radi::blog

SDL courses in the public

2010-03-04T18:57:00.001-05:00

A while ago I was pointing out some interesting stats about the secure development lifecycle (SDL). Last week, Microsoft made its four core SDL training classes available to the public. The titles are:
- Basics of Secure Design Development Test
- Introduction to the Microsoft Security Development Lifecycle (SDL)
- Introduction to Threat Modeling
- Privacy in Software Development

I would encourage everyone with a bit of spare time to take a look at these courses.

The daily /.

2010-03-02T15:13:00.003-05:00

A few interesting stories from my daily /.-ing:

1. CAPTCHA troubles
"Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCAPTCHA, which is also used by Facebook. It’s a third-party CAPTCHA that feeds a CAPTCHA challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCAPTCHA, which then transmits a CAPTCHA challenge to the customer.

But the perpetrators were able to thwart this as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, the authorities said."

After having a chat with Aldwin on the topic, it seems like this might be a serious flaw in CAPTCHA (i.e. mapping a challenge to a response via identifying the filename of the CAPTCHA image). After all, CAPTCHA should allow developers to feed arbitrary text that will then get rendered on the fly.

The original article is here.

2. Nearly 60% of apps fail first security tests. Interesting number from Veracode; however, I wonder in what phase of the SDLC were those apps when they were tested. Although I agree with their argument that more work is required in educating the developers, I must also add that more tooling is necessary (e.g. code annotations, code scanning when committing code to the repository, etc.) to enable developers focus on the bigger security problems.

More on the topic here.

Plastic problems

2010-02-13T04:43:00.000-05:00

...or Cambridge 2 PCI 0

This past week I landed on two very interesting papers that came out of Cambridge. The papers basically discuss the weaknesses of Chip & PIN and the 3-D Secure protocol for online transactions. Highly recommended read.

The Flying Dutchman

2010-01-09T09:00:00.001-05:00

Some recent stats about my whereabouts during the past 3 months:
6 countries
7 cities
3 timezones
2 economic areas
5 currencies
21 flights
27 hours of flight time

Yep.

Martin Palermo... no comment

2009-10-05T17:13:00.001-05:00

This is the guy who missed 3(!!!) penalty kicks in the same match for Inter Milano a few years ago. Now he scores a header from 40 meters. :)

The Story of Stuff

2009-09-29T08:18:00.001-05:00

The 7 plagues of testing

2009-09-07T05:49:00.003-05:00

James Whittaker was running the series of the 7 plagues of software testing on the Google Testing Blog. Since the series are at their last stretch, here is the list of plagues:
1. The Plague of Aimlessness
2. The Plague of Repetitiveness
3. The Plague of Amnesia
4. The Plague of Boredom
5. The Plague of Homelessness
6. The Plague of Blindness
7. The Plague of Entropy

There are also some additional plagues that were suggested by various readers (myself included):
- The Plague of Metrics
- The Plague of Semantics/Assumptions
- The Plague of Infinity/Endlessness/Exhaustion
- The Plague of Miscommunication/Language
- The Plague of Rigidness/Complacency

Out of the suggested bunch, I really like Roussi's notion that complacency can be the result of a product's success.

Recycling security test cases

2009-08-03T09:49:00.006-05:00

Test cases are precious. In my day to day work, a lot of what we do is built around the notion that a test case either passes or fails. Think about the time when you withdraw money out of your favorite ATM or when your favorite application may have compromised your privacy... it's always the case of a passed or failed test case. Is there a flaw in the system? Can the system under test be put to its knees because of it?

A while ago James Whittaker talked about building repositories with reusable test cases. The whole discussion is available at the MSDN blogs. I definitely recommend reading it. As applications often have common flaws, it is beneficial to have such a repository. Tweaking the test cases to the application under test is definitely a "must-do". However, once those tweaks are done for the particular software under test, the job gets much easier.

Reflecting at the security industry, it's hard to not notice the need for James's idea to be adopted. In fact, a typical problem report from a security vendor will include the following bits:

What is the problem?

How can the problem be reproduced?

How can the problem be fixed?

Maybe we should start swapping the second bit with the actual executable test case? I know it's hard to do this for any type of application, but for the most common type -- Web apps -- it's certainly doable. Just look at tools like Selenium and you'll get the idea.

Phish me a Safari

2009-07-22T04:07:00.004-05:00

Recently I decided to install Safari 4. The experience is quite nice, except I'm paranoid about phishing. Yes, I check the certificates of sites where I'm about to provide my user credentials. I check the validity of links before I click on them. I even use different browsers when browsing trusted and not so trusted sites (some might point me to this surf jacking article, but oh well).

