If you store, transmit or process credit card data, PCI applies.

How can OWASP help you with PCI compliance?

Credit card data:

• Primary Account Number (PAN): Can store it, but protection required.
• Can never store the CVD 3 digit number or mag stripe

Card data attacks have been increasing in sophistication.

PCI-DSS affects anyone who transmits, processes or stores payment card data. E.g. merchants, service providers (e.g. Paymark, DPS).

Look at 12 requirements of PCI-DSS (firewalls, storage etc)

Protecting stored data:

You must not store sensitive authentication data. Principle: if you don't need it, don't store it. Consider outsourcing, truncation, tokenisation.

Tokenisation: Replace PAN with a unique identifier "token"

Truncation: don't store all the data (e.g. first 4, last 4 digits)

Encryption: Encrypt at point of capture, only decrypt when required, use industry standard encryption, protect your keys.

Developing secure applications / Test app was built securely / Use secure coding guidelines:

Standard OWASP guidelines

Annual risk assessment:

Every year, new threats will affect your site. Go and re-assess against the new threats.

Fixing legacy systems: make sure no old data is lying around.

Real life example: it's very easy to mess up (example of reverting to old code)

Parting thoughts: achieve, maintain and validate compliance. Secure development is a key activity. OWASP is a good source. Reduce storage of PAN data.

Bug chaining - an idea that hasn't really propagated yet.

How do we rate how severe a bug is? Consider how easy it is to exploit, where it is accessible from (client-side, server-side, internet, local, mass exploitable, targeted exploit, etc).

Audience attempted to rate the severity of a couple of bugs:

• SQL injection on authenticated site -> medium/high
• File upload php files on authenticated site -> high/critical
• Local file disclosure -> medium/high
• XSS - reflective, authenticated -> low/medium

Is attacker considered 'authenticated' once there is an XSS attack? Any subsequent attacks can be treated as authenticated.

When you join together the XSS bug with the file upload bug, then it's critical!

Bug chaining: taking multiple bugs and chaining them together to create exploitable vulnerabilities. Instead of looking at each individual bug, look at how they can be combined together.

There are now frameworks to help chain together exploits - and this is how a lot of worms now work.

Recent examples of chaining exploits: PHPMyAdmin <= 3.1.3; SugarCRM <= 5.2.0e - compromise server through 3 bugs together.

How to deal with this? CVSSv2:

• Common Vulnerability Scoring System v2.0
• Scoring system for assessing bugs
• Considers exploit complexity, application location, authentication, target likelihood etc
• Can be very complex, time consuming, difficult to follow

"You can explain this stuff all day, but when network admins actually see you do it, that's when they understand" Brett Moore

VtigerCRM - large open-source CRM system which fixed problems with a security patch, but don't link to the fix (and haven't installed it themselves!).

He wrote a BeEf module for VtigerCRM that can run as an auto-run module (took less than 2 hours to write):

• Chains file upload and XSS bug to upload a malicious PHP script to start a command shell
• Connection is from server to the attackers machine, so user doesn't need to stay connected

Summary:

Don't look at severity of individual bugs - need to look at how bugs can be joined together.

Understand the bugs.

Follow the OWASP coding and testing guidelines.

Tools:

• BeEf - command console for an attacker to run script on the client computer. Modular list of exploits, and control multiple victims. Autorun modules to automatically execute modules within 1.5-2 seconds.

Firefox extensions: They're just software, like ActiveX. Extend, modify and control the browser.

Firefox extension points:

• XUL: XML user interface language
• XBL: XML Binding Language - logical behaviour of widgets
• XPCOM: Reusable components, interface to file system etc.
• XPConnect: Allows Javascript to connect to XPCOM
• Chrome: Special browser zone that is fully trusted by firefox - code is fully trusted, has access to filesystem, user passwords etc.

Mozilla security extension model is non-existent. All extensions are fully trusted by Firefox - no boundaries between extensions, they can modify each other without the user knowing. Can be coded in C++ and subject to memory corruption etc.

Extensions are very popular (billion downloads) and can be found everywhere - social networks, search engines, software packages (skype, anti-virus), anti-phishing toolbars.

Biggest problem is the human side of things - Addins.mozilla.org recommend extensions and add a 'recommended' icon next to them. Extension source code isn't read by third parties ("It's not the linux kernel").

There's no protection from an extension with a security problem, it will bypass any other phishing / malware protection extensions.

Extensions aren't signed (even the Mozilla ones), so we can't rely on people checking signatures.

If an extension is originally trusted, then subsequent updates won't go through the same review process.

No current guidelines for testing a Firefox extension, so security-assessement.com havce come up with their own methodology (whitepaper to be released this year, early next year):

• Isolated testing: Only test one extension at a time, on different OSes with different Firefox versions.
• Information gathering: How does the extension work, how is it installed? Look inside the extension package (a zip file) and look for malicious files (e.g. .exe, .msi etc)
• Look for XPInstall API functions that are dangerous (e.g. executing code on install)
• Look for suspicious files in the extension folder (e.g. softlinks to other directories)
• Look inside install.rdf - some tags can hide extensions so they don't appear in the addon manager
• Extensions can have the same description as other installed extensions, so two appear in addon manager
• Does the extension try to trick the user into thinking it's verified?
• Look for pointers outside the extension, or flags that expose the extension object or content to untrusted code (e.g. contentaccessible=yes or xpcnativewrappers=no)
• Extensions can be merged into the firefox UI - e.g. top toolbar, bottom status bar. They can also modify existing buttons e.g. Reload, Back, Forward or Home button.
• Use the extension. Check the DOM of a test page with the extension loaded (they used mozreply to do this)
• Debugging: can set breakpoints using Javascript debugger.
• Sandbox: can be sidestepped by replacing code inside the sandbox or evaluating it from outside
• XPCOM components: .dll or .so - compiled code that the extension may ship with, or may use existing components on the machine. May need to review source code or decompile. A bunch of components to watch out for.
• wrappedJSObject: removes the protection of the XPComComponent, so they are avoiding the firefox protection.
• Watch out for callback functions, which may be replaced / modified
• window.OpenDialog: Opens any URI with elevated chrome privileges
• Auth: Some expose credentials in plain text, e.g. GET or basic auth
• Auth: Some expose functionality via javascript that can side-step normal process
• Skype extension - a javascript call that any web page can use to start dialing your skype to any
• XSS: Watch out for XSS issues - can execute in the chrome zone from DOM events, embedded XSS, recursive iframes
• XSS: Extensions loading external scripts

They have applied their methodology to different extensions, and some responses have been slow or non-existent!

Here are some extensions that were demoed and had problems. They are all common or Mozilla recommended (all these have been fixed):

• FireFTP: Could include malicious code in the welcome method of an FTP server, and the browser would execute it. Showed a proof of concept sending the contents of win.ini to a different server, and using BeEf to control client.
• CoolPreviews: Susceptible to XSS if a data:// URI is used. Showed a remote code execution when right-clicking on a link and previewing it with CoolPreviews.
• WizzRSS: HTML and Javascript in the <description> tag of RSS feeds is executed in the chrome zone. Showed a reverse shell onto the Windows machine from a malicious users machine.

Extension developers and vendors haven't got a security disclosure process yet - they don't know how to deal with the issues yet. Some extensions don't even publish an email address for the author.

Tools:

• Firebug
• MozRepl
• BeEf - command console for an attacker to run script on the client computer.

With shift to web services, where we are relying on client to secure stuff, we have to remember not to trust the client.

