Friday, October 17, 2008

Spliced feed for Security Bloggers Network

End-to-End Encryption in the AP Region [PCI Blog - Compliance Demystified]

Posted: 17 Oct 2008 01:05 AM CDT

I (Chris) recently completed a training session in Australia and while meeting with the Visa representatives in the Asia Pacific region I was surprised to learn about some of the initiatives in the region. Visa has sponsored a program that resulted in the entire country of Malaysia employing end-to-end encryption for payment card transactions. This is a tremendous step forward in data security and demonstrates that end-to-end encryption is viable. Thailand and Australia are also moving quickly toward end-to-end encryption in addition to chip and PIN with the support of card brands in the region. As anyone that has read any of Aegenis’ writings knows, we are big proponents of end-to-end encryption and other technologies that reduce the risk to payment card data, as well as minimize the need for PCI DSS. Recently we published a whitepaper on the topic of Cardholder Data and whether encrypted data is, or is not, Cardholder data. It is my position that the categorization of data is predicated not upon the use of encryption but upon the key management processes. You can read the paper here.

To truly be able to reduce the risk to cardholder data, it is going to require more than compliance with any standard.  Companies are going to have to begin looking at methods to remove the value of data or protect the data during the entire transaction cycle.

Grecs’s Infosec Ramblings for 2008-10-16 [NovaInfosecPortal.com]

Posted: 16 Oct 2008 11:59 PM CDT

The top sales mistake: lying [StillSecure, After All These Years]

Posted: 16 Oct 2008 10:23 PM CDT

Was reading an article in connectIT news today.  Colleen Francis recounts the top three fatal mistakes that sales people make.  Actually it was the same mistake made in three different situations.  In all three situations the sales person lied about their relationship with the alleged buyer.  Why a salesperson would do that is kind of ridiculous to me.  Do they not think they are going to get found out? 

My pet peeve is when I get calls that are clearly sales calls and I ask the guy point blank what it is he is selling. I hate the guys who say they aren't selling anything. They will tell me how they are working with so and so, dropping names. Then that they have a great thing going on that they think would really help me. Hey dude, cut to the chase. What are you trying to sell me and what does it cost? If I say I am not interested, don't try to keep me on the phone with your objection handling script.

So lying is definitely the top mistake, but wearing out your welcome is a close second!

Techno Forensics Conference Infosec Event [NovaInfosecPortal.com]

Posted: 16 Oct 2008 09:59 PM CDT

TheTrainingCo will be holding this year’s Techno Forensics Conference infosec event at the end of this month. Here are the logistics for this year’s conference:

  • Who: TheTrainingCo
  • What: Techno Forensics Conference
    • Techno Forensics 2008 is presented by NIST, Maryland InfraGard, ICFP,  and University of Fairfax. The conference is founded on the principles of standardization in the field of digital evidence investigation. The conference will cover many of the general disciplines in the areas of digital evidence investigation to include some of the latest information on software and hardware solutions.
  • When: 10/27 - 10/29/2008
  • Where: NIST (100 Bureau Drive, Gaithersburg, MD 20899; Administration Bldg. 101)

For more information on the Techno Forensics Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the Techno Forensics Conference main page for more information.

StillSecure, After all these years, Podcast 59 - Mike Murray [StillSecure, After All These Years]

Posted: 16 Oct 2008 08:06 PM CDT

Mitchell and I did not have a guest lined up for tonight. We put out the word on Twitter and who came to the rescue? Mike Murray! Mitchell and I have known Mike for years, through his nCircle days, then to lab testing and now onto the next chapter for Mike as he is consulting. Mike is a very bright guy and a real security guru. He has lots to say about what the economic conditions could mean for security guys like you! Lots of interesting things from Mike including rants on why most security people are not as educated as they need to be, why signature products just don't cut it and more.

Mike has a great blog on here, if you want to hear more from him. It's good to be doing these podcasts regularly again. Hope you enjoy it! If you have any questions, write to us at podcast@stillsecure.com.

Thanks to PodOmatic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Enjoy the podcast!

New & Improved PaulDotCom Mailing List [PaulDotCom]

Posted: 16 Oct 2008 03:33 PM CDT

While we love Google (I mean, they make a fantastic search engine), it was time to say goodbye to Google Groups and get our very own mailing list server. Look for more good things to come on that front...

In the mean time, I have moved everyone over from the old Google groups mailing list to the new one. The "PaulDotCom" mailing list is for discussions about the show, general computer and network security topics, hacking, and the like. Feel free to discuss and ask questions. If you don't get an answer right away, be patient, it may take some time before people are able to respond.

If you have not yet joined the mailing list, then what are you waiting for?

You can subscribe here.

You just have to join the debate, who knows, we may even bat around the old "Ninjas Vs. Pirates" debate just for fun.

(Just sayin', Ninjas rule!)

Cheers,

PaulDotCom

A Cryptographer and a Data Communications Guy Talk About Risk Management [RiskAnalys.is]

Posted: 16 Oct 2008 10:32 AM CDT

Sounds like the beginning of a joke, right?  So these two guys walk into a bar…

“The” Bruce Schneier and Marcus Ranum have an article up on TechTarget/Information Security Magazine called, creatively enough, “Bruce Schneier, Marcus Ranum debate risk management”.

Unfortunately, to get to the article, you’ll have to either already be a subscriber to IT Security, a subscriber to TechTarget, or go through the 20 minute process of signing up by giving TechTarget all sorts of “market information” about how you’re really Brandon Walsh, CSO of “The Peach Pit” Industries in Beverly Hills, CA 90210 (phone 714-867-5309).

For those of you who are already a TechTarget person, the link is above. For those who aren’t, or those who just don’t have the time, I’ll summarize. The “debate” is kind of awkward because both authors seem to come to the same conclusion:

Risk Management, it’s something our profession should do, something humans do naturally, it’s necessary in business, but gosh - we don’t have enough data.

I’m not a cryptographer. I don’t *nearly* have the insight on privacy and politics that Bruce has. I’m not deep in IP communications. I haven’t got a proven track record of innovation in IP Security products like Marcus has. But here’s the thing, I hope you’ll never hear me pretend that I have the skill set to speak authoritatively on those subjects. Heck, I wouldn’t claim to be a “risk” expert because I have some insight into my shortcomings and what is needed to tackle such a complex problem. But such a tepid article on something that (at least I think) is so important kind of, well, confuses me.

Why is it such a boring article?  I’m not sure.  Maybe because they’re just two guys who would rather debate the merits of specific controls or control activities (after all, their penetration testing debate was a huge success), but there’s no new information in the “debate”.  It’s the same old “insurance companies know risk because they have scads of data and we don’t have that” complaint. You know what?  I’m tired of hearing that line, so let’s talk about it.

HOW DO YOU KNOW WE DON’T HAVE THE AMOUNT OF DATA WE NEED TO DO RISK MANAGEMENT WELL?

Not particularly picking on Marcus, but in the article he uses the common complaint, “We lack the data to do risk management well.” This mantra is repeated to the point where I’m blasé about it. But for some reason, this sentence really jumped out at me this time for two reasons. It made me ask:

1.)  How do you know we don’t have the proper amount of data?

2.)  Can we even define “well” (i.e. what “good” risk management is) yet?

I really don’t know that the industry, especially concerning IT risk, is mature enough to really conclude that we don’t know (in the case of the former), nor that we can define (latter), conclusively.

PLAYING THE CONTRARIAN

Just because I’m feeling kind of zany this morning, let me suggest something.  Maybe there actually is lots of evidence out there for us to use.  Maybe:

1.)  It’s just that we don’t have particularly good models that provide context.

2.)  When that evidence isn’t an obvious phenomenon that lends itself to easy measurement, we throw our hands up in disgust and fall back on “lack of data”, “can’t quantify risk”, “best practices work just fine” or any number of other arguments, no, excuses we use to justify our inability to be precise about the past (let alone the present or future - apologies to Niels Bohr).

IT’S IN THE WAY THAT YOU USE IT

Now I actually am happy to acknowledge that we don’t have enough data to be precise.  You, me, even smart guys like Marcus and Bruce - we’ll never be able to “engineer” risk management.  But you know what?  Neither can Insurance companies.  Sure, there are plenty of places where they have enough data to apply a traditional frequentist approach to risk valuations.   But there are plenty of times Insurers actually insure and they don’t have centuries or decades of data.  There are plenty of times when they rely on the “estimates” of subject matter experts.  There are many times they have enough information to be accurate rather than precise, and that’s good enough for them.

For that matter, it’s worth noting that there are plenty of scientific disciplines that have to deal in imprecise prior information, or evidence that’s fraught with uncertainty (what Ranum calls “squishy”, and what I’ve heard honest-to-goodness physicists call “noisy”). Unfortunately, we’re going to be like them. Until we can read minds and predict the future, there will always be uncertainty in our measurements and posterior conclusions. The trick is in how you deal with it and express it. And while I really don’t know how much time Marcus or Bruce have really spent in the deep end on the subject of risk and its management - I have seen people doing brilliant things around risk (though they just aren’t mainstream). Whether the tools are Bayesian methods, Monte Carlo engines, or reductionist models of complex problems, there are risk analysts trying to deal with the problem. These analysts are applying scientific method(s) and developing reasonable approaches to a very complex problem. There are people trying, and our body of knowledge is growing, growing well beyond “gee, I haven’t got an obvious solution so I’ll blame it on lack of data”. Heck, I’ve seen readers of this blog suggest Douglas Hubbard’s book in other security forums!*
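As an added illustration of the kind of analysis this paragraph has in mind (this is my example, not the post's and not a transcription of any published methodology), the Python below turns two calibrated 90% confidence intervals from a subject matter expert into an annual loss distribution by Monte Carlo. The estimates are constructed for the example: 0.5 to 5 incidents per year and $1,000 to $100,000 per incident. The modelling choices (a lognormal fitted to each interval, the event rate fed to a Poisson draw, independent draws) are assumptions of the example. The point is that the estimator's uncertainty is carried through to the output and expressed as percentiles and an exceedance probability, rather than collapsed into one ordinal score.

```python
import math
import random

# z-score bounding a two-sided 90% interval (5th and 95th percentiles)
Z90 = 1.6448536269514722

# Constructed expert estimates for the example (not real data): 90% CIs.
EVENTS_PER_YEAR_CI = (0.5, 5.0)          # one every two years .. five a year
LOSS_PER_EVENT_CI = (1000.0, 100000.0)   # dollars per incident


def lognormal_from_90ci(low, high):
    """Fit a lognormal to a calibrated 90% confidence interval [low, high].

    Returns (mu, sigma) of the normal on ln(x) whose 5th and 95th percentiles
    are low and high. A wide interval becomes a large sigma, so the
    estimator's uncertainty is preserved instead of discarded.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma


def lognormal_mean(mu, sigma):
    """Mean of a lognormal; used to sanity-check the simulation."""
    return math.exp(mu + sigma * sigma / 2.0)


def poisson_sample(rng, rate):
    """Knuth's algorithm; adequate for the small rates in this example."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_loss(freq_ci, magnitude_ci, trials=20000, seed=2008):
    """Return a list of simulated one-year losses.

    Each trial draws an event rate from the frequency fit, a Poisson number
    of events at that rate, and an independent lognormal magnitude per event.
    """
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_from_90ci(*freq_ci)
    m_mu, m_sigma = lognormal_from_90ci(*magnitude_ci)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(f_mu, f_sigma)
        events = poisson_sample(rng, rate)
        losses.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events)))
    return losses


def analytic_expected_loss(freq_ci, magnitude_ci):
    """E[loss] = E[rate] * E[magnitude], because the draws are independent."""
    return (lognormal_mean(*lognormal_from_90ci(*freq_ci))
            * lognormal_mean(*lognormal_from_90ci(*magnitude_ci)))


def quantile(samples, q):
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def exceedance_probability(samples, threshold):
    """Probability that the year's loss exceeds threshold."""
    return sum(1 for x in samples if x > threshold) / len(samples)


def summarize(losses):
    return {
        "mean": sum(losses) / len(losses),
        "p50": quantile(losses, 0.50),
        "p90": quantile(losses, 0.90),
        # losses are exactly 0 only in years with no events
        "p_no_loss": 1.0 - exceedance_probability(losses, 0.0),
    }


if __name__ == "__main__":
    sim = simulate_annual_loss(EVENTS_PER_YEAR_CI, LOSS_PER_EVENT_CI)
    s = summarize(sim)
    analytic = analytic_expected_loss(EVENTS_PER_YEAR_CI, LOSS_PER_EVENT_CI)
    print(f"expected annual loss: simulated {s['mean']:,.0f}, analytic {analytic:,.0f}")
    print(f"median {s['p50']:,.0f}, 90th percentile {s['p90']:,.0f}, "
          f"P(no loss this year) {s['p_no_loss']:.2f}")
    print(f"P(loss > 250,000) = {exceedance_probability(sim, 250000):.3f}")
```

The simulated mean should land close to the analytic product of the two fitted means; the gap between the median and the 90th percentile is the honest answer to "how bad could a year be", and it is only visible because the intervals were never squashed into point estimates.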

I’VE GOT YOUR DATA RIGHT HERE…

But we don’t have enough data?  I have to ask, how much more do we need?  I mean crikey, JPMC just visited our ISSA chapter claiming, like, a bajillion events an hour.  There’s not one, but several companies out there that will want to tell you about how they have deep “insight” into the attacker community.  The boundaries of IT Risk losses are pretty well established by events that happen to public companies.  We have pretty mature testing/assessment tools and methodologies now that help us test our ability to resist the force an attacker can apply to us.  So what part of the Threat Landscape, Asset (Controls) Landscape, or Loss Magnitude landscape is too incomplete (and what are you doing to find the information you need)?

SO WHY DO WE FAIL?

Which brings me to a final, somewhat depressing conclusion.  Maybe there’s data, and maybe we’re starting to see the means to use it.  But in the end I do have to agree with Marcus that the vast majority of the infosec world *is* doing a really, really bad job with regards to “risk” and “risk management”.  The majority of people I know consider GRC to be a cruel, expensive joke.  Risk Assessment Methodologies tend to be built on the faulty premise that if we create a repeatable process, our measurements and conclusions will magically become accurate and wise.  Risk models tend to be factors loosely measured by ordinal scales and then somehow “multiplied” together to create a relatively meaningless qualitative value.  The State of the Union here is not good.  But after reading such a superficial treatment of an important and complex subject, I am left wondering if Bruce and Marcus were the right people to write about risk management in a mainstream publication.  As Inspector Callahan says, “A man’s got to know his limitations.”

===============================

* Speaking of which, if you want to do one cost effective thing to address your uncertainty - go find Douglas Hubbard’s book. It’s even got a nice recommendation from Peter Tippett. The book is called “How To Measure Anything” - the title sounds rather hyperbolic, but there are good techniques in it we can use to identify useful information and refine our ability to frame that qualitative information into quantitative values. The key is how Hubbard has you deal with your uncertainty. For those of you who are more scientifically minded and want to dig deep into the subject, I have on good authority that E.T. Jaynes’ “Probability Theory: The Logic of Science” is a rather under-appreciated work.

Cisco ASA hacker tips: Hexadecimal to decimal conversion tool [Francois Ropert weblog]

Posted: 16 Oct 2008 09:44 AM CDT

Do you know that the famous Cisco ASA security appliance can convert hexadecimal to decimal for you?

Cisco ASA secures your packets. On top of that, ASA has a calc.exe tool that is called PING :>

Unfortunately, this is just a tiny calc because it only works up to 255.

Here are some examples (check the destination address in each "Sending" line: the hex value given to ping is echoed back as the last octet in decimal):

ciscoasa# ping inside 0xA repeat 1 timeout 1 size 28
Type escape sequence to abort.
Sending 1, 28-byte ICMP Echos to 0.0.0.10, timeout is 1 seconds:
?
Success rate is 0 percent (0/1)

ciscoasa# ping inside 0x42 repeat 1 timeout 1 size 28
Type escape sequence to abort.
Sending 1, 28-byte ICMP Echos to 0.0.0.66, timeout is 1 seconds:
?
Success rate is 0 percent (0/1)
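To see where 0.0.0.10 and 0.0.0.66 come from, here is an added Python example (mine, not from the post and not Cisco code) that implements the classic BSD inet_aton address grammar: one to four dot-separated parts, each in decimal, octal (leading 0) or hex (leading 0x), with the last part filling all remaining bytes. A bare 0xA is therefore the 32-bit value 10, which prints as 0.0.0.10. The assumption is that the ASA's ping resolves the argument the same way for the values shown; the post reports that the ASA stops at 255, whereas the full grammar modelled here accepts a single number up to 2^32-1 and multi-part forms such as 10.0x10, so the example goes beyond what the ASA is reported to accept. A strict dotted-quad check is included alongside it, because the lenient forms are exactly what input validation on an address field tends to overlook.

```python
import re

# One part under the BSD inet_aton(3) grammar: hex, octal or decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

# Canonical form: exactly four decimal octets 0-255, no leading zeros, no hex.
_STRICT = re.compile(
    r"^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$"
)


def parse_part(text):
    """Parse one part with C-style base detection (0x = hex, leading 0 = octal)."""
    if not _PART.match(text):
        raise ValueError(f"bad numeric part: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def inet_aton_lenient(text):
    """Dotted quad that the inet_aton grammar assigns to `text`.

    Modelled rules (assumed to match the ASA for the post's examples):
    one to four parts; every part but the last is a single byte; the last
    part fills the remaining bytes. "0xA" -> 0.0.0.10, "10.0x10" -> 10.0.0.16.
    """
    parts = [parse_part(p) for p in text.split(".")]
    if len(parts) > 4:
        raise ValueError("more than four parts")
    head, last = parts[:-1], parts[-1]
    if any(v > 0xFF for v in head):
        raise ValueError("leading part exceeds one byte")
    last_bytes = 4 - len(head)
    if last >= 1 << (8 * last_bytes):
        raise ValueError("final part does not fit in the remaining bytes")
    value = 0
    for v in head:
        value = (value << 8) | v
    value = (value << (8 * last_bytes)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_strict_dotted_quad(text):
    """True only for canonical a.b.c.d, the form a validator should insist on."""
    return _STRICT.match(text) is not None


if __name__ == "__main__":
    for sample in ("0xA", "0x42", "0x100", "0177.0.0.1", "10.0x10"):
        print(f"{sample:>12} -> {inet_aton_lenient(sample):<12} "
              f"strict={is_strict_dotted_quad(sample)}")
```

The defensive takeaway is the last column: every lenient spelling above is rejected by the strict check, so canonicalising to a.b.c.d before comparing an address against a policy or allow-list removes the ambiguity that the ping trick relies on.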

Enjoy!

Taking the Week Off [PaulDotCom]

Posted: 16 Oct 2008 09:33 AM CDT

Yes, you guessed it. We're taking a break for the week!

Don't worry, we'll be back next week with more awesome shows you've come to expect. We've got some great interviews planned for the coming months, and maybe even an episode of PaulDotCom TV in the works!

See you all in a week. Thanks for listening!

- Paul and Larry

Security Visualization Workshop in Hong Kong [Security Data Visualization]

Posted: 16 Oct 2008 08:56 AM CDT

As part of the ISSummit in Hong Kong, I will be teaching a one day workshop on security visualization. The following is the abstract of the training:

As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of-the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. The attendees will get an overview of visualization, data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises.

The training covers the following topics:

  1. Section 1: Visualization
    Visualization is the core topic of this training. The first section introduces some basic visualization concepts and graph design principles that help generate visually effective graphs.

  2. Section 2: Data Sources
    Visualization cannot exist without data. This section discusses a variety of data sources relevant to computer security. I show what type of data the various devices generate, show how to parse the data, and then discuss some of the problems associated with each of the data sources.

  3. Section 3: Visually Representing Data
    Data can be visualized in many different ways. This section takes a closer look at various forms of visualizations. It first discusses generic graph properties and how they can help encode information. It then delves into a discussion of specific visualizations, such as charts, box plots, parallel coordinates, links graphs, and treemaps. The section ends with a discussion of how to choose the right graph for the data visualization problem at hand.

  4. Section 4: Data Visualization Tools
    After a short introduction to different data formats used by visualization tools, this section then discusses visualization tools and libraries. Based on the Data Visualization and Analysis UNIX (DAVIX) distribution I show how simple it is to generate visual representations of IT data.

  5. Section 5: Perimeter Threat
    This section is a collection of use-cases. It starts out with a discussion of use-cases involving traffic-flow analysis. Everything from detecting worms to isolating denial-of-service attacks and monitoring traffic-based policies is covered. The use-cases are then extended to firewall logs, where a large firewall ruleset is analyzed first. In a second part, firewall logs are used to assess the ruleset to find potential misconfigurations or security holes. The next two use-cases cover intrusion detection signature tuning. The remainder of the section looks at application layer data. Email server logs are analyzed to find open relays and identify email-based attacks. The section closes with a discussion of visualizing vulnerability scan data.


Should you be in Hong Kong on November 20th, come check out the training. Should you miss it, I will be teaching a two day workshop at SourceBoston, Boston in March 2009.

Sex Offender Registry Law = FAIL [Carnal0wnage Blog]

Posted: 16 Oct 2008 04:14 AM CDT

more adventures of non-technicians making technical policy FTW!

"Registered sex offenders will have to start providing their e-mail addresses to a national database available to social networking sites, under the misleadingly titled "Keeping the Internet Devoid of Sexual Predators Act of 2008" — a bill authored by Senator John McCain and signed by President Bush on Monday.

The idea behind the law (.pdf) is that a social networking site can query the database to keep registered sex offenders from signing up, and thus prevent them from preying on underage users. Needless to say, the law does nothing to stop first-time predators. But it's doubtful that even recidivists will be affected. Pedophiles looking to victimize children — a felony worth years, even decades, in prison — won't be afraid to violate this new law by using an unregistered Gmail address. And now law enforcement will have to struggle to discern whether an offender is using a disposable webmail account to commit new crimes, or just to shunt the blacklist and network with their adult friends and family."

http://blog.wired.com/27bstroke6/2008/10/mccains-sex-off.html

(edit) Making laws that are not enforceable or are easily bypassed is a waste of time and money, just like regulations that can be followed or enforced. Once we all have a john.smith@person.usa email address AND we all have to use it, this might be a law worthy of some effort.

Infosecurityadviser.com highlights need for central e-crime body [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 16 Oct 2008 03:02 AM CDT

This just entered my inbox:

London, UK, 16th October 2008: Research carried out by Infosecurity Europe has shown that 95 per cent of people would prefer to report online fraud directly to a dedicated e-crime agency, rather than having to go through APACS and/or the financial services firm with whom the fraud took place.

The research by the Infosecurity Europe show - which took in online responses from 359 visitors to the site - follows on from a debate in the House of Lords on e-crime and IT security issues.

In that debate, their Lordships noted it was anomalous for UK banks not being obliged - in law - to refund account holders who have been electronically defrauded.

Lord Broers, the Chairman of the House of Lords Committee on Science and Technology, said that the current situation is that account holders are only being refunded under a voluntary code, noting that in today's environment this is scarcely appropriate.

In addition, Lord Broers said, whilst customers currently report their e-frauds to the banks, it is not in the banks' interests to draw attention to the fact that their anti-fraud systems have failed.

Against this backdrop, their Lordships concluded there is a need for specific legislation - similar to the Bills of Exchange Act 1882 - which specified that if a bank honoured a forged cheque, the bank, not the customer upon whose account the cheque had been drawn, was liable.

Commenting on the results of the security debate and the Infosecurityadviser.com research, the Earl of Erroll, a cross-bench member of the House of Lords, said that he was not surprised that 95 per cent of people would like to be able to report online fraud directly to a dedicated body.

"I think that people instinctively realise that you cannot expect people or organisations to report their own shortcomings reliably," he said, adding that the industry must always have independent bodies looking after our interests.

"I am delighted that money is finally being put into the new National Fraud Reporting Centre and is actually going to be given some teeth in the form of the new Police Central e-crime Unit," he added.

Lord Erroll's comments were echoed by Mike Barwise, Editor of Infosecurityadviser.com, the online forum for the information security industry, who noted Lord Broers' description ("extraordinarily complacent") of the government's response to the August 2007 report on personal Internet security by the House Science and Technology Committee.

The House of Lords debate, he said, was fascinating, as it illustrated the degree of confidence that consumers must have in a system for it to flourish.

"Lord Sutherland of Houndwood's comments that Internet trading and purchase... depend on confidence and trust in the processes employed by the banks and in the priority that they give to personal Internet security, highlights this fact," he said.

"As events in the financial world in recent weeks have shown, without an underlying level of confidence in a given market, that market will collapse spectacularly. The danger with e-trading security is that, if confidence fails, the e-trading market will similarly slump," he added.

For more on Mike Barwise's comments: http://www.infosecurityadviser.com/view_message?id=74

 

Oracle Critical Patch Update, October 2008 [securosis.com]

Posted: 16 Oct 2008 12:10 AM CDT

The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to be patched in every CPU during the last few years. All in all the database modifications appear minor so patch the databases according to your normal deployment schedules.

It does seem that every time I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the eBusiness suite. As a security researcher, one of the tough chores is to figure out if these vulnerabilities inter-relate, and if so, how any of these in conjunction with the others could provide a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that’s flagged as a high risk item by itself. Without details, we cannot know if the BEA bug is sufficient to compromise a web server and reach vulnerable databases behind it.

The BEA plug-in was awarded Oracle’s highest risk score (10 out of 10), so if you’re using that Apache plug-in, PATCH NOW! I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU #716387 (CVE-2008-3257). However, there is no mention of a workaround in this CERT advisory as there was with the previous attack, and in general Oracle is not very chatty about the specifics on this one. And I love the Teflon-coated catch-all phrase in the vulnerability ‘description’: “…which may impact the availability, confidentiality or integrity of WebLogic Server applications…”. Helpful!

Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email as I would love to know more.

-Adrian

An Information Security Place Podcast - Episode 7 [An Information Security Place]

Posted: 15 Oct 2008 11:35 PM CDT

Hey everybody.  Here’s podcast episode 7.  There’s some great stuff in here, and some great interviews.  Enjoy!

BTW, iTunes is downloading episode 6 for episode 7 for some friggin’ reason.  I will look into it, but I have to finish a proposal tonight.  Sheesh.

Link to MP3

Show notes:
Segment 1 - InfoSec News Update

Interview Segment:

Geek Toys: Jasager on the FON Router - Watch Episodes 403 and 405 of Hak5 or hop over to DigiNinja’s Jasager page

Consultants Corner: Discussion on doing some due diligence on checking vendor claims. Open discussion on the recent Evil Bits Darkreading blog post

Music Notes:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segue 1 - Jimmie Bratcher - “Bad Religion”
  • Segue 2 - The Erotics - “Walk All Over You”
  • Segue 3 - Megaphone - “Not Your Enemy”
  • Segue 4 - Kickstart - “Theme Song”

Vet

iPhone 3G: No shared filesystem, no cut and paste, no mail attachment editing…No Joy. [Vincent Arnold]

Posted: 15 Oct 2008 10:42 PM CDT

Well my iPhone frustrations continue…

I loathe the fact that I can’t do anything with email attachments other than just read them. It would be nice to be able to edit a Word attachment on occasion. It also would be cool to be able to attach a doc to an email.

As I have said before, a system wide cut and paste feature, available on almost all smart phones, is something that should have been included in the first gen iPhones.

And why does every single text editor have to have its own, independent storage area for docs? I can’t even share docs from one text editor to another. If it is stored in one text editing app’s filestore, there is no way for another text editor to get to it. This is just plain ridiculous.

The cool thing though? I’m posting this from my iPhone.

Ok Apple…You’re forgiven…for now but my patience is wearing thin. Beauty will only get you so far.

USB Goodies 2008 [Room362.com]

Posted: 15 Oct 2008 09:57 PM CDT

EDIT: Switching something from “DRAFT” to “PUBLISH” is a really important step. Sorry guys.

Let me preface all of these tools with the fact that some don’t come “portable”. To make them so, I have dropped the installer / setup file into Universal Extractor and then cleaned up the directory.

  • PortSwigger’s Burp Suite - http://portswigger.net/suite/
    • This tool is essential to any web application security guru’s tool belt. If you haven’t used it already it is time to get schooled up on this wrecking ball.
  • Network Miner - http://sourceforge.net/projects/networkminer/
    • Takes a live feed, or a pcap file and dumps files, frames, and runs p0f. It even allows you to do searches for keywords like “password”
  • NZB-O-Matic Plus - http://www.bunnyhug.net/nomp/
    • I swear by this tool for downloading NZB files. Now other people use hellanzb on Linux. There is another one that was even more recommended for Linux but I can’t remember it at the moment. I’ll find it and post it to Mubix’s Links, or if someone wants to comment on this post.
  • Wootalyzer - http://www.wootalyzer.com/
    • Woot.com has one awesome deal each day that shows up like clockwork at 1 AM EST, and always 5 dollars shipping. (Yes, even if it is a 60 inch plasma). And if you get as addicted to Woot as my family has, this application is a must.
  • FastStone Capture - http://www.faststone.org/FSCaptureDetail.htm
    • Still hands down the best screen capture utility known to man. You can still find the Freeware version out there if you look around a bit. The built in editor, ruler and color picker just add to its awesomeness.
  • HFS (HTTP File Server) - http://www.rejetto.com/hfs/
    • Always at the top of my list, this tool has been my most valuable asset on my USB keys for a couple years now.
  • Looking Glass - http://portal.erratasec.com/lg/
    • A tool by Errata Security, it’s designed for checking files on Vista to see which ‘advanced security’ features aren’t being used, such as ASLR, NX and unsafe functions (swprintf)
  • MobaLiveCD - http://mobalivecd.mobatek.net/
    • Allows you to boot a LiveCD within your Windows environment using QEMU. Booting Back Track 3 works but the networking side is a bit flaky. Can’t wait to see where this project goes.
  • Process Explorer - http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    • If you haven’t switched out Task Manager with Process Explorer yet I think you have been living in a cave.... Well, get to it! In fact, put the whole Sysinternals Suite on your USB stick - http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
  • GoPC - http://www.gopc.net/
    • I haven’t had to use this that much, but when I have it has come in really handy. Best way to describe it is a remote desktop that you don’t have to maintain. You can install the app on your USB stick and be ready to login at the drop of a hat. It uses port 22 to tunnel the connection automagically.
  • sbd - http://www.cycom.se/dl/sbd
    • This awesome gem was the result of taking the Offensive Security 101 course. It’s a netcat clone that adds some nice encryption features to the mix as well as being less detected via VirusScans.
  • SmartSniff - http://www.nirsoft.net/utils/smsniff.html
    • This tool is on the list along with all of the tools by nirsoft, because of it’s portability. I can fire up SmartSniff, look at the packets there, or dump them to a pcap file for inspection via WireShark or Network Miner later.
  • -=Xploitz=- Master Password Collection - http://thepiratebay.org/torrent/4017231/-_Xploitz-_Master_Password_Collection
    • This is an awesome collection of password files, extract, combine, sort, uniq and you have about a gig worth of passwords to check against.
  • Peer Guardian - http://phoenixlabs.org/pg2/
    • A must have for anyone torrenting files, legal or not. Plus the fact that you can make your own ACLs makes it an instant win. When I am in an airport I usually fire PG2 up with my ‘local’ ACL list and have it block everything but my gateway and DNS.
  • Proxifier PE - http://www.proxifier.com/
    • One of the few tools that I would recommend spending money on. There really isn’t anything else out there like it. You can instantly proxy any application you want, or all applications. Anyone up for some Hak5 LAN parties, from work? Word of advice: bring headphones and don’t use voice chat.
  • PS2DIS - http://www.geocities.com/SiliconValley/Station/8269/ps2dis/
    • Originally created for PlayStation 2 hacking, and yes, still hosted on GeoCities. It is a great way to start looking into hex editing for free.
  • Recuva - http://www.recuva.com/
    • I have used many different undelete programs and this is the one that made it to my main USB stick. It consistently found and recovered more deleted files than any other out there.
  • WinShove - http://tombell.org.uk/blog/projects/8
    • Sweet little program by Tom Bell that takes away the painstaking annoyance of having to find the title bar to move a window around, by letting you use any part of the window.
  • Universal Extractor - http://legroom.net/software/uniextract
    • Ever had a file that you couldn’t extract for one reason or another? Well, this baby is the cure. It extracts almost everything, including most installers, which is how a lot of my installed apps became ‘portable’.
  • BareGrep and BareTail - http://www.baremetalsoft.com/
    • Grep and Tail for windows, free and portable. Need I say more?
  • SIW - http://www.gtopala.com/
    • If you ever wanted to know absolutely everything about the machine you are on, and be able to dump it to a file, this is the tool. But it doesn’t stop there. Check out the Tools menu option for the real hotness.
  • SoundCardPicker - http://www.phasequest.com/soundcardpicker.htm
    • This tool hasn’t been updated to even recognize the existence of XP, but it still works on XP. I don’t know about Vista. But I get real tired of going all the way into my sound settings and changing the Default Sound Card, every time I want an application to use a different one. This might be uniquely my problem, but then again, it may help some of you audiophiles out there.


That’s all for now folks. I will add more later, since this is far from a complete list, and fix the USB Goodies page when I publish the torrent and updated list.

My Take On The Database Security Market Challenges [securosis.com]

Posted: 15 Oct 2008 07:28 PM CDT

Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual drivel that analyst types get all hot and bothered about, when he dropped the bombshell: one of our favorite groups of products could be in serious trouble.

For the record, we hadn’t started happy hour yet.

Although everyone on the vendor side is challenged by such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal.

Since I’m about to head off to San Diego for a Jimmy Buffett concert, I’ll try to keep this concise.

  • Database security is more a collection of markets and tools than a single market. We have encryption, Database Activity Monitoring, vulnerability assessment, data masking, and a few other pieces. Each of these pieces has different buying cycles, and in some cases different buying centers. Users aren’t happy with the complexity, yet when they go shopping they tend to want to put their own car together (due to internal issues) rather than buy a single full product.
  • Buying cycles are long and complex due to the mix of database and security. Average cycles are 9-12 months for many products, unless there’s a short term compliance mandate. Long cycles are hard to manage in a tight economy.
  • It isn’t a threat driven market. Sure, the threats are bad, but as I’ve talked about before, they don’t keep people from checking their email or playing solitaire, thus they are perceived as less urgent for prevention.
  • The tools are too technical. I’m sorry to my friends on the vendor side, but most of the tools are very technical and take a lot of training. These aren’t drop-in boxes, and that’s another reason buying cycles are long. I’ve been talking with some people who have gone through vendor product training in the last 6 months, and they all said the tools required DBA skills, but not many on the security side have them.
  • They are compliance driven, but not compliance mandated. These tools can seriously help with a plethora of compliance initiatives, but there is rarely a checkbox requiring them. Going back to my economics post, if you don’t hit that checkbox or clearly save money, getting a sale will be rough.
  • Big vendors want to own the market, and think they have the pieces. Oracle and IBM have clearly stepped into the space, even when their products aren’t as competitive (or capable) as the smaller vendors’. Better or not, as we continue to drive towards “good enough” many clients will stop with their big vendor first (especially since the DBAs are so familiar with the product line).
  • There are more short-term acquisition targets than acquirers. The Symantecs and McAfees of the world aren’t looking too strongly at the database security market, mostly leaving the database vendors themselves. Only IBM seems to be pursuing any sort of acquisition strategy. Oracle is building their own, and we haven’t heard much in this area out of Microsoft. Sybase is partnered with a company that seems to be exiting the market, and none of the other database companies are worth talking about. The database tools vendors have hovered around this area, but outside of data masking (which they do themselves) don’t seem overly interested.
  • It’s all down to the numbers and investor patience. Few of the startups are in the black yet, and some have fairly large amounts of investment behind them. If run rates are too high and sales too low, I won’t be surprised to see some companies dumped below their value. IPLocks, for example, didn’t sell for anywhere near its value (based on the numbers alone; I’m not even talking product).

There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble.

I’m not kidding, I really hated writing this post. This isn’t an “X is Dead”, stir the pot kind of thing, but a concern that one of the most important linchpins of information-centric security is at risk. To use Adrian’s words:

But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act.

-Rich

PaulDotCom Security Weekly - Episode 126 Part II - October 9, 2008 [PaulDotCom]

Posted: 15 Oct 2008 03:37 PM CDT

Paul and Larry are in the studio with special guest Ed Skoudis!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com


Trade names in Extended Validation SSL Certificates [Tim Callan's SSL Blog]

Posted: 15 Oct 2008 03:19 PM CDT

As I discuss EV SSL with a variety of online businesses, one question I get a lot is about the name that appears adjacent to the address bar in compatible browsers. The question goes something like this, "We do business under the well-known brand of HipCoolStuff, but our company is actually called Old Stodgy Holding Corporation. We don't want the Old Stodgy name on our Web site. Nobody knows us by that name, and it's not the brand identity we choose to present to the public. What can we do about that?"


The answer is that you're allowed to use any legal trade name that you possess in that address bar. A business may obtain EV certificates under an organization name that is a legally registered trade name of the organization in question (referred to in the EV guidelines as an "Assumed Name"). VeriSign, or whichever CA issues the certificate, must authenticate the legal status of that trade name as a valid name registered to the organization before the certificate can be issued. Then, when the certificate appears on the site, you will see the trade name first and then a parenthetical note with the legal name of the organization. For example, HSBC also owns the first direct Internet bank. On the first direct site, the organization name is not "HSBC Holdings." Rather, it is "first direct Bank (HSBC Holdings plc)."


In my experience organizations are pretty buttoned up on trade names. The risks involved with building a brand on what is not a legal trade name are pretty unacceptable, and I don't recall ever having bumped into a company that got that one wrong. So if there's a name that you're trading under as your main brand, I expect you'll be allowed to put it in your EV SSL Certificates. If your company has several or many of these trade names, you can hold active certificates under more than one trade name concurrently (although each certificate will be limited to a single trade name for its duration, of course).

In my opinion... [IT Security: The view from here]

Posted: 15 Oct 2008 01:46 PM CDT

It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.

I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...

HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.

I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.

Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?

How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?

I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?

I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.

I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)

Will Database Security Vendors Disappear? [securosis.com]

Posted: 15 Oct 2008 11:02 AM CDT

Rich and I got into a conversation Friday about database security, and the fate of vendors in this subsegment, in light of recent financial developments. Is it possible that this entire database security sub-market could vanish? Somewhat startled by the thought, we started going down the list of names, guessing who would be acquired, who was profitable, and who will probably not make it through the current economic downturn without additional investment. It seems plausible that the majority of today’s companies may disappear.

It’s not just that the companies’ revenue numbers are slowing with orders being pushed out, but the safety blanket of ready capital is gone, and the vendors must survive a profitability ‘sanity check’ for the duration of the capital market slowdown. And that becomes even harder with other factors at play, specifically:

Trust. The days of established companies trusting the viability of small security startups are gone. Most enterprises are asking startups for audited financials to demonstrate their viability, because they want to know their vendors will be around for a year or two. Most startups’ quarterly numbers hinge on landing enterprise clients, with focused sales and development efforts aimed at larger accounts. Startup firms don’t keep 24 months of cash lying around, as that is considered wasteful in the eyes of the venture firms that back them, and they need to use their money to execute on the business plan. As most startups have financials that make public company CFOs gasp for breath, this is not a happy development for their sales teams or their VCs.

Breadth of function. Enterprises are looking to solve business problems, and those business problems are not defined as database security issues. Enterprise customers have trended towards purchasing suites that provide breadth of function, which can be mixed and matched as needed for security and compliance. The individual functions may not be best of breed, but the customer tends to get pieces that are good enough, at a better price. Database security offers a lot of value, but if the market driver is compliance, most vendors offer too small a piece to assure compliance by themselves.

Too many choices. I do this every day, and have been for almost 5 years. It is difficult to keep up with all the vendors, much less the changes to their offerings and how they work, and get an idea of how customers perceive these products. Someone who is looking at securing their databases, or seeking alternative IT controls, will be bombarded with claims and offerings from a myriad of vendors offering slightly different ways of solving the same security problems. For example, since 2004 (or their inception, if later) I have been tracking these companies on a regular basis:

Application Security Inc.
Lumigent
Imperva
Guardium
Tizor
Securno
Sentrigo
NGS
Embarcadero (Ambeo)
Symantec
Quest
IPLocks

And to a much lesser extent:

Phulaxis
Idera
DBi (Database Brothers)
Nitro Security (RippleTech)
SoftTree Technologies
Chakra (Korea)
Performance Insight (Japan)

For DB security product vendors, there are just too many for a $70-80M market subsegment, with too large a percentage of the revenue siphoned off by ancillary technologies.

Granted, this is just my list, which I used to track for new development; and granted, some of these firms do not make the majority of their revenue through sales of database security products. But keep in mind there are a dozen or so IDS/SIM vendors that have dabbled in database security, as well as the database vendors’ log analysis products such as Oracle’s Audit Vault and IBM’s AME, further diluting the pool. There have been services companies and policy management companies who all have claimed to secure the database to one extent or another. Log file analytics, activity monitoring, assessment, penetration tests, transactional monitoring, encryption, access control, and various other nifty offerings are popping up all the time. In fact we have seen dozens of companies who jump into the space as an opportunistic sortie, and leave quickly once they realize revenue and growth are short of expectations. But when you boil it down, there are too many vendors with too little differentiation, lacking implicit recognition by customers that they solve compliance issues.

Database security has never been its own market. On the positive side it has been a growing segment since 2002, and has kept pace almost dollar for dollar with the DLP market, just lagging about a year behind. But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act.

Rich will give his take tomorrow, but although both of us believe strongly in the value of these products, we are concerned that the combination of market forces and economic conditions will really hurt the entire segment.

-Adrian

Switching to Linux? 10 questions to ask before the switch! [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 15 Oct 2008 06:12 AM CDT

Jack Wallen takes a challenge head on with his post on questions you need to ask before moving to Linux.

I love Linux myself, but that does not mean that I have migrated all my systems. I run several systems on Linux, and I have clients doing the same. Still I find it useful to run Windows on many occasions, and more importantly, I have a few situations where I have no choice but running Windows.

One such situation is a booking platform for one of my customers. The platform itself is developed in Java and is remotely hosted. The platform developer has not bothered to port the solution to Linux (or anything else, for that matter), even though it should be an easy task. Of course, most of their customers are not aware that there are alternatives to Windows, but this particular client would actually prefer to run their workstations on Linux. (Yes, I know we could use Wine etc.; that is not an alternative at the moment.)

For this very customer, Linux would be a great choice because it would enable us to harden the system in order to stop users messing about and installing malware etc. But, due to the booking system, their computers will keep running Windows XP with full administration rights for every user. Duh.

Technorati Tags: Linux, Windows

Security policy being bypassed by employees, survey finds [Vincent Arnold]

Posted: 15 Oct 2008 12:11 AM CDT

By Robert Westervelt, News Editor
14 Oct 2008 | SearchSecurity.com

Many companies have security policies and procedures in place, but the results of a recent survey found that employees are bypassing many of them, bringing sensitive data home with very few protections.

In many cases, companies are struggling to find the right balance between strict security requirements and employee productivity as more employees work at home. Encryption and other security technologies are available, but some firms are accepting the risk and some may be unaware that end users are bringing customer data, personally identifiable information or company financial data home with them on laptops, smartphones and Universal Serial Bus (USB) flash drives.

Source

Grecs’s Infosec Ramblings for 2008-10-14 [NovaInfosecPortal.com]

Posted: 14 Oct 2008 11:59 PM CDT

  • ANTI-AV TOOL: PaulDotCom list mentioned a tool called PE-Scrambler. Looks interesting. I think the link is http://www.rnicrosoft.net (clever domain).
  • EXPLOIT PREDICTION: Article on how MS is rolling out an exploitability rating for patches today. http://tinyurl.com/4k5z7v
  • DARKMARKET.WS FBI STING: FBI has been running this site for 2 years and seems to have had a lot of success with it. http://tinyurl.com/48chko

Federal IA Conference Infosec Event [NovaInfosecPortal.com]

Posted: 14 Oct 2008 10:41 PM CDT

FBC announced this year’s Federal IA Conference infosec event a while back. Here are the logistics for this year’s conference:

  • Who: FBC
  • What: Federal IA Conference
    • For the past seven years the FIAC has brought together the leading advocates for IA within the Federal Government, Industry, and Academia. In their eighth year they intend to continue this trend while providing a venue which will be more accessible to those who have been deterred from participating in the past, thereby increasing the number of participants for this year's event.
  • When: 10/27 - 10/29/2008
  • Where: Ronald Reagan Building & International Trade Center (1300 Pennsylvania Avenue NW;  Washington, DC 20004; the Federal Triangle metro stop is located on site and Metro Center is two blocks away)

For more information on the Federal IA Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See FBC’s Federal IA Conference site for more information.

OWASP - VA Local Chapter Infosec Meetup Event - Thursday, 10-16: Incident Mgmt & Crime Scenes [NovaInfosecPortal.com]

Posted: 14 Oct 2008 10:10 PM CDT

Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. If you plan on attending, RSVP to Jeremy Epstein so they can get your badge processing started.

  • Who: Dave Merkel, Mandiant & Inno Eroraha, NetSecurity Corporation
  • What:
    • Merkel - Enterprise Grade Incident Management - Responding to Persistent Threats
    • Eroraha - Responding to the Digital Crime Scene: Gathering Volatile Data
  • When: 10/16, 6:00 - 8:30 PM EST
  • Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171)

For more information on the OWASP - VA Local Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

ISSA - NoVA Chapter Infosec Meetup Event - Thursday, 10-16: Is it Time to Change FISMA? [NovaInfosecPortal.com]

Posted: 14 Oct 2008 09:39 PM CDT

Here is some information regarding this week’s Thursday ISSA - NoVA Chapter infosec meetup event.

  • Who: Marc Noble (moderator), FCC, Bruce Brody, CACI, Allan Paller, SANS, Dr. Ron Ross, NIST, & Michael Castagna, DoC
  • What: Is it Time to Change The Federal Information Security Management Act (FISMA)?
    • Distinguished experts and critics argue that while FISMA has been around for over 6 years, it still measures the wrong things and promotes compliance over true security. To discuss how good security can be measured, ISSA NOVA Chapter president, Marc Noble, will moderate a panel of supporters and critics of FISMA. This presentation will highlight both the successes and the failures in the current FISMA process and will propose solutions by which the federal computing enterprise can better protect its systems from those who would do them harm.
  • When: 10/16, 5:30 (doors open) & 6:30 (meeting starts) PM EST
  • Where: The MITRE Corporation, Mitre-1 (7525 Colshire Drive, McLean, VA 22102)

For more information on the ISSA - NoVA Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

Phishing adapts to use financial meltdown to its advantage [Tim Callan's SSL Blog]

Posted: 14 Oct 2008 05:15 PM CDT

We know that the practice of phishing, when done effectively, involves surprising the victim, taking him out of his normal context, and creating a sense of urgency through fear. What better opportunity to use all three of these principles than by sending phishing e-mails that are hand-crafted with the current financial crisis in mind. WashingtonPost.com's Brian Krebs gives us a great summary of some of the new attacks that prey on targets' financial concerns.

A (Tentative) Wish-List for a Better, More Secure, Web Browser [Security Provoked]

Posted: 14 Oct 2008 04:28 PM CDT

Web browsers are where the client machine rubber meets the Web server road. So it stands to reason that strong Web browser security is paramount—far more effective than relying on thousands of Web application/ plug-in developers to write more secure code.

There are definitely some browser developers that are making strides in the right directions, but none of them are quite there yet. I’m still thinking through this, but if I were writing my wishlist for a more secure Web browser today (and, well… I am) then here’s what it would be:

1. It has to work. This is absolutely the most important piece of the puzzle. The trouble is, the most effective ways browsers have thus far come up with to improve security also have some truly damaging impacts on performance.

2. It has to be built like a platform, not like a singular application. Once upon a time, the Web was a series of static pages, and the Web browser was an application that let you find and view those static pages. Times have changed, however, and now the browser itself plays host to many rich, Web-based applications. Thus, browser development should be treated more like operating system development. Some browsers–Google Chrome, principally–are beginning to make strides in this direction. (As my fellow CSIers, Kristen Romonovich and Robert Richardson, said from the get-go, Chrome is more a Windows competitor than it is an Internet Explorer competitor.)

3. It needs a modular–not monolithic–architecture. In a modular architecture, the browser is divided into at least two components–generally speaking, one that interacts with the client machine, and one that interacts with the Web and operates from within a sandbox. The main benefit is that it’s a great defense against drive-by malware downloads. If an attacker compromises the Web-facing component of the browser, they won’t automatically gain full access to the client machine with user privileges. They’ll only gain access/privileges to whatever the Web-facing component needs. Internet Explorer 8 (beta) and Google Chrome (beta) use modular architectures. The OP Browser still in development by researchers at the University of Illinois uses a more granular modular architecture that splits the browser into five components.

Yet monolithic architectures are still what all the major browsers ship today. (Monolithic architectures are kind of like real-estate brokers who represent both the buyer and the seller: you just can’t quite trust them.)

4. It has to support some sort of process isolation. In essence, isolating processes means that when one site/ object /plug-in crashes, it doesn’t crash the entire browser.

5. Its security policies cannot rely heavily on the user. Average users should not be expected to understand the intricacies of privacy and security settings. They shouldn’t be expected to dig into their Internet options, flip JavaScript on and off and on and off again, disable plug-ins, delete nefarious cookies, or anything else.

6a. It’s got to figure out how to securely handle plug-ins.
6b. It’s got to figure out how to securely handle JavaScript.

The troubles with plug-ins are that they tend to run as one instance–so process isolation doesn’t really work with them–they’re given unchecked access to all the browser’s innards, and they tend to assume/require the user’s full privileges. In order to allow plug-ins to run properly, Chromium (the modular, open-source Web browser architecture used by Google Chrome) runs them outside of the sandbox, and with the user’s full privileges–so the browser can’t do anything to save the user’s machine from malicious downloads through an exploited plug-in.

The OP Browser has some very innovative ways of handling plug-ins. Rather than using the Same Origin Policy–which prohibits scripts and objects from one domain from accessing/loading content (scripts/objects) from another domain–the browser applies to plug-ins a “provider domain policy,” in which the browser can label the Web site and the plug-in content embedded in that Web site with separate origins. The plug-in’s origin will be the domain that’s hosting the plug-in content, which is not necessarily the same as the domain of the page you’re viewing. (So if you were here on GoCSIBlog.com and I’d embedded an Adobe Flash media file from YouTube, the OP browser could recognize the page’s origin as GoCSIBlog.com and the Flash file’s origin as YouTube.com.) The benefit here is that you can add a site to your “trusted” list–thereby allowing plug-ins and allowing any plug-in content that originates from that trusted site–without needing to allow plug-in content that is running on the trusted site but originates from untrusted sites. This greatly mitigates the risks of cross-domain plug-in content… however a) there are some cases where this policy will prevent plug-ins from operating properly and b) as Robert Hansen, CEO of SecTheory pointed out to me, the primary vector for cross-domain content attacks (XSS, CSRF) is JavaScript, not plug-ins.
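
To make the two labelling rules concrete, here is a small JavaScript model of them. It is an added example, not code from the original post or from the OP browser, and the policy names (`same-origin`, `provider-domain`), the origins and the trusted list are illustrative assumptions. Under the same-origin rule, embedded content is treated as belonging to the page that embeds it, so trusting the page trusts whatever it embeds; under the provider domain rule, the plug-in content is labelled with the origin that actually serves it, and the trusted-list decision is made against that label.

```javascript
// Added example: a toy model of origin labelling for embedded plug-in content.
// This is not the OP browser's code; policy names, origins and the trusted
// list are illustrative assumptions.

// Reduce a URL to its origin (scheme://host[:port]) with the WHATWG URL API.
// The host is lower-cased and a default port is dropped, so two spellings of
// the same origin compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// Label a page and the plug-in content it embeds.
//   'same-origin'     : embedded content inherits the embedding page's origin
//   'provider-domain' : embedded content is labelled with the origin serving it
function labelContent(pageUrl, pluginSrc, policy) {
  const page = originOf(pageUrl);
  switch (policy) {
    case 'same-origin':
      return { page, plugin: page };
    case 'provider-domain':
      return { page, plugin: originOf(pluginSrc) };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Decide whether the plug-in content may run. The decision is made on the
// plug-in's own label, so the outcome depends on which policy produced it.
function pluginAllowed(pageUrl, pluginSrc, policy, trustedOrigins) {
  const { plugin } = labelContent(pageUrl, pluginSrc, policy);
  return trustedOrigins.has(plugin);
}

// Constructed scenario: the user trusts the blog, the blog embeds a Flash
// file served from a video site, and a second embed comes from a host the
// user has never heard of. None of these embeds are real.
const TRUSTED = new Set(['https://gocsiblog.com']);
const PAGE = 'https://gocsiblog.com/2008/10/browser-wishlist';
const EMBEDS = {
  local: 'https://gocsiblog.com/media/intro.swf',
  video: 'https://www.youtube.com/v/abc123.swf',
  unknown: 'https://cdn.example.net/ad.swf', // constructed, not a real host
};

// Evaluate every embed under both policies and return a table of decisions.
function compareDecisions(trusted = TRUSTED, page = PAGE, embeds = EMBEDS) {
  const table = {};
  for (const [name, src] of Object.entries(embeds)) {
    table[name] = {
      sameOrigin: pluginAllowed(page, src, 'same-origin', trusted),
      providerDomain: pluginAllowed(page, src, 'provider-domain', trusted),
    };
  }
  return table;
}

// Stand-alone run: only the locally hosted embed is allowed under both rules;
// the cross-domain embeds pass under same-origin labelling and are refused
// under provider-domain labelling.
console.log(JSON.stringify(compareDecisions(), null, 2));
```

The table is the whole argument in one place: with the trusted page as the only label, every embed on it is allowed, including the one from the unknown host; with provider-domain labels, only content the user actually trusts gets through, and trusting the video site is a separate decision (add `https://www.youtube.com` to the set). The same contrast explains the author's point about JavaScript: a script pulled in with a cross-domain `<script src>` executes with the including page's origin, that is, it is labelled the way the `same-origin` column labels plug-ins.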

Yet, browsers (the OP browser included) continue to apply the same origin policy to JavaScript, and there are many JavaScript-based attacks–JavaScript hijacking, for example–that sidestep the same origin policy.

The trouble is, none of the browser companies have really figured out yet how to securely handle JavaScript in a way that doesn’t disrupt one’s browsing experience and/or require security-savvy action from users. The NoScript plug-in for Firefox is a good tool, but a) it’s not a standard Firefox feature, and b) it’s a bit advanced for the average user. Other browsers allow you to simply disable JavaScript, but doing so means the user won’t be able to enjoy some of the fun, quintessentially Web 2.0 things the Internet now has to offer. Further, JavaScript is automatically enabled on any sites on the user’s “trusted” list, so malicious JavaScript on a legitimate site continues to be a problem.

Web browsers’ inability to elegantly handle JavaScript-related threats is a big problem, because it means that we all must rely upon individual Web site developers to keep their sites free of cross-site scripting and cross-site request forgery vulnerabilities.

Part of the trouble may be that currently available rendering engines, used for parsing HTML and executing JavaScript, are error-prone and written in generally insecure languages. (So if you’re a young researcher, maybe “Creating a more secure HTML rendering engine” would make a good thesis project. Pretty please?)

I’m still thinking some of this through, so do let me know if you disagree, see errors in my judgment, or think something else should be on this list.

Also: should one browser be expected to do everything? How likely are you (and your users) to use one browser for everyday activities and another browser for more delicate activities?

We’ll be devoting the next issue of the Alert–CSI’s members-only publication–to browsers and other elements of client-side Web security issues. We’ll also be discussing some of this during the CSI 2008 conference next month. Tuesday, Nov. 18 Gunter Ollmann of IBM-ISS will present a full 60-minute session on “Man-in-the-Browser Attacks,” and, also on Tuesday, browser security will be discussed during the Web 2.0 Security Summit, moderated by Jeremiah Grossman (CTO, WhiteHat Security) and Tara Kissoon (Director of Information Security Services at VISA, Inc.).
