Beautiful Security

29 04 2009

Just a quick post to let you know Beautiful Security from O’Reilly is now available at Amazon as well as directly from O’Reilly. Chapter Five – Beautiful Trade: Rethinking Ecommerce, is my personal favorite, but I may be a little biased :-).

All author proceeds will be donated to charity, so buy an extra copy for the kids!

/shameless self-promo





Streaming Announcements

30 03 2009

Well March has been a BUSY month but I just wanted to post a bit of info out here about what’s been going on and what’s coming up.

First off, thanks to David Campbell, Kathy Thaxton and Eric Duprey for inviting me out to SnowFROC in Denver! I had a great time and, just like last year, there were a lot of interesting talks on Web Application Security. Also thanks to Bill Brenner and Lafe Low at CxO Media for getting me involved in their CSO Data Loss Prevention seminar in Chicago. You can find the lineup of presentations with video for SnowFROC posted here and the CSO Seminar presentations posted here. Bill Brenner wrote a good piece on my presentation here.

Today I had the pleasure of participating in a lunch time podcast for the Society of Payment Security Professionals (SPSP) with Michael Dahn and Anton Chuvakin. We talked about the current and possible future state of payment security, how or if risk management plays into this as well as the “security first” vs. “compliance first” mindset. Thanks to Michael Dahn for having me on. I will update this post with a link to the podcast once it’s up.

For those of you not aware, I also serve on the Board of Advisors to the SPSP and work with Trey Ford and others on their Application Security Working Group. You should check out more about them here and reach out to me if you’re interested in participating in the AppSec Working Group. The Working Group is currently working on a DRAFT Playbook for PCI 6.6 Requirements. Get involved.

Bill Brenner over at CSO online has also been so kind as to let me participate on the CSO Online blogs section of the site. That should give me more motivation to post more often. Warning – I may end up double posting at times here or linking directly to the new CSO blog.

Thanks to the guys over at Matasano Security for putting on a great TechTalk at Orbitz. Thomas Ptacek and Mike Tracey came on site to give their 7 Deadly Features of Web Applications to a good crowd. A good presentation covered by a couple of very smart guys. If I am able to get both internal and Matasano approval, I may post the video of the presentation here later.

I’m a little late on the news here but both the BSIMM (Building Security In Maturity Model) as well as OpenSAMM (Open Software Assurance Maturity Model) have been released. The latter is now an OWASP project. I am just now getting around to reading through these and hope to have some thoughts put around this topic soon.

Finally, I am scheduled to speak at the next OWASP Chicago chapter meeting, pulling out my SnowFROC presentation for those who were not able to come out. The Chicago OWASP meeting is tentatively scheduled for April 29th. You can subscribe to the OWASP Chicago mailing list here if you don’t already do so.





March Events

12 02 2009

Just a quick post to let you know of two events I’ll be participating in next month.

On March 5th, OWASP SnowFROC is holding its second annual application security conference in Denver, Colorado. This promises to be a great event with a ton of good content and speakers. I’m honored to participate in this again and I’d like to thank David, Kathy and all the organizers for including me. The conference itself is free thanks to the sponsors, so no excuse for you not to attend. SecTwits, break out the RV and come on out!

I hope to shed some light on some of the vulnerability management automation I’ve been working on. Good things to come. Check out the lineup here.

Three weeks later, on March 26th, I’ll be giving a presentation at CSO Online’s DLP event at the Palmer House Hilton here in Chicago. My talk is first up (Note to Self: Extra Coffee!) on the use of penetration testing in a large web-based environment. Should be pretty fun given all the “pen testing is dead” memes going around the net in the past couple of months.

Thanks to Bill Brenner and Lafe Low for the invite and coordination of the event.

The lineup for the CSO event can be found here. You can register for it here.

Hope to see you next month!





Beautiful Writing

23 01 2009

UPDATE: A decent round of commentary going on about this on the PCI Answers blog. I’ve added my two cents within the comments. You can read through the discussion here.

I have been lurking in a lot of the usual places lately, listening to and reading all the commentary about payment security thanks to the Heartland Payment Systems incident. I’m not going to comment on the incident here; there are already plenty of people offering up their opinions.

What do I want to mention about all this chatter? You are having the wrong debate! So many people in security are talking about what this means for PCI. Is PCI effective? Was there an issue with the assessment? To this I say “it doesn’t matter”. None of this is the root cause.

