[SecurityRatty] tag: van

Senator Obama's security concerns

Fri, 29 Aug 2008 14:42:00 +0000

It appears as if the authorities in Colorado are trying to down play the reported assassination plot of Senator Obama. Question is; how real was it?

It would certainly appear that the suspects were preparing for something out of the ordinary as they were reported as having a bullet proof vest and a high powered rifle with telescopic scope in their possession when apprehended. The fact that one of the them was described by his cohort as a "white supremist" who did not believe that a man of color could be the President of the U.S.A. is surely telling.

These three criminals were caught in much the same manner as the domestic terrorist, Timothy McVeigh. A dilgent policeman was doing his duty and pulled over the first suspect on a traffic stop. Some may call that luck, but having been a former Law Enforcement officer, I look upon it as good Police work. Many others might have not noticed the one little sign that made that officer suspicious and prompted him to check out the driver of the van.

That is why security can never rest. Whether it is foiling a potential terrorist plot or finding a child who has been abducted, we must always remain vigilant. It is a shame that there are those who believe a man is inferior based upon the color of his skin. It is even more terrible to realize that such a person would be willing to kill another based on racial hatred.

Unfortunately, this is a sad fact of life and steps need to be taken to thwart those disturbed individuals. Was this latest episode a non-event or by dismissing it are we attempting to sweep the shame of racism under the carpet? I for one, don't think that we should take these warnings lightly. Afterall, it has been 45 years and people still debate the assassination of JFK. We still hear it being said that Lee Harvey Oswald was incapable of carrying out the killing himself.

I recently watched a documentary on the assassination of Robert Kennedy, produced on the 40th anniversary of his death. When interviewed, the brother of the asssassin claims that his brother was too nice a guy to do something so awful. The fact of the matter however, is that both Kennedys were brutally gunned down. I am sure it is something that nobody ever wants to see repeated.

Let us hope that whomever succeeds as President in November has a long and healthy Presidency and helps to allevitae the problems that have been piling up.

Building Secure Web Applications Training in Minneapolis

Tue, 26 Aug 2008 17:43:59 +0000

I am very excited to announce that I am co-teaching a public software security class with Ken van Wyk, in Minneapolis, the class runs September 30 - October 2. Ken co-wrote a great book called Secure Coding, and has trained folks in software security all across the globe. I am really looking forward to doing this class with Ken, I wanted to make sure we got Ken up here before the weather got too cold! The summary is below, if you would like more info please let me know. More details to follow.

Building Secure Web Applications in Java/J2EE

Course Description

This course teaches the students how to develop secure applications from the web front end through the middle tier and data and integration layers for today’s complex internetworked environment. Students will receive a deep and thorough understanding of the most prevalent and dangerous security defects in today’s applications, and what to do about them. Additionally, they will learn practical and actionable guidelines on how to remediate against these common defects in Java/J2EE and Web Services frameworks and how to test for them in their own applications.

This class starts with a description of the security problems faced by today's software developer, as well as a detailed description of the Open Web Application Security Project’s (OWASP) “Top 10” security defects. These defects are studied in instructor-lead sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to “break into” a real web application. (The labs are performed in safe test environments.)

Remediation techniques and strategies are then studied for each defect. Practical guidelines on how to integrate secure development practices into the software development process are then presented and discussed. Bring the concepts and hands on learning together, the class uses a case study to show how to design and architect security services for a real world application.

Intended Audience

The ideal student for this tutorial is a hands-on web application developer or architect who is looking for a fundamental understanding of today's best practices in secure software development.

Speaking of Security Podcast #119

Sun, 24 Aug 2008 20:00:00 +0000

Click to Download/Listen (06:46)

Paul Davilman from RSA’s Compliance and Solutions team sits down with Amanda Van Veen to talk about the North American Electric Reliability Corporation (NERC) Cyber Security Standards and how these standards will impact IT security in the utility industries. Please note that due to the U.S. Labor Day holiday, we'll be back in two weeks (on September 8) with a new show.

