OWASP Top Ten is really the OWASP Top 6.5



This is somewhat dated, but so what? Most of the points raised still hold true.
It opens:

CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by then end of the week!”

… and it goes on with the sad-but-true

Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I’m diabetic.”

Wasn’t there a Dilbert strip about that? “Invoking the awesome power of certification”?

Speaking of which:

Dilbert “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”

How true; how poignant! And we all know the response to that:

Consultant: “I’m sorry that is not on the list! hmm what to do? I will use the consultants Top Ten Scarry Word List!” Sarbanes-Oxley, HIPAA, PCI…”

Seriously, though: a while ago I read an article suggesting that how you title your posts or blogs was very important, and it used examples from magazines such as Cosmopolitan to illustrate that: “The top 10 ways …”, “10 things you should know” and the like were going to attract more readers.

Well heck, who wants to read an article titled:

“Six and a half ways to secure your web site”.

Those into reverse psychology, perhaps?
But please, do fix those expired SSL certificates.


Swine Flu Issues – insufficient discrimination

The trouble with some people is that they make some deceptively reasonable comments that don’t stand up under critical analysis.

With an ailing economy and a whole lot of cancelled contracts resulting from that poor economy. Pandemic planning is a major threat to our most important asset people and it appears as though that vulnerability may have been activated. It’s time to dust off the BCP plan and update it with a Pandemic Mitigation strategy.

If it takes a pandemic to motivate you to create or review a BCP then
something is seriously wrong, and it has nothing to do with the pandemic.

As one manager said to me a long time ago, “show me the numbers”.
I read:

The number of confirmed cases rose Monday to 50 in the U.S., the result of further testing at a New York City school. The WHO has confirmed 26 cases in Mexico, six in Canada and one in Spain. All of the Canadian cases were mild, and the people have recovered.

The Mexican government suspects the virus was behind at least 149 deaths in Mexico, the epicentre of the outbreak, with hundreds more cases

I’m sure just about any doctor – or the ’Net – can supply us with figures on the cases and deaths from ‘regular’ flu world-wide, as well as the named versions.

Famous Last Words

My favourite ‘famous last words’ are

“I wonder what this button is for”

Mind you, on one job I had that worked the graveyard shift, we had a TV tuned to the late night axe murder horror movie channel. They get to look funny after a while ’cos they are so hackneyed. Scenes such as walking backwards through the door or opening the cupboard to have the corpse or monster leap out are the ‘visual’ last words.

But sometimes it’s not a joke, as when someone says

“We have put in place a very secure network and I can confidently say that it cannot be tampered with,” said signal officer-in-chief Lt-General P Mohapatra on Monday.

In plain English he’s saying “we can’t be hacked”.

Couldn’t happen to a nicer buncha guys …

An independent security consultant describes how vulnerabilities in unpatched releases of the Zeus crimeware kit are being exploited by hackers in order to steal resources from their fellow criminals. The security researcher has come across an interesting posting made by a botnet runner, who asks for help to secure his infrastructure after being compromised several times by other hackers.



Small firms are taking fraud protection too lightly, says Visa Canada


Forty-one percent of small businesses surveyed by Visa Canada said they
don’t believe data thieves and hackers will target them because of their

Where have we heard that before?
Isn’t there some security adage about the hackers (aka criminals) going for “the low hanging fruit” – the easy to get at stuff – first?


The IDE of Choice: VI

I do a bit of work on the fringe of the Ruby community, and the Mac is popular there along with an IDE or two. However, I’m beginning to see a few articles to the effect that the IDE gets in the way after a point and that reverting to your favourite text editor as an IDE is actually more productive.

For old-farts like myself that would be VI (or VIM). Such a comment will probably bring cries of derision, more so than the idea of an editor replacing an IDE. But after a few decades editing is no longer a conscious act. Just as some people touch-type and the words appear on the screen (or paper) without any thought about the mechanics, so too with your favourite editor – only it extends to the non-alphanumeric keys too.

Of course I cheat; VIM has panels and Linux has all these windows and other things that make VIM usable as an IDE. Integrated? Yes, in my head. It’s the best place for it.


