Interview with GenApple founder

After our first article on the GenApple site - which promotes itself as the first information brokerage - Shortinfosec secured an interview with the founder of GenApple, Mr. Mark Hanson.

In summary, the service will need polishing, and GenApple will need to tweak its procedures and operating rules as it goes along.

There may be security and privacy concerns - we are sure that law enforcement agencies will be very interested in peeking into the information being traded, as well as into who is trading it. On the other side of the coin, an information brokerage may become a place where illegal information is traded, so GenApple will have to walk a thin line between the trading of illegal material and the pressure from law enforcement to know everything.

Read the full interview with Mark Hanson, GenApple's founder. For Shortinfosec, the interview was conducted by Bozidar Spirovski.

Bozidar: Let's start with the person behind the idea - as I saw from your LinkedIn profile, you are just 4 years out of university. Is this your first venture?
Mark John Hanson: Yes. This is my first start-up venture. But I had the idea for this site about a year and a half ago, and have been developing it since then. We're very excited about it: the team has been working very hard and we hope to deliver a quality service that people can use, enjoy and learn from.

Bozidar: Could you describe the concept a bit more, of course in layman's terms? At first glance it sounds like eBay, but for bits and bytes.
Mark John Hanson: Sure: what we aspire to be is a place where people can simply buy and sell information and knowledge. At first glance, why would people pay for information or knowledge? The Internet is filled with free information, from search engines, to answer portals, to e-learning portals. However, something is missing - every person throughout their years acquires a lot of knowledge, some of which has little to no value. But every person possesses some knowledge that another person may want---in real life, to gain this knowledge there might have to be a personal relationship. But with our site, we seek to create a marketplace where people, for the first time, can sell knowledge and information that another party may want and pay for.

Bozidar: So what you are promoting is compensation for knowledge that someone has and others require?
Mark John Hanson: Exactly---right now there's lots of knowledge that is not being disclosed on the Internet because people feel it has value. For instance, there are things you are willing to blog about for free---you write about security issues. However, you're a businessman, and there are many other things that you have acquired over the course of your life that you know have real value. We seek a place where you can sell such knowledge, both privately, if you want, and securely.
Yes, there are many answer sites, forums, etc., and for many, many questions a free answer forum is good enough. However, we're not just an answer forum; we hope to be a place where a broad amount of knowledge is shared.

Bozidar: You touch on an excellent subject with the forums - there are commercial forums that offer some form of expert knowledge when you subscribe. These are usually quite technical and have specific target groups in mind. What is your target group?
Mark John Hanson: In the end, we hope to be the destination for any and all types of knowledge; however, starting out, we'll focus on three verticals and expand from there:
  • (1) stock tips and financial knowledge - we want to have a monetary focus when we start, so people who have knowledge or advice about investment strategies can share it. Because of US securities regulation, we'll actively monitor these listings to make sure that inside information is not disclosed or sold.
  • (2) news freelancing --- because of the nature of journalism in the US there are many reporters who are currently unemployed or underemployed. What we want is for people who are journalists, citizen journalists and so on to have a place where they can sell news stories that they'll write and the news organ
  • (3) celebrity gossip and information---we wanted to have a fun and interesting vertical so people will check our site out and follow what is being disclosed at our launch.

Bozidar: The exchange of information will go through GenApple. I'll try to summarize the process as I understood it:
  1. The seller offers a commodity (information) on the exchange
  2. The seller deposits the commodity in the information vault
  3. The buyer and seller agree on a price and transfer funds
  4. The buyer pulls the commodity out of the vault
  5. The buyer receives the funds after a cool down period for disputes

Mark John Hanson: Exactly: there's obviously more detail, and I'll be happy to provide you with our animation intro that explains this; users can also view our "how it works" area. You are concerned with security, and this is utterly important for a business like this. Thus our website has been developed so that each information vault is protected from hackers and people with bad intent. We are certified by McAfee---we also use an SSL certificate from VeriSign, so immediately when people are on our site, all transactions, even a simple search, are secure.
We feel that as an "information brokerage" we should treat our customers as if they're dealing with a bank or financial institution---information and knowledge is valuable. Moreover, when people sell information, they want to keep their identity private because of the nature of the transaction---to us privacy is a form of security. We want people to know that if they use this site, their identity is kept safe and will not be disclosed to anyone, period.

Bozidar: You use a very strong statement there: "protected from hackers". In the world in which I live, something hasn't been hacked only because a hacker still hasn't found the vulnerability to exploit, or the interest in exploiting it. So for argument's sake, let's say that a hacker manages to break in and he/she/they steal information or redirect funds. Do you accept any responsibility for the damages caused to the parties involved?
Mark John Hanson: I do have confidence in our site's security and McAfee Secure---we will do our utmost to protect the information that people have disclosed to us---as to your question, our user agreement discloses precisely what responsibilities each party undertakes.
Bozidar: So on this particular site it is very wise to read the agreement, not just click the "I Agree" button?
Mark John Hanson: What we want is for every user to read the user agreement and privacy policy before they sign up---we have links to these agreements on the registration page. The reason for this is so that the user knows what to expect from us and also what we expect from every user. This marketplace depends on GenApple to create a safe, easy, secure place to do a transaction.

Bozidar: In your first target vertical you mention US regulation. On my attempt to register I saw that the registration address can only be a US address. Does this mean that every user of GenApple needs to be under US jurisdiction?
Mark John Hanson: For right now we're limiting it to the United States; however, probably very soon we'll open it up to many different countries---this is partly based on how we pay. We have two payment methods to pay sellers: (1) PayPal and (2) a bank check mailed directly to a user's home. PayPal is not available in every country, and a bank check is limited to North America.

Bozidar: Not quite - Google mails checks all over the planet.
Mark John Hanson: Google as a business does this---I'm not aware of a payment service that they have; however, we prefer to use a bank so our users are confident that the check they receive can be cashed. In the future we could mail checks to users around the globe---if we reach that point, we'll be happy to provide that service.

Bozidar: Let's talk a bit about the actual commodity - information. What type of physical information can be stored in the data vault - text files, Excel spreadsheets, images, encrypted files? Is there a limitation? And of course, to what size?
Mark John Hanson: No limitation as to the type of files---we are looking at limitations right now---we also provide a textual entry area for people to disclose their information if it's just a short sentence. So we're still trying to set a balance, and when we launch we'll note the file size limitation within the information vault.

Bozidar: Well, since the actual information can basically be any type of file, you may be faced with a very unpleasant situation - the buyer agrees with the seller, transfers the funds and receives nothing useful, so he disputes - or a far worse scenario: the buyer got what he requested, but he/she still wants to cheat and disputes nevertheless. How are you planning on coping with 'fraudsters' on both the selling and the buying side?
Mark John Hanson: Very good point---hence our business model: as we note up front, we are an "information brokerage" --- we are dealing with the intangible, unlike eBay or many sites that sell tangible products---it's much harder to police fraud when dealing with the intangible. The buyer wants to know that he or she is getting what he or she is paying for, and the seller wants to know they're getting paid. Hence as a brokerage we assist in every transaction; as the user agreement says, we are not a party to a transaction, but we do the following:
  • (1) in every listing, potential buyers can ask the seller questions directly before they buy
  • (2) the buyer can look at the seller's feedback rating and take that into consideration--with more positive feedback being good
  • (3) besides the summary, there is the veracity statement, which is where the seller can state how he or she came to acquire such information or knowledge
Mark John Hanson: So up front, we want to give the buyer as many opportunities as possible to make an informed purchase. However, to go to your point--what if the seller's information is bad, or the buyer unfairly disputes a transaction? Hence our dispute system, which is noted in our user agreement---we take a look at the positions of the buyer and seller---and we make the final decision for them. This is a high standard, which we use to discourage buyers who unfairly file disputes. We want to protect our buyers as much as possible, and if it seems that fraud exists, then we'll issue a full refund. Each dispute is handled on a case-by-case basis---but each party agrees not to appeal GenApple's final decision.

Bozidar: A bit more on the content of the information - if it is encrypted, then you may be facilitating transactions involving the exchange of illegal information: like access passwords, industrial secrets, or plans to make bombs.
Mark John Hanson: Yes---all valid points---this goes into our privacy policy. You certainly know the concept of a safety deposit box. We treat every information vault as a safety deposit box. If we as a service look into those vaults, then sellers may feel insecure from the get-go; when people deposit into a safety deposit box, they want privacy. To combat possible illegal activities our best course of action is thus to be diligent---any listing that we see that's suspicious will be deleted. We have on every listing page a "report listing" function, with which any user can immediately file a report if such a listing looks bad. If there is a dispute or an illegal transaction, as per the user agreement, we'll comply with governmental authorities.

Bozidar: So I'll speak the lingering question on everybody's mind at your launch: will law enforcement and intelligence agencies get full access to all information vaults? I know that your policy states that you'll supply law enforcement with information in case of an investigation; but what about the broad view?
Mark John Hanson: What we're trying to do is strike a balance, which could change as the site matures. As per our user agreement, all vaults are secure from us and the public unless there is a dispute or a request from a law enforcement agency. We will not under any circumstance turn over private information or an information vault unless forced to do so---we can only promise to take each instance as a case, and that's all I can say at this point that's not already disclosed in our user agreement, but you have a balance: sellers must be confident in the privacy of a transaction.

Bozidar: You gave a good argument that you as an information broker actually cannot know what all the transactions are - thus you are not responsible for any wrongdoing of the users. But still, a similar argument was applied by Napster and the Pirate Bay - and yet they got sued for facilitating the illegal exchange of information.
Mark John Hanson: Well, in our user agreement, if someone does do something illegal, they are liable for our defence costs. But you are correct, there might be people who do illegal things. We'll do our very best to create the best marketplace possible.

Bozidar: Are you actually worried that it may come to GenApple being sued in situations similar to the Pirate Bay? They did claim plausible deniability but are now in prison.
Mark John Hanson: All I can say is that we drafted our user agreement with your question(s) in mind, but I cannot speculate about what'll happen in the future---no one knows.

Bozidar: Mark, I want to thank you for all the information we got in this interview. One last question - what does GenApple stand for?
Mark John Hanson: Yes--hehe--every Internet company needs a name that's short and memorable--the root "Apple" comes from the fruit of the tree of knowledge of good and evil. I was looking for adjectives because obviously "Apple" is taken. I did find that "gen" is British slang for information, hence the word GenApple.

Do you like this product? What security concerns might you have about GenApple? Please add your 2 cents in the comments.

Related posts
GenApple - First Glance at the First Information Brokerage

Tutorial - Breaking Weak Encryption With Excel

A good encryption algorithm is essential to functional security. And yet there are a lot of misguided initiatives to use an 'internal', 'trusted' and 'secret' algorithm. Obscurity IS NOT security, and an algorithm that hasn't passed external scrutiny may be fundamentally flawed. If you go down that road you may even find your encryption broken by non-programmers.

Here is a tutorial on how easy it is to crack an encryption scheme that is not properly designed.
For this tutorial, we are going to work with a really simple and weak algorithm - XECryption.

Here is a narrative summary of the algorithm:

  • The password the user chose is first turned into a number by adding up the ASCII values of all of its characters. This total is the encryption key.
  • Each letter of the message is encrypted on its own: the key is added to the letter's ASCII value, and that sum is divided by three. A random number between -10 and 10 is added to the result to produce the first number of a triplet; the same is repeated to produce the second number. The third number is whatever remains when the first two are subtracted from the original sum (ASCII value plus key), so the three numbers always add up to that sum. Every letter in the encrypted message therefore takes the form ".193.144.164".
  • When decrypting, the key is derived from the password in the same way. The three numbers of each triplet are added together and the key is subtracted; the result is the ASCII value of the letter.

So, in summary, an XECryption encrypted message represents each letter as a triplet of numbers. Here is a sample XECryption encrypted message for your exercise.

Most readers will already have noticed that the algorithm has plenty of flaws. Here are the ones we will use:
  1. There are multiple valid decryption passwords - any combination of characters whose ASCII values add up to the same number produces the same key, and the key is all that decryption needs. In essence
  2. The key is also contained within the message itself: every triplet total is a letter's ASCII value plus the key.
  3. The key space is tiny, so the algorithm is extremely easy to brute-force.
Here is how to approach this crack, and you won't even need to program anything:
  1. First, remember that every triplet total is the key plus a letter's ASCII value, and an ASCII value is never negative. The key therefore cannot be larger than the lowest triplet total in the message (in practice it is at most the lowest total minus 32, since printable characters start at ASCII 32).
  2. Once you find the lowest triplet total, try every number from that total down to zero as the candidate key - in essence, just brute-force the text.
  3. If you write a program to do the brute-forcing, it needs logic that recognises the real solution among the candidates. This is usually done by counting how many of the calculated ASCII codes are letters, digits and punctuation marks; if the percentage is high, the candidate is a possible solution.
  4. If you use Excel, your brain does the pattern matching - a human easily spots words and picks out the solution.
  5. To use this approach, simply paste the encrypted text into an Excel sheet and create sums of every three numbers. These sums are the triplet totals that need to be decrypted.
  6. Place the sequence of triplet totals in row 1, starting at column B. In cell A2 put the minimum of the totals (=MIN(1:1)), and fill column A downwards with every number from that minimum down to 1 - one candidate key per row.
  7. Then, in every cell from row 2 downwards under a triplet total, subtract the candidate key in column A from the total in row 1 and convert the result to a character: in cell B2 enter =CHAR(B$1-$A2) and fill the formula across and down. Each row now shows the message decrypted with the key in column A; cells whose difference falls outside 1-255 show #VALUE!, which rules that row out immediately.
  8. Start reading the rows and find your solution. Here is an Excel file example of a decryption - the word 'hello' encrypted with the password 'hi'.

Once you discover your most probable solution, just use the key at the start of that row together with the encrypted message on this site to check.
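The same attack in code, as an added example that is not part of the original tutorial and is not the Excel sheet it refers to: an implementation of XECryption exactly as summarised above (key = sum of password bytes, each character becomes a triplet whose sum is the character plus the key), a brute-forcer that walks the candidate keys, and a scoring function that stands in for the human reading the Excel rows. It goes one step beyond the tutorial by tightening the key range from both sides: assuming printable ASCII plaintext (32..126), the key can be no larger than the smallest total minus 32 and no smaller than the largest total minus 126. The sample message, the `seed` parameter and the small common-word list are constructed for this example.

```python
import random
import re
import string

PRINTABLE = set(string.printable)
# Constructed word list, used only to rank candidates; any larger dictionary works better.
COMMON_WORDS = {"the", "and", "of", "to", "in", "is", "it", "that", "for", "on",
                "with", "as", "at", "me", "you", "we", "this", "be", "are", "by"}


def key_from_password(password):
    """XECryption key: the sum of the ASCII values of the password characters."""
    return sum(ord(c) for c in password)


def encrypt(plaintext, password, seed=None):
    """Encode each character as a triplet '.n1.n2.n3' whose sum is ord(ch) + key.
    seed is an assumption for reproducible output; XECryption itself is random."""
    key = key_from_password(password)
    rng = random.Random(seed)
    out = []
    for ch in plaintext:
        total = ord(ch) + key
        third = total // 3
        n1 = third + rng.randint(-10, 10)
        n2 = third + rng.randint(-10, 10)
        n3 = total - n1 - n2          # forces n1 + n2 + n3 == total
        out.append(f".{n1}.{n2}.{n3}")
    return "".join(out)


def triplet_totals(ciphertext):
    """Sum each triplet; every total is ord(ch) + key for one character."""
    numbers = [int(tok) for tok in ciphertext.split(".") if tok.strip()]
    if len(numbers) % 3:
        raise ValueError("ciphertext length is not a multiple of three")
    return [sum(numbers[i:i + 3]) for i in range(0, len(numbers), 3)]


def decrypt(ciphertext, key):
    """Legitimate decryption: subtract the key from every triplet total."""
    return "".join(chr(total - key) for total in triplet_totals(ciphertext))


def readability(text):
    """Score a candidate plaintext: 0 if it contains non-printable characters,
    otherwise the share of letters and spaces plus one point per common English word."""
    if not text or any(ch not in PRINTABLE for ch in text):
        return 0.0
    letters = sum(ch.isalpha() or ch == " " for ch in text) / len(text)
    words = re.findall(r"[a-z']+", text.lower())
    return letters + sum(w in COMMON_WORDS for w in words)


def candidate_keys(totals):
    """Every total is key + ord(ch). For printable ASCII plaintext (32..126) the key
    lies between max(totals) - 126 and min(totals) - 32; the tutorial's looser bound
    (smallest total down to 0) always contains this range."""
    low = max(0, max(totals) - 126)
    high = min(totals) - 32
    return range(high, low - 1, -1)


def crack(ciphertext, limit=5):
    """Brute-force the key; return the best candidates as (key, plaintext, score)."""
    totals = triplet_totals(ciphertext)
    ranked = []
    for key in candidate_keys(totals):
        text = "".join(chr(t - key) for t in totals)
        ranked.append((key, text, readability(text)))
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked[:limit]


if __name__ == "__main__":
    # Constructed sample message; not the exercise text from the original article.
    message = "attack at dawn, meet me at the old mill"
    ciphertext = encrypt(message, "hi", seed=7)
    print(ciphertext)
    for key, text, score in crack(ciphertext):
        print(f"key={key:4d} score={score:.2f} {text!r}")
```

Because the key is the only secret and the password is never needed, `decrypt` works with any password whose character values add up to the same number ("hi" and "ih" both give 209), which is the first flaw from the list above made concrete.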

So, go ahead and try the described methodology - and post the identified source (author and book) of the encrypted text.
Every successful identification gets an honorable mention and a link in the followup article!

Talkback and comments are most welcome

Related posts
TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop
Windows 7 Full Disk Encryption with Truecrypt
Tutorial - Hidden Operating System with Truecrypt
Tutorial - A Poor Man's Secure USB
Hardware Security Module for Dummies

GenApple - First Glance at the First Information Brokerage

The Internet has become a transfer medium for a lot of new business models, some of which have failed and others of which are thriving. In this environment there is a new service called GenApple, which boasts of being the 'first information brokerage in the world'.

With a business model similar to eBay, GenApple facilitates the selling and buying of information. A seller offers some information either at a fixed price or via an auction. The difference from eBay is that GenApple acts as an escrow - an impartial third party trusted by both seller and buyer:

  1. GenApple will hold the offered information in a special 'vault' until the trade is concluded, and then let the buyer obtain it from the 'vault'.
  2. Similarly, GenApple will hold the buyer's payment until the dispute period has passed, in order to facilitate a refund in case of a dispute.
This new service opens up a whole set of questions and possible security issues, since it deals with a commodity whose characteristics differ from those of physical objects:
  1. Information can be abstracted from physical location
  2. Information can be copied perfectly many times, without any loss and without any evidence that it has been copied
  3. Information can be sniffed during transfer
  4. Information can be accessed/destroyed/corrupted by a malicious attacker
  5. Information can be instrumental in performing illegal activities while never physically being part of the illegal activity
  6. The quality of information can be disputed or misunderstood
GenApple is still in beta, and registration is currently open only to US-based users - an interesting choice which may or may not have to do with US law enforcement agencies being fully capable of prosecuting users in case of trading of confidential information.

Still, the Pandora's box of trading in information is open, and the security community needs to follow the development of this and other similar services with great attention.

GenApple has scheduled its launch for Monday, 30th of November 2009. Just before the scheduled launch - on Sunday - I'll be talking to Mark Hanson, the founder and CEO of GenApple.

So while GenApple launches, tune in to Shortinfosec for the full transcript of the interview, which will focus on fraud, encryption and external security!

Talkback and comments are most welcome

Related posts
Interview with GenApple founder
Whisperbot - No thanks, I'll use e-mail
No Privacy - Saw You Cheating on Image Search

How To - Malicious Web Site Analysis Environment

There are numerous sites and server-side scripts which attack their visitors or simply cause them unpleasant problems.

The latest one to gain prominence, although it does not really cause much harm, is "Want 2 C Something Hot?". It is an elegant CSRF (cross-site request forgery) which simply shares itself on the Facebook profile of the visitor.

The careful visitor will simply steer away from such links. The careful but curious visitor would want to see what such code does, but in a safe environment. So, here is a sample environment for a safe preliminary analysis of a malicious web site:

  1. The analysis computer - a cleanly installed VMware Windows XP SP3 guest OS. Configure the guest with bridged networking, and configure your host OS firewall to block all communication from the guest's IP address to the host's IP address. Bear in mind that bridged networking places the guest directly on your LAN, so the same block should be applied on any other machine on that network that you care about.
  2. The protective shielding - the guest OS should run an up-to-date antivirus product. We recommend AVIRA, with active heuristic scanning. Also include an anti-malware tool, like Spybot - Search and Destroy.
  3. The analysis tools - now is the time to fire up your arsenal:
    • Wireshark/Ethereal - all traffic should be captured with a network sniffer, so that if the application-level tools miss something you can always fall back on the packet capture. Set the sniffer to save the capture to disk automatically, and start the sniffer before you start surfing!
    • The latest Firefox with the Firebug add-on - all request/reply communication will be tracked through Firebug. This is the application-level tool that will help you start dissecting the communication to and from the browser, and what is actually received.
The results of running "Want 2 C Something Hot?" through Firebug are shown in the next image. From there you can start dissecting each request and reply to fully understand the sequence of events.

Please note that the results are not magical, and that by using this toolset alone you won't become an instant security analyst or a hacker. This is just a safe environment for the analysis of web sites.

Talkback and comments are most welcome

Related posts
Google's Ratproxy Web Security Tool for Windows
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities
Checking web site security - the quick approach

Database Admin Hacking his Ex Firm - Is It All His Fault?

Data Breaches has just published a report that a former GEXA employee pleads guilty to computer intrusion.

According to the article, here is what happened:

Kim remotely accessed the GEXA Energy computer network and the GEXA Energy Management System (GEMS) database. While connected to the GEXA Energy computer network, Kim recklessly caused damage by, among other things, issuing various Oracle database commands which created a new data table in the GEMS production database which, when copied to the GEMS staging database, caused the automated script to fail thus impairing the availability of data.

As a result of Kim's intrusion into their protected computer system, GEXA Energy incurred a loss of at least $100,000, the costs associated with troubleshooting, securing and repairing the GEXA Energy computer network and the GEMS database. Kim was indicted in June 2009.

We quite agree that the former employee's access was illegal, and that he probably caused a lot of sleepless nights for the admins and security officers and a lot of stress for GEXA management.

But GEXA blames the ex-DBA for some of the wrong reasons. Let us break down the stated loss amount of $100,000:

  • Troubleshooting the issue - the problems were actually caused once the production system was copied into staging, so it is quite probable that production was not impaired, at least not in any significant way. Troubleshooting was therefore a couple of man-days, which by any salary standard could not cost more than $4,000.
  • Securing the GEXA systems and network - the incident was made possible by inadequate security measures at the procedural, network and database levels. Any costs incurred by GEXA to beef up and revise its security would have had to be spent regardless of the incident. In our opinion, these costs should be attributed to the GEXA Information Security Officer, the Head of Internal Audit, the HR Officer and the last external auditor of the computer systems.
  • Repairing the GEMS database and computer network - this part was mostly a witch hunt for rootkits, trojans and breaches of integrity, one that has to be performed after any breach. This is really the only segment that the ex-DBA should be accountable for.
In conclusion, GEXA did suffer a lot of grief from this incident, and we commend them on their success in identifying the attacker.

But in reality, the incident was caused by a huge gap in security procedures and controls, items for which people at GEXA are accountable. So a deep look inward is also in order.

Talkback and comments are most welcome

Related posts
San Francisco WAN Lockout - Pointing Fingers at Everyone Responsible
Control Delegated Responsibility

HTTPS Data Exposure - GET vs POST

Here is a quick chart showing the data exposure when considering GET vs POST, and also HTTP vs HTTPS.

  • URL arguments refer to arguments in the URL for GET or POST (e.g.
  • Body arguments refer to data communicated via POST parameters in the HTTP request body.
NOTE: This chart does not address client-side caching of temporary files. Caching is a separate issue from the protocol selection and should be addressed with appropriate Cache-Control headers.

A quick conclusion: the secure choice for transmission of any sensitive data is to use POST requests over SSL/TLS. Any other option will expose the data at some point in the communication. Note that TLS only hides the URL from observers on the wire; URL arguments still end up in browser history, in the Referer header of any outgoing link, and in the access logs of the server and of any TLS-terminating proxy in front of it, so sensitive data in a query string is exposed even over HTTPS.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
Web Site that is not that easy to hack - Part 1 HOWTO
Tutorial - Secure Web Based Job Application

How to Trust Cloud Computing

Cloud computing is becoming more and more the buzzword of every conference, meeting and article. Yet it is still in its inception, and there are a multitude of issues and problems. Cloud services are springing up like mushrooms after rain, and all the big players want a piece of the pie.

Dark Reading discusses Quelling 7 Cloud Computing Fears, in which it touches on the issue of trust and security. The author recommends that cloud computing providers be proactive in gaining the trust of their users and potential users.

How do we decide when we trust the cloud?
Here are the mechanisms by which we can approach the level of trust that we have in our infrastructure for the cloud. But bear in mind that each approach has its own pitfall!

  1. Encryption - Most readers will immediately think of encryption. Yes, it is a good idea, but is it enough? Regardless of the algorithm used, you always depend on the actual implementation of that algorithm. If the implementation is flawed, there can be back doors into your data. And you can't control or check an implementation that runs in the cloud; the only implementation you can check is the one on your own side, encrypting the data with keys you hold before it ever leaves you.
  2. Certification to Security Standards - A logical industry choice: if you are certified to a security standard, all is good and well. But tread very lightly and be very careful about this: most security standards are quite flexible, and you can choose to certify only a subset of your operations. So a security certificate for the data transfer subsystem won't do you much good when you are using the cloud to store your customer database - the data storage and processing subsystem may not even be up to the security level of your home PC!
  3. Compensating Penalties (Contractual and via Litigation) - You can try to define penalties for breaches of security within the service contract. But the cloud provider will cap such penalties at a limit which may be far below what you estimate your financial impact to be, and will simply refuse to offer the service if you insist on full penalties. And unless you have an army of international lawyers on your payroll, don't even try to go into litigation - you'll end up losing even more money in the trial.
  4. Insurance - Transferring the financial impact of a failure can be an elegant solution. But the insurance company will start asking the same questions about trusting the cloud provider, and can quite easily add a significant premium to your policy.

There is no magic wand that will make users suddenly increase their trust in cloud computing services. But agreeing on a common standard for what must be met in terms of confidentiality and integrity is a step in the right direction.

We recommend these minimum requirements:
  • Always insist on the cloud provider holding a valid security standard certificate which covers the entire scope of the services that you plan to use.
  • Contractual penalties should be in place for everything that can be quantified. This means that you'll even need to quantify the loss of every byte of data.
  • Where the cloud service you use allows it, encryption should be applied to the data stored/processed in the cloud.

Talkback and comments are most welcome

Related posts
Cloud Computing - Premature murder of the datacenter
Datacenter Physical Security Blueprint

IT Risks vs. Information Risks

As an Information Security professional I think it is increasingly important to understand the difference between IT Risks and Information Risks. You should also understand the advantages in enabling business strategies that come from branding each of these risks accordingly.

Here are my high level definitions:

  • IT Risks - The probability that a vulnerability of an information technology solution or asset will be exploited and the likely damage from the exploitation.
  • Information Risks - The probability that information/data can be exploited and the likely damage from the exploitation.

While these may seem similar to the layman, they should clearly be viewed and positioned differently by the Information Security professional. Here's why:

  • IT Risks should have a focus on technology, while
  • Information Risks should not have a focus on technology

By clearly positioning the two as different, it is easier to delineate responsibilities when partnering with the business on managing risks. Knowing who owns what always increases your chances of being successful. IT Risks, given their technology orientation, will rightfully land more on the plate of IT professionals to manage than on the business's. Information Risks should accordingly land more on the business side. When I say "land" from a responsibility standpoint, I mean from a custodianship standpoint, not who is ultimately (final review/approval) accountable. The business is always ultimately accountable for managing risks.

By leveraging these two definitions, not only are you better able to delineate responsibility, you also ensure that vulnerabilities in non-technology related areas are more effectively addressed through the lens of "Information Risk". For example, if one solely focuses on IT Risks related to privacy breach, one can too often overlook the many vulnerabilities related to privacy risk in things like supervisors approving inappropriate access to personal information or poor physical security of offices containing personal information.

You may encounter different terminology for the above two risks. Don't get hung up in terminology. You can call these two things anything you want. Some call IT Risks -(Technology Risks), some call Information Risks - (Data Risks), some even call Information Risks - (IT Risks). Just know that one of these deals with the risk associated with technology being exploited, which of course can have an impact on information, but also on a lot of other things. The other is focused solely on the information and data, and should not be solely tied to technology factors.

This is a guest post by Mark Brooks, a consultant and leader in the field of global information risk, security, and compliance.

The original text is published on IT Security Blog. Mitigating Risks. Enabling Business Strategies


Information Security and Strategy Carnival - issue #5

For the fifth issue of the Information Security and Strategy Carnival, I am pleased to present the following texts:

Please send submissions by the 25th of each month to e-mail: shortinfosec _at_ gmail dot com


OWASP Publishes Top 10 Web App Security Risks for 2010

Last night the OWASP project published the 2010 issue of their Top 10 Web Application Security Risks. The list is still in Release Candidate status, so it may change. The difference from the previous lists, according to the statement by OWASP:

A significant change for this update will be that the OWASP Top 10 will be focused on the Top 10 Risks to Web Applications, not just the most common vulnerabilities. At the conference will be the debut of the release candidate of the new Top 10, which will open up a 60 day comment period.

As a summary, the top 10 risks to your Web Apps are:
  1. Injection flaws
  2. Cross Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Failure to Restrict URL Access
  8. Unvalidated Redirects and Forwards
  9. Insecure Cryptographic Storage
  10. Insufficient Transport Layer Protection
It is evident that OWASP hasn't reinvented the wheel, and that this list has already been discussed for years. Yet it still falls on deaf ears for many developers - even large development companies.

You can download the full list document here, with detailed explanation of each risk.


Analysis of Windows Security Logs with MS Log Parser

When investigating an intrusion in a Windows system, one of the first places to start is the Windows security log. The security event log is also very useful when searching for anomalies and possible intrusions.

Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you go commercial, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!

The tool
The tool in question is Microsoft Log Parser. Log Parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So, you can use it to analyze most structured text-based files as well as the event log and AD on a single computer.

You can query remote computers on the network, as long as the credentials that Log parser is running under can access the data sources on the remote computers.

For the Security Log, you need to run Log Parser as administrator. Note that this tool doesn't collect data from multiple computers; it just analyzes data in a single file or a single computer's repository.

The improved interface
In its original form, Log Parser is a command line tool, so it is not the most user friendly tool in the world. Also, it has no way of saving/storing your prepared queries so you can invoke them later. But a promising developer named Dimce Kuzmanov created a free frontend to Log Parser called Log Parser Lizard.

Log Parser Lizard enables you to store the prepared queries, and organizes them by the type of data source on which you wish to do an analysis. It also includes the ability to export results to Excel, autogenerates charts from the result of the executed query, and offers the ability to export the queried subset into the original format from which the analysis was performed.

Analyzing the Security Log with Log Parser Lizard
Using Log Parser Lizard for Security Log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. Here are some examples:

  • SELECT * FROM SECURITY - simple dump of all data from the security log
  • SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID - analyze what types of events appear in the security log and in what quantity
  • SELECT * FROM SECURITY WHERE EVENTID = 517 - find whether the security log was cleared in Win2000/XP/2003 (EventID is a numeric field in Log Parser's event log format, so the value is not quoted)
After you create the query, choose the appropriate category, then click the 'Generate' button to execute the query. You can also graph the results by choosing the Chart->Visible option.

Analyzing the Security Log is always a useful part of your security controls, so you need to include it in your routine operations. And until you buy a SIEM system that will run an automatic and scheduled analysis, you should adopt a simple tool like Log Parser and Log Parser Lizard.
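As an added example (not from the original post, Log Parser or Log Parser Lizard), here is a small Python script that runs the same three checks over a constructed CSV export of the Security log, such as Log Parser can produce: dump all rows, count per event ID, and detect a cleared log. It goes beyond the post by also recognising the Vista/7 "audit log cleared" ID 1102 and by tallying failed logons per account (event 529 on Win2000/XP/2003, 4625 on Vista and later); the column names, the '|'-separated Strings layout and the sample rows are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample: a CSV export of the Security log. The column names
# (TimeGenerated, EventID, EventTypeName, Strings) and rows are assumed.
SAMPLE_CSV = """TimeGenerated,EventID,EventTypeName,Strings
2009-11-20 08:01:10,528,Success Audit event,alice|WORKSTATION|2
2009-11-20 08:02:15,529,Failure Audit event,bob|WORKSTATION|2
2009-11-20 08:02:17,529,Failure Audit event,bob|WORKSTATION|2
2009-11-20 08:02:19,529,Failure Audit event,bob|WORKSTATION|2
2009-11-20 08:03:00,529,Failure Audit event,alice|WORKSTATION|2
2009-11-20 08:05:42,517,Success Audit event,admin|WORKSTATION
2009-11-20 08:06:01,528,Success Audit event,admin|WORKSTATION|2
"""

# "The audit log was cleared": 517 on Win2000/XP/2003 (from the post),
# 1102 on Vista/7/2008 (added here).
LOG_CLEARED_IDS = {517, 1102}
# Failed logon: 529 on Win2000/XP/2003, 4625 on Vista and later.
FAILED_LOGON_IDS = {529, 4625}


def load_events(text):
    """Equivalent of SELECT * FROM SECURITY: every row as a dict, EventID as int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def count_by_event_id(events):
    """Equivalent of SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID."""
    return Counter(e["EventID"] for e in events)


def log_cleared_events(events):
    """Equivalent of SELECT * FROM SECURITY WHERE EVENTID = 517 (plus 1102)."""
    return [e for e in events if e["EventID"] in LOG_CLEARED_IDS]


def failed_logons_by_account(events, threshold=3):
    """Accounts with at least `threshold` failed logons. The account name is
    assumed to be the first '|'-separated field of the Strings column."""
    per_account = Counter()
    for e in events:
        if e["EventID"] in FAILED_LOGON_IDS:
            per_account[e["Strings"].split("|")[0]] += 1
    return {acct: n for acct, n in per_account.items() if n >= threshold}


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    print("events per ID:", dict(count_by_event_id(evts)))
    for e in log_cleared_events(evts):
        who = e["Strings"].split("|")[0]
        print("security log cleared at", e["TimeGenerated"], "by", who)
    print("accounts with repeated failed logons:", failed_logons_by_account(evts))
```

A log-cleared event in the output is worth treating as an incident in itself, since there is rarely a legitimate reason to clear the Security log outside a documented maintenance window.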


Role of Information Security Manager

As the Information Security Manager you will take responsibility for developing, maintaining and monitoring compliance with all information security policies and procedures.

The successful Information Security Manager will:

  • perform security risk analysis and risk management,
  • perform security tests,
  • manage internal audits on information security processes, controls and systems.
You will take responsibility for developing and maintaining the organization's disaster recovery and business continuity plans for information systems, and for monitoring changes in legislation and accreditation standards that affect information security.

You will provide guidance and consultation on projects for IT Security related risks and issues.

The successful Information Security Manager must be qualified to degree level in a numerate subject (e.g. Computer Science, maths, engineering) and possess a professional level Information Security certification such as CISA/CISM/CISSP/SSCP. You will possess a minimum of 5 years' experience in Information Security Management and be well versed in ISO 27001 accreditation.

This is a guest post by Venu Potumudi, an Information Security Manager. The original text is published on Making of ISM.

Reminder Tutorial - Enable Auditing on Windows 7

Auditing is one of the major tools used in detecting system intrusions or malicious activity on systems and networks. And yet, even in its 'secure by design' incarnation - Windows 7 - the Microsoft client OS does not log event entries in the security log out of the box.

So here is another reminder on how to enable auditing on your system. To enable auditing on a computer running Windows 7, use the same approach used in every standalone Windows OS starting from Windows 2000 Pro:

  1. Open the Control Panel.
  2. In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
  3. In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit.

We recommend that you audit the following events with the types of audited events specified in the parentheses:
  • Audit account logon events (Success, Failure) - This setting determines whether the OS audits each time this computer validates an account’s credentials.
  • Audit account management (Success, Failure) - This setting determines whether to audit each event of account management on a computer.
  • Audit directory service access (Failure) - This setting determines whether the OS audits user attempts to access Active Directory objects.
  • Audit logon events (Success, Failure) - This setting determines whether the OS audits each instance of a user attempting to log on to or log off from this computer.
  • Audit object access (Failure) - This setting determines whether the OS audits user attempts to access non-Active Directory objects.
  • Audit policy change (Success, Failure) - This setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.
  • Audit system events (Success, Failure) - This setting determines whether the OS audits any of the following events: Attempted system time change; Attempted security system startup or shutdown; Attempt to load extensible authentication components; Loss of audited events due to auditing system failure; Security log size exceeding a configurable warning threshold level.

To view the resulting audit events, start Event Viewer and choose Windows Logs -> Security.


200 Posts on Shortinfosec

We are celebrating 200 posts on Shortinfosec.

Here are some statistics:

  1. Active for 1 year and 9 months - Shortinfosec started on 15 February 2008
  2. 200 original posts written
  3. 60,151 visits since it went active
  4. 3 changes of design
  5. 2 periods of author's inactivity (very bad form!)
Keep reading, a lot of new content will be arriving soon!

Digital Forensics Framework - A Perspective Forensics Tool

After Helix Forensic went commercial, open source computer forensics is missing a tool that integrates the required forensic techniques as well as Helix did.

The tool
A group which calls themselves ArxSys have developed a Python based Forensic Analysis Tool, which they call Digital Forensics Framework (DFF).

DFF can be installed on Linux and Windows, and is functional even under Windows 7. The general architecture of the tool is a central container program into which different forensic functions can be added as building blocks, to create a fully integrated forensic environment.
In comparison, most current open source tools are merely wrappers for a whole myriad of standalone tools.
While this architecture is a visionary one, its strength is also its weakness: all functions need to be written for this framework, which will slow down development of DFF as a full solution. At its current state of development, DFF can handle disk dumps in FAT, but not NTFS nor memory dumps.

Another very important drawback is that DFF has no functionality for Forensic Acquisition, so the forensic investigator still needs additional tools.

Digital Forensics Framework is still a very 'young' product. It is focusing only on forensic analysis, with no initiative on forensic acquisition and documentation. The strong sides of the product are the flexibility and ease with which new python scripts can be added.
At this moment, it's not the first choice for a forensic investigator's tool-chest, but we will follow the development of the product.


Example Risk Assessment of Exchange 2007 with MS TAM

In our previous post, we discussed the process of risk assessment assisted with Microsoft Threat Analysis and Modeling. While that post was purely theoretical, we are following up with a sample risk assessment of an IT service - Exchange 2007 infrastructure.

The assessment is based on the prototype design of a Microsoft Exchange infrastructure, and all Exchange roles are treated as separate components/servers. An Active Directory domain controller is added to the infrastructure since Exchange is integrated with it. Also, we added a Mailbox database role, just as an example that we can dissect the roles to the depth that we need.

The elements
The analysis contains the following components. Add them to the appropriate container within MS TAM.
User roles

  • Exchange Admins - all administrators of the infrastructure
  • Exchange Users - users of all Exchange services
  • Exchange OWA Users - users of Online Web Access (webmail users)
  • External mail users - users of other mail servers on the internet
Components with Service Roles
  • Mailbox Server with Mailbox Server Service Role
  • Hub Transport Server with Hub Transport Service Role
  • Edge Transport Server with Edge Transport Service Role
  • Client Access Server with Client Access Service Role
  • Mailbox Database with Mailbox Database Service Role
  • AD Domain Controller with Domain Controller Service Role
External dependencies
  • External Mail Servers
The data processed within this infrastructure is the following:
  • E-mail message - the main target, the incoming and outgoing e-mail messages.
  • Exchange address - your e-mail address
  • Exchange Configuration - All Exchange Roles Configuration - Stored within Domain Controller
  • Login Credentials - username/password

Use cases

We have limited the use cases to the most basic and essential activities within this infrastructure. For each use case you will need to include the necessary calls to make it functional.
  • Receive External E-mail
  • Read E-mail Via POP3 /IMAP/OWA
  • Send E-mail To Exchange User
  • Exchange Admins Manages Exchange Accounts
  • Send E-mail to External Address
Also, the assessment has additional relevancies:
  • Component utilizes Power Supply - The component is susceptible to power failures
  • Component utilizes Communication Links - The component is dependent on functional LAN/WAN links to perform its function
  • Component utilizes Disk Capacity - The component stores data and relies on disk storage, thus it can lose data if the disk fails or its capacity is filled
  • Component is a Physical Object - The component is a physical object and can be physically accessed, stolen or tampered with, or ultimately, it can fail

The analysis
After setting up these elements, click Tools->Generate Threats. Choose Generate Threats based on all of your calls, and use Intelligent Append.
The resulting set of risks can be confusing, since they are autogenerated and have generic names. You will need to read through them, and possibly merge two or more into one, since they can be addressing the same risk.

After you have finished the filtering, you need to define the Probability and Impact of each risk, and select the Risk Response as well as countermeasures from the offered set. This task is very time consuming and often difficult. You should always employ the assistance of a subject matter expert who can give you valuable input.

When you do this for every risk, you have finished the risk assessment.

The Report
As we pointed out in the previous post, the most useful report template for risk analysis does not exist in the predefined reports, but can be downloaded here.
The final risk analysis report for this infrastructure can be downloaded here.
Also, you may benefit from the Comprehensive Report, which is included in the templates of MS TAM.

We hope that this example will help you in the everyday use of MS TAM as a risk assessment tool.
We are also publishing the entire ACE Threat Model file of this example for download and use.
Please do not hesitate to contact Shortinfosec if you have any questions or issues.


Risk Assessment with Microsoft Threat Assessment & Modeling

Every organization has some form of Information Security Risk assessment. Some perform a formal risk assessment, others simply use their practical experience. Whatever method is chosen, it always helps to use a tool which will assist the organization in performing the risk assessment in a controlled and reproducible manner.

The tool
There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice. Microsoft has also created MS Threat Assessment and Modeling - a tool that although designed for a slightly different purpose, can easily be used for Risk Assessment.

The process
Performing risk assessment with MS TAM is easy once you understand the components and the process.
Components of the MS TAM Analysis

  • Roles – Functional identities involved in the assessed process/system; these can include both service identities and human identities
  • Components – System elements involved in the assessed process/system – most commonly servers or subsystems
  • Data – Data stored and processed in the assessed process/system – in effect ANYTHING THAT TRAVERSES THE components
  • External Dependencies – Any external elements including data, components or roles from other processes or systems
  • Use Cases – the steps involved in operating the system/performing the process
  • Relevancies – characteristics attributed to any component that are relevant to the component's method of operation and open a possible vector of attack
  • Attacks – methods of compromising or destroying a component via misuse of characteristics of one or several relevancies attributed to the component
  • Threats - the assessed threats to the system. This component will be used to generate and assess the risks

The process consists of the following steps/phases:
  • Step 0 – Before starting anything, know your system/process/company. You will need to simulate and configure all relevant elements of the assessed system/process/company.
  • Step 1 – Define Roles - Define the logical groups of users involved in the system/process/company that is assessed
  • Step 2 – Define Components and Data - These are the building blocks of the system/process. Data traverses components and is accessed by users and components
  • Step 3 – Update and Define Relevancies - Create or update relevant attributes that define behavior of a component. For instance, a relevancy is that a component uses power supply, therefore it is susceptible to the risk of power failure. Add new relevancies for your specific components
  • Step 4 – Update attacks - Attacks are methods of misusing relevancies. Update the current attacks with specific ones - if you have them. If you have created new relevancies, create the attacks that compromise them. For each attack, include countermeasures that mitigate this attack. For instance, if the attack is power supply brownout, one possible countermeasure is an in-line UPS that acts as a voltage stabilizer.
  • Step 5 – Define Use Cases and Calls - The Use cases are the steps in the process, or the way a system is operated/used. Without the use cases, the risk assessment cannot be performed. For instance, one use case for a mail server system is the reception of an e-mail from an external mail server (from the Internet).
  • Step 6 – Model Risks - After you have modeled your system, generate the Threats, and analyze them one by one to assess frequency and impact, and define countermeasures from the offered possibilities. At the end of the process, the finalized threats are the risks to your system.

NOTE: It's very important to be very meticulous about the relevancies – the attributes of the components. Choosing well in this step allows good modeling of attacks, and a more automated risk model is created.

The results
After completing the process, the end result is the report set. The MS TAM has a predefined set of reports. Since MS TAM is primarily targeted at software development, the generic reports may be found to be lacking. The most useful report is the comprehensive report, which includes nearly all information. But it is still lacking a report which summarizes the risk assessment parameters:
  1. Impact
  2. Probability
  3. Risk Rating
  4. Risk Response
  5. Countermeasures
To address this, Shortinfosec has created a custom report for MS TAM 2.1 which can be downloaded here. Just place the file in the MS_TAM_INSTALL_FOLDER\Graphics\Reports\Custom and choose Custom Reports, risk_report.xslt

MS Threat Assessment and Modeling 2.1.2 may not be the best tool for Risk Assessment. It may not match your Risk assessment methodology to the letter, nor does it deliver the final result out of the box. But unless you have a better tool, it is very usable, since it controls the process, and with MS TAM you will always follow the mindset of risks, threats and impact.
And of course, until you have a better product, use the one that is readily available!

If anyone encounters a problem or has a question with using MS TAM, just leave a comment, or send me an e-mail.

