Book Review : 19 Deadly Sins of Software Security

Security is a pretty hot topic these days. Problems range from zombie computers acquired through viral attacks, to targeted intrusion of high-visibility targets. In many cases, insecure software is to blame for the security breach. With the increasing complexity of today’s software and the increased presence of criminals online, security is of the utmost importance.

19 Deadly Sins of Software Security was written by a trio of security researchers and software developers. The original list of 19 sins was developed by John Viega at the behest of Amit Yoran who was the Director of the Department of Homeland Security’s National Cyber Security Division. The list details 19 of the most common security flaws that exist in computer software.

The book details each flaw and the potential security risks posed when the flaw exists in your code. Examples of flawed software are presented to provide an insight into the seriousness of these flaws. The authors also detail ways to find these flaws in your code, and steps to prevent the problem in the future.

Overall the book covers most of the commonly known security flaws. These include SQL Injection, Cross Site Scripting, and Buffer Overruns. There are also a few lesser known flaws such as Integer Overflows and Format String problems.

The authors recognize that software flaws can also consist of conceptual and usability errors. For instance, one of the sins covered is the failure to protect network traffic. While the book goes into greater detail, this flaw generally means that the designer did not take into account the open network and failed to encrypt important data.

The last chapter covers usability. The authors detail how many applications leave too many options open for the user while making dialogs cryptic in nature. Default settings are either set too loose for proper security, or the fallback mechanisms used in the event of a failure cause more harm than good. As the Microsoft Security Response Center put it, “Security only works if the secure way also happens to be the easy way.”

This book is great for both novice and seasoned developers. As with most security books, it covers much of the same material, but is presented in new ways. Continual reminders about security can only help developers produce more secure code.

[Other References]

10 Immutable Laws of Security Administration

10 Immutable Laws of Security

Michael Howard’s Weblog

John Viega’s HomePage

the squirrels are nice here…

I ran across an article over at Slashdot about a recent incident involving a Republican aide, and members of attrition.org. For those that don’t know, attrition.org is a computer security oriented website that attempts to expose industry fraud and misinformation. This particular story finally made it to the “traditional” media yesterday.

So, on to the story. Apparently a Republican aide, Todd Shriber, decided that he wanted to have his college grades modified slightly because he didn’t do too well. So Mr. Shriber contacts attrition.org, having read some of the postings on the site and thinking that they were hackers. His initial email was sent on August 9, 2006.

Jericho and Lyger from attrition.org quickly begin leading the aide on and gathering the “information” that they will need in order to pull off the job. The information included the usual stuff like name, student id, date of birth, pigeon and squirrel pictures… Wait, pigeon and squirrel pictures? Yes, you read that correctly.. Jericho asked Mr. Shriber to forward him “A picture of a squirrel or pigeon on your campus”.

This request for pictures should have thrown up red flags all over the place, but apparently not for savvy Mr. Shriber. Instead, he continues on his quest, providing all of the necessary information with what appears to be eagerness. The pictures and initial information needed to access his grades were provided in exactly one week. This included a message to Lyger, the “hacker”, with a special code phrase in the subject to let Lyger know who he was.

Over the following 11 days Lyger continued to lead Mr. Shriber on providing technical details about his activities. From 768-bit encrypted databases to shutting down systems with smurfs, Lyger explained that he was now ready to “hole-shot this once the hashes match.”

But then disaster struck. “todd… no more.. omfg we are SO busted..” Lyger explained that the noc had run reverse udp traceroutes and caught him. They had everything, the logs, the rot-26 stuff, and everything pointed back to Mr. Shriber’s login. Ah well, so much for that.. Lyger even told him to stay away from attrition.org since they were checking web logs.. And so the charade was over. After less than a month, Mr. Shriber’s chances for good grades were shot.

Mr. Shriber, however, was relieved. In a follow-up message to Lyger he explained that he was getting cold feet anyway and was ready to abort. Oh, and by the way, “As a gesture of good faith, I was hoping you guys would remove our correspondence from your web site. Isn’t that risky for all of us to have it up there?”

Duh…

Modchips

I stumbled upon a blog entry on Ozymandias about Modchips. Ozymandias is the blog for Andre Vrignaud, an XBox Team Member. I found his comments to be interesting, but I disagree on a few points.

Andre cites three “main” reasons used to defend modchips :


  • the ability to copy and play pirated games
  • the ability to play import games
  • the ability to add new functionality (such as running homebrew software)

Like Andre, I’ll comment on these one at a time.


Pirated games… What can be said about this? Piracy is, in the end, wrong. There are a number of reasons given for piracy ranging from the pure view of “I want it and I don’t want to pay for it”, to the almost forgivable, “I need it to survive but I can’t afford it.” The former is just pure piracy and is akin to stealing a physical object. There are arguments that software is a different beast because stealing a copy doesn’t mean there is one less copy in the world, but, in fact, that there is one more. But, in general terms, I can agree that this is stealing.

The latter excuse is more interesting. There are several instances of people pirating software for the simple reason that they need it to produce a viable product. However, they don’t have the up-front money to pay for the pirated software. In some cases, they purchase the pirated software after they’ve earned the money to do so. This excuse is becoming less viable as time goes on, however. With the advent of Open Source software, there are numerous OSS packages that can produce results similar to commercial products. One has to be careful, however, since some of these OSS products include licenses to prevent commercialization.

Regardless of the reasons for piracy though, I agree with Andre. If you’re modding your console for the express reason of pirating games, then you’re wrong. This is probably the main reason Modchips get such a bad name. Those who know what modchips are think you’re doing it to pirate games, not to unlock features or make homebrew a reality.


Next up is imports. Imports are a bit of a weird beast. In the not too distant past, consoles were able to play any game, import or local. The main reason for importing a game was to get something that wasn’t available on the local market. The downside was that you usually needed to learn a new language to play the game! Unfortunately, my Japanese is basically nonexistent, so playing imports is tough.

More recently, however, console manufacturers have “region locked” their consoles, rendering imports useless. There are a number of reasons for region locking such as different release dates across countries, preventing illegal content in certain countries, and increased revenue due to pricing differences between countries. Vendors feel pretty strongly about these points and even have the backing of the US Government in the form of the much hated Digital Millennium Copyright Act (DMCA). The DMCA has a specific clause that restricts circumventing these protections.

With the exception of preventing illegal content from entering certain countries, this all appears to be about money. The vendor can region lock a game or movie, and sell that title at varying prices depending on where in the world they are. Obviously this allows them to maximize their profits by taking advantage of the local market.

However, there is a slight problem with this. Some people enjoy watching foreign films, or playing imported games. For some, it may even be a means to stem the tide of homesickness. For others, it’s a chance to play something that won’t be released in their home region. I see this as a perfectly valid reason for wanting to mod your console. You paid for the console, you paid for the movie/game, why can’t you just use the two together? Andre states the following :

But sometimes companies have good reasons to either not release a title into a region or release it at different dates. It may be because of the time and cost of localization, marketing plans, ad buys, cultural considerations, or perhaps even because of the impact of piracy in the region. Whatever the case, it’s safe to assume the publisher has thought about it.

First of all, if I’m importing a game, there’s a good chance I know it hasn’t been localized. And for a lot of people, that’s the point. So concerns about time and money for localization are moot. As for piracy, I’m not sure what to say there. Because of possible piracy in a region, a company is unwilling to allow anyone at all to purchase the title? Give me a break, money is money. I can understand that they don’t want to localize and market the product, but if it’s been localized and marketed elsewhere, why prevent anyone in that region from buying and using it? It just doesn’t make sense to me. If they want to pirate it, they likely have modded consoles anyways, so the argument is pointless.

I’m quite sure the publisher has thought it through though. If you weigh the cost vs revenue it makes sense to not bother marketing some areas. For instance, there are a large number of games that are popular in Japan that just don’t have a chance in the US. So it makes sense for them to skip localization and marketing for the US. But, if I happen to speak and read Japanese, and I have an interest in the game, why would they want to prevent me from handing over my hard earned money to purchase it? In fact, that’s extra, unforeseen revenue. Isn’t that a good thing?


The last item Andre cites is the desire for homebrew. I can definitely identify with this desire. I own a PSP and I’ve been looking long and hard at the Undiluted Platinum PSP Modchip. This chip allows the user to switch between 2 versions of firmware on the PSP, allowing you to stick with version 1.5 for homebrew, or the latest version for compatibility with the latest games. Of course, this means you need to alter the PSP, void the warranty, etc. And who knows, maybe Sony will come up with a workaround to disable it. But the desire to be able to do this is pretty strong.

According to Andre, the industry currently uses a razor/razor blade model. In short, this means that they sell the console at a loss with the hope that the end user will buy enough games and peripherals to make up the cost. Not a bad model for something like a razor. Chances are you’re going to buy blades in order to use that razor. Though, as one person commented, you can always use them to prop open windows…

So the argument is that since the console manufacturers sell at a loss, we should be locked into using the console to their specifications and no others. Is it my fault that the vendor decided to sell at a loss? Did I make some sort of deal with them stating that if they sold the console at a loss, I would make up the difference in games/movies and peripherals? They’re right that the lower cost is an incentive to buy. If the PSP was twice its current price, I probably wouldn’t have purchased it. And Andre hits on that point :

Some folks point to the fact that they bought the hardware and believe they should be able to do anything they wish with it. Unfortunately, this argument ignores the fact that they’re buying that hardware at below cost, and it’s the razor/razor blade model that makes it even possible to buy at that price. The other solution would be to sell the hardware at a price that covers cost and also includes a profit margin so that selling the console alone (with no game/peripheral/service sales) could be a stand-alone business.

And he goes on to state some problems with this reasoning :

Problem is A) this model already exists (it’s called a PC), and B) selling a console at PC prices (especially with the capabilities the console has in it) would simply be too expensive and no one would buy it. At the end of the day, the cost difference needs to be made up somewhere, and that’s why we need you to buy those razor blades.

So, reason number one is that the PC already exists. Well, it does, but is it portable? Does everyone have the same exact PC as you? The same reasons for creating content on a console are relevant to the desire for homebrew as well. It’s often much easier to develop for a single static platform than it is for a platform that varies from unit to unit. You also need to keep in mind that most, if not all, of the users desiring the ability to create homebrew software already own a PC. It’s the desire to work on a different platform that drives us.

Andre’s second reason is cost. And here I have to agree slightly. If they were to sell the console at cost, then it may be too expensive. Or would it? How much are these companies losing per console? I’ve heard varying numbers, but I think the vendor is the only one who knows for certain.

So, yes, the difference should be made up with peripherals. Hrm. A thought has occurred to me. Maybe they could sell a software development kit! And the necessary hardware to copy code from the PC to the console! Couldn’t that make up a portion of the cost? Yes, I’m aware that they already have development kits for the console, but I can’t afford it, can you? If they released a slimmed down version of the software, minus all of the specialty hardware that usually ships with the SDK (commonly because the actual console has yet to exist prior to them shipping the SDK), then the cost can be reduced quite a bit. Don’t offer support for the SDK, just release it to the public and the public will create the support. Don’t believe me? How about ps2dev, which supports both PS2 and PSP development? There are hundreds of sites on the internet that support PSP development. And hundreds more that support XBox, Gamecube, Gameboy, etc. And none of those console manufacturers has, to my knowledge, released any development code at all. It’s everyday hackers like you and I that are creating the SDKs from scratch and releasing them to the public.


So in short, I don’t see a problem with Modchips in general. There are those people who will use them to pirate and steal, but in all honesty, the Modchip isn’t the reason for that. Pirates are out there to pirate for the pure reason that they can make money doing it. And regardless of the existence of a Modchip, the pirate will continue. Perhaps the need for a Modchip can be reduced if the console manufacturers would give up on this idea of region locking, and open up the consoles to the masses. Let the little guys take a crack at coding. Are you afraid they might create something better than what you have to offer?

Whois Query Fun

network

I ran across a really neat way to use the whois tool in Linux the other day. There is apparently a lot more information available than I knew about! Check out the full article for more.

Basically, in addition to the normal owner/tech contact data that you can get from the standard whois servers, and the IP block assignment information you can get from ARIN, there’s also some additional IP information you can get from Cymru. Specifically, you can run queries against ‘whois.cymru.com’ to determine what ISP hosts/owns the netblock. Check it out :

[user@localhost ~]$ whois -h whois.cymru.com 204.10.167.1

[Querying whois.cymru.com]
[whois.cymru.com]
AS | IP | AS Name

33241 | 204.10.167.1 | EMCS-AS – Endless Mountain Cyb

In addition to that, you can also check another server, ‘v4-peer.whois.cymru.com’ to check for upstream peers. Extremely useful for determining how “connected” a provider is when you’re looking for new service. Or, for determining what providers you need to talk to for help in blocking possible attacks. Check it out :

[user@localhost ~]$ whois -h v4-peer.whois.cymru.com 204.10.167.1
[Querying v4-peer.whois.cymru.com]
[v4-peer.whois.cymru.com]
PEER_AS | IP | AS Name
3593 | 204.10.167.1 | EPIX – EPIX
3737 | 204.10.167.1 | PTD-AS – PenTeleData Inc.
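Both servers answer in the same pipe-delimited layout, so the two sessions above can be turned into records by one small parser. The script below is an added example, not part of the original post; the embedded sample text is reconstructed from the sessions shown (with plain hyphens in the AS names), and `query()` is a hypothetical wrapper around the same `whois -h` command the post uses, so it needs network access while the parser itself runs offline.

```python
"""Parse the output of the Team Cymru whois servers shown in the post."""
import subprocess
from dataclasses import dataclass

# Constructed from the two sessions in the post (the "Cyb" truncation is in
# the original output, not an error in the parser).
ORIGIN_OUTPUT = """[Querying whois.cymru.com]
[whois.cymru.com]
AS | IP | AS Name
33241 | 204.10.167.1 | EMCS-AS - Endless Mountain Cyb
"""

PEER_OUTPUT = """[Querying v4-peer.whois.cymru.com]
[v4-peer.whois.cymru.com]
PEER_AS | IP | AS Name
3593 | 204.10.167.1 | EPIX - EPIX
3737 | 204.10.167.1 | PTD-AS - PenTeleData Inc.
"""

@dataclass(frozen=True)
class AsRecord:
    asn: int
    ip: str
    name: str

def parse_cymru(output: str) -> list[AsRecord]:
    """One record per data row; [bracketed] status lines and the header are skipped."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not fields[0].isdigit():   # header row (AS / PEER_AS)
            continue
        records.append(AsRecord(int(fields[0]), fields[1], fields[2]))
    return records

def query(server: str, ip: str) -> list[AsRecord]:
    """Hypothetical helper: run the post's whois command and parse it (needs network)."""
    proc = subprocess.run(["whois", "-h", server, ip], capture_output=True, text=True, check=True)
    return parse_cymru(proc.stdout)

def contacts_for_blocking(origin: list[AsRecord], peers: list[AsRecord]) -> list[int]:
    """ASNs to approach about traffic from this IP: the owning AS first, then its upstreams."""
    ordered = []
    for rec in origin + peers:
        if rec.asn not in ordered:
            ordered.append(rec.asn)
    return ordered

if __name__ == "__main__":
    origin, peers = parse_cymru(ORIGIN_OUTPUT), parse_cymru(PEER_OUTPUT)
    print(origin, peers, contacts_for_blocking(origin, peers))
```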

Overall, I find this to be quite useful and I’ll definitely be using it! I hope you find it just as useful…