Security

The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character Are You?" These are largely one-time-use apps that many a Facebook user clicks on and tries out with little concern.

According to the ACLU chapter, "millions of people on Facebook who use third-party applications on the site, including the popular quizzes, do not realize the extent to which developers of quizzes and other applications have access to personal information. Facebook's default privacy settings allow nearly unfettered access to a user's profile information, including religion, sexual orientation, political affiliation, photos, events, notes, wall posts, and groups." For the promotion, it's put together a quiz about how much you know about Facebook-based quizzes.

Side note: Creating a Facebook quiz app to draw attention to the pratfalls of Facebook quiz apps is very meta.

"It's time for Facebook to upgrade its privacy controls so that quizzes can only see what people want them to see," Chris Conley, technology and civil liberties fellow at the ACLU of Northern California, said in a release. "Users need stronger protections than Facebook currently provides."

So are the ACLU-NC's claims legitimate? The most damning one asserts that "regardless of whether a user's Facebook profile is 'private,' by taking a quiz the user allows its developer to gain access to the user's profile information...by Facebook default, every time one of a user's friends takes a quiz, the quiz has access to that user's profile information." That could have particularly alarming security implications if an app turns out to be malicious.

Facebook does not deny this, but notes that "sensitive" information like contact details are not available to third-party apps, and that Facebook has settings for users to tweak exactly how much their friends' apps can see.

Last month, the company modified its privacy settings to make them more user-friendly.

The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out process for apps to access a user's friends' data and require that apps list the specific profile data fields that they will be accessing.

"We generally agree with (the ACLU's) recommendations and have already made public announcements about relevant changes that are under way," Facebook spokesman Barry Schnitt said in an e-mail. "Specifically, we recently disabled hundreds of applications, including quiz applications, that were inconsistent with Facebook Platform policies...We've also had productive discussions with the Canadian Privacy Commissioner about improving user data controls on Platform. We'd be glad to also have productive discussions with the ACLU and generally catch them up, if they want to give us a call."

The office of the Canadian Privacy Commissioner, which has taken issue with Facebook's privacy policies, is holding a press conference on Thursday to address the subject, and Facebook plans to hold a conference call with reporters in response.

A security hole in OAuth, the open-source protocol that acts as a "valet key" for users' log-in information, has led services like Twitter and Yahoo to temporarily pull their support, CNET News has learned.

Some developers were dismayed when Twitter pulled its support for OAuth, which it had only recently started to implement: blogger Jesse Stay wrote in a post about other restrictions to Twitter's developer API that its removal of OAuth is one of a number of recent examples of how the microblogging service has "pulled the rug out from under its developers."

In the interest of online safety, CNET News has chosen not to make the details of the security hole public. Here are the basics: The hole makes it possible for a hacker to use social-engineering tactics to trick users into exposing their data. The OAuth protocol itself requires tweaking to remove the vulnerability, and a source close to OAuth's development team said that there have been no known violations, that it has been aware of it for a few days now, and has been coordinating responses with vendors. A solution should be announced soon.

This is a particularly big deal for Twitter, as OAuth prevents users of a service from having to hand over their passwords to third-party services that use that service's application program interface (API), and Twitter relies heavily on developer-created enhancements to the service from clients like Twhirl and TweetDeck to statistics and analytics applications.

"OAuth is still in beta, for what it's worth," Twitter API lead Alex Payne said in (of course) a Twitter message on Wednesday. "We should have the current issue with it resolved soon."

Eran Hammer-Lahav, the OAuth community coordinator for this specific threat, spoke to CNET News later on Wednesday afternoon. "We have been aware of this threat for about a week now, and we have been coordinating with all known providers to help them understand the threat and deploy whatever mitigating factors they can," Hammer-Lahav said, adding that full details will be made available on the OAuth Web site at midnight Pacific time on Thursday. "There are no known exploits of this, so there are no reported attacks and the providers have either already deployed matters to address this or are doing it right now."

