<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3904462731148724809</id><updated>2026-01-23T00:25:51.072-08:00</updated><category term="Security"/><category term="Compliance"/><category term="CISO"/><category term="GRC"/><category term="Risk"/><category term="APT"/><category term="ATM"/><category term="Barnaby Jack"/><category term="Cyber criminal"/><category term="EXIF"/><category term="Hacking"/><category term="IT-GRC"/><category term="ITGRC"/><category term="Integration"/><category term="Jackpotting"/><category term="Location tag"/><category term="Lockheed"/><category term="RIP"/><category term="RSA breach"/><category term="Risk Management"/><category term="Sony"/><category term="Threat"/><category term="Trend"/><category term="Vulnerability"/><category term="breach"/><category term="checkin"/><category term="geolocation tagging"/><category term="iPhone"/><category term="iphone geo location tagging"/><category term="metadata"/><category term="photo tags"/><category term="place"/><category term="privacy"/><category term="tag"/><title type='text'>Security</title><subtitle type='html'>&lt;b&gt;&quot;Those who can see the Invisible can do the Impossible&quot;&lt;/b&gt;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default?redirect=false'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/'/><link rel='hub' 
href='http://pubsubhubbub.appspot.com/'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>8</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-8238512729734834615</id><published>2013-08-15T18:11:00.003-07:00</published><updated>2013-08-15T18:16:24.121-07:00</updated><title type='text'>Will we ever learn? Big Data: Same security issues different technology</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
One thing my history professor told me has stuck with me over the years: &quot;The only thing we have learned from history is that we have never learned anything from history.&quot;&lt;br /&gt;
&lt;br /&gt;
Think about that for a moment, and now let me give you the context. Remember the 1980s, when the Internet was the hot new thing and people were so excited about the new frontier? We never thought about security. Fast forward to the 1990s: we got these amazing application servers that serve up content to the user, and we never thought about security when we developed those either.&lt;br /&gt;
Then we did the same thing with the new protocols and services we developed on top of the existing infrastructure. Then, to secure the network, operating system, applications and databases, we started bolting on security such as firewalls, IPS (host and network), web application firewalls, database monitoring and virtual patching, and so on, which resulted in &quot;good enough&quot; security.&lt;br /&gt;
&lt;br /&gt;
I am sure right now you are frowning at the phrase &quot;good enough&quot; security, because its definition is very subjective and varies from person to person and title to title.&lt;br /&gt;
&lt;br /&gt;
Every time we come up with a new shiny toy, we look at its business benefits, forget about security, and then all hell breaks loose once that toy is ubiquitous.&lt;br /&gt;
&lt;br /&gt;
Big Data is going through the same cycle. Everyone wants to implement Hadoop and do something with it. They want to bring in every single click, every single network flow and every single repository to uncover the hidden information in the data.&lt;br /&gt;
&lt;br /&gt;
Very seldom are companies thinking about the security of this huge data set, which contains personally identifiable information (PII) and credit card information. Just because it is in HDFS doesn&#39;t make it secure. What about encrypting that information? How many of you are actually doing it?&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
You might think that SQL-injection style attacks are only for databases. With Big Data comes MDX injection. The concept remains the same; only the name changes! You should definitely read the paper on MDX injection that was presented at Black Hat 2013. The paper can be found &lt;a href=&quot;https://media.blackhat.com/us-13/US-13-Chastuhin-With-BIGDATA-comes-BIG-responsibility-WP.pdf&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
In summary, if you are a pen tester, don&#39;t get blinded by shiny big data platforms. If you are an auditor, your audit checklist still remains the same; if you are a developer, your considerations are still the same: bounds checking, input sanitization, and the other secure application development practices.&lt;br /&gt;
&lt;br /&gt;
This is our chance to learn something from history: instead of waiting for someone to bolt security on top of the platform, we incorporate security within the platform.&lt;br /&gt;
If you want to take away one thing from this post, here it is:&lt;br /&gt;
1. The Big Data platform is still growing, and we can embed security in the platform.&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/8238512729734834615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/8238512729734834615?isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/8238512729734834615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/8238512729734834615'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2013/08/will-we-ever-learn-big-data-same.html' title='Will we ever learn? Big Data: Same security issues different technology'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-7759470240056381906</id><published>2013-07-26T12:51:00.000-07:00</published><updated>2013-07-27T00:02:51.206-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="ATM"/><category scheme="http://www.blogger.com/atom/ns#" term="Barnaby Jack"/><category scheme="http://www.blogger.com/atom/ns#" term="Jackpotting"/><category scheme="http://www.blogger.com/atom/ns#" term="RIP"/><title type='text'>RIP Barnaby Jack )-:</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
It is sad that I am writing this post after a long time, and on such a bad day. I recently learned from Twitter that Barnaby Jack passed away. I am hoping it&#39;s a prank, I am hoping it&#39;s not true, I am hoping he will show up for his presentation at Black Hat.&lt;br /&gt;
&lt;br /&gt;
Barnaby requires no introduction; he hacked insulin pumps, ATMs, pacemakers and all sorts of embedded devices.&lt;br /&gt;
&lt;br /&gt;
My eyes are wet while writing this post. I vividly remember when he was part of the Trace team at McAfee. In spite of his deep insight and knowledge in hardware hacking and hacking in general, he was extremely humble. I remember when asked about hacking hardware, he said &quot;Just get the soldering iron and nitric acid, mate&quot;.&lt;br /&gt;
&lt;br /&gt;
I had the privilege of discussing a couple of things and partying with him at Black Hat. It was an honor to know him, and no words can do justice to his contribution to the security community.&lt;br /&gt;
&lt;br /&gt;
I would like to link his famous Jackpotting presentation from DEF CON 18. My deepest condolences to his family and friends. It is a huge loss, and only time can make things a little easier. RIP Barnaby. You will be missed. I can&#39;t believe that you are gone.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&amp;nbsp;&lt;iframe allowfullscreen=&#39;allowfullscreen&#39; webkitallowfullscreen=&#39;webkitallowfullscreen&#39; mozallowfullscreen=&#39;mozallowfullscreen&#39; width=&#39;320&#39; height=&#39;266&#39; src=&#39;https://www.youtube.com/embed/YsXLwdw76-Y?feature=player_embedded&#39; frameborder=&#39;0&#39;&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/7759470240056381906/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/7759470240056381906?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/7759470240056381906'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/7759470240056381906'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2013/07/rip-barnaby-jack.html' title='RIP Barnaby Jack )-:'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-6044248208631423892</id><published>2011-06-26T17:00:00.000-07:00</published><updated>2011-06-26T17:25:16.940-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="checkin"/><category scheme="http://www.blogger.com/atom/ns#" term="EXIF"/><category scheme="http://www.blogger.com/atom/ns#" term="geolocation tagging"/><category scheme="http://www.blogger.com/atom/ns#" term="iPhone"/><category scheme="http://www.blogger.com/atom/ns#" term="iphone geo location tagging"/><category scheme="http://www.blogger.com/atom/ns#" term="Location tag"/><category scheme="http://www.blogger.com/atom/ns#" term="metadata"/><category scheme="http://www.blogger.com/atom/ns#" term="photo tags"/><category scheme="http://www.blogger.com/atom/ns#" term="place"/><category scheme="http://www.blogger.com/atom/ns#" term="privacy"/><category scheme="http://www.blogger.com/atom/ns#" term="tag"/><title 
type='text'>geo location tagging and IPhone :</title><content type='html'>I am sure lots of articles have been written on geolocation tagging of iPhone pictures, with differing opinions. For some it was a convenience and for others it was a privacy issue.&lt;br /&gt;
&lt;br /&gt;
I believe in having a choice. As long as users have the ability to turn the given feature on or off, it shouldn&#39;t matter. However, Apple crossed the line when they stored this data on the phone without the user&#39;s consent or knowledge. In this post I am primarily going to talk about extracting metadata (including the geolocation tag) from any picture.&lt;br /&gt;
&lt;br /&gt;
Metadata is data about data, and in our case it is data about the picture or photo itself. When was the picture taken? Which camera was it taken with? Where was it taken?&lt;br /&gt;
&lt;br /&gt;
Why is it important to know about this? To start with, we should not upload pictures to Facebook and Twitter mindlessly, because they contain a lot more information about you and your device than you think.&lt;br /&gt;
&lt;br /&gt;
Another reason is that the same technique can be used to exchange information secretly! That&#39;s cool, isn&#39;t it? I can edit the metadata and send the picture to you; for others it is just a picture, while the receiver knows exactly what was communicated through the metadata. To make things even harder to crack, we can put an encrypted message in the metadata. That project is for a later date, though; here I am going to focus on retrieving information from pictures.&lt;br /&gt;
&lt;br /&gt;
Today we are going to select a random picture and determine its location and device identity. Ready?&lt;br /&gt;
&lt;b&gt;Pre-requisite:&lt;/b&gt;&lt;br /&gt;
If you want to have some fun, download &lt;a href=&quot;http://homepage.mac.com/aozer/EV/&quot;&gt;EXIF Viewer&lt;/a&gt; and keep &lt;a href=&quot;http://www.worldatlas.com/aatlas/latitude_and_longitude_finder.htm&quot;&gt;World Atlas&lt;/a&gt; open in another window.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Experiment:&lt;/b&gt;&lt;br /&gt;
To start with, take a picture with your own cell phone or select any picture from your library (preferably one taken with your cell phone). I have downloaded the picture below.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1tIHxZr4AQp0cZvYOSgGTc5yPsRxUxAt2n9w8ezp-O_sf9EVPQvHIfLIkx06s3d1MggQuvRXlAMLgQBdX2jt6o1Vm7qE4eQ-NINPPcvOhEItSn58eQhLfua8yq_AmDJKhCw5qzYFKgbS/s1600/photo+%25282%2529.JPG&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1tIHxZr4AQp0cZvYOSgGTc5yPsRxUxAt2n9w8ezp-O_sf9EVPQvHIfLIkx06s3d1MggQuvRXlAMLgQBdX2jt6o1Vm7qE4eQ-NINPPcvOhEItSn58eQhLfua8yq_AmDJKhCw5qzYFKgbS/s320/photo+%25282%2529.JPG&quot; width=&quot;240&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Now drag the picture onto your EXIF viewer and you will see information as below. Most importantly, you will see the device information, in this case an iPhone 3GS, and the geolocation tags showing where the picture was taken!&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTfwQenlKcskktPgItspv5E181qVG9GB4Sy4mvJBhEAJ8Iy_aLrtnvO34kls6xyywjdLxNVy-lJpfG6V2Vfft7-bCJ1WTYuadi7eOmFEi4DbRKSK4TTtjuQx2lTRHaqg8wPvOnkS_F_btI/s1600/Photo_Device_geo_location.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTfwQenlKcskktPgItspv5E181qVG9GB4Sy4mvJBhEAJ8Iy_aLrtnvO34kls6xyywjdLxNVy-lJpfG6V2Vfft7-bCJ1WTYuadi7eOmFEi4DbRKSK4TTtjuQx2lTRHaqg8wPvOnkS_F_btI/s320/Photo_Device_geo_location.jpg&quot; width=&quot;250&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1ktpZdw7sPqRLCrM15M1FB2vWJbc_JYVfWwLgEeDFRoqaeJcynHzI8W9WZxF7m_PZao5wjQJ6j7Yy6gmifU6kqvN94a-LexjbRfpvzndgjCHOWMUdbFcf1WW2stKxdSU5N_-vsdMMnCTC/s1600/Device_2_jpeg.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;43&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1ktpZdw7sPqRLCrM15M1FB2vWJbc_JYVfWwLgEeDFRoqaeJcynHzI8W9WZxF7m_PZao5wjQJ6j7Yy6gmifU6kqvN94a-LexjbRfpvzndgjCHOWMUdbFcf1WW2stKxdSU5N_-vsdMMnCTC/s400/Device_2_jpeg.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAjbq5OOeN1RwB2M-g0j03BNwR8X3grv6R4KbyvANlsWlzkX9qPlrB7eXk2YNajGbkztucrsNvYDhMVHYgTxeq9COzMbr0voxbayKKOHl12z4VLXO1BEijVLmp7DnBy-cTmyYcvtIDhFvj/s1600/Geolocation.jpeg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;34&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAjbq5OOeN1RwB2M-g0j03BNwR8X3grv6R4KbyvANlsWlzkX9qPlrB7eXk2YNajGbkztucrsNvYDhMVHYgTxeq9COzMbr0voxbayKKOHl12z4VLXO1BEijVLmp7DnBy-cTmyYcvtIDhFvj/s400/Geolocation.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Now here comes the best part: take the coordinates in latitude and longitude and stick them into World Atlas. In our case it is latitude N 37 34.67 and longitude W 122 2.35.&lt;br /&gt;
&lt;br /&gt;
You should see something as below. Clearly, you now know that the picture was taken in Fremont, California!&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9qrPsrpXwt_s_XPbd7PZ0NGTgerR-5C0aWdRRoZTGqXfg0RI6N1hXQK6JEe7e696kJoce12SUuATmVNWqwnzlLbjYeThmda4qD150FSGYKYe3odlo7OuDUoOEAx-Ky-5Z1PVIhfILRft7/s1600/Worldatlas.jpeg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;160&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9qrPsrpXwt_s_XPbd7PZ0NGTgerR-5C0aWdRRoZTGqXfg0RI6N1hXQK6JEe7e696kJoce12SUuATmVNWqwnzlLbjYeThmda4qD150FSGYKYe3odlo7OuDUoOEAx-Ky-5Z1PVIhfILRft7/s400/Worldatlas.jpeg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
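The extraction walked through above, plus the stripping of the metadata mentioned at the end of the post, as an added Python example that is not code from the original post. It constructs a tiny JPEG whose APP1 segment carries an EXIF GPS IFD with the post's coordinates (so it runs offline without a real photo), reads the latitude and longitude back as decimal degrees, and removes the APP1 segment; the EXIF/TIFF layout is the standard one, and the sample JPEG and its coordinates are constructed, not a captured image.

```python
# Added example (not code from the original post): build a small JPEG whose APP1
# segment carries a constructed EXIF GPS IFD, read the GPS tags back, convert
# them to decimal degrees, and strip the APP1 segment to remove the location.
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TAG_GPS_IFD = 0x8825                     # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
EXIF_HEADER = b'Exif\x00\x00'
APP1, COM, SOS, EOI = 0xFFE1, 0xFFFE, 0xFFDA, 0xFFD9

def rd(buf, off, size):                  # big-endian unsigned read
    return int.from_bytes(buf[off:off + size], 'big')
def be(value, size):                     # big-endian unsigned write
    return value.to_bytes(size, 'big')

def ifd_entry(tag, typ, count, value4):  # 12-byte entry; value4 is inline value or offset
    return be(tag, 2) + be(typ, 2) + be(count, 4) + value4

def build_exif(lat_ref, lat_dms, lon_ref, lon_dms):
    """Big-endian ('MM') TIFF: IFD0 pointing to a GPS IFD (constructed sample)."""
    # Offsets from the TIFF header: 0 header (8), 8 IFD0 (18), 26 GPS IFD (54),
    # 80 latitude rationals (24), 104 longitude rationals (24).
    header = b'MM' + be(42, 2) + be(8, 4)
    ifd0 = be(1, 2) + ifd_entry(TAG_GPS_IFD, TYPE_LONG, 1, be(26, 4)) + be(0, 4)
    gps = (be(4, 2)
           + ifd_entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + bytes(3))
           + ifd_entry(GPS_LAT, TYPE_RATIONAL, 3, be(80, 4))
           + ifd_entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + bytes(3))
           + ifd_entry(GPS_LON, TYPE_RATIONAL, 3, be(104, 4))
           + be(0, 4))                   # no further IFD
    # degrees, minutes, seconds as (numerator, denominator) rationals
    tail = b''.join(be(n, 4) + be(d, 4) for n, d in lat_dms + lon_dms)
    return header + ifd0 + gps + tail

def build_jpeg(exif):                    # SOI, APP1 (Exif), a COM standing in for image data, EOI
    payload = EXIF_HEADER + exif
    return (b'\xff\xd8' + be(APP1, 2) + be(len(payload) + 2, 2) + payload
            + be(COM, 2) + be(7, 2) + b'photo' + be(EOI, 2))

def segments(jpeg):
    """(marker, start, end) of each marker segment after SOI, before the image data."""
    found, pos = [], 2
    while min(pos + 4, len(jpeg)) == pos + 4:   # marker and length still present
        marker = rd(jpeg, pos, 2)
        if marker in (SOS, EOI):                # entropy-coded data or end: stop
            break
        end = pos + 2 + rd(jpeg, pos + 2, 2)
        found.append((marker, pos, end))
        pos = end
    return found

def exif_span(jpeg):
    """(start, end) of the APP1/Exif segment, or None."""
    for marker, start, end in segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            return start, end
    return None

def dms_to_decimal(dms, ref):
    degrees, minutes, seconds = dms
    value = degrees + minutes / 60 + seconds / 3600
    return -value if ref in ('S', 'W') else value

def parse_gps(exif):
    """(latitude, longitude) in decimal degrees, or None without a GPS IFD."""
    if exif[:2] != b'MM':
        return None                             # minimal parser: big-endian only
    ifd0, gps_off = rd(exif, 4, 4), None
    for i in range(rd(exif, ifd0, 2)):
        entry = ifd0 + 2 + 12 * i
        if rd(exif, entry, 2) == TAG_GPS_IFD:
            gps_off = rd(exif, entry + 8, 4)
    if gps_off is None:
        return None
    fields = {}
    for i in range(rd(exif, gps_off, 2)):
        entry = gps_off + 2 + 12 * i
        tag, typ = rd(exif, entry, 2), rd(exif, entry + 2, 2)
        if typ == TYPE_ASCII:                   # short value stored inline
            fields[tag] = exif[entry + 8:entry + 9].decode()
        elif typ == TYPE_RATIONAL:              # three rationals live at the offset
            off = rd(exif, entry + 8, 4)
            fields[tag] = [rd(exif, off + 8 * k, 4) / rd(exif, off + 8 * k + 4, 4)
                           for k in range(3)]
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None
    return (dms_to_decimal(fields[GPS_LAT], fields.get(GPS_LAT_REF, 'N')),
            dms_to_decimal(fields[GPS_LON], fields.get(GPS_LON_REF, 'E')))

def extract_gps(jpeg):
    span = exif_span(jpeg)
    return None if span is None else parse_gps(jpeg[span[0] + 10:span[1]])

def strip_exif(jpeg):
    """Remove the APP1/Exif segment; every other byte is copied unchanged."""
    span = exif_span(jpeg)
    return jpeg if span is None else jpeg[:span[0]] + jpeg[span[1]:]

# The post's reading, N 37 34.67 / W 122 2.35, as the iPhone stores it (rationals)
SAMPLE_JPEG = build_jpeg(build_exif('N', [(37, 1), (3467, 100), (0, 1)],
                                    'W', [(122, 1), (235, 100), (0, 1)]))
```

extract_gps(SAMPLE_JPEG) gives roughly (37.5778, -122.0392), which is the Fremont reading from the screenshots; after strip_exif it returns None because no APP1 segment is left.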
Isn&#39;t it cool? I am sure there are ways and means to strip the metadata from pictures. I will let you research that, and if you think some of the metadata strippers are worth sharing then please provide the link in the comment section.</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/6044248208631423892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/6044248208631423892?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/6044248208631423892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/6044248208631423892'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2011/06/geo-location-tagging-and-iphone.html' title='geo location tagging and IPhone :'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1tIHxZr4AQp0cZvYOSgGTc5yPsRxUxAt2n9w8ezp-O_sf9EVPQvHIfLIkx06s3d1MggQuvRXlAMLgQBdX2jt6o1Vm7qE4eQ-NINPPcvOhEItSn58eQhLfua8yq_AmDJKhCw5qzYFKgbS/s72-c/photo+%25282%2529.JPG" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-1766937556692097738</id><published>2011-06-13T13:10:00.000-07:00</published><updated>2011-06-13T13:10:50.198-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="APT"/><category scheme="http://www.blogger.com/atom/ns#" term="breach"/><category 
scheme="http://www.blogger.com/atom/ns#" term="Cyber criminal"/><category scheme="http://www.blogger.com/atom/ns#" term="Lockheed"/><category scheme="http://www.blogger.com/atom/ns#" term="RSA breach"/><category scheme="http://www.blogger.com/atom/ns#" term="Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Sony"/><category scheme="http://www.blogger.com/atom/ns#" term="Threat"/><title type='text'>Design Inner security layers assuming outer security layers are already breached</title><content type='html'>Lockheed Martin, EMC, Sony: Design Inner Security Layer assuming Outer Layer is already breached.&lt;br /&gt;
The recent breach at Lockheed Martin confirmed that the attacks we saw with Aurora and Stuxnet are just the beginning of a new era of targeted attacks. Cybercriminals are now executing a careful plan to get closer to the target without raising any red flags. In the case of the Aurora attack, more than 30 US companies were breached. Apparently Google lost intellectual property (IP) in this attack. The attack was identified by McAfee. We were very sure that this was not the end but the beginning of a new era, and that a paradigm shift was required as soon as possible.&lt;br /&gt;
Sure enough, there was a series of attacks, such as Night Dragon, the attack on EMC which put SecurID tokens at risk, Sony, and recently Lockheed Martin.&lt;br /&gt;
Lockheed Martin is very important to the USA as a defense contractor. Some of the most critical information, such as the arsenal used in the Afghanistan war and future military technology, resides on the Lockheed Martin network. I don’t want to speculate how the attackers were able to break in. There are multiple theories, such as spear-phishing, and some blogs and reports correlate the Lockheed Martin attack with the EMC breach, with the attackers coming in via VPN. Lockheed Martin has officially neither confirmed nor denied this, so we have to wait for this information to unfold.&lt;br /&gt;
&lt;br /&gt;
However, one thing is for sure: we need a paradigm shift. At McAfee we see 55,000 new malware samples every day. There are 2,000,000 (2 million) malicious websites detected every month. These numbers are just unmanageable by patches or blacklisting technology alone. But before we talk about the solution, let’s look at the anatomy of an attack. Any attack involves the following three stages.&lt;br /&gt;
1. Exploit the service or application. &lt;br /&gt;
2. Drop and execute the payload either in the memory or on the disk and &lt;br /&gt;
3. Finally get p0wned!! &lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiziEYlQUZBWY0fLbHwQOsS2WvnDyZW0cCJdkifQ-XfB3OGf7mjeNKQIpfSYQuy0XR3vg5bXzSy9jw7PP6rReDhVACiIj7tNSorlYVQRpEQFAO2_tKVJVfG1R0BSoAscJskDaDse2Lw-trg/s1600/Flow.PNG&quot; imageanchor=&quot;1&quot; style=&quot;margin-left:1em; margin-right:1em&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;304&quot; width=&quot;400&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiziEYlQUZBWY0fLbHwQOsS2WvnDyZW0cCJdkifQ-XfB3OGf7mjeNKQIpfSYQuy0XR3vg5bXzSy9jw7PP6rReDhVACiIj7tNSorlYVQRpEQFAO2_tKVJVfG1R0BSoAscJskDaDse2Lw-trg/s400/Flow.PNG&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
 &lt;br /&gt;
You should be able to dissect any attack into these three stages: Aurora, Night Dragon, Stuxnet, and possibly other future attacks. Let me briefly explain the protection. For a blacklisting solution, we need either a signature to stop the vulnerability or behavior-based detection to identify that something is wrong; but behavior-based detection is not 100%, and signatures for zero-day vulnerabilities are not available. So attackers will be able to move on to step 2 after exploiting the zero-day vulnerability. Don’t forget, Stuxnet used four zero-day vulnerabilities. So this is not a story from a Mission Impossible or Swordfish movie; this is real. Once the vulnerability is exploited, it’s time to execute the payload and connect to the command and control server to download more malicious code such as keyloggers and sniffers.&lt;br /&gt;
But with a paradigm shift to an application whitelisting solution, you can protect against such attacks at all stages. Memory protection will prevent the attacker from exploiting the vulnerability, and in case the attacker does succeed in exploiting it, the payload will not be able to execute from disk or from memory, because the payload is not part of the whitelist.&lt;br /&gt;
It’s time to change the paradigm: we need a combination of whitelisting and blacklisting solutions.&lt;br /&gt;
Look for a solution that can cater to your server and desktop environments and supports both *nix and Windows operating systems.&lt;br /&gt;
For Lockheed Martin, there is a possibility that it is linked to the RSA token breach, or maybe not, but we have to design our defenses in layers in such a way that, while designing the inner layer, we assume the outer defense layer is already breached. Application whitelisting is definitely going to play a huge role in security architecture in the years to come! So next time you are designing a security architecture with VPN, firewall, two-factor authentication and antivirus, ask yourself a simple question: if there is a zero-day vulnerability, will it be prevented by any of these technologies?</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/1766937556692097738/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/1766937556692097738?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/1766937556692097738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/1766937556692097738'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2011/06/design-inner-security-layers-assuming.html' title='Design Inner security layers assuming outer security layers are already breached'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiziEYlQUZBWY0fLbHwQOsS2WvnDyZW0cCJdkifQ-XfB3OGf7mjeNKQIpfSYQuy0XR3vg5bXzSy9jw7PP6rReDhVACiIj7tNSorlYVQRpEQFAO2_tKVJVfG1R0BSoAscJskDaDse2Lw-trg/s72-c/Flow.PNG" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-2011029366991913153</id><published>2010-06-06T15:26:00.001-07:00</published><updated>2010-06-06T15:26:25.677-07:00</updated><title type='text'>CISO, it is easier to justify security expenses than you think !</title><content type='html'>Almost every IT security manager or CISO faces three core questions when they present their case for budget.&lt;br /&gt;
1. We invested in product A last year; how are we doing with that product?&lt;br /&gt;
2. How do we justify the cost of the new products required to mitigate a new threat?&lt;br /&gt;
3. Do I really need a new product, or can an existing product be tweaked to mitigate new threats?&lt;br /&gt;
&lt;br /&gt;
These are crucial questions in getting a new budget: demonstrating the value of the existing security solutions and conclusively proving that the CISO is efficiently securing the organization with a limited budget.&lt;br /&gt;
&lt;br /&gt;
To show the value of the existing solution, you have to show a report on the total threats per quarter that the particular product or solution protected against.&lt;br /&gt;
&lt;br /&gt;
To mitigate new threats, you must know:&lt;br /&gt;
1. The new threats which are &lt;b&gt;applicable to your&lt;/b&gt; environment.&lt;br /&gt;
2. Once new threats are identified, you quickly need an assessment of which assets are impacted.&lt;br /&gt;
3. Finally, the answer to question 2 tells you which products are required: do you need to tweak existing products or buy a new one?&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Automation&lt;/b&gt; is of prime importance. No manual processes: every Monday morning you should have simple charts displaying which unprotected new threats you should be worried about.&lt;br /&gt;
&lt;br /&gt;
For example: Company A has antivirus and has identified 400 new threats this quarter which are currently not protected against by AV, and 50% of assets are at risk. The CISO can clearly quantify the total number of threats that a new network IPS product or application whitelisting product will protect the organization against, and thereby reduce its risk profile.&lt;br /&gt;
&lt;br /&gt;
This is a very important, quantifiable metric to justify product procurement, tweaking of an existing product, or patch deployment.&lt;br /&gt;
&lt;br /&gt;
Obviously the next question in your mind is, how do I automate this? I don&#39;t have the budget or the resources to create such a solution. In that case I would recommend McAfee Risk Advisor. This product will not help you if you are not a McAfee shop. However, it is very easy to implement if you are an existing McAfee customer with ePO and any one of the McAfee endpoint solutions.&lt;br /&gt;
&lt;br /&gt;
As we know, numbers never lie! And as the business demands more and more justification for product procurement, it will be very important for the CISO to create an automated way to justify the expense on security. Something I would call the P&amp;amp;L of Security.</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/2011029366991913153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/2011029366991913153?isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/2011029366991913153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/2011029366991913153'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2010/06/ciso-it-is-easier-to-justify-security.html' title='CISO, it is easier to justify security expenses than you think !'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-8838270465702310456</id><published>2009-11-03T01:10:00.000-08:00</published><updated>2009-11-03T02:15:38.026-08:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CISO"/><category scheme="http://www.blogger.com/atom/ns#" term="Compliance"/><category scheme="http://www.blogger.com/atom/ns#" term="Integration"/><category scheme="http://www.blogger.com/atom/ns#" term="Risk"/><category scheme="http://www.blogger.com/atom/ns#" term="Security"/><category scheme="http://www.blogger.com/atom/ns#" term="Trend"/><category scheme="http://www.blogger.com/atom/ns#" 
term="Vulnerability"/><title type='text'>Security Trend and Integration</title><content type='html'>&lt;span style=&quot;font-family: arial; font-size: 130%;&quot;&gt;In the last 15 years, security has changed drastically. Initially security was focused on the operating system and its patches. Windows NT with the IIS 4.0 web server spelled disaster in its default configuration: by default everything worked, and for security you had to run a hardening script. The advent of the Internet brought an altogether different perspective and outlook to the word stealing!&lt;br /&gt;
With this technology someone in Russia could hack into servers in the US via zombies sitting in Germany. To prevent attacks from the Internet, the firewall was developed. Best practice for a firewall was to allow only the required protocols and services and deny everything else; &quot;deny any any&quot; was the catch-all final rule on every firewall.&lt;br /&gt;
As time went by, attackers became more sophisticated and a whole new level of attacks arrived: Firewalk, which maps what a firewall lets through by sending probes whose TTL expires one hop beyond it, and especially TCP and IP fragmentation tricks that could bypass the firewall. Also, for the allowed services there was no security at all: if port 80 was allowed, someone could easily exploit a bug in IIS.&lt;br /&gt;
If IIS has the Unicode directory-traversal vulnerability, then sure enough the firewall (stateful or packet filter) will pass the traversal request, because it is ordinary HTTP on an allowed port; and if the IIS web root is on the same logical drive as the system root, one can get a shell on the remote machine.&lt;br /&gt;
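&lt;br /&gt;
As an added example for this page (not code from the original post), here is the kind of check an IDS or web application firewall has to do to catch that traversal where a port-level firewall cannot: it decodes the request path the way a lenient server would, including the overlong UTF-8 forms of the path separators, and tests whether the result climbs above the web root. The request lines inside the block are constructed; the decoding rules are a simplification of what a real server does, and the three-round decode limit is an assumption.&lt;br /&gt;

```python
"""Detection check for encoded directory-traversal requests of the kind the IIS
Unicode bug accepted. Example code written for this page, not from the original
post. It mimics a forgiving decoder (percent-decoding, then accepting overlong
UTF-8 forms of '/' and '\\') and reports whether the canonical path climbs above
the web root. The request lines in SAMPLE_REQUESTS are constructed."""
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode like a forgiving server: accept 2- and 3-byte UTF-8 sequences even
    when they are overlong (C0 AF for '/', C1 9C for '\\', E0 80 AF for '/'),
    which a strict decoder rejects. Any other byte is kept one-to-one."""
    out = []
    i = 0
    n = len(raw)
    while n > i:
        b = raw[i]
        three = (n > i + 2 and 0xEF >= b >= 0xE0
                 and 0xBF >= raw[i + 1] >= 0x80 and 0xBF >= raw[i + 2] >= 0x80)
        two = n > i + 1 and 0xDF >= b >= 0xC0 and 0xBF >= raw[i + 1] >= 0x80
        if three:  # low 4 bits of the lead byte, then 6 bits from each continuation
            cp = (b % 16) * 4096 + (raw[i + 1] % 64) * 64 + (raw[i + 2] % 64)
            i += 3
        elif two:  # low 5 bits of the lead byte, then 6 bits from the continuation
            cp = (b % 32) * 64 + (raw[i + 1] % 64)
            i += 2
        else:
            cp = b
            i += 1
        out.append(chr(cp))
    return "".join(out)


def canonical_path(url_path: str) -> str:
    """Strip the query string, percent-decode repeatedly (catches double encoding
    such as %255c), apply the lenient UTF-8 decode, and treat '\\' as '/' the
    way IIS does. Three rounds is an assumed bound, enough for nested encodings."""
    path = url_path.split("?", 1)[0]
    for _ in range(3):
        decoded = lenient_utf8_decode(unquote_to_bytes(path))
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_web_root(url_path: str) -> bool:
    """Walk the canonical path segment by segment; any '..' that takes the depth
    below the web root is a traversal, however it was encoded on the wire."""
    depth = 0
    for seg in canonical_path(url_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if 0 > depth:
                return True
        else:
            depth += 1
    return False


# Constructed request lines for the example (not real log data).
SAMPLE_REQUESTS = [
    "GET /scripts/test.asp HTTP/1.0",
    "GET /images/../index.htm HTTP/1.0",  # '..' that stays inside the root
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # overlong '/'
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # overlong '\\'
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # double-encoded '\\'
]


def flag_traversals(request_lines):
    """Return the request paths whose canonical form escapes the web root."""
    flagged = []
    for line in request_lines:
        parts = line.split(" ")
        if 3 > len(parts):
            continue  # not a request line we understand
        if escapes_web_root(parts[1]):
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    for p in flag_traversals(SAMPLE_REQUESTS):
        print("traversal:", p)
```

The point of the segment walk at the end is that the decision is made on the canonical path, not on the bytes that crossed the wire; a signature that only looks for the literal string &quot;../&quot; is defeated by the first encoded variant in the list.&lt;br /&gt;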
Hence the advent of IDS and IPS technology, to thwart these attacks on the allowed services and protocols.&lt;br /&gt;
Soon attackers realized that firewalls and IPSs both have inherent weaknesses in their protocol stacks, especially around IP fragmentation (overlapping fragments), which can be used to bypass them: the device reassembles the fragments one way and the target host another, so the device never inspects what the host actually processes. Many such tricks were identified and papers were written on IDS/IPS evasion; one of them was &quot;Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection&quot; (1998) by Thomas H. Ptacek and Timothy N. Newsham. Based on this paper, Dug Song wrote fragroute.&lt;br /&gt;
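&lt;br /&gt;
The fragment ambiguity above, as an added simulation written for this page (not from the original post or from fragroute). Two fragments overlap; an inspecting device that keeps the first data it saw reassembles one request, while a host that lets later data overwrite earlier data reassembles another, so a payload signature fires on one stream and not the other. The fragments are constructed, the simulation works at byte granularity rather than the 8-octet units of real IP fragments, and the two policies are simplified stand-ins for real stack behaviour.&lt;br /&gt;

```python
"""Simulation of the overlapping-fragment ambiguity behind fragroute-style
evasion. Example code written for this page, not from the original post or from
fragroute. Fragments are (offset, bytes) pairs at byte granularity. The two
policies, 'first' (data already received wins) and 'last' (newest data
overwrites), are simplifications; real stacks have more elaborate rules.
OVERLAPPING_FRAGMENTS is constructed for the example."""


def reassemble(fragments, policy):
    """Rebuild the payload from (offset, data) fragments in arrival order."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    seen = [False] * total
    for off, data in fragments:
        for k, byte in enumerate(data):
            pos = off + k
            if seen[pos] and policy == "first":
                continue  # keep what arrived earlier
            buf[pos] = byte
            seen[pos] = True
    return bytes(buf)


# Constructed: fragment 1 carries an innocuous request; fragment 2 overlaps the
# ten bytes of "index.html" (offset 5..14) with "../cmd.exe".
OVERLAPPING_FRAGMENTS = [
    (0, b"GET /index.html HTTP/1.0\r\n"),
    (5, b"../cmd.exe"),
]


def signature_hits(payload, signature=b"cmd.exe"):
    """The crude content match a signature-based sensor would run."""
    return signature in payload


def evasion_gap(fragments, ids_policy="first", host_policy="last",
                signature=b"cmd.exe"):
    """Report what an inline device and the end host would each see, and whether
    the signature fires on the host's stream but not on the device's. That gap
    is the insertion/evasion the Ptacek and Newsham paper describes: the device
    inspects one stream, the host executes another."""
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    ids_alerts = signature_hits(ids_view, signature)
    host_gets_payload = signature_hits(host_view, signature)
    return {
        "ids_view": ids_view,
        "host_view": host_view,
        "ids_alerts": ids_alerts,
        "host_receives_payload": host_gets_payload,
        "evaded": host_gets_payload and not ids_alerts,
    }


if __name__ == "__main__":
    result = evasion_gap(OVERLAPPING_FRAGMENTS)
    print("IDS sees :", result["ids_view"])
    print("Host sees:", result["host_view"])
    print("Evaded   :", result["evaded"])
```

The usual countermeasure on the device side is target-based reassembly, where the sensor is told which policy each protected host uses (Snort&#39;s frag3 preprocessor works this way), or normalizing the traffic so that overlaps never reach the host at all; the simulation shows why matching a signature against one guessed reassembly is not enough.&lt;br /&gt;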
Soon whitehats realized that IPS is not nirvana and that something more than IPS and firewalls was required.&lt;br /&gt;
Some key security players came up with the concept of security closer to the host, to avoid the typical issues with network-based security devices. Hence the start of AV + host-based IDS/IPS + host firewall.&lt;br /&gt;
If you look at the product set, all the security products except the firewall took the approach of identifying all the bad things, which are infinite in number; the firewall, on the other hand, denied everything except a few allowed, trusted sources and protocols.&lt;br /&gt;
Network-based or host-based, apart from firewall technology every other technology was based on signatures, behaviour, or some hybrid of the two to identify malicious intent.&lt;br /&gt;
While whitehats were busy securing operating systems and networks with these technologies, Web 2.0 arrived and a new class of application-level attacks was identified on the server side: XSS, SQL injection and cross-site request forgery.&lt;br /&gt;
Clients became more and more powerful; technologies like AJAX, JavaScript and ActiveX on the client side created a whole new category, client-side vulnerabilities, which were hard to detect with the scanners of the day.&lt;br /&gt;
To reduce such attacks, application firewalls, and IPSs with application vulnerability signatures and protocol decode capabilities, were introduced to the market.&lt;br /&gt;
For client-side vulnerabilities, scanners started adding checks to identify key vulnerabilities in MS Office, web browsers and other client-side and P2P applications.&lt;br /&gt;
Soon everyone realized that this was not enough, and along came application whitelisting technology, which is based on the same concept as the firewall: allow known applications to execute and block the execution of any other application or code.&lt;br /&gt;
As I said before, conceptually we are back to square one! It is the same concept as the firewall where everything started, allow the required services and deny everything else, only this time it is on the host, for applications!&lt;br /&gt;
We have taken a complete 360-degree turn and are back at the same point.&lt;br /&gt;
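&lt;br /&gt;
The asymmetry between the two approaches, as an added illustration written for this page (not code from the original post or from any product): a hash-based blacklist beside a hash-based allow-list, run over constructed stand-ins for executables. The names and byte strings are made up for the example.&lt;br /&gt;

```python
"""Blacklist versus allow-list, the asymmetry the post describes: a blacklist
must name every bad thing, an allow-list only the approved ones. Example code
written for this page, not from the original post or any product. Binaries are
stood in for by short constructed byte strings and identified by SHA-256, the
way a simple hash-based application control would."""
import hashlib


def fingerprint(binary: bytes) -> str:
    return hashlib.sha256(binary).hexdigest()


# Constructed stand-ins for executables (not real files).
APPROVED_APP_V1 = b"MZ approved-app build 1"
APPROVED_APP_V2 = b"MZ approved-app build 2"  # legitimate update, not yet approved
KNOWN_DROPPER = b"MZ dropper"
DROPPER_VARIANT = KNOWN_DROPPER + b"\x00"     # repacked: same behaviour, new hash

KNOWN_BAD = {fingerprint(KNOWN_DROPPER)}
KNOWN_GOOD = {fingerprint(APPROVED_APP_V1)}


def blacklist_decision(binary: bytes, known_bad=KNOWN_BAD) -> str:
    """Default allow: only what is already on the list is stopped."""
    return "deny" if fingerprint(binary) in known_bad else "allow"


def allowlist_decision(binary: bytes, known_good=KNOWN_GOOD) -> str:
    """Default deny: only what was explicitly approved runs, which is the
    firewall's 'deny any any' applied to code execution."""
    return "allow" if fingerprint(binary) in known_good else "deny"


def compare(samples):
    """Return {name: (blacklist verdict, allow-list verdict)} for each sample."""
    return {name: (blacklist_decision(b), allowlist_decision(b))
            for name, b in samples.items()}


SAMPLES = {
    "approved_v1": APPROVED_APP_V1,
    "approved_v2": APPROVED_APP_V2,
    "known_dropper": KNOWN_DROPPER,
    "dropper_variant": DROPPER_VARIANT,
}

if __name__ == "__main__":
    for name, (bl, al) in compare(SAMPLES).items():
        print(f"{name:16s} blacklist={bl:5s} allowlist={al}")
```

The one-byte variant is the whole argument in miniature: the blacklist is silent on it because nobody has named it yet, while the allow-list never needed to know it existed. The fourth row is the cost the default-deny model carries: a legitimate update is also unknown until someone approves it, so whitelisting stands or falls on the change process that keeps the approved list current (or on broader rules such as trusting a publisher signature).&lt;br /&gt;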
As you can see, the clear trend is from network to host.&lt;br /&gt;
On the network: Firewall --&amp;gt; IDS --&amp;gt; IPS --&amp;gt; Application Proxy.&lt;br /&gt;
On the host: AV --&amp;gt; Firewall --&amp;gt; IDS/IPS --&amp;gt; Application Whitelisting.&lt;br /&gt;
&lt;br /&gt;
Soon another paradigm, data-centric security, was introduced by the DLP players, and new gadgets were introduced for IT to prevent unauthorized data leakage, whether malicious or unintentional.&lt;br /&gt;
&lt;br /&gt;
The question, however, is this: if you have all these technologies to secure your data, how do you integrate them and identify trends in order to proactively identify threats?&lt;br /&gt;
&lt;br /&gt;
Integration between these technologies is a must! All the security products in the organization should form one ecosystem, with the ability to share information and alerts and to learn from them. This organization-wide integration is a must in today&#39;s challenging and evolving technology space.&lt;br /&gt;
&lt;br /&gt;
While organization-wide integration is great, I am envisaging inter-organization information sharing: just as blackhats contribute to and support each other in their community, whitehats should have some way of sharing their data between organizations that allows them to better prepare for the threats.&lt;br /&gt;
Having said that, we are not too far away from it; I believe cloud computing will allow us to do just that!&lt;br /&gt;
Only time will tell....&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/8838270465702310456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/8838270465702310456?isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/8838270465702310456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/8838270465702310456'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2009/11/security-trend-and-integration.html' title='Security Trend and Integration'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-1380118863989884480</id><published>2009-02-21T18:38:00.000-08:00</published><updated>2009-02-21T19:34:36.055-08:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CISO"/><category scheme="http://www.blogger.com/atom/ns#" term="Compliance"/><category scheme="http://www.blogger.com/atom/ns#" term="GRC"/><category scheme="http://www.blogger.com/atom/ns#" term="ITGRC"/><category scheme="http://www.blogger.com/atom/ns#" term="Risk"/><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management"/><category scheme="http://www.blogger.com/atom/ns#" term="Security"/><title type='text'>Proactive and Reactive approach to Risk</title><content type='html'>&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Z7M3fA1Gr2Q974Og3M1Ai539_ihNZH8sp9CzFxqcucPZtS6OXF4nPspyDpULdevxQsactj1dgAAk5MlA_px1NJMqLQts5MEWy85BwvVvM7Abmli6iO6ytdFF5AsJ_mSE3dsX9jm9w-hi/s1600-h/risk3.JPG&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5305449769349616338&quot; style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 400px; CURSOR: hand; HEIGHT: 320px; TEXT-ALIGN: center&quot; alt=&quot;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Z7M3fA1Gr2Q974Og3M1Ai539_ihNZH8sp9CzFxqcucPZtS6OXF4nPspyDpULdevxQsactj1dgAAk5MlA_px1NJMqLQts5MEWy85BwvVvM7Abmli6iO6ytdFF5AsJ_mSE3dsX9jm9w-hi/s400/risk3.JPG&quot; border=&quot;0&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;div align=&quot;center&quot;&gt;&lt;strong&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Proactive and reactive approach to Risk ….&lt;/span&gt; &lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align=&quot;justify&quot;&gt;&lt;br /&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Everybody is joining the bandwagon of ITGRC or GRC: whether you are a database security company or a networking product company, all of them have their messaging around compliance. Compliance is a small piece of the big picture; in my opinion the big picture is RISK, which drives the G and the C.&lt;br /&gt;Risk is what we want to manage, and it will decide our survival. I may be fully compliant and still have a lot of risk unaddressed or at an unacceptable level.&lt;br /&gt;Risk is a relatively new concept to IT; CISOs and CIOs have started understanding it, but we are still light years behind financial risk managers, who have a very good understanding of risk and its different models (don’t look at financial stocks right now to prove me wrong ;) !!! 
)&lt;br /&gt;I am sure you get the point: the financial industry has been using risk for the last 100-odd years, whereas IT started using risk in the last 5 years, or maybe a decade ago.&lt;br /&gt;Just like controls, risk identification can be proactive or reactive in nature. This is not a debate about which one is better; we need both. By its very nature a risk assessment is a prediction of the future based on certain parameters, which is nothing but &quot;perceived risk&quot;. The other is your reactive approach to risk, which is backed by hard-to-refute numbers, for example anti-virus incidents in the last year, or emergency change management events that can be directly correlated with network downtime. Based on these numbers you can associate new risk, or change the existing risk and the controls mitigating it. This is a very powerful autonomous system: perceived risk is what you are afraid of, and the reactive approach tells you what you should be afraid of!!! This self-correcting system will improve over time and adjust itself; it is not perfect, but it is very powerful and effective. There is always systemic risk! Anyone on Wall Street today knows about this risk: there is always a risk of system failure, and no one is saved from that, since you are part of the system, unless you change or create your own system, and then you have some control over systemic risk. Like anything in life this system is also not flawless and has its own risk, but this approach is definitely better than just risk identification and assessment in a board room for a few hours.&lt;br /&gt;&lt;br /&gt;The question is how to get the reactive risk numbers? It’s simple: most organizations already have security and networking products implemented. The only thing required is a product that collects the numbers from these silo solutions and provides the trending. 
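&lt;br /&gt;&lt;br /&gt;As an added example written for this page (not from the original post or from any GRC product), here is what that trending looks like on the two numbers mentioned above, anti-virus incidents, and emergency changes set against downtime: a trailing-window threshold that flags the week where incidents broke out of their normal band, and a correlation that backs the claim that emergency changes track downtime. All weekly figures are constructed; the 6-week window, the 3-sigma threshold and the deviation floor are assumptions.&lt;br /&gt;

```python
"""Turning silo product counts into reactive risk indicators. Example code
written for this page, not from the original post or any GRC product. The weekly
series below are constructed: AV incident counts, emergency change counts and
network downtime minutes over the same 12 weeks. The window size, the 3-sigma
threshold and the deviation floor are assumptions made for the example."""
from statistics import mean, stdev

# Constructed weekly numbers (week 1 .. week 12).
AV_INCIDENTS = [12, 15, 11, 14, 13, 12, 16, 14, 13, 41, 15, 14]
EMERGENCY_CHANGES = [1, 3, 0, 4, 2, 5, 1, 6, 2, 3, 0, 7]
DOWNTIME_MINUTES = [10, 35, 5, 50, 20, 60, 15, 70, 25, 40, 0, 85]


def flag_spikes(series, window=6, k=3.0):
    """Return 1-based week numbers whose value exceeds the trailing-window mean
    plus k sample standard deviations. The floor of 1.0 on the deviation is an
    assumption that stops a perfectly flat history from flagging a change of
    one incident."""
    flagged = []
    for i in range(window, len(series)):
        history = series[i - window:i]
        threshold = mean(history) + k * max(stdev(history), 1.0)
        if series[i] > threshold:
            flagged.append(i + 1)
    return flagged


def pearson(xs, ys):
    """Correlation coefficient between two equal-length series (written out
    rather than imported so the example runs on older Python versions)."""
    if len(xs) != len(ys) or 2 > len(xs):
        raise ValueError("need two series of equal length with at least 2 points")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant series carries no information about the other
    return cov / (vx * vy) ** 0.5


def risk_indicators():
    """The two 'hard to refute' numbers the post mentions: where AV incidents
    broke out of their normal band, and how strongly emergency changes track
    downtime, which is what justifies treating them as an indicator of it."""
    return {
        "av_spike_weeks": flag_spikes(AV_INCIDENTS),
        "changes_vs_downtime_r": round(pearson(EMERGENCY_CHANGES, DOWNTIME_MINUTES), 3),
    }


if __name__ == "__main__":
    print(risk_indicators())
```

Two things a practitioner should keep in mind: the window must be long enough to hold a normal range but short enough that last quarter&#39;s outbreak does not inflate this quarter&#39;s threshold (notice how week 10 raises the bar for weeks 11 and 12), and a correlation over a dozen points is an indicator to investigate, not proof that the change process causes the downtime.&lt;br /&gt;&lt;br /&gt;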
Based on trends and thresholds one can definitely identify what you should be worried about; again, in the financial world people have been doing this for years with the VIX index, the S&amp;amp;P 500, unemployment numbers and so on, some of which are leading indicators of things to come and some of which are lagging indicators.&lt;br /&gt;&lt;br /&gt;Apply the same concept to IT and you will get similar indices for your environment, which are true only for your environment and business; since the business objectives of every company are different, their risk appetites will obviously be different too.&lt;br /&gt;&lt;br /&gt;Risk is such a fascinating topic, involving imagination, math (discrete probability in math class, remember?), business and strategy!! I haven’t seen any other topic covering so much depth and breadth.&lt;br /&gt;Proactive and reactive is just nomenclature, assuming you are identifying risk after something has happened versus identifying the risk before something happens!&lt;br /&gt;However, continuing from my first blog, the business has every right to take its chances and accept the risk in order to achieve its business goals, as long as the risk is acceptable. The million dollar question is who will decide what is acceptable? And what is acceptable risk? 
Maybe a good topic for my next blog… till then, keep watching the DOW ;) Risk may reduce, and then it’s time to buy :) &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/1380118863989884480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/1380118863989884480?isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/1380118863989884480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/1380118863989884480'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2009/02/proactive-and-reactive-approach-to-risk.html' title='Proactive and Reactive approach to Risk'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Z7M3fA1Gr2Q974Og3M1Ai539_ihNZH8sp9CzFxqcucPZtS6OXF4nPspyDpULdevxQsactj1dgAAk5MlA_px1NJMqLQts5MEWy85BwvVvM7Abmli6iO6ytdFF5AsJ_mSE3dsX9jm9w-hi/s72-c/risk3.JPG" height="72" width="72"/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3904462731148724809.post-1984117107295602797</id><published>2007-08-22T22:31:00.001-07:00</published><updated>2007-08-23T23:43:35.000-07:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Compliance"/><category scheme="http://www.blogger.com/atom/ns#" term="GRC"/><category scheme="http://www.blogger.com/atom/ns#" term="Hacking"/><category scheme="http://www.blogger.com/atom/ns#" 
term="IT-GRC"/><category scheme="http://www.blogger.com/atom/ns#" term="Security"/><title type='text'>Is fully Compliant  = Good Security ?</title><content type='html'>&lt;div style=&quot;text-align: justify;&quot;&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Buzzword IT-GRC, who doesn&#39;t know about it!! A 17 billion dollar market, as per a Gartner report.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;You must be wondering what this GRC acronym stands for, and why people are talking about it.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;I would like to take this opportunity to delve a bit into IT-GRC and express my thoughts on this market. Let me first answer what GRC is: G stands for Governance, R stands for Risk and C stands for Compliance. As easy as it sounds... well, not really! :)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Why are people talking about GRC? Simple: the combination of government and the compliance industry has created havoc for institutions, especially for finance and medical insurance companies in the US. Regulations like SOX, HIPAA, GLBA, FFIEC, Basel II, PCI and what not!!! Every country has its own standards; Europe will have its own version of SOX and HIPAA. To comply with these regulations, smart marketing people came up with frameworks: initially BS 7799, now ISO 27001, COBIT, and now I am hearing ITIL, all claiming to be the master framework that can manage the other frameworks, regulations and standards. 
Each framework has its own certification, from which they create revenue.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;All the regulations and standards have one thing in common: due care and due diligence, which means there is sufficient effort to prevent something catastrophic from happening, and if a fatal event happens then the organization is ready for it. It also takes into account that the risk to the business is known and is either accepted, mitigated or transferred.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;These giant frameworks and strict regulations are good to have, but as they say, &quot;Everything in excess is poison&quot;. Too many regulations and too many frameworks will create chaos for management and, last but not least, too many threats and vulnerabilities and hence too much RISK. Hence the need for GRC, which can manage compliance with this many regulations.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;If we look at the current scenario, compliance is merely a tick mark against a requirement. Do you have an IDS? Yes... complied! Woohoo... Well, if the auditor is good he might get into the details of log management, and sometimes they do, but at the end of the day &quot;buffer overflow in a .dll&quot; sounds like Latin to an auditor. He will see a process: is this buffer overflow mitigated? My worry is that most compliance auditors don&#39;t have the expertise to question the efficacy of the mitigation!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;The million dollar question: if I am completely compliant with, say, the PCI regulation, does it mean that I am secure? 
More often than not, the answer is no. The original purpose of regulation is to strengthen security, but the result is the total opposite!! Under the burden of so many regulations, security takes the back seat! There are multiple issues: internal security staff are loaded with too many regulations, the external auditor cannot be an expert in every area, and if you go to Defcon you will realize that no matter what you do, you are always hackable! So why create strict regulations for compliance? It is better to give companies some leeway in the midst of so many regulations.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;We have seen so many hacking incidents in the past: TJ Maxx and similar, with Monster being the most recent.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;We will continue to be like the ostrich and will be happy looking at all the compliance reports and sending them to management to keep them happy, but at the end of the day it takes a single security breach to break that myth.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;span style=&quot;font-family:arial;&quot;&gt;Finally, you are only as good as your people. Make sure your people have the required ethical and technical skills and you should be good! 
No compliance standard or regulation can beat the security that you get from your loyal employees !&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hack0r.blogspot.com/feeds/1984117107295602797/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/3904462731148724809/1984117107295602797?isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/1984117107295602797'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3904462731148724809/posts/default/1984117107295602797'/><link rel='alternate' type='text/html' href='http://hack0r.blogspot.com/2007/08/is-fully-compliat-good-security.html' title='Is fully Compliant  = Good Security ?'/><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry></feed>