Sunday 31 January 2010

Security Digest #5

This is The Padlock, returning from its New Year celebrations, a little late, eyes red-rimmed, but brimming with security-related news. Happy New Security Strategy!


MSF for Agile + SDL Process Template

We first featured Microsoft's new SDL-Agile Process in November, and now happily return to it in order to welcome the first public beta of the new “MSF-A+SDL”, or to give it its full Sunday appellation, the MSF for Agile Software Development plus SDL Process Template for VSTS 2008 (see glossary for an explanation of "MSF").

This is a template which helps teams integrate secure development processes directly into their Visual Studio Team System environment, in a way similar to last year's SDL Process Template for VSTS, only this time, with added agility!

There are also some completely new features in the MSF-A+SDL, when compared with the previous SDL Process Template offering.

One useful addition is the automatic generation of new SDL task work items whenever a user adds a new iteration. This is particularly helpful because many projects, and especially agile projects such web applications or cloud services with no defined “end date”, can run indefinitely, and so need periodically to re-complete SDL requirements (as defined in the SDL-Agile process).

Similarly, whenever new code, such as a new Visual Studio project or a web site, is checked in to an MSF-A+SDL project’s source control repository, the template can intelligently generate new SDL requirements appropriate to that particular project type. One example of this is given on the SDL blog: when a new C# web site is added to the repo, the template adds requirements such as disabling ASP.NET tracing, and applying the AntiXss library. Good boy!


Simple Implementations of Microsoft's SDL

2010's news from the Microsoft Security Development Lifecycle group continues with the announcement of a new "white paper" illustrating the core concepts of the SDL, and discussing the individual security activities that should be performed in order to claim compliance with the SDL process:


The 771KB PDF includes:
  • A brief overview of the Microsoft SDL
  • An overview of the Microsoft SDL Optimization Model
  • Discussion of Microsoft security development practices
  • Individual roles and responsibilities in the development process
  • Mandatory and Optional security activities
  • The application security verification process
The document outlines a "minimum threshold", staying true to the core attributes of the SDL, and providing a model for building an effective security development lifecycle - particularly in smaller organizations. By explaining how the SDL can be implemented with limited resources, and applied to any platform, the "Simplified SDL" white paper helps address certain common misconceptions about the Microsoft SDL. Like the one saying that you have to be an organization the size of Microsoft in order to be able to implement it, or that it is only appropriate for Microsoft languages on Microsoft platforms, and you need some alternative methodology "... if you’re writing code with Ruby for OS X."


Black Hat

Black Hat DC 2010 has just started, and on Wednesday, SDL's Bryan Sullivan is due to give a talk about “Agile Security; or, How to Defend Applications with Five-Day-Long Release Cycles”, demonstrating the use of MSF-A+SDL. So there should soon be much more available, by way of information and resources, on the subject of the new VSTS template.

Meanwhile, the rest of January's security-related items (beautiful security, ugly passwords) already having escaped into their own dedicated articles, it's goodnight from me.

Thursday 21 January 2010

Your Password Sucks

2Shrt+2Smpl

Imperva's Application Defense Center (ADC) recently published their analysis of last month's incident at social application site Rockyou.com, in which full details of more than 32 million user accounts were exposed in plain text. The attack was a face-palmingly trivial SQL injection one, and the exposed account data - everything having been stored in the clear - included user credentials, ie names and passwords, for social networks and other partner sites, such as MySpace, and webmail accounts. Nik Cubrilovic wrote about it then, in a TechCrunch article calling the RockYou platform "a Swiss cheese of security vulnerabilities and poor practices", and going on to enumerate the whys; it's a great exposé of its kind.

Anyway, back to this month, and the Imperva study. This analysed the full set of exposed passwords, 32 million and change. Previous studies have been confined to surveys; this is the first time such a large number of real-world passwords has been made available. Some of their main findings are:
  • 30% use 6 characters or less;
  • 50% are names, slang words, dictionary words, or otherwise trivial;
  • 60% use a limited set of alphanumerics.
What is most striking about their analysis, though perhaps unsurprising, is that none of their findings or conclusions are in any way new. A look at one of those earlier studies, dealing with Unix password security some twenty years ago, reveals that little has changed between then and now, when it comes to strength of passwords and their susceptibility to brute force attack. Ten years ago, hacked Hotmail passwords told the same story.