Speaking of Security Podcast #118

Sun, 17 Aug 2008 20:00:00 +0000

Click to Download/Listen (11:27)

This week, Amanda Van Veen speaks with analyst Rod Nelsestuen from the TowerGroup. Rod covers key issues affecting several financial industry segments including emerging markets and trend, security, and risk management matters and in this segment, talks with Amanda about the evolution of business continuity planning and security’s increasing role.

Speaking of Security Podcast #114

Mon, 21 Jul 2008 13:00:00 +0000

Click to Download/Listen (05:51)

New co-host Amanda Van Veen interviews Linda Lynch, RSA® Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: www.rsaconference.com/2008/europe.

Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security

Tue, 01 Jul 2008 15:03:10 +0000

In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security.

Guido is the creator of the Python programming language and more recently, Google App Engine team member. His involvement with the App Engine project was pretty late - the code “was almost ready for release” when he get involved. The security architect of App Engine was primarily project lead, Kevin Gibbs, supported by the rest of the App Engine crew and the Google Security Team.

The Interview

cloudsecurity.org: What security principles did you follow for App Engine?

GvR: While I can’t share any specifics on what we’re doing to secure App Engine, I can say that the main principle we’ve followed could be called “defense in depth”. We’re not relying exclusively on a secure interpreter, or any other single security layer, to protect our users.

cloudsecurity.org: Please provide some examples of how those principles played out in terms of the current implementation?

GvR: Sorry, we don’t divulge such information.

cloudsecurity.org: What criteria did you apply to Python module selection?

GvR: We first looked for modules that were useful and straightforward to audit. If a module was large or complex, we’d only audit it (fixing things we found) if it was deemed essential or at least useful for a large number of users; otherwise we’d exclude it.

cloudsecurity.org: What do you see as the security risks inherent in exposing an interpreter runtime in a shared environment?

GvR: I presume you’re asking about risks to users, like providing accidental access to data belonging to another app. We’ve taken extensive measures to isolate different apps from each other. For example, each app runs in a separate process, and the datastore prevents an app from accessing data belonging to other apps.

cloudsecurity.org: I recently attended a fascinating talk by Justin Ferguson (a Seattle based security consultant) at eusecwest in London. He gave a great talk exploring security vulnerabilities in language interpreters and specifically highlighted some security weaknesses in Python App Engine. What are your thoughts on his research and specifically the Python issues he highlighted? When do you anticipate they will get fixed?

GvR: We’ve anticipated all of the possibilities raised in Justin’s talk, and took measures to protect our users. Justin highlighted weaknesses in Python, but not in App Engine. Furthermore, our security model does not rely solely upon protections within the Python interpreter; there are additional protections that these external analyses have missed.

cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users processes or attacking backend systems?

GvR: You are correct that there are strong measures in place, but I’m not at liberty to discuss details.

cloudsecurity.org: Python was the first language to get the App Engine treatment, what language is next and what are some of the language specific security challenges the team has had to deal with?

GvR: Although I can’t comment on what language is next, we are working on this, and have gotten a lot of great feedback from our developers. As far as language-specific security challenges, they stemmed mostly from the complexity of the Python interpreter. We spent a lot of time auditing this, and did a great deal more than just identifying buffer overflows. I can also add that Google is actively researching the security of interpreted languages. Google engineers routinely contribute security fixes to open source projects, including but not limited to Python.

cloudsecurity.org: How does the team decide when ‘enough is enough’ in terms of hardening the interpreter?

GvR: That’s not really how we approach it. We realize that security is an ongoing effort, and try to stay ahead of threats through continuous monitoring and testing.

cloudsecurity.org: Some commentators have suggested that perhaps the difficulty of auditing the implementation led to some modules being more heavily restricted than perhaps necessary. What are your thoughts on that and what plans, if any, are there to bring back code objects/functions that were eliminated in the initial release? (with the benefit of hindsight).

GvR: The only thing we are likely to put back is the _ast module, which was not audited based upon an underestimation of its usefulness (see my answer to question #3 above). We will also put back some dummy functions and other objects whose absence currently prevents some popular frameworks from being loaded without modifications. For example, some harmless functionality in the imp module will come back. We’re also looking into making urllib2 work (to some extent), though that’s not really a security issue but merely a matter of API adjustment.

cloudsecurity.org: It is reported that Google encourages small groups to go off and create. How involved were the Google security team with App Engine in terms of design and implementation review/testing? Given the dynamics, is it possible to have a meaningful security process that shadows the development process?

GvR: The Google Security team is involved in everything we do. They have been extremely helpful.

cloudsecurity.org: How can people report security weaknesses they discover in App Engine? What commitment does Google give in terms of dealing vulnerability reports?

GvR: There is a standard process for submitting security issues. See http://www.google.com/corporate/security.html. Google moves very fast to protect its users when a verifiable security vulnerability is reported.

cloudsecurity.org: One concern is the potential misuse of App Engine to exploit security vulnerabilities in visitors browsers. This is not a new problem per se, shared hosting providers know all about this. But with Google and other Cloud providers, the scalability potential is much higher. What are your thoughts on this and what pro-active steps is Google taking to detect and terminate evil apps?

GvR: This is high on our list of concerns. We deal with this through a combination of restrictions on what you can do (e.g. certain HTTP headers and ports are off-limits) and, again, monitoring.

cloudsecurity.org: Beyond App Engine, what role do you think Python will play in the Cloud both now and in the future?

GvR: Sorry, I’m not prone to philosophizing about the future.

cloudsecurity.org: Trust is often cited as a barrier to enterprise adoption of Cloud Computing. What role do you personally think Google can play in building that trust?

GvR: I think trust is built up over a long period of experience. Our actions in terms of being open to our users will be the most important factor in establishing trust. Of course, Google’s reputation also helps: everybody understands that Google doesn’t want its name associated with a bad product.

cloudsecurity.org: Looking at the Cloud Computing landscape beyond Google, what are your thoughts on the current state of Cloud Computing and Security?

GvR: It’s obvious that Cloud Computing is only just taking off. The next few years will be very exciting.

cloudsecurity.org: Lastly, what are some of your favourite App Engine apps?

GvR: There are too many to enumerate. If you insist on a highlight, well, I like Rietveld (http://codereview.appspot.com), a tool for collaborative code review which I (largely) wrote myself. It is open source and includes some essential components from Mondrian, a similar internal tool which I created before I joined the App Engine team.

Thanks

My thanks to Guido for his time and sharing his views.

Parents can't afford to let their guard down when it comes to their children's safety

Fri, 23 May 2008 00:35:00 +0000

I was very fortunate last night to have been able to attend a presentation in Richmond by the well known Criminal and Behavioral Profiler, Dr. Clinton Van Zandt.
Dr. Van Zandt adressed a dinner which was organized by the Private Investigators Association of Virgina. Attendees were kept spell bound by inside sories involving the Jon Bennet Ramsey murder, The Unibomber, The Beltway Snipers and more.

Last month I was also fortunate to have been able to hear Col. Dave Grossman speak eloquently and passionately about the tragic school shootings in which he has been called in to assist educators and parents understand. One thing is clear from listening to both men, parents need to be ever mindful of the fact that they are their children's protectors. They are the sheepdogs, ever on the lookout for marauding wolves.

If you are a parent, or an educator or a security professional, I strongly urge you to read up on the teachings of these learned men and jump at the opportunity to hear them live if at all possible. I personally guarantee you that you will not be disappointed.

