Friday, December 28, 2007

10 Maui fun facts

Rather than share all my vacation details, which would likely make my readers jealous who are suffering through the cold of winter, I’ll instead post a few fun facts about Maui. Things visitors are unlikely to read in any guidebook.

1) Temperature changes with elevation rather than with the seasons. At sea level its 80-90F, 500-5000ft its 65-80F, and if above that you are probably going to the top of the Haleakala volcano (10,000ft). Snow/frost has been known to happen from time to time at the peak. I heard on the big island (larger island to the south) this winter someone surfed in the morning and snowboarded during the afternoon. I don’t know if there is any other place in the world other than Hawaii where you can do that.

2) Seasons only impact the waves. In the winter the waves are on the north and west shores and in the summer, the south. Freaks swells happen from time to time, but not often. And speaking of waves - lifeguards are almost nowhere to be found. If they are there normally they are there for the surfers, not the tourists, who get towed back by jet ski. The surfers are usually the ones who pull out drowning tourists and get upset when they have to because it means they missed a nice set.

3) Tourists can be found on either the west or south shores as these are the dryer and warmer sides of the island. Lots of hotels, resorts, shopping, and golf courses. I don’t recall many residents who actually golfed so that must be primarily a visitor thing. The rest of us are on the beach on the north shore.

4) 99% of the thousands of people who move to Maui every year catch something called rock fever whose symptoms cause them to move back within the first 12 months. You see, Maui is a small place with not a lot to do for most mainlanders. There are no pro/college sports games, theme parks, nightclubs, or anything like that. Those who are not REALLY outdoorsy who enjoy the beach, hiking, fishing, hunting, and a lot of the same everyday will catch the fever. Their stay on Maui will have been just an extended vacation.

5) Maui residents culturally don’t understand the concept of a 2-week vacation. - you know, where you go somewhere to get away from it all. I had no idea what it was when I got my first job in California when I was 19. Accruing time off? WTF!? No one from Maui really does that. I mean, when you’re from Maui, where are you really going to go? Oh right, Vegas, but that’ll be a very special trip and only once in a great while. When employees need time off it probably means the waves are up and they are not going to show up anyway.

6) Dressed up is considered closed toe shoes instead of slippahs (sandals), button down (aloha) shirt rather than of a faded T, and unripped jeans or pants of some kind versus surf shorts. And that attire you probably only where to a wedding, funeral, or hmmm, not much else. The rest is natural wherever you are or what your are doing. I don’t think anyone on the whole island actually owns a suit except for maybe the lawyers and then only worn in court.

7) A good car is one that runs and is street legal - the rest is basically luxury items. If a car doesn’t have any rust or dents, that’s considered mint. Lifted pickup trucks, hatchbacks, and minivans are the vehicles or choice. And driving distance is always measured in time, never miles. As it could take you 3 hours to go 15 miles depending on where you are.

8) Local food is NOT Hawaii food – BIG difference. Local food is an odd fusion of ingredients inspired by the Portuguese, Japanese, Chinese, Filipinos, and of course the Hawaiians. Consist of a lot of spam, sausage, chicken, and steak which has been breaded and deep-fried or baked in pools of teriyaki sauce and covered in gravy then served with tons of white rice and macaroni salad. These dishes are referred to as plate lunched and yes this stuff will kill you, but slowly and it’ll taste good. :). Hawaiian food, which I’m never been fond of includes poi, Lau Lau, and kalua pig & cabbage.

9) Lingo, Maui – well Hawaii – has it own very unique dialect. Anything on the east side of the island is referred to as “upcountry”, unless on the extreme backside which is called “hana-side”. When going to “town”, that’s almost always Kahului. Town names are rarely spoken and travel plans are typically described directionally. For example “going to the south, west, or north shore.” And when one side of the island, to travel to the other, you are going to the “other side”. When some one yells at you and says “Eh Brah”, that’s the equivalent of “hey man”. And when someone asks you if you want to go “grind”, they’re not asking you to dance provocatively, but instead if you are hungry and want to eat – a lot. Oh, and don't try to blend in by trying to speak like the locals, it'll just make you look really dumb.

10) Yes, Hawaii is a state. This is for those so many people across the U.S. that I had to convince that my Hawaii drivers license was valid and not a fake. Trying renting a car in Alabama with one of these, I dare you.

So what did I miss?

