Monday, December 3, 2007

Security tidbits from the past month...

Web applications and Microsoft Office are the current major pain-points:

"Developers aren't using secure coding techniques to create Web applications, giving hackers an opportunity to tap the rich databases of information connected to them, according to SANS, a computer training and security organization."

The TJX hack just keeps getting worse:

Update: TJX Victim Tally Rises to 94M
"In an affidavit, the bankers said that 'TJX continues to downplay the seriousness of the situation.'"

Details emerge on TJX breach
"Spokespeople for Visa and MasterCard said they wouldn't comment on the matter, or on a Visa official's estimate of losses to banks that issued cards to be between $68 million to $83 million."

"Visa fined TJX's card processor $880,000 last summer, and said it would continue to fine the retailer's card processor $100,000/month, for TJX's role in the worst data breach in the payment industry's history, according to documents filed in federal court Oct. 26."

VISA Fined TJX Processor for Security Breach
TJX IT staff knew about the vulnerabilities, but continued to ignore them because they wanted to save money...

TJX violated nine of 12 PCI controls at time of breach, court filings say
"These additional facts materially support the claim that TJX's conduct generally" violated laws governing unfair trade practices, they said.

Court filing: TJX was warned about lax security before massive breach

Thursday, October 18, 2007

It's completely online!

Dear Readers in the Blog-o-sphere,

Over the past few years, I have been helping Stanford build a hands-on advanced security certification program to arm new and existing software engineers with what they need to know to mitigate cyberattacks. Today, Stanford announced that it has made the entire program available online; previously, students typically had to come to campus to complete the program.

The certification program provides hands-on training to geographically distributed engineering and IT staff to help them defend their companies against the changing landscape of Internet threats. More information and the press release are available at:

Specific topics covered in the certification program include:
  • emerging threats such as botnets and phishing, and defenses against them,
  • the most recent growing web vulnerabilities, such as cross-site scripting, SQL injection attacks, and distributed denial-of-service (DDoS), and
  • traditional topics such as buffer overflows, dictionary attacks, authentication, access control, data integrity, symmetric encryption, public-key cryptography, and much, much more.
Please feel free to contact Eve Byer ( for more information about the program!


-- Neil

My new book, "Foundations of Security: What Every Programmer Needs To Know" is available at

Learn more about security from Stanford's Advanced Computer Security Certificate Program-- click on for more information.

Sunday, August 19, 2007

What does Neil work on at Google?

Hi Folks,

Some of you have complained that I don't tell you about what I work on at Google... well, I certainly can't tell you about everything that I work on, but here is some info about a "launch" that I contributed to...

Google launched the "ad traffic quality" center late last week featuring articles by yours truly:

More articles about the launch are at:

So, please... no more complaints! You now know something about what I work on!


-- Neil

My new book, "Foundations of Security: What Every Programmer Needs To Know" is available at

Learn more about security from Stanford's Advanced Computer Security Certificate Program-- click on for more information.

Monday, July 23, 2007

The iPhone has been hacked!

It was only a matter of time, I guess-- a buffer overflow vulnerability has been found against the iPhone:

From the article, the researchers were able to "get access to the log of SMS messages, the address book, the call history, and the voicemail data" by sending an attack string to the iPhone via a wireless access point, a web site, or an SMS message. If you have an iPhone:

  • Only visit sites you trust. If you don't visit attackers' sites, you give them one less attack vector.
  • Only use WiFi networks you trust. If attackers have control of your Internet connection, they have the ability to insert exploits into any website you visit.
  • Don't open web links from emails. Many current viruses send links to malicious sites in emails that look like they are from trusted contacts.

Monday, June 18, 2007

Recent Security Events

It has been a while since I last wrote a blog entry, so I'll summarize some recent events:

* It was revealed that the TJX / Marshalls hack involving over 45 million credit card numbers occurred because they were using WEP, a protocol that the security community has known to be broken since 2001 (see page 219 of my book, and Slashdot for more info). Don't forget to get credit monitoring if you have ever shopped at a TJ Maxx or Marshalls department store! A group of banks has organized a class-action lawsuit against TJX, the criminals have gone on million-dollar shopping sprees, and the FTC investigation is in progress.

* In Bruce Schneier's May CRYPTO-GRAM, he asked whether or not we should have a security industry at all. While this might sound odd at first, if hardware and software products were designed correctly (that is, securely), we perhaps wouldn't need additional hardware and software to secure our systems, nor an industry that produces such additional hardware and software. Applying his argument to programmers, writing secure code could be part of every programmer's job, and in some not-too-far future we hopefully shouldn't need so many "software security" experts. The goal would be to, as per Bruce's suggestion, "make IT products and services naturally secure out of the box." Of course, we may need a few specialists to advance the "state-of-the-art," but largely I'd love to see safety and security be a regular part of every software engineer's job. "Foundations of Security: What Every Programmer Needs To Know" makes a contribution to moving the world in that direction by making security part of every programmer's job.

* I helped co-author and publish a paper entitled "The Anatomy of Clickbot.A." (The paper is mentioned on Google's Blog and also got some press coverage.) It is a good read if you want to learn more about botnets.

Sunday, April 8, 2007

TJ Maxx, Marshalls, and other dept. stores hacked!

