Grumpy Security Guy

I’ve suffered the tortures of the damned


FBI, CSRF and Jail: How to Get Someone Raided

March 20th, 2008 ·

This seems pretty scary. Apparently the FBI posted a link on some online forum that claimed to display kiddy porn. The story is here.

Upon reading this the first thing that popped into my mind was CSRF (Cross-Site Request Forgery). Now this is not classic CSRF, since CSRF generally implies I am exercising some functionality on the target site. I am using CSRF as a handy term for “if you visit a page I control content on, I can make you request any other link I want”. Now remember this is not only pages like this blog where I clearly control the content, but any other place I can provide links, usually to images: social networking sites, forums, image hosting sites and even email signatures.

This is an even better scam than the now famous 911 swatting scams. Now instead of SWAT busting in to rescue you, the FBI busts in to arrest you. What great fun! It will be interesting to see how many of these stick. It seems to be based on some pretty flimsy evidence. The article above points out that open wireless networks are just one way someone could fool the system. CSRF is better because your browser will actually go to the page, and a forensic examination of your machine will show that you went there. Not a good position to be in in court with a jury, and oftentimes a judge, with no technical background at all.

Update from my buddy Zeno: The file that keeps track of places IE has been, index.dat, does not log referers, and apparently that file and its contents have held up in court…
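The flip side of that update, as an added example that is not from the original post: the client's history file keeps no Referer, but the web server's own access log does, and that is where a request triggered by content on somebody else's page can be told apart from a deliberate visit. The log lines, host names and addresses below are constructed; the parser assumes Apache's combined log format.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines (sample data, not from the post).
# Line 3 was fetched because a page on blog.example.net embedded the URL
# as an <img>; on the client, IE's index.dat would record all three as
# visited and keep no Referer, but the server log still carries it.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2008:10:01:02 -0700] "GET /topic/123 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.5 - - [20/Mar/2008:10:01:09 -0700] "GET /topic/124 HTTP/1.1" 200 4870 "http://forum.example/topic/123" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.7 - - [20/Mar/2008:10:05:44 -0700] "GET /page.html HTTP/1.1" 200 302 "http://blog.example.net/post" "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line, own_host):
    """Return (client_ip, path, referring_host, verdict) or None if unparsable.
    direct:     no Referer (typed URL, bookmark, or the client stripped it)
    same-site:  Referer on our own host, the user followed one of our links
    cross-site: Referer on another host, so content on a third-party page
                caused this fetch (a link there, or an embedded image)
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ref = m.group("referer")
    ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
    if ref_host is None:
        verdict = "direct"
    elif ref_host == own_host:
        verdict = "same-site"
    else:
        verdict = "cross-site"
    return m.group("ip"), m.group("path"), ref_host, verdict

def cross_site_hits(log_text, own_host):
    """Hits whose Referer names a third-party host: the evidence a client-side
    history file alone cannot show."""
    hits = []
    for line in log_text.splitlines():
        parsed = classify(line, own_host)
        if parsed and parsed[3] == "cross-site":
            hits.append(parsed[:3])
    return hits
```

The Referer is sent by the client and is often absent, so a cross-site verdict corroborates that a request was embedded or linked from elsewhere rather than proving it; a missing Referer proves nothing either way.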

If you enjoyed this post, make sure you subscribe to my RSS feed!

Tags: Security · Security Industry · web site security

The Big Announcement

March 12th, 2008 ·

I’ve not been this pumped about something in a long time. Jeremiah actually has been pulling me into liking this idea for a very long time. I hated it at first. I mean WAFs, bleh. Plus I mean didn’t we already try scanners + WAFs before? Oh yeah the total trainwreck that was AVDL. So one thing I failed to realize was that Jeremiah’s approach is a bit different and when combined with WhiteHat Sentinel (aka NOT a scanner) it is a no brainer.

WAFs generally struggle in a few different areas: the people running them are not web app security experts, and trying to apply a default deny policy, while a great idea in theory, is pretty hard in the real world. There is just way too much movement in most applications to pin it down. Even if the app does not change frequently, WAF admins are very hesitant to even come close to blocking legitimate traffic. What really sold me though is when I saw it in action for the first time. From the Sentinel UI we clicked a button that updated the F5 with a rule to block a vulnerability. The rule is automatically generated based on the vulnerability. We then clicked the retest button and the vulnerability was no longer exploitable. Note my careful choice of words, exploitable vs. “not there anymore”. The vulnerability certainly still exists in the code, but now that the attack is blocked the business can decide if this is a good enough solution or they need to go fix the actual flaw.

The geek in me is screaming that it still needs to be fixed; the business side is saying that the rule is good enough and I am not going to commit resources to fixing it until that code is worked on again. From the PCI Section 6.6 perspective this gives the business some great options. As our customers are becoming aware of the PCI requirements and the PCI auditors are becoming tougher on web application vulnerabilities, we run into a difficult situation: the PCI audit is coming up and the app is riddled with vulnerabilities. I now have to dedicate precious development resources to fix these vulnerabilities ASAP. With this solution I can apply these rules and effectively mitigate the issue.
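As an added example (not WhiteHat's or F5's code), this sketches the flow above in Python: a finding names the path and parameter, a block rule is generated from it and placed in front of the unchanged handler, and a retest shows the probe blocked while the flaw is still in the code. The handler with the real fix is shown alongside for contrast; the handler shape, the rule format and the retest marker are assumptions of this example.

```python
import re
from html import escape
from urllib.parse import parse_qs

# Constructed example (not WhiteHat's or F5's code): a search handler that
# reflects "q" unencoded, the finding a scanner would report against it,
# and a blocking rule generated from that finding and placed in front of
# the unchanged handler. Handlers take (path, query) and return (status, body).

def vulnerable_search(path, query):
    """Reflects q straight into the page: the flaw, left unfixed on purpose."""
    q = parse_qs(query).get("q", [""])[0]
    return 200, "<h1>Results for " + q + "</h1>"

def fixed_search(path, query):
    """The real fix: the same handler with output encoding."""
    q = parse_qs(query).get("q", [""])[0]
    return 200, "<h1>Results for " + escape(q) + "</h1>"

def rule_from_finding(finding):
    """Turn a finding (path + parameter) into a block rule scoped to exactly
    that injection point, as the Sentinel-to-F5 button does in the post."""
    return {"path": finding["path"], "param": finding["param"],
            # reject values carrying the markup the reported payload relies on
            "pattern": re.compile(r"[<>]|javascript:", re.IGNORECASE)}

def virtual_patch(handler, rules):
    """Wrap a handler so a request matching any rule is refused before the
    vulnerable code ever runs. The handler itself is untouched."""
    def guarded(path, query):
        params = parse_qs(query, keep_blank_values=True)
        for r in rules:
            if path == r["path"]:
                if any(r["pattern"].search(v) for v in params.get(r["param"], [])):
                    return 403, "blocked by virtual patch"
        return handler(path, query)
    return guarded

def retest(handler, path, query):
    """Scanner-style retest: did the probe come back as live markup?"""
    status, body = handler(path, query)
    return status == 200 and "<script>" in body

FINDING = {"path": "/search", "param": "q"}       # what the scanner reported
PATCHED = virtual_patch(vulnerable_search, [rule_from_finding(FINDING)])
PROBE = "q=<script>probe</script>"
# retest(vulnerable_search, "/search", PROBE) -> True   (exploitable)
# retest(PATCHED, "/search", PROBE)           -> False  (blocked, flaw still in code)
# retest(fixed_search, "/search", PROBE)      -> False  (flaw gone)
```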

I am pretty excited to be part of this. I think we have moved the industry forward today, even if it was just a small step. People now have some more options to mitigate risk besides running to the development team with yet another fire.


Tags: Security · Security Industry · web site security

5 Lessons on Public Disclosure From Eliot Spitzer

March 12th, 2008 ·

Regardless of what you think about now former governor Spitzer and what he did, we can learn a lot from how he handled the public disclosure of his, err, “vulnerability”. Here are 5 lessons you can use if you ever find yourself involved in a public disclosure of a vulnerability on your web site or a disclosure of a massive breach.

1. Understand that you have been caught.

Spitzer quickly understood that the cards were stacked against him and decided denials and platitudes were not going to work for him. Perhaps as a former prosecutor he knew how strong the case was against him. If you are dealing with an incident it is important to understand that excuses for poor security are not helpful right now and dealing with the task at hand has to take top priority. Also do not try to deflect by making up stories of honeypots, false alarms, or “really it is not a problem” statements.

2. Get out in front.

Maybe it is just because I am on the west coast, but it seemed like as soon as I heard the story I also heard that he had a press conference. This is a pretty quick response. In this case he probably knew it was coming since The New York Times probably gave him a courtesy call. You are not going to be that lucky so you will be playing catch up but it is important to respond quickly and decisively.

3. Don’t give up the ghost.

Spitzer’s first press conference was masterful. He admitted everything and nothing at the same time. This is when a good PR person can prove invaluable to the Incident Response Team. You want to acknowledge the problem, give concrete steps you are taking, and buy time to get all your ducks in a row. If you are dealing with a large leak of credit cards, for example, you are going to need some time to figure out just what the heck is going on, who is affected, and what your response is going to be, all while waiting for law enforcement to get out of the way.

4. Use the time you just bought.

Assuming you did #3 reasonably well you now have some time to figure out how you are going to respond. If you have law enforcement involved your hands are probably somewhat tied, as they are going to want to control the flow of information. One area law enforcement is not going to get involved with is how you are going to respond to your customers. This template seems to have already been written: credit monitoring for a year and some gift cards. You can do better!

5. Cut your losses.

At some point you are going to need to get back to work and put this incident behind you. If the police are not involved this should probably be sooner rather than later. I have seen companies sink a lot of time and effort into trying to catch the person when there is little chance of getting anything out of it. I worked several cases where I tracked the attacker back to some non-US country where it is practically impossible to get anything done, especially if it is just you and not the feds. There is some joy in finding out who did it, but your time and money is generally better spent finding out how it happened and correcting the issue than finding out who. The who is most times irrelevant (unless it is an insider of course).


Tags: Security

Worst Security I Have Seen in a Long Time

March 7th, 2008 ·

When the clueless are on the intarwebs this is what happens:

http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx


Tags: Humor · Security

Something Wicked This Way Comes

March 4th, 2008 ·

Sorry for my silence here for the past month. I had a new son:

Jack Sleeping on the Couch

and on top of that, on March 10th WhiteHat will be announcing something really big that we think is going to change the Web Application Security space. I have been busy on analyst calls as well as marshaling it through the development process. I have had 0 time to write much snarky humor or riveting insight. I am back in the saddle now though. I should have plenty of stuff to make fun of after RSA. I get a press pass so people treat me a lot differently, it is fun!


Tags: Security · Security Industry

HP Corners the Market on Hackers

February 11th, 2008 ·

I thought this was a pretty funny quote from this article.

Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.

The “he” is Mark Potts, CTO of Software, Hewlett-Packard. When I read that the first thing that came to mind was: Billy Hoffman is top 10 material? The end is near!! (joking…) Then I wondered who is ranking hackers and how much would it cost to get the #1 spot. Then later I thought there must be a real ranking, because if you were making it up you would just say “nine out of the top ten”, not “9 out of the top 11”, which would generally mean you had 8 of the top ten and one person at eleven so you went for top eleven instead of top ten. Maybe people from Australia use a top 11 system?


Tags: Humor · Security Industry

ScanAlert - XSS is Cool with Us

January 21st, 2008 ·

Sometimes I just want to give up. I really hate XSS because it is really a tricky issue to explain to people that don’t understand. It basically boils down to bad people using my website to compromise clients. What they do with those compromised clients can range from fairly benign replicating worms, to phishing scams, all the way to total remote control of the end user’s browser. The fine folks at Scam ScanAlert clearly don’t think this is a problem though.

It is hard enough to educate web site owners that this is a problem and how it impacts them without having to fight against people in our own industry telling them it is OK to have XSS vulnerabilities.

Jeremiah and Jericho provide more great commentary.


Tags: Security Industry

Open up that Wireless Network!

January 9th, 2008 ·

I love when Bruce and I agree, it makes me feel smarter than I am. I have had a wireless network in my house for about 5 years. Never once has it had any kind of encryption or security. When I set up my neighbors’ wireless I leave it wide open as well. The crazy foil hat wearing guy in my skull freaks out every time I do this. I was shocked when I read that Bruce Schneier does the same thing!

So now I can say I am as smart as he is! I wonder if he uses double Rot-13 like I do? He is probably not THAT smart!


Tags: Security

5 Security Predictions for 2008

January 8th, 2008 ·

1. We will see the first multi-website XSS worm.

I think we will finally get a true cross-site XSS worm in 2008, combining XSRF and XSS to propagate a worm across multiple sites and multiple domains. The first one will be benign but the others will be much more malicious in nature. Leading victim candidates are social network sites that are becoming increasingly open.

2. More consolidation in the security industry.

There is still a great difference between the small security players and the giant ones in terms of cash flow. As the old guard (McAfee, Symantec, etc.) see dwindling revenue on various fronts they will begin to convert some of that pesky cash into acquisitions. Could this be the year Qualys gets gobbled up?

3. PCI will clarify section 6.6

This is more of a hope really. Since it goes into full effect mid-2008 I hope to see some clearer definitions around what companies are expected to do.

4. 2008 will set another record for breaches

Yeah big shocker! The trend will continue with more smaller breaches this year as opposed to a few massive ones.

5. RBN will disappear again. Someone related to them will get busted.

With the light too bright they will morph again and change tactics. Money will still flow in to them by the millions though. However, with increasing public knowledge of the group someone will get busted and connected to them. No one high up in the group, but some poor sucker at the wrong place at the wrong time. Law Enforcement will trumpet it as a “significant” blow to the group. RBN won’t notice.


Tags: Security Industry · web site security

Mastercard.com NOT PCI Compliant

January 5th, 2008 ·

Someone has found an XSS vulnerability on mastercard.com. The place it was found, the search function, is a notorious location for XSS vulnerabilities. The XSS payload that triggers the vulnerability leads me to believe that there was a fair amount of filtering going on but I guess not enough.

Who does Mastercard pay PCI penalties to?


Tags: web site security