Friday, May 16, 2008

Security In The Education Process

I recently read a couple of Blog posts about Security in the education process.

Catching them early ... build security in to the psyche - Dinesh O'Bareja
Can Security be incorporated in the Computer Science & IT courses? - Dharmesh M Mehta

Both Dinesh and Dharmesh have a similar idea, i.e. integrating IT Security practices into the education process. However, as much as I would like to see this happen, I think it would be an impractical idea in the current education system in India.

Most engineers and information technology professionals employed by the vast IT industry have a weak hold on programming languages and methodologies as they walk out of college. Most of what they know is learned on the job or in pre-placement training. Many of those brought into Systems Engineer or Developer positions even lack an IT background.

Further, to make this an even harder task to achieve, the syllabus is already lacking and outdated. It's hard to teach security in the education process when we are teaching students to use Visual C++ 6.0 and Visual Basic 6.0 instead of .NET.

In my opinion, the first step to introducing Security in the education process is to educate the educators, to ensure that the teaching staff is well educated in Security Best Practices. When this happens, security practices will start trickling into their teaching methods and automatically show up in the students.

I believe that instead of teaching security practices to students, we eliminate the insecure practices being taught to them. This way, when students walk out with an engineering degree, they have only been taught secure coding for the last 4 years.

At Security Brigade, we are working on many training solutions, from implementing entire Security courses to Security for the educators. We will also be holding a few ethical hacking trainings in the next few months, possibly one in Mumbai in the last week of May.

Thursday, May 15, 2008

Trust your plugins? Think again

Over the last weekend, Armando Romeo and I spent some time discussing the attack vectors possible by inserting "backdoor" code into the Firefox (Mozilla) browser through Extensions, Themes and Language Packs.

Romeo has the proofs of concept ready for two scenarios: an in-browser keylogger, and downloading and saving an executable. Two very dangerous scenarios for your "Mac OS X for FF Theme" to be playing with. It would be possible for this vulnerability to be used to map the network and carry out many other dangerous attacks on the intranet.

Just as we went about playing with the fact that the same POCs worked well with Thunderbird and other Mozilla products, we found this. Turns out there were others in the wild who had already explored this concept and put it to work to compromise 10000s of people.

This whole Mozilla incident brings me to a larger point: Do you trust your plugins?

Not just Mozilla; with a few minutes of Googling I was able to identify the following applications that allow plugins:
  1. Internet Explorer
  2. Miranda IM
  3. Wordpress
  4. Total Commander
  5. Joomla
  6. Ad-aware
  7. Virtual-DJ
  8. ........
There are 1000s of applications out there that blindly trust third party plugins/addons.

The concerning part of such attacks that can occur from plugins is that in most cases they would be missed by traditional control mechanisms such as Anti-viruses, Firewalls etc.

I haven't had the time to play with each of these scenarios as of yet, but would definitely like to sometime soon. As for now, disabling JavaScript on your browser is no longer enough. You will need a source code audit on every extension/theme/language pack you install in Firefox or any other application. Until Mozilla fixes the issue, I recommend running Firefox from Sandboxie.
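
A first pass for the source audit recommended above, as an added example that is not code from this post or from Mozilla: it unpacks an add-on package (including nested .jar archives) and flags script-capable content in a package that declares itself a theme or language pack. The `em:type` values, the file-extension list and the manifest directives are assumptions based on the legacy install.rdf / chrome.manifest layout, and the sample package is constructed.

```python
import io, re, zipfile

PACKAGE_TYPES = {"2": "extension", "4": "theme", "8": "locale"}  # assumed em:type values
SCRIPT_EXTS = (".js", ".xul", ".xbl", ".dll", ".so", ".exe")     # heuristic: can carry logic
CODE_DIRECTIVES = ("content", "overlay")  # chrome.manifest lines that register scripted chrome

def walk(data, prefix=""):
    """Yield (path, bytes) for every file, descending into nested .jar archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            body, path = zf.read(info), prefix + info.filename
            if path.lower().endswith(".jar") and zipfile.is_zipfile(io.BytesIO(body)):
                yield from walk(body, path + "!/")
            elif not path.endswith("/"):
                yield path, body

def audit_package(data):
    """Return (declared_type, findings) for an add-on package given as bytes."""
    declared, findings = "unknown", []
    for path, body in walk(data):
        name = path.lower()
        if name == "install.rdf":
            m = re.search(rb'em:type(?:>|=")\s*(\d+)', body)
            declared = PACKAGE_TYPES.get(m.group(1).decode(), "other") if m else declared
        elif name.endswith("chrome.manifest"):
            for line in body.decode("utf-8", "replace").splitlines():
                parts = line.split()
                if parts and parts[0] in CODE_DIRECTIVES:
                    findings.append(f"{path}: manifest registers '{parts[0]}'")
        elif name.endswith(SCRIPT_EXTS):
            findings.append(f"{path}: script-capable file")
    return declared, findings

def needs_review(data):
    """Themes and language packs should be data only; any finding means read the source."""
    declared, findings = audit_package(data)
    return declared in ("theme", "locale") and bool(findings)

def make_zip(files):
    """Build a zip in memory from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: a package declared as a theme that also ships a script.
SAMPLE = make_zip({"install.rdf": b"<Description><em:type>4</em:type></Description>",
                   "chrome/t.jar": make_zip({"skin/browser.css": b"", "content/helper.js": b""})})
```

A clean result only means the package ships no obvious script files; an extension (type 2) legitimately contains code and still needs its source read.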