Censorship – Bye bye Labor

The Labor party is doomed to be a single term government. They are killing their support base – social progressives and young folks alike are abandoning ship like never before. I have never hidden my dislike for the conservative side of politics, but to totally kick sand in the face of your true believers time and time again is simply not smart.

With 99% of the Australian public against mandatory filtering, I just don’t see how this is a vote getter. The filter will not protect my daughter from pr0n, predators using Skype or MSN, or spyware, nor will it prevent her viewing unsavory sites. It will not block the primary mechanism for distributing child and extreme pr0n – P2P networks. There is no point to mandatory filtering except to stifle political dissent.

So why implement such an opaque scheme that’s already been abused and is open to further abuse? Who are the winners from this? Politicians don’t stick their necks out unless there’s a valid reason, and public morality is simply not one of them, especially when the idea is so repulsive to nearly all Australians except for a few ratbags. I can only imagine so it’s to shore up the crazy vote (Senator Fielding), without which Labor can’t govern.

To give some perspective, is it acceptable for the Government to:

  • Discipline my child?
  • Determine what my child will read, watch, or do?
  • Decide on her schooling?
  • Decide on her religious beliefs, or lack of them?

Government has no role in these key parenting decisions, nor in determining what she (and all of us) will or will not see on the Internet. That’s every parent’s responsibility, and I will do it in my way – with no censorware. Her computer will be in a shared area until she can be trusted with her own, and even then… trust but verify.

Labor – you must dump Conroy now. He is a liability to you retaining the 18-40 year old vote, and indeed the 99% of folks who don’t want the Internet censored. Without this core set of voters (about 45% of the eligible voters), you’re never going to win office in your own right again.

Welcome to iPad fraud

In the rush to release hundreds of publication specific apps as quickly as possible, every media dinosaur is desperately trying to claw money from the cashed up iPad owners with micropayments and pay walls. This is a recipe for disaster – and it’s going to be a gold mine for security consultancies, and nothing but tears for users.

Why?

All of these apps have to implement their own pay wall, subscription model, and store regulated financial data. Whereas before Apple did all the hard yards, now Flash web designers are going to be cutting code in Objective C for the first time to handle credit cards.

Are they going to get it right every time? Absolutely not. Will some of them get it right? Yes, those that get code reviews or have a skilled financial services development team. How many media outlets meet these requirements?

Mark my words, there’s going to be a lot of folks making money out of the poor decision to not create a secure micropayments service for iPhoneOS.

Securency and bribery

Australia developed polymer (plastic) bank notes from the 1970s onwards, and they’ve been our currency since the 1990s.

This bank note technology is essentially counterfeit proof – notes can have holograms, microprinting, a transparent window, “watermarks”, very colorful inks, metallic strips, and the notes are long lasting and machine washable. There’s a lot of positives.

The company formed by the Reserve Bank of Australia to print and market this technology is called Securency. They’ve been embroiled in a bribery scandal.

I just don’t understand how a company with a technological monopoly (it’s hard to figure out how to print on plastic) let itself be the conduit for bribes, particularly in the countries where the bribes are alleged to have occurred.

If I was a negotiator, and my opponent asked for a commission, structured deals, or outright bribe, I’d just report them to the head office, let them report to the other side’s local police, and then wait for the other side to appoint a new negotiator after justice has seen to be done. Their new negotiator would be so careful it would not be funny – you mean to do business, but the stench of corruption will not be tolerated.

We’re talking central banks here. Countries that have corrupt central banks are failed states – we cannot and should not be a part of these countries.

Like all financial institutions, the RBA and Securency employees and agents would have had to undergo background checks, and yet many of their representatives and head office staff still committed a very serious crime – one punishable by jail time in Australia. Just remember that background checks are an indicator of past criminal convictions, not future actions. Don’t waste money on them – just have strict anti-corruption policies in place, and walk everyone who is tainted. The rest of the staff will get the picture more than a background check ever will.

Sticking your neck out

For as long as I can remember, the standard “security” talk is a negative and destructive talk, where the presenter presents their latest “research” as if it’s going to solve world hunger, totally end the Internet as we know it, cure herpes, or put the spooks out of business as anyone could spy on the whole Internet.

The reality is that a few hours, weeks, or if it’s someone like Oracle circa 2005, years later, the problem is solved and we go back to giving our identities away for free on Facebook as if nothing had happened.

Seriously, why do we put up with this?

I believe it is because negative Chicken Little (“the sky is falling”) talks are much easier to do:

  • Hand waving talks can be put together on the plane whilst going to the conference, or even later if you don’t hit the bar as soon as you get to the hotel. Talks of this type include “Why the IT Security industry sucks”, “This language is garbage”, “What you know is all wrong”, and my favorite, “PCI sucks”. These talks have zero merit because you can’t fix them. They’re opinion pieces barely better than a script kiddy blog entry, and are typically badly researched opinions rather than game changers.
  • The buffer overflow, CSRF, Ajax, RIA, XSS, SQL injection, or latest attack with a twist talks are easy to do. You might need to start working on these talks at the airport lounge, but you’ll still pump out a talk. Patches for these talks are sometimes delivered before the talk has finished. The world has not ended.
  • The fuzzing talk is a bit harder. You have to run the fuzzer and let it find at least one badness. Probably a good idea to do it the night before you fly. Better yet, run it against a bunch of products in case someone did a good job.
  • Developing new devastating attacks that can be blocked by CS101-level controls, like the magic pixie dust of input validation. What a complete WAFTAM.
  • The pinnacle of negative talks has awesome demos, but realistically still demonstrates a paucity of ideas (such as how to detect if you’re in a VM – I mean really, who cares?). I have respect for these researchers, and really wish they’d apply their talents to good quality positive research instead of wasting their most productive research years on pointless baubles.

Why are positive talks harder? Because you have to work at them!

  • Firstly, it’s about research, and original research is hard to do properly.
  • Research takes time, and consistent application to an idea that may not even pan out. But if you don’t do it, you’ll never know.
  • You have to find an area that is not yet solved. There’s a reason it’s not solved yet. These issues have made talented brains hurt already.
  • You have to think of a new and novel solution to the issue, and the solution should be effective, simple and cheap. Most of the speakers on the party circuit simply don’t have this capacity, and haven’t had an original idea in years.
  • You have to develop your solution and test it out against lab and real world scenarios to make sure it doesn’t suck. It helps if your solution is repeatable, your solution and code are documented, and it’s usable by others without sacrificing chickens.
  • Many folks write papers and talks as if they succeeded at first go. That’s not science, that’s puffing up Brand Speaker. We learn from the paths not taken more than from the eventual solution. Think about CSRF and session fixation for example – there’s heaps of folks who think CSRF is solved by a random nonce. But it’s not the entire story. Same deal with click jacking. Write up your failures as much as you write up your successes.
  • You have to hand your research and methods around to trusted peers to see what they think and hope they don’t spill the beans or steal your thunder. Once you’ve published, you need to make sure others can repeat your experiments and results.
  • If you want to change the world, you have to give it away. You can’t patent it. You can’t tie it up in trade secrets. You can’t keep it to yourself. This is the hardest of all – think of the IT landscape today if AT&T had kept Unix to themselves. Exactly.

Lastly, and probably the most important – positive research and subsequent talks means sticking your neck out. Your peers evaluate what you’ve said and how your solutions work. If you’re not sure of self, this can be a huge risk to one’s ego. If you’re wrong, it’s real bad and you’ll be a virgin for another year. If you’re right, you will get {girls, boys, furries} and invites to all the sexy parties*

I will not claim that all of the hundreds of controls I documented in the OWASP Guide 2.0 are right. In fact, I know some of them are wrong. That’s how science works. At least I stuck my neck out and documented what I thought at the time. I’m happy to come back to the controls, do the research to find new controls that do work with minimal cost, and document those.

For those of you lucky to know me personally, you’ll know that I have no shortage of self, in fact probably enough self for two people, but you need it if you’re going to have a shot at this brave new world of repeatable, scientific progress in the web application security field.

I hope to see more conferences like OWASP’s AppSec Research conference, to be held in Sweden this year. Make sure you go to it. More importantly, stop wasting time on negative talks, and get moving on doing that research for next year’s conference.

* This is actually false advertising, as you’ll struggle to be invited to most conferences even though your research and talk will mean more long term than 100 negative talks. On the other hand, I’ve been told that Furries are easy to rub the right way.

OWASP ASVS – also good for architecture reviews

I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a light weight security architecture template.

The good news is that it helped us decide a bunch of controls (using ESAPI of course) that will hopefully improve the security of the application. I’ll find out in a few months if any of it helped.

What worked: pretty much everything.

What didn’t work: Some controls are not relevant to some classes of application. Do your homework before you go into the meeting so you can skip over ASVS controls that simply can’t work.

We found that there are controls we discussed that aren’t in the ASVS. The ASVS is an 80/20 (Pareto principle) standard, as pretty much all apps come from such a low basis today that any security improvement is a worthwhile improvement even if it’s not milspec. I wasn’t too fussed that we missed a few key items.

For those of you floundering around trying to figure out how to do Security Architecture reviews, ASVS can be your friend!

Going to OSCON 2010

I know I’ve ranted about this before, and this post is no different. OSCON still doesn’t have any security talks, which is like an engineering conference that doesn’t have any structural integrity talks.

A sample of non-functional requirements in the OSCON 2010 program:

  • Configuration Management – check*
  • Deployment – check
  • Documentation – check
  • Efficiency – check*
  • Legal issues – check
  • Performance – check*
  • Maintainability – check*
  • Quality – check*
  • Scalability – check*
  • Testability – check*

* I’m going to a few of these tutes and talks

And what they don’t cover:

  • Compliance – 0 talks
  • Privacy – 0 talks
  • Safety – 0 talks
  • Security – 0 talks, 1 three hour tutorial

And yet, security is the only NFR that can close your business, destroy shareholder value, get you sued, cost you dearly in compliance and remediation costs, limit your organization or project to irrelevance, and destroy privacy for millions of folks in one fell swoop of ineptitude and cluelessness.

One day, the papers committee will get a clue. It’s not 2010, though.

So all my open source chums – see you in Portland! :)

Upgrade to Ubuntu 10.04 LTS in VMWare Fusion – Keyboard issues

I upgraded my VMware Fusion image to Ubuntu 10.04 LTS over the weekend, and everything went well except for the keyboard. It wouldn’t work.

So here’s how I found out how to fix it:

  • Go to the Accessibility Preferences at the bottom of the screen, and tick “On-screen keyboard”.
  • You have to reboot, because for some unknown reason it doesn’t start unless you do.
  • You can now type in your password using the on-screen keyboard. Once logged in, your keyboard works.
  • Go to a terminal, and reconfigure your console:
      sudo dpkg-reconfigure console-setup
  • Reboot, and you’re done.

GMail – ORBS blacklist FAIL

Hilarious fun for all the family. Google’s GMail service has been blacklisted by an ORBS product.

These ORBS places are run by dumb ass vigilantes. The Internet just doesn’t need wanna-be-cops who have no legal basis for their operations. Just in case you’re wondering, I’ve been blacklisted by similar morons in the past and simply couldn’t get off their stupid lists, despite NEVER being a spammer and only sending maybe 30 messages a day from my host. Greebo, my not so clever cat, has more spam spidey sense than these oxygen bandits will ever have.

So here’s the transcript:

“Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 Rejected 74.125.83.43 found in dnsbl.sorbs.net (state 13).”

Let’s look that IP up, as it’s not mine:

% nslookup 74.125.83.43
...
Non-authoritative answer:
43.83.125.74.in-addr.arpa name = mail-gw0-f43.google.com.

FAIL.

Good luck getting off that list, Google! Let’s see if your billions of dollars and many lawyers will make it happen where my pleas fell on dumb ears.
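The bounce above shows the two lookups involved in a DNSBL rejection: the receiving server reverses the octets of the sending IP and prefixes them to the blacklist zone (exactly the way nslookup builds the in-addr.arpa name for a PTR query), and a listing comes back as an A record in 127.0.0.0/8. The following Python is an added example, not code from the original post or from SORBS or Google; it builds both names for the IP quoted in the error, and checks a listing against an injected resolver so it runs offline. The lookup table it uses is constructed (the 127.0.0.2 answer is invented for the demo, not a real SORBS result); a real resolver using the system stub is included for anyone who wants to check their own outbound mail IP.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed sample: the IP and DNSBL zone quoted in the bounce message above.
SAMPLE_IP = "74.125.83.43"
SAMPLE_ZONE = "dnsbl.sorbs.net"

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None for NXDOMAIN


def reversed_octets(ip: str) -> str:
    """Return the dotted octets of an IPv4 address in reverse order."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split(".")))


def ptr_name(ip: str) -> str:
    """Name queried for a reverse (PTR) lookup, as nslookup does."""
    return f"{reversed_octets(ip)}.in-addr.arpa"


def dnsbl_name(ip: str, zone: str) -> str:
    """Name a mail server queries to ask a DNSBL whether `ip` is listed."""
    return f"{reversed_octets(ip)}.{zone}"


def dnsbl_check(ip: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """
    Ask a DNSBL about `ip`. A listing is signalled by an A record inside
    127.0.0.0/8 (the last octet encodes the listing reason); NXDOMAIN (None)
    means not listed. Any other address is NOT treated as a listing, which
    guards against wildcarded or parked zones that answer every query.
    """
    name = dnsbl_name(ip, zone)
    answer = resolve(name)
    listed = False
    if answer is not None:
        try:
            listed = ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
        except ValueError:
            listed = False  # garbage answer: do not block mail on it
    return {"query": name, "answer": answer, "listed": listed}


def fake_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: answers from a constructed table, else NXDOMAIN."""
    return lambda name: table.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real resolver using the system stub; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed table: pretend the zone lists the sample IP with code 127.0.0.2.
    table = {dnsbl_name(SAMPLE_IP, SAMPLE_ZONE): "127.0.0.2"}
    print(ptr_name(SAMPLE_IP))
    print(dnsbl_check(SAMPLE_IP, SAMPLE_ZONE, fake_resolver(table)))
    print(dnsbl_check("192.0.2.10", SAMPLE_ZONE, fake_resolver(table)))
    # Uncomment to query a real zone from your own network:
    # print(dnsbl_check(SAMPLE_IP, SAMPLE_ZONE, live_resolver))
```

The check only trusts answers in 127.0.0.0/8; a zone that has been shut down and wildcarded to a real address would otherwise list every IP on the Internet, which is a common way for a mail server to start rejecting all inbound mail.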

OWASP Top 10 2010 – Cheat Sheet

Here is a two page cheat sheet for the OWASP Top 10 2010.

OWASP Top 10 2010 Cheat Sheet (100 kb PDF)

Double side to create a single piece of paper and hand it out to all your developers for free – it’s licensed under a Creative Commons Sharealike with attribution license. Once I’ve had a bit of feedback and I’ve tweaked it a bit, I’ll donate it to OWASP.

This cheat sheet is an unapologetically developer centric list of things to do right.

I’ve made it as simple as possible by only including things that I personally know will work with the least amount of (re-)work. Therefore, I have purposely left out all the different alternatives. You can (and probably will) have differing views as how to do it better.

The cheat sheet assumes the reader knows how to program, use a search engine and thus find OWASP. I might have to change these assumptions.

I’d love to hear feedback. Comments or e-mail will work fine.

Advanced Persistent Threat – risk management by a new name

I am so sick of APT this and APT that. Advanced Persistent Threats, essentially state sponsored intelligence gathering, are no different to the age old espionage between EADS and Boeing – something that CANNOT be prevented by coining yet another new FUD term like APT. Espionage is at least the second oldest profession in the world, and moaning about whatever APT is called this week is not going to change that. If your CFO wants to leak information to a competitor, there is NO information security system ever built that has or can prevent that level of misconduct.

Look behind who is promoting APT this time around. Companies that have IT security services and products to sell. I have worked in that industry for over 12 years now. We have enough work without ambulance chasing as part of our marketing plan.

Remember SOX? Lots of FUD then, just like APT today. Lots of “security” (and even non-security) programs designed to bring in so-called SOX compliance – and for what? There were more breaches and losses post SOX compliance than before, and it’s getting worse! Lots of money was wasted on useless programs, and hundreds of millions if not billions of dollars went down the drain for no business return.

If you ever wondered why business folks are rebelling against PCI DSS (which is actually fairly good), fear factor is to blame. We lose respect every time we yell “fire!” when there’s not even a match’s worth of smoke, and when asked for a solution, we want to bring in a DC-10 water bomber. It’s even worse when we come with a reasonable, cost effective, and long term solution and we can’t do it because of the reasonable expectation it’s just another false alarm.

Stop doing it! We have plenty of good reasons to do security (properly), and APT is simply not one of them. If you’re going to yell “APT APT APT!” have the courage to talk about solutions and make them workable, effective, financially responsible, and not to just rabbit on about security theatre solutions to sophomoric movie plot threats. I am not diminishing those organizations like the oil and steel industry who are responding properly where they have a real expectation that industrial or state based espionage will occur or has occurred in the past, but responding to APT for 99% of organizations is just a complete WAFTAM.

I hate APT and all the FUD surrounding it. Scaring the punters is chicken little or crying wolf. Get with the “do something” program. If you’re a news org, instead of talking about folks who got pwned, let’s talk about folks who through good management and effective IT Security programs have survived such “advanced persistent threats”.

What would I suggest we do about APT? Let’s take it back a step – what would I suggest EVERY firm of more than about 10-20 employees should do. Let’s start at the beginning with:

IT Security Management 101

AS/NZS 4360 Standard for Risk Management (1999) and ISO 17799 (now the 27000 family) are a great starting point. This stuff is simply not rocket science; any organization, no matter what business (charity, big oil, health, military, government, financial, etc), can and should look at what they have today, and start implementing them if they have nothing.

  1. ISMS – Create an Information Security Management System. This requires an effective CSO or CIO who is a force for change, with a mandate to take the opportunity cost out of the equation. Spending money on IT security seems a cost for most orgs, but if you see it as an opportunity to do better, you will succeed. Security is a business enabler and indicator of growth. CIOs / CSOs that choose the negative “no” speed hump path simply don’t get it and should be replaced. However, in all cases, it’s important that the CSO or CIO can force business owners to do the right thing, or make the business owners accept the responsibilities and risks of poor security decisions. Most orgs do not have an ISMS, and rarely do CIOs / CSOs sit on the board or are effective in any fashion. If the CIO / CSO has responsibility and accountability, but no budget and no power to improve things, resign. There’s no way you can effect substantial change when all software is insecure.
  2. Create and maintain IT security policies and procedures, and allocate (and enforce) responsibilities. Someone has to have the power to say “turn that off”. Someone has to know when it’s time to “turn that off”. Someone should have known beforehand that certain systems are more likely to end up in the “turn that off” category, and have the power and responsibility to do something about it. The best IT security policy I ever saw* was 10 pages long, had less than 500 words (none of which were “don’t”) and 20+ images in it. Staff knew what they had to do and they did it, as it worked with human nature rather than just saying “no” or “don’t do this” or “you’ll get the sack”. If your IT Security policy would make Stalin proud, occupies three massive binders, and is gathering dust in a cupboard, you’re doing it wrong.
  3. Create and maintain a global risk register. Start with an Excel spreadsheet if you have to, but most of you should probably go out and acquire one of the many excellent products out there that satisfy the ITIL marketplace.
  4. Create a catalog of all your assets (particularly DATA and the systems that handle that data!) and make sure it’s kept up to date. ITIL related products are your friend here – there’s heaps of asset register products out there, but make sure you register data assets as most are all about physical boxes. Assign all assets a classification and make sure folks know how things with that classification are to be dealt with. I prefer a simple three tiered classification system (public, internal, restricted), but whatever floats your boat. 90%+ of all orgs I deal with do not have any idea of what they are running nor the value of their assets or how they should treat them. I know of one org whose HR system was running on a desktop in a cupboard. Unacceptable. But if you don’t know it, you’re negligent, pure and simple.
  5. Perform a risk assessment of all assets, particularly critical ones. Risk assessments used to be popular, but I haven’t seen any done for a while now. This is a huge mistake. Put the risk assessments and any findings from reviews in there. Track, assign responsibilities and dates, and …
  6. Fix – Assign – Accept. Remediate what you can where it makes sense to do so. This doesn’t mean fix everything, just the things that matter. Insure (risk assign) the truly catastrophic outcomes. Accept what’s left.
  7. Security is an enabler! Be treated how you’d like to be treated! Train the business folks and developers in secure requirements and coding. Adopt a SDLC and do it. Get and use a defect tracker. Get and use code control. If you’re doing agile, make sure security is a key deliverable of every single user story / sprint / milestone. Make sure your testers test for abuse cases as well as business cases. Think outside the box and think about your customers when you do your security. Security that doesn’t work is wrong. Security theatre is wrong. A multitude of security features doesn’t mean you’re secure. Do security well, and you’ll win because your customers / clients / users will love you and appreciate the efforts you made to make security transparent, easy and effective.
  8. Expect to keep up with the Joneses. You don’t need to be bleeding edge, but anyone running Lotus Notes from 2001 or IE 6 should put money aside to deal with the cleanup of any lame attack from the last X years. Just because you’re not paying out on cap ex this year doesn’t make you a good manager. Long term, you’re gonna pay. Even out the expenses and roll out new stuff all the time and retire old stuff all the time. Don’t be afraid to run XP, Vista, Linux, Windows 7, and Macs all side by side. You shouldn’t require everyone to use the same XP image from 2003 on modern hardware – that’s just stupid. Keeping up is the cost of using IT and those who update regularly pay less than those who wait. And wait. And then get attacked. Plant and equipment is tax deductible in most tax regimes, so there’s no excuse not to depreciate and retire old crap. It does mean you’ll need to cope with patching and scalable roll outs of new hardware and software. You need this anyway for those zero days.
  9. Get rid of crap that costs a lot to operate. Systems that need patching all the time are doing it wrong. Systems that are attacked all the time because they are insecure should be retired. These systems are not worth supporting. Make the ISVs realize that you only pay for secure software that requires little maintenance. Wean off any supplier who refuses to understand this most basic of requirements. They’ll go out of business, and you’ll save money. Ensure when you buy customized software or have it developed for you that the contract states that the ISV has to fix all security bugs for free and they are responsible for paying for the code reviews and penetration tests to prove that they are secure. That’ll keep the ISVs in line.
  10. Monitor and escalate. No system is perfect. Put in procedures to cope with the horse bolting, but try not to have your entire herd and all their tackle gallop out the stables.
  11. Don’t be a cowboy – do it all the time. A good ISMS is not a “fire once and you’re done”. You can’t buy a product that does it for you. This is a commitment like GAAP is a commitment to financial standards to use the same systems year in year out. Those that forgot this lesson are now paying for APT. I’m not going to justify why you need to do this stuff, it should be obvious.

This stuff is simply not rocket science. It’s not new. Most well governed orgs already have this in place and have been doing it for a decade or more. The problem is that few orgs are well governed or have any particular driver to do IT Security well. Most CIOs are untrained in security, as they’re often accountants who are brought in to rein in costs – which is a mistake. Most CSOs lack board presence and have no authority other than to be a speed hump. This has to change. Orgs who grew up overnight (like Google) will get hit – and hard – by APT.

I don’t want to hear about APT unless you have a solution to whatever you’re bleating about. If you’re going on about how the script kiddies have all grown up and now do exactly what they did before, but are now bank rolled by intelligence agencies, my question to you is “so what?” If you’re doing IT security and governance right, APT is just so much hot air.


Say no to censorship - No Clean Feed!

This page is now black to protest the Australian Government's decision to censor the Internet. Censorship is possibly the most un-Australian act of all. Please write or call your local member and senators immediately to express your displeasure. Go to rallies. Twitter #nocleanfeed regularly. Blog. Facebook. Support the EFA. Vote for anyone but Labor. We must defeat this evil bill for our children's sake. Most of all - mass civil disobedience is vital.