cat slave diary

Blog

  • The Impossibles

    I thought recently about the ways in which folks who are looking for research projects in web app sec might make a useful contribution to the field. Part of that is the list of impossible tasks – those tasks that are so hard that it is unlikely to be solved in my lifetime. If you solve these, you’re a rocket scientist.

    • Universal XSS Prophylactic – it seems simple enough – blow XSS out of the water. In all code for all time. We know how to do it well enough, but how do you solve it for all that crappy code still running? Think of a design pattern, injection, or mechanism that will blow XSS out of the water with minimal changes to existing code. Don’t say h().
    • The No Injection Design Pattern. Almost all of our major commercially successful protocols are mixed data / program (i.e. not Harvard Architecture). Think about a design pattern, architecture, or API that allows ANY arbitrary protocol (SNMP through XML) to have no injections. This is not just about prepared statements, this is about taking an injectable grammar, and transforming it into a work of uninjectable beauty that is orthogonal and deep. There is previous work in this area (and you’ll be off to good start if you know who wrote it and include them in your research team).
    • Common Off the Shelf Anti-Corruption Business Processes. Realistically, we’re here to support solutions, not enable security “features”. There’s no value to be had from security per se; we are the guardians against dumb luck and bad risk. There should be a open source business process library that is resistant to fraud, corruption, coercion and bribery, as well as just going from Step 1 to Step 10. Think of how a simple process of acquiring pens from the office supplies cupboard should be built compared to say acquiring a data center populated with 3843 servers. Or was that 3842 servers?
    • Working with infected platforms. Financial institutions know that a certain percentage of their customers are infected with malware. At one institution I worked at, it was approximately 35% of a Certain Popular Operating System had at least one, and more often 10 or more different pieces of malware installed, ranging from hostile toolbars all the way through to Banking trojans. We knew absolutely that their computers would most likely steal their logins, and try to steal their funds. Think about ways you can perform “trusted” computing on a clearly untrustable platform. Booting a LiveCD is not going to cut it for my Mum. Think harder. This one will make you millions if not billions if you do it right.
    • Creating a math or notation for access control that “proves” protection. This one is a big one. Many a time, we do code reviews and penetration tests and find insecure end points – client, presentation, controller, model, or data and we can exploit them. We shouldn’t be able to find these at all – your compiler and IDE should alert developers to leakage of secured data / functions. Come up with a notation or mechanism that can be easily parsed by compilers that helps prove that every piece of secured data and secured function is protected end to end. You must satisfy “principle of least privilege”, “default deny”, “fail safely”, and “complete mediation” principles.

    Some of these items are dealt with by OWASP’s ESAPI, others by the judicious use of WAFs. But there is huge scope with billions of lines of legacy code hanging out there in any number of languages and frameworks. These are simply never going to be fixed, and yet we rely on them to keep the lights on, water flowing and sewerage flushing. Literally. These are the first five that I think are worthy of top class researchers. Go for it.

  • How to get around censorship

    The Great Firewall of Australia is still being worked upon by the evil legal minions of Senator Conroy. At the time of writing, it’s not illegal to tell you how to bypass censorware. I’m hoping that the legislation has no retrospective provisions in it (which would be really evil).

    Here’s how you get around censorship in case Australia decides to become a totalitarian state and block free and unfettered access to the Internet.

    Free and pretty easy

    • Tor. Install Tor into Firefox. Done.
    • Anonymizing Proxies. This is the easiest path, especially if you don’t use Firefox. Find one that is hosted outside of Australia. There’s heaps available.
    • P2P software helps transfer files around, but I only use this for downloading Ubuntu ISO’s. Seriously. Don’t breach copyright – it’s how I make a living. P2P is not particularly secure, and can be monitored and seeded by hostile entities.
    • Most messenger programs allow file transfers. Again, don’t breach copyright. Most Messenger protocols are unencrypted and thus can be monitored, and realistically, how do you know the other party is not a dog? See Chat Roulette for proof of this principle.
    • Most transparent ISP caches only work on port 80, and can’t work with SSL due to the way SSL works. Use SSL.
    • Most transparent ISP caches only work on port 80. Go to sites on ports other than port 80, such as port 81, 8080 or similar.

    Free, but might cost you your job

    • Using head office’s proxy in another country. If you work at a large multi-national, use their proxy. Remember, most workplaces have anti-pr0n acceptable use policies, and they’re more likely to police them than Australia. Otherwise, Done.

