un-excogitate.org


It’s not a vulnerability when it’s a feature!

So I just read about Vanishd on Lifehacker, and as far as I can tell they have found a legitimate use for UI Redressing (see RSnake, Jeremiah Grossman and the GNUCITIZEN mob). Just... wow! All the conflicting thoughts and emotions. I mean, finally I’ll have a way to look at porn at work through a peephole that will confuse my colleagues and bosses (and of course they will never, ever see it in their proxy logs!).

On the other hand, who’s to say they won’t slip a layer of their own in between mine (-2) and the fake PowerPoint slide I’m supposedly working on (0)? At the moment that is the only kind of vulnerability I can think of, but it is the same trick in reverse: whoever controls the stacking of layers controls what you see and what you click. All I know is there’s no way in hell I’d want to browse any site containing sensitive information through it!
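As an added example, not from this post and using response headers that did not exist in 2008, here is the server-side answer for a site that holds sensitive information: tell the browser the page may not be framed at all, so nobody can stack a layer over or under it. This is plain Go net/http; the handler, the path and the page content are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sensitivePage stands in for any page that shows or acts on sensitive data.
// (Hypothetical handler, constructed for this example.)
func sensitivePage(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body>Account balance: $1,234.56</body></html>")
}

// denyFraming wraps a handler so browsers refuse to render its responses
// inside a frame on another origin, which is the precondition for stacking
// an invisible layer over it. X-Frame-Options is the older header and
// frame-ancestors the CSP equivalent; sending both covers old and new browsers.
func denyFraming(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}

// framingHeaders performs one request against a handler and returns the two
// anti-framing headers it sent (empty strings when absent).
func framingHeaders(h http.Handler) (xfo, csp string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/account", nil))
	return rec.Header().Get("X-Frame-Options"), rec.Header().Get("Content-Security-Policy")
}

func main() {
	weak := http.HandlerFunc(sensitivePage)
	hardened := denyFraming(weak)
	xfo, csp := framingHeaders(weak)
	fmt.Printf("without wrapper: X-Frame-Options=%q CSP=%q\n", xfo, csp)
	xfo, csp = framingHeaders(hardened)
	fmt.Printf("with wrapper:    X-Frame-Options=%q CSP=%q\n", xfo, csp)
}
```

The unwrapped handler is the weak configuration: any page on any origin can frame it and position whatever it likes above it. The wrapped one is what a banking or webmail page should send.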

Posted by Christian Posted in: Privacy, Security, Web Development No Comments » 19 October 2008


Backup tapes are still storing data in the clear?

I shouldn’t be surprised, and I really shouldn’t be shocked at all, when this popped up in my Reader from www.pogowasright.org. Yet another lost backup tape:

We recently learned that individual employees violated established procedures during a routine exercise and lost some suppliers’ and other individuals’ data which was contained on a system backup tape. Our investigation indicates that some of your personal information, including your Social Security number, name, and address may have been included in the lost backup tape. However, it is important to note that absolutely no customer or guest data was exposed.

The article does state that they don’t know whether the tapes were encrypted (read: protected); I hope they were. As with my rant about using 2FA for online banking transactions (there are No Excuses), there is no excuse for not protecting backup tapes once they are handed over to a third party.

I’m fairly sure that most, if not all, backup software offers encryption, and that the same feature usually comes with compression. It’s like putting on armour that also makes you lose weight. One caveat: the compression has to happen before the encryption. Properly encrypted data is indistinguishable from random bytes and won’t compress, so software that does the two in the wrong order, or a compressing tape drive that is fed ciphertext, gives you the armour without the weight loss.
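To show the order-of-operations point rather than just assert it, here is an added example (my own code, not anything from the post or from any backup product) that writes a tape image both ways with Go’s standard library: gzip then AES-256-GCM, and AES-256-GCM then gzip. The sample records are constructed; the key is generated on the spot.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM returns an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gzipBytes compresses data at the default level; gunzipBytes reverses it.
func gzipBytes(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func gunzipBytes(data []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// seal encrypts and authenticates data, prepending the random nonce so that
// unseal can find it. unseal fails on any modification of the blob.
func seal(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, nil), nil
}

func unseal(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// compressThenEncrypt is the order that gives both protection and compression.
func compressThenEncrypt(key, plain []byte) ([]byte, error) {
	z, err := gzipBytes(plain)
	if err != nil {
		return nil, err
	}
	return seal(key, z)
}

// decryptThenDecompress restores a tape image written by compressThenEncrypt.
func decryptThenDecompress(key, blob []byte) ([]byte, error) {
	z, err := unseal(key, blob)
	if err != nil {
		return nil, err
	}
	return gunzipBytes(z)
}

// encryptThenCompress is the wrong order, kept only to measure the effect:
// ciphertext looks like random bytes, so gzip cannot shrink it.
func encryptThenCompress(key, plain []byte) ([]byte, error) {
	ct, err := seal(key, plain)
	if err != nil {
		return nil, err
	}
	return gzipBytes(ct)
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample: a repetitive export of the kind a tape would hold.
	plain := bytes.Repeat([]byte("Smith,John,123-45-6789,1 Main St,Springfield\n"), 500)
	good, _ := compressThenEncrypt(key, plain)
	bad, _ := encryptThenCompress(key, plain)
	fmt.Printf("plain %d bytes, compress-then-encrypt %d, encrypt-then-compress %d\n",
		len(plain), len(good), len(bad))
}
```

Run it and the compress-then-encrypt image is a small fraction of the plaintext while the encrypt-then-compress image is slightly larger than the plaintext. GCM also means a tape that has been tampered with fails to restore instead of restoring garbage; a key wrapped only by the same backup job that lost the tape is no protection, so keep the key somewhere the tape is not.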

Another thing I found interesting was the disclosure notification submitted to the New Hampshire AG, Kelly Ayotte. Only 8 days ago I read an almost identical document, also via Pogo, addressed to Ms Ayotte. It appears that when PII is lost, apart from the identity thieves themselves, the only people benefiting are the companies offering ID protection services, such as ID Experts.

The common services that ID Experts offered in these two instances were:

Does anyone know how effective these companies/services are?

Posted by Christian Posted in: Privacy, Profession, Risk, Security No Comments » 18 October 2008


Australian Gmail Link to Reader Is Broken

I’ve read about this somewhere before, but it is so frustrating that the link to Reader from the Australian Gmail doesn’t work, or doesn’t carry the authentication token correctly, or something. Stranger still, the localisation settings must live inside the app itself, because I’m not accessing https://mail.google.com.au; I’m accessing plain old https://mail.google.com.

I’m not sure where the fault lies, but I’ve noticed the following. When I’m logged into Gmail the Reader link at the top goes to http://www.google.com.au/reader/view/?tab=my, but as soon as the browser hits that URL I’m redirected to https://www.google.com/accounts/ServiceLogin?hl=en_AU&nui=1&service=reader&continue=http://www.google.com.au/reader/view/%3Ftab%3Dmy, where I’m prompted for my password again. But I’ve already entered my damn password, Google, why!? Note, too, that both the link and the continue parameter are plain http, not https.

On the other hand, if I open https://www.google.com.au/reader/view/%3Ftab%3Dmy directly I get SSL errors, at which point Chrome kindly reminds me that:

You attempted to reach www.google.com.au, but instead you actually reached a server identifying itself as www.google.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.google.com.au. You should not proceed.

Chrome is right to stop there: the certificate it was handed names www.google.com, not the host I asked for, and that is exactly what a man in the middle would look like, so it is not a warning to click through. So I’ve had to ungracefully add a shortcut in my browser (*gasp*, who uses those in the age of Reader Notes and Delicious!?) pointing to https://www.google.com/reader. That appears to be the only way to make it work without hassle.

Anyone in the US using GMail and Reader have any problems when they click the Reader link up the top of their GMail window?

Posted by Christian Posted in: Computers, Security, Web Development No Comments » 12 October 2008


Secure Software is Sexy

Secure software development practices excite me. Well, not physically, but mentally. So it’s with great pleasure that I’ve been reading a couple of really good articles on the subject. First up was the discussion about the SDL Pro Network, among other things (the SDL Optimisation Model and SDL Threat Modeling Tool 3.0).

The SDL Pro Network is:

“a group of nine industry-leading consultancies that specialize in application security and have been specially trained by Microsoft. These providers will guide and support organizations in implementing the SDL in their environments…”

This is exciting because I’ve often wondered how one would get help taking the SDL torch to the developers. It’s no surprise that people come up to Dave & Co. after executive briefings or TechEd asking for guidance. Hopefully these groups will be well represented down here in Australia.

The second article was by Andrew van der Stock on the upcoming “OWASP Top 10 Coding Standard”. I’ll only list the ten topic headings, but I definitely recommend reading the rest of the article.

1. Secure Development Lifecycle Best Practices
2. Secure Architecture and Design
3. Authentication
4. Access Control
5. Validation and Encoding
6. Data Protection
7. Securely Accessing Services
8. Accountability
9. Debugging, Testing and Maintenance
10. Testing and Assurance

As with the SDL Pro Network, I’m excited to see how this standard pans out.

I’m a firm believer that applying security at the front of the project life-cycle rather than at the end is the way to go. You decrease cost, (potentially) decrease complexity, decrease time, and the controls and other mitigations end up designed into the application rather than bolted on afterwards. What’s not to like?

Posted by Christian Posted in: Computers, Profession, Risk, Security, Web Development 8 Comments » 8 October 2008


Leveraging the Work of Others

When working on an information risk assessment, one of the first and most important tasks is to understand what assets we’re trying to protect and what it would cost the business if their confidentiality, integrity or availability were impacted. In most circumstances these aren’t questions that IT or the information security people can answer; the business has to. Unless the organisation is itself an IT organisation, an impact on those assets doesn’t normally land on IT directly but on the business. Impacts vary with the asset in question, and some assets are barely affected by a loss of confidentiality or integrity but heavily affected when they are unavailable.

So apart from asking the business what they believe the impacts are, what other ways are there to gather this information? If you’re fortunate you might get it from other sources, such as the fantastic people whose job it is to manage and deliver services to the business, the same people whose responsibility it is to monitor SLAs. If they are monitoring service levels closely (such as transactions within a commerce application), they will probably have metrics like: this application performs x transactions per day (or month, or year, whatever).

All of a sudden a loss of availability isn’t just a loss of service but a quantifiable value. If this application server goes down you lose x transactions per day; if each transaction brings on average $y profit, even better. You get the picture. Better still, your stakeholders can now be given a fairly clear indication of what a loss of availability over a given period will cost them.

While this scenario is great for costing impacts on availability, what does it do for loss of confidentiality or integrity? Not a lot, unfortunately. I just felt like giving big-ups to the people at work who have been doing a great job compiling more metrics about our applications than I can point a finger at!

Posted by Christian Posted in: Profession, Risk 2 Comments » 3 October 2008