McAfee Partner isn't McAfee Secure either

Tue, 20 May 2008 17:04:00 +0000

Winferno.com is an authorized distributor of McAfee Software. OK.
They use Verisign 128-bit SSL to secure your transaction. Can't take issue with that.
All good so far...but wait!
Shouldn't a McAfee Partner be McAfee Secure?
Apparently not, and being one wouldn't have cured the XSS blues anyway.
Next in our video series, a supposedly secure shopping cart that is far from.

Here's an IFRAME.
Here's the cookie.
As well we know, coughing up the cookie counts as a really bad thing for any shopping cart, let alone an SSL protected shopping cart that happens to be a McAfee Partner and authorized distributor of McAfee Software. But lest we forget, McAfee doesn't count XSS as concerning.
Here's the video.
Huge props to Ronald van den Heetkamp for starting this whole debate years ago, and for exposing Brett Oliphant for the fraud that he is.
Fraud is the key word here. Hacker Safe was fraudulent, McAfee Secure is fraudulent, and buying from Winferno puts consumers at risk for being defrauded, not only due to horrendous site code, but perhaps bad business practices as well.
I won't even ask if McAfee has any standards, we already know the answer.
Their standards have left the building.

del.icio.us | digg

Can Azulstar Make WiMax Work without Buying Spectrum?

Fri, 09 May 2008 06:58:59 +0000

Azulstar once pinned its fortunes on city-wide Wi-Fi, but now looks to a special licensed spectrum band to make WiMax work where Wi-Fi failed: Azulstar has been the also-ran in Wi-Fi for some years, I'll just state bluntly and upfront. They built a network in Grand Haven, Mich., in 2003 that's one of--if not the--longest running metro-scale Wi-Fi networks in the world designed for public access. The mayor of Grand Haven since 2003, Roger Bergman, told me, "I got on board personally right away, and I am still on."

Azulstar soon answered several RFPs and partnered up with major firms to bring Wi-Fi to Rio Rancho, N.M., Winston-Salem, N.C., Sacramento, Calif., and most notably Silicon Valley--a set of dozens of cities along with county government and private enterprise all wanting some kind of tiered Wi-Fi across 1,500 sq mi.

While EarthLink, MetroFi, and even Kite Networks (with their extensive Arizona buildout in Tempe launched a bit before any other large competiting network) seized the headlines, and later made news about their stalls, failures, and exits, Azulstar seemed quietly to sink into the sand. The Wireless Silicon Valley deal fell apart, as did Sacramento after efforts to get stakeholder and outside investment seemed to fail to materialize, and the marquee partners--Cisco, IBM, and Intel--just wouldn't step up to the plate to make the project move forward. Azulstar was the lead techology firm, but the money just didn't come. (Both California projects are moving forward with a different set of partners and expectations now.)

Rio Rancho was perhaps one of the biggest letdowns. City manager Jim Payne explained in an interview a few weeks ago, "They had a number of things that were going against them from the start, and they did make an attempt to meet the requirements of the contract." But Rio Rancho voted to not just terminate the contract after years of attempts to make the network work, but rejected a proposal from Azulstar a few weeks ago to switch over equipment on the poles. Azulstar now has to remove all its devices.

All of this might make the typical company head a bit depressed about his firm's future, and less than sanguine about the potential for wireless broadband to work at all. Not so for Tyler van Houwelingen, Azulstar's chief, and I have to admit that he convinced me that the wireless provider has a fighting chance, due to a good combination of timing, spectrum policy, and a large dollop of can-do spirit.

Cyber attacks on NGOs

Wed, 07 May 2008 12:42:00 +0000

Maarten Van Horenbeek is a computer security researcher who is studying cyber attacks launched against humanitarian organizations (he wrote the article recently mentioned in this blog on electronic attacks against pro-Tibetan groups).

If you suspect your organization has been targeted, or you know of an organization that has, Maarten would like to hear from you. He's interested in attack methodologies and can help with analysis. (It's important to note that at times these attacks may not appear to be direct, and can easily be mistaken for a random virus or generic hacker activity).

Contact Maarten at: maarten @ daemon.be