Monday, December 29, 2014

Security Forensics Holiday Humor

What the hell is security forensics holiday humor?  If you're up for a distraction, you need to see for yourself.  The following comes from Kyle Wilhoit (Twitter: @lowcalspam).

Do the following and watch the results.

On *nix or OS X...
traceroute xmas.futile.net

On Windows...
tracert xmas.futile.net

The accompanying photo shows part of the output.  Enjoy!

Monday, November 24, 2014

Friday, November 21, 2014

More Improvements to DeepViolet


Continuing work on the SSL\TLS introspection effort.  If you're interested in the background, check out my previous post.  I will be checking changes in to GitHub over the next few days, or if you're really itching for the changes let me know and I will send them to you directly.

Summary of changes

  • New section added for HTTP(S) response headers.  See the cookies set on the home page.  Not comprehensive, but somewhat insightful.
  • The code for the supported cipher suites section has been reworked.  Previously I was using HttpsURLConnection.  The section looks similar, but the code now opens a socket and negotiates the TLS handshake manually.  Manual negotiation opens up more opportunity to test for other vulnerabilities like Heartbleed.  The code is based upon code and suggestions by Thomas Pornin <pornin@bolet.org>, http://www.bolet.org/TestSSLServer/.
  • Server analysis.  This section provides a place for future analysis results.
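The manual negotiation in the second bullet is worth seeing in code.  What follows is an added example written for this post, not DeepViolet's code and not Pornin's: it builds a bare ClientHello for one protocol version, reads back the ServerHello or alert, and repeats with the selected suite removed from the offer until the server refuses, which is the enumeration TestSSLServer performs for each version.  Network I/O is replaced by a constructed in-memory peer (make_fake_server, a hypothetical stand-in) so the example runs offline; against a real host you would pass a function that writes the bytes to a socket and returns the first record read back.  With the version set to 0x0300 the same ClientHello is exactly the probe the POODLE post further down this page is concerned with.

```python
import struct

# Record / handshake constants shared by SSLv3 (RFC 6101) and TLS (RFC 5246).
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 1, 2
HANDSHAKE_FAILURE = 40


def build_client_hello(version, suites, client_random=b"\x00" * 32):
    """Minimal ClientHello (no extensions) that offers exactly `suites`, in that order."""
    body = struct.pack("!H", version) + client_random + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                               # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server sends back.

    Returns ("hello", cipher_suite) for a ServerHello, ("alert", description) for an
    alert, and ("other", None) for anything else (truncated data, unexpected message)."""
    if len(data) < 5:
        return ("other", None)
    record_type, record_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if record_type == RECORD_ALERT and len(payload) >= 2:
        return ("alert", payload[1])
    if record_type == RECORD_HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        hello = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        session_id_len = hello[34]                                    # after version(2) + random(32)
        offset = 35 + session_id_len
        return ("hello", struct.unpack("!H", hello[offset:offset + 2])[0])
    return ("other", None)


def enumerate_suites(version, candidates, exchange):
    """TestSSLServer-style enumeration for one protocol version.

    Offer every candidate still unconfirmed, record the suite the server picks, remove
    it from the offer and repeat.  The loop ends when the server answers with an alert
    (nothing left it is willing to use) or with a suite we did not offer."""
    remaining, accepted = list(candidates), []
    while remaining:
        kind, value = parse_server_response(exchange(build_client_hello(version, remaining)))
        if kind != "hello" or value not in remaining:
            break
        accepted.append(value)
        remaining.remove(value)
    return accepted


def make_fake_server(supported):
    """Constructed stand-in for a network peer, so the example runs offline.

    `supported` maps protocol version -> set of cipher suites.  The fake picks the first
    offered suite it supports (real servers usually apply their own preference order,
    which the enumeration loop tolerates) or answers with a fatal handshake_failure."""
    def exchange(client_hello):
        version = struct.unpack("!H", client_hello[1:3])[0]
        body = client_hello[9:]                                       # skip record(5) + handshake(4) headers
        n = struct.unpack("!H", body[35:37])[0]
        offered = [struct.unpack("!H", body[37 + i:39 + i])[0] for i in range(0, n, 2)]
        for suite in offered:
            if suite in supported.get(version, ()):
                hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
                handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
                return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake
        return bytes([RECORD_ALERT]) + struct.pack("!HH", version, 2) + bytes([2, HANDSHAKE_FAILURE])
    return exchange


if __name__ == "__main__":
    # Hypothetical server: TLS 1.2 and SSLv3 on, TLS 1.0/1.1 off, like the report below.
    server = make_fake_server({TLS12: {0xC02F, 0x002F, 0x0005}, SSL3: {0x0005, 0x002F}})
    candidates = [0xC02F, 0xC030, 0x002F, 0x0035, 0x0005]
    for version, name in ((SSL3, "SSLv3"), (TLS10, "TLSv1.0"), (TLS11, "TLSv1.1"), (TLS12, "TLSv1.2")):
        print(name, [f"0x{s:04x}" for s in enumerate_suites(version, candidates, server)])
```

A ClientHello with no extensions is enough for this simulated peer.  Real servers frequently want SNI and, for TLS 1.2, a signature_algorithms extension before they will select ECDHE suites, and they pick by their own preference order rather than the client's, which is why the loop removes whatever was chosen instead of assuming the first offer wins.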
More improvements to come as time and interest allow.  Many things remain to do: test for more vulns like Heartbleed, add headless capability for shell script support, print warnings for any certificates in the chain about to expire, etc.  I have highlighted the changes in blue.  Following is an updated anonymized sample report.


[Report run information]
DeepViolet V0.2
Report generated on Fri Nov 21 16:09:09 PST 2014
Target url https://www.company.com/

[Host information]
host=www.company.com [192.168.2.40], canonical=192.168.2.40
host=www.company.com [192.168.2.39], canonical=192.168.2.39

[HTTP(S) response headers]
<null> : HTTP/1.1 200 OK
Cache-Control : no-cache
Etag : "d96a82aa2cf7938c128047c07723239926e6091a"
Server : nginx
Connection : keep-alive
Set-Cookie : _xsrf=7a11255d19254540a9ae32d66814d585; Path=/; secure
Last-Modified : Thu, 20 Nov 2014 21:30:37 GMT
P3P : CP="CAO PSA OUR"
Content-Length : 125273
Date : Sat, 22 Nov 2014 00:09:11 GMT
Content-Type : text/html; charset=utf-8

[Connection characteristics]
SO_KEEPALIVE=false
SO_RECBUF=131400
SO_LINGER=-1
SO_TIMEOUT=0
Traffic Class=0
Client Auth Required=false
SO_REUSEADDR=false
TCP_NODELAY=false

[Host supported server cipher suites]
SSLv3
 - RSA_WITH_RC4_128_SHA(0x5) (STRONG)
 - RSA_WITH_IDEA_CBC_SHA(0x7) (STRONG)
 - RSA_WITH_AES_128_CBC_SHA(0x2f) (STRONG)
 - RSA_WITH_AES_256_CBC_SHA(0x35) (STRONG)
 - RSA_WITH_CAMELLIA_128_CBC_SHA(0x41) (STRONG)
 - RSA_WITH_CAMELLIA_256_CBC_SHA(0x84) (STRONG)
 - TLS_RSA_WITH_SEED_CBC_SHA(0x96) (STRONG)
 - TLS_ECDHE_RSA_WITH_RC4_128_SHA(0xc011) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xc013) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xc014) (STRONG)
 - TLS_ECDH_anon_WITH_RC4_128_SHA(0xc016) (STRONG)
 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xc018) (STRONG)
 - TLS_ECDH_anon_WITH_AES_256_CBC_SHA(0xc019) (STRONG)
TLSv1.2
 - RSA_WITH_RC4_128_SHA(0x5) (STRONG)
 - RSA_WITH_IDEA_CBC_SHA(0x7) (STRONG)
 - RSA_WITH_AES_128_CBC_SHA(0x2f) (STRONG)
 - RSA_WITH_AES_256_CBC_SHA(0x35) (STRONG)
 - RSA_WITH_AES_128_CBC_SHA256(0x3c) (STRONG)
 - RSA_WITH_AES_256_CBC_SHA256(0x3d) (STRONG)
 - RSA_WITH_CAMELLIA_128_CBC_SHA(0x41) (STRONG)
 - RSA_WITH_CAMELLIA_256_CBC_SHA(0x84) (STRONG)
 - TLS_RSA_WITH_SEED_CBC_SHA(0x96) (STRONG)
 - TLS_RSA_WITH_AES_128_GCM_SHA256(0x9c) (STRONG)
 - TLS_RSA_WITH_AES_256_GCM_SHA384(0x9d) (STRONG)
 - TLS_ECDHE_RSA_WITH_RC4_128_SHA(0xc011) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xc013) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xc014) (STRONG)
 - TLS_ECDH_anon_WITH_RC4_128_SHA(0xc016) (STRONG)
 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xc018) (STRONG)
 - TLS_ECDH_anon_WITH_AES_256_CBC_SHA(0xc019) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xc027) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xc028) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xc02f) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xc030) (STRONG)
TLSv1.1
 - No Ciphers ()
TLSv1.0
 - No Ciphers ()

[Server certificate information]
Trusted Status=TRUSTED
Validity Status= VALID.  Certificate valid between Mon Mar 18 17:00:00 PDT 2013 and Thu May 21 05:00:00 PDT 2015
SubjectDN=CN=www.company.com, OU=Operations, O="company, Inc.", L=New York, ST=New York, C=US
IssuerDN=CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial Number=17294881921818988019291918345699297521
Signature Algorithm=SHA1withRSA
Signature Algorithm OID=1.2.840.113549.1.1.5
Certificate Version =3
SHA1 Fingerprint=0x81:23:3F:98:93:0D:4E:B4:C9:38:D1:8D:E0:18:12:E5:01:A1:51:40
MD5 Fingerprint=0xEE:63:BE:4B:8E:57:8A:12:17:22:33:62:EE:78:6E:E6
Non-critical OIDs
  -AuthorityInfoAccess(1.3.6.1.5.5.7.1.1) = [ocsp=http://ocsp.digicert.com | caIssuers=http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt ]
  -SubjectKeyIdentifier(2.5.29.14) = <UNSUPPORTED>
  -SubjectAlternativeName(2.5.29.17) = [www.company.com | www.www.company.com ]
  -CRLDistributionPoints(2.5.29.31) = [http://crl3.digicert.com/ca9-g00.crl | http://crl4.digicert.com/ca9-g22.crl ]
  -CertificatePolicies(2.5.29.32) = [2.16.840.1.114412.1.1=qualifierID=https://www.digicert.com/CPS ]
  -AuthorityKeyIdentifier(2.5.29.35) = <UNSUPPORTED>
  -ExtendedKeyUsages(2.5.29.37) = [serverauth clientauth ]
Critical OIDs
  -KeyUsage(2.5.29.15) = [keycertsign ]
  -BasicConstraints(2.5.29.19) = []

[Server certificate chain]
Chain Summary, leaf --> root
|
|
End-Entity Certificate--->CN=www.company.com, OU=Operations, O="company, Inc.", L=New York, ST=New York, C=US
   |
   |
   Intermediate CA--->CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
      |
      |
      Self-Signed Root--->CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

[Chain details]
Validity Status= VALID.  Certificate valid between Mon Mar 18 17:00:00 PDT 2013 and Thu May 21 05:00:00 PDT 2015
SubjectDN=CN=www.company.com, OU=Operations, O="company, Inc.", L=New York, ST=New York, C=US
IssuerDN=CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial Number=17294881921818988019291918345699297521
Signature Algorithm=SHA1withRSA
Signature Algorithm OID=1.2.840.113549.1.1.5
Certificate Version =3
SHA1 Fingerprint=0x81:23:3F:98:93:0D:4E:B4:C9:38:D1:8D:E0:18:12:E5:01:A1:51:40
MD5 Fingerprint=0xEE:63:BE:4B:8E:57:8A:12:17:22:33:62:EE:78:6E:E6
Non-critical OIDs
  -AuthorityInfoAccess(1.3.6.1.5.5.7.1.1) = [ocsp=http://ocsp.digicert.com | caIssuers=http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt ]
  -SubjectKeyIdentifier(2.5.29.14) = <UNSUPPORTED>
  -SubjectAlternativeName(2.5.29.17) = [www.company.com | www.company.com ]
  -CRLDistributionPoints(2.5.29.31) = [http://crl3.digicert.com/ca9-g00.crl | http://crl4.digicert.com/ca9-g22.crl ]
  -CertificatePolicies(2.5.29.32) = [2.16.840.1.114412.1.1=qualifierID=https://www.digicert.com/CPS ]
  -AuthorityKeyIdentifier(2.5.29.35) = <UNSUPPORTED>
  -ExtendedKeyUsages(2.5.29.37) = [serverauth clientauth ]
Critical OIDs
  -KeyUsage(2.5.29.15) = [keycertsign ]
  -BasicConstraints(2.5.29.19) = []

Validity Status= VALID.  Certificate valid between Wed Apr 02 05:00:00 PDT 2008 and Sat Apr 02 17:00:00 PDT 2022
SubjectDN=CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
IssuerDN=CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial Number=13785899061980321600472330812886105915
Signature Algorithm=SHA1withRSA
Signature Algorithm OID=1.2.840.113549.1.1.5
Certificate Version =3
SHA1 Fingerprint=0x42:85:78:55:FB:0E:A4:3F:54:C9:91:1E:30:E7:79:1D:8C:E8:27:05
MD5 Fingerprint=0xC6:8B:99:30:C8:57:8D:41:6F:8C:09:4E:6A:DB:0C:90
Non-critical OIDs
  -AuthorityInfoAccess(1.3.6.1.5.5.7.1.1) = [ocsp=http://ocsp.digicert.com ]
  -SubjectKeyIdentifier(2.5.29.14) = <UNSUPPORTED>
  -CRLDistributionPoints(2.5.29.31) = [http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl ]
  -CertificatePolicies(2.5.29.32) = [2.16.840.1.114412.1.3.0.2=qualifierID=http://www.digicert.com/ssl-cps-repository.htm 1.3.6.1.5.5.7.2.2=Unhandled type, see log ]
  -AuthorityKeyIdentifier(2.5.29.35) = <UNSUPPORTED>
Critical OIDs
  -KeyUsage(2.5.29.15) = [nonrepudiation keyencipherment ]
  -BasicConstraints(2.5.29.19) = [TRUE 0 ]

Validity Status= VALID.  Certificate valid between Thu Nov 09 16:00:00 PST 2006 and Sun Nov 09 16:00:00 PST 2031
SubjectDN=CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
IssuerDN=CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial Number=3553400076410547919724730734378100087
Signature Algorithm=SHA1withRSA
Signature Algorithm OID=1.2.840.113549.1.1.5
Certificate Version =3
SHA1 Fingerprint=0x5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
MD5 Fingerprint=0xD4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
Non-critical OIDs
  -SubjectKeyIdentifier(2.5.29.14) = <UNSUPPORTED>
  -AuthorityKeyIdentifier(2.5.29.35) = <UNSUPPORTED>
Critical OIDs
  -KeyUsage(2.5.29.15) = [nonrepudiation keyencipherment ]
  -BasicConstraints(2.5.29.19) = [TRUE ]

[Server analysis]
ACHIEVABLE_ENCRYPTION_STRENGTH=strong encryption (96-bit or more)
CRIME_VULNERABLE=protected
MINIMAL_ENCRYPTION_STRENGTH=strong encryption (96-bit or more)
BEAST_VULNERABLE=vulnerable

The analysis for BEAST and CRIME is based on Pornin's code.  It's always possible I got something wrong somewhere.  Hopefully that's the case, or this anonymized site owner may be helping to spread some malware goodness (ouch).  A few caveats when reading the report: the (STRONG) label only classifies symmetric key length (96 bits or more), which is why the RC4 suites and the ECDH_anon suites, which authenticate nobody, are still marked STRONG; the BEAST result comes from the CBC suites still reachable over SSLv3, and SSLv3 being enabled at all is the larger problem now that POODLE is public; and the KeyUsage lines deserve a second look, since the report shows keyCertSign on the end-entity certificate and not on either CA certificate, the reverse of what a CA-issued server chain normally carries.
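To make that caveat concrete, here is an added example (mine, not DeepViolet's code) that parses the cipher suite section of a report like the one above, derives a strength bucket from the key length the suite name implies, and then lists what that bucket misses: SSLv3 still enabled, CBC suites reachable under SSLv3 or TLS 1.0 (the simplified BEAST rule used here, not necessarily Pornin's exact logic), anonymous suites, and RC4.  It also checks the Set-Cookie line from the headers section for the Secure and HttpOnly flags.  The REPORT_SUITES excerpt is constructed from the report above; the severity levels, bucket thresholds and function names are my choices.

```python
import re

# Lines of the report's "[Host supported server cipher suites]" section.
VERSION_LINE = re.compile(r"^(SSLv3|TLSv1\.[0-2])$")
SUITE_LINE = re.compile(r"^\s*-\s*([A-Za-z0-9_]+)\((0x[0-9a-fA-F]+)\)")


def parse_suite_section(text):
    """Turn the suite listing into {protocol version: [suite names]}; '- No Ciphers ()' yields []."""
    suites, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if VERSION_LINE.match(line):
            current = line
            suites[current] = []
        elif current is not None:
            m = SUITE_LINE.match(raw)
            if m:
                suites[current].append(m.group(1))
    return suites


def key_bits(name):
    """Nominal symmetric key size implied by a suite name (name-based, so only as good as the name)."""
    if "NULL" in name:
        return 0
    if "EXPORT" in name or "_40_" in name:
        return 40
    if "3DES" in name:
        return 112                         # effective strength of three-key 3DES
    if "DES_CBC" in name:
        return 56
    m = re.search(r"_(128|256)_", name)
    if m:
        return int(m.group(1))
    if "IDEA" in name or "SEED" in name:
        return 128
    return None


def strength_label(bits):
    """Bucket a key size the way the report's 'strong encryption (96-bit or more)' line does."""
    if bits is None:
        return "unknown"
    if bits == 0:
        return "no encryption"
    if bits < 56:
        return "weak encryption"
    if bits < 96:
        return "medium encryption"
    return "strong encryption (96-bit or more)"


def suite_findings(suites):
    """What the STRONG label does not say.  Returns sorted (severity, message) pairs."""
    findings = set()
    for version, names in suites.items():
        if version == "SSLv3" and names:
            findings.add(("high", "SSLv3 is enabled (POODLE); disable it"))
        if version in ("SSLv3", "TLSv1.0") and any("_CBC_" in n for n in names):
            findings.add(("medium", f"{version} negotiates CBC suites: BEAST exposure"))
        for n in names:
            if "_anon_" in n:
                findings.add(("high", f"{version}: {n} gives no server authentication"))
            if "RC4" in n:
                findings.add(("medium", f"{version}: {n} uses RC4"))
    return sorted(findings)


def cookie_findings(set_cookie):
    """Report Secure/HttpOnly flags missing from one Set-Cookie header value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [f"{name}: missing {flag}" for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


# Constructed excerpt of the report above (a few suites per version are enough to show the logic).
REPORT_SUITES = """\
SSLv3
 - RSA_WITH_RC4_128_SHA(0x5) (STRONG)
 - RSA_WITH_AES_128_CBC_SHA(0x2f) (STRONG)
 - TLS_ECDH_anon_WITH_AES_128_CBC_SHA(0xc018) (STRONG)
TLSv1.2
 - TLS_RSA_WITH_AES_128_GCM_SHA256(0x9c) (STRONG)
 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xc030) (STRONG)
TLSv1.1
 - No Ciphers ()
TLSv1.0
 - No Ciphers ()
"""

if __name__ == "__main__":
    suites = parse_suite_section(REPORT_SUITES)
    for version, names in suites.items():
        for n in names:
            print(f"{version:8} {n:45} {strength_label(key_bits(n))}")
    for severity, message in suite_findings(suites):
        print(f"[{severity}] {message}")
    print(cookie_findings("_xsrf=7a11255d19254540a9ae32d66814d585; Path=/; secure"))
```

An HttpOnly finding on _xsrf is informational rather than a defect: a CSRF token cookie that page JavaScript reads and echoes back in a request header (the double-submit pattern) cannot be HttpOnly, so confirm how the application uses the cookie before reporting it.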

For more information about DeepViolet see my original post, SSL\TLS Introspection or a more recent update on DeepViolet, DeepViolet Improvements for 2015.

--Milton

Monday, October 27, 2014

Banshee Chapter: Oculus Rift Edition

If you're lucky enough to own an Oculus Rift, Jamwix announced a free feature-length movie you can download.  Wish I could say more, but I don't own an Oculus Rift.

--Milton

Wednesday, October 15, 2014

Quick Information About POODLE SSLv3 Attack


Information about this breaking SSL attack is coming in from a variety of sources.  I'll share some of the better links.

A couple of articles to get you started, sent to me via Jan Schaumann (Twitter: @jschauma).  The Errata article describes browser settings you can apply to stop POODLE dead in its tracks.

Errata Security: Some POODLE Notes
Matthew Green: Attack of the Week, POODLE

Next, a link from Oona Räisänen (Twitter: @windyoona) for a POODLE test tool to check if your browser is vulnerable.

POODLE Test

For OS X users who would like to launch Chrome or Firefox with command-line options from the desktop, read on.

To launch it with a double-click from your desktop, create a bash script like the following.  Use vi, TextEdit, TextMate, TextWrangler, or your favorite text editor.

#!/bin/bash
#
# Launch Chrome with SSLv3 disabled (TLS 1.0 minimum), per the Errata Security notes.
# Quit any running Chrome first: command-line flags only take effect on a fresh launch.
open -a "Google Chrome" --args --ssl-version-min=tls1 &

Save the preceding to a file named chrometls.command.  Open the directory where chrometls.command is stored; on my system I keep scripts in ~/bin.  Next, make sure chrometls.command is executable by running the following.

chmod +x chrometls.command

Now open Finder and drop a copy of chrometls.command onto your desktop.  Double-click it and OS X will launch Chrome - bada bing, bada boom, you're done!

If the leftover Terminal window is messing with your OCD, there is an option to close shell windows automatically once the command or script terminates.  Open Terminal; in Terminal preferences, on the Profiles tab, you will see a drop-down, "When the shell exits".  Change the value to "Close if the shell exited cleanly".  After you launch the browser the shell window will close automagically.  I write shell scripts on occasion but not usually under OS X, so I thought I would pass this along for those in need.

When I run Chrome this way I see the Springfield Terrier, indicating I'm not vulnerable; the command-line arguments from Errata work for me.


--Milton


Friday, October 10, 2014

TED: Glenn Greenwald, Why Privacy Matters

At the TEDGlobal 2014 conference Glenn Greenwald (THE//INTERCEPT) gave his views on privacy in his session, VIDEO: Why Privacy Matters.  A focal point of Greenwald's session is a viewpoint held by many Americans: privacy is only important for those with something to hide.

Post Edward Snowden revelations, we know that since the 9/11 terrorist attacks the government expanded the scope of its warrantless surveillance operations to include average Americans (e.g., bulk surveillance).  When the news broke there were two sharply divided camps: those strongly opposed, and a much larger group of the public generally apathetic.  Most of those who are apathetic believe privacy is only important for those with something to hide.  They hold that bad people are people who plot terrorist attacks, engage in criminal acts, and have a reason to hide their activities.  Good people are people who go to work, raise children, watch television, use the Internet to read the news, find recipes, or plan kids' Little League games, etc.  These good people are doing nothing wrong, have nothing to hide, and therefore have no reason to fear government monitoring.  Greenwald explains that most of these people hold sharply divided world views and, in effect, deprecate themselves.

"The people who say that, that privacy is not really important, they don't actually believe it", Glenn Greenwald


Greenwald continues by explaining how noteworthy tech industry figures like Eric Schmidt (Google, Executive Chairman) and Mark Zuckerberg (Facebook, CEO) tell the public privacy is only for those with something to hide, yet take strong personal measures to safeguard their own privacy, a seeming double standard.  Returning to the apathetic point of view on privacy, Greenwald explains an approach to uncover how people truly feel about privacy.  He tells people to provide their user IDs and passwords for all their email accounts, including the secret ones, and other applications; he will then open each account looking for information of interest that he may decide to publish later.  Of all the people Greenwald has spoken with, none have taken him up on his offer.  His point is that everyone has at least some information they don't want to share publicly.  While most of us say we don't have much to hide, we don't desire to be completely open either.  Since we have always had an expectation of privacy (4th Amendment), it's difficult to appreciate how valuable privacy is until we no longer have it.

Greenwald goes on to describe a prison design called the Panopticon.  The salient point of the panopticon design is that it is not possible for inmates to know when those in control are observing them and when they are not.  The effect is that behavior options are reduced and inmate behavior is altered: a virtual prison within the mind of the inmate.  Greenwald says a similar situation has occurred on the Internet.  The combination of a lack of anonymity and constant surveillance creates an environment where the public self-censors and polices its own online behavior, a powerful virtual prison, like inmates in a panopticon.

--Milton

Thursday, October 9, 2014

PIN Number Analysis

Interesting article by Data Genetics on PIN analysis, sent via Bruno Borges (Twitter: @brunoborges).  I included one of their tables (photo to left).  As an example, if an adversary guesses PIN "1234" they will be correct about 11% of the time.  This implies that if they steal 100 ATM cards and try 1234 as the PIN they will likely succeed on 11 cards.  Furthermore, 26.83% of all PINs could be guessed choosing only numbers from the table - better odds than Vegas.  Readers will also learn how to choose better PINs, among other interesting PIN factoids.

--Milton

Wednesday, October 8, 2014

Admin: Testing out a Wider Format

Looks like everyone is using higher resolution these days so I'm experimenting with a wider format.  Send me a ping if the wider format is causing you some trouble.
--Milton 

Rare Footage of The 1914 Martian Conflict


Great martian war from PLAZMA on Vimeo.

I don't want to set off any War of the Worlds hysteria: this video is a total fabrication, but entertaining and realistic looking.  Rare footage of the 1914 Martian conflict, from the History Channel, via Cory Doctorow and Boing Boing.  See Doctorow's article for background.  Enjoy!

--Milton

Book: Spam Nation by Brian Krebs

Brian Krebs (Twitter: @briankrebs) of krebsonsecurity.com releases a new cyber security book, Spam Nation, on November 18, 2014.  Bloomberg Businessweek provides an interesting teaser on the book's Amazon page.  I don't have the inside track or an advance copy of this book, but Krebs is a talented writer, investigator, and presenter.  I'm sure it will make a great security book.  I have already pre-ordered my copy.

--Milton

Tuesday, October 7, 2014

CBS 60 Minutes: FBI Director On Threat of ISIS, Cybercrime

FBI Director James Comey goes on the record with Scott Pelley of the CBS show 60 Minutes in a video interview.  I gathered a few of Comey's remarks and provide some of my own commentary.  Security is like religion or politics: everyone has an opinion, and if you would like to share yours leave a comment at the bottom of the article.

"Cyber crime is becoming everything in crime"
Strongly agree.  Why?  The severity and tempo of security incidents continue to build momentum: Target, 40 million credit cards stolen; Home Depot, 56 million cards; and finally JP Morgan Chase ringing the bell at 76 million customers.  Cybercrime is where the money is, as the saying goes.  Large as these heists are, the largest to my knowledge is Heartland at around 100 million cards in 2009.

"Chinese hackers are like drunk burglars"
The point made is that Chinese hackers are not necessarily the best hackers, but they are pervasive and are invading businesses with significant intellectual property to lose.  Considering security from the attacker's perspective, why spend $100 million to develop a product, technology, or service when you can steal it for $1 million or far less?  The goals and funding of businesses and nation states are far different.  Corporate budgeting is a profit-and-loss game and there are constraints on what a security program can achieve, whereas funding for nation-state security programs almost certainly exceeds the entire software engineering budget of most companies.  Few corporate cyber defenses can withstand a direct assault by even moderately funded state programs.

"Cost of cyber crime in the billions"
I'm sure this is true, but since the cost is spread over an entire economy it's difficult to justify funding the war on data by individual businesses or organizations.  Governments must protect our cyber borders as well as our physical borders, since businesses are poorly equipped to do so.  We don't expect businesses to defend their properties with armed guards against invasion by other nations.  We should not expect businesses to defend their cyber borders from foreign invaders.  It's simply too much to expect from companies trying to make a profit, and it's not their job anyway.  National defense is a government responsibility; it always has been.

(security is in a) "much better place than 13 years ago"
I don't believe popular news reports support this conclusion.  In Comey's own words, cyber crime is becoming everything in crime, and I doubt he would have made the same claim 13 years ago.  I agree everyone has learned much more about security in the last 13 years, but so too have our adversaries.  Comey mentioned we are not perfect and have more work to do, with which I cannot agree more.  There is a need to be encouraging, but declaring the past 13 years a security victory is redonkulous.  Attackers are more emboldened and motivated than ever before.

"Apple's iPhone may be a threat to national security"
Don't believe it.  Washington is quick to sacrifice individual privacy rights in the name of business revenues or national security, but unwilling to demonstrate the tiniest shred of transparency in the name of its own credibility.  Complete secrecy around information security programs is so important to the government that it is willing to sacrifice the revenues of American businesses.  For instance, post-Snowden revelations make it well known that the NSA tampered with Cisco Internet hardware to achieve its electronic surveillance objectives.  Further, government surveillance activities impact confidence in American businesses in other countries and ultimately harmed revenues, according to Cisco.  Other companies have reported similar impacts, but precise industry impact figures are elusive.  It's also known that the government pressured Yahoo with a $250,000 per day fine for its refusal to release user data in 2007.  Now Yahoo and other tech giants are taking proactive measures like securing data between data centers to discourage warrantless searches and improve confidence abroad.  Most large companies compete in a global marketplace, so confidence in and the integrity of American products in other nations is very important to revenues.  Now Apple continues a similar trend, locking down warrantless iPhone searches in a bold move that has drawn some scrutiny from Washington.  Most US companies would rather not take sides on personal privacy issues, but they do so because lack of public confidence in their products and services impacts revenues.  American companies learned a valuable lesson: acquiescing to government demands may or may not be in the best interest of the people, but it's certainly not good for businesses competing in a global marketplace.

--Milton

TinyScreen .96" 16-Bit Color OLED Display on Kickstarter

.96" OLED project display with 16-bit color on Kickstarter, TinyScreen.   Makes a great screen for your next Ninja hardware security project.

--Milton

Movie: Blackhat

Official site for the Blackhat movie, www.blackhatthemovie.com, sent via Twitter: @DonaldOJDK.  Trailer is available on the movie site.  Please send any security or privacy movies to me.

--Milton

Monday, October 6, 2014

JavaOne 2014 USA, Security Track Amazeballs!

JavaOne 2014 USA concluded October 2, 2014 in San Francisco, California.  The war on security sometimes takes its toll on all of us.  This year, whenever I feel depressed I pull out my Nerf Duke, give him a squeeze, and reflect upon what we all did at JavaOne 2014.  The JavaOne security track was, hands down, amazeballs!

"JavaOne is the first developer conference to dedicate an entire track to security." Frank Kim SANS Institute


During the Call for Proposals (CFP) the submissions for the security track stalled until the very last week.  I was really wondering if I would have to give up on the security track.  Teammates told me not to worry, since it's normal for submissions to come in late.  The idea of throwing in the towel on the security track was depressing.  According to Frank Kim of SANS Institute, "JavaOne is the first developer conference to dedicate an entire track to security".  In the last week of the CFP more than three quarters of the submissions for the security track rolled in.  The moral of the story?  Unless you want this track leader to have a heart attack, get your submissions in early ;o)
Photo: JavaOne 2014 keynote

Photo: Oracle Customer Appreciation Event
This year security was highlighted early at JavaOne.  In fact, security made it into the JavaOne keynote presentation given by Georges Saab (Twitter: @gsaab).  In his slides (photo on right) Georges is noting facts about the security track at JavaOne, in particular my security track opening presentation and the new web appsec book I finished with Manico (Twitter: @manicode) and Detlefsen (Twitter: @codemagi).  A little birdie told me Georges was surprised how many comments and retweets he received on all this security stuff, lol.  Well, it's because me, all my friends, and many others live, breathe, and eat security day and night.  A slide or two on security at a developer keynote is a huge positive and just the right level of attention on web application security.  Sorry we tweet-slammed you, Georges, but much appreciated!

On Wednesday Oracle held the Customer Appreciation Event.  How was it?  Fan-freaking-tastic is the word that comes immediately to mind.  Employees are not generally invited to the customer event; I received two tickets in an odd quirk of fate.  A quick call to my wife, she arrived a few hours later, and we were off to see the event.

Photo: book signing event at Oracle book store
The appreciation event was incredible.  Aerosmith was great.  I checked Wikipedia and it reported Steven Tyler's age as 66.  Phew, I hope I can perform at such levels at age 66.  Likewise, Macklemore was great.  I recognized a few of their songs and enjoyed their music.

The appreciation event left me with about 3 hrs of sleep, and there was lots happening on Thursday.  I had to arrive at the conference early, lots to do.  No sleeping in for me.  I downed a Starbucks Venti Pike Place, a Red Bull, and another Starbucks coffee when I arrived at the hotel.  I would do it all over again; the event was great.
Photo: NEC biometrics at Open World
This month was the release of our new web application security book, Iron-Clad Java.  The Iron-Clad Java team, Manico, Detlefsen, and me, had a book signing over at the Moscone Center.  Unfortunately, it was a bit of a bust for book signing.  The book signing was scheduled in the wrong venue, at Oracle OpenWorld.  We signed a few books, but honestly everyone who would like our book was attending JavaOne, two blocks away.  Oracle reminds me of my Marine Corps days: requisition 1000 rolls of toilet paper and receive 1000 lightbulbs.  As long as 1000 of something was delivered on time, Logistics never cared.  I wanted to rest on the couches and chat with friends anyway.

While over in the OpenWorld vicinity, I later headed to the vendor floor to visit my friend Beau Broker at NEC.  Beau showed me some pretty interesting facial recognition software from his company.  In the photo (on left) you can see how it recognizes Beau's face after he's registered with the system.  It's pretty interesting technology, and it's also available on mobile and tablet devices.  The technology is multi-purpose and may be used to unlock a desktop or recognize unauthorized individuals in a crowd.

Finally, I will finish up with a selfie photo of the crowd at my security track opening session.  This is my view from the podium.  It's amazing how far the security track has come in a short time.  The first year I presented at JavaOne there was no security track; something like 47 people attended my session, and most found their way to my session purely by accident.  No credit to me; attendees are interested in learning security.  Now we are filling security sessions with developers across the security track.  All these bright minds eager to learn about Java security give me hope.  Message to me and Oracle: developers care about security.  Hat tip to Oracle for taking a chance on a security track in one of the world's most expensive conference venues.  Bringing a security track directly to a developer conference is innovative and has a tremendous impact on developers, and I challenge more developer conferences to do the same.


--Milton
Saturday, October 4, 2014

Worlds Most Interesting Java Developer on Web Application Security

Yes, indeed, I know this is totally a shameless plug for friends but I did make you laugh, right?  Iron-Clad Java

--Milton

Thursday, September 25, 2014

Null Search Term

Take a look at these Google search terms people use to locate my site.  Securitycurmudgeon.com is appropriate.  Traffic lights makes sense, since I had an article about hacking traffic lights.  Think outside the keyboard, getting colder.  Null, freezing cold.  People searching for null find my site?  It seems more believable that it's a Google search or Blogger bug.  Hmm, what can we do with this?

--Milton 

Forbes: People With Bad Credit Get Surveilled Cars With Remote-Kill Switches

Interesting article, "People With Bad Credit Get Surveilled Cars With Remote-Kill Switches", by Kashmir Hill of Forbes, describes new techniques creditors use to creatively secure their debt.  Technology impacts us in ways that are difficult to predict or imagine.  I would not be surprised to see a kill switch legislated into every new car someday.  California has already done so with smartphones.

--Milton

Tuesday, September 23, 2014

Securitycurmudgeon.com: Two years and One-Hundred Posts Later

I have been blogging for about two years now and have written one hundred published posts on all manner of security and privacy subjects.  In fact, this is post one hundred.  I enjoy writing on the side, so I took up blogging mostly as an experiment.  If you're interested to learn more about my experiences security blogging, please read on.

Following are some of my top articles over the last two years, some figures related to readership, and some lessons learned along the way you may find useful for your own blogging.  Feel free to send me any of your lessons learned or ideas for improvement.  Any lessons I don't have to learn painfully on my own are welcome, I'm serious.

Top 5 Pageviews

Following are the top blog articles with the highest number of pageviews and a small synopsis for those interested.

1) Tracking Aircraft on Raspberry PI
Hardware and software project combining a Raspberry Pi single-board computer, an RTL software-defined radio dongle, and the dump1090 software into an ADS-B commercial aircraft receiver

2) So You Want to be a Security Professional?
Information about the security profession for those exploring a new career in security.  Various roles in security and challenges common throughout the profession are covered

3) The Most Difficult Thing About Raspberry Pi
My experience building a Raspberry Pi single-board computer with a 2.8" TFT display

4) Measuring Internet Connection Throughput
Java program to measure Internet connection bandwidth over time

5) Google Hacking -- Blast from the Past
Use of advanced Google search operators to find information of interest.  Has helpful implications in day-to-day searching, but I also provide some thoughts and examples of what Internet adversaries can do.
Chart: securitycurmudgeon.com pageviews per month

Monthly Pageviews

The chart (on left) shows the pageviews since July 2010.  I think the chart is not entirely accurate for a few reasons: 1) I didn't start blogging about security until a couple of years ago, 2) I moved the site to WordPress for a short period (gap in coverage), 3) pageviews in the last 30 days top out at almost 6000.  Still, it's useful to get some idea of the overall trend.


Lessons Learned

There are many lessons learned about building and operating a web site, and I will share some of them.

Link Allergies
Readers don't like to navigate too deeply for content.  The lesson learned, if you want readers to see something then place all the content on a single page.  Pageviews drop precipitously with each degree of separation from the primary post.

Cross-Referencing Related Content
Often readers may not know about other related content.  Including a link or two to other related articles or follow-ups is sometimes helpful to readers.  Everything must be considered from the readers perspective.

Small Posts Published Regularly
Most people prefer small regular posts as opposed to massive multi-page articles.  It makes sense given the amount of competition for reader attention.  Sometimes a post of only a few sentences at the right moment in time can have tremendous positive impact.

More Posts = More Views = More Readers
You may think that readers read only the new content but you would be surprised.  Readers also read older content.  With search engines, readers can land on any of your posts and often do.  Each post developed is one more reason readers have to visit your site.  Consider each post an asset with a long shelf life.

Do Something
Personal opinion is great but reader attention is a precious commodity.  Readers like news, technical articles, and projects that have practical value or are at least interesting to them.  Some amount of personal opinion provides style for your site but too much is perceived as fluffy, not useful, and perhaps even a waste of reader time.

SEO & Promotion
Promotion sucks but it's unfortunately absolutely essential.  Without some promotion even the best articles in the world will go completely unnoticed.  Promotion is messy business, especially self-promotion, since it's a complete turn-off to readers.  Expanding your reach by providing presentations, articles, and books is an investment since content may be long lasting and boost pageviews to your blog.  You need to be concerned with SEO or the search engines will forget about your site.  Yoast makes an SEO plugin for Wordpress but they also provide some information about SEO in general.  It's worth educating yourself.

If you have a passion for security and like to write then blogging is a powerful tool.  If you're mostly interested in fame and fortune and driving ad revenue to pay your bills you will need to choose a subject with broader appeal, or at least it would be a safer bet to do so.

At almost 6000 pageviews per month and growing, securitycurmudgeon.com is far better than I ever expected for a defensive blog on application security.  Outside of the world's largest security conferences like RSA, Blackhat, DEFCON, Gartner, etc., many security conferences have fewer than 2000 attendees and many even less than that.  I try to imagine everyone at a conference like that reading this blog, phew, crazy.  Of course, pageviews is not the same thing as number of readers.  Some readers read more than a single page so the 6000 pageviews is definitely fewer readers.  Still, even if the number of monthly readers is half the number of pageviews it's far more readers than I ever thought would be interested in security and privacy.

The only reason I care about pageviews is that it's a rough gauge of reader interest in securitycurmudgeon.com.  It's every writer's desire to craft content readers find interesting and relevant.  Security and privacy is a passion of mine and likely yours if you're reading.  Thanks for following along over the years and I look forward to continuing for many more.  It's been a pleasure to write for you, sincerely!

--Milton

OWASP AppSec 2014 USA in the Rear View Mirror

This year's OWASP AppSec 2014 USA was held in Denver, Colorado.  The downtown Denver metro was a great location.  Plenty of stores, restaurants, and great evening walks for the adventurous.

In one of the conference sessions, Static Analysis for Dynamic Assessments presented by Greg Patton with HP Fortify, he describes a new process for reviewing dynamic web app data with static analysis tools.  Patton developed a security tool, RIPSA, which he uses for downloading dynamic web site content.  Tools like SiteSucker have been around for a while but they are of limited usefulness when working with dynamic content.  RIPSA bridges the gap and allows downloading dynamic content to a local working directory.  Once the dynamic content is downloaded, traditional static analysis tools may be leveraged.

Patton mentions the top vulnerability they usually find with the approach is DOM based XSS.  I don't think the RIPSA tool is necessarily too special but the idea of using static analysis on dynamic content is impressive and opens up a completely new way to use static analysis tools.  I apologize in advance, I don't have a RIPSA link.  I contacted Patton but he did not respond in time for this post.  Patton's approach is creative, rock on!

Another session, Reverse Engineering a Web App, described the process of reverse engineering web applications and perimeter WAF detection techniques.  The session was more or less what I would expect, except a tool was presented that was new to me, OSSEC.  OSSEC is an open source host IDS.  If you are in need you may wish to investigate.  I always like new tools.

Photo: Skycure threats for San Jose, CA
At the event, Skycure provided an innovative product demonstration.  The photo shows a real-time display of threats from their web site.  There is also a companion application that runs on the mobile device and likely uploads intelligence data to their central service.  Skycure describes the overall advantages for customers broadly as: seamless, cross-platform, built for enterprise, visibility, device protection, and crowd wisdom.  The web site is a little short on technical detail so it's not clear exactly which threats are included in the analysis or mitigated, but I'm assuming rogue APs at a minimum.

Photo: Iron-Clad Java book
Signing my first copy of Iron-Clad Java at the conference was a reality moment for me.  The only time my autograph was previously requested was signing Visa receipts at the cash register.  At the conference we discussed and agreed to start another book project.  The new Iron-Clad book project team is Jim Manico (Twitter: @manicode), August Detlefsen (Twitter: @codemagi), Eoin Keary (Twitter: @EoinKeary), and myself.

We all enjoyed working together on the last project and thought Eoin would make an interesting addition to the team.  No idea about publisher or content yet; still working out the details.  More on that later.

Now that AppSec USA is past it's back to JavaOne.  JavaOne starts next week.

--Milton
Monday, September 22, 2014

The New York Times: Ex-Employees Say Home Depot Left Data Vulnerable

In my post, The Home Depot Letter of Shame, I mentioned the "I told you so's" we would hear from former employees.  It's unusual I receive such instant gratification after I post an article, but nevertheless following is a report from The New York Times, Ex-Employees Say Home Depot Left Data Vulnerable.
"But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees."
Apparently Home Depot ex-employees had a wealth of information,
"Some members of its [The Home Depot] security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores."
Ignored warnings from security staff were also noted in the Target incident.  Target ex-security staff warned management long in advance but management refused to acknowledge concerns.  In both these cases, the companies had advance knowledge that security weaknesses existed, willfully refused to improve, and even ousted outspoken security staffers to the peril of cardholders.

--Milton

The Home Depot Letter of Shame

The letter sent by The Home Depot to customers (on left, click to enlarge) about their recent security incident.  I can only think of 56 million reasons why this letter is unacceptable.  Offering free identity services is helpful but it's entirely irrelevant to the top concern - poor security.  A more satisfying plan would be additional transparency around security efforts, communicate an improvement plan, and regular public reports of progress against the plan.  In testimony to Congress Target provided several assurances and the first item on the list,

"First, we are undertaking an end-to-end review of our entire network and will make security enhancements, as appropriate."  [Target to Congress]

The Home Depot seems to be following Target's game plan.  However, due to the lack of transparency at The Home Depot it's not clear the actions taken address the security concerns.  Perhaps as the investigation progresses more communications are forthcoming.

I'm seeing a trend, a public weary of excuses around poor security and lackluster responses.  If this incident takes a similar trajectory to the Target incident, I would not be surprised to see some executive turnover, finger pointing, and "I told you so's" from ex-security staffers in the coming months.  Given the magnitude of this incident, we may even see renewed enthusiasm from Congress on security.

--Milton

Tuesday, September 16, 2014

Password Managers Gain Traction on iTunes

1Password from AgileBits is climbing the charts in the iTunes store.  It's awesome to see the public gives a damn about keeping their passwords safe and is hauling out their wallets to do it.  1Password, a security app, beat out Photoshop, redonkulous!

Incidentally, a password manager keeps your passwords in an encrypted database accessible only to you.  Historically, people kept passwords under keyboards, written in notebooks, on sticky notes, or in Excel spreadsheets.  This is not secure at all.  Most people have several passwords to remember.  If you're in the technology business like me, you may have hundreds of passwords to remember.  Keeping them secure and easily accessible is where password managers are helpful.  Other password manager options are available like Robo Form, LastPass, KeePass, and Password Safe.  A few of them are free if you're on a budget.

I use 1Password on OS X and Windows and love it.  I have both Windows and OS X computers so it's handy for me.  I store my password database on a Google Drive so I have access to my passwords from any computer.  If my computer crashes, all data is backed up by Google and I never lose access.

A final note: no program is perfect and password managers are no exception.  Sometimes auto-completes for web page credentials do not work as expected.  There have also been some security issues from time to time.  Overall these guys are serious about security, it's their business and livelihood, and password managers are overall very useful tools.

--Milton


Monday, September 15, 2014

Power-Leveling Your Computer Security Career


You did the impossible and landed a job in the high tech world of computer security.  Now you have a few years in the security profession and some days security is like mission impossible.  Leadership is cutting the security budget, engineering has little regard for security, compliance always takes top priority, engineers endlessly debate whether a bug is a security concern, and even when they agree security bugs are a concern they are placed at the bottom of the pile.  Is anyone listening to you?  Does this sound like you?  Wondering how to show some success and take your career to the next level?  If you're just getting started in security then I recommend a previous post, "So You Want to be a Security Professional?"

First things first: take a deep breath, now let it out, and congratulate yourself - you're a security professional.  Computer security is a really tough job and it does not take a computer security professional to figure that out.  There's hardly a week that passes without a new security headline in the popular media.  Somewhere in the middle of all this conflict is you - trying to get some work done.  I will share a few observations along the way you may find helpful in your career.

Be positive
This point is somewhat a generalization of all the following points but I don't want this important message to get muddled - be positive.  Unless you're selling security products, security is a business where bad news abounds.  A challenge with communicating negative news is that most people have a very limited attention span for bad news.  Once you cross the limit, they disengage.  If news is frequently negative and delivered with copious emotion, people have a natural defensive mechanism to marginalize the concerns.  We all do this.  The point is don't alienate yourself since it does not help your mission.  Fear is a motivator but fear mongering will get you ignored.

Don't be overbearing
Often new security professionals learn quickly the true state of security and when they do it terrifies them.  The problem is that while your security concerns for the company may be justified, if you come across as continuously overbearing people will avoid you.  If you're continually communicating your requests by sending down lightning bolts from Mount Olympus, sooner or later people stop paying attention.  This takes us to the next point.

Let your words matter
When you communicate, don't communicate too many issues at once; be brief and tightly focused.  This is especially important if you communicate up the ranks to superiors.  It's likely your superiors receive many more emails than you, so control your communications.  Don't include any information that does not support your points.  Don't include individuals in your email distribution that are unnecessary or not supportive of your topic.  Big distributions generate more opportunity for distraction and further communications that may take many follow-up emails to resolve.  Extraneous communication is exhausting for you and a poor use of others' time.  Consider alternative ways to communicate if it's faster and generates fewer questions: a quick phone conversation, 15 min or 1/2 hr face to face.  Unless you're communicating with colleagues of many years, don't include emotion, humor, or irony in your communications since it's easily misinterpreted by others.  When you tightly manage your communications, communicate only your top priorities, and wordsmith every word, people will start paying attention to what you say.

Be accurate
Often people conflate facts, hearsay, and emotion when they communicate.  Part of making your words matter is that when you communicate you're always right.  If you make a statement, try to include facts so your managers understand your thought process.  Help them arrive at your same conclusions.  Interestingly, if you are wrong others will usually share why and you will learn.  There's more room for unsubstantiated personal opinion as you build your expertise, but until the day when you become the expert, quoting them occasionally will not hurt your cause.

Be a good listener
When you're contributing in a group discussion, meeting individually, or reviewing email, pay attention to every word communicated.  Then think about the information not being communicated to you.  What's missing?  How is the information being communicated to you?  Is the discussion evoking some passion?  You can learn much about how people feel on a topic or what they know simply by being a good listener.  Don't be the one in the room that is thinking of the next thing they are going to say or add to the conversation.  Instead give the speaker your full attention.  Similarly, if you're reviewing technical documents for security approval, think about the design being presented and also what may be missing.  It's often the information that is missing, purposely suppressed, or refactored into something more pleasing that is most pertinent.

Know your place within the organization ecosystem
Your job in computer security is to defend the business as a trusted business partner.  The goal is not necessarily to reduce risk to zero.  Understand your threat landscape.  Any unreviewed areas of software code and supporting infrastructure are a huge risk since they have not been properly quantified.  You need to understand the threat landscape.  Use some creative thinking; there are often ways to mitigate risk or perhaps accept the risk for a short time while more systemic remediation is applied.  Do some horse trading with IT staff.  If you have "No Powers" or veto authority, use them very sparingly.  Keep in mind, if you use your veto authority be prepared to defend yourself to top leadership.  They will think creatively so it's better if you explore all the options prior to any escalations.  If you think security's only job is to point out all the flaws in the datacenter and applications then you have a lot to learn.  Own and assume some of the risk, help others make the best decisions for the business, and you will earn respect.  Be a problem solver, not the problem.

Education and self-improvement
Education is somewhat like financial credit.  You can't get credit unless you have a credit history but how do you get started?  Likewise, business requires employees skilled in technology areas that are applicable to the business but seldom do businesses allocate regularly scheduled technical training sessions.  Companies are trying to save money everywhere and education is no exception.  Conference budgets, book budgets, in-house classes are greatly curtailed and sometimes none are available at all.  Often employees in the trenches, who need training most, don't receive it.

Some of my best training comes from "brown bag" lunch sessions where employees bring a lunch, set up a projector in a conference room, and watch some training videos while everyone eats.  Most of us eat every day so you would be surprised how much you can learn after a few months.  I learned the basics of Java programming at brown bag lunches years ago.  My advice is take some responsibility for training on your own.  Dedicate at least some time each week to education and self-improvement.  It's in your best interest to invest in yourself.

Job commitment
If you want to be a 9am to 5pm worker there's a place for you but it's not at the top.  The higher you climb up the corporate ladder the more dedicated you must become.  Life at the top comes with privileges but you might not like what you need to do to earn those privileges.  In my experience, top leaders are very dedicated and work many hours.  This is especially true for people and projects that require management across global boundaries.  If you see your manager skipping out of the office early at 3pm on a Friday, make sure you pay attention to the after hours meetings with overseas teams, midnight calls when production servers crash, emergency off hours budget approvals to get critical business accomplished, and your last minute vacation requests.  If you want to be in your manager's position make sure you consider all the duties of the role, not only the perks, before you make a choice or criticize.  Being honest with yourself and understanding what is important to you will keep you happy on the job and a pleasure for everyone else to work with.

Separate success of security from your personal success
I know it seems like an oxymoron but let me explain: security is like medicine and your role in security is much like a doctor's.  Many people smoke and lead unhealthy lifestyles.  When the doctor meets these individuals they treat their conditions and encourage good health.  Sometimes a condition is not curable but doctors often make life more comfortable.  The doctor never shoots the patient dead because the patient is too sick.  The doctor always does their best, with a professional attitude, and encourages the patient.  Doctors make good role models for security professionals.  People will not remember your personal challenges or how demanding they were on you.  They will remember how you treated them and addressed their concerns.  Don't let your passion for security or doing things correctly jeopardize how people feel about you.  Sometimes in security there are forces in an organization that are beyond your ability to influence to a successful outcome.  Do your best, and if you fail, do what doctors do: move on and save another patient since there are many.

To say security is challenging is an understatement.  It's a profession rife with conflict and challenges.  Moving beyond the security professionals in the crowd requires tools to communicate with top leaders.  Top leaders are creative problem solvers, accept responsibility, know when and where to speak and to whom, choose their words carefully, stay on top of the news and educate themselves, are committed, and get results.  You will need to become more like your managers to enter into their ranks.

Changing the environment around you is tough but you always have the power to change yourself.  I admit it's not easy to change yourself, but to the degree you do, you will become more respected, well liked, and win more supporters, which will only help you.

--Milton