News from AppSecUSA 2012 in Austin TX

[Updated Post Friday November 30, 2012]

Conference videos posted, http://videos.2012.appsecusa.org/

[Original Post Follows]

This years Open Web Application Security Project(OWASP) AppSecUsa 2012 was in downtown Austin Texas at the Hyatt.  There were many sessions and speakers from across industry.  Whether your just starting out, or a seasoned computer security professional, OWASP conferences provide good value across all levels of experience.  In addition to security training, OWASP events are a great place to gather as a community and exchange ideas around security.

James Wickett (left), Milton Smith (right)

AppSecUsa was organized by the local OWASP chapter.  In the photo to the right is James Wickett (Twitter, @wickett), Austin OWASP Chapter Leader.  Josh Sokol (Twitter, @joshsokol) chairs OWASP Chapters Committee Chair, not shown.  Matt Tesauro (Twitter, @matt_tesauro) is the OWASP LiveCD Lead, also not shown.  I know I’m understating their credentials.  Amazing what these individuals have done in Austin.  Good job on the conference.  You rock and it’s great to see you again!

Jim Manico (right)

There were a number of interesting presentations this year, I will cover a few. Top 10 Web Defenses – Jim Manico (Twitter, @manicode) VP Security, Whitehat Security.  The surprise for me, Jim communicated is that SQL Injection is still the largest attack vector.  I keep hearing the same rant from others so maybe I should start believing it.  We’ve known about SQL Injection attacks for years so it surprises me and it’s disappointing.  The most pervasive attack I’ve seen to date is Cross-Site Scripting(XSS).  In fact, I contemplated interrupting or raising my hand during Jim’s presentation but the next sentence out his mouth was, “XSS is the cockroach of the Internet”.  Bravo!  Jim’s a resident of Hawaii.  No, the hand signal in the photo is not a Hawaiian gang sign, it’s a friendly greeting.

Jim provided a number of useful resources throughout his session like OWASP’s cheat sheets covering a variety of topics[1].  The cheat sheet mentioned in the session is the Password Storage Cheat Sheet[2].  Another cheat sheet mentioned is the Forgot Password Cheat Sheet which you can find on main cheat sheet page[1].   I notice there is no cheat sheet specifically for storage of application or service passwords or at least one I find.  Some of the cheat sheets are work in progress while others are more mature.  In any case, the cheat sheets are a good emerging resource for common challenges.

Discussion around Content Security Policy(CSP)[3] kept surfacing in different sessions.  CSP is new to me but one of the interesting features is that it help’s prevent content reposting.  From a practical perspective, you can use CSP to prevent attackers from iFraming your protected page content.  CSP protects content by including a new HTTP header (e.g., X-Frame-Options) communicating to browsers not to embed protected content.  Without even looking at the spec, my intuition tells me there are ways around CSP like using old browsers where CSP is not supported, MITM proxies to strip out the header, etc.  CSP is likely in the same camp as HTTPOnly, not bullet proof, but good defense-in-depth measure especially when combined with HTTPS and other measures.

Why Web Security Is Fundamentally Broken – Jeremiah Grossman, CTO, WhiteHat Security (Twitter @jeremiahg) Most noteworthy, Jeremiah demonstrated some social media hacking.  The hacking demo uses clicks provided by the user to authorize calls to social media sites like Twitter and Facebook.  In the demo, the Twitter Tweet box or Facebook Like button, usually provided on news pages or blog articles, is made to follow or tail the user’s cursor around on the page.  Anywhere, the user clicks on the page, the social media button is clicked by the user — a type of click jack.  User data is gathered from their social media site and populated into a redacted demo page.  In a real implementation, these same buttons can be made invisible so it’s not obvious the linkage between the redacted demo page and the social media sites.   The redacted form demo is clever, when users see their personal data populated into the redacted form, one field at a time before their eyes, it’s compelling and shocking.  When Jeremiah gets the real redacted demo page live it’s guaranteed to get grab some press headlines.

Real World Cloud Application Security – Jason Chan, Cloud Security Architect, Netflix. (No Twitter)  Jason’s presentation was interesting since Netflix is laying a lot of new ground with operational and engineering practices.  It’s safe to say, almost nothing in their operational or engineering practices is standard.  For instance, Netflix combined both the development and operations into a single unit.  Netflix is largely operating on Amazon’s cloud infrastructure.  An interesting fact is that 1/3 of all US Internet traffic is Netflix streams.  To harden their production infrastructure Netflix crashes their servers and applications on a regular basis.  Yup, you heard me right, they crash their systems regularly and purposefully.  To crash their systems they employe a framework of Monkeys — stay with me for a moment.  One of the monkeys, Chaos Monkey, periodically kills a process, service, or an entire virtual machines at random.  The idea of killing various cloud components at runtime is that it builds more resilient applications.  Programmers and operations staff, that enjoy sleep, quickly learn how to build fault resilient applications tolerant to environmental changes.  Phew, that must have been a prickly implementation assuming they started with traditional processes.

