Saturday, January 30, 2010

How Attacks Are Being Done Today

I was going to write my next post about XSS as it is such a prevalent attack that opens the door to other attacks, but I had to post about what I just read instead. I'll hit XSS soon.

An article on darkreading.com[1] reports that Mandiant studied attacks over the last seven years and found that APT (Advanced Persistent Threat) attacks, besides appearing to have Chinese ties (I won't go there, as I don't think it matters where they come from, only that we stop them from any location, including our own companies), are so nasty that security software was able to detect only 24% of the malware used in them!

So these attacks are going on right now undetected...

In addition, an APT attack runs through seven stages:
  1. Reconnaissance -- checkin' you out and getting the lay of the land
  2. Intrusion into the network -- finding the hole and getting in
  3. Establishing a backdoor -- a piece of wood to hold the door open
  4. Obtaining user credentials -- social engineering and electronic means
  5. Installing multiple utilities -- remember the door you left open in #2 and #3?
  6. Privilege escalation, lateral movement, and data exfiltration -- taking over via the open door
  7. Maintaining persistence -- making sure you can't delete it
Ouch!

Two things I note here: 1) you have seven opportunities to catch them and stop them, and it isn't happening; 2) YOU as a developer can stop them at #2, which stops the whole chain. Don't you see it now? If developers did their job to the best of their ability, there would be far fewer holes. Would holes still be found? Sure. Can we plug everything? I don't think so. But these attacks have been prevalent for seven years! Devs, get over it and learn how to code securely!!

I can't tell you how many devs think they don't need to learn secure coding because they only do intranet programming. See #6 above: once attackers are in, they use those loosely secured intranet apps to take over your organization. How cozy do you feel behind your firewall now? Come on, gang! Learn the easy stuff and stop them!

Yes, stopping these attacks is easier than you think. I'll show you how to stop XSS next, and you will be that much better protected. Stop making excuses and do what you have to do to protect your organization and your customers!


[1] http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=222600139

Wednesday, January 20, 2010

No More Excuses!

Hey, you're a web application developer. I know you have deadlines looming, looming angst about your web site's security, and heirloom code you have to maintain. Get over it. This blog is all about helping you, and me, stay on top of security. Headlines scream about simple development mistakes costing 170 million credit card numbers. Some of those people lost money. Ever had someone wipe your card out? Painful and time/energy-consuming to correct. Someone's simple mistake(s) caused that to happen. People can blame the company, or the semi-clueless (at the time) CEO, or the guile of hackers. But guess what...someone programmed that code and either did not understand what they were coding or was flat-out negligent.

To me, it is their fault.

Part of the blame has to go to the execs and programming managers of a company that stakes its reputation on protecting and delivering people's credit card data. But the programmers also work for them and have to understand what their work affects every day they come in and sit down with a cup of coffee and a freshly booted PC.

I know, I know. Deadlines, budgets, tight time schedules, someone else promising you will deliver on an impossible schedule...all causing security to get baked in later, if at all.

You know what? Get Over It.

This blog will hopefully educate, entertain and help us all out. This will be a no-holds-barred look at web app security, mostly from an ASP.NET standpoint. PHP guys/gals...get over it. (See a theme here?) The stuff on this site will hopefully apply to you too, and you can go figure out how to code the things I show as ASP.NET logic in your own stack. I will try to keep things as language-agnostic as possible, since I would prefer all web devs have the knowledge, but there will be days when I post ASP.NET- or IIS-specific things, whether exploits or fixes.

So no more excuses! You can learn this stuff pretty quickly and stop many, many attacks dead. You can be the hero.

I will start my next post talking about XSS. Never heard of it? Please tell me you don't build websites...