My Security Planet

Feeds

10026 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Recent items

Ian Bicking: a blog

• 

  What Does A WebOb App Look Like?

  Posted: March 12th, 2010, 5:50pm CST by Ian Bicking

  Tags:  Programming   [edit]

  Lately I’ve been writing code using WebOb and just a few other small libraries. It’s not entirely obvious what this looks like, so I thought I’d give a simple example.

  I make each application a class. Instances of the class are "configured applications". So it looks a little like this (for an application that takes one configuration parameter, file_path):

  class Application(object):
      def __init__(self, file_path):
          self.file_path = file_path
  

  Then the app needs to be a WSGI app, because that’s how I roll. I use webob.dec:

  from webob.dec import wsgify
  from webob import exc
  from webob import Response
  
  class Application(object):
      def __init__(self, file_path):
          self.file_path = file_path
      @wsgify
      def __call__(self, req):
          return Response('Hi!')
  

  Somewhere separate from the application you actually instantiate Application. You can use Paste Deploy for that, configure it yourself, or just do something ad hoc (a lot of mod_wsgi .wsgi files are like this, basically).

  I use webob.exc for things like exc.HTTPNotFound(). You can raise that as an exception, but I mostly just return the object (to the same effect).

  Now you have Hello World. I then sometimes do something terrible, I start handling URLs like this:

  @wsgify
  def __call__(self, req):
      if req.path_info == '/':
          return self.index(req)
      elif req.path_info.startswith('/view/'):
          return self.view(req)
      return exc.HTTPNotFound()
  

  This is lazy and a very bad idea. So you want a dispatcher. There are several (e.g., selector). I’ll use Routes here… the latest release makes it a bit easier (though it could still be streamlined a bit). Here’s a pattern I think makes sense:

  from routes import Mapper
  
  class Application(object):
      map = Mapper()
      map.connect('index', '/', method='index')
      map.connect('view', '/view/{item}', method='view')
  
      def __init__(self, file_path):
          self.file_path = file_path
  
      @wsgify
      def __call__(self, req):
          results = self.map.routematch(environ=req.environ)
          if not results:
              return exc.HTTPNotFound()
          match, route = results
          link = URLGenerator(self.map, req.environ)
          req.urlvars = ((), match)
          kwargs = match.copy()
          method = kwargs.pop('method')
          req.link = link
          return getattr(self, method)(req, **kwargs)
  
      def index(self, req):
          ...
      def view(self, req, item):
          ...
  

  Another way you might do it is to skip the class, which means skipping a clear place for configuration. I don’t like that, but if you don’t care about that, then it looks like this:

  def index(self, req):
      ...
  def view(self, req, item):
      ...
  
  map = Mapper()
  map.connect('index', '/', view=index)
  map.connect('view', '/view/{item}', view=view)
  
  @wsgify
  def application(req):
      results = map.routematch(environ=req.environ)
      if not results:
          return exc.HTTPNotFound()
      match, route = results
      link = URLGenerator(map, req.environ)
      req.urlvars = ((), match)
      kwargs = match.copy()
      view = kwargs.pop('view')
      req.link = link
      return view(req, **kwargs)
  

  Then application is pretty much boilerplate. You could put configuration in the request if you wanted, or use some other technique (like Contextual).

  I talked some with Ben Bangert about what he’s trying with these patterns, and he’s doing something reminiscent of Pylons controllers (but without the rest of Pylons) and it looks more like this (with my own adaptations):

  class BaseController(object):
      special_vars = ['controller', 'action']
  
      def __init__(self, request, link, **config):
          self.request = request
          self.link = link
          for name, value in config.items():
              setattr(self, name, value)
  
      def __call__(self):
          action = self.request.urlvars.get('action', 'index')
          if hasattr(self, '__before__'):
              self.__before__()
          kwargs = req.urlsvars.copy()
          for attr in self.special_vars
              if attr in kwargs:
                  del kwargs[attr]
          return getattr(self, action)(**kwargs)
  
  class Index(object):
      def index(self):
          ...
      def view(self, item):
          ...
  
  class Application(object):
      map = Mapper()
      map.connect('index', '/', controller=Index)
      map.connect('view', '/view/{item}', controller=Index,     action='view')
  
      def __init__(self, **config):
          self.config = config
  
      @wsgify
      def __call__(self, req):
          results = self.map.routematch(environ=req.environ)
          if not results:
              return exc.HTTPNotFound()
          match, route = results
          link = URLGenerator(self.map, req.environ)
          req.urlvars = ((), match)
          controller = match['controller'](req, link, **self.config)
          return controller()
  

  That’s a lot of code blocks, but they all really say the same thing ;) I think writing apps with almost-no-framework like this is pretty doable, so if you have something small you should give it a go. I think it’s especially appropriate for applications that are an API (not a "web site").

Schneier on Security

• 

  Friday Squid Blogging: Cipherlopods

  Posted: March 12th, 2010, 4:21pm CST

  Tags:    [edit]

  This makes no sense to me, even though -- I suppose -- it's a squid cryptography joke....
• 

  Another Schneier Interview

  Posted: March 12th, 2010, 1:19pm CST

  Tags:    [edit]

  This one on simple-talk.com....

GDS Security Blog

• 

  Multiple DOM-Based XSS in Dojo Toolkit SDK

  Posted: March 12th, 2010, 1:11pm CST by Bix

  Tags:    [edit]

  We released an advisory today to Bugtraq regarding a DOM-Based XSS bug I found in the Dojo Toolkit SDK 1.4.1 and earlier versions. The Dojo team was informed on February 19, 2010 and released the fix today along with some other security bugs. If you want some more information on this bug as well as the other bugs that were fixed, see their security bulletin.

  The files identified with the XSS issues are primarily designed for testing; however a quick Google search will identify numerous sites that have deployed these files along with the core framework components. Unfortunately, this is evidence of a much larger issue. All too often, test code gets deployed to production and ultimately leads to a security exposure. This is clearly a recipe for disaster!!! Folks, please clean up your web root. You clean up your house when relatives come by, right? You wouldn’t want them tripping over your GI Joe’s and breaking their leg! It’s the same thing, more or less : )

  Overview

  The Dojo Toolkit is an open source modular JavaScript library/toolkit designed to ease the rapid development of cross platform, JavaScript/Ajax based applications and web sites. Multiple instances of DOM-based Cross Site Scripting (XSS) vulnerabilities were found in the _testCommon.js and runner.html files within the SDK. The XSS vulnerabilities appear to affect all websites that deploy any of the affected SDK files.

  More information on DOM-based XSS can be found at OWASP’s site.

  Technical Details

  File: dojo-release-1.4.1-srcdojo-release-1.4.1-srcdijittests_testCommon.js
  1) Data enters via “theme” URL parameter through the window.location.href property.
  Line 25:
  var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
  ..snip..
  2) The “theme” variable with user-controllable input is then passed into “themeCss” and “themeCssRtl” which is then passed to document.write().

  Writing the un-validated data to HTML creates the XSS exposure.
  Line 54:
  ..snip..
  var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">');
document.write('<link rel="stylesheet" type="text/css" href="'+themeCssRtl+'">');

  ==================================================

  File: dojo-release-1.4.1-srcdojo-release-1.4.1-srcutildohrunner.html
  1) Data enters via “dojoUrl” or “testUrl” URL parameters through the window.location.search property.
  Line 40:
  var qstr = window.location.search.substr(1);
  ..snip..

  2) The “dojoUrl” and “testUrl” variables with user-controllable input are passed to document.write(). Writing the un-validated data to HTML creates the XSS exposure.
  Line 64:
  document.write("<scr"+"ipt type='text/javascript' djConfig='isDebug: true' src='"+dojoUrl+"'></scr"+"ipt>");
..snip..
document.write("<scr"+"ipt type='text/javascript' src='"+testUrl+".js'></scr"+"ipt>");

  Proof-of-Concept Exploit

  This vulnerability can be exploited against websites that have deployed any of the 145 SDK files which reference _testCommon.js.

