
Archive for the 'General News' Category

RSA Conference Wrapup

Monday, March 8th, 2010

Well another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and worse yet, it popped out of the Kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume there were no way around that for a second (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this Kiosk intranet). So all I should need is some JavaScript malware to steal people’s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and just like magic, I have a way to steal conference registrants’ information. And there’s the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how it’s incredibly complex to build a truly secure browser-based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Banks, Businesses, Viruses and the UCC

Wednesday, February 24th, 2010

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little-known code called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of just one person, you still are treated as a bank. As such, if your company has money wired out of its account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates precedent and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

Detecting Malice eBook

Monday, October 26th, 2009

Just about every conference I speak at someone comes up to me and says, “I’ve been reading your stuff for years, but you don’t write anywhere near as much as you used to - what happened?” Alas, I actually have been writing more now than I ever have before. Just not on this blog. My latest endeavor has actually been the most ambitious writing experiment I have ever undertaken. I decided to write a new book from scratch with no outside additional authors. For those of you who’ve done it or tried it, you know what I’m talking about. I shopped the book around to a number of publishers, but in the end, I decided to pull the publishing rights back from O’Reilly (yes, it was going to be an O’Reilly book for a while) and after working with a few other potential publishers I eventually decided to simply drop the price and make it an eBook.

When I originally started writing the book its working title was “The First 100 Packets” because it was going to be all about what you could detect about user intentions within the first 100 packets - makes sense, right? Well, as I wrote it I started thinking that was a worse and worse title because, of course, long term user disposition is a really important and related topic (and just as interesting to me as well). So I up-ended the book and re-wrote a big chunk of it and the title became "Detecting Malice". You can check out the website for a table of contents. Now, why should you buy this book?

What if you could get the equivalent of 500 hours of my brain shoved into one big 300+ page PDF book for only $39.95? What if it was written very similarly to this blog, in bite sized chunks and from my own voice, so it wasn’t stuffy and boring like a lot of technical books tend to be? I’m honestly very proud of this book and I think it’ll have a lot of value for anyone who is tasked with the horrible job of trying to secure a website, as opposed to breaking into it. As such it’s also not for everyone as it was not written with offense in mind at all. This is not a book to learn how to be a better penetration tester! This is a book for people who want to know how to detect malicious users, and understand user intent through data analysis.

Anti-fraud and fraud loss prevention is an important area of security that I don’t talk about all that much on the site, mostly because security is less sexy than hacking - let’s be honest. I’ve received a lot of flak over the years for not talking about security enough from those who are on the defense side. People have told me that I focus way too much on the hacking side of things and don’t help the good guys out enough. Well, consider this my big contribution to the area of anti-fraud research! Like I said, I’m actually very proud of this book for its technical merits, but feedback is always welcome as I revise it and make it better in future revisions.

DefCon Speeches

Tuesday, July 21st, 2009

Update: One more speech added for Blackhat - turns out I am speaking there after all!

DefCon is fast approaching and I have a bunch of speeches to prep for (and this doesn’t include the other non-DefCon speeches on my roster). Thankfully I’m mostly done with my prep work, but there’s never enough time is there? If you happen to be at DefCon and want to hear me speak, here are the speeches and times:

1) Wednesday at 4:45 - Unmasking You! - I’ll be co-presenting with Josh Abraham about a bunch of anti-privacy 0day as well as a major privacy leak built into a huge percentage of browsers.

2) Friday at 2PM - DefCon Security Jam (AKA Fail speech) - I’ll be speaking about a really dumb/funny browser Fail.

3) Saturday at 3PM - Hijacking Web 2.0 Sites with SSLstrip - I’ll be co-presenting with Sam Bowne regarding Slowloris.

4) Sunday at 12PM - Unmasking You - repeat of the Blackhat talk.

So yeah, I’ll be very busy while I’m there. Feel free to drop by and say hi at some point if you happen to be at the conference. I’ll be checking Twitter periodically while I’m there too if you want to message me directly. If you know about any good industry parties please message me too. You can never have too many invites!

So Long Active Agent

Tuesday, July 14th, 2009

Going down memory lane I decided to go back and look at Microsoft’s Active Agent. For those of you who aren’t familiar with this, “Clippy” might sound more familiar. Clippy actually came much later. It all started with a little bird named “Peedy” the parrot. Peedy could read text, fly around, dance, look bored, and all kinds of stuff. It was scriptable, could be instantiated through a web page and worked well in browsers that had the agent pre-installed (which was pretty much no one).

