Archive for November, 2006

It’s not opinion, Richard

For the second time, I helped SANS compile their Top 20. I don’t know about the other sections, C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes:


As far as the nature of the list goes, it’s important to realize that it’s based on a bunch of people’s opinions.

Actually, no. My section is based upon hard data from MITRE, as the forthcoming OWASP Top 10 will be.

MITRE web app sec data

The only entry which I forced into the SANS Top 20 is CSRF, because it’s REALLY important to fix over the next 12 months. We only get so many chances to speak to this particular audience, and CSRF deserves attention. The OWASP Top 10 also has CSRF. Remote File Include, which affects PHP more than most, is EXTREMELY heavily attacked. It’s actually the primary attack vector for PHP stacks. It belongs in the list. My mum can discover XSS – it belongs in there. SQL injection can be found via automated means, and this is the worst bit – we have methods to utterly avoid it – if only devs would stop using vulnerable APIs! rdbms_query() should simply not be supported in future PHP releases. And ditto for other languages and frameworks.
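To make the “vulnerable API” point concrete, here is an added example (mine, not from the post, SANS or OWASP) in Python against an in-memory sqlite3 table with three constructed rows. It puts the string-concatenating query style next to the bound-parameter style: the first hands caller input to the SQL parser as code, the second hands it over as data, so the same input behaves completely differently.

```python
import sqlite3

# Constructed sample data: a small users table in an in-memory database.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    # The pattern the post argues against: the caller's string is spliced
    # straight into the SQL text, so quotes and keywords in it become SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the SQL is fixed, and the driver passes `name` to the
    # engine as a value. Whatever it contains, it can only ever be compared
    # against the name column.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run the same input through both styles and return (unsafe, safe) results."""
    conn = make_db()
    return lookup_unsafe(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # A normal name: both styles agree.
    print(compare("alice"))
    # The textbook tautology: the concatenating style returns every row,
    # the parameterised style finds no user literally called that.
    print(compare("' OR '1'='1"))
```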

Worse still, Richard misses the forest completely when he says that “… it’s called an ‘attack targets’ document, since there’s nothing inherently ‘vulnerable’ about …”. It doesn’t really matter if it’s a weakness, action item, vulnerability or attack. If it’s something you should know about, it belongs in there. Like phishing, like webappsec, and so on. Don’t play semantics when people are at risk. That’s the job of cigarette and oil companies.

It’s basically impossible to find out how much certain types of attacks net criminals, or how much pain identity theft victims suffer, or how much a life is worth when an attack takes out vulnerable biomedical equipment. I’d rather have my blog spammed by hundreds of scripts than one single skilled and motivated attacker take over the host this blog resides on due to security defects in WP. A simple numerical attack number is useless. A simple $$$ figure is going to be wrong and misleading. It’s impossible to *rate* attacks.

We must do it via vulnerabilities discovered, and I’ve done that.

So for us, MITRE data is as good as it’s going to get, and I’ve used that for the top 4, plus one item which is going to be the major form of weakness/vulnerability/attack as folks work out how horrible it is to use CSRF-resistant software, and it’s going to get worse when Ajax-enabled apps do *everything* via XHR, rather than just a subset of their functionality.

Rohit did a great job herding many, many cats. I really wanted 10 things in there for developers to check and do as web app sec vulnerabilities are now the Top 11 or so attacks. But SANS is a system administration resource, and thus they turned the focus around for system administrators. Fair enough. That’s why we have links to OWASP for those folks who need it.

As for Richard stating that the SANS document is my opinion: I don’t think so. I concentrated heavily on fact. In other related news, the OWASP Top 10 is nearing that happy point when it will need peer reviewing. If you’re interested, come join the Top 10 mail list at OWASP.

PS: although the graph above is the MITRE data, it does not indicate the Top 10 headings. We’ve got something special for you all! :)

Aaaah I can see!

The last nearly 24 hours have been a complete nightmare. I now know how valuable my eyes are to my very existence, and what a crap time partially blind and blind folks have with normal software.

I was sitting in a waiting room with the wife, boasting that my glasses were indestructible as they were made of a titanium alloy. Less than two hours later, they were feeling a bit wonky. I took them off to clean them. To my utter surprise and dismay, two halves broke away in my fingers. The titanium bridge, supposedly one of the strongest points on the frame, had broken clean in two. :(

glasses.jpg

I can’t see crap without them. The entire world is a blur. I can’t read, I can’t see. I turn on Universal Access in Mac OS X and I can’t use it. Too many programs are inaccessible – Word doesn’t read to you unless you click the button on the speech toolbar to make it read to you. I can’t easily see that. I magnify the screen up and you see like three buttons at once, and it’s still blurry. I’m starting to get a headache. Entourage is “Button 3 Button 3 scrollbar”. It never reads e-mails to you. Apple Mail is MUCH better. So is Safari – both work just fine with the text-to-speech accessibility aid.

At the moment, I’m using Eclipse, and being a Java program, it’s simply not working properly with the system’s accessibility aids. So I give up. I’m stuck – I can’t drive anywhere, and I can’t do crap.

Dinner is brown and white globs of food until they resolve themselves in my mouth. I try watching the big arse TV (bigger than the one Frasier’s Dad has), but it too is blurry. Tanya took pity on me and we went out to a nice coffee and cake place I know at the ferry terminal. There was a black, unreleased SUV (probably the new Freelander) doing an ad there. I wish I could have seen it, as I’m a bit of a car nut, and even though I despise SUVs, I love seeing new releases before anyone else. I couldn’t even check out the hot chicks in the cafe, as they’re all blurs. Tanya checked out the restaurant for hot chicks (other than herself) for me, and reckoned there were a couple of scraggers and not much else. Best. Wife. Ever!

We came home, but Tanya would not read a bedtime car magazine story or three to me. I feel really helpless without being able to read for myself, but remembered her putting up with my pitiful moaning at the cafe and let it be.

This morning, we got up early and went to an eyewear place which does “same day” prescriptions, had my eyes checked, and luckily, as my glasses are newish and very funky, they had the exact same pair there. They swapped out the broken bridge for the one from that pair. But as I don’t trust these glasses now and I don’t have a spare pair of glasses any more (it’s all packed away), I had my eyes checked and I’ve got a new pair of glasses on order. They’ll be here by next Thursday or so, as my prescription is pretty funky and will require grinding of the lenses.

But at least I can see! Yay! I am so incredibly happy.

What’s wrong with this picture?

Argggghhh…

glasses.jpg

SANS Top 20

The SANS Top 20 2006 update has been posted.

SANS Top 20 2006

I helped write the C1 Web App Sec section:
C1. Web Applications

We’re working on the updated OWASP Top 10 2007, which interlinks with that. It’s an interesting experience writing something like this for a completely different audience than web developers. As these are coding issues, the SANS folks wanted things like configuration changes which system administrators could make to improve security. But that’s not what this section is about.

Hopefully, next year, we can get more focus on the changes organizations that write or buy code can make to improve their security. In the near term, when it’s done, check the OWASP Top 10 2007. It’s very cool and has CSRF in it!

Greebo has gone missing

Greebo, my first cat, has disappeared from her new home at my brother’s.

Mistress Greebo

As this is on the same road where she was run over back in 2001, I’m a bit worried. Tuesday will mark a week of her not being around, and realistically that is the upper bound for her to return by herself if she’s just having a sulk. I hope that she has found a new home and carer – it can be tough to move and not have your previous cat slave living with you, and two small children trying to pull your tail.

She is microchipped. Luckily, we changed the contact details for her in the week prior to our honeymoon, so if a vet or the pound finds her, we will get a call to the right address. However, since she was chipped in NSW, it’s not entirely clear if they share data with the Victorian animal registry. I will find out tomorrow.

If she stays missing by the time we leave for the USA, I will take Meebles with us to the USA. I miss my babies desperately, and I want them to be close to us. I hope Greebo is okay, wherever she is.
