BlackHat Without The Drama

Well another BlackHat is in the books and another round of vulnerabilities have been disclosed and bantered about. I was fortunate enough to be able to attend this year as a panelist on the Laws of Vulnerabilities 2.0 discussion. While I was happy and honored to be invited, I wanted to draw some attention to another talk.

No, I’m not talking about the SSL issues presented by Dan Kaminsky or Moxie Marlinspike. Nor am I referring to the mobile SMS exploits. Each year you can count on BlackHat and Defcon for presentations and displays in lots of interesting security research and incredibly sexy vulnerabilities and exploits. Every year attendees walk away with that sinking feeling that the end of the internet is nigh and we have little hope of diverting it’s destruction. But, despite this, we have not shut down the internet and we manage to continue to chug along and develop new applications and infrastructure on top of it.

I was able to attend a session on Thursday that explained and theorized about why this all works out the way it does. It was the final session of the conference and unfortunately was opposite Bruce Schneier, which meant a lot of people that should have seen this, didn’t. Of course, Bruce is a great speaker and I’m sure I missed out as well, but hey that’s what the video is for.

David Mortman and Alex Hutton presented a risk management session on BlackHat vulnerabilities and ran them through the “Mortman/Hutton” risk model – clever name indeed. They included a couple of real-world practitioners and ran through how these newly disclosed vulnerabilities may or may not affect us over the coming weeks and months. They were able to quantify why some vulnerabilities have a greater affect and at what point in time they reach a tipping point where a majority of users of a given technology should address.

David and Alex are regular writers on the New School of Information Security blog and will be posting their model in full with hopes of continuing to debate, evolve and improve it. Any of these new security vulnerabilities concern you? Go check out the model and see where they stand.

Note: This post was originally published on CSO Online.

Crowdsourcing Payment Security

In my inaugural post to this blog, I wrote about many of the religious wars that break out today regarding payment security and specifically PCI. In the post I mentioned the OWASP PCI project, which is a solid step in the right direction, but to be clear, payment security encompasses a lot more than just PCI. PCI does a decent job at setting an audit bar for merchants and service providers, but now I’d like to focus on the broader topic of card not present security.

Recently, I was lucky enough to participate and contribute to a new O’Reilly book, Beautiful Security. While I’d love to tell you my chapter out-shined them all, in reality Mark Curphey’s contribution on Tomorrow’s Security Cogs and Levers was brilliant. Since the publishing, I have been speaking to a lot of people on the topic of payment card security and what I felt were some of its fundamental flaws that needed to be addressed. In my view, the root cause of many of the security pains around online payments is the reliance on a shared secret that is ultimately shared with hundreds or even thousands of parties within the life of a card. If there is a security crack in the armor within even a single organization of these thousands of handlers, the card account may become breached. Within my chapter, I laid out seven fundamental requirements for a new payment security model. They are:

1. The consumer must be authenticated
2. The merchant must be authenticated
3. The transaction must be authorized
4. Authentication data should not be shared outside of authenticator and authenticatee
5. The process must not rely solely on shared secrets
6. Authentication should be portable
7. The confidentiality and integrity of data and transactions must be maintained

OK, so none of these are a revelation, you knew this already. Well that’s why I am posting this here. I have since converted my Beautiful Security contribution into a wiki found here. My original writing is a high level design and we now want to take this to the next step. I am certainly not foolish enough to believe there are no flaws within it, nor is it detailed enough yet to implement. This is where the security and payments folks come in. This a call to action to read through the wiki, update it, and begin to flash out the details that could turn this into an actionable payment security system that could be implemented. There’s a quick summary of the goals on the wiki home page to address where we are heading. But hey, this is a wiki, so those can change too! If you have some expertise in online payments or information security (I know you do, that’s why you’re here), please take the time to help out and contribute.

Note: This post originally published on CSO Online.

OpenID Publishes Security Best Practices

A set of security best practices were recently published via wiki for users, providers, and relying parties of OpenID. Someone had recently asked me about a specific application that sits on top of OpenID and what I had thought of the security behind it. In the process of digging through it, I came across this newly developed Security Best Practices wiki.

Let me first apologize to my friend for getting a bit side-tracked off of his original question, but having written about OpenID about a year and a half ago, I felt the need to go through this and find out if any of the original concerns I had expressed had been addressed.

After going through the wiki, it’s mainly common sense security controls you would expect organized by audience for end users, OpenID providers and relying parties. That said, one thing really struck my eye:

“Relying Parties should not use OpenID Assertions to authorize transactions of monetary value if the assertion contains a PAPE message indicating that the user authenticated with Assurance Level NIST Level 0.”

