Archive for the ‘Life, the universe, and everything...’ Category

Speaking at OWASP AU

I will be speaking at OWASP AU 2009 this year!

I am conducting a one day training session on how to BUILD secure applications using ESAPI and verifying the same using the Application Security Verification Standard (OWASP ASVS). If you are a builder, you will want to attend that class, which is very reasonably priced at USD $650. Typical instructor-led training is $2500 per day – at least. The main conference is only USD $425, which is a bargain compared to Black Hat or RSA.

During the two day main agenda, I will be speaking about why you should be protecting your VALUE, and not worrying so much about THREATS. It’s time we stopped worrying so much about XSS and so on, and moved on to something that actually pays some returns.

Get your registration fingers happy here:

See you there!

Andrew: Cultural Learnings of America Benefit Glorious Nation of Australia

Well, it’s time to go home.

We’re leaving the USA at the end of the month, and should be back in Australia February 2-4.

It’s going to be a bit busy over the next few weeks whilst we pack, sell all our worldly goods, and organize our new life in Australia.

I’ve had a blast whilst in the USA, and I’ve been to (at last count) 25 states. I will update my Google Map and find out for sure. I’ve seen lots of places I’d never come to by myself, like Pittsburgh, and loved every bit of it. I’ve been to places that I would have been, and loved it – like Miami, SF, NYC, and DC. Recently, we started exploring Baltimore, but unfortunately, that’s going to be cut short. I hope to make the Air and Space Museum before we go, but the amount of stuff we have to do, including sell the car, may simply preclude that.  

I don’t have a job lined up yet, so if you are in a position to hire a remote worker or have a position in Melbourne or Geelong, Australia, I’d love to hear from you. You can find me on LinkedIn, and I’d be happy to give you my current resume.

2009 – The Year of WebAppSec Solutions

“He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984

Looking back at the last few years, we’ve made some huge leaps at swatting the issues that bit us in the past, but we still have not made the fundamental leap to controlling the future, and in particular controlling the risk from VALUE attacks, such as phishing, crimeware, and process issues (aka business logic issues).

I’ve been interested in process issues for a long time, as they are the easiest way to get VALUE out of a system. One of the earliest web app sec attacks was against CDNOW back in the mid-90s. They preceded and were bigger than Amazon for a long time. Ultimately, Amazon acquired CDNOW. Why? Apparently, they had a cool front end shopping cart, a payment system and a shipping system. Sure enough, the shipping system took a bunch of hidden fields and accepted a “paid=yes” type of flag. So essentially, you could fill in the hidden fields with the CDs you wanted, skip ahead to the ship bit, and get free stuff. End of story: they’re part of Amazon today instead of the other way around. The opportunity cost of being insecure for CDNOW can be measured in billions and will continue to rise as the years go on. That one attack wasn’t the end of the business, but it set them along the path.
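To make the CDNOW-style flaw concrete, here is a small added example of my own (not code from the post or from CDNOW) with a constructed in-memory order store. The first handler is the 1995-era shipping step that believes the client’s hidden “paid” field; the second only accepts an order id and reads both payment state and the item list from the server’s own records, which is the whole fix for this class of VALUE attack.

```python
from dataclasses import dataclass


@dataclass
class Order:
    """One order as the shop's back end knows it (constructed sample data)."""
    items: list
    paid: bool = False


# Constructed order store standing in for the payment system's records.
ORDERS = {
    "A100": Order(items=["CD-1"], paid=False),   # never paid
    "A101": Order(items=["CD-2"], paid=True),    # paid through the real checkout
}


def ship_trusting_form(form):
    """The 1995-era flaw: the shipping step believes whatever hidden fields arrive,
    so a client that sets paid=yes and lists any items gets them shipped."""
    if form.get("paid") == "yes":
        items = [i for i in form.get("items", "").split(",") if i]
        return ("shipped", items)
    return ("rejected", [])


def ship_checking_server_state(form):
    """Hardened version: the client may only name an order; both the paid flag
    and the item list come from the server-side record, never from the form."""
    order = ORDERS.get(form.get("order_id"))
    if order is None:
        return ("rejected", [])
    if not order.paid:
        return ("payment_required", [])
    return ("shipped", list(order.items))


if __name__ == "__main__":
    tampered = {"order_id": "A100", "paid": "yes", "items": "CD-1,CD-2"}
    print(ship_trusting_form(tampered))          # ('shipped', ['CD-1', 'CD-2'])
    print(ship_checking_server_state(tampered))  # ('payment_required', [])
```

The difference is not in the validation of the field values but in where the decision’s input comes from: anything the client can edit is a claim, and the only authoritative answer to “has this been paid for?” is the server’s own record.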

So why, in 2009, do we allow 1995 era attacks to succeed? Why is this stuff not taught at University? Why are the business folks who make really bad decisions allowed to continue on doing the same old, same old, when they should know – do know – that it’s going to cost them a lot more in the long run?

So let’s look at the lows and highs of 2008:

Highlights of 2008:

  • PCI compliance starts to hit merchants. They still suck, but unlike before, they’re now going to have to fix their stuff or go out of business.
  • PCI 1.2 updated to OWASP Top 10 2007. Awesome.
  • OWASP has a huge security summit in Portugal, deciding on future directions, and an awesome set of security conferences around the world. I think we have hit critical mass.
  • OWASP Application Security Verification Standard released.

Low lights of 2008:

  • Phishing and malware links as tracked by APWG rose to their highest level ever.
  • Massive compromise of credit cards continues – vendors continue to flout PCI regulations and common sense.
  • SQL injection attacks launch a million malware infestations.

This basically means that attackers have been noted by the mainstream media and others as attacking VALUE through web apps, and not assets, like pwnage. They don’t care about the mechanism so much as the money. This has been my view for at least five years. I don’t care if you control a 100,000 bot fleet – your just deserts are coming soon in your very own dawn raid. I do care if you can steal from 95,000,000 folks or defraud thousands with one e-mail.

“How’s that working out for you?” – Dr Phil McGraw

When we do something that is clearly not working, it is beyond time to do something different.

Back in 2002, I was doing security architecture in web apps for some of my more forward thinking clients. I have a draft book in my OWASP folder on Web App Security Architecture that I started in 2003. When I moved to the USA in 2006, security architecture was completely off the average US enterprise architect’s radar. Only today are we seeing some traction in this space, and not everywhere.

Success stories elsewhere

With air safety, various safety bureaus review crashes and make binding resolutions on pilots, manufacturers and airlines to remediate design issues and human factors. For example, in many cultures, a strongly hierarchical society is the norm. More than a few co-pilots have sat meekly by, refusing to override their captain as they plowed straight into the ground. So the airlines were forced to change the human element in the cockpit, forcing subordinates to take control when the situation warranted it.

Air safety is a poster child for what can and should be done. From the early days when cowboys ruled the roost and many died, to today when only rail is safer per million passenger miles, air travel is one of the safest transport forms, despite being so inherently dangerous from a physics point of view (speed, height, traffic density, weather conditions, etc). We need to emulate air safety. Web application security is at the point where enforceable regulations are in their early days, like seat belts in cars were 50 years ago. 

We can and must skip 50 years. I’m not a huge fan of heavy handed regulation as I feel it will stifle the next big thing if done wrong, but I think many languages and frameworks are settling around a few major paradigms. We can help them, and they must help their users. 

We KNOW how to secure those meta-issues. We MUST secure those meta-issues. So here’s my 2009 Wish List:

Education

We have to educate those who come after us. This means getting into every CS and Software Engineering course worldwide, and ensuring they have at least one mandatory security architecture / software security subject.

All applications share exactly one feature: security. I don’t think you can be a sound practitioner unless you have at least heard about this most fundamental of issues. It’s like graduating accountants who have not completed Audit 101. It’s completely ridiculous that there’s no equivalent in most CS and software engineering degrees today. 

I am also only going to speak at developer and architecture conferences. Speaking at security conferences is awesome and I usually get married or drunk or both, but it really doesn’t advance the state of the art. Architects and developers must get on board, and to do so requires their buy-in.

Eliminate XSS and SQL injection

We really need to get some basic technical things off the radar, so in 2010 and beyond we can deal with VALUE attacks. To that end, 2009 should be spent encouraging open source and vendors to fix XSS and SQL injection. We know how to fix these things. OWASP’s ESAPI has the canonicalization, input validation, and output encoding features that every application can use. Every modern framework has prepared statements or a safe(r) mechanism than dynamic statements.

I encourage the OWASP leadership and those in leadership positions to take a stand on these two items. I call on all framework providers to make the simplest possible output mechanism XSS safe. I call on framework providers to deprecate and eliminate dynamic SQL queries, or at least make serious warnings pop up so that folks know that they should not be using those interfaces. I call on open software repositories to stop downloads of packages that have open CVE entries. It’s important to bubble up the importance of safe software, and we can’t do this by wishful thinking.
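The two fixes the previous paragraphs ask for are mechanical, which is the point. Here is an added example of mine (not from the post, ESAPI or any framework), using Python’s standard library against a constructed in-memory SQLite table: the dynamic query interface that should be deprecated, the prepared statement that replaces it, and HTML output encoding standing in for an ESAPI-style encodeForHTML.

```python
import html
import sqlite3

# Constructed sample table; the names are placeholders, not real accounts.
SAMPLE_USERS = [("alice", "acct-1"), ("bob", "acct-2")]


def make_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, account TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_dynamic(conn, name):
    """The interface the post wants deprecated: SQL assembled from the input string,
    so the input can change the shape of the query instead of just its data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_prepared(conn, name):
    """The safe mechanism: a placeholder plus a bound parameter. The driver passes the
    value separately, so quotes and keywords inside it are never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def greeting_html(name):
    """Output encoding for the HTML body context (the stdlib stand-in for an
    ESAPI-style encodeForHTML): markup characters in the name become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # classic test input that closes the quoted literal
    print(find_dynamic(db, probe))   # every row comes back: the input became SQL
    print(find_prepared(db, probe))  # []: the input stayed data
    print(greeting_html("<b>Bob</b>"))
```

The prepared version is also the shortest code of the three, which is the property the post asks framework authors for: the secure path should be the easiest one to type.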

We can do this. It’s not a pipe dream. 

Security Architecture Is a First Class Citizen

It’s important to start putting security architecture in its place – which is every bit as important as the shiny buttons folks click or the processes businesses use to get stuff done. We cannot hope to eliminate design issues that allow VALUE attacks unless security architecture fu is strong within every organization writing software today. 

Although history is written by the victors, we’re a long way from victory. Let’s get cracking!

Santy Paws Came To Town

Well, that was a blast. 

On Wednesday afternoon, I took Baby Girl to see Santy Paws (Satan Claws or Santa Claus, depending on if you believe in Ceiling Cat, Basement Cat, or are just a plain pagan). We stood in line for close to three hours. There was one Santa’s helper on duty, and for obvious reasons (being ridiculously old), he kept on taking breaks. You’d think Columbia Mall would work out…

Thousands of parents x $13.95 (at least) per sitting == they can afford more than one Santa, and possibly a few hundred Santas.

But no. Oh well.

Baby Girl was awesome. She hung out in line with me even though she had little to do, and couldn’t go crawling or exploring – which as every parent knows is a recipe for Total Munchkiness. However, she was happy for the most part – including the first bit when we shuffled past Santa’s Grotto on the way to the entrance some hour or so ahead. She liked what she saw – kids sitting on this old man’s knee and stuff going on. However, looking back now, I think it may have been the computer and the cameras. She’s an awesome geek grrl and loves her gadgets.

The line went on and on. When she got too antsy, I gave her some puffs and water. After about two hours, she started getting really antsy, trying to stand up and get out of the stroller. So I fed her one of the last pre-made bottles. Awesome baby girl returned. I didn’t know how much longer she’d last as it was well past nap time, but I persevered. She let the slightly older girls just in front of us touch her face and play with her toys on the front of the stroller. Things were looking good, even though I really wished she had taken a nap.

She was ultra good right until the end. Santa took a break just before me, and as he walked past, Baby Girl started to show the five early signs of being tired, which is being a bit crotchety and rubbing her eyes and being a bit of a munchkin. Oh well, only a few more minutes. 

So Santa came back, and I quickly put her on his lap thinking this could be a one shot deal, all the while making sure she could see me. I didn’t even let go of her hand before…

WAAAAAAAAAAHHHHHH!

Tears started flowing, tears of real fear. She stared at Santa, pulled away towards me, and started gulping air. Not good. Although I secretly (okay, not so secretly) wanted a photo of her crying as that makes an awesome 21st birthday picture, I didn’t want what came next…

BAAAAAAAAAAARRRRRRRRF!  WAAAAAAAH!

Santa got it good, and so did baby girl’s costume and the floor. Suffice to say, as she’s growing up fast she doesn’t do inoffensive and small up chucks any more. She did a veritable projectile exorcism of toddler barf. It stunk of mostly digested puffs, milk, lunch and formula. Poor baby girl!

I took her to the men’s bathroom, which thankfully had a change area, and got her cleaned up and changed into emergency civilian clothes.

She looked at me so sadly that I couldn’t take her back to go sit on the old man’s lap again. I’m reasonably certain Santa was relieved as well.

So no Christmas photo with Santa this year. Of course, from the Silver Lining in Every Bad Cloud Situation Department: I have an awesome story for her 21st birthday! Yay!

A review of 2008

Last year, I made the following observations / resolutions. Let’s check out how well I did:

  • Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife. 

I think I succeeded at this one

  • Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?

Although I am lighter (149 kg down from probably ~155 to 160 kg), I’m not significantly lighter. I could have been close to 100 kg if I had stuck to an appropriate diabetic friendly diet and exercised more. I blame baby girl. JOKING. I’m a member of the cult again, and I have diary entries for walks and gym, so hopefully this time next year, maybe I could be closer to 100 kg than I am today.

  • Finish at least one piece of first class research in the web app sec field

Nope. Not even close. Started a few though. And that’s the subject of my next post – what to look forward to in 2009.

I fear mitochondria

I was having lunch today at a nearby Chinese restaurant. I was seated next to some young folks who were loudly having a biology discussion. I tuned in because I’m a geek, but I kept my mouth shut after I heard one bad science moment after another.

Unfortunately, the discussion quite quickly changed from being a biology discussion to a metaphysical discussion about whether mitochondria see us as the parasite or vice versa. Whilst I am not a biologist, I do receive “Nature” and therefore have the right to blog mindlessly on this topic and any other science related topic.

From what limited understanding I scraped from the Wikipedia article, mitochondria and us are at best symbiotes, but the reality is that without mitochondria we would be nothing and without us, our specific types of mitochondria would not exist. Therefore, I doubt the mitochondria fear me any more than I fear the trillions of them running around my body right now.

In the next few minutes, the discussion on the next table did not get any closer to making any sense. In the end, I realized that they were design students (I am lunching near Madison Ave). Nothing wrong with design and fashion per se beyond its obvious superficiality and banality, but it’s obvious that science is not a part of their education.

I wonder about this country’s long term future. The USA needs folks who at the very least understand science and do not fear it.

Diabetes: One Year To The Day

This is the one year anniversary of being diagnosed with type 2 diabetes. It’s been an interesting year, and I’ve learnt a lot about what it means to have diabetes, and it’s definitely impacted my diet.

The biggest change is a sad one for me – some of my favorites are simply not good for me. I can’t eat a bunch of stuff, including white rice (> 200 mg/dL blood glucose for even small amounts), which eliminates so many foods and makes eating commercial Asian food basically off limits. Pretty much everything white – white flour, white bread, sugar, potatoes, etc. – is off limits.

Another loss, which I feel sad about the most is alcohol (I do have the very occasional drink, but I’ve had less than 1 litre of alcoholic drinks in the last year, mostly beer, and I usually pay at the finger jab for it too).

In some ways, knowing that I have diabetes helps explain some of the things I have had wrong with me for a while, but in other ways, I’m sort of frustrated as I’m at the very low end of the diabetic scale. My A1C has been 6.1 across several endocrinologist visits. I’ve been put on some interesting medications, including one that helped me mostly get over my needle phobia. Nothing concentrates the mind more than having to inject yourself three times a day. However, that med made me feel quite ill, so I was able to stop it.

The one disappointment is that I’ve not had much luck in losing weight, which is a key component of getting off the various medications I’m on. I really need to spend way more time at the gym as my diet is optimized to the point that I’m no longer losing weight by eating less (and different). My body is extremely good at making me awesomely tired and exhausted rather than giving up the fat reserves. The only way to beat this thing is get the metabolism moving. I hope this time next year, I will have better news on the weight front. The good news is that I now fit into the clothes I came to the USA in, but that’s not as good as I wanted or expected of myself.

Decoding wp-admin/js/revisions-js.php easter egg

From time to time, I look at WordPress, which as you may have guessed, runs my blog. It’s had a spotty security history. If I can find something in a few minutes, I’ll help out as it’s my data at risk.

But then they go and do this:


<?php

// Refuse to run unless loaded through WordPress itself.
if ( !defined( 'ABSPATH' ) )
    exit;

// Single-character substitution: each character of $str is looked up in the
// first table and replaced by the character at the same position in the second.
// The two tables are the Dvorak and QWERTY keyboard layouts, hence the name.
/** @ignore */
function dvortr( $str ) {
    return strtr(
        $str,
        '\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
        'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
    );
}

// jQuery URL and the current user's display name, both escaped for the page.
$j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$n = wp_specialchars( $GLOBALS['current_user']->data->display_name );
// Decode the obfuscated markup, then put the redirect URL where the '$' placeholder is.
$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );

// wp_die() renders the heredoc as the page body; its second argument is the title.
wp_die( <<<EOEE
<style type="text/css">
html body { font-family: courier, monospace; }
#hal { text-decoration: blink; }
</style>
<script type="text/javascript" src="$j"></script>
<script type="text/javascript">
/* <![CDATA[ */
var n = '$n';
eval(function(p,a,c,k,e,r){e= ... crap deleted ...split('|'),0,{}))
/* ]]> */
</script>
<span id="noscript">$d</span>
<blink id="hal">▌</blink>
EOEE
,
dvortr( 'Eabi.p!' )
);

So what does it do? Let’s undo this obfuscation one thing at a time:

The Caesar Cipher was easy – I created a new PHP file with the dvortr() function and the strings to be decoded. They came out as:


Don't let this happen again. Go Back.
Danger!

The packer was also easy, I changed the code to pump out the HTML on the command line, plonked that back into Eclipse, and changed the definition of eval to alert, one of the more evil / stupid things JavaScript can get up to:


eval = alert;
eval(...)

I then copied and pasted the code from the alert pop up and re-formatted it in Eclipse.

Guess what? It’s got another layer of obfuscation, again using the same crappy Caesar cipher. Figuring out the strings and what it does is pretty easy from that point on.

Interestingly, when Firebug stumbles across code it thinks is compressed JS, it stops showing you the code. WTF? You can still step through it one line at a time, but the compressor is NOT a security mechanism, and hiding it will not stop me. I will report a bug with the Firebug team as stopping the display of JavaScript is a defect, not a feature to protect the revenues / reputations of compressors.

So, decoding in multiple passes, the final output is this:


Self-comparison detected.
Initiating infinite loop eschewal protocol.
Self destruct in... 3
2
1

It’s an easter egg error message when a revision comparison fails. Or something like that. This is completely unnecessary – there’s no dark secret here requiring this level of sneakiness, and it’s an excellent place for malicious folks to hide attacks.

The code is so obscure that no static analysis tool can inspect it, and no security auditor would normally take the time out to look at it, and yet it may contain an XSS or DOM injection, or it may contain malware if the download is corrupted or a fake version comes out.

I really wish that folks who think this sort of thing is necessary would stop to think about the amount of time it took them to craft this particular gem.

It would be best to delete this – and every other WP easter egg – now before it infects any 2.7 installations. Easter eggs are incompatible with secure software.

Coding Standard

I’m reproducing this from the OWASP Top 10 mail list. I would like to hear folks’ thoughts about what I have included, taking into account that this is designed to be a standard, and not just a guide.

The OWASP Top 10 Coding Standard

I’ve been working on this on and off (mostly off) ever since getting a few comments back in 2005 that the Guide was too big. The big idea is that it’s short and every single item is actionable. If it’s not actionable, it’s not in there. It doesn’t try to fix everything, just the 80-90% of things that really bite folks. Looking through the breach chronology, I think if folks had to stick to this list, they would have been safe, or at least a lot better off.

My goals are

* Scalable – works from a single open source developer through to major enterprises through to huge ISVs
* Applicable – nothing in here is because I wear tin foil underwear, but because it’s essential for a secure app – the omission of that one item will create insecurity
* Easy to apply for new code – the proper way should be the fastest, easiest way to do it right without causing performance issues
* Not hard for old code – the controls in here are going to be a stretch for the billions of lines of existing (crap) code. We can’t ask all those millions and millions of lines of COBOL or Java or C# or VBScript or PHP to be secure overnight. It’s not possible.

To make it scalable, I propose a self-rating system, where single developers and small groups can state up front that they’ve complied with the small group version, with the sole exception of framework authors, who would have to comply with all relevant sections. I’m sick of frameworks being insecure because they can’t be bothered or believe (wrongly) that it’s not their problem. If you’re a framework / library author, such behavior / attitudes are criminally negligent as far as I’m concerned (Jack Slocum – I mean you! http://extjs.com/forum/showthread.php?p=68097#post68097 ). Large ISVs and enterprises have no excuses as they can generally afford this stuff; it’s just as cheap to do it the right way as the wrong way. Just pick those controls that are essential for the risk level and do them.

My current outline is:

1. Secure Development Lifecycle Best Practices
- Discussion about SDLCs and ensure that folks have one
- Development methodology – mandatory. Just pick one, add security as necessary
- Code repository – mandatory. I’ve never seen secure code without one
- Defect tracker – mandatory. I’ve never seen secure code without one
- Peer review of checkins and break the build check in policy – nice to have
- SCA tools – nice to have
- Way to report security bugs – nice to have (although required by some RFCs)

2. Secure Architecture and Design
- Apply Security Principles to your design
- Apply Risk Management to your design
- Picking and implementing the correct controls for your app
- Architecture Reference Model for Initiator / Approver / Receiver transactions
- Architecture Reference Model for privileged CSR, admin features / apps
- Documentation – mandatory. Secure apps have documentation

3. Authentication
- Evidence of identity
- UML Sequence diagrams for common login and credential management scenarios for two factor, trx signing and SMS authentication
- UML Sequence diagrams for low value login and credential management scenarios using passwords. This has in-built countermeasures for brute forcing, etc
- Prohibition against questions and answers (this is how Sarah Palin was attacked. I’ve been railing against them since at least 2004 – see the Guide 2.0 drafts and final text)
- Prohibition against CAPTCHA if disabled access is required (usually is)

4. Access Control
- Create an access control matrix for each secured function and secured resource
- Deny all by default
- Principle of Least privilege
- Fail closed
- Environment Access Control
- Controller / Business Logic Access Control
- Data Access Control
- Access Reference Maps
- Presentation Access Control

5. Validation and Encoding
- Validate from all sources (trust boundaries, where and how much to validate at that layer)
- Canonicalization
- Input validation methods (positive validation only, how to validate text fields, fail safe, etc)
- Output encoding (ESAPI like – encodeForJavaScript, encodeForXml() etc)

6. Data Protection
- Define a Collection and Retention of Sensitive Data Policy. Stick to it
- Protect Data at rest (what to encrypt and where, backups)
- In transit (SSL, IPsec, etc)

7. Securely Accessing Services
- Ajax and JSON
- REST
- Web Services (WS-Security)
- Operating System
- Databases (use only safe mechanisms, low privilege access)
- Directories
- Message queues and reliable messaging mechanisms
- Mainframes

8. Accountability
- Error handling (fail safe / closed, etc)
- Logging
- Auditing

9. Debugging, Testing and Maintenance
- Do not deploy test or debug code into production
- How to fix security bugs once and properly
- How to write security tests for fixes
- Prohibition against Easter eggs and magic modes

10. Testing and Assurance
- How to build up assurance
- Doing your own security tests every build
- When to get a SME involved
- SCA tools – nice to have
- Dynamic tools and services – nice to have

Obviously, this is starting to look like the Developer Guide 3.0. I’m not sure that it can be done in any less volume, but we should try, especially as the non-control stuff in the Developer Guide 3.0 is going to the ADSR, the Testing Guide and the Code Review Guide.

Thoughts?

Had the snip

Well, I’ve had the snip, which apparently is surprising to most of the folks who know us.

Both Tanya and I are pretty darn clucky. We want more kids. But there’s this huge issue we can’t get past – Tanya’s health is just not going to get any better any time soon. Her arthritis is looking like it is staying, and her meds to maintain a moderate level of activity are simply incompatible with a pregnancy. We were very lucky with Mackenzie that she wasn’t deformed or brain damaged or dependent. We can’t knowingly do that again to another child as it’s not our life we would be affecting.

After a couple of close calls recently, where there were two terrible choices – either Tanya going back to Australia with baby girl for nine months of bed rest at her parents’ and 10-15 hurls a day with the associated forced weight loss, or aborting, which both Tanya and I are against – we had to make a tough decision.

So here I am.

It’s not as bad a pain as I thought it would be, but it certainly wasn’t without its scary moments.

I’m not good with needles, and I’m sort of glad I was put under as I don’t think I could have coped with the normal process, which involves a needle to each site to numb the skin, and then a big needle full of local to each of the testes so you can go home in some comfort before the real pain sets in. I don’t care if you’re brave or not, that’s just one big needle I could not face.

The biggest problem so far is getting up. You can’t lift more than 15 lbs, which is about 7 kg. Baby girl currently weighs about 10 or so kg, so basically I can’t lift her. I can’t easily lift me either. So getting up and down is a painful experience.

I’m resting comfortably. After 24 hours, the pain is manageable, and most likely I’ll be completely okay by Monday or Tuesday.


Say no to censorship - No Clean Feed!

This page is now black to protest the Australian Government's decision to censor the Internet. Censorship is possibly the most un-Australian act of all. Please write or call your local member and senators immediately to express your displeasure. Go to rallies. Twitter #nocleanfeed regularly. Blog. Facebook. Support the EFA. Vote for anyone but Labor. We must defeat this evil bill for our children's sake. Most of all - mass civil disobedience is vital.