  Reproduction Request:
  http://WebApp/dijit/tests/form/test_Button.html?theme=”/><script>alert(/xss/)</script>

  (Note: test_Button.html is one of the SDK files that includes the _testCommon.js file)

  ==================================================

  This vulnerability can be exploited against any website that has deployed the runner.html file.

  Reproduction Request:
  http://WebApp/util/doh/runner.html?dojoUrl=’/>foo</script><’”<script>alert(/xss/)</script>

  Recommendation

  Update to Dojo Toolkit SDK 1.4.2

Schneier on Security

• 

  Why DRM Doesn't Work

  Posted: March 12th, 2010, 11:31am CST

  Tags:    [edit]

  Funny comic....

terminal23

• 

  talk about a security mistake, get booted

  Posted: March 12th, 2010, 9:34am CST by michael

  Tags:    [edit]

  Threatpost has an article up about Bob Maley, the Pennsylvania CISO dismissed this past week because he discussed an incident during an RSA panel. I saw this come in through the Twitter stream and my immediate thought was how this is exactly why we have such issues sharing useful information. We make an attempt to share information, and someone boots us hard in the ass. While the booting may be justified by the state's policy, I would question that someone is not understanding the reasonable intent of the policy.
  
  What's funny is more people likely know about what happened in Pennsylvania due to this than if they had just slapped him on the wrist or done nothing. Well played, sirs. Maybe that in itself violates the policy...

SEO BlackHat: Black Hat SEO Blog

• 

  Corrected: Top 100 Site Traffic Breakdown

  Posted: March 12th, 2010, 9:02am CST by QuadsZilla

  Tags:  SEO   [edit]

  

  I saw this over at the BBC: A breakdown of traffic for the top 100 sites.

  Their infographic was helpful, but it needed a slight correction. After careful study (many hard hours), I have concluded that this updated Infographic more accurately represents the traffic breakdown:

  
  Margin of error +-50%

Schneier on Security

• 

  More Hollow Coins

  Posted: March 12th, 2010, 6:58am CST

  Tags:    [edit]

  A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well....

Jeremiah Grossman

• 

  Password Managers, is this the best option user’s have?

  Posted: March 12th, 2010, 5:58am CST by Jeremiah Grossman

  Tags:    [edit]

  Before reading the following, ask yourself if you’d recommend to the average user that they store their passwords in a local password manager.
  
  Today there are four primary ways users lose control over their web-based passwords. Phishing Scams (email or SEO), Malware (installing malware or drive-by-downloads), website break-ins (SQLi, RFI, misconfiguration, etc.), and website brute-force attacks. For a user to protect themselves I’ve outlined the client-side technologies they can deploy (reason MFA is left out) and possible changes in their online behavior.
  
  Phishing Scams (user hands over their passwords)
  Client-side technology solution(s): Web browser security add-ons and anti-email-spam tools.
  Behavior: Tell the difference between real/fake and safe/dangerous websites & emails using available visual indicators.
  Outcome: The technology is not consistently effective and users are unable to reliably make accurate real/fake or safe/dangerous decisions.
  
  Malware (passwords stolen off the PC)
  Client-side technology solution(s): Update Web browser, Web browser security add-ons, desktop anti-malware, and scheduled patch management.
  Behavior: Don’t install “bad” software off the internet. Don’t use a local password managers.
  Outcome: The technology is not consistently effective. Users WANT to install software and by extension WILL install “bad” stuff. Users are unable to remember multiple hard-to-guess passwords so they’ll either write them down, have the same password across multiple websites, or use a password manager anyway.
  
  Website Break-ins
  Client-side technology solution(s): nothing
  Behavior: Use different hard-to-guess passwords across websites.
  Outcome: Users are unable to remember multiple hard-to-guess words so they’ll either write them down, use a password manager, or have the same password across multiple websites anyway.
  
  Website Brute-Force Attacks
  Client-side technology solution(s): nothing
  Behavior: Use different hard-to-guess passwords across websites.
  Outcome: Users are unable to remember multiple hard-to-guess words so they’ll either write them down, use a password manager, or use the same password across multiple websites anyway.
  
  Now, consider the options users have for personal password handling:
  

  1. Mentally remember different passwords
     
  2. Write password down
  3. Use a password manager
  4. Use the same password across multiple websites.

  Which should the experts recommend to the average user?
  
  By enlarge users are unable to remember multiple hard-to-guess words so let's cross #1 off the list. From a security perspective the prevalence of malware has made written passwords easier for a user to keep safe than storing them on a PC. But, from a user perspective, this approach is terribly inconvenient and makes password managers or using the same password across websites more attractive.
  
  If we consider the threat landscape, massive numbers of websites compromises who don’t encrypt their password, a password manager is preferable to having the same password across many websites. If a users account is compromised via website hack, ideally it should not impact the security of the rest of their online accounts.
  
  On the other hand a PC getting infected with malware is a very common problem and could lead to every record in the password manage being lost. However when this happens the user has worse problems than a compromised password manager, i.e. Man-in-the-Browser attacks makes a password-only theft highly unlikely.
  
  When you boil everything down, if a user can mentally remember multiple hard-to-guess passwords across various websites, this is their best option. If they can’t and don’t mind the inconvenience, write the passwords down and keep in a safe place. If they do mind (the inconvenience) and feel their PC is reasonably safe, password managers are the next most secure option. Perhaps the browser vendors should provide a native hard-to-guess password generator in the browser to auto-populate login/registration fields. Better still if they store them in the password manager by default (opt-out rather than opt-in). Then again, unless truly fixed this would encourage using XSS to steal from password managers.
  
  What we do know is left to their own devices, users will continue to the use the same (weak) passwords across multiple websites -- and we know where that leads.
  
  WhiteHat Security is a leading provider of website security services.
  

Mozilla Webdev

• 

  getpersonas.com status

  Posted: March 12th, 2010, 3:55am CST by rdoherty

  Tags:  Web Development   [edit]

  We’ve seen a huge spike in traffic to getpersonas.com due to our prompted update for Firefox 3.0 and 3.5 users to upgrade to 3.6. Some users may have seen a degradation in site speed and reliability during the past 12 hours.

  Our amazing IT team has been hard at work keeping the site up and has fixed most of the performance issues. We also turned off search functionality temporarily to alleviate load. We’ll turn it back on as soon as we can, thanks for your patience!

CGISecurity.com: Your Web Site and Application Security Resource

• 

  Random FireFox URL handling Behavior

  Posted: March 11th, 2010, 3:29pm CST by Robert A.

  Tags:  Browsers   [edit]

  About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it...

Schneier on Security

• 

  Wikibooks Cryptography Textbook

  Posted: March 11th, 2010, 12:26pm CST

  Tags:    [edit]

  Over at Wikibooks, they're trying to write an open source cryptography textbook....

ha.ckers.org web application security lab

• 

  Using Parameter Pollution and Clickjacking to Aid Anti-CSRF Bypass

  Posted: March 11th, 2010, 11:06am CST by RSnake

  Tags:  Webappsec   [edit]

  It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there. Mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST) to create a condition where you can defeat CSRF tokens:

  The technique, found by Lava Kuppan describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava.

The Spanner

• 

  Hackvertor and JSReg

  Posted: March 11th, 2010, 10:55am CST by Gareth Heyes

  Tags:  Security   [edit]

  I’m not a developer any more so I find it difficult to update the experiments I’ve been working on but I managed today to upload the work I’ve done with JSReg and update Hackvertor. They are both integrated closely together because Hackvertor allows untrusted Javascript using JSReg.

  The recent upgrade to JSReg allowed me to upload the Hackvertor changes I did a while ago, it is now very nice and easy to share code between users. At the moment registration is disabled but I plan to enable it once I’ve figured a way to stop user’s overloading the tag list.

