September 2008 Archives

September 26, 2008

SecureSphere vs Secure Coding

It is becoming more and more common for companies to weigh WAFs vs. secure coding options as they try to determine the best way to protect their web applications.  After talking to many developers, one thing I've learned is that many coders are not fully aware of the risks that come with secure coding.  And, on a related note, many companies are not fully aware of all the costs that come with secure coding.

Let's be honest, most of the pro coders already know about SQL Injection and the risks it brings to the table. And most of them already know how to write better code in order to try and avoid that hole. However, when it comes to attacks such as XSS, Forceful Browsing, and Cookie Attacks, they are much less certain how to write the code needed to block those threats (which in most cases is not even an option).

September 25, 2008

PCI 1.2

As I wrote yesterday, the PCI Community Meeting discussions are interesting and useful. Many have asked me to provide insights on the actual changes to the specification and especially on section 6 and 6.6 (ensuring that all public Web-facing applications are protected against known attacks), section 10 (track and monitor all access to network resources and cardholder data) and section 3 (protect stored cardholder data).

While we still need to respect the embargo on disclosing the actual details of the PCI DSS 1.2, there are a few insights that I can share regarding the community culture and the spirit of this event. As you can see below, section 6.6 can also be used as an opening sentence when one is looking for new friends...

[Image: PCI humor]

As soon as the embargo is lifted, I will share our thoughts and insights. And for more insight into the world of the PCI QSA, I encourage you to attend our upcoming webinar, "The Inside Story of PCI: Confessions of a QSA."
 
September 24, 2008

"Pea-Sea-Eye"

I'm at the 2008 PCI Community Meeting in Orlando. The Standards Council asked us not to disclose any information or pictures regarding the content of the upcoming PCI DSS version 1.2 beyond what has been already discussed in the press or on the Council's web site. For those that are not familiar with the subject (can't spell P-C-I as Bob Russo, General Manager of the council explained), here is a complimentary image. 

[Image: P-C-I]


Seriously, this is one of the more important events for the data security community and if you are reading this blog, you are probably affected in some way. More reports and coverage (without revealing anything that I promised not to) will be coming soon.

September 23, 2008

Stop The Presses! Does 1=1?

Reading web server and search logs can be fun. Every day, several people from different parts of the world (and across the web) are reading the ADC Glossary. One of the more popular search terms is 1=1. Many look at SQL injection techniques; others are learning about SQL injection signature evasion.

For those that are interested in learning more about 1=1, check out this page. There's also a related movie:
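The 1=1 search term above, and the point in the SecureSphere vs Secure Coding post that coders know how to avoid the SQL injection hole, are easiest to see with a query written both ways. The following is an added example, not code from this blog or from Imperva's products: it assumes a constructed in-memory SQLite table of two users (the names, passwords and the `users` table are made up for the demo) and shows why a tautology dumps every row from a string-built query, why the same input matches nothing once the query is parameterized, and how a defender can flag the general OR-tautology shape rather than the literal string `1=1`, which signature evasion works around.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the post); plaintext
# passwords are used only so the query logic stays readable.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so a
    tautology such as 1=1 rewrites the WHERE clause and the trailing
    comment discards the password check."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Hardened form: bound parameters are always treated as data, so the
    same input is compared literally against the column and matches
    nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Defensive detection: a naive "1=1" string match is trivially evaded, so
# this regex flags the general OR <x>=<x> tautology shape instead. It is a
# monitoring aid for logs or a WAF rule, not a substitute for parameters.
TAUTOLOGY = re.compile(r"\bor\b\s*'?(\w+)'?\s*=\s*'?\1'?", re.IGNORECASE)


def looks_like_tautology(value):
    """Return True when the input carries an OR-tautology pattern."""
    return TAUTOLOGY.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"   # the search term discussed in the post
    print("concat:", login_concat(db, payload, "x"))   # every user
    print("param :", login_param(db, payload, "x"))    # no user
    print("flag  :", looks_like_tautology(payload))    # True
```

The parameterized query is the fix; the regex only tells you someone is probing, which is what the glossary readers searching for 1=1 are learning to recognise from either side.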




Last week, a security researcher published a "zero-day vulnerability" regarding a specific CCTV control server (although you can hardly call something that can be accessed through Google "zero day"). Expected fire from the CCTV vendor did not fail to arrive shortly after the disclosure.

 

This is no longer an isolated incident but rather a growing trend in this past year. I am seeing more and more "full disclosures" prior to vendor patching. Believing that this is indeed becoming a trend, I had to give it a second thought. The only thing I came up with is that this is a strong counter-reaction to practices that have been established in recent years.

[Image: restraints]

The Register was picking on the IRS last week, citing a Department of Treasury document and using a sensational headline that the U.S. Internal Revenue Service is putting tax payers at risk by operating thousands of web servers that either contain security vulnerabilities or have not received proper authorization. (BTW, the Department of Treasury should improve their overall report card score listed in this report prepared by Tom Davis of the House Oversight and Government Reform Committee in May 2008.)

This headline makes it look like the IRS is in complete chaos, but I think the Register is not being fair and some restraint is needed (a colleague of mine explained that the Brits will always like to sling mud at US based agencies). First, I do not think that the IRS is much different than many other agencies, commercial organizations and universities. In my experience, many large organizations have rogue and vulnerable web servers simply because they are unable to discover, find, control and manage all those systems that were previously deployed to serve a specific business need. Examining the report, I'm learning that the US Department of Treasury's Inspector General for Audit is trying to control the situation by raising a flag about the situation and recommending a solution.

I've been watching this story since Network World first reported that a hacktivist group had hacked into VP Candidate Sarah Palin's Yahoo account and posted it on the Internet. On first pass, there wasn't enough data so it didn't look real. However, the Register later entered into the conversation and now Wired has reported that one of the emails is real. Now here's where it gets interesting: turns out that the screenshots of the hacked emails were kind enough to include the full URL of the proxy server used.

[Image: ReportedPalin]

And now the operator of the proxy server has indicated that if he is asked by authorities to look up in his logs, he will report the session information. Oh my, now things are getting interesting...

[Image: Dallas Texas skyline, Hurricane Ike]

I returned from Dallas last Friday and "missed" IKE. First and foremost, I sympathize with the victims and feel bad about the damage, pain and high gas prices. However, judging by some of the amazing photos, it was quite a scene.
 
I was part of Imperva's scheduled Customer Advisory Board meeting that took place on Thursday. We had the opportunity to receive feedback from our customers, including some of the largest enterprises in the world. Working with our customers is always interesting, especially as some organizations are using SecureSphere to solve problems other than those described by our own marketing team. Due to the nature of their business, the details of those customers and the nature of the discussions cannot be disclosed in public.
 

According to the following story, the answer is simple: a lot.

This is a few weeks old, but I was recently asked for some ROI calculations and thought that this story could provide a good example. It also shows database activity monitoring can work even for small organizations.

Jackson Lewis, law firm for Nye Lubricants, has notified the New Hampshire Attorney General that an employee "may have accessed electronic personal information stored in certain of the Company's databases without proper authority and/or for improper purposes," on or about August 15.

According to the notification, 173 employees are being notified that their personal information, including their Social Security numbers, may have been accessed or misused, but the firm was reportedly unable to determine whether any of the current or former employees' data were accessed or misused.

Frederic C. Mock, Executive Vice-President of Nye Lubricants, wrote to those affected that an employee had accessed the network without authorization, but "despite our best efforts, we could not determine if any personal information contained in the databases on the Company's network was actually compromised, only that the opportunity for unauthorized access or use of personal information existed." Nye Lubricants reports that it is reviewing its security and systems going forward and has offered employees free credit monitoring for one year.

Let's do the math. I'm assuming that they received a group discount for the 173 employees and the cost of service is only $15 per month per employee:
 
173 X $15 X 12 months = $31,140

On top of that, we have to add the cost of legal fees (Jackson Lewis will not work for free). I suspect that the lack of database activity monitoring can cost $100K for this small firm.

Source: http://www.pogowasright.org/article.php?story=20080828115925605 

Graham Cluley from Sophos recently wrote about how hackers infected BusinessWeek's website via a SQL Injection attack.

Unfortunately, it looks like the daily SQL injection stories are starting to become boring as the list of victims grows day-by-day. (Dilbert hints that there are too many databases. Some might be redundant). 


[Image: Dilbert database comic]


Sophos is providing the community a good service as they have created a nice visual of the attack, showing how the infected site appears to the innocent, soon-to-be-a-victim visitor as well as what the page code looks like. They also provide a list of some suggestions that would allow customers to protect their site.


However, I would argue that they do not emphasize the most immediate solution - Web Application Firewall (WAF) - or the benefits of integration between vulnerability assessment, code review and WAF. In the real world, the process of fixing the code can take some time...


One of the things I love about IT Security is the requirement to bridge the gap between human behavior and technology. Amichai and I recently delivered a webinar on the topic of Vulnerability Scanners and Web Application Firewalls that reminded me of this balancing act.

There are camps on both sides that say you should use either scanners or WAFs (depending on where you sit). Theoretically, if you lived in a vacuum, that is a valid argument. But the truth is, we live in a world run by humans, and that's the fundamental reason why WAFs and Scanners belong together. Let me illustrate fixing vulnerabilities in the real world:

[Image: ScanFix2]

September 12, 2008

Zero "Zero False Positives"

[Image: Superman - no such thing]

I was in Boston earlier this week, participating in a vendor panel discussion. One of the other vendor representatives tried to explain how his solution added value by having a "true zero false positive" rate. I will not mention the name of this company as I think that the novel idea of having a security system with zero false positives is so far from reality that it simply shows that their representative does not understand security. It's like Superman - great idea and I wish it could be true - but in real life, he does not exist...(Wonder Woman does though :-)


[Image: RiskManagementOnTheRoad]

I'm used to seeing all kinds of risk management strategies in my profession, but this is the worst I've ever seen. Check out the photo I caught on the way out of the coffee shop parking lot on the way to work this morning. A better version was found online.

[Image: DontHitMe]

What should the caption for this photo be?

And if you live in California and this is your strategy, hand me your keys and get off the road.  (BTW, as a recovering marketing person I suspect this is viral marketing of some sort, and if so well done.)

September 8, 2008

Hack With Old People

[Image: Kevin Lee Poulsen, Kevin Mitnick, Adrian Lamo]

Hacking with new people is passé. It's now trendy to hack with old guys. Even though Sarah Palin is not a hacker, some stories and buzz around previous-life hackers have been recently uncovered. After reading the TechCrunch story of MySpace co-founder and real life 1980s WarGames hacker, Tom Anderson, I searched for known "old" hackers that changed their course of life. During the research I found an ancient 1984 TIME magazine article titled Let Us Now Praise Famous Hackers.

[Image: phonepad]

When you work in security, you learn to see the world through different glasses and sometimes it's frightening.

Yesterday I was on the phone with a not-to-be-named cell provider. I had tried to link all my phones, faxes, and emails into an uber-account I could access from anywhere (internet, cell, land-line) and thoroughly messed up my voicemail. So the service representative reset my voicemail.

During the re-registration process, I was asked to set up a security passcode. Now here's what the phone tree told me: "press 1 to use your birthday as your passcode, press 2 to use your mother's birthday, press 3 to use your father's birthday..." It walked right down the line of a hacker's password 101 guess list. No choice of a custom passcode - you picked one of those choices or you got stuck.

So I said to the service rep, "you have to be kidding me, these are the only choices?"

Today, we announced that multi-language support has been added to the SecureSphere management interface GUI. Localized versions of SecureSphere are now available in Simplified Chinese, Japanese, and Korean, making the product more accessible to IT departments throughout these regions. SecureSphere has always provided multi-language support in its monitoring engine, but in response to accelerating demand for application data security appliances throughout Asia, we can now reach more customers.

The internationalization of SecureSphere's user interface allows IT departments to switch between the standard English version and the local language on the fly. This enables the user to manage SecureSphere, set up policies, and generate reports in their native language.

Here are some screenshots:

[Screenshot: SecureSphere login screen]

[Image: Chrome worms]

So Google announced their fresh take on the browser. They sure know how to create a sensation. Follow the links and read the comic book - it's worth your time. If you wish, you can also read the Google Blogoscoped analysis.

After reading the many blog reports and examining the comics, if I understand correctly, the browser will change the current Anti Malware space as it will provide real-time updates and black lists of bad sites. That is the kind of service that is worth a lot of money to the URL filtering vendors.