Gave a methodology for testing web services:

• Service discovery:
• Look for WSDL or similar files that contain service info, using search engines, site spidering or looking at app behaviour
• Method discovery:
• Look inside the WSDL to see what methods are available, or if there isn't one, you can brute force the webservice with common method names to find ones that exist.
• OWASP top 10. These still all apply to web service calls, including:
• Malicious file execution, insecure direct object reference,
• CSRF with AJAX clients
• Information leakage
• Broken auth and session mgmt
• Insecure crypto storage
• Insecure communications - SSL is important
• Failure to restrict URL access - protect admin etc web services from anonymous access
• Web service specific tests:
• XML issues (external entities, malformed XML, recursive XML, XML entity expansion, XML attribute blowup, overlarge XML and CDATA injection)
• Can find out details inside the secure network, and CSRF etc machines in there.
• WS-Routing issues
• WS-Security is not a panacea - secures the method integrity and confidentiality, but doesn't stop bad stuff coming through.

Tools shown:

• SIFT web method search tool - brute force the web service to find out which methods are supported.
• Foundstone WS Digger - automate attacks against web services (XSS, SQL, Xpath etc)
• Webscarab - to modify XML posted to web services and try connecting to external entities

If you don't own the 3 OWASP books, you've failed.

We're still facing the same vulnerabilities we already have, because we are doing something wrong. Maybe it's security professionals that are doing something wrong, by not educating developers properly.

Big security companies still having problems with their websites.

Most vulnerabilities are well known.

Security people don't write code. developers do. They don't "get" security:

• Don't fix the root cause
• Don't understand the threat
• Most have never seen a vulnerability exploited

Sitting down with developers and stepping them through a vulnerability helps show them the light and they understand and think about vulnerabilities.

Talk today designed to show developers exploits in action.

Tools showed:

• Burp - proxy tool for intercepting requests
• A custom sitemap tool that Insomnia uses
• An MS-SQL Enumeration tool that takes a vulnerable url and pulls out all the DB info using the master db to enumerate tables
• ASPX Spy - if you can get this ASP.NET file up on to a server and run, it provides a UI for playing around with the OS.
• SQL Map - an automatic SQL injection tool - can enumerate the DB, even if the data is not displayed by inferring the state of the db based on the page output.

Problems shown:

• Robots.txt is not a place to list parts of your site that you don't want people to know about :)
• Buying -1 quantity of a $1000 book leads to the users credit on the shopping site increasing by $1000 :)
• XML parsing vulnerability that allows external entities to be referenced in the XML provided to a web service - which can pull the contents of a file off the server.
• Query string parameters passed to the command interpreter, and used for file names.
• PHP include let's you include PHP source from another web server (looks like you need to disable URL fopen wrappers).
• Only securing GET requests to an admin directory.
• Showed a fake version of the CCIP website with multiple problems.
• Admin interface for a website is exposed to the internet.

Open questions:

• Who owns server configuration? Architects, developers, system administrators? If server or framework config changes, then we're insecure.
• Is it security professionals job to make sure problems are corrected?

Paul raised the question: "Is internet security getting better or worse?"

By 2004 we had bought lots of security products, and now only port 80 is the only open port (default DENY). Hackers started hacking web apps instead.

Classic ASP was easy to hack. until in 2005 when vendors started releasing safer technology frameworks (2005? We were using it in 2002)

Note: ASP.NET doesn't have XSS protection built in, unless you leave ValidateRequest on (which no-one does), as controls only sporadically escape their output.

Paul looked at Security-Assessment's old pen-test projects and compared their vulnerabilities to those run recently.

"In 2003-2005, web application developers were F$%^&* bad"

"Developers fail at anything to do with files"

But the situations hasn't got much better lately. Admin sections are still accessible, SQL injection still found, but less common, file uploads allowing directory traversal.

When developers use framework security controls, they're okay. If they use custom security code, they mess it up.

"Less vulnerabilities in 2009 resulted in a shell"

"Security only works flawlessly when it's already implemented in the framework" - when developers build their own code, they normally mess it up.

Summary: The internet is getting more secure, but we're not there yet! Only need one bug to get in to a system.

Deleting your POP3 mailbox using telnet, since Gmail doesn't do it properly :)

I'm using Gmail to check and download my Paradise (ISP) email. This means I can read (almost) all of my personal email in one place.

Gmail appears to only have one option for deleting mail: "Leave a copy of retrieved messages on the server". If you set this option it immediately deletes your mail from the POP server after downloading it to Gmail, which means that you can't check it with an alternate client.

Other mail clients allow you to leave mail on your mail server for a number of days, so I normally set this to 7 days so that if I need to fire up a different client or use my ISP's mail, then I can see recent email. Gmail doesn't have this option, which means if you don't delete mail from your POP account, it will eventually fill up.

For completeness, the sequence of commands to type into telnet to delete a bunch of your mail:

> telnet pop3.paradise.net.nz 110

USER <username>  // Your POP username
PASS <password>  // Your POP password

STAT                        // Lists the number of messages (e.g. +OK 1108 19255723, which means 1108 messages)

// Then for each message
DELE 1
DELE 2
...                         // I used a spreadsheet to quickly generate a list of DELE's from 1 to 1108)

Mission accomplished. An empty POP mailbox without installing (or writing) any extra code :)

Kirk

Well done to the SilverStripe team for getting into the new Microsoft Web Platform installer:

The installer helps people get web applications up and running in a flash, and it's great to see SilverStripe alongside 9 other big-named web apps. This should be great for the initial out-of-the-box experience for their users, and for exposure to new users.

See Nigel's blog for more details.

http://creativefreedom.org.nz/blackout.html

Join The New Zealand Internet Blackout to protest against the Guilt Upon Accusation law 'Section 92A' that calls for internet disconnection based on accusations of copyright infringement without a trial and without any evidence held up to court scrutiny. This is due to come into effect on February 28th unless immediate action is taken by the National Party

It's not about downloading illegal content. Copyright laws exist for a reason, and protect creators of content (and even users of GPL software). It's about laws that have been drafted foolishly and that reduce our rights.

Kirk

Developer survey from Microsoft. Each answer you put in displays a different cartoon reflecting your choice. Fill in the survey here.

A story told through links to web2.0 sites that you know and love: http://blueful.com/

A clever way to tell a story, although it's a bit weird not having the urls hyperlinked.

(via the O'Reilly Radar)

[Update: Ooops! I should check the links that I paste into my blog posts!]

On the Flickr devt blog they've got some interesting experiences when building their IPhone version of the site that apply to building any light version of a website:

• Don’t Use a JavaScript Library or CSS Framework - roll your own
• Load Page Fragments Instead of Full Pages - ajax in the changed content, rather than reloading the whole page
• Don’t Build for Just One Device - all the world is not an iPhone :)
• Optimize Everything - trim file sizes and compress content
• Tell the user what is happening - load indicators

Read more on the Fickr blog.

I spent some time browsing the Givealittle site while eating my lunch today, and I'm struck by how great an idea it is.

JD from Mindscape posted about how they built the site, which is of course how I ended up there :)

When I've donated money in the past, or wanted to give a gift of donation for a wedding, birthday or Christmas, I've always spent ages on Google trying to find the project that 'fit' with the recipient (Are they religious? Do they like animals? etc). Givealittle lets you browse a whole bunch of charities on one site, and even give vouchers which let people choose charities of their choosing.

There's other features of Givealittle which are good news for givers and charities too, reduced costs of transactions, transparency over where the money is spent, collation of all your receipts so that tax time is easier and more.

A fantastic idea, and a site that I plan to use this Christmas.

Kirk

I was pleasantly surprised by this.

I'm kind-of addicted to buying books from Fishpond. Part of it is because they're the best online bookstore in NZ that I've found, and part of it is all of these annoyingly good specials that they email me.

At the bottom of the latest shipping notification email (for my Framework Design Guidelines book, yay!), was this:

I was feeling happy at the book being shipped, so I thought I'd follow the link :)

At the end of the link was an extremely simple evaluation form:

Only one click to answer, either Yes or No, no big survey.

Following that, this:

A $5 voucher, for a single click. That's a good way to say thank-you for helping them improve their service, and really shows that they value the feedback.

Pleasantly surprised :)

Kirk

I had a fun time presenting my talk at the Christchurch Code Camp yesterday. I only fell off the stage once!

