BsidesSF – An Alternative Conference

Posted by Brett Hardin on 17th March 2010

Reading time: 3 – 4 minutes

BsidesSF was an amazing event, and I congratulate Mike Dahn for putting together an event that ran super smoothly.

All of the presentations at BsidesSF were cutting edge and highly informative. There were two presentations that, in my opinion, clearly stood out.

Gunter Ollmann – Your Computer is Worth 30 Cents

Gunter Ollmann’s presentation explained how botnets and malware have changed the state of penetration tests.

Penetration tests are sometimes misunderstood, and it is important to understand what a “real” penetration test is. Pen tests are supposed to replicate the real attacks an attacker would use to penetrate your network.

Gunter explains how these penetration tests have evolved over time:

In 2000, the easiest way to break into a network was to submit a job application, get the job, plug into the network, own it, and never show up the next day.

In 2005, the easiest way was to hand out USB drives in the parking lot that called home.

Now, the easiest way is to purchase machines inside of the corporation that already belong to a botnet.

I think this was a very eye-opening presentation. Although we have seen startup companies focused on protecting your corporate assets from becoming part of these botnets, I think we will begin to see startup companies focused on removing your corporate assets from botnets.



Tim Keanini – Computing Risk without Numbers: A Semantic Approach to Risk Metrics

The other talk that was very ground-breaking was presented by Tim Keanini, CTO of nCircle. TK presented on identifying risk through the use of semantic language. This is an alternative and interesting approach to risk management that uses semantic language to rate the risk that assets pose to a network.

After the presentation, most people said they would need to watch TK’s presentation three or four times to extract all of the information from it. I completely agree and am thankful that all of the presentations have been archived.




Security? Who Cares!

Posted by Brett Hardin on 8th March 2010

Reading time: 2 – 3 minutes

I recently had the opportunity to speak at BsidesSF last week. This was an awesome experience, and I highly suggest everyone attend one of the next Bsides events coming up in Boston, Austin, or Las Vegas.

I presented “Security? Who Cares!” This talk focuses on the way the security community views its beliefs and how privacy is dying. Feel free to leave your comments after viewing it. It takes about 25 minutes to watch.


Cross-Site Scripting in 37Signals Writeboard Application

Posted by Brett Hardin on 3rd February 2010

Reading time: 3 – 4 minutes


Photo: jurvetson

While recently using Basecamp, a 37Signals product, I was writing a collaborative document using Writeboard and noticed that I could insert less-than (<) and greater-than (>) characters in the document.

Writeboard uses a simpler form of editing, similar to wikis. If you want to make a line bold, you can use *bold* instead of standard HTML, <b>bold</b>. However, Writeboard allows the user to mark up the text either way. Well, this was a product that I needed to QA. I quickly inserted a script source tag, saved the Writeboard, and to my surprise, the script src tag fired.

Upon identifying this, I then attempted Cross-Site Scripting 101: <script> alert (123) </script>

That also was successful! I was rather blown away that a product used by Adidas, National Geographic, Kellogg, and USA Today had never tested for (or accidentally found) this behaviour.
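As an added example, written from a defender's view and not 37Signals' own code, the following JavaScript sketches a Writeboard-style renderer in the two forms the post implies: one that converts *bold* to <b> but passes raw HTML through untouched (the behaviour described above), and one that escapes the input first and then restores only an exact allowlist of bare tags, so HTML-style markup still works while a script tag is rendered as text. The function names, the allowlist and the sample document are my own assumptions.

```javascript
// Added example: a minimal Writeboard-style text renderer, for illustration
// only (not 37Signals' code). Function names and the allowlist are assumptions.

// Lightweight markup: *bold* becomes <b>bold</b>.
function applyMarkup(text) {
  return text.replace(/\*([^*\n]+)\*/g, '<b>$1</b>');
}

// Escape the five HTML metacharacters so user text cannot form tags.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: markup is applied, but raw HTML typed by the user
// (a <script src=...> or <script>alert(123)</script>) reaches the page as-is.
function renderUnsafe(text) {
  return applyMarkup(text);
}

// Hardened form: escape everything first, then restore only exact, bare
// allowlisted tags. A tag with attributes (<b onmouseover=...>) stays escaped,
// as does anything not on the list, so <script> is shown as literal text.
const ALLOWED_TAGS = ['b', 'i'];
function renderSafe(text) {
  let html = applyMarkup(escapeHtml(text));
  for (const tag of ALLOWED_TAGS) {
    html = html
      .split(`&lt;${tag}&gt;`).join(`<${tag}>`)
      .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return html;
}

// Defender-side audit for already-stored documents: does the saved text contain
// a tag the safe renderer would not permit (unlisted tag, or any attributes)?
function containsDisallowedTag(text) {
  const tags = text.match(/<\/?[a-zA-Z][a-zA-Z0-9]*[^>]*>/g) || [];
  return tags.some((t) => {
    const m = /^<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(t);
    return !ALLOWED_TAGS.includes(m[1].toLowerCase()) || m[2].trim() !== '';
  });
}

// Constructed sample document (not a real Writeboard).
const sample = 'Notes *action items* <b>ok</b> <script>alert(123)</script>';
console.log(renderUnsafe(sample));      // script tag survives
console.log(renderSafe(sample));        // script tag shown as text, <b> kept
console.log(containsDisallowedTag(sample)); // true
```

An allowlist restored by exact string match is deliberately narrow; for anything richer than a handful of bare tags, a maintained HTML sanitizer library is the right tool rather than hand-written regexes.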

I reached out to the security team at 37Signals; the issue has been fixed, and I have been given a nice shout-out on their security page.

I initially thought, “This is what happens when start-ups attempt to rush products to market without doing sanity checking on what they are doing.”

However, upon further research, I read the excellent “book” Get Real by Jason Fried, the founder of 37Signals. These essays explained why this type of vulnerability lived in the system. 37Signals follows a process of quick development and deployment, with fast subsequent revisions. Their concept is to get a product out that people can immediately begin using.

Screenshot: XSS in 37Signals Writeboard product

While I agree that this is a great way to develop SaaS products, it is difficult to see how security fits into this type of software delivery model. In one essay, Fried explains the necessity of hiring well-rounded individuals (generalists) and avoiding specialists. Does this mean more software developers should be interested in security?

This is yet to be seen, and I think it depends on your product. There is something, however, that other companies can learn from 37Signals.

37Signals did the following after I reported this bug:

  • I initially reached out to Jason Fried on Twitter, and he got back to me in less than an hour.
  • They had a simple way for me to contact them.
  • After reaching out to them, they immediately acknowledged receipt of my message.
  • They fixed the issue in 4 days.

I commend 37Signals for fixing the issue as fast as they did. Typically, when these issues are reported to companies, they are forwarded to the trash.
