Thursday, August 12, 2010

XFS 101: Cross-Frame Scripting Explained

Cross-Frame Scripting (XFS) is an attack related to cross-site scripting (XSS) and is commonly misunderstood from both the offensive and the defensive standpoint. This post aims to clear up the confusion: what the term means, what vulnerability the attack exploits, and which fixes have been suggested.

XFS exploits a bug in specific browsers that exposes events occurring inside an embedded iFrame to the parent frame that contains it. The exposure is limited to events only; it does not grant full cross-domain JavaScript access. Several examples exist illustrating the sniffing of keystrokes from an embedded iFrame (usually a login page) and their surreptitious transmission in the background, via XMLHttpRequest (XHR), to an attacker-controlled resource such as a remote Web server. This effectively provides a means to silently steal credentials as the victim types them into the embedded iFrame. Despite its similarity to XSS, this attack in no way allows full JavaScript execution.
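The defensive side of this, as an added example that is not code from the original post: a page that receives credentials should refuse to operate while it is framed, and the server should tell the browser not to frame it at all. The example assumes a hypothetical login page at `https://bank.example` and uses constructed window-like objects in place of the real browser `window` so that it runs offline; `X-Frame-Options` is the real response header that supporting browsers honour.

```javascript
// Added example, not code from the original post: the defensive side of XFS.
// A page that receives credentials should refuse to operate while it is
// framed, and the server should tell the browser not to frame it at all.
// `win` is a window-like object so the logic can run outside a browser
// (hypothetical stand-ins are constructed below); in a real page pass `window`.

function isFramed(win) {
  // Identity comparison: a framed document's own window is not the top window.
  // No URL is read here, so it works even when the parent is cross-origin.
  return win.top !== win.self;
}

function framingDecision(win, allowSameOrigin) {
  if (!isFramed(win)) {
    return { framed: false, action: 'render' };
  }
  let sameOrigin = false;
  try {
    // Reading top.location across origins throws; a throw means a foreign parent.
    sameOrigin = win.top.location.origin === win.self.location.origin;
  } catch (e) {
    sameOrigin = false;
  }
  if (allowSameOrigin && sameOrigin) {
    return { framed: true, action: 'render' };
  }
  return { framed: true, action: 'break-out' };
}

function applyFramingDefense(win, allowSameOrigin) {
  const decision = framingDecision(win, allowSameOrigin);
  if (decision.action === 'break-out') {
    // Navigate the top-level window to this document, discarding the framing
    // page together with any handlers it attached to our events.
    win.top.location = win.self.location.href;
  }
  return decision;
}

// Server side: X-Frame-Options tells a supporting browser to refuse rendering
// this response in a frame (DENY) or to allow only same-origin frames (SAMEORIGIN).
function xFrameOptionsHeader(allowSameOrigin) {
  return { 'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY' };
}

// --- Constructed window stand-ins (hypothetical origin bank.example) ---
function makeWindow(origin, path) {
  return { location: { origin: origin, href: origin + path } };
}

function makeForeignTop() {
  // A cross-origin top window: reading its location throws, assigning to it
  // is permitted (that is how a real browser behaves for navigation).
  const top = {};
  Object.defineProperty(top, 'location', {
    get() { throw new Error('SecurityError: cross-origin access'); },
    set(url) { top.navigatedTo = url; },
  });
  return top;
}

// Scenario 1: login page loaded at the top level.
const standalone = makeWindow('https://bank.example', '/login');
standalone.self = standalone;
standalone.top = standalone;

// Scenario 2: login page embedded by a foreign origin.
const framedByForeignOrigin = makeWindow('https://bank.example', '/login');
framedByForeignOrigin.self = framedByForeignOrigin;
framedByForeignOrigin.top = makeForeignTop();

// Scenario 3: login page embedded by a page from its own origin.
const framedBySelf = makeWindow('https://bank.example', '/login');
framedBySelf.self = framedBySelf;
framedBySelf.top = makeWindow('https://bank.example', '/portal');

console.log(applyFramingDefense(standalone, false).action);           // render
console.log(applyFramingDefense(framedByForeignOrigin, true).action); // break-out
console.log(framedByForeignOrigin.top.navigatedTo);                   // https://bank.example/login
console.log(applyFramingDefense(framedBySelf, true).action);          // render
console.log(xFrameOptionsHeader(false)['X-Frame-Options']);           // DENY
```

The header is the control to rely on: a script-only frame-busting check can be interfered with by the framing page, so treat the script as a fallback for browsers that do not honour `X-Frame-Options`, not as the primary defence.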


Tuesday, August 10, 2010

Information Security Policies and Procedures, Part 2

This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series.

Part 1, Part 3, Part 4, Part 5, Part 6

Knowing which policies are necessary in your environment can be a challenge. Most organizations will have at least some formalized policies. Many of these are in response to legal requirements (HR policies) or to specific incidents. After someone leaves their laptop in the car trunk for 6 hours on a 100-degree day, a policy on the care of equipment is generally issued.

With policies and procedures, it is essential to be proactive rather than reactive. In the case of the melted laptop, it would be far better to have instituted a policy regarding equipment care prior to the incident. That may be a simplistic scenario where the company is out a thousand dollars for a laptop, but it illustrates a point. This proactive posture becomes far more important when applied to more complex situations. What if, instead of being out a thousand dollars for a laptop, you were instead out tens or hundreds of thousands of dollars in fines after a cardholder data breach? Or worse, in the case of HIPAA, you find yourself with tremendous legal bills or in jail. (I am aware that is an extreme case, but it is illustrative of my point.)

As far as information security goes, every organization will have a unique set of foundational policies. Although many will be common to all organizations, the unique qualities of each organization call for custom policies. How, then, do we determine what basic policies we need? I have found that one of the simplest ways to determine which policies are essential is to look at all applicable regulations, laws, standards, and contracts and perform a gap assessment. For example, if you are subject to the PCI DSS, a good way to start is to take a copy of the standard and identify every place where a policy or procedure is required. PCI requires a policy on visitors to your facilities. As such, part of being compliant with PCI will be developing a visitor policy per the specific requirements of the standard. An important caveat: having a policy in place does not equal compliance.

An auditor will not only look for the policy, they will also look for evidence that the policy is enforced. So, for our example of a visitor policy, the auditor will want to see the associated visitor logs and will check whether visitors are issued a visitor badge per the policy. Careful readers will note that I slipped in mention of another document, the visitor log. In many cases, documentation leads to more documents. In this case, you will also likely need to develop training and awareness programs. Procedures for the receptionist to follow will help ensure that they are correctly logging visitors. An awareness program lets employees understand that the policy exists, as well as the rationale behind it.

As you move through the standard or regulation identifying where documentation is necessary, keep a list of which policies address which sections. At the conclusion of the gap assessment of the applicable regulations and compliance requirements, you will have a firm understanding of what policies and related documentation are necessary. Keep in mind that, in addition, it is important to review contractual obligations. These generally exist between you and your clients, vendors, and other service providers. Involving your legal department is always recommended.

In the next part of this series we will cover some of the pitfalls to avoid.


Monday, August 9, 2010

A Week of Security in Vegas: Black Hat, Bsides, & Defcon

Towards the end of summer each year the information security world descends on Las Vegas for a week of training, discussion and the disclosure of a year’s worth of quiet research. I’ve been attending off and on for years, and was joined this year by several of my new SecureState co-workers from Profiling and Risk Management.

The week started off with the biggest and most expensive of the three events: Black Hat Las Vegas. This is the original and largest of the Black Hat events held around the world each year, and it has often been a forum for disclosing some of the most cutting-edge and impactful research within information security. The biggest talk this year, hands down, was Barnaby Jack’s presentation on compromising automated teller machines. Barnaby had attempted to give a similar presentation in 2009, but his employer pulled the presentation after pressure was applied by some unnamed ATM manufacturers. After changing employers and adding several new ATMs to his collection, Barnaby was back this year to give a live demo of local and remote compromise of two different ATMs.
