Wednesday, January 18, 2012

Stop Internet Censorship / SOPA and PIPA

If you are browsing the web today as a user of Wikipedia or Google, you may notice that their pages have "gone black". This is due to their opposition to the "Stop Online Piracy Act" and the "Protect IP Act".

What are they?

Wikipedia defines the situation as follows:

SOPA and PIPA represent two bills in the United States House of Representatives and the United States Senate respectively. SOPA is short for the "Stop Online Piracy Act," and PIPA is an acronym for the "Protect IP Act." ("IP" stands for "intellectual property.") In short, these bills are efforts to stop copyright infringement committed by foreign web sites, but, in our opinion, they do so in a way that actually infringes free expression while harming the Internet. Detailed information about these bills can be found in the Stop Online Piracy Act and PROTECT IP Act articles on Wikipedia, which are available during the blackout. GovTrack lets you follow both bills through the legislative process: SOPA on this page, and PIPA on this one. The EFF has summarized why these bills are simply unacceptable in a world that values an open, secure, and free Internet.

Who are the players?
While the legislation is before Congress, its supporters include the Motion Picture Association of America (MPAA), the NBA, Pfizer, Nike, L'Oreal, the Fraternal Order of Police (FOP) and others.

Diametrically opposed to these groups are organizations like Google, Yahoo!, Facebook, Twitter, eBay, Mozilla, Wikipedia and 2600, the hacker magazine.

What's the big deal?
The issue is one of 1st Amendment rights and censorship.

Although the current administration does not support these bills as written, proponents of the bills will certainly bring them or similar ones back.

Several provisions, such as the Anti-Circumvention Provision, the "Vigilante" Provision, the Corporate Right of Action and the Expanded Attorney General Powers, would stifle the Open Source community and cause sites (like Facebook and YouTube) to shut down due to the large cost of policing their own sites, as well as forcing huge liability costs onto countless Internet companies. Small competitors of larger companies would be at an unfair disadvantage.

SOPA and PIPA set up a breeding ground for abuses like the prosecution of people with little, if any, judicial oversight. In general, SOPA and PIPA open up a Pandora's box for abuse and 1st Amendment rights violations.

Read more from the EFF website here.

What Can I Do?

Take Action Now! Visit the Electronic Frontier Foundation's action page here.

Tuesday, January 17, 2012

Book Review: A Bug Hunter's Diary

As an InfoSec professional, I frequently hear about insecure systems and vulnerabilities that are found in software packages. Software bugs are rampant and seem to come from all sides. These bugs, or errors in the coding of the programs, require proper identification in order to protect systems against and mitigate the software security vulnerabilities.

This month I read A Bug Hunter's Diary, a book published by No Starch Press and written by Tobias Klein. It provided me an often sought-after, but rarely found, look inside the mind and processes of a security researcher looking for software vulnerabilities.

This book made me feel like I was sitting down with Mr. Klein personally, poring over code, gleaning the nuggets of wisdom and information that come from his in-depth understanding of software design and debugging. This book is really a diary in that one sits and shares in the experiences of Mr. Klein's entries for each chapter. Throughout the entirety, we are taken through his thought processes and various methodologies while being introduced to countless tools of the trade.

Chapter One takes you through the basics of what bug hunting is and why it is needed. Tactics, terminology and tools of the trade are discussed as a primer for those with little or no exposure to this practice.

Chapter Two introduces us to a 'stack buffer overflow' by looking at VideoLAN's VLC media player. We are taken step by step through the bug discovery process from vulnerability discovery to exploitation and then to remediation and how one should handle the knowledge of the exploit once found as well as a nice summary of lessons learned.

Chapter Three takes a different approach and looks at Operating System (OS) kernels, specifically Sun/Oracle Solaris 10 and the way that it handles error conditions. Once again, we are taken through the steps from discovery to remediation and lessons learned.

Chapter Four covers NULL pointer dereferences from a type conversion vulnerability that affects the FFmpeg multimedia library used by various software packages such as Google Chrome and VLC media player.

Chapter Five looks at web browser add-ons, specifically WebEx, examining cross-site scripting and ActiveX to find a stack overflow. In looking at remediating this bug, Mr. Klein shows us that, in addition to simply notifying the software vendor, we have the option of selling the bug to a vulnerability broker, in this case Verisign's iDefense Lab.

Chapter Six takes a look at Microsoft Windows drivers and the possibility of finding a vulnerability there, specifically with the anti-virus software 'ALWIL/avast! Professional'. The approach taken in this chapter is a little different, since the source code for the AV program is not Open Source.

In Chapter Seven we are given a chance to examine the OS X kernel, looking for an exploit and validating input data while developing a debugger on a remote Linux host connected via cross-over cable. Whew!

Chapter Eight begins by looking at the iPhone and poring over applications and libraries that are assumed to most likely have bugs in them, including the Mobile Safari browser, the Mobile Mail app and the audio libraries. Mr. Klein takes us through fuzzing (providing invalid, unexpected, or random data to the inputs of a program) to look for obvious bugs, in this case using untrusted media files as the input.

Just when you thought that the book was over and that there was nothing left to discuss, Mr. Klein gives us three appendices that provide a plethora of valuable information. Appendix A is a handy, in-depth reference to vulnerability classes, exploitation techniques and some common issues that lead to certain bugs. Appendix B details information about debuggers and how one goes about the debugging process. Appendix C gives the reader a summary of mitigation techniques from Address Space Layout Randomization (ASLR) to Data Execution Prevention (DEP). All of these appendices help to neatly tie up any loose ends that the reader may have after exhausting the resources found throughout the book.

In reading this book, one gains ideas and insight that help explain to others alternative ways of thinking about software vulnerabilities. In addition, the material contained in the book would be a good source for a series of departmental workshops within any security-minded organization or its customers.

While an understanding of structured programming languages, Unix, and a sense of adventure and wonder are a must to get the most out of this book, the amount of knowledge that is contained therein is truly staggering and definitely worth the read.

Tuesday, January 10, 2012

New Year, New Opportunities

With this new year come new challenges and new opportunities. I realize that as a person, company, etc., you can choose to start over whenever you like, but each January provides us with a "built-in" push to try new things, take new risks, etc.

What are you going to do differently this year?

This year, take the time and resolve to think more securely. How does one do that?
  1. Stay informed on news, issues and threats by subscribing to Twitter feeds, reading blogs, subscribing to mailing lists, etc.
  2. Think like an attacker. Look at your company/network like an attacker would. What is sitting out there like low-hanging fruit? Where would you begin when looking at your company or network? What systems or employees are vulnerable to manipulation? Mitigate those issues now while you can.
  3. Don't ignore social media and OSINT (Open Source Intelligence). There is a plethora of information available even if you think that your information is secure. Also, are you open to Facebook/LinkedIn profile cloning? Do you check for something like that?
  4. What else is there? The above three things are far from an exhaustive list. What else can be done?

Yes, there will be things that bite us in the butt. There is always something that we could've done better, but resolving in our minds to be better about security will go a long way towards giving you an edge.