17 Jun

Opera Unite

Posted by: Joshbw in General Ramblings

How do you make a web browser, already one of the most common attack vectors against a client, even less secure? I know, add a web server and have it serve up the whole damn client file system! What a great idea!

Is Opera insane? What does the Threat Model look like for this thing? Opera, you do know what threat models look like don’t you? You use them right?

~ Joshbw

11 Jun

China’s mandatory filter software

Posted by: Joshbw in Uncategorized

It turns out that Green Dam, the censorware that China wants installed on all machines sold within its borders, is crap. The security researchers who wrote the article in that link found many major vulnerabilities within twelve hours of examining the software. First, it has buffer overflows, which can be exploited just by getting a user to visit a site with a long URL: it captures the URL from the browser and compares it to a blacklist, and the buffer it holds the URL in is apparently fixed length and shorter than the maximum length of a URL. Good to know that the developers apparently haven’t learned anything from a decade of widespread C++ exploitation. Also, its update mechanism allows arbitrary code execution by design.
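The fixed-length URL buffer described above is the classic pattern behind this class of bug. As an added example (not Green Dam’s code, and not from the linked article), here is a blacklist check in C that bounds the copy and reports an oversized URL as its own verdict instead of writing past the buffer; the buffer size, the blacklisted hosts and the sample URLs are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; the page only says the real one was shorter than a URL can be. */
#define URL_BUF_LEN 2048

/* Constructed sample blacklist of hosts; not Green Dam's list. */
static const char *const kBlockedHosts[] = { "blocked.example", "banned.example.org" };
#define N_BLOCKED (sizeof kBlockedHosts / sizeof kBlockedHosts[0])

enum url_verdict { URL_ALLOW = 0, URL_BLOCK = 1, URL_OVERSIZED = 2 };

/* Bounded copy of a browser-supplied URL into a fixed-size buffer. memchr looks for the
 * terminator only within dst_len bytes, so a URL of any length can at worst be refused. */
static bool copy_url_bounded(const char *src, char *dst, size_t dst_len)
{
    const char *nul = memchr(src, '\0', dst_len);
    if (nul == NULL)                 /* no terminator within dst_len: too long */
        return false;
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* length + NUL <= dst_len */
    return true;
}

/* Isolates the host of "scheme://host[:port][/path]" in place; NULL if there is no host. */
static char *host_of(char *buf)
{
    char *p = strstr(buf, "://");
    if (p == NULL)
        return NULL;
    p += 3;
    p[strcspn(p, "/:?#")] = '\0';    /* cut at the first delimiter, if any */
    return *p ? p : NULL;
}

/* Filter decision for one URL. Oversized input is a verdict the caller handles, not a crash. */
enum url_verdict check_url(const char *url)
{
    char buf[URL_BUF_LEN];
    if (!copy_url_bounded(url, buf, sizeof buf))
        return URL_OVERSIZED;
    char *host = host_of(buf);
    if (host == NULL)
        return URL_ALLOW;
    for (size_t i = 0; i < N_BLOCKED; i++)
        if (strcmp(host, kBlockedHosts[i]) == 0)
            return URL_BLOCK;
    return URL_ALLOW;
}

/* Constructs a URL longer than the buffer and confirms it is refused rather than copied. */
bool oversized_url_is_refused(void)
{
    static char huge[URL_BUF_LEN + 64];
    memset(huge, 'a', sizeof huge - 1);
    memcpy(huge, "http://", 7);
    huge[sizeof huge - 1] = '\0';
    return check_url(huge) == URL_OVERSIZED;
}

int main(void)
{
    printf("%d %d %d\n", check_url("http://www.example.com/index.html"),
           check_url("https://blocked.example/page?x=1"), (int)oversized_url_is_refused());
    return 0;
}
```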

The sad thing is that the software itself is pointless. Client software, on a client machine, can be defeated easily by the client. In fact, it has an uninstaller that appears to actually work, so the user doesn’t have to jump through the hoops that most malware would make them. On top of that, if it uses blacklists to restrict the habits of would-be surfers then its effectiveness is limited. In essence, what China has done is mandate that a large number of their users expose their computers to exploitation while not seriously impeding those that want to view objectionable content. All this is going to get them is the ill will of their own citizens.

~ Joshbw

10 Jun

Question on Disclosure

Posted by: Joshbw in General Ramblings

So here is a hypothetical -

Say a small real-estate agency is using a simple PostNuke website (which is out of date) to gather rental applications – applications with all of the information necessary to both verify (and apply for) credit as well as a history of past residences. In other words, say they were collecting all of the information necessary to completely ruin someone’s life should the information be disclosed, to tie the would-be applicant up in years of financial pain and legal hardship as they try to clear the ID theft from their record.

Now say that the version of PostNuke was woefully out of date and moreover nothing was over SSL.

Hypothetically, a security-minded person sees this and tries to fire off an email, but gets no response. Then they call the agency up and try to explain in person how UTTERLY HORRIBLE this practice is, but it is filled with luddites who have no place running a website that collects this information, and they just don’t get it (either the technical ramifications, no matter how simply they are explained, or the ramifications to the applicants). Those fancy sorts of attacks only happen in the movies, after all. At that point, how does the would-be Samaritan lawfully get the problem addressed, as the agency is an active security risk to every person who has ever provided information to it?

On the larger topic, man is our society screwed. A person can completely have their credit destroyed (and thus many years of their life since living in the US without credit has some major implications – no car or house loan for you. No credit card, which you need if you ever want to rent a car, etc) because some podunk mom and pop website decided they needed a credit application and had no idea how to securely handle the data they collect. We seriously need a better mechanism for asserting our identity than a bunch of easily disclosed historical data but there seems to be absolutely no pressure to move to that (probably because the big 3 credit bureaus are terrified of losing some of their power).

~ Joshbw

26 May

Patent on Input Validation

Posted by: Joshbw in General Ramblings

From Acidus on Curiouser and Curioser – USPA 0090132950 – IBM’s patent on input validation:

The present invention discloses a system for providing real-time validation of text input fields in a Web page during text entry. Such a system can include a validation-enhanced text input element and an input text validator. The validation-enhanced text input element can be configured to contain a validation expression for a text field in a Web page. The validation-enhanced text input element can be contained in the source code document that corresponds to the Web page. The input text validator can be configured to validate a character entered into the text field against the validation expression in real-time. Characters determined as invalid can be visually indicated by the input text validator in the text field.

Hurray for our busted ass patent system. As Acidus says, IBM, go fuck yourself. It may not be a patent on all forms of input validation (notice the reference to “real-time” – this seems to suggest an AJAX powered system to validate input fields as the user is typing), but really any patent on input validation is a freaking mistake by the patent office.

~ Joshbw

22 May

I really hope this is a joke

Posted by: Joshbw in General Ramblings

Hey everyone, did you hear? WebGoat is full of security holes. Way to go FullDisclosure, you really nailed that one, though you did miss several dozen vulnerabilities in the software (it is almost like it was designed to be vulnerable…), for example little trivial things like command injection. Did you hear from the vendor to see if they have a timetable to fix the flaws?

~ Joshbw

It is a truism in the application security world (or really any security) that in order to have an effective security program you need executive buy-off and executive support. To many this means that you need executives to care about security, be willing to fund it, and be willing to stand behind their security personnel. This is certainly true, but there is a precursor step that is necessary before many development organizations can truly institute effective application security: they need to mature as a software organization and embrace process.

When most software organizations start out they often embrace a seat-of-the-pants development style, something often mistaken for agile development, which has three very simple steps: have idea, code idea, market idea. As they mature they might realize that they should decide whether they can sell the idea before they try to code it, rather than figure that out after the fact, and they decide they need to bring in testers to verify that they actually did code the idea. As a dev org matures it reaches a plateau where it has developed some process, but that process resides on either side of the developers: they actually do analysis of an idea to see if it is worth the development costs, and they do testing and customer acceptance verification to make sure that the idea was implemented in a way that will meet customers’ needs, but at the end of the day all they expect developers to do is write code and testers to make sure the code does what it is supposed to.

The problem is that this is an arrangement that will not consistently produce robust code, security-wise or otherwise. Verifying functionality only finds average-use-case flaws, but does not verify proper behavior across all conceivable uses, and simply writing code without discipline will produce unmaintainable, fragile, redundant code. It is in this state that organizations start to care about security, but they aren’t willing to make real commitments to the changes necessary to see it happen. At this point they need to decide whether or not they are willing to change their development and test culture, and this is a very difficult decision to make and enforce.

If the decision is not made, the organization will trap itself into an entirely reactive model for security threats. Problems are found by vulnerability assessment or customer reporting and fixed; tribal knowledge is gained among some developers and there is a short-term downtick in that specific type of vulnerability among those specific developers; long term, the org hasn’t learned much, and the information is not sustained. Almost no prevention will occur, because a preventive model would require changes to how the code is written and verified.

If the decision is made, then the development team needs process placed on them and accountability for following that process. They can’t just write code anymore: they need coding standards detailing how they can write code, and they need to get used to writing documentation. Developers hate writing documentation, but it is one of the most important things they can do. With documentation they can fully think through how they will code a feature before they start doing so (we don’t start pouring foundation before we decide on the blueprints for a house, after all), spotting shortcomings of a particular method before they have spent a couple of days implementing it, and they will provide something where the design itself can be tested rather than just the implementation. On the topic of testing, the dev org needs to get in the habit of hiring testers who are very skilled at thinking in terms of finding problems, rather than testers who are little more than stupid users that can determine whether a feature either works or doesn’t. Skilled testers are worth as much as skilled developers, as effectively finding technical problems is just as hard as effectively coding solutions (one of the best interview test questions I have ever heard was “What do you think of your cell phone?” A true tester may describe a couple of things they like, but then proceed to talk about the myriad things that they wish were done better. A true tester is someone who perpetually sees the flaws in something, no matter how good it is). The testers also need to be given a strong voice; they are the verification for the developers, and if their voice is not strong, then they can’t serve their purpose.

Doing this will give the security team a framework to then build security controls into the development process. They need an actual process in place, otherwise they have no foundation to build off of. An existing and well-defined development process is an input into any effective secure development lifecycle, and an SDL is ultimately the path to a preventive approach to security. The problem is that it is very hard to change a development culture, and it requires commitment from the top. Developers hate process, and they are going to be very resistant to implementing it. Executives need to make it abundantly clear that conforming to the process is the developers’ job: it is what they will be paid to do, and if they don’t do it they will not be paid. This will make no friends among the developers. That is why it is the hardest decision that a maturing development organization can make.

Incidentally, the same thing is true for OSS as for proprietary software; however, it is even more difficult to implement and enforce in an open, distributed development environment. The payoff for either kind of software is much more than just security: the overall quality of the product will improve as a result, and the code will be easier to maintain, as there will be documentation to refer to and a level of code quality enforced.

~ Joshbw

9 May

The right control for the problem

Posted by: Joshbw in Uncategorized

Vipin and Nitin Kumar have apparently released a proof of concept for their Vbootkit 2.0 attack against Win7-based machines. I’ve talked about the attack previously, as it is incorrectly labeled a Windows 7 attack: it is an attack against an insecure boot process that then compromises Windows 7. Anyway, their rationale is:

The Kumars are concerned that the attack approach against Windows 7 they have unearthed might be modified by skilled miscreants to develop remote attacks, hence the decision to give white hat security researchers a leg up in developing defences. They also want to make the case to Microsoft that it ought to make improved security features available across all versions of Windows 7, not just the higher-end versions.

They are apparently taking issue with the fact that BitLocker is only available on the Enterprise and Ultimate versions of Windows. I’m not a huge fan of the tiered versions of Windows, but then again I have an alumni account at the MS company store, so I don’t really mind paying $50 for Ultimate. At the same time, I think it is a bit crazy to expect BitLocker to be available for all users; the support costs associated with that idea are pretty high. Regardless, all of that ignores that a technical control is not ideal for their attack vector.

What leads to their VBootkit 2.0 being run is physical access to the machine; the ultimate enabler is that they are actually at the hardware. Technical solutions are an inherently poor mitigation to a physical problem. Physical controls are much more appropriate. In data centers, simply putting the machine in a sufficiently designed locking server cabinet has neutered this attack, since the attacker would need to first break into the cabinet. For desktop users, having a good locking, tamper-proof case, the boot sequence set to boot from hard disk first, a BIOS password to protect the boot sequence, and a motherboard that isn’t prone to fail into the BIOS when the keyboard buffer is full will prevent all but the most determined attackers. Physical controls for physical problems, technological controls for technological problems, and so forth.

Most of us are techies and immediately look for some nifty code that solves a problem, but enterprise security is only partially a tech problem. Sometimes a padlock is better security than a strong password.

~ Joshbw

23 Apr

The Ultimate Windows 7 Hack that wasn’t

Posted by: Joshbw in General Ramblings

The blogosphere is atwitter with news of an unfixable Windows 7 hack being shown off at Hack in the Box by Vipin and Nitin Kumar. The exploit, VBootkit 2.0, sequel to VBootkit 1.0, is reasonably sophisticated. It boots off of removable media, reads the MBR, and then loads the OS, compromising OS files in memory to do all sorts of nefarious stuff. I haven’t found the whitepaper for 2.0 yet, but you can read the whitepaper for 1.0 here. 1.0 essentially targeted Vista, while 2.0 goes after Windows 7.

Now this is a pretty clever little exploit, but it isn’t an OS exploit. It targets one of the great maxims of computer security: if the system is compromised before your code runs, you cannot definitively restore integrity, or, put another way, he whose code runs first wins. Windows code does not have an exploitable vulnerability, other than the assumption that the system booted securely, an assumption that *has* to be made. The Kumars deserve recognition for very effectively exploiting this assumption, but their actual attack vector is nothing novel.

We can continue to increase the pre-boot integrity controls and increase the sophistication necessary to access the machine, but physical access is still one of the easier ways to gain access to a box. That isn’t going to be a problem solved soon.

~ Joshbw

23 Apr

Quest for the Perfect Geek Bag Part 5: Ogio Metro

Posted by: Joshbw in Bags, Reviews

Ogio Metro

This is a wonderful bag. The price is a bit on the high end (though nowhere near a Timbuk2), but so is the bag. Right off the bat a number of things are noticeable about its design. The outer material is a fairly rugged cloth, but it has a plastic coating applied to the inside of the fabric to weatherproof it (good ol’ Scotch Guard will help even more). The zippers are similarly weatherproofed, as is the audio port to run a headphone cable through. The bag exudes compartments, with an externally accessible laptop compartment that is well padded and very easy to access (easily holds a 15″ or smaller machine, 17″ may be possible but check the dimensions), a side compartment for an umbrella on one side, and two smaller compartments on the other (I keep my travel mouse in one, and my Zune, DS, and phone chargers in the other), a nice compartment on the bottom that I use for power bricks, two pouches at the top that both have access to the audio port (one is for a CD player, the other a smaller MP3 player; I use the CD player pouch for sync cables and other miscellaneous stuff), a large compartment for books and such, and a smaller front compartment for pens, steno pads, paperbacks, and other smaller things. This is a bag where organization is easy.

It is, however, huge. You can hold a lot of books in it, great for college students toting around many textbooks. I found the main compartment very accommodating for a second laptop in a sleeve, a computer book, and magazines. My wife now uses the bag and thoroughly pushes how much it can hold (she is a grad student, so has her laptop, her own textbooks, folders of student work and tests that needs to be graded, stacks of scientific papers she is reviewing, a brick of a TI-86, etc). So far the bag has not been bested by her.

The shoulder straps are well padded and there is a sternum strap between them. After a good deal of heavy use (I bought mine while still at MS, so several years ago), the bag shows almost no wear. It may retail for around $80, but it will last you a good deal of time. There is a padded grab handle at the top, which makes it convenient to carry.

All in all I can find very little to complain about. Almost all of my criteria are met by this beast; however, I did stop using it. It is a heck of a thing to complain about, but the bag is actually a bit too big for me personally. I travel enough, and it can be a tight fit if I have to put it under an airline seat (it will fit, but your legs won’t), though it will fit fine in most overhead bins. I don’t need all of the space it offers, so I end up with needless bulk. I suspect the smaller Ogio backpacks would be better for me.

Pros

  • Well made bag, great material, weatherproof, wear resistant, at a decent price
  • Compartments for all your gadget needs, clearly intended for the technophile
  • More room than you know what to do with
  • Comfortable

Cons

  • More room than you know what to do with
  • Drab colors

Conclusion – Grade: A

This is a great bag, but you likely should pick a model a bit smaller unless you *really* need all of the room; my two-day hiking packs have fewer cubic inches of space. Other than the size, and drab colors that may not appeal to everyone, I have nothing bad to say about this bag. It is a great Geek bag, and you can find previous year models on eBags for $40 at closeout (though usually it’s because the color scheme is being cancelled, often with good reason).

~ Joshbw

Thinkgeek Bag of Holding

This bag is true to its name. It holds a ton of stuff, a deceptively large quantity. The canvas build isn’t very bulky, so unfilled the bag seems pretty small, but the tiered compartment design allows you to put a whole lot into it. The name and front logo also give it some pretty big geek cred. The laptop compartment is reasonably padded and accessible independent of the other compartments, which makes it great for airline travel, and it easily held the Dell D820, a brick of a 15″ notebook (17″ might be a little snug). My current work laptop and personal laptop (14″ and 12″ respectively) are swallowed by the space, and there is more than enough room in the other compartments for me to carry a second laptop in a laptop sleeve.

After a year of use, build quality is holding up well. The canvas isn’t as resilient as the ballistic nylon or cordura that Timbuk2 uses, but with a couple cans of Scotch Guard it has held up well. It is a little disappointing that there aren’t protective flaps over the laptop zipper to keep moisture out, but pretty much all of the other zippers are covered by the main flap. Unlike Timbuk2, where the main flap is the sole seal for the bag, each compartment here also has a zipper, except for the very front pouch, which is held by velcro. This last bit always bothered me, because it only velcros in a small spot in the very center and I was always afraid of things jostling out along the edges. The main flap is closed by two snaps rather than clips, which makes it easier to open. I was a bit afraid they might wear out, but after a year they are holding up strong.

While there are several compartments, a lot of them spacious, there aren’t many organization options for smaller electronics, which was a little surprising considering the demographic that shops at Thinkgeek. I can’t imagine I am the only one that carries a DS, MP3 player, cords, chargers, and other sundry electronics in the bag (I suspect much of the Thinkgeek staff does as well), so I feel like considerations should have been made in the bag’s design. I think if one was carrying a lot of large books (generously, textbooks; realistically, game books) this bag would be great.

The strap is pretty crummy. It holds up, but isn’t very padded. What drives me insane though, is how easily it becomes unadjusted. I am not a large person, so have it adjusted pretty small. Under moderate load it slips back into a larger size pretty easily, which is annoying. It also attaches to the bag with elongated D rings, which slip out of place and get twisted up very easily.

Pros

  • Really is a bag of holding- it is deceptively spacious, but isn’t bulky
  • Not a bad price, though it is made of canvas
  • Holds up well to use
  • External access to laptop compartment

Cons

  • Spacious, but not organized. Smaller items will easily be swallowed by this behemoth
  • Strap sucks- it has no padding and constantly becomes unadjusted
  • Canvas is less weather resistant, though Scotch Guard can rectify this

Conclusion – Grade: A-

This was my primary bag for quite a while, and it came so close to being ideal. If it had better organization for smaller items and a better strap I would likely have settled on it. I could carry around just my laptop for the day and the bag seemed pretty small, but I could also cram two laptops, my other gizmos, and a couple of days’ clothes in it when traveling. The canvas didn’t really bother me, and it seems to hold up fine, and the price is hard to beat. Also, by its very name it is obviously targeted as a Geek bag.

~ Joshbw