Infosec Myths, Mistakes, and Misconceptions – Adrian Sanabria – ASW #279
1. Infosec Myths, Mistakes, and Misconceptions – Adrian Sanabria – ASW #279
Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure.
Segment resources:
Announcements
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CSIO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Guest
Adrian is an outspoken researcher that doesn’t shy away from uncomfortable truths. He loves to write about the security industry, tell stories, and still sees the glass as half full.
Hosts
2. Top 10’s First Update, Metasploit’s Second Update, PHP Prepares Statements, RSA & MS – ASW #279
The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
We’d like to invite our listeners to be part of our prestigious 2024 SC Awards! Entries are officially open.
The SC Awards continue to serve as a beacon of excellence, recognizing the industry’s best solutions, organizations, and people that are advancing information security. This year, there are 34 categories, many updated to reflect trends in artificial intelligence, cloud security and continuous threat exposure management. This is your chance to shine among the brightest in the cybersecurity world.
Take advantage of the early bird rate by April 12! Visit securityweekly.com/scawards to submit your entries by May 31st!
Hosts
- 1. The Ten Most Critical Web Application Security Vulnerabilities
About a year after OWASP released the first version of the OWASP Top 10, they have an update for it. It's mostly a tweak of titles, although they folded "Remote Administration Flaws" into "Broken Access Control" in order to create a new category for "Denial of Service".
I'm still disappointed that path traversal is buried under that A2 "Broken Access Control". Even though it's been three years since Nimda, a lot of vulnerable IIS servers are still out there. Plus, path traversal is also about normalization and security boundaries -- something that doesn't get mentioned in the doc.
The list is still a good start. Now that it's drawing attention to XSS and SQL injection (as part of the more general "Injection Flaws"), we should see those types of vulns die out in a few years.
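The normalization and boundary point above is easy to get wrong, so here is an added example (written for these notes, not code from the show or from OWASP) of a resolver that decodes the request, lets the filesystem canonicalize it, and then enforces the base directory as a security boundary. It assumes PHP 7 or later on a POSIX filesystem; the directory layout and the request strings are constructed for the demo.

```php
<?php
// Added example: resolve a user-supplied file name against a base directory
// and reject anything that escapes it. The fixture below is constructed.
declare(strict_types=1);

function resolve_within(string $base, string $requested): ?string
{
    // Step 1: normalize the request. Decode percent-encoding twice so that
    // double-encoded dots (%252e) end up in the same form as plain dots, and
    // treat backslashes as separators so the check sees what the OS will see.
    $decoded = rawurldecode(rawurldecode($requested));
    $decoded = str_replace('\\', '/', $decoded);

    // Embedded null bytes truncate paths in C-based APIs; refuse them outright.
    if (strpos($decoded, "\0") !== false) {
        return null;
    }

    // Step 2: let the OS resolve '.', '..' and symlinks to one canonical path.
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $decoded);
    if ($baseReal === false || $target === false) {
        return null; // base directory missing, or the file does not exist
    }

    // Step 3: enforce the boundary. Compare against the base plus a trailing
    // separator so "/srv/public" does not also accept "/srv/public_admin".
    $prefix = rtrim($baseReal, '/') . '/';
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed fixture: a public directory with one file and a sibling secret.
$root = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir("$root/public", 0700, true);
file_put_contents("$root/public/index.html", "<h1>hello</h1>");
file_put_contents("$root/secret.txt", "not for you");

$cases = [
    'index.html',             // legitimate request
    '../secret.txt',          // plain traversal
    '..%2fsecret.txt',        // percent-encoded separator
    '%252e%252e/secret.txt',  // double-encoded dots
    '..\\secret.txt',         // backslash separator
    'nope.html',              // file that does not exist
];
foreach ($cases as $c) {
    $r = resolve_within("$root/public", $c);
    printf("%-24s => %s\n", $c, $r === null ? 'REJECTED' : 'OK ' . basename($r));
}

// Remove the fixture again.
unlink("$root/public/index.html");
unlink("$root/secret.txt");
rmdir("$root/public");
rmdir($root);
```

Only `index.html` is accepted; every variant that resolves outside `public/` is rejected after canonicalization rather than by pattern-matching on `..`. One caveat worth knowing: `realpath()` returns `false` for a path that does not exist yet, so for a write (an upload, say) you would canonicalize the parent directory and check the boundary on that instead.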
- 2. Metasploit Framework 2.0 Released!
H.D. Moore has rewritten Metasploit again! (Although it's still in Perl. Sigh...)
This version "...includes 18 exploits and 27 payloads…" A lot of the payloads are understandably against IIS and some other Microsoft vulns, but there's an exploit for the RealServer vuln on Linux and another for Solaris. Although it's sort of surprising there isn't more Solaris, considering how much it still crops up in so many datacenters.
The code is all open source. There are still a lot of misgivings from some corners of the infosec community about making a hacking tool -- especially exploit generation -- so easily accessible. But the better point is that tools like this are only going to become more prevalent. Plus, orgs shouldn't be basing their cybersecurity decisions on whether they're going to be attacked, they should be working to keep software patched, systems monitored, and users strongly authenticated.
- 3. PHP 5 Is Coming!
Last year (Feb. 2003) PHP started work on a mysqli module. It'll be part of PHP 5.0, which will be out of beta any time now.
The cool thing about this module is that it "...includes an object-oriented interface in addition to a traditional interface; as well as support for many of MySQL's new features, such as prepared statements."
There's some other coverage on this. Although, to be fair, PostgreSQL has had prepared statements for a while now, too.
In any case, between this new feature for PHP devs and the first update to the OWASP Top 10, the lifetime for SQL injection vulns has probably dropped to single digits.
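To show why prepared statements matter for the SQL injection point above, here is an added example (written for these notes, not code from the show or from the PHP project) with the same lookup written both ways. It uses PDO's in-memory SQLite driver so it runs without a MySQL server, which assumes the `pdo_sqlite` extension is loaded; the mysqli equivalent has the same shape (`prepare()`, then bind the value, then `execute()`), and the table contents and the input string are constructed for the demo.

```php
<?php
// Added example: a user lookup with string concatenation beside the same
// lookup as a prepared statement. Fixture data below is constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'user'), ('root', 'admin')");

// Vulnerable: the input is spliced into the SQL text, so a quote in the
// input changes the grammar of the query instead of the value compared.
function find_role_concat(PDO $db, string $name): array
{
    $sql = "SELECT role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement is parsed with a placeholder first, then the input is
// supplied separately as data. Nothing in $name can alter the query.
function find_role_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT role FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a quote, the textbook injection shape.
$input = "x' OR '1'='1";

echo "concatenated: ", implode(', ', find_role_concat($db, $input)), "\n";
echo "prepared:     ", implode(', ', find_role_prepared($db, $input)), "\n";
```

The concatenated version returns both roles, `user` and `admin`, because the WHERE clause now reads `name = 'x' OR '1'='1'`; the prepared version returns nothing, because it looks for a user literally named `x' OR '1'='1`. The fix is not escaping and not input validation (both still worth doing): it is keeping query structure and data on separate channels, which is exactly what mysqli's prepared statements give PHP developers.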
- 4. Gates Details Security-Related Technology Investments and Innovations At RSA Conference 2004
We're a few months late catching up on all the announcements from this year's RSA Conference.
Bill Gates gave the keynote, which was a chance to see just how much security change there's been inside Microsoft since the Trustworthy Computing push. It hasn't quite been a year of Patch Tuesdays yet (October 2003 was just six months ago), but having a predictable cadence seems to make the process of patch management easier for admins. After all, so many systems are still lagging behind patch levels that something helpful needs to be tried.
One of the things I wanted to highlight from Gates's speech was the move away from passwords. As the article notes, Gates demonstrated the "...Microsoft Tamper Resistant Biometric ID Card, a cryptographically tamper-resistant identification card that can be easily deployed using simple, low-cost hardware and regular paper." Here's another article about it.
It'll be cool to see a future where web apps can rely on hardware-backed authentication. That'd be a lot better than web apps coming up with weird rules about how users should compose their passwords.
- 5. Security in the spotlight at RSA show – CNET
Here's the other article I wanted to share from this year's RSA. It has a lot of links to additional coverage.
I mentioned the new Patch Tuesday experiment from Microsoft in the previous article. This one explains a bit more about how Microsoft's "...quest to convince customers to regularly patch to secure software had largely failed." That's what led them to "...limit the release of fixes to once a month, and augment the upgrades with several other security initiatives..."
Another topic was Microsoft's partnership with VeriSign about OATH and their work on physical tokens for user authentication. That's the part that makes it sound like the death of passwords might actually be possible within the next few years.
- 6. New round of releases extends Mozilla project’s standards based open source offerings
There's not too much web app security in this one, but of course web app security testing spends most of its time in the browser. This is really just about getting used to calling it Firefox instead of Firebird.
Still, it's nice to have alternatives to IE. Between the newly minted Firefox and Apple releasing Safari last year, there's a nice trend in having choices about what browser to use.
That's what's nice about web app security: all you need is a browser and Paros Proxy to start finding XSS, SQL injection, and -- don't forget! -- path traversal vulns. (And maybe a few more. There's a top 10 of them after all.)