Tuesday, 9 August 2011

Sending spoofed emails using O2 (why does this still work in 2011?)

I just blogged today about a simple but powerful O2 script that allows the sending of Spoofed emails by sending emails using SMTP: http://o2platform.wordpress.com/2011/08/09/o2-script-to-send-spoofed-emails-using-direct-smtp-connections (check out the API and GUI)

These emails are sent using an STMP API, and there are a number of variations/conner-cases that we will need to solve. For example:
  • Sending an email to a owasp-o2-platform@lists.owasp.org throws: No MX record found for the domain "lists.owasp.org". Check that the domain is correct and exists or specify a DNS server
  • On another server I got the following error (which could be solved by manipulating the provided hostname): ...failed : 504 5.5.2 <WIN-DR8DS3BT4V1>: Helo command rejected: need fully-qualified hostname
The key is to start mapping: :
  • the exact scenarios where it is still possible (in 2011) to send Spoofed emails,
  • the case where it is NOT possible, and
  • what mitigations work
I have to say that I have been surprised at the places where this still works. One of the scary scenarios is the case where one sends an spoofed email 'to email X' , 'from email Y' , 'both at company Z' (and if Y is X's boss, there is no way X will not read it and click on a provided link)

I would like to start a list of locations where this is still possible, for example it works for Gmail. So let me know if it works for you, and if you have any ideas on how/where to start mapping the data collected. On the topic of mapping this data, is there an online service to find if a email host/provider is vulnerable to this? (i.e. allow the easy spoofing of emails)

Final Question: What are the mitigations and where in OWASP should be put this information? (I could only find https://www.owasp.org/index.php/Phishing which is not 100% relevant)

Saturday, 6 August 2011

Injecting O2 into an .NET Process, in this case IBM Rational AppScan standard

Here is another example of how to inject O2 into an .NET Application and be able to control its GUI:
The 'pink' example came about because in the group I was having dinner yesterday, there was a female AppScan user. I was explaining to her, that once we can run O2 scripts inside AppScan, there are very few limitations of what can be done, and nothing showed that better than a Pink version of AppScan :)

Wednesday, 3 August 2011

OWASP O2 platform, the history so far (Sep 2008 till Aug 2011)

For the past couple years I have been using this personal blog to document O2 Platform's history.

Here are the most important blog posts, ordered chronologically and with some additional comments (made in August 2011).

Monday, 1 August 2011

Joining Security Innovation (SI) as a Employee

Today (1st August 2011) marks a new period of my career, I'm joining SI (Security Innovation) as an employee.

This is quite a departure for me, since I have been an 'independent consultant' for the past 10+ years and even when I had a contract with OunceLabs and ABN Amro, I was a contractor and not an employee.

I'm very excited to join SI, so far it has been a perfect match. I really like the SI setup, the people are amazing and they seem genuinely happy to support:
  • what I want to do,
  • how I want to do it, and
  • what I have been doing (namely the O2 Platform).

Although I've known SI for a while (I was a big fan of their Holodeck product) I never really thought of them as an Application Security company, so, it was with some surprise that I started a thread with Ed and Jason about OWASP Certification.

At the time I outlined what was the OWASP position (see this post for more details) and was expecting them (as others before) to give up, and not try to do anything about it.

To my surprise , they kept coming back, and the bigger the 'curve ball' I would send on their direction, the better they responded.

Cutting a long story short, SI:

Since there was an obvious synergy between us, after the Summit I talked with Jason and Ed and we come up with a first way of working together (see my blog post Working with SI on Team Mentor and OWASP projects ).

What started as a 'lets make some bug fixes' to TeamMentor, became a major redesign, where the new version (3.0) is almost a complete rewrite of the existing version of TeamMentor's backend and frontend.

It was this process that really allowed me to see what SI was like. I basically kept coming back to Jason with requests to improve/redesign TeamMentor's backend/frontend, and he kept trusting me and allowing me to go on the direction that I felt was more suitable for TeamMentor.

I'm glad he let me do that, since the new version is heavily based on JQuery, is fully driven by WebServices and has an File-based-Xml data store (i.e no SqlServer). Of course I used O2 to help with the development of TeamMentor :) and there are LOTs and LOTs of goodies and tools in there that I will be blogging about next.

In some ways, it's the little things that I like about SI:
  • The way that Jason and Ed understand the added value of playing the 'open' game at OWASP where everybody benefits
  • Jason's (CTO) Free Range family and lifestyle
  • The hard-core geek squad at the Seattle office (one of the authors of Firesheep is part of SI :) ), which is VERY strong in Application Security
  • The very mature SDL process and Application Security review that they 'try' to get the clients to use :)
  • The large component of training and e-learning (which has always been a passion of mine)
  • The voice and type of discussion that occurs in the internal mailing lists
  • The fact that Jason is happy for me to blog about what I am doing with TeamMentor (see http://teammentordevelopment.wordpress.com)
  • The way the marketing department is trying to do the right thing for OWASP
  • The fact they SI tag line is 'The Software Security Company' - which is exactly what I want to do :)
So let's see what happens next. I know that I'm now going to be viewed as a 'vendor' and my 'independence' is going to be questioned. I hope that my actions in the next months/years, will show that my heart is still in the right place and that I'm still 100% focused on solving the 'Application Security' problem (i.e. helping developers to create secure applications).

FYI, my new title is 'Principle Security Engineer' and here is a direct quote from my contract:
  1. Continue development on TeamMentor. Particularly finish v3.0 and post-release work with .... as well as customers and prospects to ID use cases, promote adoption, and spec new features for future releases.
  2. Deliver SI professional services and training, with a focus on European clients. This can include ILT, app pen testing, code reviews, threat modeling, and SDLC consulting.
  3. Serve as SME for SI eLearning courses, with a focus on web/OWASP content. This may entail reviewing content and storyboards, and sourcing/adapting existing content from OWASP sources that can be built into our commercial eLearning products.
  4. Serve as “outreach” – a public face of SI to help elevate our stature and presence in the industry. This would include everything from your blog to speaking engagements at conferences to interacting with the press and our PR firm.
Btw, if you have any questions or issues about SI, feel free to contact me.