30. December 2011 · XSS and Verizon DBIR; PCI DSS and anti-malware · Categories: blog

Alex’s post, Web Application Security – from the start: XSS and Verizon DBIR, suggests that because the Verizon 2010 DBIR (released in April 2011) attributes only 1% of breaches to XSS, OWASP is putting too high a priority on XSS.

Here are my thoughts based on my review of the Verizon 2010 DBIR:

  1. Table 2 shows that of the 761 analyzed breaches, only 163 were from companies with 1,001 or more employees, while roughly 70% (522 of 761) had fewer than 101 employees or an unknown number of employees. It’s been my experience that there is a huge disparity in deployed security controls between small and large companies, which, it seems to me, might alter the conclusions you could draw from the report.
  2. Figure 33 shows that only 3.9 million records were stolen in the breaches covered by the report. In the previous five years the totals ranged from 104M to 361M. I find this odd. It may reflect the high number of small companies in the report. Also, the number of records lost may not be the best indicator of breach severity: if Coca-Cola lost only one record, but it was the Coke formula, the breach would be severe indeed.
  3. The report is heavily tied to Verizon’s PCI DSS practice. Table 15 shows that 96% of stolen records were payment card numbers/data. Yet we have seen very serious breaches where email addresses were the main data lost; see Epsilon, where some estimate that 250 million email addresses were exposed.
  4. Another indicator of the heavy PCI DSS orientation is that a PCI DSS analysis is done for each company examined, and Table 16 shows the low percentage of these 761 companies that met basic PCI DSS security requirements. These percentages are not surprising given the large number of small companies in the report.

Of course, the conclusion they draw is that PCI DSS compliance has significant value in reducing breaches.

However, there is something else in the report worth noting that might refute the value of limiting your security goals to PCI DSS compliance. Figure 15 shows that 49% of the breaches involved malware, accounting for 79% of the records breached. Of the malware analyzed, 63% (Figure 21) was custom! Could one conclude, then, that traditional anti-virus controls are not sufficient?

So what does the PCI DSS standard have to say about this? Requirement 5 is all about anti-virus. In fact, the recommended testing procedures are simply to “verify that anti-virus software is deployed” and “verify that automatic updates and periodic scans are enabled.” So, based on PCI DSS, one might conclude that as long as you have anti-virus deployed, you are safe from malware. However, since most of the malware that results in breaches is custom, and custom malware by definition has no signature for traditional anti-virus to match, one could conclude that PCI DSS compliance is not a sufficient goal for mitigating malware risk.

I am not saying that PCI DSS does not have any value in risk reduction. But I am saying that in the all-important anti-malware area, PCI DSS is insufficient. Cymbel’s 12 Best Practices for mitigating the risks of modern malware is much more comprehensive and is aimed at larger organizations with more to protect than just credit card data.

03. March 2011 · Content Security Policy · Categories: blog

The W3C today released a draft specification for a method to detect and block XSS-type attacks:

The purpose of this specification is to provide a method for web applications to broadly address a large class of vulnerabilities known as content injection which is the primary focus of Content Security Policy. Other threats, such as cross-site request forgery, are not a focus of this specification.

Content Security Policy is a declarative policy framework that enables web authors and server administrators to specify the permitted sources of content in their web applications and to restrict the capabilities of that content. Content Security Policy mitigates and detects content injection attacks such as cross-site scripting (XSS).

Content Security Policy is not intended to be a fool-proof security system, but it is intended to provide an effective layer of security that will dovetail with any site’s existing web application security program.

Content Security Policy is an opt-in mechanism which requires that servers explicitly declare a security policy in order to receive any of the protection described in this document. Content Security Policies are applied by the user-agent on a per resource basis, so servers must emit a security policy with each resource that the server wants protected.

via Content Security Policy.
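To make the quoted text concrete, here is an added example (not code from the W3C draft and not from the original post) of how a user agent applies a declared policy to individual loads. It models only host sources, scheme sources such as `https:`, `*`, `'self'`, `'none'` and `'unsafe-inline'`; nonces, hashes, path matching and reporting are assumed out of scope, and a host source written without a scheme is allowed to match any scheme here. The origins, URLs and the `Content-Security-Policy` header name in the demo are assumptions for the example.

```javascript
// Added example, not code from the W3C draft or from the original post: a
// miniature evaluator for the Content-Security-Policy header that shows how a
// declared source list makes an injected script a blocked load while the
// site's own resources keep working. Assumed scope (not from the spec text
// quoted above): host sources, scheme sources such as "https:", "*", 'self',
// 'none' and 'unsafe-inline'. Nonces, hashes, path matching and report-uri
// are left out, and a host source without a scheme matches any scheme here.

// "script-src 'self' https://cdn.example.com; img-src https:" ->
// Map { 'script-src' => ["'self'", 'https://cdn.example.com'], 'img-src' => ['https:'] }
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // First occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(key)) directives.set(key, sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Matches "cdn.example.com", "https://cdn.example.com:8443", "*.example.com:*".
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/;

function effectivePort(url) {
  if (url.port !== '') return url.port;
  return url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '';
}

function matchesHostSource(source, target) {
  const m = HOST_SOURCE.exec(source);
  if (!m) return false; // anything unparseable never matches
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme}:` !== target.protocol) return false;
  if (port && port !== '*' && port !== effectivePort(target)) return false;
  if (wildcard) return target.hostname.endsWith(`.${host}`);
  return target.hostname === host;
}

// One load: { directive, url, inline }. url is the resource URL as a string
// (null for inline content); pageOrigin is the origin of the document that
// carried the policy, e.g. "https://news.example".
function allows(policy, pageOrigin, load) {
  // A type without its own directive falls back to default-src; with neither
  // present the load is unrestricted, which is what "opt-in" means in practice.
  const sources = policy.get(load.directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  if (load.inline) return sources.includes("'unsafe-inline'");
  const target = new URL(load.url);
  const page = new URL(pageOrigin);
  return sources.some((source) => {
    if (source === "'none'" || source === "'unsafe-inline'") return false;
    if (source === '*') return true;
    if (source === "'self'") return target.origin === page.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;
    return matchesHostSource(source, target);
  });
}

// Constructed origin and policy for the demo; the server would send this
// value in a Content-Security-Policy header with every page it protects.
const PAGE_ORIGIN = 'https://news.example';
const EXAMPLE_HEADER =
  "default-src 'none'; script-src 'self' https://cdn.example.com; " +
  "style-src 'self'; img-src https:";

// Constructed loads. The first two are what a reflected or stored XSS payload
// would add to the page; the rest are the site's legitimate traffic.
const LOADS = {
  injectedInline: { directive: 'script-src', inline: true, url: null },
  injectedRemote: { directive: 'script-src', inline: false, url: 'https://evil.example/x.js' },
  ownScript: { directive: 'script-src', inline: false, url: 'https://news.example/static/app.js' },
  cdnScript: { directive: 'script-src', inline: false, url: 'https://cdn.example.com/lib.js' },
  cdnOverHttp: { directive: 'script-src', inline: false, url: 'http://cdn.example.com/lib.js' },
  anyHttpsImage: { directive: 'img-src', inline: false, url: 'https://pics.other.example/a.png' },
  plugin: { directive: 'object-src', inline: false, url: 'https://news.example/viewer.swf' },
};

function evaluateAll(header = EXAMPLE_HEADER, pageOrigin = PAGE_ORIGIN) {
  const policy = parsePolicy(header);
  const verdicts = {};
  for (const [name, load] of Object.entries(LOADS)) verdicts[name] = allows(policy, pageOrigin, load);
  return verdicts;
}

for (const [name, ok] of Object.entries(evaluateAll())) {
  console.log(`${name.padEnd(14)} ${ok ? 'allowed' : 'BLOCKED'}`);
}
```

Two things the run makes visible. First, the injected inline script is blocked only because the policy omits `'unsafe-inline'`; a site that cannot move its own inline scripts into external files has to add that keyword and loses most of the XSS benefit. Second, the evaluator (like the policies of that era) compares hosts, not paths, so `https://cdn.example.com` permits every file on that host; the allowed host list should therefore be as short as the site can tolerate.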

22. November 2009 · Microsoft IE8 XSS prevention feature enables XSS attacks · Categories: Application Security

Dan Goodin at The Register reports that Microsoft's IE8 cross-site scripting prevention feature can itself be used to create an XSS attack.

IE8 attempts to block XSS attacks by modifying the response, i.e. the content of the web page that the web server sends back to the browser in reply to a request. The NoScript Firefox add-on takes the opposite approach: it modifies the content of the request the browser sends to the web server. Here is more information. It appears that this vulnerability is not easily fixed, because it is a design flaw rather than a coding flaw.

BTW, NoScript is the second most popular Firefox Privacy & Security add-on.

30. September 2009 · Popular social news site infected with XSS exploit · Categories: Application Security, Breaches, Malware, Secure Browsing

The popular social news site Reddit was breached via an XSS exploit. Of course, the article does not indicate what protection methods, if any, Reddit was using to prevent this most popular of web site exploits. I wonder how they would do if an auditor showed up tomorrow using CSIS's Twenty Critical Cyber Security Controls (which I previously posted about) as a reference.

06. September 2009 · Browser vendors add innovative security features · Categories: Risk Management, Secure Browsing, Security Management

The browser vendors are adding innovative security features to help protect users against web-based attacks. Here are some examples:

  • Firefox 3.5.3 checks your Adobe Flash plugin and warns you if it is not current. It is believed that as many as 80% of browser users are running older versions of Flash that contain vulnerabilities fixed in newer versions.
  • Internet Explorer 8 added a raft of security features including URL filtering, Cross Site Scripting (XSS) filtering, click-jack prevention, domain highlighting, and data execution prevention (requires Vista SP1). The Cross Site Scripting filter is very impressive. Here is a detailed explanation of XSS and how the IE8 filter works. XSS attacks are particularly nasty because they can happen through no fault of yours: all you have to do is visit a site that has been successfully exploited. Details on the other features are here.
  • Opera 10, just now shipping, also includes URL filtering.
  • Safari 4, when running on Windows, integrates with your Windows anti-virus software to check any files, images, or other items you download via Safari. It also has URL filtering that watches for phishing sites and sites known to harbor malware.
  • Chrome 2.0.172.43 was released on August 25, 2009 and fixed several high severity issues.

Firefox has long benefited from third-party security and privacy add-ons. NoScript is one of the more popular: it blocks JavaScript and lets you selectively enable it per content source.

While I have not personally checked these security features, assuming they all work as advertised, Microsoft's Internet Explorer 8 leads the way in security innovation.