The Tablet that Tests – cut price version….

Last year I presented at Securi-Tay on using the (then) new Surface RT tablet as a platform for testing.  The substance behind it was that the iPad and Android tablets were fine to be used for consumption of content by end users – but were not too great as testing platforms because they just couldn’t run the tools we need as testers.

My conclusion at the time was that the Windows RT Surface went some way towards a ‘tablet that tests’ but couldn’t really hack it because even when jail broken – the number of apps which could run on it was restricted to things which could be recompiled for ARM and using only those libraries exposed to the RT runtime. 

So before I go any further with this – I have to say that I love the Surface RT as a concept – and I approve of a lot of the security measures built in to it – but just last week I have seen the device that will kill RT off.   It isn’t Android or iOS – ironically it is Windows 8.1 (the full fat version). 

So these are my requirements in a testing device (I mostly test applications but also do infrastructure tests).  I use lots of other software and tools but these are the absolute must haves…

Nmap

Nessus (client end so just a web browser)

Burp (so Java required)

Word – for report writing

Aside from this – an absolute requirement for a tester’s machine is the ability to unrestrictedly install software, modify system settings etc. 

RT couldn’t supply most of those requirements but I just  bought a tablet that could for less than £100.  The KingSing W8 tablet has these specs

Intel Atom Bay Trail processor, 1GB of RAM, 16GB of storage,1280 x 800 pixel IPS display with 5-point multitouch support, a 4500mAh battery, stereo speakers, a microSD card reader, 802.11n WiFi, Bluetooth 4.0  The Windows license is free on this type of small device – so it has a full fat version of Windows 8.1 on it.

I have to say I love this little tablet – in general the build quality is good, the screen is responsive, and although it doesn’t have a lot of local storage, I put a 32G SD card into it and tripled its capacity with no issues.  It runs nmap, gives me access to my Nessus server and has a proper Java environment so I can run Burp.  I’ve also installed MS Office with no problems.   It amazes me that something that weighs less that 500g can deliver this kind of access to software.  You can plug it in to a full sized monitor, attach a Bluetooth keyboard and mouse and you have a proper PC.  There are no fans, it runs very cool and the battery life seems pretty reasonable (more than eight hours anyway).

I suppose the obvious question is can Linux (not talking Android – but a full on OS with access to professional applications) be delivered on a similar spec of tablet at a similar price?  I’ll say ‘no’ at this stage because my experience of installing it on the Surface Pro was not a positive one – (see my earlier review).  Also no Word for Linux although the online version could be usable dependent on the complexity of the template and any requirement for automation (I like my VBA for automation of reports).

Anyway this particular tablet is not without its disadvantages – 1G RAM is very light for Windows 8 and I wouldn’t want to work with that on a daily basis (or try Visual Studio on it).   Doubling the RAM would greatly improve it in that respect.  But for something which doesn’t weigh much more than my phone to be able to run all the programs a tester needs on a daily basis is quite remarkable.   I would happily stick this in my bag and go out for the day with the confidence that if I need to access my scans or answer a customer query I would be able to do this.

So congratulations to KingSing on having achieved this – and a somewhat backhanded compliment to Microsoft on having made an OS that delivers it.  I suspect that in the future Windows tablets will take a huge proportion of the marketplace because of their obvious advantages over Android and iOS – but I can’t see that those tablets will be running RT.

WP_20140710_14_34_58_Pro

Lochgoilhead Gala Day

Since last year we have been based in Lochgoilhead which is a small village in rural Argyll. Today is gala day here, and ScotSTS have been happy to sponsor the event. I will be drawing the prizes down by the Loch this afternoon.

We consider ourselves privileged to be able to live and work in such a beautiful area, and we think that it is greatly beneficial to National Parks (we are in the Argyll Forest Park) that small consultancies like ours should be able to take advantage of improved technology and shifting work patterns to base themselves in areas where traditional economic activity tends to cause environmental damage. We can definitely see this being a theme over the next five years as improved internet connectivity moves testers and developers out of cities and into the countryside.

The benefits are on both sides so we are happy to help the community here and good luck with the gala day.

WP_20140710_14_34_58_Pro

OWASP AppSec EU

Rory and I just returned from OWASP AppSec EU where (for once) I was presenting but Rory wasn’t (as he was on the selection panel – though barred from reviewing my presentation!).

The quality of the talks was very high – though in my opinion there was rather too much of an emphasis on mobile this year. I know it is the exciting new area at the moment – but call me old fashioned but I would personally have liked to see more stuff on traditional web security. Perhaps (as per a talk Rory did a year or so back) it is just that there is no point of saying any more about it because no one is fixing the existing problems. I particularly enjoyed Maty Simon on HTML 5, James Kettle on Active Scan++ module for Burp and Jerry Hoff’s talk on mobile security.

We also heard Dr Richard Stallman talking about his views on ‘free’ software. I actually share more of his opinions than I would have thought – particularly around data privacy, although of course I do fundamentally disagree with him about proprietary software. I made a donation to his foundation and for a while I guess I may have been the only person in the world wearing a Microsoft T-Shirt with a GNU/Linux badge pinned on it. Anyway – I greatly respect him and his right to hold his views and I think he has stuck to his guns in a way that must cause him great personal inconvenience in the modern world.

