Securosis

Securosis at RSA

Ah yes, as spring approaches, so does Sundance for Ugly People (as a friend likes to call the RSA Security Conference). We will, of course, be there. But unlike other years we have a little surprise brewing.

Schedule-wise I’m giving one track session, and participating in 3 panels:

  • Tuesday at 1:30 PM: Discover, Protect, and Securely Share Sensitive Corporate Data (panel on DLP/DRM/etc.).
  • Tuesday at 4:10 PM: “Groundhog Day” – History Repeats Itself (with Rothman, McKeay, Mortman and Ron Woerner – my favorite panel).
  • Thursday at 9:20 AM (those bastards, 9am?): Which Security Tools Take Priority in a Challenging Economic Climate? (panel with Shimel, Rothman, and… okay, sorry to leave someone off). Should be a hoot.
  • Friday at 10:10 AM: Disruptive Innovation and the Future of Security (With The Hoff. Flat out, this session is going to rock, and it’s worth changing your flight to stay for).

We’re still figuring out our schedule for non-official speaking slots. Priority goes to the paying clients (since we are totally… “professionals”… and need to pay for our post RSA rehab trip). We have a few slots open, but also some things on the table and are hoping to lock it down by next week (breakfast/lunch/mid-day stuff only, evenings are all tied up already).

Like many of you, we plan to fully participate in all the evening activities. If you’ve been to RSA before, you also know that comes at a price to be extracted the following morning. To ease your pain, on Wednesday we are sponsoring the Securosis Recovery Breakfast. For a few hours we’ll have an open buffet with all the required recovery tools (aspirin, Tums, activated charcoal administered by an expired paramedic). No presentations, subdued lighting, and loud noises prohibited. We’ll be posting more details on it next week, and highly encourage you to RSVP so we can make sure we have enough food. The location will be extremely convenient, and we should have it locked down in the next couple of days.

And that’s it! We look forward to seeing everyone there, and if you want to meet, please hit us up as soon as possible so we can coordinate schedules.

Sprint Customer Data Leaked … again

Brian Krebs posted last week that Sprint is claiming an employee has stolen customer data, including PIN numbers and the “security question” you can use to recover a password. This is a vendor I have been following for a long time, and I’m surprised we have not seen this type of activity before. From Brian’s blog:

“It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. We have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account.”

I wonder if they ever managed to remove the customer’s social security number as the primary key for their customer care database? It would appear that they did at least remove CC# and SSN# from the customer care application UI, which was my primary beef with them:

“We implemented a billing platform about a year ago that has advanced security features designed to catch things like an employee accessing information that they shouldn’t be,” Sullivan said. “That platform limits information that employees can access, such as Social Security numbers, and any sort of payment information.”

I have always considered Sprint lax in regards to their data security practices. They exposed my information before any breach notification laws were in effect, with my personal and billing information going to a third party. Worse, the person who obtained the data called customer care and was subsequently provided my SSN# and was able to shut off my account. Not sure what these “advanced security features” are exactly, but I would need to concede that the improvement must be working if the credit card numbers that they require for account creation were not stolen as well.

I really do wonder if (hope) this will prompt some form of internal investigation, and I always wonder if Sprint could be considered a contributor in this breach case if they provided employees far more data than was necessary to do their jobs. Think of it this way: if it was “thousands” of accounts, clearly the employee must have had access and been able to copy them electronically.

SANS Webcast Tomorrow – Business Justification for Data Security

Hi everyone, Just a quick note that tomorrow we’ll be giving a webcast about our research behind The Business Justification for Data Security paper we recently released. For those of you with too much ADD to read all 30+ pages, we’ll be covering all the core material and walking through an example case. The webcast starts at 1pm ET, is with the SANS Institute, and is sponsored by McAfee; you can sign up here. We’ll also have some time for Q&A, so this is your chance to dig in a little deeper with us. On another note, we are very close to putting up the new version of the Securosis site- yes Virginia, pretty soon we’ll have more than a default WordPress template. As a consequence, our blog posts might be a little light this week. Don’t worry, the new site will make up for it.

No Friday Summary This Week

Hi everyone, With me adapting to the new baby and holding the fort here at Securosis Central, and Adrian out at the Source conference, I wasn’t able to get our usual weekly summary together. But not to worry- we have a ton of news and announcements for next week, and some very big announcements over the next 2 weeks. On that note, I’ll let you all get back to Happy Hour as I finish working on a presentation.

Go Vote for the Social Security Awards

No, we don’t mean vote for your favorite geriatric patriarch or matriarch, but for your favorite security blog. While I’m a little late posting this (I blame being distracted by the impending, then final, arrival of my incredibly cute daughter), there’s still plenty of time to vote. The awards are all part of the Security Blogger’s Meetup, which started as a little gathering put together by Martin and myself 3 years ago, and is now a pretty big & impressive event, with an actual budget. At least I think it’s impressive- it’s hard to remember after all the free booze. The Social Security Awards were an idea Alan Shimel came up with to recognize the best security bloggers out there and continue to build our community. You can vote in the following categories:

  • Best Security Podcast
  • Best Technical Security Blog
  • Best Corporate Security Blog
  • Best Non-Technical Security Blog
  • Most Entertaining Security Blog

We’ll tabulate the votes, and then the final winners will be selected by our all-star panel of tech journalists. We’ll be having an awards ceremony at the meetup, and giving out prizes courtesy of Seagate (encrypted hard drives, of course). Those of us on the organizing committee are excluded from the awards, so please don’t vote for me. Really, it wouldn’t be fair to all the other bloggers if I were competing anyway. So go vote. Now. I know how many of you are out there reading, and if you don’t vote I’ll tell your mom. Also, special thanks to Jennifer Leggio for doing nearly all the hard work putting this together.

New Release: Building a Web Application Security Program

Adrian and I are proud to release our latest whitepaper: Building a Web Application Security Program. For those of you who followed along with the blog series, this is a compilation of that content, but it’s been updated to reflect all the comments we received, with additional research, and the entire report was professionally edited. We even added a couple pretty pictures! We’re very excited to get this one out, since we haven’t really seen anyone else show you how to approach web application security as a comprehensive program, rather than a collection of technologies and one-off projects. One of our main goals was to approach web application security as a business problem, not just an isolated technology issue. We want to especially thank our sponsors, Core Security Technologies and Imperva. Without them, we couldn’t produce free research like this. As with all our papers, the content was developed independently and completely out in the open using our Totally Transparent Research process. In support of that, we also want to thank the individuals who affected the end report through their comments on the Securosis blog: Marcin Wielgoszewski, Andre Gironda, Scott Klebe, Sharon Besser, Mike Andrews, and ds (we only reveal the names they list as public in their comments). This is version 1.0 of the document, and we will continue to update it (and acknowledge new contributions) over time, so keep coming with the comments if you think we’ve missed anything or gotten something wrong.

Friday Summary, March 6 2009

With Rich pretty much out of commission this week and my very last minute preparation for Source Boston underway, this week’s post will be a short one. Plus I need to install the current Mac OS X patches and reboot all of the computers in the house. That little bouncing icon is finally going to get its way. On that note, has anyone out there ever looked at the viability of polluting the Apple downloads? Every time I click one of these I am always uncertain why I trust it or how I could verify the contents if I really wanted to. But at the moment, that sounds like too much work to investigate. Perhaps I should simply remain happy and ignorant of the process.

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Nothing. Nada. We have been oddly absent.

Favorite Securosis Posts:

  • Rich: Pass. (No, his favorite post this week is, of course, The Nugget Has Landed.)
  • Adrian: While it is really too long to be a blog post, My Perspective on Data Security and the US Government is my favorite of the week.

Favorite Outside Posts:

  • Adrian: Thank goodness Mike Rothman wrote this, with typical humor and eloquence, to capture the essence of the recent Visa press releases and associated Network World article. We are all trying to decipher what exactly they are telling us, and speculating that there is a lot they are not telling us. No way I could have been this fair and even-handed.
  • Rich: Pass.

Top News and Posts:

  • What? Greeks invade Malta? Oh, sorry, no, just a Trojan on a Server.
  • In what is probably a non-news event, Cisco launched email security delivered as SaaS. Most of their major competitors are hosted or a service, but not both, so technically this is an advantage. My feeling is it provides the right migration path for current customers, but the real question is will they care? Is this really compelling enough for new customers to adopt?
  • Firefox security patches available.
  • Gmail CSRF attack: How big of a threat, really?
  • More stock worries.
  • Twitter Security Hole. Again? Wow.
  • The largest financial institution in the world is now a penny stock.
  • One of the funniest commentaries on “financial news” I have seen in a long time.
  • Everywhere I go online, there seems to be huge buzz being generated for Beatles Rock Band.

Blog Comment of the Week from Stiennon: One question: Is she a Parrot Head? Congrats Rich and Sharon!

She will be … we have tickets to go next weekend!

Gmail CSRF Flaw

Yesterday morning I read the article on The Tech Herald about the demonstration of a CSRF flaw for ‘Change Password’ in Google Mail. While the vulnerability report has been known for some time, this is the first public proof of concept I am aware of. “An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker,” the ISecAuditors advisory adds. The Google response? “We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site. We haven’t received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.” Uh, maybe, maybe not. Last I checked, people still visit malicious sites either willingly or by being fooled into it. Now take just a handful of the most common passwords and try them against 300 million accounts and see what happens. How does that game go? Rock beats scissors, scissors beat paper, and weaponized exploit beats corporate rhetoric? I think that’s it.
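The exchange above turns on two controls a change-password endpoint needs: a per-session CSRF token (so a forged request that rides on the browser’s cookie fails outright) and re-authentication with the current password, plus throttling of failed guesses so that “a handful of common passwords against 300 million accounts” does not scale. The sketch below is an added illustration written for this post, not code from Google or from the advisory; the in-memory session store, user table, and SHA-256 password hashing are placeholders for the example only.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed in-memory state for the example; a real service persists these
# and hashes passwords with a slow KDF (bcrypt/argon2), not bare SHA-256.
SESSIONS = {}                 # session id (cookie value) -> {"user", "csrf"}
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
FAILED = defaultdict(list)    # user -> timestamps of failed current-password checks
MAX_FAILED, WINDOW = 5, 3600  # at most 5 wrong guesses per hour per account


def new_session(user):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def change_password(session_id, form, now=None):
    """Handle POST /change_password. Returns (ok, reason).

    session_id comes from the cookie the browser attaches automatically
    (which a cross-site forged request also gets for free); form is the
    POST body, which the attacker's page fully controls.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False, "not authenticated"
    # 1. CSRF token: embedded in the legitimate form, unreadable cross-origin,
    #    so a forged request cannot supply it.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return False, "bad csrf token"
    user = sess["user"]
    # 2. Throttle: with the token in place the only remaining lever is
    #    guessing the current password, so cap the rate per account.
    recent = [t for t in FAILED[user] if now - t < WINDOW]
    FAILED[user] = recent
    if len(recent) >= MAX_FAILED:
        return False, "too many failed attempts"
    # 3. Re-authenticate with the current password before accepting a new one.
    supplied = hashlib.sha256(form.get("current", "").encode()).hexdigest()
    if not hmac.compare_digest(supplied, USERS[user]):
        FAILED[user].append(now)
        return False, "wrong current password"
    USERS[user] = hashlib.sha256(form.get("new", "").encode()).hexdigest()
    return True, "changed"
```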

Source Boston Next Week

I am going to be in Boston Tuesday through Friday at the Source Boston event that runs March 11th through the 13th. I am presenting on Encryption and Enterprise Data Security on Thursday afternoon right after Jeremiah Grossman. This is my first Source Boston event, so I am looking forward to it. Let me know if you are going to be in town! I imagine that things will be fairly quiet on the blog next week. With Riley conducting an aggressive sleep deprivation campaign against Rich, I don’t think we are going to see or hear much from him, but I will continue to post on what I hear from the conference.

More on PDF /JBIG2Decode Issue

Via Slashdot, I just ran across Didier Stevens’ post on how to automate the JBIG2Decode vulnerability in PDF documents. There is a video on the site where he runs through three scenarios to exercise the vulnerability – manually starting up Reader, viewing a thumbnail of the PDF, and then automatic execution by simply visiting the page with the malicious document through Windows Explorer Shell Extensions – and shows you the results in the debugger. It’s worth the view.

“When you install Adobe Acrobat Reader, a Column Handler Shell Extension is installed. A column handler is a special program (a COM object) that will provide Windows Explorer with additional data to display (in extra columns) for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer window, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title and Author.”

I also ran across another technical analysis here. As you don’t need to do anything other than land on an infected site, this is a pretty serious issue. There is supposed to be a patch available later this month. The more I look at this, the more I think it may be a good idea to disable Reader until there is a patch. There are some instructions on how to do this on the PC Mag site, and some additional information you might find helpful as well.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.