Codify Hacking


The Hacker Foundation, a non-profit organization of ethical security researchers, is trying to extend its reach and encourage more people to join its ranks to help further codify the United States hacking community.

“Codify” as in “Criminal Code”?

Many people working on important security research programs need financial help to allow them to pay their bills

If they are as white-hat as they claim, why not go to work for a bank or IBM or Symantec? If they object to that as too ‘establishment’ then I’d question their real motives. Is it the betterment of society at large or their own self gratification?

… the group also raises funds for any legal defense fees incurred by white
hats as they bend rules to help test the concepts they build.

Ah, there we have it.
The difference between the Noun and the Verb.
They call themselves ‘white hat’ but they don’t want to work within the law.

Cabling blunder fouls up DoD network


I had a similar experience with a manufacturer based here in TO.
They insisted on using their own electrician, who was a power/HVAC guy.

Of course he did EVERYTHING wrong:

  • route the cable through steel conduits
  • with power cables
  • and past fluorescent lights

And of course the company was doing it all on the cheap so it wasn’t shielded cable!

But the real showdown was that he punched the wires into the rack and the outlets in a completely arbitrary manner.

And guess who got yelled at when the network didn’t work?

When I FINALLY convinced the COO what was wrong he went through with me and we re-routed and re-punched the wiring together. Of course I billed for that time, which he wasn’t happy about.

The moral is that you should do the job properly, which often means getting the experienced professional.

Denial – Software Quality and the C-I-A of Security

There is only one really meaningful light-bulb joke:

Q: How many psychiatrists does it take to change a lightbulb?
A: Only one, but the lightbulb has to really want to change.

The last few decades have shown that developing software is hard and costly. Repeated surveys highlight overruns of 75% to 100%, cancellations and unsatisfactory results. These figures are well known, and haven’t changed, indicating either we don’t know how to “fix it” or aren’t willing to change. Since there are some industry segments and individual organizations that do seem to be able to deliver on-time, on-budget, there must be a method that works.


Europe must be crazy

http://www.csoonline.com/caveat/060606.html?source=csoupdate

Maybe they know something we don’t?

Maybe they do have good security, but they are doing what we say security should be, and that is being unobtrusive as far as the user is concerned.

Maybe there are hidden fiber optic cameras everywhere and those ‘tourists’ and ‘tour guides’ will casually ask someone aside and …. “poof!” There goes another terrorist.

Now that strikes me as an interesting idea.
If the terrorist organizations find their people are mysteriously disappearing with no publicity, no evidence, no trail, it might make them a bit worried.

But it does raise some questions about the kind of society that would act that way.
But then who am I to talk. I grew up in one of the ultimate police states – the UK of the 60s/70s, where the police had no need to carry guns.

Encrypted USB flash drives

Yea, right.
Fine for the monoculture, but what about us types for whom MS-Windows is not the ne-plus-ultra, not the first choice?

Oh, I can use Linux-specific tools to protect the USB drive, but that doesn’t play well when I use them to move between Linux and Windows, and it certainly doesn’t ‘automount’.


Win either way

AT&T leaks sensitive info in NSA suit

The beauty of this is that whether ATnT wins or loses, we in InfoSec come out ahead.

If the EFF wins, then it’s a strike against governmental monitoring and for privacy.

…The Electronic Frontier Foundation, … alleges that the room is used by an unlawful National Security Agency surveillance program.

The deleted portions of the legal brief seek to offer benign reasons why AT&T would allegedly have a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic.

“AT&T notes that the facts recited by plaintiffs are entirely consistent with any number of legitimate Internet monitoring systems, such as those used to detect viruses and stop hackers,” the redacted pages say.


Laws won’t stop cybercriminals, say experts

They won’t?
Tell us something we didn’t know.

(A follow-on to http://www.securityabsurdity.com/failure.php)

Is this any different from the Canukistani Federal Gun Registry Boondoggle?
You expect criminals to register their guns?

“You can’t attack this castle unless you are this high”
It’s back to erecting a pole in your garden for the burglars to run into and knock themselves out on.


