web application security lab

Archive for the 'General News' Category

TJX Whistle Blower

Thursday, May 22nd, 2008

I had some very disturbing news today from one of the forum users - he had just been fired by TJX for whistle blowing on their security issues. CrYpTiC_MauleR, whose posts on TJX can be found here, was fired today by TJX for talking about the company’s security flaws. This is the same company that recently lost millions of credit card numbers, for those of you who don’t recall. They tracked him down by IP (we’re still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked him to write down his thoughts on how to fix the issues and then promptly fired him.

I completely understand why a company would want to reduce their risk, but this doesn’t bode well for future would-be whistle blowers, or for the future state of security for TJX. CrYpTiC_MauleR has been a long time poster on and has made a lot of contributions. I, for one, feel terrible about what happened, and I implore the community to reach out to him on, especially if you are looking for someone to help out in any open positions you might have. I think the best possible outcome of this would be that he gets a better job for caring about consumer security at large. Only time will tell.

But as a side note, I must caution everyone who prefers full disclosure as a rule, to be particularly cautious when posting that information, especially when it’s under your own name or a name you use elsewhere that may be tied back to you. Many of the largest companies on earth post to or read this site regularly, and no doubt someone will take personal offense at your actions, so I encourage everyone by way of example to please protect yourself - especially from those who would claim to care about security. Only actions matter in this world.

State of Affairs

Monday, May 19th, 2008

This post is a few months overdue but here it is. I’ve been heavily involved in the security industry in one respect or another for well over a decade, and until recently, I had the luxury of being able to talk about whatever I pleased, especially when I got myself out of a few handcuffs that I was bound by a few years ago (around the time I started this blog). I had a lot to say and hence you had this website in all its glory. However, since I started my own company, I’ve had the fortune or misfortune, however you want to look at it, of being exposed to a lot of things I wouldn’t have been able to see otherwise.

That means I am now under contract with lots of the same companies I have talked about in the past, companies I have talked about in both positive and negative ways. Clearly I’m not out to screw anyone; the negative stuff was mostly about my feelings regarding certain technologies. If you have seen me suspiciously not talking about things, it’s probably because I’m either too busy to talk about it or I have a reason I’m not talking about it. Long ago I used to say that I talk about 1/3 of what I know. Another 1/3rd was stuff that could only hurt people with no positive gain and the last 1/3rd was stuff that was just too theoretical or too out there for people to understand since it wasn’t yet provable. Unfortunately, the first 1/3rd (the stuff I can talk about) has been shrinking rapidly and being replaced by a fairly large percentage of things I cannot discuss. That means I’m less fun to read in blog posts, in interviews and at parties.

Rest assured, my knowledge has increased a lot since starting this website due in large part to how much more I have had the privilege of being exposed to. So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings. Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time and I know how poorly writers get paid. ;)

That’s the down-side. The up side is that I am not going to stop blogging, but it might not look like it has in the past, if you read my earlier posts. I thought this was an important distinction that I make public, just as I did when I told everyone that I was starting my own company so I could no longer be considered an unbiased source of information.

I started this site because of my family. I wanted a chance to make the Internet a safe place for them to interact with. What better way than to scream from the mountain top that is about the issues I see on a daily basis? I can, with lots of quantifiable evidence, say that things are worse now than they were when I started this site. But at least now people are finally aware of the problems, enough to carry that torch without my direct input. The topic of Webappsec was esoteric and lame to most people even two years ago, but now it’s finally come into its own, and not just because I decry it, but because there are dozens of websites and many companies devoted to the topic now. My hope is that maybe one of the readers of this site will pick up where I left off and do what I have, as of this moment, been incapable of doing - make the Internet a safe place for all our families. I will continue to do the same with a slightly diminished vocal profile compared to before.

I apologize if this post seems like any sort of betrayal, as that’s sincerely the last thing I would want. But in the spirit of full disclosure, I wanted to at least let you know why things may seem a lot slower now than they did even a year ago. Although I can’t tell you what I know, I will tell you this - things are far worse than they appear, and there is no shortage of extremely vulnerable applications out there, as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are.

Lastly, I will talk about this more in the coming months, but I am writing a book that will probably be one of the few highly technical documents I put out to the public for a while. Even though it might appear that I’m writing less than ever, in actuality, I’m writing more. O’Reilly has tentatively agreed to publish it (contracts are not yet signed so no promises yet) and I’m really looking forward to getting it out into the hands of the people who do want to make a positive change towards the security of the Internet. If you’re one of those people I invite you to read the book when it’s finished. I’ll give more details at a later date.

I looked at my Google feedfetcher stat today in my logs - over 3,800 subscribers on Google news alone with over 7,000 total subscribers through various feed readers alone! For those of you who have followed this blog for the two years or so since I started it or for any substantial time, I really appreciate your readership. Thank you, everyone. I mean it! You’re like family to me - you know, like that close-talking crazy aunt that no one likes, who has all those cats. ;)

Scanless PCI

Tuesday, April 1st, 2008

Well, today is the day. We can finally stop having discussions about the value of PCI, because there is a new product on the market that solves all the business needs without the pesky problems of wishy washy compliance regulations. It’s called Scanless PCI. The premise is pretty simple, go to the website, grab the code, throw it on your website and poof. You’re PCI certified. No fuss, no muss.

The beauty of this system is that everyone gets what they want. Awareness, certification, and of course, protection from PCI fines. We don’t have to sit around spinning yarns about what is and isn’t a secure web site, or what the definition of PCI 6.6 means or what have you. No more! I’m glad we can finally put this entire thing to bed. Not that I take credit cards, but I might just get it myself. It’s so easy!

Click A Link, Go To Jail

Thursday, March 20th, 2008

Whelp, we’ve talked about it, but now it’s finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic. I can force users to click on links anytime I want. Now here comes some interesting CSRF technology grey area. The authorities might reasonably say, “The referrer doesn’t match.” Okay, well that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.

So now the real question is would a user with no referring URL be worthy of investigation? Is this the newest wave in reasons to turn off referring URLs? I mean, seriously, what if the browser pre-fetches, or if an attacker puts a hovering iframe beneath the mouse, or they are using an older browser/plugin that allows spoofed referring URLs. Eesh. Again, I’m all for the noble pursuit, but seriously - this seems a little dangerous to me. Is clicking a link evidence enough of guilt? If so, can I now take search engines to court for trying SQL injection against me or for spidering and caching illicit content? And now have we given people plausible deniability, “I knew it was fake before I clicked on it” or “I was just seeing if it was an FBI site or not” etc….

<sarcasm> Be the first kid on the block to surprise your friend with an illegal version of a Rick-roll. </sarcasm> The act of clicking a link as evidence of guilt is almost certainly asking for trouble and abuse.

Sample code on how easy it is to not send a referring URL: <META HTTP-EQUIV="refresh" CONTENT="0;url=http://child-porn-site">
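As an added illustration (not code from the original post), here is a small Python model of what a server actually learns from the Referer header, written from the defender’s side. The hostnames and request records are constructed for the example; `referer_check` is the ordinary Referer-based CSRF gate, included to show that a missing header is a policy decision rather than evidence of anything, since a typed URL, a META refresh on someone else’s page, a prefetch and a privacy-stripped referrer all look identical in the log.

```python
from typing import Optional
from urllib.parse import urlsplit


def classify_referer(request_host: str, referer: Optional[str]) -> str:
    """Return 'same-origin', 'cross-origin' or 'absent' for one request.

    'absent' covers both a missing header and an unparsable value such as
    the "-" placeholder that access logs write when no Referer was sent.
    """
    if not referer:
        return "absent"
    ref_host = urlsplit(referer).hostname
    if ref_host is None:
        return "absent"
    return "same-origin" if ref_host == request_host.lower() else "cross-origin"


def referer_check(request_host: str, referer: Optional[str], method: str,
                  strict: bool = False) -> str:
    """Minimal Referer-based CSRF gate for state-changing requests.

    Returns 'allow', 'deny' or 'undetermined'. With strict=True an absent
    header is rejected outright (safer, but breaks users behind privacy
    proxies); otherwise the caller must fall back to another defense such
    as a per-session token, because an absent header carries no signal.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow"            # reads should never change state anyway
    kind = classify_referer(request_host, referer)
    if kind == "same-origin":
        return "allow"
    if kind == "cross-origin":
        return "deny"
    return "deny" if strict else "undetermined"


# Constructed sample: what happened in the browser vs. what the server sees.
# "cause" is only known here because we made the data up; the server never
# sees it, which is the whole point.
SAMPLE_REQUESTS = [
    {"host": "example.test", "referer": "http://example.test/index.html",
     "cause": "user clicked an in-site link"},
    {"host": "example.test", "referer": "http://forum.example/thread/42",
     "cause": "user clicked a link on a forum"},
    {"host": "example.test", "referer": None,
     "cause": "user typed the URL or used a bookmark"},
    {"host": "example.test", "referer": None,
     "cause": "META refresh on a third-party page"},
    {"host": "example.test", "referer": None,
     "cause": "browser link prefetch"},
    {"host": "example.test", "referer": "-",
     "cause": "HTTPS page linking to HTTP (referrer suppressed)"},
]


def group_by_referer_class(records):
    """Bucket the underlying causes by what the server could observe."""
    groups = {"same-origin": [], "cross-origin": [], "absent": []}
    for rec in records:
        groups[classify_referer(rec["host"], rec["referer"])].append(rec["cause"])
    return groups


if __name__ == "__main__":
    for kind, causes in group_by_referer_class(SAMPLE_REQUESTS).items():
        print(f"{kind:13s} {len(causes)} request(s): {causes}")
```

Running it shows four distinct real-world causes collapsing into the single "absent" bucket; a log-based investigator has no way to tell them apart, and a CSRF defense that relies on Referer alone has to decide in advance whether that bucket is allowed or not.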

WASC Meetup at RSACon2008

Tuesday, March 18th, 2008

If you haven’t been to RSACon and are into the whole schmoozing aspect of the security industry, you need to book your flight right now. RSACon is basically a bazaar of vendors from all over the world, promoting their tools. There’s no substitute for it. I wouldn’t expect to go to it and learn anything from the talks, but it is cool walking around talking to the vendors, seeing the new terminology that they’ll be stuck with for the next 12 months, and getting the pitches. I personally love that con for the sellout aspect if nothing else. But wait, that’s not all…

For the last few years Jeremiah has been putting on the RSACon WASC meetup. It’s just a few hours for everyone to get together who’s interested in webappsec. The first year it was just a few of us. The next year it was around 100 people. It’s no doubt going to be even bigger. It just shows how big this industry is getting! So if you are interested, check out the details on Jer’s blog. If you happen to be in town, even if you’re not coming to the conference please drop by. I’m always up to meet webappsec people!

DoSing the DDoSer

Tuesday, March 4th, 2008

Well, it was a long Sunday. I was planning on going and hitting some balls on the golf course, but no, instead I spent the better part of the day dealing with a DDoS attack. Before it was completely killed 73 IPs were used to perform a flood of GET requests against Thankfully we were able to thwart the attack by writing some tricky software to detect the attack and firewall it. But it was still the better part of a day dealing with it.

The end result was we found the attacker (the owner of who apparently was made fun of at some point a year ago on the board). When pride goes too far, eesh! More on this user here. Cyberhacker665 is in at least some way affiliated with or owns The attacker did a vanity search for himself before initiating the attack. The original IP was tracked back to the attacker’s ISP, who was sent an abuse email and now the user is offline for the time being. We effectively DoSed the DDoSer. It’s too bad, I had long forgotten about that post - apparently he hasn’t.

This wasn’t the first high volume traffic incident we’ve received (we’ve been slashdotted several times, and reached the front page of Digg and Reddit as well) and we get tons of attacks per day. But this was probably one of the worst. Just another day on… Golfing would have been better use of a Sunday, even if I suck at it.
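The post mentions writing software to detect the GET flood and firewall the sources. As an added example (my own code, not the tool used on the site), here is the simplest form that detection takes: a sliding-window request count per client IP over Apache combined-format log lines, emitting firewall rules for whichever IPs exceed the limit. The log lines, IP addresses (documentation ranges) and thresholds are all constructed for the example, and the rules are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the leading fields of an Apache "combined" access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return ip, timestamp (aware datetime), method and path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def find_flooders(lines, window_seconds=10, max_requests=20, methods=("GET",)):
    """Sliding-window rate check per client IP.

    Lines are assumed to arrive in chronological order, as a live tail does.
    Returns {ip: timestamp at which that IP first exceeded the limit}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:        # drop requests that left the window
            q.popleft()
        if len(q) > max_requests and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def block_rules(flagged, port=80):
    """Render iptables commands for the flagged IPs (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]


# ---- constructed sample traffic (not real log data) ------------------------
TZ = timezone(timedelta(hours=-6))
T0 = datetime(2008, 3, 2, 14, 0, 0, tzinfo=TZ)


def make_line(ip, second, path="/"):
    ts = (T0 + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'


def build_sample_log():
    events = []
    # 10.0.0.5: six GETs per second for six seconds -> flood
    for sec in range(6):
        for i in range(6):
            events.append((sec, make_line("10.0.0.5", sec, f"/?q={sec}{i}")))
    # 198.51.100.7: one GET per second for 15 seconds -> busy but legitimate
    for sec in range(15):
        events.append((sec, make_line("198.51.100.7", sec, f"/page{sec}")))
    # 192.0.2.10: five GETs spread over a minute -> ordinary browsing
    for sec in (0, 15, 30, 45, 60):
        events.append((sec, make_line("192.0.2.10", sec)))
    return [line for _, line in sorted(events)]


if __name__ == "__main__":
    hits = find_flooders(build_sample_log())
    for ip, when in hits.items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
    print("\n".join(block_rules(hits)))
```

The window and threshold are the tunable part: a single client fetching a page with a dozen embedded resources can legitimately produce a burst, so the limit should be set from the site’s own normal traffic rather than guessed, and the per-IP deques should be pruned periodically in a long-running process so idle clients don’t accumulate.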

Res Timing File Enumeration Without JavaScript in IE7.0

Wednesday, February 27th, 2008

I’ve been meaning to post this since Blackhat last year, but I just finally got around to posting a working example. Using David Byrne’s res:// timing trick and a hybrid of Jeremiah’s META refresh blocking I was able to do the same thing David was but without JavaScript. Oh how funky it is though!

Here’s the demo (only works in IE7.0). The timing is large enough so that you can actually see a difference (varies between a 5 and 15 second difference for me per link - for reasons I am still unsure of). But it’s a big enough difference that it should be possible to measure the file’s presence. The hard part is keeping it going without a user noticing that their browser locked up on them for the many seconds required to run. Pretty funky demo, and normally I’d probably set a cookie to keep the data but I got bored of writing the demo since I don’t think it’s especially practical. But you get the idea.

In other news, I should also mention that I got back from the Minnesota OWASP meeting. I was really surprised to see how many people came out to see me (probably 75 or so). All really nice people and I was impressed by Kuai and the entire setup. Very nicely done. I think my slides will be posted today or tomorrow. I guess Bruce Schneier spoke there the month before I did, so these guys definitely have got their eye on the heavy hitters for those of you on the speaking circuit. I also spoke on Minnesota Public Radio as well, which was kinda fun. I hope it continues to grow!

I missed Schmoocon and DC Blackhat but here is the unofficial list of my upcoming cons: Source Boston (leading a panel), RSACon 2008 (just visiting), TRISC (speaking), Secure360 (speaking - unconfirmed), Super Secret SANS Conference to be talked about at a later date (speaking), OWASP Denver (speaking - unconfirmed), World OWASP NYC 2008 (speaking). So yah, busy busy busy…

The Austin Project

Monday, January 21st, 2008

Two days ago I found myself reading something written by one of my readers about something I had written. Unfortunately, it not only completely missed the point of what I had talked about, but some dramatic and ultimately incorrect assumptions were drawn due to complete lack of technical understanding on this reader’s part. I’m not going to out this person, because I don’t think it’s productive. But it was pretty upsetting to me, because I do want people like this person to be able to learn from this site. This site is super tricky to run. On one hand I have some of the most technically competent people in the web security community visiting regularly. For them, some of the most complex topics I cover make perfect sense, and there is very little confusion. For the non-techies the technical posts are either misread or left unread. Either way, that’s not good for the sake of learning.

A huge chunk of why I started this site was for my own testing. I wanted to learn on a site that I controlled completely. That works great if you’re a guy like me, who’s already been in the web space for well over a decade. But for people who are either new, or are shifting their interests from some other area of security, the web space is highly complex and deep. So herein lies the second reason I started this site. I wanted a place where I could teach people what I know. Call it altruism, call it wanting a sanity check on my own thoughts, but here we are, 2 years and 20,000 visitors a day later and things have changed.

I’m ultimately troubled by the fact that there are so many people out there who are in every way smart but are only in web application security because they have fallen into it, for whatever reason, and now are trying to play catch up with guys like us. I feel like there is a huge gap of knowledge out there, and I feel like there is a lot that I could share with people given enough time. A one hour speech isn’t enough time. It’s barely enough time to gloss over a topic, let alone go down to any level of detail that would allow someone to think they are proficient in a topic. I really feel like I could share a lot more of what I know to a willing participant if we made it a week long course. So that’s what I did.

I’m going to be offering a week long course that I am dubbing The Austin Project. The goal of the project is to get a group of like-minded people who are interested in talking about and learning more about web application security from yours truly. Honestly, I just feel like there’s a lot more I can talk about in a week’s time than I could ever cover in a series of blog posts, especially because in an intimate class it is far easier to communicate.

So I will be inviting five people to fly in and stay for five days. No cell phones, no computers, no distractions - just talking webappsec. I attended an invite only conference of this format before and it worked great, where the only open computer was the one operating the projector. Being off the grid really helps people focus. Everyone will sign non disclosure agreements so people can talk freely about problems they are concerned with without having to worry about it getting out. There will be eventual outputs from the classes, but they will be discussed only with people who attend. Days will be spent talking about webappsec, nights will be spent with me in downtown Austin, visiting the local nightlife and probably talking about webappsec some more. My goal is not to make myself the grand leader of a group of five people who are webappsec gods, but rather, build a collaborative group of people who change their way of thinking and come out of it with the knowledge on how to fix their little slice of the Internet.

I’m just not scalable, and while the blog has been a great conduit for sharing some of my ideas, it’s clear to me that people just aren’t getting the value out of it that they could in another format (I guess you get what you pay for, as this site is free!). It turns out I just have a lot more to say than I put on this site. That became apparent today when I started chatting with someone about a specific web application flow. It took me ten minutes to explain some of the esoteric nuances to watch out for and I suddenly realized I had never talked about it before on the site, and I probably never would have because I ultimately consider a lot of that stuff to be “the basics” (even though apparently not a lot of people know about it). I usually try to skirt around the basics as to avoid alienating the experts who frequent this site. How would anyone know about the esoteric gotchas if I didn’t talk about it? Well, now is your chance to come ask me. Not that I will just be covering basics - oh no, why come to me for the basics? But this will be your chance to get me to slow down and explain things to you in a virtually one on one environment.

My goal isn’t to get the best of the best and put them in a room together (although if I wind up with a bunch of people who are experts I will build a class specifically for them). The main goal of The Austin Project is to get people who want to learn but are otherwise starved for information. I want to help those people and bring them to the next level, so that they go off and eventually help others and so on. I firmly believe education at this level will help our industry, help us start developing better applications, better strategies, and ultimately will make all our lives better.

This isn’t like most training. There will be no CPE credits (although I’m sure you could convince someone it should count), no class of 40 people, no canned demonstrations. This is just a chance for you to sit with me for a week and talk about whatever it is you want to talk about in a collaborative environment. I don’t want five people from the same company showing up. That’s not the goal here. The goal is for you to meet other people with other problems and work through them together as much as it is to hear from me. Why? Because other people have interesting problems that relate to our industry that you should think about too! I want to facilitate the correct thought process, which is so much more important than me just solving your problems for you. I want to make people into the big thinkers (not just technologists) that this industry needs. I want the participants to build relationships that they can use to better themselves and their careers. Big goals for such a little class!

Anyway, if we wind up with way more than five people who are interested, we can separate the classes into groups, but I have no idea how many people will be interested. I don’t want to go over five people and I don’t want it smaller than that or it would defeat the goal of building a team, so I may actually turn people away if we don’t hit a critical mass. This is just as much an experiment for me as it is for anyone who would attend. I also may turn people away if I think they couldn’t benefit from this - which is why I’ll be asking for a resume from each of the people who are interested. If you have no experience, this isn’t the class for you. If you have been doing this longer than I have, this isn’t the class for you. If you just want to come to the class to heckle me, well, it’s an expensive prank, but it’s your money. ;) So if you are at all interested, check out The Austin Project web-page for the specifics and send your contact information through the form.

Okay to Spam, Bad to Fight it in North Dakota

Thursday, January 17th, 2008

I saw this article today and I thought it was just too amazing. So it turns out that in North Dakota one very technologically impaired judge felt that running a zone transfer, among other things, is illegal. David Ritz was attempting to shut down a spammer, using the normal tactics you’d expect to find out who was running the server, like looking at whois info, traceroute etc…. Oh no, not in North Dakota you don’t! He’s facing possible jail time for attempting to fight spam. Now there’s a twist for you! Isn’t there some sort of oversight for technically challenged judges? Or maybe a “I don’t know anything about this stuff, perhaps you should talk to Judge Bob about this instead, since he does” type system?

While Cynthia Rothe-Seeger’s (the district judge on this case) opinions are obviously technically questionable, given that many of these tools are written specifically to find public information (that means available for anyone, including anti-spam organizations), this could set a legal precedent that enables spammers to operate with near legal impunity out of North Dakota. Great. So if you or someone you are investigating is based out of North Dakota - I’d watch this lawsuit until this is settled. Talk about taking one giant leap backwards for mankind. So fierce is off limits to you North Dakotans!

Fortify Documentary

Friday, January 11th, 2008

You may have already read about this on Jeremiah’s site but the rumors about me being in a documentary are true. It’s a short one (only 20 something minutes, I think) but nevertheless. You can see a preview of it here. It’s trying to describe how serious the dangers of Internet insecurity are to the global economy. I thought it was really well done actually.

One thing I thought was hilariously ironic was a quote by Howard Schmidt (ex cyber security czar for the United States, who replaced Richard Clarke), “We should never ever ever be so arrogant to think that we’re not a potential victim or our data has not been compromised or that there’s not some adversary out there that’s just as smart if not smarter than we are who won’t be able to compromise that data.” Then the camera flashes back to me as he’s finishing his sentence. The irony being that I’ve actually briefly worked with Howard before. This industry is just too small sometimes! So there’s some funny editing work in there to point to me as the bad guy, but I’m not offended. Someone has to be the antagonist. Fortify is showing the documentary in three places around the world (SF, NY and London). It was fun!