Proper vulnerability analysis is critical to delivering secure software. It is equally important if you find yourself in the middle of a major motion picture. Consider the following:

  • If you only had one single vulnerability, wouldn’t you commit pretty much any and all resources you had available toward ensuring that said vulnerability was impossible to exploit? Sauron let his top soldiers, the Nazgul, run all over Middle Earth, getting involved in what amounted to turf battles. A smarter strategy would have been to completely fortify Mount Doom, and THEN start worrying about taking over the rest of Middle Earth. Having a firewall is not sufficient. You need to record and monitor activities at both the perimeter of a network and close to its most-valuable assets.
  • If you have an application that hosts data that is valuable from an attacker’s perspective, you need to ensure that all inputs are validated and appropriately sanitized. The most comprehensive physical security out there can be rendered irrelevant by failing to perform validation on even one input. You need look no further than “Snatch” and its diamond heist as proof of this. The criminals, posing as buyers, bypass the security by presenting themselves as expected input, and they are never completely screened.
  • Sandboxes, whether for virtual servers or VMs for code, need to be completely isolated from the host operating system. If someone can leave the sandbox and touch the underlying host, it is possible for the host to be compromised. In “The Matrix”, Neo broke out of the sandbox, rooted the host, and then corrupted the processes running in the sandbox.
  • If you must have a trusted subsystem that is allowed to perform low-level actions against high-value assets in an unauthenticated manner, then you need to make sure that authentication and authorization to your trusted subsystem are extremely strong. Having an authorized process share its authorization token with a malicious process will allow the malicious process to access the assets. In “Brazil”, Minister Helpmann shares his password with Sam, who then uses it to access the master systems and “delete” all records of the existence of an individual.
  • When mapping out the security roles in an application, always consider following the principle of least privilege. If a user doesn’t need access to an action or asset to perform their authorized duties, they shouldn’t be allowed access. If a system is improperly modeled, and a user can access low-level or administrative functionality, it can be used to exploit an application. In Star Trek’s “Best of Both Worlds”, Data issued the “Sleep” command to all members of the collective, forcing them to go to sleep. Clearly, this command should only have been made available to a small set of super-users or administrators.

While planning the redesign of an enterprise application at my employer, we’re using the Microsoft patterns & practices Application Architecture Guide as one of our design guides.

We started by baselining the current application against the guide, and found it deficient in every single outlined quality attribute. Specifically, the quality attributes outlined are availability, conceptual integrity, flexibility, interoperability, maintainability, manageability, performance, reliability, reusability, scalability, security, supportability, testability, and usability. Unfortunately, these deficiencies are what lead to the biggest pain points, both for the business and for the technologists trying their level best to deliver the optimal solution to that business.

Obviously, there are tradeoffs inherent in these quality attributes. One obvious tradeoff is security versus performance and usability. All three are important in nearly every application, but depending upon the threat profile of the application, security may take precedence over nearly every other attribute.

According to the document, during the design process, the following guidelines should be considered:

  • Quality attributes are system properties that are separate from the functionality of the system.
  • From a technical perspective, implementing quality attributes can differentiate a good system from a bad one.
  • There are two types of quality attributes: those that are measured at run-time, and those that can only be estimated through inspection.
  • Analyze the tradeoffs between quality attributes.

Some of the questions from the guide include:

  • What are the key quality attributes required for your application? Identify them as part of the design process.
  • What are the key requirements for addressing these attributes? Are they actually quantifiable?
  • What are the acceptance criteria that will indicate you have met the requirements?

TFS gives you some powerful, but somewhat obscure, functionality for undoing users’ checkouts, deleting workspaces, and more. As a TFS admin, you run into cases where a user’s workspace has become irretrievable, whether due to the user no longer being available to the project or a loss of data on the part of the user. The command for this (covered in MSDN) is:

tf workspace /delete hisworkspace;DOMAIN\OtherUser

If you want something a little more granular, you can undo the lock on a checkout, but not lose the change. This command (also covered in MSDN) is:

tf lock /lock:none $/project/path/filetounlock.cs

If you truly want to undo a checkout, losing the change, you can use this command:

tf undo /workspace:OtherUserWorkspace;DOMAIN\OtherUser $/project/path/filetowhack.cs

If the developer has moved on, whether to another project, another company, or it was their gear that moved on and took their project with it, deleting the workspace will likely work best. You don’t have to worry about unlocking their files, and you don’t have to wander all over your source tree taking care of files individually.
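As an added example (not from the original post), the PowerShell script below wraps the destructive tf workspace /delete so that the departed user’s pending changes are written to a log before anything is discarded. It assumes tf.exe is on the PATH and that the caller is allowed to administer other users’ workspaces; the workspace, owner and log directory are placeholders.

```powershell
# Added example, not part of the original post: keep a record of what a departed
# user's workspace contained before deleting it with "tf workspace /delete".
# Assumes tf.exe is on the PATH and the caller may administer other users' workspaces.
# Workspace name, owner and log directory are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Workspace,   # e.g. hisworkspace
    [Parameter(Mandatory = $true)][string]$Owner,       # e.g. DOMAIN\OtherUser
    [string]$LogDir = 'C:\TfsAdminLogs'                 # placeholder path
)

$spec  = "$Workspace;$Owner"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $LogDir "$Workspace-$stamp.txt"

# Step 1: confirm that a workspace of this name really exists for this owner,
# so a typo cannot delete somebody else's work.
$owned = tf workspaces "/owner:$Owner"
if ($LASTEXITCODE -ne 0 -or -not ($owned -match "^\s*$([regex]::Escape($Workspace))\b")) {
    throw "No workspace named $Workspace found for $Owner; nothing deleted."
}

# Step 2: record the pending changes (edits, adds, locks) that deletion will discard.
"Pending changes in $spec as of $stamp" | Set-Content -Path $log
$pending = tf status "/workspace:$spec" /format:detailed
$pending | Add-Content -Path $log
if ($LASTEXITCODE -ne 0) { throw "tf status failed for $spec; see $log" }

# Step 3: require an explicit, case-sensitive confirmation before the destructive command.
Write-Host "Pending changes written to $log"
$answer = Read-Host "Delete workspace $spec and discard those changes? Type DELETE to confirm"
if ($answer -cne 'DELETE') {
    Write-Host 'Aborted; workspace left untouched.'
    exit 1
}

tf workspace /delete $spec
if ($LASTEXITCODE -ne 0) { throw "tf workspace /delete failed for $spec" }
Write-Host "Workspace $spec deleted; record kept at $log"
```

The log gives you something to hand back to the developer, or to an auditor, if anyone later asks what was in the workspace when it went away.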

In response to November 2007’s loss of some seven million individuals’ banking information, Top Gear host Jeremy Clarkson wrote:

“Back in November, the Government lost two computer discs containing half the population’s bank details,” he said. “Everyone worked themselves into a right old lather about the mistake but I argued we should all calm down because the details in question are to be found on every cheque we hand out every day to every Tom, Dick and cash and carry.”

Jeremy then proceeded to publish his banking details, as well as information about the car he drives and where to find his address. In a thoroughly unsurprising turn of events, he found himself the victim of identity theft, donating £500 through a non-signature debit to the British Diabetic Association.

Now, with the pain of identity theft having been personalized, he has changed his tune.

“Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”

I presented a few days ago at Cleveland’s Information Security Summit. My topic was originally to be about Threat Modeling, using a system-centric approach to analyzing the threats, assets, and vulnerabilities of an application. Because there was another session being presented on threat modeling, I wanted to offer something unique. To that end, I reworked the presentation to include a section about the Security Development Lifecycle and how threat modeling fits within it.

While the slide deck won’t give you all the information from the session, it will provide you with the highlights. The PDF version can be found here.

TJX Thieves Charged

Charges were filed today against eleven people who stole 40 million debit and credit cards from several stores, including the infamous TJX breach. Other affected companies include BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc.

Whew, that’s a lot of data leakage. If only there were some standard that companies processing credit cards were to be held to…

Remember the prescreening program that frequent fliers could subject themselves to, which would allow them to breeze through airport checkpoints? It turns out the data for some 33,000 travelers may have been exposed after a laptop was misplaced at San Francisco’s airport.

The thing is, the laptop was lost, and subsequently found, in the same locked room in which it had been left. They are now claiming, contrary to initial reports, that the data is secured by two levels of password protection. Now, if those levels are a BIOS password and the Windows login, then yes, it is protected by two levels of protection, both of which are easily circumvented.

So, it seems that the awaited fix to the mono sound issue for GHIII on the Wii has been announced. Having already been through the process, I can tell you what to expect.

If you call (866) 780-8286 and ask to pre-register, you’ll give up your name, address, phone number, and email address. Within 10-14 days, you’ll receive a postage-paid mailer. You send this mailer off with your GHIII disc, and 10-14 days later, you’ll receive your new GHIII disc with non-crippled sound. 20-28 days round trip, half of which you’ll spend without use of your game.

So, what’s wrong with this? Well, the first thing that comes to mind is that you’ll be deprived of the use of your game for a week or two. The law-talking guys usually call this a cause of action. Never mind that Activision already had to open up Pandora’s box of fraud with the whole Dolby Digital logo on the box with monaural sound inside. Now, in order to fix their wrong, they’re forcing customers to give up use of their game for “ten to fourteen days” (any bets on how long it takes this wait to stretch into six or eight weeks?). If they’re trying to make plaintiff counsel’s job easy in the class action lawsuit over the fraud case, this is it.

What they SHOULD do, in addition to this, is allow for folks to purchase the upgrade (say $40 or $50, to minimize ebay arbitrage), provide a mailer for the old disc, and upon receipt of the old disc, credit all or a substantial portion of the purchase price. What they’re doing is pushing folks to keep a substandard product, or explore alternatives that allow for playing games off of “backup” copies of discs.

A settlement has been proposed between TJX and the lead plaintiffs for consumers who were affected. The affected consumers are divided into two classes: those whose financial details were exposed and those whose identity information was exposed. If you lost money, you can collect up to two $30 gift certificates, provided you can document the loss, including your wasted time at a princely $10 per hour. If you returned something without a receipt, and gave your driver’s license, you can collect three years of credit monitoring too. Oh, and they’re going to have a sale sometime in 2008 where you can get 15% off.

So, if a company implements shoddy security practices and causes mass card cancellation, as well as untold identity theft and consumer fraud, instead of quietly burying it, you turn it into a marketing event. Got it.

I have an $80 charge from 11/05 against a card that was used at TJX during the period that thieves had open access to the credit card details. Needless to say, FCRA’s 60 day dispute period is long gone, so a lawsuit against TJX may be my only reasonable recourse. Treble damages, court fees, time lost, and identity monitoring and theft protection come up to a tidy sum. Even if I accepted the class action settlement, I’d get, at most, $60 in gift certificates for my lost $80.

In this Information Week article, it is reported that TJ Maxx, poster child for the mother of all data disclosures, is being sued by banks. If you remember, they let loose some 45 million credit and debit cards. Figuring $25 cost for each exposed card incurred by a bank to void and reissue the card in question, you come up with somewhere north of a billion dollars as the cost of cleanup. Banks are not primarily in the “spending money out of the goodness of our hearts” business, and will want to collect on their costs, thus coming after the responsible party. Enter the class action suit, covering some 300 banks.

Prediction: This is just the first wave in this type of lawsuit. No longer will admonishment by the FTC or a “mea culpa” sent to customers be the biggest driver behind keeping data on lockdown. Now, private recovery costs will be the biggest stick in the game.