I hate being proven right – mass pwnage

Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such Core Security through several security pros that I truly admire. I am not perfect, and honestly, I feel for these folks as it could happen to me, but weak passwords? OMG! Passwords seem to have cost one of them a great deal of money and time, irreversible data loss and now involvesd law enforcement (update – see comments, this log is from the 1990’s I’m so duh that I missed that bit, but it still proves my point that passwords have sucked for a long time):

  [14:41] <@rkl> shit.
  [14:41] <@rkl> whoever broke into blackops.org
  [14:41] <@rkl> when we caught them
  [14:41] <@rkl> they began rm filesystems
  [14:41] <@rkl> and removed my only copy of some photos i had of me and my
  [14:42] <@rkl> that i had up there for like 2 days while i reinstalled my OS
  [14:42] <@rkl> she's going to be sad about that
  [14:44] <@nobody> ur shitting me
  [14:44] <@nobody> who broke in?
  [14:44] <@rkl> we know.
  [14:44] <@rkl> luckily they were incompetent
  [14:44] <@rkl> however
  [14:44] <@nobody> bunch of savages in this town
  [14:44] <@rkl> because they tried to use blackops as a platform to launch
          attacks against a few corporations
  [14:44] <@rkl> now the FBI is involved
  [14:45] <@nobody> wonderful
  [14:45] <@rkl> me and murray couldnt' give a rat's ass
  [14:45] <@rkl> we back up blackops 1 time a month
  [14:45] <@rkl> to cd, now dvd
  [14:45] <@rkl> they got in through a weak user passwd
  [14:45] <@rkl> cause there were near 100 users
  [14:45] <@rkl> just normal users, so they didn't practice good security with their passwds
  [14:45] <@nobody> typical
  [14:46] <@rkl> we've had to turn over everything to the FBI
  [14:46] <@nobody> a system is only as secure as its users

In my previous post, my first item stated unequivocally that passwords are crap and first against the wall when the revolution comes? That revolution starts today.

Everyone’s New Year resolution has to be to change their crappy password (or in the rare case, passwords) for their computer to a passphrase (20 characters or more), install a password manager, and change all those crappy passwords into long (20 characters or more) random passwords for every single service. If your service doesn’t let you use > 20 character passwords, STOP USING IT. There’s something very dumb, wrong and insecure with that service.

I do not have a single password that is the same for any service on the Internet. Changing a password to me is extremely simple because I DO NOT CARE about any of them. I do not type them, I do not remember them. They are all at least 20 characters long, and occasionally way more if I care about the system in question.

Additionally, I have no truthful answers for the weak Q&A security backdoor on any system I use. What is your first pet’s name? Just try to crack fazEha*u@eJAM#!#6DafRatrAm6Q before the universe ends. p.s. I generated that one just for this blog entry. Don’t waste your time trying it out anywhere.

Passwords are insecure, always have been, always will be, and that goes double for the horrifically insecure Q&A backdoor that many sites insist upon who should (and most likely do) know better. Passwords are unsuitable even for this blog. Folks who say passwords are free or worse – “the norm” – are idiots and should be ignored whilst the rest of us get on with getting rid of them as Priority #1.


If you are responsible for passwords on your site or service, the very first thing you must do when you get back to work is to call an urgent meeting with all stakeholders. The very first agenda item must be “We’re getting rid of passwords as of right now. How do we do that?” Don’t stop until you succeed. Your users will love you.

If you are a victim of passwords, you should ask “Why are we still using passwords? When will you get rid of them?”

Just Do it. Do It Now. I’m deadly serious.

