Tuesday, 22 May 2012

Tuesday Top Tip - EU Cookie Directive Deadline in the UK Fast Approaching

If you are in the UK, you have four days to become (finally) compliant with the EU cookie directive. The (real) deadline is May 26th 2012. A year ago, the Information Commissioner gave you a year to comply. So what to do?

Approach 1 - Information Commissioner's Office - ICO

A relatively simple approach is to copy the approach taken by the Information Commissioner's Office (ICO) itself. Go to the ICO website and you will see the following at the top of the page.

You can click on the "I accept cookies..." button to accept cookies. If you don't click, each time you go to the site you will see that message. If you do click, then you won't see it again.

Approach 2 - BT

A more comprehensive approach comes from BT. When you go to the BT website, you will be prompted with the following window.

If you click on "Change settings", you are presented with the following, which allows you to set the level of cookies that you will accept using a drag bar. You then choose "Save and Close".

So those are two approaches. The ICO one is simpler and might be easier to implement in the short term. The BT approach is more elegant but would take longer to implement.
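As an added example (not part of the original post, nor ICO's or BT's code), here is the gate both approaches depend on: a consent cookie that, until it is set, keeps the banner showing and blocks every non-essential cookie. The category names and tier order are assumptions modelled on BT's slider; the consent cookie itself is treated as strictly necessary.

```javascript
// Consent tiers in slider order (assumed, modelled on BT's levels).
const LEVELS = ["necessary", "functional", "performance", "targeting"];
const CONSENT_COOKIE = "cookie_consent"; // assumed name

// Parse a Cookie header / document.cookie string into {name: value}.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns the recorded tier, or null if none (or an unrecognised value) is set.
function consentLevel(header) {
  const v = parseCookies(header)[CONSENT_COOKIE];
  return LEVELS.includes(v) ? v : null;
}

// ICO behaviour: keep showing the banner until consent has been recorded.
function shouldShowBanner(header) {
  return consentLevel(header) === null;
}

// A cookie of `category` may be set only if the user accepted that tier or above.
function isAllowed(category, level) {
  if (category === "necessary") return true; // never needs consent
  if (level === null || !LEVELS.includes(category)) return false;
  return LEVELS.indexOf(category) <= LEVELS.indexOf(level);
}

// Set-Cookie value recording the choice for a year; Secure and SameSite=Lax
// so the consent record cannot be replayed cross-site or over plain HTTP.
function buildConsentCookie(level) {
  if (!LEVELS.includes(level)) throw new Error("unknown consent level");
  return `${CONSENT_COOKIE}=${level}; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}

// Wrapper that refuses to write cookies the recorded tier does not cover.
class ConsentingJar {
  constructor(header) { this.cookies = parseCookies(header); this.level = consentLevel(header); }
  set(name, value, category) {
    if (!isAllowed(category, this.level)) return false;
    this.cookies[name] = value;
    return true;
  }
}
```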

Useful Links


Saturday, 19 May 2012

2 Microsoft Research Papers to Read

Two interesting papers from Microsoft Research, both from June 2011. Interesting because they seem to go against the prevailing trend that we are all doomed as a result of poor security. They are worth reading to get an alternative point of view. You can skip over the mathematical equations if that is not your thing.

"Sex, Lies and Cyber-crime Surveys" argues that cyber crime surveys are in general pretty rubbish. It discusses the difficulty of performing surveys properly, especially on relatively rare phenomena. From section 4.3:
  • "Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."
Of particular interest to application security people is the following from the conclusion:
  • "The importance of input validation has long been recognized in security. Code injection and buffer overflow attacks account for an enormous range of vulnerabilities. You should never trust user input" says one standard text on writing secure code. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy. A single exaggerated answer adds spurious billions to an estimate, just as a buffer overflow can allow arbitrary code to execute."

The second paper, "Where Do All The Attacks Go?", tries to answer the question "Why isn't everyone hacked every day?" Here's the abstract:
  • "The fact that a majority of Internet users appear unharmed each year is difficult to reconcile with a weakest-link analysis. We seek to explain this enormous gap between potential and actual harm. The answer, we find, lies in the fact that an Internet attacker, who attacks en masse, faces a sum-of-effort rather than a weakest-link defense. Large-scale attacks must be profitable in expectation, not merely in particular scenarios. For example, knowing the dog's name may open an occasional bank account, but the cost of determining one million users' dogs' names is far greater than that information is worth. The strategy that appears simple in isolation leads to bankruptcy in expectation. Many attacks cannot be made profitable, even when many profitable targets exist. We give several examples of insecure practices which should be exploited by a weakest-link attacker but are extremely difficult to turn into profitable attacks."
The main conclusion is that it is difficult to calculate risk accurately if you are basing your calculations on cyber-crime surveys. It is more useful just to concentrate on the impact of a threat.

Useful Links:


Sunday, 6 May 2012

SDLC Quick Reference Updated

I have updated the SDLC Quick Reference. The reference is essentially a list of security related tasks which you should think about at the start of an online development.

By following these steps, you are much more likely to develop a more secure end result.

The main change from the previous version is the first section. You should identify a list of technologies that the application will use. Then find out how to use these technologies securely, both in development and in deployment.

Useful Links:
