13597 items (0 unread) in 75 feeds
Watchfire Application Security Insider
sirdarckcat
Google Online Security Blog
Switch/Twitch
mybeNi websecurity
cat slave diary
Alex's Corner
Billy (BK) Rios
Chris Shiflett
christian's weblog
GNUCITIZEN
The Spanner
hackademix.net
Ruby on Rails Security Project
It's a shampoo world anyway
ha.ckers.org web application security lab
Yet Another Infosec Blog
PHP Security Blog
Sunnet Beskerming Security Advisories
Disenchant's Blog
Sylvan von Stuppe
Larholm.com
Jeremiah Grossman
Anurag Agarwal - Application Security Evangelist
Ivan Ristic
omg.wtf.bbq.
Tactical Web Application Security
.:Computer Defense:.
tssci security
Plynt Penetration Testing Blog
Security Retentive
Schneier on Security
Rational Survivability
terminal23
1 Raindrop
hiredhacker.com
Matasano Chargen
Michael on Security - Musings on Information Security
Fortify blog
GDS Security Blog
Vodun.org
Mark Curphey - SecurityBuddha.com
Liminal states
Security Ripcord
IBM Internet Security Systems Frequency X Blog
extern blog SensePost;
Zero in a bit
I have already blogged about AppScan's Glass box (IAST / Runtime Analysis) capabilities a while ago, but I've recently recorded a short demonstration of how to install and run a Glass box scan with IBM Security AppScan Standard.
Here's the Youtube movie (don't forget to watch it in 720p/HD, full screen)
In this, our third and final interview segment with Dan Guido, Co-Founder and CEO of Trail of Bits, Dan talks about security threats, and attack vectors that pose the greatest threat to enterprises today. Watch the interview below.
We also added in a quick summary to cover the highlights of the interview.
How can organizations prepare to face security threats?
Dan states that organizations should look at all the attacks that are happening in the industry they are in, (from peers, data releases from security companies), so they can learn from the lessons that other companies have experienced. Dan states that there is not enough sharing of information in the industry about attacker techniques, tactics and procedures that have been used to perform compromises. Companies need to collect and analyze attack data, understand what hackers are doing, and then utilize that information to develop defenses that work against the techniques being used. Security programs should be able to trace back to actual reductions in data loss.
Which attack vectors pose the greatest threat to enterprises today?
Dan stresses the importance of protecting the entire enterprise from threats, not just protecting one single application. That said, he also notes that attackers interested in financial fraud or credit card theft will be focused on compromising individual applications. To defend against them, enterprises may want to use dynamic web scanning, or source code auditing per application.
To view the other interviews with Dan Guido posted as part of this series, click on the links below.
1. Interview with Dan Guido on Vulnerabilities
2. Interview with Dan Guido on Mobile Platforms and BYOD
Let us know how you liked this interview series with Dan Guido, and if you have any suggestions for other hot topics you would like to see industry experts discuss.
Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. Obviously, mobile phones would not be able to provide the level of tamper-resistance that hardware tokens would, but I was interested to know how easy/hard it could be for a potential attacker to clone RSA SecureID software tokens. I used the Windows version of the RSA SecurID Software Token for Microsoft Windows version 4.10 for my analysis and discovered the following issues:
Device serial number of tokens can be calculated by a remote attacker :
Every instance of the installed SecurID software token application contains a hard drive plug-in (implemented in tokenstoreplugin.dll) that has a unique device serial number. This serial number can be used for "Device Binding" and the RSA documentation defines it as follows:
Reverse engineering the Hard-Disk plugin (tokenstoreplugin.dll) indicated that the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the above mentioned protection. Account SIDs can be enumerated in most of the Microsoft active directory based networks using publicly available tools, if the “enumeration of SAM accounts and shares” security setting was not set to disabled. Host names can be easily resolved using internal DNS or Microsoft RPC. The following figures show the device serial number generation code:“Before the software token is issued by RSA Authentication Manager, an additional extension attribute (<DeviceSerialNumber/>) can be added to the software token record to bind the software token to a specific devicedevice serial number is used to bind a token to a specific device. If the same user installs the application on a different computer, the user cannot import software tokens into the application because the hard drive plug-in on the second computer has a different device serial number from the one to which the user's tokens are bound”.
The SecureID device serial number calculation can be represented with the following formula:
device_serial_number=Left(SHA1(host_name+user_SID+“RSA Copyright 2008”),10)
Token's copy protection:
The software token information, including the secret seed value, is stored in a SQLite version 3 database file named RSASecurIDStorage under the “%USERPROFILE%Local SettingsApplication DataRSARSA SecurID Software Token Library” directory. This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: “RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer:
• Binding the database to the computer's primary hard disk drive
• Implementing the Windows Data Protection API (DPAPI)
These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI.”
The RSASecurIDStorage database file has two tables: PROPERTIES and TOKENS. The DatabaseKey and CryptoChecksum rows found in the PROPERTIES tables were found to be used for copy protection purpose as shown in the figure below:
Reverse engineering of the copy protection mechanism indicated that:
In order to counter the aforementioned issues, I would recommend the use of "trusted platform module" (TPM) bindings, which associates the software token with the TPM chip on the system (TPM chip for mobiles? there are vendors working on it).
We were very excited and honored to announce that our own CTO and Co-Founder, Chris Wysopal, had been appointed to the Black Hat Review Board where he will advise Black Hat on its strategic direction, assist in reviewing and programming conference content, and provide extended reach into the research community. According to Trey Lord, General Manager of Black Hat, Chris’s appointment reflects his long-standing contributions to Black Hat as well his stature as an influential subject matter expert in the industry. A prestigious group, the review board is comprised of 21 experts from many different areas of information security and includes such luminaries as Robert Hansen, Jeff Moss, Chris Hoff, Yuji Ukai, and Alex Stamos.
Black Hat (Las Vegas – July 21-26, 2012) provides briefings and training for security professionals from around the world. Black Hat differentiates itself by working at many levels within the corporate and government communities. This unmatched informational reach enables Black Hat attendees to be continuously aware of the newest vulnerabilities, defense mechanisms, and industry trends. Black Hat has grown over the past 15 years from a single annual conference in Las Vegas to a global conference series with annual events in Abu Dhabi, Barcelona, Las Vegas and Washington DC. It has also become a premiere venue for elite security researchers and the best security trainers to find their audience.
Congratulations Chris!
We are pleased to announce the release of a new version of our Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0. EMET it is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opt-ing in software to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied. Download it here: [www.microsoft.com]
This new version of the tool being released today addresses top feedback themes we have heard from users: EMET needs more enterprise configuration, deployment and reporting options. We have seen growing interest in adoption from enterprise and large scale networks and this new version includes enhancements for that segment. Here are some of the highlights of and new features in EMET 3.0.
Configuration
EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications. Under EMET’s installation directory, these files are in the
DeploymentProtection Profiles
folder. You can enable them as-is, modify them, or create new protection profiles based on them.
The three profiles that ship with EMET 3.0 are:
Looking inside a profile, we see a list of programs with EMET mitigations. The example below shows all EMET mitigations enabled for Windows Media Player, with the exception of Mandatory ASLR:
<Product Name="Windows Media player">
<Version Path="*Windows Media Playerwmplayer.exe">
<Mitigation Enabled="false" Name="MandatoryASLR"/>
</Version>
</Product>
Notice the “*” in the Path attribute above? In EMET 3.0, we also expanded the EMET grammar rules. Existing rules that you might have continue to work as-is and it is possible now to also use wildcards in EMET rules. This means that you no longer have to use the full path of an application in EMET rules. You can use the “*” character or simply use the image name, such as “iexplore.exe” in your rules. EMET will protect them regardless of where these applications may be installed. This has been one of the most requested features.
Deployment
EMET also comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.
For Group Policy: EMET includes an ADMX file that contains the three protection profiles mentioned above as policies that can be enabled/disabled through group policy. There is also a policy that demonstrates how to add custom EMET settings.
For System Center Configuration Manager: The SCCM team blog post this morning provides a package and instructions for integration with various SCCM features. Read that blog post here: [blogs.technet.com]
Reporting
With EMET 3.0, we have included an additional new reporting capability that we call "EMET Notifier". When you install EMET 3.0, this lightweight component is set to automatically start with Windows. It will show up in the notification area of your taskbar with an EMET 3.0 icon.
EMET Notifier has two duties:
EMET events are logged via the event source called EMET. These logs can be found in the Application log. There are three levels: Information, Warning and Error. Information messages are used for logging usual operation such as the EMET Notifier starting. Warning messages are used when EMET settings change. Error messages are used for logging cases where EMET stopped an application with one of its mitigations, which means an active attack has been blocked. An example entry can be seen below.
In addition to the error messages written to the Windows Event Log, when an EMET mitigation stops (crashes) an application by blocking an exploit, a message is displayed for the user. A toast style taskbar notification states which application is being stopped and which mitigation is causing EMET to stop it. You can see an example below.
Other EMET v3 developments
In addition to these features, EMET 3.0 comes with a number of other improvements and bug fixes. More details and a FAQ can be found in the User Guide that comes with the install. However, we would like to specifically highlight a couple of things here.
First, we have tested EMET 3.0 on the Windows 8 Consumer Preview and it works great - we encountered no problems at all so we encourage you to use EMET on all versions of Windows. Second, EMET 3.0 can be installed just fine on a system where EMET 2.1 (the previous release) was already installed. An upgrade or a new installation is no different. Your existing rules built for EMET 2.1 will continue to work just fine with EMET 3.0. Third, we would like to point out that EMET is an officially-supported Microsoft tool. That is a question we get a lot from enterprise customers. Microsoft's Customer Service & Support team offers forums-based support via [social.technet.microsoft.com]. We in MSRC Engineering are also very eager to promote EMET and help you use it so we are quick to respond to feedback, ideas, suggestions, or questions via switech -at- microsoft -dot- com. Please do not hesitate to reach out to us.
Acknowledgements
I would like to thank Chengyun Chu, Elias Bachaalany, Elia Florio, Jinwook Shin, Neil Sikka, and Nitin Kumar Goel for their various contributions to this release. Also a big thank you to Jason Githens and Hema Rajalakshmi from the System Center Configuration Manager team for their help and support.
- Suha Can, MSRC Engineering
In this second segment of the interview with Dan Guido, CEO and co-founder of Trail of Bits, Dan focuses on vulnerabilities in mobile devices, and shares the outcome of his research findings that he presented at SOURCE called “Mobile Exploit Intelligence Project”. Click Play to watch the interview.
Read below for a quick synopsis of the interview.
Is iOS the most secure platform?
Dan states that it’s definitely possible to exploit vulnerabilities in iOS. He then goes on to explain that it’s either too costly to do this or there are other mitigations that prevent this from happening. By disincentivizing the mobile malware community from performing malware attacks on the iOS platform using clever design choices, Apple demonstrated a different approach to tackle the problem of mobile malware. Dan concludes that Apple’s approach has been different and certainly a very effective response to the mobile malware problem
Dan mentions that trying to trace every single unique identifier for very single malicious application is neither effective nor intelligent, in addition to also being resource heavy on an organization.
What are your recommendations with respect to “bring your own device” policy?
Dan references his research presentation that he delivered at SOURCE Boston this year titled “Mobile Exploit Intelligence Project”. As part of the research, Dan collected a comprehensive database of every piece of mobile malware that affected iOS and Android. This research was used to draw conclusions as to what security measures would be effective if implemented on those devices to protect against the malware that currently exists in the wild.
He points out that there are not really any mobile security products in the market right now that can mitigate against these flaws. To have an effective BYOD policy, Dan states that you need to assume that your devices are compromised, no endpoint security products that can prevent your devices from being compromised. One possible solution Dan talks about is the concept of “secure containers” to store encrypted information on mobile devices. Dan’s colleague, Dino Dai Zovi has written a paper on how effective the data protection APIs are on iOS, and how it is somewhat tenable to create secure containers to store encrypted information in iOS.
CLICK HERE to view Dan’s presentation at SOURCE Boston titled “Mobile Exploit Intelligence Project”.
My talk at Secure 360 was on Process Not Outcomes, we've limited control over otucomes, but we can all improve our processes. One way to do this is with checklists. Checklists help us navigate complex domains and avoid mistakes around things that we know but don't apply.
One of the things that makes infosec an interesting field is the situation that I characterize as 50% gnarly, deep technical problems (think Kerberos) and 50% brain dead mistakes (think private keys in source code repository). You can fail by messing up either one, checklists are about avoiding the second class of mistakes.
The way that checklists are most effective is when you make them your checklists instead of blind adoption of industry top ten lists. Making it your checklist means mapping it to your development process, what must be done before promoting from dev, from test to prod and into operations.
Project Checklist has a great set of rules for writing effective checklists. Following the disciplines that they recommend forces hard choices on the infosec team to gather and prioritize items for the checklists that are actionable with clear, concise guidance. Importantly, it gets Infosec out of playing Dr. No and coming only with hugely time consuming and expensive solutions. Instead look to integrate the checklist into the development process, and make it simple enough for a developer to fill out in a short amount of time.
Hacktivity 2012 Call For Papers: Deadline June 1st
The 9th annual IT Security Festival for Central and Eastern Europe will be held in Hungary in late September. The Hacktivity 2012 conference/festival will bring together information security professionals from all of central Europe in an informal, educational, but highly technical form.
Papers for HACKTIVITY 2012 are now being solicited and we invite you to participate.
For more information see: [https:]
For a list of the 36 presentations done in 2011 see: [https:]
Like many other people, I try helping developing countries when I can. So to help boost GDP in Eastern Europe and Africa (or ‘redistribute the wealth’ if you will) here’s a quick tutorial that will help scammers get HSBC customers’ credit card numbers. All the steps below are done by the real HSBC, so you don’t even need to “fool” anyone.
An HSBC customer who has gone through this process before won’t be able to distinguish between you and the real HSBC. Customer that has not been through this process certainly won’t know better anyway. In fact, you can do it to HSBC employees and they won’t know.
All you need is a toll-free number for them to call (feel free to forward it to Nigeria). The nice thing about HSBC is that the process below is identical to how the real HSBC asks customers for information. In other words: HSBC is training their customers to follow this path. I propose a new term for HSBC’s method of breeding phish: spowning (spawn+p0wn).
Step 1:
Prepare an email that looks like:
Dear :
As a service to our customers and in an effort to protect their HSBC Premier MasterCard account, we are attempting to confirm recent charge activity or changes to the account.
Please contact the HSBC Premier Fraud Servicing Center to validate the activity at 1-888-206-5963 within the Continental United States. If you are calling from outside the United States, please call us collect at 716-841-7755.
If the activity is unauthorized, we will be able to close the account and reissue both a new account number and cards. Please use the Subject Reference Number below, when calling.
At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority. We appreciate your business and regret any inconvenience this may have caused you.
Sincerely,
Security & Fraud Risk HSBC USA
Alert ID Number : 10917558
Note: Emails sent to this repository will go unmonitored. Please do not reply to this email. —————————————– ************************************************************** This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. ************************************************************** “SAVE PAPER – THINK BEFORE YOU PRINT!”
Step 2:
Replace the phone numbers with your own. The above are HSBC’s.
Don’t worry about the ‘alert ID’. Just make something up. Unlike other credit cards, the caller (me, in this case) can’t use the alert ID to confirm this is really HSBC.
Step 3:
Blast this email. You’re bound to reach plenty of HSBC card holders. The rest you don’t care about anyway.
Main perk: Before the customer gets to speak to a human they need to enter full credit card number and 4 digit SSN. So even the most lazy scammer can at least get those.
For the overachieving scammers, have a human answer and ask for Card expiration and Full name on the card before agreeing to answer any other questions from the customer. This is all standard procedure at HSBC so customers shouldn’t be suspicious.
Oh, and if the customer who happens to be a security blogger tries to authenticate you back, tell them to hang up and call the number on the back of their card. That will shut them up.
At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority.
If it really was, you wouldn’t make me such an easy target for scammers. But thanks for playing.
Als ich vorhin den Text von Michael Hanfeld mit dem Titel Die schwarze Liste von Anonymous in der FAZ gelesen habe, bei dem es um eine schwarze Liste der Unterzeichner des Aufrufs Wir sind die Urheber! geht, die Anonymous erstellt haben soll, bin ich beim Lesen etwas stutzig geworden - und zwar genau an dem Punkt, an dem von Angriffen mit Mailbomben die Rede ist. Mit diesen Mailbomben soll die Webseite der Krimiautoren, die die Kampagne Ja zum Urheberrecht ins Leben gerufen haben, lahmgelegt worden sein. Die genaue Textpassage:
Die Website des halben Dutzend Krimiautoren, die sich das ausdachten, wurde mit einer Mailbombenattacke lahmgelegt, die Initiatoren wurden mit Hass-Mails eingedeckt und persönlich bedroht, sie haben Anzeige gegen unbekannt wegen Belästigung erstattet.
Während der letzte Teil für jeden, der im Netz seine Meinung äussert, schon fast als Ritterschlag gelten kann und zeigt, dass man ernst genommen wird, hege ich keinerlei Zweifel daran, dass die Autoren diese üblen Mails auch wirklich bekommen haben, glaube an den ersten Teil des Satzes einfach nicht und will auch kurz erklären, warum das so ist.
Eine Mailbombe kann, vereinfacht gesagt, so etwas sein wie eine gepackte Zip-Datei, die bei der Prüfung einer Antivirensoftware auf Schadcode ausgepackt werden muss und dafür sorgt, dass der Arbeitsspeicher des Rechners so belegt wird, dass keine weiteren Operationen mehr möglich sind. Damit ein Webserver davon betroffen ist, muss aber der Mailserver auf demselben Rechner sein, denn nur dann beeinflusst er überhaupt das Verhalten anderer Dienste. Wenn man sich aber mal genau ansieht, welche Mailserver für die Domains der Krimiautoren und der Kampagne zuständig ist, dann sieht man, dass dies ein vollkommen anderer Rechner ist als der, der die Webseiten ausliefert (was nicht wundert, ist das doch ein sogenannter Shared Host, auf dem viele verschiedene Domains gehostet werden).
Für mich steckt hier also schon der erste Fnord drin, der mich direkt zu weiteren Überlegungen bringt: Warum sollten sie lügen? Was haben sie davon, diese Geschichte so aufzuziehen?
Eine Frage, die sich in dem Kontext stellt, ist aber noch eine ganz andere: Warum machen die Krimiautoren im Rahmen des Urheberrechts eine Aktion, die so direkt Anonymous thematisiert? Man kann jetzt natürlich sagen, sie wollten einfach provozieren, wollten, dass die Anons genau so etwas machen. Aber was bringt ihnen das in der ganzen Urheberrechtsdebatte?
Thomans Stadler stellt heute in seinem Beitrag Wer koordiniert die Urheberrechtskampagne? eine Frage, die sich meiner Ansicht nach tatsächlich ergibt, denn da passiert grade etwas, was man so auch noch nicht gesehen hat: Eine Kampagne, die von vielen Seiten her Angriffe auf die vermeintlichen Feinde des Urheberrechts im Sinn hat und mal mehr, mal weniger deutlich macht, auf wen dieser Angriff konkret abzielt, aber letztendlich alles andere als eine Dialogbereitschaft zum Ausdruck bringt.
Der Subtext dieser Kampagne aber ist: Anonymität im Netz ist eine Bedrohung - für Urheber und für die Demokratie. Damit stimmen sie in die immer wieder geforderte Äusserung nach Deanonymisierung des Netzes und Vorratsdatenspeicherung ein, die auch von Seiten des Innenministeriums immer wieder zu vernehmen sind.
Der Zeitpunkt für diese Kampagne ist gut: Das Thema hat nach dem zornigen Interview mit Sven Regener im BR-Radiomagazin “Zündfunk” eine mediale Präsenz wie nie zuvor. Viele der Akteure, die sich seit Jahren mit dem Thema auseinander setzen, sind über den Raum, die diese Debatte endlich einnimmt, sehr froh - gibt es diese doch schon seit mehreren Jahren, und sie wird auch auf recht hohem Niveau geführt.
Neben vielen anderen Forderungen an ein modernes Urheberrechtssystem ist eine, dass diese Regelungen bürgerrechtsschonend sein sollen, also ohne Überwachung der Nutzer auskommt. Es sollte sich u.a. an dem System der Pauschalabgaben messen, welches seit Jahren als Abgabe auf Drucker, Festplatten usw. existiert, aber auf das Internet übertragen werden könnte (dies ist nur ein Aspekt und der Einfachheit halber starkt verkürzt). Eine der Ideen dafür ist eine Kulturflatrate oder der Ansatz Kulturwertmark, der sich zudem noch des Problems der Verteilung Pauschalen annimmt.
Diese Ideen für neue Pauschalvergütungssyteme bedrohen allerdings das bestehende und ruft damit Widerstand hervor. Wenn man z.B. mit Kulturpolikern spricht, so fällt einem auf, dass sie immer wieder gerne auf Systeme abheben, die nur funktionieren, wenn es keine anonyme und pauschale Nutzung gibt, sondern eine, die genau nachvollziehbar ist (ob und wie technisch überhaupt machbar sei mal dahin gestellt).
Und hier sehe ich auch den Zusammenhang der Kampagne: Es geht im Kern darum, Anonymität, die für uns im Alltag selbstverständlich ist, im Netz zu diskreditieren. Dabei wird sogar in dem FAZ-Artikel wenig stringent argumentiert:
Dass diese Daten aber nicht allein aus öffentlichen, leicht zugänglichen Quellen stammen, sondern das Ergebnis von Recherche und Aushorchung sind, kann man schon an dem Beispiel des Enthüllungsjournalisten Günter Wallraff sehen. Auch er, der aufgrund seiner Arbeit besonderen Wert darauf legen muss, nicht für jedermann identifizierbar zu sein, wird von der Anonymous-Gruppe, die diese Datei angelegt hat, als Zielperson aufgeführt.
Es wird also mit zweierlei Mass gemessen: Die gute Anonymität, die für einen Journalisten bei der Recherche nötig ist und die schlechte, die im Internet. Dass es dieselbe Seite derselben Medaille ist, kommt dem Schreiber dabei nicht in den Sinn. Jedenfalls geht es auch hier wieder darum, wie bösartig die Netz-Anonymität ist.
Aber ein System, dass die anonyme Nutzung im Internet unmöglich macht, benötigt ein Komponenten, die prinziell die komplette Nutzung protokollieren und deswegen auch so vehement von den Aktivisten bekämpft werden. Es gibt da auch keine VDS-Light-Lösungen, die nur bei urheberrechtlich geschütztem Material greift, auch wenn das einige denken mögen.
Noch einmal deutlich: Ich halte nichts von irgendwelchen Listen von Leuten, die andere Meinungen haben und diese öffentlich und nachdrücklich vertreten, im Gegenteil. Aber ich frage mich schon, ob diese Liste tatsächlich das ist, was der Artikel vorgibt. Denn wenn man sich diese Liste ansieht, so stammen die Daten nicht aus einem Hack wie bei Sony oder Stratfor, sondern aus öffentlich zugänglichen Quellen - auch im übrigen bei Wallraff. Und ob das wirklich Anonymous war, ein Angry Kid, das früher mal Stress mit Abmahnungen hatte und deswegen freidreht oder vielleicht auch einfach eine False Flag-Nummer, kann man nicht so einfach ermessen.
Egal wie, es ist weit weniger dramatisch, als es in dem Artikel dargestellt wurde, wobei ich verstehen kann, dass die Leute, die dort aufgeführt, vollkommen zu Recht wenig amüsiert sein dürften. Was aber eben schon auffällt ist, dass sich die ganze Debatte von Seiten der (im übrigen recht priviligierten) Urheber um das Thema Anonymität im Netz bzw. dessen Aufweichung dreht.
Nachtrag: Ob die Krimiautoren bewusst gelogen haben oder einfach nur nicht verstanden haben, was da passiert ist, vermag ich nicht zu sagen. Es ist aber einfach eine unsinnige Ansage.
Tags: anonymitaet, anon, urheberrecht
Data integrity is a fundamental component of information security. In its broadest use, “data integrity” refers to the accuracy and consistency of data stored in a database, data warehouse, data mart or other construct. The term – Data Integrity – can be used to describe a state, a process or a function – and is often used as a proxy for “data quality”.
Data with “integrity” is said to have a complete or whole structure. Data values are standardized according to a data model and/or data type. All characteristics of the data must be correct – including business rules, relations, dates, definitions and lineage – for data to be complete. Data integrity is imposed within a database when it is designed and is authenticated through the ongoing use of error checking and validation routines. As a simple example, to maintain data integrity numeric columns/cells should not accept alphabetic data.
Editor’s PickWhat is OWASP? Guide to the OWASP Application Security Top 10
What is a Buffer Overflow? Learn About Buffer Overrun Vulnerabilities, Exploits & Attacks
As a process, data integrity verifies that data has remained unaltered in transit from creation to reception. As a state or condition, Data Integrity is a measure of the validity and fidelity of a data object. As a function related to security, a data integrity service maintains information exactly as it was inputted, and is auditable to affirm its reliability. Data undergoes any number of operations in support of decision-making, such as capture, storage, retrieval, update and transfer. Data integrity can also be a performance measure during these operations based on the detected error rate.
Data must be kept free from corruption, modification or unauthorized disclosure to drive any number of mission-critical business processes with accuracy. Inaccuracies can occur either accidentally (e.g .through programming errors), or maliciously (e.g. through breaches or hacks). Database security professionals employ any number of practices to assure data integrity, including:
Software developers must also be concerned with data integrity. They can define integrity constraints to enforce business rules on data when entered into an application. Business rules specify conditions and relationships that must always be true, or must always be false. When a data integrity constraint is applied to a database table, all data in the table must conform to the corresponding rule.
James Montier talks about the flaws of finance that led to the 2008 crash - bad models, bad incentives and bad behavior.
Jeremy Grantham said that in response to 2008 we would learn a lot in the short term, a little in the mid term and in the long term nothing. That's the historical precedent.
In the last six months we've had the trifecta come back only a few years removed from the staring into the abyss in 2008, here is what's happened since last fall:
1. Rogue trader at UBS losing $4B (and CEO ouster)- bad behavior
2. 40-1 Leverage blowing up MF Global - bad incentive
3. VaR models losing $2 billion for JPM - bad models
Bingo!
The subject of my talk at Secure 360 was on checklists which are essential to make sure we're trying to avoid mistakes. So many people said in the wake of 2008 well the models were not really bad in isolation just people were dumb in how they applied them. One possible answer to this is - so what? If it doesn't work in practice then the answer is not more theory. Another answer is that isolation itself is the problem. It turns out - no, you need to build in process discipline and restraints to avoid mistakes.
We've the same problem in infosec where we need checklists to have the right information in the right person's hand at the right time.
At a minimum, identify the people who have the biggest impact on your security and you should have a checklist for the biggest security influencers:
This week’s special guest on Better Know a WebDev, K Lars Lohn!
Officially, I am the the Software Architect for the Socorro project. Unofficially, I spread chaos and confusion as a self proclaimed Cowboy Programmer. I proudly stand as the only member of Webdev that does no Web development. My work is all behind the scenes at the server and daemon level.
Socorro was handed to me in May of 2008 as a non-working system that needed to be functional for the June Firefox 3 launch. Even with short schedule, I met the deadline, but the result was a pure unadulterated hack. With ambiguous to nonexistent specs, I continued development as a solo performance art piece. Some features still in use today went from concept to production in less than thirty minutes. Eventually, a team formed around me and we began the slow process of applying standards and retroactive forethought to the codebase. Today the system serves terabytes of data and handles millions of transactions per day.
Any fun side projects you’re working on?All of my side projects are fun, but they’re not all software related:
I’ve been captivated by computers and programming since 1974 when my high school math lab got its first timeshare account on the local university mainframe. I wrote games. By 1992, I had educated myself out of the local job market moving to the proverbial Silicon Forest of Oregon.
My first actual Web development project was in 1999 when I opened the nursery. Written in C++ with Rogue Wave and Microsoft tools, it was brittle, but fast. I rewrote the system in 2002 using an open source stack: Python, Apache and Postgres. In the era of Netscape and IE6, I learned very quickly that I am not a user interface designer: getting a consistent and aesthetic user experience is hard. My career doing user facing web design mercifully ended when I sold the retail part of the nursery business in 2007.
How did you get involved with Mozilla?In the mid aughts, I worked for Oregon State University at the Open Source Lab. My fearless leader volunteered me to work on Mozilla projects. At the time, Mozilla was primarily hosted at the OSL. On leaving the University in 2006, I ran into Shrep, then CTO of Mozilla, at OSCON and he offered me contract work. I converted to full time employment in 2008.
What’s a funny fail or mistake story you can share?I was asked to review the work being done in Ramora, a version of AMO. I thought what they were doing with MySQL was absurd and I expressed the sentiment giving some suggestions as to an alternative direction that could work better. I also recall pointing out the flaws in my own method: too many joins for MySOL to handle. I expected to start a lively discussion, but the debate never came and I forgot about it. I was horrified to discover a month later that my word had been taken as gospel. It was implemented and sent to production, warts and all. I shudder to think of how long it took the AMO team to undo that ill advice.
What’s something you’re particularly proud of?I was instrumental in the creation of DBTools.h++, an object oriented database abstraction class library in C++ for Rogue Wave Software in the early nineties. Think of it as a C++ version of SQLAlchemy, created ten years before that software came into existence. The class library became very popular with phone companies, airlines and investment banks. This evolved into a lucrative career for me later in the decade doing lectures and code reviews for Rogue Wave customers. Imagine me in my Harley t-shirt and jeans walking into a Wall Street investment bank ready to critique code written by the suits…
What’s coming up that you’re excited about?In Socorro-land, I’m excited about the adoption of Configman. The project started as a unification library for configuration and became a dependency injection framework. With the ability to load classes at run time, Socorro will be able drop in storage schemes, alternative processing algorithms, or swap out any number of other subsystems. Configman is the key that gives Socorro the ability to scale from a tiny installation receiving a handful of crashes per day, to huge systems like ours that processes millions.
What question do you wish you’d been asked?There is great wisdom in the aphorism, “everything old is new again”. Just like most aspects of human endeavor, programming is subject to the whims of fashion. Perfectly legitimate languages and engineering practices fall from favor because something new and shiny comes around. The old technologies are a gold mine of ideas and techniques that can solve today’s problems. Take time to explore Lisp, Smalltalk, APL or even Fortran. Don’t let dogma limit freedom of expression. Monoculture is a bad idea in software engineering just like it is in agriculture.
What kind of app do you want to see on Boot2Gecko?Good Lord, I can’t just think of just one. I want a full spectrum of apps on B2G. GTD (Getting Things Done) software plays an important part in my daily life. Omnifocus is what keeps me tethered to iOS. Liberate me!
Happy Friday all! Make the day go by a little faster by taking some time out to catch up with a few highlights from this week’s news stories:
Twitter In The News: An interesting occurrence with Twitter this week was the supposed hack that resulted in the posting of over 50,000 user names and passwords online. An initial report by John Mello in PC World reported that “some of the accounts are duds created by robot programs.” Jay Alabaster said in a later article posted in ComputerWorld that, “None of the recently leaked Twitter logins and passwords came from within the company, according to a message posted on Twitter’s Japanese blog Thursday,” after it was determined that the posted accounts were duplicates, unmatched credentials, and spam accounts.
Editor’s PickNutshell">HTML5 Security in a Nutshell
Deadly Combo: Zero Day Application Vulnerability + OS Vulnerability = Attacker Win
New Unit of Reviewed Code Quality
How To Protect Your Users From Password Theft
A Financial Model for Application Security Debt
Spike in SQL Injection attacks: A mass increase of the number of SQL Injection attacks has occurred. A Dark Reading article by Ericka Chickowski reports that researchers have found that there has been a spike in automated SQLi attacks, which are being used by hackers to seek out sites that are vulnerable to the attack, who then sell the information in a monetization process. Organizations are being warned to keep up with patches, monitor applications, and use appropriate security measures. More information about Veracode and SQL Injection, as well as how you can protect yourself can be found here.
BYOD: A recently trending issue in the security world is BYOD. As reported by Ellen Messmer in PC World, a new survey “shows wildly abundant use of mobile devices, but profound concerns about security and how employee-owned devices ought to be used for business purposes.” It is also found that, “One-third of the IT professionals in the survey reported their company has already experienced some type of security threat associated with personal mobile devices accessing corporate data.”
Vulnerability in PHP: A very large number of sites using PHP scripting language are currently endangered by an unpatched vulnerability in the code, writes Dan Gooding in Arstechnica. The weakness allows hackers to remotely take control of servers when the PHP sites are running CGI (not FastCGI). Even worse, the full details of the exploit went public, providing hackers with all the information they need to locate and take advantage of the vulnerabilities. There are updates and patches available to mitigate the risk.
Keeping the London Olympics safe from cyber attacks: With the threat of cyber attacks on the 2012 Summer Olympics in London, Atos, the IT outsource for the games, has wrapped up its first round of testing writes Anh Nguyen. He further reports that, “The CIO for the London Organizing Committee for the Olympic Games (LOCOG) said last year that cyber criminals would find it ‘very hard’ to launch a distributed denial of service (DDoS) attack on the Games’ website.”
We recently sat down with Dan Guido, CEO and Co-Founder of Trail of Bits at SOURCE Boston 2012, to get his views on topics related to application security. In the first of a three part segment, Dan’s commentary focuses on vulnerabilities in general. You can watch the interview here.
We’ve also included a short recap of highlights of the interview in this post.
How can organizations better communicate around vulnerabilities?
Dan details the behavioral problem that exists in most organizations today when vulnerabilities are found in software. He notes that organizations are very concerned about individual vulnerabilities, not as much about the reasons as to why the vulnerabilities exist. Dan notes that mitigation efforts should be focused around classes of vulnerabilities, not the individual vulnerabilities that are found.
Which vulnerabilities matter most on the web?
Dan talks about the disparity between the vulnerabilities that the security industry focuses on vs. vulnerabilities that hackers care about. He further goes on to mention that vulnerabilities that matter most on the web are the ones that gain the hacker a shell on a server, like SQL Injection or remote command execution.
Should different businesses focus on different vulnerabilities?
Dan focuses on the vulnerabilities organizations should care about, depending on the type of business model they use. For instance, a service provider whose customers have individual user accounts or a social networking websites like Facebook should care about Cross-site scripting (XSS). On the other hand, SQL Injection attacks have increased in frequency, and should be on every organization’s watch list.
Stay tuned for more sessions with Dan Guido which we will be showcasing next week on our blog.
NOPcon is a non-profit and free hacker conference which will be held in Istanbul, TURKEY on the 21 May.
The conference will be the first technical and international hacker conference in Istanbul. The conference aims to learn and exchange ideas and experiences between researchers , consultants and developers.
SPEAKERS
Moti Joseph – “Advanced Browser Exploiting”
Mohhammad Hluchan – “Militarization of Hacking and the New Cyber Arms Race in the Middle East”
Sertan Kolat – “Attacking iOS Applications”
Yasin Surer – “Kernel Exploiting”
Mert Sarica – “Attacking Android Applications”
Nebi Senol Yilmaz – “Defeating DDOS in FreeBSD Kernel”
Melih Tas – “Penetration Testing VOIP”
Ozan Ucar – “Real-world Penetration Testing Examples [Workshop]”
Evren Yalcin – “Advanced Web Application Security [Workshop]”
Celil Unuver – “SCADA (in)Security”
Registration
Registration for the conference can be made at free: [www.nopcon.org]
First, some background on CREST in the form of blatant plagiarism...
CREST — The Council for Registered Ethical Security Testers - exists to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing capability. They provide globally recognised, up to date certifications for organisations and individuals providing penetration testing services.
For organisations, CREST provides a provable validation of security testing methodologies and practices, aiding with client engagement and procurement processes, and proving that your company is committed to providing testing services to the highest standard.
For individuals, CREST provides an industry leading qualification and career path for security penetration testers. By gaining a CREST certification you are proving that you are committed to your professional development in security testing.
CREST has been serving the industry as a pivotal player in the Penetration Testing landscape for many years now, and has also recently established a government-approved chapter in Australia.
There have been numerous discussions about CREST in South Africa over the years and we believe now is the time to take the conversation further. Ian Glover - President of CREST - will be in South Africa next week to deliver a presentation at the ITWeb Security Summit in Johannesburg, and this affords interested parties and excellent opportunity to discuss the concept with him.
With the support of ITWeb we're setting up a workshop to be held at the Sandton Convention Center from 10h00 to 12h00 on Thursday 17 May to meet with Ian, understand the process, and discuss a possible path forward.
Interested parties, whether from testing companies or clients, should please RSVP by commenting on this post (we'll keep it private) or mailing us via info <at> sensepost <dot> com.
Be part of the discussion. We look forward to hearing from you!
This year, for the fourth time, myself and some others here at SensePost have worked together with the team from ITWeb in the planning of their annual Security Summit. A commercial conference is always (I suspect) a delicate balance between the different drivers from business, technology and 'industry', but this year's event is definitely our best effort thus far. ITWeb has more than ever acknowledged the centrality of good, objective content and has worked closely with us as the Technical Committee and their various sponsors to strike the optimal balance. I don't think we have it 100% right yet, and there are some improvements and initiatives that will unfortunately only manifest at next year's event, but this year's program (here and here) is nevertheless first class and comparable with almost anything else I've seen.
Dominic White was interviewed for a short video that sums it all up quite nicely.
This year's Summit explores the idea that trust in CyberSpace is "broken" and that, one for one, all the pillars we relied on to tame the Internet and make it a safe place to do business in, have failed. Basically the event poses the question: "What now"?<Shameless plug>If you're in South Africa, and you haven't registered, I highly recommend that you do</Shameless plug>
We've tried hard to get all our speakers to align in some way with this theme. Sadly, as is often he case, we had fewer submissions from local experts then we hoped, but we were able to round up a pretty killer program, including an VIP list of visiting stars.
After the plenaries each day, the program is divided into themed tracks where talks on a topic are grouped together. Where possible we've tried to include as many different perspectives and opinions as possible. Here's a brief summary of my personal highlights:
Plenaries:
Its gonna be excellent. See you there!
With a goal of helping people understand the overall state of application security, Chris Wysopal, Veracode’s CTO and Co-Founder, recently gave a webinar, “Data Mining a Mountain of Zero-Day Vulnerabilities.” Chris examined the anonymized vulnerability data set produced by Veracode over the course of our analysis of thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers. This data set generated interesting observations about application security in various industry verticals, and common mistakes developers make when coding software.
The webinar enjoyed ample audience participation and response, including a few questions submitted by attendees which did not get addressed live on the webinar due to time constraints. Below we highlight a few of those.
Editor’s PickPossible PlayStation Network Attack Vectors
MBTA Hack: Is It Really This Easy?
Learning From Sarah Palin’s Yahoo Mail Compromise
Q: Of the software development houses that are producing these “vulnerable” applications, how many of them have a security assessment phase in their development life-cycle?
Wysopal: The software developers do not disclose to us what security they perform in the SDLC. It is likely that those who have robust programs are the ones passing our test and the ones with no programs are failing but that is just a hypothesis. We would need to ask each customer what application security processes they are performing.
Q: Did you study look at the platform or Operating System upon which the application executes as a factor?
Wysopal: No it does not. For most application layer vulnerabilities this does not matter however.
Q: Can you define the “information leakage” vulnerability? Is there a catalog describing all the vulnerabilities commented in this presentation?
Wysopal: Information leakage happens when sensitive information is displayed to the user inadvertently. An example would be pathnames or database IP addresses returned within an error message to a user. An attacker can use this information to attack the system. The MITRE CWE website catalogs application vulnerabilities. Here is an example: [cwe.mitre.org]
Q: Of all of the vulnerabilities you find in these applications, which is the most easily exploited ?
Wysopal: The top 4 exploited as determined by the Web Hacking Incident Database are :
1. SQL Injection
2. Cross site scripting
3. Information leakage
4. Command injections
Other reports have ranked directory traversal as another often exploited vulnerability.
Q: Once you complete your testing for a company, what is the usual request/reaction from the business and do you provide them a solution regarding how to make their environment more secure?
Wysopal: Veracode provides a remediation roadmap which includes prioritization and information on how to remediate each specific issue. Some organizations remediate and others choose not to. It depends on the severity of the issues and the businesses tolerance for risk.
Q: The total of Percentage of Hacks seems to be low in the below slide. What methods of attack make up the other 64%?
Wysopal: According to the Web Hacking Incident Database, the other top attack methods are the following:
Less than 1%:
If you have any additional questions for Chris Wysopal on this subject, feel free to send them over.
To get a recorded video of the webinar with slides, click here.
I am a better Security Pro because I am an Investor & I am a better Investor Because I am a Security Pro. - Why investing is important, and why Security Pros are uniquely suited to it
Society of Information Risk Analysts Conference
By Gunnar Peterson
May 7, 2012
Thanks to Jay Jacobs for allowing me to speak on this topic. I am going to take you a little off track but I hope the journey will be worthwhile from personal and professional development standpoint, we will return in due time to infosec topics.
Effective information security and investing require similar skills - risk management is the obvious one but it goes way deeper than that.
First, good investors foster a defensive mindset - they know they are playing a losers game and act accordingly.
Next, investors deal with data ( but only to a point) - investors have great historical data and next to nothing about the future risks - sound familiar?
Last, "Hacking the system" mentality pays off - good investors find obscure features nobody cares to see and figure out how to exploit it.
What I really want to talk about is the shared mindset of successful investors and what infosec can learn from it. I would like to offer my thoughts on this and leave plenty of time for Q&A and open discussion.
Learning about and practicing investing offers security pros concrete benefits - on a personal level protecting money (always welcome), but really we're used to thinking in terms of retirement pensions and this is no longer the case. Most everyone will need to manage their own retirement, start now; finally there is a professional benefit in the sense that once you understand the capital dynamics of certain business decisions that formerly made zero sense become crystal clear with an capital allocation hat on.
Part 1. Why You Should Care
What's one of the most common complaints in infosec? managers, developers, execs don't understand the threats, the state of the vulnerabilities and the assets in play. in short they don't understand the risks they are taking they simply stick with status quo, kicking the can down the road.
However it turns out that in our own lives most infosec people do the exact same thing with their own family balance sheet.
Most of the people in this room are probably not saving enough for their own retirement. there are good reasons for why this is happening, people never learned to save and invest. America's track record on saving is awful. and in the old days investing did not matter so much and so it was not a skill passed down the generational tree. For one thing, people would rely on their company to take care of them, they used to have pensions. Anyone here have a pension they are counting on? Hands? Bueller?
So we cannot rely on pensions, what's next well there is the government and social security, medicare, medicaid and so on, however we saw in 2008 as well as last year in the debt ceiling showdown precisely how little value add the "management" in DC brings to the table to protecting your assets. I am sure we are all somewhere on the priority list but there is a long line of lobbyists and lawyers ahead of us.
It turns out that financial planning has the same problem to solve as infosec, getting people to envision their future self and act accordingly.
The Wall St Journal reported on a set of studies to see if people would turn from spenders to savers if they looked through VR at their older self. What would your older self want you to do? Buy that humungous TV or put some money away for a rainy day?
For some perspective, China's saving rate is close to 50%, while the US hovers close to zero percent. This study showed that people's willingness to save increased when looking at their future selves. Jim Rogers has a great practice on saving - when you think of buying something today, simply multiply its cost by twenty to see how much it will be worth down the road when you are retired. A dinner out is "only" $75, but would you still go out to eat if you figured the cost at $1,500? Warren Buffett pithily sums this up as - do I really need a $300,000 haircut?
A shocking number of professional people have said to me over the years, I know you are into investing but I don't have time and/or interest to do that. Hello? To that I would quote - Deming you may not be interested in the future, but the future is most certainly interested in you. Whenever you decide to allocate a percentage of your income to you 401k, IRA or whatever versus spending versus debt like home and student loans, you already are making these decisions today. The only question is are you making them consciously or are you kicking the can down the road like so many middle managers we all deal with from 9-5 M-F who fob off the hard decisions until a tomorrow (they think) never comes. Hope is not a strategy.
To be clear, when I say I am going to talk about investment, I am not talking about short term trading. When I talk about investing I mean 3-5 year time horizons or more. This context is important because the financial world is filled with short term thinkers where close of business this Friday is considered long term.
In terms of investment strategy, most people save too little and what they save they put into a mutual fund. Again this common practice sets you up for future failure. First consider that 80% of mutual funds underperform the S&P 500 index, and that is before fees. Gains in the stock market are temporary but fees are forever. Charlie Munger said on Saturday if you are reviewing an investment and the fees are too high don't even read the prospectus - run. Fees are a tapeworm that eat your returns (if you are lucky enough to have any in the first place), Paying a Management fee of 2% over 20 years in a mutual fund is identical to paying a 33% upfront load. You would never think about doing the latter, so you should avoid the former. individuals should defend against fees and regularly review the cost structure.
Instead, we're lucky that Jack Bogle at Vanguard [1] in the 1970s invented the low cost index fund to solve precisely this problem for individual investors. If you are like many people I have talked with over the years and don't want to spend time and don't care much about investing, then low cost index funds that allow you to "buy the whole market return" at a very low cost are where you should focus. Still I hope you will stay for the rest of this talk.
Part 2. Defensive Mindset
Now that we've looked at why you should care, let's consider some of the advantages a career in infosec may give you over the general population. Part two of this talk is on the defensive mindset which is of course a requirement on some level for everyone in infosec.
In infosec, we are constantly bombarded by people wanting to ship risky products and we're faced with daily challenges as to what, where and how to both assess the risk and figure out how to protect our companies' assets.
In investment, every single day there is a barrage of information on CNBC and the like of hot new companies that will manage your facebook follower, keep you social media up to date, check you in for your flight and cure cancer all at the same time, now wouldn't you want to pay $500 a share for that?
The question in both cases is not can i believe these claims, but rather must i believe these claims that I am being presented with?
Asking these questions in infosec is why infosec people are not the most popular in their companies. Its reminiscent of what Warren Buffett described what the role of the chairman of the Federal Reserve should be, which is to take away the punch bowl right when the party gets started. Everyone thinks that they can stop dancing right 11:59 pm, but at midnight someone is still dancing and it all goes to pumpkins and mice.
Despite not winning popularity contests, Infosec people should take heart from the great value investor Jean Marie Eveillard. He famously refused to buy tech stocks during the dotcom hey day saying - I would rather lose half my clients than half my client's money.
In infosec, we won't be the most popular across the organization but we're paid to find ways to protect assets not win beauty pageants.
Steven Sears [2] in his great new book The Indomitable Investor says bad investors try to make money, good investors try to think of ways not to lose money.
Like good investors, Infosec people should recognize we're playing a loser's game.
Charley Ellis looked at studies of professional tennis which pointed out that professional tennis is a “winner’s game,” in which the match goes to the player who’s able to hit the most winners: fast-paced, well-placed shots that his opponent can’t return. But the tennis the rest of us play is a “loser’s game,” with the match going to the player who hits the fewest losers. The winner just keeps the ball in play until the loser hits it into the net or off the court. In other words, in amateur tennis, points aren’t won; they’re lost. A loss-avoidance strategy the version of tennis amateurs try to play.
Howard Marks [3] applied this idea it to investments. "on market efficiency and the high cost of trading led him to conclude that the pursuit of winners is unlikely to pay off. Instead, you should try to avoid hitting losers. I found this view of investing absolutely compelling. I can’t remember saying, “Eureka; that’s the approach for me,” but the developments over the last three decades certainly suggest his article was an important source of my inspiration.
Because of his conviction that markets are efficient, Charley recommended passive investing as the best way to end up the winner – let others try the tough shots and fail. Our view is a little different. Although we believe in the existence of inefficient markets as well as efficient ones, we still view the avoidance of losers as a wonderful foundation for investment success. Thus we diversify our portfolios, limit the fundamental risk we’ll take, try to buy things that provide downside protection, and emphasize senior securities. We, too, try to win by not losing."
So the defensive mindset pays off in investing and in infosec. Protect the downside. The question for infosec people is what and where should we defend. our systems are so complex, this question matters a lot.
In infosec a good game to play is if you have a $100 to spend where should you spend it? Unfortunately today, probably $40 goes to firewalls, $30 to antivirus and a chunk of the rest goes to so-called risk assessments that tell you whether or not spending 70% of your budget on legacy technology is a good idea.
If we can focus on efficacy not legacy where should we invest our mythical $100, what should we defend? Lots of people say its threats, threats, and more threats. And they say they give me $120 to do it. These people will always get some funding because they have great stories, and people love stories for the same reason people would pay $300/share for nonsense companies pets.com during the dotcom phase. Dotcom was a great story in 1999 and cyberwar or cybersecurity anything is a great story today, however this does not mean that throwing money at threats is the best use of your time, capital and resources.
We'll always have threats, yes we need to focus on them but not solely; if you have something someone else wants threats are never going to zero. Its better to focus on the thing you have that someone else wants and where you should have a knowledge advantage - your assets.
What matters in investing and what matters in infosec is building margins of safety. Assume failure. This is stark contrast to how the rest of your business operates and its a valuable service that infosec provides when its done constructively.
When we're faced with such complex IT systems and increasingly complicated business structures and supply chains where should infosec people focus their time and energy? And further, what's the main thing to protect? Is it financial or intellectual property or the transactional backbone or the supply chain? It varies on an industry by industry basis, so much in infosec is driven by the financial industry that if a martian visited earth, they would think the entire information security reason for being is to protect credit card numbers.
Certainly, for companies in that industry it is job one, but other companies have vastly different concerns. Financial data is not the sum total of information security. A better way to model this in my view is to look at competitive advantage, so a financial fraud isn't necessarily a game changer for financial institutions because those domains have fraud hard wired into their models. If it gets above a certain level then its a problem. But in the case of events that eat into a firm's long term competitive advantage then its a different story, stealing intellectual property and locking your company out of a market, so you can't sell your products there against a local entity that uses your designs which they stole. For some companies its not financial data or IP as their biggest competitive advantage, though/ There's not a universal model the same way measuring financial fraud isn't applicable to a biotech, there are only domain models.
So in our job infosec to figure out what should we defend? The investment world has some answers for us here.
Buffett says “The key to investing is ..." as an aside, any time one of the world's greatest investors starts out with 'the key to investing is' you really want to hang around for the end of the sentence.
“The key to investing is ..." Buffett says is "determining the competitive advantage of any given company and, above all, the durability of that advantage.”
Probably the best work on this is done by Morningstar[4] which pioneered the concept called moats (patterned on Michael Porter's work on competitive advantage)
Morningstar identified five kinds of moats
1. Low Cost producer: better profit margins through lower cost, example Walmart
2. High Switching Costs: disincentive for a customer to switch to competitor leads to customer retention and pricing power example banks or proprietary software
3. Network Effect: virtuous cycle where the network gets more valuable the more people use it example Google
4. Intangible Assets : brands, IP, trademarks, patents, government agreements
5. Efficient Scale: a limited market served by small number of vendors example Lockheed Martin - you only need one nextgen strike fighter supplier
When I teach secure coding to developers, most of the examples we use to say show SQL injection works involve stealing credit cards. So I joke that stealing credit cards is the "Hello World" of computer security, I stole the cards out of the database so now I know how SQL Injection works, but of course this is not the end of the story just like Hello World isn't everything you need to know to write Python.
Businesses that have one of the above types of moats have widely different assets that they require to ensure their moats endure, the old school notion of breach does not pertain directly to most of their competitive advantage, but its more than just IP that's only one type of moat and most businesses don't have IP moats. So the campaigns to be concerned about are the ones targeted at your business' moat and for us to begin to value those that requires at least five different models to analyze across industries.
This is a core lesson - defenders who try to defend everywhere defend nowhere. You have to pick your spots. The two most important things in infosec are Identifying what kind of moat your business has and then defending that moat.
From identifying the oat type the lesson for infosec is clear: Making the moat around the castle wider, deeper and filling it with alligators. Defend the moat.
Be defensive - remember Howard Marks - there are old investors and there are bold investors, but there are no old, bold investors.
Part 3. Dealing with Data
One of the most fun things in life is to steal models out of one knowledge silo and adapt it for use in another. Steal models, but please steal ones that at least work in their own domain, before trying to apply them in infosec.
People in general have a hard time admitting that they don't know something, however this is at least as important as recognizing what you think you know.
Howard Marks calls this the "I know" school versus the "I don't know" school
"One thing each market participant has to decide is whether he (or she) does or does not believe in the ability to see into the future: the “I know” school versus the “I don’t know” school. The ramifications of this decision are enormous.
If you know what lies ahead, you’ll feel free to invest aggressively, to concentrate positions in the assets you think will do best, and to actively time the market, moving in and out of asset classes as your opinion of their prospects waxes and wanes. If you feel the future isn’t knowable, on the other hand, you’ll invest defensively, acting to avoid losses rather than maximize gains, diversifying more thoroughly, and eschewing efforts at adroit timing.
Of course, I feel strongly that the latter course is the right one. I don’t think many people know more than the consensus about the future of economies and markets. I don’t think markets will ever cease to surprise, or thus that they can be timed. And I think avoiding losses is much more important than pursuing major gains if one is to achieve the absolute prerequisite for investment success: survival."
For infosec, the different mindset required for survivability is clear from Howard Lipson's 3 R's of Survivability [5] - Resistance - ability of a system to repel attacks, Recognition - ability to recognize attacks and the extent of the damage, and Recovery - ability to restore essential services during attack, and recover full services after attack
The notion of risk is certainly at heart of this, Pat Dorsey [6] recently wrote an insightful piece on this point, he wrote that risk means different things to different people
"a little bit like discussing the existence of God with a theologian. An academic says risk is volatility--the more an asset bounces around in price, the riskier it is.
A mutual fund manager might say it's career risk. If he lags his benchmark for too long, he gets fired.
An individual might frame it as pain. Of course, we feel losses much more than we value gains. So just seeing your portfolio go down is a lot of risk.
And of course Warren Buffett would just define it as permanent capital impairment--the odds that an asset's value will go down and never recover.
Those are pretty different notions."
In my view, these varying definitions of risk are at the heart of what we saw in 2008. In particular, academic models of risk as volatility were hard wired into trading algorithms, and then further juiced by leverage (up 30x-40x leverage!). The risk as volatility assumption by itself would have just led to dumb trades and losses. But with the extra weight and status of the false precision that academic models can provide, this gave large institutions the courage to lever up 40 to 1 and this turned bad trades into catastrophes and meltdowns. Overconfidence in what one could count and ignoring what one couldn't model.
In the late 1990s, Long Term Capital Management (an early hedge fund) almost blew up the financial system a la 2008 crisis. This fund was run by a small cadre of the smartest people in the business, who had most of their own money in the fund, the staff included two Nobel prize winners (Merton and Scholes) whose work is at the center of modern financial and risk theory, and they went bankrupt very quickly. This is a fascinating story recounted in Roger Lowenstein's "When Genius Failed", and its essential to read it to understand the limitations of models, exactly how the way models are used and the false confidence they create leads to failure. The counterweight to any model is embedding it inside rigid process to enforce sane behavior and limit risk taking.
From Howard Marks in the The Most Important Thing:
"According to the academicians who developed capital market theory, risk equals volatility, because volatility indicates the unreliability of an investment. I take great issue with this definition of risk.
It’s my view that — knowingly or unknowingly — academicians settled on volatility as the proxy for risk as a matter of convenience. They needed a number for their calculations that was objective and could be ascertained historically and extrapolated into the future. Volatility fits the bill, and most of the other types of risk do not. The problem with all of this, however, is that I just don’t think volatility is the risk most investors care about.
There are many kinds of risk. . . . But volatility may be the least relevant of them all. Theory says investors demand more return from investments that are more volatile. But for the market to set the prices for investments such that more volatile investments will appear likely to produce higher returns, there have to be people demanding that relationship, and I haven’t met them yet. I’ve never heard anyone at Oaktree — or anywhere else, for that matter — say, “I won’t buy it, because its price might show big fluctuations,” or “I won’t buy it, because it might have a down quarter.” Thus, it’s hard for me to believe volatility is the risk investors factor in when setting prices and prospective returns.
Rather than volatility, I think people decline to make investments primarily because they’re worried about a loss of capital or an unacceptably low return. To me, “I need more upside potential because I’m afraid I could lose money” makes an awful lot more sense than “I need more upside potential because I’m afraid the price may fluctuate.” No, I’m sure “risk” is — first and foremost — the likelihood of losing money."
In obsessing over volatility and price movements, the Value at Risk and Efficient Market Theory models missed human behavior in markets (driven by fear and greed), the safety of an asset, the liquidity of an asset in the face of certain events, and an overall conservative approach to investing - try to buy dollars for 50 cents, and not lever up 40 to 1 to buy many $100 bills for 99.95 each. This, of course, goes to the heart of risk management - namely building a wide margin of safety as a hedge against your own ignorance, instead overconfidence in flawed models.
Hedging against your ignorance up front (usually by paying a cheap price) means that you have more time and resources to spend on constructing a margin of safety to protect assets and ensure they are there when you need them. It also means you live to play another day. Ill placed confidence in risk models like Value at Risk (VaR) instead of conservative process led people to ignore these virtues. When events began to unwind the dominoes fell quickly because there were no buffers and no foundation just algorithms gone wild running atop a mountain of leverage. As Buffett says you don't know who is swimming naked until the tide goes out.
The Lesson here from Howard Marks is that you can't predict with models but you can prepare by limiting your downside and planning for failure.
Although risk models don't help us much and have only limited utility, fortunately we have checklists.
Checklists are essential for both infosec and investing. Checklists are vital in complex domains where failure is governed not what we don’t know but what we know but don’t apply.
Jean Marie Eveillard said that sometimes what matters is not the probability of something happened but the impact if it did. We all know that attacks in the DMZ are more likely than "inside the firewall", but what about impact? The resources that infosec throws are high probability, but rather low impact attacks on DMZ dwarf the attention given inside the firewall systems. Anyone run unauthenticated web apps on the Internet? But there are many enterprise messaging systems where all you need to know is the address and you have a trail right to the keys to kingdom.
its not that we don't know that authentication is not important. Its not that we don't know that our mainframes, ESBs, and databases are not critical to the businesses, its that we don't apply what we already know.
A checklist is also vital as part of a process to check for failure in behavior and protect against biases and unchecked emotion. Every day there are events that trigger greed, fear, and anxiety radically change people's willingness to take risk. Investors should always have a checklist or more formally an Investment Policy Statement that spells out precisely the purpose of their portfolio, its goals, time horizons, asset class mix, and other factors. The Investment Policy Statement should include a set of "We Will Never.." to check against bad behavior such as use of margin and leverage.
In 2008, the models missed the most important part - safety. Howard Marks describes that a six foot tall person can easily drown in a river that is on average 5 feet deep.
Although, we're limited in what infosec can learn from financial models, I am optimistic that infosec can do better than finance in models, just that we will need to mainly rely on models from other fields like biology, transportation safety and other domains that account better for behavior.
Part 4. Hacking the system - Reverse engineering for fun and profit
In part 2 we talked about the defensive mindset, but this would not be an infosec discussion without looking at the breaker side in addition to the builder side. Wall Street is a rigged game, its rigged against me and you, individual investors. Luckily there are some structural weaknesses that we can exploit if we know where to look.
I would bet a lot of money that I can beat both Garry Kasparov and Michael Jordan in a game. The way I would do this of course is to play Kasparov at basketball and Jordan at chess.
Buffett noticed long ago that Wall Street observed that markets are mostly efficient and immediately leapt to thinking (through lots of Nobel winning mathematics) that they are always efficient. The difference here is night and day and that's the area that individual investors can readily exploit.
The first as I mentioned early on is the importance of time horizon. Looking out three to five years as an individual automatically gives you two big advantages over Wall Street. For one thing you can wait for a thesis play out. You invest money you don't need for three years or more, who cares if it goes down next week. Whereas Wall St shops are just like any other big company - short time horizons, forced closing out of unprofitable trades, long term may be next Friday. The other advantage is efficient taxes. If you are paying 15% long term cap gains you have an immense head start over someone paying 30% even if their before tax return trumps yours.
The long term orientation means that you can buy at the point of maximum pessimism. John Templeton said that "bull markets are born on pessimism, they grow on skepticism, and they die on euphoria."
If you can decouple price and value somewhere around the first two stages is when to buy and stage three when every thinks the future will be perfect forever is when to sell. Again, infosec is no stranger to contrarian behavior and going against the crowd, this trait is very helpful in investing.
The high priests of Efficient Market Hypothesis tell us that assets priced perfectly, reflecting all the available information. The standard retort to this is about two Wall St economists walking down the street, one spots a $20 bill on the ground the other says don't bother stopping to pick it up, if it was real someone else already would have.
The market overreacts on the upside and the downside, finding these opportunities is the job of the investor.
To demonstrate the myth of EMH in action, we do not need to go back any further in time than this past Friday. Let's consider the (not so) curious case of Arcos Dorados
Arcos Dorados has the license to operate McDonalds' in Latin America. McDonald's stock has done quite well over the years and emerging markets is one of the major investing trends of the decade. The franchise is solid with plenty of room to grow.
The US has 14,000 McDonald's for 300M people vs Latam/Arcos 1,800 McDonald's for 500M people, Arcos just opened 86 restaurants in the last 12 months so this is pretty nice combination. They even pay a dividend approaching ~1.4% with plenty of room to grow. The market average is ~1.8% so for a startup with a ton of runway ahead of it, and dividends matter way more than people think
If you were an Arcos Dorados investor on Thursday night this is what you were buying: a solid franchise, great management team, in region with lots of room to grow. What happened on Friday? All hell broke loose. Why? Arcos reported quarterly earnings that included net income rose 9% (not bad), same store sales rose (good), they opened 86 new restaurants (know anyone doing this in the US? or eu for that matter?), and oh and they chose to do some accounting the Brazilian real not the dollar. And the real hit a low on the exchange rate versus the dollar. That shaved $600 Million of their market cap (22%) in the time it takes you to eat a Big Mac. While this was certainly fast, was this "efficient"? On Thursday night you went to bed thinking that the solid franchise and management team were important. The Latam region is important for global diversification and yet one of the reasons for the dramatic one day move had zero to do with business fundamentals, it was a currency reaction.
Who knows if Arcos will be a good or a bad investment, only time will tell. May be kids in Latin America will prove to hate French fries, but one thing seems sure a 22% move in one day over a currency issue is not tied to the value proposition of hamburgers and fries. Things like fluctuations in Real are short term noise in my view but its noise that individuals can exploit.
Just as we do vulnerability assessments in infosec, as the pentesters say we don't break standards we break implementations, individuals should look beyond Wall Street theory and find Wall Street blindspots, biases, and structural weaknesses and use them to your advantage.
I'd like to thank Ivan Arce for suggesting the idea for section 4, and thank you all for your time.
References
1. “Little Book of Common Sense Investing” by John Bogle
2. “The Indomitable Investor: Why a Few Succeed in the Stock Market When Everyone Else Fails” by Steven Sears
3. “The Most Important Thing” by Howard Marks
4. “The Five Rules for Successful Stock Investing: Morningstar's Guide to Building Wealth and Winning in the Market” by Pat Dorsey
5. Howard Lipson on Survivability, http://1raindrop.typepad.com/1_raindrop/2005/11/howard_lipson_o.html
6. "High Ticket Price on Flight to Safety" by Pat Dorsey, http://www.morningstar.com/cover/videocenter.aspx?id=532937
There are several interesting “stories” to tell about security update MS12-034:
Addressing the Duqu vulnerability again?
Five months ago, we released security update MS11-087 to address CVE-2011-3402, a vulnerability that was being exploited by the Duqu malware to execute arbitrary code when a user opened a malicious Office document. As you can read from the SRD blog post we published at the time, this vulnerability was due to an insufficient bounds check within the font parsing subsystem of win32k.sys.
In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys’s font parsing code. Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087. The most troublesome copy was in gdiplus.dll. We know that several third party applications – 3rd party browsers in particular – might use gdiplus.dll to parse and render custom fonts. Microsoft Office’s version of gdiplus, called ogl.dll, also contained a copy of the vulnerable code. Silverlight included a copy of the vulnerable code. And the Windows Journal viewer included a copy of the vulnerable code.
The Office document attack vector leveraged by the Duqu malware was addressed by MS11-087 – Duqu is no longer able to exploit that vulnerability after applying the security update. However, we wanted to be sure to address the vulnerable code wherever it appeared across the Microsoft code base. To that end, we have been working with Microsoft Research to develop a “Cloned Code Detection” system that we can run for every MSRC case to find any instance of the vulnerable code in any shipping product. This system is the one that found several of the copies of CVE-2011-3402 that we are now addressing with MS12-034.
Why so many affected products?
At first glance, MS12-034 may seem to be addressing a number of unrelated vulnerabilities in unrelated products. For example, why would a keyboard layout handling vulnerability be addressed in the same update as a Silverlight issue? However, as described above, we needed to address the font parsing vulnerability (CVE-2011-3402) in a number of different products. As each new product was added to the security update package, the vulnerabilities planned-to-be-addressed in the same binary were also included.
Addressing CVE-2011-3402 required us to service ogl.dll, gdiplus.dll, win32k.sys, Silverlight, .NET Framework, etc. Because gdiplus.dll was being addressed, several other fixes that were scheduled to be released in the same binary were looped in to this update. For example, the local elevation of privilege vulnerabilities in win32k.sys (CVE-2012-0180,0181,1848) were added because we had already included win32k.sys to address TTF parsing issues. The Silverlight and .NET Framework vulnerabilities were added because we were already servicing those binaries via CVE-2011-3402. In the end, its probably for the best to require fewer updates to be installed but we understand that it can be confusing. Hopefully that explanation will help you understand the reasoning behind the decision to include ten CVE's in a single bulletin.
Keyboard layout behavior introduced with Windows Vista conditionally applied down-level
In addition to addressing the vulnerabilities described in the bulletin, this security update also closes the malicious keyboard layout file attack vector. Windows Vista introduced a requirement that all keyboard layout files be loaded from %windir%system32. MS12-034 ports that change downlevel to Windows XP and Windows Server 2003 as well. With this new update in effect, vulnerabilities like CVE-2012-0181 (being addressed today) and CVE-2010-2743 (one of the privilege escalation vulnerabilities used by Stuxnet) will be non-issues. Requiring an attacker to place a malicious file in the system32 directory prevents the vulnerability from being a threat.
You can read more about how this change is rolled out in the bulletin’s FAQ section, specifically “Are there special requirements related to applying the security update packages that address CVE-2012-0181?” The change will not affect systems where a keyboard layout outside %windir%system32 is already registered on the system. You can also read more in Microsoft KB 2686509.
Acknowledgements
Many engineers worked hard to bring this larger-than-usual MS12-034 security update to you. From the MSRC Engineering team, I especially want to thank Richard van Eeden and Cristian Craioveanu for their work on the font issues. Ali Pezeshk and Gavin Thomas both also made larger-than-usual contributions to this update. Elias Bachaalany, Elia Florio, Jinwook Shin, Neil Sikka, Ali Rahbar, and Suha Can all contributed to this update from the MSRC Engineering team. Finally, thanks to Chengyun Chu for his work on the cloned code detection system that discovered the other instances of CVE-2011-3402.
Conclusion
MS12-034 addresses ten CVE’s affecting a number of different products. We hope that this blog post answers questions you might otherwise have had around the servicing decisions that went into this update. If you have any further questions, please email us at switech –at- microsoft –dot- com.
- Jonathan Ness, MSRC Engineering
Over at Sensepost Security, there’s a new blog entry wondering about Haroon Meer‘s talk “Penetration Testing Considered Harmful“. Those who know me know that I’ve had this view for a very long time. I’m sure you could find a few posts in this blog.
Security has to be a intrinsic element of every system, or else it will be insecure. Penetration testing as a sole activity and piece of assurance evidence makes security appear on the fringes of the development, something that you pass or fail, something to be commodotized, a box to be ticked, and ultimately ignored. Penetration testing as is done by most in our industry is incredibly harmful. It’s a waste of investment to most organizations, and they know it so they try to minimize wastage by minimizing the scope, the time, and poo-pooing the outcomes.
Penetration testing should be a part of a wider set of security activities, a verification of all that came before. All too often, we come across clients who want to do a one or two day test the day before go-live. They’ve done nothing else, and when you completely pwn them, they’re terribly surprised and upset.
We need to move on to make penetration testing the same as unit testing – a core part of the overall software engineering of every application.
Penetration testing should never be ill informed (zero knowledge tests are harmful and a WAFTAM for all concerned), and it should have access to source, the project, and all documentation. Otherwise, you’re wasting the client’s money up against the wall and acting unethically in my view.
Tests should come from the risk register maintained by the project (you do have one of those, right?), as well as the use cases (the little cards on the wall) as well as from the OWASP ASVS / Testing Guides. More focus must be made on access control testing and business logic testing.
Penetration testing has become vulnerability assessment – run a tool, drool, re-write the tool’s results into a report, deliver. No! Write selenium tasks and automate it. If you’re not automating your pentests, how can your customers repeat your work? Test for it? They should be taught how to do it.
Folks at consultancies will shriek away in horror at my suggestion, but getting embedded is actually a good thing. Instead of hearing from a client once in a blue moon, you’re integrated into the birth and growth of software. This is a huge win for our clients and the overall security of software.
It’s time to do some curating of the OWASP Developer Guide. This is where my tastes meet the community’s – what do you want in the Guide, and what do you want out of the guide?
As much as I want to be comprehensive, there is a real risk that a 800 page book would never be read. There ARE easter eggs in the Guide that no one has found or bothered to e-mail me about yet, so I know it’s not being read widely.
I want to ensure the Guide is used, in a way that the OWASP Top 10 and ESAPI are used daily throughout our industry.
Let me know by June. I’ll be sure to share your thoughts with the Developer Guide mail list.
And I like this quote from Zuckerberg, which sort of illustrates that we're often not talking about the same things when we talk about privacy:Facebook collects more data than you may imagine. For example, did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?
That's great to hear about users accessing other users information, but what about the data you use for your purposes and keep for however long?...a blog posted last year by founder and CEO Mark Zuckerberg, who wrote, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”
Following new SEC guidance issued in the US relating to disclosure of cybersecurity risks in company filings, public companies are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data. This infographic looks at the state of software security in public companies, and shows why companies and investors alike should care.
