15 April 2014


Posts relating to the category tag "threats" are listed below.

28 December 2013

Industrial Control Systems and CERTs

Related to my previous post about Stuxnet, European Union Agency for Network and Information Security (ENISA) published related guidance for computer emergency response teams (CERTs) earlier in December.

One of the diagrams from ENISA's report 'Good Practice Guide for CERTs in the area of Industrial Control Systems', illustrating how ICS-CERTs typically provide other CERT services as well

The Good Practice Guide for CERTs in the area of Industrial Control Systems (ICS) describes mandates for ICS-CERTs, and the recommended technical and operational capabilities. It also recommends the development of good cooperation with partners nationally and internationally.

A list of CERTs across Europe is maintained by ENISA. Currently 222 such organisations are identified, including 22 in the United Kingdom.

ENISA also announced a related report about alternative controls during the window of exposure between vulnerabilities being identified and patches being applied in Supervisory Control and Data Acquisition (SCADA) systems.

Posted on: 28 December 2013 at 12:08 hrs


23 December 2013

Considerations for Defences in Light of Stuxnet

A new paper by Ralph Langner describes comprehensive research into Stuxnet malware, in the cyber-physical attack against Iran's nuclear processing facilities at the Natanz Fuel Enrichment Plant.

While the attack was highly specific, attack tactics and technology are not; they are generic and can be used against other targets as well.

To Kill a Centrifuge describes the two different attack vectors attempted, both of which used manipulation of industrial control systems to achieve physical damage. The first attempted to over-pressurise the centrifuges, the second to over-speed the centrifuge rotors.

The paper begins with a clear explanation of the process technologies, limitations and mitigations used by Iran to cope with using an obsolete stolen centrifuge design. This is vital to understanding the attacks. It moves on to discuss the possible motives, methods and difficulties with the two variants, and then discusses what attackers and defenders can learn from Stuxnet.

The final section describing what technical security controls might have detected or prevented the attacks is enlightening.

Posted on: 23 December 2013 at 21:50 hrs


03 December 2013

Building Secure Software at OWASP London

The next OWASP London event will be on Thursday 12th of December 2013, at 18:00 for 18:30 hrs at Morgan Stanley in Canary Wharf.

Photograph of an office block under construction in the City of London

I am speaking, but I am particularly looking forward to Ofer Maor's presentation about Interactive Application Security Testing (IAST). The presentations are:

  • IAST: Runtime Code & Data Security Analysis - Beyond SAST/DAST
    Ofer Maor

    Until recently, Static and Dynamic Application Security Testing (SAST/DAST) dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data at runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches and implementations of IAST and runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...
  • OWASP Cornucopia
    Colin Watson

    Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

So, there will be a broad mix of information suitable for a wide range of developers, testers, and verifiers - of whatever skill level. My own presentation will be similar to the one I gave in June during the OWASP EU Tour, but it has been specially updated for this event. There will also be news about next year's AppSec Europe being held in Cambridge. I imagine we will move to a local bar/pub at around 20:30 hrs to continue the discussion.

Further details are available on the chapter's page. Free registration is required for access to the host's building (Morgan Stanley, 25 Cabot Square, E14 4QA). Registration closes when all spaces are booked, or the evening before, whichever is soonest.

Posted on: 03 December 2013 at 08:41 hrs


02 December 2013

Guide to Drupal Security

Drupal is a popular content management system. Like other frameworks, Drupal requires security configuration, together with that of associated system components, during initial setup and during operation.

One of the pages from the new Drupal security guidance document 'Drupal Security Best Practices - A Guide for Governments and Nonprofits'

The Drupal Security Best Practices - A Guide for Governments and Nonprofits provides server, PHP, database and Drupal configuration guidance, but also describes the need for separate environments, and activities for regular maintenance. This is a helpful resource, and the additional Drupal security resources listed in section "L" on page 30 of the guide should also be read.

The guide can be downloaded free of charge, but the registration form can be used to be kept informed about updates. Contributions to the guide are encouraged.

Posted on: 02 December 2013 at 09:00 hrs


01 November 2013

AppSensor at AppSec USA in New York

OWASP AppSec USA 2013 is in three weeks' time, from 18th to 21st November. This is expected to be the largest application security conference in the world ever.