Terrorists and organized criminals are using computer vulnerabilities to line their pockets, but many cybersecurity ideas coming out of the U.S. Congress may not help much, some experts said Wednesday.

Congress tends to make reactive laws, too late, that address style not substance and get rolled in with other matters that dilute and weaken them. Look at DHS. Where’s its budget? Where’s its vision?

I’ve read other articles recently to the effect that people who manage technology can no longer remain ignorant of the technologies they manage. Sadly, we’ve had a ‘management’ view that the science of management is independent of what it manages. We are not seeing the end of that paradigm.

Since a rash of data breaches in early 2005, Congress has introduced more than 10 bills related to data breach notification.

TEN!! Can’t they get it right?
Obviously not.
But with a shotgun you don’t have to be precise, do you?

The working model for a data breach bill seems to be the SOX law, which has cost U.S. businesses hundreds of millions of dollars, Kobayashi said. “The model is a sledgehammer,” he said. “What economists hope is Congress steps back and looks at the costs and benefits before they do something like that.”

I’m sorry? Why should they do that?
Yes it would be nice, even sensible, but what evidence is there from past behaviour that they do this?

Instead of waiting for Congress to act, businesses should demand more secure IT products, said Ken Silva, chief security officer for security vendor VeriSign Inc. He encouraged technology buyers to join organizations that advocate for more secure products.

Well, let’s skip the ‘self serving’ bit in that, and just look at “What do you mean by ‘secure’?”. When we’ve solved that we can start on the trivial stuff like “Does God exist?” and “Why do men and women have trouble communicating?”.

“We can’t wait for Congress to solve this problem because it’s not going to solve the problem,” Silva said. “The fact of the matter is extortion is already illegal. Passing a law to make electronic extortion even more illegal looks good on television, but it doesn’t really solve the problem.”

Therein lies the difference between the US and the Canukistani approach. Here in the GWN we have a “Criminal Code”. Instead of whole new bills that are “Seen to be doing something”, we insert an extra clause in the Criminal code to extend scope or definition.

As it says above, extortion is extortion is extortion. Fraud is fraud is fraud is fraud. It doesn’t matter what medium or technology.

This is no different from what I preach in my workshops on Developing Policies and Procedures. I try to show that your “Access Control” policy is NOT about passwords, it’s about authorization – be it to the computer, the parking lot or the executive washroom. If you write all your policy as ‘reductionist’ low level statements, each one addressing a technology rather than a principle, you will be forever revising them.

But some people never seem to learn from past mistakes. What’s the line in my quotable quote database…

People who won’t quit making the same mistake over and over are what we call conservatives.
– Richard Ford, in his novel Independence Day

(Note the small ‘c’. Ford should have listened to Disraeli.)
However I can find about a dozen more in the quotes database that are appropriate.

New twist on laptop theft

We’ve all read about how the Big N-1 Accounting firms have had laptops stolen with financial & personal details of their client’s employees.

Well, here’s a new twist on laptop theft.


A San Francisco finance manager stopped in at a Mission District cafe and was tapping on his laptop as he enjoyed his coffee just before noon on a Thursday. Suddenly, he was under siege.
“I looked up, and I saw this guy leaning into me as if he was asking a question,” he said. “I leaned forward, and out of the corner of my eye, I saw someone fiddling with the computer cord. I tried to stand up, and as I stepped back, he stabbed me in the chest.”
The attack marked a violent turn in a wave of crime that has hit the city — the “hot spots” frequented by wireless laptop users are becoming hot spots for laptop robberies.
The 40-year-old San Francisco victim of the March 16 attack suffered a partially collapsed lung and was hospitalized for six days. The two suspects fled with his Apple PowerBook, worth $2,500.

The punchline:

The victim in San Francisco’s Mission Creek Cafe stabbing, who requested that his name not be used, said since he was attacked, his friends from New York have urged him to go back there. It’s safer, they say.

The moral of the story is: Telecommuting is fine but telecommute from home, don’t skive off to the local coffee shop while you’re supposed to be working.