Security trends for 2012

  1. Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned.
  2. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned.
  3. Folks will continue to use apps as administrator or god like privileges. They will then be surprised when they’re completely pwned.
  4. Folks will continue to click shit. They will then be surprised when they’re completely pwned.
  5. van der Stock’s immutable law of gullibility: Folks will continue to be sucked in by incredibly basic scams. They will then be surprised when they’re completely pwned.
  6. Folks despite extensive and continuous evidence to the contrary for over 25 years, will continue to be sucked in by grandiose vendor claims (“buy X now, and you’ll be protected from X…”) in the unfounded belief that technological solutions can fix people problems. They will then be surprised when they’re completely pwned.
  7. Folks will continue to allow mobile and web apps to transmit their sensitive crap without any form transport layer encryption. They will then be surprised when they’re completely pwned.
  8. Folks will turn on a firewall and think they’re safe. They will then be surprised when they’re completely pwned. It’s not 1995 any more. Never was.
  9. Folks will continue to run old crap, or allow old crap to connect to them. They will then be surprised when they’re completely pwned.
  10. Folks will continue to think that they will be safe if they just virtualize or cloud enable their crappy apps. They will then be surprised when they’re completely pwned.
If we can’t learn from our most basic of basic mistakes, 2012 will be exactly like 1989 – 2011. And that’s sad.
Because I hate solution free hand waving posts like the above, here are some basic solutions:
  • Adopt strong authentication TODAY – passwords have NEVER been appropriate.
  • Patch your crap.
  • Implement low privilege users and service accounts.
  • Don’t click shit.
  • Learn about basic phishing and scams.
  • Fire folks who post on Twitter or Facebook all day. You know who they are.
  • Don’t buy any product marked “Protects against APT”. If you do, fire yourself as you’re an idiot.
  • Only use products that use SSL. If you don’t know, assume it doesn’t and find something that does.
  • Evaluate your security needs with 2012 in mind – firewalls alone are a few sheep short of a full paddock.
  • Upgrade to the latest OS and apps. Not only will your users love you, it’ll be harder to attack you.
  • Protect data assets no matter where they are. The plumbing is unimportant.

Resurrecting the wife’s laptop – Asus hates you and you and you

At Christmas last year, I bought a new laptop for the wife, an Asus K52DR with 4 GB of RAM and 500 GB hard drive. I quote from then:

[…Asus should…] supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although I stand behind every word I said above, I’m begrudgingly glad I spent the extra 2.5 hours creating those DVDs as I’m restoring her computer to factory default after she killed the previous HD by cooking it in the bedding. Obviously, not Asus’ fault, but what happens after replacing the HD is most certainly Asus’ fault. This Asus will be our last PC – my life is just too precious to donate to absurd and evil corporate practices.

When I bought the Asus, it took me about three days to get the PC to a default-ish Windows installation, Office 2010, and iTunes with just enough drivers to run “advanced” technical devices like the display or the wireless network. Don’t get me started on the number of reboots or gigabytes of patches required. Copying Tanya’s data, migrating her PST and recovering her calendar was simple by comparison.

I am dreading wasting yet another two to most likely three days of my personal life YET AGAIN to weed out all the circusware from the factory default build. Asus must start providing a fast circusware free method of complete restoration like Apple do. The time I’m going to spend over the next few nights, and probably the next weekend, is like a working week away from my family. Completely unacceptable.

I tried restoring the repair partition I dd’d off, but due to the new 750 GB drive having different sized clusters and alignment than the old 500 GB drive, I struggled to create a bootable recovery partition without spending yet more time than it would take to restore using the DVDs. So I’m using the restore DVDs.

I still don’t have a Time Machine work-a-like that can back up Tanya’s data. This is a serious issue as hers is the most likely computer to die. […]

And die it did. I tried Windows 7 Backup for months on and off after buying a new 2TB external HD, but as per usual being a Microsoft product, it doesn’t actually work. So too late, I found Rebit, which is just like Time Machine … but expensive. I’ll be trying that after restoring Tanya’s data. Luckily, I was able to get her most if not all of her data off under Linux all the while the HD was making very high pitched death screams. It’s dead now – all the sparing sectors are spared and the computer wedges hard if you try to do anything with it in read / write mode.

My newish MacBook Air 11.6″ is significantly faster and cheaper than this Asus, and more so every time I have to fix it up. Once I had recovered Tanya’s data to my 2TB dumping ground on my Mac, she was up and running with one of our AppleTV’s in about two minutes.

Tanya’s next computer will be a Mac when this one dies. I will not tolerate the loss of any more of my life to Asus insistence on circusware in the default build, and cheapening out by not providing real installation media, or Microsoft’s insistence on a recovery CD and crappy end user experience.

I stand by my recommendation:

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don’t get it.


I’m going to reduce the rating to 1/5, and the 1 is only due to the surprisingly resilient Seagate 500 GB drive that survived just long enough to get nearly all of Tanya’s data off it.


One of my favorite TV shows is the Gruen Transfer, a show deconstructing advertising. Don’t laugh, it’s the ABC’s #1 TV show.

A few weeks back, one of the panelists revealed that there are two fundamental ways to sell things – fear, as in:

Late 1980\’s Anti-AIDS advert 


and hope, as in:

Durex condom ad

The panellist’s comments are revealing – fear sells well for a short while and then stops working. This is true of the AIDS campaign. The campaign reduced HIV / AIDS infection rates to a low that hasn’t been repeated anywhere else on the planet since that time. Then the ad stopped, and there’s been no replacement campaign for nigh on 25 years. You can guess that the HIV / AIDS infection rates are back up.

We need to change the security industry from selling fear to selling (and delivering) hope. The results will last longer, and have better long term outcomes.

RIP Meebles 1997-2011. Best cat ever

Some blog entries are easy to write. Not this one.

Meebles is no more. In the end, it was peaceful, but his last days must have been hell. At least he had chicken (and lots of it) last night.

I first met Meebles in early 1998 when I was looking for a companion to Greebo. I went to the Lost Dog’s Home, and picked the most feisty cat there. After 14 years, I know now why his original slaves put him up for adoption again, but I didn’t mind the random attacks, the aloof distance he preferred, and his general bat craziness. It was part of his charm, and it’s the reason I picked him. He had 3 days to go before what I had to do today would have been done to a six month young cat back then.

All in all, I got the best of the bargain for all 14 years. He was steadfast in his loyalty. You had to earn that loyalty, something dog owners will never and don’t understand, but once you had it, he was a part of your life.


Meebles watching over me

I miss him already. Catchya round buddy.


Recently, RSA was attacked by adversaries who targeted their two factor authentication fobs.

These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way.

RSA chose not to discuss the details of the attack, using the old furphy that disclosure will damage their customers (reality: it would damage RSA’s brand). RSA’s silence allowed




to execute the boldest cryptographic information warfare attack since Enigma.

RSA’s (IMHO) cowardly silence has actually damaged their customers in highly spectacular fashion. RSA told us nothing, so we couldn’t ask our clients to change vendors in a staged way, or to disable access, or put in other controls. We could guess, but business decisions are not made that way.

Now the brand damage to RSA will truly begin. This is the end of the simple RSA fob. Even if a better algoritm or fob is used, RSA are toast as no one will trust them any more, particularly in the sort of organizations that buy fobs by the palette.

APT boosters have said vociferously – “see, it was APT!”. Yep, I agree. It’s one of the few times that truly worthy attacks are out in the open enough for us to get a small glimpse into what’s really going on.

Unfortunately, due to widespread abuse of the term, APT is the laughing stock of the information security world. The folks who routinely use it with knowledge can’t discuss why APT is any different to the other threats out there today. Everyone else has no clue.

I’ve seen CSOs give up, thinking that since these attackers are so advanced, surely we can’t protect against them, or they buy stuff marked “Solves APT TODAY!1!” when in fact, hard work is required. Nothing very hard, just simple stuff like input validating every field and not tolerating insecure software any more.

But for your average CSO, finding out if an application was developed in a secure fashion and that every parameter is validated is impossible. It shouldn’t be. But that’s not the main point of today’s post.

It’s moderately clear in the fog of active disinformation that the weaknesses used in the RSA, Sony, and PBS hacks are well known and easily exploitable. The solution is like losing weight. There is a simple solution that works – albeit slowly. It’s called eating the right amounts of good food for a year or two and exercising hard every day. Anyone who has tried to lose weight, including myself, knows that we really just want an APT strength diet pill.

I think most of us in our industry will acknowledge that penetration testing has become “different” over the last few years, from literally shooting fish in a barell with the most rudimentary or no tools, to requiring a fair bit of work, and moving up the value chain to find interesting and exploitable issues the business cares about.

In terms of results, I think we’re still finding 10-20 things wrong in every app. Attackers need one. This is the attacker’s advantage. The number of weaknesses, the type of weaknesses, and the severity of the weaknesses are NOT “advanced” in any way shape or form in 95%+ of the code reviews and penetration tests I perform. The other 5% have been working with me for a while, are mature risk managers, and they’re hard to attack as a result.

