Computer Security and Information Security

Robert Malmgren AB

“Trust is good, control is better.”

blogs at romab.com

You can go directly to Andreas, Tobias, or Robert's blogs.

The latest posts from all of us are collected on the page below.

2010/06/24

Lots of activity in the world of DNSSec

In the last few weeks a lot has happened in the DNSSec part of the world. The root (.) was signed last Wednesday in a formal key signing ceremony. Lots of people were involved, among others Anne-Marie Eklund-Löwinder, Jakob Schlyter and Fredrik Ljunggren. Fredrik and Jakob have been seminal in making this all happen! And AMEL is one of the selected few to become a Chief Crypto Officer - that's way cool! Jakob has written a good article on what this means for top level domains now that we have a signed root. There is even a video of the key signing ceremony.

EURid, the registry for the .EU domain, has announced that it has signed its zone and that it will be able to let customers use DNSSec in .EU. The maintainers of .ORG also say that they've enabled DNSSec, and one of the major news items was that ISOC, the Internet Society, was the first domain to be signed in the .ORG zone.

Get more information on the signed DNS root zone, or on DNSSec itself.
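What a signed root and signed TLDs actually give a validator is a chain of DS records: each parent zone publishes a DS that commits to the child's key signing key, and the parent signs that DS with its own key, so trust walks from the root's key (configured directly in the validator as the trust anchor) down to .org, .eu and further. The following is an added example, written for this page and not code from the post or from any of the registries or people mentioned; it builds the DS record for a constructed DNSKEY (the sample key bytes and the ".org" owner are made up, not the real .ORG key) and performs the check a validator does at a delegation.

```python
import hashlib
import struct

# Constructed sample DNSKEY (NOT the real .ORG key): owner "org.", flags 257
# (zone key + secure entry point, i.e. a KSK), protocol 3, algorithm 8
# (RSA/SHA-256), and a tiny placeholder public key chosen so that the key tag
# can be verified by hand (it works out to 1549).
SAMPLE_OWNER = "org."
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 8
SAMPLE_PUBKEY = bytes([0x00, 0x01, 0x02, 0x03])


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): labels
    lowercased, each prefixed by its length, terminated by the empty root label."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"  # the root name "." is just the terminating zero byte
    wire = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5):
    a 16-bit checksum over the RDATA, used to pick the right key quickly."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 section 5.1.4; RFC 4509 for SHA-256):
    hash(canonical owner name || DNSKEY RDATA), returned as lowercase hex."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """What the parent zone (here: the root) publishes for a child's KSK:
    key tag, algorithm, digest type and digest. The parent signs this record
    with its own key, which is how trust chains down from the signed root."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_matches(ds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """The validator's check at a delegation: recompute from the DNSKEY the
    child serves and compare with the DS the parent published. Any change to
    the key bytes, flags, algorithm or owner name breaks the match."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == algorithm
        and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])
    )


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("DS the root would publish for the constructed org. KSK:", ds)
    print("genuine key matches:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_FLAGS,
                                             SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY))
    print("tampered key matches:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_FLAGS,
                                              SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, bytes([0, 1, 2, 4])))
```

The point of the tampered-key call at the end is the whole value of the signed root: a DNSKEY substituted by a spoofing resolver or an on-path attacker no longer hashes to the DS the parent signed, so a validating resolver rejects it instead of trusting it.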

IronSuite: IronFox 0.6.2 + IronAdium 0.2 released

We have released updated versions of our sandbox-protected internet tools, IronFox (Firefox 3.6.*) and IronAdium (Adium 1.3), collectively called IronSuite.

There is now a lot more documentation online as well: a description of the design philosophy, a rather extensive compilation of Frequently Asked Questions (FAQ), and the web's first more complete description of the SandBox Policy Language (SBPL).

OWASP AppSec Research, day #2

The keynote for day #2 was delivered by Steve Lipner from Microsoft. He started out with a quick overview of the history of computer security from the 70's onward and described how PCs and the Internet changed the rules, before reaching the "Secure Windows Initiative" in 1999. During the Microsoft security push era they did a lot: besides the day-to-day work of trying to secure the products, they tried to do some more strategic work, including establishing "security science" as an in-house research area. He described that the executive buy-in was surprisingly easy to get, when thinking about it in retrospect. Getting the executives in is essential if you are going to launch a programme that affects 30,000 developers in a large organization.

One of the most interesting things he described was that several things in the initial SDL book didn't really work well in reality. They have reiterated and come up with several updates, and have a programme with annual major updates of the method. Version 4.1 came out in 2009, version 5 came out early 2010, and version 5.1 of the SDL is planned to go live in October 2010. Other interesting news that Mr Lipner talked about was the "Simplified SDL", which focuses on how to implement SDL in new organisations, and the refocusing of SDL to work better in Agile environments. I'm really thankful to Microsoft for being so open-minded as to make the SDL method non-proprietary and platform agnostic. Mr Lipner described Adobe as one of the organizations that have adopted SDL. One of the questions from the audience was "why does Adobe then have a really bad track record at security?". Mr Lipner's answer, which I see as honest and well balanced, was that Microsoft started to implement SDL in the beginning of 2000 but was still struck by Code Red and a lot more attacks; it was a long time between starting the initiative and harvesting the fruits of the labour. Adobe, by comparison, just started in 2009, so they have a long road ahead.

One can read more on the SDL on Microsoft's SDL portal, the MSDN description of the SDL process, the SDL blog, or a more in-depth description of the Simplified SDL.

Pravir Chandra from Fortify Software had an interesting presentation entitled "The Anatomy of Real-World Software Security Programs" on different secure development processes. Besides describing some of the steps any security officer has to take to successfully implement a program, he had some interesting comparisons of different models like the Software Assurance Maturity Model (OpenSAMM), Microsoft's SDL, and the Building Security In Maturity Model (BSIMM2).

Some other guy managed to have a network sniffer running for the whole conference. Again, it's really amazing to hear how much sensitive data gets captured at a SECURITY conference...

AppSec Research, Stockholm

OWASP, the group that focuses on security at the programming and implementation stage of software engineering, is holding a two-day conference in a sunny Stockholm. It's held at the University of Stockholm in their new Aula Magna. It's a beautiful place, but it is built with one major drawback: no, NO! power outlets anywhere in that humongous room...

The keynote was delivered by two people from Google, Chris Evans and Ian Fette, and was entitled "Cross-Domain Theft and the Future of Browser Security". They talked about malware detection and protection with the Google blacklist initiative and, more interesting for us, they spent a lot of time talking about sandboxing as a good security mechanism, how sandboxing is part of Chrome, etc. Google seems to focus a lot of its attention on protecting the client environment by sandboxing the render process in Chrome. The problem with this approach is that add-ons and extensions might still be unprotected.

The two most interesting other talks I attended during the day were Ivan Ristic's talk called "How to Render SSL Useless" and Steve Ocepek and Wendel Henrique's talk entitled "Owning Oracle: Sessions and Credentials". Ristic described 10 basic errors many sites make, many of them problems which erode the trust that SSL/TLS is supposed to create for you.

The Oracle session was quite interesting, since they focused a lot on demoing their attacks. They showed their home-brewed tools "thicknet" and "vamp" to do session hijacking. This is of course not something new in general; tools like hunt, juggernaut, ettercap, etc. have been doing these things for ages. The interesting part here is the decoding of TNS, SQLNet and similar. The different cases they demoed included injecting SQL statements, downgrade attacks that forced old-style DES-encrypted passwords to be sent and sniffed, and sniffing of Windows challenge-response exchanges that got captured and cracked with your standard Windows password cracker.

Ocepek and Henrique's tool, thicknet, can be found here.
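Seen from the defending side, all three demoed cases depend on the Oracle Net traffic being readable and modifiable on the wire, and on the server still accepting the older password handshake. The following is an added example written for this page, not Ocepek and Henrique's tool and not anything from the talk: a small Python checker for the server-side sqlnet.ora settings that control whether sessions are encrypted (defeats sniffing), integrity-protected (defeats statement injection into a hijacked session) and whether a minimum logon version is enforced. The parameter names SQLNET.ENCRYPTION_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER and SQLNET.ALLOWED_LOGON_VERSION (later Oracle releases use a _SERVER variant of the last one) are Oracle Net parameters not mentioned in the post; the version threshold of 11, the weak-cipher list and both sample files are assumptions constructed for the example.

```python
import re

# Constructed sample sqlnet.ora files (not taken from any real system).
WEAK_SQLNET_ORA = """
# out-of-the-box style network settings: encryption only if the client asks
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.CRYPTO_CHECKSUM_SERVER = rejected
"""

HARDENED_SQLNET_ORA = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SQLNET.ALLOWED_LOGON_VERSION = 11
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")

# Cipher names accepted by Oracle Net that give little protection against a
# sniffer (assumption: this list is the example's own choice of what to flag).
WEAK_CIPHERS = {"DES", "DES40", "RC4_40", "RC4_56"}
# Logon protocol version at which the newer, non-DES password handshake is
# used; treating 11 as the floor is an assumption made for this example.
MIN_LOGON_VERSION = 11
# The 11g parameter name and the later server-side name (assumption: check both).
LOGON_VERSION_PARAMS = ("SQLNET.ALLOWED_LOGON_VERSION_SERVER", "SQLNET.ALLOWED_LOGON_VERSION")


def parse_sqlnet_ora(text: str) -> dict:
    """Minimal parser for the NAME = VALUE lines of sqlnet.ora.
    '#' starts a comment; names and values are normalised to upper case."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).upper()
    return params


def _list_value(value: str) -> list:
    """'(AES256, 3DES168)' -> ['AES256', '3DES168']"""
    return [v.strip() for v in value.strip("()").split(",") if v.strip()]


def check_network_hardening(params: dict) -> list:
    """Return (parameter, problem) pairs for settings that leave sessions open
    to passive sniffing, packet injection, or the older password handshake."""
    findings = []

    enc = params.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")  # Oracle's default
    if enc != "REQUIRED":
        findings.append(("SQLNET.ENCRYPTION_SERVER",
                         f"{enc}: a client that does not ask for encryption talks cleartext; set REQUIRED"))

    chk = params.get("SQLNET.CRYPTO_CHECKSUM_SERVER", "ACCEPTED")  # Oracle's default
    if chk != "REQUIRED":
        findings.append(("SQLNET.CRYPTO_CHECKSUM_SERVER",
                         f"{chk}: no integrity check, so packets injected into a session go unnoticed; set REQUIRED"))

    ciphers = _list_value(params.get("SQLNET.ENCRYPTION_TYPES_SERVER", ""))
    weak = sorted(set(ciphers) & WEAK_CIPHERS)
    if weak:
        findings.append(("SQLNET.ENCRYPTION_TYPES_SERVER",
                         "weak ciphers offered: " + ", ".join(weak)))

    version = None
    for name in LOGON_VERSION_PARAMS:
        if name in params and params[name].isdigit():
            version = int(params[name])
            break
    if version is None or version < MIN_LOGON_VERSION:
        findings.append(("SQLNET.ALLOWED_LOGON_VERSION",
                         f"{version}: older password handshakes still accepted; set at least {MIN_LOGON_VERSION}"))

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(label + ":")
        for param, problem in check_network_hardening(parse_sqlnet_ora(text)) or [("-", "no findings")]:
            print("  ", param, problem)
```

Running it prints three findings for the weak file and none for the hardened one. The checker only reads configuration; whether clients actually negotiate the required settings is something to confirm by observing a real connection, and REQUIRED on the server side will break clients that cannot do encryption at all, so roll it out with that in mind.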

2010/04/21

More ironfox modules.

IronFox now supports a few new modules, which allow Kerberos/SPNEGO authentication and the proprietary 1Passwd plugin. Nexus Personal support is also in the works, and will most likely be included in the 0.4 release. Another idea is to add a GUI for configuration instead of allowing all functionality; this would most likely include some sort of menu for configuring which plugins are to be allowed. IronFox now supports (besides basic Firefox functionality) Java, Flash, Kerberos and 1Passwd. If I can find any site besides apple.com that uses QuickTime, it will most likely be added as well.