Jeremiah Grossman has a really good post on aligning incentives here. This is getting much closer to the real issues in payment security. Want to know more? Well this is where my shameless and disgusting self promotion comes in. 🙂

I have had the privilege of participating in writing a new book for O’Reilly, Beautiful Security. For those of you not familiar with the series, this is a follow-up to Beautiful Code and Beautiful Architecture. It’s a compilation where each author contributes a single chapter on a security topic, mine being securing ecommerce transactions. Below is the product description as found on Amazon:

Product Description
“In this thought-provoking anthology, today’s security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.

Among the book’s wide-ranging topics, you’ll learn how new and more aggressive security measures work — and where they will lead us. Topics include:

  • Rewiring the expectations and assumptions of organizations regarding security
  • Security as a design requirement
  • Evolution and new projects in Web of Trust
  • Legal sanctions to enforce security precautions
  • An encryption/hash system for protecting user data
  • The criminal economy for stolen information
  • Detecting attacks through context

Go beyond the headlines, hype, and hearsay. With Beautiful Security, you’ll delve into the techniques, technology, ethics, and laws at the center of the biggest revolution in the history of network security. It’s a useful and far-reaching discussion you can’t afford to miss.”

Special thanks to Mark Curphey and John Viega for involving me in this project. Lots of other authors much smarter than I, such as Anton Chuvakin, Mudge, and others. All author proceeds are being donated to charity (IETF), another fantastic reason to pick up a copy!

Let’s stop arguing about how to build a better band-aid. It’s time to start talking more about addressing the root cause issues, and spend less time on the religious churn and debate around specific compliance requirements.





Heads Up!

10 11 2008

Well I haven’t posted anything here in quite a while, but I really do have a good excuse this time. Not the usual been busy with work, life, etc. Watch for a follow-up post in the near future discussing some of the stuff I have been busy working on. In the meantime, there are a couple of items I just wanted to throw up here to make everyone aware.

  1. This Thursday, November 13, is the Chicago OWASP meeting. Scott Stender from iSec Partners will be presenting on Concurrency Attacks in Web Applications, and Thomas Ptacek from Matasano Security will be talking about The Seven Deadly Features of Web Applications. You can find all the details on the where, when, and who here. I plan on attending and hope to see everyone there.
  2. The 8th Annual Workshop on Economics of Information Security recently put out their call for papers. Next year’s conference will be held at University College London. More details on the conference here and great resources on the topic of economics in information security can be found here.

Apologies for the link dumping. I will follow this up very soon with some more interesting news.





OWASP Chicago

18 08 2008

Just a quick post to remind all of you in and around Chicago that the local OWASP meeting is this Thursday, 6pm local. Two really good speakers will be there, Jeremiah Grossman from WhiteHat Security and Rohyt Belani from the Intrepidus Group. You can find out more at the OWASP Chicago chapter page here as well as RSVP.

Here are the presentation abstracts and bios. I hope to see everyone there; it should be a good turnout.

Bad Cocktail: Spear Phishing + Application Hacks

Site takedown services, anti-phishing filters, and millions of dollars worth of protective technologies... and the spear phishers are still successful! This presentation will discuss why this is the case. Today, phishing is a key component in a “hacker’s” repertoire. Phishers are combining social engineering with application security flaws in well-known websites to make automated detection of targeted phishing attacks almost impossible. The result: hijacked online brokerage accounts, stolen identities and e-bank robberies. During this talk, I will present the techniques used by attackers to execute such spear phishing attacks, and real-world cases that I have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputable bodies like SANS and Carnegie Mellon University.

Rohyt Belani is a Managing Partner and co-founder of the Intrepidus Group and Adjunct Professor at Carnegie Mellon University. Prior to starting the Intrepidus Group, Mr. Belani has held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT.

He is a contributing author for Osborne’s Hack Notes – Network Security, as well as Addison Wesley’s Extrusion Detection: Security Monitoring for Internal Intrusions.

Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, DallasCon, CPM, ISSA meetings, and several forums catering to the FBI, US Secret Service, and US Military.

