Enabling Secure Business Operations

Teaching Apple to fish

March 26th, 2010

Pwn2Own winner Charlie Miller is taking a different approach this year when it comes to disclosing the vulnerabilities he used to the vendors, in this case Apple, Microsoft, and Adobe. In an interview with Computerworld, Charlie stated:

“We find a bug, they patch it, we find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”

From this observation Charlie decided he’s not simply going to hand the vulnerabilities over to the vendors. Instead, he’s going to sit down with them, show them the method he used to find the bugs, and let them do the actual work of finding the bugs themselves.

“People will criticize me and say I’m a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them,” Miller said. “What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing.” That, Miller maintained, would mean more secure software.

I think this is a great approach. Instead of simply giving the vendors the fish, you’re helping them learn to fish, and fishing for vulnerabilities in software is something they need to be doing more often anyway.

Microsoft has already implemented fuzzing in its Security Development Lifecycle (SDL), so how the vulnerabilities made their way into PowerPoint, who knows. I’m not sure whether Apple or Adobe already implement a form of fuzzing in their development process, or how far their SDL goes for security; I’m hoping Adobe at least has some pretty stringent processes in place, seeing as they are not the most targeted vendor in the world.

Either way, I love this approach; it puts a little more pressure on the vendors to fix their software and in the process hopefully shows them how simple it is to detect this stuff.

FireHOL

March 25th, 2010

If you’ve ever had to set up iptables rulesets, then you know how obscure the syntax for those configuration files can be (unless you’re used to it already). Fortunately, FireHOL provides a simple, clean, easy-to-understand language for describing complex iptables rules.

For example, let’s say I was running a local DNS cache server that is configured to hit an external DNS server on cache misses. The rule that accepts the upstream server’s replies looks like this:

iptables entry:
-A INPUT -p udp -s 0/0 --source-port 53 -d x.y.z.d/32 --destination-port 1024:65535 -j ACCEPT

FireHOL entry:
client dns accept

Obviously, FireHOL’s strength lies in its ability to represent iptables rules in a simpler, more intuitive format.

To be fair, iptables is designed to give the user as much freedom as possible to create their ruleset. This comes at a cost to usability, as the syntax can become pretty ungainly, especially for complicated setups. By simplifying the language used to describe firewall rules, FireHOL makes it that much easier to write the rules without having to google for examples to copy-paste-modify. Also, since FireHOL only provides a transitional language that is eventually converted to iptables rules, it is able to maintain that same flexibility to create highly-customized rulesets. This is true even on systems that require large and complex firewall rules.
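As an added example (not from the original post or the FireHOL project), here is a complete firehol.conf for the scenario above: a host running a caching resolver for a LAN that forwards cache misses to one upstream server. The interface name eth0, the LAN range 192.168.1.0/24, the upstream address 203.0.113.53 and the FireHOL 1.x "version 5" config format current in 2010 are all assumptions.

```firehol
# Added example, not from the post or the FireHOL project. Assumed values:
# eth0 = the host's only interface, 192.168.1.0/24 = the LAN it serves,
# 203.0.113.53 = the upstream resolver used on cache misses.
version 5

interface eth0 lan
    policy drop            # anything not matched by a rule below is dropped
    protection strong      # drop invalid/malformed packets, limit SYN and ICMP floods

    # Queries from LAN clients to the cache (UDP and TCP port 53) and the
    # matching replies back out.
    server dns accept src "192.168.1.0/24"

    # Cache misses: queries to the upstream resolver and its replies, which is
    # the traffic the raw iptables rule above (source port 53 to a high port)
    # was accepting, here narrowed to a single upstream address.
    client dns accept dst "203.0.113.53"

    # Management and diagnostics, restricted to the LAN.
    server ssh accept src "192.168.1.0/24"
    server icmp accept src "192.168.1.0/24"
    client icmp accept
```

Run `firehol try` to load the ruleset with a timed rollback, which is the safe way to test a new config on a remote host.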

Can’t Create a New Certificate Template to Issue?

March 23rd, 2010

As some of you know, a lot of my background is in the world of Public Key Infrastructure.  I’ve been involved in every phase of PKI, including developing certification authority and ASN.1/DER encoding/decoding software, developing automated registration authority components, creating certificate policies and certification practices statements, as well as designing and rolling out production PKIs for large organizations.

Increasingly, organizations are turning to the use of Active Directory Certificate Services, otherwise known as Microsoft Certificate Services.  The reasons are many: it’s included with the purchase of your Windows Server product, it’s easy to configure and use, and did I mention it doesn’t cost any (additional) money?  The Microsoft product is a fairly good one and provides for a lot of customization and configuration so that it can be useful in just about every environment.  We use this product for our company-issued certificates which are used to encrypt email.

The other theme at the 2010 RSA Conference

March 22nd, 2010

Chances are, if you read 10 articles or blog posts about the 2010 RSA conference, you will hear the term “cloud computing” ten times. The cloud was clearly the dominant theme of most of the presentations, product demonstrations, and discussions which took place at the Moscone Center in the first week of March 2010. However, another theme was nearly equally present in presentations and discussions: Cybercrime.

2010 RSA Conference Day 2-4 Keynotes

March 18th, 2010

As I mentioned in an earlier post, the 2010 RSA Conference Keynote addresses have been posted online and I’m linking some of my favorites from the 2010 conference. You can view an interactive webcast, view the video, or even listen/download audio-only podcasts of the keynote presentations. It is often hard to follow the keynotes in the first day, so I’m just going to mention the highlights from the rest of the week.

  • Tuesday’s keynote by Philippe Courtot, Chairman & CEO of Qualys, was a pretty good one, and should have been given prior to some of the other keynotes since it provided a bit of a primer on cloud computing. He discusses some basics around cloud computing and what it will likely become in the future.
  • It is always important to hear what the Government has to say, so Janet Napolitano’s brief remarks are worth watching.
  • Tired of pure security talk? Catch a good presentation and discussion on emerging brain-computer interfaces by Dr. John Donoghue.
  • While I think Art Coviello’s keynotes have been getting better over the years, I always preferred the first day keynotes by Jim Bidzos. We were fortunate to get a keynote presentation from him this year about security and trust on the Internet.
  • And finally, the always entertaining Hugh Thompson provides a look at the steps forward and back in security over the last year and interviews a few individuals including Craig Newmark from craigslist and Steve Wozniak.

Keep an eye on the 2010 RSA Conference website, especially if you were an attendee/delegate. Over the coming weeks and months they often make some of the most highly valued discussions and presentations available for viewing. It is a good way to stay connected to the themes of the year even if you couldn’t be at the conference.

Clickjacking

March 18th, 2010

Clickjacking is a relatively new term in the web hacking area. Although the original paper by Robert Hansen and Jeremiah Grossman was only published in September 2008, clickjacking has already become fairly “normal” and common. It’s a visual trick that gets users to click on something they weren’t intending to click on, like that “buy now” link or the “follow me” link that the marketer wants you to click on. Granted, it has limited use in the purchasing area, since most online stores require you to give them your credit card number before you can buy anything. However, an attacker can use it to get more “impressions”, click-throughs and fraudulent ad money, for example, or to increase their popularity.

How does it work?

Hansen and Grossman use nice pretty pictures to explain the process, and I can’t really do any better, but I can give a summary. The basic idea is that an attacker uses an iframe to place a transparent page (or button) on top of the page you really intend to view. When you click on a “button” on the page you can see, you are really clicking the button on the page the attacker has made “invisible” to you.

What can you do to prevent it?

Microsoft, Apple and Google Chrome pay attention to the X-Frame-Options header, but that depends on the server or application author setting the header. Frame-busting scripts, which are common in many web pages, can be used to ensure that your application is not displayed in a frame, and help to ensure that the clickjacking is at least visible. NoScript for Firefox can prevent you from clicking on an invisible page. However, expect the attackers to get more and more crafty now that there are defences against the attack.

Resources for Learning to Pentest

March 17th, 2010

So you think penetration testing might be a fun and valuable skill to pick up. You read some books on the subject and spend a good few evenings poring over the man pages of some common tools, what now? Chances are you set up a couple of unpatched or otherwise vulnerable machines and test out your skills. Next thing you know Metasploit has a system shell. Are you a pentester now? Chances are the experience left you somewhat unsatisfied; you did after all know the vulnerabilities ahead of time. To be a real pentester, you will have to start from scratch with little or no knowledge of the network at hand. So what now?

No doubt there are plenty of vulnerable boxes out there on the internet just waiting to be pillaged, but jail time doesn’t exactly seem like the best way to start a career. My colleague Tim recently posted about vulnerable WebApp scenarios that are definitely worth checking out. I’d like to point you in the direction of some additional resources at heorot.net. The De-ICE penetration testing LiveCDs are ideal for taking that next step in your penetration testing training. Multiple levels are provided as you progress, and hints are provided if you get stuck. Here again, you know these hosts are vulnerable, but you certainly don’t know how. To successfully complete them, you will need to develop critical thinking skills as well as master the tools of the trade. These LiveCDs also come prepackaged with Thomas Wilhelm’s book Professional Penetration Testing, available from Syngress, which I would also recommend picking up to aid your study of the exciting world of pentesting.

New Security Horizons with Geolocation

March 16th, 2010

Last weekend, people from all corners of the technology world converged on Austin, Texas for the 2010 South By Southwest Interactive (SXSWi) conference. Much of the coverage has echoed the focus of an old real estate mantra: Location, location, location. In a rivalry dubbed the “geolocation wars,” mobile start-ups Foursquare and Gowalla competed for attention as attendees used GPS-enabled phones to record electronic check-ins at various conference events. And while these two players often come up in reports on location-aware social networking, Twitter has begun letting users record where they tweet (giving new meaning to the word “follow”), and sources indicate Facebook will be rolling out a similar feature soon.

Across the Web, sites are adding features that will quite literally put them on the map. And while letting the online world know where you are offline can certainly offer benefits, the sudden overlap raises fresh privacy concerns. One tongue-in-cheek response, aptly named “Please Rob Me,” drew attention to Foursquare users who publicly broadcast when they were not at home. From a security perspective, problems have been observed on several platforms. An early flaw in Google Buzz risked exposing private location data. One researcher has noted that Gowalla’s API can apparently override privacy settings, then demonstrated location spoofing. Foursquare does not verify location, making fake check-ins trivial. But Foursquare also uses HTTP Basic authentication, meaning an attacker could steal logins sent over open Wi-Fi connections.

Of course, trailblazing applications are not the only ways people can share their location. Facebook users often leave a trail of event RSVPs that show past places visited. But even on the real-time Web, data can leak accidentally. A study of posts on Twitpic, a Twitter-based photo-sharing service, found that some pictures’ EXIF data included GPS information. In one case, an iPhone snapshot even included compass and accelerometer metrics.

All of these ways to track users, particularly when combined with other content, can create real risks for companies seeking to shield sensitive transactions or avoid corporate espionage. Similarly, those using company-owned devices with GPS capabilities ought to be aware of how such functions are used. With the online world increasingly intersecting the real world through geolocation services, it’s time to figure out what place they have in a secure business environment.

2010 RSA Conference Day 1 Keynotes

March 16th, 2010

I know this post is a bit delayed, but this is a good opportunity to take advantage of the fact that the 2010 RSA Conference Keynote addresses have been posted online.  You can view an interactive webcast, view the video, or even listen/download audio-only podcasts of the keynote presentations.  Some of my favorites from this past RSA conference included:

  • Art Coviello’s keynote continued on his theme from last year for the increasing need of companies and competitors to work together to secure the cloud. He made an initial announcement of the collaboration between EMC (including RSA and newly acquired Archer), Intel, and VMware to provide mechanisms to trust (and therefore help meet compliance requirements) the physical and virtual hardware elements of a cloud-based computing infrastructure. He also brought up an extremely good point: the transition to cloud-based computing is inevitable, and rather than wringing our hands about how difficult it will be to secure, we should see this transition as an opportunity to change the way security is performed and delivered. It was a traditional type of message for Mr. Coviello, but one that resonated with me better than his keynotes in previous years.
  • Scott Charney’s keynote was focused on what Microsoft is doing to help us achieve end-to-end trust.  It was interesting to hear that Scott has been at Microsoft for eight years which is about the exact same amount of time since Bill Gates’ trustworthy computing initiative was started. While Microsoft has often been hammered for making mistakes with security, it is clear that the last eight years have seen terrific improvement.  He similarly delivered a message including some new efforts Microsoft is involved in, and indicated that collaboration was the key to success in the security arena.  A great quote from that presentation:

And every now and then I juxtapose my four and a half year old with my 80-year old mother, in part because they behave so much alike it just astounds me. But let me tell you one way they also behave alike. My four and a half year old has learned to navigate with a mouse, and it’s just great to watch. He navigates to the mouse, up pops this security dialogue. He can’t read. He doesn’t understand it. He clicks okay. Then I go to my mom. She’s got a PhD in education. She gets the dialogue box. She can read, she doesn’t understand it, and she clicks okay. Okay? We can’t do it that way anymore.

  • The Cryptographer’s Panel included a new member this year, Brian Snow from the NSA. If you watch nothing else, you should watch this for the broad scope of education, information, and entertainment it provides. Having the NSA’s perspective added is interesting, and it is clear from the ensuing discussion that the academic community (represented best by Ron Rivest and Adi Shamir) still doesn’t trust the NSA, and that the NSA believes it still has a leg up on everyone when it comes to cryptographic advances.
  • Some brief remarks from Howard Schmidt, White House CyberSecurity Coordinator. He gave a powerful analogy between how cybersecurity is evolving compared to how firefighting evolved.  He also provided some updates about what the current administration is doing in the area of cybersecurity, building on the presentation by Melissa Hathaway last year.

Overall, the 2010 keynote presentations were among the better first-day keynotes in all the 10 RSA conferences I’ve attended. The above presentations were my favorites, and I hope you can spend some time to watch them!

RSA Conference Teaser

March 3rd, 2010

As you may already know, I’m attending the 2010 RSA Conference in San Francisco, CA.  I’ve been spending so much time talking with vendors, going to keynote talks and going to track sessions I haven’t had much time to finish writing and editing any full blog posts yet.  Rather than rush to publish, I want to take my time and write up my thoughts and experiences fully.  As a result, there will probably be a number of delayed posts in the coming days and weeks about my experiences here.  For now, I’ll leave you with these teasers from my first day at RSA:

  • Art Coviello (RSA) believes that the emergence of cloud computing will be our opportunity as an industry to turn the way security is delivered inside out.
  • Paul Maritz (VMware) thinks the formula for embracing cloud computing is simple: improve efficiency, improve agility, improve security.
  • Marc Benioff (salesforce.com) stated Lotus Notes was conceived before Mark Zuckerberg was; enterprise software needs to change, and become more like Facebook.
  • As evidenced by having Brian Snow, NSA on the Cryptographers Panel: the commercial and academic communities still have a lot of distrust and suspicion of the NSA.

Other items I’ll be writing about: a lunch I had with F-Secure’s Mikko Hypponen where he discussed cyber crime, and a session I attended called “Winnovation- Security Zen through Disruptive Innovation and Cloud Computing”.  Stay tuned!
