Thursday, April 10, 2008

Interview with Jeremiah Grossman on LearnSecurityOnline.com


Originally published on LearnSecurityOnline.com

http://learnsecurityonline.com/index.php?option=com_content&task=view&id=297&Itemid=0

# LSO #
How about some background about yourself, who you are? What you do? Who you work for? Location?

# JG #
I started out as a graphic designer; turned to a Web developer then UNIX admin, then Web security guy. Today, I’m founder and CTO of WhiteHat Security, a leading provider of website vulnerability management services headquartered in Santa Clara, Ca.

I was raised in Maui, Hawaii and grew up in Silicon Valley. I’ve been commonly referred to as one of the top Web security experts, recognized as one of InfoWorld 2007 Top 25 CTOs, and all that sort of fluffy stuff. Personally, I prefer engineer and entrepreneur. My daily job consists of delivering presentations, R&D for future products and services, speaking with a lot of companies and learning about their Web security challenges, and helping out with the Web Application Security Consortium (WASC). I write a lot too. Blog, books, articles, interviews. :-)

# LSO #
How did you get into the security business (your specific field)?

# JG #
While working at Yahoo pen-testing websites, I found I had far too much work and not enough time to do it. If every one of the 600 websites took 40 hours to assess for vulnerabilities, it would take me roughly 11.5 years to finish. Unless we hired a team of 10, no solution available was going to meet our needs. This was not a problem unique to Yahoo: Many companies across the industry were experiencing the same dilemma. They know they have vulnerabilities needing to be fixed and no idea where they’re located. I saw a market opportunity, set out to build a better solution, and jumped in with both feet. WhiteHat’s executive staff envisioned a highly scalable vulnerability assessment Software-as-a-Service solution incorporating proprietary, automated scanning with expert analysis. Six years later here we are. Now, how I got my Job at Yahoo is a whole other story. ;)

http://jeremiahgrossman.blogspot.com/2007/04/how-i-got-my-start.html

# LSO #
You are considered to be one of the forerunners of Web Security. I remember seeing your talks at Blackhat in 2002 when you released the WhiteHat Arsenal and being totally blown away at what you could do with a web browser, and the browser has only become more and more powerful over the years. In your opinion, are we past the worst of web vulnerabilities, there now, or is the worst yet to come?

# JG #
Wow, has it been that long? On the positive side, unless someone finds a truly new attack technique, the number of vulnerabilities in the average website will likely slowly decline in the years to come. The downside is the attackers will have a lot of green field to exploit and they haven’t even really begun to hack. Unfortunately the worst is yet to come and we’ve already seen some fairly bad stuff happen to date.

# LSO #
Web 2.0 and Ajax. Is it the end of the world as we know it? or just another technology in the mix?

# JG #
Y2K didn’t end the world, so why should Web 2.0 and Ajax? Web 2.0 is the way we’re using the Web, and Ajax is a set of technologies developers use to build it. Others don’t share my view, but I don’t think either Web 2.0 or Ajax makes a website more susceptible to attack. They all have the same problems in the same ways, it’s just a lot faster and easier to make mistakes. What has changed though is our capacity to find vulnerabilities in Ajax-laced websites. You see, the bad guys really don’t need or use scanners to hack websites because they only need to find one issue; and, it’s faster to do it by hand. The good guys on the other hand have to find all issues and protect against them all - all the time. That means the good guys need scanners to keep up. The problem with scanners though is they’ve been shown to be severely lacking in Ajax support despite the marketing claims. Not to mention the volume of false positives they generate.

# LSO #
How do you think technical aspects of web hacking have changed over time and how does one keep up with the current advances?

# JG #
The basics have been the same for quite a while, but the advanced stuff is getting fairly large, sophisticated, and constantly evolving. The nuances of Web security take a while to learn if you start from zero. The only way I’m personally able to keep up is by reading a tremendous amount and communicating as often as I can with others. So, I read white papers, mailing lists, blogs, news stories, etc. I also attend conferences, contribute to community projects, and utilize email quite heavily.

# LSO #
Say I want to get into web security. It’s HUGE; where do I start?

# JG #
At the beginning! No seriously. If I had to start again, the first thing I’d do is pick up a programming language like Java or C# and develop my own super simple Web applications to get the basic concepts. Then, I’d seek to understand how the Web is architecturally put together from the ground up. That means learning everything I could about TCP/IP, HTTP, DNS, SSL, and general encryption. I’d make my own Web servers and Web browsers, create little tools to create packets in the various protocol layers, and basically play around with all the technology till I felt really comfortable. Then, I’d work my way back up the stack learning HTML, JavaScript, and the DOM, all the while making little applications to keep my interest. But, what you’re probably asking at this point is “where is the security,” right?

From my point of view, security is a state of mind more than anything else. I’ve always felt that if I understood all aspects of the technology to an intimate degree, then “security” portions became super easy. If I knew how everything worked, was meant to work, then I could proceed to test if I could make it work in ways other than intended.

Some early books on my bookshelf:

The Protocols (TCP/IP Illustrated, Volume 1)
http://www.amazon.com/Protocols-TCP-IP-Illustrated/dp/0201633469/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682211&sr=8-1

TCP/IP Network Administration (3rd Edition; O'Reilly Networking)
http://www.amazon.com/TCP-Network-Administration-OReilly-Networking/dp/0596002971/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682225&sr=8-1

UNIX System Administration Handbook (3rd Edition)
http://www.amazon.com/UNIX-System-Administration-Handbook-3rd/dp/0130206016/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682255&sr=8-1

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682281&sr=8-1

DNS and BIND
http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=pd_bbs_2/104-1693213-7738351?ie=UTF8&s=books&qid=1193682300&sr=8-2

Mastering Regular Expressions
http://www.amazon.com/Mastering-Regular-Expressions-Jeffrey-Friedl/dp/0596528124/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682314&sr=8-1

JavaScript: The Definitive Guide
http://www.amazon.com/JavaScript-Definitive-Guide-David-Flanagan/dp/0596101996/ref=pd_bbs_sr_1/104-1693213-7738351?ie=UTF8&s=books&qid=1193682325&sr=8-1


# LSO #
You mention in your interview with Colleen Frye the disclosure dilemma. What are your thoughts on disclosure? I think it’s a double-edged sword because, let's face it, 0-days and worms keep system admins, network managers, pen-testers, and consultants in business, but it seems a lot of vendors are pushing the no-disclosure (or only to us) route.

# JG #
For the most part, I’m in the non-disclosure camp. Meaning: I only privately disclose vulnerabilities when I have a good working relationship with the other party. And, if I release something publicly, it’s only because I feel the attack technique is new and has further implications that would benefit by public research. Be mindful though that I would not recommend people blindly follow my philosophy. Instead, they should find a system that works within their personal code of ethics, morals, professionalism, and level of risk acceptance. Because let’s face it, the industry is not what it used to be 10 to 15 years ago and already has pushed much of the research underground.

# LSO #
Do you think that's good for the industry? Is it good to push all that research underground?

# JG #
I take a pragmatic approach to security and I feel that business owners and software vendors have a responsibility for the data they protect and the products they sell. We all must take into consideration the environment around us, and understand that it’s hostile. We should have no expectation that anyone is going to share any vulnerability information ahead of time. We can hope they will before going public. But, do not depend on it and frankly it’s hopeless to demand it.

# LSO #
On a similar note, what are your thoughts on the German anti-hacking laws, and what do you think would happen to the security industry if the US went that route?

# JG #
I don’t think we have to wait for that to happen; it’s probably already here and we just haven’t realized it. When considering our current political climate and recent legal changes in the U.S., it seems to me that any one of us could easily be accused of committing an illegal act and be held to account. All that really has to happen is for a few more high profile prosecutions to impact security researchers to have a nasty and lasting side effect. What I do think is coming is export controls placed on vulnerability information (0-days), just like they do on encryption - because of their potential impact on national security. It’s a brave new world.

# LSO #
Do you think JavaScript is the new shellcode? If so why?

# JG #
Yes, definitely, because Cross-Site Scripting is the new buffer overflow. ;)

# LSO #
Tell us what you think of the future of network enumeration via JavaScript. What are the attacks that we should look for in the coming years from JavaScript?

# JG #
It’s difficult predicting the future in security, but if I had to guess, I could see phishers using XSS a lot more. The malware guys will continue defacing highly trafficked and trusted websites to exploit their visitors’ Web browsers. And the high-end espionage attack types will go for the Intranet hacking stuff using JavaScript malware. It’s the latter that’ll be hard to track, measure, and defend.

# LSO #
Can you compare/rate the criticality of XSS, XSRF, SQLI?

# JG #
Unfortunately no. It’s hard to generalize their severity, criticality, threat, etc. For the most part, website vulnerabilities have to be rated individually, while taking into consideration the value of the website, the data it contains, and the sophistication of the attack required.

# LSO #
Have you or anyone you are aware of made any progress on your non-JavaScript port scanning idea that you posted here at:
(http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html)

# JG #
Ilia Alshanetsky certainly took the next step by improving the speed of my original designs, but I think I’ve personally taken that concept about as far as I need to. The Intranet zone has been breached and the rest just seems to be adding insult to injury. No need to make exploitation easy for the bad guys. It’s the browser vendors’ turn to remediate the problem architecturally.

# LSO #
How real of an attack vector is DNS-Rebinding? How prevalent do you think it is in the wild?

# JG #
DNS-Rebinding (Anti-DNS Pinning) spent several years in the realm of theoretical obscurity, but that changed recently when more researchers demonstrated creative Proofs of Concept. It’s a very powerful attack vector with a lot of potential damage. Worse still is that I think the browser vendors are at a loss for how to deal with the problem. It’s also difficult to tell if the bad guys are using this in the wild maliciously. Unfortunately, we’ll know when the side effects get really bad and we find the attack being used in a piece of malware.

# LSO #
Are people really vulnerability scanning internal networks with Nessus/Metasploit through a socks proxy?

# JG #
Not that I’m aware of.

# LSO #
Can you tell us a little bit about WhiteHat Sentinel? Have appliances taken the human out of the network security and web security loop (minus the people writing the checks for the appliances)?

# JG #
Nah, human expertise will be a vital part of any comprehensive Web application vulnerability assessment process, forever. Unless of course someone solves the halting problem or websites magically become “secure enough”, but I doubt it.

WhiteHat Sentinel is a website vulnerability assessment and management service that is customer controlled and expert managed. Without the marketing-fu, that means our customers’ websites receive a complete vulnerability assessment whenever they’d like or as often as their website changes, with the security of knowing they have the expertise of WhiteHat engineers as support. Presently, we’re performing hundreds of vulnerability assessments each week, many orders of magnitude above anyone else, with the significant added benefit of the false positives weeded out. To deliver this type of service is no small task, and it’s really our SaaS technology that enables WhiteHat to have this incredibly efficient process. Our remotely hosted vulnerability scanning infrastructure does all the heavy lifting and also allows us to configure custom tests for each website to identify those pesky business logic flaws.

# LSO #
What can I do to keep mom and dad safe on the net? Or anyone who gives you the "huh" when you go into phishing, hacking, XSS, CSRF, malware, etc.?

# JG #
The most effective way to keep them safe is to switch them to a Mac. Sorry Windows people, but your operating system is target #1. And, for the same reason, swap out Internet Explorer for Firefox, Mozilla, or Opera. These two acts alone will significantly reduce the likelihood of their machine getting hacked. Then, disable ActiveX, Java, and, unless they really complain about it, Flash too. And, for good measure, install SafeHistory and Adblock Plus. To keep them from getting phished, teach them to be skeptical of any email from someone they don’t know, especially the ones with links and/or attachments. Instead of clicking on links in their email, set up a list of bookmarks to select for their bank and other important business oriented websites.

# LSO #
How important do you feel that programming is for this field, specifically how do you feel about Web Language programming? If yes, what language(s) do people need to know well?

# JG #
The best Web security experts in my experience have a Web development background. Most any Web language works just fine, since we’re all niche practitioners anyway. HTML/JavaScript are a must no matter what. But if you had to start now, .NET and Java and their development frameworks are what you need to know to an intimate degree.

# LSO #
What tools need to be in every web application pen-tester's toolkit?

# JG #
Three different Web browsers (at least), a proxy or two, and some text encoders and decoders.

# LSO #
What are the basics that you think every security person should know?

# JG #
For me, the key things that I’ve come to appreciate are that technology skills can be learned over time, but for many it’s difficult to grasp certain fundamental information security concepts. That security is a state of mind, that it is a process and not a product, and that it is our responsibility to mitigate risk. Anyone can spend a bit of time to learn how to properly configure a firewall, but do they know why they are doing it? What are the attacks they hope to thwart or don’t address? What business challenges crop up as a result of firewall implementation?

The point is we have to question our assumptions, our conventional wisdom, and constantly check to ensure they still hold true. Often they do not.

# LSO #
Any suggestions on breaking into the security field? Or someone considering security for a career?

# JG #
Get involved in any way and at any level you can. This could be an entry-level job, contributing to a community effort, or participating in a mailing list discussion. Read everything (white papers, articles, blogs, etc.). Email the authors and ask tough questions. Attend conferences and local chapter meetings.

The whole idea is to meet people, build relationships, and learn everything you can by helping out. This also demonstrates your passion and value to those you interact with. Nothing says more to an employer (or a recruiter) than personal initiative and self-motivation.

# LSO #
Jeremiah, thanks tons for all your work in the industry and for agreeing to the interview.

Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Book: XSS Attacks: Cross Site Scripting Attacks and Defense
CG

1 comment:

CG said...

this was on dave aitel's twitter page...

http://twitter.com/daveaitel/statuses/786854520


AKA, Cross Site Scripting is not the new buffer overflow. The new buffer overflow is the buffer overflow.

08:24 PM April 10, 2008 from im