Doing Threat Modeling properly will help your teams to create a bit more secure products.

Categories Security, Uncategorized

I created something beautiful, and I want to give the knowledge to you.

How did it start?

While analyzing the SDLC in a company I worked for, I realized a few dangerous gaps in our threat modeling process. I also talked with my network of professionals in other companies and understood that they have the same or similar gaps. 

I decided to fix those gaps by creating a miniature product that I released under a creative commons license.

What were the gaps?

Traditional Thread Modeling approaches widely used today provide a false sense of security, leading to products and services that attacker personas can easily exploit. 

I identified four gaps and will share two of them with you:

Gap 1: Limited Exposure 

Most of the time, threat modeling is made by a single user because they have the most knowledge of the system or compete with others to get some company incentive.

A dialog is a key to establishing the common understandings that lead to value, while documents record those understandings and enable measurement.

The framework’s goal is to make sure everyone has a chance to participate in the exercise – to raise the entire team’s security posture and strengthen the product lines in general. 

The other benefit is that this could be adopted as an internal standard for all the team inside the company and make sure we do the threat analysis with the proper attention and using the same techniques.

Gap 2: Not aligned with the way we deliver software.

The current approach to Threat Modeling is close to a Waterfall model, and it’s far away from the dynamicity of the modern (Agile) way of doing software.

Threat modeling must align with an organization’s development practices and follow design changes in scoped iterations to manageable portions of the system.

We do the modeling in the beginning, and no one is updating them iteratively. Protecto engages the team regularly to repeat the exercise and focus on the most critical security issues first.

How do I fix this?

Protecto contains three main items:

  • A set of concept and visual tools to use with your team to make threat modeling a fun and helpful exercise.
  • A process to follow to make sure your team skills are applied where they will be most beneficial.
  • A 90-min workshop containing two modules and it starts with a beer tap protection exercise to help you and your team understand the process and the tools.

Where can you learn more?

If you want to improve your threat modeling practices and start developing more secure products with Protecto, there are two options:

Want to stop the attackers? Could you not give them something to attack?

The future of passwords is bright

Categories Privacy, Security

I see the future. I see it so clear to see one message you will receive a few years from now.

“Dear Customer, 

The BlahBlah monitoring system has noticed suspicious attempts to log in to multiple users’ accounts (an AI brute-force technique). Your account has been recognized with potentially weak security settings.

Therefore, to prevent unauthorized access, your account password has been regenerated automatically.

To restore access and ensure the security of your account, please complete the following step:

Reset a new strong password(At least 58 characters, including at least 3 uppercase, 7 lowercase letters, 9 numbers, and at least 7 special characters, e.g., ! @ # ? ])…”

The future BlahBlah security team

I like this feature. Why? People are lazy, and we tend to learn less and less and watch TV every day instead of reading books, solving math problems, thinking about space, dreaming big.

Imagine how your brain will work if you need to remember your new 58 characters password for your fresh 58 new services you will subscribe to deliver food to your home.

The future is bright! Embrace it. Please change your password to 58 characters now, and don’t write them down. Train your brain!

Threat modeling framework under Creative Commons license.

Categories Privacy, Security

I am so happy that Citrix allowed me to release under Creative Commons license the threat modeling framework I developed in the last four months.

What was the challenge?

Doing threat modeling is one of the main requirements for almost any Agile organization. Most of the teams are doing it wrong, and as an award, they receive a false sense of security, which leads to products and services that attacker personas can easily exploit.

What’s the solution?

I created an agile visual threat modeling framework (code name: Protecto)

  • Set of tools and a 90-min workshop to start with it, and build much more secure products! 
  • A step by step guide to making the modeling together, often and with fun, for maximum efficiency.
  • A learning path that is fixing the four main flaws in our current way of doing threat modeling to build much more secure products!
  • It’s a way of working through a threat model.

It all starts with a yard, a beer tap, and a bunch of attackers.  If you are thirsty for knowledge – click here to read more…

Steganography API at your service.

Categories Open Technologies, Privacy, Security
API

Steganography is the art and science of embedding secret messages in a cover message so that no one, apart from the sender and intended recipient, suspects the existence of the message. 

The most common example is to hide a message in an image file without compromising how the image looks. The majority of the people are using the photos to share a fantastic moment or two and don’t know that they can contain a secret message.

What could be the use-case?

Someone can hack your phone and embed your text messages in the pictures you take and share in, say, Instagram. 

A not so happy employee can post a picture on your blog with a secret message embedded in it to share some trade secrets with your competitors. 

Another person can embed an exploit in a PNG ads image; JavaScript code would parse the PNG image, extract the malicious code, and redirect the user to the exploit kit landing page.

Steganography also is a well know method for exchanging information between spies. 

Even if it sounds like science fiction, this is a very viable threat against your systems and you.

Steganography Protector API

I have created a small API (as a Proof of concept) that could discover a secret message hidden in any image file.  

The end-point is here:

https://sapigate.herokuapp.com/steg

It accepts POST requests only. 

The input should be JSON encoded, and it should consist of a binary stream of your image.

Here is a Python example.

import requests
url = 'https://sapigate.herokuapp.com/steg' 
my_img = {'image': open('secret.png', 'rb')}
r = requests.post(url, files=my_img) 
print(r.json())  

The result of the command can be:

{'message': 'Secret Message', 'status': 'sucess'}

I am planning to extend the API by adding more use-cases and documentation, but if you are free to start using it right away.

If you have any questions about it or it seems down, contact me via Twitter – @bogomep

A practical use

You could read all of your images from your blog and via the API to check whether they contain a secret message or not or to check for hidden traces of your last Instagram image.

If you are looking for a picture with a secret message inside – why don’t you test this one: