Friday, July 9, 2010

Preparing some curricula on web security

Among the other cool things I'm doing this summer is working as a teaching assistant for 1.5 days worth of tutorials on the subject of web security. This is part of my national research group's "summer school" program where we try to give our graduate students more background into other areas of security. I'm working up a list of potential topics so we can get our teaching materials together.

So... What would you want to learn in a short course on web security? What do you wish other people knew about web security?

Here's my brainstorming list, to be updated as new things occur to me:

Attacks

Defenses

  • Best coding practices
  • Web Application Firewalls
  • Web Vulnerability Scanners
  • Tainting
  • Mashup solutions (e.g. MashupOS, OMash)
  • Policies (e.g. SOMA, BEEP, CSP)
  • Penetration testing techniques

Notes: The tentative plan is to separate things into a hands-on lab tutorial (probably using webgoat) and a set of lectures, mostly running simultaneously. We're going to have some top-notch students here, since we're drawing from a pool of smart security researchers to start, so we can cover a lot of ground and go much further in depth than we might teaching developers with no security background.

Tuesday, June 29, 2010

A crash course in the social media equivalent of defensive driving

How can you stay safe and keep things private while still taking part in online life? I'm a web security researcher, so I get asked this fairly frequently.  And it's easy to see how people get overwhelmed by all the news stories, the marketing blurbs, and the constantly changing policies.

Why I'm not telling you to quit Facebook

Let's say you're worried about your risk of getting into a car accident.  Do you sell your car and refuse to get into any moving vehicle?  No.  Refusing to use a car might make you safer, but it would be quite isolating and, depending on where and how you live, very difficult.  Just like many people live without cars, you can live without social networking, but there are some significant costs to refusing to participate.  Many people's need or desire to participate is much stronger than the risks they face.

If you're worried about car accidents, you've got other options to manage your risks than giving up your car.  You can learn to drive defensively.  You can make sure you wear your seatbelt.  You can learn about the safety ratings and use cars that perform better in safety tests.  You can refuse to drive places that are dangerous.

So what I'm hoping to do here is give you a crash course in the social media equivalent of defensive driving.

The web is not a safe place

When I learned to drive, my driving instructor often reminded me that I had to treat every car on the road as if it were being driven by a moron who might swerve into my lane at any time.   It might seem like a very negative point of view, but it's a very practical one that's helped me avoid accidents on numerous occasions simply because I was expecting it.

My blog is called Web Insecurity for a reason.  Nearly 2/3 of web pages currently have a serious vulnerability.  So that means no matter what the policy is, how careful you are, or how careful your friends are... there's a good chance you are going to view some code controlled by a bad guy, and they could get information about you that you don't want them to have.  It's often very easy to exploit these vulnerable parts of a website.  75% of websites with malicious code are legitimate sites.   

You may be thinking, "sure, but no one's going to care about my data."  And you may be right.  But if a bad guy is trying to make a company look terrible, one way to do so is to expose information about all of their users.  You can definitely wind up as collateral damage.

Learn your legal protections

Learning about legal stuff can be time-consuming and confusing, and frankly companies may violate laws anyhow.  But it's still worth learning a bit about your rights. The EFF has quite an impressive body of work covering free speech, privacy, intellectual property and other important issues, and they do a great job of translating legal speak into clear, comprehensible articles.   You might also consider reading bloggers like Michael Geist, and your country may have great resources like the Office of the Privacy Commissioner of Canada.

Remember that things that may seem similar often have very different legal protections.  For example, if my credit card number is stolen, there are laws that limit my liability to $50.   But that's not true about all money transactions online:  Debit/bank cards have no such legal protection.  Some modern credit cards that require a PIN have no such protection even though these cards aren't actually safe. You may have no legal protection from your bank if you don't follow their security procedure to the letter, and those security requirements of online banks can be pretty crazy: Do you reboot your computer every time you bank?  No?  You might be on the hook if someone compromises your account!

So yeah.  It's a bit of work, but it's worth it to at least learn about the issues that affect you.

Learn the controls

It may seem a bit silly, given that I've already told you that websites can easily be compromised, but if you're managing risks you should learn to use your privacy controls, choose good passwords and security questions, and keep those things private.  Again, it's about managing your risks: even if these controls can't make you 100% safe, they might make you safer.


Companies are not your friends

For many companies online, you are not really their primary customer: your time and your personal information are assets the company sells to their advertisers.  You have to expect to be treated accordingly. You have to treat every company or organization you interact with online as a potential hazard.   Many companies intentionally or unintentionally violate privacy laws and even violate their own privacy rules.  And privacy rules change, sometimes because the company itself changed them, sometimes because they get bought out by another company.  Your guarantee when you signed up for the site is unlikely to hold a year from now, but it may be nigh impossible to remove your data from the system when it changes.

And that's just the "legitimate" problems that could affect you: there's a good chance any company's sites could be attacked and your data exposed as a result -- it happens to fully legitimate companies all the time, no matter how good their intentions towards you and your data.

Choose your friends wisely

You wouldn't tell all your secrets to the office gossip, but online your friends may be "forced" to become gossips either through malicious software or through changing policies.  It sounds like some crazy super-spy movie: trust no one!  Your friends could be compromised!  But once again, just like I'm not telling you to delete your facebook account, I'm not going to tell you not to share, just to be defensive.

For example, I have a couple of friends who really enjoy Facebook games.  They seem to install every new thing that comes along and invite me to join.  Nothing wrong with that, right?  I mean, if I don't want to join, I just don't, and that's the end of it.  Except that it's not: my friends have all these games and thus all these extra ways that someone might break in to their accounts.  And indeed, these are the folk who wind up with compromised accounts more often than most.   So while these are great people who I'd be happy to share job concerns or relationship woes with in real life... It's too risky for me to share private stuff with them online.  They are the office gossips, whether they mean to be or not.  They're not the only ones who put me at risk (any friend can end up on the wrong end of a broken website) but they're the riskiest.


Choose what you want to share

The biggest part of managing your risk is choosing what you want to share online.  Here's a few questions you might want to ask yourself:
  1. Will this embarrass me if it gets out?
  2. Will this affect my safety?
  3. Will this affect my employment?
  4. Will this affect my family/friends?
If your job requires you to be a role model, you may have to be a role model even in your off-hours. Maybe it shouldn't be that way, but let's be pragmatic: you have to assume that it is that way.  

You have to assume that anything you share online could become public knowledge.  You can't trust the companies, you can't assume their sites are safe, and you can't even trust your friends because of unsafe websites.  

Think before you share.



Using a pen name

One other way to manage risk is to use a pen name or pseudonym.  Lots of people do this to give them a layer of privacy, especially when trying out something new like starting a silly blog, or when engaging in discussion that could be sensitive such as online political debate.  Sometimes it's even an open secret that so-and-so goes by a nickname online, and the only reason they do is to make it harder for potential employers to come up with a list of everything they do online when searching their legal name and given email address.

This is a great tool if you want some more freedom to speak, but people sometimes will do the legwork necessary to figure out who you are, especially if you're high-profile or saying something unpopular.  So pen names are great, but do remember that they're not 100% guaranteed to keep you safe.  Again, it's another way to manage risks.

No matter what you do, everything may become public

I've said this a bunch of different ways, but this is the real take-home message here: No matter how careful you are, anything you do online can become public knowledge.   It's up to you to manage your risks accordingly.

But don't despair -- it may sound stupidly hard, but you're already handling issues of trust and privacy every time you choose to tell a story to a friend or complain about work at a party.  You might have to pretend you're in a spy movie and trust no one, or you might decide some things are perfectly fine to share with the world.  Just try to make an informed decision.

Friday, May 21, 2010

No Website Left Behind: Are We Making Web Security Only For The Elite?

This is an annotated version of my presentation at W2SP 2010, since I realized my slides by themselves are missing a lot of the story. The full paper is available from the conference website and I should be putting up an HTML version shortly.

w2sp: Slide 0: No Web Site Left Behind: Are we making web security only for the elite?

Hi, I'm Terri, and I'm here to talk about whether we're excluding some very important people when it comes to web security.

The first thing you need to know is that...

w2sp: Slide 1: Page Creators are not all Programmers

And of course you knew that, because we all know the Internet is actually run by cats.

w2sp: Slide 2: The Internet is run by cats

... and we all know that cats aren't programmers; they're artists.

w2sp: Slide 3: Cats are artists

Seriously, though, many of the people who do web design professionally are artists, not programmers. You can see this through the job titles used and other services offered by many web design firms.

w2sp: Slide 4: Professional web page creators often have artistic backgrounds

And then there's all the people who make pages but aren't professionals. Cat blogs, community sports team sites, small church websites, etc. are often made by non-professionals.

w2sp: Slide 5: And there are plenty of non-professional page creators too!

And in many ways, it's fantastic that all these people can make web pages. Web 2.0! Sharing! Communication! But the problem is that web security is designed for programmers.

w2sp: Slide 6: Web Security is for Programmers

So, for the purposes of visualization, let's pretend that a web page is like a car...

w2sp: Slide 7: Suppose a web site is like a car...

Thus we can imagine web security issues like cross-site scripting and cross-site request forgery are sort of like getting gremlins in your engine.

w2sp: Slide 8: Problem: Gremlins in the engine

With this analogy in mind, let's look at some of the best tools we have for fixing websites:

w2sp: Slide 9: Safer Coding Practices

The big one is safer programming practices. You take your existing website, and replace it with a new, gremlin-proof one. This is pretty programming-intensive, much like you'd need some serious mechanic skills to replace your entire car engine.

Then there's tainting or data flow analysis, which allows you to trace the path of the gremlins through your engine...

w2sp: Slide 10: Tainting

But once you've done that, you still have to patch the code so that the gremlins can't cause problems. Programming!

w2sp: Slide 11: Tainting (Fix The Code)

We've got known exploit detection, such as web application vulnerability scanners and web application firewalls. They tell you exactly where and what kind of gremlins you have.

w2sp: Slide 12: Known Exploit Detection

But while they might protect you for a time, best practice still says you should fix your code.

w2sp: Slide 13: Known Exploit Detection (Fix The Code)

And then there's the cool mashup protections which help you fix your code to provide isolation between components so that the gremlins can't breed in your engine. But they mostly involve a lot of coding to implement.

w2sp: Slide 14: Mashup Protections

Even the language of security is heavily oriented towards programmers. The documentation for Mozilla CSP even includes set theory notation! Not exactly friendly for artists.

w2sp: Slide 15: The Language of Security

Some of the organizations that do the best job of communicating (web) security flaws tend to be intimidating to non-programmers, and really send the message “If you're not a programmer, this isn't for you.” This is not the message we want to send!

w2sp: Slide 16: Non-Programmers still need Security

Because non-programmers really do need security.

w2sp: Slide 17: The Web is a Target

The web is a big target, and attackers aren't limiting themselves to big sites – automated attacks make it worthwhile to compromise even smaller targets. Lots of attackers are interested in sending spam, SEO, evading blacklists, etc. all of which can utilize smaller sites. And the attacks aren't always where you'd expect: Did you know your Facebook account is currently worth more on the black market than your credit card?

w2sp: Slide 18: Design choices affect security

But if you're thinking “So, we just let the designers design and handle security at the programming layer below,” you're missing two important points:

First, smaller sites may not have anyone who can handle security, period.

And second, the design of a page actually affects the security of a page. For example, if you put an advertisement on a page with a form, you've just given that advertiser or advertising server access to your user's data. Programming under the hood can't fix that; it's done on the client side. A lot of “small” sites will use a variety of cut-and-paste code that they found elsewhere, increasing their risks even though they may not realize it.

w2sp: Slide 19: So... Now What?

So... that's not terribly good. What can we do about it?

w2sp: Slide 20: Security costs may outweigh risks

Before we propose any solutions, we need to keep in mind that the cost/benefit ratio for smaller sites may be very different from what we expect. Users will reject security advice if it's more costly to implement than their risks are. And for non-technical site creators, the cost of learning security may be months of additional time, personnel, and money spent on training. Whereas how much risk is there of your community sports team website getting compromised? It may not be clear, and it may not be easy to translate into dollars.

w2sp: Slide 21: Provide more secure infrastructure and tools

So the first thing we can do is provide a more secure environment. The same origin policy already provides some basic protection to websites, and it's something designers just accept as part of the web infrastructure.

When I put together these slides, I didn't have any other ideas of what to do, but I've now seen a presentation that suggested some security restrictions that would have minimal impact on the top 100,000 websites but could improve security. (The paper is titled “On the Incoherencies in Web Browser Access Control Policies”)

It'd be really handy if graphical tools like Dreamweaver could generate secure mashups. I even talked to some students from the University of Virginia who are working on small policy additions to Ruby on Rails that could provide security – we need more work like this!

w2sp: Slide 22: Provide education (that non-programmers can understand!)

Education is also a big deal: people won't bother with better security if they don't understand the risks, and they won't fix problems correctly if they don't understand the solutions. But we have to be really careful to provide materials that make sense to the target audience of designers, and that are sufficiently short that they don't cause the costs of learning to exceed the risks.

You know how the EFF has done a great job distilling the complex privacy issues in Facebook and explaining them to the general public? We need materials like that for web security as well as privacy.

w2sp: Slide 23: Provide minimal interventions (web site first aid)

Another way we can help is by providing something akin to website first aid. If you fall and skin your knee, you know enough to wash out the wound, maybe put a bandage on it. You don't need to be a doctor to help your daughter if she trips in the playground. But right now you need to be a website surgeon to handle any security!

There's already some neat things out there: The Origin: header provides protections against XSRF with minimal effort. I worked on a system called SOMA which provided additional controls over includes in websites. But the risk is in letting these minimal interventions get too huge to be useful for average websites. I'm not a huge fan of Mozilla CSP because it's getting just too big for a quick fix. We need to put a lot of thought into optimizing policy and other solutions for common cases and less into flexibility for unlikely edge issues.
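As an added example of the "web site first aid" idea above (not code from the post, from SOMA, or from any project it names), here is the kind of minimal Origin-header check a site could drop in front of its form handlers to refuse cross-site state-changing requests. It assumes an Express-style request object with `req.method` and `req.headers`; the allow-listed origins are constructed sample values.

```javascript
// Added example: a minimal Origin / Referer check against cross-site request
// forgery. Assumes an Express-style req object (req.method, req.headers);
// origins in ALLOWED_ORIGINS are constructed placeholders.

// Read-only methods are not XSRF targets as long as the app keeps them
// free of side effects, so they are let through without an Origin check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Origins (scheme + host + port) allowed to submit state-changing requests.
const ALLOWED_ORIGINS = new Set([
  "https://example-sports-club.test",
  "https://www.example-sports-club.test",
]);

// Reduce a Referer URL to its origin, or null if it does not parse.
function originFromReferer(referer) {
  try {
    return new URL(referer).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a request may proceed. Returns { allowed, reason } so the
// caller can log why something was refused.
function checkOrigin(req, allowedOrigins = ALLOWED_ORIGINS) {
  const method = (req.method || "GET").toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: "safe method" };
  }

  const headers = req.headers || {};
  let origin = headers.origin;

  // Browsers send Origin on cross-site POSTs; where it is absent, fall back
  // to the Referer, which older browsers send instead.
  if (origin === undefined && headers.referer) {
    origin = originFromReferer(headers.referer);
  }

  // Neither header present: the request cannot be attributed, so fail closed.
  if (!origin) {
    return { allowed: false, reason: "no Origin or Referer header" };
  }

  // "null" is the opaque origin browsers send from sandboxed frames and
  // data: URLs; it never matches a real site, so refuse it explicitly.
  if (origin === "null") {
    return { allowed: false, reason: "opaque (null) origin" };
  }

  if (allowedOrigins.has(origin)) {
    return { allowed: true, reason: "origin allow-listed" };
  }
  return { allowed: false, reason: "origin " + origin + " not allow-listed" };
}

// Express-style middleware (assumed (req, res, next) shape) built on the check.
function originGuard(req, res, next) {
  const verdict = checkOrigin(req);
  if (verdict.allowed) {
    return next();
  }
  res.statusCode = 403;
  res.end("Forbidden: " + verdict.reason);
}
```

Because the check only consults two request headers, it can be added without touching the form-handling code itself, which is what makes it "first aid" rather than surgery.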

w2sp: Slide 24: Provide Separation Between Security and Design

And of course, it'd make our lives a lot easier if we could provide more separation between security and design so that design choices wouldn't necessarily compromise your security.

w2sp: Slide 25: Offload security to others

If we had more separation between security and design of web pages, we could offload security to others. For example, the people in an organization who may care most about security are your systems administrators, because they're the ones who get woken at 4am if something goes wrong, and they're the ones who have to clean up the mess.

We may even want to consider offloading security to the users: they're the ones whose data is most at risk, and they're willing to install virus scanners and even NoScript to try to protect themselves: surely we could do better there.

And finally, there's always the option of hiring outside security experts. The costs currently are prohibitive for smaller sites, but if basic security were easier, maybe we could make this more reasonable.

One thing I've been working on is a visual system for defining security policy, so it can be integrated with design tools and so security can be articulated in a language designers already understand. I'd be happy to talk more about it if you're curious.

In conclusion, while we're doing some good work in web security, we're really limiting our impact if we don't reach out to the broader range of folk who create web pages. Making web security all sound complex, time consuming and hard at all levels may be great for our job security, but it isn't the best way to go about actually making the web safer for the world!

w2sp: Slide 26: Wrap-up and Questions

Edit: Although I was unaware of this when I wrote the paper whose title is used in this blog post, apparently "No Website Left Behind" is trademarked by Cenzic.

Saturday, May 15, 2010

Subverting Ajax

I wrote this on 9/15/08 but never published it for some reason. The paper I'm discussing is still interesting, though, so here's the post, years late!

Today's paper is Subverting Ajax which was published in December 2006 at the 23rd Chaos Communication Congress. It is, as one might expect from the title, an overview of ways in which Ajax (Asynchronous JavaScript And XML) can be compromised.

You might think that since this paper was from 2006, many of these flaws would be closed, but sadly, the paper seems to retain its relevancy even in 2008.

Although the focus of this paper is on Ajax, particularly the case in which an attacker has placed another layer of communication "between" the browser and the server, it also covers a number of techniques that can be used in any JavaScript based attack. For example, the wrapper used around the built-in XMLHttpRequest could potentially be used to subvert any built-in JavaScript object. Also clever is the use of proxies and iframes. To be honest, the attacks I've seen in the wild have not been this complex, but if we ever close the obvious holes we can expect that more subtle attacks would happen, and it's good to understand them in advance.

The one downside to this paper is that it is clear that the authors are not native English speakers, and I'm sorry to admit that there were places where I found their use of language distracting.

Overall, I'll have to recommend the paper, as it was recommended to me, but I have high hopes that owasp.org will produce easier to read documentation on Ajax-specific threats one of these days.

Tuesday, May 11, 2010

Will privacy issues herald the end for Facebook?

I've been seeing a lot of people talking about deleting their facebook accounts over the privacy issues. At first, I chalked it up to my twitter contacts being more aware of security issues than average (I do follow a lot of security folk), but I'm starting to see retweets from outside my own network that imply a lot of people are jumping ship:

@tonyakay: "I deleted my Facebook" is the new "I don't own a TV"


Which really probably sums it up. It's a bit pretentious and holier than thou to announce your lack of Facebook, and it's kind of a techno-elite status marker. When Wired called for an open alternative to Facebook I figured I was right on the money, and it was just a thing for tech nerds to do.

But then I started seeing things like this:

@thesixthbaron Was told by a student this morning that not having a Facebook account is now cool. #abouttime


Facebook's biggest strength is in the network effect. The more people you know who use Facebook, the more useful it becomes. Everyone says, "Oh, I have to keep my account because $some_friend_or_family_group still uses it to communicate." But if Facebook is starting to be uncool the way myspace became less cool, then there aren't going to be as many people worth keeping an account for.

It's not just the people that keep users on Facebook. No one says, "I'm too addicted to FarmVille to leave." But I'm guessing that's an issue for some. However, it turns out the games may be jumping ship too. (And if you don't want to admit you're leaving because of the games, you're probably going to say the problem was privacy, because that's what the cool kids are saying.)

So now you have fewer friends on Facebook, and you have fewer new games... will you stay, or will you find you're spending most of your time elsewhere and encouraging your friends to do the same? People will keep their accounts in case Joe from highschool wants to chat, but they'll use them less and less.

We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.

Privacy is a big deal and countries are starting to care. Those are big players, but a mass exodus of actual users now shows that it's more than a few policy-makers and the techno-elite who care: privacy may actually be a selling point for future social networks because it seems that the market is demanding it.

The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience. Is it possible? Yes. Will it happen? That remains to be seen.

Monday, May 10, 2010

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

I'd like to draw three related things to your attention.

First: Avast released a study on malicious advertisements in February, and the media's had some fun reporting on "malvertising" while seasoned professionals tried not to roll their eyes at yet another buzzword. (Tired of malvertising? Try "badvertisements!") Malvertising is one way legit sites get hosed: estimates say 75% of sites with malicious code are legit sites that got compromised.

Second: Back in March, Ars Technica posted a rant, "Why Ad Blocking is devastating to the sites you love." They felt ad blocking was impacting revenue and asked people not to do it. (Note that this argument spawned rebuttals.)

Third: I went to a talk by Terry O'Reilly and Mike Tennant, as part of their book tour for The Age of Persuasion: How Marketing Ate Our Culture. (I recommend their radio show.) Among the things they talked about was the advertising social contract: In exchange for your attention, advertisers give you something in return. TV advertisements subsidize programming, so they're honouring the contract. Billboards don't really give anything back to the consumer, so they're breaking it.

----

So here's where we put it all together:

Using ad blockers breaks a social contract with advertisers: namely, you get free stuff (content) in exchange for those eyes. If you're taking without exposure to the advertisements, you're "stealing."

But advertisers are breaking the contract in even worse ways with malvertising. They're basically stealing from viewers. It might not be intentional, but it's probably the equivalent of having advertisements on the TV that blare so loud that they cause hearing damage. Could you blame people for turning those off?

Ad blockers do more than keep you from seeing advertisements: they may actually make you safer.

So what to do? The advertisers can try to woo people away from ad blockers by giving more. Terry O'Reilly and Mike Tennant talked about how they like to make their ads funny: so you're giving more in terms of entertainment. What can advertisers do to give back when it comes to security and privacy?

One answer I've seen on that front comes from a surprising source: Facebook. Facebook isn't known for getting privacy right at all, but they are doing their darnedest to put a nice spin on their privacy violations. Sure, maybe you didn't want to share with those Facebook connect apps... but isn't it awfully convenient how other sites already know your preferences?

Unfortunately, I (and many others) don't WANT creepy customization. So in the end what they're trying to do doesn't really help with their end of the social contract at all. It may even hurt for many people. Let's just hope that later attempts are a little more generous on their side of the bargain.

You know who did it better? Burger King. Their Whopper Sacrifice where you defriended 10 people for a whopper was quite the hit. In exchange for ditching your friends and giving up some privacy, you could get a free burger. And lots of people did.

I'm not sure I'd give up more privacy and security for a burger, but I'm curious to see how the more creative advertising folk handle this challenge. If users become more aware of malicious advertising, will it even be possible to overcome this challenge and still use banner advertisements, or will we be seeing advertising in new ways?

Saturday, May 8, 2010

Why Facebook is like your psycho ex

There's been lots of really interesting articles about the privacy changes in Facebook. My personal favourite is Matt McKeon's excellent infographic showing your (private) data spreading out further and further. (See left for mini version.)

The thing that I don't quite get is how upset everyone seems to be about this.

No, hear me out. I'm not just being a smug security researcher.

I caught the 6 o'clock news on TV a few weeks ago, and tried in vain not to laugh during the segment on THE DANGERS OF TEEN SEXTING. Basically, for those of you who haven't heard, sexting is the practice of sending sexually-charged text messages and photos. According to the news segment, it is a plague upon our youth, who are too foolish to realize that those naked pictures they sent to their significant others might eventually wind up on The Internet. The segment was so over-the-top that it was begging to be parodied by some comedy group, but the take home message wasn't wrong: anything you send can be shared, so don't send stuff you don't want shared.

So, when we're seeing news where smug adults talk about how teenagers don't know any better about protecting their data (or at least their naked breasts) from public scrutiny, I'm not really sure how adults can justify being horrified and shocked that their Facebook data isn't as private as they thought it was. Tell your children not to record anything they don't want available for all time, but OMG FACEBOOK IS SHARING MY DATA?!!!

I hope teenagers everywhere are laughing.

So here's what I recommend: Treat web sites much like you would potential ex-boyfriends or ex-girlfriends. You may want to trust them now, but you can never be sure when they might go psycho and write your number in bathroom stalls and share your naked pictures with the Internet. It is, of course, safest to never share anything... but we're not wired that way. People like sharing! It'd be a bit of a lonely life if you never shared anything, and nowadays sharing includes sharing online.

But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship. And probably, unlike websites, 64% of your friends don't have a security flaw.

My sister has a funny story about doing a security check for a previous job that went something like this:


The guy who was doing my clearance was old enough to have children my age, and I sort of think he might have because he was getting increasingly uncomfortable about the questions he had to ask me. When he got down to ones like, "have you ever had a threesome?" he reminded me that, "you don't have to tell me if you aren't embarrassed about it. We only care if you can be blackmailed. If you're not embarrassed, it doesn't matter."


So there you have it: As long as you're not embarrassed by the stuff you share online, it doesn't matter if it gets out.

Or if you prefer dramatic news segment style: SHARE BUT BEWARE. ;)

Wednesday, February 17, 2010

How Foursquare can help people steal your stuff. PS - Want to buy some privacy insurance?

When I first got access to the Internet, my parents were quite paranoid about me talking about when we'd be going on vacation, and when people weren't home. I'm not sure if they're still paranoid about it, but I admit I think about their concerns every time I mention that I'm in another city on Twitter.

However, I've never seen anyone get that point across so nicely as pleaserobme.com, which uses Foursquare and Twitter to build a nice list of people who aren't home right now. Combine that with a little extra observation to find out where their homes are, and I bet you'll also find a wealth of other information about the things they own that are worth stealing. Handy for all your thieving needs!

I wonder how many people will rethink using Foursquare after seeing this. I'm guessing not actually that many, though. Just like Facebook, a few people will be appalled, but more will be thinking "eh, that'll never happen to me." My supervisor asserts that people will only really care about privacy when someone from Google goes completely bonkers and uses the information at their disposal to kill someone. But I am not sure even that would be enough: they're already risking people's safety with gaffes in new products, and while that gets people upset, I know I haven't closed my Google accounts or turned off the phone that's transmitting my location data to them all the time...

Mind you, I know how easy it is to break into my house and I haven't upgraded my locks either, just bought insurance and backed up my digital assets off-site. I know how insecure my credit card is, yet I'm counting on the law to keep me from being liable if it's abused. And you can buy insurance on top of that for identity theft.

So sure, I'm happy to hear that the Canadian privacy commission wants to know more about Google Buzz. But what I'm really wondering is how to sell insurance for privacy. I'd make a killing in this market!

(Addendum: If only I could figure out how to make that work... Can't you just imagine a team of lawyers descending upon your mother to do damage control when your friends' drunken antics get leaked through Facebook?)

Wednesday, February 10, 2010

Bank being sued for teaching customers bad security habits

After mentioning in a previous post that banks are now suing customers who get robbed, here's a lawsuit going the other way: Comerica Phish Foiled 2-Factor Protection.

A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.


The short version is that the bank regularly sent customers emails where they were required to click a link and then enter their password on that site in order to update a security certificate. Unfortunately, priming people to do this also makes them easy marks for phishing attacks which often... have users click a link to go somewhere that looks like their bank site, then enter their password. Awkward.

Read the details here (or scroll down on that site to see the lawsuit and initial response from the bank).

Monday, February 8, 2010

Amex thinks shorter passwords without special characters are more secure

I was working on a background section of my thesis proposal and was talking about how some misconceptions regarding security policies can result in web sites being a lot less secure. But American Express takes security misconceptions to a new low:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.


And it gets worse!

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed”.

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.


Uh, no guys. Just no.

Also, the former magazine editor in me is going, "softwares? softwares?!" but that's another problem entirely.

Read the rest of what American Express said and see the screenshot here.

Saturday, February 6, 2010

Barcodes for breaches

[Image: QR code]

Barcode: <script>alert("test")</script>

I'm highly amused by the XSS, SQL Injection and Fuzzing Barcode Cheat Sheet. Who knew security attacks could look almost... pretty? It's just standard XSS and SQL injection test code translated to bar codes, so they could be used as injection vectors. I know I've scanned codes to grab an app I want faster on my phone, and I'm seeing codes popping up in the free daily papers, which I find somewhat interesting given that early attempts to get people to use barcodes have met with commercial failure and ridicule. Oh well, it's all ok now that we have smartphones, right?

Anyhow. This is still an entertaining attack vector. Maybe governments (such as my own!) will ban bar codes as hacking tools next?
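The reason a scanned barcode works as an injection vector is that scanner apps tend to treat the decoded text as trusted. As an added example (not code from the original post or from the cheat sheet), here is a small Node.js handler that escapes decoded text before it reaches HTML, only treats http(s) URLs as links, and keeps the scan out of SQL text; the sample scans, `lookupQuery` and its table name are constructed for the illustration.

```javascript
// Added example, not code from the original post: treat decoded barcode text
// as untrusted input before it reaches an HTML page, a link handler or a query.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decide what a scan is. Only http(s) URLs become links; anything else
// (including javascript: and data: URLs) is shown as inert text.
function classifyScan(decoded) {
  let url;
  try {
    url = new URL(decoded);
  } catch (err) {
    return { kind: 'text', display: escapeHtml(decoded) };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { kind: 'text', display: escapeHtml(decoded) };
  }
  return { kind: 'url', host: url.hostname, display: escapeHtml(url.href) };
}

// The bug: interpolating the raw scan into markup renders whatever the barcode carried.
function renderUnsafe(decoded) {
  return `<p>Barcode: ${decoded}</p>`;
}

// The fix: escape first, so the payload is displayed literally instead of executed.
function renderSafe(decoded) {
  return `<p>Barcode: ${classifyScan(decoded).display}</p>`;
}

// For a product lookup, keep the scan out of the SQL string and pass it as a bound
// parameter (the query/params shape common database drivers accept; hypothetical table).
function lookupQuery(decoded) {
  return { sql: 'SELECT name, price FROM products WHERE code = ?', params: [decoded] };
}

// Constructed sample scans, including the payload shown in the post above.
const SAMPLE_SCANS = [
  '<script>alert("test")</script>',
  "' OR 1=1 --",
  'https://example.com/app',
  'javascript:alert(1)',
];

// Render every sample safely; returns the markup lines rather than printing them.
function renderAll(scans = SAMPLE_SCANS) {
  return scans.map((scan) => `${classifyScan(scan).kind}: ${renderSafe(scan)}`);
}
```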

Friday, February 5, 2010

Credit card companies covering their asse(t)s

Exactly whose security does your credit card company have in mind? Here's a hint: It's probably not yours.

I often use Mastercard SecureCode as an example of a usability failure in online security: in order to order plane tickets where SecureCode is used, I found I had to disable many of the browser security measures I have in place for regular browsing. So the one time I'm making an expensive transaction is the time I'm most at risk... Not exactly trust-inspiring, is it?

But Steven J. Murdoch and Ross Anderson of Cambridge do more than just complain about "Verified by VISA" and "MasterCard SecureCode." They presented a detailed analysis of the '3-D Secure' card protocol. Check out the abstract:


Abstract. Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge.


So, basically, 3-D Secure provides economic security rather than technical security -- but not for you, the customer. It's providing extra security for the banks by passing the buck.

This is hardly the only way in which the banks protect themselves above the consumer. Take a look at Security and Usability: The Gap in Real-World Online Banking for some fascinating insight into what your bank thinks you should do to be secure online, and how few people do these things in practice. And this is especially worrisome now that, as Mannan anticipated in that paper in 2007, banks have started suing their customers when breaches occur.

I'll be really curious to see if this paper about 3-D Secure manages to make changes in industry or government legislation. Amusingly, this paper about how insecure they are makes me feel more secure -- at least if a bank sues me because someone's stolen my money, I'll have more evidence to claim in court that the bank wasn't trying hard enough to protect me.

Wednesday, April 1, 2009

My favourite story of today (April First)

From Netcraft: Deluge of Browser Security Issues Drives Mass Migration

Financial institutions have noted that the Lynx browser is particularly suitable for online banking, as it supports the latest cryptographic ciphers used in ecommerce, and is immune to attacks via JavaScript, Flash and other multimedia content. Lynx's algorithms for dealing with such threats are so comprehensive, it is just as safe as if the multimedia content was not there.


[Read More]

Tuesday, December 9, 2008

Spamalytics Show Spam Doesn't Pay

[Image: SPAM!, originally uploaded by cursedthing]
This is the second in my series of posts about talks I enjoyed at ACM CCS. The first was here.

As some of you may know, my master's thesis involved creation of a spam-detector based on the workings of the human immune system. Forgoing modesty, I'll say that my system was pretty cool (I even got slashdotted) but I couldn't see myself doing spam research forever -- there are only so many times you really want to stand up in front of a room full of academics and try not to make viagra jokes.

I digress. But when I saw the paper entitled "Spamalytics: An Empirical Analysis of Spam Marketing Conversion" on the program, I knew which track to choose for that session.

They wanted to get some numbers showing click-through rates on spam, to see how much money spammers really are making nowadays, and how many people were seeing those emails. Obviously, the spam kings aren't inclined to be cooperative on this front, so they had to get creative. How they got the numbers is somewhat interesting in and of itself: They broke into the Storm botnet and subverted some Storm controllers so a number of the bots would send out spam altered to use links they could track. The text for these email advertising campaigns remained the same; they only changed the links.

The question did come up as to whether this was ethical, as the test did involve unwitting human subjects, but they asserted that these people would have gotten the spam anyhow, and at least their links were malware-free.

Three campaigns were chosen as the focus of their study: one was a standard pharmaceutical campaign. I'm sure you're all familiar with those. The second and third were postcard and April fools' messages designed to infect more computers with the botnet software. Self-propagation for Storm.

I highly recommend you check out their paper for the detailed results, but the things I found most interesting were as follows:

(1) Very little mail actually got through to the recipients.

Using dummy addresses on popular webmail servers and an email hidden behind the popular Barracuda spam-filtering appliance, they found that less than 0.005% of mail got through in most cases. Messages were either dumped into a spam folder or never delivered at all: 75% of messages appeared to be dropped by the servers before delivery was even completed, likely due to blacklisting at the server level.

(2) Very few users visited the sites in question.

(3) Some people did "infect" themselves by clicking the postcard/April Fools' site.

(4) Many fewer people ordered pharmaceuticals. In fact, so few people did that it's unlikely that the campaign could have made money!

The final conclusion was really the most fascinating one: they gauge it as highly unlikely that the pharmacy site could have made any money given the costs of renting the botnet to send spam. In fact, they guess that spam sending would have to be 20 times cheaper for the pharmacy site to make a profit!

Could it be that spam doesn't pay?

The authors suggest that the pharmaceutical spams must be sent by the owners of the botnets (who thus wouldn't have to pay the rental cost), but I propose an alternate theory: that the only people making money from spam are the people who get paid to run the botnets. Those renting don't know that they won't make money, and the botnet owners sure aren't going to tell them. No, they'll just keep sending low-profit spam to keep up illusions that there are fantastic profits to be made (otherwise why would people send them, right?).

Maybe if I'm lucky, I'm right, and eventually the would-be spam senders will notice and stop paying exorbitant prices for botnets. But I'm afraid I don't hold out too much hope. Still, a very interesting paper, with some very interesting results!

Monday, December 8, 2008

Web Insecurity.net

Web Insecurity.net just got a facelift!

Hope you like the new design. There are a few quirks to be ironed out with the blogger template, but things are definitely looking shiny and new over here!