We’ve covered tunneling before on HiR. I even wrote a little about reverse tunneling in my quick-and-dirty tunneling howto. This time, I’m building a setup to make an always-on reverse tunnel with a cron-powered watchdog script.

Here’s what’s needed to make it work:

• A Linux/BSD/Unix system on the inside of your target network that’s capable of SSH-ing out to the Internet (even if via strange ports)
• An SSH server you control on the Internet. This can be at home, or elsewhere

The reverse tunnel can handle pretty much any protocol. To a squid proxy, for example. I’ll be using SSH to reverse-tunnel SSH, though, to allow SSH access to a server behind a firewall that I do not control. Here’s how it’ll work:

Cron will run a script on the server on the inside. This script will check to see if the SSH tunnel is working properly. If it’s not (or if it hasn’t been started yet), it will start the reverse tunnel.

Here’s the script, which I put in /usr/local/bin/rtunnel.sh. Obviously, you need to edit the first 4 variables to reflect your environment.

#!/bin/shUSERHOST=axon@somewhere.labs.h-i-r.net # Login and External systemRPORT=22 # SSH Listener port on your external systemFPORT=1337 # Port that will be opened locally to tunnel SSHCONN=localhost:22   # SSH Listener on the system behind the firewall

COMMAND="ssh -q -N -R $FPORT:$CONN $USERHOST -p $RPORT"pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMANDssh $USERHOST -p $RPORT netstat -an | egrep \"tcp.*:$FPORT.*LISTEN">/dev/null 2>&1if [ $? -ne 0 ] ; thenpkill -f -x "$COMMAND"$COMMANDfi

And then I put the entry in root’s crontab, to run every 5 minutes:

*/5     *       *       *       *       /usr/local/bin/rtunnel.sh

In my implementation, the firewalled host (An OpenBSD box) is connecting to a Ubuntu desktop system at my home. I can just log into it, then use the tunnel on port 1337, using the -p [port] option.

axon@somewhere:~$ ssh localhost -p 1337axon@localhost's password:Last login: Sat Nov 14 00:01:04 2009 from localhost.labs.h-i-r.netOpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.Before reporting a bug, please try to reproduce it with the latestversion of the code.  With bug reports, please try to ensure thatenough information to reproduce the problem is enclosed, and if aknown fix for it exists, include that as well.

-bash-3.2$

If the connection times out or fails for any other reason, the remote end should re-spawn the connection in the next 5 minutes. If you’ve waited, and don’t get a response, something else might be amiss. DNS rules, a network admin that’s blocked you, etc…

The one problem I’ve had is that occasionally the session will be alive, the port will be forwarded, but I can’t get it to log in. It just hangs then times out. If this happens, I use lsof on my workstation to find and kill off the process that’s listening on the TCP port I am using for forwarding.

axon@somewhere:~$ sudo lsof -n | grep TCP.*:1337sshd   20386   axon    9u   IPv6    2862057  TCP [::1]:1337 (LISTEN)sshd   20386   axon   10u   IPv4    2862058  TCP 127.0.0.1:1337 (LISTEN)axon@somewhere:~$ kill 20386

Of course, you can also tunnel stuff over this reverse tunnel. The possibilities are endless!

HiR Information Report is brought you you by Edgeos, Your Network Security Platform. We are proud members of the Security Bloggers Network.

This content originally posted on HiR Information Report. Copyright © 1997-2009, HiR

• National Journal on use of “cyber attacks” against Iraqi insurgents by Bush . http://bit.ly/H851n #
• Shadowserver analysis of July 4th attacks: http://tinyurl.com/nhbfrk #
• Finished putting together DDoS preso for Thursday’s Webinar with Verisign: Sign up here! http://tinyurl.com/yl7xt4m #

Post from: ThreatChaos

Cyber Defense News Daily Digest 2009-11-14

I have collected all my AES posts here for convenient reference from my blog homepage.

• The Luxembourg Attacks and AES-256
• AES-256 and Reputational Risk
• The spin on passwords for AES
• Are AES 256-bit keys too large?

I have collected all my passwords posts here for convenient reference from my blog homepage.

• Outline of a book on Passwords
• How will my loved ones break my password?
• Enterprise Password Management Guidelines from NIST
• The Boys are Back in Town – the return of L0PHT
• Rethinking Thresholds for Account Lockouts
• Password Roundup #2
• NIST, Passwords and Entropy
• Password Roundup #1
• Downadup’s Password Cracking List
• The spin on passwords for AES
• Some Black Swans in IT Security
• Are AES 256-bit keys too large?
• More on Counting Restrictive Password Spaces
• Counting Restricted Password Spaces

http://www.theregister.co.uk/2009/11/14/ssl_renegotiation_bug_exploited/

Sun’s SPARC servers have the ability to boot a kernel and run an installer across a routed network using only HTTP or HTTPS. On SPARC platforms, the
(BIOS|Firmware|Boot PROM) can download a bootable kernel and mini root file
system via HTTP/HTTPS, boot from the mini root, and then download and install Solaris. This allows booting a server across a local or wide area network without having any
bootable media attached to the chassis. All you need is a serial console, a network connection, an
IP address, a default gateway and a web server that’s accessible from the bare SPARC server. You set a few variables, then tell it to boot. Yep, it’s cool.

From the Boot PROM prompt (the SPARC equivalent of the
BIOS)

OK> setenv network-boot-arguments host-ip=client-IP,
router-ip=router-ip,subnet-mask=mask-value,
hostname=client-name,http-proxy=proxy-ip:port,
file=wanbootCGI-URL

OK> boot net -v install

Our base Solaris install is fairly small - on the order of a
few hundred megabytes - so booting across a WAN through a proxy or
an SSH tunnel works pretty well. We usually build a temporary SSH tunnel from our management  infrastructure out to another server in the same security container and point the new server at the tunnel end point.

PXE is an attempt to provide similar functionality. It’s got a
dependency on having DHCP available on the deployed subnet, something
which I’m absolutely do not want to enable on non-desktop networks, and
it’s based on UDP, which makes it slightly less suitable for booting
across WAN’s where packet loss might be an issue. In any case, we’ve had
enough issues with network boots on x86/x64 platforms that we’ve pretty
much defaulted to using bootable USB’s or CD/DVD’s for remote installs. That makes an x86/x64 deploy significantly more work effort, as we have to arrange for a bootable USB or CD/DVD’s to be delivered on site, or we need to leave bootable media installed in production servers.

Linux
has ‘BKO‘, but as far as I can tell, it’s still dependent on having
either bootable media or PXE.

SPARC’s Wan boot is pretty slick, but not as slick as Cisco’s AutoInstall. AutoInstall allows you to drop ship an unconfigured router to a remote site. The router will learn it’s IP address from it’s upstream router via either SLARP or BootP,  automatically download a configuration file, and re-boot with a valid configuration.

A couple of closing thoughts:

• If the SPARC platform ever goes away, I’ll miss it.
• If router engineers ever decide to build application servers, they’d probably come up with radically new ways of solving old problems. 

Government Use Of Windows 7 Hinges On Security Spec

The Federal Desktop Core Configuration, which defines 300 PC settings for improved security, has yet to be finalized for Windows 7.

By J. Nicholas Hoover, InformationWeek
Nov. 12, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=221601528

More than a dozen federal agencies, including the White House and all branches of the military, are testing Windows 7, according to Microsoft. But it may be another six months before agencies can move ahead with Windows 7 deployment because a government-mandated security standard hasn’t been finalized.

The Federal Desktop Core Configuration spells out 300 settings for Windows PCs and laptops, with a goal of making them less vulnerable to hackers and data breaches. FDCC settings exist for Windows XP and Windows Vista, but not yet for Windows 7.

"It will take until spring 2010, at least," said Ken Page, Microsoft’s FDCC program manager, in a presentation today at Microsoft’s Washington, D.C., office. "This process does not happen fast."

A number of agencies are pilot testing Windows 7, including all branches of the military, the FDIC, White House, Internal Revenue Service, National Archives, and the Departments of Agriculture, Interior, Homeland Security, Justice, said Page.

The Department of Defense, with input from Microsoft, is taking the lead in defining the FDCC for Windows 7 and drafted initial settings in June at Microsoft’s Redmond, Wash., headquarters. The next step is for DOD deputy CIO Dave Wennergren to sign off on the specs, which Microsoft program manager Page expects to happen within days. After that, the configuration will be vetted by the Federal CIO Council and by the National Institute of Standards and Technology.

NIST will post the government’s FDCC proposal for public comment. NIST has already built a lab for creating and testing operating system images and has begun exploring the feasibility of a "cloud solution" that would let agencies do FDCC compatibility and compliance testing remotely.