  You can see how the integrated JSReg parser works by visiting Public Hackvertor this will eventually replace the original one now online. There are only a limited set of tags as I’ve not had time to code them all but we have a couple of users on there that might start adding code if they haven’t forgotten their password =)

  I found the untrusted Javascript feature difficult to code as sharing each tag inside a tag for example would require some tricky Javascript but I think I’ve managed to pull it off. I’ll document the JSReg stuff here and how Hackvertor allows tag objects inside tags.

  Playing nice with JSReg

  In order to use the parser effectively we need to be able to inject our own objects into the sandboxed environment without compromising the security of the sandbox. To do this JSReg supports some extension functions which allows you to inject a object directly. The following code sample shows you how to do it:-

  parser.extendWindow('$tags$',(function(tags) {
    return function(obj, callback) {
                  var code = obj.$code$;
                  var tag = obj.$tag$;
                  var param1 = obj.$param1$;
                  var param2 = obj.$param2$;
                  var param3 = obj.$param3$;
          if(!tags.hasOwnProperty(tag)) {
                  return null;
                                                          }
  return tags[tag].execTag(code,callback,[param1,param2,param3]);
  }
  })(window.Hackvertor.tags)
  );
  

  So here the “parser” is the JSReg parser, we use the extendWindow function to place a “$tags$” object within the sandbox. Notice the $ prefix and suffix, this is how JSReg protects objects/properties. We use a closure to send a Hackvertor Tag object to the sandbox which passes it a function that accepts a tag object and a callback. Hackvertor now uses callbacks for each tag, this allows conversions to be run in sequence without waiting for each function to return the output.

  A simplified version of this can be seen below, this time we assign a value from a dom object outside of the sandbox to a reference inside the sandbox.

  parser.extendWindow('$code$',document.getElementById('input').value);
  

  The new Hackvertor

  All tags are now user definable! Each tag can have up to three parameters, provide some help text and call existing tags from inside the sandbox To create a tag you simply have to return some output, inside a tag it has some special variables that are automatically assigned when a tag is called. The special variables are listed below:-

  code, params, tags
  

  The code refers to the original text passed to your tag, this could be plaintext or some text that has been transformed by a previous tag. The params is a simple numeric indexed array which refers to any params supplied by the user so for instance if you tag supports 1 param, you can refer to it inside your tag as param[0]. Tags contains the Hackvertor tag reference mentioned previously and allows you to call existing tags without having to write the same code over and over. I will show below how you to call the base64 tag that currently exists in the Hackvertor tag space.

  tags({code:'abc',tag:'base64',param1:'encode',param2:'',param3:''},function(result) {alert(result);})
  

  So this will call the tags function defined by extending the sandbox, it accepts a object and callback as it’s arguments. I send a string ‘abc’ and use the tag ‘base64′ I supply one param ‘encode’ and then use the callback to get the result of the conversion.

1 Raindrop

• 

  Notes Richard Bejtlich OWASP Podcast

  Posted: March 11th, 2010, 10:39am CST by Gunnar Peterson

  Tags:    [edit]

  Jim Manico has produced another great addition to his OWASP podcast canon, the latest discussion is with Richard Bejtlich. Jim is very good as an interviewer which means the questions are all meat and potatoes on in the trenches issues. 

  One of the main points that Richard makes that is lost on many security programs is how to take information security concerns and then communicate them to the business. How do you talk about security to people (i.e. business) that could care less about SQL injection. As James McGovern says, the business doesn't want a maturity model, they want working software. 

  Richard talks about extending the communication through using threats, and that this is a way to put a face on the problem. I have no doubt that this works well. The BBC show "Spooks" (called MI-5 in the US) is a pretty detailed (for a TV show) look at counter terrorism in the UK, they get into a lot of hidden assumptions we have about the intersection of security and privacy. One of the criticisms of the show is that it looks like all the problems are solved in one hour by the same three people. And this is one issue I have with using threats as the primary means for communicating security concerns to the business. I have no doubt its effective, and its for sure an important part of telling the story, but I think some aspects are not addressed if there's an overfocus on threats. Threats must be assumed but its resilience and survivability that matter in the end and that goes back to your company's mission. 

  I came up originally looking at security as something that we solve through equal parts access control, defensive coding, and crypto. Those are still the basic workhorses of most software security regimes, but there is a missing piece. For me, Richard's work going back Tao of Security Monitoring is the best distillation that made me realize that all of the above areas must be backstopped by a robust detection and response lifecycle, or what Richard calls "Building Visibility In" 

  So in terms of building visibility in, every process that we design/code for should have a "monitor first" mandate. We saw the lack of this just recently with the Chip and PIN fiasco. There are real challenges to getting the right amount of visibility in the app. Where you put the detection determines what you see. On the presentation layer it looks like raw HTTP, at the middle tier it looks more transaction-like and at the DAO layer you can observe the data operations. In the secure audit logging class I teach we go through each of these areas and its very interesting to see what you can see from these different angles, just like turning a Rubiks cube. 

  Jim and Richard explore a couple of other areas - issues around incidents/compliance for funding (for which I propose the need for a flat tax). Jim asks about how attackers have advantage, and Richard responds with his black hat budget, in other words what can the bad guys do with a fraction of your assets.  

  Jim asked Richard a question I sent in - "The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset." Given that we don't have any high integrity database, identities or application servers - how do you detect a breach of integrity when there is no verifiable integrity in the system in the first place?"

  Richard's response is that trustworthiness impossible inside an asset itself (agree)- for an asset to defend itself look outside of the asset. The network is a cheap way to watch. That logic makes perfect sense to me, but it still makes sense to push for more and better data out of the apps. There is a lot of context there about transactions, data, identity and so on that can be harvested.

  I quite liked the final challenge that Richard threw down - enterprises need to focus on getting real data. How many of us have an accurate scoreboard based on real data?

Ivan Ristic

• 

  ModSecurity Handbook shipping soon!

  Posted: March 11th, 2010, 8:29am CST by Ivan Ristić

  Tags:    [edit]

  It's been an adventurous journey, but we are nearing a major milestone: the official publication of the first book published by our publishing company, Feisty Duck! We've just received a batch of ModSecurity Handbook paperbacks and we're enjoying them in all their glory. Two further batches are on their way to our warehouses (one in the US and one in the UK), from where they will be shipped to early adopters. (If you're one of the early adopters, you will soon get an email from us with more information.)

  Our work is nowhere near the end, however, because now we need to focus on reaching out to the book's audience to inform them that the book exists.

  If you haven't purchased the book yet, now would be a very good time: because the official publication date is the 15th, we'll be maintaining the pre-order discount for a little while longer. You only have about 4-5 days to take advantage of the 25% discount. Buy now!

  

Schneier on Security

• 

  Wanted: Trust Detector

  Posted: March 11th, 2010, 6:17am CST

  Tags:    [edit]

  It's good to dream: IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions. A second part of the IARPA proposal might involve using new types of...

Ian Bicking: a blog

• 

  Configuration management: push vs. pull

  Posted: March 10th, 2010, 7:45pm CST by Ian Bicking

  Tags:  Programming   [edit]

  Since I’ve been thinking about deployment I’ve been thinking a lot more about what "configuration management" means, how it should work, what it should do.

  I guess my quick summary of configuration management is that it is setting up a server correctly. "Correct" is an ambiguous term, but given that there are so many to configuration management the solutions are also ambiguous.

  Silver Lining includes configuration management of a sort. It is very simple. Right now it is simply a bunch of files to rsync over, and one shell script (you can see the files here and the script here — at least until I move them and those links start 404ing). Also each "service" (e.g., a database) has a simple setup script. I’m sure this system will become more complicated over time, but it’s really simple right now, and I like that.

  The other system I’ve been asked about the most about lately is Puppet. Puppet is a real configuration management system. The driving forces are very different: I’m just trying to get a system set up that is in all ways acceptable for web application deployment. I want one system set up for one kind of task; I am completely focused on that end, and I care about means only insofar as I don’t want to get distracted by those means. Puppet is for people who care about the means, not just the ends. People who want things to work in a particular way; I only care that they work.

  That’s the big difference between Puppet and Silver Lining. The smaller difference (that I want to talk about) is "push" vs. "pull". Grig wrote up some notes on two approaches. Silver Lining uses a "push" system (though calling it a "system" is kind of overselling what it does) while Puppet is "pull". Basically Silver Lining runs these commands (from your personal computer):

  $ rsync -r <silverlining>/server-files/serverroot/ root@server:/
  $ ssh root@server "$(cat <silverlining>/server-files/update-server-script.sh)"
  

  This is what happens when you run silver setup-node server: it pushes a bunch of files over to the server, and runs a shell script. If you update either of the files or the shell script you run silver setup-node again to update the server. This is "push" because everything is initiated by the "master" (in this case, the developer’s personal computer).

  Puppet uses a pull model. In this model there is a daemon running on every machine, and these machines call in to the master to see if there’s any new instructions for them. If there are, the daemon applies those instructions to the machine it is running on.

  Grig identifies two big advantages to this pull model:

  1. When a new server comes up it can get instructions from the master and start doing things. You can’t push instructions to a server that isn’t there, and the server itself is most aware of when it is ready to do stuff.
  2. If a lot of servers come up, they can all do the setup work on their own, they only have to ask the master what to do.

  But… I don’t buy either justification.

  First: servers don’t just do things when they start up. To get this to work you have to create custom images with Puppet installed, and configured to know where the master is, and either the image or the master needs some indication of what kind of server you intended to create. All this is to avoid polling a server to see when it comes online. Polling a server is lame (and is the best Silver Lining can do right now), but avoiding polling can be done with something a lot simpler than a complete change from push to pull.

  Second: there’s nothing unscalable about push. Look at those commands: one rsync and one ssh. The first is pretty darn cheap, and the second is cheap on the master and expensive on the remote machine (since it is doing things like installing stuff). You need to do it on lots of machines? Then fork a bunch of processes to run those two commands. This is not complicated stuff.

  It is possible to write a push system that is hard to scale, if the master is doing lots of work. But just don’t do that. Upload your setup code to the remote server/slave and run it there. Problem fixed!

  What are the advantages of push?

  1. Easy to bootstrap. A bare server can be setup with push, no customization needed. Any customization is another kind of configuration, and configuration should be automated, and… well, this is why it’s a bootstrap problem.
  2. Errors are synchronous: if your setup code doesn’t work, your push system will get the error back, you don’t need some fancy monitor and you don’t need to check any logs. Weird behavior is also synchronous; can’t tell why servers are doing something? Run the commands and watch the output.
  3. Development is sensible: if you have a change to your setup scripts, you can try it out from your machine. You don’t need to do anything exceptional, your machine doesn’t have to accept connections from the slave, you don’t need special instructions to keep the slave from setting itself up as a production machine, there’s no daemon that might need modifications… none of that. You change the code, you run it, it works.
  4. It’s just so damn simple. If you don’t start thinking about push and pull and other design choices, it simply becomes: do the obvious and easy thing.

  In conclusion: push is sensible, pull is needless complexity.

• 

  Joining Mozilla

  Posted: March 10th, 2010, 5:46pm CST by Ian Bicking

  Tags:  mozilla   [edit]

  As of last week, I am now an employee of Mozilla! Thanks to everyone who helped me out during my job search.

  I’ll be working both with the Mozilla Web Development (webdev) team, and Mozilla Labs.

  The first thing I’ll be working on is deployment. In part because I’ve been thinking about deployment lately, in part because streamlining deployment is just generally enabling of other work (and a personal itch to be scratched), and because I think there is the possibility to fit this work into Mozilla’s general mission, specifically Empowering people to do new and unanticipated things on the web. I think the way I’m approaching deployment has real potential to combine the discipline and benefits of good development practices with an accessible process that is more democratic and less professionalized. This is some of what PHP has provided over the years (and I think it’s been a genuinely positive influence on the web as a result); I’d like to see the same kind of easy entry using other platforms. I’m hoping Silver Lining will fit both Mozilla’s application deployment needs, as well as serving a general purpose.

  Once I finish deployment and can move on (oh fuck what am I getting myself into) I’ll also be working with the web development group who has adopted Python for many of their new projects (e.g., Zamboni, a rewrite of the addons.mozilla.org site), and with Mozilla Labs on Weave or some of their other projects.

  In addition my own Python open source work is in line with Mozilla’s mission and I will be able to continue spending time on those projects, as well as entirely new projects.

  I’m pretty excited about this — it feels like there’s a really good match with Mozilla and what I’m good at, and what I care about, and how I care about it.

1 Raindrop

• 

  Don't Trust and Verify

  Posted: March 10th, 2010, 3:20pm CST by Gunnar Peterson

  Tags:    [edit]

  Bill Gross is the manger of the world's largest bond fund, his quarterly letters contain many insights on the economy as a whole. This one is no exception, and it contains a typically witty yet telling story, about how much people at cocktail parties care about what you are saying as opposed to themselves.

  
   

  During that unbearable minute-and-a-half, however, you’re likely to have covered some of the following topics:

  1. Where are you from? (If it’s not a place where I’ve been or have a distant second cousin – don’t care.)

  2. How’s the family? (If Johnnie is in advanced placement courses and my kids aren’t – don’t care. Don’t care about your kids’ soccer games either or that upcoming wedding.)

  3. Medical problems. (Unless you’re dying from cancer – don’t care. Your artificial hip and kidney stone stories are important only to let me tell you about mine.)

  4. How’s work? (Forgot where you work, but it’s a good lead in. Don’t really care though unless you can direct some business my way.)

  5. Can you believe Tiger? (Now there’s something I care about, but the wife is only five feet away.)

  In his last letter in January, Gross took the UK to task for being among the high risk members of the dubious Debt Ring of Fire club:

  the U.K. is a must to avoid. Its Gilts are resting on a bed of nitroglycerine. High debt with the potential to devalue its currency present high risks for bond investors. In addition, its interest rates are already artificially influenced by accounting standards that at one point last year produced long-term real interest rates of 1/2 % and lower.

  Like high ranking central bankers everywhere, Bank of England Governor Mervyn King has been reassuring the financial world that their investments in the UK are safe. Gross has an interesting take on this:

  Just last week Bank of England Governor Mervyn King said that it would be difficult to cut government spending quickly, but that there needs to be a clear plan for doing so. Not good enough, Mr. King. Don’t care. Show investors the money, not vice-versa. An investor’s motto should be, “Don’t trust any government and verify before you invest.” 
  

  Don't care is a particularly useful precept for security architects to keep in mind. You are assessing a company's product and they have a slide on their security that features a large number of security protocols. Don't care. Need to lift the hood. You are using Chip *and* PIN so your authentication is stronger? Don't care. Let's look at the tokens used for authorization, the authorization, audit logging, and so on.

  You are sending my Web services requests via XML message data to my service's application methods and you are using SSL to secure the channel, so you think that should suffice for security?   

   

  Don't care. Make sure the message has integrity, give me a security token, a way to authenticate the request, authorize and audit it. Why should I trust the data and the method request simply because they were sent over SSL? If someone sent you a message over SSL and told you to jump off a bridge would you do it?

  So the mantra isn't "Trust but Verify", its "Don't Trust and Verify." 

  Verification along the lines of static analysis, fuzzing, and other means is still required. Verification is done because of complexity and to ensure linkage between design time intent and run time reality. But verification is not an adequate substitute for trust.

Schneier on Security

• 

  Nose Biometrics

  Posted: March 10th, 2010, 1:47pm CST

  Tags:    [edit]

  Really: Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance. The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people. "Noses are prominent facial features and yet their use as a biometric has been largely unexplored," said the University...

