Archive for January, 2008...
Filed under Security
Some of you astute readers may have noticed a few posts from someone other than yours truly. These are coming from my friend David Nester. David is a Sr. Security Engineer over at Hewlett Packard, so you can guess that before he was with HP, he was an employee of SPI Dynamics. Before that he ran his own gig with a company called iCrew, where he did a lot of things in the security world, including trying to sell me a bunch of crap. He has also done a stint with MD Anderson as a UNIX Security Architect and with Citibank as a UNIX Security Engineer.
David is a talented web security guy, and I have tried to get David to help me on the blog for a while now. I have wanted some more stuff regarding web application security, and I thought David would be perfect for the role. He finally decided to help out after a lot of arm-twisting and a promise to share some of my ad revenues. (He’s going to clear about $5-$10 / month - not bad, huh?)
So welcome to David. Thanks for helping out. And guys, David is new to the blogging world, so don’t beat him up too bad yet. I don’t want to scare him off.
Vet
Posted by Michael Farnum on Thursday, January 31st, 2008
Filed under web hacking
An interesting download to come out of the OWASP camp — books are now available for your reading pleasure. The initial group of books are:
- OWASP CLASP v1.2
- OWASP Top 10 - 2007 Edition
- OWASP Top 10 - Testing - Legal 07′
- OWASP WebGoat and WebScarab
- OWASP Code Review - 2007 (RC1)
- OWASP Evaluation and Certification Criteria
- OWASP Top 10 - Ruby on Rails Version
- OWASP SpoC 2007
- OWASP World (Nov2007)
- OWASP Guide 2.0 (2005)
All are available free of charge (download versions) from LuLu.com/owasp.
Posted by David Nester on Wednesday, January 30th, 2008
Filed under web hacking
So you don’t consider yourself to be XSS savvy, but you would really like to do some free testing? Well, look no further… you just might have a solution. Introducing the XSSDB by GNUCitizen. The XSSDB (I’m assuming) is heading in the same direction as the Metasploit Project, however solely based on Cross-Site Scripting checks.
A couple of the nice[r] features (IMHO) of the database:
- Ability to perform both GET and POST-based XSS
- Ability to add or submit your own vulnerability checks to the DB
So how could this be improved? Personally, while I do have several methods of testing for XSS, I would find it invaluable to have an offline solution where I could test non-internet-connected applications. GNU? Perhaps some type of offline solution with an update capability? The solution does take a bit of getting used to (for example, if you aren’t terribly familiar with how GET, POST and parameters work in web applications), but overall… a very nice solution.
Posted by David Nester on Wednesday, January 30th, 2008
Filed under web hacking
Billy Hoffman and Bryan Sullivan released a new book on AJAX Security this last month (or so). For those of you who aren’t familiar with Billy and Bryan, they are/were involved in the SPI Dynamics group before being acquired by HP Software in late 2007. I would highly recommend that you grab a copy of this book for your library.
AJAX Security Book
[Ripped from Amazon]
Billy Hoffman is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes.
Bryan Sullivan is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review.
Posted by David Nester on Wednesday, January 30th, 2008
Filed under web hacking
It’s simply amazing to me that folks will fall for the marketing literature. Hacker Safe? I think not….
http://www.cioinsight.com/article2/0,1540,2246925,00.asp
Posted by David Nester on Wednesday, January 30th, 2008
Filed under Security
My friend and coworker Douglas Haider is going to be speaking at the ISACA New Orleans chapter meeting on Valentine’s Day (Feb 14). So for any New Orleans-area readers, or for anyone that is going to be in the area on that day, you need to go see the talk. Douglas is a great security and wireless guy. I have worked with him quite a bit since I have been at Accuvant, and I am always impressed. Below is a short blurb about the talk and a link to register. It is open to non-members as well, and it is only about $40 to register.
Today, it’s all about mobility! Companies continue to expand their use of wireless technologies to improve productivity, transmit voice and data, and use new mobile applications. Mr. Haider will discuss the importance of finding the right equipment, project team, and methodology to deploy wireless technologies. In addition he will discuss common deployment errors and mitigation techniques.
Luncheon attendees will be able to:
- Discuss emerging wireless technologies and their common uses.
- Identify best practices to mitigate common risks associated with wireless deployments.
- Identify key skills for the deployment team and steps that should be included in a wireless deployment.
You can register at http://www.isaca-nola.org/Events_Services/events.htm.
Also, Douglas is going to be speaking at the ISACA North American conference. Congratulations to Douglas for that one.
Vet
Posted by Michael Farnum on Wednesday, January 30th, 2008
Filed under Crime, Laws, Security, Social Networking
Here’s another law (trying to get passed in New York) to try to stop sex offenders from getting on social networking sites, and in particular those sites where they might contact minors. I haven’t seen the bill yet, but from what I am reading, it is essentially useless. Just like all of these laws, it is really just political posturing.
Here are some of the details I have:
- The bill is called E-STOP, which stands for Electronic Security and Targeting of Online Predators Act (very witty).
- According to InformationWeek, the bill “requires paroled sex offenders to submit their e-mail addresses and online identities to a central registry that will be used to deny them access to social networking sites. The bill also would forbid sex offenders, on parole or probation, from communicating online with anyone under the age of 18 if the offender is classified level 3 (high-risk of re-offending) or if the offender’s crime involved the Internet or a minor.”
- According to cnet: “It would be a violation of parole for a convicted sex offender to change e-mail addresses without notifying authorities within five days.”
So from those last two points, we see that sex offenders must register their email, online ID’s etc., then the sites will deny access based on that database. And also, it is a violation of parole if they CHANGE their email and don’t notify authorities within five days.
First, notice the all caps above. I sincerely hope there is a provision for adding emails and not just changing emails. Second, it really doesn’t matter anyway because a criminal is a criminal. If they are not reformed, then they are going to continue to do what they do. Drug dealers BREAK laws. Car thieves BREAK laws. And sex offenders BREAK laws.
I applaud the fact that this law is trying to be proactive and will probably stop a few people. But for the most part, this is useless. Sex offenders are going to get around this easily. It is just too simple to fake your ID on the web. But politicians have to justify their paycheck, so this won’t stop anytime soon.
Vet
Posted by Michael Farnum on Wednesday, January 30th, 2008
Filed under Security
I just read an article over at SearchSecurity.com that was talking about the security issues of opening an IPsec tunnel to a partner in order to secure some file transfers. But the real thing that got to me was that the person asking the question, as the author of the post pointed out, seemed to have some type of issue with the IT guy because he would not open up a port to help out.
Of course, there is no real explanation behind what the guy was trying to accomplish and what ports he wanted open. He might have been asking for something totally ludicrous for all I know. But the main point comes towards the end of the article:
Remember, business and security professionals are all on the same team, trying to achieve the same mission. They do, however, have different perspectives on what’s best for the organization. Put yourself in your counterparts’ shoes and try to understand that they’re attempting to manage the risk to the business.
I agree with sentence one. I agree with sentence three. However, sentence two makes no sense to me. The security department’s perspective may be different, but what’s best for the company should not be. Yes, they should have a say-so. Yes, they should be crucial to the decision making process on what is best for the company. Yes, they should write policy for management to approve. But management makes the decision on what is best, and once that decision is made, the security department should follow that decision. Again, their perspective may be different, but they cannot decide what is best for the organization. If they are doing that, then the company is being run backwards.
Don’t get me wrong. The guy making the request has the same responsibility. The company is run by management, and if he is trying to force something down security’s throat, then he deserves the push back. Everyone should be trying to abide by the decisions of management, which hopefully is what is best for the company.
Now, if the decision making by management is horrible, then obviously one has to decide if it is time to fish or cut bait.
Vet
Posted by Michael Farnum on Tuesday, January 29th, 2008
Filed under Crime, DDos, Rant, Sheesh
Man, am I getting hammered for my latest post over at Computerworld about the DDoS launched on the Church of Scientology! I really can’t engage in a lot of back and forth over there since it is not my personal site, so I will do it over here.
For all you people slapping me around over there, let me ask you something. Do you advocate the use of DDoS attacks every time you don’t agree with someone? I am seriously dismayed when an attack is downplayed such as this one. Yes, the school was inadvertently attacked. Yes, COS was the original target. And maybe the attack only lasted for a few minutes. And an apology may have been issued… BUT THAT IS NOT THE POINT!!!
This is illegal, and it is irresponsible. Tom Cruise may be weird. L. Ron Hubbard may have made up a cult out of whole cloth. But they are still an organization that has the right to exist and practice their religion. Just because they are strange does not give you the right to make the Internet your personal playground. These things always end up affecting other people, even if it is for a few minutes.
Grow up people. Quit hiding behind the anonymity of the Internet and do something about your issues the way grown ups do. Call people. Write letters. Protest on their front steps. Get the attention of the media and the people WITHOUT acting like brats.
Sheesh…
Vet
Posted by Michael Farnum on Monday, January 28th, 2008
Filed under Accuvant
Hello everyone. Accuvant (my employer) is looking for people for the wireless practice. You do not have to be an expert in wireless right now. Really they are in need of some people who have good routing and switching skills. They can teach a lot of the RF stuff.
It will require a good bit of travel, but they are starting to do some cool stuff. I have been working with the wireless team a lot lately on a couple of RFP’s (large wireless backhaul networks for cities, wireless audits, etc.), and these guys are top notch. The wireless practice director (Matt Bossom) is one of the best guys I have ever met. He is extremely responsive on helping with projects, and everyone on his team says he is a great boss. He also speaks quite a bit on wireless and wireless security, as do a few other guys on the team.
I know the other teams are looking for people as well (Assessment, Compliance, and Security Technologies), but I don’t know the details.
Let me know if you are interested.
Vet
Posted by Michael Farnum on Saturday, January 26th, 2008
Filed under Security
I recently discovered this site. This is definitely the worst exposure of PIN numbers I have ever seen. Please visit the site to see if you have suffered any inadvertent disclosure.
I’ll keep everyone updated as to the progress of my investigation into this breach.
Vet
Posted by Michael Farnum on Thursday, January 24th, 2008
Filed under DLP, Security, Security Products, Security Reselling
I took a class a couple of weeks ago on DLP (data leak/loss prevention). It was specifically the Websense Content Protection Suite (formerly PortAuthority). The class was very good because the instructor spoke a lot about how to position the product as well as the technical workings (good stuff for an SE to know). One question that arose was whether DLP was a security product. Now I have a very large definition for the term “security product” because I don’t believe that security can be stove-piped like it was in the past (even a switch can be a security product because of its role in availability).
But the point of the conversation was this: do you implement DLP for purposes of protecting data from malicious activity, or do you implement DLP for purposes of protecting against inadvertent data leakage? Basically, are you protecting against the smart bad guy looking for stuff to steal or the dumb good guy who doesn’t know it is a bad idea to send credit cards in plain text?
I was a little mixed on my opinion on this one. I understand that you have to protect against the biggest risk. Most companies are going to experience much more inadvertent loss via SSN’s, CC numbers, customer info, etc. going out through email or some such method. And because of this, it makes sense to position this type of product in such a way that you are most likely to get a sale. If you go into a medium-sized shop that has a lot of customers but little-to-no intellectual property, then you are better off positioning the product in this way.
However, let’s look at a few other scenarios:
- Client A is a B-2-B company with no CC numbers, a little customer data, and a huge software app that they developed and is bread and butter to them.
- Client B is a publishing firm that has a new book coming out from a best seller and is afraid that someone will try to steal the manuscript before publishing.
- Client C is a law firm that has all its client data in a SQL db and has not set up any encryption tools yet. They also have an application that builds legal docs for them and holds the data in a flat file.
Here is where I see DLP having problems, at least from what I have seen so far (PLEASE correct me if I am wrong, especially Mogull). You might consider positioning it in such a way that shows it can protect against data theft rather than something protecting against inadvertent loss. Then it IS a security product in that sense of the term. But the problem I have seen thus far from DLP is that unstructured data is very hard to protect. It is just not as simple as making a hash of the data and looking for that in a signature. That type of data just changes too much, and the hash would get broken all the time.
Let’s take Client A. They are trying to protect their application, so they are protecting against their source code getting out. Source code is very unstructured, so it is the hardest for a DLP solution to protect. So Joe Programmer gets paid off by a rival company, and he starts shipping out the code. If he grabs the source code and just starts dumping it, then any good DLP solution will stop the dump. But what if he starts breaking it into pieces and puts it out a bit at a time? With some experimentation, he can figure out how much gets stopped and how much gets through. It will be time consuming, but he can get it all out without getting stopped. Of course, you hope someone notices the dump while he is experimenting and goes to see what is going on, but it is still a feasible scenario.
The same is true for Client B. A book is also a very unstructured document, and the same problems will arise.
Now look at Client C. The first part of the problem is a SQL database. That can be fingerprinted fairly well and prevention can be done very well. However, the second part of the problem is unstructured data, which leads to the same issue.
The other problem I see is protecting against streaming protocols. Store-and-forward protocols are very easy to protect against, but protocols like FTP stream data out, so by the time a solution picks up on the data going out, much of it is already gone. So if it is not some malicious insider but is Joe Hacker who got in and is stealing your stuff, then you will have lost some data and will likely not have anyone to go after to recover losses.
Anyway, these are some thoughts. I am sure Rich and a few other people have written about this, but I wanted to get those thoughts out that have been on my mind since I started working on this product line. I DO know that data, being the crown jewels, is what we have to protect. I also know that many people forget to look at permissions to data as well as where the data resides, which I see as a flaw in the armor many times. One of the products out there that can help with that in the Active Directory world is Varonis. Very good stuff.
Also, Accuvant is starting a data security practice, which tells me that we are taking it VERY seriously.
Vet
Posted by Michael Farnum on Monday, January 21st, 2008
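The Client A scenario above (a whole-file hash catching a single dump but missing the code shipped out in pieces) can be played through in a few lines. What follows is an added illustration, not code from the post or from any DLP product: the "source code" being protected is a constructed sample, and the fingerprint is a toy version of the partial-document matching idea (hash every overlapping window of k tokens), not any vendor's engine. The window size and the 50% match threshold are assumptions chosen for the demo.

```python
"""Whole-file hash vs. token-window fingerprint for a chunked source-code leak.

Added illustration; not from the original post or any DLP vendor. The sample
"source code" below is constructed, and the detector is a toy partial-document
matcher, not a product's engine.
"""
import hashlib

# Constructed stand-in for Client A's crown-jewel application source (52 tokens).
PROTECTED_SOURCE = """\
def price_quote(customer_id, sku, quantity):
    base = catalog.lookup(sku).unit_price
    tier = loyalty.tier_for(customer_id)
    discount = TIER_DISCOUNTS.get(tier, 0.0)
    if quantity >= BULK_THRESHOLD:
        discount += BULK_DISCOUNT
    total = base * quantity * (1.0 - discount)
    audit.log("quote", customer_id, sku, quantity, total)
    return round(total, 2)

def settle_invoice(invoice):
    ledger.post(invoice.account, invoice.amount, memo="settlement")
    if invoice.amount > REVIEW_LIMIT:
        review_queue.push(invoice.id, reason="over-limit")
    invoice.mark_paid(clock.now())
    return invoice.receipt()
"""

SHINGLE_TOKENS = 8  # assumed window size; a real product tunes this


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def exact_hash_match(protected: str, outbound: str) -> bool:
    """Whole-document signature: fires only on a byte-for-byte copy."""
    return sha256_hex(protected) == sha256_hex(outbound)


def tokens(text: str) -> list[str]:
    return text.split()


def shingle_hashes(text: str, k: int = SHINGLE_TOKENS) -> list[str]:
    """Hash every window of k consecutive whitespace tokens (windows overlap)."""
    toks = tokens(text)
    return [sha256_hex(" ".join(toks[i:i + k])) for i in range(len(toks) - k + 1)]


def build_fingerprint(protected: str, k: int = SHINGLE_TOKENS) -> set[str]:
    return set(shingle_hashes(protected, k))


def partial_match_ratio(fingerprint: set[str], outbound: str,
                        k: int = SHINGLE_TOKENS) -> float:
    """Fraction of the outbound message's windows that belong to the protected text.

    A message shorter than k tokens has no windows at all and scores 0.0; that is
    the gap a patient insider finds by trial and error.
    """
    windows = shingle_hashes(outbound, k)
    if not windows:
        return 0.0
    return sum(1 for w in windows if w in fingerprint) / len(windows)


def chunk_by_tokens(text: str, n: int) -> list[str]:
    """Split the document into consecutive pieces of n tokens (the insider's tactic)."""
    toks = tokens(text)
    return [" ".join(toks[i:i + n]) for i in range(0, len(toks), n)]


def evasion_report(protected: str, chunk_tokens: int,
                   k: int = SHINGLE_TOKENS, threshold: float = 0.5) -> dict:
    """Ship the document out in chunks and count how many each detector stops."""
    fingerprint = build_fingerprint(protected, k)
    chunks = chunk_by_tokens(protected, chunk_tokens)
    caught_exact = sum(exact_hash_match(protected, c) for c in chunks)
    caught_partial = sum(partial_match_ratio(fingerprint, c, k) >= threshold
                         for c in chunks)
    return {"chunks": len(chunks), "caught_exact": caught_exact,
            "caught_partial": caught_partial}


if __name__ == "__main__":
    fp = build_fingerprint(PROTECTED_SOURCE)
    print("whole dump    exact:", exact_hash_match(PROTECTED_SOURCE, PROTECTED_SOURCE),
          " partial: %.2f" % partial_match_ratio(fp, PROTECTED_SOURCE))
    renamed = PROTECTED_SOURCE.replace("discount", "disc")
    print("renamed var   exact:", exact_hash_match(PROTECTED_SOURCE, renamed),
          " partial: %.2f" % partial_match_ratio(fp, renamed))
    for size in (20, 4):
        print(f"chunks of {size:2d} tokens:", evasion_report(PROTECTED_SOURCE, size))
```

Run it and the post's point falls out: the whole-file hash stops the one-shot dump and nothing else (a renamed variable or a re-flowed copy already breaks it), the window fingerprint still catches 20-token chunks because every window inside a chunk is also a window of the original, and 4-token chunks, smaller than the window, sail past both detectors. That last number is exactly what Joe Programmer's experimentation is hunting for, and it is why the detection window, not the document hash, decides how much of an unstructured file a DLP box can really protect.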
Filed under Security
In case you care, I am in Sedona, AZ this week for Accuvant’s annual sales kick off meeting. It is generally death-by-PowerPoint, but there is good stuff in there as well. We had a poker night last night, and I have to say that I did quite a bit better than I did last year.
We have had some really interesting SE discussions that have been rather enlightening, mainly about how it is essentially impossible to be an expert in every technology and trend that is out there and how to start and maintain customer relationships.
We also have made some huge internal strides within the organization to help our practice directors focus on growing and selling their respective areas. We have brought in some project managers that will be helping with RFP’s and scoping jobs, which will help us SE’s. In fact, I have already seen benefit from the PM in the wireless practice. He is helping me answer a big RFP, and I really think his contributions are going to be vital to winning the gig.
I continue to be impressed by Accuvant. We have made a lot of progress in the last year on getting organized. It was really a necessary step since we are just getting too big to act like a small company anymore. And some of the people the assessment, wireless, compliance, and implementation (security technologies) practices have brought on are very impressive. I look forward to being here for quite a while longer.
Vet
Posted by Michael Farnum on Thursday, January 17th, 2008
Filed under Security
Advice: if you are a crook working at a popcorn shop and are trying to scan credit cards, do it where the customer can’t see you. Man, if all crooks were this dumb…
Vet
Posted by Michael Farnum on Monday, January 14th, 2008
Filed under Security
I was in a training class this week, and one of the subjects that came up was compliance (it was a data leak prevention class). When the instructor mentioned a certain healthcare-specific regulation, I asked how it was spelled. The instructor delayed 1/4-second, then replied, “H-I-P-A-A”. I gave a hearty congratulations, and class resumed.
Then I started looking through an RFP I was working on, and it mentioned the same regulation throughout the document. Of course, it was spelled “H-I-P-P-A”, and no less than 5 times. It was NEVER spelled correctly. Just drives me crazy, and I am not even in healthcare anymore…
Vet
Posted by Michael Farnum on Saturday, January 12th, 2008
Filed under Security
In light of me training on Websense Content Protection Suite (formerly PortAuthority) and The Mogull doing a webcast with Websense on DLP, I thought I would start a new poll asking if your company is looking at DLP technology. Take a look and answer if you have a sec.
BTW, the class I am in is geared for SE’s, and the instructor is good about helping us learn how to position this for a sale. Very good stuff.
Vet
Posted by Michael Farnum on Thursday, January 10th, 2008
Filed under Security
Demystifying Data Loss Prevention with Rich Mogull
Data loss prevention (DLP) is one of the most hyped and least understood tools in the security arsenal.
Join us for an informative webcast featuring Rich Mogull, a renowned authority on data security. Rich will help you understand the technology behind data loss prevention and learn what to look for in a product that will work best for your organization. He’ll discuss regulatory issues, confidentiality, and the impact that unsecured information can have on your company’s business processes and, ultimately, your bottom line.
Join the webcast and you will receive a complimentary data loss prevention white paper by Rich Mogull.
Register for webcast and white paper
Live, Tuesday, Jan. 22
8:30 AM PT

Webcast highlights:
Understanding and Selecting a DLP Solution
Points of Discussion:
- Introduction to DLP
- Content Awareness
- Technical Architecture
- Central Administration, Policy Management, and Workflow
- The DLP Selection Process
Posted by Michael Farnum on Tuesday, January 8th, 2008
Filed under Security
Jim (fellow Accuvant coworker) has some good technical advice for setting up a way to protect the kids on the Internet. I am looking forward to seeing how his kids hack through it.
Vet
Posted by Michael Farnum on Wednesday, January 2nd, 2008