Uh Oh- Time To Take Cold Boot Encryption Attacks VERY Seriously

Reports are flying in over Twitter about the latest Cold Boot attack demonstrations at CanSecWest. Looks like the folks over at Intelguardians are showing practical exploits using different techniques, including USB devices and iPods.

We’ve talked about this before, and it’s time to start asking your encryption vendors for their response.

I’m definitely heading up to Vancouver next year; there’s a lot of great stuff coming out of the show.


Heads Up: Cold Boot Encryption Attack In The Wild

Remember that cold boot encryption attack we talked about last week? Looks like someone went out and released a public tool that replicates part of the functionality of the Princeton tool. I thought it would take a little longer; guess I was wrong. Does this change my advice? Not really- your best bet is still to maintain physical control of your laptop, and the odds are still pretty low you’ll have to deal with this in the real world. But keep asking your vendors how you need to configure your encryption product to limit the attack. Still, I’m always impressed with how quickly those Internets are able to recreate this stuff; talk about the end of security by obscurity. It’s almost as if there are an infinite number of really smart monkeys out there with computer science degrees. Thanks to Hack A Day for the link…

Could Yahoo!/Microsoft Affect Web 2.0 Security?

It’s no surprise that I’m a big fan of Microsoft’s Trustworthy Computing Initiative- something I was skeptical of when it was first announced. MS proved me wrong, and years later we’ve seen a very positive impact. Vulnerabilities are down, response times are up, and products ship in more secure configurations. Yes, they still screw up every now and then, but it’s overall been a huge improvement. Just because I don’t like to use Vista doesn’t mean I don’t appreciate all the security work that went into it, and let’s not forget all the benefits across the rest of the product line. Go count SQL Server 2005 vulnerabilities if you want any proof. You’ll only need one hand, and you’ll have 4 fingers left over (5, if you really look where the vuln came from).

If MS buys Yahoo! and implements TCI, the impact could be enormous. Google isn’t doing a very good job of managing security issues, and if these things hit a certain point they could affect user behavior.

Realistically it will take 3-5 years for the full implications of TCI to affect any product line, but we’ll see incremental improvements fairly quickly. Yahoo!’s security track record isn’t all that bad to start with, and I much prefer their privacy policy over Google’s.

Should Microsoft use security for competitive advantage (and it works), we can expect Google to respond fairly quickly. They aren’t stupid, and if security affects business they will get on the ball immediately.

None of this, of course, will come to pass if market forces don’t place a priority on security. It doesn’t even need to be a top priority, just somewhere moderately high on the list. There could also be peripheral benefits to a major Web 2.0 company building the tools, techniques, and education for secure coding.

My guess? Nothing earth shattering, but if the deal goes through there will be a net security benefit substantial enough that we’ll all be referring back to it in our blog posts in 5 years.


Ask Securosis: Setting Up A Home Lab

Our question this week comes from Lee:

Say you’re doing security research, what machines and OSes do you recommend for a home lab and why?

Great one.

This is something that tends to be pretty personal based on the kinds of research you’re doing, and your available funds. Let’s break it into a couple of pieces:

Network Equipment

One piece that’s hard to find, but really useful, is a dumb hub to simplify sniffing. I’ve got an old 3Com I pulled from an office that I use when I want to monitor traffic. Sure, you can also do it with wireless or with Ettercap on a (vulnerable) switch, but I like just being able to plug in and sniff.

A spare wireless access point with a few switched ports is nice when you want to isolate off a small network so you don’t inadvertently brick your TiVo while playing with a network fuzzer. They’re cheap and you can plug and go.

I do a fair bit of mucking with wireless so I have a few spare access points. I like Airport Expresses for something portable I can take on the road (Linksys has something similar, but I haven’t used it). They double up to stream music at home, making them a dual-use investment. I also have a WRT54GL for playing with OpenWRT, depending on the project.

Thus the basics are a dumb hub, an extra access point/router with ports (probably a WRT), and a couple spare travel access points if you like to play with wireless. Oh, and a lot of cables. You can never have enough cables.

Systems

I do most work on my primary system- a MacBook Pro. I maxed out the memory and use Parallels for virtualization. VMware Fusion might be a bit better since you can set up virtual networks. I even run Core Impact in a virtual machine on my Mac and it runs really well.

Ideally you want one dedicated laptop/desktop for each major OS- Windows and one flavor of Linux are good enough for most people. Just get a cheap desktop, max out the RAM, and configure as needed.

If you can’t afford a bunch of systems, go with virtualization and live distribution CD/DVDs. I used to use a basic Windows laptop (XP) with VMware on it. Then I built virtual machines for other OSes I commonly used- Fedora and Ubuntu. When I want to run Unix attack tools that don’t work well in a virtual machine (wireless and Bluetooth stuff) I just boot into BackTrack.

It’s also nice to have a couple dedicated target systems and virtual machines at various patch levels. I install a totally unpatched XP or Vista, then take snapshots at various levels of patching. I used to have a couple spare laptops at different Windows patch levels, but I had to give those back when I left my job.

Thus you have one primary machine with your favorite OS. That runs virtualization software with a couple virtual machines for testing. Then 1-2 other attack/tools systems, usually one Windows and one Linux. Then, it’s nice to have 2-4 target systems at various patch levels of various operating systems. At least one dedicated machine where you can run VMware or Parallels and a bunch of virtual images to attack or monitor suspected viruses and such. That system should be isolated from your main home network, and keep the host OS fully patched.

Most researchers I know use a lot of virtualization these days to keep the number of systems down and you can do a lot of good research with only 1-2 machines if your budget is limited. At work they might have dozens of boxes to play with, but far fewer at home. You want a good mix of operating systems since you want access to whatever tool gets the job done, no matter the platform.

I also have a bunch of random hardware- old cell phones, wireless cards, Bluetooth adapters, and such.

It all really comes down to personal taste and what you’re researching. Thanks to virtualization and live Linux distributions we have a lot more flexibility than in the past, even if you only have one beefy laptop or desktop.

As for tools… that’s another, much longer post that could be better written by plenty of other people…

End Of Year Humor And Awareness: No Folks, Hoff Didn’t Pwn Me

Chris Hoff and I decided to have a little fun and fake some back and forth exploits to highlight some security risks. It’s nearing the end of the year; either crunch time for some of you, or boring time for the rest. We figured a little humor couldn’t hurt in either case. We decided to blow this open early so it doesn’t get away from us.

The attack Chris described could clearly work, but I’m surprised more people didn’t pick up the holes. While I do have a home automation system (but no cameras) I don’t know of any that use SCADA-based technologies. Then again, SCADA is going all IP so it might not be a stretch to define my system that way. For the record, I use an Insteon system but haven’t finished implementation yet.

Bonus points to the commenters that noticed there’s no way I’d have a yard with that much green in Phoenix.

The idea of the Quicktime rtsp attack was completely real. Until Apple released the patch a day or so ago, the only defense was avoiding clicking on potentially hostile links. I trust Chris, and would click on most things he sends me. Outbound filtering (which I do on one of my machines) could block the request unless it directed me to an unusual port; something Chris is capable of.

The idea of pwning my workstation is dead on- and one reason I often recommend SCADA workstations be isolated from the Internet. I don’t have to take over your SCADA network if I can take over the workstation and do whatever I want when you aren’t looking.

We were planning on highlighting a few other attack vectors in the next few days. Among them was a fake pretexting of Chris’s phone (we had a viable way for me to get his SSN) and username/password sniffing from wireless access points. All are common vectors that even us security pros are a little lax with sometimes.

I suspect most of you enjoyed this, and we’ll come up with something more creative for April 1.

Dark Reading Column Up- The Perils of Predictions & Predicting Perils

My second monthly column is up over at Dark Reading; The Perils of Predictions & Predicting Perils.

This is not your ordinary year-end prediction special. Here’s an excerpt:

As the end of the year approaches, a strange phenomenon begins. As we relax and prepare for the holidays, we feel a strange compulsion to predict the future. For some, this compulsion is so overwhelming that it bursts the bounds of late night family dinners and explodes onto the pages of blogs, magazines, newspapers and the ever-dreaded year-end specials on TV.

Ah, year’s end. Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein.

As you can tell, I’ve never been the biggest fan of these year-end predictions, especially in the security business. Since the days of the slide rule, scores of pundits have consistently, inaccurately predicted a devastating SCADA attack or the next big worm.

Instead, I focus on two major threat trends and the security innovation they are inspiring. My favorite line in the column is near the end, so I’ll pull it out:

Vulnerability scanning, secure software development, and programmer security training cannot solve the Web application security problem.

I’ll leave you with two words: anti-exploitation, but you should really go read the article.

What Drives Security Innovation?

According to the time tracking feature of my Wii (which you can’t disable, nice parental feature), I played 3 hours and 46 minutes of Guitar Hero III last night after picking it up at Target. I have to fully admit I was skeptical of the whole Guitar Hero thing when it first came out, but it’s incredibly addictive. And not just when I’m drunk at a Christmas party. Not that I’d drink at a Christmas party and play video games. That wouldn’t be proper behavior for a non-practicing Jew.

I’ve been gaming my entire life but have definitely strayed the past few years. Sure, there was plenty of compelling game content, but nothing really innovative. I don’t have the time for something like World of Warcraft, and some of the coolest games were so difficult that us mere mortals who just wanted to pick them up for an hour or two a week were totally excluded.

Then comes the Wii, where the simplest of games take no learning but entertain for hours on end. Sure, the graphics aren’t that great, but that’s not the point. I’m loving that I can pick it up for 15 minutes and actually get something out of it; be it a quick game of tennis, a few rounds of golf, or a couple of songs on the guitar. Nintendo rethought gaming and made it fun again. For everyone, not just the hard core.

Oh wait, this is my security blog. Got it, so what the heck does the Wii have to do with security? Other than fuzzing the browser?

Innovation my friends, innovation.

(This post is inspired by some conversations over the past few months with Chris Hoff, based on his disruptive innovation series).

Nintendo knew they couldn’t beat Sony and Microsoft head-on, so they tossed out the rules and changed the game. By focusing on casual gaming and a younger audience they didn’t fight for existing market share- they grew the entire market.

Innovation in business is nearly always driven by the same need- competitive advantage. Either you innovate to create it, innovate to regain it, or innovate to increase efficiency and thus profitability. Nintendo made two major breaks with the rest of the industry- they designed a console they could sell at a profit out of the gate (MS and Sony lose money on every box and make it up with games). Then they changed the entire game interaction mechanism to appeal to a wider audience.

But security follows different rules.

We have very little control of the environment around us in security. As much as we like to get ahead of the game, we are responsive by the nature of our mission. Innovation is driven through three needs:

  1. Improving Efficiency: The one driver we share with the business. By increasing efficiency, we reduce costs and improve effectiveness, thus contributing to the bottom line.
  2. Responding to Threats: The bad guys are just like a business- they innovate to improve the top line, but at the expense of our bottom line. We can never fully predict their innovation, and as they come up with new attacks we are forced to respond with new defenses.
  3. Responding to Business Innovation: Just as the bad guys are looking for competitive advantage, so are the businesses we support. They adopt new technologies before we’re fully able to understand and protect them. Just when we have our program operationalized, someone comes up with a new business initiative (Web 2.0 anyone?) or internal technology.

Most pundits (and startups, and investors, and…) fail to accurately predict the future of security because they fail to account for all three drivers. Most often, they look at pure threats without accounting for either efficiency or business innovation. Or, they look at business innovation solely as a threat, rather than an opportunity for security innovation (or the related problem- by the time they recognize the business innovation it’s already in production, and thus a new risk/threat).

When you look at security innovation, either to predict next year’s budget or to predict the market in three years, study the world around you. Understand your business and general technology trends as deeply as the threats. Pay particular attention to business technology trends, like the consumerization of IT, that change the game. In many cases we can make decisions today that make our lives much easier when that business or threat innovation is in full swing. It’s your opportunity to get ahead of the curve and look like a freaking genius.


Metasploit Is Ready For Your iPhone Exploits

H D Moore got an iPhone. This is both good news and bad news for Apple.

The bad news is that once some remote vulnerabilities appear (including client-side vulns), and get coded into exploits, the Metasploit Framework is ready for them with some iPhone-specific payloads. Let the iPhone pwnage begin.

The good news is that I think this will help keep the iPhone more secure. There will be clear motivation to keep this thing patched, and researchers and Apple’s own developers can more easily demonstrate the exploitability of any particular vulnerabilities.

And the really good news is you can update your iPhone. Easily. This is a first for the mobile phone market and a clear security advantage. Even if Apple makes mistakes (which they have and will), they can fix them far more easily than other mobile phone manufacturers.

TD Ameritrade: Making Life Harder For Themselves

Sheesh… just when you think they’re over the hump, more details leak on the TD Ameritrade breach and they aren’t looking quite so competent anymore.

Network World has a good article up summarizing the latest developments. A few tidbits stand out:

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

There’s a word for statements like this… bullshit! Just because they haven’t traced any identity theft or other fraud to the SSNs in their database doesn’t mean the numbers aren’t sitting on some bad guy’s hard drive someplace. If they determined that SSNs are not at risk because the specific malicious software involved was analyzed and limited itself to email, then that’s one thing. But saying “nothing bad has happened so far, so nothing bad will ever happen” is stupid.

Folks, time for a reminder. This is all Crisis Communications 101- as history has shown, the best way to defend your reputation in a major incident is to admit the failing, spare nothing to protect your customers, and act as openly and honestly as possible. Otherwise we wouldn’t have seen a bottle of Tylenol on a store shelf since the 1980s.

This:

The company says it will sign its customers up for the service on an exception basis - meaning they don’t automatically get it - but it doesn’t advertise this option in any of the literature it has put out concerning the data compromise.

is not putting your customers first.

The rest of us should learn from this; TD Ameritrade is now suffering more negative publicity than if they had come clean from the start.

I’ve moved our little poll on this to the sidebar, and will post the results on Monday. I’m starting to think it might be something other than SQL injection…

Virtualization Security: Are Ptacek/Lawson and Joanna Fighting the Wrong Battle?

I’m getting caught up on my blog reading after my big APAC (that’s Asia Pacific) tour with a half-busted Mac, and noticed Tom’s post at Matasano on detecting unauthorized hypervisors. Tom and Nate have been going back and forth with Joanna Rutkowska on how detectable these things might be. For those of you less familiar with all this virtualization stuff, let’s review a little bit.

There are a lot of different types of “virtualization”, but for purposes of this discussion we’re talking about operating system/platform virtualization. For a bit more background there’s always Wikipedia. OS virtualization is where we run multiple operating system instances on a single piece of hardware. To do this most efficiently, we use something called a hypervisor, which (oversimplified) is a shim that lets multiple operating systems run side by side all nice and happy. The hypervisor abstracts and emulates the PC hardware and manages resources between all the operating systems on top (yes you geeks, I’m skipping all sorts of things like Type 1 vs. Type 2 hypervisors and full vs. partial virtualization). Most people today run the hypervisor as software in a “host” operating system, with multiple “guest” operating systems inside. For example, I’m a massive fan of Parallels on my Mac, and use it to run Windows within OS X (I really should upgrade to version 3 soon).

The simple diagram is:

[Diagram (image not available): the hypervisor running as software on a host OS, with guest operating systems on top]

First things first; I feel lucky that Joanna and Ptacek (haven’t met Nate yet) let me in the same room as them. They’re smart, REALLY smart. I’ve also never programmed at that level (I was a DB/web application guy) so sometimes I can miss parts of their arguments.

Joanna has been doing some cool work around something called the Blue Pill and virtualized rootkits. To do my usual over-simplification, on a system not already running a hypervisor, the attacker runs code that launches a hypervisor. The hostile hypervisor drops below the host operating system it launched from, virtualizing the host itself. Now everything the user knows about is virtualized and the malicious hypervisor can Do Bad Things unnoticed. Our diagram becomes:

[Diagram (image not available): the malicious hypervisor inserted beneath the original host OS, which is now itself virtualized]

Joanna originally called this undetectable. Thomas and Nate did an entire Black Hat presentation on how they can always detect this, with some blog posts on Nate’s site and at Matasano.

Problem is, they’re looking at the wrong problem. I will easily concede that detecting virtualization is always possible, but that’s not the real problem. Long-term, virtualization will be normal, not an exception, so detecting if you’re virtualized won’t buy you anything. The bigger problem is detecting a malicious hypervisor, either the main hypervisor or maybe some wacky new malicious hypervisor layered on top of the trusted hypervisor.

Since I barely know my way around system-level programming I could easily be wrong, but reading up on Nate and Tom’s work I can’t see any techniques for detecting an unapproved hypervisor in an already virtualized environment. Long term, I think this is a more important issue (especially on servers). Since Intel will be putting some trusted virtual machines on our hardware by default, maybe that’s where we need to look.
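To make the distinction concrete, here is an added example (mine, not code from this post, from Matasano or from Joanna's Blue Pill work) of the easy half of the problem: asking the CPU whether a *cooperative* hypervisor is present. On x86, CPUID leaf 1 reserves ECX bit 31 as the "hypervisor present" flag, and leaf 0x40000000 carries a 12-byte vendor signature; the `__get_cpuid` and `__cpuid` helpers are the ones GCC and Clang ship in `cpuid.h`. Function names such as `detect_cooperative_hypervisor` are my own, and the vendor strings in the comments are constructed test inputs. A hypervisor that does not want to be seen simply does not set the bit, which is exactly why detecting "am I virtualized?" says nothing about a hidden, unapproved hypervisor.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0   /* non-x86 build: the real query is skipped */
#endif

/* CPUID leaf 1, ECX bit 31 is the architecturally reserved "hypervisor
 * present" flag; cooperative hypervisors (KVM, VMware, Hyper-V, Xen HVM)
 * set it so guests can tell they are virtualized. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Leaf 0x40000000 returns a 12-byte vendor signature spread across
 * EBX, ECX and EDX (for example "KVMKVMKVM" or "VMwareVMware").
 * Copy the raw register bytes into a NUL-terminated string. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Inverse of decode_hv_vendor: pack a vendor string into three registers
 * the way CPUID would return it. Only used to build constructed inputs
 * for testing the decoder; it never touches the CPU. */
void encode_hv_vendor(const char *vendor, uint32_t *ebx, uint32_t *ecx, uint32_t *edx) {
    char buf[12];
    memset(buf, 0, sizeof buf);
    memcpy(buf, vendor, strlen(vendor) < 12 ? strlen(vendor) : 12);
    memcpy(ebx, buf, 4);
    memcpy(ecx, buf + 4, 4);
    memcpy(edx, buf + 8, 4);
}

/* Query the running CPU. Returns 1 and fills vendor when a hypervisor
 * advertises itself, 0 otherwise (including on non-x86 builds).
 * A 0 here is NOT evidence that no hypervisor is underneath you. */
int detect_cooperative_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;                       /* CPUID leaf 1 unsupported */
    if (!hypervisor_bit_set(ecx))
        return 0;                       /* nothing admits to being a hypervisor */
    /* __get_cpuid() rejects leaves above the basic maximum, so use the
     * raw macro for the 0x40000000 hypervisor range. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    decode_hv_vendor(ebx, ecx, edx, vendor);
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    char vendor[13];
    if (detect_cooperative_hypervisor(vendor))
        printf("cooperative hypervisor present: %s\n", vendor);
    else
        printf("no hypervisor advertised via CPUID (proves nothing about a hidden one)\n");
    return 0;
}
```

Run it inside a VM and it names the vendor; run it on bare metal and it prints nothing useful. The Ptacek/Lawson approach goes further by measuring side effects (timing of trapped instructions, for instance) that a hypervisor cannot opt out of, but even that only answers "is there a hypervisor?", not "is it the one I installed?", which is the question the post is raising.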

Spinning the wrong wheels perhaps?