Research

The Skype gods definitely worked against us last night as David Mortman from Debix joined us to to talk about a new study the released on identity theft and children. No, you’re 8 month old is stealing identities like I suspect that creepy kid from the ETrade commercials is, but due to both error and fraud a surprising number of children have financial histories they didn’t know about. We also discuss last week’s Microsoft emergency update, Bono frolicking on MySpace, and the usual TSA foibles. We had some audio issues today so we kept the podcast short to spare your ears as much as possible. The Network Security Podcast, Episode 125 Show Notes: Debix sponsored research into the problem of children and identity theft. They are also hosting a webcast with the FBI on Wednesday, October 29th, at 3pm CDT. Microsoft released an out of cycle patch for a critical vulnerability. Bono showed up on some girl’s MySpace page. Oops. At least he wasn’t driving drunk without underwear and with an infant in his lap, like the usual MySpace divas. Tonight’s music is courtesy of George Thorogood and the Destroyers. Share:

  I was amused today when I logged into my business account bank (Wells Fargo) and they had me set up a new set of security questions. The variety wasn’t bad and the questions were reasonably original. After setting them, I was asked to confirm my contact information. A few minutes later, I received this email: Thank you for taking the time to set up your security questions. If we ever need to confirm your identity, your ability to give the correct answers to these questions will help us verify it’s you. If you did NOT set up security questions recently, please call Wells Fargo Online Customer Service immediately at 1-800-956-4442. Please do not reply to this email. It went right to the email address I could have updated after setting up the security questions. Anyone else notice the problem? Now there’s a chance that had I changed the email address on that screen after the security questions, I would have received notification at the old address. As a test, I changed my email a couple of times using the regular interface- but no notifications yet. UPDATE: Got the email, but at the wrong account (the one I changed to, not from). Is this an exploitable security flaw? Nope, but it’s amusing for us paranoid/cynical types. (For the record, they’ve been a great bank for the business, no complaints at all.) Share:

I just read over at Computerworld that the TSA will start requiring gender and date of birth when we buy plane tickets. This is part of Secure Flight, and meant to increase the accuracy of matches to the terrorist watch list(s). As brought up by Bruce and many others over the years, the TSA has yet to identify a single case where this list… umm… you know… actually caught a terrorist. Yes, they’ve snagged some people with warrants, but this is supposedly the terrorist watch list, not the random dumb-ass criminal watch list. They’ve even been questioned about it in their blog comments multiple times, and have yet to answer. Thus, I think we all know the answer. (A special request to the TSA- when you add the colonoscopies, can we get copies to give to our physicians? I’m almost 40 and that would be a cool way to save on health care costs). Note: I don’t blame the people working hard at the checkpoints (other than the few bad eggs common in all workplaces). They are in a crappy position and we shouldn’t blame them for the idiocy of their superiors. Share:

‘Rich forwarded me the RSA Wireless Security Survey for 2008 that was just released this morning. The cities that they scanned were Paris, London & New York. Public hotspots — designed to allow anyone with a wireless device to access the Internet on a pay-as-you-go or pre-paid basis — continue to grow in prevalence across all three cities, and in each case the growth of available hotspots accelerated significantly in 2008 compared with development in the preceding year. Paris saw the largest jump, with numbers increasing by over 300% and comfortably outstripping the comparative growth in New York City (44%) and London (34%). However, New York City remains the leader in regards to its concentration of hotspots. At 15%, New York City is well clear of London where just 5% of wireless access points were found to be hotspots. In Paris, hotspots represented 6% of all the access points we located. It is interesting to compare the year over year changes, and to see what kind of encryption is being employed. It’s certainly worth a review, and a little vendor hype is to be expected, but there are two things that worry me about survey’s like this. First, the public perception that if the connection is encrypted that all is safe. Unless there is a shred secret or some other type of protection, most of these systems are vulnerable to man-in-the-middle attacks. Second is that the rogue hotspots are difficult to detect, which is the de-facto method for wireless man-in-the-middle. If your an IT manager, you have very little way to assess risk from this report, so just assume wireless hotspots are compromised and that you need to deploy a system to thwart these attacks on externally accessible corporate WiFi. And as an end users, if you think you are safe just because you have established an encrypted connection at Starbucks, think again. The guy in the tiny corner apartment overlooking the store makes his living by sniffing personal information and passwords. Share:

I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, was part of the recent Oracle CPU, and Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why had I recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don’t need to wait, but if you are vulnerable to this attack, you probably have bigger issues that should have been addressed already. Specifically: Don’t leave development tools and accounts/environments on production databases, especially those that serve web content. Don’t leave development schemas and associated users/grants/roles on production database servers. This just adds to the complexity and potential overlooked security holes. Occasionally run checks for weak passwords. There are free tools available for most of the common database platforms like Oracle Password Checker, SQL Ping, Scuba and others (just be careful where you download them from), there are vendors that offer this for sale as part of their assessment suite (Fortinet, Application Security), or you can write your own. Some look for a small subset of known default passwords, so I recommend using one where you can edit the dictionary to adjust as you see fit. At least a couple of times a year, review the database accounts to see if there are accounts that should not be there, or if accounts that have execute privileges that should not. Once again, I believe there are free tools, vendor tools as well as scripts that are available from database user groups that will accomplish this task and can be customized to suit your needs. APEX is a handy development tool, but if you are a DBA or a security professional, reading Oracle’s description should make the hair on the back of your neck stand up: “APEX is operated from a web browser and allows people with limited programming experience to develop professional applications.” A powerful tool in the hands of inexperienced programmers sounds like handing out loaded guns. Patch if you think you are susceptible to this vulnerability, but for self-preservations sake, run some assessments to catch this class of vulnerability and not just this issue. Share:

Holy 0day Batman! What started as a quiet week definitely got a little more interesting yesterday as Microsoft released an out-of-band patch for a critical vulnerability affecting most versions of Windows. It’s been a while since MS had to push out an emergency fix like this, and boy was it a whacky vulnerability. For those of you who haven’t kept up on it, it is a flaw in the RPC service that allows remote code execution without authentication. What’s really interesting is that this flaw is in a part of the code base that was patched already for a very similar problem. What’s even more interesting is that this was discovered due to active exploits in the wild. I’ve been known to be a little persnickety about definitions, and I’ve never liked that we call all unpatched vulnerabilities zero-days. In my book, a true 0day is a vulnerability that is being actively exploited but we don’t know about it. The bad guys have information we don’t and are using it against us. When the details are public, but no patch is available, I just consider that an unpatched vulnerability. But who am I to say- I still consider hackers good guys. On a totally different note, I think I found a minor security flaw in the RSA Conference session submission system. It appears that if you submit a session and add a speaker, you can overwrite some of the attributes of that speaker if they are already in the system. Minor, but annoying since I was submitted for something like 10 sessions and part of my bio kept changing while I was submitting my own stuff. On that note, it’s time to head off and start decorating for our annual Evilsquirrel Halloween Party. We have about 13 tubs of decorations we’ve collected since my old roommates and I started holding parties around 1995 or so. I even have homemade animatronics I built using microcontrollers and other geeky stuff. Yeah, I fear