A collection of urls:

• Subscribe to my blog: http://pageofwords.com
• The Classifieds web site starter kit
• The Microsoft Anti-XSS Library (use instead of HttpUtility.Encode)
• Which ASP.NET Controls Automatically Encode?
• Clickjacking video
• Framebusting:
  http://pageofwords.com/blog/2008/10/06/FrameBustingInJavascript.aspx
• Security Runtime Engine (coming, will help with ASP.NET controls)
• OWASP – The Open Web Application Security Project – http://www.owasp.org

Here's the sanitised version of my slides:

Ponoko is a pretty unique concept - an online shop for individualised goods, where you search a market place or upload designs to have something manufactured just for you.

It's pretty cool for geeks - you can create line art of where you want the laser to cut or etch, and they will cut your design from flat sheets of wood, acrylic or other materials. I have made a one-of-a-kind picture frame for my daughter, and toyed around with a bunch of interesting ideas that I haven't yet followed through with.

If you want a more free-style approach, you can even get them to cut based on your hand drawn sketch - all automatically (Photomake).

Anyway... the interesting news today is that they have broadened their set of materials to include bamboo, felt and plain old cardboard, which should lead to some more variety in the products people can make.

Kirk

Some of the common hacks use an inner frame to host your site, while the attacker controls the surrounding frame.

Using the following Javascript code, you can make sure your site is running the top frame in the browser:

        <script type="text/javascript">
          
          if (parent.frames.length > 0) {
            parent.location.replace(self.document.location);
          }
          
        </script>

The code will reload the current page in the parent window if it is within a frameset.

Kirk

I'm always underwhelmed by the 4 cent per litre discount vouchers offered by the supermarkets.

On our fill up yesterday, we saved the whopping total of $2.04 on our $100.94 petrol purchase, thanks to a supermarket voucher.

Dick Smiths have gone a bit higher with their discount - 49 cents per litre:

I've been using Fuelly for the past few months to track our fuel spending. I don't know that it's providing a lot of value, but it is cathartic to process my receipts as if it's somehow helping :)

Kirk

It just struck me while playing around with Chrome that I have been using Gmail for more than 4 years.

At the time, I thought "I'll never use up 1 gig of mail storage", but luckily, Google has been steadily adding to my quota - faster than the rate I'm using it up.

I primarily use my Gmail account for mailing list subscriptions, as it is really fast for scanning and reading mailing list posts, and still has the nicest interface for reading conversation threads that I have seen. As most of my mailing list subscriptions are "read only" (I lurk, without posting), Gmail is my own private little search engine over the mailing lists I subscribe to.

Fears of instability, data lock-in or data loss have so far been unfounded. There have been occasional issues accessing Gmail, but none that have caused me undue distress.

All in all, I'd say a pretty good 4 years.

Dear Apple,

When you create your annoying marketing emails, please remember to edit them after copying the great American deals and converting them to less-great NZ deals.

This one came today. In my inbox it says June 15. After loading images, Sept 7:

This...

...Became this

That wasn't too bad -- after all, who cares if Apple don't know when Fathers Day is? (Apart from fathers who want gifts :)

But this one from a few months ago was more annoying:

This...

...Became this

Now that's a bit more annoying. When I viewed the email in my inbox (with images turned off), I thought I was being offered a special deal of $49. But no, switching on images showed that actually it wasn't such a special deal at $75.

So, dear Apple. When you copy and paste the excellent US deals into an email, don't forget to change the ALT text of the images after you replace them -- it gets shown in peoples email clients if they have images turned off, or they hover over the image with their mouse.

Kirk

No Cruising Zone
Motorists passing the traffic control point 2 or more times in 4 hours are subject to citation

Sometimes your website is dead. Really dead. Designing a user experience can be hard, because there may be no way to gracefully recover.

Google Mail today:

Okay, so I tried again straight away (30 seconds is waaay too long to wait!):

I like the second message. It reassures me that my data is secure, and lets me know that I won't be able to use the site until it's fixed.

TelstraClear's error message from a while ago made me chuckle enough to save it to disk:

Thanks for the offer, but I'm finding it hard to enjoy the rest of the site when I'm in a popup window that has an error. I love the page title too: "Error (TelstraClear - Together, A better way)". Talk about empowerment! I don't think we did that error together.

• Homeless James Bond (and part 2)
• Operation Kitten Calendar (with companion website)
• And of course, Mr Sprinkles (parts 2, 3, 4, 5, 6, 7, 8)
  

Dare has a good writeup of the keynote from the Seattle Conference on Scalability. It sounds like a pretty interesting conference, with presentations from Google, Amazon, Verisign and more.

The Google talk covered the three big, gutsy parts of Google's architecture: GFS, BigTable and MapReduce. By building their systems from scratch, Google is able to scale to the phenomenal size it is now.

Technologies like these are how Google can handle millions of different search phrases -- amazingly, one in four queries to their search engine have never been seen before.

Google hires smart people and lets them work in small teams of 3 to 5 people. They can get away with teams being that small because they have the benefit of an infrastructure that takes care of all the hard problems so devs can focus on building interesting, innovative apps.

Reading Dare Obasanjo's blog, I saw reference to this email (jpg) that is linked from Marc Andreessen'sAnalyzing the Facebook Platform, three weeks in:

"Do you know anybody that may have excess servers we could borrow for the next 5-7 days while we buy new servers of our own?"
Ali Partovi from Ilike, a day after launching on Facebook

Scale problems like this are good to have -- you have lots of customers after all. But, it must be hard to see all your hardware melting as quickly as you add it!

This is another reason why it's good to live in Wellington:

Yet More Speed for TelstraClear Internet Customers
The company will offer customers speeds of up to 25 Mbps downstream by the end of the year. This is an increase on the company’s fastest existing plan which offers speeds of up to 10 Mbps.
http://www.telstraclear.co.nz/companyinfo/media_release_detail.cfm?newsid=275

TelstraClear is already the fastest and most reliable home broadband in New Zealand, and they're getting faster. It's a pity that their cable network is only available in parts of Wellington and Christchurch, and that they only have 30,000ish cable modem customers.

When we bought a new house, one of the criteria for choosing which street and suburb to live in was whether we could get TelstraClear cable. I'm glad we persisted with that now -- even though it meant many phone calls to TelstraClear asking if addresses had cable coverage.

It seems like powerful presentations aren't done using Powerpoint any more. I don't know, maybe they never were...

Edward Tufte (the original Powerpoint detractor) has a new book out: Beautiful Evidence. An article in the New York Mag (via SVN) introduces Tufte and some of his work. He has lead a crusade against Powerpoint (his essay The Cognitive Style of Powerpoint has a good collection of the worst offenders), and his ideas have been absorbed by many designers around the world.

The new style of "multimedia"¹ presentations move from slide-based to "flow"-based. Two that I have seen recently deserve mention:

"Le Grand Content"
(via Mark Fowler)

Quite funny, answers the questions of the universe with quasi-logic and witticisms:

There are three types of virgins:
a) Virgins by choice
b) Virgins by way of poor social skills
c) People who should be in group B, but who claim otherwise for reasons of prestige

Prometeus - The Media Revolution
(via Nic Wise)

The future of media and information dissemination. A little more serious...

These presentations really engage the user through zooming images, flowcharts and synchronising speech with animations.

I wonder how long before this type of presentation becomes the norm? How long until we see presentation software that supports the creation of them as easily as a standard deck of slides in Powerpoint?

And how long before people realise that although they're more engaging, they're still hiding and distorting the truth, just in different ways?

¹ How weird does it feel to use that word in 2007?

Exec summary: Create a little eco-system per mashup, perform some setup while you have trust, and then reduce your trust before running the mashup code.

• document.domain = "foo.com", which allows javascript to consent to communication by other frames that set the same document.domain

• a communicating object which is passed in to a frame before it changes it's security context with the document.domain call