Infographic by Veracode Application Security
Large Version
Infographic by Veracode Application Security
Infographic by Veracode Application Security
As 44Con 2012 starts to gain momentum (we'll be there again this time around) I was perusing some of the talks from last year's event...
It was a great event with some great presentations, including (if I may say) our own Ian deVilliers' *Security Application Proxy Pwnage*. Another presentation that caught my attention was Haroon Meer's *Penetration Testing considered harmful today*. In this presentation Haroon outlines concerns he has with Penetration Testing and suggests some changes that could be made to the way we test in order to improve the results we get. As you may know a core part of SensePost's business, and my career for almost 13 years, has been security testing, and so I followed this talk quite closely. The raises some interesting ideas and I felt I'd like to comment on some of the points he was making.
As I understood it, the talk's hypothesis could be (over) simplified as follows:
Next, I'd like to consider the assertion that penetration testing or even security assessment is presented as the "solution" to the security problem. While it's true that many companies do employ regular testing, amongst our customers it's most often used as a part of a broader strategy, to achieve a specific purpose. Security Assessment is about learning. Through regular testing, the tester, the assessment team and the customer incrementally understand threats and defenses better. Assumptions and assertions are tested and impacts are demonstrated. To me the talk's point is like saying that cholesterol testing is being presented as a solution to heart attacks. This seems untrue. Medical testing for a specific condition helps us gauge the likelihood of someone falling victim to a disease. Having understood this, we can apply treatments, change behavior or accept the odds and carry on. Where we have made changes, further testing helps us gauge whether those changes were successful or not. In the same way, security testing delivers a data point that can be used as part of a general security management process. I don't believe many people are presenting testing as the 'solution' to the security problem.
It is fair to say that the entire process within which security testing functions is not having the desired effect; Hence the talk's reference to a "security apocalypse". The failure of security testers to communicate the severity of the situation in language that business can understand surely plays a role here. However, it's not clear to me that the core of this problem lies with the testing component.
A significant, and interesting component of the talk's thesis has to do with the role of "0-day" in security and testing. He rightly points out that even a single 0-day in the hands of an attacker can completely change the result of the test and therefore the situation for the attacker. He suggests in his talk that the testing teams who do have 0-day are inclined to over-emphasise those that they have, whilst those who don't have tend to underemphasize or ignore their impact completely. Reading a bit into what he was saying, you can see the 0-day as a joker in a game of cards. You can play a great game with a great hand but if your opponent has a joker he's going to smoke you every time. In this the assertion is completely true. The talk goes on to suggest that testers should be granted "0-day cards", which they can "play" from time to time to be granted access to a particular system and thereby to illustrate more realistically the impact a 0-day can have. I like this idea very much and I'd like to investigate incorporating it into the penetration testing phase for some of our own assessments.
What I struggle to understand however, is why the talk emphasizes the particular 'joker' over a number of others that seems apparent to me. For example, why not have a "malicious system administrator card", a "spear phishing card", a "backdoor in OTS software" card or a "compromise of upstream provider" card? As the 'compromise' of major UK sites like the Register and the Daily Telegraph illustrate there are many factors that could significantly alter the result of an attack but that would typically fall outside the scope of a traditional penetration test. These are attack vectors that fall within the victim's threat model but are often outside of their reasonable control. Their existence is typically not dealt with during penetration testing, or even assessment, but also cannot be ignored. This doesn't doesn't invalidate penetration testing itself, it simply illustrates that testing is not equal to risk management and that risk management also needs to consider factors beyond the client's direct control.
The solution to this conundrum was touched on in the presentation, albeit very briefly, and it's "Threat Modeling". For the last five years I've been arguing that system- or enterprise-wide Threat Modeling presents us with the ability to deal with all these unknown factors (and more) and perform technical testing in a manner that's both broader and more efficient.
The core of the approach I'm proposing is roughly based on the Microsoft methodology and looks as follows:
Threat Modeling makes our testing smarter, broader, more efficient and more relevant and as such is a vital improvement to our risk assessment methodology.
Solving the security problem in total is sadly still going to take a whole lot more work...
This sort of discussion is worth having in really any part of IT. Are you making infrastructure decisions based on what the business wants, or creating a space for the business to find uses for what you do? I'm no expert in this area, but sometimes you need to worry about how your infrastructre or solutions scale and are agile and fill multiple needs quickly, and let the business worry about the monetization, ya know?The hardware model is radically different from the software model. Software is innately scalable; you can acquire a hundred thousand users overnight. Monetizing the user base in software is trickier, but most software plays start with scale and then worry about money.
I think we in security can relate to shipping unfinished products. But hey, that's the name of the game.In the face of ‘ship or die’, one should not be looking to ship the perfect product. It is more important to ship a product that’s good enough, than a great product that’s late.
But that does show one of the flaws of fact-based reasoning. Engineers love to make decisions based upon available data and high-confidence models of the future. But I think the real visionaries either don’t know enough, or they have the sheer conviction and courage to see past the facts, and cast a long-shot. It’s probably a bit of both. Taking risks also means there’s a bit of luck involved.
Two months ago, the former Flux team had an offsite where we played with lasers.
But I also gave a talk on browsers internals. This is just an introduction but it should give web developers a better understanding of this black box that we work with everyday.
Slides are also available. Since I’m not smart enough to hack on browsers, I heavily rely on other people’s writings to document myself. Take a look at those resources to get into the details.
If you speak French, you can watch the original version of the talk that I gave at Paris-Web last year.
I suppose I really can’t let this one … pass …
Last weekend a young woman fell to her death while on a tandem hang glider ride with an experienced pilot. The pilot, owner of a company that takes people on hang gliding rides for kicks, promises video of the event: the hang glider is equipped with some kind of boom-mounted camera pointed at the riders.
Somehow the police investigating the incident suspected that the pilot had swallowed the memory card from the video camera. (Presumably the video was running, and presumably the pilot knew it would show something unfortunate.) This was later confirmed by x-rays.
So, this week we have all been on “memory card movement” watch.
And it has cr… I mean, come out all right.
The most recent episode of Silver Bullet features a chat with Robert Vamosi, a long time tech reporter who has written about computer security for years. Robert is the author of When Gadgets Betray Us, a book about what happens when the faith we put in our gadgets may not be justified.
From a security perspective, gadgets let us down all the time. Sometimes it is because they compromise our privacy in the name of convenience. Sometimes it is because the information they provide us is fallible. Sometimes it is because they were not designed with security in mind.
The real question is whether its the gadgets themselves that are betraying us or rather the humans who designed and built the gadgets. I would say the latter.
TGIF! There was certainly a lot happening in the cybersecurity space this past week. Here are our picks for the top stories. Have a great weekend readers!
Also, if you would like to get a understanding of how to build and scale an Application Security program within your organization, check out Veracoder Fergal Glynn’s latest blog post on threatpost.
Enterprise Security Practices: “Latest wave of healthcare data breaches symptomatic of sloppy security practices” by Neil Roiter (@nroiter). In this Security Bistro blog post Neil Roiter takes a look at the current state of security in the healthcare industry. Neil offers statistics from Symantec’s recently released Internet Security Threat Report that focus on the major security concerns plaguing the industry today – particularly data breaches. He also offers a more in-depth look at some of the severe data breaches the healthcare industry has suffered in the past decade or so. The post ends with a sliver of hope: the Health Information Trust Alliance (HITRUST) has created the HITRUST Cybersecurity Incident Response and Coordination Center, a multi-organizational effort aimed at preventing attacks through collaboration.
Editor’s PickSafe Coding and Software Security Infographic
Which Tastes Better for Security, Java or .NET?
Decoding the Verizon DBIR 2009 Cover
CWE/SANS Top 25 Most Dangerous Programming Errors
Apple Security: “Flashback malware exposes big gaps in Apple security response” by Ed Bott (@edbott). In this article Ed Bott offers his take on Apple’s security practices following the two large scale malware attacks against the company over the past year or so. This issue has received a lot of attention lately, especially after Eugene Kaspersky’s criticisms of Apple’s security responses. Ed breaks down Apple’s security shortcomings into four basic issues: poor response time in releasing security updates, the lack of an option for automated updates, Apple’s practice of only releasing updates for the most recent versions of its operating system, and inadequate disclosure practices.
PHP Vulnerability: “Serious Remote PHP Bug Accidentally Disclosed” by Dennis Fisher (@DennisF). This past Wednesday saw the unfortunate disclosure of a PHP vulnerability that was discovered and reported by researchers in January of this year. The remote-code execution vulnerability allows attackers to to access information and execute arbitrary code using certain query strings. PHP Group Developers are currently still working on patching the flaw, just as they were when it was accidentally disclosed.
Skype Security Hole: “Skype knew about IP address security flaw since November 2010” by Lisa Vaas (@LisaVaas). Voice and video chat app Skype has received lots of criticism this week after it was found that the application has knowingly contained a significant security flaw for the past year and a half. The flaw allows hackers to access private user data including location, internet provider, and IP address. This information is sensitive because it can be used to facilitate industrial espionage and potentially cyber attacks against corporations. Skype reports that they are looking into a solution.
SOCA Attack: “UK’s SOCA website taken offline in DDoS attack” by Zack Whittaker (@zackwhittaker). The website for the United Kingdom’s Serious Organised Crime Agency has been down since Wednesday evening following a distributed denial-of-service (DDoS) atack. It is suspected that the attack was done in response to SOCA’s announcement in late April that they had regained the credentials of 2.5 million stolen credit cards and had begun arresting the individuals found responsible. SOCA willingly shut down their site in order to protect taxpayers from bearing the financial burden of running the site during the attack. It is still unknown as to who is responsible for the attack.
Following the explosions in two BC sawmills, which experts are speculating may have been caused by fine sawdust caused by excessively dry wood, the TSA has banned any particulate materials, such as sawdust, flour, and icing sugar, to be banned from all flights.
Also included in the ban are any objects made from particulate materials, such as particleboard, bread, and icing sugar dusted donuts. (The union representing TSA workers had argued, unsuccessfully, against this last item.) The TSA’s Director Of Really Dangerous Stuff also noted that materials with larger particle sizes, such as table salt and sand, were also being included in the ban.
At press time, we were still awaiting word on whether computer equipment was to be included in the ban, since silicon chips are commonly said to be made of sand.
(Yeah, yeah, I know, don’t give the TSA ideas …)
