You care more about getting out there. Style and performance. Being a security wonk doesn't do anything to improve the probability that your project will be successful in the marketplace...
...just ask Zed...
...or Dr. Bernstein...
Companies like 37signals have the right idea.
Security guys telling you not to care that much about security? There isn't much you can tell *us* that will make us feel better about running what you write.
If you find a 0day in wordpress, you have the opportunity to own 99.99% of the mac development community and make literally tens of dollars.
It's like 10,000 spoons when all you need is one spoon.
Even developers working within a decades old security model deliver vulnerable apps.
If you understand these two things, you're 90% of the way there.
Security wonks are the audience for the average Blackhat talk. Trying to understand inside baseball (granted with a pretty good fantasy lineup) will only confuse you.
Nate recently gave a blackhat talk that demonstrates the idea. If you understand that you shouldn't trust user-controlled content and you have a plan, you don't need the details.
If you look REALLY closely… you'll see that there is absolutely NOTHING wrong with this image…
Now… THIS image is a little different… This image is a GIFAR. It renders PERFECTLY with image rendering software, YET retains all the properties of a Java JAR.
This is the HEADER of the file shown in the previous slide. Notice how the header is fully intact.
Here is the footer of the same file. This is where things get interesting. Notice the PK, indicating a Zip format. Java JARs are essentially a zip file. This is an old skool stego trick.
These are the "7 deadly sins" of application development. If you avoid these, you're ahead of just about everyone. Don't try to do them correctly, DON'T DO THEM.
Things that make applications *appear* more secure but don't actually do anything to improve security. Absolutely do these things. They're easy to do. Don't believe they improve the security of your application.
Attackers sniffing the backbone aren't your threat model. Worry about them getting in the middle of your connections.
But chumming the water is a bad idea. Some things attract attention and attackers go right after them.
If you write a fuzzer and fix what it finds, you're taking the "pole position".
For whatever environment you're developing in, there's a fuzzer out there for you to build on.
Ruckus is ours.
Our favorite tool for testing web applications is Burp. Buy Burp. Seriously. Go do it right now.
The current state of the art of reverse engineering means that trying to hide things in the binaries you deliver is a lost cause.
Pedram Amini was sent back from the future to destroy you one disassembly at a time.
Security outreach is the number one thing you can do to improve the security of your products.
There's only one person on this list that cares if you actually fix the issue (and they are paying you to do just that).
Semantics are important. Phrases like "...not exploitable..." and "...not severe..." show up in the press all the time, just long enough for the guy living in mom's basement to publish exploit code.
SDLC is a great buzzword if you're selling software to an enterprise and Microsoft is great at it. It doesn't really help indie developers secure their apps.
Include these 4 things in your daily life and the 5th one is free.
a sucker’s bet
“my UTU protocol uses ISO IEC 48798783 without the Helsinki
a sucker’s bet
“Only two remote holes in the default install”.
a sucker’s bet
10 years, no exploitable flaws in a top-5 mail server. UNPOSSIBLE!
in it for the girlies and the
actually jason fried
(not to scale)
• The guy in the rated R movie. So money!
• Not bad at security. Just not awesome. FTW!
why I care?
⌘ I’m Paranoid
⌘ What could you tell me to make me feel better about running Adium?
why I care?
⌘ How to make literally tens of dollars
• Moveable Type
• John Gruber == target rich environment
• 99.99% of Mac devs
is your blog pwned?
Pwnie for mass 0wnage ’08: Wordpress
stupid mac bugs I have known
⌘ “The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid”
⌘ “osascript -e 'tell app "ARDAgent" to do shell script "whoami"'”
⌘ QTPointerRef p = h.toQTPointer(-2000000000, 10 /
⌘ install_crontab --DejaVu
if you get this, you’re 90% done
⌘ length is scary
• now you get: stack overflows, heap overflows, integer overflows, integer underflows, uninitialized variables, null pointer offsets.
• initialize variables, abort when malloc fails, count with unsigned ints, and don't let them wrap.
• go live your life.
⌘ content is scary
• now you get: XSS, SQL injection, shell injection, xpath
• whitelist to alphanumeric and swap punctuation for
• go live your life.
but what about...?
⌘ return-based exploitation of stack cookies leaked through stale memory that defeat 8 bit ASLR seeding on...
⌘ internationalized best-fit shift-JIS filter evasion with union selects...
Overview of the Same Origin
• Goal is to prevent a resource loaded from one site manipulating or communicating with another site
• Evil.com should not be able to drive interaction on my behalf to bank.com
I mean, what do you do in Las Vegas? You gamble - and you go to strip clubs - Scott
Enter Jafar Attacks
You took too much man, too much, too much. – Benicio del Toro
That’s GIFAR Attacks, Not Jafar
• What’s a GIFAR?
– A combination of a GIF and a JAR resulting from the fact that a JAR keeps its relevant data within the footer of a file, whereas GIFs keep their relevant metadata in the header
– Allows us to create a file that is both a GIF and a JAR
– Will load just as any image would, but will also load as a JAR (Applet in this case)
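The slide above (and the speaker notes on the GIFAR header and footer) describe why a GIF reader and a ZIP reader can both accept one file: GIF looks at the head, ZIP/JAR looks at the tail. The check below is an added example for the upload-handling side, not code from the talk: it flags an "image" whose tail is a loadable ZIP. The fixtures (a minimal 1x1 GIF and the same GIF with a one-file ZIP appended) are constructed here for the test; the sensible mitigation for an upload handler is to reject such files or re-encode every image server-side so trailing data cannot survive.

```python
"""Detect an image that also carries a ZIP/JAR archive (a GIFAR-style file).

GIF readers only care about the header at the START of the file; ZIP/JAR
readers locate the archive from the End-Of-Central-Directory (EOCD) record
near the END. Checking both ends catches a file that satisfies both.
"""
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"          # the "PK" footer the talk points at
EOCD_LEN, MAX_ZIP_COMMENT = 22, 65535


def looks_like_gif(data: bytes) -> bool:
    return data[:6] in GIF_MAGICS


def zip_members(data: bytes) -> list:
    """Names inside a ZIP that ends this blob, or [] if the tail is not a ZIP."""
    if EOCD_SIG not in data[-(EOCD_LEN + MAX_ZIP_COMMENT):]:
        return []
    try:
        # zipfile tolerates leading junk (self-extractor style), exactly the
        # property a polyglot relies on, so open it the way a JAR loader would.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, ValueError):
        return []


def is_gifar(data: bytes) -> bool:
    """Valid-looking GIF header AND a loadable ZIP in the tail."""
    return looks_like_gif(data) and bool(zip_members(data))


# Constructed fixtures (not files from the talk).
def minimal_gif() -> bytes:
    # GIF89a, 1x1 logical screen, no color table, one 1x1 image, trailer.
    return (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"
            + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
            + b"\x02\x02\x44\x01\x00" + b"\x3b")


def gif_with_zip_tail() -> bytes:
    # Same GIF with a harmless one-entry ZIP appended after the trailer.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed fixture, not an applet")
    return minimal_gif() + buf.getvalue()
```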
He who makes a beast out of himself gets rid of the pain of being a man. – Hunter S.
don’t do these things.
• unless it’s openssl or gpg.
⌘ password storage
• unless it’s bcrypt.
⌘ write directly into the DOM
• thanks for making my app writeable.
• do not want another web server. cannot use.
⌘ content controlled code
• blog templates
⌘ file upload/download
rubber chicken security
⌘ little lock icons
⌘ scripting languages
the myth of the passive
⌘ it’s not 1994
⌘ the backbone sun4m doesn’t got
⌘ they have better things to do
• wifi assoc
⌘ it’s all mitm now
by all means piss us off
⌘ #1 security feature: big long random
• not http://app/customer/Bob or http://app/
⌘ encode your data, but jumble the b64
⌘ encrypt your data. fixed key! just scramble the sboxes! add a round! xor
what’s a fuzzer?
⌘ figure out the protocol packets or file formats you use.
⌘ define structures for them.
⌘ replace fields with random garbage
• long strings, high ascii, metacharacters, negative
⌘ iterate over all fields
⌘ this finds, what, 60% of all reported
be the world expert for your
⌘ writing a contact manager?
• write a vCard fuzzer
⌘ writing a calendar?
• write an iCal fuzzer
⌘ writing an IM client?
• write an OSCAR fuzzer
⌘ Run it. Every release. Fix stuff.
⌘ Publish it. Now you’re an expert.
⌘ Be a jerk: run it on your competitors.
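The "what's a fuzzer?" steps and the "write a vCard fuzzer" slide above, carried through as one added example (not Ruckus, Peach, Sulley or any other fuzzer's code): define the fields of the format, substitute each field in turn with the classes of garbage the talk lists, iterate over every field, and record what the parser does with it. The target `parse_vcard` is a constructed stand-in for a contact manager's parser, with a constructed fragility on the BDAY field so the harness has something to report.

```python
"""Structure-aware vCard fuzzer: every field x every garbage class."""
from typing import Callable

# One vCard record broken into the fields we control individually.
VCARD_TEMPLATE = {
    "version": "3.0",
    "fn": "Ada Lovelace",
    "tel": "+1-555-0100",
    "bday": "1815-12-10",
    "rev": "20080801T120000Z",
}

# Garbage classes from the talk: long strings, high ascii, metacharacters,
# negative numbers, plus a format string and the empty value.
MUTATIONS = [
    "A" * 5000,
    "\xff\xfe\x80" * 64,
    "'\";:<>|&`$(){}\\\n\r",
    "-1",
    "-2147483648",
    "%s%n%x",
    "",
]


def render_vcard(fields: dict) -> str:
    return ("BEGIN:VCARD\r\nVERSION:{version}\r\nFN:{fn}\r\nTEL:{tel}\r\n"
            "BDAY:{bday}\r\nREV:{rev}\r\nEND:VCARD\r\n").format(**fields)


def parse_vcard(text: str) -> dict:
    """Constructed target: naive line parser that trusts BDAY's shape."""
    rec = {}
    for line in text.split("\r\n"):
        if ":" in line:
            key, _, value = line.partition(":")
            rec[key] = value
    year, month, day = (int(p) for p in rec["BDAY"].split("-"))
    if not 1 <= month <= 12:
        raise ValueError("bad month")
    return rec


def fuzz(target: Callable[[str], object]) -> list:
    """Return (field, mutation prefix, exception name) for every case that raised."""
    findings = []
    for field in VCARD_TEMPLATE:            # iterate over all fields
        for mutation in MUTATIONS:          # replace each with garbage
            case = dict(VCARD_TEMPLATE, **{field: mutation})
            try:
                target(render_vcard(case))
            except Exception as exc:        # a fuzzer wants every crash
                findings.append((field, mutation[:16], type(exc).__name__))
    return findings
```

Run it every release: a real parser would be wrapped the same way, and each finding is a test case to keep.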
there’s a framework for you
⌘ use python? get peach fuzzer, or sulley
⌘ use C? get spike
⌘ use Perl? try fuzzled
⌘ use ruby? here’s ruckus
for god’s sake have a security
⌘ Link on your website:
• To report a security problem, click here.
⌘ Post a GPG key.
⌘ Designate someone your security
⌘ Publish advisories.
⌘ Act like you’ve done this before.
oh the researchers you’ll meet
• want the cred, a new 360.
• want the cred.
• aren’t talking to you anyways.
• want the cred.
• want you to fix it.
when they come to you...
⌘ don’t call them enhancements
⌘ don’t argue about severity