He has written technical articles and columns for online publications like Securityfocus and SC magazine, and has been interviewed by BBC Radio, Forbes magazine, TechNewsWorld, InformationWeek, Information Today, IndustryWeek, E-Commerce Times, SmartMoney, and Hacker Japan.

Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project, a worldwide consortium of Java security experts.

Get Rich or Die Trying – Making Money on The Web, The Black Hat Way

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills — all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the ones staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.

Bio: Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld’s Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, HiTB, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, CNet, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!






Vulnerability Fixed in 90 Seconds!

29 07 2008

UPDATE: Rsnake tells me I got the “90” right. Unfortunately, it was minutes and not seconds. Still an impressive response, but not quite Light Speed Remediation.

In a recent post I talked about how Twitter was being used for customer service and public relations by various companies, with a few real-world success stories. I mentioned in the post some of the talk around Twitter’s uptime, which it seems anyone associated with the service has talked about in some form. They have certainly had their share of recent problems. There’s even been a sub-culture created around the infamous “Fail Whale”.

Well, here’s a Twitter story with a much more positive twist. Yesterday, I received one of Twitter’s standard “following” messages regarding a new follower:

Taken out of context, this could be a frightening message 🙂 . Having met him, it was actually a good thing. But, of course, having @Rsnake join Twitter can only mean one thing: Twitter’s vulnerabilities are about to be found out. And this is exactly what happened.

The next few minutes went like this:

Yes, that’s right, it took about 2 hours to identify and exploit an XSS vulnerability on Umusic, which in turn was a domain trusted by Twitter. Handy work indeed. But what actually impressed me more was the response from Twitter:

OK, this was a pretty straightforward, simple fix, but nonetheless this is still impressive. Quick work made of security, something I love to see. To recap: Rsnake signs up for Twitter, adds a bunch of friends and finds a reflected cross-site scripting vulnerability with proof of concept in about 2 hours. The good folks at Twitter see Rsnake’s post, respond and close the vulnerability in about 90 seconds! Nice job by all involved.

I wish it was always this pleasant and smooth.






Checking In

21 07 2008

I have been neglecting this blog a bit lately as I have been completely swamped with other things. But I did want to quickly promote a couple of local security events here in Chicago. This week is ChiSec 19, an informal gathering of a bunch of like-minded security people. I am hoping to make it out Wednesday to experience this for myself. If you plan on going, let me know. This week’s ChiSec is at the Hop Haus and details can be found here.

Also, after all the hype that is Black Hat and DefCon settles down, the Chicago OWASP chapter will be having their quarterly meetup on August 21st. Rohyt Belani of phishme.com fame will be presenting on mixing spear phishing with application security vulnerabilities. Also, Jeremiah Grossman, of all things web app security fame, will be giving his Black Hat presentation “Get Rich or Die Trying – Making Money on The Web, The Black Hat Way”. This event will definitely be worth attending and a great chance to meet a lot of people dealing with these types of issues every day. All the details on the OWASP meetup, including RSVP contacts, can be found here. Oh yeah, and both of these events are of course FREE.

Hope you can make it out to these events if you’re in town. Mention this post, and your first drink is on me. 😉






Introducing SPSP

2 07 2008

I was recently invited to participate on the advisory board for the Society of Payment Security Professionals which I happily accepted. The site explains the society best:

“The Society of Payment Security Professionals’ objective is to provide individuals and organizations involved in payment security with an online community to share information and access education and certification opportunities. Society members come from a variety of businesses including card brands, merchants, acquirers, issuers, ISOs, and more.  Though their organizations may vary, they all share one purpose:  to protect consumer data using the most current, viable technologies and processes.”

They also offer a certification, Certified Payment-Card Industry Security Manager (CPISM). Mike Dahn writes about the SPSP as well the certification on his blog here, here, and here.

We are now in the process of forming a working group on application security. If you have expertise on the topic and are interested in participating, you can send me an email or leave a comment here. We’re open to any and all comers. It should be noted this is NOT about PCI but rather payment security in its entirety.

Looking forward to my new role on the AB as well as working with the Application Security Working Group.






Your Next Magazine Subscription

26 06 2008

Should be [IN]SECURE magazine. And best of all, it’s free and online. This has quickly become one of my favorite regular reads. The new issue (Issue 17) is out and you can get it here.

Officially Unofficially endorsed by ClearText (what a ringing endorsement!). Check it out and let me know what you think.