web application security lab

Archive for the 'Random Security' Category

Firefox Security Model Growth

Tuesday, July 29th, 2008

Okay, I can bet I’m going to get a lot of flack for this post, so before I start, this is only my opinion and is not at all based on actual numbers. The only reason I’m putting a graph here is because I think it’s easier to visually explain. No numbers. Got it? Just opinion. Don’t get all excited here. Okay. Calm yet? Okay, now don’t start reading this post unless you intend to read the whole thing. Ready? Now you may continue reading the post.

The last post I made was describing just a small smattering of some of my personal Firefox woes around the add-ons that I use to personally secure myself from attacks that either I have helped create, or have seen in the wild. Now, truth be told, I use Firefox every day, due to the add-ons that it supports and the ease of testing webapps. And it’s with that that I’m disheartened by my sense of helplessness around updates.

So here’s what I feel is happening over time for security people (not for the regular everyday casual web surfer, but indeed, hardcore security folks, like most of the people who read this site). Over time there are upgrades. Those upgrades fix a number of holes, and introduce a few others. They also break the add-ons. Those add-ons help fix the broken browser security model. Therefore, for the likes of me and the vulns I actually am affected by, my security is reduced with each new major revision of the browser, making it look something like this:

Firefox security model over time

Sure, the overall security is trending up with time, but there are major gaps in my perceived security while developers catch up to the new codebase. While the numbers and timelines may be way off, the concept (for me at least) is right. I don’t personally see any immediate major benefit from the browser changes - only negative. With time, sure, things get better, but I happen to be in a particularly bad security slump at the moment right there on the right-hand side of the graph. The exploit code that I may have been at risk of, for the most part, is neutered by the add-ons, until they stop working. So which is it? Am I trusting the browser to evolve faster than the add-ons or vice versa?

Firefox’s model has always been, “Feel free to contribute, it’s open source!” While this is great in theory, a) My programming skills get me by and not much more - you don’t want my code in your browser holding the Internet together, trust me b) I don’t have access to all the security bugs - most of the worst of which are hidden from view on bugzilla for only a very small select few people to view and c) there are very few people who have the ability to commit code let alone to fix other people’s add-ons.

It’s tempting to get overwhelmed by the helplessness of it all, but then I just remember that none of these plugins fix things like CSRF, which helps me ignore that particular issue. So then I just go home and cry myself to sleep. Okay, now rant away, but if you mis-quote me or fail to read everything before commenting, so help me, I’ll make fun of you senselessly.

How I Lost a Contest Involving Chihuahuas

Wednesday, July 9th, 2008

So my lovely gfnd’s co-worker enrolled her pet Chihuahua into a contest to rate the dog against others of the same breed in the local area. Vaguely amused, I took a look at the web application and sure enough, it pretty much sucked. The developers had used client-side code in Flash to make it so that you couldn’t submit twice, but by reloading the app you could (and that’s how the newbs in her office were cheating). I, however, looked at what data it was sending and sure enough I could send votes by bypassing the client side app entirely. I took the cheating to a whole new level.

So I gave the dog 100 votes just for good measure. My gfnd and her office mates were amused and asked me to up it to 1000. Sure, no sweat. The next closest Chihuahua was in the 50-60 range, which I found by writing a quick scanner to dump all the results for all the other dogs. So I figured we pretty much had this whole thing sewn up. With the 700 votes all of her co-workers had managed to generate, plus my 1000, we were an order of magnitude higher than the next competitor. I could see it already - my gfnd’s co-worker’s Chihuahua would be named Chihuahua supreme, there would be dancing in the streets, songs would be written… The whole nine yards.

Little did I know how fierce this whole Chihuahua community is, and right before midnight on the night that the contest closed some other hacker did the exact same thing - but took the number one spot above my pick. Alas, had I checked the scores leading up to the closing moments of the contest my Chihuahua could have easily won that contest. I guess if I cared more about Chihuahua contests, I might have put more thought into it. But in the end it’s just another amusing story. Props go to whomever managed to out haXor my Chihuahua contest haXoring!

I think we all can see how similar high profile and more important contests (or elections) could be tampered with. Maybe Chihuahua contests don’t rank high on your visibility scale, nor mine typically, but despite the silly consequences of tampering with Chihuahua contests, it’s a small window into a much more dangerous issue. I hope everyone had a good 4th and Canada day!
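The contest above failed because its only "one vote per person" check lived in the Flash client, so anyone who replayed the underlying request could vote as often as they liked. The following is an added example, not the contest site's code: a tally that trusts the client's "first vote" flag beside one that keeps the vote record on the server. The VoteRequest shape, the server-issued voter_id, and the rate-limit numbers are assumptions.

```python
"""Server-side vote enforcement: a tally that trusts the client's "first vote"
flag beside one that keeps its own records.  Added illustration, not the
contest site's code; VoteRequest fields, the voter_id identity and the
rate-limit numbers are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class VoteRequest:
    entry_id: str                        # which dog the vote is for
    voter_id: str                        # server-issued identity (login/session); assumed
    source_ip: str                       # client address as seen by the server
    client_says_first_vote: bool = True  # flag a Flash front end would set; attacker-controlled
    ts: float = 0.0                      # arrival time in seconds


@dataclass
class NaiveTally:
    """Mirrors the described app: the only 'one vote' check lives in the client."""
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def vote(self, req: VoteRequest) -> bool:
        if not req.client_says_first_vote:
            return False                 # trivially bypassed by replaying the request
        self.counts[req.entry_id] += 1
        return True


@dataclass
class EnforcedTally:
    """Same endpoint with the checks moved server-side."""
    counts: dict = field(default_factory=lambda: defaultdict(int))
    seen_voters: set = field(default_factory=set)
    ip_times: dict = field(default_factory=lambda: defaultdict(list))
    rate_limit: int = 5                  # max accepted votes per source address per window
    window: float = 60.0                 # seconds

    def vote(self, req: VoteRequest) -> bool:
        # 1. One vote per server-side identity, whatever the client claims.
        if req.voter_id in self.seen_voters:
            return False
        # 2. Per-address rate limit as a backstop against scripted submissions
        #    that each carry a fresh identity.
        recent = [t for t in self.ip_times[req.source_ip] if req.ts - t < self.window]
        if len(recent) >= self.rate_limit:
            self.ip_times[req.source_ip] = recent
            return False
        recent.append(req.ts)
        self.ip_times[req.source_ip] = recent
        self.seen_voters.add(req.voter_id)
        self.counts[req.entry_id] += 1
        return True


def replay(tally, req: VoteRequest, n: int) -> int:
    """Resubmit one captured request n times; returns how many were counted."""
    return sum(1 for _ in range(n) if tally.vote(req))


def scripted_burst(tally, entry_id: str, ip: str, n: int) -> int:
    """n submissions from one address, each with a distinct voter id, at the same instant."""
    return sum(1 for i in range(n)
               if tally.vote(VoteRequest(entry_id, f"voter-{i}", ip, True, 0.0)))
```

Replaying one captured request a thousand times is counted a thousand times by NaiveTally and once by EnforcedTally; a burst of fifty submissions with fresh identities from one address is capped at the rate limit. The identity check is the real control; the per-address limit only slows down the case where identities are cheap to mint, which is why contests that matter tie votes to something harder to forge than a session.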

Searchable SWFs

Tuesday, July 1st, 2008

I got forwarded this link today from businesswire about how Google and Yahoo are now going to be armed with the information necessary to look at and extract information out of SWF files. Ho-boy, here we go. The link was sent to me with the “bad juju” caveat, and I’m pretty sure I agree.

The problem is, like anything, if the search engines start pulling down rich applications that actually interact with the web application, there are untold issues that could arise. For instance, Flash applications have quite a few rich features in them, and some of those could be dangerous if they interact with back end applications. Also, if the word “test” appears in a Flash movie, does that mean it should get indexed? Or is it a frame that’s not visible, or off the side of the page, or whatever? What if it takes ten minutes to find that particular line of text or dozens of sub-menus? Are people really going to sit for that?

Do people really want to load a Flash movie when they query for things? I know I sure don’t! I’m already annoyed when I get linked to PDF files or .docx files. I think this just takes searching to a new level where people don’t actually want to go. Instead of crawling deeper and refining their search, the search engines are going to new mediums to stave off the people (like myself) who have argued that Flash isn’t a good medium for accessibility, usability and SEO. SEO is going to be off the table soon enough, leaving accessibility and usability.

But seriously, what’s next? Are the search engines going to decompile Java applets looking for text? As a side note, this should, at least in the short term, lead to a new round of Flash hacking, once it goes live. I’ll give a tee-shirt to the first person who writes a Google dork for internal Flash text that leads to exploitation.

Flying Woes

Monday, June 2nd, 2008

I’m with Bruce Schneier. I never really spent enough time on airplanes to be particularly annoyed by the entire process until last year. I actually wrote the majority of this on a flight to Las Vegas for the SANS conference today as a matter of fact. While cumbersome and obnoxious in many ways, I’ve managed to isolate myself from the majority of those annoyances with things like offline email (won’t offline-enabled JS apps rock your world - you’ll be able to hack as you fly!), mp3s and noise canceling headphones. Further, packing light (see onebag.com) makes my life just a lot easier.

But, and here comes the big but, why in this day and age are we still turning off portable electronic devices as we take off and land? The stewardess was making a joke that that includes wristwatches, pacemakers and hearing aids. I inadvertently left my cell phone on during a flight last year; we must have narrowly escaped our death on that one. Somehow the terrorists haven’t figured out this critical weakness in our security yet though, thankfully. Anyway, sarcasm aside, I’m with Bruce.

Some of these rules and security precautions are just complete nonsense. A knife that’s 3 1/2 inches is fine, but four inches and you’re a terrorist! Thankfully, I don’t really look like a trouble maker, if you could even articulate what a trouble maker did look like. So in all but one occasion I have managed to escape the involuntary TSA rub-down. All they’re missing is the oil and the sleazy seventies music!

Anyway, I’m speaking at SANS in Vegas then flying to Orlando for GFIRST/US-CERT and then to Denver for OWASP. I’ll get plenty of chances to be annoyed by the safety threat that I present by using noise canceling headphones between now and then I’m sure.

I’m not exactly sure why, but this reminds me of when I was doing a speech for the OWASP chapter in Minnesota. It was on a University campus. Being nice enough to host the event, they also gave us an AV person. The AV person decided that I was an idiot upon only looking at me and made it clear that I shouldn’t touch her computers, yet she didn’t have anything installed despite saying she had MS Office, the projector was having problems, and it was clear she was pretty clueless. Yet she was still obviously annoyed at my gentle questioning. My friend was ready to rip her head off and was surprised I didn’t tell her who I was and where to shove her attitude. Sometimes it’s better to let people think they know what they are doing until they prove to themselves that they don’t. She eventually gave up and let me do it myself (my own laptop and a non-faulty cable later and we were up and running). I’m still waiting on the airline industry to come to the same conclusion as our beloved AV maiden.

Lifelock CEO Gets Identity Stolen

Friday, May 23rd, 2008

I got sent this link today and I actually laughed out loud when I saw it - Todd Davis (CEO of LifeLock) had his identity stolen. I completely understand and can feel for the poor CEO who probably genuinely thought that his company could protect from all forms of identity theft, but the harsh reality is it didn’t. My favorite quote from the article:

“There’s nothing to indicate my identity has been successfully compromised other than the one instance.”

Other than the one instance, that is, but it was just that once. Annnyway, the biggest problem I have is with the $1,000,000 protection they have, which, unfortunately, has absolutely nothing to do with the kind of thing that Davis faced. It has to do with technology breakdowns in the system - a far less likely occurrence.

Our service guarantee is simple, but it is limited. We will pay up to $1,000,000 to cure the failure or defect in our service…

Not only that but on their site it’s highly deceptive:

What LifeLock doesn’t stop, they fix at their expense up to $1,000,000.

Nooo… what Lifelock doesn’t stop you are on your own for. It’s too bad, because I really wish this company were squeaky clean. There are so many people who actually could benefit from it. Maybe if Davis just hadn’t plastered his information all over the place…

What Was Your Epiphany?

Friday, April 25th, 2008

A few weeks ago at RSACon I sat down with Amit Klein and asked him one question that I’ve wanted to ask for a long time. I wanted to know if there was one defining moment in his past that suddenly opened his eyes. More specifically, some event that made him realize that he had stumbled upon knowledge that would lead him down a path that only a very select few would ever travel. I wanted to know that one cathartic event that made him realize the web was extremely vulnerable. I wanted to know this because I wanted to know if there was a common thread between him and some of the other experts in the field.

Amit took his sweet time thinking of a good answer, of course telling me all the while that there was no single defining moment and that the question was harder than it sounds. Yes, yes, Amit, but out with it! He finally began to tell me about the first time he messed with a binary. He went in with an editor and changed one word. Expecting it not to work, he ran it, and sure enough it did. To him it was totally amazing that it would work, and suddenly, he realized that there were probably a lot of exploitable things out there similar to that. He also told another story about how he had read the HTTP spec and realized you could put a newline in front of the first line of the HTTP request, which in the future would eventually lead to exploitation.

So then I asked the same question of Dinis Cruz:

I can probably point to three key moments:

- the first was when I was the CTO of a university and one of the campus’ IT guys showed me how he was able to access (over the internet) another campus internal network (via a remote shell delivered via one of the earlier IIS exploits)
- the 2nd was when I read back to back the first Hacking Exposed book and really got an understanding of network and application exploitation
- the 3rd was when I realized that my programming background (ZX Spectrum generation, Assembly programming on Amiga/x86, etc.) really allowed me to ‘understand’ Application security (vs network security) AND to write exploits

Jeremiah Grossman also gave his story:

For myself it started almost immediately when I began developing web applications many years ago. I read all the books, walked through the examples, and built websites. Being the natural prankster that I am, I immediately saw how others could potentially screw around with the way my application worked, post offensive stuff, and just generally cause a poor user experience. At the time I didn’t even know to call it "security", it was just something that could be done to a webapp. The AHA moment came when I got the feeling that my code was no better or worse than anyone else’s. :)

As I just passed my 800th blog post mark, I realized I had never talked about my moment either, and what better way to talk about it than to talk about other people’s moments as well. Mine was a very vivid point in time in my memory. I had read the HTTP spec and knew the basic principles of how it worked, but one day I followed some guide and telnetted to port 80 for the first time and started typing in commands. The first time I saw a flood of headers fly by my screen was like getting hit in the face with a brick. I just couldn’t deny how powerful that knowledge was and how broken everything must be if it was that simple. I know most people look at HTTP and kinda shrug their shoulders, but for me it was an awakening that made me realize that there is almost no end to the potential and danger that it allows.

I don’t know that I can point to any one particular thread between these experts, but I do know that the net effect was the same. The realization that everything is vulnerable is a pretty profound concept. So? What’s your story?

Join a Religion Via CSRF

Thursday, April 3rd, 2008

Okay, I waited long enough to tell this story, but it’s funny enough that it’s worth it. At SOURCE Boston, Jeremiah, Mark Kranack and I were sitting around talking and apparently at one point long ago he had started a religion. The religion was simple, all you had to do was accept Mark as your god and that’s that. No fees, no prayers, no nothing, just accept him as your god. You don’t even have to do it on purpose; one guy joined by accident as a matter of fact by inadvertently saying that Mark was his god as he described it. There’s no way to get kicked out of his religion and nothing really special about it in any way beyond the religious leader, of course. You can still find a reference to it on the internet archive.

Then we got to talking and laughing and ultimately came up with the CSRF joke of all time. We could get tens of thousands, maybe hundreds of thousands, or even millions of people to join through CSRF via images to forms on MySpace, or what have you. You see, there is a bit of a bug in the acceptance program of Kraynackism. You don’t have to necessarily “say” that Mark is your God it turns out, you just have to somehow indicate it to him, either intentionally or inadvertently as we saw with his friend. We could turn Kraynackism into the fastest growing religion the world has ever seen! You could be a member right now and you wouldn’t even know it!

It’s funny but it’s less funny when you talk about getting people arrested in China as we talked about a long time ago or of course going to jail for child porn, etc… Funny and scary all at the same time.
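The joke works because an image tag or an auto-submitted form on any third-party page can fire a request that the application treats as a deliberate "join". What a join endpoint has to check before it accepts a membership change is shown below, as an added example rather than anything from the site in question: reject state changes on safe methods, compare the request's Origin (or Referer) against the application's own host, and require a per-session synchronizer token that a cross-site page cannot read. SITE_HOST, the Request and Session shapes, and the field names are assumptions.

```python
"""CSRF gate for a state-changing 'join' endpoint.  Added illustration, not the
site's code: SITE_HOST, the Request/Session shapes and the field names are
assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_HOST = "kraynackism.example"            # assumed: the application's own host
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    # Per-session synchronizer token, embedded in the site's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict


def origin_host(headers: dict):
    """Host named by Origin, falling back to Referer; None if neither is present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def accept_join(req: Request, session: Session):
    """Return (accepted, reason) for a membership change."""
    # A GET fired by <img src=...> on a third-party page must never change state.
    if req.method not in STATE_CHANGING:
        return False, "state change attempted via a safe method"
    # A form auto-submitted from another origin names that origin here; a request
    # carrying neither header is rejected rather than waved through.
    host = origin_host(req.headers)
    if host != SITE_HOST:
        return False, f"cross-site request from {host!r}"
    # The attacker's page cannot read the victim's token, so a forged form lacks it.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"
```

The three checks are layered on purpose: the method check kills the image trick outright, the origin check catches forged POSTs from browsers that send Origin or Referer, and the token check covers the case where neither header arrives or a proxy strips them. Setting the session cookie with a SameSite attribute adds a fourth layer in modern browsers, but the token remains the check the server can verify on its own.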

A Funny Look Into Our Future

Friday, March 28th, 2008

I was having our weekly cigar meeting with the local security guys when we stumbled across a pretty funny thought. There’s a pretty good paper put out by Cybersource about trends for 2008 which has a graph showing that, as a percentage of online transactions, fraud was dropping. Whoah! That’s not what I expected to hear. But on closer examination that’s a red herring, because total fraud is still increasing at the same rate it always has. Not so good after all, it just means consumer spending is outpacing the bad guys. That makes it worth being in the business of online retailing, but spending will eventually taper off with population growth.

The funny part of the story is what if all the consumers finally hit a tipping point where they just decided to go home and stop using the Internet completely? What if we just had bad guys trying to phish bad guys, and spammers just trying to spam other spammers? What would the Internet be when every page was a scam and every person on it was desperate for money because all the people who they wanted to scam went outside to go play in the grass? A funny thought! Hey, we were having cigars, sue us for getting a little off topic!

DoSing the DDoSer

Tuesday, March 4th, 2008

Well, it was a long Sunday. I was planning on going and hitting some balls on the golf course, but no, instead I spent the better part of the day dealing with a DDoS attack. Before it was completely killed 73 IPs were used to perform a flood of GET requests against sla.ckers.org. Thankfully we were able to thwart the attack by writing some tricky software to detect the attack and firewall it. But it was still the better part of a day dealing with it.

The end result was we found the attacker (the owner of www.au-p2p.info who apparently was made fun of at some point a year ago on the board). When pride goes too far, eesh! More on this user here. Cyberhacker665 is in at least some way affiliated with or owns evilzone.org. The attacker did a vanity search for himself before initiating the attack. The original IP was tracked back to the attacker’s ISP, who was sent an abuse email and now the user is offline for the time being. We effectively DoSed the DDoSer. It’s too bad, I had long forgotten about that post - apparently he hasn’t.

This wasn’t the first high volume traffic incident we’ve received (we’ve been slashdotted several times, and reached the front page of Digg and Reddit as well) and we get tons of attacks per day. But this was probably one of the worst. Just another day on ckers.org… Golfing would have been better use of a Sunday, even if I suck at it.
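The detect-then-firewall step described above, as an added example that is not the software written for sla.ckers.org: parse combined-format access-log lines, track each source address's GET count over a sliding window, flag the ones that exceed a threshold, and render drop rules for them. The log lines are constructed, the threshold and window are assumptions, and the addresses come from the RFC 5737 documentation ranges rather than any real attacker.

```python
"""GET-flood triage over access-log lines.  Added illustration, not the tool used
on sla.ckers.org: the log lines are constructed, the threshold and window are
assumptions, and the addresses are RFC 5737 documentation addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-format line: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flood_sources(lines, threshold: int = 20, window_s: int = 10) -> dict:
    """Map each source address to its peak GET count within any window_s-second
    window, keeping only addresses whose peak exceeds threshold.  Lines are
    expected in time order, as a live tail delivers them."""
    recent = defaultdict(deque)    # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                # drop hits that fell out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def firewall_rules(flagged: dict) -> list:
    """Render one drop rule per flagged address (iptables syntax, as an example)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def make_sample_log() -> list:
    """Constructed sample: three scripted sources hammering one page, one ordinary visitor."""
    base = datetime(2008, 3, 2, 14, 0, 0, tzinfo=timezone(timedelta(hours=-6)))
    events = []
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        for i in range(30):                        # 30 hits in 4.5 seconds each
            events.append((base + timedelta(milliseconds=150 * i), ip, "/forum/index.php"))
    for i in range(5):                             # one hit every 12 seconds
        events.append((base + timedelta(seconds=12 * i), "203.0.113.5", f"/forum/thread{i}.html"))
    events.sort()
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
            for ts, ip, path in events]


if __name__ == "__main__":
    flagged = flood_sources(make_sample_log())
    print(flagged)
    print("\n".join(firewall_rules(flagged)))
```

On the constructed sample the three scripted addresses peak at 30 GETs inside a 10-second window and get rules; the visitor who loads a page every 12 seconds never exceeds one hit per window and is left alone. The sliding window is what keeps the check honest in both directions: a burst is caught within seconds rather than after a per-hour total accumulates, and a heavy but legitimate reader is not blocked for a slow day of browsing. The rule renderer only prints commands; wiring it to a real firewall is a separate decision, and anything behind a shared NAT deserves a look before its address is dropped.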

Certification for Web Application Security

Thursday, February 28th, 2008

Anurag is the man behind a new web application security certification. Offered as a joint WASC/SANS cert, it’s aiming to be the de facto web application certification program for people in our field. Regulating the industry may not be all that bad of an idea, given that I see more bad security people than good. But beyond that it’s cool to see the industry growing up to where it needs full fledged certification.

Anyway, if you want to have some input on things that you’d like to see in the cert, now’s your chance. Click the link above and go to his surveymonkey link and spend a few minutes filling it out if this is at all interesting to you. Speak now or forever hold your peace.

Now the real question is, I wonder if I’ll pass this cert. ;) Hey, Anurag, can I get some sort of an exemption? I never was very good at test taking!