In general, phishing is a concept that's been around for a while. It revolves around the idea to trick a user into performing an action while thinking he/she was performing another action. One of the mechanisms to do so is through obfuscating links inside a Web page. More on this can be found here.

Typically, Windows based browsers have been pretty good about revealing the URL of a link before clicking on it as this was a valid concern a few years ago (circa 2004/5). However, after switching to Mac I could say that I'm quite disappointed of not seeing any notification about the links I'm about to click on a page. In a way that goes against the secure by default concept that OS makers started adopting in 2003. Or maybe I'm just assuming too much from Apple?

P.S. - Of course, I can turn on the Safari status bar and everything will be fine; but then, would all users do the same?

Chrome and Privacy Mode

2009-07-15T05:34:00.002-05:00

A while back I was playing around with Google Gears and Incognito mode. The test was simple: I store some data in Gears while in Incognito and try to read it while in Normal mode.

The goal
The goal of this test is quite simple: prove that privacy related data (yes, with Gears gaining momentum a lot of apps like Google Docs, Google Reader, Google Calendar, MySpace, etc. are beginning to utilize Gears' SQLite engine to cache information) that was obtained in Incognito mode will persist in Normal mode and vice-versa.

The code
Load the following code in Incognito mode:

var db = google.gears.factory.create('beta.database');
db.open('privacy-test');

db.execute('drop table if exists secret');
db.execute('create table secret (message text)');
db.execute('insert into secret values (?)', "secret message");

Load the following code in Normal mode:

var db = google.gears.factory.create('beta.database');
db.open('privacy-test');

db.execute('create table if not exists secret (message text)');
var rs = db.execute('select message from secret');
if(rs.isValidRow()) {
 alert(unescape(rs.field(0)));
}

The result
Data indeed persisted. I've posted the code for Incognito mode here and for Normal mode here.

Conclusion
Browsers' attempt to provide additional privacy to users is noble; however, this is valid only for data that the browser controls directly (e.g. cookies, browser cache). As Web applications are becoming richer in features, third party technologies like Google Gears, Flash, and Silverlight will soon need to start playing the privacy game as well if browsers are to fully allow privacy modes to users.

SSN Predictability

2009-07-07T06:42:00.002-05:00

Carnegie Mellon has conducted a study in which they proved the predictability of Social Security Numbers in the U.S. given that date and location of birth are known. Because it is a common practice to tie an individual's SSN to his/her bank accounts, phone bills, drivers license, or practically anything, I'd love to see whether organizations in the U.S. will move more and more toward what their counter parts in Europe are doing -- namely to check the individual's social security number, the government ID number, and various other details about the individual.

This study will also be presented at BlackHat at the end of July.

Web Security 101

2009-06-24T04:00:00.002-05:00

Mike has released a set of webcasts that cover Web security for beginners. These webcasts, including the slides, are available here. Mike's announcement and comments are available here.

Defining a leader

2009-06-22T05:47:00.000-05:00

Recently I've found the following quote from this page:

The team of more than 600 professionally trained consultants is three times larger than that of any other competitor, and makes the company a leader in the constantly developing Bulgarian market.

So from a pure economic/business perspective, how do you define a leader? Is it in terms of sales? Is in terms of customers? Is it in terms of capability/throughput? Or is it simply in terms of head count?

The thought that provoked this post are simply this: many companies these days present themselves as leaders in something. Whether it's technology, ability to handle big projects, or throughput, everyone these days claims the to be a leader. As D says, they could be leaders in one thing compared to their competitors, but lack in something else.

I think marketing is trying to get a competitive advantage once again. ;)

Secure the textbook

2009-06-16T03:56:00.001-05:00

Coop, a good friend of mine, is starting an initiative to revise college textbooks that teach software engineering and weed out insecure practices from them. The goal of this project is to bring security awareness throughout the entire computer science curriculum and not in just 1-2 courses. If you're interested in participating in this effort, go check out the project site.

Threat modeling: bringing it all together

2009-06-10T13:19:00.007-05:00

There are few ways to do threat modeling. For those that are in the financial sector, it's all about business risks. For those in the technology sector, it's all about fending off direct attacks. What both approaches have in common is the fact they all try to identify and counter any event that may offset the normal order of operation within a given business process. One at the business level, while the other at the more technical level. Because both approaches have different starting and ending points, there is the risk of having gaps in the overall risk analysis process.