This is big. Did I overlook these assurance levels contained within PAPE messages last year? I essentially had two gripes about OpenID, one being there are a lot of OpenID providers but not nearly enough relying parties (this is still the case IMHO), and two; setting up a relying party required you trust the authentication levels of the OpenID providers. While authentication control details are not revealed to the relying party (this is probably a good thing), this gives the relying party some level of assurance and the ability to pick and choose which OpenID providers they trust  to authenticate their users. I had previously complained that any site falling within a scope of a number of regulations wouldn’t really have the option of becoming a relying party, this may change that. As an example, if my application requires two factor authentication, as a relying party I know at a minimum the PAPE message must contain an Assurance Level of 3 or higher to meet my criteria. Here’s a link with more details to the various NIST assurance levels.

What do you think? Does this make OpenID more viable beyond the social media sites? Why? Why not?

UPDATE: Originally posted on CSOonline.

Beautiful Writing

UPDATE: A decent round of commentary going on about this on the PCI Answers blog. I’ve added my two cents within the comments. You can read through the discussion here.

I have been lurking in a lot of the usual places lately listening and reading to all the commentary about payment security thanks to the Heartland Payment Systems incident. I’m not going to comment on the incident here, there’s already plenty of people offering up their opinions.

What do I want to mention about all this chatter? You are having the wrong debate! So many people in security are talking about what this means for PCI. Is PCI effective? Was their an issue with the assessment? To this I say “it doesn’t matter”. None of this is the root cause.

Jeremiah Grossman has a really good post on aligning incentives here. This is getting much closer to the real issues in payment security. Want to know more? Well this is where my shameless and disgusting self promotion comes in. 🙂

I have had the privilege of participating in writing a new book for O’Reilly, Beautiful Security. For those of you not familiar with the series, this is a follow-up to Beautiful Code and Beautiful Architecture. It’s a compilation where each author contributes a single chapter on a security topic, mine being securing ecommerce transactions. Below is the product description as found on Amazon:

“Product Description
In this thought-provoking anthology, today’s security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.

Among the book’s wide-ranging topics, you’ll learn how new and more aggressive security measures work — and where they will lead us. Topics include:

• Rewiring the expectations and assumptions of organizations regarding security
• Security as a design requirement
• Evolution and new projects in Web of Trust
• Legal sanctions to enforce security precautions
• An encryption/hash system for protecting user data
• The criminal economy for stolen information
• Detecting attacks through context

Go beyond the headlines, hype, and hearsay. With Beautiful Security, you’ll delve into the techniques, technology, ethics, and laws at the center of the biggest revolution in the history of network security. It’s a useful and far-reaching discussion you can’t afford to miss.”

Special thanks to Mark Curphey and John Viega for involving me in this project. Lots of other authors much smarter than I such as Anton Chuvakin, Mudge, and others. All author proceeds are being donated to charity (IETF), another fantastic reason to pickup a copy!

Let’s stop arguing about how to build a better band-aid. It’s time to start talking more about addressing the root cause issues, and spend less time on the religious churn and debate around specific compliance requirements.

Heads Up!

Well I haven’t posted anything here in quite a while, but I really do have a good excuse this time. Not the usual been busy with work, life, etc. Watch for a follow-up post in the near future discussing some of the stuff I have been busy working on. In the meantime, there are a couple of items I just wanted to throw up here to make everyone aware.

1. This Thursday, November 13, is the Chicago OWASP meeting. Scott Stender from iSec Partners will be presenting on Concurrency Attacks in Web Applications, and Thomas Ptacek from Matasano Security will be talking about The Seven Deadly Features of Web Applications. You can find all the details on the where, when, and who here. I plan on attending and hope to see everyone there.
2. The 8th Annual Workshop on Economics of Information Security recently put out their call for papers. Next year’s conference will be held at University College London. More details on the conference here and great resources on the topic of economics in information security can be found here.

Apologies for the link dumping. I will follow this up very soon with some more interesting news.

OWASP Chicago

Just a quick post to remind all of you in and around Chicago that the local OWASP meeting is this Thursday, 6pm local. Two really good speakers will be there, Jeremiah Grossman from WhiteHat Security and Rohyt Belani from the Intrepedus Group. You can find out more at the OWASP Chicago chapter page here as well as RSVP.

Here are the presentation extracts and bios. I hope to see everyone there, it should be a good turn out.

Bad Cocktail: Spear Phishing + Application Hacks

Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies…..and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a “hackers” repertoire. Phishers are combining social engineering with application security flaws in well known websites to make automated detection of targeted phishing attacks almost impossible. The result – hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.

Rohyt Belani is a Managing Partner and co-founder of the Intrepidus Group and Adjunct Professor at Carnegie Mellon University. Prior to starting the Intrepidus Group, Mr. Belani has held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT.

He is a contributing author for Osborne’s Hack Notes – Network Security, as well as Addison Wesley’s Extrusion Detection: Security Monitoring for Internal Intrusions.

Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, DallasCon, CPM, ISSA meetings, and several forums catering to the FBI, US Secret Service, and US Military.

He has written technical articles and columns for online publications like Securityfocus and SC magazine, and has been interviewed by BBC Radio, Forbes magazine, TechNewsWorld, InformationWeek, Information Today, IndustryWeek, E-Commerce Times, SmartMoney, and Hacker Japan.

Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project a world-wide consortium of Java security experts.

Get Rich or Die Trying – Making Money on The Web, The Black Hat Way

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills — all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.

Bio: Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld’s Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, HiTB, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, CNet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

Vulnerability Fixed in 90 Seconds!

UPDATE: Rsnake tells me I got the “90” right. Unfortunately, it was minutes and not seconds. Still an impressive response, but not quite Light Speed Remediation.

In a recent post I talked about how Twitter was being used for customer service and public relations by various companies with a few real world success stories. I mentioned in the post some of the talk around Twitters up time, which it seems anyone associated with the service has talked about in some form. They have certainly had their share of recent problems.There’s even been a sub-culture created around the infamous “Fail Whale”.

Well, here’s a Twitter story with a much more positive twist. Yesterday, I received one of Twitters standard “following” messages regarding a new follower:

Taken out of context, this could be a frightening message 🙂 . Having met him, it was actually a good thing. But, of course, having @Rsnake join Twitter can only mean one thing: Twitters vulnerabilities are about to be found out. And this is exactly what happened.

The next few minutes went like this:

Yes, that’s right, it took about 2 hours to identify and exploit a XSS vulnerability on Umusic which in turn was a trusted domain by Twitter. Handy work indeed. But what actually impressed me more, was the response from Twitter:

OK, this was a pretty straight forward, simple fix, but nonetheless this is still impressive. Quick work made of security, something I love to see. To Recap: Rsnake signs up for Twitter, adds a bunch of friends and finds a reflective cross site scripting vulnerability with proof of concept in about 2 hours. The good folks at Twitter see Rsnake’s post, respond and close the vulnerability in about 90 seconds! Nice job by all involved.

I wish it was always this pleasant and smooth.

Checking In

I have been neglecting this blog a bit lately as I have been completely swamped with other things. But I did want to quickly promote a couple of local security events here in Chicago. This week is ChiSec 19. An informal gathering of a bunch of like minded security people. I am hoping to make it out Wednesday to experience this for myself. If you plan on going let me know. This weeks ChiSec is at the Hop Haus and details can be found here.

Also after all the hype that is Black Hat and DefCon settle down, the Chicago OWASP chapter will be having their quarterly meetup on August 21st. Rohyt Belani of phishme.com fame will be presenting on mixing spear phishing with application security vulnerabilities. Also, Jeremiah Grossman of all things web app security fame, will be giving his Black Hat presentation “Get Rich or Die Trying – Making Money on The Web, The Black Hat Way”. This event will definitely be worth attending and a great chance to meet a lot of people dealing with these types of issues every day. All the details on the OWASP meetup including RSVP contacts can be found here. Oh yeah, and both of these events are of course FREE.

Hope you can make it out to these events if you’re in town. Mention this post, and your first drink is on me. 😉

Introducing SPSP

I was recently invited to participate on the advisory board for the Society of Payment Security Professionals which I happily accepted. The site explains the society best:

“The Society of Payment Security Professionals’ objective is to provide individuals and organizations involved in payment security with an online community to share information and access education and certification opportunities. Society members come from a variety of businesses including card brands, merchants, acquirers, issuers, ISOs, and more.  Though their organizations may vary, they all share one purpose:  to protect consumer data using the most current, viable technologies and processes.”

They also offer a certification, Certified Payment-Card Industry Security Manager (CPISM). Mike Dahn writes about the SPSP as well the certification on his blog here, here, and here.

We are now in the process of forming a working group on application security. If you have expertise on the topic and are interested in participating you can send me an email or leave a comment here. We’re open to any and all comers. It should be noted this is NOT about PCI but rather payment security in it’s entirety.

Looking forward to my new role on the AB as well as working with the Application Security Working Group.

Your Next Magazine Subscription

Should be [IN]SECURE magazine. And best of all it’s free and online. This has quickly become one of my favorite regular reads.The new issue (Issue 17) is out and you can get it here.

Officially Unofficially endorsed by ClearText (what a ringing endorsement!). Check it out and let me know what you think.