<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8954181093014024108</id><updated>2022-08-17T08:29:53.076+01:00</updated><category term="Mobile security"/><category term="Rant"/><category term="Security Risk Management"/><category term="SROI"/><category term="DLP"/><category term="Authentication"/><category term="Encryption"/><category term="Identity management"/><category term="Social media"/><category term="Legal"/><category term="Payments security"/><category term="Privacy"/><category term="Secure Development"/><category term="Security norms"/><category term="PCI-DSS"/><category term="2FA"/><category term="Contracts"/><category term="Future"/><category term="Metrics"/><category term="SIEM"/><category term="Startups"/><category term="Classification"/><category term="Cloud"/><category term="DDOS"/><category term="DR"/><category term="DRM"/><category term="Disclosure"/><category term="Incident"/><category term="NFC"/><category term="OS Security"/><category term="Virtualization"/><category term="jobs"/><title type='text'>RSSC</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.rakkhis.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default?redirect=false'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8954181093014024108/posts/default?start-index=26&amp;max-results=25&amp;redirect=false'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>76</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-5460519881086118810</id><published>2012-12-18T11:30:00.002+00:00</published><updated>2012-12-18T11:30:59.478+00:00</updated><title type='text'>Practical gun reform</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;The Connecticut shooting this week has really affected me. Far more than similar incidents in the past. Not really sure why, but probably because of the young age of the kids that were killed and my own impending fatherhood. Just the thought of 9 months of caring for this little thing and then all the love and care you put in afterwards to all be taken away in a random event like this. It is sickeningly frightening. My thoughts and emotions, like many others, spring to why do these types of events always seem to happen in America? Bowling for Columbine comes to mind and the gut reaction is that guns have a large part to play and that something must be able to be done to reduce the chances that this type of event could ever happen again. 
Is there any chance for practical gun reform not just in the US but improvements in all countries?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;I have been debating with a few colleagues, one of whom has a high degree of opposition to any form of gun reform even though he has never owned a gun nor would ever own one. I have also read quite a few articles on this topic since the weekend, including a lot of good debate on Hacker News. The statistics also start to come out (lies, damned lies and...). This from the NY Times (researched by quite a few &lt;a href=&quot;http://injuryprevention.bmj.com/content/10/5/280.short&quot;&gt;studies&lt;/a&gt;) stuck with me (particularly because, growing up in Australia, I remember this incident): &lt;br /&gt;&lt;blockquote class=&quot;tr_bq&quot;&gt;&quot;In Australia in 1996, a mass killing of 35 people galvanized the nation’s conservative prime minister to ban certain rapid-fire long guns. The “national firearms agreement,” as it was known, led to the buyback of 650,000 guns and to tighter rules for licensing and safe storage of those remaining in public hands. The law did not end gun ownership in Australia. It reduced the number of firearms in private hands by one-fifth, and they were the kinds most likely to be used in mass shootings.&lt;br /&gt;In the 18 years before the law, Australia suffered 13 mass shootings — but not one in the 14 years after the law took full effect. The murder rate with firearms has dropped by more than 40 percent&quot; &lt;/blockquote&gt;&lt;br /&gt;However, many of the comments and articles urge people to look past the initial emotional reaction and to approach the problem rationally. 
Articles like this &lt;a href=&quot;http://diegobasch.com/mass-shootings-political-correctness-and-magical-thinking&quot;&gt;one&lt;/a&gt; in particular ask some questions that really hit home: is public policy really the best way to reduce the risks of shootings such as this? Would policy do more good than harm (unintended consequences especially)? As most government programs cost money, and considering the US especially has more debt than it can ever pay back and Europe is in a hole, what is the opportunity cost of such programs? &lt;br /&gt;&lt;br /&gt;One person suggested the &lt;a href=&quot;http://en.wikipedia.org/wiki/5_Whys&quot;&gt;5 Whys&lt;/a&gt; be applied to this shooting. So here is an attempt at that:&lt;br /&gt;&lt;br /&gt;The problem: kids were gunned down&lt;br /&gt;1. Why? A 20-year-old apparently wanted to get revenge on his mum&amp;nbsp; &lt;br /&gt;2. Why? He was potentially mentally ill and was able to obtain three guns from his mum&#39;s house&lt;br /&gt;&lt;br /&gt;I&#39;m not going to explore why he was mentally ill here because there is no way I can answer that.&lt;br /&gt;&lt;br /&gt;3. Why? She had the guns easily accessible to him in the house&lt;br /&gt;4. Why? Could be a range of reasons, the most common I have seen people provide:&lt;br /&gt;4a. Self defence / safety&lt;br /&gt;4b. Provide food by hunting&lt;br /&gt;4c. Target practice / sport (hunting)&lt;br /&gt;4d. As a defense mechanism against the state holding a monopoly on violence / she was part of a minority group that required three guns to fight oppression&lt;br /&gt;&lt;br /&gt;5. Why?&lt;br /&gt;5a. The area she lived in had a high rate of violence which the authorities were not effective enough at combating. She had gone through a violent incident in the past.&lt;br /&gt;5b. It was a way of getting cheaper food / earning money&lt;br /&gt;5c. It was a hobby&lt;br /&gt;5d. Belief that an armed populace is the best defense against state tyranny. 
That arms are required to fight oppression when the authorities can&#39;t/won&#39;t assist&lt;br /&gt;&lt;br /&gt;Working up from what could be some underlying causes. 5a and 5b: reducing crime and improving living standards are things governments should be working on anyway. Is the best we can do to reduce the risk of horrific events such as these simply to keep working on these areas?&lt;br /&gt;&lt;br /&gt;5c, 5d and 3 seem like areas where some practical gun reforms could help. Some of the ideas I was thinking of:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Background checks including psychological evaluation before purchase of any gun&lt;/li&gt;&lt;li&gt;Any guns that are stored at home must be stored in a locked container. If random spot checks, and some risk-based ones, could be performed cost effectively, similar to tax audits, that would be ideal. Perhaps a levy on gun owners to fund this (rights and responsibilities and all)&lt;/li&gt;&lt;li&gt;Annual safety training at the cost of the gun owner&lt;/li&gt;&lt;/ul&gt;These types of measures all seem sensible and even intuitive. But there are hundreds of studies on gun control or gun reform, and the most worrying for suggestions like the above are studies like this: &lt;a href=&quot;http://abs.sagepub.com/content/52/10/1447.short&quot;&gt;Mass Shootings in Schools: The Worst Possible Case for Gun Control&lt;/a&gt;. It even specifically mentions that regulations requiring locks were not effective.&lt;br /&gt;&lt;br /&gt;Even if any of these changes were proven to be the right thing to do, could they even be implemented? Could the laws be passed in every state in the US, for example? What would the unintended consequences be, and what would the opportunity costs be?&lt;br /&gt;&lt;br /&gt;The only thing that seems guaranteed is that there will be a lot of debate on this topic in the next few months. 
A lot of people will be reading the research, poring through the statistics, working out how they can use this incident to further their own motives. All I hope is that at the end some practical actions get taken that at least reduce the risk of this type of horrific incident occurring again.&lt;br /&gt;&lt;br /&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter: &lt;a class=&quot;twitter-follow-button&quot; href=&quot;http://twitter.com/rakkhis&quot;&gt;Follow @rakkhis&lt;/a&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/5460519881086118810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2012/12/practical-gun-reform.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5460519881086118810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5460519881086118810'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2012/12/practical-gun-reform.html' title='Practical gun reform'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-4178975363244066976</id><published>2012-12-16T10:42:00.000+00:00</published><updated>2012-12-16T11:04:21.901+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Metrics"/><category scheme="http://www.blogger.com/atom/ns#" term="SROI"/><title type='text'>How security surveys could be improved</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/-J31DGoAgpZs/UM2kjgxpeoI/AAAAAAAAE8A/kINfDLQ3EvI/s1600/BigDataFail-300x208.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/-J31DGoAgpZs/UM2kjgxpeoI/AAAAAAAAE8A/kINfDLQ3EvI/s1600/BigDataFail-300x208.jpg&quot; /&gt;&lt;/a&gt;&quot;It is a matter of opinion, there isn&#39;t any science behind it&quot;. A quote from a partner at a Big 4 accounting firm at a presentation I attended recently. In security, very few companies have the systems in place to capture the data to accurately perform quantitative risk assessments, assess security costs and investments in a true cost-benefit manner, or measure the true cost of security incidents. Sadly this means that we are reliant on surveys as a source of insight into everything from emerging threats to benchmarks of maturity and whether we are investing in the right areas. So if this is the case, why aren&#39;t security surveys better and what could be done to make them better?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;There seem to be plenty of security surveys, and especially at this time of the year people are evaluating how the last year went and trying to predict the next. 
They mostly seem to be run by consulting companies and governance institutes with motives ranging from building business development opportunities to providing a service to their community of members. My particular experience came recently from an internal security person presenting the results of a survey he has been contributing to for over 5 years, and then a few weeks later a presentation from a Big 4 accounting firm to our team on the survey they had just run. I was quite interested in both because, having attempted to benchmark a security practice before on a capability maturity model, write a security strategy and write business cases for security investments, the insight and methodology were highly relevant.&lt;br /&gt;&lt;br /&gt;Sadly though, when both were presenting, the main thoughts going through my head were whether this data was really accurate and whether its conclusions could be relied upon. This led me to ask the question at the end of the Big 4 presentation: to me it seems like this survey-based approach relies greatly on the &lt;a href=&quot;http://en.wikipedia.org/wiki/The_Wisdom_of_Crowds&quot;&gt;wisdom of crowds&lt;/a&gt; principles, so how have you tried to align to these or something similar? The risk and technology partner presenting looked bemused, she started to stammer and didn&#39;t really seem to understand the question. I tried to explain: so the wisdom of crowds is a book that talks about how the collective view of the crowd can be smarter than the smartest person(s) in the crowd, but this requires a few principles to be adhered to, these being diversity of opinion, independence, decentralization and a method to aggregate the private judgements into a collective view. She seemed even more confused but then provided a potential slip of brutal honesty: &quot;It is a matter of opinion, there isn&#39;t any science behind it&quot;.&lt;br /&gt;&lt;br /&gt;The last part of that statement was what I found most disappointing. 
She was right, the responses were a number of opinions, but why does that mean that there is no science behind it? It seems to me that if you are going to spend a lot of money, time and resources to collect this information, print glossy brochures and publications and run a number of show and tell sessions to share the insights from it, why would you not employ some data scientists and people that run surveys and polls for a living and put some scientific rigour around it? Would this not greatly increase the confidence you have in the results, which would then allow greater success in meeting the underlying motives, e.g. sell some work in the areas that are growing or provide a service in the areas that need the most improvement / provide the best bang for buck?&lt;br /&gt;&lt;br /&gt;To me it seems like some simple measures could align security surveys to the principles in the wisdom of crowds:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;Diversity of opinion&lt;/b&gt;&lt;/i&gt;&amp;nbsp; &lt;br /&gt;&lt;div&gt;This seems to be the big one that most security surveys struggle with. At this presentation a colleague of mine asked: so who typically fills in this questionnaire? The answer: a range of people, usually it is sent to the CISO and he/she completes it or delegates it. It seemed reasonable, except there was not any real rigour in the methodology to ensure that true diversity was achieved. The danger here was there was a high chance that someone in the security department completed the survey. This was highlighted by questions such as &quot;is security delivering the value required by the business?&quot; A truly diverse range of people in the organisation completing a response to this question seems like it would be valuable, rather than say 5% business, 95% security staff. The gentleman answering the question did not even have any stats on how many of the survey responses had been completed by someone in the security department vs. outside of that. 
This seems like a really simple thing that could be tracked in the survey. In fact, ideally the methodology would be more proactive and actually seek responses from as diverse a group as possible: from all different roles in the business, technology and security, from the C level to the coal face.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;Independence&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;The crowd became less intelligent when &quot;members of the crowd were too conscious of the opinions of others and began to emulate each other and conform rather than think differently&quot;. You could see this in 2008 coming up to the financial crisis, with how much of the financial community was using the same models when it came to rating CDOs. This is a particularly insidious problem within the security community. If you have attended a security conference in the past year or so it would have been amazing if there was not a majority of talks on mobile security, cloud, APTs, etc. It is not like most companies have solved the basics, nor that the business has stopped caring about things like passwords or single sign-on, it is just that these topics are not sexy at the moment. Therefore addressing this point could be a simple benefit of doing the above: ensuring the responding parties are diverse. There could perhaps even be some filtering questions asked of the responder which would allow measurement of their alignment with the herd on key opinions, e.g. can data be stored securely in a public cloud? 
Their response could still be collected to the main questions, but you could cut the data in a way that took the independence of responses into account.&lt;/div&gt;&lt;div&gt;&lt;i&gt;&lt;b&gt;Decentralisation&lt;/b&gt;&lt;/i&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;It appears that if you are able to draw on the knowledge of specialists, especially local knowledge that only they have, the overall collective decision or insight is smarter. In a security context this could be improved by ensuring the survey is truly global rather than limited to western English-speaking countries, again ensuring that people on the coal face provide responses, e.g. the firewall engineer, the investigator, the penetration tester, in addition to the CISO who may have a more generalist knowledge. Also in business and technology, including the teller and the machine operator as well as the GM of Internet Banking. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;Aggregation&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;Generally the survey itself is a good way of doing this. However, some basic improvements could be made:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Ask the question with the end in mind&lt;/b&gt; - in many of the surveys the questions do not appear to be crafted by people with a high degree of experience in the polling or surveying field. They are probably written by security people. A question should always be driven by what decision we can make with this data, what stakeholders would be interested in this and why (and does this match our actual target audience), and what insight the answer being one of the options rather than another tells me. Many of the surveys seem to want to move with the times (e.g. have cloud and mobile, etc. in the responses). However, not only does changing the question every year reduce its value for historical trends, but because of the way the question is asked, the end answer does not provide anything valuable. 
The insights security people are always interested in, and which questions should be crafted to answer, seem to be:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;What areas of security is my organisation performing well in or poorly in (what the maturity level is) relative to my peers?&lt;/li&gt;&lt;li&gt;Where should I focus my investment and where could I make savings? Is the level of investment / spend on security technology, people and process reasonable and commensurate with peers? Is more or less justified and in what areas?&lt;/li&gt;&lt;li&gt;What areas of security are providing the most value to the business and in which areas could the most value be provided?&lt;/li&gt;&lt;li&gt;Where is the next major set of incidents or regulation coming from and how could I get in front of the curve/demands?&lt;/li&gt;&lt;li&gt;Is the investment / focus I&#39;m making in various areas of security actually resulting in improvements and benefits being realised?&lt;/li&gt;&lt;li&gt;How can I measure improvements or reductions in my security posture / risk exposure? How secure am I relative to peers and the threat environment?&lt;/li&gt;&lt;li&gt;Where is the lack of security controls actually costing me money or causing harm in terms of reputational damage, legal, contractual or regulatory impacts vs. being a theoretical risk?&lt;/li&gt;&lt;li&gt;What should be my top three priorities for the next year or within the next three years and how would I make some practical improvements in these areas?&lt;/li&gt;&lt;/ul&gt;There are probably many more, but my point is that these should be identified, with a clear mapping from survey question results to how they are answered. 
A pilot of the survey could be run, or even purely computer-based simulations of answers, to see how various answers would provide insight, which could then be used to tune the questions prior to the real survey.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Basic statistics&lt;/b&gt; - understanding average vs. median, how outliers affect / skew your results, the value of standard deviations and confidence intervals, the difference between correlation and causation. Actually presenting commentary and explanation and not just pretty graphs. The value of sorting and infographics. All of which and more I&#39;m sure people experienced in running surveys would be able to provide, and all of which would greatly increase the value of the results. I mean surely a big global accounting company running an annual global survey could build a competent team of these people (e.g. hire the pollsters that run these for political campaigns) rather than simply asking managers, directors and partners to run these simply because they sell services in the risk and security space.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;&lt;b&gt;Summary (TL;DR)&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;The security industry has a high reliance on survey-based data. 
These surveys unfortunately seem to lack scientific rigour and could be improved by adhering to the principles in the wisdom of crowds:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Diversity of opinion - designing the survey to include a broad range of business, technology and security responders at all levels in a broad range of organisations&lt;/li&gt;&lt;li&gt;Independence - testing for herd think with filtering questions and allowing different data cutting with higher or lower independence&lt;/li&gt;&lt;li&gt;Decentralisation - looking for specialist local knowledge rather than generalists&lt;/li&gt;&lt;li&gt;Aggregation - designing questions to answer things people actually want to know, ensuring the responses can actually provide this and testing it. Improving the basic statistics and presentation&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;u&gt;&lt;b&gt;Related posts:&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/01/analysing-aberdeen-group-application.html&quot;&gt;ROI in the secure development lifecycle&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/07/security-return-on-investment-roi.html&quot;&gt;Security ROI&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/07/security-return-on-investment-roi.html&quot;&gt;Annualized loss expectancy&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;PS: no blog posts for a whole year, epic fail, and typically what happens to most blogs. No excuses really, just a lack of serious inspiration combined with other hobbies taking time, working on projects I&#39;ve already talked about (DLP, SIEM) and long delivery times on other projects. The goal is to write a couple of posts in this Christmas break (Oracle security stack and Big data in SIEM are the goals), we will see how we go. 
I don&#39;t think this will ever be a regular blog, but hopefully some interesting and valuable content and a bit of out-of-the-box thinking and challenging the norms. Especially if you got this far, thanks for reading and please comment / link me your content!&lt;br /&gt;&lt;br /&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter: &lt;a class=&quot;twitter-follow-button&quot; href=&quot;http://twitter.com/rakkhis&quot;&gt;Follow @rakkhis&lt;/a&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: xx-small;&quot;&gt;Picture source:&amp;nbsp; http://siliconangle.com/files/2012/11/BigDataFail-300x208.jpg&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/4178975363244066976/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2012/12/how-security-surveys-could-be-improved.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/4178975363244066976'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/4178975363244066976'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2012/12/how-security-surveys-could-be-improved.html' title='How security surveys could be 
improved'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-J31DGoAgpZs/UM2kjgxpeoI/AAAAAAAAE8A/kINfDLQ3EvI/s72-c/BigDataFail-300x208.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-1502110745817870981</id><published>2011-11-19T10:59:00.001+00:00</published><updated>2011-11-20T11:25:24.782+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="jobs"/><title type='text'>Simple tips for getting a job in #infosec</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://2.bp.blogspot.com/-dXMsDRng9Go/Tsjg5qyUFnI/AAAAAAAACIY/ILttx7ef1-0/s1600/2560666767_82edc1b3fb.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;213&quot; src=&quot;http://2.bp.blogspot.com/-dXMsDRng9Go/Tsjg5qyUFnI/AAAAAAAACIY/ILttx7ef1-0/s320/2560666767_82edc1b3fb.jpg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div align=&quot;left&quot; class=&quot;bloggerplus_text_section&quot;&gt;With the global financial crisis, many people have been looking for stability. I, on the other hand, have worked mainly as a contractor in the past four years, so have had a great deal of experience in finding new roles. Many roles have been really interesting and rewarding, generally lasting between 6 months and 1.5 years. I have been lucky enough to only ever have a maximum of two weeks between roles. 
These are some practical tips and lessons learnt for finding a job in security that have worked for me.&amp;nbsp;&lt;/div&gt;&lt;div align=&quot;left&quot; class=&quot;bloggerplus_text_section&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align=&quot;left&quot; class=&quot;bloggerplus_text_section&quot;&gt;&lt;/div&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;b style=&quot;font-size: 24px;&quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;The CV&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Like most endeavours, some time spent planning up front really makes a difference. Working out what you really want to do and why is critical. The more specific you can get, the better. Security has so many areas of specialization that a clear, concise decision here really sets you up for success. Mind mapping to brainstorm this is a great way to get some thoughts down. It does not even have to be a specific role, but at least a clear idea of the work you want to do day to day and what you do not want, based on what you enjoyed and what motivated you in the past.&lt;br /&gt;&lt;br /&gt;Once you have this description, it is a case of cutting your CV down to fit this and only this. As many have said about Steve Jobs, one of his key skills was the ability to say no, to cut out everything that is not required. I have found in security you can get involved in so many different things, and even some of your achievements in the past may not be what you want to do going forward. This is a really hard process, but from the other side of the table, people really want to work out where you would best fit, what projects or work allocation you would be best suited to. Making this easier for them by clearly highlighting two or three real strengths and achievements with what you actually want to do works for everybody. I have worked in policy development, third-party risk assessments, PCI-DSS, but if I list these three times each they are the only roles I will find. 
Also expect to be questioned about what you list: do not put things where you had a marginal involvement, but rather those that you know in intimate detail. &lt;br /&gt;&lt;br /&gt;I am also not a fan of big lists of technology or skills without clear experience or achievements. Listing clear, measurable wins with the relevant technology and skills demonstrated is the way to make an impact. Avoid generic cover letters and a shotgun approach. Even 10 minutes spent mirroring and reflecting back the wording of the job spec / advertisement with the fit to your experience and achievements will get significantly better results. There are many ways to order your CV, but I like key achievements linked to experience first, education and certifications later. &lt;br /&gt;&lt;b style=&quot;font-size: 24px;&quot;&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Finding a role&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;There is a lot said about finding jobs through your contacts network and a large number of roles not being advertised, but for me old-fashioned job boards and recruiters have got me every job over the last four years. Find the major job board for technology in your city / country, set up a profile and some very specific alerts. Target the work you really want to do rather than generic or all security roles. I think the advertised roles are actually only useful to find recruiters who get these roles. Get to know these recruiters. Meet with them, keep in touch. Every role I got in the last four years came from a recruiter I knew contacting me about a role that had come up, not from ones I had applied for myself.&lt;br /&gt;&lt;br /&gt;That said, cultivating your network is never a waste of time. 
Personally I never got a role directly due to my network, however it is always a good way of keeping up with what is going on and security tends to be a small world so you never know where you may run into a contact. The monthly meetups like Defcon, OWASP are ideally suited for this and the best way to get people taking to you in these, is to do a short presentation. It does not have to be anything that special, just a perspective on a current issue with some fun and informative slides will do the trick.&lt;br /&gt;&lt;b style=&quot;font-size: 24px;&quot;&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;The number&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When dealing with recruiters again having a clear statement of what you want to do and what you do not, really makes them work for you. Fight the feeling that you may miss out on something, being specific will get you more of what you want faster. A common question from recruiters is also what you are on currently and what you are looking for. My approach here is to have one number. Not a range. Just a researched number on what is realistically achievable. This should be from people that actually do the role you are after than recruiters of possible. If it is a recruiter number get at least 3 opinions and add 20%. State this number clearly and shut up. Do not negotiate at this stage, if there is an actual job offer latter you can work out whether any trade off is worthwhile but at this stage go in with the best position to negotiate down from. It is a lot easier for you to decide to go down rather than get it up later.&lt;br /&gt;&lt;b style=&quot;font-size: 24px;&quot;&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;The interview&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This seems to be where a lot of security people let themselves down. 
Technical questions are specific to the area you are applying for but having a clear structure with the answer or solution followed by a solid example of where you demonstrated this seems sensible. Like public speaking or presenting practice your response to common questions aloud many times. I believe every security professional should have a good answer to dealing with risk acceptance and influencing and convincing the business.  I always found a whiteboard or bringing a pad to draw on was my friend. It is so much easier to explain ideas when you have a visual aid and it can get the interviewer involved in problem solving and provide a frame of reference for questions and answers. Even if the answer is not visual, anchoring with a mindmap works well.  Definitely have some questions for them. It is a good opportunity to evaluate if you actually want to work there and also get them imaging you in the role. I like questions like what will my priorities be for the first month. What does good look like or success measured? What will be my decision authority? What is the style of management - hands on or off? 
How is bad news received by the organization?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;&amp;nbsp;Summary / TLDR;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Decide what you really want to do day to day&lt;/li&gt;&lt;li&gt;Cut down your CV to suit this only&lt;/li&gt;&lt;li&gt;Get to know the recruiters that get your roles&lt;/li&gt;&lt;li&gt;Pick a salary or rate number, state it and shut up&lt;/li&gt;&lt;li&gt;Provide all interview answers with an answer from experience.&lt;/li&gt;&lt;li&gt;Present visually if possible and ask questions that get them imagining you in the role&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Photo credit &lt;a href=&quot;http://www.flickr.com/photos/yggg/2560666767/sizes/m/in/photostream/&quot;&gt;Flikr&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/1502110745817870981/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/11/simple-tips-for-getting-job-in-infosec.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/1502110745817870981'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/1502110745817870981'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/11/simple-tips-for-getting-job-in-infosec.html' title='Simple tips for getting a job in #infosec'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://2.bp.blogspot.com/-dXMsDRng9Go/Tsjg5qyUFnI/AAAAAAAACIY/ILttx7ef1-0/s72-c/2560666767_82edc1b3fb.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-6991917702172416873</id><published>2011-10-19T11:50:00.000+01:00</published><updated>2011-10-19T23:18:06.848+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Contracts"/><category scheme="http://www.blogger.com/atom/ns#" term="Rant"/><category scheme="http://www.blogger.com/atom/ns#" term="Security norms"/><category scheme="http://www.blogger.com/atom/ns#" term="Security Risk Management"/><category scheme="http://www.blogger.com/atom/ns#" term="Startups"/><title type='text'>Top 3 reasons why fighting small battles is losing us the war</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/-s6Dl-wU0St4/Tp6rDqEgh-I/AAAAAAAACIA/2kzhvvibU0M/s1600/5266793839_082c390402_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://4.bp.blogspot.com/-s6Dl-wU0St4/Tp6rDqEgh-I/AAAAAAAACIA/2kzhvvibU0M/s1600/5266793839_082c390402_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;Are you sure you are a security guy? A friend and colleague working in anti-fraud has asked me a number of times on a recent project. The answer is no I am not. Not your typical one anyway. I think sometimes I am more of a business guy trapped in the body of a work prevention officer. I care about viability, the bottom line and time to market. I spam people with the latest developments in the industry. I am also a tech geek trapped in the body of InfoSec guy. 
I think web sockets, noSQL, node.js and CoffeeScript are cool, and I do not worry immediately about the security hazards they bring. I believe most things that benefit the business can be done securely enough to mitigate the risks to a level the business would accept. For these reasons, I have become increasingly frustrated with the InfoSec industry and security in large companies in general. If we stopped crying wolf at the small stuff, there is a better chance we could have some real influence on the big issues.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;Large corporations today are not getting the benefits startups and consumers enjoy. The technology innovation and adoption cycle used to go government &amp;gt; corporations &amp;gt; consumer. That is now reversed. This is not entirely the fault of security and compliance groups, but some of it certainly is. Maybe not by directly saying NO, but by the perception that security, compliance or risk would never approve this. By making the review and assessment process so long and onerous, it is just easier to not do it.&lt;br /&gt;&lt;br /&gt;I will provide three examples where fighting small battles is losing us the war:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;1. Fear of the external and loss of control&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;See if you agree with the following statements in today&#39;s world:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Security of the internal network is a myth e.g. RSA, Sony&lt;/li&gt;&lt;li&gt;Having a hard outer shell and soft center(s) is pointless&lt;/li&gt;&lt;li&gt;Firewalls are porous&lt;/li&gt;&lt;li&gt;Anti-virus is ineffective&lt;/li&gt;&lt;li&gt;You have to give someone access. 
Someone has to administer systems&lt;/li&gt;&lt;li&gt;Data loss and leakage is simple and occurs every day&lt;/li&gt;&lt;li&gt;Many services are outsourced; this includes the cleaners in your office and datacenter, repairmen, temps and contractors, all the way to HR, infrastructure, desktop and network management&lt;/li&gt;&lt;li&gt;Great volumes of data are already stored outside the corporation&#39;s network, often unencrypted e.g. emails sent externally, backup tapes&lt;/li&gt;&lt;li&gt;Data sent externally, even where encrypted, will be decrypted and stored on external systems. It may not be disposed of securely&lt;/li&gt;&lt;li&gt;An organization&#39;s most valuable data is unstructured and stored in email and file shares (on servers, endpoints, mobile, backups)&lt;/li&gt;&lt;li&gt;Due to email, your most sensitive data already lives on and traverses the Internet daily&lt;/li&gt;&lt;li&gt;Most web applications still have the most basic cross site scripting and SQL injection vulnerabilities&amp;nbsp;&lt;/li&gt;&lt;li&gt;Many systems are still vulnerable to default or simple passwords or are missing patches&lt;/li&gt;&lt;li&gt;Social engineering is still one of the most effective attack vectors. Coming through the front door is still good enough and easy enough&lt;/li&gt;&lt;/ul&gt;Still with me? At least for the 20% that matters? How about these:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Moving security controls as close to the sensitive data as possible makes sense&lt;/li&gt;&lt;li&gt;If the sensitive data is secured, network controls, remote access and where the data physically is matter a lot less&lt;/li&gt;&lt;li&gt;Five of the most effective security controls in most scenarios would be authentication, authorization, logging and monitoring, encryption and patching&lt;/li&gt;&lt;/ul&gt;Still with me? I would be surprised if many battle hardened security professionals today disagreed with the general observations above. 
Still, having come all the way to the edge of the cliff, many will not take the leap to the logical conclusions.&lt;br /&gt;&lt;br /&gt;Many startups today will begin their life on the Internet. The required tools are simple, easy to access, easy to use and often free. Tools such as collaboration, social networking, video conferencing, group messaging or social coding. Even the basics just work so much better than in large corporations. Email is fast and easily searchable, calendars and available time sharable with anyone. Documents live in one place on the web, do not need to be emailed and can be worked on by anyone simultaneously. Endpoints and mobile can be whatever makes you most productive (e.g. Mac, Android, Ubuntu), and information and functions are easily accessible from anywhere in the world.&lt;br /&gt;&lt;br /&gt;All of these services could be available to large corporations with reasonable security. The fear of putting data outside of the corporate internal network, the fear of staff you do not control, the over reliance on network controls and antivirus is a major barrier. To even consider these business enabling tools, security would need months of due diligence, weeks of evaluation, signing over of the vendor&#39;s first born in case something goes wrong. As InfoSec professionals we do not want to do the same boring, simple, cheap controls that make 80% of the difference; no, this is new and risky so there must be a mountain of new controls, which we never have to deploy on internal networks because there was no business case. My favorite is when we pretend we are lawyers and are concerned about the liability and data jurisdiction restrictions. Why don&#39;t we assess the risk, put reasonable controls in place and let the business get on with it?&lt;br /&gt;&lt;br /&gt;The thing we do not seem to realize is that for there to be any need for security there must be a business first. 
Many of the things that startups and consumers take for granted now are the small stuff. In the scheme of things, and if you subscribe to the above truisms, they are not the big risks to the business. By simply denying them or making it so hard for the business to do them, all we do is lose our seat at the table. They work around us or approach us too late to allow any influence. &amp;nbsp;By working with the business on the small stuff that simply reduces the friction and allows them to compete in today&#39;s world, we have a far better chance at getting a seat at the table for the decisions that really matter.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;2. Too much complexity&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Most security professionals would subscribe to the view that increased complexity reduces security and increases the likelihood of vulnerabilities. Yet we seem unable to be comfortable with a Pareto level of security. An example: once we had a project to improve the supplier security schedules at a company. These are the legal clauses relating to security that go into contracts with suppliers. The organization recognized that they were a mess. There were too many different versions, they were inconsistently applied and had no relation to the risk posed by the supplier. There was a wise view that the internal policies and standards could not be simply applied to all suppliers in a legal contract, as they were simply not written for that purpose and any supplier that read them would not actually sign up to them.&lt;br /&gt;&lt;br /&gt;Two security guys I respect a lot and I were tasked with coming up with a new security schedule to solve this problem. One of the guys in particular is quite brilliant; he recently told me &quot;I have no idea what I would do if a company actually did the basics right. If they did passwords and patching, I would be lost. 
Everything else is just window dressing&quot;. I liked the cut of his jib. Therefore, we wrote a one pager. Just the absolute minimum security controls we could accept with a simple, unambiguous four step criteria of which controls would apply to which type of product / service.&lt;br /&gt;&lt;br /&gt;Of course being a large company, it then needed the dreaded review cycle. Every security, risk and compliance professional that reviewed it felt that their touch was needed; a critical security control that could not be lived without has to be added. Not surprisingly at the end, it was over 85 pages and completely unusable. The organization itself was no way close to compliant with it and no way would any supplier sign it.&lt;br /&gt;&lt;br /&gt;I think after giving so much ground and having security cut from initiatives, after having to battle to get funding for every security initiative we now just shoot for the stars expecting to be beaten down. Being naturally risk averse and afraid of missing something we ask for everything. The latest advanced persistent unicorns are defeating all our controls; we need new and advanced defenses. It does not matter if you are just doing point-to-point web services with mutual authentication. TLS is too old and not sexy. We need this cool message signing to defeat the evil Zeus and Stuxnet!&lt;br /&gt;&lt;br /&gt;The role of security is not to get cool tools deployed. Most of the time the basics done well is enough and applying the appropriate controls at the least cost and effort will get the business to engage more frequently and on issues that are more important.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;3. Passing the buck&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Agree with some of what you wrote above but end of the day I do not care. As long as the business accepts the risk, they can do what they want. 
I still get paid and do not need to stick my neck on the line.&lt;br /&gt;&lt;br /&gt;This is just wrong.&lt;br /&gt;&lt;br /&gt;Like a doctor or lawyer of old, be a trusted professional. A true expert. Like when faced with a complex and risky surgery or an experimental drug. You will not feel the consequences as the patient (the business) will, but like the doctor you are often the best positioned to make an expert recommendation. You will fail and make the wrong recommendation sometimes, but if you put yourself in the shoes of the business owner and use all your domain expertise and experience to make the best recommendation you can, then would that not more often than not result in the best outcome for the organisation? Ultimately, it is still a business decision, like the patient&#39;s, and they may choose to ignore your recommendation. However, where we save our own arse and do not even make a recommendation, that is the biggest disservice.&lt;br /&gt;&lt;br /&gt;We should be fighting for the big stuff and not sweating the small stuff. We should identify and focus on the big risks to the organisation and not get dragged down rabbit holes every time they occur. And they occur often. What could put the business out of business? There should only be a handful. What just helps the business get stuff done? These things are not without risk, but the risk can be managed with simple, cost effective measures. This is not about passing the buck to the business but rather stepping up as domain experts and security professionals. Accepting responsibility, sticking our necks on the line for the overall best outcome for the business.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Summary (TLDR;)&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Apply modern attitudes to security. Internal is not safer than external these days. 
There is no reason that security should directly or indirectly prevent services to big companies that consumers and startups use safely&lt;/li&gt;&lt;li&gt;Be pragmatic and reduce complexity. Resist the temptation to implement additional security controls because it is a new service or a new control when the basics reduce the risk to an acceptable level&lt;/li&gt;&lt;li&gt;Use your expertise to make recommendations not just get risk&amp;nbsp;acceptances&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Related posts:&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/05/7-ways-to-exploit-psychology-to-sell.html&quot;&gt;7 ways to exploit psychology to sell security&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/01/early-security-engagement-critical-or.html&quot;&gt;Early security engagement - critical or waste?&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/11/in-security-is-it-better-to-be-black.html&quot;&gt;In security is it better to be black and white?&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;PS: For anyone who subscribes to this blog, apologies for the lack of articles recently. Have been busy moving from London back to Melbourne and getting a new job. Article about what I have found effective in getting a security role to follow soon and hopefully at least one a month.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;Like this post? 
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter: &lt;a class=&quot;twitter-follow-button&quot; href=&quot;http://twitter.com/rakkhis&quot;&gt;Follow @rakkhis&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/protestphotos1/5266793839/sizes/s/in/photostream/&quot;&gt;ProtestPhotos1&lt;/a&gt; Flickr&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/6991917702172416873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/10/top-3-reasons-why-fighting-small.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/6991917702172416873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/6991917702172416873'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/10/top-3-reasons-why-fighting-small.html' title='Top 3 reasons why fighting small battles is losing us the war'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://4.bp.blogspot.com/-s6Dl-wU0St4/Tp6rDqEgh-I/AAAAAAAACIA/2kzhvvibU0M/s72-c/5266793839_082c390402_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-7499100017342157615</id><published>2011-08-09T14:38:00.000+01:00</published><updated>2011-08-09T14:38:00.628+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><category scheme="http://www.blogger.com/atom/ns#" term="Mobile security"/><title type='text'>Apple bringing secure email to the masses with iOS 5</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://2.bp.blogspot.com/-v2LLS3-w5Oo/TiQrlrfv18I/AAAAAAAACDY/xtT0G7vRf-Y/s1600/506858927_5fa530ce3e.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;172&quot; src=&quot;http://2.bp.blogspot.com/-v2LLS3-w5Oo/TiQrlrfv18I/AAAAAAAACDY/xtT0G7vRf-Y/s320/506858927_5fa530ce3e.jpg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;One of my worst ever projects was implementing PGP email encryption. Considering I have only worked in large financial services companies, that is saying something. I have &lt;a href=&quot;http://www.rakkhis.com/2010/08/implementing-email-encryption-lessons.html&quot;&gt;reflected&lt;/a&gt; on the lessons learnt from this project before, but I felt that PGP was fundamentally flawed. When Apple iOS 5 was unveiled, there was a small feature that no one talked about. It was hidden among the sparkling jewels of notifications, free messaging and just works synchronization. That feature was S/MIME email encryption support. 
Now S/MIME is not new; however, Apple is uniquely positioned with their ecosystem and user-centric design to solve the fundamental problems and bring secure email to the masses.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Written for &lt;a href=&quot;http://security.blogoverflow.com/2011/08/09/apple-bringing-secure-email-to-the-masses-with-ios-5/&quot;&gt;security.blogoverflow.com&lt;/a&gt; &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;I have detailed the problems that email encryption solves, and those it does not solve, before. To re-iterate and update:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Attacker eavesdropping on or modifying an email in transit&lt;/b&gt;, both on public networks such as the Internet and unprotected wireless networks and on private internal networks. Recently I have experienced things that have hammered home the reality of this threat: heartfelt presentations at security conferences such as Uncon about the difficulties faced by those in oppressive regimes such as Iran, where the government reading your email could result in death or worse for you and your family. Even &quot;liberal&quot; governments such as the US blatantly ignoring the law to perform mass domestic &lt;a href=&quot;http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy&quot;&gt;wire tapping&lt;/a&gt; in the name of freedom. The right to privacy is a human right. Most critical communication these days is electronic. There is a clear problem to be solved in keeping this communication only to its intended participants.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Attacker reading or modifying emails in storage&lt;/b&gt;. The recent attacks on high profile targets such as Sony and low profile ones like MTGox, who were brought low by simple exploitation of unpatched systems and SQL injection vulnerabilities, have revealed an unintended consequence. 
The email addresses and passwords published were often enough to allow attackers access to a user&#39;s email account, as the passwords were re-used. I don&#39;t know about you, but these days a lot of my most important information is stored in my gmail account. The awesome search capability, high storage capacity and accessibility everywhere mean that it is a natural candidate for scanned documents and notes as well as the traditional highly personal and private communications. There is a problem to be solved of adding a layered defense; an additional wall in your castle if the front gate is breached.&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Attacker is able to send emails impersonating you&lt;/b&gt;. It is amazing how much email is trusted today as being actually from the stated sender. In reality normal email provides very little non-repudiation. This means it is trivial to send an email that appears to come from someone else. This is a major reason why phishing, and spear phishing in particular, are still so successful. Now spam blockers, especially good ones like Postini, have become very good at examining email headers, verified sender domains, MX records etc. to reject fraudulent emails (which is effective unless of course you are an RSA employee and dig it out of your quarantine). You can also have a more localised proof of concept of this. If your work accepts manager e-mail approvals for things like pay rises and software access, and it also has open SMTP relays, you can have some fun by Googling SMTP telnet commands. 
There is a problem to solve in how to reliably verify the sender of the email and ensure the contents have not been tampered with.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;b&gt;Problems not solved by email encryption and signing:&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Sending the wrong contents to the right person(s)&lt;/li&gt;&lt;li&gt;Sending the right contents to the wrong person(s)&lt;/li&gt;&lt;li&gt;Sending the wrong contents to the wrong person(s)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;These are important to keep in mind because you need to choose the right tool for the job. Email encryption is not a panacea for all email mis-use cases. &lt;br /&gt;&lt;br /&gt;So having established that there is a need for email encryption and signing, what are the fundamental problems with a market leading technology like PGP (now owned by Symantec)?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Fundamental problems in summary&lt;/b&gt;:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Key exchange&lt;/b&gt;. Bob Greenpeace wants to send an email to Alice Activist for the first time. He is worried about Evil Government and Greedy OilCorp reading it and killing them both. Bob needs Alice&#39;s public key to be able to encrypt the document. If Bob and Alice both worked at the same company and had PGP Universal configured correctly, or worked in organisations that both had PGP Universal servers exposed externally, or had the foresight to publish their public keys to the public PGP global key server, all would be well. However this is rarely the case. Also, email is a conversation. Alice not only wants to reply but also to add in Karl Boatdriver in planning the operation. Now suddenly Bob and Alice need Karl&#39;s public key and he needs theirs. Bob, Alice and Karl are all experts in their field but not technical and have no idea how to export and send their public keys and install the others&#39; keys before sending secure email. 
They have an operation to plan for Thursday!&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Working transparently and reliably everywhere&lt;/b&gt;. Bob is also running Outlook on his Windows phone 7 (*chuckles*), Alice Pegasus on Ubuntu and Karl Gmail via Safari on his iPad. Email encryption, decryption, signing, signature verification, key exchange all need to just work on all of these and more. It also cannot be like PGP desktop which uses a dirty hack to hook into a rich email client. This gives it extremely good reliability and performance. Intermittent issues like emails going missing and blank emails never occur. Calls to PGP support for any enterprise installation are few and far between. All users in companies love PGP and barely notice it is there. In many organisations email is the highest tier application. It has to have three nines uptime. If Alice and Karl are about to be captured by Greedy Oilcorp and they need to get an email to Bob they cannot afford to get a message blocked by PGP error.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Less fundamental but still annoying:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Adding storage encryption&lt;/b&gt; - there is no simple way with PGP to encrypt a clear text email in storage. You can send it to yourself again or export it to a file system and encrypt it there but that is it. 
This is a problem in where the email is not sensitive enough to encrypt in transit (or just where you just forgot) but where after the fact, you do care if script kiddies with your email password get that email and publish it on Pastebin.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;b&gt;How Apple could solve these fundamental problems with iOS 5&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Key exchange&lt;/b&gt; - If you read &lt;a href=&quot;http://markn.ca/2011/ios4/&quot;&gt;marknca&lt;/a&gt;&#39;s excellent iOS security guide, you will see that Apple has effectively built a Public Key Infrastructure (PKI). Cryptographically signing things like apps and checking this signature before allowing them to run is key to their security model. This could be extended to users to provide email encryption and specifically transparent key exchange in the following manner:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Each user with an Apple ID would have a public/private key pair automatically generated&lt;/li&gt;&lt;li&gt;The public keys would be stored on the Apple servers and available via API and on the web to anyone&lt;/li&gt;&lt;li&gt;The private keys would be encrypted to the the users Apple account passphrase and be synchronized via iCloud to all iOS and Mac endpoints &lt;/li&gt;&lt;li&gt;To send a secure email the user would just click a secure button on their email tool&lt;/li&gt;&lt;li&gt;When sending an email via an iOS device, a Mac or via Mobile me web it would query the Apple servers for the recipients private key and encrypt and sign (optional) the email&lt;/li&gt;&lt;li&gt;On receipt as long as the device had been unlocked the email would be decrypted. For web access as long as the certificate was stored in the browser the email would be decrypted (could be an addon to Safari)&lt;/li&gt;&lt;li&gt;To encrypt an email in storage you would just drag it to a folder called private email. 
You could write rules for what emails were automatically stored there.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;This system would make key exchange, email encryption, decryption and signing totally transparent. Because S/MIME uses certificates, it is easy to get the works-everywhere property. However, Apple would first enable this only for .me addresses, iOS devices and Macs, to sell more of these and to beef up their enterprise cred. Smart hackers and add-on writers would soon make it work everywhere though. There you go, secure email for the masses.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Summary (TLDR):&lt;/b&gt;&amp;nbsp; &lt;br /&gt;&lt;ul&gt;&lt;li&gt;Email encryption solves the problem of interception in transit and adds a secondary layer of defence if your email account is compromised. Signing ensures the recipient can trust it is you sending&lt;/li&gt;&lt;li&gt;Email encryption and signing do not solve human errors relating to email&lt;/li&gt;&lt;li&gt;PGP fails at key exchange, working transparently and reliably, and email storage encryption&lt;/li&gt;&lt;li&gt;Apple, with S/MIME support in iOS 5 and its existing Public Key Infrastructure (PKI), could make secure email just work by simplifying key generation and exchange and integrating encryption, decryption and signing into the iOS native mail applications&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;b&gt;Related posts:&lt;/b&gt; &lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/08/implementing-email-encryption-lessons.html&quot;&gt;Implementing email encryption: lessons learned&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/09/3-million-reasons-to-encrypt-your.html&quot;&gt;3 Million reasons to encrypt your Blackberry&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/10/beating-crackberry-if-apple-google-and.html&quot;&gt;Beating crackberry: if Apple, Google and Microsoft were serious about enterprise 
smartphones&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter: &lt;a class=&quot;twitter-follow-button&quot; href=&quot;http://twitter.com/rakkhis&quot;&gt;Follow @rakkhis&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Photo credit: &lt;a href=&quot;https://secure.flickr.com/photos/u2canreed/506858927/sizes/m/in/photostream/&quot;&gt;u2canreed&lt;/a&gt; Flickr&lt;br /&gt;&lt;br /&gt;Editing and review assistance:&amp;nbsp; &lt;a href=&quot;https://twitter.com/#%21/roryalsop&quot;&gt;Rory Alsop&lt;/a&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/7499100017342157615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/08/apple-bringing-secure-email-to-masses.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7499100017342157615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7499100017342157615'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/08/apple-bringing-secure-email-to-masses.html' title='Apple bringing secure email to the masses with iOS 5'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-v2LLS3-w5Oo/TiQrlrfv18I/AAAAAAAACDY/xtT0G7vRf-Y/s72-c/506858927_5fa530ce3e.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-1661092428379149286</id><published>2011-07-03T21:35:00.003+01:00</published><updated>2011-07-05T11:28:07.743+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Social media"/><title type='text'>Google+ because I hate being put in a box</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-kTH0H3y_CWA/ThDHjsKDGCI/AAAAAAAACCo/kVjWgaXJQNk/s1600/2404069584_0e4ff8df95.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;149&quot; src=&quot;http://3.bp.blogspot.com/-kTH0H3y_CWA/ThDHjsKDGCI/AAAAAAAACCo/kVjWgaXJQNk/s200/2404069584_0e4ff8df95.jpg&quot; width=&quot;200&quot; /&gt;&lt;/a&gt;&lt;/div&gt;No one talks in my Facebook groups. People talk too much on my Twitter feed. These are my two biggest problems on social networks at the moment. I&#39;m pretty sure this only impacts me though. I have been playing around with Google plus for a few days now and interestingly I think it could solve both problems. 
I also have some suggestions that would improve the service for me at least.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Too little engagement&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As you can see my Facebook groups are pretty bare.&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/-XnUPBZz6Bpw/ThDH6idrjbI/AAAAAAAACCs/DBNEJ3gf_g0/s1600/facebook+groups.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;441&quot; src=&quot;http://1.bp.blogspot.com/-XnUPBZz6Bpw/ThDH6idrjbI/AAAAAAAACCs/DBNEJ3gf_g0/s640/facebook+groups.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I have created and got added into the following groups:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Geek channel - new technology, gadgets and other geek stuff.&lt;/li&gt;&lt;li&gt;Current and ex gamers - computer games&lt;/li&gt;&lt;li&gt;Sporadic photographers&lt;/li&gt;&lt;li&gt;UK friends - close friends I see regularly in real life&lt;/li&gt;&lt;li&gt;PwC&amp;nbsp;Melbourne&amp;nbsp;alumni - work&amp;nbsp;colleagues&amp;nbsp;and friends from my first job&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;There is very little engagement in these groups. The largest contributor by far is me. There is very little discussion. 
I posted this question on &lt;a href=&quot;http://www.quora.com/Is-Facebook-groups-working/talk&quot;&gt;Quora&lt;/a&gt; and the answer came back that this clearly only impacted me.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The main reasons for this are:&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Got no friends&lt;/b&gt; - I have a low number of friends, just over 100. These are all people I have met in real life.&amp;nbsp;&amp;nbsp;I have my privacy settings set to pretty much share anything only with my friends.&amp;nbsp;This is how Facebook grew up. It is in Facebook&#39;s genes. Long before groups existed you only shared content that you wanted your &quot;friends&quot; to see and they saw everything you shared. I am not a&amp;nbsp;particularly&amp;nbsp;private person but I cringe now at adding anyone that does not fit this profile.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Got no groupies - &lt;/b&gt;This means I have a low number of people in each group. I&#39;m scared of adding random people that may fit well into the groups because it means I need to friend them first and I have no idea what I have shared over the years with just &quot;my friends&quot;.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Low online&amp;nbsp;engagement&lt;/b&gt;&amp;nbsp;- I got told in the geek tech group that there is low engagement because they read the same types of things (e.g. TechCrunch, Hacker News, etc.) so they do not feel the need to share or discuss items in the Facebook group. However, offline I know this to be false. I have discussions around things I have read with these people who had no idea what it was and seemed&amp;nbsp;genuinely&amp;nbsp;interested in having a dialog about it. 
This suggests at least in part it could be the tools and process.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Too much engagement&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I must really annoy anyone that follows me on &lt;a href=&quot;https://twitter.com/#%21/rakkhis&quot;&gt;Twitter&lt;/a&gt;. My profile reads:&amp;nbsp;&lt;/div&gt;&lt;blockquote class=&quot;&quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;color: #777777; font-family: Georgia,serif; font-size: 14px; font-style: italic; line-height: 18px;&quot;&gt;&lt;a class=&quot;  twitter-hashtag&quot; href=&quot;https://twitter.com/#%21/search?q=%23infosec&quot; muse_scanned=&quot;true&quot; rel=&quot;nofollow&quot; style=&quot;color: #2fc2ef; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: underline; white-space: nowrap;&quot; title=&quot;#infosec&quot;&gt;&lt;span class=&quot;hash&quot; style=&quot;cursor: pointer; display: inline-block; margin: 0px; opacity: 0.7; padding: 0px;&quot;&gt;#&lt;/span&gt;&lt;span class=&quot;hash-text&quot; style=&quot;margin: 0px; padding: 0px;&quot;&gt;infosec&lt;/span&gt;&lt;/a&gt;, sporadic blogger, risk,&amp;nbsp;&lt;a class=&quot;  twitter-hashtag&quot; href=&quot;https://twitter.com/#%21/search?q=%23privacy&quot; muse_scanned=&quot;true&quot; rel=&quot;nofollow&quot; style=&quot;color: #2fc2ef; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; white-space: nowrap;&quot; title=&quot;#privacy&quot;&gt;&lt;span class=&quot;hash&quot; style=&quot;display: inline-block; margin: 0px; opacity: 0.7; padding: 0px;&quot;&gt;#&lt;/span&gt;&lt;span 
class=&quot;hash-text&quot; style=&quot;margin: 0px; padding: 0px;&quot;&gt;privacy&lt;/span&gt;&lt;/a&gt;, mobile. gadgets, new technology, startups, stock and currency trading, football&amp;nbsp;&lt;a class=&quot;  twitter-hashtag&quot; href=&quot;https://twitter.com/#%21/search?q=%23epl&quot; muse_scanned=&quot;true&quot; rel=&quot;nofollow&quot; style=&quot;color: #2fc2ef; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; white-space: nowrap;&quot; title=&quot;#epl&quot;&gt;&lt;span class=&quot;hash&quot; style=&quot;display: inline-block; margin: 0px; opacity: 0.7; padding: 0px;&quot;&gt;#&lt;/span&gt;&lt;span class=&quot;hash-text&quot; style=&quot;margin: 0px; padding: 0px;&quot;&gt;epl&lt;/span&gt;&lt;/a&gt;,&amp;nbsp;&lt;a class=&quot;  twitter-hashtag&quot; href=&quot;https://twitter.com/#%21/search?q=%23F1&quot; muse_scanned=&quot;true&quot; rel=&quot;nofollow&quot; style=&quot;color: #2fc2ef; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; white-space: nowrap;&quot; title=&quot;#F1&quot;&gt;&lt;span class=&quot;hash&quot; style=&quot;display: inline-block; margin: 0px; opacity: 0.7; padding: 0px;&quot;&gt;#&lt;/span&gt;&lt;span class=&quot;hash-text&quot; style=&quot;margin: 0px; padding: 0px;&quot;&gt;F1&lt;/span&gt;&lt;/a&gt;, photography&lt;/span&gt;&lt;/blockquote&gt;&lt;div&gt;These are most of the things I am interested in and talk about. 
Just for good measure I will also throw in a random thought or something &lt;a href=&quot;http://www.sebastianmarshall.com/&quot;&gt;inspirational&lt;/a&gt; or just &lt;a href=&quot;http://www.overcomingbias.com/&quot;&gt;interesting&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Anyone who has well organized Twitter lists and has put me in a specific list must be driven mad. E.g. I do tend to talk about information security a lot, so the following lists I am added to make sense:&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/-4tGwGdH-Ih8/ThDMAU5Ch-I/AAAAAAAACCw/6GUx09b5uUY/s1600/listsiamontwitter.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://4.bp.blogspot.com/-4tGwGdH-Ih8/ThDMAU5Ch-I/AAAAAAAACCw/6GUx09b5uUY/s1600/listsiamontwitter.png&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So when I post some random thoughts about new technology, like going on about #googleplus recently, it must drive people mad. Or more likely they would not even see it. 
If you are like Jason, who follows over 73,000 people, his Twitter stream looks something like this at this second:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/--OCI-gfSXCs/ThDNAYdxmHI/AAAAAAAACC0/IPb-E0YXXAU/s1600/jason1.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://4.bp.blogspot.com/--OCI-gfSXCs/ThDNAYdxmHI/AAAAAAAACC0/IPb-E0YXXAU/s1600/jason1.png&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;And then 2 seconds later (yes, he had followed 3 more people in that short time):&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-QyZPCQPIrws/ThDNGHh3ytI/AAAAAAAACC4/zgcRONFesMo/s1600/jason2.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://3.bp.blogspot.com/-QyZPCQPIrws/ThDNGHh3ytI/AAAAAAAACC4/zgcRONFesMo/s1600/jason2.png&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Similar to the way Facebook has organically evolved, people just accept that they will miss tweets. They will dip into their feed every now and then and occasionally get some value. Things like the mysixthsense add-on have tried to solve this, but it does not work on mobile. The noise to signal ratio gets so bad that I actually feel bad having a conversation with people or especially participating in a hashtag, e.g. #bbcsml when the program is on TV or #bsideslondon when I am at that conference. 
I am effectively spamming my followers with content they do not want to read and that is outside of the box they put me in when they followed me.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;How Google plus solves these&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Google plus has been designed from the ground up to solve these problems, if it is used as designed. I&amp;nbsp;appreciate&amp;nbsp;that is a big caveat; however, being baked in, there is a far greater chance of success, as people who start using Google plus will start to use the product correctly. As we know well in security, it is&amp;nbsp;ridiculously more effective to bake something in rather than bolting it on later.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The way it solves these problems is primarily via Circles. When someone follows me they add me to a circle. Now this is the key part. Even though circles are&amp;nbsp;asymmetric&amp;nbsp;following, like Twitter, for the whole model to work well I need to also follow them and add them to a Circle. They will then see what I share publicly as well as what I share to that Circle.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;An example of this would be:&lt;/div&gt;&lt;div&gt;&lt;ol style=&quot;text-align: left;&quot;&gt;&lt;li&gt;John sees someone link to one of my posts about information security. 
He is wowed by its sheer&amp;nbsp;brilliance&amp;nbsp;and decides to follow me to&amp;nbsp;receive&amp;nbsp;further words of wisdom&lt;/li&gt;&lt;li&gt;He adds me to his Circle called infosec&lt;/li&gt;&lt;li&gt;He can currently see everything I post publicly&lt;/li&gt;&lt;li&gt;However I get a notification that John has decided to follow me&lt;/li&gt;&lt;li&gt;I check his profile and see that he is interested in Information Security&lt;/li&gt;&lt;li&gt;I add him to my Circle called infosec&lt;/li&gt;&lt;li&gt;Now he sees anything I share as public as well as anything I share that is information security related&lt;/li&gt;&lt;/ol&gt;John sees what he followed me for. He does not see any other random crap I share, e.g. with my Photography circle or conversations I have about currency trading. This will hopefully also mean that I don&#39;t hate/de-friend people (or people hate/de-friend me, which is more likely) for sharing baby photos or clogging up my stream with check-ins, Farmville and other BS posts.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Some have said that Circles should have imported your Gmail contacts groups (for those who have set those up). I started organizing my Circles in the same way but now I think this is the wrong idea. You need to organize your Circles around how you want to&amp;nbsp;receive&amp;nbsp;and publish content. This means primarily around interests rather than location, &amp;nbsp;common contacts etc.&lt;br /&gt;&lt;br /&gt;The comments feature means that he can comment directly on anything I say about infosec with other interested people without clogging up his or their streams. The notifications on any Google property alert him and keep him engaged once he has commented. If John is also really interested in currency trading, because he is also not one&amp;nbsp;dimensional, I can add him to that Circle too. 
He will hopefully return the favour and limit his conversation on currency trading to his Trading Circle.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Suggested improvements&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Suggested circles when following - &lt;/b&gt;Google shines in big data analysis. To go back to the above example, they should analyse John&#39;s profile, past posts, likes (+1), searches, emails, check-ins, purchases (Google Checkout) etc., analyse my circles and suggest to me what Circle I should add John to. Each option analysed can be an opt-in for privacy&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Suggested circles when sharing&lt;/b&gt; - when I post something including text, images, links etc. it should suggest which Circle may be interested in this information and also suggest Circles I should not post it in. This could be a similar feature to the Gmail lab that currently suggests users you have missed in emails. It should provide me&amp;nbsp;analytics&amp;nbsp;on things like the level of engagement, click-throughs etc. to also help me tune my Circles and what I share to them&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Circle tree&lt;/b&gt; - circles should have a hierarchy. As a geek I like the idea of normalization of my circles. So my Gaming friends are also my Friends. Currently if I get a new gaming friend I have to add him to two circles. This could be made easier if the Gaming Circle could just be part of my Friends circle. The user interface is also really well designed and could&amp;nbsp;accommodate&amp;nbsp;this easily. 
However, I&#39;m not sure if this would be more confusing to non-technical people, thus the current slightly more inefficient way may be better (or it could be an option to enable).&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Circles in all sharing contexts&lt;/b&gt; - the choice of circle to share to should be&amp;nbsp;extremely&amp;nbsp;simple on the native mobile applications. This is where an increasing amount of content sharing, generation and discussion will occur and this design needs to be baked in there (not share to public as the default and only simple option). I also read a lot of content offline and use the Tweetymail feature to share it with both Twitter and Facebook groups. Google plus needs to provide an email address to do this (should be simple as Blogger does this currently). Also the email needs to have tags to specify the Circle, e.g. [Trading] or #trading. Adding features such as buffering (e.g. bufferapp.com) and scheduling of G+ posts would also be welcomed.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Mitigate accidental sharing&lt;/b&gt; - Currently I use Facebook for close friends, LinkedIn for work&amp;nbsp;colleagues&amp;nbsp;and ex work&amp;nbsp;colleagues&amp;nbsp;and Twitter for anyone. Google plus has the potential to allow you to combine these into one social network. However, one&amp;nbsp;of the big risks of combining groups in an application like G+ rather than keeping&amp;nbsp;separate&amp;nbsp;networks is that there is a greater chance of sharing the wrong thing with the wrong crowd. This means Weiner type moments and DMs sent as public could be a lot more common (the media rejoices).&amp;nbsp; Google should detect when you may be making a mistake, e.g. sharing a picture with a Circle or people you have not shared it with before, or sharing a photo publicly when you&amp;nbsp;usually&amp;nbsp;only share links publicly. 
It can then prompt you to make sure, add an undo option like the Gmail Labs one for 30 seconds, or make you solve a simple maths problem to reduce drunken and fat-finger&amp;nbsp;sharing.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;I can understand why these were not added, as they could be seen as a privacy breach and after the Buzz disaster Google wants to avoid them like the plague. They are also potentially not part of the minimum viable product. It would be great however if they were added in as an opt-in.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Summary (TLDR):&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;People do not engage enough on Facebook groups because that is not how Facebook is used&lt;/li&gt;&lt;li&gt;People ignore Tweets because there is no way to specify a list when tweeting and no way to isolate&amp;nbsp;conversations&amp;nbsp;except via messages with bi-directional follow&lt;/li&gt;&lt;li&gt;Google solves both of these, if used correctly, via Circles, which allow you to group incoming and outgoing content to suit the audience. The comments feature is fast and encourages localized discussions&lt;/li&gt;&lt;li&gt;Suggested improvements are for Google to use its awesome&amp;nbsp;analytical&amp;nbsp;capability to suggest Circles both when adding people (and as tastes change over time) and when sharing. These should be an opt-in feature to minimize privacy impact. 
The Circle architecture needs to be preserved in mobile and offline sharing.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;Related posts:&lt;/b&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/03/feeding-offline-reading-habit.html&quot;&gt;Feeding an offline reading habit&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/09/farming-at-work-social-media-in.html&quot;&gt;Farming at work: social media in the enterprise&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/08/social-location-privacy-what-is-fuss.html&quot;&gt;Social location privacy - what is the fuss?&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Connect on Google Plus:&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you are interested in any of the following, contact me on &lt;a href=&quot;https://plus.google.com/107761331713571426869/posts&quot; rel=&quot;author&quot;&gt;Google plus&lt;/a&gt;&amp;nbsp;and I will add you to the right circle. If you add me, please send me a message saying what Circle you have added me to (i.e. 
what content you will be sharing with me) and what you are interested in (or fill your profile in well in&amp;nbsp;English&amp;nbsp;:)&lt;br /&gt;&lt;br /&gt;I tend to share and want to discuss information from my sources on Twitter (may change to Google plus over time), Hacker News, Techmeme, security.stackexchange, TechCrunch, my &lt;a href=&quot;https://www.google.com/reader/shared/user%2F00560647208152517952%2Fstate%2Fcom.google%2Fstarred&quot;&gt;Reader list&lt;/a&gt;, and of course what I&#39;m thinking and writing about currently:&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Information security - specifically security architecture, threat modeling, application security, risk management, security metrics, NFC and mobile security, payment systems and privacy&lt;/li&gt;&lt;li&gt;New technology and cool gadgets&lt;/li&gt;&lt;li&gt;Startups - I attend monthly meetups for Silicon Roundabout London and Hacker News&lt;/li&gt;&lt;li&gt;Stock and currency trading - my &lt;a href=&quot;http://stocktwits.com/streams/watch_lists/8005&quot;&gt;watchlist&lt;/a&gt; on stocktwits&lt;/li&gt;&lt;li&gt;Football - English Premier League&lt;/li&gt;&lt;li&gt;Formula 1&lt;/li&gt;&lt;li&gt;Photography - my stuff on &lt;a href=&quot;http://www.flickr.com/photos/rakkhi&quot;&gt;Flickr&lt;/a&gt; (moving to Google plus most likely in future) and &lt;a href=&quot;http://instaview.me/user/rakkhi/&quot;&gt;Instagram&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
Photo credit: Flickr &lt;a href=&quot;http://www.flickr.com/photos/86886338@N00/2404069584/&quot;&gt;recubejim&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/1661092428379149286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/07/google-plus-because-i-hate-being-put-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/1661092428379149286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/1661092428379149286'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/07/google-plus-because-i-hate-being-put-in.html' title='Google+ because I hate being put in a box'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://3.bp.blogspot.com/-kTH0H3y_CWA/ThDHjsKDGCI/AAAAAAAACCo/kVjWgaXJQNk/s72-c/2404069584_0e4ff8df95.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-5893219105738736387</id><published>2011-06-20T17:44:00.001+01:00</published><updated>2011-06-20T19:52:17.596+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Authentication"/><title type='text'>I was hacked @MTGOX #bitcoin – 3 reasons I am not worried</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://2.bp.blogspot.com/-0T5up0TAfFs/Tf90ERfCVOI/AAAAAAAAB_Q/SClpc0FTQlU/s1600/home-alone.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;191&quot; src=&quot;http://2.bp.blogspot.com/-0T5up0TAfFs/Tf90ERfCVOI/AAAAAAAAB_Q/SClpc0FTQlU/s200/home-alone.png&quot; width=&quot;200&quot; /&gt;&lt;/a&gt;&lt;/div&gt;I have been violated. It is a sobering experience. Username, email and hashed password available on the Internet in a prime database for &lt;strike&gt;script kiddies&lt;/strike&gt; Lulzsec et al. I now have some sympathy for &lt;a href=&quot;http://www.rakkhis.com/2011/04/rsa-apt-hack-blogger-tells-all.html&quot;&gt;RSA&lt;/a&gt;. Actually, hang on a sec. No I don’t. I actually did what I preached. Read on for three simple strategies that gave me comfort after having my details compromised as part of the &lt;a href=&quot;http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm&quot;&gt;MTGOX bitcoin hack&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;Aside: why Bitcoin? 
I will let you Google the arguments &lt;a href=&quot;http://launch.is/blog/l019-bitcoin-p2p-currency-the-most-dangerous-project-weve-ev.html&quot;&gt;for&lt;/a&gt; and &lt;a href=&quot;https://www.quora.com/Bitcoin/Is-the-cryptocurrency-Bitcoin-a-good-idea&quot;&gt;against&lt;/a&gt;. There has certainly been enough coverage lately, even on &lt;a href=&quot;http://www.techmeme.com/search/query?q=bitcoin&amp;amp;wm=false&quot;&gt;Techmeme&lt;/a&gt; and &lt;a href=&quot;http://hnsearch.heroku.com/#bitcoin&quot;&gt;Hacker News&lt;/a&gt;. For me it boils down to: &lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;I am an infosec geek and the idea of a non-fiat virtual currency that has built-in inflation controls, is less vulnerable to manipulation by &lt;strike&gt;special interests&lt;/strike&gt; central governments and is rooted in good crypto appeals to me&lt;/li&gt;&lt;li&gt;I am a disciple of &lt;a href=&quot;http://www.amazon.com/Crash-Proof-2-0-Economic-Collapse/dp/047047453X&quot;&gt;Peter Schiff&lt;/a&gt; and &lt;a href=&quot;http://www.amazon.com/Fooled-Randomness-Hidden-Chance-Markets/dp/0812975219&quot;&gt;Nassim Taleb&lt;/a&gt;, so for the same reasons I am long gold and short the US dollar. I was not in a position to exploit Y2K, the dot com boom or the 2008 housing bubble. The potential for a massive return on any of gold, short USD or bitcoin in the next few years is too good an opportunity to miss out on. Bitcoin could work. It could fail completely. However, for a very limited capped downside and very little effort there is the potential for a very large gain. I hope that all three provide exposure to positive black swans with a capped loss in case of a blowout.&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;So what about all the hacking? 
MTGox, &lt;a href=&quot;http://www.betanews.com/article/Trojan-stealing-Bitcoin-users-wallets-says-Symantec/1308345951&quot;&gt;Trojans&lt;/a&gt;, individuals having their machines &lt;a href=&quot;http://www.theregister.co.uk/2011/06/16/bitcoin_theft_claims/&quot;&gt;stolen&lt;/a&gt; for bitcoins. Well, remember why people rob banks. That is where the money is. This is the equivalent of the &lt;a href=&quot;https://secure.wikimedia.org/wikipedia/en/wiki/Ned_Kelly&quot;&gt;Ned Kelly&lt;/a&gt; (showing my roots) or Jesse James Wild West days. Banks were not very good at protecting themselves back then. After hundreds of years and billions of dollars invested you &lt;a href=&quot;https://www.infosecisland.com/blogview/13982-Bank-of-Americas-10-Million-Dollar-Breach-Loss.html&quot;&gt;could&lt;/a&gt; &lt;a href=&quot;http://albertmikha.com/citibank-has-been-hacked-200000-customer-data-stolen/&quot;&gt;argue&lt;/a&gt; they still suck. Unfortunately for bitcoin, in the Twitter age you have to secure at lightning speed and any failure is broadcast to the world instantly. But you know what? If you want to take a punt and potentially be the next &lt;a href=&quot;http://www.sebastianmarshall.com/self-control-and-enduring-success&quot;&gt;Rothschild&lt;/a&gt;, start a bitcoin bank and/or trading exchange. Put the security in place, hire your sheriffs, and guarantee deposits and holdings.&lt;br /&gt;&lt;br /&gt;So the three strategies that gave me peace of mind when my username, email and MTGOX password were exposed:&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;1. Long complex password.&lt;/b&gt; Yes &lt;a target=&quot;_blank&quot; href=&quot;https://docs.google.com/viewer?a=v&amp;pid=sites&amp;srcid=ZGVmYXVsdGRvbWFpbnxyZXVzYWJsZXNlY3xneDozNDcwNDhmMmE2MmJiMDkw&quot;&gt;size does matter&lt;/a&gt;. 
It is simple, but like SQL injection, Cross Site Request Forgery (CSRF) and the rest of the OWASP top 10 that led to compromises like this, hardly anyone does the simple things well and consistently. My strategy is to use a phrase I can remember, which has upper case, lower case, numbers and symbols, about 10 characters long. Then I add what I call a salt: a unique random value per site or service (a random prefix, not a hashing salt in the cryptographic sense). This salt is stored in LastPass and 1Password. I do this because even password vaults can be &lt;a href=&quot;http://blog.lastpass.com/2011/05/lastpass-security-notification.html&quot;&gt;compromised&lt;/a&gt; and have security vulnerabilities, and splitting the secret this way reduces the centralised risk. Practically, for the sites I use frequently I can remember the salt, so for apps that do not let you switch to a password manager and back on the iPhone or iPad this is particularly handy. Total password length is about 15 characters and complex. Even with a botnet of &lt;a href=&quot;https://www.readwriteweb.com/hack/2010/11/how-to-crack-passwords-in-the.php?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+readwriteweb+%28ReadWriteWeb%29&quot;&gt;GPUs&lt;/a&gt; this would be hard to brute-force, rainbow-table or dictionary attack. If I ever need to update the password because of silly password expiry rules, I just change the random salt.&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;&lt;b&gt;2. Unique password for each site.&lt;/b&gt; With the above system I have a unique password on each site, but by using the common phrase I get less of a usability trade-off. Using the salt first, so the password manager can auto-fill it, then entering the phrase makes it work practically. Therefore, even if point 1 above fails and the password is discovered in clear text, the attacker does not automatically gain access to every other site. 
In situations like this, I also do not have the headache of changing hundreds of passwords, or the worry that one or more is compromised in the meantime. The recent hacks have demonstrated that even your “do not care” sites should have unique passwords, unless you absolutely do not care if they and the other “do not care” sites are compromised. Where the site allows I also try to register with a plus-addressed email, e.g. rakkhi.s+mtgox@gmail.com . This little trick still gets email delivered to my inbox and makes it easy to identify which site leaked or sold my address when the spam arrives. There was an &lt;a target=&quot;_blank&quot; href=&quot;http://blog.jgc.org/2011/06/my-email-canary.html&quot;&gt;email canary&lt;/a&gt; idea on HN a while back, which is also good if you can live with having one unread email&lt;/li&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;&lt;b&gt;3. Two factor authentication&lt;/b&gt;. Google in their awesomeness locked my account and informed me there was suspicious activity detected. I also had the peace of mind of knowing that I had &lt;a href=&quot;https://www.google.com/support/accounts/bin/static.py?page=guide.cs&amp;amp;guide=1056283&amp;amp;topic=1056284&quot;&gt;two-step verification&lt;/a&gt; enabled on Gmail. So again, even if they got my password it is not automatic entry into my email. I use two factor wherever it is offered. E.g. 
Paypal (both Yubikey and mobile SMS), LastPass (Yubikey), my business banking (RSA for now).&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;Summary:&lt;/b&gt;&lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Make a large number of small bets on things that have a capped downside and low effort but an extremely high potential upside&lt;/li&gt;&lt;li&gt;Use a long complex password and store all or part in a password manager&lt;/li&gt;&lt;li&gt;Use unique passwords per site, even the low priority ones&lt;/li&gt;&lt;li&gt;Use two factor authentication where possible&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Related posts:&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt; &lt;a href=&quot;http://www.rakkhis.com/2011/03/password-stolen-ounce-of-prevention.html&quot;&gt;Password stolen: an ounce of prevention&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/12/why-you-should-use-password-vault.html&quot;&gt;Why you should use a password vault&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/08/why-dont-facebook-twitter-and-google.html&quot;&gt;Why don&#39;t Facebook, Twitter and Google support strong authentication?&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;b&gt;A good tool from &lt;/b&gt;&lt;a href=&quot;https://twitter.com/#%21/dagrz&quot; title=&quot;Daniel Grzelak&quot;&gt;dagrz&lt;/a&gt;&lt;b&gt; to check whether your email address appears in the recent breach dumps: &lt;/b&gt;&lt;a href=&quot;http://shouldichangemypassword.com/&quot;&gt;http://shouldichangemypassword.com/&lt;/a&gt;  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Like this post? 
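The per-site scheme from points 1 and 2 and the plus-address canary, as an added example that is not part of the original post: a memorised phrase, a random value per site standing in for the vault entry, a sub-addressed email whose tag names the site, and an offline check of which accounts show up in a constructed dump of (email, hash) rows, which is the check the shouldichangemypassword tool does for you online. The phrase, site names and dump rows are constructed for the example, and the assumption that the dump holds unsalted SHA-256 of the password is mine, not the post's.

```python
import hashlib
import secrets
import string
from typing import Dict, List, Optional, Set, Tuple

# Characters drawn for the per-site value. Constructed choice; any printable set works.
SALT_ALPHABET = string.ascii_letters + string.digits + "!#%*+-=?@_"


class CredentialScheme:
    """Per-site password = random per-site value (kept in the vault) + memorised phrase.

    The value is random rather than derived from the site name, so one site's
    plaintext reveals nothing usable elsewhere, and a vault breach yields the
    values but not the phrase.
    """

    def __init__(self, phrase: str):
        self.phrase = phrase
        self.salts: Dict[str, str] = {}   # what the password manager stores

    def register(self, site: str, salt_len: int = 6, salt: Optional[str] = None) -> str:
        """Create the site's value (or accept a given one) and return the full password."""
        if site not in self.salts:
            self.salts[site] = salt or "".join(secrets.choice(SALT_ALPHABET) for _ in range(salt_len))
        return self.password_for(site)

    def password_for(self, site: str) -> str:
        # Value first: the vault autofills it, then the phrase is typed after it.
        return self.salts[site] + self.phrase

    def rotate(self, site: str, salt_len: int = 6) -> str:
        """Forced expiry: change only the per-site value; the phrase stays."""
        del self.salts[site]
        return self.register(site, salt_len)


def plus_address(mailbox: str, site: str) -> str:
    """user@example.com -> user+site@example.com (sub-addressing; delivery unchanged)."""
    local, _, domain = mailbox.partition("@")
    return f"{local}+{site}@{domain}"


def leak_source(address: str) -> Optional[str]:
    """Read the site tag back out of a sub-address seen in spam or in a dump."""
    local = address.partition("@")[0]
    _, plus, tag = local.partition("+")
    return tag if plus else None


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def exposed_sites(scheme: CredentialScheme, dump: List[Tuple[str, str]]) -> Set[str]:
    """Sites whose password hash appears in a dump of (email, hash) rows.

    Assumes the dump holds unsalted SHA-256 of the password, as in the
    constructed sample below; a real leak may use another algorithm.
    """
    leaked = {h for _, h in dump}
    return {site for site in scheme.salts if sha256_hex(scheme.password_for(site)) in leaked}


if __name__ == "__main__":
    me = CredentialScheme("correct-Horse7!battery")      # constructed phrase
    for site in ("mtgox", "paypal", "webmail"):
        me.register(site)
    # Constructed dump: my exchange row plus an unrelated victim.
    dump = [(plus_address("user@example.com", "mtgox"), sha256_hex(me.password_for("mtgox"))),
            ("someone@example.net", sha256_hex("password1"))]
    print("exposed:", exposed_sites(me, dump))          # only the exchange account
    print("leaked via:", [leak_source(e) for e, _ in dump])
    me.rotate("mtgox")
    print("after rotation:", exposed_sites(me, dump))   # empty set
```

One caveat the scheme carries: once the phrase is known from one site's plaintext, the only secret left at every other site is the short per-site value, so its length (six characters above) is what sets the work for an offline guess against a second site's hash; make it longer for the accounts that matter.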
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter: &lt;a class=&quot;twitter-follow-button&quot; href=&quot;http://twitter.com/rakkhis&quot;&gt;Follow @rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/5893219105738736387/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/06/i-was-hacked-mtgox-bitcoin-3-reasons-i.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5893219105738736387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5893219105738736387'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/06/i-was-hacked-mtgox-bitcoin-3-reasons-i.html' title='I was hacked @MTGOX #bitcoin – 3 reasons I am not worried'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-0T5up0TAfFs/Tf90ERfCVOI/AAAAAAAAB_Q/SClpc0FTQlU/s72-c/home-alone.png" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-3355312625592135068</id><published>2011-06-15T14:14:00.000+01:00</published><updated>2011-06-15T14:14:59.585+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Secure Development"/><title type='text'>Agile != security</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/-rMJV8MlGSso/TfiwFLnkwgI/AAAAAAAAB_M/UGVI2Jwl6yM/s1600/359394164_9c6dc89ae0_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://4.bp.blogspot.com/-rMJV8MlGSso/TfiwFLnkwgI/AAAAAAAAB_M/UGVI2Jwl6yM/s1600/359394164_9c6dc89ae0_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;I am going to fail. Agile and security just do not mix, especially secure at source. Agile is all about rapid development, everyone in a room with brown paper plastered across the wall, product backlogs building up while developers code feverishly on today&#39;s priorities. Security works well in a structured environment. We influence through control points and project gates. Oh, you are writing requirements? Let me provide you some from security. Design stage? A threat model and design review. Build we will mostly ignore, but test is our coup de grâce. The pen test is the height of security skill, where your lovely creations will be decimated! 
But how do I apply this magnificence to agile when I am called a &lt;a href=&quot;https://secure.wikimedia.org/wikipedia/en/wiki/The_Chicken_and_the_Pig&quot;&gt;CHICKEN&lt;/a&gt; and thrown out of the room?&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;I have been reading some of the Microsoft material on a Secure Development Lifecycle (&lt;a href=&quot;http://www.microsoft.com/security/sdl/discover/sdlagile.aspx&quot;&gt;SDL&lt;/a&gt;) in agile. There was also a good discussion in the Security Architecture LinkedIn group on my last post, about security people coding in agile environments. Apparently secure at source in an agile world is just what we already struggle to do in waterfall projects, with all our controls and gates, only done every sprint. How hard could it be? &lt;br /&gt;&lt;br /&gt;Therefore, this is really a post of two halves. I probably should have told you that from the start so you would not think there is gold in these hills. However, I am reading Little Bets, so here is to failing fast and often. Aside: why do I buy books that tell you the whole argument in the title? The Long Tail, Blink, Little Bets etc... Right, so this is what I am going to try:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Per sprint:&lt;/b&gt;&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Get to the daily scrums and fortnightly sprint planning sessions&lt;/b&gt; so I can put forward my valuable chicken advice and requirements. This will probably only work if I am in the same room, which could be a challenge since I am on a different continent, but I will work on my boss on that.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Threat model.&lt;/b&gt; Try to get the developers and product guys to think of mis-use cases and attack trees per sprint. 
This could be challenging, as they will probably say NO (although Lulzsec, Sony and RSA are helping my cause here and I know a few psychological tricks now to exploit). A sprint may also be too small a unit for threat modelling; this may work best per release.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Security unit test cases&lt;/b&gt;. Writing security unit tests alongside the developers’ functional unit tests. These should come from the threat model and will be automated and added to the regression suite where possible&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Static analysis.&lt;/b&gt; We have an automated code-scanning tool, which the developers should be running every time they check in code. Tickets are then raised for defects. Let&#39;s see how quickly these get fixed and what priority they receive. I will also be pushing for manual peer review by both developers and me. One of the biggest problems I can foresee is that although there is a lot of new code being written, there are many existing assets to be re-used. The web stuff from the start-up is being manually pen tested, but I doubt anyone has reviewed the code and we will not have time to do that. &lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Dynamic analysis&lt;/b&gt;. We also have the Q/A group that use an automated application vulnerability scanner. I will be looking at that, working with them to tune it and raising tickets for defects.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&amp;nbsp;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Per release:&lt;/b&gt;&lt;/span&gt; &lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Manual penetration test&lt;/b&gt;. Sorry, I promised at B-Sides to call this a security controls review, as we are too soft and squishy for outcome-based testing. 
Even if we were not, the CEO is probably not going to like the spear-phishing email, and nor will our partners when we try to hack through them. Still, we have an internal team for this testing and it will do what it always does: give us some comfort that we are running faster than the other guy running from the bear. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;For the program:&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Try getting the developers some secure coding training&lt;/b&gt;. They have already started, so I like my chances of finding some time between 1-4am. Maybe bribing them with beer will work. We have secure coding standards, which I will also make them aware of, but unfortunately they do not cover all the languages in use. Enough general OWASP stuff to be of use though. &lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Security incident response plan&lt;/b&gt;. I am a big fan of having the fire engine well tuned. A full rehearsal hardly ever happens in a project, but once again, at the start I am optimistic. &lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Security architecture&lt;/b&gt;. We have specialists within the architecture team drawing boxes and lines. This all looks good: reusable loosely coupled authentication services, role based authorisation, logging and encryption in the right places, DDOS protection. Policies and standards are providing the broad requirements.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Infrastructure and network security&lt;/b&gt;. The ops guys will do their normal job of reviewing builds, installing configuration compliance, vulnerability scanning and setting up the correct firewall rules. YAWN.... Well, until IPv6 stuff-ups make all this important again. 
The manual controls review will test all of this as well, for what it&#39;s worth.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Security governance and risk reporting.&lt;/b&gt; All the existing 10 levels of security and risk committees will be used. The big test, as always, will be whether we can convince them to delay launch to fix the 10 medium-low risk security bugs. Think about that for a bit before you comment. &lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/09/security-metrics-if-you-do-not-measure.html&quot;&gt;&lt;b&gt;Metrics&lt;/b&gt;&lt;/a&gt;. So we can actually measure the ongoing state of security and whether the secure at source approach has been effective.&lt;/li&gt;&lt;/ul&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Summary:&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Security at source in agile development, my approach:&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Get in the room, be a pig if possible&lt;/li&gt;&lt;li&gt;Write threat models and security test cases per sprint or release&lt;/li&gt;&lt;li&gt;Source code review on check-in. Dynamic and manual testing&lt;/li&gt;&lt;li&gt;Developer secure coding training and coding standards&lt;/li&gt;&lt;li&gt;Security architecture, at least conceptual&lt;/li&gt;&lt;li&gt;Infrastructure and network security. #bettersafethansony&lt;/li&gt;&lt;li&gt;Incident response plan that is rehearsed&lt;/li&gt;&lt;li&gt;Security governance and risk reporting and escalation &lt;/li&gt;&lt;li&gt;Measure everything. Especially after you release&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Only time will tell if this is all effective. 
I can see some massive challenges ahead and I really wonder if anyone is doing security well in agile, especially in large organisations. Do we all just have the waterfall SDL hammer so that everything looks like a nail? Of course, if you are doing this well I would love to hear what you have found works practically. Especially if you have proven it works more than once. If you have been able to measure the impact, even better. Please leave a comment or contact me at rakkhi@rakkhis.com , I&#39;ll be happy to share my thoughts in more detail also. Watch out for my post in a few months for lessons learned on this. A few Lulz to be had.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Related posts:&lt;/b&gt; &lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/04/agile-most-security-guys-are-useless.html&quot;&gt;Agile: Most security guys are useless&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/03/mitigating-owasp-top-10-without-any.html&quot;&gt;Mitigating OWASP top 10 without any code&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/03/apple-succeeds-where-security-failed.html&quot;&gt;Apple succeeds where security failed with web developers&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;Like this post? 
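The per-sprint items above (threat model, security unit tests written from it, static and dynamic analysis) are one procedure, so here is an added example of the middle step, not code from the original post: three mis-use cases from a toy threat model, each turned into a unit test that runs with the developers' functional tests every sprint. The user table, the vulnerable lookup kept beside its parameterised form, the CSRF token check and the role check are all constructed for the example; the post does not show its own test code.

```python
"""Security unit tests derived from a per-sprint threat model.

Each mis-use case becomes a test that runs with the developers' functional
tests, so a regression in a control fails the build instead of waiting for
the per-release pen test. Constructed example: a tiny user lookup and form
handler backed by an in-memory SQLite database.
"""
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Mis-use case 1 (injection): the attacker controls the search string.
def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The 'before' code: string concatenation into SQL. Kept to document the failure."""
    return conn.execute("SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Mis-use case 2 (CSRF): a forged cross-site POST carries no valid token.
def issue_csrf_token() -> str:
    return secrets.token_hex(16)


def csrf_ok(session_token: Optional[str], form_token: Optional[str]) -> bool:
    """Constant-time comparison; a missing or mismatched token is rejected."""
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)


# Mis-use case 3 (broken access control): a plain user calling an admin-only action.
ROLE_RANK = {"user": 1, "admin": 2}


def authorize(conn: sqlite3.Connection, actor: str, required_role: str) -> bool:
    """Role check that reads the actor's role server-side, never from the request."""
    rows = find_user(conn, actor)
    if len(rows) != 1:
        return False   # unknown or ambiguous actor
    return ROLE_RANK.get(rows[0][1], 0) >= ROLE_RANK[required_role]


# The security unit tests themselves: one per mis-use case, run every sprint.
def test_injection_payload_returns_nothing():
    conn = make_db()
    payload = "x' OR '1'='1"
    assert len(find_user_unsafe(conn, payload)) == 2   # documents the vulnerable behaviour
    assert find_user(conn, payload) == []              # hardened form: no match


def test_csrf_rejects_missing_and_forged_tokens():
    token = issue_csrf_token()
    assert csrf_ok(token, token)
    assert not csrf_ok(token, None)
    assert not csrf_ok(token, issue_csrf_token())


def test_user_cannot_act_as_admin():
    conn = make_db()
    assert authorize(conn, "alice", "admin")
    assert not authorize(conn, "bob", "admin")
    assert authorize(conn, "bob", "user")
    assert not authorize(conn, "mallory", "user")


if __name__ == "__main__":
    for test in (test_injection_payload_returns_nothing,
                 test_csrf_rejects_missing_and_forged_tokens,
                 test_user_cannot_act_as_admin):
        test()
    print("security tests passed")
```

Run it with plain python or under pytest, which collects the test functions as they are. The injection test pins down the 'before' behaviour as well as the fix, so a later refactor that quietly reintroduces string concatenation fails the build in the sprint it happens rather than surfacing in the release pen test.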
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter: &lt;a class=&quot;twitter-follow-button&quot; href=&quot;http://twitter.com/rakkhis&quot;&gt;Follow @rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/antiguan_life/359394164/sizes/s/in/photostream/&quot;&gt;antiguan_life&lt;/a&gt; Flickr&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/3355312625592135068/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/06/agile-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/3355312625592135068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/3355312625592135068'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/06/agile-security.html' title='Agile != security'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://4.bp.blogspot.com/-rMJV8MlGSso/TfiwFLnkwgI/AAAAAAAAB_M/UGVI2Jwl6yM/s72-c/359394164_9c6dc89ae0_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-2872699282459595576</id><published>2011-05-31T11:51:00.004+01:00</published><updated>2011-06-15T12:35:24.713+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Security Risk Management"/><category scheme="http://www.blogger.com/atom/ns#" term="SROI"/><title type='text'>7 ways to exploit psychology to sell security</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right; margin-left: 1em; text-align: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/-7cxGhVZb0II/TeTF3KmSQyI/AAAAAAAAB_I/MRA_9OyQsx8/s1600/1500229796_fc3d191b07.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;http://4.bp.blogspot.com/-7cxGhVZb0II/TeTF3KmSQyI/AAAAAAAAB_I/MRA_9OyQsx8/s320/1500229796_fc3d191b07.jpg&quot; width=&quot;130&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;@J4vv4d&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;I have felt the bitter taste of defeat many times. That feeling in a meeting, on a call or at a presentation when you feel the tide turning against you. All the logical arguments that seemed so persuasive ten minutes ago have evaporated and all you have is another meeting or a working group to explore options. The security improvements that were so badly needed, rejected once more. 
&lt;a href=&quot;https://twitter.com/J4vv4d&quot;&gt;@J4vv4d&lt;/a&gt; from &lt;a href=&quot;http://www.quantainia.com/&quot; target=&quot;_blank&quot;&gt;Quantainia&lt;/a&gt; writes as a New Year&#39;s resolution: &quot;If you’ve heard me talk about security but still don’t think it’s important. That’s my fault not yours&quot;. So why not use some techniques from psychology to help?&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;I am slowly making my way through Schneier&#39;s essays on Instapaper and found this &lt;a href=&quot;http://www.schneier.com/essay-155.html&quot;&gt;one&lt;/a&gt; on the psychology of security. If you have ever wondered why certain security projects get funded, why some decks work a lot better than others and why some arguments seem to resonate over others of equivalent merit, then the psychology of security holds a lot of answers. Schneier provides the theory, the research and some tricks and recommendations on using psychology to sell security; this is my take on expanding those techniques. The basis for all of this is grounded in scientific experiments; all the links to the research are in Schneier&#39;s essay.&lt;br /&gt;&lt;br /&gt;How do you use these? You are never going to remember all of them, and that&#39;s often the biggest problem with things like NLP. They are too hard to use in everyday life because they take a lot of unnatural practice before they become second nature. So I suggest that you use it as a checklist or put the key points into a mindmap. Check them before and after writing your next deck or business case. Practice often enough and you will start using them in conversations, meetings and calls.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;1. 
Play up spectacular risks.&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Schneier: &quot;People exaggerate spectacular but rare risks and downplay common risks.&quot; Intuitively you know this to be true. There is a far greater risk of dying in a car crash, but more people are afraid of flying. At the time of writing, in May 2011, 9/11 was nearly 10 years ago, but it led to a massive pay day for every security agency. Even 10 years on its power is so great that the US government was able to extend the Patriot Act for another four years. The massive over-reaction that meant a huge erosion of American civil liberties was extended without cause, all because of a spectacular risk from 10 years ago. Now you may not want to use this because it seems like FUD. Well, guess what? FUD works. You can either continue an ideological objection to FUD or you can get paid. Or feed your kids, increase your reputation and influence, get that security improvement you know really needs to be done. Whatever floats your boat. So play up the China hackers, cyber-warfare and advanced persistent threats.&lt;br /&gt;&lt;br /&gt;Risks from sources people do not trust seem more plausible. This is why you need to forget about that insider threat argument. It is never going to work. You want to play up the uncertainty. Detailed scenarios also increase believability. Put in gory details; really describe a scenario rather than a scattergun bullet-point approach of possible threats. That&#39;s why I love attack trees. If you do not have the numbers, as we often don&#39;t, use the fact that people tend to ignore probabilities where there is a high emotional content. Play up the emotions in your detailed scenario of Chinese hackers for maximum effectiveness. Grouping risks together for executive management is not your friend. Evaluating risks as a group makes them seem less risky. 
If you are only getting a 5 minute slot, or one slide, prioritise and present the most compelling, most emotional and spectacular risk scenario. Finally, leverage the anchoring effect. High loss numbers like Sony&#39;s 100 million records lost, or HSBC being fined $4 million for losing two CDs of customer data, are great for this. Write the number on a whiteboard they can see when they walk in. Even if you do not directly talk about it, the number is anchored in their minds. When you talk about a loss or risk this will then make them perceive it as more risky. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;2. Make it personal.&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you really want that new data loss prevention system, talk to the execs about &lt;b&gt;their &lt;/b&gt;email being stolen, or &lt;b&gt;their&lt;/b&gt; laptop or BlackBerry being hacked. What would &lt;b&gt;they &lt;/b&gt;do if there were fraudulent credit card transactions on &lt;b&gt;their &lt;/b&gt;statement? Even for impacts like damage to the company brand, it is so much more persuasive if put in a personal context. A major incident would affect the brand and reduce long-term share price and growth, which would have a significant impact on anyone with share options to vest in a few years. Kids are a great lever. We seem to have an evolutionary response against anything that will harm kids. While logical from an evolutionary perspective, today this is often applied irrationally and can be exploited. Link your risk not just to Mr Senior Manager and his wallet but also to his kids. We store a lot of personal data in our databases. Imagine if your kids&#39; personal data was all over the Internet?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;3. Overestimation of current risks&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;At the time of writing this links very nicely with 1. Spectacular risks. 
With the high profile hacks of RSA and Sony and the Apple and Google location-gate scandals, there should be plenty of current events to shape to your purpose. Emotional events are even better, e.g. 9/11; location and privacy issues work well for us also. This works because recent events are easier to imagine and therefore more effective, regardless of their actual likelihood or applicability to your company. Imagination is also a wonderful thing. Considering a particular outcome in your imagination makes you think it is more likely to occur. An outcome that is more difficult to imagine will be marked down even if you have all the numbers to back it up. You can link this with anchoring through techniques like getting your manager to imagine a malware infection on their kids&#39; computer before you make your pitch for the new IDS. &lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;4. Overestimation of risks outside their control&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Again, this is another reason for the flying vs. driving risk failure. This is why the cloud seems so scary, even though the insider threat could happen in any company. There is an illusion of control over &quot;employees&quot; in your own company vs. another company you contract with. Even though, especially in large companies, it would be just as easy for organised crime or a government to get a cleaner or temp into either. Any risk that is imposed, where they have no control, always seems higher. This is another reason to play up regulation, class actions and contract breaches rather than internal policies and standards when you want to get something done. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;5. Risk of large loss chosen over certain small loss&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This is why you lose. The risk of a massive loss e.g. 
Sony, now estimated at $130 million from the PSN hack, part of an overall $1.3 billion loss and untold reputational damage. I bet some poor sucker in security tried to convince them years ago that they should patch the Apache servers or encrypt customer personal information. Take the certain &lt;strike&gt;loss&lt;/strike&gt; security investment now over an uncertain huge loss. Guess which one was chosen? Better safe than Sony. Given a chance of a big loss vs. a certain small loss, the big loss will be chosen by most people. Strangely enough, though, that is how we try to make most business cases for security. Spend this small amount now to avoid this big risk in future. And we are still surprised when it doesn&#39;t work. Getting through today is what is most important. This project. This quarter. This year. Even presenting the risk as a small, immediate loss will be more successful than the complex calculation of future losses. A delay to the project, extra defect repair costs, a certain fine from a regulator are all good things to use. People are also more likely to accept a smaller incremental gain than a chance at a larger gain. The bird in the hand. This is actually also good for your delivery. Do not go for big bang. Focus on small incremental gains. It may be easier and ultimately more fruitful to go for extra features in what you already have, that web application firewall or IPS module in your load balancer, than a completely new system. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;6. Exploit heuristics&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Rules of thumb. Just the wording and re-framing of an argument can make all the difference. In studies over 70% choose the positively worded outcome even when the probability is equal. So why say the chance to lose 10 million when you can present it as an opportunity to save 10 million? People tend to accept things closer to the current state. 
They are going to trade off more for security they have become accustomed to. This explains the success of firewall and anti-virus companies. Can you bolt on an IPS to a firewall or removable media control to your AV? Risks involving people rate higher. If you really want to sell your APT or malware threat, talk about the humans that wrote and benefit from it and how they and their kids are personally affected. We evaluate small numbers well but suck at larger numbers. So use small percentages. A computer in our company, just like the one you use or your kid at home, is infected once every 2 seconds. One in every three documents, just like the board minutes for this meeting, sent out of the company is an office document. &lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;7. Costs&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Finally, on presenting costs in a way that increases your chances of success. People judge costs by reference. They are willing to pay more for something that seems like it should be more expensive. Tiffany&#39;s have been using this for years, why can&#39;t you? To build world-class security to support a world class consumer experience you need to spend $X on security. Small costs are not accounted for in mental accounting. Can you present your cost as a cost per user, cost per event or incident, $ per day? The framing effect. Always show the highest cost option first and the one you actually want in the middle. Time discounting - costs and benefits in the future are discounted. Gains are discounted more than losses and smaller amounts are discounted more than large. Present your savings in the first year and load up your higher costs on the back end. 
&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Recap&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;To sell security effectively:&lt;br /&gt;&lt;ol style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Play up spectacular risks&lt;/li&gt;&lt;li&gt;Make it personal and use kids&lt;/li&gt;&lt;li&gt;Use 1-3 examples of current events&lt;/li&gt;&lt;li&gt;Use examples of threats outside of management control&lt;/li&gt;&lt;li&gt;Present certain, current losses even if small. Aim for incremental improvements in security&lt;/li&gt;&lt;li&gt;Re-frame your argument as an opportunity for gain. Bolt onto existing investments&lt;/li&gt;&lt;li&gt;Present costs smartly. Use anchoring, break costs into small units, load up near term gains.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Security is the art of managing trade-offs. No matter what security role you do, you will always be selling. Do it well. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Related posts:&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/11/in-security-is-it-better-to-be-black.html&quot;&gt;In security is it better to be black and white?&lt;/a&gt;&lt;b&gt; &lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/08/how-real-is-insider-threat.html&quot;&gt;How real is the insider threat?&lt;/a&gt;&lt;b&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/07/turning-bankers-to-engineers-in.html&quot;&gt;Turning bankers to engineers in a generation&lt;/a&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;Like this post? 
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Photo credit:&amp;nbsp; &lt;a href=&quot;http://www.flickr.com/photos/woody1969/1500229796/sizes/m/in/photostream/&quot;&gt;Woody1969&lt;/a&gt; Flickr. Not really @J4vv4d&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/2872699282459595576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/05/7-ways-to-exploit-psychology-to-sell.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2872699282459595576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2872699282459595576'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/05/7-ways-to-exploit-psychology-to-sell.html' title='7 ways to exploit psychology to sell security'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-7cxGhVZb0II/TeTF3KmSQyI/AAAAAAAAB_I/MRA_9OyQsx8/s72-c/1500229796_fc3d191b07.jpg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-2140342980860045118</id><published>2011-05-14T10:36:00.001+01:00</published><updated>2011-05-16T17:02:17.329+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Mobile security"/><category scheme="http://www.blogger.com/atom/ns#" term="NFC"/><category scheme="http://www.blogger.com/atom/ns#" term="Payments security"/><title type='text'>The surprising security model for NFC payments</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;a href=&quot;https://picasaweb.google.com/rakkhi.s/RSSC?authkey=Gv1sRgCIzCisCh1J6MBg#5606503005685248290&quot;&gt;&lt;img align=&quot;right&quot; border=&quot;0&quot; height=&quot;240&quot; src=&quot;http://lh5.ggpht.com/_zJrzIzbpkg8/Tc5Mx3YHcSI/AAAAAAAAB-w/yZQ4Pzv2CrQ/s288/1.jpg&quot; style=&quot;margin: 5px;&quot; width=&quot;240&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;One of my &lt;a href=&quot;http://www.rakkhis.com/2010/12/infosec-crystal-ball-2011.html&quot;&gt;new year&#39;s resolutions&lt;/a&gt; was to learn more about NFC security. Not because I completely disagree with people &lt;a href=&quot;http://techcrunch.com/2011/03/16/mobile-wallet-nfc-overhyped/&quot;&gt;saying&lt;/a&gt; it is over-hyped, but because, since chip and pin was added to credit and debit cards, NFC is one of the most interesting innovations in payments, at least in the west (Japan has been using NFC for years). NFC presents some really interesting security challenges so I have been reading a lot of research papers and buying coffee for a number of experts. What I have discovered so far really surprised me. &lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;I approached NFC asking the standard questions (insert hammer and nail joke here). 
How are authentication and authorisation performed, how is sensitive data protected in transit and in storage, what logging is available and how are configuration stores protected? What I have been finding is that the security model really does not have many of these features at all, especially on the client side (i.e. the NFC device such as the Samsung Galaxy S). Speed is the primary emphasis; the main benefit of the technology is seen as enabling people just to touch and go, even on a &lt;a href=&quot;http://www.youtube.com/watch?v=GkI2nn0ZQsk&amp;amp;sns=em&quot; target=&quot;_blank&quot;&gt;roller coaster&lt;/a&gt;. The trade-off for this is in security. So when an NFC device connects to a reader there is no authentication, no authorisation and no encryption of information in transit. That&#39;s why you see attacks like &lt;a href=&quot;http://www.rfidjournal.com/article/articleview/2749/1/1/&quot; target=&quot;_blank&quot;&gt;this&lt;/a&gt; and &lt;a href=&quot;http://hackaday.com/2011/02/08/farebot-android-nfc-proof-of-concept/&quot; target=&quot;_blank&quot;&gt;this&lt;/a&gt; being possible. &lt;br /&gt;&lt;br /&gt;The NFC device contains a secure element (SE); on a phone this is usually on the &lt;a href=&quot;http://www.samsung.com/uk/news/newsRead.do?news_seq=27270&amp;amp;page=1&quot; target=&quot;_blank&quot;&gt;SIM&lt;/a&gt;, an in-built chip in the phone or a Micro SD card. SEs are manufactured to the same standards and certifications as the chip in chip and pin credit and debit cards, often by the same manufacturer. The SE is the only component of an NFC solution that will undergo any evaluation against security requirements and accreditation. The card number (PAN), card holder name, expiry and card security code (CVV2) are loaded into this and can only be read by the authorised application on the phone. However, when this information is transmitted it is sent in the clear and can be intercepted if you are in range. 
There is the capability for a challenge response mechanism (similar to chip and pin, where the user would enter a PIN to pay) and for the NFC application to communicate with a mobile gateway for out of band authorisation via a one time CVV2; but these features, at least currently, are rarely used. &lt;br /&gt;&lt;br /&gt;Instead all of the security is essentially server side, which is actually pretty smart. Issuers have set limits on NFC transactions, e.g. £10, so the maximum fraud potential is contained. They know which PANs are allocated to NFC capable cards / devices, and even on contactless cards the PAN transmitted for the NFC transaction can be different from what is shown on the card. So if an NFC PAN shows up in a card not present transaction, e.g. buying something online, or even in a non NFC point of sale, the Issuer can reject it. The other protections currently in place for cards also apply: even after obtaining all the card details from an NFC device, most issuers now require address validation and 3D Secure for card not present transactions. There are some merchants that will not implement these and do not even ask for the CVV2, but this is usually a business decision to accept liability for any fraud to get increased sales and a better customer experience. All the normal fraud checks, such as checking stolen card lists and real time risk scoring based on transaction velocity, history and location, also apply to NFC payments. &lt;br /&gt;&lt;br /&gt;So overall the systems are fairly well designed and, while there will no doubt be plenty of FUD whenever a researcher &quot;hacks&quot; NFC payments, holistically the systems in place provide a good balance of convenience and fraud risk.&lt;br /&gt;&lt;br /&gt;I am just starting to learn about this technology and the above was fairly high level. If I have made any errors or my interpretations of various documents and conversations have not been accurate, feel free to comment. I&#39;m always happy to learn. 
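The server-side model described above, as an added example that is not code from the post or from any issuer: the issuer knows which PANs are NFC-only and declines them outside the contactless channel, enforces the per-tap limit and a stolen-card list, applies a simple velocity check, and requires CVV2, address validation and 3D Secure when an ordinary PAN is used online. All PANs, limits and timings are constructed sample values.

```python
"""Issuer-side authorisation rules for NFC (contactless) payments.

Added illustration, not code from the post or any card issuer. It models the
server-side controls the post describes: a per-tap limit, NFC-only PANs declined
outside the contactless channel, a stolen-card list, velocity checks and CVV2 /
address / 3D Secure checks online. All PANs, limits and timings are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal

# Channels an authorisation request can arrive through.
CONTACTLESS = "contactless"     # NFC tap at a point of sale
CHIP_AND_PIN = "chip_and_pin"   # conventional EMV point of sale
CARD_NOT_PRESENT = "cnp"        # e-commerce, mail order, phone order


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    amount: Decimal
    channel: str
    timestamp: float             # seconds; only differences matter here
    cvv2_present: bool = False
    avs_match: bool = False
    three_d_secure: bool = False


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str


@dataclass
class Issuer:
    """The state the post says issuers rely on instead of client-side crypto."""
    nfc_pans: set = field(default_factory=set)     # PANs provisioned to NFC devices
    card_pans: set = field(default_factory=set)    # ordinary embossed PANs
    stolen_pans: set = field(default_factory=set)
    contactless_limit: Decimal = Decimal("10.00")  # the GBP 10 cap from the post
    velocity_window: float = 60.0                  # seconds
    velocity_max: int = 3                          # taps allowed per window
    history: dict = field(default_factory=dict)    # pan -> deque of tap times

    def authorise(self, req: AuthRequest) -> Decision:
        if req.pan in self.stolen_pans:
            return Decision(False, "pan on stolen list")
        if req.pan in self.nfc_pans:
            return self._authorise_nfc(req)
        if req.pan in self.card_pans:
            return self._authorise_card(req)
        return Decision(False, "unknown pan")

    def _authorise_nfc(self, req: AuthRequest) -> Decision:
        # An NFC PAN is only valid on the contactless interface, so a copy read
        # over the air is useless online or at a chip-and-pin terminal.
        if req.channel != CONTACTLESS:
            return Decision(False, "nfc pan used outside contactless channel")
        if req.amount > self.contactless_limit:
            return Decision(False, "amount over contactless limit")
        taps = self.history.setdefault(req.pan, deque())
        while taps and req.timestamp - taps[0] > self.velocity_window:
            taps.popleft()           # forget taps outside the velocity window
        if len(taps) >= self.velocity_max:
            return Decision(False, "velocity limit exceeded")
        taps.append(req.timestamp)
        return Decision(True, "approved")

    def _authorise_card(self, req: AuthRequest) -> Decision:
        # Card-not-present use still needs CVV2, address validation and 3D Secure.
        if req.channel == CARD_NOT_PRESENT:
            if not (req.cvv2_present and req.avs_match and req.three_d_secure):
                return Decision(False, "card not present checks incomplete")
        return Decision(True, "approved")


def run_sample() -> list:
    """Drive the issuer with constructed traffic; returns the decision reasons."""
    nfc, card, stolen = "4111000000000001", "4111000000000002", "4111000000000003"
    issuer = Issuer(nfc_pans={nfc}, card_pans={card}, stolen_pans={stolen})
    requests = [
        AuthRequest(nfc, Decimal("8.00"), CONTACTLESS, 0.0),
        AuthRequest(nfc, Decimal("15.00"), CONTACTLESS, 0.5),
        AuthRequest(nfc, Decimal("8.00"), CARD_NOT_PRESENT, 1.0, True, True, True),
        AuthRequest(nfc, Decimal("8.00"), CHIP_AND_PIN, 1.5),
        AuthRequest(nfc, Decimal("5.00"), CONTACTLESS, 2.0),
        AuthRequest(nfc, Decimal("5.00"), CONTACTLESS, 3.0),
        AuthRequest(nfc, Decimal("5.00"), CONTACTLESS, 4.0),    # fourth tap in 60 s
        AuthRequest(nfc, Decimal("5.00"), CONTACTLESS, 100.0),  # window has passed
        AuthRequest(card, Decimal("80.00"), CARD_NOT_PRESENT, 5.0, True, False, True),
        AuthRequest(card, Decimal("80.00"), CARD_NOT_PRESENT, 6.0, True, True, True),
        AuthRequest(stolen, Decimal("1.00"), CONTACTLESS, 7.0),
    ]
    return [issuer.authorise(r).reason for r in requests]


if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```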
&lt;br /&gt;&lt;br /&gt;Some good research papers on NFC security if you are interested in reading further:&lt;br /&gt;&lt;a href=&quot;http://db.tt/bImNEzg&quot; target=&quot;_blank&quot;&gt;Security in Near Field Communications&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://db.tt/orngZFQ&quot; target=&quot;_blank&quot;&gt;Proximity mobile payments: leveraging NFC&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://db.tt/BgVtCot&quot; target=&quot;_blank&quot;&gt;Practical experiences with NFC security on mobile phones&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://db.tt/AdOdOQ6&quot; target=&quot;_blank&quot;&gt;Mobile payments in the United States at retail point of sale&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Related posts:&lt;br /&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/10/rich-vs-thin-client-20-native-app-or.html&quot; target=&quot;_blank&quot;&gt;Native apps vs mobile apps&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/10/beating-crackberry-if-apple-google-and.html&quot; target=&quot;_blank&quot;&gt;Beating crackberry: if Google and Apple were serious about enterprise mobile&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/09/privacy-in-age-of-augmented-humanity.html&quot; target=&quot;_blank&quot;&gt;Privacy in the age of augmented humanity&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Like this post? 
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;PS: first blog post created entirely on my new iPad :) it&#39;s awesome&lt;br /&gt;Photo credit Flickr &lt;a href=&quot;http://www.flickr.com/photos/robbie73/4346732208/sizes/s/in/photostream/&quot; target=&quot;_blank&quot;&gt;Robert van der Steeg&lt;/a&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/2140342980860045118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/05/suprising-security-model-for-nfc.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2140342980860045118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2140342980860045118'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/05/suprising-security-model-for-nfc.html' title='The surprising security model for NFC payments'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh5.ggpht.com/_zJrzIzbpkg8/Tc5Mx3YHcSI/AAAAAAAAB-w/yZQ4Pzv2CrQ/s72-c/1.jpg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-6881569691101072332</id><published>2011-05-06T16:33:00.005+01:00</published><updated>2011-05-06T16:43:40.396+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Rant"/><category scheme="http://www.blogger.com/atom/ns#" term="SROI"/><title type='text'>What does Sony need to rebuild confidence after #sonyhack ?</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;Was debating with a few security colleagues whether this massive 77 million + data breach would actually hurt Sony on the bottom line, and discussing TJX as a good example where actually, as a retail organization, the impact may not be that large nor that permanent.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;Posting my answer to the &lt;a href=&quot;http://www.quora.com/What-can-the-SONY-Playstation-Network-do-to-rebuild-confidence-after-the-data-hack&quot;&gt;Quora&lt;/a&gt; question of the same title: Q: what does Sony need to do to rebuild confidence after this massive and potentially avoidable security incident?&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: left;&quot;&gt;A: Potentially not much. 
As per &lt;a href=&quot;http://blog.us.playstation.com/2011/05/05/a-letter-from-howard-stringer/&quot;&gt;Howard Stringer&lt;/a&gt; Sony are offering:&lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;$1 million identity theft insurance policy&lt;/li&gt;&lt;li&gt;A welcome back package including a month of free PlayStation Plus membership for all PSN customers,&lt;/li&gt;&lt;li&gt;As well as an extension of subscriptions for PlayStation Plus and Music Unlimited customers to make up for time lost&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;First comments on the blog: &lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Thank you kind sir. Let’s not make the same mistakes again, shall we?&lt;/li&gt;&lt;li&gt;It’s all good Sony. Got tonnes of Single Player trophies waiting to be synced :P&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;If that is any indicator of the average PSN user, they don&#39;t really care. If they see some weird credit card charges they will not be liable anyway. The identity theft insurance will provide some financial recourse to anyone who is a victim of identity theft. The exit costs of moving from the PlayStation console, game and friends network to a competitor like XBOX are very high. 
Sony has excellent lock-in; this will be forgotten about in 6 months except by security people using it in PowerPoint decks to get more money.&lt;br /&gt;&lt;br /&gt;Case in point: the &lt;a href=&quot;http://datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details&quot;&gt;TJX incident&lt;/a&gt;, 94 million credit cards stolen.&lt;br /&gt;&lt;br /&gt;Let&#39;s have a look at the share price, shall we:&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/-d39NsDGZ_fA/TcQUdjoX_yI/AAAAAAAAB-Q/uuprNk5lcso/s1600/TJ+Maxx.PNG&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/-d39NsDGZ_fA/TcQUdjoX_yI/AAAAAAAAB-Q/uuprNk5lcso/s1600/TJ+Maxx.PNG&quot; /&gt;&lt;/a&gt;&lt;/div&gt;The chronology:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Hackers break in, Jan 2007&lt;/li&gt;&lt;li&gt;Discovered and publicly reported Dec 2008 (makes Sony look good eh?)&lt;/li&gt;&lt;li&gt;May 2001 Share price has more than returned to pre-incident levels and over the past 3 years considerably outperformed the S&amp;amp;P500 (red line)&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;Let&#39;s take a snapshot of Sony for posterity:&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-do0yyIMM68c/TcQUY3Kcq_I/AAAAAAAAB-M/lgp_z5fxfUA/s1600/sony.PNG&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 
1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://3.bp.blogspot.com/-do0yyIMM68c/TcQUY3Kcq_I/AAAAAAAAB-M/lgp_z5fxfUA/s1600/sony.PNG&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;Maybe worth buying some Sony shares....&lt;br /&gt;&lt;br /&gt;Related posts:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/07/turning-bankers-to-engineers-in.html&quot;&gt;Turning bankers to engineers in a generation&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.blogger.com/%20http://www.rakkhis.com/2010/07/security-return-on-investment-roi.html&quot;&gt;Security Return On Investment (ROI)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/01/early-security-engagement-critical-or.html&quot;&gt;Early security engagement - critical or waste?&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/6881569691101072332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/05/what-does-sony-need-to-rebuild.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/6881569691101072332'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8954181093014024108/posts/default/6881569691101072332'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/05/what-does-sony-need-to-rebuild.html' title='What does Sony need to rebuild confidence after #sonyhack ?'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-d39NsDGZ_fA/TcQUdjoX_yI/AAAAAAAAB-Q/uuprNk5lcso/s72-c/TJ+Maxx.PNG" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-2169300647965553323</id><published>2011-04-24T16:15:00.010+01:00</published><updated>2011-04-27T15:42:30.417+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Privacy"/><title type='text'>Apple Google #locationgate: breaches EU Data Protection Directive</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/-hN9y0XwrBW4/TbRBuYk7FvI/AAAAAAAAB9U/Y1JaADdt5go/s1600/5256031617_467bc41023_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&amp;nbsp;&lt;img border=&quot;0&quot; height=&quot;179&quot; src=&quot;http://4.bp.blogspot.com/-hN9y0XwrBW4/TbRBuYk7FvI/AAAAAAAAB9U/Y1JaADdt5go/s320/5256031617_467bc41023_m.jpg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;The story over the last week has been &lt;s&gt;the&lt;/s&gt; &lt;s&gt;royal wedding&lt;/s&gt;&amp;nbsp;Apple and Google collecting location information including GPS and closest cell phone towers on their iOS and 
Android devices and transmitting these back to big brother. In the case of Apple the file containing this information was stored un-encrypted on the device, backed up also in the clear to any machine the device was synchronised with, and contained far more historic location information than was required. At least Apple anonymised and sent this information every 12 hours (reducing real time tracking ability) and technically did ask for &quot;permission&quot;, because everyone reads through those privacy and terms and conditions policies. Google asked for permission in a little bit less opaque way but transmits location information back in near real time. Microsoft has also joined the party, admitting they collect location data but do not store it on the device. Symbian or WebOS anyone for a complete set?&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;I really don&#39;t understand why companies still feel it is a better long term move to do these types of activities covertly. The first principle in the &lt;a href=&quot;http://en.wikipedia.org/wiki/Data_Protection_Directive&quot;&gt;EU Data Protection Directive&lt;/a&gt; is Notice. &quot;Ensure the end user is clearly informed when data is being collected&quot;. I have so many arguments with the marketing people on projects about this exact point. To me it is really simple: if you are performing a legitimate activity and it provides benefit to the user, there should be no problem with clearly and explicitly asking for permission, not burying it in a 100 page document no one is ever going to read.&lt;br /&gt;&lt;br /&gt;On both iOS and Android devices collecting this information on the device provides significant performance benefits. Just try using location in GPS only mode on Android. Welcome back, it&#39;s been about 10 minutes! 
I&#39;m not sure if this is the direct cause but there was a massive improvement in the accuracy and speed of GPS when the iPhone 4 and the corresponding iOS version was released. I&#39;m sure most users would be happy to provide their location information to Apple for better location services if they were open about it and asked upfront. I mean, look at how many millions use check-in services providing this information for free just to be mayor, and how many geo tag photos, tweets etc.&lt;br /&gt;&lt;br /&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right; margin-left: 1em; text-align: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-aO7RDocC-h0/Tbgqeg91tqI/AAAAAAAAB9c/D_vQjPP6J1E/s1600/Loc-service.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;http://3.bp.blogspot.com/-aO7RDocC-h0/Tbgqeg91tqI/AAAAAAAAB9c/D_vQjPP6J1E/s320/Loc-service.png&quot; width=&quot;192&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;Figure 1&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;The second principle in the Data Protection Directive is Choice. This is not a choice of either using location services or not. It is a choice of whether this information is stored and transmitted to Apple. To make matters worse, Apple &lt;a href=&quot;http://online.wsj.com/article/SB10001424052748704123204576283580249161342.html&quot;&gt;continues to collect&lt;/a&gt; location information even when Location Services is turned off. 
Google at least allowed users the option of participating in this collection on the device (refer figure 1); however, the language could again be a lot clearer that they will also be transmitting this information in near real time back to Google. In addition, for Android versions older than 2.3 the location files &lt;a href=&quot;http://www.boingboing.net/2011/04/22/android-secretly-sto.html#comment-1090308&quot;&gt;do not seem to be deleted&lt;/a&gt;, which is great with the fragmentation in the Android market. Also the option to not transmit data to Google is hidden away under Location and security - Use wireless networks. The opt-out option comes up when you tick this option. Selecting disagree means you are back to GPS with its performance delays. There is no simple option to get the benefits without transmitting the data to Google.&lt;br /&gt;&lt;br /&gt;The third principle is Onward Transfer. One would hope that Google or Apple would only turn over this information with a warrant and never directly to advertisers. Hopefully it is also truly anonymised as they say, so as to be of no use for historical location tracking of individuals; I am a bit suspicious of device IDs and unique random identifiers.&lt;br /&gt;&lt;br /&gt;Then there is the principle of Security. Why is this information being stored in an un-encrypted format? Is there any good reason for this? Apple especially should know better - in the &lt;a href=&quot;http://www.wired.com/images_blogs/gadgetlab/2011/04/applemarkeybarton7-12-10.pdf&quot;&gt;13-page letter&lt;/a&gt; sent by Apple’s general counsel Bruce Sewell in July 2010, he states the information is transmitted over secure wireless. 
If they recognise the information is sensitive enough to require encryption in transit then why not in storage?&lt;br /&gt;If there is a reason, like needing to access the database when the phone is locked, surely something like a one way hash of the information that needs to be read would be a much better design.&lt;br /&gt;&lt;br /&gt;Purpose is another principle to be considered. The data should only be collected, stored and used for the specified approved purpose. Apple&#39;s general counsel states in the same letter &quot;these databases must be updated continuously to account for, among other things, the ever-changing physical landscape&quot;. This basically implies that there is little value in holding a large amount of historical data and it should not be stored locally on a device nor by Apple. &lt;a href=&quot;http://www.macrumors.com/2011/04/25/steve-jobs-on-ios-location-issue-we-dont-track-anyone/&quot;&gt;Steve Jobs&lt;/a&gt; in his usual verbose style stated &quot;We don&#39;t track anyone&quot;. I think the point he is missing is that this data, especially the historical data, allows the possibility of tracking any iOS user. Clearly, if that is not the purpose, this data should not have been kept. A positive for Google is at least they do not store this large cache of historical location data.&lt;br /&gt;&lt;br /&gt;Finally there is the principle of access. 
From the kings of design and user experience, how hard would it be to add a button to wipe the information on an iOS device, opt in or out of it being collected and select how far back it goes?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Summary:&lt;/b&gt;&lt;br /&gt;The collection, storage and transmission of personal location information by Apple and Google violates some basic privacy principles set out in the EU Data Protection Directive, being:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Notice and consent - users should have been clearly informed and their permission explicitly obtained, like they are informed an app contains over-18 content. Google does this better than Apple but it could still be improved&lt;/li&gt;&lt;li&gt;Security - the data should have been encrypted or one way hashed on the device&lt;/li&gt;&lt;li&gt;Purpose - if historical information was not required it should not have been kept&lt;/li&gt;&lt;li&gt;Access - users should have a simple option to delete the information collected&lt;/li&gt;&lt;/ul&gt;I hope that Apple and Google take measures to address these in a patch to iOS and Android shortly.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Updates:&lt;/b&gt;&lt;br /&gt;&lt;b&gt;27/04/2011&lt;/b&gt; - Adding &lt;a href=&quot;http://www.theregister.co.uk/2011/04/27/windows_phone_location_tracking/&quot;&gt;Microsoft&lt;/a&gt; to this also now. Apparently no data is stored locally but it is collected and transmitted.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;27/04/2011&lt;/b&gt; - Apple provides an official &lt;a href=&quot;http://www.apple.com/pr/library/2011/04/27location_qa.html&quot;&gt;press release&lt;/a&gt; response. Firstly, this is written in really clear language with very little marketing speak: +1 for Apple. It is good they acknowledge that while the data is transmitted in an encrypted form it is not encrypted on the phone and will only be encrypted in backup if you enable backup encryption (we all do right? right?). 
Major point: &quot;The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data&quot;. Good that they acknowledge they are collecting far more data than is required for the purpose and plan on fixing it. This is also very good and validates what I hoped regarding the onward transfer principle: &quot;location is not shared with any third party or ad unless the user explicitly approves&quot;.&lt;br /&gt;&lt;br /&gt;The patch I was asking for:&lt;br /&gt;&quot;Sometime in the next few weeks Apple will release a free iOS software update that:&lt;br /&gt;&lt;ul class=&quot;square&quot;&gt;&lt;li&gt;reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,&lt;/li&gt;&lt;li&gt;ceases backing up this cache, and&lt;/li&gt;&lt;li&gt;deletes this cache entirely when Location Services is turned off.&quot;&lt;/li&gt;&lt;/ul&gt;Overall an excellent response; they may still get sued and the EU may look into a Data Protection Directive breach, but the patch is a good outcome.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Related posts:&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/03/google-circles-many-ways-to-do-identity.html&quot;&gt;Google circles - many ways to do identity?&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2011/01/obama-cyber-id-bad-idea.html&quot;&gt;Obama Cyber ID = bad idea&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.rakkhis.com/2010/09/privacy-in-age-of-augmented-humanity.html&quot;&gt;Privacy in an Age of Augmented Humanity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.theregister.co.uk/2011/04/22/apple_iphone_location_tracking_analysis/&quot;&gt;The Register - Apple iPhone 
tracking analysis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.wired.com/gadgetlab/2011/04/apple-iphone-tracking/&quot;&gt;Wired - Why and How Apple is collecting your location data&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://bits.blogs.nytimes.com/2011/04/22/google-says-it-collects-location-data-on-phones-for-location-services/&quot;&gt;Google says it collects location data&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.boingboing.net/2011/04/22/android-secretly-sto.html&quot; rel=&quot;bookmark&quot;&gt;Android secretly stores location data too -- though less of it, and with less detail&lt;/a&gt; &lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://online.wsj.com/article/SB10001424052748704123204576283580249161342.html&quot;&gt;IPhone Stored Location in Test Even if Disabled&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.apple.com/pr/library/2011/04/27location_qa.html&quot;&gt;Apple official response&lt;/a&gt; &lt;/li&gt;&lt;/ul&gt;Photo credit:&amp;nbsp;&lt;a href=&quot;http://www.flickr.com/photos/caseorganic/5256031617/sizes/s/in/photostream/&quot;&gt;caseorganic&lt;/a&gt;, Flickr. Google Android image from Stuart Ward.&lt;br /&gt;&lt;br /&gt;Like this post? 
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/2169300647965553323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/04/apple-google-locationgate-just-ask-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2169300647965553323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2169300647965553323'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/04/apple-google-locationgate-just-ask-for.html' title='Apple Google #locationgate: breaches EU Data Protection Directive'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-hN9y0XwrBW4/TbRBuYk7FvI/AAAAAAAAB9U/Y1JaADdt5go/s72-c/5256031617_467bc41023_m.jpg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-5141091478180655860</id><published>2011-04-10T23:29:00.000+01:00</published><updated>2011-04-10T23:36:05.541+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Authentication"/><category scheme="http://www.blogger.com/atom/ns#" term="Identity management"/><title type='text'>Federated authentication: security that makes you money</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: right;&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/-ecOgDe0fyL4/TaIm3aLfErI/AAAAAAAAB8g/oTwCwFnJkjQ/s1600/4464828517_2fdf5f479c_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/-ecOgDe0fyL4/TaIm3aLfErI/AAAAAAAAB8g/oTwCwFnJkjQ/s1600/4464828517_2fdf5f479c_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;Federated authentication, using the same login details across multiple organizations and services, is one of the few security technologies that can actually be revenue generating for end-user (non-security-vendor) businesses. There seem to be so many reasons to adopt it, but it is still a hard sell and does not have widespread implementation. 
However, we may be reaching a tipping point where this all changes.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;I want to get something out of the way first of all: any writing on federated authentication can get &lt;a href=&quot;http://www.schneier.com/blog/archives/2011/03/federated_authe.html&quot;&gt;bogged&lt;/a&gt; down in the idea of using one identity everywhere.&amp;nbsp;Governments&amp;nbsp;in particular, all over the world including the &lt;a href=&quot;http://www.dhs.gov/xlibrary/assets/ns_tic.pdf&quot;&gt;US&lt;/a&gt;&amp;nbsp;[PDF], have had this vision and &lt;a href=&quot;http://youtu.be/cqggW08BWO0&quot;&gt;promoted&lt;/a&gt; it via their agents. As I have &lt;a href=&quot;http://www.rakkhis.com/2011/03/google-circles-many-ways-to-do-identity.html&quot;&gt;posted&lt;/a&gt; &lt;a href=&quot;http://www.rakkhis.com/2011/01/obama-cyber-id-bad-idea.html&quot;&gt;quite&lt;/a&gt; a &lt;a href=&quot;http://www.rakkhis.com/2010/07/laws-of-identity-in-practice_25.html&quot;&gt;few&lt;/a&gt; times before, I don&#39;t think one identity for everything will ever work, but I am all about reaching a happy middle between the current situation and that Orwellian hell.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Business case for federated authentication&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The first comment on the Schneier post on federated authentication is &quot;There is no problem here that people need solved.&amp;nbsp;Linking all these iDs only serves corporations and the government&quot;. This is simply not true: increased use of federated authentication would provide significant benefits to users in terms of&amp;nbsp;convenience and security.&amp;nbsp;Convenience in not having to register, set up and maintain profiles for every new service and not having to&amp;nbsp;remember&amp;nbsp;the current&amp;nbsp;plethora&amp;nbsp;of usernames and passwords. 
Security is also improved because a limited number of accounts are easier to authenticate strongly, and access is a lot easier to&amp;nbsp;&lt;a href=&quot;http://www.rakkhis.com/2011/03/password-stolen-ounce-of-prevention.html&quot;&gt;revoke&lt;/a&gt; if credentials are ever compromised. Some would &lt;a href=&quot;http://www.quora.com/OpenID/What-s-wrong-with-OpenID&quot;&gt;argue&lt;/a&gt; these problems are effectively solved for most ordinary users via the remember-me option in browsers or via a password manager. However, these are&amp;nbsp;band-aids for the&amp;nbsp;symptoms,&amp;nbsp;not a&amp;nbsp;treatment&amp;nbsp;for the root cause.&lt;br /&gt;&lt;br /&gt;Where I do agree with the comment above is that federated authentication&amp;nbsp;certainly&amp;nbsp;serves corporations and the government; so much so that it is hard to&amp;nbsp;believe&amp;nbsp;that it is not more widespread. These benefits can be considered from B2C and B2B perspectives. B2C:&amp;nbsp;A 2007 study by &lt;a href=&quot;http://www.grokdotcom.com/2007/10/03/yes-or-no-why-must-i-choose/&quot;&gt;Future Now&lt;/a&gt; found that over 50% of top online retailers required customers to register before checkout. One would hope this has improved by 2011, but a &lt;a href=&quot;http://www.forrester.com/rb/Research/required_registration_lowers_online_conversion_rates/q/id/45179/t/2&quot;&gt;Forrester&lt;/a&gt; study in 2008 identified that 25% of potential&amp;nbsp;customers&amp;nbsp;would leave the site without purchase if asked to register. These types of numbers make it seem obvious that if you need any form of registration or signup, you should make it as easy as possible for the user, as it directly affects your bottom line. 
With federated authentication, users can use an existing identity in one or two clicks: no forms to fill, no profile to complete, simples!&lt;br /&gt;&lt;br /&gt;B2B: growing your business increasingly means creating a mash-up of services, and with SaaS services getting cheaper and more&amp;nbsp;ubiquitous, they continue to grow in popularity. &amp;nbsp;Jim Scully and Barbara Levin found in a 2010 study for &lt;a href=&quot;http://onlinelibrary.wiley.com/doi/10.1002/ert.20294/abstract&quot;&gt;Employment Relations Today&lt;/a&gt; that more companies implemented shared services in the two years to 2009-2010 than in the previous 15. Any time one company needs to use another company&#39;s resources for non-public services or information there is an identity and access management problem to solve. This adds cost and time to any project to work out provisioning, approvals, resets and un-locks, and recertification. If part of the business case for using a SaaS solution for something like&amp;nbsp;time-sheets or&amp;nbsp;HR is speed and cost to implement, it hardly makes sense to weigh it down with yet another access control process.&amp;nbsp;There is also an on-going maintenance cost that increases the total cost of ownership; for example,&amp;nbsp;in 2005 &lt;a href=&quot;http://www.forrester.com/rb/Research/twenty-three_best_practices_for_customer_service_center/q/id/37873/t/2&quot;&gt;Forrester&lt;/a&gt; reported that 25-40% of helpdesk calls are password related. With federated authentication, all those problems are already handled by the user&#39;s existing identity provider.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Barriers to implementation&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;With so many easy to identify benefits, why has federated authentication had such slow adoption? Security concerns are no doubt a major reason. 
Trusting another organization to be an identity provider to your resources, and in reverse exposing the crown jewels that are your directory services, is a bridge too far for most organizations. These are valid concerns; however, practically any time you allow another organization access, you are trusting their processes and the contractual measures in place. This includes their staff vetting, their physical access controls and their joiners, leavers and movers processes.&amp;nbsp;Especially where permanent access is required, is it really that different to trusting their identity and authentication systems? In fact, where they may take days or months to tell you when staff have left, there is a greater&amp;nbsp;likelihood&amp;nbsp;with federated access that this process is&amp;nbsp;synchronized&amp;nbsp;with their own systems.&lt;br /&gt;&lt;br /&gt;Another valid concern is the keys to the kingdom problem. This also applies to &lt;a href=&quot;http://www.rakkhis.com/2010/12/why-you-should-use-password-vault.html&quot;&gt;password managers&lt;/a&gt;, but securing a small number of identity and authentication systems is a lot easier and more&amp;nbsp;effective&amp;nbsp;than having hundreds of weak passwords (or the same weak password a hundred times). Open-ID providers like Google now offer two factor authentication; if you do not like a soft token on your phone, &lt;a href=&quot;http://www.yubico.com/openid-server&quot;&gt;Yubikey&lt;/a&gt; USB hardware tokens are also supported by many Open-ID providers. Control and auditing are also greatly improved; do you know every application where you have used a password? Me neither. Yet many Open-ID providers list all the sites where you have granted access to that identity, and revoking access is a one-click process.&lt;br /&gt;&lt;br /&gt;The difficulty or&amp;nbsp;perceived&amp;nbsp;difficulty of establishing a federated identity infrastructure is also often a barrier. 
No single project wants to take the risk and cost of implementing the required technology and processes for the corporation, and security departments struggle to get funding and priority for these projects. Microsoft really missed a trick by not making a version of Windows where all forests had a simple discover and federate option. They were probably too scared of the security and privacy outcry that would have no doubt followed in their heyday to ever try it. Active Directory Federation Services (ADFS), especially version 2, is a great step&amp;nbsp;forward,&amp;nbsp;and Windows 2008 provides read only domain controllers for securing directory servers in DMZs. However, it is still not a simple process, requiring each company that wants to federate to set up trusts and manually exchange configuration materials. A fair amount of testing is still required and it is certainly not something business users can set up without IT. To their credit, Ping Identity and OpenSSO have also made the process about as simple as it can be. OpenSSO (now &lt;a href=&quot;https://wikis.forgerock.org/confluence/display/openam/Home&quot;&gt;OpenAM&lt;/a&gt;, supported by Forgerock) provides a simple servlet, an agent that can be installed on any web server and configured to use an LDAP directory, and you are ready for federated authentication and single sign-on.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Tipping point&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;There are a number of reasons that I think federated identity and authentication has reached or is nearing a tipping point. Firstly, technologies such as Open-ID, OAuth v2 and SAML are now mature and have robust and simple implementations. 
There are &lt;a href=&quot;http://openid.net/get-an-openid/&quot;&gt;plenty&lt;/a&gt; of Open-ID providers, with at least one vendor that everyone on the Internet has an account with for products they actually want to use; federated authentication capability is just a nice fringe benefit. Open-ID can be implemented with a great UI that is&amp;nbsp;intuitive&amp;nbsp;even for non-technical users. The &lt;a href=&quot;http://stackexchange.com/users/login?returnurl=%2f&quot;&gt;Stack Exchange&lt;/a&gt; login and, I would hope, &lt;a href=&quot;http://simplesecurityra.com/&quot;&gt;Simple Security Risk Assessment&lt;/a&gt; (SSRA) (shameless plug) are good examples. As more and more services move to the cloud, shedding their legacy&amp;nbsp;applications&amp;nbsp;and their password databases, it will become easier to use federated authentication.&amp;nbsp;For example, Amazon AWS offers an &lt;a href=&quot;http://aws.amazon.com/iam/&quot;&gt;Identity and Access&amp;nbsp;Management&amp;nbsp;service&lt;/a&gt;&amp;nbsp;and I would not be&amp;nbsp;surprised&amp;nbsp;if this offers the option of federated access, at least across AWS, in future.&amp;nbsp;Anyone using Google Apps benefits from being able to collaborate with other businesses simply by entering an email address - this is how easy it should be to set up federated access; it should be business driven rather than requiring a technology project.&lt;br /&gt;&lt;br /&gt;For new companies it is a no-brainer to use an existing identity provider. As a straw poll, consider the latest batch of Y Combinator&amp;nbsp;&lt;s&gt;recruits&lt;/s&gt;&amp;nbsp;&lt;a href=&quot;http://networkeffect.allthingsd.com/20110322/meet-y-combinators-latest-class/&quot;&gt;millionaires&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;https://convore.com/&quot;&gt;Convore&lt;/a&gt; - Real-time group conversations. 
Chat with public and private groups on the Web, or the iPhone app. IRC for everyone - &lt;b&gt;Twitter&lt;/b&gt; and &lt;b&gt;Facebook&lt;/b&gt; login&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.tutorspree.com/&quot;&gt;Tutorspree&lt;/a&gt; - Airbnb for tutoring - &lt;b&gt;Facebook&lt;/b&gt; login&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.earbits.com/&quot;&gt;Earbits Radio&lt;/a&gt; - Internet radio that serves as a marketing platform for music-related products. Labels, artists and live music promoters bid for airtime. Shortcut description: “The Google AdWords for the music industry.” - &lt;b&gt;Facebook&lt;/b&gt; login&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;You get the point. Also notice the elephant in the room and our&amp;nbsp;favorite&amp;nbsp;CIA agent yet to be mentioned: Facebook.&amp;nbsp;Unfortunately,&amp;nbsp;they are not an Open-ID provider, but they do support something &lt;a href=&quot;https://developers.facebook.com/docs/guides/web/&quot;&gt;similar&lt;/a&gt;; for users and businesses there are few practical differences in use. Facebook also highlights a key business reason for federation: access to all that social data and the possibility of going viral. More attractive than cost reductions and time savings, this is a real revenue-side reason to use federated access. Listening to a startup pitch from &lt;a href=&quot;http://recip.ly/&quot;&gt;Recip.ly&lt;/a&gt;&amp;nbsp;at a recent&amp;nbsp;Silicon&amp;nbsp;Roundabout meeting: &quot;of course we use Facebook connect so we already know what they like&quot;. 
While this makes the privacy and security side of me cringe, if you want to sell federated authentication, maybe start with your marketing department.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Summary&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;The business case for federated access is based on making it easier for consumers to sign up and use your services, and cheaper and faster to integrate with business partners&lt;/li&gt;&lt;li&gt;Security and implementation costs are often barriers; however, these can be overcome with strong authentication for a limited number of identities and via technologies such as OpenAM&lt;/li&gt;&lt;li&gt;The tipping point for federated authentication is here; if you want to get in front of the curve, Open-ID is well worth implementing&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Like this post? 
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;Photo credit:&amp;nbsp;&lt;a href=&quot;http://www.flickr.com/photos/56695083@N00/4464828517/sizes/s/in/photostream/&quot;&gt;KatB Photography&lt;/a&gt;&amp;nbsp;Flickr&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/5141091478180655860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/04/federated-authentication-security-that.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5141091478180655860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5141091478180655860'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/04/federated-authentication-security-that.html' title='Federated authentication: security that makes you money'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-ecOgDe0fyL4/TaIm3aLfErI/AAAAAAAAB8g/oTwCwFnJkjQ/s72-c/4464828517_2fdf5f479c_m.jpg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-7731607067245512839</id><published>2011-04-06T22:41:00.000+01:00</published><updated>2011-04-06T22:55:07.160+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Rant"/><category scheme="http://www.blogger.com/atom/ns#" term="Secure Development"/><title type='text'>Agile: Most security guys are useless</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: right; text-align: right;&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-tDTVuiex7-c/TZzC2wZSnFI/AAAAAAAAB8c/bpr4sxW_kkE/s1600/320px-Agile_Software_Development_methodology.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;http://3.bp.blogspot.com/-tDTVuiex7-c/TZzC2wZSnFI/AAAAAAAAB8c/bpr4sxW_kkE/s320/320px-Agile_Software_Development_methodology.jpg&quot; width=&quot;257&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;[1]&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;The return of king &lt;a href=&quot;http://techcrunch.com/2011/01/20/google-ceo-change/&quot;&gt;Larry&lt;/a&gt; to his rightful throne at Google with his &lt;a href=&quot;http://news.ycombinator.com/item?id=2411348&quot;&gt;&lt;s&gt;nerds&lt;/s&gt; engineers rule edict&lt;/a&gt;&amp;nbsp;and&amp;nbsp;Jason Fried of 37 Signals talking about the &lt;a href=&quot;http://www.inc.com/magazine/20110401/jason-fried-why-i-run-a-flat-company.html&quot;&gt;culture&lt;/a&gt; of a flat company got me thinking whether, in an Agile development world, most security 
guys are useless. The short rationale is that in Agile, and really any lean, successful company, you want &quot;everyone to touch the product&quot;. Security guys need to code; those that don&#39;t (the majority) are not required. But is this the whole story...&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;The 12 principles [2] behind Agile development are (emphasis mine):&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Customer satisfaction by &lt;b&gt;rapid delivery&lt;/b&gt; of useful software&lt;/li&gt;&lt;li&gt;Welcome &lt;b&gt;changing&lt;/b&gt; requirements, even late in development&lt;/li&gt;&lt;li&gt;Working software is delivered &lt;b&gt;frequently&lt;/b&gt; (weeks rather than months)&lt;/li&gt;&lt;li&gt;&lt;b&gt;Working&lt;/b&gt; software is the principal measure of progress&lt;/li&gt;&lt;li&gt;Sustainable development, able to maintain a &lt;b&gt;constant&lt;/b&gt; pace&lt;/li&gt;&lt;li&gt;Close, daily co-operation between business people and developers&lt;/li&gt;&lt;li&gt;Face-to-face conversation is the best form of communication (co-location)&lt;/li&gt;&lt;li&gt;Projects are built around motivated individuals, who should be trusted&lt;/li&gt;&lt;li&gt;Continuous attention to technical excellence and good design&lt;/li&gt;&lt;li&gt;Simplicity&lt;/li&gt;&lt;li&gt;Self-organizing teams&lt;/li&gt;&lt;li&gt;Regular adaptation to changing circumstances&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;If you are a startup in particular, I don&#39;t think you can develop any other way than Agile. Your best bet for survival is to get something out there and iterate like hell. 
Even in large companies these days, rapid delivery, reduced costs and adapting to requirements that get elaborated as you go are &lt;a href=&quot;http://stackoverflow.com/questions/2187598/successful-projects-using-agile-methods/2193434#2193434&quot;&gt;increasingly&lt;/a&gt; the &lt;a href=&quot;http://www.computerworlduk.com/management/infrastructure/applications/news/index.cfm?newsid=6286&quot;&gt;norm&lt;/a&gt;.&amp;nbsp;Paul Graham &lt;a href=&quot;http://www.paulgraham.com/boss.html&quot;&gt;says&lt;/a&gt; &quot;a programmer working as programmers are meant to, is always making new things&quot;. I would argue this should be true for everyone working on agile projects, including security people. The only people that add value are coding, designing the UI, testing etc.; &quot;touching the product&quot;.&amp;nbsp;Unfortunately, most security people are not doing this; they create documentation, provide advice and consulting, &quot;manage risks&quot; or manage other security people, and thus at best add zero value. Arguably you would be far better off having only security engineers who coded the security components and, where they performed code reviews and security testing, actually fixed the problems.&lt;br /&gt;&lt;br /&gt;How about the opposite perspective though? Starting from the top: CISOs sit on&amp;nbsp;executive&amp;nbsp;committees, ten or more layers removed where such hierarchies exist. CSO Online &lt;a href=&quot;http://www.csoonline.com/article/221739/what-is-a-chief-security-officer-&quot;&gt;states&lt;/a&gt; they are the &quot;executive responsible for the organization&#39;s entire security posture&quot;, these days expanding their empire to risk, governance, information security, IT security, physical security, data loss and even fraud. Surely that is an important position for ensuring your project delivers the business benefits really quickly. 
So what if &lt;a href=&quot;http://www.paulgraham.com/wealth.html&quot;&gt;startups&lt;/a&gt; don&#39;t have them, every&amp;nbsp;&lt;a href=&quot;http://www.boazgelbord.com/2009/05/do-companies-need-ciso.html&quot;&gt;Fortune 500 company&lt;/a&gt;&amp;nbsp;does, right? They must add a lot of value. I mean it is the big stuff that makes the difference: securing the budget for that new DLP system, funding for enough resources to review all the projects and changes, keeping the security operations running. Even I have &lt;a href=&quot;http://www.rakkhis.com/2011/01/early-security-engagement-critical-or.html&quot;&gt;argued&lt;/a&gt; before that enterprise security controls make the biggest difference in the security posture of an organization.&lt;br /&gt;&lt;br /&gt;Then there is everyone that does &quot;Governance, Risk and Compliance&quot; (GRC). Bingo! Sorry, thought I was at Infosec. After all, the majority of companies only do security for&amp;nbsp;&lt;a href=&quot;http://www.rakkhis.com/2010/07/security-return-on-investment-roi.html&quot;&gt;compliance&lt;/a&gt;,&amp;nbsp;and regulations are growing increasingly &lt;s&gt;insane&lt;/s&gt; &lt;a href=&quot;http://www.techdirt.com/articles/20110303/03520213350/france-goes-overboard-data-retention-wants-user-passwords-retained.shtml&quot;&gt;complex&lt;/a&gt;; even Agile projects need to know whether sending data out of Europe, where the evil &lt;a href=&quot;http://www.theonion.com/video/cias-facebook-program-dramatically-cut-agencys-cos,19753/&quot;&gt;CIA&lt;/a&gt; may watch, breaches the Data Protection Act, right? It&#39;s not like email flows freely around the world; no one would store the company&#39;s most &lt;a href=&quot;http://current.com/groups/the-hacker-news/92989936_anonleaks-hbgary-email-viewer-portal-71-800-emails-exposed-the-hacker-news.htm&quot;&gt;valuable&lt;/a&gt; information in email, right? 
In addition there are the physical security guys obsessing over slab-to-slab construction and&amp;nbsp;separate rooms for developers; got to keep those desks clear and laptops leashed!&amp;nbsp;Also not to be forgotten is information security, which reviews all the supplier &lt;a href=&quot;http://www.rakkhis.com/2010/10/legally-blond-why-you-do-not-need-50.html&quot;&gt;contracts&lt;/a&gt;,&amp;nbsp;including all those pesky cloud vendors, and performs all the supplier due diligence visits. Developers in Hawaii in summer and a data center in the Alps in winter; it&#39;s a dirty job but someone has to do it.&lt;br /&gt;&lt;br /&gt;Then there are all the middle managers in security, risk and compliance;&amp;nbsp;absolutely&amp;nbsp;mandatory&amp;nbsp;to keep the troops motivated and in line. No decently large company could do what 37 Signals has achieved, right? Of course we still need all the bottom-of-pyramid security underlings running firewalls, providing access, monitoring the SIEM. We would never want to &lt;a href=&quot;http://tinyurl.com/3uqxdh9&quot;&gt;outsource&lt;/a&gt; or &lt;a href=&quot;https://www.google.com/enterprise/marketplace/viewListing?productListingId=5969052+17186312869074713199&amp;amp;pli=1&quot;&gt;automate&lt;/a&gt; these services.&lt;br /&gt;&lt;br /&gt;Finally, where the bullet hits close to home: security architecture and design for projects. Even on Agile projects we perform a CIA analysis and advise on the inherent risk of a project even before it starts, which of course is always listened to. We write security requirements, driven from threat models, that reduce &lt;a href=&quot;http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API&quot;&gt;re-inventing&lt;/a&gt; the wheel and &lt;a href=&quot;http://www.rakkhis.com/2011/03/mitigating-owasp-top-10-without-any.html&quot;&gt;integrate&lt;/a&gt; with enterprise security infrastructure. We review and collaborate on the design, develop attack trees and mis-use cases for sprints and plan security testing. 
When Fortify360 finds&amp;nbsp;&lt;a href=&quot;http://security.stackexchange.com/questions/1262/fortify360-sinks-sources-vulnerability-count&quot;&gt;300&lt;/a&gt; cross site scripting vulnerabilities, we &lt;a href=&quot;http://tinyurl.com/4yyvt3t&quot;&gt;advise&lt;/a&gt; how they can be fixed. Look, even &lt;a href=&quot;http://www.microsoft.com/security/sdl/discover/sdlagile.aspx&quot;&gt;Microsoft&lt;/a&gt;&amp;nbsp;says we are&amp;nbsp;necessary&amp;nbsp;even for Agile processes, and that is &lt;a href=&quot;http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367&quot;&gt;working so well&lt;/a&gt;. But does the business care about any of this, or would they rather have someone that is helping to get the code completed securely and delivered?&lt;br /&gt;&lt;br /&gt;All the security guys I&amp;nbsp;&lt;a href=&quot;http://dc4420.org/&quot;&gt;know&lt;/a&gt;&amp;nbsp;that can code enjoy breaking things too much and either run or work for pen test companies; very few seem interested in working for end-user companies building defenses. Even the few that do, do so as part of security consulting vendors; very few real security hackers work for companies building new systems.&lt;br /&gt;&lt;br /&gt;Thankfully it seems unlikely that any large company will soon replace all its security, risk and compliance staff with security engineers that code,&amp;nbsp;but just to hedge my bets a little bit I&#39;m going to work on some node.js and jquery to maintain &lt;a href=&quot;http://www.simplesecurityra.com/&quot;&gt;http://www.simplesecurityra.com&lt;/a&gt; (shameless plug). Any links to outstanding resources for either that I can&#39;t find easily on Google would be greatly&amp;nbsp;appreciated&amp;nbsp;#lazyweb. Damn, in the hour it took me to write this I could have got hello world and a twitter feed working on my node server.&lt;br /&gt;&lt;br /&gt;Like this post? 
Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;Sources:&lt;br /&gt;[1] Agile software development poster.&amp;nbsp;&lt;a href=&quot;http://en.wikipedia.org/wiki/Agile_software_development&quot;&gt;http://en.wikipedia.org/wiki/Agile_software_development&lt;/a&gt;&lt;br /&gt;[2]&amp;nbsp;&amp;nbsp;Beck, Kent; et al. (2001). &quot;Principles behind the Agile Manifesto&quot;. Agile Alliance. Retrieved 2011-04-06&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/7731607067245512839/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/04/agile-most-security-guys-are-useless.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7731607067245512839'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7731607067245512839'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/04/agile-most-security-guys-are-useless.html' title='Agile: Most security guys are useless'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://3.bp.blogspot.com/-tDTVuiex7-c/TZzC2wZSnFI/AAAAAAAAB8c/bpr4sxW_kkE/s72-c/320px-Agile_Software_Development_methodology.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-88431664730637857</id><published>2011-04-04T01:08:00.002+01:00</published><updated>2011-04-04T11:16:58.317+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="DLP"/><category scheme="http://www.blogger.com/atom/ns#" term="SIEM"/><title type='text'>RSA APT hack - blogger tells all</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-JtMjMMmJgQw/TZkCLoMfHkI/AAAAAAAAB8Y/wEizP7n4ZfI/s1600/2877421629_63aaa5d8f5_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://3.bp.blogspot.com/-JtMjMMmJgQw/TZkCLoMfHkI/AAAAAAAAB8Y/wEizP7n4ZfI/s1600/2877421629_63aaa5d8f5_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;So an RSA employee released a &lt;a href=&quot;https://www.readability.com/articles/ucidvgey?legacy_bookmarklet=1#&quot;&gt;blog post&lt;/a&gt; with some more details of the &quot;Advanced Persistent Threat&quot; attack that involved the theft of information related to SecurID. RSA should be praised for this, as I like many others, had been&amp;nbsp;disappointed&amp;nbsp;with them for less than &lt;a href=&quot;http://www.rakkhis.com/2011/03/rsa-and-scada-two-ends-of-disclosure.html&quot;&gt;responsible disclosure&lt;/a&gt;. Although this post does not provide details of what was stolen (maybe they don&#39;t know?) 
that would enable smaller organizations and individuals without direct contact with RSA to perform a &lt;a href=&quot;http://www.rakkhis.com/2011/03/risk-assessment-glimpse-of-future.html&quot;&gt;risk assessment&lt;/a&gt;, it does at least provide opportunities for lessons learnt. It also raises questions about why a security company did not have appropriate controls to mitigate these risks.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;blockquote&gt;&quot;The number of enterprises hit by APTs grows by the month... examples are in the press regularly, and some examples are [Arora attacks] and [HB Gary]&quot;&lt;/blockquote&gt;Never a good sign when they start with: look, it wasn&#39;t just us getting hacked. This was terrible for HB Gary and even worse when you release a deck a few days before stating how one of your &lt;a href=&quot;https://docs.google.com/viewer?url=http%3A%2F%2Fwww.rsa.com%2Finnovation%2Fdocs%2F11313_APT_BRF_0211.pdf&quot;&gt;flagship products&lt;/a&gt; is great for mitigating APTs, and a post titled &quot;&lt;a href=&quot;http://blogs.rsa.com/rivner/2019-what-we-did-to-fight-apts/&quot;&gt;What we did to fight to APT&#39;s&lt;/a&gt;&quot; written on February 18th 2011 (a month before the attack was disclosed).&lt;br /&gt;&lt;blockquote&gt;&quot;These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?&quot;&lt;/blockquote&gt;Agreed that you can never get the risk to zero, but without details on what mitigating controls RSA did have in place, there appear to be some basic security controls that failed either in design or effectiveness.&lt;br /&gt;&lt;blockquote&gt;&quot;they then send that user a Spear Phishing email... 
The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file&quot;&lt;/blockquote&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-weight: normal;&quot;&gt;&lt;b&gt;RSA really?&lt;/b&gt;&lt;/span&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-weight: normal;&quot;&gt;&amp;nbsp;So any training on email security including spear phishing? Was the false positive rate so bad in your email filtering service that such an email was put in junk mail for retrieval by the user, without further authorization, rather than being quarantined?&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-weight: normal;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;Lesson:&lt;/b&gt; you should be training users not to open emails from senders they do not recognize. Spear phishing training needs to be part of any user awareness program. Any email that triggers a junk rating, especially where it has an attachment, should be placed in quarantine for review.&lt;br /&gt;&lt;blockquote&gt;&quot;The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)&quot;&lt;/blockquote&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-weight: normal;&quot;&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;div style=&quot;margin: 0px;&quot;&gt;&lt;b&gt;&lt;b&gt;RSA really?&lt;/b&gt;&amp;nbsp;&lt;/b&gt;Is there a good business reason why Joe from HR needs to have Flash? Is it&amp;nbsp;necessary&amp;nbsp;for his job or is it easier to roll it out to everyone rather than field the complaints for not being able to watch iPlayer? In fact did Joe need Internet access at all? 
Could he have a whitelist of allowed sites required for his job and a simple and automated way to apply for additional access with justification?&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;b&gt;Lesson:&lt;/b&gt; basic advice many of us have been providing for years to &lt;a href=&quot;http://www.rakkhis.com/2010/11/practical-and-cheap-pci-dss-compliance.html&quot;&gt;small business&lt;/a&gt; and &lt;a href=&quot;http://www.rakkhis.com/2011/03/password-stolen-ounce-of-prevention.html&quot;&gt;non techy Internet surfers&lt;/a&gt;: for things like browsers and browser extensions, and really common software that has an attack surface you can drive a bus through such as Adobe Acrobat Reader, Flash and MS Office, patching is a really good idea; using alternatives such as OpenOffice, &lt;a href=&quot;http://sourceforge.net/projects/pdfcreator/&quot;&gt;PDF creator&lt;/a&gt; and &lt;a href=&quot;http://en.wikipedia.org/wiki/Adobe_Flash#Alternatives_to_Flash&quot;&gt;not Flash&lt;/a&gt;, or eliminating them altogether, is even better. Internet access to all sites should not be carte blanche for all; whitelist where you can and put effective approval processes in place to cut your attack surface significantly.&lt;br /&gt;&lt;blockquote&gt;&quot;&lt;a href=&quot;http://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml&quot;&gt;Poison Ivy&lt;/a&gt; variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around.&quot;&lt;/blockquote&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-weight: normal;&quot;&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;div style=&quot;margin: 0px;&quot;&gt;&lt;b&gt;&lt;b&gt;RSA really?&lt;/b&gt; &lt;/b&gt;Now this is where the story gets really bad. Any IDS should be able to detect new outbound connections from desktops to addresses on the Internet. 
I have worked for organizations where Conficker and plenty of other malware was detected in this way. Envision should have been configured to alert the security team of anything like this. A desktop firewall should have stopped outbound connections to anything other than authorized programs. &lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;b&gt;Lesson:&lt;/b&gt; Configure a firewall and host based IDS on every end point; do not allow unlimited outbound connections, but rather whitelist a set of programs, e.g. the browser. Everything else, like AV, should be updated via internal servers. Configure IDS on the Internet perimeter to specifically alert, and ideally IPS to block, suspicious outbound connections, even where they piggyback on a browser or other allowed programs.&lt;br /&gt;&lt;blockquote&gt;&quot;You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars&quot;&lt;/blockquote&gt;Actually an attack, even if it is a zero-day exploit being sent by email, was caught by your existing radar; it just wasn&#39;t dealt with effectively. An endpoint connecting to an unknown address on the Internet is not a stealth fighter, it is a 747, and your existing radar works perfectly.&lt;br /&gt;&lt;blockquote&gt;&quot;Already we’re learning fast, and every organization hit by an APT is much more prepared against the next one... 
What we’re witnessing now are the early days.&quot;&lt;/blockquote&gt;This really is not a new type of attack; in fact I would be surprised if RSA had not earned millions for years scaring organizations into buying Envision for exactly this type of threat.&lt;br /&gt;&lt;blockquote&gt;&quot;by detecting what is happening early on, RSA was able to respond quickly and engage in immediate countermeasures&quot;&lt;/blockquote&gt;&lt;b&gt;&lt;b&gt;RSA really?&lt;/b&gt; &lt;/b&gt;The key information left out is how quickly? Are we talking minutes, hours, days? He mentions other organizations taking &quot;months&quot;, so more than a minute and less than 3 months? Doesn&#39;t Envision have real time alerts to your 24x7 monitoring team? No IPS to automatically block outbound Internet connections like this? No automated preventative action configured in Envision?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Lesson: &lt;/b&gt;Investing in SIEM software like Envision is pointless unless you spend the time to set up the alerts and have a robust, step by step procedure for your Security Operations Center (SOC) on what to do when an alert is detected. I wrote a bit about this in getting more &lt;a href=&quot;http://www.rakkhis.com/2010/10/improving-roi-of-siem-logging-and.html&quot;&gt;ROI from your SIEM&lt;/a&gt;. Even better, use an IPS and automate your response within acceptable false positives.&lt;br /&gt;&lt;blockquote&gt;&quot;They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.&quot;&lt;/blockquote&gt;&lt;b&gt;&lt;b&gt;RSA really? &lt;/b&gt;&lt;/b&gt;This provides some answer to the above question: the detection and response certainly was not immediate. Why do even administrators have permanent access to critical systems? 
Why is access not provided on an as-needs basis with an incident or change ticket? Was Envision configured to monitor for administrator logins outside of these approved reasons for logging in? Finally the greatest irony: where was the two factor authentication for administrative users? If this was in place, at best the attacker is only able to capture a one time password with a limited timeframe to use it.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Lesson: &lt;/b&gt;Move away from permanent privileged access to critical production systems. Establish a process for access to be enabled only with an approved change or support ticket. Configure monitoring for administrator logins without this rationale. Two factor authentication for administrator access even to internal systems should be mandatory.&lt;br /&gt;&lt;blockquote&gt;&quot;Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction.&lt;br /&gt;&lt;br /&gt;The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider.&quot;&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;RSA really?&lt;/b&gt;&lt;br /&gt;Data Loss Prevention (DLP) - What about securing the data, not the infrastructure? &lt;a href=&quot;http://www.rsa.com/node.aspx?id=3426&quot;&gt;Discover, educate, enforce and report&lt;/a&gt;? We know the information stolen was related to SecurID; surely this should have been indexed in your DLP tool and any outbound connection over the Internet blocked? 
Even if the files were encrypted and could not be read by a DLP tool, the ad-hoc transfer of encrypted files from highly sensitive servers to internal staging servers and then to external servers via FTP should have raised a flag in DLP to block and review.&lt;br /&gt;&lt;br /&gt;Encryption in storage - Why was the SecurID information not encrypted? Even if the malware was able to exploit a zero day to get to the servers storing this information, finding a clear text version should have been next to impossible. Decryption keys should have been stored on a Hardware Security Module (HSM).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Lesson: &lt;/b&gt;It may be impossible to truly prevent malware getting to your endpoints in particular, so move your protections closer to what is really valuable by using tools like DLP and actually &lt;a href=&quot;http://www.rakkhis.com/2010/07/practical-lessons-learned-from.html&quot;&gt;implementing them correctly.&lt;/a&gt;&lt;br /&gt;Encryption should also be used to protect really sensitive data in storage.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;RSA really?&lt;/b&gt;&lt;br /&gt;Network segmentation - why can malware that infects an endpoint even reach the servers that hold information on SecurID? Don&#39;t tell me you had a *shock* flat corporate network?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Lesson: &lt;/b&gt;&lt;a href=&quot;http://www.opengroup.org/jericho/&quot;&gt;Jericho failed&lt;/a&gt; for a good reason; don&#39;t believe the hype, firewalls are still useful security tools and getting better all the time with dynamic rules, &lt;a href=&quot;http://www.rakkhis.com/2010/07/iphone-and-android-securely-in.html&quot;&gt;coordinated systems linked to a central point&lt;/a&gt; and application layer analysis. 
Using them to segment your most valuable assets is a good idea.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;RSA really?&lt;/b&gt;&lt;br /&gt;Thin client endpoints - Malware on desktops using zero days is clearly a risk, especially with business critical software like Flash installed, so how about a purely thin client infrastructure? It saves money, can provide better performance and provides better sandboxing capability for endpoints.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Lesson:&lt;/b&gt; Add improved security to your &lt;a href=&quot;http://www.rakkhis.com/2010/07/iphone-and-android-securely-in.html&quot;&gt;business case&lt;/a&gt; for thin or zero client endpoints that work anywhere.&lt;br /&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;&lt;b&gt;Summary and conclusions:&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I admire RSA for writing this type of post providing at least a little bit more information on the attack, but I reject their premise that this type of attack requires a &quot;new defense doctrine&quot;. Good mitigations to this type of threat vector have existed for years and many organizations have them in place, clearly better than a premier security company.&lt;br /&gt;&lt;br /&gt;Summary on the lessons learned from RSA getting hacked:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Email as a malware distribution mechanism is not dead. Dig out those user awareness presentations and add some training on spear phishing and trusting the junk filter a bit more&lt;/li&gt;&lt;li&gt;Internet access is a luxury, not a default right. 
Do not provide it if it is not required for a clear business benefit. &lt;/li&gt;&lt;li&gt;Consider whitelisting websites that need to be accessed based on the user role; smart rules, such as checking that the referring URL is Google, can prevent the backlash and loss of productivity while significantly improving security &lt;/li&gt;&lt;li&gt;Re-evaluate the business reason for software like Flash, Adobe Reader, Office and browser extensions as part of the gold build for all desktops and laptops. Alternatives exist, and users with a specific business reason can request it - cut your attack surface&lt;/li&gt;&lt;li&gt;Use IDS to detect and ideally IPS to prevent connections from endpoints to suspicious sites&lt;/li&gt;&lt;li&gt;Configure a desktop firewall and host based IDS to block any new outbound connections without approval&lt;/li&gt;&lt;li&gt;Monitor alerts from your IDS/IPS - have a team that is trained to react to these alerts with clear and rehearsed procedures&lt;/li&gt;&lt;li&gt;Implement two factor authentication for administrator access even to internal systems. Move away from permanent privileged access for critical systems and monitor for logins outside of approved changes and support tickets&lt;/li&gt;&lt;li&gt;Move your security controls closer to your most valuable data with tools, people and processes for DLP. Your monitoring strategy needs to consider encrypted files, either analysing a decrypted version or flagging any new encrypted transfers. 
Encrypting the data in storage to add a further layer of protection even if it is stolen is also a good idea&lt;/li&gt;&lt;li&gt;Network segmentation - create secure network zones even within your internal network for your crown jewels, and control and monitor access to these&lt;/li&gt;&lt;li&gt;Think about thin or zero client endpoints&lt;/li&gt;&lt;/ul&gt;You may never reduce the risk of an &quot;APT&quot; to zero, but you can certainly take a lot of measures to build defence in depth and mitigate the risks to an acceptable level without re-inventing the wheel. People may be the weakest link, but this is hardly news and plenty can be done; perhaps some security companies should change to do as I do rather than do as I say.&lt;br /&gt;&lt;br /&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Share this, that&#39;s how ideas spread&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Photo credits: &lt;a href=&quot;http://www.flickr.com/photos/rickh710/2877421629/sizes/s/in/photostream/&quot;&gt;rickh710&lt;/a&gt; Flickr&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/88431664730637857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/04/rsa-apt-hack-blogger-tells-all.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/88431664730637857'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8954181093014024108/posts/default/88431664730637857'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/04/rsa-apt-hack-blogger-tells-all.html' title='RSA APT hack - blogger tells all'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-JtMjMMmJgQw/TZkCLoMfHkI/AAAAAAAAB8Y/wEizP7n4ZfI/s72-c/2877421629_63aaa5d8f5_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-8464962106800724322</id><published>2011-03-26T14:53:00.001+00:00</published><updated>2011-04-01T00:29:43.086+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Security Risk Management"/><title type='text'>Risk assessment: a glimpse of the future</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh4.googleusercontent.com/-zgUrOaWHaCo/TY35r1G3BnI/AAAAAAAAB74/EtFxEfFWhFM/s1600/3155662908_546dc6e3ef_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://lh4.googleusercontent.com/-zgUrOaWHaCo/TY35r1G3BnI/AAAAAAAAB74/EtFxEfFWhFM/s1600/3155662908_546dc6e3ef_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;I&amp;nbsp;believe&amp;nbsp;a great risk assessment gives you a glimpse of the future. It gives you more control, more certainty; trust is good, control is better. 
If you are like me and on occasion have a niggle in the back of your mind about the security of your company or a new project going live, a risk assessment is the way to get that peace of mind. If you like to be confident that you have thought through all the issues and angles, this is an exercise you should do regularly. When you need to decide on anything security related and you need to know whether this is the right decision, you need to first answer the question: what is the risk? If you need to know whether you are getting value from this security investment, this is why you need to do a risk assessment.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;A security risk assessment is a thought process. You need a tool that guides you through assessing:&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Value&lt;/b&gt; - what is your most important information? You only need as much security as you have value to protect&lt;/li&gt;&lt;li&gt;&lt;b&gt;Threats&lt;/b&gt; - is there anyone that has the incentives and ability to cause you a problem?&lt;/li&gt;&lt;li&gt;&lt;b&gt;Weaknesses&lt;/b&gt; - what are the weaknesses in your systems, your people and processes that could be exploited? How serious are these?&lt;/li&gt;&lt;li&gt;&lt;b&gt;Risk&lt;/b&gt; - based on all this, what is your actual risk? What is the real exposure?&lt;/li&gt;&lt;li&gt;&lt;b&gt;Controls&lt;/b&gt; - how does everything you have spent on security so far help you reduce this risk? If you got rid of a control, would it significantly increase the risk? Is it worth investing in new technology, people and process?&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is why I created &lt;a href=&quot;http://www.simplesecurityra.com/&quot;&gt;Simple Security Risk Assessment&lt;/a&gt; (SSRA). It is really easy to use and intuitive. It is a structured mapping tool to help you make decisions about security. 
It will help you comply with PCI-DSS, HIPAA and other regulations that mandate performing a risk assessment. When you have a list of audit findings or penetration testing results, make sense of your priorities and your actual risks using SSRA. &lt;a href=&quot;http://www.simplesecurityra.com/main/main.action&quot;&gt;Try it out&lt;/a&gt; now and &lt;a href=&quot;https://twitter.com/rakkhis&quot;&gt;let me know&lt;/a&gt; what you think.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/stuckincustoms/3155662908/sizes/s/in/photostream/&quot;&gt;Stuck in Customs&lt;/a&gt; Flickr&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;&quot;&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;/div&gt;Share this, that&#39;s how ideas spread: &lt;a class=&quot;twitter-share-button&quot; data-count=&quot;none&quot; data-via=&quot;rakkhis&quot; href=&quot;http://twitter.com/share&quot;&gt;Tweet&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/8464962106800724322/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/risk-assessment-glimpse-of-future.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/8464962106800724322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/8464962106800724322'/><link rel='alternate' type='text/html' 
href='http://www.rakkhis.com/2011/03/risk-assessment-glimpse-of-future.html' title='Risk assessment: a glimpse of the future'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh4.googleusercontent.com/-zgUrOaWHaCo/TY35r1G3BnI/AAAAAAAAB74/EtFxEfFWhFM/s72-c/3155662908_546dc6e3ef_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-8136707923366135994</id><published>2011-03-26T02:25:00.003+00:00</published><updated>2011-04-01T00:33:34.452+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Disclosure"/><category scheme="http://www.blogger.com/atom/ns#" term="Incident"/><category scheme="http://www.blogger.com/atom/ns#" term="Legal"/><title type='text'>RSA and SCADA: two ends of the disclosure spectrum</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh5.googleusercontent.com/-n-OUQcDl2po/TY1D_m8x5PI/AAAAAAAAB7w/Ar4vWQd7nb8/s1600/480088730_830fee9783_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://lh5.googleusercontent.com/-n-OUQcDl2po/TY1D_m8x5PI/AAAAAAAAB7w/Ar4vWQd7nb8/s1600/480088730_830fee9783_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;In the last week we have seen what I feel are two ends of the disclosure spectrum for security. 
The RSA SecurID incident with such a &lt;a href=&quot;http://www.rsa.com/node.aspx?id=3872&quot;&gt;high level statement&lt;/a&gt; on one end (called &quot;corporate spin&quot; by &lt;a href=&quot;http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html&quot;&gt;Schneier&lt;/a&gt;) and 34 vulnerabilities and proof of concept code on SCADA systems on the other;&amp;nbsp;&lt;a href=&quot;http://seclists.org/bugtraq/2011/Mar/187&quot;&gt;disclosed&lt;/a&gt; by a researcher without following responsible disclosure principles. Both are far from ideal and badly in need of improvement.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;The RSA statement seemed like exactly the &lt;a href=&quot;http://eskenzi.wordpress.com/2011/03/21/rsa-hack-%E2%80%93-a-lesson-in-how-not-to-handle-a-pr-disaster/&quot;&gt;wrong way&lt;/a&gt; to disclose a security incident. It teased with morsels like &quot;information is specifically related to RSA’s SecurID two-factor authentication products&quot;, played buzzword bingo with &quot;the attack is in the category of an Advanced Persistent Threat (APT)&quot; and just confused with &quot;customers should increase security for social media applications&quot;. Their advice to worried customers read like a Jedi mind trick; use strong passwords, do not open unknown email&amp;nbsp;attachments, we were never &lt;strike&gt;here&lt;/strike&gt; hacked. For&amp;nbsp;Coviello’s credibility I hope it was some marketing or PR blunder that made this statement so devoid of useful facts.&lt;br /&gt;&lt;br /&gt;The problem with this type of minimal disclosure is that all pundits could do was&amp;nbsp;&lt;a href=&quot;http://newschoolsecurity.com/2011/03/what-does-coviellos-rsa-breach-letter-mean/&quot;&gt;speculate&lt;/a&gt;. 
There was some &lt;a href=&quot;http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/&quot;&gt;good&lt;/a&gt; &lt;a href=&quot;http://www.hbarel.com/blog/?itemid=62&quot;&gt;analysis&lt;/a&gt; of the possible impacts, but without real data on what was stolen, what vulnerabilities they exploited and whether the threat had now been fully neutralized, it was all just blind guesses. So many outstanding questions: is SecurID now broken, or can we rely on the fact that you need a PIN, a serial number and the other factor; you know, those pesky passwords we don&#39;t value so much anymore because we have a SecurID token... oh wait... In addition, with the obvious focus on SecurID, since it was mentioned in the press release, hardly anyone was considering everything else that RSA holds, e.g. emails, as HBGary found out, can occasionally have some valuable information; the RSA &lt;a href=&quot;http://www.rsa.com/node.aspx?id=2754&quot;&gt;portfolio&lt;/a&gt; includes DLP software, SIEM software, GRC, Identity Management and even a Fraud center which is provided as a SaaS, and no doubt many banks use RSA datacenters for storing some interesting data. Oh yeah, and apparently &lt;a href=&quot;http://www.rsa.com/innovation/docs/11313_APT_BRF_0211.pdf&quot;&gt;Envision is really good at mitigating APT&#39;s&lt;/a&gt; [PDF]; if only we had such a tool....&lt;br /&gt;&lt;br /&gt;The extent and nature of the information stolen and how the breach occurred has many different implications for different companies and individuals. No doubt RSA is working with large companies, especially large banks that have rolled out hard tokens to millions of customers around the world, but what about everyone else? 
A small company or individual has no way of performing a &lt;a href=&quot;http://www.simplesecurityra.com/&quot;&gt;risk assessment&lt;/a&gt; and RSA has not provided anything of use beyond general security good practices. &lt;a href=&quot;http://www.schneier.com/essay-146.html&quot;&gt;Schneier&lt;/a&gt; in 2007: &quot;Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn&#39;t improve security; it stifles it&quot;.&lt;br /&gt;&lt;br /&gt;On the other hand what&amp;nbsp;&lt;span class=&quot;Apple-style-span&quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;Luigi Auriemma did with the SCADA vulnerabilities is also irresponsible. While these systems are typically not connected to the Internet the world learnt of SCADA through Stuxnet. SCADA systems control some of the most critical national infrastructure around the world. 
Disclosing security vulnerabilities without providing any chance for the&amp;nbsp;manufacturers&amp;nbsp;to release patches and organizations to install them is&amp;nbsp;disappointing&amp;nbsp;for a skilled and professional researcher.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;In the impact analysis that followed, I really do not understand statements like this:&amp;nbsp;&lt;/span&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&quot;systems deployed are not directly connected to the Internet, Løppenthien said. Those that are connected are usually protected by a firewall, which the hacker would have to bypass first&quot; and&amp;nbsp;&lt;/span&gt;&lt;span class=&quot;Apple-style-span&quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&quot;In my opinion there is absolutely no risk because these systems are not made to be reached via the internet&quot; both statements in a&amp;nbsp;&lt;/span&gt;&lt;a href=&quot;http://www.computerworld.com.au/article/380781/scada_vulnerabilities_prompt_us_government_warning/&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;Computerworld article&lt;/a&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;. 
I consider a system connected to the Internet &lt;/span&gt;&lt;b style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;IF&lt;/b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt; it can be reached via an Internet facing firewall, how long have we been&amp;nbsp;preaching&amp;nbsp;about application layer threats and the&amp;nbsp;ubiquitous&amp;nbsp;port 80 and 443? I really hope that&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span class=&quot;Apple-style-span&quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;Løppenthien meant these systems are behind multiple internal firewalls or better air-gapped networks with no systems that connect to the outside world (a nigh on impossible task these days). Also&amp;nbsp;&lt;/span&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;absolutely&lt;/span&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&amp;nbsp;no risk? 
Stuxnet highlighted that attack does not need to be via the Interent, USB devices carried in by trusted employees with access work just fine.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot;&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;Also consider the nature of the findings: remotely exploitable vulnerabilities that allow &lt;/span&gt;&lt;a href=&quot;http://aluigi.org/adv/factorylink_2-adv.txt&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;arbitary file transfer&lt;/a&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&amp;nbsp;and&amp;nbsp;&lt;/span&gt;&lt;a href=&quot;http://aluigi.org/adv/genesis_3-adv.txt&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;memory and buffer overflows&lt;/a&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;. These are potentially high impact. SCADA is not Windows but I would not be&amp;nbsp;surprised&amp;nbsp;to see a Critical or Important rating assigned from Microsoft and a CVE rating of 8 or higher for types of vulnerabilities. 
There are some good arguments for both full disclosure&amp;nbsp;immediately&amp;nbsp;and&amp;nbsp;responsible&amp;nbsp;disclosure on the &lt;/span&gt;&lt;a href=&quot;http://www.securityfocus.com/archive/1/517130/30/0/threaded&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;Bugtraq&lt;/a&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt; thread, ultimately though this debate has already&amp;nbsp;occurred&amp;nbsp;and &lt;a href=&quot;http://en.wikipedia.org/wiki/Responsible_disclosure&quot;&gt;responsible disclosure won&lt;/a&gt;. This does not mean avoid full disclosure forever but provide a period for the vendor to release patches and risk aware customers to apply them.&amp;nbsp;&lt;/span&gt;&amp;nbsp;&lt;a href=&quot;http://www.schneier.com/essay-146.html&quot;&gt;Schneier&lt;/a&gt;: &quot;the threat of publishing the vulnerability is almost as good as actually publishing it&quot;.&lt;br /&gt;&lt;br /&gt;Both these incidents highlighted to me that a middle ground is required. Vulnerability researchers have an obligation to follow responsible disclosure if they want a collaborative and profitable partnership with companies and companies need full and timely disclosure if want our trust.&amp;nbsp;Especially&amp;nbsp;a security company more than most; it is human nature to respect those that walk the talk. Do not just release some marking about how Envision mitigate against APT&#39;s; prove it. I hope one day there is an international&amp;nbsp;regulation or binding industry standard for the disclosure of security&amp;nbsp;vulnerabilities&amp;nbsp;and incidents. It has worked well for the financial services industry that has excellent reporting and central databases for things such as credit card fraud. 
While service such as the &lt;a href=&quot;https://verisframework.wiki.zoho.com/Introduction-Overview-1.html&quot;&gt;Veris framework&lt;/a&gt; and ironically RSA &lt;a href=&quot;http://www.rsa.com/node.aspx?id=3071&quot;&gt;e-Fraud network&lt;/a&gt;&amp;nbsp;have made a start, we really need regulation to fix this&amp;nbsp;externality&amp;nbsp;and a set clear&amp;nbsp;standards&amp;nbsp;for what security&amp;nbsp;vulnerabilities&amp;nbsp;and incidents need to be reported, the level of detail required to protect the public and in what timeframes to allow reasonable notice but not the ostrich effect. Data loss reporting has made a start on this in many countries but broader security&amp;nbsp;disclosure&amp;nbsp;clearly needs a G20 level&amp;nbsp;agreement&amp;nbsp;and mandate.&amp;nbsp;&lt;a href=&quot;http://www.schneier.com/essay-146.html&quot;&gt;Schneier&lt;/a&gt;:&amp;nbsp;&quot;Vulnerabilities [and incidents] are largely an externality&quot; and&amp;nbsp;governments&lt;a href=&quot;http://rakkhi.blogspot.com/2010/07/security-return-on-investment-roi.html&quot;&gt;&amp;nbsp;exist mainly to correct externalities&lt;/a&gt;, its past time they got on with it.&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;Photo credit:&amp;nbsp;&lt;a href=&quot;http://www.flickr.com/photos/karjamdus/480088730/sizes/s/in/photostream/&quot;&gt;Krsoci&lt;/a&gt; Flikr&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;&quot;&gt;&lt;div 
style=&quot;margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;&quot;&gt;Like this post? Get updates via&amp;nbsp;&lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt;&amp;nbsp;or follow me on Twitter&amp;nbsp;&lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/8136707923366135994/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/rsa-and-scada-two-ends-of-disclosure.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/8136707923366135994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/8136707923366135994'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/rsa-and-scada-two-ends-of-disclosure.html' title='RSA and SCADA: two ends of the disclosure spectrum'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh5.googleusercontent.com/-n-OUQcDl2po/TY1D_m8x5PI/AAAAAAAAB7w/Ar4vWQd7nb8/s72-c/480088730_830fee9783_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-5558193956901402445</id><published>2011-03-25T13:03:00.004+00:00</published><updated>2011-04-03T19:07:51.976+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Social media"/><title type='text'>Feeding an offline reading habit</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh4.googleusercontent.com/-XNvE6eL8T2E/TYyLGDfL4kI/AAAAAAAAB7s/uptPYcrUxns/s1600/4052161755_a5ba7e6651_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://lh4.googleusercontent.com/-XNvE6eL8T2E/TYyLGDfL4kI/AAAAAAAAB7s/uptPYcrUxns/s1600/4052161755_a5ba7e6651_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;Ever since I got an iPhone 4 with the retina display I have been hooked on keeping up with my favourite tech and security blogs on the move. Yes, I’m one of those annoying zombies you see reading on their phone while walking, standing in line, on the train, etc. It has enabled me to make better use of this time and keep entertained. However, one of the major problems is that I live in London and most of my reading is done on the one-hour commute to and from work on the tube (underground subway). 
The tube has no Internet access, so I have had to find some offline ways to feed my habit.&amp;nbsp;These are some of the best ways I have found to read and share what I like:&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;&lt;b&gt;&lt;a href=&quot;http://itunes.apple.com/us/app/reeder/id325502379?mt=8#&quot;&gt;Reeder&lt;/a&gt;&lt;/b&gt; – a lot of people say RSS is dead and most outside tech circles do not even know what it is. But for offline reading it is absolutely brilliant. This is the most used app on my iPhone: just sync it to a Google Reader account, add your favourite RSS feeds and it is good to go. It has great sharing options (more on that later) and has recently added Readability to get those articles which only give you a partial post via RSS (an online-only capability, unfortunately). It also has a copy link button which is great for…&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;a href=&quot;http://itunes.apple.com/us/app/instapaper/id288545208?mt=8#&quot;&gt;Instapaper&lt;/a&gt;&lt;/b&gt; – the second most used app on my phone. You can copy a link to a long article from Reader, switch to Instapaper and it will pop up with a notification to add that to your reading list. Instapaper is awesome and has also had an upgrade recently which adds more sharing options, a way to see what articles your friends have liked and editor-curated feeds like Techmeme [edit:&amp;nbsp;unfortunately&amp;nbsp;RSS feeds to folders were removed in v3.0; apparently no one was using them, a very sad event for us offline readers]. I have heard that Readability is also good, but with Instapaper I have had no need for anything else.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;a href=&quot;http://tweetymail.com/&quot;&gt;Tweetymail&lt;/a&gt;&lt;/b&gt; – again bucking the trend that email is dead. Email is great because it allows caching of messages. 
With Reader and Instapaper you have the option to mail a link; set up Tweetymail with your Twitter account and you can tweet your message and the link via email. These can simply queue up when you are offline and send automatically, much better than the drafts in the Twitter app which you have to remember to post. Tweetymail will also alert you on @mentions via email, so if the iPhone notification system annoys you it is a great alternative.&amp;nbsp;You can also get your timeline with filters, and of course any links can be added to Instapaper for later reading.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;a href=&quot;http://thefriendmail.com/&quot;&gt;Friendmail&lt;/a&gt;&lt;/b&gt; – a new addition from the makers of Tweetymail, for Facebook. Gives you a twice-daily Facebook news feed and allows you to post status updates, comments and even likes. All done via email offline and posted when you have a connection again.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Email PDFs and iBooks&lt;/b&gt; – PDFs and PDF links can be emailed to yourself and then opened in iBooks. Until Instapaper adds PDF support this is a good way, if a little cumbersome, to read documents people annoyingly insist on publishing only via PDF.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;a href=&quot;http://hnrecap.com/&quot;&gt;HNRecap&lt;/a&gt;&lt;/b&gt; – good site that sorts the best Hacker News stories of the day, with a handy button for adding to Instapaper.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;a href=&quot;http://itunes.apple.com/us/app/posterous/id394252521?mt=8#&quot;&gt;Posterous&lt;/a&gt; and &lt;a href=&quot;http://itunes.apple.com/us/app/tumblr/id305343404?mt=8#&quot;&gt;Tumblr&lt;/a&gt; apps&lt;/b&gt; – both of these have a much better interface than the Blogger app, unfortunately, for now. They make it very easy to post pictures and blogs. 
Posterous in particular is great as it allows you to write a blog post via email without even needing the app.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Push email&lt;/b&gt; - a lot of what I talked about above needs push email that is automatically downloaded to your phone. Set up your email to use IMAP (instructions for Gmail &lt;a href=&quot;http://www.google.co.uk/url?sa=t&amp;amp;source=web&amp;amp;cd=2&amp;amp;ved=0CCQQFjAB&amp;amp;url=http%3A%2F%2Fmail.google.com%2Fsupport%2Fbin%2Fanswer.py%3Fanswer%3D77695&amp;amp;ei=hoyMTZH2OYy4hAevrNWoCw&amp;amp;usg=AFQjCNGEAW6NviSLYwg0m0oSGYxFQNODHQ&amp;amp;sig2=sMpKS08H_a4ay_avrEUjvw&quot;&gt;here&lt;/a&gt;) and then set on your iPhone: Settings &amp;gt; Mail, Calendar, Contacts &amp;gt; Fetch New Data - Push; I use every 15 minutes. I have found IMAP a lot better than Exchange for accurate and timely sync.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;b&gt;[Edit] &lt;a href=&quot;http://pipes.yahoo.com/pipes/&quot;&gt;Yahoo pipes&lt;/a&gt; and &lt;a href=&quot;http://www.wizardrss.com/&quot;&gt;WizardRSS&lt;/a&gt;&lt;/b&gt; - After the&amp;nbsp;disappointment&amp;nbsp;of Instapaper removing full-text RSS to folders, I found WizardRSS. This is a service based on &lt;a href=&quot;http://pipes.yahoo.com/pipes/&quot;&gt;Yahoo pipes&lt;/a&gt; that lets you get the full text of any RSS feed. I was very happy to find it worked well for &lt;a href=&quot;http://www.wizardrss.com/feed/news.ycombinator.com/rss&quot;&gt;Hacker News&lt;/a&gt;. You can do some amazing things with Yahoo pipes, for example an &lt;a href=&quot;http://pipes.yahoo.com/pipes/pipe.run?_id=bb3582b4c9e68a825da0d903d537d870&amp;amp;_render=rss&quot;&gt;Engadget feed&lt;/a&gt; I built that is ranked by Postrank. 
Below is a great set of slides showing the power of Yahoo pipes and how to get more out of RSS for your busy day and offline reading.&lt;br /&gt;&lt;br /&gt;I have created the following pipes, which you are welcome to use; you can just add the links directly into Reader to get the RSS feed. The Postrank numbers work for me; feel free to clone the pipe and adjust the number:&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://pipes.yahoo.com/engadgetpr/techblogsrsspr10&quot;&gt;Popular tech blogs&lt;/a&gt; - TechCrunch, ReadWriteWeb, Mashable, Techmeme etc. with a Postrank above 8.0&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://pipes.yahoo.com/engadgetpr/hackernewsfullcopyprabove7&quot;&gt;Hacker News&lt;/a&gt; - full copy of Hacker News articles with Postrank above 8.0&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://pipes.yahoo.com/engadgetpr/securitybloggersprabove7&quot;&gt;Security bloggers network&lt;/a&gt; - filtered for articles with Postrank above 7.0&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://pipes.yahoo.com/engadgetpr/dailynewspr10&quot;&gt;Daily news&lt;/a&gt; - with Postrank above 10.0, because I feel like I live in a geek bubble&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;If you create any cool pipes, please leave the link in the comments.&lt;/div&gt;&lt;br /&gt;&lt;div id=&quot;__ss_7269594&quot; style=&quot;width: 595px;&quot;&gt;&lt;strong style=&quot;display: block; margin: 12px 0 4px;&quot;&gt;&lt;a href=&quot;http://www.slideshare.net/geekygirldawn/sxsw-hacking-rss-filtering-processing-obscene-amounts-of-information&quot; title=&quot;SXSW Hacking RSS: Filtering &amp;amp; Processing Obscene Amounts of Information&quot;&gt;SXSW Hacking RSS: Filtering &amp;amp; Processing Obscene Amounts of Information&lt;/a&gt;&lt;/strong&gt; &lt;br /&gt;&lt;div style=&quot;padding: 5px 0 12px;&quot;&gt;View more &lt;a href=&quot;http://www.slideshare.net/&quot;&gt;presentations&lt;/a&gt; from &lt;a href=&quot;http://www.slideshare.net/geekygirldawn&quot;&gt;Dawn Foster&lt;/a&gt; &lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Would love to know any other tips; message me &lt;a href=&quot;http://twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt; or leave a comment.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;My curated lists:&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;a href=&quot;http://www.instapaper.com/starred/rss/759758/04YH35R06nBhQGYlWozC7x63U5Y&quot;&gt;Liked on Instapaper RSS feed&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.google.com/reader/public/atom/user%2F00560647208152517952%2Fstate%2Fcom.google%2Fstarred&quot;&gt;Starred on Google Reader&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/aramisfirefly/4052161755/sizes/s/in/photostream/&quot;&gt;Matthew Stuart&lt;/a&gt;, Flickr&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/5558193956901402445/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/feeding-offline-reading-habit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5558193956901402445'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5558193956901402445'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/feeding-offline-reading-habit.html' title='Feeding an offline reading habit'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh4.googleusercontent.com/-XNvE6eL8T2E/TYyLGDfL4kI/AAAAAAAAB7s/uptPYcrUxns/s72-c/4052161755_a5ba7e6651_m.jpg" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-6483021660344831187</id><published>2011-03-14T00:00:00.002+00:00</published><updated>2011-04-01T00:37:59.482+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Secure Development"/><category scheme="http://www.blogger.com/atom/ns#" term="Security norms"/><title type='text'>Mitigating OWASP top 10 without any code</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh5.googleusercontent.com/--98XHQ681yU/TX1aTkEBA0I/AAAAAAAAA20/kL_ZgSevmo0/s1600/2078076913_74ab13ddb4_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;200&quot; src=&quot;https://lh5.googleusercontent.com/--98XHQ681yU/TX1aTkEBA0I/AAAAAAAAA20/kL_ZgSevmo0/s200/2078076913_74ab13ddb4_m.jpg&quot; width=&quot;150&quot; /&gt;&lt;/a&gt;&lt;/div&gt;We have been taught in the last 10 years that application security is what is important, that software must be coded securely and that infrastructure was becoming less and less&amp;nbsp;relevant. So why is it then that when I am writing a security view for a recent project, the majority of my web&amp;nbsp;application&amp;nbsp;security threats are mitigated via the infrastructure?&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;The OWASP top 10 has become a bible for web application security and the &lt;a href=&quot;http://msdn.microsoft.com/en-us/library/ff649461.aspx&quot;&gt;Microsoft security frame&lt;/a&gt; a very useful checklist. How about if you could defend against all the OWASP top 10 and implement all the controls in the security frame without touching one line of code? 
That is what we got close to on this project:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;table border=&quot;1&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;MsoNormalTable&quot; style=&quot;border: outset #ECE5B6 1.0pt; mso-cellspacing: 0cm; mso-padding-alt: 0cm 0cm 0cm 0cm; mso-yfti-tbllook: 1184;&quot;&gt;&lt;tbody&gt;&lt;tr style=&quot;mso-yfti-firstrow: yes; mso-yfti-irow: 0;&quot;&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;&lt;b&gt;MS Security Frame Control&lt;/b&gt;&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;&lt;b&gt;OWASP Top 10 threat mitigated&lt;/b&gt;&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;&lt;b&gt;Infrastructure control&lt;/b&gt;&lt;/td&gt;  &lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 1;&quot;&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Input validation&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A1 - Injection&lt;br /&gt;&lt;br /&gt;A2 - Cross site scripting&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A BIG-IP F5 with a web application firewall and   layer 7 IPS modules deployed in front of the presentation servers. As a web   application with less than 20 forms and 50 input fields it was simple to   write whitelist validation rules for all input. The input was generally   alphanumeric only and/or could be tightly validated with a regex. 
Where input   is used in output the WAF provides escaping.&lt;br /&gt;&lt;br /&gt;A further protocol analysis firewall between the   application and database servers validated that no SQL or OS commands   were passed even though&amp;nbsp; &amp;nbsp;paramaterised queries are being used,   adding&amp;nbsp;defence&amp;nbsp;in depth.&lt;/td&gt;  &lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 2;&quot;&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Authentication&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A3 - Broken authentication and session management&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;All requests to the web application are   intercepted by Siteminder as the web application manager (WAM). Site minder   provides an authentication screen and validates credentials against an LDAP.   Siteminder also calls on the RSA server to provide a step up two   factor&amp;nbsp;authentication&amp;nbsp;and can be used to include federated single   sign-on in future.&lt;/td&gt;  &lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 3;&quot;&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Authorization&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A4 - Direct object references&lt;br /&gt;&lt;br /&gt;A8 - Failure to restrict URL access&lt;br /&gt;&lt;br /&gt;A10 -&amp;nbsp;Un-validated&amp;nbsp;redirects and   forwards&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Siteminder checks the users LDAP group,   determines the users role and ID and injects this into every http header as   an encrypted and signed token. 
The application can then use this to determine   the functions and information that should be available to the user (note code   is required here but the Java Spring framework built-in operator)&lt;/td&gt;  &lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 4;&quot;&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Configuration&amp;nbsp; &amp;nbsp;management&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A6 - Security misconfiguration&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Secured through authentication   and&amp;nbsp;authorization&amp;nbsp;detailed above&lt;br /&gt;&lt;br /&gt;Hardened builds are used for all infrastructure   and Tripwire is used to monitor file integrity and   key&amp;nbsp;configuration&amp;nbsp;settings. nCircle is used to scan for   vulnerabilities and a patching process exists.&lt;/td&gt;  &lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 5;&quot;&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Protecting sensitive data&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A7 - Insecure cryptographic storage&lt;br /&gt;&lt;br /&gt;A9 - Insufficient transport layer protection&lt;/td&gt;   &lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;The F5 also establishes the TLS connection and   provides SSL offload capability to improve performance. Sensitive data fields   are encrypted using the DB2 database encryption. 
Keys are stored in a hardware security module attached to the database server.&lt;/td&gt;&lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 6;&quot;&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Session management&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A3 - Broken authentication and session management&lt;br /&gt;&lt;br /&gt;A5 - Cross-site request forgery&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;The WebSphere application manager manages the session and inserts form tokens to prevent CSRF.&lt;/td&gt;&lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 7;&quot;&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Cryptography&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;A7 - Insecure cryptographic storage&lt;br /&gt;&lt;br /&gt;A9 - Insufficient transport layer protection&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;No custom cryptography is used as it is all performed by the infrastructure. The RSA-2048, AES-256 and SHA-256 algorithms and key lengths are used. 
The passwords stored in the LDAP are hashed and salted.&lt;/td&gt;&lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 8;&quot;&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Exception management&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;The F5 web application firewall ensures that only a whitelist of exception data can be output. Stack traces, SQL, credit card numbers etc. are not allowed to be output.&lt;/td&gt;&lt;/tr&gt;&lt;tr style=&quot;mso-yfti-irow: 9; mso-yfti-lastrow: yes;&quot;&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Auditing and logging&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;&lt;/td&gt;&lt;td style=&quot;border: inset #ECE5B6 1.0pt; padding: 1.5pt 1.5pt 1.5pt 1.5pt;&quot; valign=&quot;top&quot;&gt;Logging is performed in the web application firewall, Siteminder and Apache. All logs are exported to a central Splunk repository where alerts and correlations are defined for monitoring.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;All the key controls are implemented in the infrastructure. Developers can be left to code the functionality and improve performance. 
The security controls can also be implemented at a &lt;a href=&quot;http://rakkhi.blogspot.com/2011/01/early-security-engagement-critical-or.html&quot;&gt;company level&lt;/a&gt;, with minimal security involvement required per project. Is it just that when all you have is a hammer, everything looks like a nail, or is this truly a better approach?&lt;br /&gt;&lt;br /&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/marcelgermain/2078076913/sizes/s/in/photostream/&quot;&gt;MarcelGermain&lt;/a&gt; Flickr&lt;br /&gt;&lt;br /&gt;Like this post? Get updates via &lt;a href=&quot;http://feeds.feedburner.com/RSSC&quot;&gt;RSS&lt;/a&gt; or follow me on Twitter &lt;a href=&quot;http://www.twitter.com/rakkhis&quot;&gt;@rakkhis&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/6483021660344831187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/mitigating-owasp-top-10-without-any.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/6483021660344831187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/6483021660344831187'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/mitigating-owasp-top-10-without-any.html' title='Mitigating OWASP top 10 without any code'/>
<author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh5.googleusercontent.com/--98XHQ681yU/TX1aTkEBA0I/AAAAAAAAA20/kL_ZgSevmo0/s72-c/2078076913_74ab13ddb4_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-2387932495786693909</id><published>2011-03-13T21:42:00.006+00:00</published><updated>2011-06-28T19:06:48.828+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Identity management"/><category scheme="http://www.blogger.com/atom/ns#" term="Privacy"/><category scheme="http://www.blogger.com/atom/ns#" term="Social media"/><title type='text'>Google+ - many ways to do identity?</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;b&gt;Update 2011/06/28&lt;/b&gt;:&lt;br /&gt;&lt;br /&gt;Looks like Google+ finally launched, if only to a select group of invitees: &lt;a href=&quot;http://techcrunch.com/2011/06/28/google-plus/&quot;&gt;http://techcrunch.com/2011/06/28/google-plus/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More analysis of the security and identity implications of circles to come as more information comes out. Having it baked in should make a lot of difference. Lessons look to have been learned, with Instagram-type filters for photo sharing and a mobile application built from the start. 
&lt;br /&gt;&lt;br /&gt;Let&#39;s just hope it doesn&#39;t take a Wave timeframe to launch to everyone.&lt;br /&gt;&lt;br /&gt;--------&lt;br /&gt;Exciting news today with Google circles to be &lt;a href=&quot;http://www.readwriteweb.com/archives/google_to_launch_major_new_social_network_called_c.php&quot;&gt;announced&lt;/a&gt; at SXSW and then disappointingly &lt;a href=&quot;http://networkeffect.allthingsd.com/20110313/new-google-circles-would-have-more-nuanced-sharing-but-google-says-no-launch-imminent/&quot;&gt;not&lt;/a&gt;. Let&#39;s hope that Google can learn the &lt;a href=&quot;http://mashable.com/2010/08/06/google-wave-lessons/&quot;&gt;lessons of Wave&lt;/a&gt; about not stretching the hype for too long before the launch and not screwing up privacy. Let&#39;s also hope they can deliver something that is truly engaging and delivers the vision of law 5 in the Laws of Identity, where others have &lt;a href=&quot;http://rakkhi.blogspot.com/2011/01/obama-cyber-id-bad-idea.html&quot;&gt;failed&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;b&gt;&lt;a href=&quot;http://www.identityblog.com/?p=286&quot;&gt;5. Pluralism of Operators and Technologies&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers&lt;/blockquote&gt;Facebook Groups has &lt;a href=&quot;http://www.quora.com/Facebook-Groups/Why-will-Facebook-Groups-fail&quot;&gt;yet to solve this problem&lt;/a&gt;, and Zuckerberg&#39;s quote &quot;Having two identities for yourself is an example of a lack of integrity&quot; may suggest they &lt;a href=&quot;http://www.zephoria.org/thoughts/archives/2010/05/14/facebook-and-radical-transparency-a-rant.html&quot;&gt;will never get it&lt;/a&gt; and don&#39;t see that as a problem.&lt;br /&gt;&lt;br /&gt;More analysis to come as details on Google Circles are released. 
Until then, this deck outlining what is possible the vision behind Google circles is well worth reading:&lt;br /&gt;&lt;br /&gt;The videos are well done:&lt;br /&gt;http://www.google.com/intl/en_uk/+/learnmore/forum/&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/xwnJ5Bl4kLI&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/BeMZP-oyOII&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/MRkAdTflltc&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/Tku1vJeuzH4&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/6y_xKVSRAy8&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/iA22daAstNg&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe allowfullscreen=&quot;&quot; frameborder=&quot;0&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/0DoAl4JXhQo&quot; width=&quot;560&quot;&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/ocPeAdpe_A8&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=&quot;560&quot; height=&quot;349&quot; src=&quot;http://www.youtube.com/embed/QN38vHZjWXw&quot; frameborder=&quot;0&quot; 
allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;br /&gt;&lt;div id=&quot;__ss_4656436&quot; style=&quot;width: 477px;&quot;&gt;&lt;b style=&quot;display: block; margin: 12px 0 4px;&quot;&gt;&lt;a href=&quot;http://www.slideshare.net/padday/the-real-life-social-network-v2&quot; title=&quot;The Real Life Social Network v2&quot;&gt;The Real Life Social Network v2&lt;/a&gt;&lt;/b&gt; &lt;br /&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;object height=&quot;510&quot; id=&quot;__sse4656436&quot; width=&quot;477&quot;&gt; &lt;param name=&quot;movie&quot; value=&quot;http://static.slidesharecdn.com/swf/doc_player.swf?doc=vtm2010-100701010846-phpapp01&amp;stripped_title=the-real-life-social-network-v2&amp;userName=padday&quot; /&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;/&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;/&gt;&lt;embed name=&quot;__sse4656436&quot; src=&quot;http://static.slidesharecdn.com/swf/doc_player.swf?doc=vtm2010-100701010846-phpapp01&amp;stripped_title=the-real-life-social-network-v2&amp;userName=padday&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;477&quot; height=&quot;510&quot;&gt;&lt;/embed&gt; &lt;/object&gt;&amp;nbsp;&lt;/div&gt;&lt;br /&gt;&lt;div style=&quot;padding: 5px 0 12px;&quot;&gt;View more &lt;a href=&quot;http://www.slideshare.net/&quot;&gt;documents&lt;/a&gt; from &lt;a href=&quot;http://www.slideshare.net/padday&quot;&gt;Paul Adams&lt;/a&gt; &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/2387932495786693909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/google-circles-many-ways-to-do-identity.html#comment-form' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2387932495786693909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/2387932495786693909'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/google-circles-many-ways-to-do-identity.html' title='Google+ - many ways to do identity?'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://img.youtube.com/vi/xwnJ5Bl4kLI/default.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-7707522445260396772</id><published>2011-03-13T01:35:00.004+00:00</published><updated>2011-04-17T17:34:15.919+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="DDOS"/><title type='text'>DDOS protection strategies</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh4.googleusercontent.com/-O1AFm-D6Y9w/TXwZSh81ebI/AAAAAAAAAwo/NmRcEV-7ws8/s1600/5405357868_c3527b1e27_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://lh4.googleusercontent.com/-O1AFm-D6Y9w/TXwZSh81ebI/AAAAAAAAAwo/NmRcEV-7ws8/s1600/5405357868_c3527b1e27_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Distributed Denial of Service (DDOS) has drawn attention &lt;a 
href=&quot;http://blekko.com/ws/ddos+/techblogs+/date&quot;&gt;lately&lt;/a&gt;&amp;nbsp;with incidents ranging from&amp;nbsp;Anonymous&amp;nbsp;&lt;a href=&quot;http://www.readwriteweb.com/archives/ddos_attacks_take_down_mastercard_and_visa_website.php&quot;&gt;taking down&lt;/a&gt; the Visa and Mastercard sites as retribution for cutting donations to Wikileaks, to Wordpress being &lt;a href=&quot;http://techcrunch.com/2011/03/04/wordpress/&quot;&gt;attacked&lt;/a&gt; by the Chinese. A talk at the &lt;a href=&quot;http://dc4420.org/&quot;&gt;DC4420&lt;/a&gt; meetup in London described DDOS as the modern political protest, comparable to a crowd protesting on Oxford street. The protest means that some people cannot go shopping, and there is media attention drawn to the cause; Paypal goes down for a few hours, the techblogs, Twitter and eventually old media play a similar role. In addition, the few million the site loses to downtime means that they may think twice about bowing to&amp;nbsp;pressure so quickly from a US&amp;nbsp;senator. Regardless of motives, if you operate a major website today, especially one where every minute of downtime has an impact to the bottom line, DDOS protection&amp;nbsp;is something you have to think about.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;The most important thing to remember is that no DDOS protection strategy will be 100% effective. If the attackers can throw &lt;a href=&quot;http://www.securityweek.com/ddos-attacks-exceed-100-gbps-attack-surface-continues-expand&quot;&gt;100gbps&lt;/a&gt;&amp;nbsp;at you for long enough then you will eventually go down. For most sites paying for that kind of redundant capacity is just not economical. But it&#39;s not just brute force, mitigating resource exhaustion is also an important consideration. 
Throwing a massive amount of network traffic from all around the world will eventually work, but it is expensive and/or hard to coordinate. If an attack can simply exhaust CPU, memory or file descriptors, or target services such as DNS, the attackers still achieve their goal.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;In designing a DDOS protection strategy for a recent project my objectives were:&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Run faster than the guy running from the bear, e.g. Paypal did not go down in the Wikileaks fallout&lt;/li&gt;&lt;li&gt;Survive a sustained attack - at least for 24 hours and if possible a week. If a botnet is being hired, then the longer it needs to operate and the larger it needs to be, the more money it is costing the attacker. Even for crowd-sourced botnets like the low orbit cannon, timing is critical. A political statement is only powerful if you can announce your message and then deliver while the fickle news cycle is paying attention&lt;/li&gt;&lt;li&gt;The cost of DDOS protection should be less than the cost of the downtime. The total cost of protection options can be annualized and then calculated as a cost per hour or minute. The cost of downtime is usually calculated as part of DR or availability SLAs, and even if you cannot get exact costs you should be able to make range estimates. If there is no downtime cost then there is no need to have DDOS protection. For example, when the Visa and Mastercard sites went down: they do not process any payments through those sites, so who cares? 
If Paypal or Amazon went down, on the other hand... Assuming there is a downtime cost, your goal is something like this:&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh5.googleusercontent.com/-Rwb6pKdonAQ/TXuuuFH90vI/AAAAAAAAAwg/X5HFStdl5Ds/s1600/ddos+protection.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;243&quot; src=&quot;https://lh5.googleusercontent.com/-Rwb6pKdonAQ/TXuuuFH90vI/AAAAAAAAAwg/X5HFStdl5Ds/s400/ddos+protection.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;With a focus also on simplicity and defence in depth, here was my protection strategy:&lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;DDOS filtering service&lt;/b&gt; - provided by the ISP or a specialist firm such as &lt;a href=&quot;http://www.prolexic.com/&quot;&gt;Prolexic&lt;/a&gt;, &lt;a href=&quot;http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/ddos/index.xhtml&quot;&gt;Verisign&lt;/a&gt;, &lt;a href=&quot;http://www.dosarrest.com/&quot;&gt;Dosarrest&lt;/a&gt; etc. An ISP is the simplest option and most large ISPs will offer this service. Specialist services will require DNS redirection or a GRE tunnel with BGP route advertisement. The service should include detection and rapid response. When a DDOS attack is detected, they should have a network to filter the DDOS traffic before it gets to your network. 
A &lt;a href=&quot;http://news.ycombinator.com/item?id=1986728&quot;&gt;good post&lt;/a&gt; on Hacker News also backs this as the number one strategy and recommends installing the tools to be able to give the protection service precise and useful data on why you think you may be under DDOS attack if they have not detected it, rather than just &quot;help, I&#39;m under a DDOS attack&quot;&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Capacity to not fail immediately&lt;/b&gt; - border routers, firewalls, IPS and web application firewalls need sufficient capacity to not be immediately overwhelmed. These are not so much for DDOS protection, but as they sit between the attacker and your servers their capacity needs to be a consideration. My line in the sand was 5 Gbps and 10 million packets per second (pps) for all in-line network kit as of March 2011, considering the cost-benefit equation above&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;DOS protection features in network appliances&lt;/b&gt; - virtually all modern firewalls and IPS have some DOS protection features. A web application firewall can also perform some layer 7 defence, and specialist appliances such as &lt;a href=&quot;http://www.cisco.com/en/US/products/ps5888/index.html&quot;&gt;Cisco Guard&lt;/a&gt; also exist (Edit: Cisco Guard is now end of life and you could try something like the &lt;a href=&quot;http://www.arbornetworks.com/cleanpipes&quot;&gt;Arbor TMS&lt;/a&gt;). For example, we have an F5 Big-IP performing load balancing, with IPS and web application firewall modules. The old-school ping of death, SYN floods and smurf attacks are tickbox options and not representative of a DDOS attack today, but why not enable them anyway. 
The web app firewall can also perform rate limiting by IP or URL, and blacklist IPs when they reach a transactions-per-second limit or a certain latency. Both of these will require monitoring and tuning and may not help you greatly against attacks launched from numerous unrelated endpoints, but they are protection against the lone gunman and defence in depth. &lt;a href=&quot;http://www.zdziarski.com/blog/?page_id=442&quot;&gt;mod_evasive&lt;/a&gt; and other Apache tuning can provide similar features if you do not have an appliance.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;SSL accelerator&lt;/b&gt; - hat tip to the DC4420 talk by &lt;a href=&quot;http://www.thc.org/&quot;&gt;THC&lt;/a&gt; for this one: he calculated that an SSL connection takes 15 times more server resources than client resources. On a low-power laptop he could generate 1000 SSL connections per second (cps), while a small web server (think an Amazon EC2 small instance) could only manage 80 cps. However, with an SSL accelerator that increased to 60,000 cps, so deploy an SSL accelerator&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Rehearsed plan&lt;/b&gt; - having DDOS monitoring and response in the security incident plan and rehearsing it. 
Asking penetration testers to specifically look for architectural and technical DOS vulnerabilities and advising on remediating them&lt;/li&gt;&lt;/ul&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Other mitigations which were not right for this project but are worth exploring:&lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Redundant ISPs with an Nginx cluster&lt;/b&gt; - a great approach detailed &lt;a href=&quot;http://blog.unixy.net/2010/08/the-penultimate-guide-to-stopping-a-ddos-attack-a-new-approach/&quot;&gt;here&lt;/a&gt;. It basically involves using a reverse proxy with web servers hosted at multiple ISPs:&lt;/li&gt;&lt;/ul&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh6.googleusercontent.com/-rXdeSXS_ha8/TXwGNrrLNeI/AAAAAAAAAwk/iFDd-lEo9GA/s1600/nginx_constellation.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;https://lh6.googleusercontent.com/-rXdeSXS_ha8/TXwGNrrLNeI/AAAAAAAAAwk/iFDd-lEo9GA/s320/nginx_constellation.png&quot; width=&quot;210&quot; /&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html&quot;&gt;Roboo - HTTP robot mitigator&lt;/a&gt;&lt;/b&gt; - an open source tool that uses a challenge-response mechanism to identify HTTP robots. There is also a good PowerPoint deck on DDOS presented at Black Hat Europe 2011. It works on the Nginx web server, so it is really good if you are also using the above strategy. 
&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/alatryste/5405357868/sizes/s/in/photostream/&quot;&gt;Alatryste&lt;/a&gt; Flickr&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/7707522445260396772/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/ddos-protection-strategies.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7707522445260396772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7707522445260396772'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/ddos-protection-strategies.html' title='DDOS protection strategies'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh4.googleusercontent.com/-O1AFm-D6Y9w/TXwZSh81ebI/AAAAAAAAAwo/NmRcEV-7ws8/s72-c/5405357868_c3527b1e27_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-5623291836723708043</id><published>2011-03-09T03:01:00.000+00:00</published><updated>2011-03-09T03:05:56.052+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Authentication"/><title type='text'>Password stolen: an ounce of prevention</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh4.googleusercontent.com/-yKsCgemo5bQ/TXbswn3D8-I/AAAAAAAAAwc/z3emC35TI_g/s1600/362527788_a603f4195b_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;200&quot; src=&quot;https://lh4.googleusercontent.com/-yKsCgemo5bQ/TXbswn3D8-I/AAAAAAAAAwc/z3emC35TI_g/s200/362527788_a603f4195b_m.jpg&quot; width=&quot;133&quot; /&gt;&lt;/a&gt;&lt;/div&gt;My response to a &lt;a href=&quot;http://www.helpareporter.com/&quot;&gt;HARO&lt;/a&gt; question: Recent hacks potentially compromised the passwords of hundreds of thousands of users on popular websites, a real problem since people seldom maintain unique passwords. This story looks at what you should do when your password is potentially compromised, outlining good password hygiene.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;This got me thinking of a situation where someone has used the same password across almost every site and service on the Internet and they find out it is compromised. 
I could brainstorm lots of ideas on how to prevent this from happening, but very few once it had actually happened.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;Response - the pound of cure&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;If the password is for a single site then you can follow a process like this:&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh5.googleusercontent.com/-gTr50eIYyQQ/TXbi3OwG0UI/AAAAAAAAAwY/jCOgOjuNpmE/s1600/resetpass.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;131&quot; src=&quot;https://lh5.googleusercontent.com/-gTr50eIYyQQ/TXbi3OwG0UI/AAAAAAAAAwY/jCOgOjuNpmE/s320/resetpass.png&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The problem really arises if that same password works for tens if not hundreds of sites, if you are not even aware of which sites you have used that password on, or if the password is for your email accounts, which allows someone to reset passwords on other sites or get enough personal information to have a good guess at other passwords or secret questions. If this is the case, then I think you need a multi-pronged approach:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;&lt;i&gt;Discovery:&lt;/i&gt;&lt;/b&gt; you can use sources such as your browser history or the sites for which your browser has saved passwords to identify where you need to change your password&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;&lt;i&gt;Prioritize:&lt;/i&gt;&lt;/b&gt; target the critical sites that can really hurt you. 
Anything banking or payments related; this includes anywhere you have linked your credit card or bank account, e.g. Paypal, iTunes, or a betting or online stock broking account. Email accounts that could be used to reset passwords, social networking and other sites which hold a lot of identity information.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Other measures you can take are to contact organizations such as your bank, which can then monitor your Internet banking, credit cards etc. more closely and raise the risk score for these in their systems. Getting some identity theft protection and monitoring of credit record checks is also a good move, especially if you believe some of those critical sites have been compromised.&lt;br /&gt;&lt;br /&gt;That was really it for response; not a great deal I could come up with. Prevention really does seem a much better way to go, even if it just minimizes the number of sites impacted.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;font-size: large;&quot;&gt;The ounce of prevention&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;There are a number of steps to prevent this from occurring:&lt;br /&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;i&gt;Eliminating passwords&lt;/i&gt;&lt;/b&gt; - you could get a simple hardware token such as a &lt;a href=&quot;http://yubico.com/&quot;&gt;Yubikey&lt;/a&gt;, and there are a number of &lt;a href=&quot;http://wiki.yubico.com/wiki/index.php/Main_Page&quot;&gt;sites&lt;/a&gt; that will let you use that instead of a password. 
Registering for &lt;a href=&quot;http://openid.net/&quot;&gt;OpenID&lt;/a&gt; is also a good idea: this lets you have one account for many different sites which, depending on the OpenID provider, can be strongly authenticated with something like a Yubikey or, if you choose Google, their new &lt;a href=&quot;http://www.google.com/support/accounts/bin/static.py?page=guide.cs&amp;amp;guide=1056283&amp;amp;topic=1056284&quot;&gt;two step verification process&lt;/a&gt;. Having a second authentication factor means that even if you lose your password an attacker cannot get access to your accounts without also having the hardware token or your phone.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;i&gt;Password manager&lt;/i&gt;&lt;/b&gt; - there are a number of popular ones such as Lastpass, 1Password and KeePass. An &lt;a href=&quot;https://www.ironkey.com/&quot;&gt;Ironkey&lt;/a&gt; is also a good option as it provides a hardware encrypted USB key with a built-in Firefox browser and password manager. These allow you to generate a strong password that is different for each site while still getting the benefits of convenient login, and they can be accessed on your mobile so they are available everywhere. I wrote in more detail about password managers &lt;a href=&quot;http://rakkhi.blogspot.com/2010/12/why-you-should-use-password-vault.html&quot;&gt;here&lt;/a&gt;.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;i&gt;Choose a strong password&lt;/i&gt;&lt;/b&gt; - good practice these days is at least 8 characters, letters and numbers, upper and lower case and symbols or special characters. This makes it unlikely that someone could guess or brute-force your password.
Using a passphrase, a longer phrase that is memorable, is another good alternative.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;i&gt;Password reset&lt;/i&gt;&lt;/b&gt; - often a weak point. Make sure you choose strong security question answers and follow the same practice as for choosing strong passwords, because there is no point having a strong password that can be reset with &quot;apple&quot; and &quot;england&quot;. Having an alternate email account registered to receive password resets in case your primary is compromised is also a good idea.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;i&gt;Internet hygiene&lt;/i&gt;&lt;/b&gt; - there are simple measures you can take to avoid disclosing your password online: not clicking on any links from senders you do not recognize, not opening email from senders you do not recognize, running up-to-date antivirus and a personal firewall, and patching your operating system, browser and common programs like Acrobat Reader, Office and Java. Running a few useful add-ons like &lt;a href=&quot;http://noscript.net/&quot;&gt;NoScript&lt;/a&gt; (allows you to enable JavaScript only where you want) and &lt;a href=&quot;https://www.eff.org/https-everywhere&quot;&gt;HTTPS Everywhere&lt;/a&gt; (which attempts to connect to the secure versions of all your favourite sites). Only entering your password after verifying in the address bar that it is actually the site you are supposed to be at and that there is a padlock indicating you are browsing over HTTPS.
You will never win a free iPad so avoid those free surveys!&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Photo credit: &lt;a href=&quot;http://www.flickr.com/photos/harmony19490/362527788/sizes/s/in/photostream/&quot;&gt;Ngọc Hà&lt;/a&gt; (Flickr)&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/5623291836723708043/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/password-stolen-ounce-of-prevention.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5623291836723708043'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5623291836723708043'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/password-stolen-ounce-of-prevention.html' title='Password stolen: an ounce of prevention'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh4.googleusercontent.com/-yKsCgemo5bQ/TXbswn3D8-I/AAAAAAAAAwc/z3emC35TI_g/s72-c/362527788_a603f4195b_m.jpg" height="72" width="72"/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-3859723146814737947</id><published>2011-03-09T01:16:00.000+00:00</published><updated>2011-03-09T01:20:59.944+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Rant"/><title type='text'>Why advertise your Facebook 
site?</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;If you do not learn from history:&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh6.googleusercontent.com/-EUQ8oQGmMjE/TXbQMiEhZKI/AAAAAAAAAwM/xv9YL5b_6_8/s1600/MainMenuUK.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;238&quot; src=&quot;https://lh6.googleusercontent.com/-EUQ8oQGmMjE/TXbQMiEhZKI/AAAAAAAAAwM/xv9YL5b_6_8/s400/MainMenuUK.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh4.googleusercontent.com/-r6bGsEAuLsw/TXbQUzaGdII/AAAAAAAAAwU/kMQq9dj_obw/s1600/Nickelodeon.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;/a&gt;&lt;/div&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh4.googleusercontent.com/-r6bGsEAuLsw/TXbQUzaGdII/AAAAAAAAAwU/kMQq9dj_obw/s1600/Nickelodeon.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;br /&gt;&lt;img border=&quot;0&quot; height=&quot;258&quot; src=&quot;https://lh4.googleusercontent.com/-r6bGsEAuLsw/TXbQUzaGdII/AAAAAAAAAwU/kMQq9dj_obw/s400/Nickelodeon.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;You are doomed to repeat it:&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh3.googleusercontent.com/-PfDAMaFCMcg/TXbQUIqAUkI/AAAAAAAAAwQ/9XoZ69zVypA/s1600/facebook+nice.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; 
height=&quot;232&quot; src=&quot;https://lh3.googleusercontent.com/-PfDAMaFCMcg/TXbQUIqAUkI/AAAAAAAAAwQ/9XoZ69zVypA/s400/facebook+nice.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Since reading &lt;a href=&quot;http://www.markevanstech.com/2010/11/27/is-facebook-the-new-aol/&quot;&gt;Mark Evans&#39;s&lt;/a&gt; post last year, every time I see an advertisement on TV or a billboard with the Facebook site link (http://www.facebook.com/brand) instead of the brand&#39;s primary website I cringe. It is not that I have anything against Facebook; for me it is a brilliant tool for keeping in touch with people on three continents. I just do not get people that follow brands on Facebook though. Sure, maybe there are deals, e.g. the Starbucks page, but that does not seem worth polluting your newsfeed for.&lt;br /&gt;&lt;br /&gt;I especially do not get brands that promote their Facebook page ahead of their primary website. Sure, people are spending about a third of their time online on Facebook and about a quarter of everyone on the Internet is on Facebook, but if you are going to spend millions on advertising why direct people to your Facebook page? I mean it is easy enough to link to the Facebook page and use it for deals, comments etc., but surely your advertising should promote your primary site. Any users that spend their life on Facebook and want to follow brands are going to find your site from a link or by searching directly on Facebook anyway. Not only is advertising your Facebook page putting all your eggs in the &lt;strike&gt;AOL&lt;/strike&gt; Facebook basket, it cannot be good for SEO or for having your main site front of mind with your consumers.
Also unless you have started to use Facebook credits and are transacting through your site or sell nothing online, surely you are better off having users go directly to your main site and actually make you money?&amp;nbsp;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/3859723146814737947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/why-advertise-your-facebook-site.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/3859723146814737947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/3859723146814737947'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/why-advertise-your-facebook-site.html' title='Why advertise your Facebook site?'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh6.googleusercontent.com/-EUQ8oQGmMjE/TXbQMiEhZKI/AAAAAAAAAwM/xv9YL5b_6_8/s72-c/MainMenuUK.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-5852479056376701921</id><published>2011-03-04T22:41:00.000+00:00</published><updated>2011-03-04T22:44:23.400+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="2FA"/><category scheme="http://www.blogger.com/atom/ns#" term="Classification"/><category scheme="http://www.blogger.com/atom/ns#" term="DLP"/><category scheme="http://www.blogger.com/atom/ns#" term="Encryption"/><title type='text'>Data classification: start with the end in mind</title><content 
type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://lh5.googleusercontent.com/-PNln3wzsQbc/TXFiJARTgOI/AAAAAAAAAwI/v_QjjjirVnY/s1600/51519638_6b899a7d1c_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;172&quot; src=&quot;https://lh5.googleusercontent.com/-PNln3wzsQbc/TXFiJARTgOI/AAAAAAAAAwI/v_QjjjirVnY/s200/51519638_6b899a7d1c_m.jpg&quot; width=&quot;200&quot; /&gt;&lt;/a&gt;&lt;/div&gt;My response to a &lt;a href=&quot;http://www.helpareporter.com/&quot;&gt;HARO&lt;/a&gt; question: To be read by IT managers at SMBs: tips for setting up a data classification system that assigns levels of sensitivity to data. What do they need to know to get started and what tools will they need to invest in? What are the costs involved and what are the benefits and pitfalls?&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;The key to data classification is to start with the end in mind. I have seen organizations execute multi-year projects with hundreds of consultants and thousands of workshop hours to classify all their data, only to find it a complete waste of time. This was because the whole exercise was a tick-box exercise to meet a &lt;a href=&quot;http://rakkhi.blogspot.com/2010/07/security-return-on-investment-roi.html&quot;&gt;regulatory&lt;/a&gt; or audit requirement and success was seen as classifying the data. Even if the project managed to complete, the classifications were stale almost as soon as the project finished. The processes they put in place to sustain the efforts were just not effective.
Processes such as requiring every user to classify the data they created, or an annual process for every business unit to inventory their data and update the classifications.&lt;br /&gt;&lt;br /&gt;Why? Because people do not want to classify data. As much as security people would like end users to classify everything as soon as they create it and think about the classification before they email something, it just does not happen. End users focus on their day jobs and farming on Facebook, not classifying data.&lt;br /&gt;&lt;br /&gt;Instead, these organizations should have viewed classification as a means to an end: a starting point for a risk-based approach to protecting the most important data in the organization, ensuring that scarce security resources are spent in the most effective manner and that productivity and usability are not hampered unnecessarily. The classification process and associated security controls need to be automated and transparent to the end user if you want them to be sustainable and truly effective.&lt;br /&gt;&lt;br /&gt;The whole point of classifying data is a close alignment of security controls to the potential impact to the organization if the data gets compromised. Typically you will do one or more of the following to protect your most sensitive data:&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Encryption - in transit and/or storage&lt;/li&gt;&lt;li&gt;Reduce data loss - stop it from leaving the organization when it should not&lt;/li&gt;&lt;li&gt;Stronger authentication - make it harder for the wrong people to get access through the front door&lt;/li&gt;&lt;li&gt;Improved network controls - protect the back door&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;So rather than running a data classification project in isolation, or even viewing classifying data as a major phase to be completed first: identify, protect and iterate.
Automate so that future data of the same type is classified and protected without requiring human intervention.&lt;br /&gt;&lt;br /&gt;Firstly, you do need a classification scheme, but this is not as important as you would think. There is very little point in having more than three classification levels:&lt;br /&gt;&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Public - self evident, data that has no impact if disclosed&lt;/li&gt;&lt;li&gt;Confidential - your most important data, which will have a major financial, reputational, legal, operational etc. impact if it is disclosed&lt;/li&gt;&lt;li&gt;Internal - everything else in the middle, data that you do not want the general public to access but that will not hurt you as much as Confidential data if it is disclosed&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Remember the end goal - you will get the most benefit on the line between Confidential and Internal. Unless you are starting from a complete green field, your public data is obvious and will already be in places like your website front page and your marketing materials. Some of your Confidential data is not being sufficiently protected, exposing you to that impact, and some of your Internal data may be over-protected, providing an opportunity to improve performance or usability or reduce costs.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Confidential data without sufficient controls&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Being a security person I will of course start here, but you may want to skip ahead to Internal data with too many controls.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Some will say there is no point implementing encryption or data loss protection unless you have first classified your data.
I take almost the opposite view: the best time to identify your most sensitive data is when you are in a position to protect it.&lt;/div&gt;&lt;br /&gt;The approach I take in &lt;a href=&quot;http://www.simplesecurityra.com/&quot;&gt;Simple security risk assessment (SSRA)&lt;/a&gt; is that almost all companies will have data that fits into one of these categories, and within each there will be data that is extremely sensitive:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Personally Identifiable Information (PII) - health and medical information, criminal records, disability, religion, sexual orientation, government identifiers e.g. SSN, NI, disputes, disciplinary, investigations, industrial relations, redundancy plans&lt;/li&gt;&lt;li&gt;Customer information - customer lists, sales strategies, unreleased products and promotions, projections&lt;/li&gt;&lt;li&gt;Financial information - unreleased results, forecasts, guidance&lt;/li&gt;&lt;li&gt;Corporate, IP, legal - legal cases, forensics, investigations, prospective acquisitions, mergers, due diligence, major risk assessments, regulatory issues and correspondence, IP, trade secrets, unapproved patents and trademarks, private keys and passwords to access other Confidential information, unreleased restructure, redundancy, board papers, senior/exec mgmt correspondence&lt;/li&gt;&lt;li&gt;Transaction information - high value, low volume, special, exception transactions&lt;/li&gt;&lt;li&gt;Card data - card number, CVV2, expiry, magnetic stripe, Track 2 info&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;br /&gt;If you want to think beyond confidentiality:&lt;/div&gt;&lt;div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Data requiring very high integrity - where there will be immediate impact for loss of integrity e.g.
automated decisions made on data&lt;/li&gt;&lt;li&gt;Data requiring very high availability - immediate impact for loss of availability, instant loss of revenue / increased cost&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;You can go through and manually identify this data but this is not sustainable. The best approach is to automate the identification and protection processes. Data loss prevention tools have become very good at doing this and you do not have to invest millions to use them. Try &lt;a href=&quot;http://www.mydlp.org/&quot;&gt;MyDLP&lt;/a&gt;, an open source tool.&lt;/div&gt;&lt;br /&gt;Start with the most structured of the above list: credit card numbers or government identifiers such as national identity or social security numbers. These are great because you can define a precise regular expression to find them. Most DLP tools have rules for this out of the box, but even if they do not, instructions are &lt;a href=&quot;http://tinyurl.com/66n4usj&quot;&gt;not hard to find&lt;/a&gt;. Use the DLP software to find where this information currently lives, where it moves both internally and externally to your organization, and where and by whom it is used. If you are like most organizations you will be surprised when data you thought was in a single database is copied to emails, spreadsheets and share drives. If you do not want to try MyDLP or similar, most DLP vendors like Symantec or RSA will come out and do this type of discovery exercise for you free of charge (obviously as a great entry point for their tool).&lt;br /&gt;&lt;br /&gt;Then put protections in place:&lt;br /&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Encryption - a database of credit card numbers or social security numbers that is not encrypted is a great place to start.
Hopefully you will not have too many of these, and identifying them for your DBAs to encrypt is a good start. Going forward, setting up an automated email alert if this is detected again is a good step - it will most likely be someone taking an extract or copy that they should not be. If you have email encryption software you may be able to configure it to automatically encrypt emails that match the same signature or that are specifically flagged by your DLP software. If your disputes team or HR team need to regularly extract and work with credit card or employee data respectively, consider creating an encrypted share drive for them. They can then continue to work as normal and the data will be encrypted transparently.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Reduce data loss - this is the primary purpose of the DLP software. I have some practical lessons learnt on where and how to &lt;a href=&quot;http://rakkhi.blogspot.com/2010/07/practical-lessons-learned-from.html&quot;&gt;implement DLP&lt;/a&gt;.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Stronger authentication - if you already have two-factor authentication for remote access, extend it to servers and applications that are storing your Confidential data. If you do not have anything, consider something open source like &lt;a href=&quot;http://www.wikidsystems.com/community-version&quot;&gt;WiKID&lt;/a&gt;.
A &lt;a href=&quot;http://yubico.com/&quot;&gt;Yubikey&lt;/a&gt; can be an easy way to add a second factor to just about anything due to its broad integration. Again, hopefully this is not something you have to do frequently - adding it to a project checklist and setting up a similar alert to the 2FA admins when a system holding this type of data is detected should be sufficient to ensure it continues going forward.&lt;/li&gt;&lt;/ul&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Improved network controls - create specific VLANs for systems that hold this data and put access controls in place to limit network access to only those systems that should communicate with them. Everyone on your LAN should not be able to access the database storing your card data or HR data, for example. If you have a firewall that supports &lt;a href=&quot;http://bit.ly/eGn06p&quot;&gt;dynamic rules&lt;/a&gt;, you may be able to automate this; otherwise again it is a project checklist item and an alert to your network admin on detection.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Structured data is the best place to start with this process, but you can also protect less structured data by taking a hash of, or indexing, data that you first manually identify as Confidential. Everything from your CEO&#39;s email, the folder where your finance staff store the annual reports and projections, to your R&amp;amp;D database can be &lt;a href=&quot;http://en.wikipedia.org/wiki/Cryptographic_hash_function&quot;&gt;hashed&lt;/a&gt; and then an exact or partial match of the hash found. The above protections and alerts can then also be applied to this less structured data.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Internal data with too many controls&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately this will tend to be rarer than you hoped for. It will generally be present where you have applied a control to everything because it was too hard to apply it selectively.
Nevertheless, the benefits of having a uniform environment for troubleshooting and support will mean this actually makes sense. For other controls the type of threat being mitigated may mean it is important to apply the control to everything rather than focusing on just protecting your most sensitive information. For example, you have anti-virus on all servers, or a standard build where you have disabled unnecessary or insecure services such as telnet or tftp, or you may be performing vulnerability scanning on all your systems. In these cases the benefits of classification are twofold:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Prioritization - once you know where your Confidential data is you can focus on patching these systems first, in addition to your Internet facing servers&lt;/li&gt;&lt;li&gt;Monitoring - if you get an alert of a virus, a large number of failed logins etc. where your Confidential data is, these can automatically receive a higher rating&lt;/li&gt;&lt;/ul&gt;Typically the overhead of a security control is not enough that you would remove something already in place.
But you could also use your DLP software to identify data flows and stores that are not Confidential and remove some controls where appropriate, for example:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;Very large files that you transfer frequently over SFTP that could actually be moved to standard FTP&lt;/li&gt;&lt;li&gt;If you define network zones to protect your most sensitive information, could you remove some firewalls or at least simplify the ruleset?&lt;/li&gt;&lt;li&gt;Systems only storing Internal data that any new employee could be given access to immediately, meaning they are more productive from day one and you have fewer access requests to approve and provision&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;b&gt;Summary&lt;/b&gt;&lt;br /&gt;Three takeaways:&lt;br /&gt;&lt;ul style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;b&gt;Start with the end in mind&lt;/b&gt; - the whole point of classifying data is so you can protect what is most important and save money and time on the rest&lt;/li&gt;&lt;li&gt;&lt;b&gt;Identify, protect, iterate&lt;/b&gt; - do not get stuck classifying&lt;/li&gt;&lt;li&gt;&lt;b&gt;Automate&lt;/b&gt; - consider how your most sensitive data will continue to be identified and protected with minimal human involvement.
At least setup alerts which will trigger action&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/5852479056376701921/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/data-classification-start-with-end-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5852479056376701921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/5852479056376701921'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/data-classification-start-with-end-in.html' title='Data classification: start with the end in mind'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh5.googleusercontent.com/-PNln3wzsQbc/TXFiJARTgOI/AAAAAAAAAwI/v_QjjjirVnY/s72-c/51519638_6b899a7d1c_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8954181093014024108.post-7243238492036839306</id><published>2011-03-03T00:45:00.000+00:00</published><updated>2011-03-03T00:49:56.222+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Mobile security"/><category scheme="http://www.blogger.com/atom/ns#" term="Secure Development"/><title type='text'>Apple succeeds where security failed with web developers</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a 
href=&quot;https://lh3.googleusercontent.com/-BXXHzfEI0d8/TW7kS0hZB2I/AAAAAAAAAwE/6ghe75j9ct8/s1600/108948880_712aa207c9_m.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://lh3.googleusercontent.com/-BXXHzfEI0d8/TW7kS0hZB2I/AAAAAAAAAwE/6ghe75j9ct8/s1600/108948880_712aa207c9_m.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;Interesting article today on some malware with the linkbait title &quot;&lt;a href=&quot;http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/&quot;&gt;The mother of all Android malware has arrived&lt;/a&gt;&quot;. It involves the malware writer downloading over 50 free applications from the Android app store, adding a trojan to them, repackaging them and releasing them for download. Aided by the fact that they were existing applications, it is reported there were between 50,000 and 200,000 downloads in over 4 days (it took Google that long to shut down the malware spreading applications). The trojan used a root exploit and allowed data to be stolen as well as opening up a backdoor for download of further malware.&lt;br /&gt;&lt;br /&gt;There is some really good discussion comparing the Apple and Google approaches to their respective app stores on &lt;a href=&quot;http://news.ycombinator.com/item?id=2279228&quot;&gt;Hacker News&lt;/a&gt;. What struck me the most though was how Apple&#39;s review process appears to have succeeded where security professionals have failed for years with developers.&lt;br /&gt;&lt;br /&gt;&lt;a name=&#39;more&#39;&gt;&lt;/a&gt;There is some great discussion in the HN comments about the Apple review process.
I think it is fair to say that the process is not infallible and there are some good examples of how malware could potentially be allowed through:&lt;br /&gt;&lt;br /&gt;Using a dynamic binding that is not detected during static analysis:&lt;br /&gt;&lt;blockquote&gt;&lt;span class=&quot;Apple-style-span&quot; style=&quot;-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: Verdana; font-size: 12px;&quot;&gt;&lt;i&gt;&quot;You need a message name (@selector), and the names are strongly typed&lt;/i&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;What do you mean by strong typing here? AFAIK ObjC has dynamic binding, which means you can send the same message to a different object based on a condition. So from what I see, you can pretend you&#39;re sending a message to an internal object, but then switch the object out for an external one later.&amp;nbsp;&lt;/blockquote&gt;A &quot;timebomb&quot; - code that executes after a period of time or based on a specific condition not triggered during the review process:&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;A time bomb needs a callback in the binary&lt;/i&gt;&amp;nbsp;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;i&gt;&lt;/i&gt;Nope. You read the current time in at startup, to, I don&#39;t know, display to the user, then at some later point, after enough obfuscation and misdirection, innocuously check if the number you got back was past 1335830400.&amp;nbsp;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;i&gt;and then the app needs to actually do something if the response comes back as 1,000. Which means that code needs to be in the binary.&lt;/i&gt;&amp;nbsp;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;i&gt;&lt;/i&gt;But the response won&#39;t be 1,000. 
The response will have lots of data you&#39;d send otherwise, then an innocuous-sounding string like, I don&#39;t know, &quot;true&quot; or something, tacked on at the end, and you&#39;ll have a check for the end of the string being &quot;true&quot; buried somewhere deep within your code, which is where you&#39;ll switch the object out.&quot;&lt;/blockquote&gt;However, &lt;a href=&quot;http://techcrunch.com/2011/01/19/iphone-ipad-top-app-downloads/&quot;&gt;10 billion app&lt;/a&gt; downloads later, we are yet to see malware like the above spread on the iOS platform. While this does not mean we could not see it tomorrow or the day after, as iOS gains greater market share and more high-value applications such as banking and stock trading move to mobile, it is an impressive record.&lt;br /&gt;&lt;br /&gt;A great deal of the credit for this has to go to the strict Apple review process. They have&amp;nbsp;succeeded&amp;nbsp;where security professionals have failed for years with web developers.&amp;nbsp;By implementing even &quot;just&quot; static analysis of code and making developers aware that their app will get rejected if they fail this testing, Apple has raised the bar on the security and quality of code.&lt;br /&gt;&lt;br /&gt;Compare this to web applications: cross-site scripting (XSS) has been known about for donkey&#39;s years, and great &lt;a href=&quot;http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)&quot;&gt;guidance&lt;/a&gt; has existed on preventing XSS for a similar amount of time, but you still get a SECURITY application like Lastpass having a &lt;a href=&quot;https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details&quot;&gt;basic XSS vulnerability&lt;/a&gt;. Security professionals have been trying for years to implement secure development lifecycle&amp;nbsp;disciplines, such as static and dynamic code analysis on every project prior to going live. 
But with &lt;a href=&quot;http://v1.aberdeen.com/launch/report/benchmark/6983-RA-software-development-lifecycle.asp?lan=US&quot;&gt;studies like this&lt;/a&gt; finding that 72% of their sample group do not apply security at source, and with Lastpass as a clear case in point, we are not succeeding.&lt;br /&gt;&lt;br /&gt;The truth appears to be that without a central gatekeeper like Apple these types of security practices will never be implemented&amp;nbsp;ubiquitously. This is perhaps one of the greatest security benefits of software distribution moving to the Appstore type model, and I hope that Google implements at least a minimal process of source code review, so that corporations can then follow suit.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.rakkhis.com/feeds/7243238492036839306/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.rakkhis.com/2011/03/apple-succeeds-where-security-failed.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7243238492036839306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8954181093014024108/posts/default/7243238492036839306'/><link rel='alternate' type='text/html' href='http://www.rakkhis.com/2011/03/apple-succeeds-where-security-failed.html' title='Apple succeeds where security failed with web developers'/><author><name>Anonymous</name><uri>http://www.blogger.com/profile/07085705116337330457</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh3.googleusercontent.com/-BXXHzfEI0d8/TW7kS0hZB2I/AAAAAAAAAwE/6ghe75j9ct8/s72-c/108948880_712aa207c9_m.jpg" height="72" width="72"/><thr:total>0</thr:total></entry></feed>
