Tuesday 4 November 2008

04/11 -08 Interview series - RSnake

"REPORTER, n. A writer who guesses his way to the truth and dispels it with a tempest of words." - Barson Maith


I am hereby kicking off an interview series, and I start with a bit of a flourish by publishing this interview I did a while ago with RSnake, one of the biggest gurus of the internet security world.
I have long been interested in internet security (or the lack thereof) and can safely say that I have flirted a little with the whole hacker thing. I first came across RSnake on his security forum sla.ckers.org, where he and many other pimply computer nerds discuss system flaws and computer intrusions. Happy reading!

Tell me a little bit about yourself?

I probably don't fit the mold of the hacker stereotype actually, and I don't think I really ever did. I'm pretty much always dressed up as I end up going to a lot of customer meetings, which is funny because I end up going to technical meetings with tech guys who take one look at me and decide I'm the marketing/sales droid. Then I end up having to school them on their own technology. It can be fun to break the mold though. I spent seven years in product management (doing technical architecture most of the time) for some huge companies, so I always had to walk the walk and talk the talk in terms of business, but technology has always kept my primary interest.

I got started in web security (CGI security back then) in 1995, when I got my first Unix account at school, and built my first web page. We had a 5 megabyte quota back then, which is laughably small by today's standards. I worked for some huge companies and finally started my own in late 2006 doing consulting work. I never took orders very well, so it's nice to be finally working for myself.


How did you get interested in computers, and more importantly, web application security?

I've been interested in security since I was in high school but college was the big one. Of course my first example of web security was HTML theft. It was really fascinating that it was so easy to do. Back then my friends and I were finding lots of exploits in Netscape that we weren't disclosing. Although Bugtraq existed, it wasn't really our goal to become famous, plus I think I was pretty intimidated by the caliber of the people on there since I was new to the whole thing and not particularly interested in buffer overflows and system level security at the time. I think the first site I found my way into was in 1996. We found that we could break into merchant accounts at a big online processing company because the default passwords were so weak. We never did anything with that information but it was still amazing to me how easy it was. We also built some top100 sites and I was impressed at some of the subversive click techniques out there, which I later took to a banner advertising company and helped them fix a lot of their click fraud problems. I guess I learned by watching the best of the attackers out there. Who better to teach me? It was never a honeypot, but I definitely encouraged their nefarious activities to learn more.


What do you think are the main problems with the security on the internet today?


At the moment, I think there are two fundamental problems on the Internet that are causing almost everything else to be broken. Most people haven't read my post to Dark Reading called The Internet's Original Sin http://www.darkreading.com/document.asp?doc_id=118848 but the primary problem we have today is that the web was simply never designed to be secure. Everything we have now is an add on, that does very little to fix that original problem. That pretty much includes everything you can imagine, authentication, same origin policies, man in the middle attacks, etc... All of which have been vaguely solved by add ons, but none of it should be considered case closed. More and more people are demanding web2.0 applications, mashups and tools that are highly custom to their experience. That means more and more sensitive information is placed on the websites and the browser must become more and more flexible - which makes writing threat models almost impossible. The browser companies have toyed with the idea of making a secure browser for transactions, but I think that's a long ways off.

The other major problem is that while the barrier to entry to coding is decreasing there is no such thing as a secure programming language. All languages suffer from some level of insecurity, and they are getting easier and easier to program in. I love to hate PHP. I've seen more badly coded PHP applications than any other language, and the reason for that is that it's not a secure language to begin with, allowing newbies to make mistakes all over the place, and the code itself is ridiculously easy to write and modify. That's a fatal combination, where you have less and less proficient people writing more and more critical applications that people put their personal information into. Not to bash on PHP specifically, because all modern languages are going that route. Until we start having out of the box secure code, it's not going to change. APIs are a great idea, but since they aren't part of base packages, it's never going to have the kind of impact that it needs to have.


Do you think people are aware of the security issues related to web applications that are commonly used?


Absolutely not. People are aware of bigger issues like viruses, phishing and maybe the concept of hackers in general breaking into websites, but to them it's all a magic show. They don't get it, and they don't know the warning signs. I have a fairly large cache of non-technical people that I regularly poll for information to see where their brains are. It really helps me to understand what does and doesn't work from a consumer education standpoint. While it's not entirely empirical, it's a good barometer that rarely fails me. Part of the problem is that we give them incorrect or dumb messages, like "look for the lock". Does this look like an SSL protected site to you? http://ha.ckers.org/weird/ssl-lock.html


On a scale from one to ten, how secure is the average website?

