7.07.2009

This Blog Has Moved

For all of those reading or following this blog... This blog has moved to http://misc-security.com Please update your bookmarks/rss feeds accordingly.

Thanks,

Brett

SQL Injection - Primer



SQL Injection is a security vulnerability in which a web application passes unsanitized user input directly into a SQL query, so the input is parsed as part of the query instead of being treated as data.

The textbook example is that a web application has a username field that inserts the user's input into the following SQL query:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

The user then types a' or '1'='1 into the username field. This creates the following SQL statement:

SELECT * FROM users WHERE name = 'a' or '1'='1'

If the statement variable is used for the authentication procedure, the WHERE clause now evaluates to true for every row, so the check always passes.

An attacker can cause more damage by entering input such as '; DROP TABLE users;--

This would produce the following statement:

SELECT * FROM users WHERE name = ''; DROP TABLE users;--';

The -- comments out the trailing quote and semicolon left over from the template, and the users table is deleted from the database (on any database driver that executes more than one statement per query).
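As an added illustration (not code from the original post), the following Python script runs the post's two payloads against a small in-memory SQLite table using the post's concatenated query, and beside it the parameterized form that fixes the flaw. The table contents are constructed sample data; the payload strings are the ones quoted above.

```python
import sqlite3

PAYLOAD_TAUTOLOGY = "a' or '1'='1"           # from the post
PAYLOAD_STACKED = "'; DROP TABLE users;--"   # from the post


def make_db():
    """In-memory database with a constructed users table (sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def rows_vulnerable(conn, user_name):
    """Query built by string concatenation, exactly as in the post. Returns
    the number of matching rows; the tautology payload matches every row."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return len(conn.execute(statement).fetchall())


def rows_parameterized(conn, user_name):
    """Same lookup with a bound parameter: the driver sends the input as data,
    so quotes or keywords inside it never become part of the SQL grammar."""
    statement = "SELECT * FROM users WHERE name = ?"
    return len(conn.execute(statement, (user_name,)).fetchall())


def stacked_query_outcome(conn, user_name):
    """Feed the stacked-query payload through the concatenating code and
    report what happened. Python's sqlite3 refuses to run more than one
    statement per execute() call, so here the DROP never reaches the engine;
    a driver that permits stacked statements would execute it."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    try:
        conn.execute(statement)
        driver_ran_it = True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        driver_ran_it = False
    table_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()[0] == 1
    return {"driver_ran_it": driver_ran_it, "users_table_exists": table_exists}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology payload:", rows_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("parameterized, tautology payload:", rows_parameterized(db, PAYLOAD_TAUTOLOGY))
    print("parameterized, real user:", rows_parameterized(db, "alice"))
    print("stacked payload:", stacked_query_outcome(db, PAYLOAD_STACKED))
```

The concatenated query returns both rows for the tautology input, while the parameterized query returns none, because the whole string is compared literally against the name column. Whether a stacked DROP actually runs depends on the driver, so a negative result here is not evidence that the concatenating code is safe elsewhere.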

7.06.2009

OWASP Top 10 - Primer



When developing a security strategy for web applications many companies have no idea where to begin. The Open Web Application Security Project (OWASP) understood this problem and developed the OWASP Top 10.

The OWASP Top 10 lists the top ten vulnerabilities found in web applications. This post begins a 10-part series, with one post dedicated to each of these vulnerabilities.

If you are a developer, you should understand these vulnerabilities. Understanding them is critical to introducing fewer vulnerabilities into your code.

The OWASP Top 10:
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access


6.30.2009

Don't Click That Link!



Why did you just click that link? Most likely you have come to this site by clicking a link from another site. Why did you do that? Did you trust the person who sent you the link? Did you click a link from Twitter, Facebook, or an email someone sent you?

When you click a link, you are telling your browser, "I trust this person." However, this is not the way we use the Internet. We click on links all the time. We click on links from "untrusted" sources. We click links from people we don't know, and we even click on URLs that have been modified. On Twitter, a person is much more inclined to click the shortened link http://bit.ly/5hXRW than they are to click http://somewherebank.com/transfer.jsp?amount=1000&to_account=56777564, even though the shortened link could redirect to that very somewherebank.com URL.

But, why would someone trick you into clicking a cleverly disguised link? The site that you are redirected to may seem harmless. It could also be extremely malicious.

What if this page, the one you are currently viewing, were filled with Cross-Site Request Forgery (CSRF) links? This web page could be set up with all kinds of malicious intent, and you had no way of knowing that when you clicked the link. Now it is too late.

If this site did have Cross-Site Requests, I could do things such as:
  • Change the password on your facebook account
  • Transfer the money from your online bank account to another account
  • Enact trades from a financial institution such as E*Trade
The sites that I exploit would have to be vulnerable to CSRF. But researchers, such as Mike Bailey and Russ McRee, are constantly finding CSRF vulnerabilities in web applications.
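To show what makes the bank transfer link above forgeable, and what the bank's side has to check, here is an added Python sketch that is not part of the original post. It models the transfer handler twice: once authenticating by session cookie alone, and once requiring a POST that carries a per-session token. The request object, session store and balances are constructed stand-ins; the amount and account number are the ones in the post's example URL.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    params: dict                                  # query string or form fields
    cookies: dict = field(default_factory=dict)


# Constructed in-memory state: one logged-in session and two account balances.
SESSIONS = {}
BALANCES = {}


def reset_state():
    """Fresh session and balances so each scenario starts from the same point."""
    SESSIONS.clear()
    BALANCES.clear()
    SESSIONS["sess-abc"] = {"user": "victim", "csrf_token": secrets.token_hex(16)}
    BALANCES["victim"] = 5000
    BALANCES["56777564"] = 0


def do_transfer(src, dst, amount):
    BALANCES[src] -= amount
    BALANCES[dst] = BALANCES.get(dst, 0) + amount


def transfer_vulnerable(req):
    """Authenticates by cookie alone and acts on any method. A GET reached
    through another site or a shortened URL carries the victim's cookie too,
    so the server cannot tell it from the user's own click."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    do_transfer(sess["user"], req.params["to_account"], int(req.params["amount"]))
    return 200


def transfer_hardened(req):
    """Requires a POST carrying a per-session token that only a page served by
    this site can know; a cross-site link or auto-submitted form lacks it."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    supplied = req.params.get("csrf_token", "")
    if not secrets.compare_digest(supplied, sess["csrf_token"]):
        return 403
    do_transfer(sess["user"], req.params["to_account"], int(req.params["amount"]))
    return 200


def forged_link_click():
    """What the browser sends when the victim follows a disguised link:
    a GET with the victim's cookie attached and no token."""
    return Request("GET", {"amount": "1000", "to_account": "56777564"},
                   cookies={"session": "sess-abc"})


def legitimate_post():
    """The real transfer form served by the bank, which embeds the token."""
    token = SESSIONS["sess-abc"]["csrf_token"]
    return Request("POST", {"amount": "1000", "to_account": "56777564",
                            "csrf_token": token},
                   cookies={"session": "sess-abc"})


if __name__ == "__main__":
    reset_state()
    print("vulnerable, forged GET:", transfer_vulnerable(forged_link_click()), dict(BALANCES))
    reset_state()
    print("hardened, forged GET:", transfer_hardened(forged_link_click()), dict(BALANCES))
    print("hardened, real POST:", transfer_hardened(legitimate_post()), dict(BALANCES))
```

The forged click succeeds against the first handler because the browser attaches the session cookie to every request for that site regardless of who caused it. The second handler rejects it twice over: state changes are refused on GET, and the token is something a third-party page cannot read. Browser-side SameSite cookie behaviour complements this today, but the token check is the part the server itself controls.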

An example of how clicking links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani's Bad Sushi talk. In their presentation they described sending phishers a Word document stating that their account numbers were inside. They sent this email to 25 known phishers. 10 of the phishers opened the Word document and were presented with this. In addition, there was another link that said, "Actually, my account information is here." 3 of the 10 clicked on that link. Even the phishers click links they shouldn't.

What should be done? Who knows. It is human nature to trust people, and we can't get things done if every time someone sends us a link we open up a VMware image to view it. So continue using the Internet the way you have been and remember, "These aren't the droids you're looking for."

6.23.2009

Buzzword: FUD - Fear, Uncertainty, and Doubt



FUD is becoming a very common acronym to hear in security circles. The acronym FUD has been popping up on Blog postings, emails, tweets, and at security conferences.

FUD is an acronym that stands for Fear, Uncertainty, and Doubt. The phrase describes marketing schemes that rely on fear, uncertainty, and doubt to sell a product. Good examples of FUD are sensational headlines such as "Conficker Now Instructed to Steal" or, more famously, "Hackers Can Turn your Home Computer into a Bomb!"

With FUD campaigns the marketer is attempting to use FUD to sell something. This marketed item could be a "security" product or FUD can be used to create a buzz around the "item at hand."

One quick way to identify FUD is to spot a headline or article that is greatly sensationalized, relies heavily on speculation, or makes gross generalizations. The other critical factor in FUD is a lack of information: FUD articles clearly point out the problem but fail to show how the author arrived at the conclusion.

Fear, Uncertainty, and Doubt prey on human emotions, and marketing campaigns that exploit this will not be going away any time soon.

6.08.2009

Graph Theory: Analyzing Social Networks



Social networking applications are among the most popular websites that are used on the Internet. Facebook.com and myspace.com are both in the top 20 most visited pages on the internet. According to Alexa, 17% of global internet users visit facebook.com on a daily basis.
Facebook Alexa Stats
How can attackers use the abundant amounts of information that is available on these websites to aid in their attacks?

One method is by analyzing a victim's social network using network analysis.

Network analysis is a way to infer information from the social connections that someone makes. An attacker could use a social application's data set to:
By assigning people and organizations to nodes and linking nodes based on relationships, attackers can begin to infer information from these social graphs.

Who is the Most Influential?
It is beneficial for an attacker to know who is the most influential person in their victim's social network. Constructing a malicious instant message or email that requires user intervention (think Reflective Cross-Site Scripting) will have a higher success rate, if it is sent from the victim's most influential friend.

To analyze the victim's social network from an influence perspective, the attacker begins by constructing a graph with the victim in the center and each of the victim's friends as a node connected to the victim.

In this example, Sam is the attacker's target. Sam has five friends, Alice, Bart, Charlie, Dave, and Ed. This would create a star graph that would look like this.

Social Circle 1

The next step is for the attacker to analyze the connections between Sam's friends. The attacker identifies that Alice communicates with Bart on a regular basis, so a link is made between Alice and Bart.

It is also easier for the attacker to see who is the most influential by assigning a value to each vertex. Alice's and Bart's vertex values would change from 0 to 1, since each now knows one of Sam's other friends. In this example, we have made the vertex larger and assigned it a number. Once the social network is analyzed, the attacker will have a graph similar to this.

Social Circle 2

Since Ed knows 3 of Sam's friends, it can be inferred that Ed is the most influential person in Sam's network. If an attacker wanted to send a malicious instant message or email to Sam, the attacker would have the highest rate of success if the malicious message appeared to come from Ed.

This is a simple example. In reality, social networks are vastly more complicated. However, with the use of certain APIs an attacker could use network analysis to his benefit.
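The vertex-value step described above is a degree count over the friends-only graph. As an added example (not code from the post), the Python below builds that graph for Sam's circle and returns the highest-valued friend; the same computation tells a defender which contact's account would be the most convincing source for a spoofed message, and therefore whose compromise matters most to them. The Alice-Bart link is the one the post names; Ed's three links are an assumption made here to match the post's statement that Ed knows three of Sam's friends.

```python
# Constructed data for the post's scenario: Sam's five friends and the links
# observed between them. Which three friends Ed is linked to is assumed.
FRIENDS = ["Alice", "Bart", "Charlie", "Dave", "Ed"]
FRIEND_LINKS = [("Alice", "Bart"), ("Ed", "Alice"), ("Ed", "Charlie"), ("Ed", "Dave")]


def build_friend_graph(friends, links):
    """Undirected adjacency sets over the friends only. Sam's own star edges
    are left out: every friend has exactly one, so they carry no information
    about relative influence."""
    adj = {f: set() for f in friends}
    for a, b in links:
        if a not in adj or b not in adj:
            raise ValueError(f"link {a}-{b} references someone outside the circle")
        adj[a].add(b)
        adj[b].add(a)
    return adj


def vertex_values(adj):
    """The number the post writes on each vertex: how many of Sam's other
    friends this friend knows (the vertex degree in the friends-only graph)."""
    return {f: len(neighbours) for f, neighbours in adj.items()}


def most_influential(adj):
    """Friend(s) with the highest vertex value. Ties are all returned, sorted,
    rather than silently picking one."""
    values = vertex_values(adj)
    top = max(values.values())
    return sorted(f for f, v in values.items() if v == top)


if __name__ == "__main__":
    graph = build_friend_graph(FRIENDS, FRIEND_LINKS)
    for name, value in sorted(vertex_values(graph).items()):
        print(f"{name}: {value}")
    print("most influential:", most_influential(graph))
```

With the constructed links, Ed scores 3, Alice 2 and the rest 1, reproducing the post's conclusion. On a real data set the link list would come from observed interactions, and ties are common enough that the function returns every top-scoring friend.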

6.02.2009

Quantifying XSS - Why Merchants Won't Fix Their Cross-Site Scripting Vulnerabilities



From previous articles, you should be aware that Cross-Site Scripting (XSS) is an issue that is not going away any time soon.

Unlike its buzzword predecessor, SQL injection, Cross-Site Scripting is a difficult vulnerability to quantify. What is the risk of not remediating a Cross-Site Scripting vulnerability in your web application?

If you have recently gone through a web application assessment, the report most likely indicates the risk factor of having XSS is high. But, what evidence does the report writer have to support this statement?

Basic security teaches us that risk can be quantified as:

Risk = (Probability of the event occurring) x (The impact if the event occurs)


To support the consultant's statement, we would need to identify the probability of an attacker using a Cross-Site Scripting vulnerability as an attack vector and what the impact is if a user is exploited.

Impact
It is important to realize that XSS is a means, not an end. XSS is simply a transportation mechanism. It is used to facilitate the actual attack, which could be system compromise or stealing a user's session. The only limitation on XSS is that it operates in a browser environment.

Due to the numerous things an attacker can do with XSS, it is hard to quantify an impact for all XSS vulnerabilities. Since XSS has different severities in regards to impact, an organization should always choose the impact that is most severe. In other words, the worst-case scenario.

If a user is exploited through an XSS attack, an organization can assume the attacker is doing the most damaging thing imaginable. Therefore, if a user is compromised through XSS, the impact is high.

Probability of the Attack Occurring
We have now identified that the impact of Cross-Site Scripting is high. But what about the probability of it actually occurring?

It is difficult to find evidence of people using Cross-Site Scripting as an attack vector. There are cases where XSS was used, in conjunction with SQL injection, to insert an offsite iframe into a web page in order to attempt a traditional overflow. Should these attacks be included in the equation for the probability of it happening? Since it can be argued that these attacks used SQL injection, and not XSS, for propagation, these attacks need to be excluded.

The only evidence I can find is Verizon's 2009 Data Breach Investigations Report. That document, however, doesn't go into much detail about the specifics of the XSS attack.

Due to the lack of overwhelming evidence, XSS currently is not a common attack method. The probability of a Cross-Site Scripting attack occurring is low.

Cost-Benefit Justification of Fixing Cross-Site Scripting
Since it is difficult to quantify the cost of having an XSS vulnerability, it is just as difficult to do a cost-benefit analysis on fixing XSS vulnerabilities.

Why should merchants spend money on remediating their XSS vulnerabilities when there is no supporting evidence of attacks occurring?

Until more web applications are compromised through XSS vectors and there is more evidence to support this happening, not much security budget will go towards remediating Cross-Site Scripting vulnerabilities.

6.01.2009

Top Five Web Application Security Blogs



Today, I thought I would post great resources for information. If you want to be good at security, it means you need to be well read.

Here are the top five web application security blogs in no particular order.
  • Jeremiah Grossman - Probably the most read web application security blogger. Jeremiah reads all of the material so you don't have to.
  • Rsnake / Robert Hansen - The other most read web application security blogger. Interesting note: graduated from my alma mater.
  • Holistic InfoSec - Russ McRee's blog. Russ puts people on the stove. His posts are controversial and exciting. According to ISS, Russ was one of the Top Vulnerability Discoverers in 2008. Keep an eye on him; it is interesting to see what he will do next.
  • Billy Rios - Also known as the XS-Sniper! Billy is behind some of the most innovative research as of late. He is the man behind Gifars and URI overflows. He is also known to smuggle olives on occasion.
  • Nitesh Dhanjani - Although he covers a wide range of topics outside of web application security, Nitesh continually blogs about topics that are thought-provoking.


5.29.2009

60-day Cyberspace Policy Review Released and the Crowd Falls Silent



Today, the 60-day cyberspace policy review has been publicly released. Melissa Hathaway, the Cybersecurity Chief at the National Security Council, was in charge of leading the effort and was one of the keynote speakers at RSA.

Here are some of the main points of the document:
  • Establish a person in the White House whose responsibility it is to report to the president on matters of cyber security (the cyber czar position)
  • Review the laws and policies that are currently in place and issue more by tying the position into congress.
  • Increase public awareness about the risks of the internet
  • Increase public education about how to be secure when conducting internet activities.
  • Expand federal IT workforce (A.K.A. The government needs to pay more)
  • Executives need to be more aware of cybersecurity.
  • Government and Private Sector need to work together.
  • Laws regarding "collusion" need to be relaxed so that companies can work together more. (Scary Thought)
  • Work with International Governments to form jurisdiction lines.
  • Build a framework for incident response.
  • Enhance information sharing across government bodies for better incident response handling.
  • Improve Cybersecurity across all infrastructures
The policy review should upset anyone in the security field. It points out the obvious. I expect much more from our National Security Council. Metaphorically, this paper is like taking your car to a mechanic and asking for a full diagnostic of the health of your vehicle. After 2 weeks, you come back and the mechanic gives you a piece of paper with the phrase, "Your Car is Black."

This review is a complete miss from a security standpoint. Hopefully, it will bring awareness to multiple parties on what needs to get done, but it doesn't help to fix anything.

Government was designed to move slow. The founders of this country did not want the government to make any hasty decisions, hence bureaucratic red-tape. The internet on the other hand is designed to move very fast. As soon as something becomes popular on the internet, the next thing is being developed.

It is hard to comprehend a government body that would be able to keep pace with the internet. In fact, as soon as the policy review was completed, the internet has already changed.

5.27.2009

What Motivates Hackers? Why, Money of Course.



Attackers are motivated by multiple factors. Previously, "experts" believed most attackers were social outcasts who were writing malicious software out of their parent's basement. These attackers were not driven by any particular motive. They were more driven by the problem-solving aspect. They wanted to know if they could do it. This idea that attackers are socially inept kids based in the United States is quickly becoming inaccurate.

Most security articles are focused on the means of the attack. They don't address what attackers are actually after.

The four motivating factors for attackers that have been identified are:
  1. Financial Gain
  2. Notoriety
  3. Political
  4. Vengeance
Financial Gain
Hacking, malware, and worm creation are money-making opportunities. Worms, such as Conficker, are being tied to organized crime based in former Soviet republics.
The tightly managed criminal organizations behind such scams—often based in Russia and former Soviet republics—treat malware like a business. They buy advanced code on the Internet’s black market, customize it, then sell or rent the resulting botnet to the highest bidders. They extend the worm’s life span as long as possible by investing in updates—maintenance by another name. This assembly line–style approach to crime works: of all the viruses that Symantec has tracked over the past 20 years, 60 percent of them have been introduced in the past 12 months.
This shouldn't be surprising. If criminals have no problem killing another human and taking their wallet, why would they have problems stealing massive amounts of money electronically?

However, organized criminals aren't the only attackers driven by financial gain. There is also evidence of financially driven attackers being petty criminals. These are the types that don't have a great understanding of what they are doing. They can be found on websites specifically setup for trading credit card numbers or other Personally Identifiable Information (PII). Some researchers, such as Rios and Dhanjani, have done research into this subgroup.

Notoriety


There is still evidence of hacking for notoriety. Most of these attackers are the "13-19" year old kids described above. The reason these individuals attack systems is driven by their want to become famous.

A recent example is the Mikeyy worm created by Michael Mooney of StalkDaily. This sub-group usually will justify their attacks by stating, "I wanted to bring awareness to the problem." This is a constructed answer but demonstrates their want to become famous. They are clearly stating, they were the ones who wanted to bring awareness to the issue. These attackers typically have a Robin Hood type mentality of bringing knowledge to the uninformed.

Political
These attackers are politically focused or driven by political means. This group includes "hacktivists" and foreign nationals driven to cause damage to an enemy country. Examples of these attacks are the Titan Rain and more recently Power Grid hacking.

Political motivation is frightening. Many countries will not deter attackers from hacking a foreign country. In addition, law enforcement has a hard time tracking down or arresting these types of attackers due to the lack of cooperation from foreign countries.

Vengeance


These attackers are the most dangerous. They will attack people who have somehow made them upset. Their driving factor is causing as much pain as possible for their victim.

These attacks typically target an ex-girlfriend or a celebrity. They are the electronic equivalent of breaking someone's windshield. There is nothing that can really be done to prevent it other than to stop using the Internet.

5.26.2009

How to Hack: Hacking by Numbers?!



A course will be offered this year at Black Hat entitled, "Hacking by Numbers: PCI Edition." A quote from the appropriate literature:
The PCI Data Security Standard (DSS) has had a huge impact on the information security industry. One effect that it has had is to make annual penetration testing mandatory in some segments, and thereby spawn a whole new class of off-the-shelf penetration testers.
The term "off-the-shelf penetration testers" makes my stomach churn. It is my belief that hacking is more of an art than a science. Hacking is methodical, but it takes a specific type of person to do it. Typical hackers are very methodical and analytic. In addition, every hacker that I have ever met has a never-give-up mentality. This attribute serves as a feedback loop into the problem they are working on.

Sure some security work and/or security methodologies can be taught, but to be a "breaker" you have to have a certain personality type.

What are your thoughts on this? Feel free to tweet me about the topic. @miscsecurity

Information Gathering: A Way to Identify Who Uses Social Sites



Information gathering on targets is key for attackers. They need to understand their targets to construct more successful attacks.

Recently, I came across http://namechk.com/ and I was blown away by the amount of information this site reveals.

The site promotes itself as a way to "check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites."

namechk lookup

From an attacker's standpoint, let's say I want to identify all of the resources that Jeremiah Grossman, the CTO of WhiteHat Security, uses. I simply type in his blogspot id, "jeremiahgrossman", and I identify that in addition to blogspot he also posts to delicious and youtube. This is great!

For an attacker, this resource provides a way to identify additional paths of research.

5.21.2009

An XSS Primer - Understanding Cross Site Scripting



If it hasn't already, Cross-Site Scripting (XSS) will soon be replacing SQL injection as the new buzzword in the security sector.

XSS will continually be a topic on this blog as well as others [1],[2],[3],[4]. Due to this fact, I think a primer would be a good idea for those who don't know or understand this problem.

Many articles have been written about Cross-Site Scripting and if you want to have a better understanding of the problem, I suggest you read those documents (Links at the bottom of the post).

Basically, there are 3 types of Cross-Site Scripting:
  1. Stored/Non-Reflective/Persistent Cross Site Scripting (User visits the XSS'ed page)
  2. Non-Stored/Reflective/Reflected Cross Site Scripting (User clicks a link that embeds the script into the loaded page)
  3. DOM Based Cross Site Scripting (please read this article)
All of these names make it confusing for a first timer to understand XSS. There really should be a better web application security standards organization. Here is a breakdown of Persistent XSS and Reflective XSS. These are the big two that most people talk about when they are referring to Cross Site Scripting. If you understand these well, you will be able to participate in 90% of XSS conversations.

Persistent Cross-Site Scripting
Persistent XSS is arguably more dangerous than reflective XSS. This attack embeds the malicious script permanently into the web application. The script then waits until people access the page it is located on.

Here is an attack using Persistent Cross-Site Scripting:
  1. The victim visits a website they trust, amazon.com.
  2. A script has been inserted by an attacker on a page they happen to visit while on amazon.com.
  3. The script executes in the context of amazon.com.
  4. The victim is then compromised.
Note: Obviously, someone can increase the chances of the victim visiting this page (step 2) through social engineering, phishing, etc.

Reflective Cross-Site Scripting
These are the ones the media usually reports on. [1],[2],[3]. In this attack, some type of social engineering is involved for the attack to be successful.

Here is an attack, using Reflective Cross-Site Scripting:
  1. The victim gets an email/Instant Message that contains a link.
  2. The victim clicks the link. (Requires User Intervention)
  3. A script has been inserted by an attacker on the page they then visit.
  4. The script executes in the context of that site.
  5. The victim is then compromised.
Note: I want to reiterate that this attack requires some type of user intervention (step 2).
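Both attack flows above come down to the same server-side mistake: user-supplied text is written into the page as markup. As an added example that is not part of the original post, the Python below renders a persistent case (a stored comment shown to every later visitor) and a reflected case (a search term echoed back to the one user whose link carried it), each with and without output encoding. The comment text and the script string are constructed sample inputs.

```python
import html

# Constructed sample inputs: one ordinary comment and one carrying script.
ORDINARY = "Great product, five stars"
SCRIPT_PAYLOAD = "<script>alert(1)</script>"


def store_comment(comment_store, text):
    """Persistent case, step 2 of the post: the server saves what was submitted."""
    comment_store.append(text)


def render_comments(comment_store, escape_output):
    """Builds the page every later visitor sees. With escape_output=False a
    stored script becomes live markup for all of them (persistent XSS); with
    escape_output=True the browser shows the characters and runs nothing."""
    items = []
    for text in comment_store:
        body = html.escape(text, quote=True) if escape_output else text
        items.append(f'<li class="comment">{body}</li>')
    return "<ul>" + "".join(items) + "</ul>"


def render_search(query, escape_output):
    """Reflected case: the page echoes a request parameter back to the single
    user whose link carried it, so the script runs only for that user."""
    shown = html.escape(query, quote=True) if escape_output else query
    return f"<p>Results for: {shown}</p>"


def has_live_script(page):
    """Crude check used here only to make the difference visible: does the
    page contain an unescaped <script> tag? Real scanners parse the HTML."""
    return "<script" in page.lower()


if __name__ == "__main__":
    comments = []
    store_comment(comments, ORDINARY)
    store_comment(comments, SCRIPT_PAYLOAD)
    for escape in (False, True):
        print(f"escape={escape}")
        print("  persistent:", render_comments(comments, escape))
        print("  reflected: ", render_search(SCRIPT_PAYLOAD, escape))
```

html.escape covers text placed in element bodies and quoted attributes, which is where this example writes it; text placed inside a script block, a URL or a CSS rule needs an encoder for that context instead, since the characters that matter differ.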

Why is Cross-Site Scripting Bad?
Cross-Site Scripting can lead to all sorts of different exploits, including system compromise. For an attacker to do this, they need to break out of the browser's context. We have seen examples that breaking out of the browser is not that hard to do.

In addition, an attacker can also establish a bi-directional channel using iframes. This creates a man-in-the-middle attack. The attacker can then intercept keystrokes, use the victim's browser as an intranet port scanner, and even steal credentials. The attacker is only limited by their knowledge of scripting.


Example of a bi-directional channel

Hopefully, this gives you a better understanding of Cross-Site Scripting. Feel free to leave comments if you don't understand something and I will address it in the article.

Additional Resources:
Cross-Site Scripting (XSS) FAQ
OWASP Guide to XSS
XSS tutorial
XSS Video Tutorial (via youtube)
XSS Attack API

5.20.2009

5 Key Factors of Complexity



Brian J. Truskowski, General Manager of Internet Security Systems (ISS), gave a keynote presentation at RSA 2009. His talk touched on an interesting topic that he referred to as the "5 Key Factors of Complexity."

He identifies that the key cause of compromise is human nature: the fact that humans are susceptible to social engineering. Instead of focusing on securing systems, Mr. Truskowski argues that we should design systems that are "resistant to human frailty." He goes on to state that designing these systems (by reducing complexity) is difficult.

According to Mr. Truskowski, the 5 key factors of complexity and the key to designing these systems are:
  1. Threats
  2. Compliance
  3. Technology
  4. Economics
  5. Business Needs
Unlike security vendors, businesses have to keep focused on all of these factors or they will be unsuccessful. Vendors, according to Mr. Truskowski, are only focused on one of these factors... Threats. He argues that if an enterprise doesn't focus on compliance, it is fined, and if a business doesn't focus on business needs, the business can't change.
"It's like building the Titanic. The ship's designers optimized around being able to withstand collisions at the sacrifice of maneuverability. There have been many theories over the years over why the Titanic sank, from brittle steel to sub-standard rivets. But, in reality, it is obvious why the Titanic sank. It couldn't get out of the way of the iceberg. The Titanic's designers focused on size, strength, resilience, and luxury but not on maneuverability."
I think Mr. Truskowski's talk was the hidden gem at RSA. It is an interesting idea for security vendors to begin focusing on things other than threats. Of course, if the idea gets legs, it will be 10-15 years before any change occurs. It is great to see people thinking holistically about security.

The video/webcast can be seen here: (5 Factors of Complexity starts at 19:49)

5.19.2009

Information Gathering At Its Best: Using Google Alerts for Fun and Profit



Knowledge is Power.


Sun Tzu stated in the Art of War, "So it is said that if you know your enemies and know yourself, you will fight without danger in battles." Having intelligence on your enemy is key to winning military battles. In business, having any competitive edge, including intelligence, can be the difference between winning and losing a key project, beating a rival colleague, and getting a raise or promotion.

Google, a small start-up out of Mountain View, has a feature called Google Alerts that will help keep your enemies informed. Google Alerts is a way for people (or attackers) to stay informed of new pages that have been indexed by Google. When Google's bots are scanning and indexing the Internet, they look for the specific keywords that the user set up beforehand, just like issuing a Google query. When Google's bots identify these keywords, they email you a link to the page the keywords were found on.



This is a great feature that can be used to stay informed on all sorts of things. Say, you would like to stay informed of Gavin Newsom, the mayor of San Francisco, running for Governor of California. You could set up a Google Alert with "Gavin newsom" and "governor" as the keywords and be emailed any new pages that Google identifies.

It seems that Sun Tzu was correct. Knowing your enemy, and knowing what he knows, is the key to winning battles.

5.18.2009

Buzzword: Managed Services



What is the word most likely to be heard at a non-technical security conference? If you said, "Managed Services," "Managed Information technology services," "Managed Solutions" or some variant of it, then you have been spending too much time at security conferences.

Managed Services is the idea that you take some piece of your company and have someone else do it. Companies typically take something that is expensive for them to do and then outsource it. For instance, most large companies pay an accounting firm, such as one of the Big 4, to do their taxes instead of having a dedicated tax department. This of course is an analog managed service, and is sometimes regulated by compliance. Another analog managed service would be a law firm.

The type of managed service this article is referring to is a digital one. The idea that you can pay someone to outsource some piece of your general solution. That could be web hosting services or security services.

Although managed services is not a new idea, it is gaining snowball-style momentum. There are, of course, companies who have built their entire model on Managed Services, such as Savvis and Akamai. More recently, larger companies are jumping on the bandwagon to also offer managed solutions. These companies include AT&T, BT, and an unlikely candidate, Amazon, with their S3 cloud/EC2.

So, if you want to make sure your company can play with the big boys, make sure you have a managed service solution.

Note: Totally off topic from the Buzzword itself is the site, www.managedsoultion.com. They cashed in on the buzzword and actually named the company after the buzzword. I am going to start making a note on each buzzword to see if any other companies have done the same. Great Marketing!

5.15.2009

Fortify Has No Understanding Of the Problem



Note to IT people. If you don't know about a subject, don't blog about it like you do.

Case in point, Fortify recently posted this blog entry about XSS (cross-site scripting).

Fortify states, "In short, XSS vulnerabilities can enable an attack to alter the price of an item displayed on a reputable website. At first glance this appears harmless since the attacker can't actually purchase the item at the modified price. However, by printing out the page showing the modified price and requesting a price match at a competing store, the attacker can leverage this technique to acquire goods at radically discounted prices"

WHAT?!?

Why doesn't the attacker just save the content of the website locally and then modify it? This article is ridiculous and should discredit "mmadou", the author of the article, as a security expert. Ridiculous.

5.12.2009

What businesses actually want: lessons learned on the RSA floor



From a security perspective, companies want simple solutions. As I walked the RSA expo floor a few weeks ago, this became very apparent.

Vendors were pitching products that were among other things, "in the cloud", "self-maintained", and "auto-updated." It seems that companies are looking for simple solutions for complex problems. (Duh?)

As I walked around the exposition floor, I began to chuckle, realizing that there were more people in the Moscone center than there are attackers in the world. More money gets pumped into security products than actual money gets stolen. What an amazing idea.

Now, imagine I have a product that you can:
  1. Plug into your network or computer.
  2. Requires no "maintenance".
  3. Will prevent your network/computer from being attacked.
  4. Alert you after it has successfully prevented the attack.
This was essentially every product that was being offered at RSA.

My two-cents: No product or grouping of products will prevent an attack. You can do some preventative measures, however, if an attacker wants to get you, they will.

Good Luck!

5.11.2009

Marcus Ranum



Marcus Ranum, credited with the invention of the firewall, publishes very interesting articles on security. He is currently employed as the CTO of Tenable Security. He also contributes to his own page from time to time.

Mr. Ranum reminds me of Maddox, if Maddox only talked about security and was much more articulate. My first introduction to Mr. Ranum was a rant entitled "The Six Dumbest Ideas in Computer Security." One of the key points in that essay was that pentesting is not needed ("Penetrate and Patch"). As a pentester I was outraged, but Mr. Ranum made a good point. Ever since reading that posting I have attempted to follow Ranum's postings. Note: another of the dumb ideas is "Hacking is Cool", which Ranum argues it isn't.

Mr. Ranum recently published an article entitled "The Anatomy of Security Disasters."

Some of the ideas in the paper are:
  • Ideas that are bad for security can get legs and then be hard to stop.
  • The person in the room who can best articulate their idea is the one who wins the argument, regardless of whether it is the "right" thing to do.
  • Management typically blames the security team for not informing them adequately, even after emails from the security team to that very manager are discovered.
  • At the end of the day, no new processes are developed to prevent the problems from happening again.
It is a great read and you should take 30 minutes out of your day to read it.

5.08.2009

Buzzword: Compliance



Compliance is not a new buzzword; in other industries compliance has been around for a long time. During the RSA conference, every vendor had the word compliance on their cardboard bulletin board, an adult version of a diorama. [1]

What are the different types of compliance?

In computer security, compliance began with the government. This is where all good ideas come from (sarcasm). Over time, compliance regulations evolved into something that was "needed" by the industry to make sure that corporations took steps to protect their users' data. It is sad that corporations need an intervening body to tell them that they should secure their data. However, this is why HIPAA and SOX came about. Why should a hospital spend money to protect patients' records? That is crazy talk!

I have been in the security community for a long time, and I hate to tell you, but companies will never care about security. They will do the minimum required to satisfy the masses. In the U.S. the only thing that matters is the bottom line. Companies pay for cost-benefit analyses to determine what the corporate strategy should be. Corporations don't do this because they care about the result; they do it to save money and thus be profitable for their shareholders.

If the only thing that matters is the bottom line, you need independent regulatory agencies to mandate certain rules for the greater good.

As long as consumers believe that the products they buy are safe, they will continue to buy them.

Let's take the protection on a container of Tylenol. In 1982, a number of people in Chicago were poisoned because someone decided to put potassium cyanide in random bottles of Tylenol. What was the result? Tylenol's market share dropped from 35% to 8%. It took Johnson & Johnson an entire year to win that market share back. They did this by introducing triple-sealed, tamper-evident packaging and lowering their price to be more competitive. Afterwards, Johnson & Johnson held more market share than they had before!

In this example, the consumer stopped trusting that Tylenol was safe and subsequently stopped buying Tylenol. They didn't stop buying medicine, just Tylenol. The attacker could have poisoned other brands too, but that didn't matter. What the customer cared about was the safety of a product. When the consumer felt good about Tylenol again, they began buying the product again.

The purpose of compliance is to make the consumer feel safe. The government needed to step in and mandate it so that people would feel protected.

Does compliance work?

It depends on who you ask. Mike Bailey doesn't think so. However, others do. For instance, companies that profit from compliance definitely think it works.

Why is compliance so often talked about?

Companies that do cost-benefit analyses like the ones above need to be compliant. They will comply in the cheapest way they can, thus keeping their operating costs low. Vendors will continue to offer cheaper and cheaper compliance products. Just remember: they get what they pay for.

5.07.2009

Verizon's 2009 Data Breach Investigation Report




Verizon's annual data breach investigation report came out last week, and I finally had a chance to read through it. I read other security bloggers' synopses of it, but none of them seemed to point out anything that was interesting to me.

Here is the interesting bit that I found: Verizon actually recorded someone using XSS as an attack vector.

Typically, it is very difficult to find anything online that points to people using XSS maliciously. Most of the time, XSS is used to increase page views (the recent Mikeyy worm on Twitter) or for popularity (the Samy worm on MySpace).

We, the security community, now have some hard evidence to explain how XSS could be an issue for companies. Is this enough to bring awareness to management?


5.06.2009

Rsnake's Bullet Metric: A Response



Rsnake posed a thought experiment asking the following: "If you put anti-virus on every desktop in the world, would you stop viruses from existing?"

One of the critical assumptions in the post seems faulty. Early in the post, Rsnake answers the above question stating, "I think any reasonable person who understands how viruses work would say no. It will, however, make the bad guys work harder and iterate faster to get by the filters (boutique malware)."

But would virus developers continue to develop? Attackers, like computer scientists in general, are lazy; they want to follow the path of least resistance. If every desktop in the world had anti-virus installed, would the attackers actually want to "work harder and iterate faster?"

linkage: Silver Bullet Metric (ha.ckers.org web application security lab)

First Post



I have been reading, thinking, and discussing miscellaneous security topics more often and I have decided to start putting them down somewhere.

A book will also soon be published, and I figure I need somewhere to continue writing.

Feel free to email me, I am sure there is a button around here somewhere. :)