Sunday, September 30, 2007

Taipei in 36 hours

I wasn’t in Taipei, Taiwan long, but I did get a chance to see a little bit of the city. I sampled the cuisine, visited the world’s tallest building (Taipei 101), and attended an infosec conference. The temperature felt similar to Florida, a little on the warm side (81 F) and a tad humid. I enjoyed it though, as it felt close to home on Maui. The Taiwanese people were extremely nice, and as Matt Huang from Armorize said, “just about everyone is fluent in broken English.” I tested the theory during some late night exploration, since my internal clock was shot, and found he was mostly right. :) I also got a few copies of a Taiwanese newspaper article with my face in it. No idea what it says; I’m hoping it’s good stuff. Heh.

Now I normally have little appreciation or taste for art or architecture of any kind. I simply don’t understand it or why many find it so compelling. My wife thinks I’m sort of broken in that way. So it came as quite a shock to me that I was completely awestruck by the Taipei 101 building: 101 floors and 1,670 feet high. I couldn’t take my eyes off it any time I was around it. It was amazing and a true engineering marvel. I guess the best way to describe the experience is that its size was simply confusing, as it literally reached into the clouds, which moved through the needle at the top. To be near it was to have it occupy the entire field of view. Plus, taking the world’s fastest elevator to the top, which made your ears pop, wasn’t too shabby either.

I really enjoyed the food too and sampled a lot of strange stuff. Jelly pork cubes, sea cucumber, pickled eel, etc. Nothing was off limits, except the stinky fermented tofu, as even I have my limits from time to time. Then we also tried the regular stuff like kung pao chicken, several dim sum dishes, and 10 different kinds of soup I can’t recall. Yummy! A lot of the dishes I found fairly similar to the Chinese food we can get here in the bay area.

OWASP Asia Conference 2007

A capacity audience of over 600 people attended the half-day OWASP Asia Conference 2007. That must be a record for any web application security event anywhere in the world, and it goes to show how much the industry has matured in recent years into a truly global interest. Everything was extremely well organized. The venue was simply stellar (TaiWan Information Security Center), with professional branding and décor everywhere, the media in force, top-notch speakers (from the U.S. and Taiwan), and fantastic content (discussed below). Wayne Huang (CEO) and the entire Armorize Technologies (makers of source code review software) team did an amazing job pulling it all together. I’ll link to the pictures when they’re made available. It’s going to be a tough act to follow for OWASP & WASC AppSec 2007 in November.

From my (too) short stay, the impression I got of the Taiwanese people is that they have a deep sense of national pride, the security community possesses an eager thirst for knowledge, and they’re excited to share what they’ve learned with others. Let me tell you, the Taiwan cyber crime environment is MUCH different and WAY more serious than anything I’ve ever been exposed to in the U.S. or elsewhere. My job experience thus far has had everything to do with criminals attempting to monetize. In Taiwan it’s an environment of true military-supported cyber warfare, the result of an intense political climate with China. Both sides are extremely well organized, funded, and motivated, and their actions are unrestricted.

Consider for a moment a daily computing life filled with 0-days, rootkits targeted at a single person, trojan horses, malware-laced spam, and attacks designed not to monetize or embarrass but for military espionage with command and control goals. They view their exploit code more like weapons and munitions than anything else. Imagine an environment where you are able to hack anything you want, which is seemingly culturally encouraged, and offenses are rarely prosecuted. The private and government sectors are in close, open, and bi-directional communication. This might have something to do with their mandatory military service, so relationships between the two are more natural. It was an amazing contrast to our environment in the U.S.

I attended two presentations where I’m not exactly sure how much I’m free to reveal. The organizers requested the audience to turn off all recording devices and refrain from taking photos of the sensitive intelligence research gathered about the Chinese NetArmy. The speakers definitely knew their stuff and supposedly one of them is blocked from entering the U.S. because of past associations. Apparently he wanted to speak at Black Hat last year and couldn’t. The speeches covered what forms of military-grade malware are in the wild, methods of propagation, capabilities, progression, etc. They went over how the NetArmy is trained and organized and how courses in Military Cyber Warfare are being institutionalized. Imagine instead of getting a degree in Information Security, you get one in Military Cyber Warfare. Talk about a bold new world.

My subject matter was all about Business Logic Flaws, to coincide with my white paper release, which I felt would be fresh and new for the audience since so much emphasis is already being placed on XSS, SQLi, and CSRF. Judging from the questions and the feedback, it was very well received. The undertone was that we need to take a holistic approach to web application security since there is no silver bullet solution. Big surprise, huh? Just like network security, they have a mixture of solutions in place, and we need to mature to the same level for website security. Vulnerability assessment, security in the SDLC, Web Application Firewalls, secure configurations, etc. are all steps in the right direction. It’s the only way to effectively reduce the risk of compromise.

It occurred to me on the trip back that if I wasn’t already on the Taiwanese and Chinese government cyber security watch lists, I certainly am now. Great. :/ As Anurag has said, it comes with the job I guess. I’m actually wondering, now that I’ve spoken at a Taiwan computer security event, if they’ll let me into China, let alone speak at a conference there. Hard to know ahead of time I guess. Personally I was just flattered to be invited to the event and proud to be a part of its beginnings. I’m sure it’ll get even bigger next year. Bringing the importance of web application security to a larger world and helping to get more people involved is what it’s all about.

Thursday, September 27, 2007

Showing up in Chicago and Atlanta

WhiteHat Security is hosting a pair of lunchtime events coming up soon in Chicago (Oct. 2) and Atlanta (Oct. 9). Stephanie Fohn (CEO) will open by discussing the business challenges associated with effective identification and remediation of website vulnerabilities. I’ll be going over real world examples of Business Logic Flaws, the content from the white paper post. And it’s also my great pleasure to say that we have two very special guests, Anurag Agarwal (application security architect for a financial services organization) and Allen Stone (Senior Security Specialist, E-Trade Financial), speaking in Chicago and Atlanta respectively. They will be describing their first-hand experiences managing website security and conducting vulnerability management for some extremely large and popular Web properties.

All the content is designed for those responsible for enterprise website security who want to hear more about the latest trends and important issues. Plus many peers will be in the room as well. Attendance is free, but you have to register. If you want to come, please do it soon because there are only a couple dozen seats available per venue. See ya there!

Date: October 2, 2007 (11:30 AM - 1:30 PM)
Location: Omni Chicago Hotel
676 North Michigan Ave.

Date: October 9, 2007 (11:30 AM - 1:30 PM)
Location: Four Seasons Hotel Atlanta
75 Fourteenth Street, Atlanta, GA 30309

Wednesday, September 26, 2007

Business Logic Flaws, freshly minted White Paper

While the industry is buzzing with XSS, SQLi, CSRF, browser insecurities, etc., Business Logic Flaws (pdf) are the website security dark horse no one talks much about. You know those all too common issues where you can jump into someone else’s online account or access confidential data with a normal-looking request simply by flipping a few characters. Business Logic Flaws are challenging to discuss, prevent, or even fix generically because they’re extremely website specific. We recently released a white paper that’s all real-world-example driven to help people begin thinking outside the box about their own websites. Snippet:

"Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Hardly a winning trifecta. Plus, the more sophisticated and Web 2.0 feature rich a website, the more prone it is to have flaws in business logic due to the complexities involved."

Examples I use:

1) Winning an Online Auction
2) “Interactive” T.V.
3) See Steve Jobs up close
4) Day trading contest for $1,000,000
5) The house almost always wins
6) Password Recovery
7) Making millions by trading on semi-public information
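As an added illustration (my own example code, not one of the white paper’s cases), here is the “flipping a few characters” problem in miniature: a statement-download endpoint that checks that you are logged in but never checks that the account you asked for is yours. The user names, account ids, session cookies and request shape are all hypothetical and constructed for the demo.

```javascript
// Added example: an "insecure direct object reference" style business logic
// flaw. Everything here (users, ids, session cookies, request shape) is
// hypothetical and constructed for the demo.

// Toy data store: account id -> owner and the statement they may download.
const accounts = {
  "1001": { owner: "alice", statement: "alice-2007-09.pdf" },
  "1002": { owner: "bob",   statement: "bob-2007-09.pdf" },
};

// Opaque session cookie -> authenticated user.
const sessions = {
  "s-alice": { user: "alice" },
  "s-bob":   { user: "bob" },
};

// VULNERABLE: authentication is checked, authorization is not. Bob, logged in
// as himself, changes ?account=1002 to ?account=1001 and gets Alice's file.
// The request is well formed and the reply is a normal 200, so a scanner or
// IDS signature has nothing to match on.
function getStatementVulnerable(req) {
  const session = sessions[req.cookies.sid];
  if (!session) return { status: 401, body: "login required" };
  const acct = accounts[req.query.account];
  if (!acct) return { status: 404, body: "no such account" };
  return { status: 200, body: acct.statement };
}

// FIXED: resolve the object, then check the session user owns it. Use the same
// 404 for "does not exist" and "not yours" so the endpoint cannot be used to
// enumerate which account ids are valid.
function getStatementFixed(req) {
  const session = sessions[req.cookies.sid];
  if (!session) return { status: 401, body: "login required" };
  const acct = accounts[req.query.account];
  if (!acct || acct.owner !== session.user) {
    return { status: 404, body: "no such account" };
  }
  return { status: 200, body: acct.statement };
}

// Bob's request for Alice's account; constructed sample input.
function bobAsksForAlice() {
  return { cookies: { sid: "s-bob" }, query: { account: "1001" } };
}

console.log("vulnerable:", getStatementVulnerable(bobAsksForAlice())); // 200, Alice's statement
console.log("fixed:     ", getStatementFixed(bobAsksForAlice()));      // 404
```

The point of the fixed version is that the ownership check is a property of this site’s data model, not of the HTTP request: nothing about the request is malformed, which is exactly why generic scanners and WAF rules have nothing to key on.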


Tuesday, September 25, 2007

StillSecure Podcast Interview with RSnake and Jeremiah

Alan Shimel and Mitchell Ashley invited us onto the show last week to talk about, well you know, web application security stuff. Doncha just hate it when you get pigeonholed. :)

Anyway, the conversation started off nicely with a few easy questions, but then they had to go and ask RSnake to comment about Google. He spouted his usual grandstanding on how they’re the evilest of the evil empires and how CEO Eric Schmidt wants to read the brainwaves of Alan’s kids or something like that. I don’t know for sure because I wasn’t paying that close attention, seeing as I was on a JetBlue flight to who knows where and playing Street Fighter at the time.

Alan and Mitchell softballed me with a few buzzword compliant questions including the impact of Ajax, Web 2.0, a flat world, yaddah yaddah. I brushed those off quickly as irrelevant, but they then blindsided me with some browser security questions. They must have known I couldn’t help but lay terse words into the browser vendors and eventually whine incessantly like a child about the lack of content restrictions. When asked if the industry is making any “progress”, I quickly raised the FUD flag to ensure my long-term livelihood.

OK, OK, I kid, I kid. In all seriousness, Alan and Mitchell are really funny and great guys to spend time with. The interview was fun and we covered a lot of ground and interesting topics along the way.

Read someone’s Gmail, made simple

I’m currently in Taiwan attending the OWASP Asia 2007 conference, in large part due to the generosity and coordination of Armorize Technologies. I plan to post more about the experience, but in the meantime I wanted to break blog silence to point out PDP’s ingenious Gmail CSRF attack technique, the details of which were partially disclosed. I haven’t verified this attack personally, but I see absolutely nothing preventing this type of attack from working exactly as advertised.

Essentially an evil website forces a logged-in Google user’s browser to create a new email filter (CSRF) which forwards their email to any remote address of the hacker’s choosing. An existing or incoming email arrives and, poof, is silently forwarded on its way, which would be extremely hard for anyone to spot. Simple, silent, and extremely clever. I also see how this technique could easily be applied to any other WebMail provider with a similar filtering feature in place.

This is especially scary because, as I’ve said before, WebMail accounts are in many ways more valuable than banking accounts because they hold the keys to many other online accounts (blog, banking, shopping, etc.). Check out Brian Krebs’ Washington Post article where he covers a situation where a hacker is extorting a user by locking them out of their WebMail.

Friday, September 14, 2007

Leaving on a Jet Plane

Posts have been slow due to an insane travel/speaking schedule - see below if you’re interested. One of these days I’ll get back to my desk to focus more on R&D type stuff. Arian, Bill, and the operations team get to have all the fun. Fortunately I have been able to squeeze in some time to work on one particular project I’m really excited about. I’ll be able to talk more about it once I get it working properly.

In the meantime I still read a tremendous amount, and a pair of excellent posts stood out from the rest. The posts discussed essentially the same issue, security metrics, but from different angles. For many, security metrics is an incredibly boring topic; for others it’s a contentious subject and a way of life. The rest of us fall somewhere in the middle.

1) Chris Hoff interviewed Andy Jaquith (Analyst, Yankee Group), who shared some fascinating insights about warehouse operations and how they contrast with security operations metrics. It sounds odd, I know, but he's got some really interesting stories to tell.

2) RSnake then talks about how new security safeguards mitigate risk only temporarily, because they incentivize attackers to target someone else who is easier. This effect lasts only until the solution becomes standard across the market, at which point its risk mitigation value decreases because everyone is then the same.

Speaking Schedule
9/10 ISACA Network Security (Las Vegas, NV)
9/12 InfoSecurity (New York, NY)
9/17 IT Security World (San Francisco, CA)
9/20 OWASP Chapter (Boulder, CO)
9/24 OWASP Conference (Taiwan)
10/2 WhiteHat Chicago regional event
10/9 WhiteHat Atlanta regional event
10/10 OWASP Chapter (Houston, TX)
10/11 OWASP Chapter (San Antonio, TX)
10/16 ISSA Symposium (Long Beach, CA)
10/18 ISSA (Portland, OR)

Tuesday, September 04, 2007

WASC/BaySec Meet-Up (Bay Area)

Lots of local Bay Area events going on this year....

WASC is organizing another Meet-Up during the IT Security World Conference (Sep 17-18) in San Francisco at O'Neills. As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Baysec is also organizing a meetup during that time, and we are hoping to meet other security professionals from the Bay Area. Everyone is welcome and it should be a really fun time!

Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: (anurag.agarwal _ _ _ _ a t _ _

Time: Monday, Sep. 17 @ 7:00pm


O’Neills Irish Pub
747 3rd St
San Francisco, CA 94107
Phone: (415) 777-1177

OWASP & WASC AppSec 2007 conference

The OWASP/WASC Black Hat cocktail party was so successful it only made sense to join forces again, this time for an upcoming conference. OWASP & WASC AppSec 2007 is scheduled for Nov 12 – 15 at the eBay campus in San Jose, California. This will be an entire conference dedicated to web application security and something not to be missed. In fact, we’re a little nervous because the venue might not be able to fit everyone (300 max) wanting to attend.

Currently we’re busy formalizing the agenda and coordinating the logistics with parties and events. If the wish list pans out, we’ll have an amazing speaker/topic line-up, a ton of industry experts in attendance, security professionals from all over silicon valley, and hopefully a few surprises to go with it. The official announcement is below and I'll update the blog with new developments.

FYI: There are plenty of sponsorship opportunities for interested organizations.

OWASP and WASC have joined forces for this year's AppSec 2007 conference being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of the industry's leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue are also perfect for networking and sharing experiences with others who are down in the trenches. AppSec 2007 expects to exceed all attendance records from previous years, making space extremely limited. There's only room for approximately 300 attendees. So if you're planning to come, please register soon.

For more details and registration:

The conference also features:

1) Two full days of tutorials on a wide variety of web application security topics.

2) A web services security track

3) Vendor services and technology expo

Conference Location:

The AppSec 2007 Conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

Training Days: November 12th-13th

Main Conference: November 14th-15th

Rolling Reviews: N-Stalker

Jordan Wiens of Network Computing released his review of N-Stalker and OUCH! Normally a review contrasts a product’s strong points against the weaker ones, but this one was basically all bad. Good for Jordan in telling it like it is. He did highlight an interesting feature though: scanning integrated with log analysis. If the product found a vuln, the theory is you could check the logs to see if someone had already been trying to exploit it. Nice.

Next up is the last major scanner, Watchfire's AppScan. I'll be watching closely how well they handle Ajax, since no one has fared well at all. It might be time to call BS on the "we support Ajax" claims. Personally, I don't think the use of Ajax causes a website to be any more or less secure, but I do think it makes it harder to find vulnerabilities. The reviews are proving that much.

Of course, WhiteHat Security will have to take its turn under Jordan's firing squad in due time.