Jeremiah Grossman, WhiteHat Security

Lessons Learned From the Gawker Hack

By Jeremiah Grossman, CTO, WhiteHat SecurityEveryone sounded the alarms at the Gawker Media attack, which included a security breach of websites such as Gizmodo, Lifehacker, Kotaku, io9, and others. The numbers were impressive: 1.3 million user accounts exposed, 405 megabytes of source code lost, and perhaps more important to some, the identity of those leaving anonymous comments potentially revealed. For Gawker, there is a loss of trust that will be difficult to regain. Users are already clamoring for the ability to delete their accounts. And, on the technical side, all Gawker’s systems will need to painstakingly audited or rebuilt entirely from scratch to prevent the same thing from happening again. Happy Holidays indeed.

The Web Won’t Be Safe, Let Alone Secure, Unless We Break It

By Jeremiah GrossmanThere are several security issues affecting all major Web browsers that
have remained unaddressed for years (probably because the bad guys
haven’t leveraged them aggressively enough, but the potential is
there). The problem is that the only known ways to fix these issues
(adequately) is to “break the Web” — i.e. negatively impact the
usability of a significant and unacceptable percentage of websites.
Doing so is a non-starter for any browser vendor looking to grow market
share. The choice is clear for most vendors: Be less secure and adopted, rather than secure and obscure. This is what the choice comes down to. This is a topic deserving of further exploration.

Web site security needs a strategy

By Jeremiah Grossman, White Hat Security
Someone begins watching a basketball game and asks who is winning. You might helpfully answer, “Lakers up 76 to 64.” Imagine if instead you said, “The Lakers are 60% from the field, have 12 rebounds, are 8 of 10 from the line, and the average height of the starting lineup is 6’7.” Sure, these are important statistics, but they certainly do not answer the question. (Inspired by Richard Bejtlich) The person listening would probably think you were trying to be funny, a jerk, or perhaps both.
Yet, this is how the Web security industry responds when businesses ask about the security of their websites. “We identified 21 security defects including eight Cross-Site Scripting and four SQL Injection, we are improving our SDL processes, and most of our programmers have been through security training.” Again, important metrics, but still not answering the most important question — how well defended is a website from getting hacked.