    Not free, but still fairly easy

    • SSL reverse proxies. There’s a fair few of these services around. Done.
    • VPN’s. Buy a Virtual Private Server (VPS) in another country, preferably the USA. Install OpenVPN, PPTP or IPsec on it. Done.
    • Set up a local web proxy server that has child-parent caches. Set up a remote parent cache in another country, or subscribe to a remote cache service. Done.

    There’s more ways to bypass this stupid proposal, but I’ll leave those off this list for now.

    I seriously hope that there will be mass protests and heavy campaigning if there is any legislation tabled.

    We need to show Senator Conroy that the government is truly misguided on this – voters unanimously don’t want to be censored. Parents don’t want it. ISPs and our entire IT industry doesn’t want it. The ALP support base hates it. Censoring Australia WILL lose the ALP power. It will allow all the tin pot failed nations on the planet to say, “We have the right to do this, Australia did it.”

    We must resist this most evil proposal in any way possible. See you at the protests.

  • Censorship – Bye bye Labor

    The Labor party is doomed to be a single term government. They are killing their support base – social progressives and young folks alike are abandoning ship like never before. I have never hidden my dislike for the conservative side of politics, but to totally kick sand in the face of your true believers time and time again is simply not smart.

    WIth 99% of the Australian public against mandatory filtering, I just don’t see how this is a vote getter. The filter will not protect my daughter from pr0n, predators using Skype or MSN, spyware, or preventing her viewing unsavory sites. It will not block the primary mechanism for distributing child and extreme pr0n – P2P networks. There is no point to mandatory filtering except to stifle political dissent.

    So why implement such an opaque scheme that’s already been abused and is open to further abuse? Who are the winners from this? Politicians don’t stick their necks out unless there’s a valid reason, and public morality is simply not one of them, especially when the idea is so repulsive to nearly all Australians except for a few ratbags. I can only imagine so it’s to shore up the crazy vote (Senator Fielding), without which Labor can’t govern.

    To give some perspective, is it acceptable for the Government to:

    • Discipline my child?
    • Determine what my child will read, watch, or do?
    • Decide on her schooling?
    • Decide on her religious beliefs, or lack of them?

    Government has no role in these key parenting decisions and in determining what she (and us all) will or will not see on the Internet. That’s every parents’ responsibility, and I will do it in my way – with no censorware. Her computer will be in a shared area until she can be trusted with her own, and even then… trust but verify.

    Labor – you must dump Conroy now. He is a liability to you retaining the 18-40 year old vote, and indeed the 99% of folks who don’t want the Internet censored. Without this core set of voters (about 45% of the eligible voters), you’re never going to win office in your own right again.

  • Welcome to iPad fraud

    In the rush to release hundreds of publication specific apps as quickly as possible, every media dinosaur is desperately trying to claw money from the cashed up iPad owners with micropayments and pay walls. This is a recipe for disaster – and it’s going to be a gold mine for security consultancies, and nothing but tears for users.

    Why?

    All of these apps have to implement their own pay wall, subscription model, and store regulated financial data. Whereas before Apple did all the hard yards, now Flash web designers are going to be cutting code in Objective C for the first time to handle credit cards.

    Are they going to get it right every time? Absolutely not. Will some of them get it right? Yes, those that get code reviews or have a skilled financial services development team. How many media outlets meet these requirements?

    Mark my words, there’s going to be a lot of folks making money out of the poor decision to not create a secure micropayments service for iPhoneOS.

  • Securency and bribery

    Australia developed polymer (plastic) bank notes from the 1970’s onwards, and they’ve been our currency since the 1990’s.

    This bank note technology is essentially counterfeit proof – notes can have holograms, microprinting, a transparent window, “watermarks”, very colorful inks, metallic strips, and the notes are long lasting and machine washable. There’s a lot of positives.

    The company that is formed by the Reserve Bank of Australia to print and market this technology is called Securency. They’ve been embroiled in a bribery scandal.

    I just don’t understand how a company with a technological monopoly (it’s hard to figure out how to print on plastic) let itself be the conduit for bribes, particularly in the countries where the bribes are alleged to have occurred.

    If I was a negotiator, and my opponent asked for a commission, structured deals, or outright bribe, I’d just report them to the head office, let them report to the other side’s local police, and then wait for the other side to appoint a new negotiator after justice has seen to be done. Their new negotiator would be so careful it would not be funny – you mean to do business, but the stench of corruption will not be tolerated.

