[SecurityRatty] tag: senior

Web Services and XML Security Training at OWASP

Thu, 28 Aug 2008 04:55:59 +0000

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise from application servers, databases, ERP, and CRM. Increasingly we are seeing Web services in more B2C roles with Rest, Federation and other technologies. The class looks at how Web services applications are built, what are common threats and vulnerabilities in Web services, and how to build your Web services application to defend against them.

I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and Rest
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a STS in Web services
Bandit - Cardspace, authorization, and auditing

Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Ramparts
modecurity

Testing
Soapbox - web services security testing
WebScarab - web services fuzzing

Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy

This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimontials on past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr.Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
-Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and youg. A course such as this helps bring it into focus."
-Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
-Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SAO than I."
- John Glazeski, Senior Systems Engineer

The Growing Security Skills Shortage

Tue, 19 Aug 2008 05:02:06 +0000

We are regularly hearing from our security clients about their difficulties finding people with the right skills – or when they do finally find them, these people are too costly to employ because their skills are in such demand.

Indeed, the “unavailability of people with the right skills” was cited as a top challenge for security groups in both our enterprise and SMB surveys.

In comparing need for talent across 25 different IT roles, Forrester analysts came to the conclusion that information security experts are among the hottest roles in IT, sharing the top spot with information/data architects.

The skills shortage is likely to get worse before it gets better. We’re unlikely to see a significant spike in security experts’ salaries to attract those we need to hire: large changes in compensation for senior security personnel would run against the current of economic belt-tightening. Another typical approach to offsetting the shortage would be to train up: foster the career development and advancement of existing security personnel on our payroll. However, with all the outsourcing that is going on – and which will increasingly occur – there is a shrinking pool from which to find people with “the right stuff” worth championing their advancement.

We could look outside of security to others in IT, or even to co-workers in other departments or business groups. But given how poor a job IT Security does of marketing its value proposition, I don’t hold much hope for attracting non-security people.

What do you think? Are we about to hit a very big wall when it comes to skills and staffing? Are you presently feeling the pain of a skills shortage? Do you see such a shortage looming? What measures are you taking to acquire and nurture talent? Which ones are successful and why?

I welcome your thoughts on the topic.

Corporate Identity Theft

Sat, 16 Aug 2008 05:58:30 +0000

I remember a talk by the value investor Mason Hawkins (Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at some point, where there is a rule of law. Here is one example of what he is worried about and why investing in places where your assets have no legal protection does not give the investor a margin of safety.

Hermitage Fund was until recently the largest fund in Russia. From the Business Week story "Hijacking the Hermitage Fund"

Corruption, intimidation, robbery, violent assault, forgery, large-scale fraud. No, not the subject of the latest John Grisham novel, but sensational allegations, made public Apr. 4 by Hermitage Capital Management -- until recently the largest foreign portfolio investor in Russia. In a detailed and damning report, titled Criminal Justice -- Russian-Style, Hermitage alleges the fund's Russian subsidiaries have fallen victim to an elaborate con designed to defraud the fund of hundreds of millions of dollars.

The most sensational part of Hermitage's allegations is that the attempted larceny was carried out with the direct connivance of officials in the Russian police. Hermitage alleges the police seized documents and equipment that were instrumental to the attempted fraud, which involved bogus court cases based on forged documents, the aim of which was to sue Hermitage subsidiaries for hundreds of millions of dollars. "The most shocking thing is not that there are corporate raiders in Russia who attempt to steal your shares," says Jamison Firestone, managing partner of Firestone Duncan, Hermitage's law firm. "The shocking thing is that the police worked hand-in-hand with them, and actually performed the theft of the documents so that the corporate raiders could then do their work."

From the most recent Hermitage Fund letter, here is the current state:

So the two-pronged scam worked in one area and failed in another. The perpetrators weren’t able to steal the assets from us based on the fake court claims, but they were able to steal $230 million from the Russian government by filing amended tax returns on behalf of our stolen companies. What makes this story even more shocking is that we filed six 255-page criminal complaints with the Russian authorities in December last year, one month before the tax fraud took place, and they did nothing to stop it. Two complaints were sent to the Russian General Prosecutor, two to the Russian State Investigative Committee and two to the Internal Affairs Department of the Interior Ministry. There was enough information to prevent the fraud and indict a number of people behind it if the government had acted.
Instead of doing anything to save the Russian state from this highly sophisticated and organized looting, two of our complaints were thrown out immediately; two were returned to the same Interior Ministry official we were complaining about (essentially, he was being asked to “investigate himself”); and one was thrown out for “lack of any crime committed.” Only one complaint was taken seriously. It was taken up by the Russian State Investigative Committee in early February, but before it could get any traction, the case was lowered to the South region of the Moscow district of the State Investigative Committee (the lowest level of the Committee) and by June, another senior Interior Ministry official whom we had named in our complaint had joined the “investigation” team (again, to “investigate himself”). To this day there has been no serious response by the Russian authorities to this massive fraud against the Russian state.
As we described in our April letter, the problem of corporate “raiding” is now so endemic in Russia that President Medvedev speaks about it as one of the biggest problems faced by Russian businesses. In this case, raiders have taken this problem to a new and absurd extreme by “raiding” the Russian state itself and so far getting away with it. Together with HSBC, we will shortly be filing new criminal complaints with the Russian General Prosecutor and Russian State Investigative Committee as well as with many law enforcement authorities outside of Russia. It is hard to predict what will happen next in this unfolding and unbelievable saga, but as always we will keep you updated on any further developments as they arise.

Of course we see individual identity theft on a regular basis (actually as Ross Anderson points out its not really identity theft but poor controls on the bank's parts using SSNs as secrets and so on), but you dont see a major corporation stolen every day.

Follow Windows 7 Engineering

Thu, 14 Aug 2008 16:54:49 +0000

Seeking to promote "an open and honest, and two-way, discussion about how we balance all of these interests and deliver software on the scale of Windows," Microsoft has launched the Engineering Windows 7 blog, hosted by two senior Microsoft stars, Jon DeVaan and Steven Sinofsky. A two-way discussion probably doesn't mean they are taking orders for features, but they will listen to concerns of the technical community and respond to them publicly. They specifically ask for topic suggestions (I've already sent one in). Not too many years ago this sort of thing was unthinkable at Microsoft, but it's been moving steadily in this direction.

Digital Cash in Iraq

Mon, 11 Aug 2008 08:53:52 +0000

Smart cards have still never quite taken off across the US, and at this point its fair to wonder if they will or if they will be eclipsed by phones or some such, but smart cards sure are big outside the US. One of the most interesting applications is of course digital cash and transaction processing. Net1 UEPS (ticker: UEPS) out of South Africa appears to be the leader here having built a $1.2B business out of this model. there are lots of regions in the world where people are underbanked or unbanked altogether and where its dangerous to have too much cash. I blogged about this earlier on Beer, Shotguns and Digital Cash.

Now Net1 UEPS is in Iraq as well:

The first UEPS transaction was performed on Sunday, August 3, 2008, in Baghdad, Iraq, during the official launch of the UEPS smart card technology with the two state banks namely, Rafidain Bank and Rasheed Bank.

The official launch, attended by invitees from Rafidain Bank, Rasheed Bank, the Iraqi Government, War Victim Ministry and Martyrdom Ministry, demonstrated smart card registration, biometric enrolment and issuing of UEPS cards, offline loading of wage payments and government grants to the UEPS cards and dispensing of cash.

The pilot project involving 100,000 beneficiaries is now ready for implementation across selected bank branches and will enable the distribution and payment of government grants to war victims and martyrdom beneficiaries, as well as salary and wage distribution and payment to employees of the two state banks.

Brenda Stewart, Net1 Senior Vice President Sales and Marketing, said, "From the entire team at Net1, we congratulate the Iraqi consortium on this historic achievement and look forward to the successful implementation of the various projects already identified for implementation, as well as the projects currently in business development. Net1 is proud that the development of its core technology, from which it creates end-user products that satisfy the requirements of its customers, can change the way business is conducted leading to the improvement of people's lives. We share the belief of our Iraqi partners that our technology can play a fundamental role in the upliftment of the economy. The success of any technology should be measured, not only by the profits it generates for its inventors, suppliers and users, but also by the difference that it makes to the lives of people," Stewart concluded.

I think there are lessons to be learned here wrt data and message level security. Net1 UEPS is a good example a of system carrying valuable assets across hostile terrain, web security architecture can learn a lot from this model.

P.S. If you are a Joel Greenblatt geek - UEPS is a magic formula stock (meaning they make cash and are priced cheaply) last time I checked.

Automated Spim on Microblogging Site Via MSN Messenger

Thu, 07 Aug 2008 17:12:09 +0000

There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering and some of them have seem to be a little easier to use in conjunction with Instant Messaging, whereas Twitter still seems to have a need for third party services, add-ins and other tools to get the job done if the service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

Click to Enlarge

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

Click to Enlarge

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

Click to Enlarge

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

Click to Enlarge

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much more easier (and far less time consuming than manually typing in URLs to your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that had been hijacked when clicking a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - need to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher

Speaking of Security Podcast #116

Tue, 05 Aug 2008 20:00:00 +0000

The Importance of Strong Authentication for Business Continuity

New Speaking of Security co-host, Amanda VanVeen, meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Aughtentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.

What it's like to work overseas for CIA IT group

Tue, 05 Aug 2008 20:00:00 +0000

"I have a million stories to tell," says the senior CIA IT person, staring at me through the CIA's videoconferencing system. Unfortunately, he can't share any with me. (He cites national security reasons, of course.)

Reminder: WebEx Seminar on Risk Analysis

Tue, 29 Jul 2008 13:56:58 +0000

Hey everybody! Quick post this morning to remind you guys that Cisco has been kind enough to let us give a follow on WebEx presentation on July 31, 2008 at 11:30 a.m. EDT. The link to sign up is <<>>. There are only about 40 slots left. It looks like it’s going to be a good crowd.

We’re calling this part II - and it’s being advertised as:

“How to conduct a risk analysis and produce a high impact deliverable to senior management.”

With topics:

The life-cycle of a quantitative risk analysis
Key control opportunities against targeted attacks
Getting senior management to understand the risk posed to the business

I got to do the Q&A backchannel on the last presentation, and there were great questions asked. I think this presentation will be even more exciting, as it’ll cover both analyst and management considerations.

If you’re a regular reader of the blog, I don’t think you’ll have to have attended the last one for this one to be worth your while.

REPEAT PERFORMANCES OF THE FIRST WEBEX ARE AVAILABLE

And if you missed it the first time, the playback of the first preso is here, and the slides are here.

Speaking of Security Podcast #115

Sun, 27 Jul 2008 20:00:00 +0000

Click to Download/Listen (10:36)

A couple of weeks ago, Paul Joyal interviewed RSA’s Phil Marshall about Knowledge-based Authentication, or KBA. This week, we present a conversation on the same topic that Phil had with Tom Wills, Senior Analyst for Risk, Security & Fraud with Javelin Strategy and Research.