Wednesday, February 24, 2010

InfoSec News You Probably Missed

Hey everyone, I've been reading the wires, posts and articles and have found a few nuggets that you may or may not have already read.
There seems to be a heavy emphasis on Cyber Warfare which I can only imagine fuels security vendors' sales efforts...but probably not much else in terms of reality.  All that FUD that the government-sponsored "think tank" raised a few weeks ago with their Cyber Shockwave (of bullsh**) ...has really done nothing to give us any sort of "realistic" view of what will happen (or could happen) in an actual cyber-attack... but the fallout is everywhere.

But I digress... enjoy the stories and articles I find relevant - I hope they're relevant to you.

  • China calls Google & US's allegations of state-sponsored hacking bullsh** via the press [LINK]
  • Intel, not wanting to be left out, releases 10K filing that says "Me too! Me too!" to being hacked by China [LINK]
  • Huffington Post's brilliantly written piece [sarcasm] titled "Are we on the Brink of a Cyber War?" ...as only the Huffington Post's sensationalist needs can produce [LINK]
  • Someone calling himself "Neo" (seriously, get an original name dude) and trying to Robin Hood his way into fame in Latvia hacked the Latvian version of the IRS... Kudos! [LINK]
  • This "hacker" is my new hero - he got arrested for putting porn on a billboard! [LINK]
  • Here's an article I bet you didn't see - Chemical Facility Security News had an interesting piece on a break-in at a water treatment facility...chilling how inept the investigators are! [LINK]
That's it for now!  Send me anything you think people should be reading or hearing about ...cheers!

Tuesday, February 23, 2010

Web "Hacking" Gets (even) Easier

Just when you thought "hacking" web apps could not get any easier ...


First, there was RSnake's "XSS Cheat Sheet" which set the bar at giving you endless possibilities of XSS attacks right there so you didn't have to think about it, and now a new tool has been released that makes the whole process even more brainless.  This tool even saves you the time and clicks of copy/paste!

I'm talking about "NoMore AND 1=1".  This tool comes in 2 flavors, stand-alone and attached to the OWASP WebScarab web proxy tool... and it sets the bar even lower for those wishing to poke and prod at web sites without actually being good at hacking.

The stand-alone version can be found here, while the WebScarab attached version is here.  I highly recommend you install the Java JRE 1.6+ ...

OK, so what's so cool about NoMore AND 1=1?

Aside from the fact that it's a cheat-sheet which auto-copies to your clipboard, it has a cornucopia of attack vectors for everything from databases [MS SQL, Oracle, MySQL, DB2, Sybase, PostgreSQL] to LDAP, to XSS, to XPath, CSRF, and on and on and on... all you have to do is select an attack vector, click it and it's copied to your clipboard.  Then just paste it into an input field and voila! You're a hacker!  (not really...)

Adding to the cool factor is the way that Dani does updates to this tool.  Rather than including the signatures inside the code somewhere, they're maintained in a separate .csv file which can be regularly (or when genius strikes) downloaded and updated.

The WebScarab version is even more awesome.  Once you've got the intercept proxy working OK, you just wait for a request, and then highlight the parameter you want to tamper with, right-click, select "NO MORE AND 1=1" and pick an attack vector and BANG! You're haX0ring... (again, sort of).

Now, being the ever-curious person I am, I tested this out (just to see how simple it was!) against a site that I spend a lot of time on, Digitally Imported.  I really love my Trance music so I'm on that site a lot, and needed to make sure for myself, since I already had a tool fired up and handy, that they were taking my web security at least semi-seriously.  I was pleasantly surprised when the response to a rather complicated XSS attack was this:
"incorrect fields, stop messing around. you've been logged (IP_ADDR)"
Nice job, DI.FM coders :)

Anyway, NoMore AND 1=1 is a really neat little toy you can add to your arsenal of simple web application hacking tools, and I highly recommend it if you're ever in need of a "quick and simple way" to test the basic web app security of where-ever your browser takes you.

Good hacking!

Friday, February 19, 2010

Be careful - that slope is slippery

I remember when I first started working in corporate information security - back when no one really cared about security.  Come to think of it... nothing really has changed in 10 years - but I digress.

One trick I learned quickly back then and have been using ever since is that if you want to make something happen, prove there's a need.  If you can't prove there's a need, stage a mock incident to prove there's a need.  In case you haven't paid attention, the news has been flooded lately with the story of the US government staging a mock "massive cyber attack" to gauge response and figure out where we as a digital nation are lacking.  To some, the results were shocking.  Those of us who have worked in information security for more than 30 minutes just yawned and said "so what?"...

The Washington Post wrote "War game reveals U.S. lacks cyber-crisis skills", Information Week (Government edition) had a headline reading "Cyberattack drill shows U.S. unprepared", and Yahoo! among other outlets kept using the term "digital doomsday"... incredible.

What caught my attention initially on this was not that it was semi-officially dubbed "Cyber Shockwave" ... or that it was staged for the world to watch the epic failure we all knew would come - but this gem of a quote:

Half an hour into an emergency meeting of a mock National Security Council, the attorney general declared: "We don't have the authority in this nation as a government to quarantine people's cellphones."
The White House cyber coordinator was "shocked" and asserted: "If we don't have the authority, the attorney general ought to find it."

There is a great line from a movie, I think, that goes "if you peer into the darkness long enough, the darkness peers back"... I'm not sure I like what's staring back at us.  For those of us that are cynics of government's "good intentions" (and repeated abuses of trust and power) this has got to scare the pants off you.

The thought of the government quarantining people's cell phones is insane - think of the incredible power that the government would officially have if that were the case.

More now...
In a crisis, she said, "Americans need to know that they should not expect to have their cellphone and other communications to be private -- not if the government is going to have to take aggressive action to tamp down the threat."
She recommended that the Obama administration seek legislation for comprehensive authority to deal with a cyber emergency.
Participants also wrangled over how far to go in regulating the private sector, which owns the vast majority of the "critical" infrastructure that is vulnerable to a cyber attack. Stewart Baker, a former assistant secretary at the Department of Homeland Security who played the "cyber coordinator" on Tuesday, said that the private sector was not prepared to defend against a cyber act of war and that the government needed to play a role.
That's right, the government is going to further intrude into the private sector - or at least they have plans to.  Forgive me for donning the tin hat for a moment but doesn't the government already have secret wire-tap and other intrusive elements under the Patriot Act?  There were rumblings some time ago that President Obama wanted to be able to "shut down portions of the private Internet" in a crisis... lest we forget.

Let's widen our focus just a little bit folks... I'm all for security and being able to defend my homeland from Internet-borne attacks BUT... we need to be careful about the motivations of our dear government...
  • Over the last several years our civil liberties, specifically the right to privacy - have been depleted at an alarming rate... mostly in the name of "anti-terrorism"
  • Our government has proven that it cannot be trusted with keeping to its own rules and regulations about breaking privacy
  • Our government is at the top of the list of entities suffering massive break-ins from hostile nations, rogue states, and hackers at large
  • There are no established (at least no well-understood) precedents for search and seizure of digital devices ...yet
So let me ask you this, conspiracy fans and logical thinkers alike - was this exercise really sincere in its given intent?  Or was this a staged show (much like the security theater we're all familiar with called the TSA) to shock and awe and scare the general population into begging the government to take away more of our rights to protect us from this "doomsday scenario" which may or may not ever happen.

What sort of risk analysis has been done to see whether this type of attack is even practical?  Having worked in the energy sector for a few years doing information security I can tell you that the "fire sale" event like in the latest "Die Hard" movie is extremely unlikely at best - partially due to the Neanderthal systems and manual knobs still out there.  I could be entirely wrong - but I know for damn sure I am no more comfortable letting the government have more intrusive power than I am giving my psychopathic mother-in-law the same.

Think.  Don't follow the hype curve, and get caught up in the hysteria.  There has to be a better way than turning over our last shreds of privacy to a government... I mean, we already do that with Google!

I'm going to go put my tinfoil hat back on and sit in my panic room in the basement.

Tuesday, February 16, 2010

Seriously?

Seriously.  What the hell is wrong with everyone freaking out over yet another Google privacy snafu?



What part of "Google is a marketing company, relying on advertising revenue" don't you get?  You think Google (and others like them) make money by protecting your privacy?  Seriously?

I had that segment of Saturday Night Live called "Seriously?" run through my head just now ... Google privacy? Seriously?

Are you not aware that when you use Google's free services that you're paying the price of having your personal information exploited for the benefits of Google's monstrous financial gains? Seriously?

Did you think that Google makes a crap-ton of cash in every possible economic condition by providing free search, email, and social media apps?  Seriously?

Did you think that your friends, their contact details, emails, their interactions, places you've searched, places you've called, places you've mapped, sites you've tagged, things you've buzzed about, medical records, chat logs and everything else is ...private and cared-for by the Google privacy police? Seriously?

Hey - wake up McFly.  If you think Google's Buzz is anything but another way to exploit people's relationships, and data-mine the "hot topics" for Google's financial gain you seriously need to wake the hell up.

Hi, Google Buzz has security bugs, privacy whoopsies and most likely tons of other crap you're never going to find out about wrong with it... surprised?  Seriously?!

Someone had to say it...(again).

Saturday, February 13, 2010

Further Proof You Don't Get It

At OWASP AppSec last year I had some remarkably accurate conversations with Josh Abraham (of Metasploit, Rapid7 fame)... and I've gone back to those in my mind several times now over the last few months and scoured the 'net for signs that someone is running with those thoughts and ideas.

Sure as the DC snowpocalypse ... nope.

It's a little scary to me that Josh's thoughts on "Pen testing with a purpose" (paraphrasing) haven't gotten any buzz. I know he's worked hard on it and even wrote a pair of blog posts on it a while back ("Goal Oriented Pentesting - The New Process for Penetration Testing" and the follow-up).

I still see penetration testers using the buckshot approach where they're hired to "break into a site" and they just go at it like rabid wolves on a wounded impala.  I don't get it - how do you know when you've succeeded?  Do you count it a success when you've found XSS?  SQL Injected the database?  Broken authentication?  What's the logic?  Just sad that this topic has been rejected from conferences since so many testers need to hear it!

I say this is further proof that "you don't get it" (well, maybe not you, but...you know, you) because this seems to be the sorry state of the security field right now.  Call me insane but I would love to have a standards-based penetration testing framework which everyone built SoWs (statements of work) from.  Would it be too much to ask for some sanity?

Look, I just got done working with a customer who decided they didn't need an internal security program for their 1,000+ web applications because, and I quote, they "had an external 3rd party assessing their apps once a year".  It's so ridiculous I couldn't make this stuff up!  What's worse is that this isn't the type of company that can afford to be lax with data protection... They were kind enough to introduce me to one of the "Statement of Work" documents which basically outlined what this 3rd party (a well-known security firm, by the way...) was going to do.  "Assess the external exposure of {company} web applications"...  I made the effort to call their penetration testing "guy" and had a quick chat to see how they were doing things.

"We have repeatable processes we follow.  We basically try to identify all the stuff that's broken in the site."  {mouth agape}  I asked how they knew what the important targets within the site were - was it based on a site profile, some insider knowledge, or what... "Nope, it's just a web site, the goal is to break in".

Fail.

I could have sworn there were already some pretty good penetration testing frameworks (at least for web app pen testers) that could help focus an effort like this to things of importance within the site.  Goal-oriented penetration testing is the only way to test some of these behemoth web sites (applications) we're all seeing ... I can't be in the minority of people who thinks so, this isn't a revolutionary thought.

So - is it time to add an OWASP project for this?  (Or maybe it already exists and isn't well known?)  Let's hear it ... there has to be something I'm missing.

Friday, February 12, 2010

Comparing Apples, Oranges, and IEDs

[Before you start reading I would like to make sure I let you know that this post is my own personal thoughts, no one else's, not my employer's, my mother's or any influential friends... capisce?]


I read a Securosis post by Mike Rothman today that nailed it.  Absolutely brilliant... but I wanted to expand on it some because I think there is a little more that needs to be said.

The long and short of it is this - product reviews are dead.  The days of real, useful product reviews have gone the way of the honest politician.  Not only that - but publishing one is a great way to lose any credibility you have and potentially make enemies.

The sad fact as Mike points out is that there aren't any good independent review companies out there ... (wait - are there?) I submit for consideration NSS Labs, run by Rick Moy and Vik Phatak, which has both the capability and credibility to perform an "unbiased real-world comparison" of security software/hardware.  The problem is defining "real world" and making it useful for anything beyond a baseline.

As I mentioned, "real world tests" are very hard to come by.  Here's why... (if you get it, skip ahead)...

First let me give you a completely non-IT example.  If you watch TV at all you've seen one of those really cool car commercials where the SUV is racing through the desert, or doing something you look at and think "I'm never going to do that".  Then, the voice comes on to tell you that in a "real world comparison" their car got better gas mileage than the competition; "people preferred their soda 3 to 1" ... you laugh at those right?

Now consider the IT environment you work in.  The hardware, software, techniques and nuances of your business.  Furthermore, consider how vastly different it is from your previous job.  Now ... imagine trying to build something that would be a perfect fit into both environments.  If we're talking web application testing tools [my particular specialty] this becomes even more complicated and you can see where things get out of control.  Some develop .Net, some Java, some PHP and others ColdFusion... then there's AJAX, Web Services, Flash, Flex and that's just the easily defined stuff.  If your head isn't spinning tell me how you do it.  There are too many things here to keep straight, much less write a piece of software that will "address them all".

Moving on.

Assuming that you trust the source of the report as independent and competent (a big leap) you can, on a good day, at best use it as a baseline.  Your deviation from that baseline directly impacts your mileage from said report.  The big question once you've decided the source is both trustworthy and intelligent (again a big leap these days...) is how much can you actually gain from reading a product comparison against some far-off battery of tests.  Consider this - if a WAF product is tested in a "real-world test" against a .Net application, how does that translate into my business which is made up of RESTful Web Services built on a custom web platform?

Let me make it real simple - 9 out of 10 dentists agree - the answer is "who the hell knows?!"

Here's another angle to this that makes no sense to me.  Working for a web app security tools vendor [for full disclosure, vendor name is irrelevant] I have seen people read reports from independent 3rd parties and go into a mental melt-down.  Inevitably they see results that someone in a lab somewhere produced and it doesn't match the evaluation they did for themselves... in their environment.  Whiskey Tango Foxtrot.  Talking someone off a ledge after they've done this to themselves is no fun, either - because they assume you're just another vendor trying to spin it your way.  While it's true - no matter who does the testing, what the results - everyone will spin it their own way.  Please, folks I urge you not to lose your heads... nothing trumps the evaluations you do yourself.  If the SUV you drive performs better in your case than their competitor says on a commercial - don't go out and buy the competing product just because they say so.

Finally, just a quick word on independence.  Look boys and girls, no one is truly independent.  Everyone has an agenda, everyone has their personal bias they acquired through personal or professional experience, friendships, whatever.  I would love to say I'm different but I'm not... and you're exactly the same.

Philosophically - I would love to see each niche group in InfoSec go through a yearly "product validation" by a 3rd party that is truly independent and transparent in their methodologies and practices.  I think that, in the end, would result in higher quality products, less smoke/mirrors from sneaky sales folk, and a general increase in the security posture of everything ... and why wouldn't we all want that?

Tuesday, February 9, 2010

Accidental Anti-Automation in Web App Sec

(or ...To Custom Error Page, or Not to Custom Error Page?)

Sherif wrote an interesting piece today on his blog titled "Why You Should Re-consider Custom Error Pages" and it got me thinking.  I've seen a few web applications in "large companies" over the last several years both from the developer side, and now as a vendor working with web app security scanning tools - and there are two sides to this debate over custom error pages.  Custom error pages actually serve two very distinct purposes - and I want to outline them here for discussion.

First off, it's probably most widely accepted that custom error pages (or "friendly" error pages) are a usability bonus for the user.  When something goes south it's nice to give the user a sense that the administrator (or developer, as the case may be) has the issue under control and is working on a fix.  The "oops, something went wrong, but don't worry we're working on it" page has become somewhat common in the SoMe (Social Media) landscape. That's all well and good, and making the user feel less disheartened is always a good thing - but there are actually other benefits here.

Secretly, security people like me love it when developers choose to custom-code error pages.  Rather than giving a possible would-be attacker any more knowledge of the site by throwing some error dump to the browser it's significantly more "security conscious" to just throw a generic error page.  Oftentimes error pages have hidden nuggets of information an attacker can use against you - such as internal IP addresses, server names, connection strings (in the case of SQL Injection) or other useful information that can be used in the commission of the attack.  Custom-coded error pages generally throw up a cute graphic and something to the tune of "Oops... sorry" and that's pretty much it.

That's two great benefits... but as those TV pitchmen say "but wait, there's more!"  There's also an added benefit here that's been eluding even some of the more security-conscious developers.  Generally you don't think of this issue (or benefit) until you've tried to scan a site that has this accidentally brilliant feature.  What am I talking about?  Try scanning a site with a web application security tool (it doesn't matter which you pick) when every "error" page (404, 500s, etc) throws back a status code 200.  Maybe you're even sent back the index (or home) page!  If my scanner is looking to execute some attack whereby I request a specific resource on the machine - even though it's not there - the server returns a status code of 200 ("everything's OK") and the home page - the scanner is left thinking that the attack was successful.  This has a tendency to generate thousands of false positives.  This kind of thing can frustrate some of the less determined attackers (I won't give them the hacker title here, they don't deserve it) and cause them to move on.

If no matter what you request the site sends back an HTTP/200 status code with some normal looking page - how do you tell that something worked ... or failed?!  Now, arguably there are parameters you can tune, and tell your scanner that even though you get an HTTP/200 the fact that the "homepage" comes back means that the attack failed - but seriously - how many people actually get that deep into the configuration of these tools?  What's worse, many of the freely available, or custom-written ones, don't even have that as an option!
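The soft-404 behaviour described above, and the scanner-side baseline check ("the homepage came back, so the request failed") that defeats it, as an added Python example; this is not code from the original post or from any scanner, and the site, its paths and its page bodies are constructed for the demonstration:

```python
import itertools
import re
from difflib import SequenceMatcher

# Constructed sample pages (not from any real site).
HOME_PAGE = (
    "<html><head><title>ExampleCorp</title></head><body>"
    "<h1>Welcome to ExampleCorp</h1><p>Latest news: 2010-02-09</p>"
    "<p>Session id: {sid}</p></body></html>"
)
PRODUCT_PAGE = (
    "<html><head><title>Widgets</title></head><body>"
    "<h1>Widgets</h1><p>Buy our widgets.</p></body></html>"
)
STRICT_404 = "<html><body><h1>404 Not Found</h1></body></html>"

KNOWN_PATHS = {"/": HOME_PAGE, "/products": PRODUCT_PAGE}
_session_ids = itertools.count(1)


def soft_404_server(path):
    """Simulated site from the post: every miss is answered with HTTP 200 and
    the home page. A changing session id keeps the bodies from being byte-identical."""
    sid = str(next(_session_ids))
    if path in KNOWN_PATHS:
        return 200, KNOWN_PATHS[path].replace("{sid}", sid)
    return 200, HOME_PAGE.replace("{sid}", sid)


def strict_server(path):
    """Conventional site: a miss gets a real 404 and a bare error body."""
    if path in KNOWN_PATHS:
        return 200, KNOWN_PATHS[path].replace("{sid}", "0")
    return 404, STRICT_404


def normalize(body):
    """Strip tags, digits and whitespace so volatile bits (ids, dates) do not break matching."""
    text = re.sub(r"<[^>]+>", " ", body)
    text = re.sub(r"\d+", "", text)
    return " ".join(text.lower().split())


def build_baseline(fetch):
    """Request a path that cannot exist and record how the site answers a miss.
    This is the tuning step the post says few people bother to configure."""
    status, body = fetch("/__baseline__/does-not-exist")
    return {"status": status, "body": normalize(body)}


def naive_exists(status):
    """Status-code-only logic: the source of the thousands of false positives."""
    return status == 200


def baseline_exists(status, body, baseline, threshold=0.9):
    """A response is a miss if it is 4xx/5xx OR its body is nearly identical to the
    site's known miss response, whatever the status code claims. Caveat: the real
    home page itself will also look like a miss, so verify with a known-good path."""
    if status >= 400:
        return False
    ratio = SequenceMatcher(None, normalize(body), baseline["body"]).ratio()
    return ratio < threshold


def probe(fetch, paths):
    """Return {path: (naive_verdict, baseline_verdict)} for each probed path."""
    baseline = build_baseline(fetch)
    results = {}
    for p in paths:
        status, body = fetch(p)
        results[p] = (naive_exists(status), baseline_exists(status, body, baseline))
    return results


def false_positive_count(fetch, paths):
    """Probes the naive logic reports as present but the baseline logic rejects."""
    return sum(1 for n, b in probe(fetch, paths).values() if n and not b)
```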

Frustrating the "low hanging fruit" attackers is beneficial for many reasons including less noise in your logs - so this added side benefit comes in handy!

So, there you go... write those custom error pages!  Demand that every site you work with behaves in this manner... no matter what ridiculous thing you ask it to fetch - make sure the response is "OK, no problem!"

Good luck!

Monday, February 8, 2010

A Quick Word on Security Conferences

Since I started speaking at conferences again just over a year ago I have started to notice a few things:

  • I am seeing the same people over and over
  • These same folks are the ones who already "get it"
  • Attendees vary by region (rarely do people get to travel too far)
  • Those that I can't say get it are -really- clueless
  • Some very basic concepts are still eluding many security conference attendees
  • Attendee counts have dropped drastically
Now, as a quick commentary on what this really means - I thought I would start by saying that I think it's good that we're getting attendees that continue to come out and support the cause.  Even though, predictably, the crowds are smaller it seems like the folks who are coming out are still fighting the good fight in their respective corners of industry.  My one concern is that the newcomers to some of these security conferences are really green.  I'm not talking about being environmentally conscious, I mean clue challenged.

I recently spoke at SANS, and while it was a small niche conference on the left coast I think we had a pretty good turnout.  My topic was pretty high level, speaking of the Web 2.0 dangers ("When Web 2.0 Attacks") and I could tell that some of the folks clearly got it - but what concerned me was that I could tell not everyone did.  Specifically speaking my talk wasn't rocket science and I wasn't releasing any ninja code-fu 0-day, nor was I explaining how to write shellcode for embedded systems ... this was conceptual "Web 2.0" stuff... hrmm.

I also saw some of the same things I'm used to seeing - people falling asleep (seriously, why show up?), people yacking on their cell phones or thundering away on their iPhone or BlackBerry keyboards answering emails (again, why come?), and then there were the glazed-over faces which can only mean one thing: clue challengedness.  I would break down the room like this: 30% got it (or they already knew it), 40% were being successfully woken up to the harsh realities, and the remaining 30% was absolutely lost.  I welcome you to read through the slides, then answer this one question: "Was this something the average person should comprehend?"

If your answer is yes - then you're in my camp.  You're wondering why people aren't getting it.  If your answer is no - leave me a comment and I want to know where I failed.

Oddly enough, earlier tonight I had a great conversation with Jeremiah Grossman, and he reminded me of something someone had mentioned a while ago... There are no easy entries into web application security.  Think about it.  As Jeremiah put it- "If someone asked you right now what they should do to get into web application security, what would you answer?"  I've been asked that question many, many, many times and I always have a really crappy answer... because I fear there are no good resources for beginners.  I think that's a failure of those of us that get it.  I think we're completely failing to educate others and thus we're causing a serious lack of talent, and thus driving down the overall security posture all around.

Now, I get that some people simply can't travel due to insane budgetary cuts all around every industry but that's really no excuse to be clueless.  We shouldn't be (as Jeremiah put it) "eating our young"... but I'll let him expand on a post of his own.

I encourage those of you who are out there, and "in the know" to reach out and teach.  Help increase collective IQ of the security fold... the more smart people we have the better we all are.