But because of the hard core mystique surrounding the use of the term “APT”, we’re seeing completely inappropriate uses of the term everywhere from anti-virus scanners through to security appliances that promise data loss protection but forget that the information security triangle is people-process-technology. Putting one in place doesn’t solve the other two, nor negate your responsiblities to put in appropriate controls that PEOPLE can live with to do their JOBS and make the business MONEY.

My twitter icon is the famous drive around control image:

Access controls are only for those with easy access
Access controls are only for those with easy access

This is where folks promoting APT fail. I am not denying that the attackers who have found a end run around a widely known security control are




Anyone who targeted a particular firm, and utterly broke a long standing crypto system, and everything else required to obviate hardened controls of at least two military industrial giants are worthy of the term APT.

Unfortunately, APT as a term is so brand damaged in the info sec community (try saying it at a public event without being openly laughed at), that we have to choose a better one, one that marketers would never dream of using inappropriately. I don’t know what it is, but surely

Enemy Combatent


Soon To Be A Small Pile Of Glowing Ash (STBASPOGA, or the more friendly sounding Strasbourg)

are right up there.

Worse still, the fact that these Strasbourgs really are APTs doesn’t mean that we should forget to do the hard work, but instead demonstrates the paucity of protective information security research. Some of you might remember me saying a year or two ago that too much attention is paid to those who hack, and not enough on those who defend. Strasbourgs should mean more dollars in pro-active research. We need to make it difficult to develop insecure software. We should make easy to determine if Acme’s latest release of their widgets are insecure. We should have metrics that easily demonstrate insecure software costs more. We should make it legally untenable to ship insecure software, and give redress to consumers when their investments, privacy and intellectual property are violated due to stupid, simple weaknesses that we knew about in 1965.

Time for something new

As many of you have probably noticed by now, my larger than life frame is not at AusCERT 2011. This is a shame as it sounding like one of the best AusCERTs in the history of AusCERT. There’s a couple of reasons for my absence – flu and the strange case of the disappearing job.

My services at Pure Hacking are no longer required, and so I need to get on with the job of getting on with the next phase of my life – and that means finding a great job that allows everyone to win.

There are a couple of options on the table as I write this. But the most intriguing to me right now is to be the advanced gun for hire for consultancies with schedule overload. If you think your consultancy could use me in that fashion even a few times a year, I definitely want to hear from you. If I can make alliances with even a few of you, this could work for us all. This would allow me to work for anyone in the world from my lab here, and would allow consultancies all over the world to plug their scheduling nightmare with one of the best web app sec minds* out there period.

I have a strong preference for remote telecommuting jobs as I live in a regional city. This doesn’t mean that a full time job in Melbourne is out of the question, but I will be upfront about my need for flexibility (i.e. allow me to work on the train and a day a week at home), or full time remote working from Geelong. Being 2011, full time or partial telecommuting should not be a difficult decision today.

I know I have a small but loyal readership in this blog, so if you know someone who knows someone, I’m available. I only have a short window before I have to make a decision, so if you’re able to pick me up, I definitely want to hear from you – vanderaj @ greebo . net.

* Just in case you didn’t know, I was the Project Leader and primary author of the OWASP Developer Guide 2.0, OWASP Top 10 2007 (the one in PCI DSS), and ESAPI for PHP, and I helped set the exam for the SANS GSSP (Java).

Upcoming speaking engagements – AusCERT and iTSMF

I am scheduled to talk or give tutorials at a couple of places so far this year.


I am giving a two day Secure Coding tutorial using OWASP’s Application Security Verification Standard.

This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design and code in a positive fashion. You’ll learn of about 80 controls over the two days, and complete four hands on labs and a bunch of demos. Of course, you’ll see me demonstrate ninja levels of breaking crappy applications, but my primary goal is for you to build secure software.

Now that you want to come, you should bring your laptop with the ability to run a 64 bit VMware VM. As the VM is Linux, it could be converted to KVM, Xen, Parallels, or Virtual Box. You can take the VM home along with the slides and learn even more later.

This is the cheapest method of getting instructor led training by me. Registration here. There’s about 10 spots left as far as I’m aware.