So here's the latest, top ten hottest passwords, as used on the Rockyou.com site:
  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
Imperva's ADC uses NASA's recommendations as a framework to analyse the exposed password set, presenting their results as a couple of tasty pie charts, a table, and a bar graph, before going on to suggest the familiar recommendations to both users (strong passwords, different for all sites, and kept secret) and administrators (enforce strong password and password change policies, use HTTPS for login, and so on). This weight of evidence strongly suggests that the way to a solution, if there is ever to be one, is in the hands of those administrators.

The full report can be read here:


Hat tip to my colleague Chris, aka Scale This!, for pointing me at this study.

Monday 18 January 2010

Blair's Death Rain

The Last Heat of 2009

Sunday morning, up with the lark. Think we'll take a ... run to Byres Road. Hey hey hey, there's a Waitrose there now!

Not brand new, but just two months old. On the way over, Linda diverted and introduced me to Lupe Pinto's, Great Western Road, wherein they sell the shop's hot dry air, scented with the volatile vapours of capsicum, for a fiver a pint. The first one, the acrid gas, the raw chili throat catching essence that mugs you at the door, that one's free.

Last year, we'd grown a whole shed load of chili peppers in the greenhouse. More accurately, we bought a bunch of plants, and okay my father actually grew them, in his greenhouse. Whatever! We'd visit every week or so, leaving with a paper bag full of the new hotness. Occasionally to share with a very few select others, but usually, just to see how many peppers we could pile on to - almost anything we were cooking - without leaving big ends smouldering on the starting line. The answer was generally about half a dozen. Seeds and all; and yes, there was smouldering.


In fact Linda rarely goes near a raw chili. Even when she cooks with them, I get to wash and chop and add those little devils myself. So when she took me into Lupe Pinto's, and the raw chili dust air slapped us upside the head and back out into the street, even before the door had fully opened, it could only be because (the last of 2009's peppers now being nought but a sweet and multiply-painful memory) she figured I must be in need of a fix.

Scovilles By The Googol

We spent some time in the shop, planning a Hot Food Night for a little family get together some time soon - Little Niece in particular is no stranger to a tube of Wasabi Pringles. Deciding to do the shopping for that another time, we left with a bottle of hot sauce. No, not Smack My Ass & Call Me Sally, which apparently I "almost" got on my birthday! Oh, and we also bagged two bags of these:


Man, are they hot. We'd picked up lunch at Waitrose - just a sandwich - and headed off to Balloch. During that lunch, I was twelve types of grateful for Linda picking up a couple of Happy Eggs (hens' eggs, hard boiled), not to mention a brace of egg custard tarts. When my egg mayo sandwich balm ran out, the Happy Egg served as temporary tongue relief, while I fidgeted, panicked and tore to get both those egg custard tarts out of the packaging, and on to my brightly glowing, traumatised taste buds.

If you ever decide to try Blair's Death Rain Habaneros, I recommend that you first purchase one of those car first aid kits from Halfords, empty it of its eye patches and bandannas, and refill with two of every hard boiled egg product sold in your town. Then at least you might be equipped to survive their third-degree excesses, until you reach a health care professional.

Wife Almost Eats Own Foot

Balloch was scenic, ducks were photographed, fondly remembered day trips and weekends away together - some of these decades past - were reminisced upon. Luss was beautiful too; even though darkness had fallen when we arrived, judicious stop adjustment allowed Linda to continue with her photography. Hooray for the bucket brigade! Once little more than an analog sound delay processing solution, the now ubiquitous charge-coupled device has found its true niche, comradeship and happiness, as the millionth part of a mega pixel.

The journey home was extended as an accident closed the eastbound M8 for about seven hours. Sitting in that effective car park, we joked about how there was nothing but that second bag of Blair's Death Rain Habanero in the boot to sustain us. "Well, enjoy it, been nice knowing you!" said Linda, while I reminded her that according to The Daily Mash, Davina McCall, recently stuck while driving in snow, had been forced to tweet about eating her own foot.

