Tuesday, November 24, 2009

OWASP 2009 India Notes

I was at the OWASP Asia AppSec conference last week. It was awesome, with great speakers and a great crowd.

It was my first application security conference, and it had a good mix of application security topics and other information security and privacy related stuff.

I also found a good mix of attendees, both developers and core information security folks. I was particularly impressed not only by the sheer number of people from the development community who attended this conference but by the amount of knowledge and understanding this group possessed in the field of information security. I have blogged about the need to make applications more secure and the need for secure development and testing, so it was great to see the support and understanding. I think it is an extremely good sign for India and Indian companies.

There were not many vendor booths. I am not sure if it was intentional, and I did not get a chance to ask the organizers.

SANS had a booth and it was great to hear that they are going to start some of their courses in India in the coming months; they already had 3 courses as part of this conference. Suresh, who is the MD for Asia Pacific, told me that they are going to have two courses in Bangalore in February 2010.

Here are the notes from some of the talks I attended.

How to Blackbox test almost anything - Aviram Jenik

  • The majority of today's vulnerability discovery is through blackbox testing, also known as fuzzing.
  • Blackbox testing is about testing inputs.
  • Inputs are the biggest problem and are mostly ignored by developers.
  • Testing proper inputs solves the majority of the problems.

Threat modeling - Varun Sharma

  • Threat modeling is a repeatable process to find and address all threats to a product.
  • The best time to identify threats and remediate them is at the design stage.
  • Create a data flow diagram first and update it when changes are made.
  • For mitigation, use standard and common mitigation steps.
  • Validate thoroughly.
  • The SDL threat modeling tool is one of the tools provided by Microsoft to help identify threats and mitigation steps.

Privacy in Security - Dr. PK

I thought this was the best talk. I am biased because "privacy" is one of my favorite topics and also because the tools that he discussed in the talk were familiar to me; I had blogged about one of them, the phishing game, back in October. Dr. PK talked about some of the privacy concerns and specifically about the non-availability of empirical data on privacy losses in India. He also talked about both the human side and the technology side of phishing and discussed some of the tools that were part of his research.

Ten things web developers still aren't doing - Frank Kim

Frank talked about some of the common web programming techniques that can easily be implemented. Some of his tips were:
  • Use well known validation code such as OWASP ESAPI
  • Perform proper canonicalization
  • Perform output encoding and escaping
  • Employ strong passwords
  • Use CSRF guard from OWASP


Friday, November 20, 2009

OWASP 2010 RC

OWASP has released the release candidate of the new version of the Top 10. It is now moving from a vulnerability-based to a risk-based rating system. Instead of identifying the vulnerabilities, it tries to portray the attack vectors, the security weaknesses, and the real impact. Once we have all these relevant details, the missing piece to identify the organization's specific risk is the value of the asset.


One of the changes that I wanted to see, configuration weakness, has been included in this. It is one of the most prevalent issues today: an organization may have very secure code, but if it allows insecure HTTP methods like DELETE or MKCOL in IIS, then it is a welcome message to the hackers.
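As an added illustration (not part of the original post or any OWASP material), the Python check below reads an IIS `web.config` and reports which of the methods named above would still pass request filtering. It assumes IIS 7-style `<requestFiltering><verbs>` rules; both sample configurations and the function name are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: unlisted verbs pass, only TRACE is denied.
WEAK = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="true"><add verb="TRACE" allowed="false" /></verbs>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed sample: allow-list of the verbs the application needs.
HARDENED = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="false">
    <add verb="GET" allowed="true" />
    <add verb="HEAD" allowed="true" />
    <add verb="POST" allowed="true" />
  </verbs>
</requestFiltering></security></system.webServer></configuration>"""

VERBS_PATH = "system.webServer/security/requestFiltering/verbs"

def verbs_let_through(web_config_xml, verbs=("DELETE", "MKCOL")):
    """Return the verbs from `verbs` that the request-filtering rules do not block."""
    node = ET.fromstring(web_config_xml).find(VERBS_PATH)
    allow_unlisted = True   # IIS default when <verbs> or the attribute is absent
    explicit = {}           # verb -> True (allowed) / False (denied)
    if node is not None:
        allow_unlisted = node.get("allowUnlisted", "true").lower() == "true"
        for rule in node.findall("add"):
            # Assumption: a rule with no "allowed" value is treated as permissive.
            explicit[rule.get("verb")] = rule.get("allowed", "true").lower() == "true"
    # An explicit rule wins; otherwise the allowUnlisted setting decides.
    return [v for v in verbs if explicit.get(v, allow_unlisted)]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, verbs_let_through(cfg))
```

A verb that passes request filtering is only a candidate finding: whether the server acts on it still depends on the handlers and modules installed.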


This release added "unvalidated redirects", which is a redirection of pages. Even though it is a considerable risk, it is difficult to exploit; I would have kept "improper error handling" right there.
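To make the new "unvalidated redirects" item concrete, here is an added Python example (not from the original post or from OWASP) of validating a redirect target before it is used. The host name `app.example.test`, the fallback path and the function name are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.test"}  # assumption: hosts this site may redirect to
FALLBACK = "/"                        # assumption: safe landing page

def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return target if it is a local path or an allow-listed http(s) URL, else FALLBACK."""
    # Empty values, backslashes (browsers read them as "/") and control or
    # whitespace characters (header splitting, parser confusion) are refused.
    if not target or "\\" in target:
        return FALLBACK
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
        host = parts.hostname   # excludes userinfo and port, lower-cased
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Local path: exactly one leading slash. "//host" and "///host"
        # are resolved by browsers as another site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    if parts.scheme in ("http", "https") and host in allowed_hosts:
        return target
    return FALLBACK

if __name__ == "__main__":
    # Constructed inputs for illustration.
    for t in ("/account/settings?tab=1",
              "https://app.example.test/welcome",
              "//evil.example/login",
              "https://app.example.test@evil.example/",
              "/\\evil.example"):
        print(repr(t), "->", safe_redirect_target(t))
```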


Major changes are given below.  


1) We clarified that the Top 10 is about the Top 10 Risks, not the Top 10 most common weaknesses. See the details on the "Understanding Application Security Risk" page below.

2) We changed our ranking methodology to estimate risk, instead of relying solely on the frequency of the associated weakness. This affects the ordering of the Top 10 somewhat, as you can see in the table below.

3) We replaced two items on the list with two new items:

  • + ADDED: A6 - Security Misconfiguration. This issue was A10 in the Top 10 from 2004: Insecure Configuration Management, but was dropped because it wasn't thought of as a software issue. However, from an organizational risk and prevalence perspective, it clearly merits re-inclusion in the Top 10, and so now it's back.
  • + ADDED: A8 - Unvalidated Redirects and Forwards. This issue is making its debut in the Top 10. The evidence shows that this relatively unknown issue is widespread and can cause significant damage.
  • - REMOVED: A3 - Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications with this problem. PHP is now shipped with more default security, lowering the prevalence of this problem.
  • - REMOVED: A6 - Information Leakage and Improper Error Handling. This issue is extremely prevalent, but the impact of disclosing stack trace and error message information is typically minimal.


Note that this is only a release candidate and you are welcome to submit your comments to the OWASP team.

Sunday, November 15, 2009

Information Security Conferences in India

After moving to India last year, one of my priorities has been to look for networking opportunities and conferences in the information security space. I will have my first opportunity this week when I attend the OWASP AppSec conference in Gurgaon, near Delhi. AppSec India consists of a two-day conference, which covers various topics, and two days of training. SANS conducts 3 separate training tracks, two in the development track and one in the audit track.

If any of the blog readers are going to be attending, I hope to meet you there.

Another conference that is coming up in November is the NASSCOM DSCI Information Security Summit 2009. 


From time to time I will post other conferences and networking opportunities that come along in my inbox.

Saturday, November 14, 2009

SMB zero day affecting Win 2K3, XP, Vista, 7, and 2K8

Laurent Gaffie, a security researcher, identified a DoS vulnerability affecting the SMB protocol. This is basically a DoS vulnerability: it causes the target machine to freeze and become unresponsive. A reboot is the only way to recover from this. Read more about this on his blog.

Microsoft published an advisory, which gives the workaround as blocking TCP ports 139 and 445 at the perimeter firewalls. Microsoft also confirmed that this vulnerability cannot be used to take control or install malicious software.

SANS handlers also tested this vulnerability; read about it here.

Friday, November 13, 2009

Another Microsoft software testing tool

I wrote about the CAT.NET tool earlier in a blog entry; it performs static analysis of .NET code. The signatures it uses check various parameters in the .NET code. Microsoft released another tool to check web applications using the same set of signatures. This new tool, WACA CTP, can be used to scan web applications; its signatures consist of around 100 IIS, ASP.NET and SQL Server settings.


Microsoft has developed a variety of tools to help developers and testers identify vulnerabilities. It is up to the organizations and the application development teams to take the lead and implement secure coding and testing practices. There is no excuse not to do it.

Wednesday, November 11, 2009

First iPhone worm

This week's big news was about the iPhone worm, which changes the iPhone's wallpaper. It affects only "jail-broken" iPhones. It may not be a dangerous worm, but the same technique could be used for various malicious purposes, including data leaks.

What is the vulnerability?

Jail-broken iPhones have the SSH daemon enabled by default and these phones have a default root password. So, jail-broken phones with an unchanged root password are vulnerable to this.

How does the worm spread?

The worm spreads by scanning for other iPhones in the local IP address range. The scan looks for an SSH daemon and, if it finds one, tries to log in using the default password. After compromise, it copies an image file to replace the default wallpaper image. Note that the same attack vector can be used to leak data, plant other programs, etc.
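From a network defender's side, the scanning described above shows up as one local address opening SSH connections to many neighbours in a short time. The Python example below is added for illustration and is not part of the original post; the flow-record format `(timestamp_seconds, source, destination, destination_port)`, the thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict, deque

def ssh_fanout(flows, window=60, threshold=5):
    """Return {source: max distinct port-22 destinations within any `window`
    seconds} for sources that reach `threshold` or more."""
    recent = defaultdict(deque)   # source -> (ts, dst) pairs inside the window
    worst = defaultdict(int)      # source -> largest fan-out observed
    for ts, src, dst, dport in sorted(flows):
        if dport != 22:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        worst[src] = max(worst[src], len({d for _, d in q}))
    return {s: n for s, n in worst.items() if n >= threshold}

# Constructed flow records for illustration.
SAMPLE_FLOWS = (
    # One host sweeping eight neighbours on port 22 within eight seconds.
    [(t, "192.168.1.23", f"192.168.1.{t + 1}", 22) for t in range(8)]
    # An administrator's machine: two SSH sessions five minutes apart.
    + [(0, "192.168.1.5", "192.168.1.10", 22),
       (300, "192.168.1.5", "192.168.1.11", 22)]
    # Busy HTTPS client: many destinations, but not SSH.
    + [(t, "192.168.1.40", f"192.168.1.{t + 50}", 443) for t in range(10)]
    # Slow SSH activity: six destinations spread over more than twelve minutes.
    + [(t * 150, "192.168.1.60", f"192.168.1.{t + 100}", 22) for t in range(6)]
)

if __name__ == "__main__":
    print(ssh_fanout(SAMPLE_FLOWS))
```

The window and threshold need tuning per network: a slow sweep stays under a 60-second window, which is why the last sample source is only reported when the window is widened.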

How to remediate this vulnerability?

If you have a jail-broken iPhone, change the password immediately; follow the instructions provided in this article.

Sunday, November 1, 2009

FTC extends Red Flag Rules deadline

The US Federal Trade Commission (FTC) has extended the enforcement deadline of the "Red Flag Rules" until June 1, 2010. 


The Red Flags Rule requires all creditors and financial institutions that have “covered accounts” to have an identity theft prevention program to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. According to the FTC, a "covered account" is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. "Covered accounts" include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.


If your organization has not started the compliance efforts, this is a good time to start.


Update: The how-to guide is available here: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf