That’s the question the Consumerist asked readers today, with a story about a Florida grand-dad whose gardener is supposedly fleecing him for over $10k / month, allegedly to help an ailing friend:

Shaun says his 80+-year old grandfather, Steve, is being scammed out of over $10,000 a month. It seems Steve recently hired a female gardener who introduced him to a “wealthy friend,” and now he’s loaning them money to pay for groceries, cable, home upkeep, and, get this, bodyguards to protect her from an ex-husband and son who to want to kill her. When the family tries to intervene, Steve says the family is trying to put him in a nursing home and steal his money. Shaun is at a loss. How can he help his grandfather, who doesn’t want to be helped?

Another question that might be relevant in the IT Security community is, are the elderly more prone to these scams, and if so why? In the tech world it’s widely assumed that the older generation just has a harder time learning and grasping how to use technology so may not understand what is risky and what isn’t.

But perhaps there’s a deeper problem, either with some form of dementia and paranoia in the older years, or just a purer vulnerability associated with being alienated from the new, cutting edge and modern world as we age, or some kind of unwillingness to be suspicious because of the need to have caring people around you?

However, the problem runs much deeper than just a lack of will among ourselves and our peers...]]> Tue, 28 Oct 2008 21:00:00 +0000 standard blame squarely hot dinners chaotic situation peers bet money britishism feet Why there's no logging standard -- it's not our fault, mate http://securityratty.com/article/0e9eda4f189c52480b99566f994beae6 http://securityratty.com/article/0e9eda4f189c52480b99566f994beae6 Click to Download/Listen (07:52)

On Monday, October 13 RSA, The Security Division of EMC, released the results of a new insider threat survey. The survey shows that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done. RSA VP, Sam Curry, digs deeper into the issue in our latest podcast.


]]> Mon, 20 Oct 2008 11:52:45 +0000 insider threat survey survey sam curry digs deeper security division rsa podcast october employees Speaking of Security Podcast #125 http://securityratty.com/article/98ecd80e92097113f4263e7aaaa199fb http://securityratty.com/article/98ecd80e92097113f4263e7aaaa199fb If we only had a dollar for each spam we recieved, we could end the worlds money crisis!

clipped from www.crime-research.org 40 Trillion Spam E-mails This Year ComputerWorld did a nice story called Spam Filters: Making Them Work relying on the Ferris numbers. However, the lesson we should learn is buried deeper in the details: spam is no longer a nuisance that clogs inboxes, it’s a security issue. The majority of spam messages now try to breach security on the computer reading the message, or redirect the user to a Web site full of malware etc.

FP: And what about drilling? Republican presidential candidate Sen. John McCain, his running mate Gov. Sarah Palin, and President George W. Bush are implying that lifting environmental restrictions on drilling is the way to promote energy independence.

TF: Well, I think it’s patent nonsense. No one believes that somehow offshore, there’s enough oil in any near term and even the long term to provide us oil independence. It’s the wrong approach because in a world that’s hot, flat, and crowded, fossil fuels—and particularly crude oil—are going to be expensive and exhausting. Therefore the focus should be on the next great global industry: clean energy technology. When I hear McCain pounding the table for “drill, drill, drill,” it reminds me of someone pounding the table for IBM Selectric typewriters on the eve of the IT revolution.

I’m not against offshore drilling, by the way, because I believe the technology and the safety has improved far beyond where it was back in the 70s, 80s, and 90s, even. What I’m against is making it the centerpiece of our energy policy. If all McCain said was, “Let’s drill, but let’s also throw everything into innovating the next generation of clean-energy technologies,” I’d say, “You’ve got it exactly right, pal.”

For those of you who aren’t familiar with XSS Filter, a brief summary is that it is a client-side defense against reflected cross-site scripting (XSS) attacks.  It works by recognizing that reflected XSS attacks inject script into the string that the browser sends to the targeted web server.  If the server doesn’t neuter or strip out the injected script, it gets sent back to the browser and executed in the context of the target web page.  Bad things then happen.  At a high level, XSS Filter remembers the string that the browser sent to the server, and looks at the server’s response to see if any of the script was actually in that string.  If it was, then XSS Filter decides that it got there because it was injected by an XSS attack and blocks the script from executing.  The rest of the web page renders as usual.  This is a vastly oversimplified sketch of XSS Filter – for details, see the post by David Ross, inventor of XSS Filter on the Security Vulnerability Research and Defense blog.

So what does XSS Filter have to do with the SDL?  Well, for almost nine years, since XSS was first discovered at Microsoft, we’ve been trying to figure out effective ways to reduce vulnerability to XSS attacks.  Our focus has been on improving the ways that web page developers code their pages, and we’ve developed a lot of tools and techniques for making web content safer from XSS attacks and for detecting XSS vulnerabilities in live pages.  The SDL requires the use of many of these tools and techniques, and we’re sure we’ve prevented a lot of XSS vulnerabilities from being introduced into Microsoft web pages as a result. 

But while we identify (and the SDL requires) measures that allow developers to avoid classes of vulnerabilities, we also look to identify more sweeping solutions that can either 1) eliminate classes of vulnerabilities, 2) reduce their severity, or 3) reduce the likelihood of attacks being successful.  The process usually starts from deep understanding of a class of vulnerabilities and attacks, and then we broaden defenses from there.  In the case of XSS Filter, David’s years of work researching XSS led him to come up with an approach that blocks many of the most common vulnerabilities to reflected attacks found on the web today.  The solution is compatible with existing web pages (doesn’t “break the web”) and thus we were able to enable it by default for users of Internet Explorer 8.  Because it’s a client-side mitigation, it will help protect users from attacks even though the sites they visit may be vulnerable to XSS. 

