Friday, December 4, 2009

SQL Injection Flush

The proliferation of SQL injection attacks should come is as shocking as it is preventable. I find it amazing these attacks continue unabashed despite the fact that they can be greatly reduced by following some basic security practices. By adopting secure coding practices, reducing the possible attack area, maintaining proper patching...the article listed plenty of straightforward guidelines that if followed would go a long way in preventing further attacks. Since SQL injections are often a gateway for larger, more serious attacks they need to be dealt with a greater sense of urgency.

SQL injection attacks take advantage of an application not validating input (like on Twitter), or input into a form, such as a site search. The user's input is then incorrectly executed by the backend database server. One of the more common examples is entering a single quote (') into a search box or login form. The attack basically lets the bad guys bypass authentication into the website, and consequently grants them the capability to manipulate the database to disclose large amounts of data, or access and control the database server.

Without delving into the nitty-gritty programming details here's some simple tips to lower your risk of being subject to SQL injection attacks:

The first step should be to filter SQL statements out of the input so that middleware cannot send them to the database. This alone would help to cut these attacks drastically. Developers should instead be using prepared SQL statements that take the user's input as parameters, thereby preventing an attacker from modifying the functionality of the SQL statement.

Escaping all user input will help to solidify your defence against injection attacks. This approach can be implemented quite easily within existing applications. Above all, have your developers adhere to good secure application coding practices and ensure that the principle of least privilege access is strictly enforced.

I found all of these tips (and more) within the OWASP (Open Web Application Security Project) and look for the "SQL Injection Prevention Cheat Sheet".

Thursday, November 26, 2009

Fool's Paradise

The Apple community has always touted that their software and various products (iMacs, iPhones, iAnything...I'm not sure if that last one is an actual product or not) are inherently more secure than that of their competitors (ie. Microsoft). Although Apple's wide suite of techie gear has arguably had the upper-hand when it came to usablity and innovation, the unfounded false sense of security has always been a pipe dream.

I've always been troubled with Apple's argument that few vulnerabilities exist for their products. Arguing that your software/hardware is more secure because such few vulnerabilities have been found is a flawed argument. I could make the same argument that the applications I made during university are the most secure on Earth on the basis that no vulnerability has ever been found. Well, that's because very few (if any) people use it, therefore from the bad guy's perspective, it's not worth the time to try and attack it and there will be little revenue to be found. Remember: just because vulnerabilities haven't been found, doesn't mean that they aren't there.

Malicious attacks are always going to be targeted to the most popular (in terms of market share) devices/systems. As the market changes so do the targets for attack. For the better part of a decade (and more) this has been Microsoft Windows and Office Suite. Don't get me wrong, Microsoft has developed their fair share of insecure and unstable detritus over the years. However due to the fact that the vast majority of attacks until now have been squarely aimed at their stuff, this has given the illusion that Microsoft's products are inferior from a security perspective. While this judgement isn't entirely fair, I would argue that the constant bombardment of attacks has actually been beneficial to the boys in Redmond. The top executives realized that they needed to adopt more secure coding practices and even developed the secure development lifecycle for their new products. As a result, a strong security culture has since formed within the organization and it has become a top priority for future releases. 

As I alluded to earlier, there has been a noticeable market shift in the consumer industry. The younger generations (of which I am a proud member) are adopting iMacs/iPhones/iPods etc. as their system(s) of choice. Over the course of the next decade, the number of mobile devices (most of which of Apple related) will swell in the consumer marketplace (whether or not Mac OS X will ever make inroads in the corporate world remains to be seen), the number of malicious attacks aimed at Apple will increase exponentially. As I mentioned earlier, the bad guys aim their attacks at the most popular systems/applications/devices. It is becoming more apparent that the most popular venue of attack will be aimed squarely at Apple. I could be all wrong, maybe the notoriously secret company that is Apple really does make incredibly secure products, only time will tell.

Microsoft's been through the gauntlet and came out stronger as a result. As Apple will soon find out, it's one thing to talk smack from the sidelines; it's quite another to be jawing off on the field. The day of reckoning will come at Apple and the world will witness whether or not Apple devices are truly more secure than Microsoft's products or whether they've been living in a fool's paradise all this time.

Tuesday, November 24, 2009

The Flavours of Security

In the corporate world user security awareness programs seem to come in a variety of flavours. Two flavours in particular plain vanilla or neapolitan (these analogies will make more sense in a minute) merit further study. Businesses either invest heavily in technical solutions such as firewalls, intrusion detection systems, data leakage prevention or they adopt a layered approach in which people, processes, and technology all play critical roles. Hopefully, it's apparent that the plain old vanilla approach (invest heavily in technology) pales in overall effectiveness and cost compared to the vanilla, chocolate, strawberry approach of investing in people, processes, and technology (which I like to refer to as neapolitan).    

Companies that rely mostly on expensive state-of-the-art technological solutions to protect their corporate kingdom are at a higher risk of exposure or breach compared to businesses that follow a more balanced approach. It does not matter how much or what technologies have been implemented for security's sake; without the proper investment in improving end users' security awareness or developing incident response processes the technical aspects are worthless.

