Saturday, September 13, 2008

Spliced feed for Security Bloggers Network

Jeremy Jaynes gets a free pass? [Richi Jennings]

Posted: 13 Sep 2008 06:27 AM CDT

It's déjà vu all over again. I see that Jeremy Jaynes has won his most recent argument in Virginia that the state's anti-spam law is unconstitutional. (Once again, thanks to Slashdot for the heads-up.)

Jaynes would have us believe that spamming is protected speech under the U.S. First Amendment. The court didn't exactly say that, but concluded that the law as written was overly-broad, because it didn't explicitly differentiate between commercial speech and any other kind of speech (e.g., political expression).

While I agree that anti-spam laws shouldn't restrict political speech, I have a couple of issues with this decision:
  1. Spam is spam, whatever the content; I'd hate this to be seen as a license for nut-jobs to fill my inbox with political rants.
  2. Doesn't the U.S. constitution already make it clear that commercial speech isn't unprotected?
As I noted back in March, it was worrying that the previous decision was split 4-to-3.

Again, I say I find it really hard to believe that the American founding fathers intended my inbox be full of spam.

Jeremy Jaynes Lost Appeal, but... [Richi Jennings]

Posted: 13 Sep 2008 05:28 AM CDT

Hmmm, so I see that Jeremy Jaynes has lost his appeal in Virginia that spamming is protected speech under the U.S. First Amendment. (Thanks to Slashdot for the heads-up.)

Jolly good, and no surprise there, I think. However, why on Earth was it a 4-to-3 split decision? What were those three state supreme court judges thinking?

Well, according to the AP:
Justice Elizabeth Lacy wrote in a dissent that the law is "unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mail including those containing political, religious or other speech protected by the First Amendment."
Oh, balderdash. I find it really hard to believe that the American founding fathers intended my email to be full of spam.

Apple is a black box company [StillSecure, After All These Years]

Posted: 13 Sep 2008 12:43 AM CDT

The iPhone is my first experience being an Apple customer.  After a few months now, I have one thing to say to Steve Jobs and Co - Set my people free!  They talk about Microsoft locking you in?  Apple  makes Microsoft look like libertarians.

A few days ago I wrote about a frustrating experience I had flying across the country. I had a file attachment in an email on my iPhone.  It was a PowerPoint file. I wanted to edit it before I had to present in the morning.  There was just no way to get it off my phone onto the computer without mailing it to myself, which I could not do on the plane.  It was frustrating for me because for the last two years I had Windows Mobile phones.  When you plugged in the USB, the phone became a mounted drive and you could drag and drop files back and forth between the phone and your computer.  Not with the iPhone, it seems.  Even though plugging it in and syncing with iTunes is no different, Apple does not want you to be able to move your own files on and off the phone.

I received a note from a reader telling me that a new app was available called Air Sharing that would let you do this.  I downloaded the app and tried it out.  First of all you still can't just plug in the USB and move files.  It works by setting up a web server on your iPhone that can only be accessed via a wireless network connection.  So for the plane scenario that started this, it was basically useless.

I had music on my iPhone that was there from my old computer. It was my own MP3 files, not bought from iTunes, and no DRM issues. I have been trying to get them onto my new computer from the iPhone.  But again, because of Apple's totalitarian philosophy, if you want to sync your iPhone with iTunes it will wipe out your iPhone music and replace it with what you have in your iTunes library.  Again, it is the Apple way or no way.  Well, it turns out that Air Sharing is the same garbage. You can move files from your computer to the iPhone but not the other way.  What good is that?  I could just attach and mail them to myself and do the same thing.  I don't blame the developers of Air Sharing; their hands are tied by Apple.

In spite of this uselessness, the Apple fanboy crowd can't stop crowing about the legendary Apple user experience that this app allows and how great it is.  Here is a news flash for you:  You want to see how it should really work? Go check out a Windows Mobile phone! In the meantime I am in countdown mode to when I can ditch the iPhone.  I am tired of dropped calls, poor signals and black box controls.

My message to Apple is - Set the people and their files free!

More on Apple.  Mitchell sent me a wav file to edit for our next podcast. I clicked the link, it opens in my browser, and the QuickTime plug-in that I don't even remember giving permission to install starts playing the wav file.  Go to save the file and it tells me I have to buy QuickTime Pro.  The heck with that. I opened the URL in Windows Media Player and clicked Save File As.  Easy peasy.

Rumors of acquisitions abound [StillSecure, After All These Years]

Posted: 12 Sep 2008 11:43 PM CDT

It is not just who is going to put Lehman Brothers out of their misery in the M&A grist rumor mill.  In the tech world there are two interesting potentially big deals being rumored:

1. Why are wireless companies like bellybuttons?  Because it seems like everyone has one.  Continuing the recent trend, Juniper wants to be the latest one on the block to acquire its own wireless company.  According to reports, they are interested in buying Meru Networks (96 million raised) or publicly traded Aruba.  While Meru has nice technology, an Aruba buy would be a great fit for Juniper.  Aruba is Cisco's biggest competitor in the wireless space, so it should fit well with Juniper's take-on-Cisco persona.

From various sources, it will be one or the other of these two wireless providers, but Juniper is certainly buying one.

2. What took them so long?  I have always thought for the longest time that Citrix was a good buy for Microsoft.  Now once again rumors are flying that Redmond will finally pull the trigger on this multi-billion dollar deal.  Cisco, IBM and HP are also rumored to be in the hunt this time though. I guess the virtualization stuff is driving a lot of that.

I have also heard rumors that Citrix will be moving its HQ from Ft Lauderdale to Silicon Valley.  The South Florida tech community would certainly be a big loser in that one.

In any event, the march of consolidation moves on.

SPAM Protected Under 1st Amendment in Virginia? [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 12 Sep 2008 11:34 PM CDT

You read right.

My colleague Scott sent me an email today with this story from the Atlanta Journal-Constitution, which basically strikes down the law which put one of the most infamous spammers in history in the slammer for 9 years. Unbelievably, he was allowed to argue that his "email campaigns" were covered under the "freedom of speech" provisions in the US Constitution... even though his email spews were 100% commercial - how does that work?

Of course... the question is, will this reversing of the Virginia law cause a cascading failure of legal precedent up into the US Federal CAN-SPAM Act? We'll have to wait and find out I guess - but I have some additional thoughts on this topic - namely - does this have anything to do with security, or is it simply a nuisance to administrators, mailbox owners, and network managers have to learn to live with?

Interesting that arguing "freedom of speech" could reverse a law that makes it illegal to send unsolicited, commercial email to random people.

My favorite quote of the article is this one... from the ruling itself.
The Virginia law "is unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mails, including those containing political, religious or other speech protected by the First Amendment to the U.S. Constitution," Justice G. Steven Agee wrote. Because the law prohibits the transmittal of *any* type of unsolicited email (including religious and political emails), it means that the law as a whole is unconstitutional.

--Thanks Scotty... interesting development indeed.

Picture of Ike [An Information Security Place]

Posted: 12 Sep 2008 07:57 PM CDT

Image credit: NASA

Here’s a slightly modified pic that I posted on TwitPic.  It shows where Ike is supposed to go and where I live (Tomball, TX).

[Image: Ike's projected track and Tomball, TX]

Thanks for the prayers.  I’ll see everyone on the other side…


My Picks for OWASP NY AppSec 2008 [Jeremiah Grossman]

Posted: 12 Sep 2008 02:04 PM CDT

OWASP NY AppSec 2008 is only a week away and is going to be big, really big, bigger than anyone expected I think. So big in fact that Tom Brennan, conference organizer, had to find a larger venue this week to accommodate all the attendees. The Park Central Hotel - 870 Seventh Avenue at 56th, if you hadn't already seen the updated page. What Tom and Co. also did was create a jam-packed line-up of sweet looking presentations. So much so that everyone will probably miss something they wanted to see because of dueling talks. Oh well, that's what video is for! While the schedule still seems to be in a bit of flux, I thought I'd list the stuff I'm most interested in and get my personal schedule going.

Disclaimer: If I don't pick your talk it doesn't mean I don't like you or the material. :) It might be that I've already seen it and/or familiar with the content.

Day 1

Web Application Security Road Map - Joe White
Because it's initiatives like this one that will eventually serve as a template for other organizations to follow.

Http Bot Research - Andre M. DiMino - ShadowServer Foundation
I have a soft spot for bots, seemed interesting, and wanted to see what data they have.

Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Trey Ford, Tom Brennan, Jeremiah Grossman
Well, you know, I sorta have to be there. :)

New Exploit Techniques - Jeremiah Grossman & Robert "RSnake" Hansen
One of those presentations exposing what Web attacks in the next 12-18 months will look like. We've purposely kept really quiet about what we plan to demonstrate, but it's certainly going to make people a little nervous. :)

Industry Outlook Panel
Curious about what these folks have on their mind.

Multidisciplinary Bank Attacks - Gunter Ollmann
Good speaker and I enjoy hacking banks. :)

Case Studies: Exploiting application testing tool deficiencies via "out of band" injection
I have no idea, though it appeared to be an interesting topic.

w3af - A Framework to own the web - Andres Riancho

I'd like to see this tool demonstrated and understand what it can really do.

Coding Secure w/PHP - Hans Zaunere
Want to see more about how this is done. It can be, right?

Day 2

Best Practices Guide: Web Application Firewalls - Alexander Meisel
A big toss-up between this one and Pen Testing VS. Source Code Analysis, but had to go with the WAFs. Wanted to see what their point of view is and the guidance they're suggesting.

APPSEC Red/Tiger Team Projects - Chris Nickerson
Sounded cool, that's about it.

Industry Analyst with Forrester Research - Chenxi Wang
It's always good to know how certain enterprises will be influenced.

Security in Agile Development - Dave Wichers
As before, is this possible? And if so, how!? TELL ME!

Next Generation Cross Site Scripting Worms - Arshan Dabirsiaghi
C'mon Arshan, no holding back. Give me the next NEXT generation XSS worms! :)

NIST SAMATE Static Analysis Tool Exposition (SATE) - Vadim Okun
Tools lined-up side-by-side and tested always interested me.

Practical Advanced Threat Modeling - John Steven
It's been a while since I attended a threat modeling talk, especially one targeted towards webappsec, which I hope this is.

Off-shoring Application Development? Security is Still Your Problem - Rohyt Belani

Uh, yep, it is, but what to do about it is the question. Hopefully Rohyt will answer that one.

Flash Parameter Injection (FPI) - Ayal Yogev & Adi Sharabani
Flash security is HUGE! HUGE I SAY!

Most of these speakers I've never seen present before, which I find refreshing. New talent, new ideas, and shows an emerging industry. Good luck everyone!

iPhone 2.1 actually lists its updates?! [Random Thoughts from Joel's World]

Posted: 12 Sep 2008 08:49 AM CDT

Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.

  • Decrease in call set-up failures and call drops
  • Significantly improved battery life for most users
  • Dramatically reduced time to backup to iTunes
  • Improved email reliability, notably fetching email from POP and Exchange accounts.
  • Faster installation of 3rd party applications.
  • Fixed bugs causing hangs and crashes if you have lots of 3rd party applications
  • Improved performance in text messaging
  • Faster loading and searching of contacts
  • Improved accuracy of the 3G signal strength display
  • Repeat alert up to two additional times for incoming text messages
  • Option to wipe data after ten failed passcode attempts
  • Genius playlist creation.

Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!

iPhone 2.1 is out, and here it is [Random Thoughts from Joel's World]

Posted: 12 Sep 2008 08:45 AM CDT

iPhone v2.1
  • Application Sandbox
CVE-ID: CVE-2008-3631

Available for: iPhone v2.0 through v2.0.2

Impact: An application may be able to read another application's files

Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.

  • CoreGraphics
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808

Available for: iPhone v1.0 through v2.0.2

Impact: Multiple vulnerabilities in FreeType v2.3.5

Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at

  • mDNSResponder
CVE-ID: CVE-2008-1447

Available for: iPhone v1.0 through v2.0.2

Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information

Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

  • Networking
CVE-ID: CVE-2008-3612

Available for: iPhone v2.0 through v2.0.2

Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking

Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.

  • Passcode Lock
CVE-ID: CVE-2008-3633

Available for: iPhone v2.0 through v2.0.2

Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications

Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.

  • WebKit
CVE-ID: CVE-2008-3632

Available for: iPhone v1.0 through v2.0.2

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.
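Two of the items above are about identifier generators: CVE-2008-3612 (sequential TCP initial sequence numbers) and the CVE-2008-1447 fix (randomizing the DNS source port and transaction ID). The following defender-side check, added here as an example and not Apple's code, takes a run of identifiers observed from a device, flags a fixed-increment generator, and estimates how many bits an off-path forger would have to guess. All sample values are constructed with a seeded PRNG; the fixed port value and the ISN increment are invented, not the real pre-2.1 values.

```python
"""Predictability check for protocol identifiers (added example, not Apple's code).

Covers the two generator weaknesses in the iPhone 2.1 advisory:
  - CVE-2008-3612: TCP initial sequence numbers generated sequentially
  - CVE-2008-1447: DNS resolver without source port / transaction ID randomization
All sample values below are constructed; nothing is captured from a real device.
"""
import math
import random
from collections import Counter

ISN_SPACE = 1 << 32    # TCP initial sequence numbers are 32-bit
ID16_SPACE = 1 << 16   # UDP source ports and DNS transaction IDs are 16-bit


def consecutive_deltas(values, space):
    """Differences between successive identifiers, modulo the identifier space."""
    return [(b - a) % space for a, b in zip(values, values[1:])]


def dominant_delta_fraction(values, space):
    """Share of successive deltas equal to the single most common delta.
    A fixed-increment generator scores 1.0; a random generator scores about
    1/(n-1) because nearly every delta is distinct."""
    d = consecutive_deltas(values, space)
    if not d:
        return 0.0
    return Counter(d).most_common(1)[0][1] / len(d)


def effective_bits(values, space):
    """Bits of the identifier space the observed values actually occupy, estimated
    from the sample standard deviation: a value uniform over a range of width W
    has sd = W / sqrt(12), so the occupied width is about sd * sqrt(12).
    Constant values (a fixed source port) give 0 bits; uniform 16-bit values give
    about 16. Capped at the nominal width of the space."""
    n = len(values)
    if n < 2:
        return 0.0
    mean = sum(values) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))
    if sd == 0:
        return 0.0
    return min(math.log2(space), math.log2(sd * math.sqrt(12)))


def is_predictable(values, space):
    """Flag a generator as predictable if successive values step by a dominant
    constant (the CVE-2008-3612 pattern) or if the values cover less than half
    the bits of their space (a fixed or narrowly chosen source port)."""
    return (dominant_delta_fraction(values, space) >= 0.5
            or effective_bits(values, space) < math.log2(space) / 2)


def dns_guessing_bits(src_ports, txids):
    """Bits an off-path forger must match to spoof one response: bits contributed
    by the source port plus bits from the transaction ID (treated as independent).
    With a fixed port only the 16-bit TXID is unknown; randomizing the port as
    well (the CVE-2008-1447 fix) roughly doubles the bits."""
    return effective_bits(src_ports, ID16_SPACE) + effective_bits(txids, ID16_SPACE)


# --- Constructed samples (seeded PRNG, not real captures) ---------------------
rng = random.Random(2008)
SAMPLES = 40

# Sequential ISNs: constant increment per connection (increment value invented).
SEQUENTIAL_ISNS = [(0x1A2B0000 + 64 * i) % ISN_SPACE for i in range(SAMPLES)]
RANDOM_ISNS = [rng.getrandbits(32) for _ in range(SAMPLES)]

# Resolver before/after source port randomization; TXIDs random in both cases.
FIXED_PORTS = [32768] * SAMPLES   # constructed fixed port, not the real pre-fix value
RANDOM_PORTS = [rng.getrandbits(16) for _ in range(SAMPLES)]
RANDOM_TXIDS = [rng.getrandbits(16) for _ in range(SAMPLES)]


def report():
    """Summarize the four cases; returns a dict so the results can be checked."""
    return {
        "sequential_isn_predictable": is_predictable(SEQUENTIAL_ISNS, ISN_SPACE),
        "random_isn_predictable": is_predictable(RANDOM_ISNS, ISN_SPACE),
        "fixed_port_predictable": is_predictable(FIXED_PORTS, ID16_SPACE),
        "random_port_predictable": is_predictable(RANDOM_PORTS, ID16_SPACE),
        "dns_bits_fixed_port": dns_guessing_bits(FIXED_PORTS, RANDOM_TXIDS),
        "dns_bits_random_port": dns_guessing_bits(RANDOM_PORTS, RANDOM_TXIDS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With real data, feed the functions ISNs from SYN packets or source ports and IDs from outbound DNS queries captured on the device's own network; a few dozen samples are enough to separate a counter from a random generator.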

Wow, Um, So hey, how you doing? [Random Thoughts from Joel's World]

Posted: 12 Sep 2008 08:06 AM CDT

Haven't blogged in a while, I've been working on some other stuff as well over at

For those of you that haven't seen, here's a bit of Mac news: Apple released iTunes 8, a new set of iPod Nanos (going back to the more vertical shape), updated and dropped the price on the iPod Touch, as well as refreshing the iPod Classic line.

Basically, for the holiday shopping season. Good stuff.

They also released an update to the iPod Touch software (2.1), and it has some nifty features in it (like the Genius feature from iTunes 8.0). Reports are also, that it is faster. The iPhone update 2.1 is supposed to hit today, so I might blog again with some updates about that.

Otherwise, for those who know me, and know that I have been on a single customer site for the past year+, I have 12 days left (including weekends).

Your iPhone Is Watching You [Liquidmatrix Security Digest]

Posted: 12 Sep 2008 07:43 AM CDT

image from Cultofmac

Well, inadvertently it would seem. Data forensics wonk, Jonathan Zdziarski, indicated that when the iPhone does that cool fade out, when you switch applications, it takes a screen shot. No, there are no black helicopters here. This is apparently how the effect is achieved.

From Wired:

The phone presumably deletes the image after you close the application. But anyone who understands data is aware that in most cases, deletion does not permanently remove files from a storage device. Therefore, forensics experts have used this security flaw to successfully nab criminals who have been accused of rape, murder or drug deals, Zdziarski said.

“There’s no way to prevent it,” Zdziarski said during the webcast. “I’m kind of divided on it. I hope Apple fixes it because it’s a significant privacy leak, but at the same time it’s been useful for investigating criminals.”

I imagine it has the potential for being a privacy issue. In all fairness though, if someone already has access to your phone you’re pretty much fubar anyway.


Web Application Security Tomorrow [tssci security]

Posted: 11 Sep 2008 06:39 PM CDT

Jeremiah Grossman wrote in the opinion section for Application security in CSO Online magazine about Web Application Security Today — Are We All Insane?

I have an opinion of my own which I would like to share with my readers.  Jeremiah spreads FUD — Fear, Uncertainty, and Doubt (mostly fear) in his message.  I wanted to walk through some parts of what he wrote that were especially messages of fear, particularly ones that are over-blown.

Seventeen million programmers are churning out an estimated 102 billion new lines of code per year.  […] Web application exposure has reached the crisis stage because criminals have taken notice and made Web applications their primary target. There’s an old proverb that explains how to determine whether or not someone is sane. An individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond he will be considered sane. If he decides to empty the pond with his bucket without first stopping the inflow then he would be considered insane. This is analogous to today’s approach to software security, and specifically Web application security.

Many of us (including myself) know exactly where Jeremiah is going with this.  However, my addition is that the purity of the water in his example is what is important — not the flood of code.  We shouldn’t slow down the production of code, or put an end to it.

The techniques used by the modern cyber-criminal are truly scary. They’re backed by mafia, supported by nation states, and often even carried out by, or in conjunction with, rogue insiders. We are dealing with polymorphic malware, 100,000-computer strong botnets, drive-by-downloads, rootkits with anti-forensic capabilities conducted by adversaries who fear no U.S. law. The bad guys make certain their newest tricks are packed, encrypted, and undetectable by the most popular security products.

While some of this FUD is certainly true to a point, we don’t have any specific measurements on the reality of our situation.  What Jeremiah purports as fact is merely theory, speculation, and potentially myth.

Think the payment card industry’s new regulations or the breach disclosure laws are going to save us? Neither do I, but they certainly do make a good excuse to get more budget dollars.

I’ve been having a lot of interesting conversations about compliance with my colleagues lately.  It’s been indicated to me that PCI-DSS is not the only compliance standard or regulation that has a framework to enforce application security or application penetration-testing.  Stranger, the “cost of a breach” isn’t the only cost of insecurity.

Marcin and I were discussing an article on Sound compliance polices, practices reduce legal costs.  I had other discussions about cyber-insurance in the Security Catalyst community regarding a presentation at the recent Defcon conference from Taylor Banks and Carric on [PDF] The pentest is dead, long live the pentest!  At the end of their presentation, Taylor and Carric provide a long list of cyber-insurance providers — extremely useful for anyone unaware of such a thing or looking to buy.  In David Rice’s book, Geekonomics, David makes mention of AIG’s cyber-insurance offerings and how the ISAlliance and AIG provide discounts to ISAlliance members who implement security-framework controls.  In other words, doing compliance “right” not only buys protection from the regulators, but it also demonstrates cost-improvements for legal and insurance activity.

Another conversation with colleague Adam Muntner discussed how “compliance readiness” is both more profitable and more enjoyable than compliance work itself.  Many organizations realize the time and effort it takes to pass any given set of criteria for an audit standard, so they prepare themselves ahead of time using experts in application risk, network penetration-testing, and application penetration-testing.  What most organizations are looking for is custom-tailored advice in the form of strategy consulting, not just another fancy report that they can give to the auditors.

Compliance and breach disclosure laws could possibly be the primary motivators towards spending on application security, but there is certainly more at work here.  If compliance is driving application security, then what is driving compliance?

Want to rent a 10,000-computer botnet for the day? No problem. Unreported vulnerabilities (zero-days) are being researched, bought, and sold on the black market for tens or even hundreds of thousands of dollars. At the same time, when software patches are released, attackers are immediately (it is rumored, automatically) reverse-engineering them to find the flaw. Exploit code is then sent back into the wild before patches can be widely deployed by legitimate users. Large-scale patch rollouts taking only a few days seems like a great advancement until compared against exploit code ready to go in hours.

Here’s where Jeremiah’s FUD really kicks in.  I don’t know where his sources are, but the factual nature of this information should definitely come into question.  I have heard of one or two exploits that have been sold for US$30,000.  However, this is not the norm. The rumors of automatic reverse-engineering of patches into exploits have been disproved, so why make mention of it?  Even the Asprox botnet that coordinated the SQL injection attacks is over one year old — and I’m certain that a large majority of Enterprises are patched.  The clear target of the malware behind the SQL injection attacks is consumers, particularly those whose Windows XP operating system has some sort of automatic update deficiency or mis-configuration.

In response to the inadequacies of first-generation Web application security measures, an entire industry has emerged beating the drum for software in the Software Development Lifecycle (SDL) and touting secure software as the cure to all our woes.

Actually, application security principles have been around for a lot longer!  I think that security in the SDLC has definitely been talked about before the invention of the web.  The only concepts that I’ve seen emerge from the “inadequacies of first-generation Web application security measures” that have been “beating their drums” and touting their solutions as the cure to all our woes are:

  • Black-box web application security scanners (WASS)
  • Web application firewalls (WAF)

Secure code review has been a concept that I’ve been aware of since OpenBSD opened their doors.  Improving software development processes for both quality and security go back in the literature to the 1970’s.  Unit testing, and security unit testing, are relatively new concepts — but certainly not as new as WASS or WAF!

Secure code review is a competitive sport that is different than the sales/marketing approach of security product vendors.  When Theo de Raadt, a renowned (some would say notorious) NetBSD core member who had an appetite for application security, branched OpenBSD from NetBSD — he didn’t have it directly in mind that he and his team would scour their source code looking for security-related bugs.  However, the NetBSD team provided some extra competitive eyes on the OpenBSD commits — looking especially hard for security-related bugs to embarrass Theo and crew.  From this back-and-forth competitive challenge — the application security industry was really born.

Certainly, some will claim that fuzz testing was invented earlier.  However, before OpenBSD — security-related bugs were found mostly by accident (while looking for something else).  If they were found on purpose, like in the case of the Morris Internet worm, it was a personal matter — potentially shared by a group, but not taken on by a group, rarely even in academia.

One could claim that WASS has its roots in fuzz testing, while WAF has its roots in packet filtering or the classic network firewall.  Unlike those two: security unit testing, secure code review, and white-box dynamic analysis have really not changed much over time.  When I use Javascript breakpoints in FireBug, it is strikingly similar to using gdb.

In today’s world, there is an unimaginable amount of insecure code, and therefore websites, already in circulation. Just taking up the battle cry of “secure software” alone does not solve this problem. As Web 2.0 applications continue to proliferate (blogs, social networks, video sharing, mash-up websites, etc.) the problem will expand in parallel, but we also must consider the existing large financial institutions, credit unions, healthcare operators, ecommerce retailers that run mission-critical business applications online. Even our 2008 U.S. presidential candidates are having trouble securing their campaign websites against amateur attackers.

It’s interesting how Jeremiah views “secure software” as a battle cry.  For many security-focused developers, this isn’t a war — it’s just a way of coding properly.  Maybe he pictures that the war is “secure software vs. WASS+WAF”, which from his wallet’s perspective — might be right.  I am having some issues separating application penetration-testing and general application security, but I don’t see it anywhere near as bad as the case that Jeremiah has got.

The one thing about the above paragraph that is potentially very sad is that he calls XSS bugfinders “attackers” — “amateur attackers” at that.  There were no real attacks against the presidential candidates’ websites — there were just some vulnerability findings.  No exploits were written or used.  Jeremiah really has a way of twisting words around — maybe he should be working for one of the presidential candidates!

Application security vs. Application penetration-testing

Some of us choose to focus our efforts on penetration-testing — finding bugs in the code that can be used as an exploit.  Others focus just on building the code with security in mind — to enhance security.  This is an important distinction.

In a recent presentation entitled [PDF] Code Scanning: Success and Failure in the Field, Alex Stamos discussed some differences between false-positives and non-exploitables.  Sure, black-box web application scanners, including SaaS vendors such as WhiteHatSec indeed find exploitable conditions.  This comes at a serious cost.

Problems with black-box web application security scanners, including and especially WhiteHatSec:

  1. The penetration-test runs unencrypted over the Internet, exposing not only a MITM condition, but various types of proxy and logging problems
  2. Anyone in this path — present or future — may gain (potentially illegal) access to these exploits, pre-built for them, so that almost no knowledge or expertise is required on their part to run them
  3. Changing an exploit so that it bypasses WASS+WAF is often trivial
  4. Use of an encrypted VPN or testing on the local LAN does not settle this problem, it only protects some of the path involved

I think Jeremiah said it best himself:

The techniques used by the modern cyber-criminal are truly scary. They’re backed by mafia, supported by nation states, and often even carried out by, or in conjunction with, rogue insiders.

What I propose is that it is safer and easier to avoid the exploitability arguments.  Who cares if something is exploitable or not?  A better question is: how obviously secure is the code?

Advantages of security unit testing, secure code review, and white-box dynamic analysis:

  1. No exploits means that no rogue insiders can steal them and give them to adversaries
  2. Source code is full-knowledge.  There is nothing “black-box” about it, so every software weakness and vulnerability can theoretically be found
  3. These practices encourage finding security-related bugs “accidentally”, which includes new classes of vulnerabilities (often referred to as software weakness research)

Certainly, I have some ideas and products in mind when I think of true application security tools: security unit test frameworks (which don’t exist), security code review tools, and white-box dynamic analysis, or hybrid/composite analysis.  However, the primary focus should be on the expertise needed to perform application security tasks, the process in place to allow individuals and teams to rise to the occasion, and guidance/governance from organizational figureheads and leaders.

It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time.

Jeremiah thinks that developers work with source code one line at a time.  They don’t.  Modern developers utilize techniques such as metaprogramming, code generation, templating, and model-driven architecture.  They’re programmers, why wouldn’t they write programs to help them develop other applications?!

Some web applications are so legacy that they require re-writing from scratch — however, we don’t have numbers or statistics on how many.  Also note that if Jeremiah is going to only include SSL web applications as important, then he should also include them in these numbers as well.

Developers have been using unit testing frameworks, IDE features, and processes such as iterative programming, Extreme programming, and Agile to help them refactor their applications for quite some time now.  Refactoring does not require re-writing from scratch.  With refactoring, developers can restructure the design of their applications by tweaking small parts of the code.  Dependency injection, Aspect-oriented programming, and Attribute-oriented programming make this faster — as do general development concepts such as Design-by-contract, Test-driven development, Reflective programming, and many others.  Some of these practices don’t even require use of an object-oriented language — let alone an Enterprise web application programming language such as Java Enterprise or ASP.NET.

There are numerous books on refactoring the Web, databases, and specific programming languages.  Some languages have used metaprogramming to build refactoring, unit testing, TDD, and many other quality/security-control concepts into the entire framework — such as Rails for Ruby.

Our pond is actually an ocean of code in need of security defect purification and the dams in the rivers feeding it have holes requiring patches. In many ways, the state of Web application security is where we started a decade or so ago in network security when no one really patched or even had the means to do so.

I dislike how Jeremiah fails to bring this analogy back around in order to prove any point.  If WASS+WAF is supposed to signify blocking the inflow of water, this neither cleans up the already dirty pond, nor does it prevent the acidic/polluted water from immediately disintegrating the wooden plug that is supposed to stop the inflow.

This approach lets us mitigate the problem now giving us breathing room to fix the code when time and budget allow. Of course there is still the option of waiting the next 10 years for the Web to be rebuilt.

If classic firewalls and virtual-patching didn’t work the first time around — what makes people think they’re going to work now?

The web does not require 10 years to be rebuilt — especially not the SSL web.  It requires smart developers with metaprogramming, refactoring, and high-efficiency skills that can be focused towards security.  Do not hire cowboy coders.  Hire developers that can utilize and spread TDD, Design-by-contract, metaprogramming, and code generation concepts and tools throughout your organization.  Hire application security experts that can work with these super-developers.  Train and promote modern, secure development practices to every developer-newbie, veteran developer — and every network, application, or information security professional.

Human Exploitation 101 [Episteme: Belief. Knowledge. Wisdom]

Posted: 11 Sep 2008 02:26 PM CDT

So, my first column is up over at Ethical - this one’s an overview of the skills required to be good at exploiting vulnerabilities in humans.

Give it a read and let me know what you think.


Fear Sparks Increase in Spending [Ascension Blog]

Posted: 11 Sep 2008 10:47 AM CDT

Bill Brenner, Senior Editor over at CSO Magazine, has a great Podcast where he covers a recent security gathering in Boston, MA.  The one that captured my attention is a summary of some Forrester Research study on the increase in security spending.  According to their research (and I'm just going on the information from the Podcast; I haven't read the paper yet), FUD has fueled an approximate 10% increase in information security budgets – a 2% increase over last year. 

If you have the time – and you only need seven and a half minutes – it is worth your time to listen to Bill Brenner's Podcast. 

The Impact of Cybercrime [Ascension Blog]

Posted: 11 Sep 2008 10:25 AM CDT

NetworkWorld just released an excellent article on the impact of Cybercrime on businesses.  Now this article isn't technically oriented so it is perfect to print out and send to senior management to highlight the need to properly secure company information. 

The article showcases the efforts that computer and electronics retailer TigerDirect goes through to combat credit card fraud.  TigerDirect's system is homegrown and looks to flag online transactions that originate from countries known to be hotbeds of credit card fraud and online anonymizer sites.  These transactions can then be investigated further (by either calling the customer or the bank) to determine if they are legitimate. 
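To make the flagging scheme described above concrete, here is an added example of a rule-based screen of that shape. It is not TigerDirect's system or code; the GeoIP table, the high-risk country codes, the anonymizer ranges and the sample orders are all constructed placeholders (documentation TEST-NET ranges and made-up ISO codes), and a real deployment would load a maintained GeoIP database and proxy feed. One addition beyond the article: an address whose country cannot be determined is also held for review, on the assumption that an unresolvable origin deserves the same phone call.

```python
"""Rule-based order screening (added example, constructed lookup data)."""
import ipaddress

# Constructed placeholder tables: not real intelligence feeds.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "XA",  # fake code, high-risk for the demo
}
HIGH_RISK_COUNTRIES = {"XA", "XB"}  # fake ISO codes
ANONYMIZER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed


def country_for(ip_text):
    """Return the country code for an address, or None when the table has no entry."""
    ip = ipaddress.ip_address(ip_text)
    for net, code in GEOIP_TABLE.items():
        if ip in net:
            return code
    return None


def is_anonymizer(ip_text):
    """True when the client address falls inside a known anonymizer range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ANONYMIZER_NETWORKS)


def screen_transaction(txn):
    """Decide whether an order needs manual review before fulfilment.

    txn carries at least 'order_id' and 'client_ip'. The result keeps every
    reason that fired so the analyst who phones the customer or the bank can
    see why the order was held.
    """
    reasons = []
    country = country_for(txn["client_ip"])
    if country is None:
        reasons.append("origin country unknown")  # assumption: unknown is held too
    elif country in HIGH_RISK_COUNTRIES:
        reasons.append(f"origin country {country} on high-risk list")
    if is_anonymizer(txn["client_ip"]):
        reasons.append("client address belongs to a known anonymizer")
    return {
        "order_id": txn["order_id"],
        "decision": "review" if reasons else "accept",
        "reasons": reasons,
    }


# Constructed sample orders.
SAMPLE_ORDERS = [
    {"order_id": 1001, "client_ip": "192.0.2.10"},
    {"order_id": 1002, "client_ip": "198.51.100.7"},
    {"order_id": 1003, "client_ip": "203.0.113.55"},
]


def review_queue(orders=SAMPLE_ORDERS):
    """Return only the orders that a human must look at before shipping."""
    return [r for r in map(screen_transaction, orders) if r["decision"] == "review"]


if __name__ == "__main__":
    for result in map(screen_transaction, SAMPLE_ORDERS):
        print(result)
```

Returning the reasons alongside the decision is the part worth copying: a flag with no explanation ends up being cleared by whoever is busiest, while a flag that says which rule fired lets the reviewer tune the lists when a rule produces too many false positives.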

The one item in the article that I disagree with is the following quote:

In spite of caution and preemptive actions, TigerDirect will still get hit by costly card-related fraud each year through a small percentage of bad sales — which the retailer absorbs, not the victim of the stolen card. "It costs us millions and it costs the industry billions," Fiorentino says.

(Gilbert Fiorentino is the CEO of TigerDirect)

The retailer does not absorb the cost.  The customer does.  Every product that is sold carries a mark-up that includes a percentage of the retailer's overhead costs as well as the profit margin.  Now you may not be able to find a fraud markup on the balance sheet but rest assured it is there typically hidden in some sort of overhead figure. 

Consumers carry the burden of fraudulent activity as well as other increases.   Just look at the cost of Milk.  The New York Daily News ran an article earlier this year on the cost of Milk jumping 36%.  This price increase was attributed to the increase in demand for feed corn.  The corn is being used to meet the increased demand for ethanol, therefore it is becoming more expensive to purchase.  Just as these increases in costs are impacting the price of the final product (the milk), so do increased overhead costs impact the retail prices of all other products. 

Now if we can work to reduce the cost of fraud by implementing appropriate security measures then we can contribute to lowering costs for consumers, or by increasing the profit margin for the company.  Either way it is important to tie information security to these final end results as it could very well help you to make the business case for information security. 

Security Briefing: September 11th [Liquidmatrix Security Digest]

Posted: 11 Sep 2008 08:23 AM CDT


Off to visit a client site today. Then into the studio tonight. Won’t be home until the wee hours. And for those of you who might have missed it. Myrcurial has dropped his Mexican wrestler mask to reveal his true identity. World, James Arlen. James, World.


And now, the news…

  1. Consulting firm sacked over data loss | Reuters
  2. Florida attorney general warns of security breach | Jacksonville Business Journal
  3. SF Computer Network Safe From Hacking, City Says | CBS 5
  4. Arizona pulls death certs from website over ID theft fears | The Register
  5. Report: In-Depth Analysis Finds More Severe Web Flaws | Dark Reading
  6. Hackers find use for Google Code Search | Computer World
  7. IBM Unveils Hardware-Based Encryption Tool | Information Week
  8. Where the browsers are going | The Globe and Mail


The Daily Incite - September 11, 2008 [Security Incite Rants]

Posted: 11 Sep 2008 06:28 AM CDT

Today's Daily Incite

September 11, 2008 - Volume 3, #76

Good Morning:
Today is a solemn day in the US. It's the day we remember the senseless attack. The fallen innocents. The serious chaos that resulted. We also need to celebrate the resilience of a democratic and free way of life. The terrorists wanted to cower us, and not so much. Our financial markets recovered in days, not weeks. Our country rallied to fight against the common enemies. There is no purpose in whinging about still being in the Middle East or any of the other debates smart passionate people argue about today. That is not respectful of the memory of those lost.  
I was actually in Boston on Sept 11, 2001. I flew into Logan that morning. By the time I got to the office, the first plane hit and they were trying to find the second. had crashed, so one knew what was going on. Then my CEO brought out his little TV and we watched until the towers came down on a 4" screen. I finally had to take the train home to DC 2 days later because all the flights were still grounded.

I don't think I was ever so happy to get home and hug my wife and baby (Leah wasn't yet a year old).

As serious as 9/11 is, September 12 is truly a celebration in my house. Tomorrow we'll wish the twins a Happy 5th Birthday. I remember both 9/11 and 9/12 of 2003 like it was yesterday. I was wrapping up a sales rally at TruSecure and hoping to not get the "call" that the Boss was going into labor before I finished up my last presentation for the field. She was 37 weeks pregnant and carrying almost 14 pounds of baby. She could have popped at any time.

But she held on until the scheduled birth on 9/12. The funny thing is that we know another 3 or 4 kids that have 9/12 birthdays as well. We picked that day and evidently we weren't the only ones with this idea. We didn't want the twins to have any kind of stigma to the day they entered the world.

My folks kept telling me that time just flies, and it really does. I look at Lindsay and Sam and I'm just amazed. They were born one minute apart, but they are so very different. They've got different temperaments, personalities, opinions, and likes/dislikes. Yet, they are best friends. We went to our niece's birthday party last weekend (Happy Birthday Rachel!) and saw the two playing together, they were inseparable. And it was really cute.

Happy Birthday Lindsay and Sam. 

Have a great weekend. 

Photo: "9/11 Reflections" originally uploaded by Sister72



Top Security News

Too busy? Nah, just addicted to the status quo
So what? - Running my own business, I know a bit about investing time now to save time later. Whether it's systematizing some business process, outsourcing some busy work, or just trying to do things smarter - sometimes you have to suck it up and invest the time now because you won't be able to scale later. Looking at this Dark Reading article on SIEM reminds me of those decisions. But I think many security managers are missing the point of what a security management platform is supposed to do. It's about control and automation. The reality is no human can wade through the morass of data that comes out of our security devices. Add in a bunch of other devices (like the network) and any shred of monitoring (like NetFlow, for example) and there is just no way a human scales. So you need tools. Saying you're too busy to do your job is a cop-out, pure and simple. Now if it was just about time, then I can accept that. But this is about not being able to do your job, so the too busy excuse just doesn't hunt. But it's not just the customers that are at fault, it's a continued indictment of the security management market that the solutions still don't go in cleanly and with little integration. When a customer doesn't have the time to implement a solution that will change the way they do things (for the better), then lots of things are screwed up.

You don't just get honey from that honeypot
So what? - I talk pretty frequently about testing your defenses (Hack Thyself!) and the importance of using the same tools and techniques the bad guys are trying to ensure you are protected. Interesting post here by Jimmy Ray in the NetworkWorld Community about the importance of running your own honeypot. Is this to "trap" the bad guys? Nah, it's to learn. By checking out attack traffic and spending some time analyzing how the honeypot was attacked (and presumably compromised), you can learn what's happening out there. You can see potential new attack vectors that will allow you to tune your defenses. But ultimately you keep your knowledge fresh, and in a business as dynamic as security, that's where the real honey is.

99% Guarantee - That's bold!
So what? - I do appreciate bold marketing campaigns, and when I saw this release from Secure Computing guaranteeing 99% effectiveness, I thought it's a pretty bold move. Though it would have been a lot more relevant 3 years ago. I can't recall the last time I saw catch rate being used as a differentiator. Doesn't everyone know that all the devices are equally mediocre? Today one is at 98%, tomorrow 93% and the next day 100%. That's the way spam works. It's still a serious arms race. So let's say a customer is swayed by the thought of a 99% guarantee. How do they know? Oh, Secure's appliance tells them what the catch rate is. I wonder if they've hard coded an automatic 99.1% catch rate in the reporting engine. Yes, I'm joking. It's kind of like the fox reporting that they haven't eaten any of the chickens, even though the hen house is empty. So let's say the box does say you only get a 97% catch rate, what then? You get a 3 month extension on your maintenance. Right, it's not like they are going to give you the money back on the box. Or let you pull it out and buy something else. So, don't look behind the curtain and appreciate this for the sound bite that it is.

The Laundry List

  1. Symantec claims the "fastest" security products. Does it do 100 gig? Oh, we're talking about AV. And who cares about speed? It's all about reducing the amount of overhead and resource consumption, which they mention as the 2nd bullet. I guess speed is security's attempt at "change" in 2008.  - Symantec release
  2. CIS looks to define security metrics for all of us. I look forward to the output, since metrics is still the gaping hole in our ability to manage our security. - NetworkWorld coverage
  3. Deal: Someone I never heard of acquires CounterStorm, who I thought had already gone out of business. Another insider threat thing goes away. - Trusted Computer Solutions release
  4. ArcSight beats the number, promotes COO to CEO, and gets a 10% haircut. Maybe something to do with that decelerating growth rate. - ArcSight earnings release

Top Blog Postings

The business should be managing business information
Interesting nuance here from Shrdlu about separating business information from identity/security information. Anyone that deals with SOX now understands about separation of duties. You don't want any single individual to be able to commit significant transactions. This idea of 'information separation" is similar. The example used is the difference between the IAM system (mostly for authentication and authorization) and a CRM system. The IAM system doesn't need a lot of detail besides who you are and what you are supposed to get to. I get the leverage of integrating disparate silos of data to enable new analysis or new processes, but when we are talking about defense - it's strictly a need to know basis. So stay focused on security, not on data management. You should have other folks to do that for you.

Are you a playa?
Arthur Treacher makes a great point on Emergent Chaos about whether you are involved in the discussion or not. Basically, pulling an analogy from the fine economic risk management field, if you aren't privy to the wider set of data, you can't do your job. And that's exactly the point for security folks. If you aren't consulted during the architecture phase, if you don't know about mergers or divestitures, if you have no idea about a totally new Internet-based business being launched next week - THEN YOU CAN'T DO YOUR JOB. How to fix the situation? Well, there is no easy answer to helping you build credibility. It's all about evangelizing the program, setting milestones and then hitting the milestones. Yes, it's about being Pragmatic.

Preventing FOI
No, this isn't a food blog. Following up on Schneier's indictment of security ROI, AndyITGuy coins a new metric that we need to be concerned about. FOI - Failure of Investment. This dovetails nicely with my general perspective that security is pretty binary. As far as your executives care (and they have the only opinions that matter), you have been compromised or you haven't. Of course, the easiest way to ensure a zero FOI is to unplug all your devices from the network. And it doesn't really help you constantly improve your operations or figure out which investments need to be made. So we don't get off the hook of having to deal with some of these other numbers. But at the end of the day, FAIL is the only thing most people are worried about, so we need to make sure we are doing enough to avoid the FAIL, but not so much that no one can get anything done. Oh yeah, one other thing. FAIL happens. So you better be able to recover from the FAIL as well, or else you'll be dusting off your resume.

Curious Developments… [Liquidmatrix Security Digest]

Posted: 10 Sep 2008 12:09 PM CDT

To the proud constituents of the Liquidmatrix Army:

I call upon you this day to take note, not since the dark ages of October 2006 has there been such a glorious day for our proud people.

Much as was said by El Jefe, our glorious leader (shall he reign forever), it’s time to grow up and own it.

As you may have noticed in recent times, I’ve been… shall we say… the anti-recluse.

If you were paying attention, you would’ve seen me here:

And of course, no one could possibly forget seeing me here:

And with such public excursions, the swiftest reconnaissance squadron known to any - the Liquidmatrix Army - would have also noticed me (or my evil twin half-brother) in a few other places.

Upon the sage advice of El Jefe, I did a funny (and potentially cripplingly foolish) thing.

In submitting an abstract for a speaking engagement, I did the unthinkable and just like Superman (III),

strangled that grey-hat hacker Myrcurial and completely outed myself in what has been amongst the info security (and control systems security) best held non-secrets.

So howdy everyone, just call me James.

And don’t worry, I’m not changing - I’ll be the same acerbic person you’ve all come to know and (love|hate) - I do have a reputation to uphold after all. :D

Top 10 security threats for the SMB market [StillSecure, After All These Years]

Posted: 10 Sep 2008 08:05 AM CDT

What is it about top ten lists that attracts bloggers like moths to a flame?  Are we all frustrated David Letterman wannabes?  In any event, I came across this top ten list of security threats to the SMB market. I think that many if not most of these apply to organizations of all sizes actually. I am copying it in here, as I think there is some good stuff here:

- Insiders - In many SMBs, business records and customer information is often entrusted to a single person. Without adequate checks and balances, including network system logs and automated reports, data loss from within can stretch over long periods of time.

- Lack of contingency plans - One of the biggest threats to SMBs relates to the business impact of post-hack, intrusion or virus. Many SMBs lack a data loss response policy or disaster recovery plan, leaving their business slow to recover and restart operations.

- Unchanged factory defaults - Hackers publish and maintain exhaustive lists of default logins (username and password) to nearly every networked device, and can easily take control of network resources if the default factory configuration settings are not changed.

- The unsecured home - in many small businesses, employees often take laptops home to work. In an unsecured home network environment, a business laptop can be dangerously exposed to viruses, attacks and malware applications.

- Reckless use of public networks - A common ruse by attackers is to put up an unsecured wireless access point labeled, 'Free Public WiFi' and simply wait for a connection-starved road warrior to connect. With a packet sniffer enabled, an attacker stealthily sees everything the employee types, and is then able to utilize that data for personal gain.

- Loss of portable devices - much SMB data is compromised every year due to lost laptops, misplaced mobile devices and left behind USB sticks. Although encryption of mobile device data and use of strong passwords would mitigate many of these losses, many SMB users simply fail to secure their mobile devices and data.

- Compromised WebServers - Many SMBs host their own websites without adequate protection, leaving their business networks exposed to SQL injections and botnet attacks.

- Reckless web surfing - Now more than ever, malware, spyware, keyloggers and spambots reside in innocuous looking websites. Employees who venture into ostensibly safe sites may be unknowingly exposing their business networks to extreme threats.

- Malicious HTML e-mail - no longer are attackers sending e-mails with malicious attachments. Today, the threat is hidden in HTML e-mail messages that include links to malicious, booby-trapped sites. A wrong click can easily lead to a drive by download.

- Unpatched vulnerabilities open to known exploits - more than 90 percent of automated attacks try to leverage known vulnerabilities. Although patches are issued regularly, a short staffed SMB may likely fail to install the latest application updates and patches to their systems, leaving them vulnerable to an otherwise easily stopped attack.

Security Briefing: September 10th [Liquidmatrix Security Digest]

Posted: 10 Sep 2008 07:43 AM CDT


I’ll be knee deep in docu-hell today. My day job project is heading to its conclusion nicely.


And now, the news…

  1. Sarkozy orders rethink of controversial police database | France 24
  2. DOD wants contractors to focus on data security | Washington Technology
  3. Google to anonymise Chrome user data after 24 hours | National Business Review
  4. Security agencies rally against Google Chrome | Computerworld Kenya
  5. PCI DSS under fire | Computing UK
  6. Patient data security proposals welcomed | Hong Kong Gov
  7. Businessman convicted of hacking into old firm | New Zealand Herald


Google To Dump User Data Earlier [Liquidmatrix Security Digest]

Posted: 10 Sep 2008 07:29 AM CDT

In a bid to assuage privacy advocates Google has announced that they plan to dump IP addresses of users earlier than previously announced.

From BBC News:

The search giant has said it will anonymise identifiable IP addresses on its server logs after nine months.

Google said respecting users’ privacy is “fundamental to earning and keeping their trust”.

In April, an EU advisory body recommended search engines should delete personal data within six months.

Google currently collects and stores information from each search query, holding information about the search query itself, the unique PC address (known as an IP number), and details about how a user makes their searches, such as the web browser that is being used.

Which is a good thing. I wouldn’t feel too comfortable knowing that the authorities might be aware I was searching for things like this:

Hamster Fighting Machine

the horror…the horror…

Article Link
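For readers who run their own search or web logs, here is an added example of what "anonymise identifiable IP addresses after nine months" can look like in practice. It is not Google's code and the BBC excerpt does not say which method Google used; this version uses one common technique, dropping the host part of each address so only a network prefix remains. The log format, the sample lines and the choice of 270 days for "nine months" are all constructed assumptions.

```python
"""Age-based IP anonymisation for server logs (added example, constructed format)."""
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=270)  # assumption: "nine months" taken as 270 days
IPV4_KEEP_BITS = 24              # keep the /24, zero the last octet
IPV6_KEEP_BITS = 48              # keep the /48, zero subnet and interface bits


def anonymise_ip(ip_text):
    """Replace an address with the network address of the prefix we retain."""
    ip = ipaddress.ip_address(ip_text)
    bits = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)


def anonymise_log(lines, now):
    """Return (rewritten lines, count of unparseable lines).

    Constructed line format: "<iso-timestamp> <client-ip> <rest>". Addresses on
    lines older than RETENTION are anonymised; lines that do not parse are
    passed through untouched and counted, so nothing is silently dropped and the
    operator can see how much of the log escaped the rule.
    """
    out, skipped = [], 0
    for line in lines:
        try:
            ts_text, ip_text, rest = line.split(" ", 2)
            ts = datetime.fromisoformat(ts_text)
            if now - ts > RETENTION:
                ip_text = anonymise_ip(ip_text)
        except (ValueError, TypeError):
            out.append(line)
            skipped += 1
            continue
        out.append(f"{ts_text} {ip_text} {rest}")
    return out, skipped


# Constructed sample log: documentation address ranges, made-up queries.
SAMPLE_LOG = [
    "2007-11-01T12:00:00+00:00 198.51.100.23 q=hamster+fighting+machine",
    "2008-08-01T09:30:00+00:00 192.0.2.77 q=patch+tuesday",
    "2007-11-15T08:00:00+00:00 2001:db8:abcd:1234::1 q=chrome+privacy",
    "garbage line without a timestamp",
]
NOW = datetime(2008, 9, 10, tzinfo=timezone.utc)  # constructed "current" time


if __name__ == "__main__":
    rewritten, bad = anonymise_log(SAMPLE_LOG, NOW)
    print("\n".join(rewritten))
    print(f"{bad} line(s) left untouched because they did not parse")
```

Two design points worth noting: the comparison is done on timezone-aware timestamps, because a log written in local time and a retention job run in UTC will otherwise disagree about which day a line belongs to, and the function reports how many lines it could not parse rather than dropping them, since a retention job that quietly discards malformed lines is also a job that quietly destroys evidence.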

Microsoft Patches Affect Multiple Systems [Liquidmatrix Security Digest]

Posted: 10 Sep 2008 07:14 AM CDT

OK, where’s Waldo takes on a different spin. The patches are out and admins and vuln researchers alike are burning through the coffees and Red Bulls. I found that the pre-release announcement for Patch Tuesday seemed a touch vague. Now we know why.

From Network World:

"Admins will have a difficult time finding which patches are needed for which machines to get 100% coverage," says Eric Schultze, CTO of Shavlik Technologies. "It creates a challenge for them."

The breadth of MS08-052 made it the worst of the four bulletins Microsoft released on its monthly Patch Tuesday because it touches so many pieces of software and because it attacks deep within Windows.

"Fifty-two addresses five vulnerabilities and affects the core operating system," says Amol Sarwate, manager of the vulnerabilities research lab at Qualys. "It affects .bmp, .wmf, and .gif [image] file formats, and an attacker could either send such files as e-mail attachments or have a victim view a malicious Web page."

I am counting my lucky stars that I don’t have to administer any Windows systems. Good luck to those of you who do.

Article Link
