Research

Our weekly research meeting started with an optimistic plea from yours truly. Will 2010 finally be the year the signature dies? I mean, come on now, we all know endpoint AV using only signatures is an accident waiting to happen. And everywhere else signatures are used (predominantly IPS & anti-spam) those technologies are heavily supplemented with additional behavioral and heuristic techniques to improve detection. But the team thought that idea was too restrictive, and largely irrelevant because regardless of the technology used, the vendors adapt their products to keep up with the attacks. Yes, that was my idea of biting sarcasm. We broadened our thinking significantly, to think about why we haven’t been able to really kill off any security technology, ever. How many of you still use token authenticators? Or line encryptors? It seems once we implement something, we get to live with it for 20 years. Have you ever tried to actually kill a technology? Someone always finds an edge case where you’d be dead if it happens, so you can’t pull the trigger. Who cares that you have a higher likelihood of getting hit by a meteor in the cranium? Not sure about you, but that annoys the crap out of me. With all the time and money we spend maintaining and paying for these tools, we aren’t doing more strategic things for the business. Our world is complex enough. We need to make it a point this year to get rid of some of these long-in-the-tooth technologies. So for this week’s thought generator, let’s put together a security “endangered species list” of things we want to kill. I’ll start: Signature-based AV Engines – Come on, man! We keep these fat and dumb AV engines around because we are worried that the Melissa virus will make a comeback. Now the vendors need a frackin’ cloud to keep track of all the signatures, which don’t work anyway – given that most of the bad guys use AV*Test.org to make sure the major engines are blind to their stuff. As an alternative, we can (and should) be moving towards a whitelist based approach on servers, where you can lock down the applications, since your servers don’t get pissed when they can’t run Tiger Woods golf or watch March Madness online. These tools are ready for prime time now, and it’s time we killed off the old and busted way of doing things. And you shouldn’t need to keep paying your desktop AV vendor to maintain that signature database, especially since most of them already offer white-list technology as a different product. On the endpoints, do we think these AV engines are actually doing any good? Aren’t we better off focusing on patching and ensuring some of the anti-exploitation technologies (like DEP and ASLR) are used within the applications you let users run on their devices? Then we also have to make sure we are watching more closely for compromised endpoints, so bust out that network monitor and ensure you have egress filtering in use. I described these techniques in Low Hanging Fruit: Network Security last week. With the increasing consumerization of IT, assuming you have control of the endpoint is probably naive at best. Imagine what good all the AV researchers could do if they weren’t spending all day auto-generating signatures? OK, that one was a bit easy and predictable. As Rich would say, what’s different about that? Nothing, I just wanted to get rolling. HIPS – As I continue my attack on everything signature, why does HIPS (Host Intrusion Prevention) still exist? I get that folks don’t really do HIPS on the endpoint, but far too many still kill the performance of their servers by comparing activity to known attack code. I’m sure there are some use cases where HIPS is useful, but is it worth the performance penalty and the cost of management and maintenance? Yeah, probably not. Repeat after me: Black lists are for the birds. Black lists are for the birds. So why do we care about HIPS anymore? Should this also be on the list of security technologies to die? What say you? Tell me why I’m wrong. What’s on your list? Put it in the comments, and be sure to mention: The technology Why it needs to go What compensating controls can be used for at least equal protection Remember the best comment of the week can feel good about making a donation to a worthy charity. Let’s all sing now: The Roof, the roof, the roof is on fire… Now discuss! Share:

Good Morning: I love the Internet. In fact, I can’t imagine how I got anything done before it was there at all times to help. Two examples illustrate my point. On Monday, I went to lunch with the family at Fuddrucker’s, since they had off from school. They say a big poster of Elvis with a title “The King” underneath. They had heard of Elvis, but didn’t know much about him. The Boss and I were debating how old Elvis was when he had that unfortunate toilet incident. I whipped out the iPhone, took a quick peek at Wikipedia, and learned the King died when he was 42. Oh crap, that’s not much older than I am right now. Then we went into his history and music and the kids actually learned something. Thanks, Mr. Internet. Next up, I’ve been having some problems with my washing machine. So I check out the appliance boards on the Internet (thanks to the Google) and figure out what the error code means and a few ideas on how to fix it. Turns out it’s very likely a control unit issue. Amazingly enough, there is a guy in the Southeast who fixes the unit for half the price of buying a new part. The guy sends me a little PDF on how to remove the control unit (it was a whopping 3 Torx screws and unplugging a bunch of wires). I put the unit in a box and sent it off. It could not have been easier. Thanks, Mr. Internet. Now what would I have done 10 years ago? I would have called Sears. They would have come over, charged me for the service call ($140), replaced the control unit ($260), and I’d be good to go. $400 lighter in the wallet, of course. They say an educated consumer is the best consumer. Not for the old Maytag Man, I guess. Don’t think he’s sending thanks to Mr. Internet. –Mike Photo credit: “Maytag Man Inflatable” originally uploaded by arbyreed Incite 4 U This week we got contributions from almost everyone, which has always been my evil plan. And as much as I like the help, I do think having a number of opinions weighing in makes things a lot better – for everyone. China wastes a zero day on IE6? – It seems that the zero day vulnerability exploited by China doesn’t only work on Internet Explorer 6, but according to this article in Dark Reading may also work on IE 7 and 8, and might even work around the DEP (Data Execution Protection) feature of XP and Vista. Considering all the old vulnerabilities in IE6 (you know, something you should have dumped years ago), you have to wonder if the attackers just assumed we weren’t dumb enough to still use ancient code open to old exploits. Without listing all the permutations, it looks like IE8 on Vista or Windows 7 (because of that ASLR anti-exploitation thingy) may be secure, but everything else is exploitable and Microsoft is issuing an emergency patch. I realize it’s painful to think you might have to actually update that 10 year old enterprise application so it works with a browser released after 2001, but it’s time to suck it up and browse like it’s 2010. – RM They are better than us – Clever programmers working on a single project, test their code against live servers, monitor effectiveness, and evolve the code to get better every day. Working with operating systems I used to see this dedication. Some of the programming teams I worked on bordered on fanaticism and worked hard to become better programmers. Teams were like coder’s guilds, where more experienced members would review, teach, and occasionally shred other members for shoddy work. They worked late into the night, building new libraries of code, and studied their craft every night on the train ride home. They knew minutiae about protocols and compilers. I swear a couple of them thought in hexadecimal! When I read blogs like “An Insight into the Aurora Communications Protocol” I get the picture that the hackers are more professional than the “good guys” are. Hackers use obfuscation, SSL variations, code injection, command and control networks, and stolen source code to create custom 0-days. These highly motivated people have rapidly evolving skills. What worries me about Aurora isn’t the sophistication of the attack, but the disparity in dedication between attacker and your typical corporate developer. One side lives this stuff and one has a job. This is getting worse before it gets better. – AL Here’s a serving of humble pie. Eat it! – The truth of the matter is that a lot of security folks fail. Almost as often as marketing folks. Combine the two and you get…me. It does make sense to do a little soul searching and this post from Dan Lohrmann on CSOOnline really resonated. Basically his contention is that security folks come across as unusually proud or overconfident. That’s politically correct. I’d say in general we’re a bunch of arrogant asses. Not everyone, but more than a few. The reality is security folks need a bit of an edge, but at the end of the day we still need to be respectful to our customers. Yes, those idiots who get pwned all the time are our customers. So think about that next time you want to throw some snark in their direction. Just share it on Twitter. Like me. – MR Things in public, are, you know, public – On The Network Security Podcast last night we talked a bit about this article by James Urquhart over at CNet on the Fourth Amendment in the cloud. Actually, forget about the fourth amendment (that’s the search and seizure one for you engineering majors), when it comes to the Internet and privacy repeat after me – “if it’s on the Internet, it isn’t private, and never goes away”. The article emphasizes that anything you store on Internet services (I’m not limiting this to cloud) that is accessible by your service provider can’t be considered private under current law. Phone and paper mail are