Securosis

Research

Control Your Identity

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s, “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it. In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing. I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me. One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. WIll it help? Maybe not- it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth. One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth. Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive. Share:

Share:
Read Post

Visual Forensic Analysis

During the second day at Black Hat, somewhat depressed by yet another futile attempt to locate coffee and fighting human gridlock, I decided that it was no longer worth the effort and simply sat down in the nearest conference. And I am glad I did as that random selection of presentations turned out to be one of my favorites of the week. The presentation was called Visual Forensic Analysis and Reverse Engineering, presented by Gregory Conti and Erik Dean. I would offer a link for you, but I have been unable to find the slide deck on line. It is on the CD that was included in the Black Hat goodie bag for those of you who attended, and some of the discussion points are located here (http://lcamtuf.coredump.cx/oldtcp/tcpseq.html) The Conti & Dean presentation shows how, by using different graphing techniques, to identify the contents and even reverse engineer binary files. By performing ?dot plots? and ?byte plot? examples of binary files, you can very quickly detect certain patterns within the binary file that tell you what is contained within the file. Much like a human fingerprint, uuencoded content, text, Word documents, bit mapped images, jpegs, compressed files and encrypted files each had a unique visual signature. For files that may contain several items, it was easy to pick out the begining and ending points of blobs within the file, and then examine specific binary objects in more detail. They showed a couple of examples of extracting out image files from a huge binary file in less than 30 seconds. You know you are a geek when: I remember in the early ’90s that when debugging code or core dumps I was often just winging it. You really did not have a valid stack trace, so you were rummaging around memory looking for something unusual, or some pattern that gave you a clue as to what went wrong. It was more art than science, and it was usually some visual clue or something that just did not look right when you found the root cause of the bug. Again in the mid-90s I can remember loading binary files into a text editor to attempt to, ahem, circumvent and ?no-op? out the licensing module which could often be located through a visual inspection. Of course, this was purely for academic purposes. This same technique was effective in hacking video game binaries and save files (slide 46 of the presentation shows a Neverwinter Nights database file as an example). And it was all based upon looking at the binary structure for patterns and experimenting with value substitutions to alter game functionality. But the graphic tools take this to a whole new level. How do you know your PRNG is producing random numbers? During the presentation, the evolution from these early generation tools and methods was discussed, and then they showed off tools that provide different 3 dimensional graphic representation of what data looks like. One of the examples that I was most impressed with was the graphs that show a distribution for numbers. These are examples of PRNG output (http://lcamtuf.coredump.cx/newtcp/). Random? It is not particularly easy to demonstrate the pseudo-random number generator you are producing random numbers, or collecting entropy to see your random number generator. But by graphing them in this way, you can very quickly see if you have reasonably good randomness ? or not close at all. Anyway, I thought this was a very cool forensic tool for binary files. Check out the graphs as they are very impressive. Share:

Share:
Read Post

Do We Need A New Internet?

I ran across this article last week in the Arizona Republic regarding redesign of the Internet. This was very much in line with one of the recurring topics that seemed to be discussed in the halls at Caesars Palace during Black Hat: how might we change the Internet if we were to start from a clean slate? There are clearly many motivating factors to do so, from the fragility and dependency issues of the Internet on DNS as discussed by Kaminisky , email spam , DDOS, use of a basically insecure connectionless protocol for the vast majority of transactions, to encrypting all Internet traffic to keep government and other entities from spying on us, and the list goes on and on. I have not been following the organizations history all that closely nor am I aware of any published research at this time. I will admit to viewing the GENI effort with a bit of skepticism. While the web site FAQ states ‘It is not a replacement for the Internet (or any other communications technology). Rather the purpose of GENI to test and mature a wide range of research ideas in data communications and distributed systems’. Not sure if the intent with the statement is to underscore the intention to build something entirely new, or if this is hyperbole, but it is clearly at odds with the way the project is being marketed as “A massive project to redesign and rebuild the Internet”, which is why it makes news and why US National Sciences Foundation would consider $12 million in funding. This dichotomy makes me worried right off the mark. I always assumed the success of the Internet was because it was a cheaper and faster way to do things. Simple to understand, easy to use, freedom to say what you want, and almost free to participate. Yes, low cost helps, but the organic growth IMO is really about simplicity and freedom. And the more people who participate, the more information available, and more value. A ‘clean slate’ redesign of the Internet will certainly have design goals of greater reliability, accountability and security. These points are on the agenda’s of every Internet redesign discussion I have seen, and they will come with greater control, expense and monitoring of personal activity. The more I think about it, the more I believe what we need is not a new Internet, but one that sits parallel to the one we have today. The Internet we have today works great for sharing information, which is largely what it was indented to do. It was not designed to be secure, keep data private or conduct commerce. If the intention of the GENI project is to provide a secure medium for commerce in parallel, I am all for it. I am not eager to give up what I like about the Internet to solve the security issues at hand. Share:

Share:
Read Post

Overly Paranoid?

During a recent eBay auction, when clicking the “Pay Now” button for an item I had won, I was taken off the eBay site, to a third party merchant site. The merchant site was attempting to verify address information and shipping options, and then forward me to PayPal. I tried going back into my eBay account and making the payment directly to PayPal several times, in an attempt to avoid the third-party site, without success. It appears that eBay is allowing third party merchants to insert their own code and web sites into the checkout process. What’s more, this particular merchant page was a mixture of secure and insecure content and some JavaScript. NoScript took care of the issue for me, but it leaves me wondering. I am not sure if it is my heightened sense of post-DefCon paranoia, but this just seems like a bad idea to me. If I were a hacker, wouldn’t I just love a way to insert myself into the payment process? With most security analysis processes, I start by examining trust relationships I can exploit. This tends to be fertile ground for logic flaws, and these trust points tend not to be closely inspected by users. If I can insert myself into an established trust relationship to launch my attack, I am far more likely to succeed, and this seems like an open window for me to do just that. Bogus image tags, XSS, XSRF, inline frames, or whatever attack du jour; it seems like a natural target for inserting myself between these two trusted entities. I am not saying that any particular merchant site is insecure at this time, but I am willing to bet that regardless of any vetting process third parties go through, their security is not uniformly as strong as eBay’s and PayPal’s. In general, I have no relationship with any of the third party merchant software, so I have no reason to trust the sites or their security. I make purchases on eBay with PayPal because I have a basic trust in their sites, processes, and security teams. This trust does not fully extend to every one of their affiliated merchants and third party sites, now and in the future. Not only that, the third party site offers me, the buyer, no added value, only potentially decreased security. From PayPal’s own “Top Ten Safety Tips”, which they provide with the Security Key, tip number nine is “Stay Safe on eBay: … Pay safely using PayPal, the secure payment method that enables you to shop without sharing your financial information with the seller”. But if the merchant has been linked into the process, and you have to go to a merchant site first, it is somewhat at the seller’s discretion. And if the merchant site has been hacked, all bets are off. I sent the question over to eBay and PayPal security and have not received a response, so I wanted to know what the community at large felt about this. Share:

Share:
Read Post

Network Security Podcast, Episode 116 (With A Lot Of Bad Words)

A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we’re posting the last of the interviews recorded at DefCon- but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert “Rsnake” Hanson, and Larry Pesce join us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered. Yes, this really is an explicit episode, so consider yourselves warned. Network Security Podcast, Episode 116 Length: 24:00 (or so) Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.