Why do I say this? If we look at the technical threat modeling exercise, everything begins with identifying the individual assets and the threats that affect them. The gap in this approach is that the application's business goals are not stated clear. Protecting assets is good, but why do they need to be protected? How do you convey to your higher-level management and external stakeholders that a particular asset needs protection? You simply speak in terms that can be understood by your audience: business goals. Similarly, if you look at the business risk analysis exercise, how do you ensure that the security test/audit of your application will cover all venues of attacking your system? How can you provide documentation of adequate security assessment coverage at the time of a breach? You simply provide your test plan, which is most likely derived from the attack vectors and pre-conditions in your threat model.

So what's the purpose of complicating things? As risk analysis is an essential part of ensuring any system's security, it is also essential that the report that is produced during this analysis provide meaningful, yet actionable information. Here are the steps that can help achieve that:
1. Gather information on the business goals of the system.
2. Identify the business risks that will harm those business goals.
3. Decompose the business risks into technical risks that can realize if a security breach occurs.
4. For each technical risk, build a tree of attack vectors that lead to the realization of this technical risk.
5. For each attack vector, identify the pre-conditions that are necessary for this attack vector to execute.
6. Using the attack vectors, their pre-conditions, and your knowledge of the system's attack surface, draft a document (most likely a test plan) that covers all possible venues of attack.

Thoughts?

Finding Software Insecurities through Password Policies

2009-06-08T10:48:00.001-05:00

There are a few main security strategies to consider when using password controls within an application:
- Users should always be forced to use fairly complex passwords
- Unless used with legacy software, passwords should always be salted and hashed (even encryption doesn't cut it as there are no other valid reasons besides legacy software that mandate that passwords must be recoverable)

Earlier I landed on this blog post by Johannes Ullrich from the SANS Institute. The bit that I like the most is:

Usually, if a site is imposing [maximum] limits to your password, like the length or it doesn’t allow certain characters, you can guess that your password will be stored in the clear.

The reason is simple: If the password is hashed, then it doesn’t matter how long it is, or what characters it uses. It will always end up as a fixed length hex string.

Secure Exception Handling

2009-06-06T07:22:00.002-05:00

Exception handling is an important part of building a secure application. Developers are often asked to pay close attention to the security context in which the exception handler executes as to ensure maximum robustness, both from performance and security point of view, of the application. The reason I mention this is a little ATM incident yesterday where a friend's debit card was swallowed in the middle of a transaction by the ATM. As my buddy provided his bank card, PIN, and withdrawal request, the ATM decided to crash -- resulting in a big red screen stating that the machine was out of order. After 3-4 minutes, while my friend was in touch with the bank's customer service, the machine restarted and started working as expected.

So what happened?
Based on the above observations it seems that the generic exception handler used in the ATM machine tells the machine to void the transaction and keep the card. There's nothing wrong with that. In fact, this seems like the most secure way to fail an operation without knowing the exact causes of this failure. However, this is where the flaw in this ATM actually is -- the gap between the source of the exception and the exception handler is too big. It's so big that the handler that catches the exception doesn't know what to do with it. This is where robustness fails and legitimate customers get pissed off. :)

Closing the loop: bringing the lawsuits to the auditors

2009-06-02T16:47:00.003-05:00

A while back I had a bit of a rant about security testing and certifications. Today a colleague of mine sent me an article on the first case of bringing legal actions against a security auditor. Some quotes that I found interesting:

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

Security is a lucrative business... so lucrative that a lot of people have jumped in to play the game of "securing" business values. Just like with any other sector of the economy, when there are a lot of newbies joining the field, the overall quality of work diminishes. And this has it's consequences...

More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.

Luckily, for those who still want to join this business, there is the right certification to give them a boost in front of competitors. ;)

When we say P.C., you say I.

2009-05-20T08:55:00.000-05:00

For those interested in security and haven't seen Hugh Thompson's talk at RSA 2009, go watch it. Having known the guy for a few years, it's incredible to see the works that he's presenting (both insightful and entertaining). :)

Facebook: All your privacy belongs to the Internet

2009-05-11T11:14:00.004-05:00

Privacy concerns in social networks are not something new. Take for instance Facebook's practice to keep user data after an account is deactivated or their new terms of service policy to name a few. However, even if these problem are resolved, Facebook users still face the risk of having their private content being exposed to the public.

Welcome to the content hopping approach.

Before I jump into describing this approach, let me provide a bit of information regarding Facebook's privacy model. By default the Facebook privacy controls allow a user to specify a predefined list of users that can access various parts of the user's content. The platform uses several such predefined lists:
- The user's friends
- Friend of the user's friends
- Any network which the user has joined
- Everyone

However, Facebook is flexible in defining these lists. Check here for more info.

Hopping through content.

Typically users will limit access to their profile as a whole, but not to individual content. This make sense to a certain extend since a user's profile is often thought as the entrance to the user's content. However, in an era where content is constantly tagged and referenced from various sources, it is hard to clearly define one such "entrance". Assume the scenario where John has posted a photo and has tagged Jane. Anyone who can see Jane's profile can also see John's photo. Furthermore, if John didn't set the privacy controls on his album properly, that anyone can also see John's entire photo album...

With Facebook being 175 million users... a lot of things could be dug up. :)

Eating your own dog food, or how do you really protect against XSS in ASP.NET?

2009-04-21T20:08:00.002-05:00

There is a lot of literature that discusses ASP.NET and output encoding. There is even more literature discussing cross-site scripting (XSS) vulnerabilities and their exploitation. However, there is no particular literature that discusses how to fully solve the cross-site scripting problem in ASP.NET.

ASP.NET is built around a set of controls that the .NET framework transforms into HTML when outputting data to the browser. As any ASP.NET developer would agree, using these controls as well as any other functionality that is provided by the .NET framework makes the development of new applications a joy rather than a burden. However, as part of their functionality, some ASP.NET controls call the HttpUtility.HtmlEncode method to encode parts of their output (see this reference table). What is the problem with this? The HtmlEncode function uses a black-list approach to solve this encoding problem. It searches for the <, >, &, and " characters and replaces them with their HTML equivalents. The security problem with this approach is that if HTML specifications change, applications relying on this method might become vulnerable to script injection attacks. As proven in the past, most solutions that rely on such approach (e.g. WAFs, ASP.NET request validation) get bypassed at some point by some determined attacker.

To address this problem, Microsoft tries to give more momentum to its AntiXSS library, which uses a white-list approach... that is only known good characters (namely alpha-numeric) are left as is and everything else is encoded. The AntiXSS is also the recommended approach to use for encoding output by the Microsoft SDL methodology as it provides a longer lasting solution to the script injection problem. This, however, comes with a cost -- not all ASP.NET controls can work with the AntiXSS library. If a developer tries to use the AntiXSS library, he/she might run into the issue of double encoding output. If that developer does not use the AntiXSS library, his/her code might be become insecure.

IMHO, the best way to address this problem is to allow developers to override the encoding routines within the ASP.NET controls. This way the .NET framework will give developers more control over what is encoded and how it is encoded.

When is enough really enough?

2009-04-18T19:45:00.002-05:00

Marketing. It's a vital part in any business. It's the process of identifying your target customers, establishing your prices, and engaging your potential customers. It's a process where the core objective is to gain more attention, retain that attention, and turn that attention into profits. However, enough with the good side of marketing. As good as it can be, marketing can bring a lot of evil to an organization. Just think about the discrepancies between a product's advertisement and what that product really is, but most of all think about how the marketing efforts could act as a Trojan horse within your business model. What do I mean by this? Assume that you have a product or service that is trying to find its place on the market. Assume that you entitle your marketing team to promote your product or service by any means, including giving away free copies/access to your entire product or service. Assume that your marketing efforts are less secure than the security standards set within your organization. Assume that a copy of your product or an account to your service leaks out... that's right, your business model has been compromised.

A few years ago, a friend of mine was able to get free pre-release copies of upcoming Hollywood titles. The copies that we watched were marketing material that was distributed to video store owners. If a video then was compromised, something like this might have happened.

Marketing in the IT

2009-04-02T10:36:00.001-05:00

Gabe has an awesome post on using buzz words in marketing security products and services (which I think can be applied to the IT as a whole). The quote that I find really amusing is:

John’s UltraSecure Platform and Super AntiHacker technologies are the time-proven critical-acclaimed fast-reliant just-in-time cutting-edge self-healing on-demand value-added preferred choice for industry leaders and security-minded managers of today, just like you.

This is just sick!

When the human factor is of importance...

2009-03-30T12:22:00.003-05:00

Lately I've been reading Nick Leeson's Rogue Trader, which talks about his experience during the bankrupt of Barings Bank. Although the book has not impressed me that much, it led me to a few thoughts:

How can orgs be better at deciding who their key personnel is?

How can orgs be better at managing their key personnel?

What can orgs do to better protect their assets, brand, and most of all their org?

What would be the most efficient mechanism for keeping real-time checks on org critical operations?

What can orgs do to encourage their key personnel to stay focused on the orgs goals?

These thoughts will produce various responses depending on the circumstances during which they're asked. However, it is good to think about these things once in a while.

Visualizing the credit crisis

2009-03-22T06:18:00.002-05:00