Google's recent trouble with Chinese hackers has brought mainstream media attention to very old news in the security world: China has lots of hackers; some of them work for the government; some of them are criminals. Is this really the best the NY Times can do?
Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China.
via www.nytimes.com
At least they interviewed Scott J. Henderson, even if it is after the page jump. He has been studying the Chinese hacker culture for a very long time. If you're interested in the topic, his work is pretty much the definitive view (at least in the non-classified world). You should follow his blog,The Dark Visitor. I'd also recommend his book of the same title.
The Electronic Frontier Foundation (EFF) has a new tool called Panopticlick that examines you browser configuration (or at least what it announces about itself) and compares against it's database to determine how unique your presense is. It turns out that significant identifying information is available even with IP obfuscation and cookies disabled; Private browsing doesn't quite cut it ...
Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.
Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.[from panopticlick.eff.org]
Generally, she's saying the right things -- an open and uncensored Internet is a tremendous force for good in the world. She should also be addressing net neutrality in this context, but I can understand that she didn't want to broaden her scope too much.
Then, a couple of minutes in, she says this:
Now, all societies recognize that free expression has its limits. We do not tolerate those who incite others to violence, such as the agents of al-Qaida who are, at this moment, using the internet to promote the mass murder of innocent people across the world. And hate speech that targets individuals on the basis of their race, religion, ethnicity, gender, or sexual orientation is reprehensible. It is an unfortunate fact that these issues are both growing challenges that the international community must confront together. And we must also grapple with the issue of anonymous speech. Those who use the internet to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities. But these challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes.[Full text of the speech here]
So, privacy, anonymity, and an open economy of ideas is good except when our enemies have it? Despite all of the rhetoric to the contrary, I don't think she really wants a free Internet. She just wants an Internet that promotes US best-interests.
Considering some of the electronic surveillance actions our government took after 9/11, adminishing China is a little bit of the pot calling the kettle black. I was hoping that we'd also take this opportunity to embrace these ideas domestically as well as promoting them overseas.
Embracing a free exchange of information means embracing the exchange of dangerous and radical ideas along with the popular and prosperous ones. You cannot selectively grant privacy and anonymity -- either you support it or you don't.
This is a posting I've been planning to do for several months but am just finding time for. One of the most common questions I get from developers is how they should be handling authentication. My advice is always the same - don't. I have no idea why developers want to be custodians of data as sensitive as a username and password when there are federated identity providers such as OpenID that will accept that risk on the developer's behalf.
Some developers insist on localized identity management, so the next couple of posts are going to illustrate how they can implement web forms securely using MySQL stored procedures and UUIDs to insulate them from the risks storing credentials.
Before getting to code-level specifics, let's define the problem we're solving.
First, we want to make sure that a single user's credentials cannot be discovered via SQL injection or other application-level security flaws. Most developers mitigate this by only storing one-way hashes of passwords.
Second, because hashes are susceptible to rainbow tables attacks, we want to make sure that an attacker cannot obtain any aggregated credential hashes. Keep in mind that many users utilize the same (or similar) passwords across many system. This means that aggregated credential hashed are extremely valuable to an attacker. To mitigate this, we will check authentication within a stored procedure. If the password hash is checked via a stored procedure and the application user only has execute permissions, an attacker cannot extract aggregated credentials even if they completely control an application.
Finally, we want to make sure that an attacker cannot easily mine your database for aggregated private or sensitive data through application-level flaws. By using a UUID as the primary key instead of a username or canonical index, we make it very difficult for an attacker to extract data for a single arbitrary user; this also makes data aggregation more difficult.
That's probably as clear as mud, so I'll explain via code examples. The principals all apply no matter what platform you're on, but the examples are all using MySQL 5.1.x.
Here's a simple MySQL stored function for creating users:
DELIMITER |
CREATE FUNCTION addUser (
name VARCHAR(16),
pass VARCHAR(32),
fullname VARCHAR(32),
email VARCHAR(64))
RETURNS CHAR(36)
BEGIN
DECLARE returnValue CHAR(36) DEFAULT UUID();
IF ((SELECT COUNT(username) FROM users WHERE username = name
GROUP BY username) > 0)
THEN SET returnValue := NULL;
ELSE
INSERT INTO users (userid, username, passphrase, fullname, emailaddr) VALUES (returnValue, name, pass,
fullname, email);
END IF;
RETURN returnValue;
END;
In this case, we are inserting values (username, password, full name, and e-mail) into a table called users. We are also creating a UUID for the account as it's created. If the function is successful, it will return the UUID. If it fails, it will return NULL.
If we create this function with "definer" privileges, then it can be executed as different user than the web application's MySQL account, which is the invoker. This way, the invoker account can create a user without any permissions to the underlying users table. So, even if an attacker can compromise the application's MySQL username and password, they cannot extract any data from the users table.
Here's how we authenticate the user:
DELIMITER |
CREATE PROCEDURE authenticateUser (
IN uname VARCHAR(16),
IN passphrase VARCHAR(32)
)
BEGIN
SELECT u.userid FROM users AS u WHERE u.username = uname AND u.pass = passphrase;
END
Notice that all we're getting back is a UUID (or NULL if the authentication attempt fails). This UUID is the primary key for the user and necessary to extract any other data from the database. For example:
DELIMITER |
CREATE PROCEDURE getEmail (
IN userUuid CHAR(36)
)
BEGIN
SELECT u.e-mail FROM users AS u WHERE u.userid = userUuid;
END
Do you see the elegance of the solution? The attacker cannot get the e-mail address without the UUID. In order to get the UUID, the attacker needs the username and password even if they've compromised the web application's database account. While e-mail isn't particularly risky, you can image the usefulness of the technique in protecting your customer's sensitive data.
There is one important limitation on this technique -- it doesn't solve old fashioned SQL injection. To solve that, only access the database using parameterized queries (or, as PHP developers refer to them, prepared statements). This is the only technique that can completely eliminate SQL Injection vulnerabilities.
Ted has posted another fascinating talk, this time by behavioral economist Dan Ariely. The talk is essentially about how context and complexity can influence decision-making contrary to what one would generally call a rational process.
While interesting in its own right, this analysis could have an immense effect on security. In it's simplest form, OpenBSD understood this years ago with "secure by default" -- make insecure configurations more difficult than secure configuration and systems will, for the most part, be configured properly.
One can take this a step further and apply it to user interface design. Internet Explorer 8 does this with SSL errors -- the user is steered towards not viewing a site instead of blindly clicking through to a potentially hostile page.
Human error is the single largest vulnerability out there. Instead of looking at security as the enemy of usability, there could be a significant security gain by engaging our usability experts to guide users into making smarter decisions about security.
The folks at LayerOne have already posted video of the talks. There were some excellent talks. If you have the time, I'd especially recommend David Bryan's talk on GNURadio and Joe McCray's Advanced SQL Injection.
Here's my talk, Is XSS Solvable? (and yes, I know I speak too quickly):
I just finished my LayerOne talk. My slides are available here via Scribd. The demo code is also available via Subversion here.