Grok Computer Security

Dawning of the Age of Caprica: Software-defined Security

noreply@blogger.com (Anonymous) — Wed, 17 Oct 2012 14:13:00 +0000

I'm giving this talk live at 11:00 PT, Today. Please attend live, or watch it anytime.

A BrightTALK Channel

--Michael

Key Properties of Security Virtualization for Virtualization Infrastructure

noreply@blogger.com (Anonymous) — Tue, 09 Oct 2012 05:57:00 +0000

Independence from security hardware

This is an extension of the everything is software model inherent within virtualization. This creates several operational advantages:

Simplifies data center resiliency and failover
Reduces upgrade costs
Enables "designed-in" security across data center fabric
Scaling enhanced due to elimination of architectural constraints
Hardware refresh cycle and technology advance is accelerated due to shortened engineering cycle
CPU resource pool remains uniform

Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads

There's a lot of room for argument here, mainly because we don't necessarily have broad agreement on the physical network security model. I'll assert the following requirements:

Defense in depth
Segmentation of data
Access control
Separation of duties
Deliver at least the top five controls from the SANS top-20:

Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software
Continuous Vulnerability Assessment and Remediation
Malware Defenses

Additionally, these must all be applied to the network, software objects, management tools, and APIs within the virtualized data center

Follow the operational model of compute virtualization

Security Virtualization must enable scaling, elasticity, mobility, and seamless disaster recovery. It also requires the conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities. These are obvious capabilities for virtualization architects but rather new for security. Until recently we could not have a conversation about the auto-deployment or orchestration of security tools, now there are COTS products ready to do this. This operational model challenges the "security way" of doing things and impacts the culture of security within IT. This requires the transition of security professionals into new operational roles that are more flexible than existing silos within typical large IT organizations.

Compatible with any hypervisor platform

Security virtualization must be platform independent and ultimately it must be capable of protecting virtualized workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:

VMware
RHEV (KVM)
HyperV
Mobile (ultimately there will be more than one here)

Therefore as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.

Logical isolation of virtualized workloads, audit and security for control plane elements

At the hypervisor layer or above, everything is software. Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere. Workloads will then run most efficiently when allowed to be run within common resource pools for CPU, Memory, Storage, and Networking. For example, fire walling must control access at the virtual NIC and be configured by policies that are not required to identify layer 3 or 4 attributes. This allows network segmentation of systems that share a single software switch, VLAN, or Host. In addition to isolation, security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources. In the ideal case, logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private or public clouds. This requires sophisticated capabilities for delineating a zone of trust that both isolates systems and applies common security policies within each specific trust zone, even when this zone spans multiple data centers.

Cloud performance and scale

Large-scale compute clouds are composed of thousands to millions of hypervisor instances. Security virtualization must enable resilient and protected operations at this scale. Security management tools, incident response, control automation, and event analysis must all be modified. This will require new security management architectures, analytics, and closed-loop controls that operate across millions of security objects in multiple locations. Additionally, cloud performance is not just IOPS or CPU cycles, it is also the capability to provision, modify, and decommissions hundreds or more systems with minutes or seconds. Security virtualization also enables security to accelerate operationally.

Open, programmatic security provisioning and control

Security virtualization must be integrated with provisioning, management, and operations of the data center. This must be a set of APIs that will fit into the management stacks developed and developing for each hypervisor platform. Security virtualization vendors will be able to differentiate on performance, complexity, completeness of solution, etc. However, each vendor must be able to interoperate with a common protocol like SCAP and must support their own orchestration by 3rd party or platform tools and management platforms. Specifically the API must, at minimum, support

create/modify/delete for security policy elements
create/modify/delete of security zones
bidirectional updates of inventory attributes
bidirectional event communication
integration with workflow and incident escalation systems

In closing

Security virtualization has the potential to drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities. As with hardware virtualization, the most effective use of security virtualization will require changes to IT staffing, processes, and procedures. This will be disruptive to the way security "has always been doing it" -- something that is both necessary and good because the way we have been doing it has not been effective.

Interesting Flame News

noreply@blogger.com (Anonymous) — Wed, 06 Jun 2012 16:50:00 +0000

It's my understanding, Flame made use of a cryptographic weakness in the certificate generation algorithm to create fraudulent certificates and then execute a MITM attack. This is discussed here.

A few thoughts:

The NSA deserves their reputation.
Further, they were willing to let the world know about this weakness. This denies them further use but also denies it to an adversary
This weakness would have allowed them to plant software on just about any Windows system
Makes you wonder what else they have up their sleeve (this is deterrence)

--Michael

The Cyber Cold War has Started

noreply@blogger.com (Anonymous) — Sun, 03 Jun 2012 03:05:00 +0000

We are engaged in a cyber cold-war. The primary adversaries are the US, China, and Russia. China has directed attacks at the US, Russia has targeted former republics, and the US striking at Iran. With respect to the great powers, Mutual Assured Destruction (MAD) is in everyone's mind. The 5th wave nations are all incredibly vulnerable to cyber-attack and as Anonymous and others have shown, no one has even a modestly effective defense.

IMHO, the MAD risk of cyber will keep the major powers in-line, just like it has done with nuclear. However, the cyber-weapon genie is 100 times more difficult to keep in the bottle. We are fast approaching an era where a cult or perhaps even a lone gunman could use Stuxnet or perhaps now Flame as the blue print for a devastating attack on critical infrastructure.

Lastly, these weapons often effect more than their target. Collateral damage, friendly-fire, and blowback are more likely with a cyber-weapon due to the nature of cyberspace and the difficulty of distinguishing friendly systems and networks from those of the adversary.

More here.

Today’s Phish

noreply@blogger.com (Anonymous) — Wed, 18 Apr 2012 00:44:00 +0000

Like everyone on the planet, I am sent free phish every day. Since I can’t turn these into loaves or wine, I usually don’t waste time on them. Today’s phish caused me to reminisce, and when I reminisce, I get curious, so I looked further. First, here is the phish:

A document was scanned and sent to you using a Hewlett-Packard JET ON4412867SSent to you by: KRYSTIN
Pages : 6
Filetype: Image (.jpeg) View

Location: NPSK1.4FL.
Device: OP218S5OD2054128Mailprint: d72e6d72-e624bbbb

A document was scanned and sent to you using a Hewlett-Packard JET ON4412867S

Sent to you by: KRYSTIN
Pages : 6
Filetype: Image (.jpeg) View http://donteverclickalinkinemail.example.com/oCzgKm43/index.html

Location: NPSK1.4FL.
Device: OP218S5OD2054128

Mailprint: d72e6d72-e624bbbb

Really, I think it's been years since I last saw this type of phish. The initial URL runs through three secondary URLs (a .com, .ro, and .ir) that in turn point to a single host (173.44.136.197). At the time of this phish all three secondaries and the host were alive and serving the scam. The payload when I research the .ro link, the payload (using curl) at 16:43 PDT. The payload reported by another blogger dynamoo. The payload now on .ir link -- note that the folks in IR appear to have now blocked the scam, or are running something else, I am leaving their CGI alone.

According to wepawet the payload contains two vulnerabilities first reported in 2010, here, and here. The Adobe Reader vulnerability applies up to 9.3 and the Microsoft applies to Win2003sp2. So that's a decent target space.

What did I learn today?

dynamoo
lastline some of the smart guys involved with wepawet and anubis

A good day.

(updated 4/23)
This phish is harder to detect on my phone, see image :

Hackers force us to make JSF more secure

noreply@blogger.com (Anonymous) — Sat, 04 Feb 2012 19:31:00 +0000

There's been some commentary on the recent article, "China's Role in JSF's Spiraling Costs." TaoSecurity (Richard Bejtlich’s) has an excellent blog on this, which follows up on a tweet by @4n6ir.

However, I have a different take:

“Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say.”

This sounds a lot like “FBI Admits Hacker Group’s Eavesdropping.” So after at least three years we still haven’t learned how to keep our secure conference calls, well, um, actually secure – but that’s a digression.

The article on the Joint Strike Fighter (JSF) goes on: ”…need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking.”

The JSF’s software systems had serious vulnerabilities: “Defense analysts note that the JSF’s information system was not designed with cyberespionage, now called advanced persistent threat, in mind.” The JSF’s Multifunction Advanced Data Link (MADL) was dropped entirely because of reported “money issues.”

We were building one of the most “computerized” and “networked” fighter planes in the world. Imagine if the plane went into production with those serious software vulnerabilities and it was open to attack via it’s own aerial network? It’s not like adversaries haven’t already demonstrated their ability to hack our communications channels in the field to hijack drone telemetry, video, and perhaps to crash them.

If there is a silver lining here, it’s that when the JSF does fly it’s systems will be better protected against software vulnerabilities and it won’t be broadcasting a SSID, although a Mach-2 WAP would have been pretty cool.

I’ll tell you what I want, what I really, really want from a Cloud Provider

noreply@blogger.com (Anonymous) — Wed, 25 Jan 2012 01:06:00 +0000

If you want my business, you better make it fast

Self-service: 7x24 add, remove, change resources, workloads, and connectivity

Elastic: scale up or down automatically within the limits I set

Available: stand up to hurricanes, DDOS, and replication storms. Your mistakes should never be my problem.

If you want my data, you better make it secure

Auditing: network and management

Network – I need to audit and or inspect all the traffic between my systems. This includes but is not limited to traffic between users, systems, and applications even where they share the same physical host and virtual switch.

Management – I need to see all management events that may impact the security or configuration of my systems. This includes but is not limited to privileged access to my systems or data through the hypervisor or cloud management APIs.

Control: policy and assurance

Policy – I need to express and apply security policies via a method that is both human understandable and translatable into a machine-interpreted language.

Assurance – I need to know when an event or incident occurs that violates a policy and I need a method for testing that controls exist and are effective for enforcing my policies.

Metrics: continuous and interoperable

Continuous – Per our agreed standards of measurement I must be able to quantify the security attributes of my system. This may include but is not limited to measurements for: vulnerability, configuration, performance, incident detection, incident response, and incident containment.

Interoperable – All security relevant data and events must be available in a documented machine-readable format. It should either comply with standards such as Cyberscope and SCAP or my preferred GR&C system.

If you want my money, you better not ask for much

Value – Not just cheaper than if I do it myself. Your services should give my organization new capabilities to meet our objectives. These capabilities could include user experience, logistic support, and accessibility …

No lock-in – I should be able to easily move my data and workloads back inside my enterprise or to one of your competitors.

Tell me again where these devices are made?

noreply@blogger.com (Anonymous) — Fri, 20 Jan 2012 04:54:00 +0000

I’ve been “upgrading” my home infrastructure:

Seagate GoFlex Network Storage
Netgear WNDR3800
(other stuff)

All my toys run linux, so imagine my surprise when this starts showing in my logs:
[LAN access from remote] from 210.51.17.227:40986 to 192.168.35.119:22, Thursday, January 19,2012 16:56:47
[LAN access from remote] from 210.51.17.227:39316 to 192.168.35.119:22, Thursday, January 19,2012 16:56:36
[LAN access from remote] from 210.51.17.227:37023 to 192.168.35.119:22, Thursday, January 19,2012 16:56:32
[LAN access from remote] from 210.51.17.227:34192 to 192.168.35.119:22, Thursday, January 19,2012 16:56:28
[LAN access from remote] from 210.51.17.227:50809 to 192.168.35.119:22, Thursday, January 19,2012 16:56:21
[LAN access from remote] from 210.51.17.227:47558 to 192.168.35.119:22, Thursday, January 19,2012 16:56:16
[LAN access from remote] from 210.51.17.227:44530 to 192.168.35.119:22, Thursday, January 19,2012 16:56:11
[LAN access from remote] from 210.51.17.227:42159 to 192.168.35.119:22, Thursday, January 19,2012 16:56:07
[LAN access from remote] from 210.51.17.227:39236 to 192.168.35.119:22, Thursday, January 19,2012 16:56:02
(repeat about 500 times)

whois 210.51.17.227?
Answer someone inside a /16 registered to Beijing Tongtai IDC of China Netcom.

Turns out my Seagate device was advertising port 22 via upnp and my Netgear was helpfully port mapping it to the Internet.

Go figure.

SQL Injection and Cross-Site Scripting (XSS) are Hot

noreply@blogger.com (Anonymous) — Sat, 02 Apr 2011 15:03:00 +0000

Custom and automated attacks against web sites continue as vendors and developers still have not gotten the hang of secure coding techniques.

In one case, an automated attack has infected more than 600,000 sites in about two days.

The other, was a case of a targeted attack against MySQL. Interestingly, the attackers are taking credit for this exploit.

Broad automated attacks like the first are usually driven by botnot groups who are ultimately seeking to compromise a large number of end-user systems.

The second attack is becoming less common. My guess, is that they are seeking to establish credibility for their attack skills and to demonstrate their ability to launch a 0-day hack. This sort of activity ranges from the somewhat benign: the hacker equivalent of resume fodder, or more malignantly: demonstrating value before selling their exploits to the criminal underground.

While defects will always exist, it is clear that web site providers still fail to perform the security basics: vetting code before deployment and monitoring their site for compromise.

(updated)
Current infection counts can be found (for a few of the domains hosting the malicious scripts) with Google:

HyperSentry

noreply@blogger.com (Anonymous) — Wed, 22 Sep 2010 13:34:00 +0000

HyperSentry is a technology that uses IPMI to allow an out-of-band method for checking hypervisor integrity.

IPMI is a backdoor to the system, so it is something that has to be managed carefully. When I did pen-testing I often found that it was not secured properly. That said, it is a very interesting idea.

I think the hardware "root-of-trust" technology: that has been developed by AMD and Intel is also interesting

I think we will see availability of tools, including Catbird, where a combination of these technologies is built-in to the system. I do have to point out that IPMI based checks have been possible for years and yet no one has touted them as a solution for detecting conventional rootkits. I've learned that anything with "IBM" in the release has a certain amount of FUD factor and it may be a year or longer before we see a real capability that can be built into a product.

Perhaps the broader implication is that work like this is common on open-source hypervisors and is much harder to perform on proprietary systems.

VA cloud outage

noreply@blogger.com (Anonymous) — Thu, 02 Sep 2010 15:39:00 +0000

--Virginia Gov't Agencies Suffer Massive Outage
(August 27 & 30, 2010)
A storage area network (SAN) memory card failure at the Virginia
Information Technologies Agency (VITA) left at least two dozen agencies
without the ability to conduct business. Among the affected agencies
are the Department of Motor Vehicles, which was unable to issue driver's
licenses, and the Department of Social Services, which was unable to
distribute benefits. The data center where the failure occurred is run
by Northrop Grumman.

[Editor's Note (Northcutt): The state of Virginia was an early adopter
of blades and virtualization. The advantages and economics are obvious.
These outages may prove to be a cautionary tale. With virtualization,
you end up with a lot of eggs concentrated in a fairly small basket so
that if your continuity of operations plans fail, you go down pretty
hard.

(Schultz): This is a perfect example of what can go wrong when cloud
services fail. People in general neither recognize the real risk nor
plan for loss of availability in cloud services.]

Wow, they were not running dual HBAs into the SAN? Can't be.

Outage report from VA is here: http://www.vita.virginia.gov/about/default.aspx?id=12596

I am not sure the SANS editor comments are warranted. This may be related to an architectural error in the deployment of the EMC DMX 3 and its backup.

The DMX is an SMP-based HA system with a petabyte of capacity. The comment about too many eggs in one basket is accurate with respect to the State of Virginia's use of a monster SAN, but not so much as per use of virtualization.

The real failure here is whether or not they tested their COOP capability ... ever. Then we have to ask when was the last time they ran a DR test because their time to recover seems a little long as well.

My failure analysis: over reliance on a vendor's claim that their hardware never fails.

Web site reputation

noreply@blogger.com (Anonymous) — Sat, 28 Aug 2010 14:23:00 +0000

Recently several companies have developed features or products to make web surfing more secure. One of these technologies uses reputation. Reputation is a measure of trust for a web site or web page. In this case trust is typically measured by how much SPAM, malicious traffic, or attacks a site is known to generate. It turns out that measuring these things is not that hard because a majority of web traffic flows through a relatively small number of gateways and backbone networks.

This is a very good idea. If a web site is known to host malware or send a lot of SPAM, then block or warn users before they visit a site. Of course, cyber-criminals have started to figure out how to bypass these checks. They simply attack sites with good reputations and get them to host the malware. In some cases, it's just a matter of providing an advertisement.

Reputation based security is still a great idea because it forces the crooks to work harder. However, we can't get over confident and rely on this technique to always protect us. This means keep your software patched, don't click on suspicious links, and ignore any offer that is to good to be true.

Alert FOX News!

noreply@blogger.com (Anonymous) — Tue, 24 Aug 2010 13:41:00 +0000

So, I got this funny SPAM email, and I thought someone will take this seriously and alert FOX news to yet another massive government intrusion into our lives... ;-)

By the way the SPAM came with a ZIP file that will probably p0wn your computer if you install it...

------ Begin Message
From: Alfreda Robertson
Date: Tue, 24 Aug 2010 16:04:07 +0200
To:
Subject: IRS Notification - For Tax Payer xxx-x-xxxx-x@catbird.com

Dear Tax Payer,

As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.

To begin the update, install the attached file

After doing so, no further action is required on your part.

Thank you for your cooperation.

Sincerely,
IRS Agent #175
Alfreda Robertson

------ End of Message

Always a good idea to keep your BIOS up to date....

noreply@blogger.com (Anonymous) — Fri, 02 Jul 2010 18:11:00 +0000

Looks like Sony has learned from Dell’s leaky capacitor debacle.

Sony says 535,000 laptops at risk of
overheating. More than half a million Sony laptops sold this year contain a software
bug that could lead them to overheat, the company said June 30. Sony has recorded 39
cases of overheating among Vaio F and C series laptops that have been on sale since
January. In some cases, the overheating has led the laptop case to deform. A bug in the
heat-management system of the BIOS software is to blame. Sony is asking users to
either update the software themselves or return their laptops so it can apply the update.
The fault affects 535,000 computers, although Sony is asking a total of 646,000 owners
to update their machines. The additional 111,000 machines are susceptible to several
less serious problems that have also been found in the software, said Sony. BIOS is
present in every PC and runs below the operating system, controlling the most basic
functions of the computer and interaction between major components. It is usually
invisible to users except for a BIOS start-up message that is typically seen when a PC
boots. The problem affects machines sold both in Japan and the rest of the world.
Affected models sold outside Japan are the VPCCW25FG/B, VPCCW25FG/P and
VPCCW25FG/W.

Source: Computerworld

Are Open Source Applications More Secure?

noreply@blogger.com (Anonymous) — Wed, 17 Mar 2010 13:08:00 +0000

Full Disclosure: I am a long time Firefox user

Recently, there have been serious security advisories for Chrome, Safari, and Internet Explorer:

http://www.eweek.com/c/a/Security/IE-Attacks-Circulate-as-Microsoft-
Updates-Advisory-766154/
http://www.v3.co.uk/v3/news/2259391/apple-updates-safari-browser

While a patch is now available for Safari (and perhaps Chrome), the community is still waiting on a fix from Microsoft.

Browsers, and Internet Explorer in particular, are the most commonly used application in the world. Additionally, most web users visit one of the top 500 sites at least once a day. This intersection makes for a very attractive target for criminals. At any given moment, the site you are visiting, even the site you are using to read this post, could be attacking you through your browser and trying to seed your system with malware.

Your first line of defense is a secure browser. I can't prove this easily, but I think an open-source browser like Firefox will always be more secure than a proprietary browser.

My advice:

Keep your browser up to date, note ie8 is not exposed by this current vulnerability
Keep your OS up to date
Run some sort of host-based intrusion protection system, if you have one of the consumer security suites you have this
Run at least a basic network firewall
Businesses should run a network intrusion protection system

For the really advanced users out there:

Make use of virtualization software and run a special purpose virtual machine for your banking and financial applications, run another virtual machine for casual web browsing and entertainment. Never ever browse the web using your host system.

One last piece of advice:

Don't forget to wear some green today!

Michael

Imagine a World where passwords were useless

noreply@blogger.com (Anonymous) — Tue, 16 Mar 2010 14:05:00 +0000

Recently, in the press:

March 12, The Register – (International) SSD tools crack passwords 100 times
faster. Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible. After optimizing its rainbow tables of password hashes to make use of SSDs Swiss security firm Objectif Securite was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds. Objectif Securite spokesman told Heise Security that the result was 100 times faster than possible with their old 8GB Rainbow Tables for XP hashes. The exercise illustrated that the speed of hard discs rather than processor speeds was the main bottleneck in password cracking based on password hash lookups. Objectif’s test rig featured an ageing Athlon 64 X2 4400+ with an SSD and optimised tables containing 80GB of password hashes. The system supports a brute force attack of 300 billion passwords per second, and is claimed to be 500 times faster than a password cracker from Russian firm Elcomsoft that takes advantages of the number crunching prowess of a graphics GPU from NVIDIA.

(By the way, SSD stands for Solid-State Drive -- a faster way to store data)

An SSD is much faster than a hard drive but orders of magnitude slower than fast RAM, so if these folks ran the same test with the Rainbow Tables in local RAM they'd be cracking the same passwords in 0.0053 seconds (unless this moved the performance bottleneck to the CPU).

If you want a solution, I recommend something like this.

Sometimes you're already in the cloud

noreply@blogger.com (Anonymous) — Thu, 25 Feb 2010 15:44:00 +0000

Federal Trade Commission links wide data breach to file sharing

The Federal Trade Commission (FTC) said Monday that it has uncovered widespread data breaches at companies, schools and local governments whose employees are swapping music, software and movie files over the Internet.

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/22/AR2010022204889.html?hpid=sec-tech

Peer-to-Peer (P2P) file sharing was perhaps the second killer app for the Internet (after Mosaic) because of its ease of use and utility for sharing free music and porn.

P2P is very easy to use, after installing the application select the files you want to share, then start browsing and downloading files from other users. P2P networks are comprised of millions
and often tens of millions of users -- making these applications the largest compute and storage networks in the world.

There are two big risks with P2P:

Oversharing -- incorrectly configuring the P2P application to share all of your files
Compromise -- P2P is often leveraged to download malware to unsuspecting users

The FTC warning described in the Post article arises from the problem of oversharing. For business, the problem arises because the more P2P users you have, the more likely that one or more of them are sharing confidential information -- without realizing it.

Assuring the secure configuration of P2P file sharing across more than a handful of users is very, very difficult. For a large enterprise infeasible. In an enterprise of any size, security depends on the detection of P2P and either on blocking all use or limiting use to selected systems that are subject to stringent access and configuration controls.

Don't be fooled into thinking that your firewalls protect you from this threat. Most P2P applications have been designed to bypass firewalls. P2P detection and control requires the deployment of effective Intrusion Detection (IDS) or Intrusion Protection (IPS) systems.

IPS systems will give you the capability of discriminating between types of P2P applications, selecting a response, and protecting your data.

Michael

You Should Use Profiling

noreply@blogger.com (Anonymous) — Wed, 24 Feb 2010 17:58:00 +0000

Thanks to Headline T-shirts for this amusing image.

Torn from the headline, "Chinese school linked to Google
attacks also linked to ‘01 attacks on White House site." Comes the thought that only idiots fail to profile threats.

For network security this is a simple matter:

Know your services and
Know your users

The first item requires that you self-check with port scans, vulnerability scans, and traffic analysis to understand your networked application and your potential vulnerabilities. You should always plan that there will be defects you do not know about -- these are called zero-day attacks. Always patch everything you can and what you can't patch will require even more protection. Between zero-day worries and the things you can't patch, you'll need intrusion detection and prevention.

