Accessibility is a pretty hairy issue in web development. When attempting to determine if your site is accessible, there are so many standards and recommendations to follow. 508, WCAG, WCAG 2.0, WAI Priority 1, 2 & 3.
Well, now there is a new standard from the W3C called WAI-ARIA (Web Accessibility Initiative - Accessible Rich Internet Applications)
The simplest definition of ARIA is adding UI semantics via HTML element attributes. Simply, you add things like ‘<div role="nav">‘ or ‘<form role="search">‘ to specific HTML elements to give screen readers a better understanding of your content.
The ARIA spec is huge (160 pages), so I won’t go over every part of it in detail. The four areas I will focus on are landmarks, required, invalid and live regions.
ARIA Landmarks
Today, when a blind user encounters a website, navigation between elements of the page can be difficult because there is no established method of marking areas of the page as navigation, content, footer, etc. Luckily, with ARIA we can.
Here’s some example markup of a typical webpage:
<div id="header">
<h1>My Awesome Website</h1>
<form> </form>
</div>
<div id="content">
<ul id="nav"></ul>
My website rocks!
</div>
<div id="footer"></div>
And here’s what it looks like with ARIA Landmarks:
<div id="header" role="banner">
<h1>My Awesome Website</h1>
<form role="search"> </form>
</div>
<div id="content" role="main">
<ul id="nav" role="navigation"></ul>
My website rocks!
</div>
<div id="footer"></div>
What I’ve done is add ARIA roles to certain parts of the page (header, nav, search form, primary content). Because the roles are a defined spec, screen readers can parse the page for roles and allow a user to jump to each part without having to navigate through all the content.
ARIA Required & Invalid
Another part of the ARIA spec is the attributes ‘aria-required’ and ‘aria-invalid’. These attributes communicate to screen readers that a particular form field is required and/or invalid without requiring the user to look for asterisks or other text near the field. The screen reader would alert the user to this information. Here’s an example:
<form id="searchform" role="search">
<p class="error">You did not enter a search term</p>
<input name="query" value="" aria-required="true" aria-invalid="true" />
</form>
The above code has the ‘aria-required’ and ‘aria-invalid’ attributes set to true. When a screen reader encounters this code, it will read aloud ‘required’ and ‘invalid’. This is a lot simpler for a user than attempting to find error messages and/or asterisks in the page.
ARIA Live
A particularly difficult area of accessibility is dealing with AJAX. How can you communicate to a screen reader that content is loading or has changed? Thankfully, with ARIA Live Regions, it is quite simple. Here’s an example:
<div id="sidecontent" aria-live="polite"> AJAX content goes here... </div>
Adding the ‘aria-live’ attribute to an element alerts a screen reader that content will change in this region and to read it aloud when it does. The aria-live attribute has ‘politeness’ levels, which allow you to specify how polite the updates should be. The four levels are
The various levels of politeness allow for different situations where users would need to be notified immediately of important information or for content that is not as important.
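The following is an added example, not code from the original post, showing how the ‘aria-required’, ‘aria-invalid’ and ‘aria-live’ attributes described above are driven from JavaScript: the search form's input is marked required and invalid when the query is empty, and the result of the validation or of a content load is announced through a live region. The helpers only touch setAttribute/getAttribute/textContent, so they accept real DOM elements in a browser or the small stand-in element below under Node. The stand-in, the element names and the messages are assumptions for the example; the politeness values accepted are the three in the published WAI-ARIA 1.0 recommendation (off, polite, assertive).

```javascript
// Added example, not code from the original post: driving aria-required,
// aria-invalid and an aria-live region from JavaScript.

// Stand-in for a DOM element (assumption: in a browser you would pass the real
// <input> and <div> obtained from document.getElementById instead).
function fakeElement() {
  const attrs = {};
  return {
    value: '',
    textContent: '',
    setAttribute(name, val) { attrs[name] = String(val); },
    getAttribute(name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    },
  };
}

// Politeness values in the published WAI-ARIA 1.0 recommendation.
const LIVE_LEVELS = ['off', 'polite', 'assertive'];

// Mark a field as required and set aria-invalid from its current value.
// Returns true when the value is acceptable. Screen readers announce
// "required" and "invalid" from these attributes, so the user does not have to
// hunt for an asterisk or an error paragraph placed somewhere near the field.
function markRequiredField(input, value) {
  input.setAttribute('aria-required', 'true');
  const empty = value.trim().length === 0;
  input.setAttribute('aria-invalid', empty ? 'true' : 'false');
  return !empty;
}

// Announce a message through a live region. textContent is used rather than
// innerHTML so that text fetched via AJAX is never parsed as markup.
function announce(region, message, politeness = 'polite') {
  if (!LIVE_LEVELS.includes(politeness)) {
    throw new Error('unknown aria-live level: ' + politeness);
  }
  region.setAttribute('aria-live', politeness);
  region.setAttribute('aria-atomic', 'true'); // read the whole region, not just the changed node
  region.textContent = message;
  return region.textContent;
}

// Validate the search form from the post. Returns the error message that was
// announced, or null when the query was accepted and a status was announced.
function validateSearch(input, statusRegion) {
  const value = input.value || '';
  if (!markRequiredField(input, value)) {
    return announce(statusRegion, 'You did not enter a search term', 'assertive');
  }
  announce(statusRegion, 'Searching for ' + value.trim() + '...');
  return null;
}

// Stand-alone run under Node with the fake elements.
const demoInput = fakeElement();
const demoRegion = fakeElement();
validateSearch(demoInput, demoRegion);
console.log(demoInput.getAttribute('aria-invalid'), '|', demoRegion.textContent);
```

In a browser the live region must already be present in the document (with its aria-live attribute set) before the first update, otherwise screen readers will not have registered it; the empty `<div aria-live="polite">` from the post satisfies that.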
Summary
This is just a quick overview of ARIA and its uses, but I’m really excited about the possibilities it creates. We can communicate the intent of our content much more explicitly. There are also a lot of other aspects to ARIA, including widgets (slider, checkbox), application structure (alerts, log, progressbar) and document structure (article, grid, definition), that are exciting.
Further Reading
The story “Michael Jackson rushed to hospital” was the highest clicking story in our history. It generated a whopping 800,000 clicks within 10 minutes and news of his death saw 560,000 clicks in 10 minutes. Also, the news area on our front page experienced five times the amount of traffic it normally receives.
Yahoo! News set an all-time record in unique visitors with 16.4 million people, surpassing our previous record of 15.1 million visitors on election day. Four million people visited the site between 3-4pm Pacific time, setting an hourly record. We also recorded 175 million page views yesterday, our fourth highest after Inauguration Day, the day after the Inauguration, and Hurricane Ike.
Also interesting are the related searches that have been spiking:
* Who is the girl in the Thriller video?
* Who is the most famous person in the world?
* Who bought Neverland ranch?
* When did Michael Jackson turn white?
* How did Michael Jackson bleach his skin?
* Who was in the Jackson Five?
* Who owns the Beatles catalog?
* How is Randy Jackson related to Michael Jackson? (not related)
* How much was Michael Jackson worth?
* How tall was Michael Jackson?
* Is the real Michael Jackson dead?
* Was Michael Jackson a muslim?
* What is Michael Jackson’s favorite color?
* What is Michael Jackson’s favorite number?
* Where will Michael Jackson be buried?
The interest, while interesting, is not surprising. He’ll be remembered as one of the greatest Artists of All Time.
The startup VoIPShield is changing its disclosure policy to stop giving out VoIP bugs for free and start charging vendors for it. CEO Rick Dalmazzi writes:
Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.
I can totally see his point. While we would like to see all vulnerabilities out in the open, for free, companies and researchers that have worked hard to find security vulnerabilities should be compensated.
But I do think Rick is taking the long and hard path by asking the vendors directly - there’s still a long way to go there. We’ve been helping researchers sell their research to organizations who wanted to pay for 0-day vulnerability information through our SSD (SecuriTeam Secure Disclosure) program and the main conclusions so far are that there are organizations willing to pay for this information to protect themselves, but those are not the vendors (yet).
What we see is that organizations use this information as leverage on the vendors. Since they have information about undisclosed vulnerabilities, they can easily exercise this (better than we can, as researchers) to force the vendors to plug those holes. After a while, maybe vendors will choose to drink upstream and subscribe for this information. But that may take a while (a friend of mine that is responsible for product security for a very large vendor says that will be a cold day in hell).
In any case, good luck to VoIPShield and their new paid-disclosure program. If they are successful I think security researchers will benefit, and in the long run customers will be more protected as vendors get direct access to zero-day vulnerabilities. 









My only complaint on the news article is this part:
"Federal agents say Nelson said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters."
With absolutely no reference to why that sort of information might be useful or dangerous. Is my full name and address sensitive information? I would hope not, since it's public...
"CBS13 was able to find processed deposit slips and junk mail with full names and addresses in the garbage of a local bank."
I wish more of these prints were available for sale, or at least in a large format image for printing. I love this style of art.
[ Image Link ]
[ Image Link ]
[ Image Link ]
[ Image Link ]
[ Image Link ]
The final image especially reminds me of Todd McFarlane's artwork in Pearl Jam's Do The Evolution Video (which contains one of my favorite guitar riffs of all time).
[ Video Link ]
When I was in London last year I snapped this photo of Andre/Obey graffiti coming in from Heathrow.
Two weeks ago, I announced SSL Labs and my technique for passive SSL cipher suite analysis. It won’t surprise you to learn that I've been carefully observing the cipher suites used in the requests that came to the web site since. (In fact, I announced the site slightly earlier than I had planned because I wanted to get my hands on some real-life data.) One client’s SSL fingerprint immediately caught my attention, because it supported only 4 cipher suites. It was Googlebot.
There were 115 visits from Googlebot in the two-week period, using 5 different User-Agent strings (although Googlebot will sometimes send a request without User-Agent set):
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
Googlebot-Image/1.0
Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; feed-id=9430846974815548184)
The first one is by far the most common, although the other ones appear on a regular basis. I used reverse DNS to verify that the IP addresses belong to Google, with the exception of one Feedfetcher request, for which I had to use ARIN.
As I’ve already mentioned, Googlebot's SSL fingerprint is quite short:
h2,03.01,010080,04,05,0a
The first token indicates the version of the SSL handshake used. In this case it’s h2, which is the code for the SSL v2 handshake. The second token indicates the highest SSL version a client is willing to support. Googlebot’s choice, 03.01, indicates that it is willing to go as far as TLS v1.0. Modern browsers do not support SSL v2.0, so it's generally rare to see a browser use an SSL v2 handshake. Search engines don’t care about security, but they do care about accessing as many servers as possible: they’ll compromise and support the weaker protocols.
What follows is the most interesting part: the codes for only 4 cipher suites. They are:
SSL_CK_RC4_128_WITH_MD5 (0x010080)
SSL_RSA_WITH_RC4_128_MD5 (0x04)
SSL_RSA_WITH_RC4_128_SHA (0x05)
SSL_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)
The first suite is only valid with SSL v2.0, while the three remaining ones work in SSL v3.0 or TLS v1.0. It's obvious that, unlike with most other SSL clients, the cipher suites on this list were hand-picked. If I had to guess, I would say that the motivation was to save on bandwidth. It’s likely that all SSL v2.0 servers support the one SSL v2.0 cipher suite, while 3 suites are needed to support the rest of the Internet.
Assuming the reason for such a short list of cipher suites is frugality, I am surprised it doesn’t contain suites with weaker ciphers. A search bot doesn’t really care about security, so it could afford to negotiate a weaker cipher and perhaps save some CPU cycles. Similarly, 3DES is significantly slower (than, for example, RC4), so it would be my first candidate for removal if I were concerned with performance. Thus, I am guessing it’s there for interoperability.
It would be interesting to get someone from Google to comment.
Interestingly, my net caught one search engine imposter, who claimed he was Googlebot, but wasn't. While I could have also used a reverse DNS lookup to determine what the imposter wasn’t, in this case I was also able to identify what it was: someone browsing the Internet using a Firefox 2.x browser with an altered User-Agent field. Nice!
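As an added example (not code from the post or from SSL Labs), here is a small decoder for the fingerprint format shown above. It splits a fingerprint into handshake code, highest offered version and cipher suite codes, names the four suites the post lists, lists the weaknesses a defender would note (SSL v2, RC4, 3DES, MD5), and implements the cheap first filter the imposter story suggests: a client whose User-Agent claims to be Googlebot but whose fingerprint differs from the one observed above. The version-name table is the standard SSL/TLS numbering; the handshake code names other than h2 and the treatment of six-digit codes as SSL v2-only cipher specs are assumptions made for this example.

```javascript
// Added example, not part of the original post: decoding passive SSL
// fingerprints of the form "h2,03.01,010080,04,05,0a".

// Cipher suite codes from the post. SSL v2 cipher specs are three bytes long
// (six hex digits); the SSL v3 / TLS suites are two bytes, which the post
// writes without the leading 00 byte (0x0004 appears as 04).
const SUITE_NAMES = {
  '010080': 'SSL_CK_RC4_128_WITH_MD5',
  '04': 'SSL_RSA_WITH_RC4_128_MD5',
  '05': 'SSL_RSA_WITH_RC4_128_SHA',
  '0a': 'SSL_RSA_WITH_3DES_EDE_CBC_SHA',
};

// Standard protocol version numbers (major.minor) and their usual names.
const VERSION_NAMES = {
  '02.00': 'SSL v2.0', '03.00': 'SSL v3.0', '03.01': 'TLS v1.0',
  '03.02': 'TLS v1.1', '03.03': 'TLS v1.2',
};

// Googlebot's fingerprint as observed in the post.
const GOOGLEBOT_FINGERPRINT = 'h2,03.01,010080,04,05,0a';

function parseFingerprint(fp) {
  const tokens = fp.trim().split(',');
  if (tokens.length < 3) {
    throw new Error('expected handshake, version and at least one suite: ' + fp);
  }
  const [handshake, maxVersion, ...codes] = tokens;
  return {
    handshake,
    handshakeName: handshake === 'h2' ? 'SSL v2 handshake' : 'handshake code ' + handshake,
    maxVersion,
    maxVersionName: VERSION_NAMES[maxVersion] || 'unknown version ' + maxVersion,
    suites: codes.map(code => ({
      code,
      name: SUITE_NAMES[code] || 'unknown suite 0x' + code,
      sslv2Only: code.length === 6, // assumption: 3-byte codes are SSL v2 cipher specs
    })),
  };
}

// Weak points a defender would note for this client. For a search bot this is
// informational; for a client claiming to be a modern browser the same list
// would show that it is not what it says it is.
function weaknesses(fp) {
  const parsed = parseFingerprint(fp);
  const found = new Set();
  if (parsed.handshake === 'h2') found.add('SSLv2 handshake');
  for (const s of parsed.suites) {
    if (s.sslv2Only) found.add('SSLv2-only cipher suite');
    if (s.name.includes('RC4')) found.add('RC4');
    if (s.name.includes('3DES')) found.add('3DES');
    if (s.name.endsWith('MD5')) found.add('MD5 MAC');
  }
  return [...found];
}

// A User-Agent that claims to be Googlebot while presenting a fingerprint
// other than the observed one deserves a second look. Reverse DNS, as in the
// post, remains the authoritative check; this is only a cheap first filter.
function claimsGooglebotWithForeignFingerprint(userAgent, fp) {
  return /googlebot/i.test(userAgent) && fp.trim() !== GOOGLEBOT_FINGERPRINT;
}

// Stand-alone run.
console.log(parseFingerprint(GOOGLEBOT_FINGERPRINT));
console.log(weaknesses(GOOGLEBOT_FINGERPRINT));
```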
In my experience the concept of "policy" is a hard one for many developers to get their heads around. They don't immediately grok what "policy" is or what it's supposed to do, and it conjures up Eastern European Cold War regimes. Unfortunately, policy is a central concept throughout information security.
An as-yet-unnamed potential startup company is planning to develop some revolutionary software that relates to how people work together. One of our first steps is to set up a research community and make some ethnographic observations, in other words, to get an understanding of how people work today. We’re especially trying to get a diverse set of participants: not just techies, not just straight white guys, not just Microsoft-related people.
At the end of the first round of observations, we’ll provide all the participants with a summary of our findings. And as a way of showing our appreciation, we’ll also give them each a free copy of our first product once it’s available.
Interested in being a part of it? We’ll need two to three hours of your time.
At a time that works for you, two members of our team will come to your workplace, sit by your side as you do your work, take pictures of your environment from time to time. It’d be ideal if this time includes at least one meeting or conference call. Our focus will be on what communication tools you use to interact with others, how you use these tools, and what’s working or not working for you.
During the observations, we may ask you some questions, but we will try not to be too intrusive so you can go about your normal business. After the observations, we’ll conduct a 15-20 minute interview to discuss what we saw. Everything we see while we’re there will be held as strictly confidential and will not be shared with anyone outside of our team. Our notes will focus on how you manage your workday, and will not include any details about your work or your company. And of course it’s up to you whether we share your name and company name with anyone outside of our team.
If you’d like to participate, please leave a comment here or contact me via Twitter, Facebook or MySpace. We’re starting in the Seattle area; over time, we’ll branch out more broadly.
Thanks much!
jon
PS: If this is too big of a time commitment for you, no worries; we’ll be gathering information in other ways as well. Stay tuned for more!
Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many twitter-related vulnerabilities.
There’s a lot to check in twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your twitter password? More than 5? More than 10? How many of them are still active and what happens if one of them goes bankrupt and sells the list to someone?
Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess. 









In the space of a week and a half the world has lost some major celebrities, with Billy Mays, Farrah Fawcett, Ed McMahon, and Michael Jackson all passing away. Although each passing is tragic, it is the sudden death of Michael Jackson that has had the most effect on the online world, though there are reports that the deaths of the others have also led to online scam attempts.
Jackson's unexpected death demonstrates the power that "non-reputable sources" can have in being able to break and follow important news that is normally ignored until a more "reputable" source picks it up. The Internet may make it possible for anyone to have a voice, but it also means that carrying authority and reputation with that voice still takes time and effort. Michael Jackson's passing was first identified and reported on by TMZ, however the "reputable" news agencies and sources were much slower to pick up the story and run with it. One of the primary reasons why is that they had a much stronger reputation and weight of authority to risk running with a potentially inaccurate story, especially one that could be damaging if it was inaccurate. When everyone on the Internet is able to go and visit the originating source site, then the decision to delay the coverage of his death can result in lower overall readership of their particular coverage of the story.
Savvy online users and the skeptical will still try to get independent validation of the breaking story, something that came with time even though many of the early 'reputable' stories were derived almost exclusively from TMZ material. This sudden rush of Internet users seeking out independent validation in a very narrow timeframe led to some interesting side effects for Google and major news sites. Google's side effect was that the massive wave of traffic was initially identified as an attack and so accurate information was withheld for a short period while Google's defences were activated to deal with the significant but legitimate traffic flow.
Twitter was another service which found itself struggling to cope with the increased traffic that came as a result of Jackson's death. Various elements and features of the service were temporarily disabled to allow it to carry the messages being created by its users. Reportedly this was in the vicinity of 66,000 messages per hour, but that figure seems extremely low. If the service is going to struggle on 1,100 messages per minute, then it needs to be re-engineered to be able to carry more capacity if it is going to have wider appeal and usefulness.
Sites that were reliant upon third party advertising hosting found that serving the external ads was causing bottlenecks when serving up news reports, so much so that it made the overall sites seem unresponsive, despite the site itself still being responsive and fully functional.
Not only were mainstream "reputable" media sites and sources scooped by a non-traditional source and means, but there are questions about the appropriateness of media organisations self-censoring material that would normally be published.
When that material is suppressed because it pertains to a reporter that they employ it leads to accusations of double standards from external observers.
Not only was news of the reporter's kidnapping suppressed from traditional media sources, but an active and successful campaign was led to keep the information suppressed from Wikipedia, where the reporter already had a page describing their life and employment. Critics of Wikipedia have seized on this as a clear example of how Wikipedia is not the neutral, freely-editable source of information it claims to be. Political and commercial interests can trump the efforts of contributors to improve and enhance the usefulness and accuracy of the site.
Even though each of the situations described above took place recently, it isn't quite yet the case where people can claim that "The Emperor has no clothes", but it is beginning to look that way. How each situation came about and was resolved should provide lessons to the companies and organisations involved to help them provide better results the next time something similar takes place or else they will find themselves with no clothes.
The smallest, three to five, is a "clique": the number of people from whom you would seek help in times of severe emotional distress. The twelve to 20 group is the "sympathy group": people with which you have special ties. After that, 30 to 50 is the typical size of hunter-gatherer overnight camps, generally drawn from the same pool of 150 people. No matter what size company you work for, there are only about 150 people you consider to be "co-workers." (In small companies, Alice and Bob handle accounting. In larger companies, it's the accounting department -- and maybe you know someone there personally.) The 500-person group is the "megaband," and the 1,500-person group is the "tribe." Fifteen hundred is roughly the number of faces we can put names to, and the typical size of a hunter-gatherer society.
Interesting look at group dynamics. Explains why I feel most of "the company" are soulless whores whose job is to tell me "no." ;-)
Slightly over a year ago I discussed the SSL certificate error handling in Firefox. Where Firefox 2.x allows users to simply click through a warning about an invalid SSL connection, Firefox 3.0.x improves the handling and makes it difficult to access the invalid web site.
My blog post turned out to be quite popular, sparking a lively discussion, which spilled onto Mozilla's Bugzilla when I filed two bug reports for Firefox:
The first bug report was rejected after a short discussion (still, I was happy to have been heard), but the second lingered on and, one year later, resulted in a change in how Firefox handles invalid SSL certificates. In Firefox 3.5, when you encounter an invalid SSL web site, you get a screen similar to this one:
Notice the improved language. The message now says "[...] we can't confirm that your connection is secure", instead of "[a site] uses an invalid security certificate" (followed by technical mumbo-jumbo). Clicking the two headings at the bottom uncovers the hidden areas, which contain more information and the button to create an exception:
Many people use their hosts file for resources blocking purposes, especially against ads or known malicious sites.
Since your hosts file takes precedence over DNS in domain name resolution, you can redirect undesired domains to invalid IP addresses, saving both bandwidth and CPU because resolved IPs are cached.
Unluckily, most information sources about this useful technique, including the Wikipedia article above, instruct the reader to use 127.0.0.1 (the local loopback IP) as the dead-end destination, rather than a truly invalid address such as 255.255.255.0. This is not very smart, especially if you installed a web server on the loopback interface (like many web developers do), because you’re spamming it with dummy requests whenever you browse an ad-laden web site.
Furthermore, I’m currently receiving several reports about ABE warnings popping up everywhere. If you read my post about ABE yesterday, you know that it ships with a built-in “SYSTEM” ruleset containing just one rule, which alone implements the whole LocalRodeo functionality:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Such a rule blocks any HTTP request for resources placed in your local network, including localhost (127.0.0.1) and any other LAN IP, unless it is originated from your local network as well. This protects your internal servers and devices (e.g. routers and firewalls exposing web interfaces) against CSRF and XSS attacks performed from the internet.
As a side effect, though, if you’re redirecting arbitrary hosts to 127.0.0.1, you’ll get bombed by a storm of ABE warnings whenever those sites are linked from external web sites. The solution is simple: just open your hosts file and replace 127.0.0.1 with 255.255.255.0 everywhere it’s used to block something, being careful to keep 127.0.0.1 on the localhost entry and other really local domains, if any.
Inspired by the new federal IT dashboard, here is a sample infosec dashboard that details where information security groups elect to invest their shareholders' money.
Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.
I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.
On a less thrilling note, it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think it’s really not particularly interesting: it’s an opt-in model, and clickjacking is so prevalent as an avenue for attack. Opt-in security models work on sites that know they’ve got a problem (like user submitted HTML and JS), not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas, I digress, and I don’t mean to diminish the overall positives of this solution. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again, even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?
In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!
A few years ago, the personal blog of the Iran president Ahmadinejad included a special piece of malware code that would only be displayed for Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.
These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.
Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public service names, to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed at which news travels on the Internet these days, it shouldn’t be difficult to do some psychological warfare if you own “credible” domain names.









One of the single most annoying things about CSRF and router hacking etc… is that you get the annoying popups on Basic and Digest authentication pages, asking you to log in. More and more devices are moving away from these popup style alerts and moving more towards form based authentication, which is better from a hacking perspective. But still, I would say the vast majority of firewall/switch/router devices out there use Basic or Digest based authentication. The problem with that from an attacker’s perspective is that it creates a noisy popup if it fails (if the user isn’t authenticated) that the user is bound to notice and question. Well, now we have an answer - at least in Internet Explorer:
<DIV STYLE="background-image: url(http://router/path.to.hack)">blah</DIV>
I know there are others tags that work, but probably not as well as this method from what I’ve seen so far. I haven’t found a reliable way in other browsers to allow this to happen, but I’ve only barely scratched the surface of the vast number of CSRFable tags out there. But anyway, yes, this doesn’t cause the Basic or Digest auth dialog to fire so it will be more stealthy upon performing a CSRF that fails. Of course for POST based CSRF you’re still out of luck…
Last week, I blogged about using threat models to identify and locate countermeasures. Now, I would like to add a little more detail and context. Recall, the purpose of the threat model is to map threats to countermeasures, but the catalyst comes through some part(s) of the attack surface. There are several attack surface models out there; I use a simple one where the attack surface is the sum of data + method + channel, which together enumerate the ways the system can be attacked.
Countermeasure located in each part of the attack surface, by threat:

Threat | Data | Method | Channel
Spoofing | XML Signature (response only) | None | TLS/SSL
Tampering | XML Signature (response only) | None | TLS/SSL
Dispute | None | None | None
Information Disclosure | XML Encryption (response only) | None | SSL
Denial of Service | None | None | None
Elevation of Privilege | OAuth | OAuth | None
The NIST SAMATE project conducted the first Static Analysis Tool Exposition (SATE) in 2008 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test sets and to encourage improvement and speed adoption of tools. The exposition was planned to be an annual event.
SATE 2008 was one of my last projects at NIST. I really enjoyed working on this project from the beginning. It was challenging, especially because we had to create so many artifacts to make the tools report weaknesses the same way, integrate them all together and provide ways for assessors to make meaningful reviews.
In a nutshell, we selected 6 different open-source programs (3 in C, 3 in Java) and had tool vendors run their tools on these test cases. Tool vendors were allowed to customize their tool if it provided such a capability. Fortify was the only vendor who created a custom rule (to help the tool with a validation routine for MVNForum). Our goal was then to combine the results all together and analyze them: provide information on the correctness of the tools.
If you are interested, you can download the SATE data and the NIST SATE Special Publication.
Thanks to all the SAMATE team for this effort, and especially Vadim Okun and Paul E. Black.
For more information, you can reach the SATE page at NIST.
Preliminary Agenda
1. Baseline Scoring Methods
Reproducible Measurement as a Foundation for Security Assessment Metrics
SCAP Metrics
2. Measuring Impact
Business Focused: Foundations for Security Business Intelligence
Metrics for Detecting Compromised Systems
3. Enterprise Security Management
Security Metrics in Governance, Risk and Compliance
Using Security Metrics to Motivate a Response to A Critical Vulnerability
Foundational Control Practices
4. Software Security
The Building Security In Maturity Model
Does Software Quality Matter?
5. Trends and Stats
Measuring the Future Basis of Competition among AV Products
Crunching Metrics from Public Data
Data Loss DB
6. Security Manager Panel
Asset Profiles
Initiative Alignment
Metrics for Predictive Analysis
7. Discussion Groups on Topics of Mutual Interest
Enterprise Network Security Metrics
PCI DSS Statistics & Metrics
SOX Material Weakness
Vulnerability Response Decision Assistance
The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting read so get to it…
Mr. Herzog suggests in this presentation that the “Defense in Depth” strategy, with regards to network defense, is ineffective and antiquated, and needs to be replaced with a new and updated defense model. His proposed model is called the “Mobius Defense”.
The basic tenet of this defense is that each individual asset should be protected as if it were the only asset in the model, as opposed to forming lines of defense to secure the entire asset base as a whole. Two important facets are stated in his presentation:
If we take the above two statements to be true, then there really are no clearly defined lines of defense on which we can accurately build a defense in depth model; instead we should secure the individual asset by limiting its inbound and outbound dataflow, minimizing trust, and implementing a minimal-interconnectedness policy across the board. Distilled, the Mobius model creates a network security design that disregards network boundaries and theoretical demarcation lines in favor of a "guerrilla defense" in which every actor fends for itself.
So what does this mean for the application security landscape? If what Mr. Herzog presents is reality, then the application layer truly is the last, and best, line of defense (pardon the pun). With the degradation of the network perimeter, thanks in part to the iPhone, BlackBerry, web browser, and other assorted peripherals and client-based designs, there is a newfound urgency to secure each individual network touch point as well as possible. It's with this urgency in mind that application security assessments should move up in the prioritization of security spending. While I don't suggest that defense in depth should go away and die, I do suggest that we focus on securing the most common target of attack, the application layer. If the paradigm of the network has changed, shouldn't our defense models change as well?
A depressing look at "future" browser features.
The main goal of Content Security Policy is to prevent malicious code from being injected into a website and executed within the context of that site.
This could be huge. At its fullest implementation, the only JavaScript allowed to execute would be external JavaScript files specifically whitelisted by the server. Goodbye attribute injection, javascript: URIs, and plain SCRIPT tags. No dynamic code execution either: no eval(), no setTimeout() or setInterval() with a string of code. Goodbye obfuscated JavaScript problem. Thanks to native JSON parsing functions, we don't need you anymore.
Some excellent innovation coming out of these Browser wars...
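To make the whitelist idea above concrete, here is an added example (not code from the original post, and not any browser's implementation): a toy evaluator for a `script-src` directive, written in the modern `Content-Security-Policy` header syntax (an assumption; the 2009 draft the post reacts to used a different header name and grammar), plus the eval()-versus-JSON.parse contrast the post mentions. Host-sources are matched on scheme, host (with an optional leading `*.`) and port only; paths, nonces and hashes are not modelled, and the policy string, origin and response payload are constructed for the example.

```javascript
// Added example: a simplified CSP script-src evaluator. Keyword sources other
// than 'self', 'unsafe-inline' and 'unsafe-eval' are ignored.

// Return the source list that governs scripts: script-src, else default-src.
function parseScriptSrc(header) {
  const directives = header
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .filter((parts) => parts[0]);
  for (const name of ['script-src', 'default-src']) {
    const found = directives.find((parts) => parts[0] === name);
    if (found) return found.slice(1);
  }
  return [];
}

function hostMatches(pattern, hostname) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// script is one of {kind: 'inline'}, {kind: 'eval'}, {kind: 'external', url}.
// Returns true if the policy lets it run on a page served from pageOrigin.
function isScriptAllowed(header, pageOrigin, script) {
  const sources = parseScriptSrc(header);
  if (script.kind === 'inline') return sources.includes("'unsafe-inline'");
  if (script.kind === 'eval') return sources.includes("'unsafe-eval'");
  const url = new URL(script.url);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'self'") {
      if (url.protocol === page.protocol && url.host === page.host) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // other keyword sources not modelled
    // host-source: [scheme://]host[:port]
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+))?$/i);
    if (!m) continue;
    const [, scheme, host, port] = m;
    if (scheme && scheme.toLowerCase() + ':' !== url.protocol) continue;
    // No port in the source means only the scheme's default port matches;
    // URL normalizes a default port to ''.
    if ((port || '') !== url.port) continue;
    if (hostMatches(host.toLowerCase(), url.hostname)) return true;
  }
  return false;
}

// The eval() habit CSP forbids, beside the JSON.parse replacement. RESPONSE is
// a constructed payload: a valid JS expression, so eval runs the embedded
// assignment, but not valid JSON, so JSON.parse rejects it.
const RESPONSE = '{"ok": (globalThis.pwned = true)}';

function parseResponseUnsafe(text) {
  return eval('(' + text + ')'); // executes whatever the server sent
}

function parseResponseSafe(text) {
  return JSON.parse(text); // data only; code in the payload is a SyntaxError
}

// Constructed policy and page origin for the example.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const ORIGIN = 'https://app.example.com';
```

One caveat the whitelist model does not remove: a whitelisted host is trusted entirely, so if `cdn.example.com` serves anything an attacker can influence (user uploads, a JSONP-style endpoint), the policy still lets that script run. Keep the whitelist to hosts that serve only your own static code.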
The biggest addition to the plugin is integrated text and image search. While Office comes with a directory of clip art, it leaves something to be desired; I almost always find myself just going straight to Google Image search. Now, using OffiSync, you can search Google Images directly from within Office. The plugin supports advanced searches, like sorting by color, size, and usage rights. Once you've found an image you like, simply hit "Insert" and the picture will appear wherever your text cursor was. There's also an integrated browser: just navigate to the page you'd like to quote, highlight the text, and hit Insert.
This is damn helpful!
I’m pleased to announce that ABE, the Application Boundaries Enforcer meant to fight CSRF and related web attacks, has finally been included in a stable NoScript release: version 1.9.5, available here.
It's been quite a long development journey since my first announcement, made possible by NLNet's foresight, and it required more than a month of beta testing: among the thousands of tester victims on whom I inflicted twenty builds, I must especially thank therube, GµårÐïåñ, Tom T., Alan Baxter, dhown and the other friends at the NoScript forum, who devoted their time to help with debugging and optimization. A special thanks goes also to Edoardo "Sirdarckcat" Vela, talented hacker and loyal NoScript fan, who offered many useful suggestions for modeling the threats which ABE can counteract.
Great, but now that I've got ABE, what can it do for me?
If you've got the latest NoScript version installed on Firefox 3.0.11 or another compatible Gecko >= 1.9 browser, you'll notice a new "ABE" tab in NoScript Options|Advanced. There you can find a list of the loaded "Rulesets", i.e. groups of firewall-like rules (syntax specification PDF).
Rulesets can be built-in (such as the SYSTEM ruleset described below), your own, centralized subscriptions, or site-specific rules pushed by a site through its own rules.abe file.
All these rulesets (built-in, yours, centralized and site-specific) cooperate to properly insulate your most sensitive web applications and prevent them from being abused by unrelated malicious web sites.
Drop-in LocalRodeo replacement
The “SYSTEM” built-in ruleset currently contains just one rule definition:
Site LOCAL
Accept from LOCAL
Deny
This simple rule protects your local network from CSRF attacks coming from outside, for instance from a malicious web page trying to hack your router. If this scenario sounds familiar, maybe you've heard of LocalRodeo, an experimental Firefox extension which was meant to defeat exactly this kind of internet-to-intranet threat. In fact, the default ABE configuration shipping with NoScript 1.9.5 and above is at least as effective as LocalRodeo, but faster, especially when DNS queries are involved, and much more flexible, since it's not limited to this specific attack scenario: if you're using both NoScript and LocalRodeo, it's time to uninstall the latter.
While centralized subscriptions aimed at protecting the most popular web applications have been planned but are not implemented yet, you as a web author can already start experimenting with protecting your own web application by enforcing your own rules.
Just deploy your rules.abe file at the root of your HTTPS site and be sure to check Allow sites to push their own rules in the ABE options panel. This preference is initially disabled in 1.9.5, but the default will likely be inverted in the next stable release, as soon as it gets enough testing.
More details here.
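To show how the SYSTEM ruleset quoted above and a site-pushed rules.abe actually decide a request, here is an added example, not NoScript's own code: a toy interpreter for the subset of ABE syntax used on this page ("Site <hosts>", then "Accept" or "Deny" with an optional "from <hosts>"). Its assumptions: LOCAL covers loopback, RFC 1918 and link-local IPv4 addresses and dot-less hostnames (ABE's real LOCAL check also consults DNS, which is not modelled); a host spec with a leading dot covers that domain and its subdomains; rulesets and rules are tried in order, the first matching action wins, and a destination matched by no Site line is accepted; requests with no page origin (typed URLs, bookmarks) are not modelled. The bank ruleset and all hostnames are constructed for the example.

```javascript
// Added example: a minimal evaluator for ABE-style "Site / Accept from / Deny"
// rulesets. Not NoScript's implementation; see the lead-in for assumptions.

function isLocal(host) {
  const h = host.toLowerCase();
  if (h === 'localhost' || h === '[::1]') return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    return (
      a === 127 ||                          // loopback
      a === 10 ||                           // 10/8
      (a === 172 && b >= 16 && b <= 31) ||  // 172.16/12
      (a === 192 && b === 168) ||           // 192.168/16
      (a === 169 && b === 254)              // link-local
    );
  }
  return !h.includes('.'); // single-label intranet names, e.g. "router"
}

function hostMatches(spec, host) {
  if (spec === 'LOCAL') return isLocal(host);
  if (spec.startsWith('.')) return host === spec.slice(1) || host.endsWith(spec);
  return host === spec;
}

// Parse ruleset text into [{sites: [...], rules: [{action, from}]}].
// from === null means the rule applies to requests from any origin.
function parseRuleset(text) {
  const rulesets = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb === 'Site') {
      current = { sites: rest, rules: [] };
      rulesets.push(current);
    } else if (verb === 'Accept' || verb === 'Deny') {
      if (!current) throw new Error('rule before any Site line: ' + line);
      const from = rest[0] === 'from' ? rest.slice(1) : null;
      current.rules.push({ action: verb, from });
    } else {
      throw new Error('syntax not covered by this example: ' + line);
    }
  }
  return rulesets;
}

// Decide "Accept" or "Deny" for a request made by the page at `origin`
// to `destination`. First ruleset whose Site matches the destination, then
// first rule whose origin condition holds, wins.
function decide(rulesets, origin, destination) {
  const from = new URL(origin).hostname;
  const to = new URL(destination).hostname;
  for (const rs of rulesets) {
    if (!rs.sites.some((s) => hostMatches(s, to))) continue;
    for (const rule of rs.rules) {
      if (rule.from === null || rule.from.some((s) => hostMatches(s, from))) {
        return rule.action;
      }
    }
  }
  return 'Accept'; // no Site line covers this destination
}

// The built-in SYSTEM ruleset quoted in the post, and a constructed rules.abe
// a hypothetical bank could publish so that only its own subdomains may send
// requests to it.
const SYSTEM = 'Site LOCAL\nAccept from LOCAL\nDeny\n';
const BANK_RULES = 'Site .bank.example\nAccept from .bank.example\nDeny\n';
```

Note what `Accept from LOCAL` does and does not cover: a page served from any local address may still make requests to the router, so the SYSTEM ruleset blocks internet-to-intranet CSRF but offers nothing against a compromised machine that is already inside the LAN. A site-specific ruleset like the bank one closes the cross-site direction for that application regardless of where the attacking page lives.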
The State Motto of Rhode Island is “Live Free or Die”.
Their state assembly passed a law to try to impose sales tax on Amazon.com. The law essentially states that because some of Amazon's associates have a physical presence in the state, Amazon must pay sales tax.
Amazon's response? "Alright, then we'll shut down the affiliate program in your state."
“In an email sent Sunday to its Rhode Island associates — which receive a cut from Amazon for sending customers on to Amazon’s Web site from their own — the company said it was closing its program due to what it called an “unconstitutional tax collection scheme” passed by the General Assembly.
The bill has yet to be signed.
Last week, Amazon shut its associates program in North Carolina and shot off a letter to California lawmakers, warning them that a similar bill introduced in that state’s Assembly would force Amazon to end its program in the wealthiest U.S. state.
They mean business!