He highlighted Twitter's role in helping to keep things on the down-low at its own expense; when the service disabled OAuth, it did not mention that there was a security hole at its root.

"The community is extremely grateful to Twitter, despite the fact that they have been standing alone in the line of fire and taking the heat for this threat as if it was their own issue," Hammer-Lahav explained. "They basically took the PR hit in order to allow other companies to address it. They were doing it not to protect themselves, but to protect other companies."

Twitter co-founder Biz Stone responded to the threat on the company blog: "We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions," Stone wrote. "The developers working on Twitter projects that are in our beta test group felt this disruption the hardest and their patience is extremely appreciated."

This post was last expanded at 1:36 p.m. PT.

With the Conficker worm still hot and Microsoft patching multiple software vulnerabilities last week, it might be reasonable to assume the bad guys are winning the battle to get control over Internet-connected computers.

That's not necessarily the case. Developers are increasingly equipped with tools to shore up their products and vendors are collaborating in unprecedented ways to not only close holes in software, but also make sure they aren't in there in the first place, according to security experts.

"I think the industry as a whole is definitely getting better, but the spread between the best and the worst is widening," said Dan Geer, a risk management specialist and chief information security officer for In-Q-Tel, a nonprofit venture capital firm that invests in security technology.

"Conficker did far less damage in 2009 than it would have done in 2003," said Dan Kaminsky, director of penetration testing at IOActive. "Windows used to be a lot easier to blow up."

But on the eve of RSA, the world's largest security conference, which starts on Monday, experts say the hunt is on for the elusive Holy Grail of computer security-vulnerability-free software.

At RSA shows in years past, Microsoft was roundly criticized for releasing software full of security holes. In 2002, the company launched its Trustworthy Computing initiative, vowing to make security a top priority. Seven years later, the move is bearing fruit. The company reports that there are far fewer security holes in newer versions of its products and weaknesses in its operating system overall have dropped. Web applications have become the security bad boys of software.

In the second half of 2008, the proportion of Microsoft vulnerabilities on Vista-based machines accounted for just 5.5 percent of the total, Microsoft says. Machines running Vista were found to have 60 percent fewer infections than those running Windows XP, the company said in a recent report.

Microsoft went from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with 2.5 percent share, according to research last year from IBM's X-Force. The lion's share of the vulnerabilities come from start-ups racing to be the next Facebook, and 70 percent of them are doing the security testing and review after they release the product, Microsoft says.

"Security is an inherently hard problem. It's difficult to get to perfection for any company," said Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "What we are seeing is the percentage of vulnerabilities coming out of major software organizations is dropping as a percentage of the total of vulnerabilities reported."

Better tools, fewer mistakes
The company has turned its Security Development Lifecycle (SDL) process into a pseudo-religion for other companies to follow. Last year, Microsoft began offering free SDL tools so outside developers can assess their practices and analyze their software designs to look for security weaknesses.

The tools for writing secure code are getting better, so developers are less likely to make mistakes, said Johannes Ullrich, chief security researcher at the SANS Institute security organization.

Microsoft isn't alone in providing help to the developer community. HP is offering a free tool that helps find holes in Flash applications, and last week announced tools that nonsecurity professionals can use to do security testing. IBM sells a tool for Flash and Ajax developers, and last week the CERT Coordination Center at Carnegie Mellon released an open-source tool for testing ActiveX code.

In particular, Microsoft's recent release of an open-source tool called "!exploitable Crash Analyzer," which simplifies the process of identifying exploitable vulnerabilities during application development, is a "game changer," said Kaminsky.

"I don't think it's ever been quite so easy for non-security developers to recognize when they have vulnerabilities, when they have a flaw that could be used by a bad guy," he said.

Despite the recession, the software security market is growing significantly, accounting for more than $450 million in revenue in the U.S., Gary McGraw, chief technology officer at software security consulting firm Cigital, wrote in an article last week.

The challenge for developers
McGraw recently got a peek at the secure development processes at Microsoft, Google, Adobe, Wells Fargo, The Depository Trust & Clearing Corp., and four other leading companies, and released a report card of sorts (although grades are confidential) that other companies can use to gauge their level of progress. The Building Security in Maturity Model is "an objective yardstick" for development of products that are secure, McGraw said.

"In my view, software security is getting more and more important every single day," he said. "The good news is we are actually making some progress." The tools are out there, but the problem is developers often aren't trained, experts said.

A Forrester survey commissioned by Veracode and released last week found that only 34 percent of companies have a comprehensive software development lifecycle process that integrates application security and 57 percent of organizations don't have systematic application security training programs for developers.

Ullrich advocates a concept he called "software security street fighting"--where developers avoid complex techniques in which holes are more easily created.

"Developers, to some extent, can't really win," Ullrich said. "They have to be right every single time, while an attacker only has to be right once." ... Read more

HP is set to announce on Monday a free tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites.

HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe's best security practices guidelines, said Billy Hoffman, manager of HP's Web Security Research Group. The tool works with all versions of Flash.

With the Flash Player installed on more than 98 percent of Internet-connected computers globally, Flash applications are a popular target for attackers. HP analyzed nearly 4,000 Web apps developed with the Flash platform and found that 35 percent violate Adobe's security best practices.

For example, encryption keys and other sensitive data have been found inside client-side Flash code, Hoffman said.

Flash, traditionally used for creating animation and games, has been increasingly used for Web 2.0 apps destined for enterprise use, for which tighter security measures are required, he said.

Hoffman explains how a Flash app vulnerability can be exploited in this video.

This isn't the first tool aimed at Flash developers. IBM last month announced its Rational AppScan, which automatically scans Flash and Ajax-based applications for security defects. The standard version of that product costs $17,550 for a one-year license.

Last year, HP was called upon by Microsoft to develop a free tool, Scrawlr, that developers can use to test for SQL injection vulnerabilities in apps on Microsoft's ASP platform, according to Hoffman.

While developers are striving to write more secure Flash apps, Adobe occasionally is forced to deal with security holes in the Flash Player itself. For instance, Adobe recently issued a patch for a hole in the player that could allow an attacker to remotely take control of a computer.

Back in 2002, Microsoft executives realized they had a serious problem at hand. As the primary target of a growing global community of amateur hackers and professional cybercriminals, Microsoft knew it had to do something to improve the security of its code or it was likely to become a party pooper at the online fiesta. The Bill Gates Trustworthy Computing e-mail of January 2002 got lots of PR focus, but Microsoft's real security work horse was a new development process called the Security Development Lifecycle (SDL).

Since 2004, all new Internet-facing software developed by Microsoft has gone through SDL. Microsoft says that SDL has really helped to decrease the number of software vulnerabilities and lower the cost of fixing insecure code.

SDL always seemed like a hidden treasure that Microsoft should bring to the masses. Redmond finally externalized SDL last month with a series of tools, services, and programs. Great stuff until you realize what you are up against. Software developers are trained and paid to write business logic as quickly as they can. Few know anything about secure development. Even Microsoft needs help.

Redmond found these secure development skills in a number of partners, including a small Massachusetts company named Security Innovation. Never heard of 'em? You are not alone. In the esoteric overlapping worlds of security and software development, Security Innovation may stand alone. The company offers a portfolio of training, testing, and tools. Don't know anything about secure development processes? Security Innovation can teach you. Want to figure out how secure (or insecure) your code is? Security Innovation can tell you which way the security winds are blowing. Security Innovation can even certify code that passes its tests and meets certain metrics.

I am fairly convinced that large organizations will require specific secure software development processes and certifications as part of their Request for Purchase (RFPs) with technology vendors in the near future. Microsoft also anticipates this, which is one reason why the company continues to evangelize and offer its SDL to the market.

Ultimately, however, secure software development depends upon expertise and guidance, not just models and testing tools. Given this, companies like Security Innovation transform from geeky niche security players to critical service providers to a broad market. Microsoft, for one, is betting on this secure development metamorphosis.