Photograph of the Manhattan skyline with the Statue of Liberty in the foreground

The OWASP AppSensor Project describes, and provides demonstration code for, real-time application-specific attack detection and real-time response. The two primary AppSensor events during AppSec USA are being led by project leaders John Melton and Dennis Groves, and there is also a chance to contribute to the upcoming new AppSensor Guide:

  • AppSensor 2.0 Hackathon code writing, John Melton, Monday 18th November at 1:00pm - 5:00pm (Sky Lounge, 16th floor)
  • Writing and Documentation Review Session for documentation projects including AppSensor, Michael Hidalgo and Samantha Groves, Wednesday 20th November at 9:00am - 1:00pm (Sky Lounge, 16th Floor)
  • AppSensor Project presentation, Dennis Groves, Thursday 21st November at 2:00pm - 3:00pm (Edison Room, 5th Floor)

The first, part of the conference's OWASP Project Summit 2013, will be an opportunity to work with John to help write code for the AppSensor 2.0 services model (REST and SOAP). Further details of the summit here and here. Dennis will be providing an inspirational introduction to using AppSensor, and the technical and business benefits achievable.

Additionally, core contributor Ryan Barnett is providing a closely related training class about using ModSecurity for web application defence.

Training at OWASP conferences is always to a high standard, but the courses get booked up very quickly.

Along with John, Dennis and Ryan, most of the other core project contributors, including myself, will be in New York for the conference, so if you want to ask any questions, please just track one of us down. Ask at the conference support desk where to find us.

Regardless of your interest in AppSensor, there are another 120 application security sessions available during the week. If you haven't already booked for the training or conference, you can still register, but don't leave it too late.

Update 11th November 2013: Documentation writing and review session added.

Posted on: 01 November 2013 at 15:23 hrs


22 October 2013

OWASP London Chapter Meeting - This Thursday

The next OWASP London event will be on Thursday, 24th of October 2013 between 18:30 and 20:30 hrs.

Photograph of a light sculpture displayed during the Kinetica Museum exhibition in London

The event is kindly being hosted by Expedia Inc at the Angel Building, 407 St John Street, London, EC1V 4EX. The nearest tube station is Angel of course.

The presentations will be:

  • Using the O2 Platform, Zap and AppSensor to protect and test applications (Dinis Cruz)
  • OWASP Mobile Top 10 (Justin Clarke)

There will also be an update about next year's AppSec Europe being held in Cambridge. Further details are available on the chapter's page. Please arrive from 18:00 for a prompt start at 18:30 hrs.

Free registration is required for access to the host's building. Registration closes on Wednesday 23rd (tomorrow).

Posted on: 22 October 2013 at 07:04 hrs


11 October 2013

Application-Layer Denial of Service Attacks

We often hear about infrastructure denial of service (DoS) attacks, but traditionally there has not been much data available on application-layer DoS.

One of the charts from the Q2 2013 DDoS Attack Report

The Prolexic Distributed DoS (DDoS) attack report includes a comprehensive analysis of data from their own networks. Application-layer attacks against their clients accounted for 25% of attacks, with the remainder against infrastructure (OSI layers 3 and 4). For the infrastructure attacks, SYN floods accounted for almost half of all attacks (the report's text says 31.22 of infrastructure, but the data in Figure 3 suggests it is 31.22 of all attacks).

The number of attacks has risen by a third, but it is not clear whether this is due to the company having more clients, or because there were more attacks against each client. The points I found of most interest:

  • Compromised web servers are now the preferred method of attack, not a botnet of home PCs
  • An average attack lasts less than two days
  • The average bandwidth is almost 50 Gbps, but half are less than 5 Gbps, and a fifth are less than 1 Gbps
  • GET floods account for the majority of application-layer DDoS attacks
  • Many low-volume attacks are easy to launch without significant skill
  • Amplification attacks, where the attacker spoofs their identity to be that of the ultimate target and sends requests to intermediary victim servers, are favoured due to the additional impact and source obfuscation.

The reports are free to download after registration.

See also previous posts on Denial of Service Attack Defences and Distributed Denial of Service Attacks.

Posted on: 11 October 2013 at 08:14 hrs


06 September 2013

AppSecEU Research 2013 Part 3

... Continued from Part 2. As I was speaking in the afternoon, I did not attend quite so many presentations on this second day of AppSecEU 2013.

Photograph taken during OWASP AppSec EU Research 2013 showing one of the conference rooms

For the first hour and half, I attended the OWASP Project Leaders' Workshop, organised by Simon Bennetts, OWASP ZAP Project leader, and Abraham Aranguren, OWASP OWTF Project leader. The meeting was used to share ideas and problems, relating to managing projects, engaging and supporting contributors, code/file repositories, sharing and coordinating approaches. I found the meeting very useful and it was good to meet some active contributors face-to-face.

Photograph taken during OWASP AppSec EU Research 2013 showing Erlend Oftedal presenting on securing a modern JavaScript based single page web application

Erlend Oftedal described how logic is shifting from the server into JavaScript, and how this approach is used in single-page web applications where the JavaScript loads data and templates, and allows navigation without page reload. He discussed common issues on the client, and also the backend server resources such as promiscuous web services. He presented a number of recommendations for securing such applications. [video]

I took a short break to meet with other delegates and also do a final run-through check of my presentation for the afternoon.

Photograph taken during OWASP AppSec EU Research 2013 showing Stefano Di Paula

Just prior to lunch, I went back to the main auditorium to listen to Stefano Di Paola discussing anti-clickjacking measures, and problems with common JavaScript libraries such as jQuery and YUI. Stefano's deep knowledge on these subjects shone through and led to some very specific questions from the audience. [video]

After lunch the theme of click-jacking protection continued with a presentation by Martin Johns. He presented the common approaches used today, the pros and cons of these, and discussed alternative techniques. He also outlined another protection approach which he is working on with others, which was debated with other knowledgeable delegates in the audience. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing a view of the Hamburg skyline from the conference venue

Mid-way through the afternoon, I presented my own talk about OWASP AppSensor - In Theory, In Practice and In Print. I provided a brief overview of application-specific attack detection and real-time response, discussed the new guidebook currently in review and provided a link to the latest version. I then went on to demonstrate how it is possible to apply AppSensor-like capabilities to a third-party application with minimal changes to the application, yet still achieve a significant degree of protection. [video]

Immediately afterwards I stayed in the same conference room to hear Sahba Kazerooni outline the new draft OWASP Application Security Verification Standard v2. I provided some feedback on an earlier draft and it was good to hear how the beta release has moved forwards. This will be a large improvement in this already highly mature project and the team are looking for feedback before the final version is released. [video]

The final keynote was provided by Prof Dieter Gollman of TU Hamburg who discussed a generalised view of access control for web systems. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing the organising team during the closing ceremony

In the closing ceremony Dirk Wetter presented awards for the capture the flag competition, and passed on thanks to all the sponsors, volunteers and OWASP staff who had helped make the conference happen. Sarah Baso stood up to provide thanks to Dirk, and his family, for all their input over the last year and to provide a small gift in OWASP's appreciation. [video]

It was truly a very useful and well organised conference, and despite having some worries about the split-floor venue, really that didn't seem to matter at all. It was a fantastic knowledge-rich event and I am so pleased I attended. The recordings of all the other sessions I was unable to attend are also available online, free of charge and without registration, and the slide decks will be available shortly too.

If you want to attend something similar, the next global AppSec conferences are in Latin America (Lima, Peru) in October and North America (New York, USA) in November.

The next AppSecEU event will be held in Cambridge, UK, on 23-26 June 2014.

Posted on: 06 September 2013 at 10:32 hrs


06 September 2013

AppSecEU Research 2013 Part 2

... Continued from Part 1. As usual with these types of events, in AppSecEU 2013 I had already missed a number of talks on other tracks on fascinating and useful topics by great presenters.

Photograph taken during OWASP AppSec EU Research 2013 showing Roberto Suggi Liverani presenting

I continued the first day by listening to Roberto Suggi Liverani discuss using browser automation frameworks and web proxy APIs to assist the assessment of client-side applications. He demonstrated the use of an extension for Burp Suite called the CSJ extension that combines the use of Crawljax JUnit and Selenium web driver. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing a view of Hamburg taken from the conference venue

With the unfortunate absence of Gareth Heyes, Erlend Oftedal stepped in to provide a presentation about implementing and testing RESTful web services. He described common difficulties such as session timeout, third-party authentication, anti-CSRF tokens, cryptography, access control, replay attacks, and XML attacks. He presented a series of recommendations to avoid common pitfalls. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing a flip chart used during one of the Open Source Showcase discussions

Throughout both conference days an open source security showcase was running, with each project having a dedicated room and expert available for discussion, assistance and hands-on demonstration. These proved to be very popular due to the quality of the topics and facilitators.

Florian Stahl and Johannes Stroeher jointly presented a methodical approach for testing mobile applications that included information gathering, threat modelling, enumeration, code and component review and dynamic testing. [video]

Photograph taken during OWASP AppSec EU Research 2013 of one of the break-out areas

Two locations were provided for refreshment and food breaks, one on each conference level. These were heavily used by the delegates and were also where there was an opportunity to meet with the various conference sponsors and other supporters.