Later in the year, I am giving my well received talk at itSMF, an ITIL aligned operations conference, on how to make your security dollars work harder for you. This talk is aimed at CIO, CISO’s, and those who are tasked at securing their stuff with ever less budget, or ever more capability (or both).

OWASP Podcast 82 – Authorship of OWASP Top 10 2007

Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money have been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be a far poorer place.

But…. the problem starts when he goes through attribution for the OWASP Top 10, starting around the 17 minute mark. Dave says “Jeff Williams and I basically wrote it” (17:10 onwards), and had various people in OWASP review it such as Dinis Cruz and myself. This is exactly what happened for the 2004 version. But the way it was said implies that the OWASP Top 10 2007 was Dave and Jeff’s and I reviewed that too. I’m sure Dave didn’t mean to miss out on appropriate attributions (he’s a straight up and down sort of guy), but just in case anyone thinks like I did when listening to the podcast, I’d like to set the story straight:

The OWASP Top 10 2004 was Jeff and Dave’s. Absolutely agree with this. I’m pretty sure I reviewed it as I was working on the Developer Guide 2.0 at the time.

The OWASP Top 2010 is primarily Jeff and Dave’s efforts. No problems. I gave up leadership in the project sometime in 2008 when I had to concentrate on personal matters. At that time, I had no draft or made any effort to update the text. Dave’s effort to restart the project didn’t start until after I’d left Aspect. After the draft PPTX was complete, I reviewed drafts of the release candidates, along with about another 30 or so folks.

The OWASP Top 10 2007 is primarily mine in methodology (strict adherence to MITRE statistics in 2006), research and development, authorship, editing and leadership. For example, I sat down with Raoul Endres in a pho restaurant in a wintery day Melbourne, Australia well before I moved to the USA and worked out the methodology. I delivered a draft to about 30 folks in early January of 2007. Jeff Williams and Dave re-wrote and included a few items that I disagreed with (effectively two crypto sections that were not representative in the statistics), and dropped important issues that I felt strongly about. You don’t win them all, but I would have loved for these findings to have made it.

Some of the sections I wrote up in the draft that missed out in the final version:

  • A7 – Malformed input (dropped – a bad call in my opinion as nearly all flaws are due to insufficient input validation and output encoding)
  • A8 – Broken authorization (dropped – a bad call in my opinion, as most of the easily discovered business logic flaws are authorization related)
  • A9 – Insecure cryptography and communications (became A8 – A9 in the final version)
  • A10 – Privilege escalation (dropped – a bad call in my opinion, as attackers try to do this all the time)

You can see an early draft here. DO NOT USE THIS VERSION – IT’S NOT OFFICIAL!

I strongly disagreed with the dropping of RFI as it’s one of the biggest reasons that PHP sites are taken over, and PHP is by far the most prevalent server platform. RFI belongs in the OWASP Top 10 probably as the #1 item in the Security Configuration section. There are still millions of sites with this particular flaw.

Call me hypersensitive to the way Dave phrased just one sentence in 45 minutes, but I want folks to realize that I didn’t dedicate many nights and weekends to the OWASP Top 10 2007 to have that taken away from me in glossing over of efforts. I also want to make sure that folks understand that I consider Jeff and Dave friends and utterly respect their long time efforts with OWASP.

* Full disclosure – I worked for Aspect Security between December 2006 and January 2009. Dave and Jeff are founders of Aspect Security and thus my employer during the latter stages of Top 10 2007 gestation. I had a great time at Aspect, worked with amazing customers on cool projects, and have very fond memories of the USA.

Need a secure code review? We have slots available

I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week. 🙂

We have open slots in our schedule for secure code reviews starting from mid March 2011.

We perform our code reviews against the OWASP Application Security Verification Standard

  • Level 2B – Automated Review using Fortify 360 coupled with a manual verification of 83 items (Architecture, Authentication, Authorization, Session Management, Data Protection, Cryptography, etc)
  • Level 3 – Includes all of the above, but 110 inspection points. The sweet spot of our reviews in my personal opinion.
  • Level 4 – Includes all of the above, plus manual inspection for trojans, backdoors, etc.

These reviews help folks wishing to comply with PCI DSS or PCI PA DSS, or just wish to know that their websites are safe and secure.

If you’d like to discuss things further, please e-mail avanderstock (at) purehacking.com.