The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

July 18th, 2008

Business Logic Flaws

Toronto - OWASP

This month’s meeting was about layer 7 errors in web applications. Trey Ford, a fast-spoken Texan, gave some good examples.

The common thread, as I saw it, was that no amount of pen testing and no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. It’s another FMEA situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I’m on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that rivals my daily spam. Sending an OotO response to a mailing list message is dumb in the first place, but it’s also a security issue. Some of these lists don’t have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office”. It’s amazing how easy social engineering can be.

Your company may mandate the use of OotO, but it’s most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism, make sure you have it set up properly.
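As an added example of “set up properly” (my own code, not from the post and not from the draft RFC mentioned below), here is a small gate an auto-responder could run before sending anything. It applies the checks that RFC 3834 (Recommendations for Automatic Responses to Electronic Mail) recommends: never answer mail that is itself automated or list traffic, only answer mail addressed to the mailbox in To/Cc, answer each sender once per period, and mark the reply so other robots ignore it. The function names, the address `alice@example.com`, and the three sample messages are all constructed for the example.

```python
"""Gate for an out-of-the-office responder, following RFC 3834 (hypothetical example)."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

MY_ADDRESSES = {"alice@example.com"}  # constructed sample mailbox

LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")
BULK_PRECEDENCE = {"bulk", "list", "junk"}
AUTOMATED_SENDER = re.compile(r"(mailer-daemon|postmaster|no-?reply|bounce)", re.I)


def auto_reply_decision(raw_message, my_addresses=MY_ADDRESSES, replied=None,
                        now=0, period=7 * 86400):
    """Return (allowed, reason). `replied` maps sender -> time of last reply (seconds)."""
    msg = message_from_string(raw_message)
    replied = {} if replied is None else replied

    # 1. Never answer mail that is itself automated (Auto-Submitted / bulk precedence).
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"
    precedence = msg.get("Precedence", "").strip().lower()
    if precedence in BULK_PRECEDENCE:
        return False, f"Precedence: {precedence}"

    # 2. Never answer mailing-list traffic: the whole list, not the poster, would get it.
    for header in LIST_HEADERS:
        if msg.get(header):
            return False, f"mailing-list header {header}"

    # 3. The reply goes to the envelope sender; a null one (<>) or a robot means no reply.
    if "Return-Path" in msg:
        sender = parseaddr(msg["Return-Path"])[1].lower()
        if not sender:
            return False, "null Return-Path"
    else:
        sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender or AUTOMATED_SENDER.search(sender) or AUTOMATED_SENDER.search(msg.get("From", "")):
        return False, f"automated sender {sender or '(none)'}"

    # 4. Only answer mail addressed to this mailbox in To/Cc (not Bcc or list copies).
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not recipients & {a.lower() for a in my_addresses}:
        return False, "not addressed to this mailbox"

    # 5. One reply per sender per period stops the broadcast storm.
    last = replied.get(sender)
    if last is not None and now - last < period:
        return False, f"already replied to {sender}"
    replied[sender] = now
    return True, sender


def build_reply(raw_message, sender, body, from_addr="alice@example.com"):
    """Build the reply with the headers RFC 3834 asks for, so other responders ignore it."""
    original = message_from_string(raw_message)
    reply = EmailMessage()
    reply["From"] = from_addr
    reply["To"] = sender
    reply["Subject"] = "Auto: " + original.get("Subject", "")
    reply["Auto-Submitted"] = "auto-replied"  # the flag step 1 above keys on
    reply["Precedence"] = "bulk"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    reply.set_content(body)
    return reply


# Constructed sample traffic: a list post, a direct mail, and a bounce.
LIST_MSG = """\
Return-Path: <infosec-bounces@lists.example.org>
From: Bob <bob@example.org>
To: infosec@lists.example.org
List-Id: InfoSec discussion <infosec.lists.example.org>
Subject: [infosec] OotO policy
Message-ID: <1@example.org>

Please don't auto-reply to this list.
"""
DIRECT_MSG = """\
Return-Path: <bob@example.org>
From: Bob <bob@example.org>
To: Alice <alice@example.com>
Subject: Lunch?
Message-ID: <2@example.org>

Free on Friday?
"""
BOUNCE_MSG = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.org
To: alice@example.com
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender
"""

if __name__ == "__main__":
    seen = {}
    for name, raw in (("list", LIST_MSG), ("direct", DIRECT_MSG), ("bounce", BOUNCE_MSG)):
        print(name, auto_reply_decision(raw, replied=seen, now=1000))
```

The order of the checks matters less than their presence: a list message typically trips several of them, and the rate limit is what saves the rest of the list if a misconfigured client strips the list headers on the way in.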

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.

See also:
‘Out of office’ messages turned into spam relays

July 18th, 2008

Don’t print this out! It’s too long

BSI Germany have an extensive list of threats.

Comprehensive? Well, pretty good.
The kind of thing that could keep a client’s IT staff occupied for weeks. If they had hard copy to annotate and work with.

However it is bottom-up as opposed to top down, dealing with details (aka threats) rather than FMEA - failure modes and their effects.

It’s interesting that classical Business Continuity Planning works more along the lines of an FMEA than a Threat-Risk Analysis. BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency; that is, it asks which failures are the most critical to the operation of the business.

The TRA approach has many flaws: threats are just about infinite and mostly unknown, vulnerabilities are infinite and unknowable, the two interact in complex ways (which boils down to playing whack-a-mole), and there is not enough information for statistical analysis.

FMEA on the other hand identifies criticality regardless of the cause.

See also

July 15th, 2008

On Spies and inside knowledge

My friend and mentor, Donn Parker, observes:

Build your security assuming that the enemy knows as much about
your security and what you are doing as you do.

The lesson of history, InfoSec, industry, literature, warfare and politics tells us this is so.

Chapter 13 of Sun Tzu’s great work, “On the Use of Spies”, advises:

What enables the enlightened rulers and good generals to conquer
the enemy at every move and achieve extraordinary success is
foreknowledge.

Foreknowledge cannot be elicited from ghosts and spirits; it
cannot be inferred from comparison of previous events, or from
the calculations of the heavens, but must be obtained from
people who have knowledge of the enemy’s situation.

Therefore there are five kinds of spies used:

Local spies, internal spies, double spies, dead spies, and
living spies.

He goes on to say

Only the wisest ruler can use spies; only the most benevolent
and upright general can use spies, and only the most alert and
observant person can get the truth using spies.

Which is of course pandering. And then:

It is subtle, subtle!

Which is pandering still, but none the less true.

There is nowhere that spies cannot be used.

Which is also true. Hence http://privateeyespyshop.com/

Generally, if you want to attack an army, besiege a walled city,
assassinate individuals, you must know the identities of the
defending generals, assistants, associates, gate guards, and
officers. You must have spies seek and learn them.

However, these days many companies and countries publish all this information on the web. The identity theft in “Day of The Jackal” (which has been copied by many other authors since) can now be performed from the comfort of your local hot-spot equipped café or on some local commuter train.

July 3rd, 2008

When did you last update your browser?

http://www.theregister.co.uk/2008/07/03/browser_insecurity_survey/

I gather that browser flaws account for a lot of attacks, arising from malware and spyware that gets ‘snuck in’ by various methods such as XSS.

Let’s be realistic, though; the browser isn’t the only avenue by which a user’s workstation can be infected (I’ll leave servers out of this for the moment). Updating other key components of the operating system is important as well. But patching is more difficult in some systems than others, and some vendors and developers are more aggressive about updating their baseline than others, which could also reflect the complexity and modularity of their products. What was that about complexity being the enemy of security?

Unsurprisingly the study concluded that update features within different browsers played a key role in determining how quickly users update their software. Firefox users “typically updated” within three days of the availability of a new security update. Opera users averaged around 11 days before patching their browser while some IE users are still stuck on IE6 a year and a half after the release of IE7.

So that makes me one of the ‘good guys’, a Firefox user. Actually I update my plug-ins ‘same day’, which might actually be a risk if they are not well tested. But that point is always a risk, and is the reason why some companies such as Intel are staying with XP rather than upgrading to Vista. (Ever?)

The study found that Firefox users were the most diligent in applying security updates, with 83.3 per cent using the latest version. Less than half (47.6 per cent) of IE users used a fully patched version.

Now let’s be fair, not everyone has control over what they use.

“I think it may be a little unfair for many IE users to be grouped in the ‘less diligent’ bucket because they’re stuck to using IE5 or IE6 for compatibility issues with their corporate applications but, quite frankly, in this climate of commercial mass-defacements, ‘unfair’ isn’t going to keep them safe,” Ollmann writes.

As it says in the article I’ve referenced …

A white paper on the study, Understanding the Web browser threat, can be found here.

June 18th, 2008

Read this ….

… and think about it the next time you take your laptop through customs …

http://securosis.com/2008/06/17/pink-slip-virus-2008/

Scary, eh?

June 3rd, 2008

Smartphones ‘bigger security risk’ than laptops

http://www.networkworld.com/news/2008/060208-smartphones-bigger-security-risk-than.html

I’ve just been looking at the Sony-Ericsson X1 as a replacement for my Newton.

I admit that many PDAs aren’t really that comprehensive and don’t really store much beyond names and numbers, but there is an awful lot of information on my Newton. The X1 looks like it will be a small laptop.

But then, depending on your job and working tools, there is a lot of ‘portable electronics’ that can easily go missing. My voice recorder is about the size of a pen and holds many interviews and notes. Their value to someone else (aka espionage) is small, but their loss would impact me.

However, let’s be realistic. I’ve never lost or misplaced the recorder or my laptop or my Newton. I have lost my house and car keys on a number of occasions.

June 3rd, 2008

RIM Questions India’s BlackBerry Encryption Worries

http://www.informationweek.com/news/security/encryption/showArticle.jhtml?articleID=208401643

BlackBerry maker Research In Motion (NSDQ: RIMM) told the Indian government Monday that lowering the encryption level of its smartphones’ services will not solve the country’s security concerns because there are other companies offering similar systems.

Indeed.
And in addition there are all the other encrypted services like PGP, S/MIME and any form of encryption tool you choose to download, never mind things like Skype.

I won’t even go into matters such as sending telegrams or conventional phone calls with code phrases, and other techniques that proved efficacious in the first half of the 20th century and prior to that.

Officials in New Delhi said they were concerned that because these e-mails couldn’t be intercepted, militants could be using BlackBerry services to coordinate terrorist attacks.

It seems odd to my mind that the highly terrorist-sensitive security forces of the USA are not also demanding RIM hand over a master key.
Is it because the NSA have cracked AES-256?

I doubt it. It’s more likely that the value of business communications to the economy outweighs the risk of terrorists remaining undetected and using modern technology to communicate.

As the article goes on to say …

But during a presentation to India’s Department of Telecommunications, RIM pointed to four other mobile e-mail systems in the country – Windows Mobile ActiveSync, Nokia Intellisync, Motorola’s Good, and Seven Networks – that utilize similar encryption.

Because these other services are widely available, RIM contends that the government would have to also take actions against those companies instead of singling out RIM.

Quite so. And it would have to ban, and take enforcement action against, other forms of secure communication. And let’s face it, the cold war showed that wasn’t feasible.

Do we have another example of governments emphasising ELINT when they should be developing HUMINT?

April 25th, 2008

Visio in Ascii

http://search.cpan.org/dist/App-Asciio/lib/App/Asciio.pm

This gtk2-perl application allows you to draw ASCII diagrams in a modern (but simple) graphical application. The ASCII graphs can be saved as ASCII or in a format that allows you to modify them later.

So what does this have to do with security?

Well, one of the security risks we face is that Microsoft Office applications (among others) have embedded Visual Basic, often with extensions. These have been susceptible to macro viruses.

Yes, I’m aware that there are mechanisms for defending against this, but they are software, and we know that in the long run errors will be introduced in upgrades or patches and the bad guys will find alternative avenues of attack. The real problem is that VB is embedded in the application.

So this is a solution. We go back to the “data is data” era, when data was not executable. See also all the “why HTML mail is evil” articles; go Google for them.

Happy Friday.

April 25th, 2008

How not to hire a security executive who’s on parole

http://www.networkworld.com/news/2008/042308-how-not-to-hire-a.html?page=1

One of the first questions to ask during an audit is “Do you have Policy?” (which is part of the ISMS - see ISO-27001)

Then, after checking that for completeness and sufficiency, start checking whether it’s communicated to staff and whether it’s followed.

Since policy defines how an organization is to be run, this is the top-down approach. It’s why bottom-up things like pen testing are a waste of time. The policy-driven approach ensures that there are processes and procedures in place, and it allows for metrics and for improvement of both compliance and the detailed processes themselves (CMM etc.).

See also “Who Ya Gonna Call?”

January 18th, 2008

Wake-up Business! The cybercriminals have embraced the open source

http://www.theregister.co.uk/2008/01/17/globalization_of_crimeware/

… In many respects, malware creation mimics open source communities, in which legions of programmers spanning the globe tweak one another’s code to add new features and fix bugs.

So what happened to the proverbial socially maladjusted hacker in the back room eating Twinkies and drinking Jolt?

“It seems somewhat different than the standard way of thinking of a hacker,” says Thomas Holt, a professor of criminal justice at the University of North Carolina at Charlotte, who presented his findings Thursday to military and law enforcement officials at the US Department of Defense’s Cyber Crime Conference. Crime groups “are looking to one another for assistance. It’s no longer just a single person distributing malware. Now there appear to be groups and there appears to be a distribution of labor.”

And this at a time when so many ‘mainstream’ companies are finding reasons to avoid using open source. No doubt they will misunderstand and use this as another reason.