OR NOT P2P? Napster, Gnutella, IM and other peer-to-peer applications are still the "flavour of the week." But if you're not careful, these programs could have already been used to undermine your network security. A peer-to-peer (P2P) network is one where each workstation has both server and client capabilities and users can initiate communication between any two (or more) computers. P2P is an alternative to the traditional client-server model of networking, and is especially handy for trading files across the Internet. With the advent of file-exchange programs like Napster, peer-to-peer has also come to describe the exchange of files through a mediating server. If you are running peer-to-peer software, are not aware of the risks, and conduct web based audits, then you are at bigger risk than you think!

WHY YOU SHOULD BE WARY OF WEB BASED AUDITS

How do the above details affect Web AUDITS? Unless the web based auditing service uses a dedicated specific port, allocated and authorised by ......org for its service, and not port 80 or some other common open port, then you have NO WAY of tracking what occurs during the course of a web based audit.

The web based audit service may use or offer encrypted communications between the corporate site and the audit site; however, whilst the port is open and there are gaps between send and receive times, other users may attach themselves to the open port and use it to gather data and information directly from your site.

Think it can’t happen? Have you checked? When did you last check? Do you know what to look for? How secure are your systems when you use a web based auditing service? Can you afford to take the risk?

There are now web based audit tools on the market that enable you to conduct an audit whilst you are logged on to the Internet, BUT you need to be very careful as some of these require you to lower your level of security to enable the web audit to function. This is NOT a smart way to conduct an audit! Some of these audit tools are available when you log on to an https site (a secure server), but have you thought about this? The secure server ONLY protects their side of the connection, NOT YOUR SIDE!

To conduct an audit on your PC you need to have some OPEN PORTS available.

SO AGAIN, WHAT IS THE RISK DURING WEB BASED AUDIT?

During a web based audit it is quite possible for a port scanner device to attack your PC and download other files in between the polling times used in the transmission. If you think this is a risk then you would be well advised NOT to consider web audits of your PC based systems. The web is NOT a secure place for conducting audits.

If you think that you are SECURE whilst the web based audit is under way, you need to make sure. The way to do this is to set up a separate monitoring device that listens to the PC's traffic, records every event both inbound and outbound, and lets you analyse the results to establish how safe the traffic activity has been during the course of the audit. In many instances you just won't be able to tell. If you think it's worth the risk then be prepared for the possibility of corruption of PC data, theft of PC information, installation of trojans on your system and so on.

Think it doesn't happen? Then read the following details;

CERT said it received more than 52,000 reports of security incidents during 2001, compared with more than 21,000 in 2000. A CERT analyst explained the sharp rise as a result of heightened awareness by users.

Other areas of risk with Web Based audits (which can only be conducted if the service has access to open ports on your PC) can be identified when you read the following details regarding ports TCP/21 (ftp), TCP/80 (http) and TCP/443 (https): http://www.cert.org/tech_tips/win_intruder_detection_checklist.html

Have you examined the processes used in conducting a web based audit yet?

What would you think if you saw the log files for a PC system that had been busy auditing, and saw the attempts "behind the scenes", NOT from the audit house/hosting service but from other "attackers" trying to break in whilst the ports were open during an audit cycle? The log extract earlier on this page shows exactly that.


UPDATE 17th April 2007: from another popular PC Audit program that has users posting their "own" profiles on the web, the following key details are being exposed! This places your organization at severe risk if the data is not properly firewalled and secured!

All of the aspects listed above are the key reasons why we WILL NOT conduct WEB BASED Auditing! We firmly believe the RISKS are FAR TOO GREAT!

THERE IS ONLY ONE SAFE WAY TO CONDUCT A SOFTWARE COMPLIANCE AUDIT!

The safest method to conduct an audit is;

and not at risk when port scanners, sniffers and other attack tools are being used to break into your systems.

"The primary purpose in conducting a software compliance audit is to REDUCE YOUR RISK, so why INCREASE it using web based audits?"

CAN'T AFFORD AUDIT SOFTWARE?  

If you've been fighting a losing battle about having a budget for audit software tools and need to convince management, accountants and directors, then you need to read this article and make a comparison between what "could have been avoided" vs what needed to be budgeted. It might just tip the scales in your favour as you strive to achieve software compliance using software audit tools.
No Budget For Audit Software
and It's a Risky Business if you think you are 80% Compliant!

Performing a software inventory involves analysing the software products installed on your computers and comparing this against licenses owned. Depending on the size of your organisation, and the condition of your records, this may be quite simple, or it can take a bit of effort.

Remember, there is no excuse for using illegal software and the financial and legal costs can be very high.

WHERE DO YOU START on an AUDIT?

Our Message System http://www.pcprofile.com/swmessage.htm is a great place to start off with Software Compliance. A US version is available spelt "authorized". Without this message "from the management" you are wasting your time! Followed very closely by;

Take a Snapshot using AUDIT Baseline, which will give you a broad look at the extent of the non-standard and non-authorised software loaded on your PCs - the results will astound you!

Use the Software Licence Cost Model to assess what the risk and damage might be if you get caught.

AUDIT BaselineV4 FAST server based auditing - NOW there is NO EXCUSE for not auditing your PCs

(C) Rob Harmer Consulting Services Pty Ltd All rights reserved Worldwide
Rob Harmer Consulting Services Pty Ltd
P.O. Box 196
Modbury North Sth Australia 5092
fax +61 8 8265 1961
pcprofile@internode.on.net
http://www.pcprofile.com
Please contact pcprofile@internode.on.net regarding any problems with this site
Site & Contents Copyright © 2008 Rob Harmer Consulting Services Pty Ltd
Originally posted January 2003

selected items refreshed 17th April 2007

Last Updated August 2008 but not all links updated!