OWASP EU – Day 2

Excellent day again.

I’m still waking up far too early, but that’s okay, particularly since I had still to complete my Day 2 keynote slides, much to Dave’s disgust.


- Leuven University

The keynote went well, but I finished what I thought was early, when in fact, it was dead on time. This left Ivan Ristic with much less time than he had intended. :(

Ivan’s talk was pretty cool – he went through the stuff you’d expect of the author of the open source web application firewall, mod_security, discussing the four major features of the software. I’ve used it before while under a DDoS attack, and it worked well.

After the morning break, I went to the invited papers track. I think this was a good idea, and the quality of the ideas was good. I think it allowed people who are not conference whores like myself to get up and speak. And considering that only a small percentage of the attendees are native English speakers, I was pleasantly surprised at the quality of the English at the conference. Awesome.

The session riding talk was cool, but again, they’re using a non-mainstream technology to fix the problems. I think people really need to start using the major technologies which are weak rather than using esoteric languages which take their fancy. PHP needs a lot of help, for example.

After lunch, I went to Dinis’ tool heavy presentation on the stuff he’s made this last year. Awesome tools. Might see if they work under Mono on the Mac. Except for the report generator, which is basically a waste of time. As a customer I HATE (and I mean I will return your report and not pay you HATE) getting nessus or other tool output auto-gen’d from XML into PDF. I don’t pay the pound for my reports. I prefer short (10-20 page) reports which tell me what is wrong, carefully considered and rated. This is something that can be done in Word more easily than Dinis’ tool. I’m sure Dinis’ report writing tool (he’s a total XML freak :) works for his customer, but I’m not interested. If it gets out in the big bad world, I hope it doesn’t catch on. Our value is our skilled interpretation, not 1000 page automated reports.

After the last break, there was a panel discussion, which was far more lively than the previous day when everyone agreed with each other. It was hard, as Gunnar let people speak for more than their turn. There was one particular lady who just butted in all the time. I had my hand up for half an hour before I could get a word in edgeways, thus not allowing me to state a couple of points about user security education which I vehemently disagreed with, but couldn’t as the flow had moved on. Oh well. I’ll butt in next year – being a good guy does not pay off if you want to be heard. Despite this, it was a good and lively session.

Dave finished the conference up. After we had finished, Pravir Chandra and I went out to dinner. I wished a few more could hang around, but many needed to get on flights home, and several wanted to go back to Brussels for food. We had a good meal in the center of the old city. Awesome food.

I think it was extremely valuable as a conference. If I can, I’ll be back next year.

OWASP EU: Day 1

Great day yesterday.

Dinis’ keynote went off great, but he got rid of all my images and loaded it up like an essay. Might need to encourage the OWASP presentation template to only contain a limited number of words per page, and increase the visual appeal of the slide pack. We don’t read slides, we present them.

The panel I sat on after the keynote was amazing – Microsoft sent in a sacrificial victim in the form of Alex Lucas, and he did really well. The crowd was a bit restless, but honestly, I think they saw the light by the end. The funny thing was that Microsoft was arguing for more stringent safeguards than most of the panel members, but even more funny is that the panel members agreed with the SDL (for the most part). This got a laugh from the audience when it was brought up, but also demonstrates how far Microsoft has come over the last few years.

Alex had a proof galley of the forthcoming SDL book from Lipner and Howard. I considered mugging Alex and stealing the book – it is totally awesome! This book is what everyone needs, particularly if you don’t have a strong security process today.

I went to a bunch of presentations (including my own!), and learnt a lot. I was particularly freaked out by Amit Klein’s talk on HTTP Request/Response Smuggling/Splitting and peripheral devices. Awesome research.

My slides for my Ajax presentation are here.

After the day finished, we had a chapter leads meeting, where we discussed what we want to do over the next twelve months. We prioritized, and I think it’s going to be great. I’ll blog more on this in the next few weeks.

Last but not least, we had a fabulous dinner at the Faculty club. Leuven is very confusing, and the trip to the Faculty club was via taxi, leaving me confused where I was located. But that’s okay, a fine meal, good wine, and excellent company left me warm and fuzzy. I trundled into a taxi near 11 pm (when it was just going dark!) and made my way back to my hotel, where I promptly fell asleep.

OWASP EU – Day -1, the free day

I got up nice and early again. 6.30 am. So so wrong. Alien Andrew has landed and it’s freaky time again.

After breakfast, I retired to my room to work on my slides. Good move! They look great now.

After lunch in my room, I felt a bit tired, so took a nap. Awesome sleep. Woke up just before I had to go out for dinner with Dave Wichers and a few others.

We moved to The Troubadour and had a nice meal, followed by a trip to a nearby square and some more beer. Beeer! Around 11.30 pm I retired into the rain, and walked in the wrong direction. Leuven is a little town, so the cabs were hard to find. By the time I got one, I was thoroughly wet and cold.

Got back to the hotel room – sore feet and wet and tired. Went to sleep straight away. Fantastic, productive day with friends, food and beer.

OWASP EU – Travel (MEL -> LHR so far, roughly 16000 km and 24 hours)

I’m sitting in London Heathrow after a monumental flight. It’s so wrong. Even in business class there’s no avoiding the fact that it’s a long time to sit down. And as many of you know, I love a good sit down.

After flying in business class to Europe for the first time, it’s definitely 1000% better than being in cattle class. The (hardish) seat folded down nearly flatly, or would have if it wasn’t designed for small women and children. My shoulders hit the sides of the capsule when my feet fit under the capsule in front of me. Now I know I’m a bit on the round side, but I doubt my shoulder girth will change if I ever become svelte. I’m not going to be less than 180 cm any time soon, so these seats need a little fine tuning. Even if the capsules had a soft side, it would be acceptable.

After exhaustion set in, I took sleep where I could, and I must say I’m feeling much more awake and less tired than even the last time I travelled to Las Vegas.

The flight was fun – we flew over many countries I’ve never set foot in – China, Tibet, bits of Nepal with the Himalayas in the distance with a fine dusting of snow, Russia (seemingly forever!) including flying near St Petersburg, Latvia (Riga), Ukraine, Finland, Denmark, Holland, Belgium (… I’ve been to those last two!). Unfortunately, although we flew during the day, it was clouds all the way from China through to landing, with only a break or two when I bothered to open the blind.

Landing in England brings back memories. Obviously, they laid the best English late spring weather on for us, with it being 16 C and rainy. It was 17 C, sunny and fine on the day I left Melbourne, and that’s three days shy of winter proper. It’s going to be amusing if the weather doesn’t clear up in Belgium for the conference.

I’m not feeling very hygienic right now – could definitely use a shower. Unfortunately, the little airline (BMI) I’m travelling on for my next leg doesn’t have a shower in their “Business” class lounge, so that will have to wait until I get to the hotel in a few hours.

At least I’m having a good time with roaming and wireless networks. Have SMS from the fiancée (yay team!) and knowing that my cats are well and likely to get good tummy rubs whilst I’m away is all good.

eBay: do not recommend, waste of time

Well, I’ve just had my first experience with eBay of being kicked in the teeth for being honest. I’ve been a member for six years, and until last week, I maintained a perfect 100% reputation basically by being me in all my dealings. Here’s a hint – it’s simply not worth it as eBay will not back you up when the going gets tough.

A woman wins one of my four auctions last week. She bid several times on a table setting, comes to my place, asks to measure the table in a lame effort to prove that the table is smaller than I said in the listing, and says she doesn’t want it as it’s too narrow and she likes to spread out. She then leaves.

Sorry lady, on eBay, like all auction houses, if you bid on it and you win it, you own it. So I leave her negative feedback for abandoning the sale:

Refused item even though exactly as described and as per photos. Not recommended

She then leaves negative feedback for me, but in her case, she lied:

item failed to meet description. do not recommend, waste of time

This is a laugh as:

0) the description is accurate (8 seat table with 6 chairs). The table can seat eight if you must, but six is about right.
a) the description of the condition is accurate (as new, with minor dints from regular use)
b) there’s photos of the item including a photo of the only chair which has (cleanable) marks
c) there’s accurate measurements in the questions area five days before the auction ended for all to read

I complain to eBay. They suggest asking her to withdraw the feedback. I do so, even though I know she won’t. She didn’t. I complain again to eBay. They tell me that due to US law, they can’t remove even slanderous postings. Sorry fellas, Gutnick proved that Victoria, Australia defamation law trumps US defamation law. All the way to the High Court. eBay have a responsibility to deter and remove slanderous postings when they occur, and not hide behind some lame interpretation of US law which simply doesn’t apply here.

So what’s eBay’s final offer? Ask the liar who didn’t pay for her winnings to mutually withdraw the negative feedback. I’m loath to do this as a poor rating is a good warning to other sellers / buyers that all is not well with that person. But I want my 100% back for exactly the same reason, and I’m buggered if I’m going to pay some shiny arse lawyer $20k or more to get a clean eBay account again through winning a defamation case.

Six years of being “me” down the drain.

So if you want to be treated nice at eBay – shit all over the other sellers. There’s nothing that eBay will do to you. At all. eBay is not the good guy’s friend. do not recommend, waste of time.

Demise of BlueSecurity

According to The Register, Blue Security has decided to close up shop.

http://www.theregister.co.uk/2006/05/17/blue_security_folds/

The problem with Blue Security’s model is that a single attacker with sufficient resources can bring it down. Blue Security had it nearly right – if enough people took the spammers up on their offer to de-list users from spam registries, then the spam issue starts to become manageable until such time as it becomes law that spammers are jailed and refused access to the Internet forever and ever all over the world.

We need to set up a (de-)centralized place for spammers to check the “do not intrude” list without blowing their cover or exposing e-mail addresses, and a totally anonymous decentralized categorization effort without causing any harm to innocent bystanders (such as Tucows or Typepad).

The primary spammer who took out Blue Security can be considered to be essentially an organized criminal, and has committed criminal acts in taking out Blue Security. In general, fighting organized crime takes a lot of guts as it can be quite dangerous, as they have nothing to lose and live in generally lawless societies. These thugs are like extremely stupid gruff dogs – they must be shown exactly who the boss is, and it’s not them. If they require a good slap on the snout or worse for shitting all over the Internet, well, it’s not for us to do so – it’s for the local police and SWAT teams to do. And in my personal opinion, I’d love to see that on COPS instead of their usual fare of poor drugged out wackos, who need social workers not arresting.

As I do not want any innocent bystanders, developers, moderators, ISPs (who are somewhat guilty), or key infrastructure targeted, I have thought about ways to protect as many stages of the life cycle as possible. I propose the following:

Server Infrastructure

Use newsgroups.

The infrastructure already exists at nearly every ISP, and is available read only at many other places to allow both the spammers and newsless ISP customers to participate. It is sufficiently de-centralized, replicates relatively well, and the attacks against it are already well known (post flooding, etc).

Process:

  • Spammer would upload a batch file of e-mail hashes to a particular newsgroup (say alt.evil.spammers.must.die) with a response address to which the user’s clients will respond with a lightweight message. This prevents emails from being exposed to other spammers.
  • Individuals run a plugin on their mail application, which parses each message posted to this newsgroup
  • If the plugin’s protected e-mail address(es) are found, the plugin will ping the response address in the batch file
  • The ping would traverse a peer to peer network set up via the plug-ins. All of the plug-ins communicate via a de-centralized model to prevent the sort of attacks which might take it out (flooding, rubbish pings, etc). After a random number of hops, the last random peer will perform the takedown notice to the properly categorized spammer page.
  • The Spammer receives the do not intrude ping request from the individual and they take them out of their lists.
  • Problem solved for “less evil” spammers.

What to do about more evil spammers

Escalate. Spammers who refuse will get 2x … 4x … 8x the number of “unsubscribe me” from various anonymized addresses spread over a few days. In time, they’ll learn. Take the e-mails out, hits go down.

Categorizing spam

The plugins will need to know how to deal with spam, and to do that, it must be categorized, the URL form found, and regulatory reports performed (i.e., BSA for pirate software, FDA and other drug regulators for meds, etc).

However, as Blue Security demonstrated, being the centralized categorization source of truth does not work. That’s soooo Web 1.0. Let’s move on to a decentralized, people power version for several reasons:

  • If it’s a small group, they would be in severe danger. I don’t believe we could protect this model
  • If it’s a moderate sized group, taking out even one or two could cow the rest. This is how organized crime works today
  • If it’s the entire group, the risks are spread out over a large population, and taking out even a small number of users will not affect (and indeed will drive) membership.

Being in a large anonymous group makes it harder for attackers to find or attack anyone. If no one is a permanent moderator / categorizer and anyone can always decline the task, taking out any number of individuals simply won’t work – the service continues and the spammers continue to get hit with unsubscribe requests. This makes it impossible for the most mobile and ruthless of spammers to take effective action against the network, and is a first hand demonstration of people power.

Each node is randomly chosen to be a categorizer for a few hours as per slashdot. If a user decides to participate, the nearby network will hear about it, and new uncategorized spams will be sent to current categorizers.

The hash of the spam is noted to remove dupes and this is spread everywhere. This will help prevent the same spam being categorized more than once.
If the categorizer can’t read the spam (say it’s in another language), it can be categorized to be a particular language, and then re-forwarded to peers who accept that language.
Let’s make it reliable via voting. Completed categorizations are offered to three other plugin users for peer approval. If all two peers agree with the categorization, it’s accepted and spread throughout the network.
If the spam is not categorized, for safety’s sake it is not acted upon, but instead spread to another node when the node’s time is up. This stops big spams from being lost in the system. However, there should be a maximum age for spams to prevent overload. Spammers usually send out more in a few days time.
At install time, node owners can say they are “advanced” nodes when their turn comes to be a categorizer. Each approved categorization will be looked at by one advanced node to see if it has enough information to detail the source. Let’s get those zombies closed down – find and report each and every zombie to the ISP abuse queue. Do this politely and in batches so they can deal with a bot fleet in a manageable way. ISPs are not our enemies – they need to be helped to clean up the net from being abused. Hopefully the ISPs will get the idea and close down outbound SMTP from the zombies, or even better take the customers offline until they’re cleaned up.
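To make the first stages of the process concrete, here is an added example in Python; it is not code from the original post or from Blue Security, and the protocol details it fills in are assumptions. It covers the hash-batch exchange from the Process list (the list owner publishes hashes rather than addresses, the plugin parses the article and checks its own protected addresses against the batch) and the de-duplication and peer-approval steps from the categorization description. Assumed: SHA-256 over lower-cased, trimmed addresses on both sides (the post names no algorithm or normalisation), a made-up `X-Response-Address` header, and three peers per categorization as the post says. The parser only keeps well-formed hash lines, which is the cheapest answer to the “huge quantities of fake hashes” attack. One caveat worth knowing before relying on the scheme: an unsalted hash of an address is only as secret as the address itself, so anyone holding a candidate list of addresses can hash it and recover matches; the batch hides addresses from parties without such a list, not from other spammers who already have one.

```python
import hashlib
import re

# A body line is accepted only if it is exactly one lower-case hex SHA-256.
HASH_LINE = re.compile(r"^[0-9a-f]{64}$")

# Newsgroup name from the post; the header name is an assumption for this example.
NEWSGROUP = "alt.evil.spammers.must.die"
RESPONSE_HEADER = "X-Response-Address"


def address_hash(address: str) -> str:
    """Hash one address the way both sides of the exchange must agree on.
    Lower-casing and trimming before hashing is an assumption; without a
    shared normalisation rule the plugin would never match anything."""
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()


def build_batch_article(addresses, response_address):
    """List-owner side: one newsgroup article carrying hashes, never addresses."""
    header = [
        f"Newsgroups: {NEWSGROUP}",
        f"{RESPONSE_HEADER}: {response_address}",
        "",  # blank line separates headers from the body, as in any news article
    ]
    body = sorted({address_hash(a) for a in addresses})  # set() drops duplicates
    return "\n".join(header + body) + "\n"


def parse_batch_article(article):
    """Plugin side: return (response address, set of hashes), ignoring junk lines."""
    head, _, body = article.partition("\n\n")
    response = None
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == RESPONSE_HEADER.lower():
            response = value.strip()
    if response is None:
        raise ValueError("batch article has no response address")
    hashes = set()
    for line in body.splitlines():
        line = line.strip().lower()
        if HASH_LINE.match(line):  # malformed or padded lines are simply dropped
            hashes.add(line)
    return response, hashes


def find_protected_matches(protected_addresses, batch_hashes):
    """The protected addresses whose hash appears in the batch: these are the
    ones the plugin would send a 'do not intrude' ping for."""
    return sorted(a for a in protected_addresses if address_hash(a) in batch_hashes)


class Categorizer:
    """Node-side de-duplication and peer approval of spam categorizations."""

    def __init__(self, peers_required=3):
        self.peers_required = peers_required
        self.seen = set()       # hashes of spams already handled by this node
        self.accepted = {}      # spam hash -> category, once peers agree

    @staticmethod
    def spam_hash(message):
        # Exact-match hashing only catches byte-identical copies; spam that is
        # varied per recipient would need fuzzier matching than this example shows.
        return hashlib.sha256(message.encode("utf-8")).hexdigest()

    def is_duplicate(self, message):
        """True if this spam was seen before; records it otherwise."""
        h = self.spam_hash(message)
        if h in self.seen:
            return True
        self.seen.add(h)
        return False

    def accept_categorization(self, message, category, peer_votes):
        """Accept only when exactly the required number of peers all agree;
        an uncategorized spam is left untouched, as the post requires."""
        if len(peer_votes) != self.peers_required or not all(peer_votes):
            return False
        self.accepted[self.spam_hash(message)] = category
        return True


if __name__ == "__main__":
    # Constructed sample data; the addresses and URL are placeholders.
    article = build_batch_article(
        ["Alice@Example.com", "bob@example.org"], "https://ping.example.invalid/"
    )
    response, hashes = parse_batch_article(article + "not a hash\n")
    print(response, find_protected_matches(["alice@example.com", "carol@example.net"], hashes))
```

The plugin never learns bob’s address from the batch, and the list owner never learns carol’s, which is the property the Process list is after. The categorizer deliberately refuses a vote set that is short by one peer rather than treating it as “probably fine”.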

An alternative I had thought of – a network of resilient web apps, which allows anonymous volunteers to contribute to categorization with voting to ensure that only good categorizations are let through – wouldn’t work. Spammers would just DDoS it out of existence.

Another alternative is to use another newsgroup to distribute categorizations. I like this as Plan B in case the attacker manages to kill the P2P network. However, as more headers are available, the attackers may be able to identify key nodes, particularly categorizers, so I don’t really think this is a safe idea.

Attack models

PharmaSpammer basically threatened to take the Internet out. As it’s essentially protected infrastructure these days (with no real SLA though), doing so will create a real law enforcement retaliation, as well as get ISPs to finally take responsibility for their zombie customers and get them the hell off our Internet. So let’s discard this attack – the spammers want to spam, and to do so, they need the Internet to be more or less working.

Let’s look at more realistic attacks:

a) Attacking news servers. DDoSing each and every news server in the world is just not likely, especially if ISPs make sure their news servers can only be reached by their own customers (which is typical today).

b) Attacking news groups. Post flooding can be dealt with via automated moderation of articles. This is a very old attack, and there are some methods to deal with it. Automatic cancellation is the wrong approach as this creates 2x replication traffic. Lastly, an attacker could add huge quantities of fake hashes to slow down client plugin processing of the newsgroup, or to force the news server to archive legitimate and reasonably fresh articles to conserve disk space.

c) Attacking the peer to peer network. The RIAA has yet to make huge inroads into their little P2P problem, so I think with a bit of research, we can come up with a manageable P2P model for our purposes. Things to worry about are: rogue clients injecting rubbish. Flooding. Rogue clients looking for identifying information, rogue or real clients injecting “unsubscribe” URLs to attack competitors. These issues would need to be looked at.

d) Attacking the categorization volunteers / moderators. This is definitely a problem, but one which if there are enough moderators (say 100 or 150 volunteers) makes it that much less likely that attacking one or two of them will make any difference to the spam meisters – they will still be receiving one cancel message for each spam they pump out.

e) Attacking the plug in development. I propose that like the spread of DeCSS or Linux, this could be done in a relatively de-centralized fashion – let’s propose a standard for the p2p protocol, and then allow as many implementations as possible. Individual implementations could be distributed via P2P networks with known good hashes found on the more trusted sites to prevent malware being issued. Obviously we need open source implementations, as well as allowing vendors to integrate this feature into their fat apps.

I’d be really interested in peoples’ thoughts on this one. We can’t let organized crime win this one.

Moronic security is a risk in itself

There must be a special breed of moron common in the physical security world. Much is made of how secure many office buildings are, but this is not my experience as a gifted tailgater.

Today, after 14 months of waiting, I managed to get a car park in my building. I am chuffed as it is nice to have a fast easy way to get to work. I know I am lucky** as many people would like to park there, but there’s a … 14 month waiting list. That’s not why I write.

My spot is on level 2. I work on level 3. The benefits of parking so close should include not having to go out in the crappy weather – what with a short lift ride between the two floors. However… moronic “security” comes to the rescue and ensures that this is not to be.

Upon entering the carpark in my car, I can only exit via the lifts as the emergency exits are alarmed. I enter the lifts, swipe my card and press “3”. Nothing happens. It turns out I have to press “G” (ground in Australia = “1” in the US), exit the building completely, walk *all* the way around it, re-swipe my access card to re-enter the building … walk to the same lifts, and then press “3”. I am not making this up.

It makes no sense. I am authorized to be in the car park *and* the building. But I can’t transit one floor.

[Image: kurios119.jpg]

(Image from Bruce Schneier’s excellent blog. See links to the right and subscribe to his blog and Cryptogram!)

This sort of stupidity makes people disrespect actual security measures. Until we can eliminate morons in the “security” industry, real security will always be worked around. We’re all seen as fools until we rid ourselves of fools.

** For environmentalists reading this… I have a tiny fuel efficient car (Citroen C3), and I carpool with my girlfriend, so it’s not just a single person clogging the roads. It’s two people clogging the roads and dirtying the air. However, it’s faster and cheaper for us to drive than to take public transport, even when you take into consideration the cost of parking, fuel, depreciation, insurance, and other running costs. Peter Batchelor needs to improve public transport in the west of Melbourne. It should *never* be cheaper or faster to drive in compared to public transport. But whilst it is, I’ll drive and park at work.