for my impending children too, but the neighborhood kids love us. At least the ones who don’t pee themselves when the motion sensor kicks off. Webcasts, Podcasts, and Conferences: The Network Security Podcast, Episode 124. Jacob West from Fortify joined us to rail against electronic voting. If Dick Cheney wins the election, we’ll all know why. I participated in a virtual conference put on by InformationWeek and Dark Reading. I was on Ten Security Threats Your Organization May Be Unable to Prevent, with H D Moore of Metasploit and BreakingPoint and Trey Ford of WhiteHat Security. I felt a little weird talking about XSS and SQL Injection with H D following me, but it was a pretty good panel. Favorite Securosis Posts: Rich: Your Simple Guide to Endpoint Encryption. I’ve been writing a lot about market issues lately, and I really enjoy it when I can give out practical advice. Adrian: WAF vs. Secure Code vs. Dead Fish. Look folks, we’re far too polarized politically in this country to fight out over which of these things solves our problem better, when both are equally good and bad. Favorite Outside Posts: Adrian: Rsnake captures the everyman experience and puts the fun back into Internet browsing. I mean, can’t we all just get along? Rich: Andy reminds us what it’s like to work in the real world. Researchers, analysts, and vendors often forget what it’s like to be in the trenches, even though most of us have been there. I think it’s refreshing to read about Andy’s pain. Er… maybe that wasn’t the best way to say that. Top News: Microsoft Security Patch was released this week. We covered it a bit ourselves. Princeton posts a guide to hacking Sequoia voting machines. Jimmy Buffett for President! FTW! Australian government massively censoring the Internet. I love that country and have spent a lot of time down there, but the government is really whacky. Did you know that hard core pornography is illegal everywhere except the Australian Capital Territory (you know, where all the politicians are). Guess writing censorship bills is boring work. Voting machines flipping votes. Notice a trend? (Thanks to Dave at Liquidmatrix, who does a great daily summary). Blog Comment of the Week: Windexh8er’s comment on the Microsoft vulnerability post: So even though this sort of thing is less common as SDLs mature further (honestly Microsoft is doing a much better job in this space — but legacy code that’s in the OS is still there). This just goes back to the position wherein do corporations really need client side processing? Some may have valid reasoning (i.e. graphics / architecture / modeling / etc), but for the majority of the end users out there in corporate America they really don’t need a fully functional end system. In a Microsoft environment I’d like to see the next iteration of OS go to stripped down systems like you can leverage in Server2k8 – obviously most “work” today from a variety of different locations and the laptop has overwhelmingly displaced the standard desktop workstation for day to day business. With that respect the standard installation should be minimalistic at best. Stripped stack, host based filtering (in and out), no user rights with the exception of approved applications and then strictly managed socket / protocol connections to approved devices. Give them what they need through established connections. At that rate client processing goes way down and visibility and control sky rockets. It’s far too much for any given internal IT / IS departments to manage numerous deployed apps and multiple desktop configurations in the state business as usual is running today. Everyone I know has a corporate laptop (these are big businesses right) but all of these users can pretty much all connect to outside networks and do casual computing – even if it’s restricted, it’s still wide open enough to let the user infect themselves unknowingly. I’d love to do a formal PoC, like this, with one of my large clients. Cost savings

If you don’t already know, Microsoft is releasing an out of band critical update today. Rumor is it is not related to the TCP DoS issue, and may involve an 0day with remote code execution. Here’s the link to the webcast where they will detail what’s going on. We don’t normally jump on a bandwagon like this, but it sounds like a big one you’ll want to fix ASAP. UPDATE: Woops- literally 2 minutes after I posted this, Ryan Naraine posted details and a link to the official advisory. It’s a nasty vulnerability in the Server service that allows remote code execution without authentication. You should already be blocking TCP ports 139 and 445 at the perimeter, so nothing unusual to change on the firewall. But this is totally wormable, requires no authentication, and allows arbitrary code execution. It’s the evil trinity of vulnerabilities. You should pay extra attention to your mobile users and friends and family- have them update ASAP since the odds are they aren’t blocking those ports. Don’t get too cocky if you have a firewall- like Slammer it will only take one infected sales dude to plug back in at the office and ruin your day. These are the kinds of vulns NAC is made for. Also, don’t forget about those virtual versions of Windows running on your Mac. It looks so easy to exploit, that by the time you read this it’s probably too late 🙂 Share:

I’ve been slowly catching up on my reading after months of near-nonstop travel, and this post over at Imperviews caught my eye. Ignoring the product promotion angle, it raises one of my major pet peeves these days. I’m really tired of the Web Application Firewall vs. secure coding debate, never mind using PCI 6.6 to justify one over the other for security effectiveness. It’s like two drunk cajuns arguing over the relative value of shrimp or pork in gumbo- you need both, and if either is spoiled the entire thing tastes like sh&t. You also can’t dress up the family dog and fish in a pinch, use them as substitutes, and expect your kids to appreciate either the results or use of resources (resulting gumbo or the loss of Rover). Here’s the real deal- Secure coding is awesome and you need to adopt a formal process if you produce any meaningful volume of code. But it takes a ton of resources to get to the old code (which you should still try to do), and can’t account for new vulnerability classes. Also, people screw up… even when there are multiple layers to detect or prevent them from screwing up. On the other hand, WAFs need to get a hell of a lot better. We’re seeing some positive advancements, as I’ve written about before, but they still can’t stop all vulnerabilities, can’t stop logic flaws and certain other categories of attack, can’t deal with the browser end, and I hear a lot of complaints about tuning (while I think liking WAFs with Vulnerability Assessment is a great start on this problem, we’re just at the start of that race). I absolutely hate to tell you to buy more than you need, but if you have a major web presence you likely need both these days, in the right combination (plus a few other things). If you don’t have the resources for both, I suggest two options. First, if you are really on the low end of resources, use hosted applications and standard platforms as much as possible to limit your custom coding. Then, make sure you have kick ass backups. Finally, absolutely minimize the kinds of information and transaction you expose to the risk of web attacks- drop those ad banners, minimize collecting private information, and validate transactions on the back end as much as possible. If you do have some more resources available, I suggest starting with a vulnerability assessment (not a cheap ass bare-bones PCI scan, but something deeper), and using that to figure out where to go next. Yes- we are eating our own dog food on this one. The blog is hosted using a standard platform. We know it’s vulnerable, so we’ve minimized the attack surface as best we can and make sure we have backups of all the content. I’ve been pleasantly surprised we haven’t been nailed yet, but I expect it to happen eventually. None of our sensitive operations are on that server, and we’ve pulled email and our other important stuff in house. Early next year we’re going to be launching some new things, and we will again go with remote hosting (on a more powerful platform). This time, we are switching to a more secure platform than WordPress (Expression Engine) and will pay for a full vulnerability assessment and penetration test (at least annually, or when any major new components come online). We may perform some financial transactions, and we’ll use an external provider for that. A WAF is out of budget for us, so we’ll focus on minimizing our exposure and manually fixing problems discovered by ongoing assessments. We also plan on using as little custom code as possible. But seriously- I’m tired of this debate. Both options have value, they aren’t exclusionary, and which you need depends on what you are doing and how many resources you have. Eventually we’ll get a better lock on this problem, but that’s a few years out. Share:

Want to talk about electronic voting? We did. So we invited Jacob West from Fortify to talk with us about a paper he just published with a couple of engineers at Fortify. Guess what- they found electronic voting using DRE voting machines are the least secure way to vote. Makes me feel good going into the election. It’s a good thing we’re fairly self-policing when it comes to time; this is a conversation that could have gone on for a couple of hours. We had a number of technical issues tonight, so be glad we’ve got a podcast up at all. Network Security Podcast, Episode 124, October 21, 2008 Show Notes: Dear Mr. President: Let’s talk tech – We desparately need a geek in the Cabinet! Miley Cyrus Hacker Raided by FBI – Don’t brag to the press when you’re already in the cross-hairs! Flash Suckage: Eat your cookies – Now you can be tracked through Flash too. VeriSign and ICANN square off over the DNS root – Let’s just give it to Dan K. and let him manage it. Judge Suppresses Report on Voting Machine Security – Which brings us to why we’re really here Fortify’s paper on e-voting Share:

I missed including this in the Friday summary. The Electronic Frontier Foundation is challenging the legality of telecom’s being granted immunity in their participation of NSA’s warrant-less spying on US citizens, claiming the executive branch of the government has overstepped it’s authority. Indirectly they will open the entire program up for scrutiny as well. EFF Senior Staff Attorney Kevin Bankston: “In our constitutional system, it is the judiciary’s role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive’s. The Atto ey General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans.” Seems to have a point. This is going to be a very interesting and very important fight for personal privacy, as well as an interesting inspection of the close relationship between industry and sections of our government. And this case will be argued in a political climate that has less 9-11 fear and more annoyance with corporations misbehavior, so I think that EFF will have traction and we will be seeing this in the headlines for some time. Share: