Tuesday, July 29, 2014

Railsgoat! July OWASP Austin Chapter with Ken Johnson - with link to recording

Ken Johnson travelled to Austin for the July OWASP meeting.  No thanks to US Airways! Remember, last meeting Ken and Mike McCabe were supposed to present, and US Airways deprived us of their presence. Vern Williams jumped in heroically to give a talk, but Ken and Mike spent most of a day trapped in Raleigh, subjected to several layers of lies from the airline.

Here's the recorded presentation http://vimeo.com/channels/owaspaustin

This month Ken made it!  Nice crowd on hand:


Ruby & Rails was an interesting topic - it seems like a lot of people using those technologies are startups trying to build apps as quick as they can, and Enterprises trying to pretend they're startups.  Both of these scenarios tend to "forget" about security and can lead to nasty problems.  It can be downright scary to security folks.

Given this state of security worries, chapter priorities included a Happy Hour, as usual:

We might have a recording of the presentation coming soon - if so I'll post it as a comment.

The slides are here http://prezi.com/5zo5lxs82lr7/railsgoat/

Follow Ken @cktricky and Mike @mccabe615

Tuesday, June 24, 2014

Austin OWASP Chapter Meeting: Learn to Fight Wounded

Vern Williams presented at the Austin OWASP chapter meeting today on "Process and Architecture" in software development.  He advocates an engineering approach to security in software and systems, and suggests "engineering better management in" rather than reacting later.

In terms of software, architecture means designing something that meets the needs of the customer, but is also resilient, robust (resistant to failure) and secure.  This means that even when the system does fail, it will be gradual rather than catastrophic, and recovery will be rapid when something bad happens.

Vern also spoke about users and the importance of training.  He suggested warning users to notice when there are problems and alert IT.  Then again, it has been said that a user and his mouse can be viewed as a "malicious rodent on the desktop."

Vern also spoke about defense-in-depth, and used a few examples from his days in the Navy, working on nuclear subs.  He described life aboard the nuclear sub as "the only place people run toward fires."

To the audience of mainly application developers, pen testers and security professionals, Vern made a very interesting observation: we need to learn how to fight wounded.  Everyone in the audience agreed that it is foolish to assume that your company is impenetrable.  The best thing to do is figure out how to architect your systems and applications in a way that is attack-resistant.



Thursday, May 1, 2014

Never Underestimate the Power of the Little Raspberry Pi


The Raspberry Pi is fascinating a diverse set of people – from technophiles, to security researchers, to security practitioners, to penetration testers, to adventurers, to problem solvers, to kids, and to bad guys too.  The Raspberry Pi is a lot like Lego – you can literally build anything, do anything, with this affordable and diminutive device.  Unlike the smart phone, the Pi is basically disposable.
Tiny is the Pi's power. Its size and unexpected power make it interesting.  Applications for the Pi seem to be limited only by your imagination.

You can plant the Pi behind a power junction switch, put it in a Dell power brick, put it in a FedEx delivery envelope or put it on a drone – it’s also a great platform for remote attacks.  You can use it to send covert signals to nearby receivers using specific frequencies, and it’s so small it’s virtually invisible.

The Pi can support a camera, drive your TV video display, sense temperature and GPS location and even sense the opening and closing of doors.  This little critter can be programmed to really freak people out, by providing you all this information remotely. 

OK, back to task!  Branden Williams presented at the Austin OWASP chapter on 4/29/14, sharing his enthusiasm about the Raspberry Pi and its applications in security.  As Branden pointed out, the $35 Raspberry Pi is a full computer – the size of an Altoid tin and basically disposable given its price point. 

There was an in-person audience of about 50, and some online viewers.  One of the first things Branden asked of the audience was "Who is a ham radio operator?"  Amazingly, about 8 people in the audience were.  High percentage.  Let's think about why this might be the case.

Security people understand some things quite well: they favor the path the attacker will ignore, or be unable to attack successfully.  Security people think about things like minimizing attack surfaces.  They are aware that attackers care about ROI and attack targets of value.  Ham radio appeals to the OWASP audience for these and other reasons.


Branden’s slides are here 


Used to be, it was hard to acquire a Raspberry Pi.  No more.  Look on Amazon, there are some really nice kits with everything you need, for less than a dinner for two.   

Friday, January 10, 2014

SecurityBrew LLC Provides Security Product Marketing Consultancy

This is my shortest and most delightful blog post ever.  I've incorporated and SecurityBrew LLC is now offering IT security product marketing consulting.  Loving it, very busy, but would consider new clients after Q1.

Selling to IT security professionals is different - they demand timely information, education and facts, not marketing fluff.

View from one of my client's offices, in Austin, Texas

Monday, November 25, 2013

Shhh Files, Security Hunters and Malware Writers, Oh My!