    We’re talking central banks here. Countries that have corrupt central banks are failed states – we cannot and should not be a part of these countries.

    Like all financial institutions, the RBA and Securency employees and agents would have had to have undergone background checks, and yet many of their representatives and head office staff still committed a very serious crime – one punishable by jail time in Australia. Just remember background checks are an indicator of past criminal convictions, not future actions. Don’t waste money on them – just have strict anti-corruption policies in place, and walk everyone is tainted. The rest of the staff will get the picture more than a background check ever will.

  • Sticking your neck out

    For as long as I can remember, the standard “security” talk is a negative and destructive talk, where the presenter presents their latest “research” as if it’s going to solve world hunger, totally end the Internet as we know it, cure herpes, or put the spooks out of business as anyone could spy on the whole Internet.

    The reality is that a few hours, weeks, or if it’s someone like Oracle circa 2005, years later, the problem is solved and we go back to giving our identities away for free on Facebook as if nothing had happened.

    Seriously, why do we put up with this?

    I believe it is because negative Chicken Little (“the sky is falling”) talks are much easier to do:

    • Hand waving talks can be put together on the plane whilst going to the conference, or even later if you don’t hit the bar as soon as you get to the hotel. Talks of this type include “Why the IT Security industry sucks”, “This language is garbage”, “What you know is all wrong”, and my favorite, “PCI sucks”. These talks have zero merit because you can’t fix them. They’re opinion pieces barely better than a script kiddy blog entry, and are typically badly researched opinions rather than game changers.
    • The buffer overflow, CSRF, Ajax, RIA, XSS, SQL injection, or latest attack with a twist talks are easy to do. You might need to start working on these talks at the airport lounge, but you’ll still pump out a talk. Patches for these talks are sometimes delivered before the talk has finished. The world has not ended.
    • The fuzzing talk is is a bit harder. You have to run the fuzzer and let it find at least one badness. Probably a good idea to do it the night before you fly. Better yet, run it against a bunch of products in case someone did a good job.
    • Developing new devastating attacks that can be blocked by CS101-level controls, like the magic pixie dust of input validation. What a complete WAFTAM.
    • The pinnacle of negative talks has awesome demos, but realistically still demonstrates a paucity of ideas (such as how to detect if you’re in a VM – I mean really, who cares?). I have respect for these researchers, and really wish they’d apply their talents to good quality positive research instead of wasting their most productive research years on pointless baubles.

    Why are positive talks harder? Because you have to work at them!

    • Firstly, it’s about research, and original research is hard to do properly.
    • Research takes time, and consistent application to an idea that may not even pan out. But if you don’t do it, you’ll never know.
    • You have to find an area that is not yet solved. There’s a reason it’s not solved yet. These issues have made talented brains hurt already.
    • You have to think of a new and novel solution to the issue, and the solution should be effective, simple and cheap. Most of the speakers on the party circuit simply don’t have this capacity, and haven’t had an original idea in years.
    • You have to develop your solution and test it out against lab and real world scenarios to make sure it doesn’t suck. It helps if your solution is repeatable, your solution and code is documented, and its useable by others without sacrificing chickens.
    • Many folks write papers and talks as if they succeeded at first go. That’s not science, that’s puffing up Brand Speaker. We learn from the paths not taken more than the eventual solution. Think about CSRF and session fixation for example – there’s heaps of folks who think CSRF is solved by a random nonce. But it’s not the entire story. Same deal with click jacking. Write up your failures as much you write up your successes.
    • You have to hand your research and methods around to trusted peers to see what they think and hope they don’t spill the beans or steal your thunder. Once you’ve published, you need to make sure others can repeat your experiments and results.
    • If you want to change the world, you have to give it away. You can’t patent it. You can’t tie it up in trade secrets. You can’t keep it to yourself. This is the hardest of all – think of the IT landscape today if AT&T had kept Unix to themselves. Exactly.

    Lastly, and probably the most important – positive research and subsequent talks means sticking your neck out. Your peers evaluate what you’ve said and how your solutions work. If you’re not sure of self, this can be a huge risk to one’s ego. If you’re wrong, it’s real bad and you’ll be a virgin for another year. If you’re right, you will get {girls, boys, furries} and invites to all the sexy parties*

    I will not claim that all of the hundreds of controls I documented in the OWASP Guide 2.0 are right. In fact, I know some of them are wrong. That’s how science works. At least I stuck my neck out and documented what I thought at the time. I’m happy to come back to the controls, do the research to find new controls that do work with minimal cost, and document those.