A million dollar investment in security infrastructure can be shattered in a second when an uninformed user sends his/her domain credentials in response to a phishing email. If you're going to invest so heavily in technology at least protect your investment by keeping your end users informed of current security threats (in words that are relatable to them, not techie speak). If you could protect a million dollar investment by spending an extra couple of bucks wouldn't you do it? Think of it as an insurance policy. End user security awareness and applicable processes are the insurance on the expensive technology purchases.  

The benefits of deploying user security awareness programs are numerous. They are inexpensive, not very time consuming, and deliver a high return-on-investment. It is important to not adopt a cookie-cutter approach when constructing the program as different areas of the business each view and use corporate data and technology in different ways. By customizing security awareness programs for different divisions/sections of a company, this increases the effectiveness of the program as end users are morely likely to understand (in their own terms) how their "computer" behaviour (online, data sharing, connecting to unknown networks) at work not only affects the corporation but themselves as well.

Scare tactics should never be used because they cultivate a culture of fear rather than one based on collective responsibility and accountability. Users that operate in fear are much less productive than those that have a collective identity and a sense of co-ownership with their employer.

Neglect end user security awareness at your own risk. Remember: the fate and security of any organization lies in the hands of its employees. Now will that be one or two scoops of neapolitan?

Friday, November 20, 2009

BotnetMania: Symptom or Disease?

The rise to power of the botnets has forced many security professionals to find innovative ways to combat the threat that these menacing botnets pose to organizations, businesses, and the whole internet ecosystem. However, most if not all of the solutions being brought forward are technical and are not addressing the true cause. In fact, I would argue that botnets are not even the problem; they are a symptom of a disease that has plagued our society for far too long: organized crime.

The mob exists for a single reason: to make huge monetary gains through illict means. Over time as societal needs shift so too do the gangsters' tactics. Case in point, during the prohibition era, the most common tactic was the smuggling of alcohol. Fast-forward today and it's obvious that there is no money to be had in smuggled booze. Wherever the biggest and fastest buck can be made that's where you'll find them.

The main point is that the cat-and-mouse game that is playing out with botnets be fought not only with technical security defence tactics but that the underlying problem be corrected. As with any other disease, you need to treat the cause not the symptoms. While we as information security professionals need to focus our energies on keeping the botnet symptoms under control it is important not to lose sight of what's causing these symptoms to occur in the first place.

In addition to using "good" technology to combat the symptoms there needs to be international collaboration (and cooperation) on the law enforcement front. A people problem needs a people solution. The best way to undermine the physical criminal networks is through good old fashioned police-detective work; only then will we start to gain control of the perpetual situation.

While we may eventually stumble upon a technical fix that solves the botnet problem; the "bad" guys will merely change tactical gears and try to exploit something else for monetary gain. So the problem really isn't gone, it's just changed appearance.

Technology alone never solves a problem (it is simply a tool that is used by people and processes). At its core, botnets are just one of the tactics employed by organized crime syndicates to achieve their strategic goals. Pure and simple, ridding the world of organized crime has always been a people problem and therefore "good" people need to be part of the solution. We likely will win the botnet battle but like all the past battles with the mob, they will follow the money onto the next battlefield and the raging war will continue indefinitely.

Tuesday, November 17, 2009

Privacy Shuffle

The surge in popularity and the integration into everyday life of social networking sites such as Facebook, LinkedIn, and Twitter has caused many to wonder why some many people are willingly descreasing their privacy. Let's think about that statement critically for a moment. Are people actually giving up their privacy or are we using an outdated and out-of-touch definition of privacy?

I would argue that the answer is closer to the latter. The downside of living in a society where the technological rate of change is soastronomically high is that our societal norms and values cannot keep pace with these rapid technology advances. While society as a whole maybe technologically advanced compared to 500+ years ago but some would argue that our core beliefs and value systems as a whole have not advanced at nearly the same pace.

Furthermore, there are obvious generational gaps in what privacy means and how it is perceived. The majority of people under thirty (who grew up with the Internet and home PCs) would give little pause in posting pictures, statistics, or other information about themselves online (few would consider it a breach of their personal privacy). Compare that with older generations and you would be lucky to find many people that would voluntarily post personal info on the social networking sites.

As a society we need to redefine "privacy." Young people are more at ease in showing the world who they actually are. I would argue that this promotes a more open and accountable society. If we all knew and understood each other a little better we would be less likely to go war or be prejudiced against one another. Kramer may have been onto something when he began posting pictures of all the tenants living in his building.

It's important to remember that we are all human and that by definition humans are not perfect; we do make mistakes. I have more respect and admiration for someone who is open, accountable, and genuinely remorseful for their actions compared to someone who hides their transgressions behind a veiled screen of privacy.

Needless to say, it is still vital that we protect our personally identifiable information (such as social security and credit-card number, passwords to online banking sites etc). This is crucial in a protecting your personal identity (not your privacy). It does not make much sense to use outdated social values and norms with 21st century technology. It's time to redefine our society's privacy filter.