Earlier this month I had the honor of speaking with information security students at Kennesaw State University in Georgia thanks to Dr. Herbert Mattord. It is a very diverse class with both traditional students and more mature students who are switching careers. Most of the students had little or no professional software development experience so I view these talks as extra critical because infosec professionals play an important role in this by working with developers and thus need to know something about how software is made.
It’s been a few months and I wish I had shared the link with you sooner. Back on August 29, 2016, I was the guest of Joe Gray’s Advanced Persistent Security Podcast’s Intro To App Sec Episode.
We talked about application security and the news. Give it a listen!
Tim Kadlec has written a fantastic blog post that you should read right away at https://snyk.io/blog/mongodb-hack-and-secure-defaults.
It starts with: “If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far. This post explains the hack, how to protect yourself, and what we can learn from it.”
This is a topic that I’ve found to be important in my work with clients. I’ve written about it privately and even Tweeted along these lines. Hats off to Mr. Kadlec for publishing this. One of my friends, Bennie, had found a great analogy for the Mongo situation saying that “as is true in many cases with everything, it is pilot error! The big difference is people are able to ‘fly’ software without giving proof they’ve had ‘flying’ lessons!”
Before Christmas, I posted some new videos up at https://rietta.com/learning/appsec. Namely the first two lessons in a new series of security in software development. Start to learn how developers can help prevent a data breach and the roles of blue, red, and purple teams in software development.
One Last Thing
Please let me know your application security questions and I will do my best to answer, possibly by video!
As a fun little experiment, I ran the same CPU benchmark on a few processors that I have around my home office that come from various generations. The Raspberry Pi was predictably beaten by even the nine year old AMD Athlon processor, but considering its from factor and power usage it is a remarkably versatile little system on a chip.
Today marks the 28th anniversary of the Morris Worm, which devastated large portions of the nascent Internet on November 2, 1988. Even though it was unleashed nearly three decades ago, it was more advanced than the Mirai worm that compromised hundreds of thousands of IoT devices in recent weeks.
I originally started drafting this post on January 14, 2012, but it sat unpublished since then. Its fun to look back at ones journey, 1743 days ago. In 2012, I was relatively new to the Ruby on Rails platform after having worked in PHP and SQL for years, as well as a little .NET. The platform has been a good choice that I enjoy working with still to this day. I was working in Rails 3 at the time and had completed at least three client websites in Rails in 2011.
Anyway, let’s take a look at the little lesson that I had started to write about over 4 years ago.
How to Handle Maximum Lengths for User Supplied Input
Stop annoying users by appearing to allow more text in a field than supported!
The default length of a string in an ActiveRecord model is 255 characters. By default the text_field helper will allow the user to enter more. As a user, one is incorrectly to think that he or she can enter more text than is allowed and it is silently truncated by the web app. Stop it, seriously.
Do it by two easy steps:
- Set the maxlength and size attributes on your one-line text fields.
- Validate the length of the text fields in your model.
In the View:
In the Model:
1 2 3 4 5
Even today in 2016, many Rails developers leave maximum length validation out of their Rails models. This is a mistake. If you are using PostgreSQL, then validating that a string is no more than 255 is even more important because a string that is longer will cause the model to be reported as valid and yet PostgreSQL will raise an exception on save. This will lead to data loss and the dreaded “Something Went Wrong” 500 error page for your users unless you handle the length validation properly.
The 2016 Verizon DBIR report is out and is available for download. Among the findings is the prevalence of data breaches that are attributable to stolen authorization credentials.
According to the report “63% of confirmed data breaches involved weak, default or stolen passwords” (page 20). This is an increase from 2015, when the stat was that 51% of web application breaches were attributable to stolen credentials. If anything is clear, it’s that the lowly credential theft is a clear and present danger in information security. It is responsible for more incidents than all the other exotic, technically interesting attacks combined.
The continued calls for the U.S. Congress to ban effective encryption despite the current computer security crisis in which data breaches are regular news is dangerous, shortsighted, and destined to harm all Americans. The two most effective tools that we have capable of helping prevent data breaches are encryption and reducing the attack surface of computer systems that handle sensitive or private data. Under the proposed legal framework, both will be sacrificed for a false sense of safety.
The latest installment of Congressional hearings was held by the Energy and Commerce Committee on April 19, 2016, and was titled Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives. The calls for Congress to ban effective encryption are repeated with little variance from the past. Some Members of Congress are expressing frustration that the debate is repeating itself without law enforcement suggesting any particular middle ground that would be workable for the tech community. But what is most chilling is that those in law enforcement continue to demand exceptional access despite years of back and forth and the parade of high profile data breaches both within government and the private sector. We’re losing the cybersecurity battle and the government is calling for a ban on one of the most effective tools that computer science has at its disposal.
The anticipated Feinstein-Burr Compliance with Court Orders Act, an anti-security bill, would require the provision of data in an intelligible format to a government pursuant to a court order (scribd.com). A draft copy was uploaded by The Hill reporter Cory Bennett, though whether it has been submitted officially within the Senate is not yet clear (vice.com).
This bill essentially says you can not have any conversation or data exchange that the government can not access if it wants to. It is the legal culmination of what the FBI has been lobbying Congress for years. If Feinstein-Burr becomes law, it will be illegal to deploy strong encryption without key escrow maintained by each company. Cryptographers and computer scientists near-unanimously assert key backup systems are insecure at scale.
Crypto War II, the first crypto war having taken place in the 90s with the clipper chip, is in full swing with hostilities started back up a few years ago when FBI Director James Comey and others started lobbying congress and giving public speeches about how being unable to unlock some devices and communications makes it hard to do their job. It has been an unrelenting full public relations assault on practical strong encryption.
Ultimately FBI Director James Comey wants a future where it is illegal or impractical to deploy strong encryption without key escrow, which is a key backup system that the great consensus of cryptographers and computer scientists assert is insecure at scale. As a statesman he never comes out and says this directly, but it is the only conceivable outcome to what he is demanding of tech companies before congress and the actions that the FBI has taken in court.