The second item should be incorporated in your site user statistics and operation's processes. This means understanding on a statistical and individual basis who, where, and how your users access your network applications. Once you have a grasp of these behaviors it becomes very simple to develop two key profiles: one that describes how authorized users behave, and second, the converse -- how unauthorized users behave. For example, an Austin Texas based music store will typically have many local customers and a few other customers from around Texas or perhaps more remote places like Nashville, New York, or Los Angeles. Once you have the geographic profile of your customers it becomes very useful to think about places you don't have customers. Places like South Korea, China, Eastern Europe, and Brazil; by extension everywhere except North America. Obviously, the same store in Shanghai will have a different customer profile.

Now comes the important part.

USE THE PROFILE.

If folks from Lilliput never visit your site, treat their traffic with care, blocking it is best, but if you can't bring yourself to block them then at least redirect Lilliputian visitors to an "interest" form, gather some marketing information and put them on a white list. Now, that's for people from Lilliput visiting you, even less likely is authorized traffic from your network going to Lilliput (and really Lilliput is just a place holder for real threat countries: China for example.) IDS and IPS exist for a reason, so do firewalls, make sure you are filtering, blocking, or at least detecting traffic to specific countries and regions of the world you are not doing business with.

The Cloud is Attacking You

noreply@blogger.com (Anonymous) — Fri, 22 Jan 2010 15:20:00 +0000

Collected from US-CERT and other sources:

Microsoft has released out-of-band Security Bulletin MS10-002
(http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx) to resolve seven privately reported vulnerabilities and one publicly disclosed vulnerability. This update includes resolution for a recently, reported zero-day vulnerability in Internet Explorer (IE) which is detailed in Microsoft Security Advisory 979352. (http://www.microsoft.com/technet/security/advisory/979352.mspx)

This vulnerability may have been used in the recent attacks on Google and other organizations. Knowledge of this attack is now widely known and the broader criminal community is now leveraging this exploit.

Organizations should review Microsoft Security Bulletin MS10-002 and apply the patches as soon as possible. US-CERT recommends that the patches be tested within your organization enterprise first and then deployed in an expedited manor. In addition to patching, the recommendations below may be leveraged to better position your organization to withstand future serious vulnerabilities.

Enable Data Execution Prevention (DEP) both in software and hardware if supported (see Microsoft KB 912923). This may provide future vulnerability resiliency. (http://support.microsoft.com/kb/912923)

Be proactive by defining internal servers that should generally be trusted that can be placed in Internet Explorer’s "Trusted Sites" list. By doing so, this may ease the impact to your organization should a future reactive measure be required to set the "Internet Zone" to a "High" security setting. (See Microsoft KB 174360 -- http://support.microsoft.com/kb/174360)

PCI compliance in the cloud (Part B)

noreply@blogger.com (Anonymous) — Mon, 21 Dec 2009 18:32:00 +0000

First published here on 12/14/2009:

In Part A, I discussed the functional requirements for a virtual firewall. Now let's take a look at the technologies required to make this work.

Traffic segmentation

Firewalls segment traffic. That's obvious, but think about this in the cloud. For this to work, there must be a method to assure that all traffic to/from a tenant is available for inspection and the application of access controls by the firewall. This means the virtualization host must support at least one of the following:

Routing traffic to/from a tenant system through the virtual firewall at the network layer, this is how "bump-in-the-wire" devices work. This is a poor solution in virtual environments.
Routing traffic to/from a tenant system through the virtual firewall at the hypervisor layer. This is a more efficient technique because it reduces latency and the number of CPU cycles needed to inspect packets.
Other novel techniques enabled by virtualization -- Magic. I call this "Magic" because it is now possible to create intelligence around which packets need to be inspected or filtered by the firewall.

Configuration management

Virtual firewalls must include configuration management capabilities. Why? Because it is much easier to reconfigure ports and networks in the virtual environment, or even configure a virtual machine to bridge networks. This is a tricky situation in the cloud because this capability requires visibility and integration into the cloud provider’s management framework.

Dynamic policy enforcement

Virtual machines migrate. This requires policy enforcement capabilities that are independent of location and layer 2 and 3 connectivity. Segmentation and access controls must transparently follow virtual machines as they migrate or are copied between virtualization hosts, data centers, or cloud providers.

Cloud management

Unless cloud providers wish to assume all of the responsibility for correct configuration of their customer's virtual firewalls, the provider must give their customers control of the firewall policies while at the same time preventing one customer from inappropriately blocking traffic to another customer.

Can anyone name a cloud provider who makes this all possible?

Michael

Catbird

PCI compliance in the cloud (Part A)

noreply@blogger.com (Anonymous) — Mon, 21 Dec 2009 18:29:00 +0000

First posted here on 12/07/2009:

The new cloud (or if you prefer hosted computing services, or IAAS) rests on top of virtualization. If we’re going to take the cloud seriously, it will have to be compliant. One of the more stringent compliance frameworks is PCI DSS. Let’s look at requirement one and start building a solution for the cloud.

PCI DSS 1.2.1, test procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete.

Deploying virtual firewalls is insufficient, as the virtual firewall must share the support structure with the virtual machines, virtual switches, and hypervisor. Technical controls must also be deployed to validate the configuration of a virtual firewall and to detect and alert if tampering occurs.

Physical firewalls are insufficient unless every virtual machine is on a unique VLAN, VLAN hopping is mitigated, and all traffic must flow through the physical firewall. Further, virtual machine mobility must be constrained and virtual machines must be subjected to the same firewall policy regardless of physical location or layer 2 connectivity.

While sufficient, the physical solution may be impractical due to the constraints it places on deployment, consolidation, and high availability.

The optimal solution will be one that allows deployment of a best practice virtualization architecture for security, integrity, and availability, which also maximizes consolidation and the virtualization return on investment.
This requires a virtualized firewall deployment with the following characteristics:

Assurance of integrity for the security management framework
Enforcement of separation of duties for server, network, and security operations
Enforcement of least privilege
Dynamic network segmentation that is independent of location, IP address, or layer 2 connectivity
Integrated auditing and configuration management for virtualization layers

If that sounds like more than a firewall, you’re right.

Michael

Missing Russian Ship

noreply@blogger.com (Anonymous) — Thu, 13 Aug 2009 13:59:00 +0000

Right out of a Tom Clancy novel, a 4,000 tonne cargo ship is missing. Reportedly, this ship had nothing worth hijacking. There are not a lot of facts about this available but there are some interesting bits:

10 armed men boarded the ship about a week before it disappeared. They left 12 hours later.
The ship spent two weeks in Kaliningrad before beginning its voyage.
The Russians are searching for the ship with all available resources.

As reported here, the Russians have battlefield nuclear weapons in Kaliningrad.

I wish the Russians good luck in their search and I hope the NATO forces provide all available resources to assist.

Data Protection for Virtualized Servers

noreply@blogger.com (Anonymous) — Fri, 24 Apr 2009 03:45:00 +0000

I am recording a webcast live next Wednesday. It's free and only requires a short pre-registration.

Data Protection for Virtualized Servers

How many manhole covers are in San Jose, CA?

noreply@blogger.com (Anonymous) — Fri, 10 Apr 2009 14:05:00 +0000

From the Mercury News:

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables. Britton also said there was a report of underground cables being cut in San Carlos.
AT&T's contract with the Communication Workers of America expired at 11:59 p.m. Saturday, but Britton said "we have a really good relationship with the union" and that negotiations continue between the two sides.

It's my understanding that a single cut in one location would not cause the outage we recently experienced. There would need to be two or more cuts at strategic locations to cause an outage to cell phone, land line, and emergency services.

Knowing which manhole covers to open would require very specific knowledge of the Bay Area fiber infrastructure.

Securing the Dynamic Data Center

noreply@blogger.com (Anonymous) — Tue, 31 Mar 2009 19:56:00 +0000

I am recording a webcast live today. It's free and only requires a short pre-registration.

Securing the Dynamic Data Center