Miscellaneous Security

Reading time: 3 – 4 minutes

Photo: B.G. Lewandowski

Why did you just click that link? Most likely you have came to this site by clicking a link from another site. Why did you do that? Did you trust the person who sent you the link? Did you click a link from Twitter, Facebook, or an email someone sent you?

When you click a link, you are telling your browser, “I trust this person.” However, this is not the way we use the Internet. We click on links all the time. We click on links from “untrusted” sources. We click links from people we don’t know and we even click on URL’s that have been modified. On Twitter, a person is much more inclined to click the shortened link http://bit.ly/5hXRW then they are to click http://somewherebank.com/transfer.jsp?amount=1000&to_account=56777564. Even though the shortened link could redirect to the somwherebank.com site.

But, why would someone trick you into clicking a cleverly disguised link? The site that you are redirected to may seem harmless. It could also be extremely malicious.

What happens if this page, (the one you are currently viewing), was filled with Cross-Site Request Forgery (CSRF) links? This web page could be setup with all types of malicious intent. However, you didn’t know that when clicking the link. Now, it is too late.

If this site did have Cross-Site Requests, I could do things such as:

• Change the password on your Facebook account
• Transfer the money from your on-line bank account to another account
• Enact trades from a financial institution such as E*Trade

The sites that I exploit would have to be vulnerable to CSRF. But researchers, such as Mike Bailey and Russ McRee, are constantly finding CSRF vulnerabilities in web applications.

An example of how clicking links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani, Bad Sushi talk. In their presentation they described sending phishers a word document stating their account numbers were inside. They sent this email to 25 known phishers. 10 of the phishers opened the word document and were presented with this. In addition, there was another link that said, “Actually, my account information is here.” 3 of the 10 clicked on that link. Even the phishers click links they shouldn’t.

What should be done? Who knows. It is human nature to trust people and we can’t get things done if every time someone sends us a link we open up a VMware image to view a link. So continue using the Internet the way you have been and remember, “These aren’t the droids your looking for.”

Reading time: 3 – 4 minutes

Photo: Noël Zia Lee

Compliance is not a new buzzword, in fact in other industries compliance has been around a long time. During the RSA conference, every vendor had the word compliance on their cardboard bulletin board, an adult version of a diorama. [1]

What are the different types of compliance?

In computer security, compliance began with the government. This is where all good ideas come from (sarcasm). Over time compliance regulations evolved into something that was “needed” by the industry to make sure that corporations took steps to protect their user’s data. It is sad that corporations need an intervening body to tell them that they should secure their data. However, this is why HIPPA and SOX came about. Why should a hospital spend money to protect patient’s records? That is crazy talk!

I have been in the security community for a long time and I hate to tell you but companies will never care about security. They will do the minimum thing required in order to satisfy the masses. In the U.S. the only thing that matters is the bottom line. Companies pay for Cost-Benefit analysis on things to determine what the corporate strategy should be. Corporations don’t do this because they care about the result, they do it to save money, thus being profitable for their shareholders.

If the only thing that matters is the bottom line, you need independent regulatory agencies to mandate certain rules for the greater good.

As long as consumers believe that the products they buy are safe, they will continue to buy them.

Let’s take the protection on a container of Tylenol. In 1982, a bunch of people were poisoned in Chicago because someone decided to put potassium cyanide in random bottles of Tylenol. What was the result of this? The market share of Tylenol dropped from 35% to 8%. It took an entire year for Johnson & Johnson to grab the market share again. They did this by creating a triple-sealed package and dropped their cost to be more competitive. After this Johnson & Johnson grabbed more market share than they had before!

In this example, the consumer stopped trusting that Tylenol was safe and subsequently stopped buying Tylenol. They didn’t stop buying medicine just Tylenol. The attacker could of poisoned other bottles too, but that didn’t matter. What the customer cared about was the safety of a product. When the consumer felt good about Tylenol again, they begin buying the product again.

The purpose of compliance is to make the consumer feel safe. The government needed to step in and mandate in order to have the people feel protected.

Does compliance work?

It depends on who you ask. Mike Bailey doesn’t think so. However, others do. For instance, Companies that make profit from compliance defiantly think it works.

Why is compliance so often talked about?

Companies that do cost-benefit analysis like the ones above need to be compliant. They will comply the cheapest way they can, thus keeping their operating costs low. Companies will continue to offer cheaper and cheaper compliance products. Just remember, they get what they pay for.