It’s a crime to delete files

Occasionally I pluck up enough courage to read the Risks Digest.
I found this: http://catless.ncl.ac.uk/Risks/24.20.html#subj6

If you don’t read Risks Digest regularly you probably have a cheerful and upbeat disposition and positive outlook on the world and hope for mankind’s future.
If you DO read Risks Digest then you probably don’t need to read apocalyptic SF, as you’d find it unrealistic. It’s not technology that’s going to destroy the world: not global thermonuclear war, no nuclear winter, no nanite “green goop” scenario, not biotech poisoning.

It will be lawyers and politicians!

Now suppose that in this case Mr Citrin also kept purely personal stuff on the laptop: his calendar also included things like PTA meeting, kids baseball games, addresses of relatives … and he deleted those.

From my list of quotable quotes, this seems apropos:

The Internet is not the greatest threat to information security; stupidity is the greatest threat to information security.
– Will Spencer

Better than Free Chocolate Bars

Some while ago people were persuaded to give up their passwords in exchange for a chocolate bar. This goes one better.

With chocolate bars you only get the password, which is not a lot of use unless you’re already behind the corporate firewall.

To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind.
By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London’s financial district last month was more nefarious than it appeared.
Like flies to garbage, dozens of victims took the CD, unable to control the irresistible attraction of “free.”
Secret agents behind enemy lines, the CDs piggybacked through companies’ physical security systems tucked in the bags and pockets of their couriers. The office workers dutifully took the CDs to their desks and plopped them in their employers’ computers.

There’s a moral here. But the implication that people can be so easily subverted is frightening.

“Vendors that don’t understand security, except that it will make them money”

That assertion is the title of this article:
http://www.crn.com/showArticle.jhtml?articleID=180203279

I think they used the wrong tagline!

“Just about everyone is hawking security, secure networks, secure systems, secure applications, secure websites, secure whatever,” …… It is pretty clear that most of them don’t even know what security means, but they do know one thing: Security sells.”

Why does Internet Security Systems CEO Thomas Noonan say this?

“Business enterprises are starving for the solutions that live up to this hype,” he said. “Last year alone, the financial losses resulting from online fraud, theft and business disruption proved unequivocally that trustworthy, self-defending, fearless networks are failing.”

Oh, so he’s targeting Cisco. Well, that’s understandable, one vendor sniping at another, even though his premise and evidence are – dare I say it – statistically evident.

The conclusion – this is a vendor speaking, remember – is foregone.

Best-of-breed technology and security suites are not enough to solve today’s security challenges, Noonan said. The answer is through what ISS is calling security platforms.

So, guys and gals, what do YOU think is the answer?

Gates says security boils down to four focus areas


However, it’s unclear from the article what those four areas are.

The best quote I can find relating to it is:

Gates then launched into the importance of security going forward and categorized a set of priorities under four headings: trust ecosystem, engineering for security, simplicity, and fundamentally secure platforms.

… but later …

Gates gave very little in the way of new initiatives or ideas at Microsoft for meeting his four broad goals, instead tailoring his remarks around announced features in the upcoming Windows Vista client operating system including smart card support, identity technology called InfoCard, and improvements in the Internet Explorer browser.

so I wonder what substance there is. Later on in the article:

Gates used the demo to highlight his trust ecosystem, one of his four priority areas for improving security. “We have chains of trust,” Gates said. “What we need to do is track those trust relationships, to grab permissions, to revoke those trust relationships, to develop reputation over time.” He said today people live without a trust ecosystem.

I’m not sure I like the idea of “grabbing” permissions. My mother always told me it was rude to grab.

Do you think software and system engineering rates well on

  • trust ecosystem,
  • engineering for security,
  • simplicity,
  • fundamentally secure platforms.

Of those .. well, ‘simplicity’, yes, but be careful; there are many naive approaches to that. As for fundamentally secure platforms – hogwash! We do know how to engineer secure and reliable systems from insecure and unreliable components. We’ve been doing it for years in other fields. Perhaps what we really need to do is to overthrow the mystique of computers and treat software like any other engineering discipline. Where is Steve McConnell when you need him?