Archive for the 'Security' Category

Countdown…

Posted in Geekery, Security on August 4th, 2008

RSA, as many of you may have heard on other blogs, was a silly rehash of vague promises of ‘securing your enterprise’ and ‘vertical security’, without anyone actually being willing to put on their material what their products did and didn’t do. I don’t like it when I look at a booth and see nothing that indicates what technology or technologies are being sold. If you’re a VPN product, tell me you’re a VPN product; don’t advertise as “securing your remote users”. It’s way too vague, and on top of that, it’s probably not true.

Tomorrow I depart for Blackhat and defcon. I expect to see no fluff, no vague promises of security as a service, or other over-generalized hogwash as an attempt to lure me in and waste my time on a product space that either I’ve already bought, already discarded, or have been told I have no budget to purchase. I do expect some vendors, providing parties (yay!) and useful information about their products. I expect some excellent talks (anyone that hasn’t heard that Dan Kaminsky will be talking about the DNS flaws at blackhat has been living under a rock for too long) on a wide range of topics, some of which will not be of interest and some of which will undoubtedly be way over my head (but I like the feeling of drowning in information technology overload).

For the first time, one of my co-workers will be in attendance, and my boss. Oh joy.

My plan is to post some highlights of things that especially catch my attention. Hopefully you’ll find them as interesting as I do or did when I see them. (What is the correct tense when talking about things in the future that will be in the past when you will be talking about them?)

Robust Programming

Posted in Security on January 23rd, 2008

I was perusing some job descriptions recently, and ran across the interesting phrase “robust programming”.

The way it was used in the job description suggested it meant more than my first thought on the topic. Robust meaning sturdy and able to withstand change, I took it to mean a form of fail-safe programming: the practice of writing programs to gracefully and properly handle errors, and in a fashion that makes them difficult to break. Being curious, I went out into that great big research resource (aka The Internet) and did a couple of searches to see if I could find more information.

Of course, I did.

First stop, wikipedia:

In computing terms, robustness is the resilience of the system under stress or when confronted with invalid input. It is the ability of the software system to maintain function even with the changes in internal structure or external environment. For example, an operating system is considered robust if it operates correctly when it is starved of memory or disk storage space, or when confronted with an application that has bugs or is behaving in an “illegal” manner, such as trying to access memory or storage belonging to other tasks in a multitasking system.

Ages ago, when I was learning object oriented programming for the first time, I recall learning about Parnas’ Principle which states:

  • The developer of a software component must provide the intended user with all the information needed to make effective use of the services provided by the component, and should provide no other information.
  • The developer of a software component must be provided with all the information necessary to carry out the given responsibilities assigned to the component, and should be provided with no other information.

So both sides of an object, a function, a method, a procedure, a program, etc. should give the other side all the information it needs to take the expected action, and only that information. This fits in very well with security models: only tell them what they need to know to do what they are supposed to do, and only accept the information that is necessary for the action.

In my searching, I ran into what seems like a very thorough treatment of the topic of robust programming by Matt Bishop at UC Davis.

It’s interesting reading, and makes you realize how fragile typical programs really are. One thing I hadn’t thought about previously: when you get a data structure as part of an interface to a library, how much can you mangle that structure by filling it with inappropriate values and get ‘unexpected results’ that can be used to your advantage?
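To make the "mangled data structure" point concrete, here is an added example (not code from the original post or from Bishop's paper) of a tiny bounded-queue library written two ways. The fragile version hands the caller the raw struct and trusts whatever comes back; the robust version keeps all state inside the library, hands out an opaque integer handle that carries a generation number, validates every argument, and reports problems as return codes. All names (`fragile_queue`, `rq_*`, `RQ_*`) are assumptions invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* ---- Fragile style: the struct itself is the interface. -----------------
 * The caller holds the raw struct and can set head/count to anything. The
 * library trusts those fields, so a mangled struct (head = 40, or a negative
 * count) turns into an out-of-bounds access inside library code. */
#define FQ_CAP 4
typedef struct { int items[FQ_CAP]; int head; int count; } fragile_queue;

int fragile_pop(fragile_queue *q) {
    int v = q->items[q->head];        /* no bounds check on head */
    q->head = (q->head + 1) % FQ_CAP;
    q->count--;                        /* happily goes negative */
    return v;
}

/* ---- Robust style: opaque handle, state kept inside the library. --------
 * The caller gets an integer handle that encodes a slot index plus a
 * generation number; every call re-validates it, and every error is
 * reported through a return code instead of a crash. (Hypothetical API.) */
#define RQ_CAP 4
#define RQ_MAX 8
enum { RQ_OK = 0, RQ_BAD_HANDLE = -1, RQ_FULL = -2, RQ_EMPTY = -3,
       RQ_NULL_ARG = -4, RQ_NO_SLOT = -5 };

typedef struct { int in_use; unsigned gen; int items[RQ_CAP]; int head; int count; } rq_entry;
static rq_entry rq_table[RQ_MAX];    /* the only copy of the queue state */

/* Allocate a queue and return its handle (>= 0), or RQ_NO_SLOT. */
int rq_create(void) {
    for (int i = 0; i < RQ_MAX; i++) {
        if (rq_table[i].in_use) continue;
        unsigned gen = rq_table[i].gen + 1;      /* bump so old handles go stale */
        if (gen > 100000u) gen = 1;              /* keep handle in int range (toy bound) */
        memset(&rq_table[i], 0, sizeof rq_table[i]);
        rq_table[i].in_use = 1;
        rq_table[i].gen = gen;
        return (int)(gen * RQ_MAX + (unsigned)i);
    }
    return RQ_NO_SLOT;
}

/* Map a handle back to its slot, rejecting negative, forged or stale ones. */
static rq_entry *rq_lookup(int h) {
    if (h < 0) return NULL;
    rq_entry *q = &rq_table[(unsigned)h % RQ_MAX];
    if (!q->in_use || q->gen != (unsigned)h / RQ_MAX) return NULL;
    return q;
}

int rq_push(int h, int v) {
    rq_entry *q = rq_lookup(h);
    if (!q) return RQ_BAD_HANDLE;
    if (q->count >= RQ_CAP) return RQ_FULL;
    q->items[(q->head + q->count) % RQ_CAP] = v;
    q->count++;
    return RQ_OK;
}

int rq_pop(int h, int *out) {
    rq_entry *q = rq_lookup(h);
    if (!q) return RQ_BAD_HANDLE;
    if (!out) return RQ_NULL_ARG;
    if (q->count == 0) return RQ_EMPTY;
    *out = q->items[q->head];
    q->head = (q->head + 1) % RQ_CAP;
    q->count--;
    return RQ_OK;
}

int rq_destroy(int h) {
    rq_entry *q = rq_lookup(h);
    if (!q) return RQ_BAD_HANDLE;
    q->in_use = 0;                    /* gen is kept, so the old handle is now stale */
    return RQ_OK;
}

int main(void) {
    int h = rq_create(), v = 0;
    rq_push(h, 42);
    rq_destroy(h);
    /* Use-after-destroy is caught instead of silently touching reused state. */
    printf("push on stale handle -> %d (RQ_BAD_HANDLE is %d)\n", rq_push(h, 1), RQ_BAD_HANDLE);
    printf("pop on bogus handle  -> %d\n", rq_pop(12345, &v));
    return 0;
}
```

The design choice worth noticing is the generation number: a plain slot index would let a handle that was destroyed and then reallocated silently operate on someone else's queue, which is exactly the "fill the structure with inappropriate values and see what happens" hazard the post describes. The fragile version is kept only as the contrast; nothing in the caller's reach can put the robust queue into an inconsistent state.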

Hopefully, with more use of test-driven development, pair programming, robust programming, and people focusing on writing bomb-proof code, we will see fewer security issues in software.

Honestly, I’m not holding my breath, because everyone seems to think that their code is either invulnerable or not important enough for someone to care about how secure it is.

Thank you Blackhat, again

Posted in Rants, Security on February 27th, 2007

A couple of years ago Blackhat (http://www.blackhat.com) was embroiled in a legal battle between Cisco Systems and Mike Lynn about a presentation he was giving on breaking into Cisco’s IOS. We won’t go into the details about that here, but you can go read Jennifer Granick’s journal for them.

And now Blackhat looks like it might be in the middle again. InfoWorld reports that HID, the proximity RFID card maker, may be going up against IOActive, Inc. to stop a similar presentation that targets their technology, as well as similar technology from other vendors in the same field.

What really gets to me in this case is a quote attributed to HID from InfoWorld:

“These systems are installed all over the place. It’s not just HID, but lots of companies, and there hasn’t been a problem. Now we’ve got a person who’s saying let’s get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where’s the sense of responsibility?” Carroll said.

Where is the responsibility in a security company selling a product that they know has a vulnerability in it? That their customers might be susceptible to an attack which is mostly public already? That apparently one researcher took less than a month to put together?

I’m tired of this. I’m tired of hearing about security companies that fail in some major aspect of securing their own devices, or of working with customers to alleviate or understand problems with the technology they are selling or have sold. Security in a black box of “trust us, this will work” is worthless to the customer. Why am I tired of this? Because I see too many examples of it, including:

  • Default installations of security web applications that leave themselves open to the world.
  • Security appliances that converse via SSL but whose certificate you can’t update.
  • Security appliances that offer no secured communications channel for device management.

I think if you’re selling or creating any security device you need to at least hold yourself to a higher standard for protecting it and protecting your customers. Though I hate to create new legislation, perhaps we need some in this arena. I envision something where a researcher that finds a flaw is protected by whistleblower-style legislation (even if they don’t work at the company) and the company must send a notification to customers affected by the problem.

Can I get a hell yeah?

– decaf out (poor editing and writing attributed to my current fever)

XSS Cheat Sheet

Posted in Geekery, Security on December 4th, 2006

RSnake over at ha.ckers.org has posted a really cool cross-site scripting (XSS) cheat sheet. It includes a variety of techniques for testing for the presence of an XSS vulnerability, complete with tags for which browsers each one works with. A great tool to add to one’s toolbox.

Incredible statement

Posted in Rants, Security on October 20th, 2006

I was talking with a friend who works in a large segmented organization, where administration is done ad hoc in each segment, with some infrastructure that covers the entire organization. They were having issues with one of the systems administrators after an outbreak of some virii in the administrator’s area. After having dealt with the issues in some highly non-professional manners, the administrator came up with the following:

“We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems.” [1]

The number of things that are so wrong about this statement is astounding. The fact that the people for whom the administrator maintains systems bought this line is even more astounding.

Let’s break this down by where the security problems exist, and how this proposed solution helps with them.

If it’s the fact that the Mac traditionally used Motorola processors instead of Intel-based processors, and that’s why they don’t have security problems, then going with Mac Minis isn’t going to help, since they’re Intel-based machines (otherwise it would be pretty difficult to do what we’re going to look at next, run Windows on them).

If it’s the fact that Windows has a number of vulnerabilities, especially if it’s not properly maintained and protected with firewalls, then changing the operating system would be an acceptable alteration. But we’re not; we’re going to load Windows onto the Mac Minis.

The reason that Macs currently are less of a security risk is that there are fewer exploits and known vulnerabilities out there for Mac OS X (and previous versions of MacOS as well). Personally, I expect that to slowly change as Mac OS X gains in popularity. But in this instance, that’s not the method we’re choosing to make these systems more secure.

So we’re left with the best security method I’ve heard of: a different case! By affixing an Apple logo onto the host, we’ve made it more secure, because Macs aren’t subject to the same security problems.

– decaf out

[1] Unfortunately, while this quote is as close as I can get to the spirit of what was said, it may not be accurate, as I didn’t hear the person say it.

UPDATE: Since this has been linked to by a couple of places now, I thought I’d add a quick note to clarify. It’s not the entire organization that is making this change, just one small (but important) group out of the entire organization. Probably less than 1% of the people and hosts that exist in the organization.