Evilsquirrel Enterprises Announces North American Expansion

Leaders in world domination to expand geographic services.

Undisclosed HQ, USA, Oct. 31, 2006 – Evilsquirrel Enterprises, the leading provider of world domination services, announced today that they are leveraging their best-in-class international infrastructure to expand into the North American market. As the preeminent world domination specialists, enterprises now have a truly global provider offering unmatched services and support.

“Our success at Evilsquirrel is that we listen to our customers,” said Squirrelzilla, CEO of Evilquirrel Enterprises. “Their screams of agony feed our demonic souls and desire to torture and dominate the market. Our victims customers have consistently cried in terror and fear for our expansion into North America. As a customer-focused organization we wanted to ensure our infrastructure, support services, and attack sales force were completely prepared to dominate the North American defenses markets before launching our expansion.”

The Only Name in World Domination

Evilsquirrel Enterprises is the global leader in world domination; providing unmatched international services for a decade. Their exclusive Fuzzy Technology (TM) and Claws of Death (TM) combine to offer an industry-unique, multilayered, attack-in-depth, solution capable of overwhelming traditional security solutions in record time.

The Best Defense

Once in place, Evilsquirrel utilizes their patent-pending Stop-Em-Cold (TM) defensive arsenal to stabilize entrenchment and prevent further incursion into their territory. Stop-Em-Cold (TM) defends against all zero day attacks using a holistic solution that integrates the end-to-end synergies in security infrastructure with no false positives.

Available Now

Evilsquirrel Enterprises’ North American expansion will enter general availability at sunset today. “Don’t worry,” states Frankensquirrel, Chief Scientist and Chef. “Evilsquirrel will be in your location before you know it. Our unparalleled attack sales force recognizes that rapid expansion leads to total market domination, and we’ll be destroying available in your location in record time”

###

Evilsquirrel Enterprises and the Evilsquirrel logo are trademarks of Evilsquirrel Enterprises, LLC. Use without permission is punishable by torture and death.
All other brand or product names are trademarks or registered trademarks of their respective holders.

(Happy Halloween! Bonus points if anyone can figure out which real press release I modeled this after.)

There’s been a lot of hubbub the past couple of days over Christopher Soghoian posting a tool to let anyone print their own boarding pass. While I’m all for publicizing security silliness, I personally try and avoid things that might invite 2 a.m. non-social visits from the FBI.

The thing is, anyone who thinks ID checks and boarding passes provide any security at all to planes (or any public area), shouldn’t be working in security.

I spent a lot of time providing security for large crowds and public spaces. ID’s and boarding passes are a weak form of authentication and authorization- one helps you prove who you are, the other that you’re allowed to do something (get on a plane). Combined with other checks (a passenger manifest) they can be reasonable tools to assure you’re allowed to get on a plane. That’s security, but not really the security we all worry about in airports and on planes.

They don’t do squat to keep anyone safe. Here’s why.

We don’t call them public areas for nothing. Anyone’s allowed in with, at most, just a cursory entrance fee. There’s no significant background check, and any background check short of Top Secret doesn’t really ensure you deserve any kind of trust anyway (and even the value of a TS clearance is arguable). Never mind something as weak as a photo ID and piece of paper anyone can print.

In my days we just kept it easy and didn’t trust anyone. We screened the heck out of everyone coming in, and assumed all of them were a security risk.

Since you can’t guarantee that anyone with a ticket and ID isn’t a security risk, you assume everyone is a security risk and put the proper controls in place to enforce safety and security.

A few computer checks aren’t going to catch a bad guy, Especially when smart bad guys don’t have existing records, and anyone else can easily fake an ID these days. Thus there’s no reliable way to trust someone. Especially with those idiotic “trusted traveler” programs anyone can join (I think they’re just a scam to get a little cash).

Thus we screen (effectively, not what’s done today), and provide security inside the terminals, and more security on the planes, and we screen cargo. And…

…all the other effective security controls that are, apparently, too expensive to actually implement.

It’s a lot easier to pay someone $6/hr and arrest the occasional college student who shows how silly it all is.

Good security will almost always make you compliant (or pretty darn close, not counting all the documentation). Compliance alone will pretty much never make you secure.

‘Nuff said.

(Inspired by this from Rothman, who I swear isn’t giving me kickbacks)

The blogoshpere is kind of funny sometimes as we all run around referencing each other constantly, so you’ll have to excuse the “my sister’s best friend’s 2nd cousin twice removed’s boyfriends bookie” path for this post. (Actually, I really dig all our cross referencing, I think it creates a cool community of experts).

Everything started with Alex Hutton’s What Risk Management Isn’t post, to which Mike Rothman replied, to which Arthur at Emergent Chaos replied. Follow that? Me neither, so here’s most of Arthur’s post (hopefully he doesn’t mind I lifted so much of it). And if it’s confusing at all make sure you read Alex’s original post:

Rothman: But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall is protecting the right stuff. To me and maybe I’m being naive and keeping the proletariat down, but risk management is a MANAGEMENT discipline, and should be done by MANAGERS.

Arthur: I have to disagree here. Risk management in the end is the responsibility of management and as such the final decision belongs to them. But how can I as a manager make the right decision and know that a firewall is protecting the right stuff, if my team isn’t well educated on what the risks are? How am I supposed to make the right decisions if don’t know what the issues are? I need to have a staff of analysts, architects and engineers that I can trust to be regularly analyzing and evaluating the systems, applications and networks, so I can make the right choices or recommendations. I don’t need someone who blindly follows a help desk ticket. I don’t know a single CSO who wants to be micromanaging those sorts of decisions.

About 5 years ago I got tasked with writing some research in risk management, and it took me over two years to actually get anything published. It’s like, hard, and stuff.

Anyway, I came to the usual conclusions that risk management is stuck in too many silos, too many people focus on numbers of no real validity, management can’t understand detailed risks in a specific area, but domain experts can’t understand or manage risks outside of their domain.

(I even ended up authoring a called “The Gartner Simple Enterprise Risk Management Framework” (sorry, my employer owns it so you have to be a client to read it)).
The thing is, as these various posts illustrate, risk management falls into silos for a reason. We want domain experts making risk decisions in their domains. After nearly 20 years of various rescue work I can make a snap risk decision in that domain that’s far more accurate than any BS statistical model someone else comes up with. By the same token there’s no friggen way that expertise allows me to make a good risk decision outside that domain. In physical security I was great at managing the crowd safety issues at a concert, but we probably would have gone out of business if I chose the acts. (All Buffett all the time baby).

So whatever risk approach you take, you want one where executive management makes overall risk tolerance decisions, but individual domain experts measure risk in their areas of expertise. You want a system that gives you the ability to communicate between management and operations. No manager needs a detailed analysis of the latest RPC DCOM flaw, they just need to know if that could cause problems for the overall enterprise, how bad, and where.

So Rothman, Arthur, and Alex are all right. Mangement is responsible for overall risk, but domain experts must be the ones making and measuring risk decisions in their specific areas. Management needs to communicate risk tolerance to the experts in a language they can understand, and those domain experts need to communicate enterprise risks back to management in a way they can understand.

Yes, it’s possible and probably easier than you think. It can speed up risk management since you don’t get wrapped up in garbage stats and fake ROI arguments. It just takes a good framework, a little bit of effort, and a few people that know what they’re doing to kick it off.

Jim over at DCS Security (a great new blog) just finished his last in a series of good posts on security layers.

He brings up a favorite subject of mine, best practices:

Essentially best practices is a bunch of smart (hopefully) guys sitting around in Gartner, Forester, D&T, PWC, E&Y, SANS, and other groups coming to a consensus on which controls cover the closest to 100% for a given threat they are looking at and which are the best controls to put in place.

I hate to dash his hopes, but it turns out that’s not really how things work.

I break best practices into three categories:

1. Analyst best practices: What us white coat dudes who don’t work for a living come up with as best practices. These are the more aggressive, forward looking best practices that probably don’t reflect your operational realities. Basically, it’s what a bunch of industry experts think everyone should do, not that they (we) actually have to do it. Analyst best practices will make you really fracking secure, but probably cost more than a CEOs parachute and aren’t always politically correct. Maybe 2% of enterprises (and probably far fewer) adopt comprehensive analyst best practices, but a lot of you pick and choose and implement at least a few.
2. Industry best practices: These are the more formal best practices that more closely align to operational realities. ISO standards, the NERC/FERC CIP standards, PCI, etc. More measurable, more auditable, and while hard, more operationally realistic for most organizations. Let’s guess and call it 20% of enterprises, mostly large, that really hit the full spectrum of industry best practices. Thanks to compliance I expect this to rise significantly over the next 2 years. Some industries, like financial services, are better than others. Industry practices never represent the cutting edge, but are the foundstones of a good security program.
3. Common practices: what everyone is really doing: When most people ask about best practices, they really just want to know what everyone else is doing. It’s a dumb approach, but they figure as long as they don’t fall too far behind they won’t get in too much trouble when it hits the fan. Being a follower in security isn’t always the best idea; most crimes are crimes of opportunity. It’s the virtual equivalent of walking around a parking lot and seeing who left their car door unlocked, rather than picking that hot Beemer and figuring out how to bypass all the extra security. But the entire Internet is that big parking lot, and the bad guys can scan anonymously, at will, without anyone noticing them lurking around.

Just because someone else is doing something doesn’t make it right. Especially when everyone faces equal threats, never mind some of the industry specific threats.

Best practices are not best practices. It’s another term we tend to overuse without really delving into the meaning.

Anton Chuvakin eviscerates me here for claiming there are very few 0days (what Shimel is starting to call Less than Zero Days).

Come, one, Rich? How do YOU know? Given that we know (and you yourself state) that there very few ways to prevent, block or even detect it … What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from “stale” attacks; however, it is NOT the same as to say that there are few 0days out there.

I am stunned when folks make those claims. BTW, check out this list that Pete Lindstrom maintains on public exposures of 0day attacks. But how many were used and are not on his (or anybody’s) list? Ominous silence is the answer :-)

How do I know?

Because we’d all be out of business if I were wrong. Most of our IT systems work, most of us aren’t seeing our bank accounts drained every month, most companies stay in business and don’t lose all their intellectual property, and most networks and servers seem to run fine with common security controls and without all sorts of strange back channel traffic we’d probably notice eventually.

Ergo the number of true 0day exploits is small enough we don’t have to freak out about them on a daily basis.

When we start seeing all sorts of mysterious failures and losses, then I’ll believe those 0days are something that we all need to start really worrying about.

We can hype up as many threats as we want, but as long as everyone seems to be able to do business as normal without the kind of losses we actually notice, we should save the FUD for when we need.

That’s how I can make that claim. At least for now.

If an exploit falls in the forest and no one hears it, are you really 0wn3d?

(remember- I’m talking real losses. yes, you can be hacked and not know it, but for this argument I’m assuming there are enough smart security types in enough enterprises that we’d notice something. it sometimes happens (e.g. some of the Office hacks and the .wmf vulnerability), but those attacks are in the vast minority).

John Girard (a coworker) sent me this.

I sometimes criticize vendors for bad practices. This is the opposite- taking customer service well beyond the customer’s expectations

Alan Shimel is reviving the zero day debate and coins a term “less than zero day” for vulnerabilities that are unknown from the public at large. Check out his series starting here, then here, and finally here. Rothman mostly agrees here, but (like me) isn’t enamored of the name.

As I stated in my initial support for Alan’s position I think he’s mostly nailed it. There is a distinct difference between an unknown vulnerability, an unknown vulnerability for which there’s an active exploit, a new vulnerability that’s not patched (what most people call a 0 day), and regular old vulnerabilities.

The difference being that I define the first case (a non-public vulnerability) as the real meaning of a zero day. Why? Because the vulnerability is discovered (day 0), but not propagated. This is Shimel’s “less than zero day”.

I don’t want to get caught up in any definition battles; especially when I’m fighting the marketing arms of every security vendor out there who claims they stop a 0 day. I’m willing to fight the noble fight, but let some other idiot go down with the ship.

