Cybercroissant Podcast Episode

While I was at DevSecCon earlier this year I had a chance to record a podcast episode with Cybercroissant. You can find it on their site.

During the conversation I brought up a parallel between magic tricks and hacking. That idea is perhaps better described in the introduction to my last book, which I’ve excerpted below.

Welcome to the fourth edition of the Anti-Hacker Tool Kit. This is a book about the tools that hackers use to attack and defend systems. Knowing how to conduct advanced configuration for an operating system is a step toward being a hacker. Knowing how to infiltrate a system is a step along the same path. Knowing how to monitor an attacker’s activity and defend a system are more points on the path to hacking. In other words, hacking is more about knowledge and creativity than it is about having a collection of tools.

Computer technology solves some problems; it creates others. When it solves a problem, technology may seem wonderful. Yet it doesn’t have to be wondrous in the sense that you have no idea how it works. In fact, this book aims to reveal how easy it is to run the kinds of tools that hackers, security professionals, and hobbyists alike use.

A good magic trick amazes an audience. As the audience, we might guess at whether the magician is performing some sleight of hand or relying on a carefully crafted prop. The magician evokes delight through a combination of skill that appears effortless and misdirection that remains overlooked. A trick works not because the audience lacks knowledge of some secret, but because the magician has presented a sort of story, however brief, with a surprise at the end. Even when an audience knows the mechanics of a trick, a skilled magician may still delight them.

The tools in this book aren’t magical; and simply having them on your laptop won’t make you a hacker. But this book will demystify many aspects of information security. You’ll build a collection of tools by following through each chapter. More importantly, you’ll build the knowledge of how and why these tools work. And that’s the knowledge that lays the foundation for being creative with scripting, for combining attacks in clever ways, and for thinking of yourself as a hacker.

I chose magic as a metaphor for hacking because it resonates with creative thinking and combining mundane elements to achieve extraordinary effects. Hacking (in the sense of information security) requires knowing how protocols and programs are put together, and the tools to analyze or attack them. I don’t have a precise definition of a hacker because one isn’t necessary. Consider it a title to be claimed or conferred.

Another reason the definition is nebulous is that information security spans many domains. You might be an expert in one, or a dabbler in all. In this book you’ll find background information and tools for most of those topics. Skip around to chapters that interest you.

The Anti- prefix of the title originated from the first edition’s bias towards forensics and equating Hacker with Attacker. It didn’t make sense to change the title for a book that’s made its way into a fourth edition over a decade later. (Plus I wanted to keep the skull theme cover.) Instead, consider the prefix as an antidote to the ego-driven, self-proclaimed hacker who thinks knowing how to run canned exploits out of Metasploit makes them an expert. They just know how to perform a trick. Hacking is better thought of as understanding how a trick is put together, or being able to create new tricks on your own.

Each chapter should set you up with some of that knowledge. And even if you don’t recognize a magical allusion to Hermione, Tenar, or Gaius Helen Mohiam, there should be plenty of technical content to keep you entertained along the way. I hope you enjoy the book.

The Twelve Web Security Falsehoods

Today marks the one year anniversary of Hacking Web Apps. The book is an updated and greatly expanded version of my prior one that had been part of the Seven Deadliest series. HWA explains the concepts behind securing and breaking web applications. It also represents the longest time I’ve ever spent writing an exploit.

Since then I’ve supplemented the book with examples, techniques, and commentary on web security here on the blog. (And I have enough notes to continue for quite a while, not to mention material for a potential new edition.)

The book and the blog have covered all kinds of facts and true stories about web security. Including situations where something true needs to be false. Or a dozen fundamental truths that everyone should know, even though many developers remain unaware of security.

So, in the spirit of self-reflection and contrariness, here are the Twelve Web Security Falsehoods:

  1. The app you designed matches the app you deployed.
  2. HTML5 makes your site less secure.
  3. Web programming languages lack APIs for securely constructing SQL queries.
  4. HTTPS fixes spoofing, framing, and phishing attacks.
  5. Native mobile apps don’t need to use HTTPS or verify server certificates because they aren’t browsers.
  6. Flash and Java are worthwhile, secure plugins for your browser.
  7. HTML injection flaws that you can’t exploit are flaws that no one can exploit.
  8. Blacklisting “alert” and “script” prevents HTML injection.
  9. A site that protects the security of your data consequently protects the privacy of your data.
  10. Iterated hashing protects users who have chosen weak passwords.
  11. You only need to follow a Top 10 list to secure a web site.
  12. This list is complete.

Thank you to everyone who’s visited the site or purchased a book!

You might be interested in my next book coming out this November, the fourth edition of The Anti-Hacker Toolkit — a nearly complete rewrite that covers modern hacking tools beyond the field of web security.

If you’ve enjoyed this blog, consider buying a book. Or give a shout-out on Twitter and share this site with some friends. There’s always more content on the way!

The Resurrected Skull

It’s been seven hours and fifteen days.

No. Wait. It’s been seven years and much more than fifteen days.

But nothing compares to the relief of finishing the 4th edition of The Anti-Hacker Toolkit. The book with the skull on its cover. A few final edits need to be wrangled, but they’re minor compared to the major rewrite this project entailed.

AHT 1st Edition

The final word count comes in around 200,000. That’s slightly over twice the length of Hacking Web Apps. (Or roughly 13,000 Tweets or 200 blog posts.) Those numbers are just trivia associated with the mechanics of writing. The reward of writing is the creative process and the (eventual…) final product.

In retrospect (and through the magnifying lens of self-criticism), some of the writing in the previous edition was awful. Some of it was just inconsistent with terminology and notation. Some of it was unduly sprinkled with empty phrases or sentences that should have been more concise. Fortunately, it apparently avoided terrible clichés (all clichés are terrible, I just wanted to emphasize my distaste for them).

Many tools have been excised; others have been added. A few pleaded to remain despite their questionable relevance (I’m looking at you, wardialers). But such content was trimmed to make way for the modern era of computers without modems or floppy drives.

The previous edition had a few quaint remarks, such as a reminder to save files to a floppy disk, references to COM ports, and astonishment at file sizes that weighed in at a few dozen megabytes. The word zombie appeared three times, although none of the instances were as threatening as the one that appeared in my last book.

Over the next few weeks I’ll post more about this new edition and introduce you to its supporting web site. This will give you a flavor for what the book contains better than any book-jacket marketing dazzle.

In spite of the time dedicated to the book, I’ve added 17 new posts this year. Five of them have broken into the most-read posts since January. So, while I take some down time from writing, check out the archives for items you may have missed.

And if you enjoy reading content here, please share it! Twitter has proven to be the best mechanism for gathering eyeballs. Also, consider pre-ordering the new 4th edition or checking out my current book on web security. In any case, thanks for stopping by.

Meanwhile, I’ll be relaxing to music. I’ve put Sinéad O’Connor in the queue; it’s a beautiful piece. (And a cover of a Prince song, which reminds me to put some Purple Rain in the queue, too). Then it’s on to a long set of Sisters of Mercy, Wumpscut, Skinny Puppy, and anything else that makes it feel like every day is Halloween.


Last year 30 new posts crept onto this site in spite of the majority of my time co-opted by writing the Hacking Web Apps book. I mostly avoided microblogging outlets like Twitter and Tumblr. Instead, I stuck with something a billion times better: kiloblogging at 1,000 words per post.

It’s not that microblogging isn’t unappealing (there’s a jumble of negations). When I was brainstorming Twitter handles I thought I’d try a name with 139 characters. It would have been the perfect Denial of Annoyance attack: tweet without care, but anyone responding directly would run out of characters once they added the @ sign. But Twitter’s a really useful communications medium, so I opted for CodexWebSecurum in acknowledgement of my Harry Potter-esque knowledge of Latin and affection for Roman history (as learned through role-playing games).

My microblogging output remains accordingly measured in the millionths, especially compared to international standards like the Wheaton (@wilw).

We’ve had “blogging” since the start of the web. Before “web log” became truncated to “blog” we had Geocities. (And those annoying ads that followed the page as you scrolled up and down.) It’s the term that’s stuck. We never descended to other types of “web” writing, like barticles or bentries. Contrary to truncation trends, “web books” are “e-books” instead of “books”. We have webcasts in place of broadcasts, but thankfully no one has tried webivision or the webephone.1

Kiloblog: Something with a thousand words. Like a picture. (Is that what an Instagram measures?) Since the content here mostly covers security and computing, I suppose the official word count for a kiloblog should be measured in a power of two, which would require 1,024 words. But I prefer Imperial measures such as the proper pint or (in the vein of Duke Leto) stockpiles of spice, so I’ll stick with 1,000 word units.

If those 30 posts were a kilo each (I haven’t counted), they’d equal about a third of Hacking Web Apps. WordPress keeps stats like that, just as it keeps a year-end summary of a site’s activity. In order to focus on attracting more readers, I reviewed the least visited posts of the year. The results weren’t too surprising. It makes sense that entries from 2008 (or reposted from even further back) would gather dust in the short-term memory of Internet history. But I’m still looking for copies of NCSA httpd’s earliest source code. And though you may not be interested in completely unrelated topics like my thoughts on John Wyndham’s novels, you might find the books themselves entertaining.

I’ve been giving those least popular articles plenty of thought. Some of them will be edited to fix egregious writing or make them more topical. Even so, I haven’t forsaken the topics that attracted the most attention. Here’s a self-imposed challenge of topics to hit for 2013. Make your bets now to see if next year’s WordPress summary reflects what’s (supposed to be) forthcoming.

  • More HTML Injection and cross-site scripting (XSS) examples, from the basics to advanced. (Of course, the book has this info, too…)
  • More posts about HTML5 features
  • Revisit my JavaScript-based parser for .NET’s ViewState
  • SQL injection tutorials
  • Expanded info for presentations to be given at security conferences this year
  • Web scanner concepts, evaluations, and expectations
  • Notes, examples, and code to keep in mind for a second edition

Or drop a note in the comments if there’s a topic you’d like to see.

This entry falls short of an official kiloblog measure, but that’s because I need to get back to yet another secret writing project. More on that soon.

1 Dangling citation here. I’ve lost the reference to the linguist who inspired commentary on those words. I thought it was on Language Log, but can’t find the post.

Malware Is Software

My article on trends in malware has finally appeared on the Safari Books Online blog.

Malware is a nasty threat to everyone, whether you’re trying to enrich uranium with fancy centrifuges in Iran or enrich your bank account with fancy craft projects on Etsy. The really menacing examples are named like characters lifted from fan fiction based on William Gibson books or The Matrix: Flame, Stuxnet, Duqu, Gauss.

I’ll use this post to fill out some background for the original article. For example, there’s good reason to believe that anti-virus is less useful against malware authors who spend a little effort to evade detection (or attack the AV itself). We can’t even get web sites to deploy HTTPS everywhere, but malware authors are smart enough to use encrypted channels to successfully evade analysis. Malware is rife in mobile applications. But even “safe” applications are poorly written — I made the observation in my book (and here, slides 37 & 38) how few apps bother to actually verify the certificate used for an HTTPS connection.

The point is that good software design should reduce the kinds of vulnerabilities that malware exploits, but there’s nothing preventing malware authors from adopting those same design principles — leading to better malware that’s more difficult to analyze. And poor software design (e.g. not verifying certs) makes an app insecure in the first place.
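The fifth of the Twelve Web Security Falsehoods above and this paragraph’s point about apps that skip certificate verification, shown as the weak client configuration beside the corrected one, with a small audit function that flags the weak settings. This is an added example, not code from the article or either book; it assumes only Python’s standard ssl module.

```python
import ssl

# Protocol versions below this one are not acceptable for a client in 2013 or today.
MIN_ACCEPTABLE_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of finding codes for a client SSLContext.

    An empty list means the context verifies the server certificate chain,
    checks the hostname against that certificate, and refuses pre-TLS-1.2
    handshakes. Each code names the attribute that is mis-set.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # CERT_NONE: any certificate, self-signed or issued to another host, is accepted.
        findings.append("verify_mode")
    if not ctx.check_hostname:
        # A valid certificate for one host would still be accepted for any other host.
        findings.append("check_hostname")
    if ctx.minimum_version < MIN_ACCEPTABLE_VERSION:
        findings.append("minimum_version")
    return findings


def insecure_client_context() -> ssl.SSLContext:
    """The "we aren't a browser" pattern: verification switched off entirely.

    Constructed here only so it can be audited; it is the shape of the falsehood.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A client context that actually verifies the server it talks to."""
    # create_default_context() loads the platform CA store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "no findings")
```

The same audit can be pointed at any SSLContext an application builds, which is the check to run before trusting an app’s claim that it "uses HTTPS".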

I’ll plug my book again, mostly because you should be looking at Hacking Web Apps (HWA) instead of Seven Deadliest Web Application Attacks, which is mentioned at the end of the article. HWA is the updated, expanded version. There’s no point in purchasing the other unless you like collecting whole sets. The other titles focus on malware and will give you better insight into that world of software.

Hacking Web Apps: Detecting and Preventing Web Application Security Problems
Malware Forensics: Investigating and Analyzing Malicious Code
Malware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides
Mobile Malware Attacks and Defense

Carborundum Saw

It’s entertaining to come across references to computer security in fiction. Sometimes the reference may be grating, infused with hyperbole or laughably flawed. Sometimes it may seem surprisingly prescient, falling somewhere along a spectrum of precision and detail.

Even more rewarding is to encounter such a quote within a good book. Few readers who venture outside of modern bestsellers, science-fiction or otherwise, may recognize the author Stanisław Lem, but they may be familiar with the movie based on his book of the same name: Solaris. Lem has written several books, two of my favorites being The Cyberiad and Fiasco.

One Human Minute, from 1986, isn’t about computers in particular. The story is presented as a book review of an imagined tome that describes one minute of the entire Earth’s population. It also has this fun gem:

Meanwhile, computer crime has moved from fantasy into reality. A bank can indeed be robbed by remote control, with electronic impulses that break or fool security codes, much as a safecracker uses a skeleton key, crowbar, or carborundum saw. Presumably, banks suffer serious losses in this way, but here One Human Minute is silent, because — again, presumably — the world of High Finance does not want to make such losses public, fearing to expose this new Achilles’ heel: the electronic sabotage of automated bookkeeping.1

Carborundum saw would also make a great name for a hacking tool.

1 Lem, Stanisław. One Human Minute. Trans. Catherine S. Leach. San Diego: Harvest Book, 1986. 34.

Electric Skillet

Of John Brunner’s novels, I recommend reading Stand on Zanzibar first; it’s a well-known classic. Follow that with The Sheep Look Up. If you’re interested in novelty, Squares of the City has the peculiar attribute of being written to the rules of a chess game (the book’s appendix maps each character’s role to its relevant piece).

Two of Brunner’s books contain computer security concepts and activities. The first one, Shockwave Rider, was written in 1975 and is largely responsible for generating the concept of a worm. A character, Sandy, explains:

What you need is a worm with a completely different structure. The type they call a replicating phage.

The character continues with a short history of replicating phages, including one developed at a facility called Electric Skillet:

…and its function is to shut the net down and prevent it being exploited by a conquering army. They think the job would be complete in thirty seconds.

The main character, Nick Halflinger, creates a variant of the self-replicating phage. Instead of devouring its way towards the destruction of the net, the program grows off data as a virtual parthenogenetic tapeworm. Nick is a smart computer sabotage consultant (among other things); his creation “won’t expand to indefinite size and clog the net for other use. It has built-in limits.” No spoilers, but the tapeworm has a very specific purpose.

In this 1988 novel, Children of the Thunder, Brunner mentions a logic bomb as he introduces a freelance writer who had been covering a computer security conference. Brunner didn’t coin this term, though. Malicious insiders were creating logic bombs at least since 1985 [1], famously described by a computer scientist in 1984, and known in the late 70s [2] (including a U.S. law covering cybercrime in 1979).

The history of the term is almost beside the point because the whimsical nature of the fictional version deserves note [3]:

Two months ago a logic bomb had burst in a computer at British Gas, planted, no doubt, by an employee disgruntled about the performance of his or her shares, which resulted in each of its customers in the London area being sent the bill intended for the next person on the list — whereupon all record of the sums due had been erased.

A paragraph later we’re treated to a sly commentary embedded in the description of the newspaper who hired the journalist:

The paper…was in effect a news digest, aimed at people with intellectual pretensions but whose attention span was conditioned by the brevity of radio and TV bulletins, and what the [editor] wanted was a string of sensational snippets about his readers’ privacy being infringed, bent programmers blackmailing famous corporations, saboteurs worming their way into GCHQ and the Ministry of Defense…

The fictional newspaper is called the Comet, but it sounds like an ancestor to the dear El Reg (with the addition of pervasive typos and suggestive puns). It’s amusing to see commentary on the attenuation of attention spans due to radio and TV in 1988. It provides a multi-decade precursor to contemporary screeds against Twitter, texting, and Facebook.

Should you have attention left to continue reading, I encourage you to try one or more of these books.

[1] “Man Guilty in `Logic Bomb’ Case.” Los Angeles Times 4 July 1985, Southland ed., Metro; 2; Metro Desk sec.: 3. “[Dennis Lee Williams], who could face up to three years in prison when sentenced by Los Angeles Superior Court Judge Kathleen Parker on July 31, was convicted of setting up the program designed to shut down important data files.”
[2] Communications of the ACM: Volume 22. 1979. “…logic bomb (programmed functions triggered to execute upon occurrence of future events)…”
[3] Brunner, John. Children of the Thunder. New York: Ballantine, 1989. 8-9.