SEO BlackHat: Black Hat SEO Blog

• 

  $200 Twitter Contest: 122 Characters Sent Back 2000 Years

  Posted: March 10th, 2010, 1:05pm CST by QuadsZilla

  Tags:  SEO   [edit]

  

  Today, I saw what I thought was an interesting thread over on reddit:

  If we could transmit a single, 140 character message back to the year 2000, what should it be?

  But I misread it as:

  If you could send a single 140 character message back 2000 years, what should it be.

  And I think my misread is way more interesting. So much so, that I’m making a $200 twitter contest out of it.

  Now we’ll need room for link, so lets make it 122 characters.

  The Contest

  Assume for a second that the message will be widely read, and that the readers can all understand English. What 122 character message would you send back to the year 10 AD (2000 years ago)?

  Answer in a tweet: Up to 122 character answer followed by a space and then this url: http://tr.im/RllZ

  Whoever comes up with the best answer wins $200 (via paypal). Best answer decided by me, but I may be influenced by the comments on this post.

BindShell.Net

• 

  BeEF Key Logging

  Posted: March 10th, 2010, 10:28am CST

  Tags:  Events   [edit]

  By default, BeEF will log all the keys entered into the Zombie's page. View the Zombie Details and the logged keys will be displayed in the 'Key Logger' section.

Schneier on Security

• 

  The Limits of Identity Cards

  Posted: March 10th, 2010, 7:09am CST

  Tags:    [edit]

  Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010. Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer...

SecuriTeam Blogs

• 

  ASCII gone bad / Zer0-overflow

  Posted: March 10th, 2010, 4:20am CST by Weis

  Tags:  Commentary   [edit]

  This post is a followup on my previous post on KISS shellcoding and exploitation. Like before this is part of the job I do for SecuriTeam’s SSD. Those that are not aware of the project its aim is to give researchers compensation for their researcher efforts, compensation of course being money not just fame and glory
  The most common and classic shellcode char restrictions is “zero tolerance”. this can be solved in a verity of different methods. ranging from substitution to polymorphic escape decoders. Solving zero-tolerance is a very useful and thought-provoking problem, however provides a limited amount of fun:). especially once a basic set of solutions has been developed.

  Let’s have a look at slightly more challenging problem - can we write shellcode that contains a null char at every other byte, and *only* every other byte, for e.g. sx00hx00ex00lx00lx00cx00ox00dx00e0

  This can happen if our shellcode were to pass through a call to MultiByteToWideChar() or similar function. This is often encountered in browser bugs (especially DOM and/or scripting).

  Some work has been done on this subject, namely a method was described by ngss reasercher Chris Anley. This method was coined “Venetian Blinds” or ”The Venetian exploit”. The method I suggest here is similar, but slightly different in that it does not make as many assumptions and presents a more theoretical approach. This work is an original unrelated effort.

  Let us get to it.

  Enumerating the methods we can use to write ugly ascii-to-unicode shellcode we find many are similar to regular zero-tolerance or ascii shellcode methods.

  We can decode in-place, copy, byte-substitute. These methods will become more clear as you read. In some cases it will be necessary to find eip/getPC.

  This also can be done in several ways, similarly to shown in my previous post, but differently( Try encoding FSTENV with null bytes, email me if you succeed

  It will take many pages to thoroughly cover all of these methods and so I’ll start with the simplest copy method.

  Instead of just presenting the final result, I will walk through my thought process working on this. In this post I present several different trials at shellcode, some of which are not immediately useful. This will allow you to better understand the intricacies shellcode-restriction, and get a feel for the different problems I faced.

  Let’s copy our code somewhere. If we were to decode in-place, we would essentially write the same code, as well as extra getPC code.

  Not as easy as it sounds. let us start from building restriction-compliant basic-blocks which can br used later. These blocks shall suffice:
  1) set register
  2) string operation
  3) branch
  4) glue block

  These translate to:

  1) mov reg32, imm32
  2) mov [reg32],imm8
  inc reg32 # imm8 !=0
  3) jmp/call reg32
  4) a “glue block” that can be use between every two blocks, and between two compliant opcodes. This is a compliant block that starts and ends with a null byte. we’ll mark it *GB.

  if we want to get a bit fancier we may need:
  3) pop reg32
  4) mov [reg32],imm16 # imm16 bytes not equal 0
  inc reg32
  inc reg32

  (U) basic block number one: setting a register - attempt 1.0
  the following opcode:
  mov ecx, 0×11223344
  decodes like this:
  B9 44332211

  which of course is not very helpful to us. The best we can do with our restriction and this basic opcode is:
  B9 00330011 == mov ecx, 0×11003300

  this is not very useful. we want to be able to put an arbitrary value into r32. let’s divide in to two parts by bytes:

  two lower bytes(”3rd and 4th”):let’s start by setting the two lower bytes. this is easy

  *GB ; zero-out ecx
  push 0
  pop ecx

  mov edx,77007700 BB00770077 ; use edx as help-reg

  *GB
  add ch,dh - 00F5 c
  mov edx,66006600 - BB00660066.

  *GB
  add cl,dh - 00F1

  This is a good method for the lower bytes. let’s call it “set (cx, 0×1122)”.

  Those readers with a keen eye may notice that assembling these opcodes may not result in compliant shellcode.

  This is because different byte-sequences may represent the same opcode. x86 opcodes are built of micro-codes or U-codes(with the greek letter mewh). Every Ucode performs a very basic operation. Several of these are dubbed “opcode”. Different sequences of Ucodes may result in the same end and therefore be functionally-equivalent, usually an assembler will choose the faster one.

  topmost two bytes:
  in order to set the topmost byte we can:

  mov ecx,66006600 - BB00660066.

  In order to set the topmost byte to zero we can: zero out the whole r32, later setting byte’s 3&4 . this is done by replacing our first opcode with the sequence:
  push 0 - 6A00
  pop ecx - 59

  onwards.

  we are now able to set the 1st,3rd, and 4th bytes of a register. how will we set the second? if the value needed is very low or very high we could:
  set (cx, 0xFFFF)
  *GB

  inc ecx - 41
  *GB
  set (cx, 0xFFFF)
  etc.

  or

  set (cx, 0×0000) ; this is not trivial, but easy
  *GB
  DEC ecx - 41

  etc.

  This method is not very space-conservative. let’s try finding a better method.

  And now for something completely different - let’s find a better method. This time the process will include taking a peak at the intel x86 reference manual (I used the xeon manual) in search for interesting opcode encodings.

  (U) basic block number one: attempt 2.0 - setting the top two bytes.

  this time, we’ll try using program memory, specifically - the stack. this may a good method because many stack operations are single-byte. this may be bad, if sp points somewhere unwritable when the shellcode is running(but can be adapted).

  fun fact - sifting through the intel reference manual we can see that the set of operands al /ax /eax can provide plenty compliant opcodes which will not be compliant with other registers used. for eg:
  MOV DWORD PTR DS:[EBX],110011 - C7 03 11 00 11 00
  MOV DWORD PTR DS:[EAX],110011 - C7 00 11 00 11 00

  now consider the following opcodes:
  push 11003300 - 6800330011
  *GB
  push esp - 54
  *GB
  pop eax - 58
  *GB
  add dword ptr [eax], 00220044
  *GB
  pop ecx

  now ecx == 0×11223344
  this is better than we expected. we have set all four bytes.

  we already know how to change the two lower-most bytes if we want to zero them out. we also know how to zero out the 2nd topmost byte,or both high bytes. if we want to get 0×00112233 we can use (i’m omitting opcode encoding from hereon):

  push 11003300 ; [esp] = 11003300
  *GB
  push 11003300 ; [esp] = 11003300
  *GB
  inc esp ; [esp] = 00110033
  *GB
  pop ecx ; ecx = 00110033
  *GB
  dec esp ; [esp] = 11003300
  pop eax ; to restore stack

  and then set the missing low bytes. We already know a different way of doing this - look for it.

  Thus we have a compact method of performing mov r32,imm32 for any value.