Since the vulnerability is known, by however small a group, it’s a 0 day. If exploited, it’s a 0 day exploit. When it’s public knowledge, but not patched, it’s just an unpatched vulnerability, not a 0 day.

If we use this terminology we can get past everyone claiming 0 day protection when they just block an unpatched vulnerability. Zero day can regain its mythical splendor as the representation of evil, unknown vulnerabilities that will cause planes to crash and erase the history of all financial records. Or screw up your browser, whichever you consider worse.

There’s my last pitch.

(In case I lose and we keep calling unpatched vulnerabilities 0 days, I propose “T- ” instead of less than zero day.)

Arthur over at Emergent Chaos posted an amusing story on an organization’s reason for switching to Macs.

It’s security. Just not necessarily what we mean when we say Macs are more secure.

Yes- this company installed Windows on Intel Macs since Macs are more secure. We’re not talking virtualization or anything, but taking off OS X and installing Windows XP.

I really never thought of that.

(updated: direct link to the original story at deadbeat cafe)

A little birdie pointed me to the latest post over at the Metasploit blog.

For those of you that don’t know, Metasploit is the best thing to hit penetration testing since sliced bread. To oversimplify, it’s a framework for connecting vulnerability exploits to payloads. Before Metasploit it was a real pain to convert a new vulnerability into an actual exploit. You had to figure out how to trigger the vulnerability, figure out what you could actually do once you took advantage of the vulnerability, and inject the right code into the remote system to actually do something. It was all custom programming, so script kiddies had to sit idly by until someone who actually knew how to program made a tool for them.

The Metasploit framework solves most of that by creating a standard architecture where you can plug the exploit in one end, then choose your attack payload on the other. Assuming you can script (or find) the exploit, Metasploit takes care of all the difficult programming to connect to convert that exploit into something that can actually do anything. New exploits and payloads appear on a regular basis, and the tool is so easy even an analyst like me can use it (web interfaces are just so friendly).

Commercial equivalents used by penetration testers are Core Impact and Immunity Canvas. I tend to think the commercial versions are more powerful, but the open source nature of Metasploit means exploits usually appear faster, and it’s plenty powerful. Besides, any script kiddie (or analyst) can download it for free and be up and running in no time (full disclosure- I use Core Impact and Metasploit in live demos, and am on the Daily Dave email list run by Immunity).

So what the heck does this have to do with turning off wireless?

Metasploit is working on a module to transition kernel mode exploits into user mode. This is, say, exactly what you’d need to plug in a wireless driver hack on one side, and use that to create a reverse shell under root on the other. Sound familiar? This was one of the tricks Maynor demonstrated in the Black Hat wireless video (and why he didn’t need root).

The kernel runs in ring 0- this is below any concept of a user account. Think of it as the world before root even exists. When you exploit something in the kernel you’ve bypassed nearly every security control and can do whatever you want, but since you’re running at such a low level, without any user accounts, the kinds of commands we’re used to are a lot more limited. You can’t list a directory because “ls” or “dir” don’t exist yet. If you want a reverse shell, to execute user commands, or whatever you need to convert that kernel mode access into userland access- where concepts like user accounts and shells exist. In Maynor’s case he dropped code in the kernel to create a reverse shell to his second system over a second wireless connection. Tricky stuff (so I hear, it’s not like I can do any of this myself).

The Metasploit team specifically cites wireless driver hacks as one of their reasons for adding this to the framework. With confirmed vulnerabilities on multiple platforms and devices this could foretell a new wave in remote exploits- attacks where you just need to be in wireless (including Bluetooth) range, not even on the same network. I’ve heard underground rumors of even more vulnerabilities on the way in all sorts of wireless devices. The module isn’t complete, but everything in Metasploit tends to move fast.

Based on this advancement I no longer feel confident in leaving my wireless devices running when they aren’t in use. I’m not about to shut them off completely, but my recommendation to the world at large is it’s time to turn them off when you aren’t using them.

More device driver hacks are coming in 2007, and wireless will be the big focus.