To conclude the first day, I listened to the final talk on the HackPra track by the track's enigmatic co-organiser Mario Heiderich. He discussed XSS attacks and how it is normally possible to bypass any form of filtering, especially when there are bugs in the web browsers themselves, unless a strict whitelist approach is utilised. He reiterated that it is important to be extremely wary of user-generated CSS. [video]

On the Thursday evening, we were treated to the conference dinner on board the museum cargo ship Cap San Diego. And some beers. Pre-dinner drinks were available on the deck, dinner was on two levels within the extensive cargo hold, and there was an opportunity to have a guided tour of the vessel afterwards with one of the former sailors.

Photograph taken during OWASP AppSec EU Research 2013

Continues in Part 3...

Posted on: 06 September 2013 at 10:31 hrs


06 September 2013

AppSecEU Research 2013 Part 1

I have been unable to make time to write up my notes from AppSecEU 2013 until today. Apologies for the delay, but I hope they are still of use. I have included links to the high-resolution videos of each talk mentioned which were published immediately after the event.

Photograph taken during OWASP AppSec EU Research 2013 showing the evening event held at Hamburg City Beach Club

The schedule had looked very enticing, and I had some ideas about what I would listen to and participate in. I arrived in Hamburg late on Wednesday afternoon just as the training courses were ending for the day. It seems the training had been a huge success with 120 attendees. After a quick refresh, I headed down to the Hamburg City Beach Club where OWASP had arranged a place for trainees, trainers, conference delegates, speakers and organisers to meet, network and socialise. It seems that apart from a real working port, Hamburg also has a sandy beach. It was a good place to catch up with friends, colleagues and a few new contacts, and have some beers.

On Thursday morning, the conference began with a welcome from Dirk Wetter, Conference Chair for the event. He welcomed the 400 delegates and explained arrangements, the layout of the split-level conference (on floor levels -2 and +23), and some special tips about not inadvertently activating the fire detection systems.

Photograph taken during OWASP AppSec EU Research 2013 showing Angela Sasse giving the conference keynote

The first keynote, provided by Angela Sasse, was a brilliant start to the conference. Angela described how software designers can make a huge difference to security by not trying to force users to change their behaviour. She suggested a top ten list of why users don't follow security advice, and concluded that designers must respect users' time and effort, since complexity is the enemy. As an example she used authentication, where the objective should be "012": zero effort, one step, two factor. She finished her presentation with the suggestion that "Security measures that waste users' time" should be considered for inclusion in the OWASP Top Ten Web Application Security Risks. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing Michael Coates and Sarah Baso from OWASP

Following this, Michael Coates, chair of the OWASP Board, and Sarah Baso, Executive Director, provided an introduction to OWASP and how volunteering adds value to the community, the individuals themselves and their employers. Everything OWASP produces is free and open. It currently has 198 local chapters in 140 countries, with 36,000 mailing list participants. It is referenced by scores of government and industry standards, guidance and codes of practice. Sarah went on to describe current initiatives, described the sources of income and expenses and announced the candidates for this year's board elections. She also explained there would be an OWASP Project Leaders' workshop first thing the following morning. [video]

Jörg Schwenk provided the second keynote on the topic of cryptography in web applications. He discussed a number of misconceptions and why for example signing and encrypting cookies do not help. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing Michele Orru' presenting inter-protocol exploitation

After the first break of the day, I joined the HackPra Track to hear Michele Orru', co-maintainer of the BeEF project, explain how web vulnerabilities can be used to directly exploit other protocols such as IMAP, SMTP, POP, SIP and IRC using just HTTP requests. Strange but true. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing Paul Stone presenting Precision Timing

Paul Stone described the previously fixed browser CSS history attacks and went on to explain and demonstrate how it is possible to use the Window.requestAnimationFrame() method in a timing attack to determine the contents of pages by examining the source code pixel-by-pixel. Not only did Paul provide a very clear explanation of the method, he illustrated how the attack was optimised in a series of incremental steps to increase confidence in the results and speed up the determination of textual content. He demonstrated how it was possible to extract credentials included in the source code of a page from another domain for example. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing Nicholas Grégoire

After the extensive buffet lunch, I listened to Nicholas Grégoire speaking about tips and tricks for those who use the HTTP proxy Burp Suite Pro. He discussed visualisation of XML and AMF data and extensions for JSON and JavaScript, GUI navigation, contextual buttons, hot keys, history sorting, custom payloads, managing state, the curlit extension, custom iterators, and using Burp with mobile devices. [video]

Continues in Part 2...

Posted on: 06 September 2013 at 10:30 hrs



Threats : Web Security, Usability and Design


Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com