  (U) basic block no. 2: mov [reg32],imm8, inc reg32 # imm8 !=0 - attempt 1.0

  First, let’s assume we know what data is present at the copy destination address. In this case, it will be pretty easy to build this BB. We will be using an add operation. here we are adding 0×90 to a one byte at [ecx], and ecx++.

  mov eax,90009000 ; ah=90
  add byte ptr [ecx],ah ; [ecx] += 0×90
  inc ecx

  this of course will be padded with *GB whenever needed. if we don’t know what data lays at [ecx] we could try this:
  push ecx
  pop eax ; eax =ecx
  mov byte ptr al,[eax] ; al= [ecx]

  ;negate eax
  push 0
  pop ebx
  add bh,al ; bh =al == [ecx]
  xor ebx, ff00ff00
  push 0
  pop eax;
  add al,bh ; al = al ^ 0xff == [ecx]^0xff
  inc al ; al++ == -(byte ptr [ecx] )

  ;add negated value, and wanted value
  mov edx, 11001100
  add al,dh
  add byte ptr [ecx],al ; [ecx] = [ecx] + (-[ecx] + dh) == dh == 11
  inc ecx

  once again, padded with *GB. this is not very elegant or small, but seems to work nicely. let’s give it another try. this time using completely different types of opcodes:
  push esp
  pop edx

  inc ecx
  inc ecx
  inc ecx
  inc ecx

  push ecx
  pop esp

  set(ebx,0×90909090)
  push ebx

  push edx
  pop esp

  this looks nicer.

  (U) 3) jmp/call reg32
  this is easy:
  push ecx
  *GB
  retn

  (U) 4) the star of the evening - our very own - Glue Block we could try this:
  ADD BYTE PTR SS:[EBP],AL - 004500

  or this - after setting the right registers.

  ADD BYTE PTR DS:[EAX],CL ; (we could probably pull eax off the stack, but can’t use set(eax,0xADDR) because we can’t use this GB, which is needed to do this there are probably a few others. Using these may require us to do minor fixups. this basically sums up everything we need to build a fancy ascii-to-shellcode decoder. now that we have our 4 basic blocks we can use them to program/ like this: 2-3-4-1-1-1-2-3-4-4/ just kidding.

  An example simple windows code that copies four nop bytes to [7FFE0300 +0×100] looks like this:
  what we would really be copying is a short code to find the original shellcode, and decode it. this is pretty simple straight-forward assembly

  ; ecx = 7FFE0400
  68 0004007F PUSH 7F000400
  0045 00 ADD BYTE PTR SS:[EBP],AL
  54 PUSH ESP ; GB
  58 POP EAX
  8100 0100FE00 ADD DWORD PTR DS:[EAX],0FE0001
  59 POP ECX
  0045 00 ADD BYTE PTR SS:[EBP],AL
  49 DEC ECX

  ;al = 0×90

  0045 00 ADD BYTE PTR SS:[EBP],AL
  B8 00900090 MOV EAX,90009000
  00E0 ADD AL,AH

  ;byte ptr [ecx] = 0×90
  ;ecx ++

  0045 00 ADD BYTE PTR SS:[EBP],AL
  0001 ADD BYTE PTR DS:[ECX],AL; [ecx] = 0×90
  0045 00 ADD BYTE PTR SS:[EBP],AL
  41 INC ECX ;ecx++

  ;byte ptr [ecx] = 0×90
  ;ecx ++

  0001 ADD BYTE PTR DS:[ECX],AL [ecx] = 0×90
  0045 00 ADD BYTE PTR SS:[EBP],AL
  41 INC ECX

  ;byte ptr [ecx] = 0×90
  ;ecx ++

  0045 00 ADD BYTE PTR SS:[EBP],AL
  0001 ADD BYTE PTR DS:[ECX],AL
  41 INC ECX

  ;byte ptr [ecx] = 0×90
  ;ecx ++

  0045 00 ADD BYTE PTR SS:[EBP],AL
  0001 ADD BYTE PTR DS:[ECX],AL
  0045 00 ADD BYTE PTR SS:[EBP],AL

  ;jmp [ecx-4]

  DEC ECX
  DEC ECX
  DEC ECX
  DEC ECX

  51 PUSH ECX
  0045 00 ADD BYTE PTR SS:[EBP],AL
  C3 RET

  0000

  Of course, all the methods I discussed here can be highly optimized(such using dword values?), and probably some other methods may be used. these are the basics

  Also, if we want to keep a code-shellcode ratio anything close to plausible, we will have to be able to write small amount of bytes that can find the original chunk and decode it from our
  destination address. this can very often be done through use of register and stack state at the time the shellocde started running. we’re in luck with this - pushad is compliant.

  -

  Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

SecurityFocus News

• 

  News: Change in Focus

  Posted: March 10th, 2010, 12:00am CST

  Tags:    [edit]

  Change in Focus

extern blog SensePost;

• 

  Decrypting Symantec BackupExec passwords

  Posted: March 9th, 2010, 11:06pm CST

  Tags:    [edit]

  Decrypting Symantec BackupExec passwords

1 Raindrop

• 

  Minnesota ISSA Talk

  Posted: March 9th, 2010, 4:39pm CST by Gunnar Peterson

  Tags:    [edit]

  Next week, I am speaking at the Minnesota ISSA. The meeting is on 3/16 and runs from 1:30-4. If you would like to come, details are here.

Schneier on Security

• 

  Marc Rotenberg on Google's Italian Privacy Case

  Posted: March 9th, 2010, 12:36pm CST

  Tags:    [edit]

  Interesting commentary: I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established...

1 Raindrop

• 

  Three Steps to a Rational Security Budget

  Posted: March 9th, 2010, 11:27am CST by Gunnar Peterson

  Tags:    [edit]

  Security budgets are often based on combination of last year's spending, this year's threat du jour(s), and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s. 

  A simple three step process to achieving a Security Budget that maps to business reality rather than security silver bullet fantasies is as follows:

  

  Step 1. Gather the relevant data for where the enterprise is investing its dollars in IT. Let's assume our company is Jones Widgets.

  Step 2. Apply a "flat tax" for security budgeting, for this example let's say 7%, so if Jones Widgets invests $5M in its Customer relationship systems, $2M in Order Management, and $1M in ERP, this is the starting point for assigning priorities on security budgets. This is the part that security people miss, you don't need to do asset valuation - there is a whole group of people in the business that have already done that for you. Your job is to enable the intent that they have already clearly communicated in budget decisions. 

  So applying the flat tax, our Jones Widget's budget look like this

  IT System	IT Budget	Initial InfoSec Budget
  Customer Systems	$5M	$350k
  Order management	$2M	$140k
  ERP	$1M	$70k

  
  

  Notice that the starting point in this step is aligning the budget with overall Enterprise IT spending. Its not based on whatever area that infosec happened to invest in last year, or what someone at a conference said, its about starting by aligning with what your business values. Its not about security foo-fa-ra, its about Jones Widgets.

  Step 3. Efficacy. Let's assume that the Customer Management and ERP systems are behemoth packages that are purchased third party apps, and the Order management system is built in house so you have the source code. The way that you choose to deliver security to third party purchased systems versus the ones where you design, build, and deploy the code will vary. So the next step after initially rationalizing the budget is to assess what's the most effective security I can get for each area. 

  Its not that the business budget should trump the infosec budget, but its a very useful starting point. Moving off of those priorities should require a statement of efficacy that some security dollars are better spent in say the Order Management system, because the company controls the code. So if Jones Widgets' Order Management system is built in house, and the business relies on that to process orders, if that Order Management asset is compromised then its not like Jones Widgets can go and buy another Order system off the shelf from a vendor. Its their core business, their DNA.

  So let's assume that Jones Widgets wants to scan its code, invest time in threat modeling and so on for its core business asset. This results in pulling 20% in from the ERP and Customer systems

  IT System	IT Budget	Updated InfoSec Budget
  Customer Systems	$5M	$280k
  Order management	$2M	$224k
  ERP	$1M	$56k

  
  

  There's no need to get wrapped around the axle on asset valuation, the business gives you a starting point, use it. Then only move away from that when you can make a concrete case on improving efficacy by altering priorities. Or put another way - its your job. Do it.