FDCC started as an Air Force project to cut down on the array of OS images it managed, and was later mandated government-wide by the Office of Management and Budget. Over the past five years, the Air Force has saved $140 million through FDCC and bulk purchasing, taken security patch times down from 57 days to 3 days, and cut back on help desk calls to Microsoft by 40%, says Nate Morin, Microsoft’s team architect for the Air Force.

The Air Force recently completed its migration to Windows Vista. Microsoft expects that within six to seven months of the release of the Windows 7 FDCC, the Air Force will roll out Windows 7 to almost all of its 525,000 desktops.

阅读全文

类别：Cybersecurity 查看评论

A secret global treaty, the Anti-Counterfeiting Trade Agreement was leaked on the “total transparency” site Wikileaks. This treaty can have a huge affect on the way the Internet is used, and how people that download copyrighted material will get punished. Under the ACTA, Internet providers (I.S.P.s)  in the U.S., Europe, Japan, Korea, and other signatory markets will be required to monitor their users activity online, or face huge lawsuits themselves. Any material that will be considered copyrighted will have to be removed as soon as found, even without proof of infringement of copyright. Even casual violators will be threatened with losing Internet access and facing criminal charges. The worst part is that service providers, customs agents, and law enforcement officials will have the power to search private accounts and personal devices such as laptops, MP3 players, and even cellphones all without the need of warrants or probable cause.

“It’s almost like there’s an institutional disrespect for copyright in Asia… People feel like, ‘If I can’t touch it, why should I have to pay for it?’” says Seung Bak, co founder of the video streaming startup DramaFever, which brings free, English-subtitled Asian television to U.S. audiences.

In places like China and Korea, the disrespect of copyright laws actually leads to innovation and better products. Even before the official release of new models of technology like the iPhone, BlackBerry, or the Sony Vaio-P laptops, these nations had better running and and improved versions on sale, and all for cheaper prices then they went for officially (links point to the knock-off versions).

With Korea’s extremely fast Internet connection, most of the companies who own copyrighted material actually try to work with the Internet companies and the people who “break” copyright laws. The way they see it is that if more people that use their content, even in some ways that seem to be wrong, (such as streaming them online for free or altering them for different story lines, sometimes pornographic) the more customers and the more sales that will occur. The mentality there is to try to help and work with the customers and see them as allies, even if it means blurring the lines of copyright infringement sometimes, instead of viewing them as potential pirates and criminals.

“They realize these unauthorized spin-offs help to build the fandom, and ultimately drive sales of the original”, says Kai-Ming Cha, manga editor of Publishers Weekly.

(Via SFGate)

Read the Cramer Mad Money blog tonight on Fortinet being the top pick next week as it debuts with its IPO. While it is always amusing to hear the mainstream media try to describe what security is about, I don’t necessarily disagree with his view that at 9 to 11 dollars a share, the stock is undervalued.

Cramer thinks the secret is Fortinet’s subscription business which he describes as “100 professionals in eight locations worldwide who monitor security outbreak in real time – for a fee, of course. Pay subscribers get the white-glove treatment, and Fortinet gets some seriously sticky revenues, as few people ever opt out. The service accounts for 60% of total revenues and carries a higher margin than Fortinet’s hardware.

Hey I wonder if that is not true of most security appliance vendors who all sell the subscription to rule updates and such.  However, I don’t think the stock is a bargain because of their CFO. Nothing against the Fortinet CFO, but is that what should drive this stock up?  Cramer is right though that when you look at their revenue and bottom line the stock is underpriced and looks like a good buy.

Good luck to Fortinet! Also remember that sometimes a rising tide lifts all ships. Maybe other public security companies will feel the love.

Microsoft has issued a statement and published an advisory about the problems in the SMB protocol.
“Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this DoS vulnerability would not allow an attacker to take control of, or install malware on, the customer’s system but could cause the affected system to stop responding until manually restarted.

A recent blog post referenced the following URLs as being potentially involved in “scams”:

67.221.34.202
1. Fliqz.com
2. M0v1.biz
3. Realsimplemedia.com

Further research indicates that these sites are not directly involved in scam activity and are clean.

We will continue our research and if anything changes our view, will post an update.

Of course, it wouldn’t be right to talk about this topic without first acknowledging one of my major biases; that is, my strong preference toward the model I developed specifically toward how to structure an information assurance program (see my earlier posts “Do You Need a Security Department?” and the slightly older “My Philosophy of Security”). Below is a snapshot of the TEAM Model, which I’ll most likely mention in my responses.

With that said, let me tackle some of Andy’s comments and my gripe with them. Please note that I am working from the assumption of “building a security program from the ground up” and all that this implies (such as that there isn’t already a program in place).

“Here are a couple of assumptions: They already have a firewall and host based security suite installed and up to date. Beyond that, it’s a crap shoot.”

These are rather unfortunate assumptions. What is meant by “host based security suite”? AV? Something else? If you’re coming into an existing organization to build a security program from the ground up, then you shouldn’t come in with any assumptions. I’ve been in more than one organization that hasn’t had a firewall, let along ANY host-based security (no AV, no HIDS, no logging, no monitoring, etc). Assumptions - especially bad assumptions - can be very bad things (see what a certain analyst says on this topic).

If you’re going to assume anything going into a new “green field” opportunity like this, it should be that nothing exists, nothing is being done, and that you will be met with inordinate amounts of resistance and organizational inertia. You should assume that you will have been given the “happy” story during the interview process, and that reality is far more stark. You should also assume that, despite the lip service paid in the interviews, there will be no way to know the commitment of executive management until you are actually onboard and asking them to put some skin in the game.

“If I were coming into a company and had a free hand to do what I wanted I would first look at what I could do to get the biggest bang for my buck quickly and then focus on the long-term strategic planning.”

Here we have another bad implicit assumption. There’s no such thing as having a “free hand to do what I wanted” in an existing organization. To think otherwise is to be somewhat deluded. The reality is that the business existed before you got there, and it’s likely to exist without you being there in the future, or so they’ll all be thinking in the back of their minds.

In the comments of Andy’s post Kevin Riggins makes the excellent observation that one of the first things you’re going to need to do is go back to executive management AFTER the interview (and after you’ve started, presumably) to truly test their commitment and support. Without it, your life will be much more difficult. If you’re thinking “not true, you can always do bottom-up”, then sure, that’s ok for certain operational concerns, but don’t you dare bring up strategy or risk.

“I’d say the first thing I’d do is implement a monitoring system so I can have some insight into what is going on.”

This comment isn’t wrong, per se, it just fast-forwards through a number of steps. Monitor what? Logs? IDS? Firewall logs? Do you have a log server? Are you talking about *shudder* a SIEM solution? At the same time, what about policies and practices? So you’re monitoring and seeing bad things… then what? Do you have the policies and executive support necessary to actually do something when you start seeing badness (and it definitely is when and not if).

Your goal from the outset should be to quickly assess the state of the environment and start architecting a path to a defensible and recoverable posture (see my posts “Defensibility and Recoverability” and “Surviving in Degraded Conditions: A Human Analogy” for more on what this means). Note that I say “quickly assess”. Depending on the size of the organization, this could be done fairly quickly. Walk through a facility or two, talk to as many people as people, from execs to tech to the manager in between, and then start building that roadmap.

More important that anything here is that you need to learn what is critical to the business. If X blows up, then Y really bad consequence will occur. That sort of thing.

Also, note here that I’m not even talking about “risk” at all. Forget about risk for a moment and just think about basic prioritization. It very simply comes down to a) identifying what’s critical to the business, b) defending what’s critical to the business, and c) building contingency plans for adequate recovery of what’s critical to the business when something bad happens.

“Once that was in place I’d probably implement a Vulnerability Management program that starts with Application and OS patching and then focus on the scanning, testing, exploiting etc…”

I have to be honest, my jaw dropped a bit when I read this one. That’s quite the leap in logic. Don’t get me wrong, patching is very important, but the way he says it here, almost nonchalantly, gives one the false impression that this is somehow easy or trivial. There is, in fact, so much more that needs to be done than simply going out and implementing such a program. Change management, configuration management, access control and management, etc. Sure, none of these are mandatory for patching, but they absolutely have ties into a Vulnerability Management program. As for scanning, testing, and exploiting… well, let’s just say that this is somewhat jumping the gun, and an area where one needs to be very cautious, too.

Specifically, as you shift from the “push and pray” patch model to a formal Vulnerability Management program, don’t forget that you are going to need to know what changes are being in your environment, when they’re going in, what they’re doing (impact), who made the change, and who authorized them, among other things. Yes, get the patching going (if it’s not already), but hold off on the Vulnerability Management project until you have a better handle on processes.

—
After the last quote he talks about awareness training, governance, and policies & procedures being all run in parallel as much as possible. Gack. He talks earlier about long-term strategic planning, which is good in theory, but in practice not so much. He ends with “This is just a starting point.” Fair enough, but the approach is far too technical without really knowing or understanding anything about the business, the environment, and - far more importantly - the people.

Allow me to offer alternative advice:

1. Garner Strong Executive Support: You must have strong executive support. None of this “responsibility without authority” nonsense. The minute you walk through the door, you will have to seek out and build support for everything you want to do. Unless you’re given the authority to go make changes directly (extremely unlikely) then you will have to get various levels of management onboard for everything you want to do. Passive resistance can be deadly.
2. Lightning Assessment: You must understand what is important to the business, as well as begin to get a picture of why things are the way they are today (tech decisions, etc.). I’m not advocating here any sort of formal assessment, and I’m certainly not talking about “risk” anything. This is quite literally a very rapid organizational walk-through, if you will, to see who’s around, what people do, and, more important than anything else, what is absolutely critical to the business. If you’re unable to find this out, then I suggest looking for a new job, because what you’re facing will be a situation not dissimilar to the one I was in. If the business doesn’t have a solid direction (”making money” is not a solid direction), then you’re not going to have much luck contributing to the success of the business. By the way, in addition to identifying what is critical to the business, you should also keep your eyes peeled for major gaping holes that need immediate redress.
3. Share Responsibility, Gain Accountability: Security needs to be a responsibility shared by everybody in the organization. Hence the role of basic awareness training. What I’m talking about here is something more radical. It’s not enough to try to make people aware of security. Instead, you need them to have a vested interest in making sure critical assets are defended and can be recovered rapidly when something bad happens. From the investment comes a lever for establishing accountability. And, sad to say, it’s then time to help move the business back from the squishy touchy-feely approach and get HR engaged so that when people do dumb, stupid, or patently bad things, they are disciplined accordingly, up to and including termination of employment. We seem to have lost the edge in the business world, and this is one area where we can start getting it back.
4. Not All Low-Hanging Fruit Are Equal: It’s very tempting to walk into a new situation and immediately chase after the things that you personally know how to handle quickly and easily. Unfortunately, those things may be completely worthless in the grand scheme of things (well, not completely, I suppose). Based on the outcome of your Lightning Assessment above, you should know what’s truly important to the business. From this, you should then be able to start focusing on how well protected those critical assets are. This is where you should start tackling low-hanging fruit. Now, obviously at the same time you need to keep an eye out for gaping holes that are so egregious that they cannot be allowed to stand.
5. Fight to Simplify: One of the biggest challenges in a ground-up opportunity is keeping yourself grounded. It’s too easy - as I can attest from first-hand experience - to get completely overwhelmed by everything that needs to be done. This is why I recommend the previous steps, forcing yourself to find the truly important systems and then focus almost exclusively on them. It could be argued that this approach could be dangerous, and that is absolutely true. A long-term focus on just a narrow slice of the enterprise is fool-hardy. It will lead you to an outcome akin to all the major breaches we’ve read about recently. Now, in fact, this whole stripped-down approach is meant as a starter, not as a long-term strategy. At some point, you will have to look at the big picture. BUT… you can’t really do any of that until you first establish the basics, building some political capital that will then free you to move onto bigger, better things.
6. Documentation and Processes: The one thing you will definitely have in your control is the ability to generate documentation. Whether it goes anywhere is, of course, a different story, but it is at least one thing you can - and definitely should - make use of. You’ll want to document your findings, your short-term plans, your ideas, your low-hanging fruit, your critical business findings, etc. The other piece of documentation that is very useful relates to processes. It’s great to start by documenting what people are doing today, and then offering incremental improvements to better formalize and standards those practices. Similarly, if nothing formal is being done (e.g. change management), you can develop basic processes to get the fundamentals in place (a formal write-up, a formal approval, a paper trail) and then you can go about iterating through incremental improvements over time as necessary. The key take-aways here are that a) you can write documentation from Day 1, b) make sure to bear in mind the difference between writing a process and having it followed.
7. Strategy: Everybody wants one, but how many actually use them? Seriously. Security has historically been reactive in nature. There are many proactive things we can do to help reduce some threats, but in the grand scheme of things it can be very difficult to make a case for proactive efforts until you have a baseline against which to measure success. Nonetheless, you will need a big picture at some point - though preferably after the first 6 months. The important role of a strategy is that it will look at the full breadth of the organization, rather than the short-term focus you’ve maintained just on critical resources. You NEED to look at everything at some point, because it is the weak links that will lead to the deepest attacks. Your strategy should also establish levels of tolerance for downtime, interruption, and loss of data. What we’re talking about here is taking the critical resources initial assessment and expanding that into a broader conversation with executive management about how much pain they can tolerate in certain areas. This will help you set overarching priorities for the long-term. It will help you determine what your minimal level of defensibility and recoverability will need to be.

It would be easy to go on and on and on here, but I think the main points are covered. Certainly, there are other ways to tackle this challenge, but the above represents a significant chunk of what I learned in my 7 months facing such a challenge.

(Please Note: This is cross-posted from the T2PA Practical Security Core.)

Just when you think that the self-appointed copyright Gestapo can’t sink any lower they kick the old limbo stick down another notch. Now before you jump to the conclusion that I’m one of those “content wants to be free” activists, rest assured that I am not. All of my career has been spent as a code monkey writing software for somebody else (as a “work made for hire” in copyright lingo). And trust me, I’m all about getting paid. Which doesn’t happen if my employer goes broke because their products were pirated. I’m also a musician who composes and records original material. Now my attitude towards copyright protection is quite a bit different with my music because, as Cory Doctorow says in the forward material to his latest book Makers [you can download the e-book  here for free] my problem isn’t piracy, it’s obscurity. But what about that piracy notion? I just said that I won’t get paid if my employer goes broke because their products were pirated. Well guess what? That has never happened. Not to me. Not to anyone. In short, I’m not opposed to copyright or copyright enforcement.

What I am opposed to, and baffled by, is a business model that comes down to “we aren’t selling as much of our stuff as we want, so we will go after people who are pirating it.” The most recent episode in this ridiculous jihad against customers is reported by Cory Doctorow in boingboing.

The MPAA has successfully shut down an entire town’s municipal WiFi because a single user was found to be downloading a copyrighted movie. Rather than being embarrassed by this gross example of collective punishment (a practice outlawed in the Geneva conventions) against Coshocton, OH, the MPAA’s spokeslizard took the opportunity to cry poor (even though the studios are bringing in record box-office and aftermarket receipts).

That’s right, the entire public WiFi net of Coshocton, OH. The same net that is used by Coshocton County Sheriff’s deputies to complete a traffic or incident report without leaving their vehicle. The same net that out-of-town business people can park and use their laptops to make connections. The very same net that during festival times, vendors use to check the status of credit cards being used to make purchases. And the same net that has a single address used by many people, so it’s difficult to tell who made the illegal download (although the county plans to investigate the matter).

Great job MPAA! Way to look out for your own financial interests in blatant disregard for the interests of everyone else. So what exactly have the MPAA clowns (I love Cory’s reference to the MPAA’s spokeslizard) accomplished here. Several things come to mind:

1. Users of Coshocton public WiFi will likely never download another pirated movie again… without going through TOR.
2. Users of Coshocton public WiFi will likely never purchase any movie ever again.

As I said before, I’m not a fan of pirating movies. Quite frankly there is so much stuff legitimately available for free or incredibly cheap that I can’t begin to consume everything I might be interested in. But in addition, I can’t for the life of me see how alienating your customers because somebody downloaded a movie and allegedly deprived you of $10 or less (assuming of course that the perp would have actually paid for it anyway) makes any sense at all. What I can say is that cheesy stunts like this almost make me want to fire up bit torrent and snag some episodes of Desperate Housewives. Just on principle. That and I’ve never seen Desperate Housewives. But I can get it from Netflix way easier. And I don’t have to use TOR. But believe me, I’m not going to purchase any movie or TV show. Not now. Not ever.

This:

Takes you to this:

Thanks Anupam, Stu and Alex

Tom Kelchner

Lori says its not lock-in if the vendor:  (a) does what it says it does, (b) solves all their problems and (c) the company isn’t going anywhere. I agree monolithic vendor solutions can be quite efficient. Hey Mussolini was loved by the Italian people early on because he made the trains run on time.  That didn’t mean that a fascist form of government was best for Italy and that it was not a bad thing. But a single party dictatorship is more efficient than a democracy usually.  Doesn’t make it beter.

What does this have to do with data center vendor lock-in.  I think where Lori’s wheels fall of the tracks on this one is when the vendor uses that monopolistic lock-in to ensure that customers now have to use vendors products for ancillary products.  Imagine if you will (well you don’t have to imagine, it used to be like this) that if you want to use VOIP and your a Cisco shop, unless you use Cisco VOIP phones they just done work so well on your Cisco network. Take wireless as another example. Aruba gear in a Cisco shop is a real nightmare.  Now does Cisco purposely make it harder for another vendors gear to work on with their switches? I will leave it to you to decide. The real problem as I see it is when does lock-in become so prohibitive that it crosses over to monopolistic. When it does we don’t live in a world of corporate saints, so you can’t expect them to do what is best for customers and not for themselves.

Lori also points out that standards are so supposed to alleviate some of that angst. But as Lori says that ain’t a panacea either.  Even within standards there is too much “embracing and extending” that renders them greatly diminished.  Try making 802.1x switches from different vendors work together as a great example.

Calling the discovered flaw “noob,” researcher Laurent Graffie said in blog post that it should have been spotted years ago.

My silence can partially be explained by simple mundane things like a high workload and the desire to spend time with my family when I am at home, but there has been a secondary cause also.

I believe that it is important to reflect about who I am professionally and how I want to portray myself. After having collected a bunch of security certifications (in chronological order: CISSP, GCIH, CISM, OSCP, CISA), I think I’m done with that for a while. All certifications have contributed to my understanding of the field, and they reconfirmed that I am exactly where I want to be.

While up to recently, I advertised myself as a information security generalist, I believe that I am currently in the process of shifting focus towards becoming an information security strategist.

My day to day work, and my general thinking, has been impacted by the fact that I have few operational responsibilities. For one, it means that the only ‘real’ reasons that I am touching security technology are out of curiosity, to prove a point, or to evaluate a product’s potential. Actual implementation and operation is not something that I have done in quite a while.

Likewise, while I am fairly proficient with vulnerability scanning and penetration testing techniques, I have not done full tests recently. It doesn’t mean that I don’t like to tinker around in my own lab to try out new tools, or that I don’t assess new vulnerabilities and exploits, but the pressing need to be current to the minute is something that it slowly fading.

I feel a little sad about this realization. Being on the bleeding edge of technology, developing and performing assessments, and being in the loop on what’s going now on is incredibly rewarding. But, setting strategy, determining direction and ensuring that an organization moves forward in its level of professionalism and its quality of service is something that also has its rewards.

At the very least, not being on call 24/7 for operational emergencies has its benefits.

The more time I spend in security, the more I realize that economics plays a far larger role than technology in what we do.

Anonymization, combined with internationalization, shifts the economics of online criminal activity. In the old days to rob or hurt someone you needed a degree of physical access. The postal and phone systems reduced the need for this access, but also contain rate-limiters that reduce scalability of attacks. Physical access corresponds to physical risk — particularly the risk of apprehension. A lack of sufficient international cooperation (or even consistent international laws), combined with anonymity, and the scope and speed of the Internet, skew the economics in favor of the bad guys. There is a lower risk of capture, a lower risk of prosecution, limited costs of entry, and a large (global) scope for potential operations.

Heck, with economics like that, I feel like an idiot for not being a cybercriminal.

In security circles we spend a lot of time talking about the security issues of anonymity and internationalization, but these really aren’t the problem. The real problem isn’t the anonymity of users, but the anonymity of losses.

When someone breaks into your house, you know it. When a retailer loses inventory to shrinkage, the losses are directly attributable to that part of the supply chain, and someone’s responsible. But our computer security losses aren’t so clear, and in fact are typically completely hidden from the asset owner. Banking losses due to hacking are spread throughout the system, with users rarely paying the price.

Actually, that statement is completely wrong. We all pay for this kind of fraud, but it’s hidden from us by being spread throughout the system, rather than tied to specific events. We all pay higher fees to cover these losses. Thus we don’t notice the pain, don’t cry out for change, and don’t change our practices. We don’t even pick our banks or credit cards based on security any more, since they all appear the same.

Losses are also anonymized on the corporate side. When an organization suffers a data breach, does the business unit involved suffer any losses? Do they pay for the remediation out of their departmental budget? Not in any company I’ve ever worked with — the losses are absorbed by IT/security.

Our system is constructed in a manner that completely disrupts the natural impact of market forces. Those most responsible for their assets suffer minimal or no direct pain when they experience losses. Damages are either spread through the system, or absorbed by another cost center.

Now imagine a world where we reverse this situation. Where consumers are responsible for the financial losses associated with illicit activity in their accounts. Where business unit managers have to pay for remediation efforts when they are hacked. I guarantee that behavior would quickly change.

The economics of security fail because the losses are invisibly transfered away from those with the most responsibility. They don’t suffer the pain of losses, but they do suffer the pain/inconvenience of security. On top of that, many of the losses are nearly impossible to measure, even if you detect them (non-regulated data loss). No wonder they don’t like us.

Security professionals ask me all the time when users will “get it”, and management will “pay attention”. We don’t have a hope of things changing until those in charge of the purse strings start suffering the pain associated with security failures.

It’s just simple economics.

- Rich
(0) Comments

No. 1: Windows 7 is better than XP, which is now already eight years old. While Windows 7 may not be the perfect OS, it’s certainly better than almost decade-old technology. And in our knowledge-based economy, forcing knowledge workers to stay on old technology may be difficult. If people feel that their technological evolution is being thwarted by the organization, they’ll find ways around it – as we’ve talked about before – because they’re thinking, “How do I stay current with the latest technology and tools? How do I remain effective and efficient? How do I keep my skill set relevant? How will that impact my career?” It’s better to be in charge of an organized plan to provide employees with what they need, rather than have to react to employees going behind your back.

No. 2: Third-party tools will augment Windows 7 to provide enterprise-level security. Windows 7 is the most secure Windows OS out there for desktops, laptops, etc., and is definitely better than previous versions. In fact, in its report entitled “Planning for the Security Features of Windows 7,” Gartner points out that Windows 7 includes “free” security features such as Data Execution Prevention (DEP), Address Stack Layout Randomization (ASLR) and Safe Unlinking.

The problem is that people may get lulled into thinking they’re completely secure when, in fact, lots of the lessons learned over the last decade or so still apply. Third-party tools will still be necessary to ensure enterprise-level security. For example, Microsoft has dialed back user account control (UAC), which most people disabled on their Vista boxes because they found it annoying. Yet Sophos – one of our colleagues in the antivirus/malware space – suggests that Windows 7 doesn’t block 8 out of 10 viruses that Vista would have blocked. [Of course, Microsoft disagrees with this assessment.] Another example: BitLocker – an encryption tool included with Windows 7 – is pretty much all or nothing. And as far as I’m aware, it doesn’t have limits on file types, limits by amount (per user, per day), or provide shadowing. Many of the capabilities that third-party tools have incorporated over the years will be better than what you get with Windows 7.

In addition, Gartner recommends using group policy object (GPO)-based management to support Windows 7 deployments. Group policy is a method by which the network admin can configure boxes on the network. Unfortunately a user running as admin can change the configuration (Gartner also recommends “running as a standard user wherever possible.” For more on this issue, check out our previous discussion). This brings to mind a common complaint heard by those running XP: “Gee, you offer this great tool but I have no way of knowing whether those changes I’ve made have taken effect or whether any users have changed them.” Microsoft has changed that a bit in Windows 7 but, in general, third-party tools do a much better job of providing the overview of your network and can actually enforce the rules in ways that GPO doesn’t.

Plus, “free” doesn’t mean without cost. If you run a very small organization, free tools make sense. But they don’t make sense as your organization grows. Why? First because Microsoft takes care of Microsoft-related issues only. For instance, Adobe is considered by some to be the #1 threat vector into your network and endpoints (laptops, desktops, and so on) at the moment. Microsoft tools are not going to fix these issues. Second, these free tools don’t give you central management control. You can set things but you don’t necessarily get the reporting and ability to lock down that you get with third-party tools. That lack of visibility means you’re never quite sure what’s happening in your environment.

In addition, if you’re a large organization that needs to prove compliance with statutes and regulations – whether state, federal, industry, and/or pan-national laws – you’ll be better off with third-party tools that provide better reporting and lock-down capabilities. Third-party tools can also be the best way to provide best-in-class capabilities because third-party vendors are laser-focused on those issues – Microsoft has a lot of other things to think about.

No. 3: Consider the overall costs of migrating. There are always challenges when moving enterprises to a new OS. How do you migrate people, how do you time it, how do you train them, what productivity losses will you incur, how will we handle increased calls to the help desk, and so on. If you’re running XP, you need to make sure everything will migrate, especially if you’re running custom software. I read somewhere that a typical large organization has 600 custom-developed software programs running on their boxes. You’ll have to do a lot of work to make sure everything tests out.

In addition, Gartner points out that many of the Windows 7 security features are only available for those who are enterprise agreement / software assurance (EA / SA) subscribers, or in the consumer-focused Ultimate version. Oh, and by the way, it looks like you’ll need Windows Server 2008 R2 to take advantage of several of the new security capabilities in Windows 7, such as the integrated Network Access Control (NAC, which they call Network Access Protection or NAP) and DirectAccess (an integrated VPN solution).

So you need to factor in all these costs too, which might impact you differently depending on your needs, your organization’s size and your current licensing status – all while bearing in mind which of the security points I discussed above apply, or don’t.

No. 4: Don’t be afraid of the change that’s coming. You don’t need to be at the cutting edge, but you needn’t be afraid of it and wait for the 1st or 2nd service release. Windows 7 technology, especially when coupled with the new underlying hardware, should improve your workplace productivity and effectiveness. Sure, there will continue to be patches and security bulletins – that’s the nature of the beast. But combine the undeniable strides Microsoft has made with Windows 7 in the security arena with some good third-party tools to round out your defense-in-depth strategy, and you’ll be doing quite well. And the latter are especially important if you also need centralized control and visibility.

So, in the end, here are the key points as I see it:

1. Don’t get fooled by built-in security features.
2. Make sure your third-party vendors are going to support Windows 7 as you migrate.
3. Keep your eye on the security ball – Microsoft can’t do it all by itself.
4. Microsoft Windows 7 plus third-party tools adds up to much better security than what you had before.
5. By migrating in an organized, thoughtful manner, you’ll be able to manage the change and maximize the utility.

While at the OWASP DC conference, an interesting thought came to me, which I’d like to hear people’s opinion about. So you all probably know about technical vs. logical vulnerabilities, right? I think it was Jeremiah Grossman who came up with this classification. Anyway, while thinking about this classification, I noticed that (almost) all technical vulnerabilities stem from insecure software implementation and (almost) all logical vulnerabilities, stem from insecure software design and/or architecture. If you think about it some more, most technical vulnerabilities, are fixed by repairing your code, and most logical vulnerabilities, are fixed by applying secure design patterns (fixing your design), or modifying your architecture to be more secure.

So, IMHO:

Technical vulnerabilities == Implementation vulnerabilities

Logical vulnerabilities == Design & Architecture vulnerabilities

What do you think? I’d love to hear your comments.

Posted every Friday, our “Infosec Ramblings” post takes the best security tweets from the past week and puts them into one easy to digest post.

If you don’t want to wait an entire week to read the best security tweets, be sure to stop by @grecs or learn more about the NovaInfosec Twits.

There seemed to be quite a few meetups this past week. Did you get to attend any of them?

• RT @IBMFedCyber Also hitting the TechAmerica Cloud Security Round table Thursday: http://bit.ly/10rLIn – full week of fun! #mtg #

There’s also some upcoming meetups for those of you who are interested.

• RT @CharmSec 19 has been booked @slaintepub for Nov 19th instead of the usual last-Thursday-of-the-month for numerology reasons #mtg #
• New grp #mtg? RT @securitytwits @mwollenweber: DC Org of Hackers (DoH!), Wash’s vs of AHA. 11/25. 7PM GWU Campus off Foggy Bottom Metro ^Q #

If you don’t have time to make it to any of the weekly security meetups, why not try attending one of these upcoming conferences?

• RT @evejou RT @[everyone in the whole world, except those still unaware] Dojocon Videos are online now: http://bit.ly/3qkmSD #con #
• RT @signalmag Reg is open for next #AFCEA SOLUTIONS event on cyberspace & cyberthreats! Great speakers. http://bit.ly/2Dmajv #con #
• RT @AppSecDC09 Remember, the #OWASP Summit is tomorrow! Use the #AppSecDC hash tag for Summit and Conference tweets! #con #

For those of you that don’t know, we have some pretty awesome infosec bloggers in the local area. You can check out some of their articles below.

• TRIAL & ERROR: @falconsview ’s experience in trying out the Arizona thing. http://ow.ly/zJko #novablogger #
• RT @rybolov I put up my DojoCon presentation, slides, and compliancy panel on my blog: http://bit.ly/4nty3U #novablogger #
• SECURITY JUSTICE PODCAST: And @taosecurity made it on this post cast too. http://ow.ly/BK9K #novablogger #
• HAYDEN NOTES: @taosecurity got chance to attend 1 of Gen Hayden’s talks & wrote up sum of it. Pic too! http://ow.ly/BKd8 #novablogger #
• 60 MINUTES STORY: @taosecurity ’s reaction. Says real issue is APT. Of course t/i whole Brazil thingy. http://ow.ly/BKjE #novablogger #
• BRAZIL POWER OUTAGES: @moranned put this up pre-60 Mins. Bet there will b lots of discussn around this. http://ow.ly/BKpR #novablogger #
• 60 MINUTES: See a theme this week. Anyway, @moranned posts the episode up for his class. http://ow.ly/BKsG #novablogger #
• FOOD 4 THOUGHT: @moranned posts snipits fr Errata’s 60 Min counterpoint. Brazil thing keeps coming up. http://ow.ly/BKu4 #novablogger #
• CRIMINAL SOPHISTICATION: @moranned points out good Wired article on how the bad guys getting better. http://ow.ly/BKw5 #novablogger #
• WASH POST REHASH: @moranned points out China story with nothing new. May be worth a read though. http://ow.ly/BKxv #novablogger #
• ITS FULL OF COLOR: @carnal0wnage shows screenshot of new Metasploit interface. Guess what’s new. http://ow.ly/BKyF #novablogger #
• EFF QOTD: @falconsview points out interesting quote. What was suppose 2 b bad is now being embraced. http://ow.ly/BKzZ #novablogger #
• MORE FLASH PROBLEMS: Guess this just came out this afternoon and @falconsview did quick post on it. http://ow.ly/BKBv #novablogger #
• ROOM 362 ORIGINS: In case U were wondering here is @mubix ’s repost. Apparently got lost but now is back. http://ow.ly/BKDp #novablogger #

In case you missed them, here were some of our blog posts from this week.

• BLOGGED: Grecs’ Weekly Infosec Ramblings for 2009-11-05 http://ow.ly/15ZM9s #
• BLOGGED: Top 3 NoVA Infosec Blog Posts of the Week http://ow.ly/15ZTLA #
• BLOGGED: Where You Want to Be This Week (11-09) http://ow.ly/160tcv #

You can also keep yourself busy with these interesting newsbites:

• NEW CERT ALERT: RT @IBMFedCyber CAP Certified? DoD Approves new credentials for Security Pro’s: http://bit.ly/4i1zHR #
• Good first step but need more control of actual info. RT @briankrebs Poking at Google’s new privacy Dashboard http://bit.ly/fTxJT #
• Dashboard is all privacy theatre. RT @regsecurity Vint Cerf: ‘Google doesn’t know who you are’ http://bit.ly/1zyYpf #
• Like the graphic though. RT @danphilpott When people ask who I work for maybe I’ll say I’m a messenger fr CIA Triad. http://bit.ly/5lNv2 #
• Always good to gave handy. RT @DrInfoSec Default Passwords List (via @proactivedefend | @opexx) http://ow.ly/1606db #
• Lots of articles on this today. You’re ok unless U jailbreak. RT @sans_isc [Diary] iPhone worm in the wild http://bit.ly/3fJwAD #
• Good ?. RT @mckeay Cofee law enforce tool leaked 2 bitorrent, http://bit.ly/2vN2YO What R ethical implications of download & trying? #
• I knew it. RT @angelinaward RT @PCSecurityNews: Google Dashboard Creates Security and Privacy Concerns. http://bit.ly/1NwxKw #
• Watched. Nothing big. Good for awareness though. RT @RodBeckstrom 60 Minutes CBS Cybersecurity piece: http://bit.ly/3mOfbG #
• Interesting. RT @moranned really interesting counterpoint to the 60 Minutes hackers piece by Errata Security – http://bit.ly/DKAhw #
• Awesome article. #todo RT @Shpantzer @vcuinfosec Consider hiding ur bday on Facebook/MySpace. Better yet.. http://bit.ly/10YKde #
• RT @GovInfoSecurity Will 60 Minute cybersecurity segment force Obama to name sooner than later a cyber czar? http://bit.ly/3ilgeV #
• RT @danphilpott Cybersecurity Comparison Matrix: Nice summation of cybersecurity activity http://bit.ly/1URZov #
• RT @danphilpott RT @fedcomputerweek: New contractor db draws fire: Industry and good-gov grps criticize http://bit.ly/OtHxN #
• RT @sans_isc [Diary] Microsoft Nov Black Tues Overview: Overview of Nov 2009 Microsoft patches … http://bit.ly/3pFDzc #

If newsbites aren’t your thing, you can keep yourself busy with these reports:

• Always a good watch. RT @VRT_Sourcefire November 2009 Vulnerability Report http://bit.ly/3JXVLJ #

Here are some job openings in the security field:

• Hope people get this in time. It’s on Sat! RT @GovInfoSecurity DISA Job Fair Targets Cybersecurity Students http://bit.ly/5ATCH #job #
• #job RT @bobgourley Just posted job opening Disruptive Tech Analyst: http://j.mp/rASq Please check out write up and help connect #

And in closing, who could forget the tweet of the week?

• RT @rik_ferguson: “iPhone worm” like smashing yr car win 4 yer keys, not getting it fixed, then wondering where yr CD player went. #totw #

Well, that’s all for this week. Be sure to follow us @grecs for more great tweets during the week!

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!

• OWASP Top 10 (2010 release candidate 1)
• Flash Origin Policy Issues and FAQ
• Microsoft to release security guidelines for Agile
• WhiteHat Security 8th Website Security Statistics Report Edit Presentation
• Securely deploying cross-domain policy files
• Vulnerability assessment integration with web application firewalls
• ModSecurity Core Rule Set (CRS) <-> PHPIDS Smoketest
• Website Vulnerability Assessment Q4 2009 (EMA Radar Report™ Summary)
• Facebook groups hacked through design flaw
• Microsoft Tries To Censor Bing Vulnerability

---

WhiteHat Security is a leading provider of website security services.

---

SecurityOrb.com Interview Glen from HFC from SecurityOrb on Vimeo.

SecurityOrb.com Interview Glen from HFC from SecurityOrb on Vimeo.

The title of our presentation is:  Cover Your Assets:  Real Time Application Security Assessment & Protection

In addition to the presentation, we'll also have a live application and database hacking demonstration.

There are several other interesting security presentations next week. Some of them are:

• Five Common Mistakes in Securing Web Applications by Lars Ewe - CTO of Cenzic; Lars and I recently did a podcast together
• Mining for Value in the Data Log Fire Hose: Top Five Governance, Risk and Compliance Metrics in Logs by Paul Stamp of RSA
• Business Resiliency: Are You Really Prepared? by none other than John Pironti, Chief Information Risk Strategist, Archer Technologies; John and I have also recorded a podcast

Hope to see you there.

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all security bulletins, and a network-based uncredentialed check for MS09-064.

Severity is a Matter of Perspective

What struck me as interesting this month are the severity ratings. Microsoft publishes these ratings as a guide to help customers evaluate the vulnerability risk. In many cases, they seem to be doing their customers a disservice. For example, a remotely exploitable vulnerability in Microsoft Word or Excel could be leveraged by attackers to compromise desktop systems. These types of vulnerabilities are frequently exploited by attackers and penetration testers alike to gain access to sensitive information. The advice I always give to organizations is to evaluate each vulnerability with respect to how it affects your business, not what has been published by the vendor.

In addition, if the evaluation of severity is coming from a vendor, it should adhere to some industry accepted standard calculation, such as the CVSS score. Nessus plugins use this scale (1-10, with 10 being the most severe) as a rating for the severity of the vulnerability. While Microsoft rates MS09-067 (a vulnerability in which arbitrary code can be executed as a result of opening an Excel file) as important, Nessus gives it a CVSS score of 9.3. Use these ratings as a guide to develop your patching strategy. For example, if you heavily use Excel, you will need to patch right away. If you do not use Excel, then it is not as critical to patch. You could employ a temporary solution for mitigation by blocking incoming Excel file attachments while you focus on vulnerabilities that pose a bigger risk.

Patch Tuesday Breakdown & Thoughts

What follows is a breakdown of the patches that have been released by Microsoft in the latest “Patch Tuesday” set and the associated Nessus plugins:

• MS09-063 - Nessus Plugin ID 42437 (Credentialed Check) - This is an interesting vulnerability in a networking protocol called Web Services on Devices API (WSDAPI). More information http://msdn.microsoft.com/en-us/library/aa385800(VS.85).aspx. Essentially it allows clients to find devices on the network. If you really want to dig deep into this protocol check out http://blogs.msdn.com/dandris/archive/2007/11/09/wsdapi-101-part-1-web-services-from-10-000-feet.aspx
• MS09-064 - Nessus Plugin ID 42438 (Credentialed Check) & Nessus Plugin ID 42443 (Uncredentialed Check) - This patch only affects Windows 2000 Servers. If you are running this operating system, you need to upgrade. Now, that’s easy for me to say, but much harder to implement in your environment. If I look at the penetration tests I’ve done over the years there is almost always an older Windows NT and/or 2000 system laying around. Usually the excuses are “it’s a test system”, “it’s a lab system”, “we’re retiring that system”, or the worst case “it runs some mission critical software provided by a vendor that does not support the recent patches or upgrade to a new operating system”.
• MS09-065 - Nessus Plugin ID 42439 (Credentialed Check) - A vulnerability that can be executed by rendering fonts! I would expect that there might be other attack vectors, such as in any program that can display text beyond something in the browser. Since this vulnerability is in the Windows kernel, other vectors such as documents, instant message programs and more could access the vulnerable functions.
• MS09-066 - Nessus Plugin ID 42440 (Credentialed Check) - This vulnerability relates to a denial of service condition in LDAP running on Windows 2003/2008 servers. Typically the servers running this service provide the function of a domain controller, which is essential for authentication to occur in the Windows domain. The ability to cause a denial of service condition on these systems could lead to significant downtime and prove to be quite costly to an organization.
• MS09-067 - Nessus Plugin ID 42441 (Credentialed Check) - A question for Microsoft: why is this vulnerability rated “important” and not “critical”? In case you haven’t heard, the way attackers are getting in is via phishing attacks and emailing end users. If you can slip something past the SPAM filter, email anti-virus software and desktop anti-virus software, it is a sure win. That may sound like a lot of “hurdle jumping”, but it is much easier than you may think. An attacker is relying on the fact that your organization needs to do business, and part of that process is exchanging documents via email. Thus, certain document types are allowed to pass, and differentiating between the ones that contain exploits and those that do not turns out to be pretty difficult.
• MS09-068 - Nessus Plugin ID 42442 (Credentialed Check) - Same scenario as above, but affects Word.

References

Misleading Patch Audits

When you go into security consulting engagements with a new business
unit you usually face a few questions from the developers and business
owners. “What is it exactly that you’re going to tell us?”

We always answer this the same way: “Things that will surprise you.”

Most developers have read a lot about security these days – they
understand SQL Injection, Cross Site Scripting, access control, not to
use their own cryptographics, and all sorts of other security truisms.

What they can’t possibly understand is how a hacker’s mind works, and
what they’re likely to find. Even security specialists who have only
worked defence often have never really seen a hacker go.

Largely I think this is because there’s a difference between someone
playing cards with chips and someone with their house and life on the
line. People say penetration testing is a model of an attacker. But how
do you model obsession?

- -dave

I totally agree. We can use the same tools, adopt the same techniques, but the mind of an intruder may be so completely alien to any defender that the yawning gulf of difference in mindsets that separates us prevents comprehension and hinders our efforts to combat them.

According to the recent trust catalyst (their use of capitalization, not mine) 2009 Encryption and Key Management Industry Benchmark Report, 10 percent of people think that the reason that more people don’t encrypt backup tapes is that encrypting tapes costs more than a data breach so that encrypting backup tapes isn’t cost-effective.

What I learned from reading that is that 10 precent of people will pretty much believe anything.

Computer security blogger Dave Piscitello of Hilton Head Island, S.C. (“The Security Skeptic”) ran an interesting piece: “Nine ways to mitigate malicious domains.” It’s a list of proposals that ICANN has collected from the security community that it will consider for new rules for top level domain applicants. It’s an effort to help prevent the establishment of malicious web sites.

ICANN is taking public comments at: http://www.icann.org/en/public-comment/

Dave said the suggestions under consideration are:

– Vetting registry operators to filter out criminal organizations. (Recommended by the Anti-Phishing Working Group and others.)

– Demonstrated plan for the deployment of Domain Name System Security Extensions. This would require written plans for signing zone files and delegations (domain names registered in its top level domain.).

– Prohibition of redirection by top level domains. (ICANN’s SSAC, the ICANN Board of Directors) “…applicants must return negative responses when a DNS query is made to a non-existent domain and must not synthesize (redirect) queries for error resolution or advertising purposes.”

– Removal of orphan glue records. “Orphaned glue records frequently point to name servers that host malicious domains. This measure requires applicants to explain the policy they will enforce to ensure that a name server record in a delegation will not persist in the TLD zone file when the parent domain name is deleted from the zone.”

– A requirement for detailed Whois records.

– Centralization of zone file access. Presently, applications must contract with top level domain registries to get FTP access to zone files.

– Documented registry level abuse contacts and procedures.

– Participation in the Expedited Registry Security Request process to help ICANN and registries to maintain security during an incident.

– Establishment of High Security Zones Verification.

See Dave’s blog piece here.

Thanks Dave

Tom Kelchner

Wait. I know, you have heard this before. Yes, there has been a lot of crying wolf this decade but there are strong signs that it has finally left the realm of fiction.

When you look at something like the ANT Census of the Internet Address Space, the empty IPv4 space appears to be vast, but that’s only based on an ICMP scan. Some IPs have firewalls in place to only allow access to certain sources. Others have ICMP blocked, and in the case of ISPs some entire ranges will only be intermittently active. No one really knows how much of the address space is really in use.

What they do know is that the amount of new blocks to allocate is running dangerously low. The reports vary anywhere between one and three years.

After that, what will we have? IPs For Sale. Yes, party to party selling of IP address spaces without control by the IANA or any other group. Can you say seller’s market?

But there is a problem with trading, beyond the obvious price gouging to come. Many available address spaces have become Internet Ghost-towns, IPs made toxic by previous malicious activity that has earned them a spot on blacklists. A fellow Trender was recently quoted in The Washington Post:

"The problem is once an address block gets so polluted and absorbed into all these blocklists, it’s difficult to get off all of them because there is no central blocking authority," said Paul Ferguson, an advanced threat researcher at Trend Micro. "That space won’t be toxic for all time to come, but certainly it is going to be tainted for whoever ends up with it…"

Lovely, just what I wanted for Christmas, a tainted IP.

So is this it? I for one hope so. IPv6 bring it on, then we can worry about this again sometime after Y10K.

If you can’t get enough of the local security scene, check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. Also be sure to follow us on Twitter @grecs if you want to know more about what’s going on in the local security community during the week.

And without further ado … here are the top picks for this week.

#3 – China proves to be an aggressive foe in cyberspace: An informative post about China’s cyber espionage and cyber warfare capabilities. Read it here

#2 – DojoCon 2009 Presentation: The dojocon has come and gone, if you would like to catch a presentation by one of the speakers at the dojocon, you can see rybolov’s dojocon presentation here!!

#1 – Notes from Talk by Michael Hayden: Richard Bejtlich summarizes NetWitness’s user conference with Michael Hayden. Read Richard Bejtlich post here to see what a former CIA director and previously NSA director had to say about cyber intelligence.

Well, that’s all this week. Be sure to check back next week for more great blog posts from local security bloggers.

This piece of code (see Figure 1) has been verified to successfully remotely crash Microsoft Windows 7 and Windows 2008-R2. It is caused by sending a specially crafted NetBIOS header wrongly specifying the SMB (Server Message Block) packet size. No error messages dialog box nor evidence of the bug is recorded in the event logs, the computer just freezes.

Figure 1: code extract
Moreover, the issue occurs in pre-authentication stage so no credential is needed.

To trigger this issue, the victim must be trapped to open a Windows share, so just a link of type file://ip/something on an HTML page could do the trick. As of writing, no CVE number has been associated to this issue, however thanks to our IPS decoder signature, Fortinet customers are proactively protected with ¨NBSS.Invalid.Fragment¨ detection.

G’morning, long time no see.

How’ve you been? You look great, lost a few pounds I see. Great to run into you – let’s grab a beer soon!

All the Best,

The Intern

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. How Google Voice Violates Google’s Own Privacy Policy – Tech Crunch
2. Masking vs. Truncating – Network Security Blog
3. Community criticises security firm’s vulnerability report – Heise
4. Secure Sockets Layer (SSL) vulnerable to man-in-the-middle hacks – Last Watchdog
5. The Problem with Browser Security – Andy, IT Guy
6. Spam Campaign Targets Payment Transfer System – PC World
7. Suspicious wife posed as schoolgirl to trap paedophile husband, court hears – Telegraph
8. New Microsoft patent may put Linux security components at risk – Heise
9. A CNET Conversation with Eric Schmidt – C|NET
10. Nastygram: Beware the NACHA gotcha – Security Fix
11. Sophisticated parcel mule scam unpicked – The Register

Tags: News, Daily Links, Security Blog, Information Security, Security News

My fudsec post (reposted below for backup purposes with a two week delay) was not “an endorsement” of FUD, it was a reminder to many overly excited folks that FUD is largely all we have today – and there are signs that change just ain’t coming.  As I hinted in  my quick follow-up (“Smelly Goat vs Flying Unicorn”), I am not defending Fear/Uncertainty/Doubt for the merits, I am explaining that we are largely stuck with it, for now. Another way to explain is to quite Churchill, as I do in the comments. Those who know me can confirm that I am a huge proponent of metrics (but also highly skeptical of some metrics ever being achievable).

Here are some of the insightful responses to it:

• Just say ‘no’ to FUD from New School of Security (personally, I think that “trumping with ethics” is a low card in intellectual arguments! IMHO it is one step above name calling)
• On smelly goats, unicorns, and FUD from New School of Security.

 A Treatise on FUD

FUD or Fear/Uncertainty/Doubt triad seems better known than the other security triad: C-I-A. It seems inextricably linked with security industry as well as with security technologies. After all, don’t we reach for some extra safety and security if we fear something, feel uncertain about something or doubt something?

While few CSOs and security leaders admit that they build their security programs based on FUD, below we will hypothesize that FUD is indeed a meta-level above risks, threats, vulnerabilities as well as compliance mandates. FUD’s role in security today probably overshadows the role of any other factor we know. To put more substance into our discussion, here are some well-known examples where fear, uncertainty and doubt manifest themselves:

· Fear

• Getting compromised by attackers
• Failing an audit
• Suffering big loss
• All of the above: Failing an audit + getting hacked + being dragged into a media circus

· Uncertainty

• Keeping a security leadership job
• “Keeping the wheels on” for security infrastructure
• In case of an incident, loss amount is uncertain
• Threats and their impact

· Doubt

• Security mission success
• Effectiveness of security measures
• Support of senior management

Further, many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today! Big Hairy Ass Risks (BHARs) dominate both the FUD-infested security vendor materials as well as internal CSO presentations. Note that very few of the BHARs are truly imminent and thus fall out of FUD realm as there is no uncertainty about them - just like only few people develop phobias of poisonous snakes (which would be a very useful phobia to have).

In light of this, we have to accept that there are benefits of FUD – as well as risks.

The benefits of FUD stem from the above view of security which is defined as “being free from danger” or ”measures taken as a precaution” against something bad.

First, in the world we live in, FUD works! Demonstration of a BHAR followed by technology purchase or control implementation does reduce possible loss of not only due to said BHAR, but also due to other threats (if BHAR ends up being completely mythical). Such implementations often also deliver other useful things for the organization. It is worthwhile to remind that “FUD selling” applies to CISOs no less than to “enterprise software” sales people. It also applies to “fear of auditors” as well as “fear of attackers” – both drive security adoption, even if lately the former seems to be winning.

Second, keep in mind that many of the BHARs are both genuinely scary and, in fact, likely. Scaring a company into updating its anti-malware tools (despite all the concerns about their relative efficiency) or into deploying tools to collect and analyze logs is excusable, at the very least.

Third, many proclaim that people need to be naturally drawn towards doing "the right thing" after being educated about what the right thing might be and scaring people into action is not that efficient. The technical answer to such concern is a resounding “Ha-har-ha!!!”

Finally, for years FUD was used to sell insurance as well as safety features in cars and other products, legal services, to make people update their boring DR and BC plans, and other good things. Fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive, all the way down to resolving political tensions out of fear of a nuclear war…

Admittedly, Fear/Uncertainty/Doubt approach has issues as well. The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.

Second, it is well-known that magic of FUD wanes if you invoke it too often. If you scare your customers or your management into taking your product or your security agenda seriously, they are almost guaranteed to stop listening to you at some point. However, if enough BHARs manifest , FUD approach will continue to be fairly productive. One can get desensitized upon hearing that "sky is falling" too often, but here is the thing: I am willing to take the risk of such "desensitization" given that sky is indeed "not quite stable."

Third, FUD power – as any other power – corrupts whoever wields it too often. If you end up scaring people into action or spreading uncertainty, you might well lose an ability to win security arguments any other way. Also, if fear is a motivation for every decision you make, checking into a mental institution is not a bad idea. You might actually be paranoid!

Finally, I’d like to bring up the good old “greed vs fear” model for advancing security, last mentioned at BlackHat by one of the speakers. As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick out favorite 3 letter abbreviation – and I’d take honest FUD over insidious ROI any day…

To conclude, fighting FUD is a noble pursuit; Don Quixote thought the same about fighting windmills. Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated…

Original post.

About me: http://www.chuvakin.org

I was on my Google Feedburner page today updating my settings to go to my hotmail address (that is the subject for another blog, moving your email address at all of the accounts you have) when I came across what is for me a new feature in the stats section. They have a world map showing distribution of subscribers to my blog feed.

I guess I just always assumed that the bulk of my readers were in the US. This despite the fact that while at StillSecure we would constantly see more web leads come in from the rest of the world then from the US (having an international strategy can be the subject of a blog on another day). So I was surprised that actually about half of my subscribers actually come from outside the US.  After reflection I came to realize that this is how it should be.  Need to stop thinking US centric and remember it is a world wide web like the name says.

While I am at it, I think that is an important lesson to learn for many US companies.  Many companies I have spoken to have the “first we will make it here attitude” and then go international. In today’s economic reality, you can’t afford to just ignore more then half of your potential market. Yes language and time barriers present a problem, but not insurmountable by any means.  In this regard maybe companies that are not US based have an advantage.  Internationalization and penetrating “foreign” markets such as the US is a must for them because many of their home markets would be too small to sustain the business.  Anyway, food for thought on this cold Friday the 13th down in Florida.

In an article published in CSO Magazine titled “PCI DSS: No Angel, But Certainly Not the Devil,” Chuvkin and Rothke agree that the PCI standard is far from complete and is flawed, but it provides a baseline for what constitutes security best practices and compels businesses that handle credit card and payment information to exercise a minimum level of due diligence.

Corman’s position—as noted in the CSO article “Analyst: PCI Security a Devil, ‘Like No Child Left Behind,’” is simple: Focusing on compliance alone does not make an organization secure and, in some cases, will actually make a business more susceptible to a compromise. By focusing purely on the checklist of security tasks and requirements, businesses will overlook the real threats poised to their business, he says.

Corman is right, and he has case history on his side. Companies—such as Hannaford Bros. supermarkets—that have adopted the PCI standard as their security foundation have suffered catastrophic security breaches. By going down a checklist of security controls, Corman argues that a company will exercise a control—such as deploying a firewall or ensuring all clients have antivirus—without an understanding of what it’s guarding against. It’s like saying you speak a foreign language when all you know is a few words that have no context.

True risk management, Corman’s position goes, requires an understanding of the threat landscape, an organization’s risk exposure, and the potential loss and consequences of a compromise. From there, a business should devise a security strategy that counters the threats and the ability to adjust to shifting threat conditions.

Again, Corman is right, and he’s very utopian in his point of view. While that type of approach to security is ideal, it’s not practical and not every organization has the ability to execute proper risk management, as Chuvkin and Rothke point out. What PCI does for companies that don’t have mature security organizations or adequate understanding of risk management is provide a foundational blueprint for safeguarding data. In other words, PCI is better than nothing.

It actually goes a bit deeper than that, and Chuvkin and Rothke only touch on PCI’s justification benefits. This is particularly important to security solution providers who are selling the technologies and services that help organizations become and stay compliant.

Several security vendors and solution providers have talked about how end users - particularly small and midmarket companies - are reluctant to spend money on security in spite of the damning headlines of breaches. One security vendor’s channel account manager told me this week that he hears all the time about customers telling their VARs that they have no data that needs protection. The customer doesn’t actually believe they are immune to threats or don’t have valuable data, but they don’t see a compelling need to spend money on security. For companies like this, industry standards and government regulations are more than just a carrot that guides them to a better security place, but the stick that ensures they take at least minimal action. In that regard, PCI performs its task well.

I’ll take the argument one step further: PCI and other regulatory compliance is an effective conversation starter when approaching companies about security products and services. PCI and other standards by no means guarantee a company will be secure, but they do provide the opportunity for security professional and solution providers to engage in a dialogue with business stakeholders about what it takes to ensure business continuity and operational integrity. The challenge—which I believe both parties in this debate has missed—is that it’s incumbent upon the security professional—be it an internal manager or an external solution provider—to take the security discussion beyond the standards.

I think I’ve found the cz32ts executable – VirusTotal has this to say about it. What is more interesting is what Anubis has to say about it – check out the Network Activity section.

Basically, the executable goes off to a C&C server on 205.209.143.94 for a list of URLs to attack using the GETPHPURL command. It then tries to SQL inject the victim site, using the executable name as its user agent (all of the ones in my capture have i1 as the user agent, because that was the name of the executable I retrieved). Once the SQL injection tests have been carried out, it then reconnects to the C&C server to report the result of the attempt using the CMDPUTLINK command.

I have no idea how cz32ts.exe is distributed, but it would seem like the ideal thing for a dropper to pull down and set to run once on startup.

Anyone fancy shutting down 205.209.143.94?

Khalid Shiekh Mohammed, the alleged mastermind behind the September 11 terrorist attacks on the Twin Towers and the Pentagon, will be going to trial in New York. Virginia (home of the Pentagon) was competing with New York over who will decide the fate of this senior al Qaeda leader, but decided on a joint effort in a New York based courtroom. With President Obama’s decision to close down the Guantanamo Bay prison, all the terrorist suspects held at Guantanamo Bay prison will get criminal trials in state courts instead of military commissions.

Khalid Shiekh Mohammed’s formal charges will not be announced for a couple of weeks, but Mr. Mohammed did claim that he was the one responsible for the terrorist attacks and was the head of the operation. However, he also accused the the U.S. of torturing him for their use of admitted harsh tactics, including water boarding, a technique intended to simulate drowning. Will this affect Mohammed’s trial? We will see once formal charges are made against Mohammed.

(Via WSJ)

Unless Britney Spears converted to being a Satan worshiper and a member of the Illuminati, it’s pretty safe to say that her account got hacked by some prankster yesterday. Halfway through the day, her Twitter background and picture were changed to Illuminati pictures and soon after two new tweets popped up on her page. They read:

“I give myself to Lucifer every day for it to arrive as quickly as possible. Glory to Satan!” and “I hope that the new world order will arrive as soon as possible!”

Britney’s people are not sure what happened or how the hackers got the log-in information, but they think it was either someone that already had access to her account and decided to mess with it for fun, or just some hackers trying to cause some mischief. Either way, this is not the first time her account has been hacked, as hackers usually target celebrities for their huge number of followers and international influence.

(Via Mashable)

Everyone has at least heard that Friday the 13th is unlucky, but most people don’t even know why. The unlucky association with this day dates back to hundreds of years ago from a superstition that if 13 people sit together at a table, the first one to get up is bound to die within a year. This superstition is generally thought to have originated from the Last Supper, Where Jesus and his 12 disciples sat down together at the table and within the year Jesus died.

Even before this, cultures all around the world such as Native Americans, Mayans,  and Ancient Egyptians, considered the number 13 unlucky. Another religious connotation, people couple bad luck with Friday the 13th because Jesus was killed on a Friday. In fact, most of the public executions that took place were on a Friday. And for the people with extreme fear of Friday the 13th (paraskevidekatriaphobics), this year is especially unlucky with 3 Friday the 13th dates (one in February, March, and November).

Now if you really are a paraskevidekatriaphobics, or just a bit superstitious, there are a few simple precautions you can take to minimize your bad luck. First, is paying close attention to your surroundings and the people around you. Being aware is the first step towards staying safe. Or you may want to take the high tech route and choose some security products to enhance your well being. For example, many people turn to GPS trackers with panic buttons to ensure safety and send alerts if they get into a bind. Or maybe you need a hidden camera to monitor your things. High tech or low tech, this Friday the 13th you may want to take some extra precautions and maybe pick up a few lucky pennies just in case.

(Via BSUDailyNews)

There is an update to this post here.

In the past, we’ve seen various automated SQL Injection attempts bearing a User-Agent of NV32ts. It’s all a little odd, since:

• The attempts are dead easy to spot, thanks to the user agent (there’s even a Snort rule for detecting it)
• The attempts could be described as recon-only, since they didn’t seek to change anything.

Two injection attempts would be made by the attacker. The injected SQL would look like this:

%20And%20char(124)%2b(Select%20Cast(Count(1)%20as
%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]
%20Where%201=1)>0

And this:

‘%20And%20char(124)%2b(Select%20Cast(Count(1)%20as
%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]
%20Where%201=1)>0%20and%20”=’

These two cover the cases for vulnerable non-string and string parameters, and each case would be attached to the end of  the URL under test, after the last parameter. We’d usually see a spate of attempts in a short space of time from different source IP addresses, possibly suggesting that some botnet or other is doing all the work (possibly even Conficker).

Yesterday, we saw another run of attempts with the same pattern. A handful of source IP addresses targetted the same victim websites, each trying the same URL twice, appending the same two SQL statements as above. The only difference is the user agent – what was NV32ts has become cz32ts.

It’s still something of a mystery, though. Why use such a distinctive user agent? Why change it? What are the baddies looking for? If they’re going to go to the bother of scanning for sites vulnerable to SQL injection, why don’t they just try to inject something? Why conduct all this recon, when it would be difficult to reliably detect if you’re actually talking to a vulnerable site? Are the botmasters selling lists of potentially vulnerable sites rather than exploiting them themselves?

Any ideas?

As many of you have already heard, there was a very serious vulnerability discovered in the TLS protocol that is used across the general internet to secure many many forms of communication, from the browser used to access banking online, to the protocols used to secure messaging servers.

The vulnerability itself is a design weakness found in the protocol’s ability to renegotiate the encryption used in a session after a long-standing connection.

Here is a good write-up and links to some other information regarding the issue.

Stay tuned on this though - and expect many many patches and work-arounds to be issued by vendors.