spoonfork

quick question: if a security bug has a low likelihood of occuring, has low impact, but high severity if it is able to be executed, is it still a security vulnerability? to be more specific, exploiting it is almost impossible: so, is it worth the resource in fixing it?

let me explain in detail so that you all get a gist of what i'm trying to point out here. but first of all, let's just acknowledged the fact that i've developed software before, and that i am very familiar with software development methodology and lifecycle. and yes, i do know the thought process of a programmer without any security trainings or secure coding education because i've been one before.

the bug that i found has a low likelihood of being exploited. in fact, the probability that an attacker can exploit it almost 0. since this has been proven, it is safe to say that the finding has no effect on security. in fact, the finding should not be in the final report to the client.

the bug exist in a variable that is automatically generated by the asp.net framework, much like php's $_POST, $_REQUEST or $_GET global variables, but not quite. this variable contains values that are pertinent to the requested page - i.e. the back-end application will take it, process it and display them in a nice html page. the values are initially retrieved from database or soap servers. this variable, and its values are never re-inserted in the database or sent back to the soap servers - they are non-persistent.

so, as an attacker, even if i manipulate the values of the magic asp.net variable there is nothing much that i can do. this has been the basis of arguments between me and the vendor - they refuse to adopt one of the best practices in secure coding - "filter inputs that are sent to and from the application" simply because the values are non persistent. fine.

wearing my programmer hat (a fresh graduate without exposure to secure coding practices), i know a gazillion ways how this magic variable can be abused. assuming i have another script that processes the same information - i don't have to repeatedly retrieve the values from the database.i just have to use that magic variable! save a few lines of codes and i can play world of warcraft later. even worse: what if the database needs updating? fine i just put them back into the database!

so, you are right in saying that no fixing needs to be done, but you're wrong in assuming that. programmers are lazy, and the lazy ones produce insecure codes. your application is complex, and complex application contains complex codes, and complex codes are insecure.

I don't know what NISER (National ICT Security & Emergency Response Centre) is preaching these days. I downloaded their 2nd quarter newsletter and decided to figure what they're preaching. This edition contains a few topics, ranging from general article about first generation honeypots, introduction to computer forensic, a few bits about worms, viruses, trojan horse, adware and spyware, tips to secure your personal PC, and others. Included in this edition is the usual MyCERT quarterly summary.

To me, the MyCERT quarterly report section is of no use because of few reasons:

• the accompanying graphs are of little value since the images are all blur. in fact, most of the images in the newsletter are blur.


• the statistics itself is questionable. reading through section "Significant Drop on Intrusion Incidents", it mentioned defacements due to IIS Unicode traversal attack. this is bewildering since unicode traversal attacks were discovered and in 2000, and patch were available since then. 5 years on, and we're getting a newsletter from NISER informing us about unicode traversal. this makes me wonder wether the statistics that NISER get is based on real and successful attacks or just statistics massaged from IDS logs. i think that these statistics were based on IDS logs since it is highly likely that things like unicode traversal are generated by scanners, such as Nikto.
  


• Under the section "High Surge in 445/TCP Port Scanning", the graph and statistics do not mean anything because it only tell me the the scanning frequency for each port, but other metrics that will make the data more useful are missing. for example, how many host were scanned for port 445? how many unique source IPs were scanning the port? with this information missing, or an explanation of how the data were gathered, i may very well deduce that the statistics is from a single machine, and i can interpret it as "for this quarter, our Windows 2000 server which has port 445 opened to the public internet has been scanned up to a total of 3500 times".
  

A few articles caught my attention. One of this is WLAN Security. Towards the end of the article, the author writes the first criteria to decide on WLAN security is based on the type of data that needs to travel in it, and then decide on authentication and encryption system for security. Oh please! Does this mean that if an organization decides to pasang a wireless AP, they don't have to bother securing it, let alone implementing some kind of authentication, simply because data that traverse in it is just inane chatter? If this is the case, then Siti, Rupi and Ah Mei, whose interest is not in the data or the organization, can hook into the wireless network, and use that network to launch attacks against other network.

NISER, what are you preaching?

I browsed through most of the articles, but the last article is just ridiculously useless. In Tips on Protecting Your Personal Computer (which is a series as the introduction say) the author touches on user accounts, and user accounts only! To be frank, if you want to produce article about securing personal PC, don't make it into a series, especially if your newsletter is published like, 4 times a year. If you really want to help the general public secure their PC, write an article that will at least, if the reader decides to follow your advice, her PC will be secured hopefully until your next newsletter comes out!

