This started because of the following tweet from tqbf:
STRIDE is the dumbest acronym in security.
There are two kinds of dumb:
- dumb == harmful
- dumb == pathetic
STRIDE has a little bit of both in it, it’s pretty high on the dumb scale.
I’m taking votes for either. What’s the overall dumbest term in security (acronym or not)?
I’ll start: the dumbest (#2) thing I had to learn for the CISSP was “salami slicing.” The concept is OK, but the name makes me shake my head in shame. I shudder using this term to actually describe something to someone else.
EDIT: Ok, it might be “superzapper.”

In an earlier post to my personal blog as well as to this blog, I enthusiastically recommended the Synology CS407 NAS as a data storage/backup platform. I am now taking that recommendation back.
Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:

You can skip to the full report here: A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware.
What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you’ll see why). It’s not pretty, I didn’t do all the right things, and it’s kind of long.
Continue reading ‘Multiple Vulnerabilities in ALL Synology Products’
ISIS lab alumnus Mike Aiello will be on CBS National News @ 6pm on Sunday, April 6th talking about RFID security. Mike runs DIFRWear, a company that makes RFID-blocking apparel.
This is a short rant prompted by another student’s observation that Yelp actually asks for your Gmail password as part of their signup process…
Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:

Continue reading ‘We promise we won’t store your password’
Single Site Browsers [to be uploaded later]
It’s an interesting idea and I can’t disagree with the concept (<3 <3 separation of privilege) but I think it’s missing a few things. Here are some observations I made about it.
- They acknowledge that SSBs do nothing against malware.
- It solves the problem of webpages bringing in resources from all over pretty nicely. Since the organization pushing the SSB knows what's on its own website, it can easily publish a whitelist of allowed domains/content or even change its own site to be simpler in that regard.
- I think this might come down to a social problem. If I’ve got one general purpose browser I use every day (IE, Firefox, Safari) and I have it open right now, what is going to convince me to close my browser and open a new app just to get to a website that I already have bookmarked? There needs to be some incentive besides security tied into the SSB to get people to perform the above action or companies need to disable functionality on their public websites.
- I think the SSB idea is really just a crutch because people can’t implement robust security policies in a browser. Think “IE Zones” on steroids or even GreenBorder (wow when did they get bought out???).
Still, it’s kind of cool.
Late last year in an article titled “In Zombies We Trust,” Dan Geer suggested that there are two types of users — those who blindly say yes to everything and are probably infected with a dozen viruses and those who say no to most everything and likely escape most virus problems — and that it could be a legitimate practice for websites to further scrutinize the actions of those who always say yes to prevent them from getting into trouble while using their site. The premise is that these virus-infected users end up costing the businesses they frequent a significant amount of money by being such persistent problems.
A member of our lab (I’ll leave it to him to take credit for this idea) suggested last week that maybe this should be taken a step further. If I know that one customer of mine is more likely to be infected with a virus (or has a higher susceptibility to phishing, pick your threat) now or in the future, is it reasonable for me to completely deny him my business?
This can be easily tested using either Dan Geer’s test or by sending my customers random phishing messages for my own business (there’s even a phishing appliance to do it for you!). I.e., PayPal sends you a phishing email for themselves (sent from another domain, self-signed certificate, graphics copied incorrectly, differently formatted e-mail, whatever) and if you fall for it, they calculate your future profitability and weigh it against the costs you’ll incur if you actually do get phished in the future. If you’ve got a negative balance after this calculation, your account will be canceled and PayPal will have saved money.
The observation was also made that this is standard practice in other industries. Insurance and, regrettably, healthcare come to mind. Would this be a bad thing for web services?

-3 days: ISIS Labs is bringing 6 of its finest to compete in the North-East Collegiate Cyber Defense Competition (NECCDC) in Rochester, NY this weekend. Wish us luck!
I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far! Continue reading ‘Blogging the NECCDC’
There’s been a bit of a back and forth discussion on one of our mailing lists regarding Ed Felten’s recent cold-booting attacks on software FDE (BitLocker, FileVault, dm-crypt etc.). I thought it might be worthwhile to collect some of the potential software-only modifications that would protect against his attacks.
Continue reading ‘Countermeasures to Cold Booting Attacks’
Seriously.
I had a very, very quick talk with someone at NYSec tonight and we highlighted the Social Responsibility panel at Shmoocon that wrapped it up as one of the biggest letdowns of the weekend. It’s a panel that should symbolize all the hopes and dreams our entire community wants to accomplish but instead time was wasted debating the meaning of the word ‘hacker’ and what constitutes “our” “community”. I think Toby summed it up best when he threw a Shmoo Ball and said (paraphrasing) “We’ve debated what the word hacker means for 20 years and we’ll do it 20 more. We need to move on to talk about more important topics.”
Toby is exactly right, but his comments didn’t prevent the conversation from getting derailed again just a few short minutes later…
Continue reading ‘NYSec > ShmooCon’
I just wanted to give a shout-out to some new friends that ISIS has made over the last few days through ShmooCon, NYSec, and elsewhere: Hello Matteo, AJ, Dino, Erik, Mike, Kees, and the NYCResistor Hacker Space! It was nice meeting all of you, keep in touch and call me if you want to grab a beer!
ShmooCon has taken a nosedive. I don’t know where it went wrong, maybe this year was just a horrendously bad year, but the presentations did not meet my expectations. I can’t wait for the videos to go online in 60 days so I can watch myself hitting Simple Nomad in the face with a Shmoo Ball and being the first one to call him out on the poor quality of his presentation or the small businesses talk where Strat and I took turns dismantling all the presenter’s points.
This is the second time I’ve felt like this (the last time was after HOPE). I can’t sit here and complain anymore. If I disliked the presentations so much at ShmooCon, then I should present something myself to make up for it.
Who’s with me? HOPE/ISIS Con ‘08!
At ShmooCon ‘08 Simple Nomad heavily advertised the cause of forensiclicensing.com. Unknown to me and many others, many states are requiring that all practitioners of computer forensics become licensed, in this case by becoming a licensed Private Investigator. Simple Nomad described this as one of the greatest threats currently facing our community, however, I contend that this is not necessarily such a bad thing.
Continue reading ‘Forensic licensing isn’t that bad’
I think it’s safe to say that 99% of the security community believes that developing exploits and then selling them to security vendors is a Bad Thing, yet, to me, no one seems concerned enough about this activity to develop a viable, alternative model. Application developers hate it when you won’t tell them what’s wrong with their product. Application users (i.e. the general public) hate that they can’t fix their software even if they wanted to. Of course, every single user of technology on the planet could just subscribe to 15+ security vendors’ product lines to get notice of these things… The entire idea seems antithetical to our purpose for existence, if we had one, namely to help secure every technology on the planet so that people can extend and build new ones.
Continue reading ‘A manifesto for fixing vulnerability disclosure’
Here is a set of interesting references regarding Breach Laws in the United States. I especially like the interactive map that CSO Magazine made, but I can see where having a textual list might be more useful :-).
Breach Laws Charts (updated)
This might be good information for any of the students taking Information Security Management this semester to include in their work.
Jeremiah Grossman has posted his Top 10 Web Hacks of 2007 to his blog. It collects the state of the art in one short, simple blog post. Highly suggested reading if you’re into webapp-sec.