Monday, January 25, 2010

Good summary of Web Security Vulnerabilities

Nice article in Smashing Magazine summarizing all the different web security vulnerabilities: cross-site scripting, path traversal, SQL injection, cross-site request forgery, etc. (via Bruce Schneier)

Thursday, January 14, 2010

Mikey Hicks, 8, Can’t Get Off U.S. Terror Watch List - NYTimes.com

Mikey Hicks, 8, Can’t Get Off U.S. Terror Watch List - NYTimes.com: "At some point, someone named Michael Hicks made the Department of Homeland Security suspicious..."

A problem with identity in the real world is that it's hard to uniquely identify someone. A name is rarely unique enough (even for me, with a rather unusual name, there are at least two other people in the U.S. with the same name). Adding the middle name certainly helps, but is not foolproof.

Adding other attributes, like a street address, certainly helps, but those attributes tend to change often, so you have to keep a history of them, which complicates things greatly. It's hard to determine whether this is the same John Smith who used to live at 123 Main Street.

The other option is biometrics: fingerprints or even just a photo. But now you need online databases, software and readers which are expensive (and what do you do when they break?). Plus you have to worry about privacy and theft of the data.

Sunday, January 3, 2010

Moxie Marlinspike SSL video

Happy New Year! I'm catching up on some of the material I wanted to blog about last year, but just didn't get to. This post is about a talk that is definitely more advanced, aimed at someone interested in learning about cybersecurity, and specifically secure web browsing, in more depth.

One of the security vulnerabilities that made news in 2009 was a hacker/security researcher, going by the name Moxie Marlinspike, who found an interesting vulnerability in how we have implemented PKI, which provides identities for SSL/TLS, which in turn provides the security for HTTPS. Whew, that's a lot of acronyms; sorry. The short version would be "how we do secure web browsing".

While the exploit has largely been dealt with at this point, Moxie's talk is posted online and is interesting to watch from an educational perspective because it gives a good overview of HTTPS, PKI and the fundamentals of secure web browsing.

The exploit itself is also interesting in that it shows how a seemingly innocuous thing (how we choose to encode strings) can come back to bite us. Moxie also touches on how this exploit could be used to attack OCSP and automatic software updates. It's a good example of how a little thing can be extended to attack complicated systems.
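The string-encoding point above, as an added example in C that is not from the post or from the talk it describes: a name in an X.509 certificate carries an explicit length, while C string functions stop at the first NUL byte, so a validator that compares the two views inconsistently can be made to see a shorter name than the one the CA actually signed. The hostnames are placeholders; the defensive check rejects any name containing NUL and compares the full encoded length.

```c
/* Added example: length-prefixed certificate names vs. NUL-terminated C strings.
 * naive_matches() shows the mistake; safe_matches() is the check a defender wants. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A name as it is encoded in a certificate: explicit length, no terminator implied. */
struct x509_name {
    const unsigned char *data;
    size_t len;
};

/* Naive comparison: treats the bytes as a C string and stops at the first NUL,
 * so it ignores whatever the signed name contains after that byte. */
static bool naive_matches(const struct x509_name *n, const char *expected_host) {
    return strcmp((const char *)n->data, expected_host) == 0;
}

/* Hardened comparison: reject embedded NUL outright, then require that the
 * whole encoded length matches the expected hostname byte for byte. */
static bool safe_matches(const struct x509_name *n, const char *expected_host) {
    if (memchr(n->data, '\0', n->len) != NULL)
        return false;
    size_t want = strlen(expected_host);
    return n->len == want && memcmp(n->data, expected_host, want) == 0;
}

/* Constructed samples (placeholder domains). BAD_BYTES is a name whose
 * encoded content is "bank.example", a NUL byte, then ".other.example". */
static const unsigned char BAD_BYTES[]  = "bank.example\0.other.example";
static const unsigned char GOOD_BYTES[] = "bank.example";
static const struct x509_name BAD_NAME  = { BAD_BYTES,  sizeof(BAD_BYTES)  - 1 };
static const struct x509_name GOOD_NAME = { GOOD_BYTES, sizeof(GOOD_BYTES) - 1 };

int main(void) {
    printf("naive, embedded NUL: %d\n", naive_matches(&BAD_NAME, "bank.example"));  /* 1: wrongly accepts */
    printf("safe,  embedded NUL: %d\n", safe_matches(&BAD_NAME, "bank.example"));   /* 0: rejects */
    printf("safe,  clean name:   %d\n", safe_matches(&GOOD_NAME, "bank.example"));  /* 1: accepts */
    return 0;
}
```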

The video is about an hour long. It does include one use of adult language (sh*t).


Enjoy.