Maui was a lot of fun, but more on that later. Today I got to get back to digital reality - wade through mountains of email, unread RSS feeds, and unplayed voicemail. Looks like while I was away there was a lot of chatter about PCI section 6.6 and WAFs, which make sense since the compliance date is only about six months away. Gary McGraw (DarkReading) and Joel Dubin (SearchSecurity) had some sage advice, but it was Ryan Barnett’s words that really spoke to me. Ryan discusses vulnerability REMEDIATION with respect to PCI, which is all too often overlooked, and highlights some interesting verbiage. And since Ryan works closely with ModSecurity, it’s fitting to pass along that Ivan Ristic just announced the RC for version 2.5 and it has with some slick sounding features.

Google’s social network Orkut also took its turn having to deal with the relatively new phenomena of Web Worms. This worm spread to a reported 650,000 users, short of Samy’s 1 million, but still enough to turn some heads. There was a lot of media and blog coverage, source code was made available for analysis. Amazing what a few lines of JavaScript can accomplish. What’s still surprising to me in all of this is the relatively infrequency of these attacks and that Web Worms have yet to see a malicious payload. Enjoy it while you can it won’t last forever.

Ironically while at the beach, I made Slashdot by sharing my personal “Web” surfing habits and discussing how to defend against CSRF attacks. Nah nah :) – this was the result of an interview I did some weeks back with Sarah D. Scalet of CSO and it was just recently posted. Gotta hand it to the Slashdot crowd for their consistency in NOT reading the story before commenting. The first person actually asks “How exactly is this strategy going to protect you from a keylogger?” and then the conversations degrades for there. Seesh. But Marcin (TSSCI) posted a nice little trick I haven’t tested out yet to simultaneously run multiple Firefox profiles, which should have nearly the same effect I was going for.

And while and are outing vulnerable websites, other websites suffered some Web security related incidents. Hundreds of MD Web Hosting customers websites were SE0wN3d, F-Secure Forum was defaced by a Turkish group, adult-entertainment hoster Too Much Media Corp who supports thousands of websites was compromised, an Ohio court website was penetrated using Credential/Session Prediction where several victim suffered identity theft, and the Tuscon police department website is having their fill of SQL Injection as well. All fun and games in webappsec land.

Friday, December 07, 2007

Maui Vacation 2007

We made it! 2007 was a busy year to say the least. 40 public appearances, 200 blog posts, about a dozen published articles, a book, 7468 sent emails, and who knows how many airline miles. This year has been fun with many memories, but also extremely tiring. Having just gotten back from Texas (*mmm, ribs*) and New York (*brrr*), my last business trip of the year, its time to turn off the techno-stuff and vacation a little.

On Monday I’ll be heading back home to Maui for a couple weeks with the family as we do every year. During that time there will be no blog posts, email responses, or communication of any kind. Because you know I’ll be busy at the beach (surfing the winter swell), playing with the kids, having a few BBQs, maybe jumping off a few waterfalls, and working in some Brazilian Jiu-Jitsu – the usual stuff. And if I can get rid of this pasty white complexion, that’ll be good to. ;)

Merry Christmas everyone!

Tuesday, December 04, 2007

Full Disclosure is dead

Businesses must realize that full disclosure is dead, a contributed article I wrote for SC Magazine. This is nothing like my usual webappsec banter, nor is it the stereotypical FD talking points everyone has heard and debated a million times before. Instead I tried to articulate my current views on the subject of vulnerability disclosure, which are probably very different than most, and where I believe the industry is heading.

“Full Disclosure is dead. Let me explain why. The information security world has changed, even if some don't see it or are unwilling to accept it. Vulnerability disclosure discussions based upon ethics are morally antiquated and na├»ve at best considering today's cyber-security climate...”

One thing I forgot to mention is that the many software vendors will try to capitalize on the fact that less vulnerabilities will get reported and say it's result of "more secure software".

Tools, tools, and more tools

People love tools. For a guy a freshly released pen-test tool can be a lot like getting your hands on a shiny brand-new toolset, even better if they’re powered in some way. Hint, Christmas is coming soon. :) They’re something you just can’t wait to rip open the box on and start playing around with. So it’s in this spirit that I point out a couple new tools with some features that sound like a lot of fun.

1) PortSwigger released a new version of Burp Suite, the same great stuff plus a whole lot more. The new stuff includes the ability to analyze session token randomness, manual and intelligent decoding and encoding of application data, a utility for performing a visual diff of any two data items, and more. Nice!

2) Stefano Di Paola, of Minded Security, released SWFIntruder. SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. Most of us have been using odd types of decompilers for a while, but nothing purpose built for the task. For a first release, this one sounds like it has promise.

* And if you are looking for a resource that describes a whole lot more of the web application pen-test tools out there, look no further than Andre “dre” Gironda’s post on “Why crawling doesn’t matter.” He intended the post to educate for a different purpose, but the content is a veritable encyclopedia of pen-testing tools and their capabilities. Many of which I hadn’t even heard of that sound cool as well.