The InfoSec Blog

Toronto – OWASP

This month’s meeting was about layer 7 errors in web applications. Trey Ford was a fast spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. Its another FMEA situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I’m on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending OotO response to a mailing list message is dumb in the first place, but its also a security issue. Some of these lists don’t have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office“. Its amazing how easy social engineering can be.

Your company may mandate the use of OotO, but its most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism make sure you have it set up properly.

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.

See also:
‘Out of office’ messages turned into spam relays

Maybe I’m just punchy from dealing with too much real spam, but I found this hilarious.

Introducing–Penis Reduction Pills!

Shipped to you, not in the stereotypical plain brown wrapper, but in a
large box proudly labeled on all six sides. Because you wouldn’t be
ordering them if you didn’t need them, right? Just leave the bottle
around the house where the girl you are interested in can find them.

http://www.penisreductionpills.com/

(Note: placebos may have unintended side effects. Depending on the
context …)

Thanks to Rob Slade for bringing this to my attention – http://victoria.tc.ca/techrev/rms.htm

Related articles by Zemanta

• Penis Reduction Pills
• Sure, you’ve got a giant penis – but … [Bait And Switch]

BSI Germany have an extensive list of threats.

Comprehensive? Well, pretty good.
The kind of thing that could keep a client’s IT staff occupied for weeks. If they had hard copy to annotate and work with.

However it is bottom-up as opposed to top down, dealing with details (aka threats) rather than FMEA – failure modes and their effects.

Its interesting that classical Business Continuity Planning works more along the lines of a FMEA than Threat-Risk Analysis. BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency – that is what are the most critical failures that will affect the operation of the business.

The TRA approach has many flaws ranging from the fact that threats are just about infinite and mostly unknown, that vulnerabilities are infinite and unknowable, that they interact in complex ways, which boils down to playing whack-a-mole, and that there is not enough information for statistical analysis.

FMEA on the other hand identifies criticality regardless of the cause.

See also

• “FMEA As a Risk Assessment Methodology“
• “FMEA: Preventing a Failure Before Any Harm Is Done“

Related articles by Zemanta

• 10 of the Biggest Platform Development Mistakes
• How do I plan for the unexpected?