Blog

  • Rebutting MJR’s rant

It was nice to see Marcus Ranum (who has an interesting slant to the security industry) get some press again. This time it’s on responsible / full / no disclosure. In a probably unrelated attack, his site is defaced by an SEO blackhat. Irony, eh? If only he had patched or used software which has learnt the hard lessons.

    Here’s the anti-rant I wrote my co-workers a Friday or two ago:

    Ranum’s argument has four major elephant sized flaws (at least).

Firstly, he states that security has not gotten better. This is clearly wrong. Security has gotten a great deal better, but so have the attacks and our knowledge. However, the impact of attacks has been steadily decreasing. When I first joined the Internet, there were perhaps 100,000 people on it at a very small number of sites. That year, the Morris worm nearly destroyed the entire Internet. There have been no significant attacks like that for some time. Yes, there are more attacks, but considering there are more than a billion of us on it now, that’s to be expected. Attacks require a great deal more skill today than in Morris’ time. Old software, particularly in webappsec, is trivial to exploit. Proof – modern stuff which is hardened through the lessons we’ve learnt is very hard to exploit. Software which does not heed the lessons is trivial to exploit (see MJR’s site, natch!). Without some pressure, all software would be trivial to exploit, not just the lesser used stuff.

Secondly, he states that disclosing vulnerabilities is akin to shouting fire when there is barely any smoke. The implication is that you should never shout fire, even if there is the possibility of fire. However, if no one shouted fire, children’s pajamas would still be made of highly flammable materials resulting in third degree burns or death instead of the slow-burning or insulating materials we have today. Only through research, standards and indeed, advocates (akin to vulnerability researchers) doing shock stories on tabloid TV did we move from obviously deadly dangerous to moderately safe. Fire is a particularly weak analogy as the metaphor breaks down very quickly – fire always occurs and is a natural phenomenon.

Thirdly, Ranum ignores evidence that contradicts his position. Vendors and customers are hurt by rampant full disclosure, and I agree that some folks are only out to get on CNN for a few cycles. However, responsible disclosure is the only proven way to make security-sloppy companies like Oracle pay attention – eventually. It made Microsoft more secure, and I think if you look at NT 4.0 (1996) versus Vista (2006), Vista is a much larger but harder target. Oracle’s CSO is (in my view) negligent because she thinks like Ranum, and refused to protect her customers and ipso facto all of us.

Lastly, Ranum HATES – and I mean truly despises – upgrading software. This leads directly to his point of view that if there was no disclosure, there would be no (or much less) patching, therefore he wouldn’t have to upgrade. This is a logical fallacy as one does not lead to the other. If all of us had his world view, we’d be running NCSA web server with no firewall on SunOS 4.1, i.e. completely unsafe. How would Microsoft|Apple|Sun have learnt how to secure (as best they are able) their operating systems without the challenges of security researchers and malware creators? It’s like MRSA golden staph – damn near unkillable around hospitals today. It didn’t get like that because we used soapy water.

He rants against the creation and sale of malware as if we’re powerless to stop it. However, it is already illegal to do this in many countries. So if someone writes malware, they are already breaking the law. Why would they stop now, or in the past in his alternate no-disclosure universe?

I remember a few years ago that CERT sat on a major DNS issue for oh 8 years (I’m making this number up, but it was not a few months) until the last root server was upgraded to bind 8.something. There was an architectural flaw that could have destroyed the internet with a few packets. And I knew about this in like 1992 or 1993, and at that stage I was not in the security game fully – just a sysadmin. It only required someone with bad intentions and the Internet would have been dead. Why X years? Because there was no impetus to upgrade the root servers, despite it being 14 times redundant, simply because CERT sat on the problem. When I met Spaf a few years later at a SAGE-AU conference, I asked him about this, and he was unapologetic about it. Who gives him the right to decide if the Internet stays alive or not? It should have been fixed, and indeed it was fixed – eventually.

Will we ever be secure? No. Will Ranum’s or my site be safe from attack? Doubtful. Ranum is simply wrong if he thinks that by stopping disclosure we will suddenly become safe.

    Ranum’s alternative is no alternative.

    ps. I am no apologist for unrepentant full disclosure types out for their 15 minutes on CNN. Hint: I will never employ or recommend ANY full disclosure folks.

  • OWASP Top 10 2007 nearly done

    This edition’s headings:

    A1. Cross-site scripting
    A2. Injections
    A3. Insecure Remote File Include
    A4. Insecure direct object reference
    A5. Cross-site request forgeries
    A6. Information leakage and improper error handling
    A7. Malformed input
    A8. Broken authorization
    A9. Insecure cryptography and communication
    A10. Privilege escalation

    Note what’s missing? Note what’s new? 😉

    If you want to review it, please mail me. We are putting it out to at least a month’s peer review, including previous users such as PCI and SANS, as well as folks who had no particular love for the old 2004 edition.

    Unlike 2004’s edition, updating the Top 10 will become a yearly event. With some luck, we will be releasing it each and every January.

  • I’m so glad I waited…

    JUNE!!!! Why June!

    Looks as if I’ll be an AT&T customer come June. Buy AT&T stock now!

  • Our new car

    As most of my friends know, I’m a bit of a car nut. It always gives me pleasure to buy a new car, which is why I keep them about three years on average. However, this time it was less than pleasurable on two fronts: I had a terrible cold and Tanya had a broken nose (more on that in another post), and the strange way pricing and haggling works in the USA.

Dealers have so long dealt with consumers who are terrified of not getting an unbelievable deal that they create fake “invoice” prices, along with the MSRP (RRP to Australians). Generally, you can find out what the invoice price is from web sites. The invoice price is hidden in Australia, but typically, it’s 15-20% less than the ex-tax RRP. In Australia, you try to get options and the dealer prep charge thrown in for free, and generally I think a good deal is done when this occurs. The dealer makes a reasonable profit, you get a good price, and relations with the dealer remain cordial.

    However, here in the USA folks will start a few hundred or more under “invoice”. However, dealers have holdbacks and volume bonuses beyond the invoice price, which mean that the invoice price is no longer the invoice price, plus they are sticklers on keeping the destination charge, despite freight being part of the invoice price.

    So if you get a car for invoice, the dealer makes about a $500 – $1k profit or so, and you think you’ve done a good deal. However, on some popular cars, dealers will hold out for MSRP and they make a few thousand per car. This is what happened to us. We originally started out looking at the Honda Fit (Jazz in Australia), Toyota Prius, and VW Rabbit (Golf everywhere else in the world). I wanted a Prius, Tanya wanted the Jazz.

The Jazz is backordered to March. No good for us – the USA is not a place to be without a car. But we found ourselves looking at the new CR-V. Again, as most of my friends know, I hate SUVs. But for some reason this one is different. It drove really well, it’s not that huge, and it’s car like (its monocoque construction and modern suspension and Honda’s version of all wheel drive (it favors the front wheels unless they slip, in which case drive heads to any remaining wheels with grip) made it a nice ride). But the dealers knew they had limited stock and lots of waiting buyers, and even though they wanted to shift units (they have to pay tax on any units left on their lot on January 1st), they universally stuck to MSRP. So we walked away, which is a shame as it’s a very nice car.

    Strangely enough I now have a bunch of Honda dealers giving me very close to invoice pricing on the CR-V. So I will remember this in the future – go a week beforehand and walk away when they give you crappy pricing.

After Honda, we test drove the Prius. I loved it. I wish we could have bought it. But Tanya HATED it with a passion. Oh well. Maybe I can buy one as a second car in a couple of years’ time.

    Some folks on newbeetle.org recommended a nearby VW dealer and the sales dude there. We went to Antwerpen VW, and test drove the VW. I was worried about the test drive as Tanya seems to be very picky with her cars, which is strange as she’s very much a car appliance (A to B) buyer. VW has a reputation (which I can back up personally) for making unreliable shit heaps, so that was weighing on my mind as we test drove a Rabbit. Luckily, Tanya liked it, I liked it, and they had a few on hand so I knew I’d be getting a good deal.

    The haggling was straightforward – he offered us invoice straight up. So the haggling being over, we started on finance. That was awful. After three visits and nearly a week later, we finally can announce our new car: a black VW Rabbit 2.5 auto, with ESP, extra airbags, upgraded stereo and sunroof.

It drives lovely, is nice and quiet, has a delicious throbby 5 cylinder note, and has all the mod cons you’d expect. The only downside is that our car payments are horrendous, but after 12 months, the car is ours to own. Luckily, my new job has a salary to match, so although we will have to be careful, we’ll be okay. This means that when we are likely to have a new kid (assuming we succeed!) we will not have any car payments, which will be lovely.

  • WebAppSec Past and Future

    All the cool kids get the press for the wrong reasons. It’s much easier to destroy than to create. Therefore, my 2006 and 2007 lists will only highlight those things which I think have helped create safer web apps, not made it harder for us to protect against them.

    2006 Highlights

    • IE 7.0 released. Seriously. Prevents many phishing attacks, reduces the damage through low privilege browsing, and stops some forms of XSS (including the recent Adobe PDF problem). Firefox and Apple could learn a few things from Microsoft.
    • Publication of Ajax Security guidelines by many folks (including me)
    • PCI updated their guidelines to encourage vendors to take CC handling seriously, mandating code reviews by 2008
    • Folks who are normally hidden started blogging, such as this PCI DSS blog and this
    • OWASP Testing Guide gets off the ground in a big way. When this is released (soon!), normal folks will have a way to review existing code properly.
    • OWASP Autumn of Code starts, funding approximately nine projects (8 were chosen and we funded another as it is strategic to OWASP’s mission). Many projects are nearly finished! This has been extremely successful and we will be doing it again in 2007
    • Encoding gets a fresh look: OWASP Encoding library and Microsoft’s revamped AntiXSS library which takes the refreshing approach of deny all crap and let through known good.
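The “deny all crap and let through known good” approach mentioned above, as an added example: this is not code from the post, the OWASP Encoding project or Microsoft’s AntiXSS library, but an HTML encoder written the way the post describes those libraries working. Instead of searching for known-bad characters, it passes a small allow list of characters through unchanged and encodes every other character as a numeric character reference. It assumes the mbstring extension (mb_check_encoding, mb_ord) is available; the sample input is constructed.

```php
<?php
// Added example (not from the original post or the libraries it names):
// allow-list HTML encoding. Everything not on the known-good list is
// encoded, so a "dangerous" character we forgot about cannot become markup.

/** Characters that may appear unencoded in an HTML element body. */
const HTML_SAFE = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 .,_-';

/**
 * Encode $input for use as HTML element text (not for attributes, URLs
 * or JavaScript, which need their own encoders).
 * Anything outside HTML_SAFE, including < > & " ' / and every non-ASCII
 * character, comes out as &#xHH;.
 *
 * @throws InvalidArgumentException on malformed UTF-8, which a browser
 *         might otherwise re-synchronise in surprising ways.
 */
function encode_for_html(string $input): string
{
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    $out = '';
    // Split into code points, not bytes, so a multibyte character becomes
    // one correct reference rather than two or three wrong ones.
    foreach (preg_split('//u', $input, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
        if (strlen($ch) === 1 && strpos(HTML_SAFE, $ch) !== false) {
            $out .= $ch;
        } else {
            $out .= sprintf('&#x%X;', mb_ord($ch, 'UTF-8'));
        }
    }
    return $out;
}

// Constructed sample input: a reflected-XSS probe plus some non-ASCII text.
$probe = '<script>alert("xss")</script> Grüße';
echo encode_for_html($probe), "\n";
```

The point of the design is that the encoder never has to be updated when someone discovers a new way to break out of an element body: the allow list is the complete contract. Attribute values, URLs and script blocks have different grammars and need their own allow-list encoders rather than this one.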

    2007 Projections

    It’s going to be a very busy year for vendors in this space, such as my new employer, Aspect Security. With PCI compliance coming through the works, folks writing PHP apps finally grokking that they need code reviews and pen tests, it’s going to be a bumper year.

    Things that I think will make a difference or need more research:

    • Protections against malicious XSS. This will almost certainly focus attention on Javascript implementations
    • Better browser protections for users. All browsers need to look at IE 7.0 and think of that as a starting point. You hearing me Firefox and Safari / webkit devs?
    • Research into safe I18N methods and prevention. This is an almost completely green field today, and needs serious researchers
    • Working on safer API for free form protocols such as XML and LDAP which are essentially utterly injectable today
    • Work with the PHP group to get them to make PHP 6 safe by default. They have an excellent opportunity and a huge responsibility to not screw up
    • Open source web app sec training for open source languages such as PHP and Ruby is direly needed. Lots of information out there, but how to publish to this audience? Extremely challenging
    • Projects utilizing the latest fads (Spring, Ruby, Ajax, etc) MUST catch up with the latest in webappsec trends or they WILL fail. It is not enough to adopt the latest and greatest fad and think it’s secure. It’s not.
    • Folks like Gunnar Petersen are getting the secure SOA message out there. This baby’s time was several years ago, but I think in 2007 large organizations will finally start realizing that hooking up web services to 30+ year old Cobol is an insane proposition without a dose of security
• REST will be put to rest, as it is insecure and cannot be made so… without looking an awful lot like WS-*. At which point you may as well use WS-* and be done with it. SSL != secure.
    • A lot greater focus will have to be paid to business logic security. Code scanners and app scanners CANNOT find this stuff, and yet it is the raison d’être for the web apps. Securing business logic requires hard graft, and a great deal of focus in the architecture and business requirements phase. Hopefully, OWASP will be working on secure architecture, business requirements and design resources this year.

However, it’s going to be an annus horribilis for folks who cannot or will not undergo PCI compliance. PCI compliance is mandatory in 2008, and doing brain dead stuff like storing credit card details will mean many smaller CC gateways and providers will have to shut down, leaving only the big providers. This will mean higher processing fees and less competition. However, the reality is that the financial and identity theft losses from non-compliant places outweigh the benefits from letting them live. I’m happy to pay a little extra and know that my details are reasonably safe from unsavory types.

  • Welcome 2007! You cannot have come soon enough

    We’ve moved to the USA and we’re nearly settled in now. Only 13 boxes to unpack… which is funny as we shipped 13 boxes.

Unfortunately, we’ve had a bit of an illness closeout to 2006, and if anything, we’d like to say “sayonara” to 2006 with a vengeance.

    Just after arriving, Tanya ended up with reactive arthritis. After nearly a month of painful days, drugs which make her ill, and with a lot of tender loving care, she was finally getting better. We had almost a day where she could walk without crutches and do stuff without being nauseous or tired.

    However, we bumped into each other whilst pottering around in the bedroom, and in the jostle her nose broke again. To top it off, I got a bad cold the following day just as we needed to buy a car (I’ll blog about this later). Now I’ve given the cold to her. I can’t imagine how painful blowing a broken nose is.

We’ve had some really good times here since moving – we were invited to several Christmas parties, offers which we took up. Tanya came to two of them, but unfortunately, had to give Diann’s Christmas party a miss due to her illness, and we had to leave early at the Wichers’. Despite the health issues, we’re settling in nicely.

  • Comments for 2006 lost 🙁 🙁 🙁

    My host was attacked, and there was a fair amount of data loss. In this blog’s case, it is all of 2006’s comments.

    We’re moving hosts soon, but unfortunately, some really key comments have been lost, including the ones I didn’t believe in.

    Oh well.

    Andrew

  • It’s not opinion, Richard

For the second time, I helped SANS compile their Top 20. I don’t know about the other sections, but C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes:


    As far as the nature of the list goes, it’s important to realize that it’s based on a bunch of people’s opinions.

    Actually, no. My section is based upon hard core data from MITRE, as will the forthcoming OWASP Top 10.

    MITRE web app sec data

    The only entry which I forced into SANS Top 20 is CSRF because it’s REALLY important to fix over the next 12 months. We only get so many chances to speak to this particular audience and CSRF deserves attention. The OWASP Top 10 also has CSRF. Remote File include, which affects PHP more than most, is EXTREMELY heavily attacked. It’s actually the primary attack vector for PHP stacks. It belongs in the list. My mum can discover XSS – it belongs in there. SQL injection can be found via automated means and this is the worst bit – we have methods to utterly avoid it – if only devs would stop using vulnerable API! rdbms_query() should simply not be supported in future PHP releases. And ditto for other languages and frameworks.
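The “vulnerable API” point above, made concrete as an added example (this is not code from the post). Both functions below look up a user by name. The first builds the SQL by string concatenation, which is the pattern that mysql_query()-style APIs invite; the second sends the value through a PDO prepared statement so it can only ever be data. It assumes the pdo_sqlite driver so it runs against an in-memory database, and the rows and payload are constructed.

```php
<?php
// Added example (not from the original post): the same query written
// against a raw-string API and against a parameterised one, exercised with
// a tautology payload. Assumes PDO with the sqlite driver.

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, email TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

/** VULNERABLE: untrusted $name is spliced into the SQL grammar itself. */
function find_user_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** SAFE: the SQL text is fixed; $name travels separately as a bound value. */
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setup_db();
$payload = "x' OR '1'='1";   // constructed tautology payload

// The quote in the payload closes the literal, so the WHERE clause becomes
// name = 'x' OR '1'='1' and every row comes back.
var_dump(find_user_vulnerable($db, $payload));

// The payload is compared as one opaque string; no user has that name,
// so nothing comes back.
var_dump(find_user_safe($db, $payload));
```

Note that no escaping function is involved in the safe version: the fix is not to sanitise the input better but to use an API in which the input cannot reach the parser as SQL at all, which is exactly why the post argues the raw-string API should go away.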

    Worse still, Richard misses the forest completely when he says that “… it’s called an ‘attack targets’ document, since there’s nothing inherently ‘vulnerable’ about …”. It doesn’t really matter if it’s a weakness, action item, vulnerability or attack. If it’s something you should know about, it belongs in there. Like phishing, like webappsec, and so on. Don’t play semantics when people are at risk. That’s the job of cigarette and oil companies.

    It’s basically impossible to find out how much certain types of attacks net criminals, or how much pain identity theft victims suffer, or how much a life is worth when an attack takes out vulnerable biomedical equipment. I’d rather have my blog spammed by hundreds of scripts than one single skilled and motivated attacker take over the host this blog resides on due to security defects in WP. A simple numerical attack number is useless. A simple $$$ figure is going to be wrong and misleading. It’s impossible to *rate* attacks.

    We must do it via vulnerabilities discovered, and I’ve done that.

    So for us, MITRE data is as good as it’s going to get, and I’ve used that for the top 4, plus one item which is going to be the major form of weakness/vulnerability/attack as folks work out how horrible it is to use CSRF resistant software, and it’s going to get worse when Ajax enabled apps do *everything* via XHR, rather than just a subset of their functionality.
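A synchronizer-token CSRF check of the kind developers will have to live with, as an added example that is not code from the post. The token is bound to the session, compared in constant time, and accepted from either a hidden form field or a request header, so the same check covers full-page form posts and the XHR calls the paragraph above anticipates. It assumes PHP 7+ with sessions in use; the `csrf_token` field and `X-CSRF-Token` header names are this example’s own choice, and the request arrays at the bottom are constructed.

```php
<?php
// Added example (not from the original post): synchronizer-token CSRF
// protection. Assumes session_start() has already populated $_SESSION.

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field for a traditional HTML form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate a request. Safe methods (GET/HEAD/OPTIONS) must never change
 * state and are not checked; every other method must carry the session's
 * token in the csrf_token field or the X-CSRF-Token header. A cross-site
 * form post cannot add a custom header, and same-origin policy stops a
 * cross-site page from reading the token out of our pages, which is what
 * makes the check meaningful.
 */
function csrf_check(string $method, array $post, array $headers): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $headers  = array_change_key_case($headers, CASE_LOWER); // header names are case-insensitive
    $supplied = $post['csrf_token'] ?? $headers['x-csrf-token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;   // no token issued yet, or attacker-shaped input (e.g. an array)
    }
    return hash_equals($expected, $supplied);   // constant-time comparison
}

// Constructed self-test; in a real handler you would call
// csrf_check($_SERVER['REQUEST_METHOD'], $_POST, getallheaders()) and
// respond 403 on false.
$_SESSION = [];                                   // stands in for session_start()
$token  = csrf_token();
$forged = ['csrf_token' => str_repeat('0', 64)];  // attacker's guess
assert(csrf_check('POST', ['csrf_token' => $token], []) === true);   // form post
assert(csrf_check('POST', [], ['X-CSRF-Token' => $token]) === true);  // XHR with header
assert(csrf_check('POST', $forged, []) === false);                    // wrong token
assert(csrf_check('POST', [], []) === false);                         // no token at all
assert(csrf_check('GET', [], []) === true);                           // safe method, unchecked
```

The painful part the post alludes to is not this function but plumbing: every state-changing form needs `csrf_field()` in it, and every XHR wrapper needs to attach the header, which is why the check is simplest to retrofit when all writes already go through one request layer.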

    Rohit did a great job herding many, many cats. I really wanted 10 things in there for developers to check and do as web app sec vulnerabilities are now the Top 11 or so attacks. But SANS is a system administration resource, and thus they turned the focus around for system administrators. Fair enough. That’s why we have links to OWASP for those folks who need it.

    For Richard to state that the SANS document is my opinion, I don’t think so. I concentrated heavily on fact. In other related news, the OWASP Top 10 is nearing that happy point when it will need peer reviewing. If you’re interested, come join the Top 10 mail list at OWASP.

    ps. that graph above although it is the MITRE data does not indicate the Top 10 headings. We’ve got something special for you all! 🙂

  • Aaaah I can see!

The last nearly 24 hours have been a complete nightmare. I now know how valuable my eyes are to my very existence and what a crap time partially blind and blind folks have with normal software.

I was sitting in a waiting room with the wife, boasting that my glasses were indestructible as they were made of a titanium alloy. Less than two hours later, they were feeling a bit wonky. I took them off to clean them. To my utter surprise and dismay, two halves broke away in my fingers. The titanium bridge, supposedly one of the strongest points on the frame, had broken clean in two. 🙁

    glasses.jpg

    I can’t see crap without them. The entire world is a blur. I can’t read, I can’t see. I turn on universal access in Mac OS X and I can’t use it. Too many programs are inaccessible – Word doesn’t read to you unless you click the button on the speech toolbar to read to you. I can’t easily see that. I magnify the screen up and you see like three buttons at once, and it’s still blurry. I’m starting to get a headache. Entourage is “Button 3 Button 3 scrollbar”. It never reads e-mails to you. Apple Mail is MUCH better. So is Safari – both work just fine with the text to speech accessibility aide.

    At the moment, I’m using Eclipse, and being a Java program it’s simply not working properly with the system’s accessibility aides. So I give up. I’m stuck – I can’t drive anywhere, and I can’t do crap.

    Dinner is brown and white globs of food until they resolve themselves in my mouth. I try watching the big arse TV (bigger than the one Frasier’s Dad has), but it too is blurry. Tanya took pity on me and we went out to a nice coffee and cake place I know at the ferry terminal. There was a black and unreleased SUV (probably the new Freelander) doing an ad there. I wish I could have seen it as I’m a bit of a car nut, and even though I despise SUVs, I love seeing new releases before anyone else. I couldn’t even check out the hot chicks in the cafe as they’re all blurs. Tanya checked out the restaurant for hot chicks (other than herself) for me, and reckoned there was a couple of scraggers and not much else. Best. Wife. Ever!

    We come home, but Tanya would not read a bedtime car magazine story or three to me. I feel really helpless without being able to read myself, but remember her putting up with my pitiful moaning at the cafe and let it be.

This morning, we got up early and went to an eyewear place which does “same day” prescriptions, had my eyes checked, and luckily, as my glasses are newish and very funky, they had the same exact pair there. They swapped out the broken bridge for the one from that pair. But as I don’t trust these glasses now and I don’t have a spare pair of glasses any more (it’s all packed away), I had my eyes checked and I’ve got a new pair of glasses on order. They’ll be here by next Thursday or so as my prescription is pretty funky and will require grinding of the lens.

    But at least I can see! Yay! I am so incredibly happy.