Our work on buffer overrun defenses follows a somewhat similar pattern – we started by prescribing coding techniques, banning the use of some APIs, and building tools that detect coding constructs that look like buffer overruns.  As we gained a deeper understanding of how buffer overruns can be exploited, we enhanced the /GS compiler flag and added ASLR in a quest to cause classes of exploits to fail even if a buffer overrun remains.  We’re not yet close to eliminating the SDL requirements for use of tools and coding techniques, but the SDL also requires the use of the mitigations to reduce the severity of vulnerabilities that slip past.  Will we ever get to the point where the mitigating technologies are so strong that we can relax the coding requirements?  Maybe not, but we will continue to introduce technologies that reduce the chances of a successful attack.

Similarly, in the case of XSS, even after IE8 ships, the SDL will continue to require the use of safe web site coding practices and tools such as the Anti-XSS library both to protect users of browsers other than IE8 and to provide protection in recognition of the fact that XSS Filter is a mitigation or defense in depth rather than a complete solution.  But we’ll also be keeping our eyes open (and doing active research) in the quest for an even more effective defense – whether client or server side – that eliminates XSS for good.

This post is a little far afield from the normal content of the SDL blog, but I thought it was important to provide a picture of the role of security science and security research in defining SDL requirements and in making major improvements in software security.  You can read more about our work in security science in the Security Vulnerability Research and Defense blog.

Formalize Requirements for long-term use

Now that you are making security development a lifecycle, it is time to lock down and formalize your security requirements. At this point, you need to take what you’ve learned and begin translating your security principles into something that can apply to multiple releases and multiple levels of your development process.

At a product level, you need to use the security rules created in prior projects to define long-term security requirements. Those requirements will become your core security policies.  Then, at the version level, you should create security requirements that are version-specific and are defined by the security objectives and features you want to address in that version.

Both of these sets of requirements can be formalized in a way that makes them easier to transfer across future product cycles and to modify based on the unique features or security issues of each version.  Making these a staple of your development lifecycle will also ease adoption of these requirements as team become familiar with them over multiple releases.

I would like to touch on one topic before moving on – enforcing requirements. As your team grows and your SDL matures, there is an inherent complexity that comes with managing and enforcing your requirements. In our experience, we’ve found that it is critical to identify a security advisor. Up until now, your company has probably had someone championing security and best practices – either as a formal role or simply as a informal advocate. However, making it a feature of your lifecycle requires dedicated effort to enforce and sustain the requirements as well as monitoring the security ecosystem for changes that may add requirements to your process. The security advisor(s) are the people who will help guide the creation of the security requirements both broadly and for each product cycle; for a smaller team, this may be a single individual. For a larger organization, a team of people may be needed. The security advisor should also evaluate your security policy and apply changes where needed, ensure the product bug database is tracking security issues that can be reviewed later (I’ll get to the Final Security Review in our next post), and guide the definition and enforcement of a security “bug bar”.

Security requirements serve as the backbone of your SDL. The amount of effort you put in defining and enforcing requirements, and keeping them up to date with the current threat landscape will have a direct return on investment in the security and privacy of the product you create. Be careful to document and clearly communicate your requirements to your team, and use them as evidence when talking to your customers about how you ensure the security and privacy of your product.

Reference & Reuse Threat Modeling results & Attack Surface Reviews

Your developers and testers should have access to and be familiar with the attack surface analysis or threat model documents you have created. These documents are invaluable reference tools. Use them to perform evaluate your security from multiple angles:

·         Think about component-level architecture

·         List common pitfalls in writing code, or begin defining and building test cases.

·         Code reviewers can reference threat models and attack surface documents to verify specific attacks were addressed in the code.

·         Architects can use them to identify new areas of potential attack surface based on how new code is written or interacts with existing code.

·         Project leadership can reference threat models or attack surface documents to ensure the completed project meets all security goals.

Building a “live” library of threat models that is accessible by everyone and is designed to be easily maintained or updated is a big undertaking. Based on experience, I would strongly encourage doing this early in the evolution of your security lifecycle to avoid losing valuable data and to prevent the sheer volume of data from becoming unusable. I have heard of some companies using wiki technology as their library for threat modeling while others may use searchable documents, spreadsheets, or websites to store/sort/share the information. Whatever method you use, it is important to anticipate the accumulation of a large set of information that should be easily used and shared across the organization.

I would like to do a deeper dive on the importance of security code reviews as part of your “walk” evolution. Security code reviews focus on identifying insecure coding techniques and vulnerabilities that could lead to security issues. The goal of a review is to identify as many potential security vulnerabilities as possible before the code is deployed. The cost and effort of fixing security flaws at development time is far less than fixing them later in the product deployment cycle [from Improving Web Application Security]. You should create a process where top security developers actively review code within the context of known threats prior to deploying your code. Leveraging the existing documentation about feature design is a vital reference piece to make those security reviews successful.

Later this week, I’ll close the series with a look at final security reviews (FSRs) and how to document your work for post-release and next-release reference.

In the meantime, we’d like to hear from you:

?        How do you express your security requirements? Do you use a checklist, a whitepaper, or something else?

?        What challenges have you faced in enforcing requirements across your teams?

?        How have you implemented threat models or attack surface reviews?