Armadillo Races

The photo on the right was from the Armadillo races.  Armadillo’s move really fast.  I don’t think they ever stopped moving and they almost never travel in straight lines.  I have seen many dead armadillos on the side of the road so to finally see a live one is refreshing.  Live armadillo, check.  Now I only need to see a UFO and our national debt disappear.  We also had a mechanical bull on site.  Anyone wanting to ride the lightning could give it a try.  Also so everyone knows, I do have photos of Jim Manico (Twitter, @manicode) riding the mechanical bull.  No, I’m not going to post them.  There’s some things you need to attend in person to see for yourself.

Lock Pick Village

Of course, no security event is complete without a Lock Pick Village.  Several years back I was attending a security conference with a lock pick village.  Interestingly enough, I learned how to pick locks with Johnny Long,  (Twitter, @ihackstuff) , author Google Hacking[4].  I bought my first set of lock picks at the conference(hope they are legal in California).  Actually, mine got rusty so I threw them out years ago.  You learn lots of life skills at security conferences.  Johnny’s charity organization was at the conference but he was overseas assisting helping his team.  He’s pretty active about making the world a better place, admirable.  Yes, I did buy a ihackcharities.org t-shirt.  There’s just something wrong about that URL I like.

[1] “Cheat Sheets.” OWASP. OWASP, 28 July 2012. Web. 27 Oct. 2012. <https://www.owasp.org/index.php/Cheat_Sheets>.

[2] Manico, Jim. “Password Storage Cheat Sheet.” OWASP. OWASP, 26 Aug. 2011. Web. 27 Oct. 2012. <https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet>.

[3] Stern, Brandon, and Adam Barth. “Content Security Policy 1.0.” Content Security Policy 1.0. W3C, n.d. Web. 27 Oct. 2012. <http://www.w3.org/TR/CSP/>.

[4] Google Hacking for Penetration Testers, Volume 2, http://www.amazon.com/Google-Hacking-Penetration-Testers-Johnny/dp/1597491764/ref=sr_1_cc_1?s=aps&ie=UTF8&qid=1351625349&sr=1-1-catcorr&keywords=google+hacking

Do Not Track, Why Does it Matter?

Figure [1]: Do Not Track

If your a software developer or browser power user it’s likely you’ve heard some discussion around Do Not Track(DNT) features[2].  Like the name implies, DNT communicates the user’s desire to the application not to be tracked[3] — simple enough.  The fire storm around DNT is the implications for individual privacy and industry access to your personal information.

From a technical perspective, DNT is implemented as an HTTP header and sent by the web browser to the web application.  The application receives the DNT header and hopefully honors the user’s wishes.  The setting is user adjustable via browser configuration settings, if supported.  The technologies are well established and relatively simple to implement.

The meaning of DNT is clear enough to many users and hardly requires explanation.  However, advertisers steadfastly refuse DNT since it impacts access to user personal data.  Favoring instead to self-regulate or other measures.  The Digital Advertising Alliance(DAA), representing over 5000 advertisers, does not support DNT[7].  So what’s the problem?  Are the specifications not clear enough?  Nobody understands that user’s value their privacy?  No, not at all.  So if industry understands what we want why don’t they keep our information private?  To understand the industry viewpoint about your data a Verizon exec captures it succinctly — “Data is the new oil”[8].  To me that says, our personal data is an incredibly valuable product.  A trip to the gas pump helps put the comparison in perspective.

The challenges of DNT are…

  • How best to implement within the applications.
  • Industry favors unfettered access to your personal information.
  • Support for DNT is voluntary.  Few rules and consequences around use or even abuse of your data.
  • Incredible financial incentive exists not to implement DNT.
  • It’s not clear when — if ever — DNT will be formally adopted by IETF.  In fact, it’s not looking good at all.

Beyond the commercialization of your data, there are practical reasons to retain some user information.  Clearly, information about the user must be retained to promote a good experience with the application.  Imagine if Facebook didn’t have access to your list of friends — the service would not be very useful.  Implementation of “no tracking” in the strictest sense is not desirable for anyone.  On the other end of the spectrum, data brokers gathering your personal information for resale is likely considered abusive to most users; that is, if they were even aware their data was being sold.  All this begs the question, what is considered good and bad tracking?

A Stanford University team did a pretty good job at defining good and bad tracking[6].  Their starting point was to consider tracking from the user’s perspective.  A site you visit and interact directly is considered a 1st party.  Sites you do not directly interact with directly are considered 3rd parties.  The scope of DNT applies specifically to 3rd parties.  Any practices defining bad tracking apply to 3rd party use of your information.  Of course, there are some legitimate 3rd party uses like supporting infrastructure services so definition is tricky.

