Not Obvious

Intended to be Interesting, Intriguing & Insightful. Most Likely Mundane.

HHS Breach Data In Google Docs

I pulled out the (to me) relevant fields of the HHS "Breaches Affecting 500 or More Individuals" list from the HHS breach site and posted them to Google Docs in case folks would like to work with more structured data. I removed the institution name, normalized the location to the State level and dropped the "associated party" field.

If folks want the other fields, I'll add them. Just ping me.

 

Filed under  //   breach   data loss   data protection   health care   information security   medical records   records   security  

Highly Unprofessional Android Development

In the event you don't also follow the personal blog, I've switched ecosystems and abandoned my iPhone in favor of an Android mobile device (the HTC Incredible). While I may continue to tinker in iPhone OS development, I'm diving into Android 2 development in the little free time I have and picked up Professional Android 2 Application Development (Wrox Programmer to Programmer) to complement the various online SDK documentation and tutorials.

While I was enjoying a freshly made americano this morning, I started to peruse the near-boilerplate first few chapters when I came across the following precious nugget:

If you have images disabled, the text reads:

"For reasons of clarity and simplicity, many of the examples in this book take a fairly relaxed approach to security. When you're creating your own applications, particularly ones you plan to distribute, this is an area that should not be overlooked."

I posted a quick tweet about it, but felt the need to expand upon it in a post.

For starters, I find it difficult to even continue reading the material, given that I would expect a book about "professional" development techniques to absolutely include security concepts throughout the topics being presented - even at the "Hello, world!" level of examples. Given the current state of digital security and privacy, I believe it to be highly irresponsible of the publisher (Wrox) to release a title such as this without security being baked into the finished product. I would not be as critical if the title were "Just Checking Out Android 2 SDK Basics". Adding the word "professional" should mean that it provides all the fundamental tools and techniques to make solid & secure Android apps.

While I have yet to progress further into the text, if it does not thoroughly cover at least the need for comprehensive input validation and for encryption of data both at rest on the device and in transit, I would highly recommend that budding Android programmers avoid this book and find a forum where they can learn the ins and outs of this SDK with a security hat firmly in place. The Android platform puts too much power into the hands of applications to not code responsibly.

Take a side-step over to the Rugged Software site and make a promise to yourself - and your users/customers - to stay true to the manifesto, and carve out a moment or two to review some core security concerns on the Android platform from ReadWriteWeb's Sarah Perez.

Filed under  //   android   application security   development   rugged   Rugged Software   sdlc   security   software   vulnerabilities  

Defense Against The Dark Art Of Browser Cache Poisoning

A recent PCWorld article by Ellen Messmer on the topic of browser cache poisoning (as discussed by Mike Kershaw) led me to ponder a "solution" to the problem.

"What is the problem?", you ask? To re-state it as simply as possible, when you jump on a public wireless network, anything you do over that network can be - at a minimum - captured and viewed by miscreants intent on prying into your affairs and, perhaps, absconding with some of your secrets. Kershaw's remarks pointed out that these malcontents can also do far worse and actually inject their own data into, say, your web-browsing activities. While such activity has many negative possibilities, Mike focused on one called "cache poisoning".

Whenever you visit a web site, your browser - unless you have specifically configured it not to - will cache (store locally) anything it can to speed up your browsing and reduce bandwidth usage. An attacker on the same network can "poison" this cache by injecting his/her own content into, say, a JavaScript or CSS file and rewriting the server's caching headers (Cache-Control/Expires) to tell your browser not to bother re-fetching those resources for a very long time. The next time a page asks for that resource, your browser serves it from the local cache - long after you have left the hostile network - and runs the malicious bits alongside the expected content, so you think nothing is wrong.

Apart from always running with the cache off, you can clear the cache manually after you disconnect from a public access point. Most people will not know how to do the former (or just not want to), and - for the latter - when was the last time you cleared your cache at all? If you have cleared it, the reason was probably to fix a problem or clear up a page-rendering issue.

My "solution" entails writing a small Windows service or OS X event watcher that:

  • keeps a record of all SSIDs you associate to (for remembering choices/settings)
  • watches for disassociate or adapter link down events
  • automatically - or via a prompt - removes all elements retrieved in the past day (or from the time you associate to the network) on disassociation or link down

I've already built the framework for both the Windows service and an OS X process and plan to post both the code and binaries as soon as I get them tied up in a nice, neat bow. However, I wanted to point out some of the complexities involved while they are fresh on my mind.

Cache.db

Focusing on OS X, the default browser - Safari - stores cached data in an SQLite database at ~/Library/Caches/com.apple.Safari/Cache.db. The schema is very basic and the SQL to remove all elements fetched after a given TIMESTAMP is trivial. But I would wager that most intrepid readers are not aware that any app that makes use of WebKit gets its own Cache.db. With a site-to-app tool such as Fluid, this means each created app has its own cache database (and is just as vulnerable to poisoning).
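To make the two halves of this concrete - why an injected JavaScript response survives the hotspot, and what the "remove everything fetched since association" step of the service actually does - here is an added example in Python. It is not code from the post or from the Windows/OS X service described above. The HTTP responses are constructed, and the SQLite table is a stand-in layout for illustration, not the real Cache.db schema (which the post does not reproduce).

```python
import re
import sqlite3
from email.utils import parsedate_to_datetime


def _http_date(value):
    """Parse an HTTP-date header into Unix seconds; None if unparseable."""
    try:
        return parsedate_to_datetime(value).timestamp()
    except (TypeError, ValueError, AttributeError):
        return None


def freshness_lifetime(headers, now_ts):
    """Seconds a cache may serve this response without revalidating.

    Precedence follows HTTP caching rules: no-store/no-cache mean 0,
    then Cache-Control max-age, then Expires minus the Date header
    (falling back to now_ts when there is no Date).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return 0
    m = re.search(r"max-age=(\d+)", cc)
    if m:
        return int(m.group(1))
    if "expires" in h:
        expires = _http_date(h["expires"])
        base = _http_date(h["date"]) if "date" in h else now_ts
        if expires is None or base is None:
            return 0
        return max(0, int(expires - base))
    return 0


def is_long_lived_script(headers, now_ts, threshold=86400):
    """True for JS/CSS responses a cache would keep longer than threshold.

    A long-lived script fetched over an untrusted network is exactly the
    artefact cache poisoning leaves behind."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if "javascript" not in ctype and "css" not in ctype:
        return False
    return freshness_lifetime(headers, now_ts) > threshold


def new_cache():
    """Hypothetical cache table (assumption: not Safari's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cache_entries ("
        "url TEXT PRIMARY KEY, body BLOB, fetched_at INTEGER, expires_at INTEGER)"
    )
    return conn


def store(conn, url, headers, body, now_ts):
    """Insert a response the way a cache would; returns False if uncacheable."""
    life = freshness_lifetime(headers, now_ts)
    if life == 0:
        return False
    conn.execute(
        "INSERT OR REPLACE INTO cache_entries VALUES (?, ?, ?, ?)",
        (url, body, now_ts, now_ts + life),
    )
    return True


def purge_since(conn, since_ts):
    """The service's cleanup: drop everything fetched since association."""
    cur = conn.execute("DELETE FROM cache_entries WHERE fetched_at >= ?", (since_ts,))
    conn.commit()
    return cur.rowcount


def demo():
    """Poison a cache over a hotspot, then clean it on disassociation."""
    now = 1_263_352_230            # fixed "now" so the run is reproducible
    associated_at = now - 600      # joined the public access point 10 min ago
    conn = new_cache()
    # Constructed: a stylesheet fetched earlier, on a trusted network.
    trusted_css = {"Content-Type": "text/css", "Cache-Control": "max-age=3600"}
    store(conn, "http://example.com/base.css", trusted_css, b"body{}", associated_at - 3600)
    # Constructed: the attacker's copy of the site's script, told to live a year.
    poisoned_js = {"Content-Type": "application/javascript",
                   "Cache-Control": "public, max-age=31536000"}
    store(conn, "http://example.com/app.js", poisoned_js, b"/* injected */", now)
    # Constructed: an uncacheable page that never lands in the table.
    page = {"Content-Type": "text/html", "Cache-Control": "no-store"}
    store(conn, "http://example.com/", page, b"<html>", now)

    flagged = is_long_lived_script(poisoned_js, now)
    removed = purge_since(conn, associated_at)
    remaining = conn.execute("SELECT COUNT(*) FROM cache_entries").fetchone()[0]
    return flagged, removed, remaining
```

Running demo() flags the injected script as long-lived, removes only the entry fetched since the hotspot was joined, and leaves the earlier, trusted stylesheet in place - which is the property the disassociation-triggered cleanup needs: it must not be a blanket cache wipe.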

~/Library

Extending this a bit further, many users have multiple browsers installed (Chrome, Firefox, Opera, etc.). Each has its own way of storing its web cache, and there is really no way to be confident which ones should be cleared without also tracking application usage. This is also true on Windows, and is made a bit worse by the fact that you can customize where IE and other browsers store their cached data (on almost any platform).

It turns out this is one case where the Windows .NET API trumps OS X/Cocoa, in that I can easily watch for WLAN adapter disassociation events and then act upon them. On OS X it takes a bit more work to arrive at the disassociation conclusion, but - once you have the event - the cleaning code is very similar.

As the article points out:

The few defenses Kershaw suggested were continuously manually clearing the cache, or using private-browser mode. "Who knows how to clear the browser cache in an iPhone?" he asked.

I thought of also adding an option to prompt the user to switch to "private mode" browsing when the program detects association with an unknown or public access point. If you want to know how to clear the Mobile Safari cache, just follow Apple's directions.

I will (hopefully) have some time to finish up a rough beta version of each service and get it out for review. In the interim, I would love to hear thoughts on the approaches and suggestions for new/alternate ones.

Filed under  //   browser   cache   cache poisoning   cache-control   firefox   internet explorer   mike kershaw   opera   pcworld   safari   security   wi-fi   wireless network   wlan  

So, Just How Bad Is That URL?

Fellow Security Twit @innismir asked for input on places to go on the web - besides Google - to test the security efficacy of URLs. Here's a short list (stole one from @ABCSecurity) of places you can copy/paste links into:

Would love to know of more sources if you have them. Just drop a note in the comments and I'll add to the main post as they come in.

Filed under  //   anti-virus   malware   security   virus   virus scanning   web filtering  

Why Do (I) People Hate Flash?

Nick Wangler (@SweetTea023) asked me why people hate Flash (no doubt referred to me by @Wygle or one of my Seattle cohorts). The answer runs far longer than 140 characters and has been posited and pondered by many more qualified than me. I will, however, endeavour to round out the corners of the various arguments against it and be as non-duplicative as possible.

 

Security

A very quick search on NVD shows 77 vulnerabilities for "Flash Player". Flash is an add-on for your browser: an extension that you install (or have installed for you by an OS distribution or computer manufacturer) in addition to the base components. By default, that creates yet another vector for attackers, and it even levels the playing field a bit for them, since they can target multiple platforms and multiple browser configurations with roughly the same exploit. Believe me, Microsoft & Apple do not need any more help making their browsers or their systems vulnerable to attack, and we certainly do not need to give the malware writers more soft targets.

Flash is also one of the few items on my system (yes, I have it installed despite loathing it) where I actually need to visit an external site to configure it. If you've never been to one of those settings screens, they've been around in one form or another since ~2004. Even those settings could not stop a pretty nasty attack vector that Adobe had to close by removing functionality (that it should never have added in the first place).

From an enterprise perspective (the whole world does not revolve around home users), it is a royal pain to manage Flash versions across even a moderately large user base, especially since Adobe has removed or munged functionality enough that some divisions or workgroups actually need to keep older versions installed. That means I have vulnerable target systems to account for when I do a risk/threat profile. If such an institution is, say, a bank, that unpatched endpoint becomes one means for the "bad guys" to get to your data. (And if you think that isn't likely, you have never been employed by a large financial institution.)

 

Performance

Before I start this section I need to make a full disclosure: I am primarily an OS X user but have two Windows 7 boxes, a Windows 7 VM, a dedicated linux server at home, a linux VPS in Cali and countless linux VMs. I have to do that because - invariably - I will get the "you're just a whining Mac user" comment.

Flash browser performance - in general - sucks, just like Java applet performance - in general - sucks. This is primarily due to bad programming. If Adobe (and before them, Macromedia) asks me to extend my browser, the least they could do is provide tools and a deployment process to ensure that inept programmers have to pass some sort of test before crashing my browsers (well, not Chrome, thanks to the process model Google uses, which I'll bet is due - in part - to Flash).

I know when Flash kicks in on a site because my fans start whirring, the CPU starts spiking and the battery starts draining much faster. Most Flash-heavy sites are a dog even on my Mini 9 with 2GB of RAM running Windows 7! And forget about full-screen Flash video on linux. Adobe will swear it's not their problem, but they should have either not lowered the entry bar or figured out a way to truly optimize their code. They chose to make the plug-in, and it is not the responsibility of the OS builders to help them out.

 

Design

Those who have been around this Internet of ours for a while will understand the following: Flash is the modern equivalent of the <blink> tag and animated GIFs. The minute I see Flash content (on a non-dedicated gaming site [kongregate/armor games] or non-dedicated movie site [hulu/youtube]), here's what goes through my head:

  • "oh, another design crutch" (i.e. the developers were not talented enough to use cross-platform HTML, CSS, graphics creation & Javascript techniques)
  • someone is attempting to sell me something

Not exactly two things I'd want associated with my site.

Granted, there are exceptions (I've seen some brilliant data visualizations in the New York Times and other sources), but in general, Flash == ugly and is there only in a pathetic attempt to grab my attention away from what I really want to see on a site (hence the continued growth of ClickToFlash usage by OS X Safari users).

 

Gatekeepers

While there may be some open source means of cranking out Flash, expensive Adobe tools are the primary means to develop these beasts and I am not fond of gatekeepers (I promise to not turn this into an iPad rant). In my infrequent programming ventures, I really shy away from closed frameworks because I do not want to be locked in. Until they made .NET a tad more open (e.g. the Mono project), this was the primary reason I stopped trying to make Windows software. While I consider myself a semi-proficient OS X developer, I loathe the fact my apps cannot run on any other platform (except the iPhone...and talk about gate-keeping!). At least Apple's tools are relatively free (I do pay for the OS, which is fine since I'm getting a much better experience than desktop linux). I can even make first-rate apps with relatively free (though a bit more expensive than Apple) Microsoft tools (SharpDevelop & IronPython).

While the majority of end-users do not care, I do and I refuse to learn Adobe's insidious incantations just to make bits fly about in a browser window. It's the same reason folks do not just make PDFs of their Word documents and put them up as web pages (and this is coming from someone who used to code PostScript by hand). Generally speaking, we want the freedom to express our creativity without lock-in which is one reason I'm really looking forward to ubiquitous implementation of HTML 5.

 

Concluding

It turns out I ranted a bit and did, in fact, re-hash some well-worn arguments. Just like its applet, tag and animated-GIF counterparts, Flash has had its day and will - hopefully - be a fading memory as open standards become richer and more versatile. Until then, I will enjoy my Flash-placeholder boxes in Safari and the blue Lego block of ambiguity on my iPhone.

Filed under  //   .NET   adobe   apple   design   flash   flash player   html 5   linux   macromedia   microsoft   mono   programming   security   xcode  

First Apple Patch Of The Year

Quick summary - it protects you from:

  • Evil graphics (there always seems to be one of these in every patch from almost every OS maker)
  • Evil printer queries
  • Evil Flash (well, isn't all Flash evil?) - WARNING: this gives you version 10.0.42 of the plug-in
  • The recently exposed flaw in SSL

Grab it via auto-update or from Apple's site.

 

Filed under  //   apple   cups   cupsd   flash   man-in-the-middle   os x   patch   security   ssl   ssl flaw  

File Quarantine Follow Up

Looks like you can duplicate the Chrome behaviour with Safari if you disable the "Open 'safe' files after downloading" setting in Safari's preferences.

[Screenshot: Safari's General preferences pane]

Archive (.zip) files will not be expanded by Safari but will maintain the quarantine attribute. However, when you expand them in the Finder (which uses Archive Utility.app by default), they lose the quarantine attribute. Both Safari and Chrome clearly set the quarantine attribute on the zip file:

com.apple.quarantine: 0000;4b4d39a6;Safari.app;A8F6FF8E-0888-4B64-895E-4F18381EB478|com.apple.Safari
com.apple.quarantine: 0000;4b4d3931;Google\x20Chrome.app;6B67D0BE-0127-48CC-9823-2AEC2677A68F|com.google.Chrome

There is not much value in the attribute setting if it will not carry through (inherit?) to the expansion operation, but I understand why it does not (I deliberately chose to uncompress the archive). Since I am hesitant to modify the Info.plist for Archive Utility.app, as it is tucked neatly away in /System/Library/CoreServices/, an alternate solution is to disable the auto-open in Safari and make a folder action on the Downloads folder that uses a modified Stuffit Expander (just tweak the quarantine setting) to open archive files when they appear in that location. I verified that it does what it should (keep the quarantine setting).
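To show what is actually inside the two attribute values above, and to turn the "did the expanded files keep the tag?" check into something scriptable, here is an added example in Python. It is not code from the post. The field layout (flags in hex, download time as hex seconds since the Unix epoch, downloading agent, then an identifier carrying "UUID|bundle id") is inferred from the two values printed in the post and is an assumption, as is the \x20 escaping, which is how the `xattr` tool prints a space. The expanded-file listing is constructed; on a real system you would read each file's attribute with `xattr -p com.apple.quarantine`.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# The two values from the post, exactly as printed (space escaped as \x20).
SAFARI_ATTR = "0000;4b4d39a6;Safari.app;A8F6FF8E-0888-4B64-895E-4F18381EB478|com.apple.Safari"
CHROME_ATTR = "0000;4b4d3931;Google\\x20Chrome.app;6B67D0BE-0127-48CC-9823-2AEC2677A68F|com.google.Chrome"


@dataclass
class Quarantine:
    flags: int        # first field, hex; bit meanings are not decoded here
    timestamp: int    # second field, hex seconds since the Unix epoch
    agent: str        # application that performed the download
    uuid: str         # per-download identifier
    bundle_id: str    # bundle identifier after the '|' in these samples

    @property
    def downloaded_at(self):
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def _unescape(s):
    """Undo the \\xNN escaping xattr applies to spaces and odd bytes (assumption)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_quarantine(value):
    """Split a com.apple.quarantine value into its fields (layout assumed above)."""
    parts = _unescape(value).split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags, ts, agent = parts[0], parts[1], parts[2]
    ident = ";".join(parts[3:])
    uuid, _, bundle = ident.partition("|")
    return Quarantine(int(flags, 16), int(ts, 16), agent, uuid, bundle)


def lost_on_expansion(archive_attr, expanded):
    """Names of expanded files whose tag does not match the archive's download.

    `expanded` maps file name -> quarantine value, or None when the file has
    no attribute at all (constructed input standing in for `xattr -p`)."""
    src = parse_quarantine(archive_attr)
    missing = []
    for name, attr in expanded.items():
        if attr is None:
            missing.append(name)
            continue
        q = parse_quarantine(attr)
        # A tag from a different agent or download time was not inherited
        # from this archive, so it does not represent this download either.
        if q.agent != src.agent or q.timestamp != src.timestamp:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for attr in (SAFARI_ATTR, CHROME_ATTR):
        q = parse_quarantine(attr)
        print(f"{q.agent:<18} {q.downloaded_at.isoformat()}  {q.bundle_id}")
    # Constructed: the app lost its tag on expansion, a text file kept it.
    print(lost_on_expansion(SAFARI_ATTR, {"Vienna.app": None, "README": SAFARI_ATTR}))
```

Decoding the timestamps shows the Chrome download landed 117 seconds before the Safari one, both on 13 January 2010 (UTC), which is the kind of detail worth having when you are deciding whether a tag on an expanded file is the archive's own or a leftover from some other download.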

Yes, that is actual work to force one more click, but it keeps the expansion behaviour automatic and gives me one more opportunity to verify that I really want to open the file.

Filed under  //   chrome   file quarantine   google   LSFileQuarantineEnabled   lsquarantine   mac   os x   safari   security  

Odd Google Chrome File Quarantine Behaviour On OS X

UPDATE: Here's what's going on


Most users are no doubt familiar with the file quarantine dialog they receive when downloading files from Safari and trying to open or execute them (only if Apple believes there is the potential for the content of the file to be malicious). While some have vilified this behaviour and others have just worked diligently to disable it completely, I find it a good cross between the overt nag dialogs of Vista and a complete lack of awareness of what is happening on my system (especially if a trusted site had been hacked and was telling Safari to do something without my knowledge). I have even blogged about it before.

Given that I expect this behaviour to be part of my regular experience, I noticed something odd when I was checking out the latest improvements in Vienna and downloaded the app using Google Chrome. Despite Google following the rules and having the proper setting for enabling file quarantine:

[Screenshot: Google Chrome's Info.plist with LSFileQuarantineEnabled set]

I was able to save and execute Vienna with no quarantine prompt. I attempted the same thing from Safari and did receive the prompt.

[Screenshot: the CoreServicesUIAgent file quarantine prompt shown for the Safari download]

I tried it with a few more apps and saw the same "problem".

Astute readers may be aware that Chrome uses a "helper" app (Google Chrome Helper.app) to manage the process-per-tab functionality:

[Screenshot: Activity Monitor showing the Google Chrome Helper processes]

and may be thinking that the helper app does not have the property list entry set correctly. Unfortunately, this is not the case (it is set just like the main Chrome app).

I will keep digging to see why the expected behaviour is not what is happening in real life, but wonder if anyone else out there is experiencing the same issue.

Filed under  //   chrome   file quarantine   google chrome   LSFileQuarantineEnabled   lsquarantine   mac   os x   safari   security