Showing posts with label can't make an omelette without breaking some eggs. Show all posts

Tuesday, February 7, 2012

Andrew Tanenbaum on Security vs Fun-Loving Students

... "some modicum of security was required to prevent fun-loving students from spoofing routers by sending them false routing information."

- Andrew S. Tanenbaum regarding OSPF in Computer Networks (4th ed.)

Friday, June 24, 2011

I admit, I laughed: LulzSec as popular as orgasms?

Unless you've been ignoring the news for the past few weeks, you've probably seen mention of LulzSec, and if you're a security person you've probably seen this article about Why [security folk] secretly love LulzSec. The short version is that they're the latest hacker gang, and rather than profit or social justice, they're just in it for the lulz. They're really making the state of computer security more obvious to the layperson:

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.

While I often joke that web security is an oxymoron, they demonstrate it in the funniest ways they can find. As a web security researcher, I have to admit that their antics often make me laugh... and kinda make me wish I was allowed to use stolen data for research -- all those passwords! Data was always hard to come by when I did my spam immune system work so that much just makes me salivate a little, even if I'm pretty sure our ethics committee wouldn't let me touch it. And it's not like I do authentication research. But still! Data! I hope someone's doing cool things with it.

But here's a bit of meta-lulz: LulzSec scam discovered on Facebook - but it's not what you think. The excellent Graham Cluley discovers a Facebook scam that purports to have a picture of a LulzSec suspect, and then he sleuths out that the pixelated bait picture is, in fact, of another hacker arrested in 2008.

This means that LulzSec is apparently now so newsworthy that potential pictures of them can be used as bait for Facebook scams. They're up there with Obama, celebrity sex tapes and the ever-popular dislike button.

I don't know about you, but I got a great chuckle out of the thought that LulzSec might be as popular as orgasms... at least when it comes to scam bait.

And to end with more lulz, here's my favourite LulzSec tweet of today, which came in the midst of explaining what they had and hadn't actually hacked as the media attributes everything and anything to them:

@LulzSec: Though we did attack the actual sun... that bitch was down all last night.

Wednesday, October 27, 2010

Quick Hit: Firesheep

By now, probably everyone's already heard of Firesheep, the nice user-friendly way to use cookies to do session hijacking. Want to be logged in as someone else on Facebook? No problem.

It's nothing spectacular on a technical level, since it's been easy enough to use other people's cookies for quite some time, but it's a pretty impressive social hacking tool. It's making it clear to a lot of people (and media) that this is a real problem, and that it's an exploit anyone can do now.

I'm actually sort of surprised that I haven't seen this earlier: it used to be a bit of a game in the undergrad lounge to see what one could sniff off the network, with people using some tool whose name I've forgotten to show any images that came up from users surfing on the wireless. Hacking session cookies would have been a fun addition to our childish games -- and I'll bet plenty of college kids are using it for just that. Or for checking out their ex-boyfriends/girlfriends...
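The weakness Firesheep relied on is a session cookie that the browser will also attach to plaintext HTTP requests, where anyone on the same open wireless network can read it. Below is an added example (not code from the original post or from Firesheep) that audits Set-Cookie headers for that condition; the session-cookie name heuristics and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the weakness Firesheep exploited: session
cookies that a browser will send over plain HTTP, readable by anyone
sniffing the same open wireless network."""
from typing import Dict, List

# Heuristic name fragments that usually mark a session cookie.
# Assumption: a list constructed for this example, not a standard set.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowered;
    flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookies(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that is exposed.

    Only the Secure attribute stops the browser from attaching the cookie
    to http:// requests, which is what a passive sniffer needs. HttpOnly is
    reported too, but it addresses script access, not network sniffing.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        if not looks_like_session(cookie["name"]):
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure; sent over plaintext HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly; readable by page script")
    return findings


# Constructed sample responses: one as many sites served them in 2010,
# one hardened. Only the session cookie matters; the theme cookie is noise.
WEAK_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.test",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.test; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_set_cookies(headers) or ["no findings"])
```

Marking the cookie Secure only helps if every logged-in page is actually served over HTTPS; otherwise the browser has nowhere to send it.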

Friday, July 9, 2010

Preparing some curricula on web security

Among the other cool things I'm doing this summer is working as a teaching assistant for 1.5 days worth of tutorials on the subject of web security. This is part of my national research group's "summer school" program where we try to give our graduate students more background into other areas of security. I'm working up a list of potential topics so we can get our teaching materials together.

So... What would you want to learn in a short course on web security? What do you wish other people knew about web security?

Here's my brainstorming list, to be updated as new things occur to me:

Attacks

Defenses

  • Best coding practices
  • Web Application Firewalls
  • Web Vulnerability Scanners
  • Tainting
  • Mashup solutions (e.g. MashupOS, OMash)
  • Policies (e.g. SOMA, BEEP, CSP)
  • Penetration testing techniques

Notes: The tentative plan is to separate things into a hands-on lab tutorial (probably using webgoat) and a set of lectures, mostly running simultaneously. We're going to have some top-notch students here, since we're drawing from a pool of smart security researchers to start, so we can cover a lot of ground and go much further in depth than we might teaching developers with no security background.

Tuesday, June 29, 2010

A crash course in the social media equivalent of defensive driving

How can you stay safe and keep things private while still taking part in online life? I'm a web security researcher, so I get asked this fairly frequently.  And it's easy to see how people get overwhelmed by all the news stories, the marketing blurbs, and the constantly changing policies.

Why I'm not telling you to quit Facebook

Let's say you're worried about your risk of getting into a car accident.  Do you sell your car and refuse to get into any moving vehicle?  No.  Refusing to use a car might make you safer, but it would be quite isolating and, depending on where and how you live, very difficult.  Just like many people live without cars, you can live without social networking, but there are some significant costs to refusing to participate.  Many people's need or desire to participate is much stronger than the risks they face.

If you're worried about car accidents, you've got other options to manage your risks than giving up your car.  You can learn to drive defensively.  You can make sure you wear your seatbelt.  You can learn about the safety ratings and use cars that perform better in safety tests.  You can refuse to drive places that are dangerous.

So what I'm hoping to do here is give you a crash course in the social media equivalent of defensive driving.

The web is not a safe place

When I learned to drive, my driving instructor often reminded me that I had to treat every car on the road as if it were being driven by a moron who might swerve into my lane at any time.   It might seem like a very negative point of view, but it's a very practical one that's helped me avoid accidents on numerous occasions simply because I was expecting it.

My blog is called Web Insecurity for a reason.  Nearly 2/3 of web pages currently have a serious vulnerability.  So that means no matter what the policy is, how careful you are, or how careful your friends are... there's a good chance you are going to view some code controlled by a bad guy, and they could get information about you that you don't want them to have.  It's often very easy to exploit these vulnerable parts of a website.  75% of websites with malicious code are legitimate sites.   

You may be thinking, "sure, but no one's going to care about my data."  And you may be right.  But if a bad guy is trying to make a company look terrible, one way to do so is to expose information about all of their users.  You can definitely wind up as collateral damage.

Learn your legal protections

Learning about legal stuff can be time-consuming and confusing, and frankly companies may violate laws anyhow.  But it's still worth learning a bit about your rights. The EFF has quite an impressive body of work covering free speech, privacy, intellectual property and other important issues, and they do a great job of translating legal speak into clear, comprehensible articles.   You might also consider reading bloggers like Michael Geist, and your country may have great resources like the Office of the Privacy Commissioner of Canada.

Remember that things that may seem similar often have very different legal protections.  For example, if my credit card number is stolen, there are laws that limit my liability to $50.   But that's not true about all money transactions online:  Debit/bank cards have no such legal protection.  Some modern credit cards that require a PIN have no such protection even though these cards aren't actually safe. You may have no legal protection from your bank if you don't follow their security procedure to the letter, and those security requirements of online banks can be pretty crazy: Do you reboot your computer every time you bank?  No?  You might be on the hook if someone compromises your account!

So yeah.  It's a bit of work, but it's worth it to at least learn about the issues that affect you.

Learn the controls

It may seem a bit silly, given that I've already told you that websites can easily be compromised, but if you're managing risks you should learn to use your privacy controls, choose good passwords and security questions, and keep those things private.  Again, it's about managing your risks: even if these controls can't make you 100% safe, they might make you safer.


Companies are not your friends

For many companies online, you are not really their primary customer: your time and your personal information are assets the company sells to their advertisers.  You have to expect to be treated accordingly. You have to treat every company or organization you interact with online as a potential hazard.   Many companies intentionally or unintentionally violate privacy laws and even violate their own privacy rules.  And privacy rules change, sometimes because the company itself changed them, sometimes because they get bought out by another company.  Your guarantee when you signed up for the site is unlikely to hold a year from now, but it may be nigh impossible to remove your data from the system when it changes.

And that's just the "legitimate" problems that could affect you: there's a good chance any company's sites could be attacked and your data exposed as a result -- it happens to fully legitimate companies all the time, no matter how good their intentions towards you and your data.

Choose your friends wisely

You wouldn't tell all your secrets to the office gossip, but online your friends may be "forced" to become gossips either through malicious software or through changing policies.  It sounds like some crazy super-spy movie: trust no one!  Your friends could be compromised!  But once again, just like I'm not telling you to delete your Facebook account, I'm not going to tell you not to share, just to be defensive.

For example, I have a couple of friends who really enjoy Facebook games.  They seem to install every new thing that comes along and invite me to join.  Nothing wrong with that, right?  I mean, if I don't want to join, I just don't, and that's the end of it.  Except that it's not: my friends have all these games and thus all these extra ways that someone might break into their accounts.  And indeed, these are the folk who wind up with compromised accounts more often than most.   So while these are great people who I'd be happy to share job concerns or relationship woes with in real life... It's too risky for me to share private stuff with them online.  They are the office gossips, whether they mean to be or not.  They're not the only ones who put me at risk (any friend can end up on the wrong end of a broken website) but they're the riskiest.


Choose what you want to share

The biggest part of managing your risk is choosing what you want to share online.  Here are a few questions you might want to ask yourself:
  1. Will this embarrass me if it gets out?
  2. Will this affect my safety?
  3. Will this affect my employment?
  4. Will this affect my family/friends?
If your job requires you to be a role model, you may have to be a role model even in your off-hours. Maybe it shouldn't be that way, but let's be pragmatic: you have to assume that it is that way.  

You have to assume that anything you share online could become public knowledge.  You can't trust the companies, you can't assume their sites are safe, and you can't even trust your friends because of unsafe websites.  

Think before you share.
Using a pen name

One other way to manage risk is to use a pen name or pseudonym.  Lots of people do this to give them a layer of privacy, especially when trying out something new like starting a silly blog, or when engaging in discussion that could be sensitive such as online political debate.  Sometimes it's even an open secret that so-and-so goes by a nickname online, and the only reason they do is to make it harder for potential employers to come up with a list of everything they do online when searching their legal name and given email address.

This is a great tool if you want some more freedom to speak, but people sometimes will do the legwork necessary to figure out who you are, especially if you're high-profile or saying something unpopular.  So pen names are great, but do remember that they're not 100% guaranteed to keep you safe.  Again, it's another way to manage risks.

No matter what you do, everything may become public

I've said this a bunch of different ways, but this is the real take-home message here: No matter how careful you are, anything you do online can become public knowledge.   It's up to you to manage your risks accordingly.

But don't despair -- it may sound stupidly hard, but you're already handling issues of trust and privacy every time you choose to tell a story to a friend or complain about work at a party.  You might have to pretend you're in a spy movie and trust no one, or you might decide some things are perfectly fine to share with the world.  Just try to make an informed decision.

Friday, February 15, 2008

Wait, did that look like that before?

Wait a second... In a previous post, I noted that gmail just quietly downgraded to HTML if you didn't have JavaScript turned on. But today, I noticed this message:
They could use a small fix to their formatting (ie: don't let the poor text jam into the side of the box like that -- I had to grab some of the surrounding window so this screenshot would be legible) but this is strangely more helpful than it was before.

Why the difference?

Well, much as I like to believe someone at Google saw my comments and made the change, I'm not quite arrogant enough to believe that's true. Although I suppose it could be -- there's a lot of Google people out there, and for all I know they've got something that scans Blogger for mentions of their products. It would be a clever, if time-consuming, way to find out what the public really thinks.

Err, I digress. Self-centred worldviews aside, I'd guess it more likely that this message has always been there, and I just missed it last time because of my NoScript configuration.

Why do I find this interesting? Well, I'm currently working on a theory that users will be more safe if they can disable JavaScript that they don't really need to run the page. This is the theory underlying NoScript, and it has some face validity. But if users start running only some JavaScript, what is this going to do to the usability of the web? My current answer is that if you leave JavaScript off entirely, you're going to turn some pages into a usability nightmare, where things will just not work (more on this later). But these different error messages based on my various setups indicate to me that you may have these usability problems even if you have partial JavaScript. In fact, the usability problems may be much worse because the page won't know to generate an appropriate error message!

I don't know how to solve this problem yet, but I guess that's what makes this research!

Saturday, February 9, 2008

The web without JavaScript. Part 2: Black Holes and Revelations

As I implied in Part 1, while sites do sometimes provide helpful error messages related to JavaScript, often as not they just behave strangely.

Perhaps the most common issue I've seen is missing content. The things I notice most often are missing ads and missing video. Sometimes, it's nice and obvious that there's a missing element on the page:


Many pages leave very obvious spaces for their ads, and when they're filled with blank space, it's fairly obvious that there's a problem.

The videos are less obvious, however:

There's a video in there. Really. Normally, it would appear right below the header, so the page would look more like this:


There you can see the video loading in the big black box. But how would you tell that the previous page had anything missing? The page has nicely moved the text up, leaving no trace that there should be something there. In the case of the missing video, there are usually only a few clues:
  1. The page looks abnormally short (there isn't much text)
  2. I'm expecting a video on the page, and it's not there.
  3. I happen to check the JavaScript list from NoScript and notice something that looks like video.* or sounds like a domain that might host video.

Usually, the winning clue is #2, since a friend will send me a link and mention that it's a video, or the comments on the page will talk about the video, or sometimes the text itself will tip me off by what it says.

And often, you'll see both missing spaces and the lack thereof on the same page. The page featured below would normally have both an ad and a video:


Could you tell there was a video on this page? You can see the blank space for an advertisement, but the text automatically moves up so you can't tell that the page with the video looks like this:

That's the video in bright yellow at the bottom there.

But it gets even more fun when you've changed which sites are JavaScript disabled in NoScript. Check out that same site with all the JavaScript disabled:

They're pretty smart! If they can tell that JavaScript is disabled (ie: I've disabled it for the main site) then they both provide the helpful error text AND they provide an ad, showing that you don't really need JavaScript to do it. Unfortunately, my weird way of disabling some JavaScript but not others had limited their ability to do damage control on the page I was trying to break. Interesting...

Next up in this series: Sites that have more than a few holes, and sites that just don't work without their JavaScript!

Friday, February 1, 2008

Want to be safe from malicious web scripts?

Want to be safe from malicious web scripts? The solution, apparently, is to disable JavaScript.

It's always that last line of the security bulletin, the reminder that if we just didn't run this code, we'd be safe from the latest Facebook abuse, bad mojo in Yahoo, or whatever the (bad) flavour of the week is. But really, you might as well tell people that the only way to protect their computer is to turn it off, lock it in a dark bunker disconnected from the world, and throw away the key. Sure, that'll keep it from getting the latest piece of web crud, but the machine won't do you very much good.

Think I'm exaggerating? Try turning off JavaScript and see how long you last before you need to turn it back on. The first time I tried it, I lasted half a day before I needed to change some configuration on my router and found that the settings pages wouldn't even load properly with JavaScript disabled.

However, I was raised by scientists. My parents are the sort of people who, when the stove clock broke, gave it to me and my brother, showed us how to use some screwdrivers and other hand tools, then let us experiment on the remains. I'd love to claim we somehow fixed it, but no, we just found new ways to break it and put parts of it back together in weird ways. But my parents are smart people: taking things apart and breaking them does teach you a fair bit about them. And now that we're older, we can put them back together as well as take them apart.

So with that thought in mind, I realised that if I was going to build a safer web, I needed to know how to take it apart and put it back together. In the "breaking things" phase, I decided I needed a nicer way to turn JavaScript on and off on a whim so I could see what else didn't work. Thankfully, Firefox has a lovely little add-on called NoScript which lets me disable or enable JavaScript on a per domain basis. I wouldn't recommend it to novices, but I'm a trained professional, so I set out to learn some stuff.

With that tool, I was ready to start breaking my web.