Wednesday, November 13, 2013

Mozilla Firefox Lightbeam

Lightbeam is a new add-on for Firefox. It shines a light (pun intended) on which third-party companies you interact with when visiting web sites. Lightbeam works by recording all tracking cookies saved on your computer through the Firefox browser to see which advertisers or other third parties are connected to which cookies. Remarkably, it can differentiate between “behavioral” tracking cookies (those which record specific actions on a site) and other tracking cookies. The data can be viewed visually and in text format.

I visited one of the large brick-and-mortar companies that also has a decent e-commerce web site. Below is what I found out. I tried to organize the cookie data the best I could. Some of the companies are familiar to all of us, like DoubleClick. But I had no clue about a lot of these companies until I looked them up.

I would recommend that you turn on Lightbeam for a day and use Firefox exclusively. At the end of the day you will be amazed by how many companies are tracking you. Of course, don’t be too surprised: the top companies in the tracking space bring in over 39 billion in revenue. This is big business. Don’t get me wrong, I depend on these companies profiting by seeing what I do online. I don’t want to pay to use Google, Yahoo, or Bing to search the web. I like having services like Hotmail and Gmail for free. I want to have Amazon recommend books to me based on prior buys and searches.

I also want to have a say in who is tracking me, what I do, how the information can be used and by whom. The issue now is how big and powerful these businesses have gotten without anyone really realizing it. Add powerful behavioral software to that and we are facing a monster. Like Pogo said, “we have met the enemy and he is us”. Privacy and the need for it are still valid in our connected world. How much of our privacy we keep is going to be decided by how much we are willing to get involved and learn what and who are behind the curtain. I would say right now we are facing an uphill battle.

Tag Management: 

Brand Management/Protection 

Ad content providers: 
* Tribal Fusion is a global online advertising provider. 
* Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end-users with low latency, high data transfer speeds, and no commitments. 
* With apad’s proprietary technologies, advertisers can now employ consistent ads across multiple platforms: home computers, tablets, smartphones, and now even smart televisions.

Tracking Management. (Technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web.) 
* is a domain used by Doubleclick. 
* is a domain used by AOL Advertising. 
* is a domain used by MediaMath. 
* is a domain used by Lotame. 
* is a domain used by Google Adsense. 
* is a domain used by ValueClick Media. 
* is a domain used by SpecificClick. 
* ATDMT is a tracking cookie served by Microsoft subsidiary Atlas Solutions. 
* A Google Company.

SEO Services. 
* GoogleLeadServices (not connected with Google Inc.) provides SEO services.

Big Data/Market analytics. 
* Ecommerce connecting customers to sales. 
* big data marketing platform. 
* is run by AppNexus, a company that provides technology, data and analytics to help companies buy and sell online display advertising. 
* market analytics.

Consumer profiling/preference/psychology software. 
* Liveclicker is there to provide all the tools necessary to create one-of-a-kind interactive shopping experiences. 
* Inventory check based on buying preferences on web site visitor. 
* Tumri, an interactive ad platform. With their new technology, ads dynamically change based on geography, demographics, psychographics, media type, sites, etc.

Saturday, November 2, 2013

Secure SDLC Processes

I was reading about the differences between weakly and strongly typed computer languages and I came across the following sentence in Wikipedia: “Programming languages are often colloquially referred to as strongly typed or weakly typed. In general, these terms do not have a precise definition”. This got me thinking about a recent conversation I had about the Software Development Life Cycle (SDLC) and mentoring. 

The terms SDLC and mentoring are used often in conversations, but like strongly typed or weakly typed languages, neither term has a precise definition; worse, the definitions can differ vastly between organizations, both commercial and academic. 

Mentoring is more than just answering occasional questions or providing ad hoc help. It is about an ongoing relationship of learning, dialogue, and challenge. Often it is the senior person who is given the responsibility to mentor the junior person. To begin this conversation, let’s settle on a broad definition of mentoring: a relationship in which a more experienced person helps to guide a less experienced one, as that ongoing relationship of learning, dialogue, and challenge rather than occasional ad hoc help.

How do we mentor secure coding and development in an organization? Who do we need to mentor? Upper management, to add development time and cost to make sure the delivered product is secure for the organization and for users both internal and external. With upper management we certainly need to use formal and informal transmission of knowledge and social capital, but we are hardly in a true mentoring relationship.

Peers. Peers have their eyes set on the goal of getting their projects into production. Most project incentives are based on development cost, meeting timelines, getting through QA and getting user acceptance, not on being secure. Add all those pressures together, and trying to throw secure coding into the mix, except for a few points about SQL injection, usually falls to the floor while the more pressing issue of shipping the product takes center stage. 

Let’s move off mentoring for a moment and move to SDLC. With SDLC, we have XP, Agile, JAD and RAD, to mention a few. Now with the Secure Software Development Life Cycle we can add OWASP’s OpenSAMM, Microsoft’s SDL and Cigital’s BSIMM, just to name a few. To make matters worse, every organization I have ever been associated with takes various pieces of each SDLC and uses the methods they like best, and even within those methods they do not fully use the entire method as it was defined. To further muddy the waters, most development organizations add their own brand of project management to their SDLC processes.

So how do we have a meaningful conversation about these? Maybe we don’t. Do we have each party hand out a fully disclosed document of their definitions? Are our definitions related only to each other’s past experience, or to a combination of experience and professional research and training? Or, at best, do we muddle through hoping each person understands the other?

I know I really don’t have an answer, but the conversations are always fun. Maybe that is part of the answer: instead of looking for the right answers, let’s talk about what strategies have worked for us, what in the past did not work, and where we want to go. 

What strategies do you use in your organization? Do mentoring, SDLC and security come together, or is each item separate? Can you write down what your organization’s definition of the SDLC is, the steps it follows and where it differs from the published guidelines for that SDLC? If not, is your organization using a homegrown ad hoc SDLC that is documented, and does your organization follow that document to the tee or only a partial implementation? Remember, seat of the pants is not really the way to go. No matter what S-SDLC you use, a plan is better than no plan at all. 

Tim Rains of Microsoft just released a blog post on developers using a secure SDLC. Microsoft’s survey showed “security wasn’t considered a “top priority” when building software by 42% of developers worldwide.” His blog post goes on to say “While security development processes have been shown to reduce the number and severity of vulnerabilities found in software, almost half of all developers (44%) don’t use a secure application program/process today.”

I am speaking at APPSECUSA 2013. Nov 18-2013.

Sunday, October 6, 2013

Sql Injection, OWASP AppSec 2013, Free Training, Published Bad Code

Since 2003, SQL injection has remained in the top 10 list of CVE (Common Vulnerabilities and Exposures dictionary) vulnerabilities. Injection vulnerabilities are the OWASP (Open Web Application Security Project) number one vulnerability. 

In the Verizon Business Data Breach Investigations Report 2013, SQL injection was identified as the single largest attack vector responsible for data theft. The report states, “60% of SQL injection attacks in the 2011 dataset were single-event incidents, meaning they exfiltrated data (or otherwise caused an incident) in the initial compromise and didn’t continue beyond that. Single-event incidents are often over and done in a matter of seconds or even milliseconds.”

Yet remarkably, SQL injection is one of the low-hanging fruits that can be resolved without much effort by any organization. So how is it that we still have SQL injection as a top ten vulnerability after 14 years? Developer training, evangelizing IT management, IT tools, code reviews: all of these can help in reducing SQL injection. In this blog post I am going over some great resources for developer training.

Invest in your developers training. The payback is worth it. 

**APPSEC USA 2013** is a great place for developers to get together to learn how to defend their applications. This year APPSEC USA 2013 is in New York, November 18-21.

Jim Manico, VP of Security Architecture at WhiteHat Security and Board member of OWASP, gave a shout out to SafeCode, a very well funded non-profit secure coding organization. They are in the process of releasing a large inventory of secure coding training that is fairly high quality. Check it out.

**Published example demo code**
But please be aware that not everything out there is of the quality that it should be. Code Magazine, a leading independent developer publication with a good emphasis on .Net development, had two articles in its May/June 2013 issue which showed examples of how SQL injection creeps into applications. Both authors should know better than to use dynamic SQL, even in a demo article.

The first article, “Creating Collections of Entity Objects”, shows this SQL statement. 

   da = New SqlDataAdapter("SELECT * FROM Product", _
       "Server=Localhost;Database=Sandbox; Integrated Security=Yes")

Not good at all. I can just see someone reading this article, downloading the code, making it work for his or her needs and adding a software vulnerability that a cyber criminal can exploit. The average data breach costs an organization about $300.00 per record. TJ Maxx’s data breach cost exceeded $250 million in 2007. 

A quick fix: 

   SqlDataAdapter myCommand = new SqlDataAdapter("GetProductsStoredProcedure", myConnection);
   // Tell ADO.NET the command text is a stored procedure name, not an ad hoc SQL batch.
   myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;

In the next article, “Creating a Robust Web Application with PHP and CodeIgniter”, we read things like…

   ' Dynamic SQL: the user-supplied values are concatenated straight into the statement text
   strQuery = "INSERT INTO logs " & _
       "(custername, cevent, computer) " & _
       "VALUES ('" & strUserName & "','" & _
       strEvent & "', '" & _
       strComputerName & "')"

However, we should have read code like this from the author.

   $mysqli = new mysqli("localhost", "user", "password", "dbname"); // connection details are placeholders
   $name = $_GET['username'];
   $event = $_GET['event'];
   $computerName = $_GET['ComputerName'];
   if ($stmt = $mysqli->prepare("INSERT INTO logs (custername, cevent, computer) VALUES (?, ?, ?)")) {
       $stmt->bind_param("sss", $name, $event, $computerName); // Bind all three variables to the parameters as strings.
       $stmt->execute(); // Execute the statement.
       $stmt->close();   // Close the prepared statement.
   }
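The difference between the two styles is easiest to see by running them against the same table with an ordinary name that contains an apostrophe. The Python/sqlite3 code below is an added example, not code from either Code Magazine article; the table layout copies the article's logs table and the functions, the in-memory database and the inputs are constructed for this demonstration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the article's logs table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (custername TEXT, cevent TEXT, computer TEXT)")
    return conn


def insert_dynamic(conn, name, event, computer):
    """The pattern from the article: user input concatenated into the SQL text.
    The database parses the data as SQL, so an apostrophe inside the name ends the
    string literal early and the statement no longer means what the author intended."""
    sql = ("INSERT INTO logs (custername, cevent, computer) VALUES ('"
           + name + "','" + event + "','" + computer + "')")
    conn.execute(sql)


def insert_parameterized(conn, name, event, computer):
    """The fix: placeholders in the statement and values bound separately, so the
    data is never parsed as SQL (the same idea as mysqli prepare() + bind_param())."""
    conn.execute(
        "INSERT INTO logs (custername, cevent, computer) VALUES (?, ?, ?)",
        (name, event, computer),
    )


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT custername FROM logs ORDER BY rowid")]


def demo(name="O'Brien", event="login", computer="WS-42"):
    """Run both inserts for one record.

    Returns (dynamic_error, stored_names): the error message the dynamic version
    produced (None if it happened to work) and the names actually stored."""
    conn = make_db()
    dynamic_error = None
    try:
        insert_dynamic(conn, name, event, computer)
    except sqlite3.OperationalError as exc:
        dynamic_error = str(exc)  # e.g. near "Brien": syntax error
    insert_parameterized(conn, name, event, computer)
    return dynamic_error, stored_names(conn)


if __name__ == "__main__":
    err, rows = demo()
    print("dynamic SQL failed with:", err)
    print("parameterized insert stored:", rows)
```

Any value that breaks the dynamic version is being interpreted as SQL, which is exactly the property an attacker exploits; the parameterized version stores the apostrophe verbatim.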

Don’t forget about another great resource OWASP has Cheat Sheets.

SQL Injection Tutorial Infographic


Saturday, August 3, 2013

How unique are you? Your Zip code knows.

When I am out shopping and ready to check out, the clerk asks me for my Zip code. My family readily gives out such information and often apologizes to the clerk when I refuse to give out my Zip code. When I respond that it is personal information, the reply is just rolled eyes and “you’re just being grumpy”. Of course there is some truth in that. But still the question is: how much information can they (the retail store) get by knowing my Zip code? The answer is a lot.

Famed Harvard Professor Latanya Sweeney, who has done pioneering work on data privacy, has a web site where you can now test your uniqueness. Her site asks for your gender, birthdate and Zip code. Remember, the retail store has an advantage because they have your name and Zip code. Give it a try. You might find that you are not as unique as you think you are, and that your Zip code really can help identify you, in most cases with 100% accuracy.

Dr. Sweeney explains that “365 days in a year x 100 years x 2 genders = 73,000 unique combinations, and because most postal codes have fewer people, the surprise fades”.

Here is a sample output using a made-up person…

  • 74012 (pop. 57526), Male, Birthdate 12/13/1987: Easily identifiable by birthdate (about 1)
  • Birth Year 1987: Lots with your birth year (about 378)
  • Range 1987 to 1991: Wow! There are lots of people in your age range (about 1894)
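Sweeney's point can be measured on any dataset a retailer or data holder keeps: count how many records share each (Zip, gender, birthdate) combination, then watch the groups grow as the birthdate is generalized to a birth year and to an age range, which is what the three lines of sample output above are doing. The Python below is an added example with constructed records, not code from Dr. Sweeney's site; anonymity_report, by_year_range and expected_per_cell are names chosen here.

```python
from collections import Counter
from datetime import date

# Constructed records of (zip, gender, birthdate); these are not real people.
RECORDS = [
    ("74012", "M", date(1987, 12, 13)),
    ("74012", "M", date(1987, 3, 2)),
    ("74012", "M", date(1987, 3, 2)),
    ("74012", "F", date(1987, 12, 13)),
    ("74012", "M", date(1989, 7, 21)),
    ("74012", "F", date(1991, 1, 5)),
    ("74012", "F", date(1988, 6, 30)),
    ("74012", "F", date(1990, 9, 9)),
]


def by_birthdate(rec):
    """Full quasi-identifier: zip, gender and exact birthdate."""
    zip_code, gender, dob = rec
    return (zip_code, gender, dob)


def by_birth_year(rec):
    """Generalized: birthdate reduced to the birth year."""
    zip_code, gender, dob = rec
    return (zip_code, gender, dob.year)


def by_year_range(width):
    """Generalized further: birth year bucketed into `width`-year ranges, e.g. 1985-1989."""
    def key(rec):
        zip_code, gender, dob = rec
        start = dob.year - (dob.year % width)
        return (zip_code, gender, f"{start}-{start + width - 1}")
    return key


def anonymity_report(records, key):
    """k-anonymity under `key`: k is the smallest group size (k == 1 means at least
    one person is pinned down exactly), `unique` counts those singleton records."""
    counts = Counter(key(r) for r in records)
    return {
        "k": min(counts.values()),
        "unique": sum(1 for c in counts.values() if c == 1),
        "groups": len(counts),
    }


def expected_per_cell(population, years=100, days=365, genders=2):
    """Sweeney's back-of-the-envelope figure: people per (gender, birthdate) cell
    for a Zip code with `population` residents (73,000 cells by default)."""
    return population / (years * days * genders)


if __name__ == "__main__":
    for label, key in [("birthdate", by_birthdate),
                       ("birth year", by_birth_year),
                       ("5-year range", by_year_range(5))]:
        print(label, anonymity_report(RECORDS, key))
    print("expected people per (gender, birthdate) cell in 74012:",
          round(expected_per_cell(57526), 2))
```

With a real population of 57,526 the estimate is below one person per cell, which is why the site reports "about 1" for the exact birthdate.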

A lot of retailers today use services like GeoCapture. This service, produced by Harte-Hanks, simply captures your name from your credit card, with the clerk entering your Zip code into the POS during the transaction. Using the GeoCapture service, your store matches the collected information to a comprehensive consumer database to return an address.

Besides your address, GeoCapture can…

  • Identify customers, understand purchase behavior, and follow up with dynamic, personalized marketing.
  • Provide customer contact information and purchase history.
  • Use extensive, proprietary matching logic and nickname tables to identify customers easily, with accuracy rates close to 100%.
  • Be used in conjunction with Reverse E-mail Append for customer identification.

Here is the PDF from Harte-Hanks that describes the services offered to retail stores. Of course, if you shop in your own Zip code and the clerk enters the store’s Zip code, they’ve got you.

Ok, here are some simple, proven ways to help protect your privacy.

  1. Sign out of online accounts when not using them (Hotmail, Facebook, etc.). This is becoming more difficult with always-on mobile apps.
  2. Don’t give out personal information when shopping.
  3. Encrypt the hard drive on your computer.
  4. Turn on 2-step authentication for all apps that provide it. Gmail does.
  5. Pay cash for embarrassing things.
  6. Change your Facebook settings to Friends Only.
  7. Clear your browser history and cookies on a regular basis.
  8. Use an IP masker.
  9. Set and use the passcode on all of your wireless devices.
  10. Remember, everyone now carries a phone with a camera. If you do something stupid it is very likely someone took a picture of it and posted it on the Internet.

I thought this was a cool site and I wanted to share it with you. Smile, you’re on camera, maybe.

Sunday, July 28, 2013

Cost of a Data Breach and Information collected about you on the Internet.

While we wait, talk and complain about our government's intrusion into our private lives, we do very little about the professional criminals who are breaking into our web sites and stealing our data. Curious, isn't it?

The Real Cost of a Data Breach

Ok, now about all that data that we make freely available so we don't have to pay for services like Google, YouTube, Hotmail, etc. Remember when your mom and dad said there was no such thing as a free lunch? They weren't wrong.

  1. Google Street View has collected over 5,000,000 miles of images 
  2. 58% of people are unaware of how data is gathered and shared online by advertisers 
  3. Facebook collects over 500 terabytes of data from its users each day 
  4. 50% of iOS apps track your location 
  5. Free apps are more than 4x as likely to access contact lists 
  6. 87% of US adults can be tracked via their mobile device

Internet Privacy: How Much Data Does the Net Hold on You?

Monday, June 17, 2013

Eric Snowden and OWASP Hashing & Salt

Sorry for being dark so long. I am being pulled in several directions at once. My main priorities right now are…

  • Work. They pay the bills.
  • OWASP Code Review Guide. I am the co-leader and project support of this project. It is one of OWASP's flagship products. 
  • Tulsa .Net Users Group. This year we are doing a coding contest every quarter sponsored by Inceed. I am the contest master who comes up with the contest objectives, rules, etc., with some help from friends.

For OWASP Code Review Guide 2.0 we are revamping the book published in 2008 to refresh it, expand on it and build on the great platform created by the first book.

OWASP is a great organization that is always looking for good people to volunteer some effort on many great projects, like the Code Review Guide. Anyone interested?

The Code Review Guide consists of wiki articles. Authors post these articles to the OWASP main wiki. Once we have the content needed we will combine these articles into a book, with the review process being done by OWASP and a professional editor. I am also going to post some of the articles here in my blog. This article is one I wrote on Hashing and Salting. Interestingly enough, Bruce Schneier in his monthly Crypto-Gram newsletter has an article on password cracking which I thought fit nicely with my article on hashing and salting. You can read his newsletter on the web. I have written on this subject before in my blog, but I feel this is the type of information that can and should be repeated.

Eric Snowden
One point I would like to make before we get into the hashing stuff is Mr. Schneier's comments and essay on whistleblowers like Eric Snowden. My question to Mr. Schneier is: "How does the whistleblower know if they are exposing a true abuse of power or hurting our national security?" I am in favor of whistleblowers exposing abuse of power by our government or any government official, but I am also not in favor of hurting our national security. I also don't want to give up every freedom I have to be "safe", but I realize the government needs to keep secrets. The discussion I would like to see come out of this mess is a clear-cut, understandable system of checks and balances on our government in the context of private/personal information gathering: how they can be held liable and what the limits are on how intrusive they can be into our private lives and communications. How do we know they are staying within those limits, and who are the gatekeepers? Sorry Eric, Manning and Julian Assange, but I want better than the three of you.

Code review Guide – Hashing and Salting
A cryptographic hash algorithm, also called a hash "function", is a computer algorithm designed to provide a random mapping from an arbitrary block of data (a string of binary data) to a fixed-size bit string known as a “message digest”, and to achieve certain security properties.
Cryptographic hash functions are used to create digital signatures, message authentication codes (MACs), other forms of authentication and many other security applications in the information infrastructure. They are also used to store user passwords in databases instead of storing the password in clear text, and help prevent data leakage in session management for web applications. The actual algorithm used varies per implementation (SHA-256, SHA-512, etc.).

The code reviewer needs to be aware of three main things when reviewing code that uses cryptographic hashing functions.

* Legality of the cryptographic hashing functions if the source code is being exported to another country.

* The life cycle of the cryptographic hashing function being used.

* Basic programming of cryptographic hashing functions.

In the United States in 2000, the Department of Commerce Bureau of Export revised the encryption export regulations. The result is that the regulations have been greatly relaxed. However, if the code is to be exported outside of the source country, the current export laws of the exporting and importing countries should be reviewed for compliance.

A case in point: if the entire message is hashed instead of producing a digital signature of the message, the National Security Agency (NSA) considers this quasi-encryption and State controls would apply.

It is always a valid choice to seek legal advice within the organization for which the code review is being done to ensure legal compliance.

With security, nothing is secure forever. This is especially true of cryptographic hash functions. Some hashing algorithms, such as Windows LanMan hashes, are considered completely broken. The code reviewer needs to understand the weaknesses of obsolete hash functions as well as the current best practices for the choice of cryptographic algorithms.

The most common programmatic issue with hashing is not using a salt value, or, if using a salt, a salt value that is too short and/or the same salt value used in multiple hashes. The purpose of a salt is to make it harder for an attacker to perform a pre-computed hashing attack (e.g., using rainbow tables), but other benefits of a salt can include making it difficult for an attacker to perform even password guessing attacks by obfuscating the hashed value.

One way to generate a salt value is to use a pseudo-random number generator. Note that a salt value does not need to possess the quality of cryptographically secure randomness.
Best practice is to use a cryptographically secure function to create the salt, to create a new salt value for each hash value, and to use a minimum of 128 bits. The bits are not costly, so don't save a few bits thinking you gain something back in performance; instead use a 256-bit salt value. It is highly recommended.

.Net Salt
    using System.Security.Cryptography;
    using System.Text;

    private const int minSaltSize = 8;
    private const int maxSaltSize = 24;
    private int saltSize = maxSaltSize;   // salt length in bytes
    // Returns the input bytes followed by a fresh random salt. The salt itself must
    // also be persisted alongside the hash so the value can be recomputed later.
    private byte[] GetSalt(string input) {
            byte[] data;
            byte[] saltBytes;
            RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
            saltBytes = new byte[saltSize];
            rng.GetBytes(saltBytes);          // fill the salt from the CSPRNG
            data = Encoding.UTF8.GetBytes(input);
            byte[] dataWithSaltBytes =
                new byte[data.Length + saltBytes.Length];
            for (int i = 0; i < data.Length; i++)
                dataWithSaltBytes[i] = data[i];
            for (int i = 0; i < saltBytes.Length; i++)
                dataWithSaltBytes[data.Length + i] = saltBytes[i];
            return dataWithSaltBytes;
    }

This method uses an agile approach to calling a hash function; the agile approach is explained below.

     private string computeHashWithSalt(HashAlgorithm myHash, string input) {
            byte[] data;
            data = myHash.ComputeHash(GetSalt(input));   // digest of input || salt
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < data.Length; i++) {
                sb.Append(data[i].ToString("x2"));        // hex-encode each byte
            }
            return sb.ToString();
     }

Microsoft .Net Notes on Hashing
Microsoft does not recommend using MD5 or SHA-1. With .Net 3.5 and above, Microsoft supports the Suite B set of cryptographic algorithms published by the National Security Agency (NSA).

The salt value does not need to be secret and can be stored along with the hash value. Some may use a combination of account details (username, user full name, ID, creation date, etc.) as part of the salt to further obfuscate the hash computation, for example salt = (username|lastname|firstname|ID|generated_salt_value).

Best Practices
Industry-leading cryptographers are advising that MD5 and SHA-1 should not be used for any applications. The United States Federal Information Processing Standards Publication (FIPS) specifies seven cryptographic hash algorithms approved for federal use: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. The code reviewer should consider this standard because FIPS is also widely adopted by the information technology industry.

The code reviewer should raise a red flag if MD5 or SHA-1 is used, and a risk assessment should be done to understand why these functions would be used instead of other better-suited hash functions. FIPS does allow MD5 to be used only as part of an approved key transport scheme (e.g. SSL v3.1) where no security is provided by the algorithm.

FIPS disapproves the following functions: DES; MD5; RC4; Blowfish; Diffie-Hellman; Diffie-Hellman (key agreement); EC Diffie-Hellman (key agreement); AES (non-compliant); EC Diffie-Hellman (vendor affirmed); RSA (key agreement); RSA (key wrapping).

.Net Agile Code example for hashing
App Code File:
<add key="HashMethod" value="SHA512"/>

C# Code:
   1:  HashAlgorithm preferredHash = HashAlgorithm.Create((string)ConfigurationManager.AppSettings["HashMethod"]);
   3:  string hash = computeHash(preferredHash, testString);
   5:  private string computeHash(HashAlgorithm myHash, string input) {
   6:       byte[] data;
   7:       data = myHash.ComputeHash(Encoding.UTF8.GetBytes(input));
   8:       StringBuilder sb = new StringBuilder();
   9:       for (int i = 0; i < data.Length; i++) {
  10:           sb.Append(data[i].ToString("x2"));   // hex-encode each byte
  11:       }
  12:      return sb.ToString();
  13:  }

Line 1 lets us get the hashing algorithm we are going to use from the config file. If we use the machine config file, our implementation would be server-wide instead of application-specific.
Line 3 passes the configured algorithm in as our choice of hash function; computeHash can therefore run SHA-256 or SHA-512 without a code change.

The drawback to this method is digest size. I would suggest giving yourself twice the size of the largest digest of any hashing algorithm you could possibly use when sizing the column that stores hash values. This means we need a varchar of 1024 if we are going to store our hash value in the database.
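The salt guidance above (a fresh CSPRNG salt per hash, 256 bits, stored next to the digest) and the agile, config-driven choice of algorithm come together in the following Python, an added example and not the .Net code of the Code Review Guide. CONFIG stands in for the AppSettings "HashMethod" key, and get_salt, compute_hash_with_salt, create_record, verify and hex_column_width are names chosen here.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the page's <add key="HashMethod" value="SHA512"/> setting.
CONFIG = {"HashMethod": "sha512", "SaltBytes": 32}   # 32 bytes = 256-bit salt


def get_salt(num_bytes=None):
    """A fresh salt from the OS CSPRNG; generate a new one for every hash."""
    return secrets.token_bytes(num_bytes or CONFIG["SaltBytes"])


def compute_hash_with_salt(hash_method, input_text, salt):
    """Agile hashing: the algorithm name comes from configuration, as on the page.
    Digests salt || UTF-8(input) and returns lowercase hex, like ToString("x2")."""
    h = hashlib.new(hash_method)
    h.update(salt)
    h.update(input_text.encode("utf-8"))
    return h.hexdigest()


def create_record(input_text, hash_method=None):
    """What gets stored: algorithm name, salt and digest. The salt is not secret,
    but it must be kept or the digest can never be recomputed for verification."""
    alg = hash_method or CONFIG["HashMethod"]
    salt = get_salt()
    return {"alg": alg, "salt": salt.hex(),
            "hash": compute_hash_with_salt(alg, input_text, salt)}


def verify(record, candidate):
    """Recompute with the stored salt and algorithm; compare in constant time."""
    digest = compute_hash_with_salt(record["alg"], candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, record["hash"])


def hex_column_width(hash_method):
    """Characters needed to store this algorithm's hex digest (two per byte)."""
    return hashlib.new(hash_method).digest_size * 2


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(rec["alg"], "salt bits:", len(rec["salt"]) * 4, "digest hex chars:", len(rec["hash"]))
    print("verify ok:", verify(rec, "correct horse battery staple"))
    print("column width needed for sha512:", hex_column_width("sha512"))
```

For stored passwords specifically, keep the same per-record salt but replace the single digest with a deliberately slow derivation such as hashlib.pbkdf2_hmac so that guessing stays expensive for an attacker who obtains the table.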

Lastly, never accept in a code review an algorithm created by the programmer for hashing, or a hashing function copied from the Internet. Always use the cryptographic functions provided by the language framework the code is written in. These functions are well vetted and well tested by experienced cryptographers.

* Lifetimes of cryptographic hash functions
* Ferguson and Schneier (2003), Practical Cryptography (see Chapter 6, section 6.2, Real Hash Functions)