Tuesday, April 29, 2008

The Dubai Experience

I had some ideas of what Dubai would be like before going. I’d heard they had a lot of money and were building the country at an extremely fast pace. Well, let me tell you they weren’t kidding! The scale of what’s going on there is extremely difficult to describe. I’ll do my best to capture the opulence, glamour, and pride that seem to define all aspects of the country.

My first clue was the Dubai airport itself, which resembled a 5-star mall rather than a terminal. Everything was high-end and immaculate top to bottom. If you wanted something they probably had it somewhere in there, including a McArabia (flatbread and falafel) at the McDonald’s. Any notion that you are smack dab in the middle of a desert is immediately shattered. That was until a brief moment where I stepped out of the cab at the hotel and experienced the heat. OMG.

The discomfort was short lived because the Sheraton Dubai Creek (the HiTB venue) is a stunning hotel in every respect. I was whisked in by the doormen and immediately taken care of. Lavish rooms and extremely attentive staff were just the start. Parked outside my room window, lining the Dubai Creek (great for morning walks), were about a dozen expensive looking yachts. I got to have a look around.



Spent the weekend walking around the city, including in some areas I probably should not have been in. All the locals were staring because I’m guessing I was on streets where tourists aren’t normally found. Or maybe because I look Pakistani and was dressed in American garb. Who knows. I mentioned it was HOT, right? I don’t know what the mercury read, but I was concerned that my bright orange Phil Zimmerman fan boy shirt might spontaneously combust. Hawaii ain’t got nothing on this place when it comes to heat. Air conditioning is more for life support than comfort.



The picture is of me in front of the self-proclaimed world’s only 7-star hotel. I didn’t find the time to go in, but from what I’ve heard about it, it would be hard to disagree with their assessment. I mean they have a bay carved out so if you want to roll up in your yacht you can. Or maybe you have a helicopter that brought you from the airport, so they have a landing pad outcropping. Convenient. It’s quite clear that they exist at a whole other level in this place. Can this actually be sustained?



The beach was VERY nice, probably one of the best outside of Hawaii I’ve been to. Bermuda was kick ass as well. Warm water (a little salty), white sand, and they even had heated showers - a first for me. Too bad there aren’t any waves to speak of, but I wasn’t complaining. Getting a chance to chill and swim around in the ocean has been all too rare for me lately. I could have stayed for days. Dang, skimboarding would have been awesome. Next time.



One of the things I had to do was a desert safari. So I spent the latter half of a day bashing around the dunes in a 4x4 (WAY COOL), did a little light sandboarding, and finished the night in an encampment eating BBQ (Mmmmm), watching belly dancing, and puffing on a hookah (apple flavor). I even got the chance to ride a camel for a little while, interesting. :) Sometime during the night a few big black scorpions invaded the campsite and all the drivers scurried around trying to kill them. That added some excitement. I really enjoyed being out in the desert, it was quiet and peaceful and something I’d definitely do again.



Before I talk about the Emirates Mall, let me tell you about the freeway getting there. We’re talking an eight lane freeway in the middle of the desert lined by, I kid you not, probably 50 new giant high rises simultaneously under construction. Then the cab driver says, “Oh by the way, the tallest building in the world is just over there.” All I was thinking was how the heck do you construct any building on top of SAND!? Before I forget, the cabbies over there drive crazy. If there were rules of the road, I couldn’t tell.

The Emirates Mall must have had every store and restaurant in there I have ever seen or heard about, including a built-in hotel every bit as nice as the one I stayed in. 3 levels, hundreds of stores, and even a gigantic indoor ski slope. I really wanted to give it a shot, but it appeared to be more of a kids thing and I just couldn’t bring myself to jump in and make a fool of myself. Something I normally have no problem doing. I’ll work up the courage for next time.



The best way I can describe Dubai to Americans is to imagine Las Vegas, where money is ABSOLUTELY no object, and trying to be built by next year. It seems that if Vegas is where Americans go to play, Dubai is where the Europeans go. I overheard so many different languages being spoken, no way I could even pick them out. Americans were few and far between. At the end though, I was ready to get out of there. It’s an amazingly cool place to visit and spend a week.

Monday, April 28, 2008

(IN)SECURE Magazine #16

(IN)SECURE Magazine #16 has been released. For those unfamiliar, it’s a PDF with no DRM, and always has excellent infosec content. Definitely my favorite online mag and always well worth the read.

Wednesday, April 23, 2008

YES WE CAN - get XSSed

By now you’ve probably already seen that some prankster XSS’ed U.S. presidential candidate Barack Obama’s community blog, redirecting visitors to political rival Hillary Clinton. Fortunately, for whom I’m not quite sure, the hack wasn’t terribly malicious in nature, as it could easily have been. The mind can easily wander about what could have been done. Hijack login sessions, usernames and passwords, disrupt donations or organizing efforts, and possibly even monetize some of the traffic. Hello SE0Wn3D!!1. You know XSS has hit the mainstream when it reaches this level of visibility.

UTorrent + CSRF = STALLOWN3D!1

Ouch. I’m going to have to agree with Billy Rios on this one, I’ve also never seen CSRF used to own a box. Each week CSRF attacks are sure to get worse with all the interest in the subject. CSRF issues are everywhere, easy to pull off, and powerful because everything is web-enabled. Check out Rob Carter’s clever 3-step process:

1) Turn on “move completed downloads”.
2) Change the path where completed downloads are placed to something like the Windows startup folder.
3) Force the download of an attacker-controlled batch file.

Then wait for a reboot.

Clever stuff! Be mindful of your plugins boys and girls.

The value of Security Theater

During HiTB Dubai (2008) I attended Bruce Schneier’s keynote speech based on his "The Feeling and Reality of Security" post. The fundamental premise is, “You can feel secure even though you're not, and you can be secure even though you don't feel it.” Most of the time in the infosec industry we’re transfixed on what activities truly make things more secure and tend to ignore/ridicule what provides the latter, commonly known as “security theater”. We argue over what solutions should fall into which bucket.

There was a particular point in Bruce’s speech that piqued my interest, in that there really is value in learning how to create good security theater. For example, most of us are familiar with the comedy that is airport security. Flying, by all measurable factors, is much safer than other forms of transportation such as driving, but we expect certain precautions to be taken even though they really don’t reduce security risk. So we consent to metal detector searches, X-rays, pat downs, shoe and laptop removal, ID check points, etc. Because if we didn’t, the general public would not “feel” safe enough to fly.

As I was discussing with Bruce over lunch afterwards, security theater does in fact add a lot of value to the business and consumer by helping people make the right risk decisions, albeit for the wrong reasons. People will feel safe enough even though they are not and go about their daily lives. I wasn’t expecting Bruce to agree with this characterization, but he did. This was further reinforced by another example he gave, of tamper-proof bottle caps.

Apparently some time ago there was an incident where pill bottles were secretly opened, poisoned, and placed back on the store shelf. People died and a lot of news resulted (because it was rare), causing a state of fear. While the odds of anyone meeting an untimely death in this way are astronomically low, people stayed away because they no longer felt safe and sales dropped. Something had to be done.

To combat the situation the bottle manufacturers introduced something called the tamper-proof cap. The way it was marketed, because they now had this new innovative secure design, this type of thing could never happen again. Despite a number of ways the tamper-proof cap could be defeated, a syringe being one, people felt safe and went back to buying even though “real” security did not change. Amazing.

I then began to think about what really makes for good security theater. Can a generic strategy or methodology be developed? We need something describing the fundamental aspects that must be in place to influence people to feel safe while behind the scenes we go about implementing the truly effective solutions. Something like the 7 strategies of effective security theater. Maybe this has already been written and I just missed it. If so, let me know. If not, we should be aware of and familiar with these techniques, as it might make us more valuable overall.

Tuesday, April 22, 2008

Finally finally PCI 6.6 clarification!

May merchants and vendors all rejoice. The PCI Standards Council has issued a press release and a supplement document nicely clarifying most of the ambiguous points we were left to speculate on in section 6.6. Fortunately my analysis of Bob Russo’s SearchSecurity interview comments was WAY off. Trey Ford of WhiteHat Security, and PCI extraordinaire, provides his insights on the most frequently asked web application security questions. Good stuff.

As we know/knew, 6.6 itself has two halves, “code review” (the act of finding and fixing vulnerabilities) and “application firewalls” (devices designed to thwart website attacks), which are options that merchants may choose between. Setting aside the fact that these two options should not be perceived as competitive, but rather complementary, the Council is giving merchants the choice in acknowledgement of budget constraints. I guess that’s fair.

On the code review side, just about all forms of testing options are still on the table. Black and white box, with or without automated scanning assistance, and that kind of flexibility is a good thing. The catch is the person/firm doing the testing “must have the proper skills and experience to understand the source code and/or web application, know how to evaluate each for vulnerabilities, and understand the findings.” This goes for tool use as well. That’s going to be the fuzzy part, since our industry is new and doesn’t really have formalized certification or education processes. So it’ll be up to the merchant to prove the case to their auditor or bank.

As for Web application firewalls, the Council also did an excellent job describing what these devices are, what they should do, how they can be deployed, and how they should be configured (a nice resource in its own right). The list they provided is quite detailed and extensive, requiring a sophisticated product; no marginal network security device with a few webappsec checks is going to cut it here. Hello WAFEC. Of course the catch here is the device must be configured to “block” the attacks, not just alert on them. That’s going to be the most challenging part in my estimation, as this is not a trivial process.

While late in coming, we’ll take it, and this is good work on the Council’s behalf. In the coming weeks and months I’ll be keen on hearing the experiences of merchants when going through the compliance process. It’s from those comments we’ll know where things are headed.

Hack in the Box (Dubai) 2008

Hack in the Box (Dubai) 2008 reminded me of the early Black Hat shows -- intimate, deeply technical, and a whole lot of geeky fun. HiTB is run by a small crew (from Malaysia), all passionately involved, and super cool to hang out with. *I got a kick out of their accent, it’s like a cross between Jamaican and Vietnamese*. Leader of the pack was Dhillon Andrew Kannabhiran, who did a masterful job pulling together a successful event. Proceedings were organized, guests/speakers treated exceptionally well (thanks Belinda and Amy), and the content offered something for everyone. Even the venue was seriously posh. Photos posted.


I found time to attend several talks, a rarity for me, and learned some cool stuff in the process. The standouts were Token Kidnapping (Cesar Cerrudo), Cracking into Embedded Devices and Beyond! (Adrian ‘pagvac’ Pastor), and Hacking ‘Second Life’ (Michael Thumann). Elite stuff. Smaller events are cool because hallway conversations tend to be better and more meaningful - not rushed. I really enjoyed getting to meet various people from the region, learning about the issues they’re trying to overcome, and how mature their environment is relative to the U.S. Plus getting time to hang out with pdp, Shreeraj Shah, Adrian, and Dhillon was fantastic as well.

I hear the KL HiTB is their main conference and I’m going to do everything I can to make it down there. From what I’ve been told it sounds like a blast. I only get to do a couple of international trips per year so I have to be very selective about which ones. So far, I’m sold. :)


The Keynote

I’m not ashamed to admit that I was nervous about delivering a keynote. Not only did I have to compare against InfoSec icon Bruce Schneier, but the presentation (w/ notes) was all brand new and I had no idea how the audience would respond. Still I took a chance on something fresh, attempting to be insightful and forward thinking, though high level enough to be considered a keynote. I felt this was an opportunity to openly state some of my own personal thoughts on the infosec industry – the good and the bad.

I decided to leverage statistics cobbled from around the industry and apply them to the “Did you know?” meme. I entitled it "Hacks Happen" (HiTB download). From where I sit most of us are mired down in our day-to-day jobs and don’t have the time or cause to look up and consider where we are headed. These days it seems we have a lot more experts and less expertise. More products and less coverage. More best practices and less security. More news and less information. This type of environment I think is why hacks happen every minute of every hour of every day. And it’s my opinion we need to take a second look at what we know, reconsider what we think we know, and possibly come to a new set of assumptions.

Upon sharing my slides ahead of time with Robert E. Lee for feedback, he found me the following text that captured the essence of my presentation:

"There is a proverb that illustrates the way to quickly determine whether or not someone is sane. The individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond he will be considered sane. If, instead, he decides to empty the pond with his bucket without first stopping the in-flow then he would be considered insane."

By looking at even the limited metrics we currently have, I personally believe the way the industry perceives and responds to information security matters is insane. When you look at the statistics and extrapolations in the slides you’ll get a better idea why. Please keep in mind that some of the cited statistics in the presentation are stronger than others and the overall material is a work in progress. If anyone has better numbers, different ways of looking at the data, or feedback… I’m all ears. Enjoy.

I’ll cover Dubai itself in another post.

Monday, April 21, 2008

Risky Business interview on Blackhat CSRF

While at Hack in the Box (Dubai) I took some time out to speak with Patrick Gray of Risky Business, the host of a nicely popular security podcast in Australia. Risky Business is good stuff if you haven’t already taken a listen, he always has good guests and timely topics. Plus his style is entertaining. :) Coincidentally, a year ago I was Patrick’s first guest ever, where I talked some about CSRF and predicted it was only a matter of time before the bad guys caught on. Well, here we are. I’m doing what I can to raise awareness of the issue across the board, and it’s time we all did. Please feel free to pass the podcast along to developers or managers who might appreciate a simple way to get introduced to CSRF.

CSRF DDoS, skeleton in the closet

Before getting into the focus of the post I’d like to provide some background:

CSRF, like XSS, is one of the web application security industry’s skeletons in the closet. Over the years only a precious few industry insiders were aware of CSRF and appreciated its significance. The larger infosec industry discounted CSRF (and XSS) because it wasn’t “elite” enough for their taste, as it didn’t enable “root” access. All attention was instead placed on various types of buffer overflows, which is important, but not exclusively so. Web security experts on the other hand tend not to care about getting root on boxes because all the value is now within the browser walls. Why hack someone’s machine when it’s easier to go after a Web bank/email/brokerage directly?

Even today on this very blog there are comments saying, “XSS is not hacking, get some real exploits”, and I’m sure most readers here have encountered similar attitudes elsewhere. It’s this type of arrogance and closed mindedness that got us into this mess and why maybe 20% of infosec conference audiences have even heard of CSRF. Among developer audiences it’s fewer still. As a result we’re faced with a situation where millions of websites are already built (and vulnerable) where developers never considered CSRF protection because they didn’t know it existed. Browser vendors are trying to figure out what to do and are likely years off from meaningful results. And now the bad guys have recently caught on and are beginning to cause real damage.

It’s with this context in mind that I share my thoughts about DDoS attacks carried out by way of CSRF. Also, I take no credit for the novelty of this attack, as it’s been rumored around in various circles for years. I’m merely drawing attention to the issue. Here’s the basic exploit code that a bad guy would need:

<* IMG SRC="http://victim/" >

Simple enough? All the bad guy needs to do is post the HTML snippet to a large number of public websites where other users would come in contact with it. These websites could be message boards, guest books, WebMail, blog comments, social networks, chat rooms, and so on. All types of websites that are quite popular, free to sign up for, and easy to automate (save for CAPTCHA). The code instructs a user’s browser to make an HTTP request to an arbitrary location (victim) invisibly and behind the scenes, with connections originating from all over. This makes the attack difficult to stop, and obviously the more frequented the websites are the more effective it is.

Want to increase the number of connections per user? Just multiply the number of injections per page, probably maxing out right around 10 or so per user. I’ve tested this across a dozen websites simultaneously, reaching about 200 requests per second on the target web server. Something more automated and advanced could easily surpass what I was able to accomplish.

Want to increase the per-request CPU processing of the target? Target the search application using several keywords separated by “AND” operators, like so:

<* IMG SRC="http://victim/search?q=TERM1+AND+TERM2+AND+TERM3 …" >

Want to suck up a lot more bandwidth? Try URLs that are 2K or so in size:

<* IMG SRC="http://victim/AAA…" >

Want to scrub the referers from the requests? There are tricks for that too. Anyway, you get the idea. Anyone have any bright ideas on what a defense might be?
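A detection-side sketch for the question above, as an added example rather than anything from the original post: it scans constructed access-log lines for non-image resources being fetched as images from many unrelated referring sites, which is the shape this attack takes on the target. The log layout, the header fields (Referer, Accept, the newer Sec-Fetch-Dest) and the thresholds are assumptions.

```python
"""Flag <img>-driven request floods in web server access logs (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, tab separated: client ip, request path, Referer,
# Accept, Sec-Fetch-Dest. Real servers need a custom log format to record these.
SAMPLE_LOG = """\
203.0.113.5\t/search?q=TERM1+AND+TERM2+AND+TERM3\thttp://forum.example/t/1\timage/avif,image/webp,*/*\timage
198.51.100.7\t/search?q=TERM1+AND+TERM2+AND+TERM3\thttp://blog.example/post/9\timage/webp,*/*\timage
192.0.2.9\t/search?q=TERM1+AND+TERM2+AND+TERM3\thttp://guestbook.example/\timage/avif,image/webp,*/*\timage
203.0.113.77\t/search?q=TERM1+AND+TERM2+AND+TERM3\thttp://chat.example/room/4\timage/webp,*/*\timage
198.51.100.8\t/search?q=shoes\thttp://www.example/\ttext/html,*/*;q=0.8\tdocument
192.0.2.10\t/logo.png\thttp://www.example/\timage/avif,image/webp,*/*\timage
"""

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".webp", ".svg"}
MAX_URL_LENGTH = 2048  # assumed cap; the post mentions 2K URLs as a bandwidth trick


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ip, path, referer, accept, dest = line.rstrip("\n").split("\t")
    return {"ip": ip, "path": path, "referer": referer, "accept": accept, "dest": dest}


def looks_like_image_fetch(entry):
    """A browser loading an <img> sends Sec-Fetch-Dest: image (modern) and an
    Accept header that leads with image/ types (also on older browsers)."""
    return entry["dest"] == "image" or entry["accept"].lower().startswith("image/")


def serves_image(path):
    """Does the path (query string ignored) point at something that is an image?"""
    bare = urlsplit(path).path.lower()
    return any(bare.endswith(ext) for ext in IMAGE_EXTENSIONS)


def suspicious(entry):
    """Image-style fetch of a non-image resource, or an oversized URL."""
    mismatched = looks_like_image_fetch(entry) and not serves_image(entry["path"])
    return mismatched or len(entry["path"]) > MAX_URL_LENGTH


def hot_targets(log_text, min_referers=3):
    """Return {path: sorted distinct referring hosts} for every non-image path
    that was image-fetched from at least min_referers different sites. Many
    unrelated referers for the same expensive URL is the tell-tale of an
    injected <img> tag spread across public sites."""
    by_path = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if suspicious(entry):
            by_path[entry["path"]].add(urlsplit(entry["referer"]).netloc)
    return {p: sorted(hosts) for p, hosts in by_path.items() if len(hosts) >= min_referers}


if __name__ == "__main__":
    for path, hosts in hot_targets(SAMPLE_LOG).items():
        print(f"{path}: image-fetched from {len(hosts)} sites {hosts}")
```

Once a path is flagged, the same Accept/Sec-Fetch-Dest mismatch can drive a cheap early reject (for example a 403 before the search backend is touched), which removes the per-request CPU cost the post describes.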

Tuesday, April 15, 2008

from the desert oasis

Right now I’m hanging out with the Hack in the Box crew in Dubai, sipping tea, and enjoying some conversation. Yah life is hard, what can I say. :) I’ll post some pictures and entries when I get home in a week or so, but let me just say that this place is simply amazing. It’s hard to find the right words or even order them appropriately to capture what exactly is going on in this place. They roll at a whole other level, literally, a Mercedes-Benz SLR McLaren just rolled up out front. In the meantime, I thought I’d drop some links.

1) In addition to click-a-link-go-to-jail, it looks like there’s yet another way to turn someone into a sex offender. This time Oklahoma state’s Sexual and Violent Offender database is vulnerable to SQL Injection. Apparently not only can you pull off various forms of personal information, you can add people to the roster as well. Evil.

2) Many of us have discussed various forms of BlackHat SEO because several of the tricks they’re using are borrowed directly from webappsec. Unfortunately we only get a cursory and rumored view of the landscape. Recently Scott Berinato of CSO took a deep look at the BlackHat SEO industry and wrote a content rich and compelling exposé. In the 2-part article he takes a look at the players, what they’re up to, and how much money they’re making. Plus it’s funny to me that my SEOwN3d!!1 is getting wider use. :)

3) Aung Khant (AK) has been working hard on a new website project he calls the “Ultimate Hacker Web Directory (HWD)”. Basically this is a giant directory of links related to the infosec/hacking field. AK is going to need help with more links to make the system ever more complete. The more links the more useful it becomes. For those interested, submit.

Monday, April 14, 2008

Introducing Trey Ford on PCI, What is a Web-Facing Application?

Trey Ford, WhiteHat Security's new Director of Solutions Architecture, has recently joined the blogosphere. Trey, among many other technical/business things, serves as our resident PCI-DSS expert. We desperately needed a person of his caliber on staff as we’re fielding PCI webappsec related questions daily so we’re delighted to have him on board. Trey has a lot of experience in the space as he was a QSA for 4 years and knows the ins and outs.

In his first post he attempts to shed light on one of the more common and seemingly simple sounding questions, "What is a Web-Facing Application?” Like everything PCI, nothing is exactly clear-cut, but he does provide some very helpful insights.

Sunday, April 13, 2008

Interview with Learn Security Online

Chris Gates of Learn Security Online offered me the opportunity to participate in an email interview that’s been recently posted. When I consented I did so on the precondition that the questions would be engaging and not the generic, boring template type all too often used. When reading other people’s interviews I prefer seeing compelling answers to thoughtful questions, and I think Chris did a great job.

During the interview I dive into a fair bit of detail about my past, how and why I founded WhiteHat Security, thoughts on the maturation of web application security, guidance on how others can get started, my views on the state of the industry, and finally where I think things are headed. We covered a lot of ground and discussed many of the important issues. Here’s a snippet:

# LSO #

Say I want to get into web security, it’s HUGE, where do I start?


# JG #

At the beginning! No seriously. If I had to start again, the first thing I’d do is pick up a programming language like Java or C# and develop my own super simple Web applications to get the basic concepts. Then, I’d seek to understand how the Web is architecturally put together from the ground up. That means learning everything I could about TCP/IP, HTTP, DNS, SSL, and general encryption. I’d make my own Web servers and Web browsers, create little tools to create packets in the various protocol layers, and basically play around with all the technology till I felt really comfortable. Then, I’d work my way back up the stack learning HTML, JavaScript, and the DOM, all the while making little applications to keep my interest. But, what you’re probably asking at this point is “where is the security,” right?


...

Saturday, April 12, 2008

Intranet hack targeting AT&T 2Wire DSL modems

Not long after the Web browser intranet hacking incident targeting DSL users in Mexico comes another DNS-pharming attack exploiting AT&T 2Wire DSL modems. Check out how simple these two sample URLs are for CSRFing victims:

http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin
http://192.168.1.254/xslt?PAGE=A02_POST&PASSWORD=admin&THISPAGE=J38&NEXTPAGE=J38_SET&ADDR=127.0.0.1&NAME=ww.example.com


The first URL appears to set the user’s password to “admin”, probably if none exists (I didn’t double check). The second takes over a domain name by hard coding in an arbitrary IP Address. The attacker could easily put in a ton of these for the websites of banks, webmail, retailers, payment gateways, social networks, etc. and all your traffic would flow to them. Talk about owned. Pure CSRF, doesn’t even require XSS or JavaScript malware.

This type of intranet CSRF hack is super easy to pull off since you only need to place specially-crafted URLs inside of an HTML image tag and post it to any public website. MySpace, WebMail, blogs, message boards, etc. would all make great avenues for snaring the unsuspecting. Who knows where the victims in this case were originally exploited. The first person to notice only did so by using ping and spotting an odd IP address.

If we get a third event in rapid succession, I’d say that’s the start of a trend. Perhaps we should start advocating a new best practice, host-based egress rules. Little Snitch works great on OS X. In fact, I’ve already started implicitly blocking intranet connections from my browser specifically to my DSL router IP. Hopefully the browser vendors will give the remaining 99.99% something soon by default.
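On the device side, this class of request fails when state changes are refused unless they arrive as a POST carrying a per-session token from the device’s own pages. The handler below is an added example modelled on the parameter shapes above (PAGE=..._POST, PASSWORD=...); it is not the original post’s code or 2Wire firmware, and the host list, token field name and request representation are assumptions.

```python
"""Anti-CSRF checks for a router admin endpoint (added example, hypothetical device)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The device's own admin address(es); the page's URLs use 192.168.1.254.
DEVICE_HOSTS = {"192.168.1.254"}


class Session:
    """Per-login state. The token is rendered into admin forms as a hidden field,
    so a page on another site cannot know it; an <img> tag cannot carry it at all."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def same_site(header_value):
    """True when an Origin or Referer header points at the device itself."""
    if not header_value:
        return False
    return urlsplit(header_value).hostname in DEVICE_HOSTS


def check_state_change(method, headers, body, session):
    """Gate for any handler that changes settings (password, DNS entries, ...).

    Returns (allowed, reason). Three independent checks, each of which alone
    stops the bare image-tag request described in the post:
      1. state changes never happen on GET, so a URL in an <img> is a no-op;
      2. the request must come from the device's own UI (Origin/Referer);
      3. the body must carry the session's secret token, compared in constant time.
    Note an XSS bug in the admin UI itself would still let script read the
    token, which is the bypass the CSRF talk below mentions.
    """
    if method != "POST":
        return False, "state change attempted with a safe method (GET)"
    origin = headers.get("Origin") or headers.get("Referer")
    if not same_site(origin):
        return False, "request did not originate from the device UI"
    token = parse_qs(body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    s = Session()
    # The page's first URL, replayed as the GET an <img> tag would issue
    print(check_state_change("GET", {"Referer": "http://forum.example/t/1"},
                             "PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin", s))
    # A legitimate submission from the device's own form
    print(check_state_change("POST", {"Origin": "http://192.168.1.254"},
                             f"PAGE=H04_POST&PASSWORD=x&PASSWORD_CONF=x&csrf_token={s.csrf_token}", s))
```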

Hacking Sprint accounts online made easy

I’ve posted before about my disdain for password recovery systems that use Secret Questions. Secret Questions are just like another password, ugh, but based on your personal information. Not only that, they are often easily broken. This post on Flawed Security Lets Sprint Accounts Get Easily Hijacked serves as a perfect example of Weak Password Recovery Validation. In this case all you need to hijack someone’s account was/is their “cellphone number, just a smidge about them, and have half a brain.” Then let the privacy invasion and fraudulent charges game begin! This reminds me of the Paris Hilton cell phone hack.

There’s a funny snippet at the bottom:

“Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you've described;”

And why would Sprint notice? In the logs it wouldn’t look like some kind of whacked out XSS or SQLi attack, it’ll appear just like legit traffic, so no one is really going to notice anyway. If an account got hijacked, what are the odds it would be chalked up to either the user giving up their password, choosing a weak one, having it sniffed by some form of malware, or whatever -- anything except the exploitation of a website vulnerability. For an attacker that’s the beauty of business logic flaws. Chalk up another example to use in my presentations.

Friday, April 11, 2008

CSRF presentation at RSA 2008

My RSA 2008 presentation on Cross-Site Request Forgery, “The Sleeping Giant of Website Vulnerabilities”, attracted a nice sized crowd. Somewhere around 200-300 packed the room, all eager to learn about this strange and new CSRF thing they’ve only recently heard of. My goal was to explain what CSRF means to them personally and as a website owner or developer. For those just starting out, CSRF can easily appear FUD-like, but fortunately once it clicks, everyone gets the potential impact immediately – especially when exposed to the proper examples. That’s key.

For those already in the know, the best guess is the prevalence of CSRF is equal to or greater than that of XSS, statistically the most widespread vulnerability we’re currently aware of. It’s also just as dangerous (or more so), extremely difficult to scan for (so we don’t really know how bad it is out there), painful and time consuming to fix, and wouldn’t ya know it… all solutions are easily bypassed by XSS exploits. My challenge was making the presentation informative and easy to follow for the newly initiated, representing 90% of the audience, yet compelling enough to keep the deep technical folks engaged. A tough balancing act.

I started off by going through a basic CSRF bank transfer example, some Amazon 1-click scamming, Google Search History fun, on to a Gmail email theft, followed by intranet and printer hacking (plus the DNS-pharming attacks found in the wild), then how XSS can be used to bypass CSRF protections using the Samy Worm as a case study, and finally tossed in a little bit of theoretical CSRF click-a-link-go-to-jail for good measure. The flow felt solid, but I plan to make some adjustments. There were several occasions of pin-drop audience silence where I had to stop and ask if people were “getting it” or simply scared by what they saw. From what I gathered it was the latter, because the hacks all seemed too easy, and they really are.

Judging from the 15 minutes of questions at the end, the dozens of people that came up afterwards, not to mention the volumes of people voicing their appreciation to me on the expo show floor -- I’d say the presentation was a success. What more could a speaker hope for.

Over the next 12 months it’s going to be really important that the industry experts keep spreading the word about the importance of CSRF. For those that couldn’t make it to RSA or the presentation, here are my CSRF slides complete with references. Thank you to everyone reading who was able to attend, and I’ll see you next year!

Was PCI 6.6 Clarification just leaked?

I have a love-hate relationship with PCI-DSS. Love it because it provides IT Security a firm lever to do something about web application security. Hate it because of the way the process has been implemented. No matter what though, I remain generally optimistic and eager to read whatever clarification the council offers as to the ambiguity of section 6.6. We all know the deadline is right around the corner. So when Standards Council General Manager Bob Russo took the time to comment about section 6.6 in a recent Information Security magazine article, I was keenly interested, because customers ask me questions daily about it.

The first thing we’re told is a draft (1.2 or 2.0) will be out for review in August with the official version slated for September. Fortunately Bob revealed the industry wouldn’t be left hanging without official guidance prior to the June 30 deadline passing. They are going to, “clarify a lot of this stuff”, and the sooner they do the better. One can only hope they do a good job, because so far there is no authoritative clue to be had that I can find. BUT… here comes the kicker, check out the last snippet:

"Personally, I'd love to see everyone go through on OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews.

Whoa, that’s HUGE and should send a lot of people reeling. Bob Russo comes right out and says 6.6a is “source-code review”, contrary to some beliefs that black box scanning/analysis may fit the bill. Typo/misquote? Unknown for sure. Secondly, and more astonishing, his candor that the OWASP-based testing process (what’s that?) is not possible anyway. I can only think that the council did the math, as I have, that the source-code review method is simply too cost prohibitive at internet-wide scale. We’re talking potentially billions in cost, not to mention too many vulnerabilities to fix anyway. The next bombshell…

“So the application firewall is probably the best thing to do, but there needs to be some clarification around what it needs to do.”

To me this basically sounds like a WAF endorsement and a dream come true to all the vendors out there. I can almost hear the PR machines gearing up for a marketing blitz on this one before the impending “clarification” imposes any doubt. Good thing I've been getting well educated in this space and familiarizing myself with the players' technology. Everyone said I was crazy a year ago exploring this route, but here we are.

WASC Meet-Up @ RSA 2008

Update 04.11.2008: Garrett Gee and Anurag Agarwal added some great photos!
It’s going to take a few posts to fully cover all the notable RSA events, but definitely one of the highlights for me was the WASC meet-up sponsored by my company WhiteHat Security. 100+ people came from all over including those from Mozilla, Microsoft, Google, Kaiser, eBay/PayPal, HP, IBM, Stanford, Intel and dozens of others I’m missing to share some food and drink (really good by the way). A lot of new people in the industry turned up as well that I had the opportunity to meet and chat with. It’s great to hear about their ideas and experiences and about the things they are working on. These are really important conversations we need to share to keep webappsec growing and maturing. It looked like everyone had a great time, our main goal for the event. Garrett Gee was one of the guys taking a lot of pictures and I expect those to be posted soon; I'll update when that happens. Thanks again to everyone who came and made the meet-up a success. See ya next year!

BJJ Night at RSA 2008

Chris Hoff and I decided to take a night off during RSA and visit a local Brazilian Jiu Jitsu academy. We didn’t know what the place would be like, but Hoff said from the website the cardio looked demanding. Well, let me tell you, they weren’t kidding! My lungs felt like they were going to explode half way through the 30min session. Running, jumping jacks, sprawls, push-ups, bear crawls, and endless supplies of BJJ drills. All the travel is taking a toll on me and I seriously need to get in much better shape. Hoff, judging from the fire engine red facial tone, was having a rough time of it as well. Fortunately we made it all the way through the session and got to learn a couple moves.

Next came the sparring, but first let me tell you about one of the students. Just after our arrival, a white belt came in and I kid you not, an easy 300+ lbs all nicely packaged in a 5’6” frame. Yes, the size of a small planet. Hoff, also a white belt, immediately sees the guy and says, “OH HELL NO!!!”, at the prospect of having to spar with him later. So right when the cardio is over, Chris gets relegated to the white belt section (I went with the higher belts) and wouldn’t ya know it he gets paired with the big man. AHAHA! :) From what Hoff tells me he had no choice but to pull guard, but his legs wouldn’t have fit around the guy's neck, let alone his midsection. Fortunately he was able to make it out unscathed and hold his own for the rest of the night.

As for me, I knew I was in trouble right away being exhausted and lacking the ability to even think straight. Not good. I got paired with a 6-year purple belt who was about my size. As soon as we locked horns it was clear this guy was very experienced with the Gi. 1min in he swept me with something I had never seen before (mental note for later), I got mounted instantly and 1min later suffered my first tap. I was not pleased, no way I was going to let that happen again. That thought was short lived. This guy was smooth and I got hit with an arm lock and a choke before the bell rang. I learned I’m not going to be ready for purple for quite some time, gotta keep hitting the gym hard. Fortunately though I was doing well against the next few people I faced. I got tapped some, but returned the favor as well. All the students were very cool guys and made us feel welcome.

At the end of class came the battle royal, Grossman vs. Hoff. The room went silent, everyone encircled us to watch, and people started chanting. No not really, no one gave a damn. :) 30sec in, I felt immediately that Hoff had skillz, he definitely isn’t just posing in his east coast academy. The details are a little fuzzy, but I remember landing in side control for a minute or two looking for a way to tap him, but Hoff showed great poise and solid defense. So I figured I’d try something a little fancy, choking him with my own Gi. I took my lapel with my top arm, wrapped it around his neck and proceeded to flip over his body to tighten it up. Hoff’s face was like WTF is this! Very lucky for him he did a great job of off centering me just enough to take my back and we started giggling like a couple of little girls.

For the next several moments I managed to fight off Hoff's choke attempts, but he clearly was close a few times. Squirming like a fish, I was able to turn, but got mounted at the same time. Good move. I noticed Hoff was setting up for a choke so I took the opportunity to push him off into guard, but he went over a little too easy. What I didn’t notice was that he had my lapel locked and was in good position as soon as his back hit the mat. I was forced to tap due to a painful fist choke. That’s what I get for being arrogant. Nice work Hoff. I want a rematch during Black Hat! :)

Tuesday, April 01, 2008

My Blog is PCI Certified by Scanless PCI

Using a combination of fines and incentives the payment card brands have been working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs up is able to get PCI certified, but it does come at a price (not including bandwidth utilization). The problem is adoption rates are still slow, but that might all change with a new entry into the space, Scanless PCI.

Scanless PCI claims they’ve found a unique (patent-pending) way to certify merchant websites with no setup, no technology changes, and at absolutely no cost! Sounded too good to be true so I investigated their website. To my amazement I left the site completely convinced that their offering is every bit as effective at stopping hackers as other ASVs we’ve discussed here in the past. Their process was so straightforward I figured there was no excuse for my blog not to be PCI Certified as well. Check out the right side column, compliance was zip zap!

I encourage everyone to jump on board and give the service a try.