Rory and I also attended the ‘Mobile Boot Camp Training’ as we were keen to expand Rory’s iOS and my Windows Phone knowledge into Android. It was a good course and we learnt a lot, but I have to say that the more I see of Android as a platform, the less I would be inclined to use it myself or to recommend it to others – particularly in an Enterprise environment. Be that as it may – we are now in the pretty rare position for a small consultancy of covering all the major mobile platforms.

My talk was an updated version of the Windows Store App presentation I did for Securitay back in January. There is quite a lot of new material and I seem to have managed to remove some of the annoying mannerisms from my delivery – https://www.youtube.com/watch?feature=player_detailpage&v=szKZG12XgIE#t=12509 The main new feature is ‘Store Sheep’ which I have just launched as an OWASP project. This is going to be a training app along the lines of ‘Web Goat’ which introduces testers and developers to Windows Store Apps and shows how to find and fix security issues in them. It is very much in Alpha at the moment (code word for ‘I haven’t anything like finished writing it yet’) – but I will be posting about it here as I make progress on it.

Rory at AppSec EU

Rory at AppSec EU

The picture is of Rory looking pensively at some Ruby Code while we were enjoying an excellent breakfast at ‘La Patisserie Vallerie’.

Just one other quick plug for an attraction any geek would love. We went to the Museum of Computing in Cambridge http://www.computinghistory.org.uk/index.htm They have hundreds of old computers in working order – check out Attic Attack on the Spectrum and ‘Flappy Bird’ for the ZX80. Also Altair 8800, Apple II etc. One of the best fun mornings I have had in a long time.

WP_20140628_11_16_17_Pro

Web Application Testing Workshop

We did our Workshop on testing Web Applications at Scottish Ruby Conf today. This took place at Crieff Hydro and was targeted at Ruby developers and other people who are keen on the language. It is the fifth year of the conference this year and Rory has taken part in all of them.

The workshop was a bit like the one we did at BSides London last year – only where that one dealt with a sample infrastructure, this one covered how we go about testing a Web App – including an introduction to Burp and some sample exercises from OWASP ‘RailsGoat’ (a deliberately vulnerable Web App based on Ruby on Rails). We spent all day yesterday setting it up and cloning and testing 40 VMS. The VMS went on our new mini-server ‘Rhododendron’ and two laptops – we also had three WI-FI routers and sundry cables – so not as much stuff as last year but still a fair amount (the nice thing this year being that we could stick it all in the car boot).

We had done a fair bit of work to make sure that the whole Workshop would work offline because we have been to enough conference hotels to know that the wireless connection to the internet would really suck. This proved a challenge because late on yesterday afternoon we noticed that the app uses the Google chart API and it doesn’t work offline. Lucky Rory managed to hack that part of it out and we were good to go. We got up at six to arrive at Crieff nice and early – had a good breakfast and got set up in plenty of time. We had been warned plenty of people would turn up – and sure enough – we had nearly 40.

We were bang on the money about the hotel Wi-Fi and very glad we didn’t rely on it because it was very slow and caused issues in the other workshops we attended. Then our audience arrived (95% male and 95% MAC users – not necessarily the same people though!). Everything seemed to go very well and the majority of our demos worked. One thing I would take away from it is that if we do it again we need to go over the tool setup part more slowly and allow more time for showing people stuff – we tend to forget how complex these things are as we do them every day.

But we got about 3/4 of the examples done and we were able to show SQLi, XSS and command injection actually working – I think the real and immediate impact that they have surprised some of the audience. Our presentation is attached to this post and includes some more general notes on Web Application testing. Some of the things we mentioned today… The Web Application Hacker’s Handbook we recommended and is available here :- http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Exploiting-ebook/dp/B005LVQA9S/ref=sr_1_1?s=books&ie=UTF8&qid=1399909420&sr=1-1&keywords=web+application+hackers+handbook OWASP top 10 here – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project RailsGoat (sample app used) – https://github.com/OWASP/railsgoat Sample XSS vectors – http://html5sec.org/
We are happy to answer any questions from attendees at the workshop – our addresses are on this site. Great conference, nice venue (shame about the wi-fi). Hope to be back next year.

WP_20140512_12_50_32_Pro 1

Presentation from Conference

Open Source Responsibility

Unless you’ve been living under a rock for the last couple of days you will have noticed a bit of a kerfuffle about a vulnerability in OpenSSL. One of the more notable parts of this story has been the wide variety of large companies who have been seriously affected by the problem.

This led me to thinking about the fact that a lot of very large profitable corporations are essentially relying on software that they haven’t purchased and which, I doubt, many of them have good security assurance over.

* First Question how many billion dollar companies rely on OpenSSL for secure communications?

* Second question how many of those same companies have sponsored a security review of OpenSSL over the last two years?

Now I don’t know the exact answer to either of these questions, but I’m willing to wager that the first is a lot higher than the second.

The real question then becomes, should corporations who rely on open source software be taking an active part in ensuring the security of that software?