• Choose strong administrator password


• Disable guest account


• Install anti virus. AVG Free Edition is a good one.


• If you're using Windows XP, update it to SP2


• Install Microsoft AntiSpyware


• Update your PC regularly


• Use alternative web browser, such as firefox

Assuming the main points above, is it really necessary to split the articles into series?

In my opinion, NISER is not doing a good job as a so-called national ICT security & emergency response centre. This newsletter shows the level of competencies and expertise of their staff. You decide.

I think the haze is clouding the eyes of some government ministers:

The government will not declare a state of emergency so long as the Air Pollutant Index (API) does not reach the 500 level, Minister of Natural Resources and the Environment Datuk Seri Adenan Satem said.

"If the IPU exceeds 500, we will declare it (an emergency)," he told a press conference at the Ministry of Health, here Wednesday.

Health Minister Datuk Chua Soi Lek was also present at the press conference.

He said so far, only Port Klang was badly affected by the haze, with the API touching 410.

He said the Education Ministry had been asked to issue a directive to schools in the area to close.

Via Bernama.

So what 500 is? The air pollutant index are:

• 50 Good


• 51-100 Moderate


• 101-200 Unhealthy


• 201-300 Very Unhealthy


• 301-500 Hazardous

The Air Pollutant Index (API) is obtained from the measurement offine dust less than 10 microns and a few types of gases which are harzadous to health such as carbon monoxide, sulphur dioxide, nitrogendioxide and ozone.

In today's TheStar, the API for a few places are:

• Kuala Lumpur - 181


• Petaling Jaya - 204


• Kuala Selangor - 327


• Shah Alam - 316


• Putrajaya - 224.

As you can see, except for Kuala Lumpur, the other places' API is labeled as Very Unhealthy.

To the Minister: How About, Don't Be A Moron, and Go Outside and Check the Air for Yourself?

In Position applied : System Administrator cum Secretary cum on your face... the great old uncle Alphademon posted samples of funny stuff that people write in their resumes. And no, he was not joking. In fact those are real excerpts or real resumes of real people that applied for a system administration job. The excerpts are in their original form, mistakes, spellings, grammars.

I for one, could not help laughing out loud when reading the resumes. I don't mean to be mean cause I don't mean to be mean cos I am not mean, but those are just plain bizarre.

So I went through 150 resumes applying for the job of system administrator, and here are the things that I found so wrong about the resumes, and the applicants. Yes, the applicants included because we all know that resume is a representative of your self - regardless of wether you are lying about your qualications and experience or not. Just think of resume as your personal PR.

• Using long sentences to describe experience and responsibilities. This is one of the most common problem that I've encountered. What is your resume? Your life-story? When describing your experience or responsibilities, use consice and clear words to construct consice and clear sentences that will convey to the reader exactly what you mean else the reader will have diffrent things in his mind like thinking of fish and carrots doing naughty things with rabbits and panda bear. Get what I mean? For example: responsible for designing, coding, and implementing invoice module.


• Poor grammar. Enough said.


• Including irrelevent experience in the resume. OK, so you did worked at McDonald's one summer in college seven years ago. So what does that have to do with the job of system administration that you are applying for now? Are you telling me that you are a good communicator? That you are good at customer service? Dude, the only good customer service that you will ever give to your prospective employee is your resume!


• Applying for jobs that does not match qualification/and or jobs that you have no previous experience at all. Again - I am not kidding. I've seen resumes of temporary English and Mathematics teachers applying for the position of System Administrator - and they don't have the experience at all. I've seen resumes of MCSEs who handled Windongs for the past two years but applying for a job where the skills required are Linux/*BSD and Open Source! Is the job market really bad out there? Are people really fed up with their current job/company and that they are applying for jobs that they nary have a chance of getting? No, they are just plain click-happy. They see the application, and click on Apply without a second thought.


• Applying for the same position from the same company but your damned application was rejected before. Yes - this happened. You see - if you are a HR manager using Jobstreet's SiVA engine, it has this feature where it can tell you wether this fella had applied and rejected before. And I encountered a few of those. *Sigh*.

There are tons of resume mistakes out there. These are just a few that I can highlight. Now, whoever's sending their resume to me, get a friend to review it for you. A bad resume, regardless or your experience, can cause you the dream job that you've been looking for.