The giant conga-line of M8 out-of-towners, diverted by the closure down to the Edinburgh Road, mistook the Glesga weekday peak-time bus lane for an Embra full-timer, studiously avoiding it. And quite annoyingly, refusing to allow anyone with the sheer temerity to drive upon its sacred surface, to change lane from there! For clearly, such must be sinners and transgressors. Nevertheless, their lifelong quest for a clue left us more savvy local types free to wheech home, on our own private road network.

Thursday 7 January 2010

Horizon: A Return To Form?

The Secret Life of Dogs

Last night's Horizon programme on BBC2 was a pleasant surprise.

As someone who doesn't need words like "history" or "phenomenology" to be erased from a title, or replaced by the now ubiquitous "secret life", I thought I'd more or less stopped watching this once brilliant documentary series, following its embarrassing dalliance in co-productions with The Discovery Channel, the consequent and inevitable "dumbing-down" (incidentally, an ugly and contemptible Americanism; what has this to do with speech impairment?), and the stripping out of any vestige of science, to be replaced by sensationalist, physically incorrect graphics, and equally inaccurate drone overs.

But having recently lost my super smart (so sue me!) Border Collie, I was irresistibly drawn in by yesterday's preview footage of "Betsy", the Austrian BC who knows over 340 words:

Betsy (photo copyright © BBC 2009)

She can fetch any object in her repertoire by name. She can also fetch it when shown a different, smaller version of it. Or even a photograph, or a drawing of it. None of this, of course, came as any surprise to the Border Collie lovers in this house! But it did make the evening's Horizon compulsory viewing.

Return of the Couch Potato

Pass those Doritos, baby! What was great about this documentary? I could sit watching TV for an hour, and feel that I'd learned at least a good half dozen things I hadn't known.

For example, dogs read human faces exactly as we do, viz. with right side bias. Dogs do not read other dogs in this way; it's an adaptation geared exclusively around interpreting their human owners' expressions. Dogs can also respond correctly to pointing, something that even our nearest relatives in the primate group do not learn. In fact, they can respond correctly to only a glance in a particular direction, just as if it were a direct command.

Barking is another revelation, once you're reminded that wild dogs, and the grey wolves they're descended from, don't actually bark very much at all. In fact, domesticated dogs seem to use some half dozen or more quite distinct barks as an inter special language to communicate various messages to us, and we correctly interpret these (e.g. from audio recordings) as "Get off of my lawn", "Great to see you", "So throw the bloody ball then", and so on.

Using blood samples from both, petting is found to be correlated with oxytocin releases in dog and owner, leading to reductions in their heart rates and blood pressures, and ultimately, stress levels.

Dogs are also now thought to have had an indispensable role to play in our species' transition from hunting and gathering, to animal husbandry and agriculture. Recent research suggests they may have started to cohabit and co-evolve with us much earlier than previously thought, perhaps up to 100,000 years ago.

Most of these "discoveries" are between one and many years old, and are of course multiply reported elsewhere. The health benefits of animal petting, for example, have been recognised by health care professionals for some time.

But what Horizon has done so brilliantly in the past, and so memorably, in areas such as standard model physics, or the microprocessor revolution, and what it now seems capable of doing once again, is this: drawing together the threads of recent research in an interdisciplinary and international context, throwing into focus a startling image of the current state of our knowledge in some area of science or technology. Like this week's...

Special Guest Star: Genetics

Domestication, and not socialization, emerges as the key to our unique relationship with dogs. In other words, nature and not nurture; the selected genetic blueprint, and not experience. This was proved in well-designed experiments to socialize wolf cubs, which regardless of their environment, reverted inexorably to aggression as they matured.

We saw the famous large scale fox breeding programme in Siberia, where in 1959, Soviet scientists began their attempts to domesticate silver foxes, selected from local fur farms. Those experiments continue to this day, but one of their earliest and most striking results was that within three generations (three years) of selecting that one percent of foxes who exhibited neither fear nor aggression, and successively allowing these to interbreed, the resultant population emerged as almost uniformly tame, fear and aggression having been all but eliminated. Within eight generations, as soon as they opened their eyes and began to crawl, these foxes sought out contact with humans, showing affection to them. And just as with the wolf cubs, cross-fostering, giving aggressive cubs to tame mothers and vice-versa, has no effect; aggressive cubs retain their aggression, and tame ones their tameness. In fact, even embryo transplant fails to break this genetic disposition.

The programme featured Cornell geneticist Dr Anna Kukekova, who has travelled over 5000 miles to study these foxes, discussing a "biology of tameness", but there was no sensationalist, tabloid attempt to leap to unwarranted conclusions about other species. There is, we are told, "not one gene, but a complex orchestra of them" at work here.

We saw the curious secondary juvenile characteristics that selection for tameness brings out: varied coat colours and patterns, floppy ears, shorter curly tails, shorter limbs. "What this shows, is that when you select against aggression, you get almost all the same suite of changes that you see when you compare dogs to wolves" - Duke University anthropologist Prof Brian Hare, another visitor to the Siberian breeding programme.

The programme ended with a survey of gene mutation research into diseases common between people and dogs. The comparatively narrow gene pool within a particular dog breed, combined with the known map of the dog genome (in 2005), makes the pinpointing of such mutations far easier to achieve, and even to automate in a genotyping machine, than in human populations.

Welcome back, Horizon. More of this quality please.

Available on iPlayer until 7th April 2010: http://bbc.co.uk/i/pssgh/

Saturday 2 January 2010

Book Review: Beautiful Security

Leading Security Experts Explain How They Think

Andy Oram & John Viega (editors)

Nineteen experts in the field contribute sixteen chapters, comprising a far-reaching discussion of the techniques, technology, ethics, and laws at the centre of the present network security revolution. It's a thought-provoking anthology of the bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. These writers are the selfsame people who have found unusual solutions for writing secure code, designing secure applications, and addressing modern challenges such as wireless security and Internet vulnerabilities - then hacking into them.

The book covers the new and more aggressive security measures being contemplated and utilised today, and what they are leading to. Examples include: "rewiring" the expectations and assumptions of the organization, regarding its security; evolution and new projects in Web of Trust; legal sanctions to enforce security precautions; security as a design requirement; an encryption/hash system to protect user data; attack detection; and the criminal market for stolen information. Or as the back cover has it,
Beautiful Security explores this challenging subject with insightful essays and analysis on topics that include:
  • The underground economy for personal information: how it works, the relationships among criminals, and some of the new ways they pounce on their prey;
  • How social networking, cloud computing, and other popular trends help or hurt our online security;
  • How metrics, requirements gathering, design and law can take security to a higher level;
  • The real, little-publicized history of PGP.
That last item, incidentally occurring about halfway through the book, is one of the best, and the most technically and historically accurate, short-form accounts of the origin and evolution of the Web of Trust on record. Also beautifully illustrated (with added XKCD!), it's a true gem.

The following comprises a more detailed review of the first half of the book, in terms of number of pages, chapters, and contributing authors.

Chapters and Authors

Logically enough, Peiter "Mudge" Zatko (blog), ex-leader of the hacker think tank known as The L0pht, ex-Cult of the Dead Cow, the inventor of the buffer overflow exploit (and the man who once told the U.S. Senate that he could take down the internet in 30 minutes), provides the first chapter dealing with broad security and related matters, including sociology and psychology, while asking where vulnerabilities emerge from. Examples of the exploits which are examined include of course the notorious LANMAN hash legacy cockup, that led to Microsoft enabling the L0phtCrack (although there is certainly sufficient balancing material implicating other systems and organisations: Unix, Apple).

Jim Stickley follows up with a piece on the special vulnerability of wireless networks, pointing out the various ways in which Wi-Fi undermines organizational security. TJX gets its first mention here, as that leak of between 36 million and 200 million credit card numbers was wholly facilitated by unprotected wireless access points. Jim also notes that a least nine other organizations succumbed to the same hack (see TJX Hacker ‘Will Never Commit Any Crime Again’ in Wired magazine for a fairly recent update and some fascinating background on those cases).

Then, Dr Elizabeth A. "Betsy" Nichols takes up the story of security metrics, again using that TJX example, but also adding in those of Barings Bank, and of the more general phenomenon of ATM fraud, to demonstrate surgically how the careful application of such metrics can lead to prevention and/or early detection in such cases. An enlightening demonstration of the judicious application of hindsight in security process and strategy improvement, this chapter alone is worth the cost of the book. Required reading, Dr Nichols's contribution - double the average chapter length of 15 pages - stands out as a learned introduction to a brand new, interdisciplinary field of academic study.