Tactical Web Application Security

• 

  WAF Virtual Patching Workshop at Blackhat USA 2010

  Posted: March 9th, 2010, 10:10am CST

  Tags:    [edit]

  Submitted by Ryan Barnett 03/09/2010
  
  Just wanted to let everyone know that if you are headed to Blackhat USA 2010 this summer in Las Vegas, we have just added a 1-day workshop on the day before the Briefings start -
  
  [www.blackhat.com]
  
  In the workshop, we will be mainly discussing the "Virtual Patching" concept of using a WAF (ModSecurity in this case) and we will use the OWASP WebGoat app as the target. In the workshop, we will talk virtual patching theory and then have hands-on labs where we will show how to use Mod to virtually patch the various WebGoat lessons. As a side note - we will also have a section on the new CRS v2.0 when discussing negative security models. So, if you want to come and dive into the deep-end of the pool and have fun using some of ModSecurity's advanced features (such as Lua and Content Injection) then sign-up now!
  
  Brian Rectanus and I hope to see you all in Vegas!!! :)

ModSecurity Blog

• 

  WAF Virtual Patching Workshop at Blackhat USA 2010

  Posted: March 9th, 2010, 10:09am CST by Ryan Barnett

  Tags:    [edit]

  Just wanted to let everyone know that if you are headed to Blackhat USA 2010 this summer in
  
  Las Vegas, we have just added a 1-day workshop on the day before the Briefings start -

  http://www.blackhat.com/html/bh-us-10/training/bh-us-10-training_RB-WAFVirtPatch.html

  In the workshop, we will be mainly discussing the "Virtual Patching" concept of using a
  
  WAF (ModSecurity in this case) and we will use the OWASP WebGoat app as the target.  In
  
  the workshop, we will talk virtual patching theory and then have hands-on labs where we
  
  will show how to use Mod to virtually patch the various WebGoat lessons.  As a side note -
  
  we will also have a section on the new CRS v2.0 when discussing negative security models. 
  
  So, if you want to come and dive into the deep-end of the pool and have fun using some of
  
  ModSecurity's advanced features (such as Lua and Content Injection) then sign-up now!

  Brian Rectanus and I hope to see you all in Vegas!!!  :)

1 Raindrop

• 

  On the Risk of Overfocusing on Seductive Details

  Posted: March 9th, 2010, 9:43am CST by Gunnar Peterson

  Tags:    [edit]

  Learning about security means understanding types of risk, and investors, specifically value investors, have a long demonstrated track record of framing ways to think about asset protection and making it actionable. Recently I've been reading James Montier, very impressed with his approach which is based on a pretty rigid process and objective checklists, here is an excerpt from a recent interview:

  Miguel: Let’s talk about the concept of seductive details…can you give us an example of how investors are trapped by irrelevant information?

  James Montier: The sheer amount of irrelevant information faced by investors is truly staggering. Today we find ourselves captives of the information age, anything you could possibly need to know seems to appear at the touch of keypad. However, rarely, if ever, do we stop and ask ourselves exactly what we need to know in order to make a good decision.

  Seductive details are the kind of information that seems important, but really isn’t. Let me give you an example. Today investors are surrounded by analysts who are experts in their fields. I once worked with an IT analyst who could take a PC apart in front of you, and tell you what every little bit did, fascinating stuff to be sure, but did it help make better investment decisions, clearly not. Did the analyst know anything at all about valuing a company or a stock, I’m afraid not. Yet he was immensely popular because he provided seductive details.

  In the infosec world the "seductive details" are threats, hollywood movie plots and the like that infosec people use to get funding. Meanwhile the real structural problems of the core assets (apps, data, identity) remain unaddressed whilst the security world chases the taillights of the latest threat du jour.

  Miguel: Interestingly you connect the dangers of irrelevant information to modern risk management. I’m referring to your comments on Value at Risk – “VAR is fundamentally flawed after all it cuts off the very it of the distribution that we are interested in: the tails! This is akin to buying a car with an airbag that is guaranteed to work unless you have a crash…” Can you tell us more?

  James Montier: Sure. Modern risk management is a farce; it is pseudoscience of the worst kind. The idea that the risk of an investment, or indeed, a portfolio of investments can be reduced to a single number is utter madness. In essence, the problem with risk management is that is assumes that volatility equals risk. Nothing could be further from the truth. Volatility creates opportunity. For instance, was the stock market more risky in 2007 or 2009? According to views of risk managers, 2007 was the less risky year, it had low volatility, which they happily fed into their risk models and concluded (falsely) that the world was a safe place to take risk. In contrast, these very same risk managers were staying that the world was exceptionally risky in 2009, and that one should be cutting back on risk. This is, of course, the complete opposite to what one should have been doing. In 2007, the evidence of a housing/credit bubble was plain to see, this suggested risk, valuations were high, it was time to scale back exposure. In 2009, bargains abounded, this was the perfect time to take ‘risk’ on, not to run away. Risk managers are the sorts of fellows that lend out umbrellas on fine days, and ask for them back when it starts to rain.

  The airbag that's guaranteed to work unless you get in accident is of course the network firewall, which "protects" your system until someone tries to attack it.

  For some strange reason, infosec is far removed from business realities. The layers of seductive details about threats create an artificial separation between what infosec spends its money and time on versus what the business invests its money and time in.

  By itself this misalignment would be a medium sized problem (there's plenty of wasteful IT spending, and infosec's penchant for overallocating on network toys is just another example). But what makes this a much larger problem is the lack efficacy of protection and detection mechanisms that only work so long as they are not attacked. The reason for this is that security architecture is removed from the core business assets (apps, data, identity) they are supposed to be protecting. Instead the protection and detection mechanisms must form fit to that which they are supposed to be protecting. The reasons air bags work is that they are very close to the asset they are protecting.

SEO BlackHat: Black Hat SEO Blog

• 

  Why 6th Place in Search Might Soon Be a Player

  Posted: March 9th, 2010, 8:02am CST by QuadsZilla

  Tags:  SEO   [edit]

  

  Right now, Ask, Bing, Yahoo and Google control 99% of the search market. In Europe, Google controls close to 90% of that.

  That sounds like about the same market penetration that lead to the EU decision to force MS to offer browser choice this month on new machines.

  But right now, most (all?) of those browsers default to Google search.

  Europeans need more choice. Just like they needed choice on the browsers. On new machines, after they download whichever browser, they need a screen with the top 6 search engines and to ask people who will be their default search provider.

  Even if the browser is Chrome.

  It’s only “fair.”

  What’s good for the Goose is good for the Google.

Schneier on Security

• 

  Guide to Microsoft Police Forensic Services

  Posted: March 9th, 2010, 6:59am CST

  Tags:    [edit]

  The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it: The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also...

funkatron.com

• 

  Links for 2010-03-08 [del.icio.us]

  Posted: March 9th, 2010, 2:00am CST

  Tags:    [edit]

  • OpenClipart Beta - OpenClipArt

  

terminal23

• 

  a flaw in the daemon (the book) system

  Posted: March 8th, 2010, 4:39pm CST by michael

  Tags:    [edit]

  I've recently finished reading Freedom, the sequel to Daemon by Daniel Suarez. I made a longer post which I have yet to clean up and release, but wanted to throw out this idea. (I highly recommend the books!)
  
  I just read a post on isc.sans.org about an SEO poisoning attack. This reminds me of all the efforts to legitimize malicious accounts, sites, and activities. For instance, want to avoid the malware-radars on Twitter? Make a ton of accounts, follow each other, and get a few dozen or hundred randomly posted tweets. You'll blend right in!
  
  (Tiny, TINY spoiler here for Daemon, but not for Freedom. I'm really not giving anything away that will spoil the plot.)
  
