
Fud

Monday, March 08, 2010

RSA Tomfoolery: APT is the Fastest Way to Identify Fools and Liars

By Rich

It is better to stay silent and let people think you are an idiot than to open your mouth and remove all doubt.

--Abraham Lincoln

Although we expected APT to be the threat du jour at RSA, I have to admit even I was astounded at the outlandish displays of idiocy and outright deception among pundits and the vendor community.

Now, let's give credit where credit is due -- only a minority of vendors hopped on the APT bandwagon. This post isn't meant to be a diatribe against the entire product community, only those few who couldn't help themselves in the race to the bottom.

I'm not claiming to be an expert in APT, but at least I've worked with organizations struggling with the problem (starting a few years ago, when I began to get data security calls related to the problems of China-related data loss). The vast majority of the real experts I've met on the topic (those with direct experience) can't really talk about it in public, but as I've mentioned before, I'd sure as heck read Richard Bejtlich if you have any interest in the topic. I also make a huge personal effort to validate what little I say with those experts.

Most of the APT references I saw at RSA were ridiculously bad: vendors spouting off about how their product would have blocked this or that malware variant that was only made public after the fact. Thus I assume any of them talking about APT were either deceptive, uninformed, or stupid.

All this was summarized in my head by one marketing person who mentioned they were planning on talking about "preventing" APT (it wasn't in their materials yet) because they could block a certain kind of outbound traffic. I explained that APT isn't merely the "Aurora" attack and is sort of the concerted espionage efforts of an entire country, and they responded, "oh -- well our CEO heard about it and thought it was the next big thing, so we should start marketing on it."

And that, my friends, is all you need to know about (certain) vendors and APT.

–Rich

Thursday, September 24, 2009

Stupid FUD: Weird Nominum Interview

By Rich

We see a lot of FUD on a daily basis here in the security industry, and it's rarely worth blogging about. But for whatever reason this one managed to get under my skin.

Nominum is a commercial DNS vendor that normally targets large enterprises and ISPs. Their DNS server software includes more features than the usual BIND installation, and was originally designed to run in high-assurance environments. From what I know, it's a decent product. But that doesn't excuse the stupid statements from one of their executives in this interview that's been all over the interwebs the past couple days:

Q: In the announcement for Nominum's new Skye cloud DNS services, you say Skye 'closes a key weakness in the internet'. What is that weakness?

A: Freeware legacy DNS is the internet's dirty little secret -- and it's not even little, it's probably a big secret. Because if you think of all the places outside of where Nominum is today -- whether it's the majority of enterprise accounts or some of the smaller ISPs -- they all have essentially been running freeware up until now. Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse.

...

Q: Are you talking about open-source software?

A: Correct. So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.

...

By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.

...

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

...

I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to BIND and freeware products. And Nominum has not had a single known vulnerability in its software.

The word "bullsh**" comes to mind. Rather than going on a rant, I'll merely include a couple of interesting reference points:

  • Screenshot of a cross-site scripting vulnerability on the Nominum customer portal.
  • Link to a security advisory in 2008. Gee, I guess it's older than 6 months, but feel free to look at the record of DJBDNS, which wasn't vulnerable to the DNS vuln.
  • As for closed source commercial code having fewer vulnerabilities than open source, I refer you to everything from the recent SMB2 vulnerability, to pretty much every proprietary platform vs. FOSS in history. There are no statistics to support his position. Okay, maybe if you set the scale for 2 weeks. That might work, "over the past 2 weeks we have had far fewer vulnerabilities than any open source DNS implementation".

Their product and service are probably good (once they fix that XSS, and any others that are lurking), but what a load of garbage in that interview...

–Rich

Monday, October 13, 2008

Your WPA-PSK Wireless Network Is At Risk… If You Are An Idiot

By Rich

There was some great hype in the wireless security world this weekend thanks to an article that made it onto Slashdot, and some FUD-pumping so-called security consultants. Elcomsoft issued a press release saying they can now crack WPA keys WAY faster using the GPUs (Graphics Processing Units) on the latest video cards.

It's kind of cool, and for wireless pen testing the tool sounds useful, but some of the quotes in the article from the security firm GSS (whom I'd never heard of) are the typical garbage:

"This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data," said GSS managing director David Hobson. "As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well." ... Hobson added that the development could spur a step back from wireless to wired network connections in sensitive installations, such as financial services organisations, particularly concerned about data privacy.

Idiots.

These guys are forgetting two things: first, this method doesn't work AT ALL against an enterprise installation (RADIUS) of WPA. George Ou has more on this.

Second, as the original article added as an update, this attack only speeds up brute forcing. Use a long, strong passphrase for your WPA key and you're fine. Rob Graham also has more on this.

WPA-PSK still sucks to manage, and keys go stale, but use a good one and you're fine. GSS should go back to playing Team Fortress or something with those video cards, because they were either misquoted or clueless.
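To put "use a long, strong passphrase" in concrete terms, here is an added example of my own (not code from the post, Elcomsoft, or GSS): it derives the WPA-PSK the way 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, which is why every guess is expensive) and estimates how long exhausting a passphrase's keyspace takes at an assumed guess rate. The guess rate and the sample passphrases are constructed for illustration.

```python
import hashlib
import math

# Added example (not from the post). WPA/WPA2-Personal derives its 256-bit PSK
# from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, SSID as the salt
# (IEEE 802.11i). A brute-force attack must repeat this derivation per guess,
# so its cost is (keyspace size) x (cost of one derivation).
WPA_ITERATIONS = 4096
PSK_BYTES = 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA pre-shared key; enforces the 8..63 printable ASCII rule."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PSK_BYTES)


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest standard character set covering the passphrase:
    lowercase 26, uppercase 26, digits 10, other printable ASCII 33."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33
    return size


def keyspace(passphrase: str) -> int:
    """Number of passphrases with the same length and character classes."""
    return alphabet_size(passphrase) ** len(passphrase)


def years_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed PBKDF2 guess rate."""
    return keyspace(passphrase) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 100_000  # constructed guess rate for illustration; real rates vary by hardware
    for p in ("password", "Tr0ub4dor&3", "correct horse battery staple!!"):
        print(f"{p!r}: {math.log2(keyspace(p)):.0f} bits, "
              f"{years_to_exhaust(p, rate):.3g} years to exhaust at {rate}/s")
```

The keyspace figure is an upper bound that assumes characters were chosen at random; a dictionary word or common phrase falls to a wordlist long before its keyspace is exhausted.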

–Rich

Friday, May 30, 2008

Cyberterror! Cyberterror! Pfffft..Sputter…Gak!!

By Rich

Kevin Poulsen over at Wired reports that a new National Journal report claims that Chinese hackers may have been responsible for a recent power outage in Florida and the big 2003 northeast blackout.

Kevin does a good job of ripping this report a new one, and I even learned about a SCADA bug I didn't know about that contributed to the 2003 event.

I'm not going to get into the Chinese paranoia. Truth is, I have no doubt they both have advanced offensive cyber capabilities they use for intelligence gathering, and encourage the local hacking community to target us. Why not? Countries have been spying on each other ever since the creation of nations; no reason to think it will stop now because we're too tied up watching American Idol to deal with it.

I sure as heck hope we're doing the same to them; that's what I pay taxes for.

But "cyberterrorism" and the 2003 blackout? Not so much. Unlike some, I do consider cyberterrorism a legitimate concern for a nation-state, but I also consider the bar to be higher than any cyber event we've seen. If there isn't serious loss of life or property that creates fear in a population for political or social goals, it ain't terrorism. Sorry Estonia, we haven't seen this yet, and I won't be the idiot to predict it will happen in any given year. Bombs are a heck of a lot more effective at creating fear.

As for the blackouts, the various people I've talked with in the energy/utilities sector indicate that the Blaster virus may have played a part in slowing down control and communication systems, exacerbating the event. It's not that Blaster brought down the power systems, but that it infected the Windows control workstations, messing up email, alerting, and control software (because it hosed the OS, not because it infected those bits). That drops everything to a more manual process and to the automated SCADA safeties, which, combined with everything else going on, weren't enough.

Could I be wrong? Absolutely; but it makes a lot more sense than Chinese hackers deliberately and successfully targeting our power grid. Not that I think they aren't capable, but there's no evidence to indicate that occurred.

You can always tell when it's budget and election season in Washington, especially in these days of national FUD.

–Rich