The average website doesn't do much. The vast majority of sites out there are brochure-ware sites or default install sites. So I don't think that's a good case study to answer the real question I think you're getting at, which is how secure is the average website a consumer would interact with on any level. And unfortunately the stats aren't good. According to WhiteHat Security 80% of sites have a critical vulnerability in them. That's just terrible odds. All it takes is one vulnerability to compromise a user, and unfortunately consumers tend to use the same passwords over and over again, so even a tiny exploit can cause major problems for a platform. I wrote a case study about that exact topic: http://ha.ckers.org/deathby1000cuts/

I guess to answer your question really you have to ask how important is the target to the attacker, how likely is it to get exploited, and how damaging is it, which is really the typical Microsoft DREAD rating. If you look at it on average I'd say the average site ranks at about a 5. Still a failure, but most exploits are difficult to find or difficult to exploit. Now, if you tie in the network vulnerabilities with that, it drops pretty rapidly on average. Maybe 2 or 3 out of 10. That's due to the fact that even a decade after everyone realized they needed a firewall, it still turns out that no one knows how to configure them properly. DNS is often messed up, extraneous services, outdated patches, etc...

And we're not even talking about physical security, or social engineering. In that case we are talking about 1 out of 10. I haven't yet met a site that I think is completely invulnerable to something. That's the exploitation potential, but the value of the asset may never justify that kind of work, so really, it's probably higher than that, but if the only reason why a site is secure is because the data it holds isn't valuable enough to attack or that there aren't enough bad guys out there to attack it and everything else that's easier, that's not a very comforting feeling.


When we get right down to the core of this thing, how easy can it be for an experienced hacker to gain control over a website?


Given infinite resources and time I believe any site can be compromised by the right group of people. Let me bring back a quote from 1997, "You bring me a select group of 10 hackers and within 90 days, I'll bring this country to its knees." - Jim Settle, Former Director, FBI Computer Crime Squad. I don't think every site is vulnerable to a specific class of vulnerability, but I do believe that with enough work any site can be compromised, at least from a certain perspective (EG, pharming/MITM attacks, etc...).


There are a few terms floating around describing different types of hackers, notably white and black hats, care to explain?


I've heard some pretty interesting descriptions of both. Probably my favorite and hardest to wrap my brain around is one from a friend of mine. His theory was that whitehats disclose, and blackhats do not. Pretty simple in concept but it gets more confusing. Most people think that damaging a website's brand is fairly blackhat or grey at best, but his theory is that it's actually more white hat than doing responsible disclosure by informing the website that they are vulnerable. Striking up secret agreements with companies to get their stuff patched responsibly while the public suffers with their vulnerabilities is actually more greyhat than white. I think most people would totally disagree with those statements, saying that responsible disclosure is the best kind of whitehat, while full disclosure is greyhat or even blackhat in some cases. I'd love to think that life was that simple, but unfortunately I don't.

My personal opinion is that a whitehat is someone who does something not for themselves but for the greater good. Not for monetary gain, not for personal promotion, but for the greater good, even if that means it might hurt in the process. Think about the heroes in the wild west. Sometimes they'd get shot trying to bring down a corrupt land owner. I don't think all businesses are corrupt and evil (like our favorite advertising giant Google), but I do think there are a fair amount of situations that warrant full disclosure as a greater good, to raise awareness of the issues. Other times I think full disclosure is simply irresponsible and dangerous because it has no benefit to the community, only the attackers. Blackhats are the simplest to define, as they take information and hoard it either for personal gain, but they are unlikely to ever disclose the issues.

I think I fit squarely in the greyhat box. I certainly don't disclose everything I find, and I definitely work with vendors to fix issues when I think it's worthwhile to go through that process. I even disclose things to Google, despite how totally irresponsible they have been to their consumers, historically: http://ha.ckers.org/blog/20071119/google-gadgets-gaffe/ and
http://ha.ckers.org/blog/20070307/wall-street-journal-article-on-google-desktop/

How large would you suppose the hacker community is?


I would guess the best barometer is DefCon. It's somewhere around five thousand people, and probably one out of twenty hackers end up going to it in the USA and maybe one out of one hundred elsewhere in the world can make it. Keeping in mind that only about half the people who show up to DefCon are actually hard core security people. So it's probably around the 50,000-100,000 range who consider themselves to be highly interested in the security scene, and probably about 2,000-4,000 who are actually good at it (lots of them are private individuals with no ties to or interest in the "scene").


What is your opinion on internet security companies like Hacker-Safe and VeriSign?


I actually don't have as big of a problem with these companies as most people would guess. Yes, they are both selling snake oil (ScanAlert sells the Hacker Safe logo on sites and Verisign sells EV-SSL certs) but I think they are both doing exactly what the industry demands of them. Industry is demanding cheaper and better security, without actually defining and studying what that means. There's no regulation or control over the terrible ideas we end up with, and even the studies that prove that people actually react negatively to EV certs won't stop companies from buying into it. Hacker safe logos are an even trickier beast as they can help improve the amount of revenue a site makes by 14% (according to ScanAlert). You'd be stupid not to do that if you were a business owner - pass your PCI and get more money at the same time. Likewise, bad guys would be stupid not to start putting the same looking certs on their phishing sites too.