I attended Michael Gough and Ian Robertson's training on Friday, entitled "From Joe to Pro – Finding Malware in Your Environment," sponsored by our local ISSA Capital of Texas chapter, BSides Austin, Critical Start and SourceFire.  I know from previous software employers who have paid ransoms that there are dirty secrets called Shhh! in security.  While it isn't publicized, companies pay handsome ransoms to prevent exploits found from being made public.  Government agencies do, too.  In the case of software companies, it's self-preservation.  In the case of government agencies, it might be something tasty they want to let play out, for their own reasons.

First, accolades to Michael and Ian for their service to the security community.  They're active in ISSA, InfraGard, ISACA and BSides.  They take time out of their busy days to share security intelligence and their findings as security practitioners with the community.  Great blog about security hunters versus gatherers here http://hackerhurricane.blogspot.com/2013/11/like-natives-infosec-needs-to-become.html

Caveat, IMHO: grassroots security training, effective patch management, compliance efforts and ongoing security monitoring using conventional means might be called "gathering" - while not sexy, these measures can monitor or alert on many security issues without drama.  That being said, compliance is, by its nature, not very effective against dynamically changing security attacks.

For sure, malware writers have the attacker’s advantage.  They have test labs equipped with available security software.  They are not inclined to release malware that won’t work against common countermeasures.  They choose when and where to release their malware.  Defenders are at a distinct disadvantage. 


The training was great, and enjoyed by a full house of security professionals!  One of the many perks of living in Austin is the community of security practitioners.

Monday, November 11, 2013

The Mysterious Case of ATM Denial of Service: Help Us Figure Out Who Dunnit


A security-conscious friend of mine recently received an automated call telling him that his ATM card was being cancelled due to a data breach.  The robo call said a new card was in the mail, asked him to monitor the account for suspicious activity and not to use the card – hence the denial of service.

Being an infosec professional, he felt there might be more to the story, so he immediately called the bank to get more clues.  He found the keyword to getting intelligent insights from the bank was to use the word "fraud", which got him to a knowledgeable customer service rep quickly.

The bank’s story:
The bank indicated that they had received a call from VISA specifying the ATM card number “might” have been compromised.  The key thing to understand is that there was apparently a data breach – his ATM number must have been in a breached database, ostensibly a 3rd party database.  Remember, he only used this ATM card at bank-approved ATM machines, not for anything else.  According to the bank, VISA did not tell them which 3rd party or database had been compromised.   

So it's not a typical data breach, as he had only used the ATM card in question at bank location ATMs.  So how did the ATM number end up in a 3rd party database?  There are only a few immediately obvious ways:

  1. The bank sold the ATM number
  2. The bank’s ATM network was compromised and this card number was sold
  3. The fraud alert was a fake by VISA or someone masquerading as VISA, designed to cost the bank money to re-issue the ATM cards and to increase consumer fear that their debit transactions are not safe

Scenario 1 is highly unlikely as it would be a huge GLBA violation for the bank to sell an ATM number, and the bank is liable for any fraud.

Scenario 2 is also unlikely since there were no fraudulent charges and the alert came from VISA, implying the card was used somewhere.

That leaves Scenario 3, which is pretty darned stinky.  VISA does make more money on credit cards than debit cards.  Also, in the words of Sherlock Holmes, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth." 

So you have the clues - what do you think really happened?  Who dunnit?  Is there another explanation?   

Thursday, November 7, 2013

Katie Moussouris - Mother of Microsoft Security Bounties - at ISSA Capital of Texas Chapter meeting


Katie Moussouris, Senior Security Strategist at the Microsoft Security Response Center, and Mother of Microsoft bounty programs, presented at our ISSA Capital of Texas Chapter meeting today.  Katie is refreshingly unabashed, putting a fresh new face and positive attitude on Microsoft and security.  She's absolutely not a stodgy, arrogant guy in an ugly suit being indignant about being a target.  Instead, she comes across as part of the solution.

Quick version: Microsoft bounty programs are now paying real and significant dollars to ethical hackers who want to do the right thing, which is to use their talents to let the vendor fix security problems before criminals have the pleasure of exploiting them.  Katie described Black Market, Grey Market and White Market approaches.  Enlightened technology providers understand all three, and provide ways for smart hackers to "do the right thing."  Microsoft is proving itself to be enlightened on this count, with this bounty program.  Good bounty programs flush out targeted attacks faster, sparing law-abiding users from being hurt.

A few details:
  • Companies like Microsoft have target dominance.   If nobody cares about your company, you’re not a target.  If you are a market leading target, consider a bounty program.  Such a program will benefit your users in flushing out weaknesses and vulnerabilities before they can hurt your users.
  • Bounty programs will not tend to attract bad guys, because they know they will make more money with the Black Market.  Well of course.  However, most smart programmers are intrinsically good, wanting to solve problems and foil the bad guys – hence bounty programs are just good business.
  • Bounty programs can’t take the place of good security programming practices.  Sure, it’s great ad-hoc penetration testing, but it doesn’t take the place of investing in security.


All of that, plus Katie wore boots in Texas style!