    For those of you lucky to know me personally, you’ll know that I have no shortage of self, in fact probably enough self for two people, but you need it if you’re going to have a shot at this brave new world of repeatable, scientific progress in the web application security field.

    I hope to see more conferences like OWASP’s AppSec Research conference, to be held in Sweden this year. Make sure you go to it. More importantly, stop wasting time on negative talks, and get moving on doing that research for next year’s conference.

    * This is actually false advertising, as you’ll struggle to be invited to most conferences even though your research and talk will mean more long term than 100 negative talks. On the other hand, I’ve been told that Furries are easy to rub the right way.

  • OWASP ASVS – also good for architecture reviews

    I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a light weight security architecture template.

    The good news is that it helped us decide a bunch of controls (using ESAPI of course) that will hopefully improve the security of the application. I’ll find out in a few months if any of it helped.

    What worked: pretty much everything.

    What didn’t work: Some controls are not relevant to some classes of application. Do your homework before you go into the meeting so you can skip over ASVS controls that simply can’t work.

    We found that there are controls we discussed that aren’t in the ASVS. The ASVS is a 80%/20% (Pareto principle) standard as pretty much all apps come from such a low basis today, so any security improvement is a worthwhile improvement even if it’s not milspec. I wasn’t too fussed that we missed a few key items.

    For those of you floundering around trying to figure out how to do Security Architecture reviews, ASVS can be your friend!

  • Going to OSCON 2010

    I know I’ve ranted about this before, and this post is no different. OSCON still doesn’t have any security talks, which is like an engineering conference that doesn’t have any structural integrity talks.

    A sample of non-functional requirements in the OSCON 2010 program:

    • Configuration Management – check*
    • Deployment – check
    • Documentation – check
    • Efficiency – check*
    • Legal issues – check
    • Performance – check*
    • Maintainability – check*
    • Quality – check*
    • Scalability – check*
    • Testability – check*

    * I’m going to a few of these tutes and talks

    And what they don’t cover:

    • Compliance – 0 talks
    • Privacy – 0 talks
    • Safety – 0 talks
    • Security – 0 talks, 1 three hour tutorial

    And yet, security is the only NFR that can close your business, destroy shareholder value, get you sued, cost you dearly in compliance and remediation costs, limit your organization or project to irrelevance, and destroy privacy for millions of folks in one fell swoop of ineptitude and cluelessness.

    One day, the papers committee will get a clue. It’s not 2010, though.

    So all my open source chums – see you in Portland! 🙂

  • Upgrade to Ubuntu 10.04 LTS in VMWare Fusion – Keyboard issues

    I upgraded my VMware Fusion image to Ubuntu 10.04 LTS over the weekend, and everything went well except for the keyboard. It wouldn’t work.

    So here’s how I found out how to fix it:

    • Go to the Accessibility Preferences at the bottom of the screen, and tick on screen keyboard.
    • You have to reboot because for some unknown reason, it doesn’t start unless you do.
    • You can now type in your password on screen. Once logged in, your keyboard works
    • Go to terminal, and reconfigure your console:
    sudo dpkg-reconfigure console-setup
    • Reboot, and you’re done.

  • GMail – ORBS blacklist FAIL

    Hilarious fun for all the family. Google’s GMail service has been blacklisted by an ORBS product.

    These ORBS places are run by dumb ass vigilantes. The Internet just doesn’t need wanna-be-cops who have no legal basis for their operations. Just in case you’re wondering, I’ve been blacklisted by similar morons in the past and simply couldn’t get off their stupid lists, despite NEVER being a spammer and only sending maybe 30 messages a day from my host. Greebo, my not so clever cat, has more spam spidey sense than these oxygen bandits will ever have.

    So here’s the transcript:

    “Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 Rejected 74.125.83.43 found in dnsbl.sorbs.net (state 13).”

    Let’s look that IP up, as it’s not mine:


    % nslookup 74.125.83.43
    ...
    Non-authoritative answer:
    43.83.125.74.in-addr.arpa name = mail-gw0-f43.google.com.

    FAIL.

    Good luck getting off that list, Google! Let’s see if your billions of dollars and many lawyers will make it happen where my pleas fell on dumb ears.