Security: PHP Security Presentation
I gave an hour-long presentation at the Columbus OWASP chapter meeting today concerning PHP Security. The slides might not be super-useful on their own, since I’m not standing in front of them to provide context and bad jokes, but people asked for them, so they’re available.
Download the slides (4.8MB PDF)
This is the PDF version that was shown at the OWASP presentation (including the OWASP chapter introduction), with the following changes:
- HIPPA spelling corrected to HIPAA (yes, I work in this field).
- OWASP’s PHP ESAPI (Enterprise Security API) link added near the end of the presentation.
Since I’m horrible at remembering names and faces, I can’t actually give credit for these fixes. If that was you: let me know, and I’m sorry.
Important Note: There’s an example of how to implement a Random Form Token to help protect against CSRF attacks. This is a very naive implementation — in particular, since the token is generated from the current timestamp, someone could (with the proper tools) guess the correct token, which defeats the purpose of having the token at all. This was all covered during the talk.
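For readers who only have the slides, here is the fix the talk described, as an added example that is not the code from the presentation. It puts the timestamp-derived token beside a version that draws the token from the CSPRNG, keeps it in the session, and compares it in constant time. It assumes PHP 7 or later (for random_bytes() and hash_equals()) and that session_start() runs before any output; the function names are my own.

```php
<?php
// Added example (not from the slides): per-session anti-CSRF tokens.
// Assumes PHP 7+ for random_bytes() and hash_equals().

// Weak form, shown only for contrast: a token derived from the clock is
// predictable, because anyone who can estimate the server's time can
// regenerate it and forge a valid request.
function weak_csrf_token(): string
{
    return md5((string) time());
}

// Hardened form: 32 bytes from the CSPRNG, stored server-side in the session
// and handed to the form as a hidden field.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the hidden field. The token is hex-only, but encoding output is the
// habit the talk recommends, so it is encoded anyway.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate on every state-changing request. hash_equals() compares in
// constant time, so the check does not leak the token through timing.
function csrf_valid(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($supplied)
        && hash_equals($expected, $supplied);
}

// Usage sketch for a form handler.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the form ...
} else {
    echo '<form method="post">' . csrf_field()
        . '<button type="submit">Submit</button></form>';
}
```

The token is issued once per session rather than per form so that multiple open tabs keep working; rotate it on login and logout so a token captured before authentication is useless afterwards.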
The presentation (at least my part) was developed in Keynote, and I have the source files available if anyone thinks they’d be useful.
General, Networking/Systems, Security: The New York State Cyber Security Conference, Day 2
My second day of the New York State Cyber Security Conference was equally as engaging as the first – dare I say thrilling at times. Before I share some of the meat, I’d like to again compliment the conference staff on an excellent program. What an absolute gem and a bargain ($50 public, $150 private). If you’re into information security I highly recommend a visit; June 9-10 2010 have already been set aside. You’ll see me there.
Our keynote to start the day was delivered by Raphael Perl, Head of the Action Against Terrorism Unit, Organization for Security and Co-operation in Europe (what’s with these titles? sheesh) who discussed global cybersecurity challenges for practitioners as well as the emerging threats and tactics of terrorism in cyberspace.
One of the items I thought most interesting was the explanation of overall approach on a political and military level. From a political perspective, it’s becoming understood and accepted that security is a global challenge requiring international information sharing. But the military is resisting, instead preferring to stay separate and secretive. As I pointed out on day 1, Philip Reitinger and others plainly state the biggest issue we face is hackers and other baddies becoming much more organized and globally sharing information at a rate the good guys can’t match. It would seem to me the military approach is destined for failure, and Raphael Perl made it clear he believes the same. Here’s a few other interesting points or facts from the discussion:
- Last June, 1 billion PCs were in use worldwide. By 2012 this will double to 2 billion.
- 200 billion email messages are sent every day; Cisco estimates 90% of them are SPAM.
- There are currently 3-5000 active websites run by terrorists or terrorist-affiliated groups.
- In a non-scientific poll of sales at a major computer store, 10% of home users bought antivirus software with a new PC purchase. Business users bought it 90% of the time.
He devoted a lot of time to discussing the potential threat to cyberspace by terrorists. He believes terrorists are actively planning to disrupt the Internet, and will launch an attack in conjunction with a real attack or a major national disaster. The goal is interrupting services right when many need it most. He believes the information sharing and readily-available tools by hackers will help facilitate these attacks, as any cyberattack can be easily copied by terrorists. However, it was also made clear that not all experts agree with his opinion. Overall I found the discussion very intriguing and certainly worthy of deep future interest.
Day 2 tracks were Five Common Mistakes in Securing Web Applications, Are you Googling Your Privacy Away?, Are You Prepared for Data Loss, and PII (personally identifiable information): Taming the Beast (AKA how to discover and secure PII). Just like yesterday, they were all engaging and very well presented. The Google talk was particularly thrilling – yea I said thrilling. It’s incredible how much private information we give away to Google in exchange for their services. If you know me, you know I’m not afraid of talking about how much Google scares me. When it’s all laid out for you in a short presentation it’s even more resonating.
- Google is better than everyone else at screwing you and your privacy.
- Their cookies auto-renew every time you use any service.
- They’ve essentially built the best surveillance system ever created. You are a GUID (Google User ID), everything you do with them maps to this GUID, and it will follow you until you die. They aim to have a GUID for every person in the world.
- You readily give Google (and other social networking sites) vastly more information than the police can ask you.
- GMAIL really is email for life. According to the ECPA your data is only protected for 180 days; on day 181 Google can give it to law enforcement without a warrant, barely with a formal request. Our DOJ is working on deprecating the 180 day rule.
- Google has only indexed 20% of the internet.
- If you use Google Desktop with remote access, everything you have indexed is stored in the Googlesphere. You’re violating HIPAA, PCI, SOX, and most other compliance specifications (oops!).
- When using Chrome, Google knows every keystroke you type into the browser. Even fields you backspace/delete.
- They don’t have to ever delete anything you tell/ask them to. Google’s file system is designed not to delete.
- Does your phone run Android? They know everyone you talk to, where you are, where you’ve been.
- Goog411 is a slick, free 411 service, right? Actually, you’re training their voice recognition software.
- Google probably knows much more about you than any government agency.
- Remember that HIPAA, PCI, and SOX violation stuff? Hope you’re not using GMAIL since it’s stored (and indexed) in the Googlesphere.
- Yes, they can filter via your GUID and/or IP address and find all of your search terms.
I could go on, and the presentation was less than an hour. It’s freaking scary. Here’s the rest of my juicy tidbits from the day:
- 60% of top 100 websites had hosted or were involved in malicious activity in 2008.
- Of all 2008 vulnerabilities, 58% were from web applications.
- From the 2008 total, 73% of those classed “easily exploitable” were web applications.
- Dear developers: Most hackers don’t use browsers to exploit web applications, client-side anything is fail.
- 80% of internet traffic crosses a Verizon network.
- In the vast majority of cases when a breach occurred due to a known software vulnerability, the patch had been available for over a year.
- Top three types of malware are keyloggers, back doors, and capture-and-store programs.
- The majority of these are plain, un-customized and easily detectable by most antivirus programs.
- 49% of breaches go undiscovered for months.
- VerizonBusiness’ assessment of breach events over three years revealed 82% of organizations captured the attack(s) in logs, but the logs were either too complex or they lacked the tools to filter the data into a useful view.
- In this period, 69% of breaches were detected by a third party. 24% were detected internally passively (stumbling on), and 7% were detected actively.
- Over 260 million SSNs have been leaked since 2005.
- There are a few open source tools for scanning/identifying PII.
- According to solution methodology, 89% of breaches could have been solved by data-at-rest protection (identification and removal or encryption, etc.)
I have 21 pages of notes and a large list of ideas/tasks taken over those two days. So let me say again what a fantastic event this conference was.
Chris
Culture, Networking/Systems, Security: Greetings from the New York State Cyber Security Conference, Day 1
On the road again for the sake of security. This trip brings me to Albany for the New York State Cyber Security Conference. This two day conference is geared primarily toward the public sector, but welcoming private industry and packed full of great topics from both public and private organizations.
The morning began with welcoming remarks and an animated hacking demonstration themed around X-Men, which consisted of using a Linux distro to disable an NT password, Internet-mining to find information about an individual, and Wireshark to sniff packets. It wasn’t exactly technically deep, but it certainly wasn’t boring PowerPoint stuff and if anything was pretty entertaining (Indian guy in a Wolverine wig, nice).
The keynote was delivered by Philip Reitinger, National Protection and Programs Directorate for the U.S. Department of Homeland Security (what a mouthful). Without PowerPoint (bonus!), he discussed quite a bit on the 60-day Review (PDF) and where DHS is challenged with cybersecurity. He also candidly highlighted some of the largest challenges facing security professionals:
- Hackers getting better not just at hacking but with sharing information at a rate security professionals cannot match.
- Defenses not keeping pace with threats.
- Cybersecurity as an issue of national security (which the president recently accepted responsibility for, a great first step).
- Fostering public-private information sharing.
- Establishing reasonable metrics.
Overall a thoroughly interesting and engaging discussion. He also pushed pretty hard for good IT people (my boss, stop reading here): if you’re interested in moving into the Federal space, now might be a great time.
The three tracks I chose were Ensuring Network Protection While Meeting Compliance (PII, HIPAA, etc.), Computer Network Simulators, and Motivating People to Adopt Security Practices. You’d think these would be horribly boring, but I have to say how impressed I am not only with the conference organization but with the quality of the talks. Yes, really, I stayed engaged all day. Let me share a few tidbits of info I found particularly interesting throughout the day:
- Information Security Officers must be allowed a seat at the executive table and involved in business decisions. (there is a heavy push to remove the “wall” of security as a sub-position of IT or an afterthought)
- 35.7 million records potentially breached in 2008 *reported* – imagine what the actual number is. Dizzying.
- In 2008, missing or stolen equipment accounted for 42% of reported breach events – the second highest was employee negligence at 16%.
- Heathrow airport in England averages 900 unclaimed laptops per week – and after reasonable time unclaimed are auctioned off.
- 1 in 10 people click through SPAM and become infected with malware. On the surface, that’s not much. But think of an organization with 1000 or more people.
- There are 500,000 different variants of malware currently, 20,000 new ones are created every day.
- Personal observation: Most admins don’t have a clue how base32 encoded data looks (scary).
- People will not embrace security policies if they reduce their productivity, feel threatened, or are negatively reinforced. [Innovaites, take special note here, I listened well to this one]
Overall I’ve found the conference very well organized, technically awesome, and the people very welcoming. I also had a few great conversations with some of the sponsoring vendors. So far a great experience, and I’m looking forward to tomorrow. Until then, cheers from the Albany Pump House and my beer sampler.
P.S. I’ve been tweeting some of the conference, feel free to follow me.
Chris
Security: OWASP AppSec 2008: Last Day
The last day of the 2008 OWASP AppSec conference in New York City has passed!
Chris and I saw some excellent talks, including one that introduced a tool that actually scared Chris with its effectiveness – but I’ll let him tell that story. One of my favorites was “Agile Development and Security”, which predictably talked about how to develop securely while using the Agile methodology. Although Innova isn’t specifically an “Agile” shop, the talk was still extremely helpful.
Overall, the whole conference was a smashing success! Aside from NYC, which is just plain awesome, the training and various speakers got Chris and me in a security-conscious mindset. The training, for me at least, reinforced a lot I already knew and taught me plenty that I didn’t. The speakers I saw outlined how attackers think, and how to implement the various things we’ve learned in real production environments where everything isn’t milk and honey. We’re identifying places where we can implement these things, and trying to come up with a good presentation to give to the Innova crew and the local OWASP chapter that covers everything.
Tomorrow we’re just going to tour the parts of Manhattan that we haven’t walked around yet, and I’ll be back in town late Friday night! NYC is awesome, and I’ll damn well miss it, but I’m looking forward to the comforts of home!
Security: OWASP AppSec 2008 Day 2
Final day of training for me! While the first day focused pretty heavily on the effects of not sanitizing input and not properly encoding output (80% of attacks can be stopped with intelligent application of both), day two focused on other things:
- audit logging: what to log and when to log it
- unintentionally leaking information
- programmatic checks (think assert())
- authentication and authorization
- session/state management
- cross-site request forgery detection and mitigation
- cryptography
- keeping sensitive information in software (specifically: not doing that)
- operational security
- configuration of applications and environments
- code signing (yeah, nobody does it)
So, much more extensive than day one. There’s a lot to go over in our presentation once we get back to the office, but even without that this conference is pretty awesome for just getting Chris and me in a security-conscious mindset.
Speaking of, Chris’ management course was only a one-day affair so he spent the day wandering around Manhattan: I think his total trip odometer for the day was around 12 miles, not counting the touristy stuff we did after I finished my course up. How he isn’t dead I’ll never know. He’s barely tired! After that we wandered around Little Italy and had a great meal at another Chinese restaurant: New Green Bo! Scallion pancakes are delicious!
And with that, we close on a second fabulous day in NYC! Tomorrow the conference proper starts, and we’re both pretty jazzed to see how that’s going to turn out!
