Where do we go from here

There has been a lot of news coverage in recent weeks on high profile data breaches across a variety of organizations.  The two that stick out perhaps more than others (if for nothing other than the sheer volume of news about them) are the breaches at RSA and Epsilon.

Data breaches are a serious matter, regardless of what data was gleaned in the breach.  Even innocuous things such as name and email address are serious losses that carry high potential for damage, and when you get into trade secrets and sensitive data around a massively deployed strong two-factor authentication scheme the ramifications are far reaching indeed.

Working in the AppSec space in infosec I am frequently asked how things like this can happen.  Is it that the companies themselves are lazy, complacent – or worse – negligent?

No.

Nobody* wants to see data lost, least of all the company whose systems become compromised.  That’s the worst case nightmare scenario that keeps us up at night.  Except in some rare cases, I wouldn’t consider these organizations negligent.  As RSA proved – you can have some of the best perimeter security in the world, but that won’t necessarily protect you should you become a target.  The weakest link in the security chain has moved from the infrastructure to the people, and attackers will almost invariably attack the weakest link.  Spear phishing and clever social engineering are two of the most serious threats facing businesses today – and recent news reports are showing why.

So, where do we go from here?   We learn.  We improve. We teach.

Much can be learned by everyone from these breaches.  As we learn more details about how these breaches occurred we can improve our security to protect against these attack vectors.  Newer and better controls can be added to our applications and services to help mitigate these threats.  We can – and should – educate our employees about the dangers of social engineering and spear phishing, and use this opportunity to increase and refresh their security knowledge.

What we shouldn’t do is point fingers, ridicule, or otherwise blast these vendors (at least with regards to the fact that they got hacked – their PR handling of the incident is open to criticism, should you feel the need).  Instead – let’s learn from the mistakes made.  Let’s collectively improve.

We can do better.  We should do better.  Let’s take this opportunity to do so.

Posted in Personal | 2 Comments

Beware: Major PGP WDE issue on Sandy Bridge architecture. Show Stopper.

I’ve written on here before about major bugs in the PGP platform for whole disk encryption.  Fairly recently it was discovered that there exists a bug with the latest version of PGP Desktop (specifically, whole disk encryption) on machines that are running the new Intel Sandy Bridge architecture with certain hard drives.  On the new 2011 MacBook Pros this manifests itself after the drive is instrumented and encryption started.  If you happen to reboot the machine (even after a full encrypt) you can get past the boot guard, only to be faced with a hung system at the Apple logo.  Decrypting the drive (using target disk mode) does not resolve the issue, and running fsck shows the catalog file to be corrupted and unrecoverable.

Initially we thought this issue to be specific to the Mac platform, however further testing has shown this to be a problem with ANY platform running Sandy Bridge.  Specifically, I’ve seen this issue on MacBook Pro 8,2 models with the 750GB hard drives as well as with SSDs, and on new Dell laptops running Sandy Bridge and equipped with SSDs.

For the Mac side of the house, a solid week of testing has allowed me to find two workarounds.  It would appear that forcing the OS to boot into 32 bit mode (perpetually), then installing PGP and encrypting, resolves the issue.  Unfortunately you also lose the benefit of running in native 64 bit mode.  This is less than ideal.  For Macs that are running with the Apple provided SSDs you can also resolve this by placing a jumper on the left two jumper pins on the right side of the rear of the drive (there are four pins, they should be obvious), then doing a fresh install of the OS.  At the moment I do not know specifically what that jumper configuration does (I can’t get a straight answer out of Toshiba), but I do know that it fixes the issue and allows for encryption to work.  I’ve been running this configuration on my Sandy Bridge MBP 15″ for a few days now, fully encrypted, without any issues.

To date I do not have a workaround for the Dells. This is a major issue and Symantec has not made a widespread announcement on their encryption blog warning consumers.  I have been in contact with Symantec regarding this issue (including working with one of their developers to perform testing and help narrow down where the problem exists), but as of yet have not heard a definitive answer as to what the cause is.

I will post updated information as it becomes available.

Posted in News | 8 Comments

Two hops over the pond

Last week I had the awesome opportunity to visit the ExactTarget Global headquarters in London. A project I have been working on required someone to be physically present in our office over there and I was picked to be that someone. This was cool for several reasons – first and foremost being that it was my first international trip and second being that I got to meet some pretty great people who work in our London office.

The trip was a success – the project work was done without incident and was quite productive.  I won’t go into detail as to what that involved, but suffice it to say we’re all happy with the results.  My coworkers in London made the trip even better than I had expected – welcoming me both to their office and to their country.  They were all very friendly and I really enjoyed getting to meet them all and enjoy a few pints with them as well.  My friend and coworker, Ashraf, made sure to take me to Bodeans BBQ for lunch.  He had me try the Soho Special and… it was amazing.  If you like BBQ you owe it to yourself to give this sandwich a try – it’s fantastic.

Sadly – I did not get much time to play tourist.  It’s definitely a shame that I didn’t get out to see the (many!) sights and visit the many wonderful museums, but it gives me something to look forward to on my next trip across the pond.  I definitely want to take Ann and go be tourists for a while.

The trip was fantastic, but I am definitely glad to be back home. There’s just no substitute for sleeping in my own bed.

Posted in Personal | 3 Comments

It’s going to be a long night…

I sit here in Newark waiting (im)patiently for the announcement that my flight is ready to board.  I’ve got another hour and a half until the scheduled boarding time, and I’m really hopeful for an on-time departure.

Those of you who follow me on Twitter know I’m embarking on a journey across the pond to visit the ExactTarget Global headquarters in London.  A project I’m working on requires my presence in London to meet with a vendor, which I really can’t say is such a bad thing.

This is, however, my first international trip.  Ever. I’d be lying if I said I wasn’t a bit nervous for this very reason.

I’ve asked advice from lots of people and have made all of the arrangements (several of them thanks to the WONDERFUL people in our London office who helped out!) needed to make it a smooth trip.  I’m as ready for this trip as one man can be.  I’m still nervous.

I’ll have loads of fun I’m sure, and I consider myself lucky to get a free trip to London.  That certainly doesn’t happen every day – I will take advantage of it.

Any advice on things I should definitely do when I have some free time?

Posted in Personal | 1 Comment

You had me at XSS

As I deal with Application Security issues, I’ve found that quite a few people don’t fully understand the dangers of attack vectors like SQL injection and Cross Site Scripting (XSS).  It’s at least somewhat easy to illustrate the dangers of SQL injection – just point them to this XKCD strip.  Far more difficult is explaining the risk involved in XSS to someone who doesn’t already understand it.

A lot of folks downplay the potential risk, choosing instead to believe that the risk is low because they mark their session cookies as HttpOnly, so “document.cookie” won’t get you anything worthwhile.  That only stops the script from reading the cookie; the browser still attaches it to every request the script makes to the same origin, so the injected script can act as the user anyway.  A challenge for those in AppSec is how to educate people about the true dangers of even a single XSS vulnerability.

While looking for a way to do exactly that I stumbled on (no, not using StumbleUpon) XSS-Track, a project which aims to demonstrate how a single XSS vulnerability can enable tracking of a user across an entire website (not just the page with the vulnerability), and even intercept files that are uploaded by that user.  The capabilities are almost limitless if enough time and effort is put in.

With luck – examples such as the one provided by XSS-Track can be used to entice organizations to reduce the window of vulnerability on XSS (and other) vulnerabilities found in their web apps.  It certainly is a powerful tool for expressing the magnitude of damage possible from XSS.

Posted in Personal