A few companies decided to try to create business models based on it - trying to read people’s emails for them, and other similar things. All doomed to failure and internet obscurity, although all very cool in their own way. Alas, as I was going and looking back at some old links I found this:

Microsoft has decided to discontinue development of Microsoft Agent technologies. Beginning with Windows® 7, Microsoft Agent will not be included or supported in future versions of the Microsoft Windows operating system. We encourage Microsoft Agent application developers and redistributors to evaluate their activities in light of this decision.

*sigh* Even though it never took off, Peedy will always have a place in my heart. Like that time we called up Bronc’s girlfriend and read off some ransom note we had crafted using Robby the robot’s text to speech. We laughed and laughed - until she called Bronc’s cell phone. You should have seen his face, “Hi honey. Yeah, we were just screwing around.” Man, that still cracks me up and yes he was in trouble. Yeah, we were dumb kids, but boy, Peedy and the gang will be missed! Farewell…

Mozilla’s Content Security Policy

Wednesday, July 1st, 2009

Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.

I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.

On a less thrilling note it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think it’s really not particularly interesting, since it’s an opt-in model and clickjacking is so prevalent as an avenue for attack. Opt-in security models work on sites that know they’ve got a problem (like user submitted HTML and JS) not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas - I digress, and I don’t mean to diminish the overall positives of this solve. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again - even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?

In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!

RSACon

Thursday, April 23rd, 2009

This year’s RSAcon has been a lot of laughs. The parties were great, the people were fun, I actually learned some stuff, and took away a few new ideas for vulnerabilities. So all in all it was a great time. At one point I found myself staring face to face with a vacant Google booth. So I took it upon myself to seize the moment, especially since Google hasn’t figured out how to put computers into kiosk mode (they weren’t the only ones either, by the way - ask mubix). *sigh*


The really amusing part was when a rather dim-witted Google marketing person came over after a minute or so and asked if she could help us. Then she saw the ha.ckers.org logo, to which I said, “Don’t worry, we were just playing a practical joke on you.” To which she said, “Okay.” Okay indeed.

So you’ve seen ha.ckers.org on Google’s own machines at a security conference - where there’s so much irony it hurts. But what about you guys? Where can you get ha.ckers.org to show up in places it shouldn’t be? I’ll give out some sort of special prize for the winner - I just haven’t figured out what it is yet.

Little Updates

Monday, April 20th, 2009

RSAcon is starting today - and yes, I do plan on being there for anyone who happens to be in the bay. I also suggest checking out the WASC meetup on Wednesday at lunch. If you are excited about webappsec you should probably make the meet up. It’s grown to be huge from a few short years ago. We pretty much fill up that entire pool hall at Jillian’s. So yeah, it’s worth being there if you can make it. If you can’t, I suggest you live vicariously, 160 characters at a time via the IRC over SMS that is Twitter.

Next, for those of you who are into good causes Johnny Long sent out an email saying that the informer is back online. So if you have anything to disclose and you want to help out kids - disclose it there and let everyone know. Johnny was nice enough to send out a really nice x-mas card with the kids thanking us and letting us know that the clickjacking article helped and a nice video etc… Johnny is a nice guy!

Browser Power Consumption

Monday, December 1st, 2008

This isn’t like most of the other posts I do on here since it’s only tangentially security related, but it was a fun experiment that we spent a few days working on over the last few weeks. We were researching “green” browsing, and found that certain client side internet technologies, like Flash and JavaScript, to name a few, were the worst in terms of power consumption. For anyone interested in this topic feel free to review the paper here.

For those of you who don’t have time to read the whole thing, the gist is that Noscript and Adblock Plus do a very good job of reducing the power consumption of the least “green” websites. Just another reason to use them! I don’t consider myself to be much in the way of a conservationist, but stuff like this fascinates me since I live so close to the browser world. I hope everyone had a good Thanksgiving, for those in the US!

Private Investigator or Forensics Expert

Thursday, July 24th, 2008

What do I have in common with Magnum PI? What does id have in common with Dog the Bounty Hunter? Well in the state of Texas we all need PI licenses. That’s right, if you want to help anyone recover from an incident, investigate computer theft, or engage in any sort of investigation relating to computers whatsoever, you need to become a private investigator in Texas. We can chalk this up to lawyers legislating something they completely fail to understand.

Firstly, I highly doubt any of my customers would get any more value out of hiring Dog the Bounty Hunter to hunt through logs, or recover deleted data. Secondly, legislators are making broad statements like, “the computer industry needs cleaning up”. I’d like to make my own broad sweeping statement, “legislators who write ill-conceived laws need cleaning up.” I understand the reasoning, as poor as it might be. Proper handling of evidence is always an important thing for convictions, but this is far more broad than that - even delving into the inner workings of private companies working to help other private companies do business.

I guess I better start waxing my chest and wearing dog tags, so I can start understanding how these darned computer thingies work.