In Chapter 8 of my book, I discussed what was the largest cyberattack at the time of its writing. That attack was against CardSystems, a credit card payment processor, in 2005, in which 43 million credit card numbers were exposed to attackers (but only about 263,000 were stolen). In late March of this year, the TJX group of retail department store companies (which includes TJ Maxx, Marshalls, HomeGoods, A.J. Wright, Bob's Stores, etc.) announced they were the victim of what some are calling the largest cyberattack of all time, in which over 45.7 million credit and debit card numbers were actually stolen.

The attack against the TJX group of companies reminds us that security vulnerabilities are still very prevalent, and the attacks due to them are getting worse because of systems with security design and implementation flaws. From my reading of various articles and TJX's SEC filing on the issue, it seems that there wasn't just a single flaw that resulted in the security breach, but that there were many flaws in TJX's security practices, which together resulted in such a spectacular attack. The data stolen even dates back to transactions from 2002. In the coming months, a Federal Trade Commission investigation will take place. If you ever shopped at any of these retail chains, you may want to consider keeping an eye on your credit report and credit/debit card statements to watch out for fraud and identity theft.

Sunday, March 25, 2007

How much security is enough security?

For most businesses, it is important for security to be "good enough" and to make sure that you are investing enough to mitigate risk.

Of course, for some companies, such as those in the payment and financial spaces, just one exploited security vulnerability could severely impact customer confidence and result in loss of business. In 2005, for instance, CardSystems, a credit card payment processor, got hit with a SQL injection attack that allowed the bad guys to steal 263,000 credit card numbers over a period of six months, and a total of 43 million unencrypted credit card numbers were exposed to the attack. Visa and Mastercard canceled their contracts with the company, the incident was investigated by the FTC and Congress, and CardSystems' assets were sold off.

There is debate as to whether or not CardSystems was compliant with all of the existing VISA and Mastercard data security requirements prior to the attack. After the attack, the requirements for such compliance were beefed up, but it also demonstrates that compliance, certifications, and audits may have limited value. There is a significant difference between being able to pass an audit and having "real" security. In layman's terms, it is sometimes easier to "talk the talk" than it is to "walk the walk." ;-)

Help Secure The Internet!

Hi Everyone,

Welcome to my blog! From time to time, I'll post interesting tidbits of info and/or opinions. For now, check out the new book that I have co-authored with Christoph Kern and Anita Kesavan entitled "Foundations of Security: What Every Programmer Needs To Know" (now available at Amazon at:

or at your local bookstore).

*** If you know or work with programmers, please let them know about it. ***

Summary of the Book

The book teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems – making them highly marketable to companies and employers.

Why Security Is So Critical

Chances are that unless we all learn something about security, the Internet will continue to be a very vulnerable place in which cybercriminals thrive.

* The number of security vulnerabilities reported to the federally-funded Computer Emergency Response Team (CERT) at Carnegie-Mellon University climbed from 5,990 in 2005 to 8,064 in 2006.

* According to IBM's Internet Security Systems division, 88.4 percent of all 2006 vulnerabilities could be exploited remotely, and over half the vulnerabilities would allow an attacker to gain access to the host (e.g., your computer) after successful exploitation.

Many of these vulnerabilities are used by cyberthieves to commit identity theft, steal credit card numbers, and launch online attacks using malware and botnets. That's really bad. So bad that popular technology websites like C|net dedicate an entire section of their sites to high-profile threat announcements, and they are filled with new articles every single day.

What's the Root Cause of Security Failures?

Software. Software with security design flaws and software with implementation bugs. As a technologist, given my love for software and my embarrassment at the current state of the world, I worked with the Stanford Center for Professional Development (SCPD) near the tail end of my PhD to help create a Computer Security Certification program ( that has to date helped many companies and software professionals mitigate security flaws in software.

The courses that make up the certification program became the basis for the material in this book. Given the importance of the material in this book to the security of the future of the Internet, I was extremely honored to have Dr. Vint Cerf, often called one of the "Fathers of the Internet" (due to his work on the original design of the TCP/IP protocols) and a recipient of the Presidential Medal of Freedom, write the foreword to this book.

Detailed Information About the Book

This book takes a principled approach to helping you design and implement your applications to be secure from the ground up, and illustrates these principles using running examples of web applications throughout the book. Just as you might use object-oriented design principles to achieve extensibility and code reuse, you need to learn about security design principles, such as the principle of least privilege, the fail-safe stance, and securing the weakest link, to achieve security; all of these are covered in this book. This book does not merely teach you "tips" and "tricks" that allow you to "band-aid" the security of your systems. Instead, it illustrates how security principles can be employed to prevent some of the most significant current-day attack types, such as SQL injection and cross-site scripting (XSS), as well as more traditional attack types such as buffer overflows. We also cover session and password management, and show you how you can use cryptography to help achieve various security goals.

How to Get Your Copy

To help aggressively disseminate knowledge about the techniques and practices that programmers need to know to achieve security, I have worked with the publisher to provide this book to the market at a low price of $40 retail, or only $26 on Amazon. If you are a teacher or an IT decision maker potentially interested in buying copies for your students or your organization, respectively, I would be more than happy to have the publisher provide you with a free evaluation copy of the book. The book's web site ( provides slides and source code that you are free to use for your own courses and needs. Also, those who enroll in the SCPD Advanced Security Certification ( will receive the book for free.

I look forward to your help in making the Internet more secure such that it can continue to transform global commerce, communication, and entertainment. Please feel free to let me know if you have any questions or feedback by dropping me an email at, and I look forward to working together with you to continue to secure the Internet!


Neil Daswani, PhD