  In Daemon/Freedom, the daemon creates this new system which is based in part on reputation. As users in the daemon's system, you can vote up or vote down other users based on your interactions with them.
  
  This still suffers from problems of gaming the system, just like we see malware attempting to do today. You get enough "people" going, and you can inflate your scores. Likewise, this breaks down when you don't have people voting based only on rational reasons and instead vote on popularity or for irrational reasons. Ashton Kutcher was the first person to 1 million followers on Twitter. Would it be appropriate for him to be the most powerful user in any legitimate system that has real world ramifications? Probably not.
  
  

SEO BlackHat: Black Hat SEO Blog

• 

  Microsoft Cross Platform Flow

  Posted: March 8th, 2010, 3:35pm CST by QuadsZilla

  Tags:  SEO   [edit]

  

  Via download squad:

  It’s the same game, the same code, compiled to run on three different Microsoft devices. This type of thing really is going to be huge.

Schneier on Security

• 

  Google in The Onion

  Posted: March 8th, 2010, 2:24pm CST

  Tags:    [edit]

  Funny: MOUNTAIN VIEW, CA—Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday. "We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some...
• 

  Eating a Flash Drive

  Posted: March 8th, 2010, 11:00am CST

  Tags:    [edit]

  How not to destroy evidence: In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show. The article wasn't explicit about this -- odd, as it's the main question any reader would...

ha.ckers.org web application security lab

• 

  RSA Conference Wrapup

  Posted: March 8th, 2010, 10:45am CST by RSnake

  Tags:  General News   [edit]

  Well another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard as a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

  One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

  
  Click to enlarge

  But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and worse yet, it popped out of the Kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume there were no way around that for a second (and I’m not convinced of that, incidentally).

  Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this Kiosk intranet). So all I should need is some JavaScript malware to steal people’s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and just like magic, I have a way to steal conference registrant’s information. And there’s the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how it’s incredibly complex to build a truly secure browser based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Schneier on Security

• 

  De-Anonymizing Social Network Users

  Posted: March 8th, 2010, 6:13am CST

  Tags:    [edit]

  Interesting paper: "A Practical Attack to De-Anonymize Social Network Users." Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data. In this paper, we introduce...

Jeremiah Grossman

• 

  Best of Application Security (Friday, Mar. 5)

  Posted: March 7th, 2010, 9:20am CST by Jeremiah Grossman

  Tags:    [edit]

  Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
  

  • Verizon Incident Metrics Framework Released
  • Wiseguys net $25m in ticket scalping racket
  • State of Software Security Report
  • Internet Explorer 8 and the Security Development Lifecycle (SDL)
  • Top 10 Hacks of 2009 and WAF Mitigations
  • FTC alleges that ControlScan offered 'little or no verification' of site security or privacy
  • I’m in ur 4sq, snarfin ur password — Part I
  • Fifteen Common Activities from BSIMM2
  • Even if You Don’t Invent Your Own Crypto….It’s Still Hard
  • Facebook founder Mark Zuckerberg 'hacked into emails of rivals and journalists'

  
  
  WhiteHat Security is a leading provider of website security services.
  

Sunnet Beskerming Security Advisories

• 

  Microsoft Security Patch Release March 2010 Advance Notification

  Posted: March 6th, 2010, 8:43am CST

  Tags:    [edit]

  In February, Microsoft released a massive thirteen security bulletins, after January's single bulletin. This month, there are only two security bulletins expected, at least according to the Advance Notification that they have released for next week's bulletins.

  Both bulletins are rated as Important and are expected to address remote code execution vulnerabilities in Windows XP, Vista, 7, and Microsoft Office Excel and related components. The Office bulletin is also being made available for the OS X versions of Office, so it is important that OS X users also apply the updates when they are released next week.

  The publicly disclosed vulnerability with Windows Help files and VBScript remote code execution is not expected to be patched this month, but it is possible that an out-of-cycle patch could be released to address the issue.
  

  

Schneier on Security

• 

  Friday Squid Blogging: Squid Teapot

  Posted: March 5th, 2010, 4:32pm CST

  Tags:    [edit]

  Squid teapot. Could be squiddier....

Mark Curphey - SecurityBuddha.com

• 

  Farewell Security Buddha – Hello Curphey 2.0

  Posted: March 5th, 2010, 12:55pm CST by mcurphey

  Tags:    [edit]

  I openly admit I had a mis-spent youth. I was expelled from school and then went on a rampage of sex, drugs, booze and rock and roll for the best part of a decade. I lived hand to mouth and did everything from stacking yogurts in a yogurt factory (working nights), selling houses, working behind [...]

Schneier on Security

• 

  Another Interview with Me

  Posted: March 5th, 2010, 12:53pm CST

  Tags:    [edit]

  I gave this one two days ago, at the RSA Conference....

1 Raindrop

• 

  Web Services on SSL - Giving Attackers Room to Roam

  Posted: March 5th, 2010, 11:45am CST by Gunnar Peterson

  Tags:    [edit]

  At RSA conference this week, I gave two talks on building a margin of safety into your software. In various conversations during the week at least 25 different people brought up to me (unprompted) that they "just used SSL for security on their web services". Chris Walsh immediately picked up on the preposition that says it all - "security on your web services" instead of course security in your web services. Of the legions of vendors on display, I could count on one hand the ones that help you get security in web services or anything else for that matter.

  The other matter of course is the notion that the defender gets to choose the security model and define its efficacy. I find this notion a network security centric view at best; its quaint yet dangerous out moded thinking. 

  Web services are the primary way to integrate whether its web server to ESB or mobile device to web server. The attack surface is typically comprised of the HTTP channel, some application methods like HTTP verbs URLs, URIs, and the data like XML. 

   

  If you put SSL on your web service, then what confidence, if any, should the recipient have in the Data and Method? Where did it originate? What is protecting it? Has it been tampered with? and so on. These are all open, unaddressed questions, and the real problem is that blithely stating "we use SSL on our web services" is at best an opening in the security chess match, its not the end game, its the beginning of the game and the attacker has the next move. If your only web service security is on the channel, then there are vast spaces for the attacker to operate in.

  As the Cole Porter song goes - 

  Give me land lots of land, under starry skies above

  Don't fence me in

  Let me ride through the wide open country that I love

  Don't fence me in
   

  Putting SSL on your web service and calling it good leaves acres of space for attackers to roam How does this all end? I think we know. In the 90s people wrote web apps with similarly naive network centric trust models, and then they started to discover that their opening move of SSL and firewalls did zippo to defend against XSS, SQL Injection and friends. The defender's opening move does not decide the game, particularly when its weakly mapped to only one part of the attack surface (the communication channel). It took a few years for attackers to find all those holes left open in the web apps, and web services have been the dominant integration technology for mobile and other areas for a few year now, its just a matter of time til the naive trust on SSL network security breaks down. If you want to get busy on solving problems now, consider getting down to the message level as quickly as possible,

Schneier on Security

• 

  Mariposa Botnet Shut Down

  Posted: March 5th, 2010, 6:02am CST

  Tags:    [edit]

  The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet....

Suspekt...

• 

  Suhosin-Patch 0.9.9.1

  Posted: March 5th, 2010, 2:26am CST by Stefan Esser

  Tags:    [edit]

  Together with the release of PHP 5.3.2 by the PHP team I have released Suhosin-Patch 0.9.9.1 which comes with bugfixes and new features. The changes are:

  • fixed some crashbugs for IA64 architecture
  • check return value of mprotect() to ensure that memory is read only - credits: PAX Team
  • fixed mprotect() call - encrypted pointer was used in revoked 0.9.9 - credits: PAX Team
  • added additional hardening to destructor protection
  • added pointer obfuscation to memory manager

  The most important new feature is the pointer obfuscation inside the PHP memory manager. This mitigation makes it much harder to exploit lots of memory corruptions correctly. Pointer obfuscation is also used to protect the pointer to the read only configuration inside Suhosin-Patch that allows it to be configured by environment variables.