Enabling Secure Business Operations

Don’t Blame Microsoft

April 30th, 2008

You may have heard about the recent SQL injection attacks and how they only affect Microsoft IIS servers. You may have also heard that Microsoft has said that it’s not their fault.

Basically, there are a surprising number of sites that allow SQL code to be entered and executed, and Microsoft said that it’s not up to them to write good code for you.

This is when we security folks say, “See? You do need us!” While every programmer should be aware of SQL injection, it helps to have a security expert review your code. At the very least, holes that are as obvious and easy to fix as this will be avoided.

The Rise of Federations

April 30th, 2008

This week brought with it the exciting news that Exostar is launching a federated identity service for the aerospace industry.

Next week, however, Exostar will launch a new capability, the Federated Identity Service, that does the process of “credentialing” on behalf of Exostar’s members, ensuring that individuals that attempt to use the systems of the community or its members are who they say they are — and are authorized to use the systems they are trying to access.

The concept behind federated identity is a simple one: leverage existing investments in identification and authentication of users, and build an authorization structure that works across multiple applications, systems, companies, and vertical markets. The U.S. Government has its E-Authentication initiative; there are also the Shibboleth, Liberty Alliance, and WS-Federation standards. Tons of companies have interests and products in this area, including Oracle, Microsoft, Novell, Sun, Symlabs, Ping Identity, CA, Siemens, IBM, etc. Other industry groups are looking to stand up their own federated identity infrastructures, similar to what the aerospace industry has done.

The fortunate thing is that the SAML 2.0 standard seems to be the standard that most products, standards, and organizations are moving toward. However, just because everyone settles on SAML doesn’t mean that everyone will interoperate. I suspect there still needs to be some federating of the federation standards before more universal adoption is achieved.
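To make the split described above concrete (authentication vouched for by an identity provider, authorization decided locally by each application), here is an added example that is not from the original post, from Exostar, or from any SAML product. It uses a constructed HMAC-signed assertion as a stand-in for the XML signature a SAML 2.0 assertion would carry; the issuer names, audience, key, subjects and role table are all hypothetical. The relying party checks the things that go wrong in real federations: an issuer it does not trust, a tampered assertion, an assertion minted for a different application, and an expired one.

```python
import hashlib
import hmac
import json

# Constructed example of the federated model: the identity provider (IdP)
# authenticates the user and signs an assertion; the relying application (SP)
# verifies the assertion and applies its OWN authorization rules.
# A shared HMAC key stands in for a SAML XML signature; this is not SAML.

# Hypothetical registry of identity providers this SP trusts, with their keys.
TRUSTED_ISSUERS = {
    "idp.example-consortium.test": b"constructed-shared-secret-do-not-reuse",
}

# The SP's local authorization data: actions allowed per federated subject.
# Identification is federated; what a subject may do here is decided here.
LOCAL_ROLES = {
    "alice@member-a.test": {"view_orders"},
    "bob@member-b.test": {"view_orders", "approve_orders"},
}

# Hypothetical audience identifier for this application.
SP_AUDIENCE = "orders.sp.test"


def canonical(payload):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, subject, audience, key, now, ttl=300):
    """IdP side: vouch for `subject` to `audience` for `ttl` seconds."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion, now):
    """SP side: return the subject if the assertion is acceptable, else None."""
    payload = assertion["payload"]
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None  # unknown identity provider
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # tampered or forged assertion
    if payload.get("aud") != SP_AUDIENCE:
        return None  # issued for another application; must not be reused here
    if not (payload["iat"] <= now < payload["exp"]):
        return None  # expired or not yet valid
    return payload["sub"]


def authorize(assertion, action, now):
    """Federated authentication, local authorization."""
    subject = verify_assertion(assertion, now)
    if subject is None:
        return False
    return action in LOCAL_ROLES.get(subject, set())


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    key = TRUSTED_ISSUERS["idp.example-consortium.test"]
    bob = issue_assertion("idp.example-consortium.test", "bob@member-b.test",
                          SP_AUDIENCE, key, now)
    print("bob may approve:", authorize(bob, "approve_orders", now))
    print("same assertion a minute later:", verify_assertion(bob, now + 301))
```

The design point is that the only thing the applications share is trust in the IdP's key and agreement on the assertion's contents; each application keeps its own authorization table, which is what lets a single credential work across companies without every company having to agree on roles.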

And now let’s look forward 5-10 years toward a future where the entire Internet shares a federated identity infrastructure; where you can use one single CardSpace card and/or OpenID login to get into your email, bank accounts, PayPal, social security benefits, buy things from Amazon, and forward your mail. Now, an identity thief needs to steal just one username and password and everything goes up in smoke.

Nothing is Compliant

April 29th, 2008

I was at the Microsoft Health and Life Sciences Developer Conference last week in Atlantic City, where I got the chance to listen to a good presentation from Les Jordan of Microsoft about 21 CFR Part 11 compliance. The talk centered on how Microsoft is trying to make dealing with the V Model more manageable for validated applications as it pertains to applying security patches.

One interesting point was that if a security patch is available for a validated system and has not been applied, then the FDA does not consider that system compliant. However, full qualification tests must be run and documented while applying the patch, which takes time. The issue this creates is that security patches are released frequently enough, and validation testing takes long enough, that validated systems become a bit of a mess to manage.

So, what can be done about this? One important step that was discussed is this: since the Part 11 requirements only cover patches that affect the validated part of the system, any security updates released for non-validated portions of the platform should be pushed immediately. For example, a printer driver update for a printer that will never be used by a web server machine can be applied without testing, since it does not affect the validated functionality of the system. However, this just makes the problem a little more manageable; it doesn’t eliminate it completely.

If a validated system is out of compliance in an unpatched state but also out of compliance when a patch is applied without formal testing, I’m of the opinion that a “patch first, test second” approach should be taken. True, this may break some application functionality, but I would much rather have a broken application than an insecure one handling my personal data. [This assumes that compliance is taken as a binary data point: compliant or not-compliant. If there are degrees of non-compliance, I may change my mind about this.]

Aside from that, the only other option I can think of is to throw more resources at patch validation so security updates can be rolled out quickly. But, as we all know, security is not a value-add, so the goal is typically to throw as little money at security services as possible so as not to lose customers or run afoul of the law.

Real Life Trojan Viruses

April 27th, 2008

I thought this was interesting:

The pathogen disguises itself as waste material and tricks cells into digesting it, just as they normally would with the remains of dead cells. As the immune response is simultaneously suppressed, the virus can be ingested as waste without being noticed.
...
As soon as they impinge upon the cell membrane, an evagination forms, a bleb. The virus itself is the trigger for the formation of the evagination. Using a messenger substance to “knock on the door”, the virus triggers a signaling chain reaction inside the cell so that the bleb forms, catches the virus and smuggles it into the cell.

Apparently, the vaccinia virus is able to disguise itself as cellular waste, which other cells readily ingest, causing them to become infected without setting off any alarms. The parallel with computer malware and trojans is apparent: they work in much the same way. If a computer user can be tricked into executing what appears to be an innocent or trusted program, they could inadvertently let in all sorts of nasties.

As Jean-Baptiste Alphonse Karr once said, “Plus ça change, plus c’est la même chose…”

“The more things change, the more they stay the same…”

New House, New Key(s)

April 25th, 2008

I just closed on a new home last week. One of the first things I had to do was change out all the locks. Mainly because I didn’t have keys to any of the deadbolts nor the utility room on the back of the house, which stores the furnace, hot water heater, all that good stuff.

So I went to my local hardware store. At first I was very tempted to get something like this Kwikset SmartScan, but I decided at $100 a pop I could hold off. After looking through the selection, one thing became very apparent to me. Because I was going to need 3 complete sets (knobs / deadbolts), I wanted them to share the same keys. To do this you need to match up the codes on the packages; that way you can get the same sets. Upon picking out a design, style, and type, I quickly looked through all the sets only to realize that every package on the shelf had the exact same key code. This meant that the key in any package would work in any of the other locks.

So what are the chances that someone else would come in right behind me, purchase the same set, and now they’d have a key that would work in my house as well? Now I know with such a densely populated area here in DC that the actual chances of someone stumbling upon my house and knowing they have a key that fits is completely low. But someone could just as easily prey on someone who was in the exact same scenario as myself (notice their selection, follow them home, and later wreak some havoc) – maybe a far stretch, but hey, IT COULD HAPPEN.

My solution was somewhat simple: the lock sets I decided to buy feature a smart key system, where I could change the actual key pattern at any time. So I simply went over to the key cutter and had 3 keys made up of the same style but with a completely random pattern. That way the chances of my new key pattern matching anything that is provided from the factory are very slim.

Let’s just hope my new locks can withstand some degree of key bumping.

Biggest Problem On The Internet: Cybercrime?

April 24th, 2008

According to Bruce Schneier it is, and it might not be fixable.

It’s expensive to investigate, and it’s cross-jurisdictional. It might not be fixable. A lot of [the solution] is going to be making the things that criminals are going after harder to get. You’re not going to stop the criminals [from trying]. But in the United States, it’s really easy to get a credit card in someone else’s name. The credit card companies like it that way.

Isn’t any fraud, stealing, or trespassing online a crime? Of course it’s the biggest problem, and no, it’s not fixable – just manageable. As long as people try to commit crimes, there will be crimes.

Marriage License and Name Change Security

April 23rd, 2008

As some of you may have picked up from my previous post, I was recently married, and am taking my husband’s name. Let me tell you both how easy and how much of a hassle changing your legal name is.

I was married in Frederick County, Maryland which has an interesting Marriage License system. When you apply for your license, you’re given three pieces of paper: a fancy piece of paper, a green sheet, and a white one with a raised seal. All three have the same information: full names, ages, and addresses of the bride and groom. It also has blank spaces for the date and location of the marriage. The final piece of information it has is a signature block for the officiant. It does not have anywhere for the bride or groom or witnesses to sign. When I went to apply for the license (only one of us has to go), I showed my ID and gave them the information printed on the license as well as both of our social security numbers. I had to state under oath that all of the information was correct to my knowledge and that we both intended for the marriage to take place.

Once the officiant signed the three copies, we kept the “fancy” one, the officiant kept the white one with the seal, and we mailed the green copy back to the courthouse. I will never get an “official” copy of the marriage license from the county; the “fancy” copy I have (with no raised seal) is considered my official copy to use when changing my name.

I see several issues here:
1: Neither of us signed it; how does the county know that the officiant isn’t just completing it for one party?
2: There is no raised seal or any other indicator that the marriage certificate is an official government-issued document. In fact, it is copyable (yes, I tried…).
3: We have no confirmation that the county received the completed copy of the license (I called later to confirm that they did receive it).

Some of these factors made it quite interesting to start the process of getting my name changed (and it’s not even close to finished yet).

I had a lot of bank accounts, investment accounts, and credit cards that would need to be changed, so before the wedding, I had called all of these companies and asked what I needed to do to change my name. I was honest with them and said the wedding would be in a week, and I was just calling to get information. The banks and investment accounts gave me the address to send a copy of the marriage license once we had the official copy. The credit card companies said “we can do that over the phone for you right here, what’s your new name?”. So, before the wedding, I had in my possession credit cards in my new name. I didn’t activate them yet since all of my ID was in my maiden name, but wow, that was easy.

After the wedding, I started changing the more official IDs.
I had read that the first stop should be either your passport or your driver’s license. Well, I was about to head overseas, and I was traveling under my maiden name, so the passport was out. I started with my driver’s license and SSN. Monday morning after the wedding found me waiting in line at the MVA with my driver’s license and my marriage license. It was quite painless. They took a new picture, charged me $30, and I was on my way with my new ID. The SSA office was a little more interesting. There was a man at the front desk checking to make sure everyone had the proper paperwork for whatever they were there for, and he told me that I needed an official copy of my marriage license, with a raised seal. I repeated to him what the county had told me, and he let me wait in line anyway. When I got called, no problems; I got a nice letter that I would get my new card in 2 weeks (I haven’t gotten it yet, nor have I called about it, so there may be problems elsewhere).

My bank was pretty easy: I just walked in with a copy of the license, and they copied it and changed the name on my account. I haven’t dealt with the places I have to mail a copy to yet, but they’re on the list for writing this weekend.

However, I have not changed my passport yet. Supposedly, I only need to send my original passport and the original copy of my marriage license to the Department of State, and they’ll send me a new one. I haven’t done this for a few reasons. For one, there are a lot of places where I’m still Laura Bowser and I need ID to authenticate myself. Also, I’m registered to take a few certification exams, and the people running the exams weren’t sure if the system would have my name updated in time to take the exam. So I need a piece of ID in each name for a while.

It’s been an interesting journey. Even my husband occasionally forgets that I’ve taken his name and refers to me by my maiden name, but I’m sure that will eventually change. I have had to be extremely careful when signing my name since in cursive a capital B and capital R start very similarly.

Microsoft Opens the Doors for Ethical Hackers

April 22nd, 2008

At the ToorCon conference in Seattle this past Saturday, Microsoft announced it would allow ethical hackers to test and probe its services.

In a first for a major company, Microsoft has publicly pledged not to sue or press charges against ethical hackers who responsibly find security flaws in its online services.

I personally think this is great news, and wish more large companies would do the same. Far too often, valid security holes are found and not reported for fear of repercussions, and those same holes are then exploited by real hackers for their own personal gain. We need a community more open to the fact that there are good guys out here who are trying to help.

Luckily it seems I’m not the only one with these views.

Katie Moussouris, a Microsoft security strategist, said she is pushing to get a provision added to a proposed standard that’s making its way through the International Organization for Standardization that would protect ethical hackers who responsibly disclose vulnerabilities in other companies’ websites. “If I get my way, it’ll be in there,” she said.

Little Bobby Tables

April 16th, 2008

Seriously, folks. This is just unacceptable.

The amount of effort put into securing an application needs to be proportional to the importance and sensitivity of the data. A SQL injection vulnerability that allows addition of records to the sex and violent offender registry? Are you kidding me? This wasn’t a “bad credit” kind of a security hole, this was a “completely ruin somebody’s life” kind of security hole…and the steps required to exploit it aren’t exactly rocket science.

Given the description of how much effort it took to get the hole patched, it doesn’t sound like these developers should have ever been let within 10 feet of a computer, let alone a Department of Corrections application. How does this happen? How can security be such a non-issue to people responsible for dealing with information like this? And how can any developer, security industry or otherwise, NOT know about SQL injection?

Now, an explanation of the title: XKCD rules
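Both this post and “Don’t Blame Microsoft” above rest on the same point: the hole is obvious and the fix is cheap. The following is an added example, not code from the original posts or from the Department of Corrections application they discuss. It uses a constructed in-memory SQLite table standing in for a registry, and shows the lookup written the broken way (user input pasted into the SQL text) next to the one-line fix (a bound parameter), so the same hostile input can be run through both. The table name, columns and rows are made up for the example.

```python
import sqlite3

# Constructed sample data standing in for a registry table; nothing here is
# from the real system discussed in the posts.
SAMPLE_ROWS = [
    ("Alice Example", "public"),
    ("Bob Example", "sealed"),
    ("Carol Example", "sealed"),
]


def make_db():
    # Fresh in-memory database so the example runs offline and repeatably.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registry (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO registry VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def public_lookup_vulnerable(conn, name):
    # The hole: `name` is concatenated into the SQL text, so a quote character
    # in it ends the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT name FROM registry WHERE status = 'public' "
           "AND name = '" + name + "'")
    return [row[0] for row in conn.execute(sql)]


def public_lookup_safe(conn, name):
    # The fix: a bound parameter. The driver sends `name` as data, never as
    # SQL text, so quotes, comments and keywords in it cannot alter the query.
    sql = "SELECT name FROM registry WHERE status = 'public' AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run an honest and a hostile input through both versions."""
    conn = make_db()
    honest = "Alice Example"
    # Constructed hostile input: the quote closes the literal and the rest
    # turns the WHERE clause into one that matches every row (the 'sealed'
    # ones included), because AND binds tighter than OR.
    hostile = "x' OR '1'='1"
    return {
        "vuln_honest": public_lookup_vulnerable(conn, honest),
        "vuln_hostile": public_lookup_vulnerable(conn, hostile),
        "safe_honest": public_lookup_safe(conn, honest),
        "safe_hostile": public_lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13s} -> {rows}")
```

The vulnerable lookup returns all three rows for the hostile input; the parameterized one returns nothing, because it is looking for a person literally named `x' OR '1'='1`. The same substitution (concatenation to placeholder) applies to INSERT and UPDATE statements, which is where the record-adding hole in the post lives; a code review that greps for string-built SQL finds this class of bug in minutes.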

When is no news good news?

April 14th, 2008

Maybe it’s just me; maybe I’ve just been busy with work and not taking the time to scour all the many news blogs; maybe there’s something there and I’m just not picking up on it. But it seems lately, at least over the past couple of weeks, it’s been pretty slow in the InfoSec news departments all around the net.

Some could even look at this as a good thing, as no news about bugs, exploits, vulnerabilities, and viruses could be interpreted as good, meaning we’ve been doing our jobs and all is safe in the world.

I generally try to stay on top of everything, mostly for personal interest, but also for the self-education that usually comes with learning anything else about one’s field of profession. And in InfoSec, staying on top can be a job in itself. With vulnerabilities being discovered every day, new viruses being created (we’ve topped 1 million now), and ensuring all customers/clients are protected from all of this, one can stay pretty busy.

So in all this, it’s hard to keep track of everything. On a given week, I could literally spend all day learning about what’s been exploited, what’s been patched, who’s done what to help whom here and there. But learning is nothing if you never take time to implement what you’ve learned.