Well I’m a security guy so obviously is say yes :-) it seems obvious that if you rely on things you have an interest in the quality of that software…

House of Cards

I was reading this post and I was thinking that this is another good example of the general theme in a lot of modern business and security.

People will a lot of times neglect some of the “plumbing” of their website and not realise quite how important it is to their sites security. In the linked example it was DNS. An attacker was able to get control of the site domain name and then essentially controlled the site. That’s one way of pulling it off but there are others.

Good examples of services which are often overlooked but are critical

– Hosting services. If you use VPS or the like and the hosting service is compromised then, the attackers can likely get access to your servers too. A good example of this was the Linode hack in 2013. There the attackers didn’t even have Linode as a primary target, they were after one specific customer.
– DNS providers. If the attacker can control your DNS, they can redirect mail, carry out MITM attacks on web sites, basically make a right mess of your system. But hacks on DNS providers (either social engineering or direct) are a common theme in stories of compromise.
– E-Mail providers. Might not seem as critical, but how are most password resets done…. by E-Mail. If the attacker owns your e-mail service they can usually trigger password resets for other things like DNS or hosting.

So what makes me say these things are “neglected”? Well look at the market and it’s pretty obvious. In a lot of cases the successful providers in these areas are the cheapest/easiest to use, not the most secure. Of course there’s the usual security problem of a “market for lemons” in that all providers will say that they’re secure but I’d still recommend that if you have a system that’s important to you (and that’s true for an increasing number of companies who do business primarily on-line), then spending some time trying to find high quality “plumbing” will pay off in the long run.

Why security is getting worse

I was doing a talk for the OWASP meeting in Glasgow the other day, which covered the OWASP Top 10.  I had made the point that the Top 10 is largely the same now (in it’s 2013 iteration) as it was in it’s original iteration in 2003. Someone asked me a question based on that which (roughly) was “Why isn’t security getting better?”

Good question really and obviously one there’s not a simple answer to.  At base I do believe that the state of defensive security is going to get worse before it gets better and it comes down to a number of factors.

I’ve got a list of them below, but ultimately I think it comes down to incentives.  Good software security and good enterprise security are difficult and expensive things.  If the economic incentives aren’t there people just won’t do it.

Increasing spend/focus on offensive security

Offensive security is becoming a larger and larger industry driven by demand from governments and to a lesser extent corporates for “cyber attack tools”.  Essentially to me, this boils down to people finding exploits and creating malware to deliver them.  That focus has a couple of effects which are likely to be bad for overall security.

*    As these tools are developed they will “escape” into the wild and be re-used by criminal elements.
*    Governments have an active incentive not to rush software providers to fix critical issues, as this would destroy some of their expensive cyber weapons.
*    More security people spending their time on offence, means there’s likely to be less spending their time on defence.

Breach Fatigue

There’s been so many breaches that they’ve stopped being news.  I read a piece recently on Ars Technica where the university that the journalist had attended had a breach and a good number of records were compromised (310,000).  When he went to report this his editor essentially said that it wasn’t a big enough story to warrant reporting.

This is an example of breach fatigue, where breaches become so common that they’re not noteworthy any more.  The problem is that this removes one plank that security people use to get companies to spend on defensive security, reputational damage.  Essentially now, unless your breach is really bad or you handle it really badly, there is no reputational damage from a breach.

Another example of this was linode.  They’ve been breached a couple of times and in discussions I see regarding using their service, the security provided does not seem to be a factor.

Vulnerability Fatigue

The cousin of breach fatigue is vulnerability fatigue.  These days every large software company has had security issues and has had to fix them. Some companies handle them better than others, but again I don’t see that being a big factor in companies choosing what software to buy…

Many people in the security industry would point to Oracles poor handling of security issues at various points (slow fixing, lack of communication etc) but I don’t see that having hurt their sales figures at all.

And on the flip side you see companies who are generally considered to do security right still have breaches (e.g all the major browsers falling at this years Pwn2Own ).

So there has to be an element of some companies wondering to themselves whether it’s worth the effort to have a truly great software security programme.

No Legal Requirements For Secure Software

Realistically in most jurisdictions, there’s no requirement to produce secure software.  There may be regulations relating to it (e.g. PCI) but governments seem to be steering well clear of actually legislating that software companies have any obligations in that regard.  Personally I think this is where we’ll end up but it’ll be a hugely uphill struggle as every software company out there will fight this to the end.

FWIW I think that government legislation of this type will be a disaster for the IT industry but if nothing else works, it’s where I think we’ll end up.

Lack of developer training

Ultimately all IT security bugs come down to software or users.  We can’t fix human nature, but theoretically we could fix software security bugs. Unfortunately I don’t think this is going well.  Most people would agree that producing secure software requires that developers receive good in-depth and repeated training, but where will they get that from?

From universities? Nope – I’d be surprised if more than 10% of programming or computer science degrees have good secure coding modules throughout the degree.

From employers? Nope – A lot of companies have constrained budgets already and the idea of spending good money on proper face to face training for all their developers, isn’t likely to happen especially if they can’t see a direct correlation between that training and their bottom line profits.