Chapter 4 finds Dr Chenxi Wang reflecting on the underground economy of security breaches. She analyses the players or "actors" in this community into a handful of categories or interlocking roles: malware producers, resource dealers, information dealers, criminals (including fraudsters and attack launchers), and cashiers. Each of these and its environment is then further analysed, showing the workings of this dark network of support and trade. Finally there are a few suggestions on how to encourage collaboration and combat this growing underground economy.

Orbitz Worldwide VP Ed Bellis contributes an analysis of e-commerce security, exposing its fundamental flaws, its "overly broad and ultimately unnecessary" assumptions, and the patches that have been applied to it historically, including such "weak amelioration attempts" as the CV2 security code. There follow several informative evaluations of more ambitious protocols like Visa's 3-D Secure, and Visa/MasterCard's SET Certificates, which have proven unwieldy in practice; and Virtual Cards, which recently have fared better. Ultimately though, his proposal for a completely new (yet built with familiar components), simple, efficient, effective, beautifully scalable e-commerce security model, based on solid requirements - and just to spoil you, presented pictorially - is what brings you that rewarding moment of insight.

A well-known consumer champion in the arena of online advertising, Professor Ben Edelman brings his Harvard Business School expertise to bear on "malvertisement" banner ads, click fraud, spyware and adware, showing samples of the hundreds of online advertising scams he's uncovered over the past five years, explaining their background, their operation, and what regulators and ordinary users can do about them. Uniquely, he also goes into some detail about the legitimate advertiser's vulnerabilities and concerns, including the implications of fast per-click payment, and accountability.

Phil Zimmermann (left), creator of email encryption package Pretty Good Privacy (PGP), and Jon Callas (right), cofounder and CTO of PGP Corporation, co-wrote chapter 7, which was already marked out for special mention above: The Evolution of PGP's Web of Trust. Technically detailed without being reductively mathematical, and historically accurate yet apolitical, this must be the best ever (layman's, short) introduction to the key (sorry!) concepts, definitions and derivations of public key cryptography. Infused with real drama, IP infighting, government involvement and patent wars, the chapter closes with its own self-contained lists of references and areas for further research.

Back to client exploit detection now, where scientist and information security engineer Kathy Wang is our guide to honeyclients - systems that can monitor the behaviour of potentially vulnerable client software, such as web browsers, when driven to potentially malicious websites. In keeping with this book's determination to use only the very best writers on a given subject, we are unsurprised to learn that Kathy designed the very first honeyclient prototype in 2004. She describes the evolution of the form, through 2nd gen, using VMWare hosting Windows XP in Linux, giving examples of actual operational results, and ending with analyses of these, the limitations of current designs, and future developments including P2P.

And So On...

The above material covers just over half of the book in terms of page, chapter and author count. I stop here for the rather trivial reason that the next author in sequence, while certainly an equally prominent figure on the web, is not well represented by readily available images, and so breaks my format.

Rest assured that you'll find the quality of the second half of the book equally high, and the variety of its content equally diverse and surprising.

About The Editors

The achievement of an anthology of this consistently high quality is only possible with good editors, who (1) know great writing when they see it, and (2) recognise the most contemporary material, and so know what must be included. These duties are shared and admirably carried out by Andy Oram, an author and publisher of long standing at O'Reilly, and John Viega, CTO of the SaaS Business Unit at McAfee, previously their Chief Security Architect. To the list of their successes must be added one of the most important decisions about this anthology, namely to present the various stories in a sequence providing "an engaging reading experience that unfolds new perspectives in hopefully surprising ways." This clever decision enhances enjoyment of the fascinating material even more.

Ah, One Last Thing...

All royalties from sales of this book are donated to the Internet Engineering Task Force (IETF), whose stated goal is to "Make the Internet work better". So if we were still in any doubt, this final fact should convince us that Beautiful Security is by far the best and the coolest book on this subject that has ever been assembled.

Even if, in one kaktosophobic colleague's opinion, it also has one of the ugliest of covers.

Beautiful Security
Leading Security Experts Explain How They Think
Andy Oram & John Viega (editors)
O'Reilly Media Inc
6 May 2009
ISBN-10: 0596527489
ISBN-13: 978-0596527488

Coming soon, to a coffee table near you...

Friday 1 January 2010

Tweets - December 2009

















Previous Tweets