Thinking more about data again.  On deeper and more personal level, information about your present medical and financial conditions and history you post to friends on social media can be gathered and used by potential employers, insurance companies, to their benefit.  Be mindful of everything you discuss online and every bit of personal information you enter.  Unlike derogatory credit reporting data there is no limitation on life span of derogatory social media or even rules about how your personal Internet data may be traded or brokered[5].  My rule of thumb, if it’s technologically possible to achieve and beneficial to someone or group, than I assume it’s being done.

“If you don’t know who the customer of the product you are using is, you don’t know what the product is for. We are not the customers…we are the product”.  –Doug Rushkoff[4] 

So to answer, why does DNT matter?  DNT matters because it communicates the individual’s desire not to be tracked.  Any web site that does not comply with your privacy wishes runs the risk of a flogging by the court of public opinion.  DNT stabs at the very heart of information profiteers benefiting by knowing everything about you.

Individual privacy is an unfolding drama that will take years to sort out but I have every confidence it will be sorted out.  I have faith the industry will continue to misbehave, and regulators will do what they do best — nothing or error on the side of more money for business.  Eventually, the confluence of injustice will produce a public outcry for privacy the likes we have never seen.  Already privacy is in the news every day.

Most people understand, to use a really good web site for free they must give up something.  Most think in terms of tolerating some advertisements in the web page.  However, many don’t have a good understanding of what is being negotiated away and industry likes it that way — but people are learning fast.

[1] Bug. Digital image. http://donottrack.us/. Stanford, n.d. Web. 10 Oct. 2012 <https://www.securitycurmudgeon.com/wp-content/uploads/2012/10/bug.png>.
[2] “Do Not Track.” – Universal Web Tracking Opt Out. Standford, n.d. Web. 10 Oct. 2012. <http://donottrack.us/>.
[3] Mayer, J., A. Narayanan, and S. Stamm. “Do Not Track: A Universal Third-Party Web Tracking Opt Out Draft-mayer-do-not-track-00.” Ietf.org. Internet Engineering Task Force, 7 Mar. 2011. Web. 10 Oct. 2012. <http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt>.
[4] Solon, Olivia. “You Are Facebook’s Product, Not Customer.” Wired UK. Wired.co.uk, 21 Sept. 2011. Web. 11 Oct. 2012. <http://www.wired.co.uk/news/archive/2011-09/21/doug-rushkoff-hello-etsy>.
[5] Singer, Natasha. “Senator Opens Investigation of Data Brokers.” The New York Times. The New York Times, 11 Oct. 2012. Web. 11 Oct. 2012. <http://www.nytimes.com/2012/10/11/technology/senator-opens-investigation-of-data-brokers.html?_r=0>.
[6] Mayer, Jonathan, and Arvind Narayanan, Ph.D. “Re: Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” Letter to Federal Trade Commission, Office of the Secretary. 18 Feb. 2011. Donottrack.us. Stanford University, n.d. Web. 12 Oct. 2012. <http://donottrack.us/docs/FTC_Privacy_Comment_Stanford.pdf>.
[7] Naples, Mark. “DAA Statement on DNT Browser Settings.” BusinessWire.com. WIT Strategy, For the DAA, 9 Oct. 2012. Web. 16 Oct. 2012. <http://www.businesswire.com/news/home/20121009005980/en/DAA-Statement-DNT-Browser-Settings>.
[8] Morran, Chris. “Does Verizon’s Monitoring Of Customer Behavior Violate Wiretap Laws?” Http://consumerist.com/. The Consumerist, 16 Oct. 2012. Web. 17 Oct. 2012. <http://consumerist.com/2012/10/16/does-verizons-monitoring-of-customer-behavior-violate-wiretap-laws/>.

Five Digital Fouls in the Information Age

[1]

Technology changes quickly but sometimes people are slow to change.  Some digital fouls in the information age…

1)  Facebooking or Twittering in bed
In the old days, life was simple, if you saw a light on under the sheets it’s because your electric blanket is malfunctioning and your sheets are on fire.  These days it means you’ll be getting some rest tonight.  Foul.

2)  Criticizing your satellite radio provider about their limited 80’s selection
Your tired of listening to the same songs over and over again.  You want some new 80’s music.  And your not going to stop until you get it.  Think before you call customer support.  Foul.

3)  Texting the kids upstairs to come down for dinner
Texting anyone within 3 meters should be against the law.  What’s next, text me the salt and pepper please?  Foul.

4)  Talking on cell phones in the bathroom
There’s just something not right about this (even if your’re using Bluetooth).  Foul.

5)  Warming up your electric car
No, sorry, this does not work.  Must I say more?  Foul.

[1] Donkey image, “Weather Proverbs and Folklore.” – Bureau of Meteorology. Australian Government, 22 Sept. 2011. Web. 05 Oct. 2012. http://www.bom.gov.au/social/2011/09/weather-proverbs-folklore/.