Research

Alan Shimel is reviving the zero day debate and coins a term “less than zero day” for vulnerabilities that are unknown from the public at large. Check out his series starting here, then here, and finally here. Rothman mostly agrees here, but (like me) isn’t enamored of the name. As I stated in my initial support for Alan’s position I think he’s mostly nailed it. There is a distinct difference between an unknown vulnerability, an unknown vulnerability for which there’s an active exploit, a new vulnerability that’s not patched (what most people call a 0 day), and regular old vulnerabilities. The difference being that I define the first case (a non-public vulnerability) as the real meaning of a zero day. Why? Because the vulnerability is discovered (day 0), but not propagated. This is Shimel’s “less than zero day”. I don’t want to get caught up in any definition battles; especially when I’m fighting the marketing arms of every security vendor out there who claims they stop a 0 day. I’m willing to fight the noble fight, but let some other idiot go down with the ship. Since the vulnerability is known, by however small a group, it’s a 0 day. If exploited, it’s a 0 day exploit. When it’s public knowledge, but not patched, it’s just an unpatched vulnerability, not a 0 day. If we use this terminology we can get past everyone claiming 0 day protection when they just block an unpatched vulnerability. Zero day can regain its mythical splendor as the representation of evil, unknown vulnerabilities that will cause planes to crash and erase the history of all financial records. Or screw up your browser, whichever you consider worse. There’s my last pitch. (In case I lose and we keep calling unpatched vulnerabilities 0 days, I propose “T- ” instead of less than zero day.) Share:

John Girard (a coworker) sent me this. I sometimes criticize vendors for bad practices. This is the opposite- taking customer service well beyond the customer’s expectations Share:

Arthur over at Emergent Chaos posted an amusing story on an organization’s reason for switching to Macs. It’s security. Just not necessarily what we mean when we say Macs are more secure. Yes- this company installed Windows on Intel Macs since Macs are more secure. We’re not talking virtualization or anything, but taking off OS X and installing Windows XP. I really never thought of that. (updated : direct link to the original story at deadbeat cafe) Share:

A little birdie pointed me to the latest post over at the Metasploit blog. For those of you that don’t know, Metasploit is the best thing to hit penetration testing since sliced bread. To oversimplify, it’s a framework for connecting vulnerability exploits to payloads. Before Metasploit it was a real pain to convert a new vulnerability into an actual exploit. You had to figure out how to trigger the vulnerability, figure out what you could actually do once you took advantage of the vulnerability, and inject the right code into the remote system to actually do something. It was all custom programming, so script kiddies had to sit idly by until someone who actually knew how to program made a tool for them. The Metasploit framework solves most of that by creating a standard architecture where you can plug the exploit in one end, then choose your attack payload on the other. Assuming you can script (or find) the exploit, Metasploit takes care of all the difficult programming to connect to convert that exploit into something that can actually do anything. New exploits and payloads appear on a regular basis, and the tool is so easy even an analyst like me can use it (web interfaces are just so friendly). Commercial equivalents used by penetration testers are Core Impact and Immunity Canvas. I tend to think the commercial versions are more powerful, but the open source nature of Metasploit means exploits usually appear faster, and it’s plenty powerful. Besides, any script kiddie (or analyst) can download it for free and be up and running in no time (full disclosure- I use Core Impact and Metasploit in live demos, and am on the Daily Dave email list run by Immunity). So what the heck does this have to do with turning off wireless? Metasploit is working on a module to transition kernel mode exploits into user mode. This is, say, exactly what you’d need to plug in a wireless driver hack on one side, and use that to create a reverse shell under root on the other. Sound familiar? This was one of the tricks Maynor demonstrated in the Black Hat wireless video (and why he didn’t need root). The kernel runs in ring 0- this is below any concept of a user account. Think of it as the world before root even exists. When you exploit something in the kernel you’ve bypassed nearly every security control and can do whatever you want, but since you’re running at such a low level, without any user accounts, the kinds of commands we’re used to are a lot more limited. You can’t list a directory because “ls” or “dir” don’t exist yet. If you want a reverse shell, to execute user commands, or whatever you need to convert that kernel mode access into userland access- where concepts like user accounts and shells exist. In Maynor’s case he dropped code in the kernel to create a reverse shell to his second system over a second wireless connection. Tricky stuff (so I hear, it’s not like I can do any of this myself). The Metasploit team specifically cites wireless driver hacks as one of their reasons for adding this to the framework. With confirmed vulnerabilities on multiple platforms and devices this could foretell a new wave in remote exploits- attacks where you just need to be in wireless (including Bluetooth) range, not even on the same network. I’ve heard underground rumors of even more vulnerabilities on the way in all sorts of wireless devices. The module isn’t complete, but everything in Metasploit tends to move fast. Based on this advancement I no longer feel confident in leaving my wireless devices running when they aren’t in use. I’m not about to shut them off completely, but my recommendation to the world at large is it’s time to turn them off when you aren’t using them. More device driver hacks are coming in 2007, and wireless will be the big focus. Share:

Before I delve into this topic I’d like to remind readers that I’m a Mac user and Apple fan. We are a 2 person, 2 Mac, 3 iPod, 2 Airport Express household, with another Mac in the plans this spring. By the same token I don’t think Microsoft is evil and consider some of their products to be quite good. That said I prefer OS X and have no plans to switch to Vista, although I’ll probably run it in a virtual machine on my Mac. What I’m about to say is in the nature of protecting, not attacking, one of my favorite vendors. Apple faces a choice. Down one path is the erosion of trust, lost opportunities, and customers facing increased risk. On the other path is increased trust, greater opportunities, and happy, safe, customers. I have a lot vested in Apple, and I’d like to keep it that way. As most of you probably know by now, Apple shipped a limited number of video iPods loaded with a Windows virus that could infect an attached PC. The virus is well known and all antivirus software should stop it, but the reality is this is an extremely serious security failure on the part of Apple. The numbers are small and damages limited, but there was obviously some serious breakdown in their security controls and QA process. As with many recent Apple security stories this one was about to quietly fade into the night were it not for Apple PR. In Apple’s statement they said, “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.”. As covered by George Ou and Amrit Williams, this statement is embarrassing, childish, and irresponsible. It’s the technical equivalent of blaming a crime victim for their own victimization. I’m not defending the security problems of XP, which are a serious epidemic unto themselves, but this particular mistake was Apple’s fault, and easily preventable. While Mike Rothman agrees with Ou and Williams, he correctly notes that this is just Apple staying on message. That message, incorporated into all major advertising and marketing, is that Macs are more secure and if you’d just switch to a Mac you wouldn’t have to worry about spyware and viruses. It’s a good message, today, because it’s true. I bought my mom a Mac and talked my sister into switching her small business to Macs primarily because of security. I’m overprotective and no longer feel my friends and family can survive on the Internet on XP. Vista is a whole different animal, fundamentally more secure than its predecessors, but it’s not available yet so I couldn’t consider that option. Thus it was iMac and Mac mini city. But when Apple sticks to this message in the face of a contradictory reality they expose themselves, and their customers, to greater risks. Reality is starting to change and Apple isn’t, and therein lies my concern. All relationships are founded on trust and need. (Amrit has another good post on this topic in business relationships). One of the keystones of trust is security. I like to break trust into three components: Intent: How do you intend to treat participants in a relationship? Capability: Can you behave in compliance with your intent? Communication: Can you effectively communicate both your intent and capability? Since there’s no perfect security we always need to make security tradeoffs. Intent decides how far you need to go with security, while capability defines if you’re really that secure, and communication is how you get customers to believe both your intent and capability. Recent actions by Apple are breaking their foundations of trust. As a business this is a critical issue; Apple relies heavily on trust to grow their market. Trust that their products work well, are simple to use, include superior capabilities, and are more secure. Apple’s message is that Macs are secure, simple, elegant, and reliable. Safe and secure is a powerful message, one that I suspect (based on personal experience) drives many switchers. When I told my cab driver today that Macs have no spyware or active viruses he was stunned. Should Apple lose either their intent to provide superior security, their capability to achieve security, or their ability to communicate either of those, they face reasonable risk of losing customers, or at least growth opportunities. Security, today, is one of Apple’s cornerstones. Anything that erodes it increases their business risks. At the same time, should communication disconnect from either intent or capability, Apple places then places both their trust relationship, and their customers, at risk. Take my favorite snake-oil salesmen at Diebold– by having no intent to secure their products and no security capabilities in their products, and communicating that the products are secure, they create huge potential for security failures. Less educated customers buy products thinking they’re secure, but the products are so flawed it places these customers (the voting public) at extreme risk. Software vendors have done this in the past- claiming products are secure and covering up failures in the hopes the customers and prospects won’t notice. Recent events indicate that Apple may stay on an impossible message (perfect security) and face failures in capability despite the best intent. The entire Black Hat debacle showed Apple pushing the message so hard that the debate lived far longer than needed, exposing more of the public to a potential security failure than would have otherwise noticed, drawing the attention of researchers who may now want to prove Apple isn’t invincible, and losing the trust of some of us in the industry disappointed by PR’s management of the incident. The iPod virus infections shows a lack of capability (security QA in shipping products) and poor communications (failure to take full responsibility). It’s a very small problem, but their arrogant approach to spinning the story lead me to question how they might respond to more serious issues. We have, over the course

I’ve noticed a marked decrease in the customer service from my phishers. Lately spam messages have been originating from “On-line Bank” and other generic addresses. Spelling mistakes are returning, and links no longer even pretend to go to a real bank’s site. Where’s the customer service guys? What’s wrong- is my business no longer important to you? Can’t you even make the effort to personalize your fraudulent messages and entice me with your ever-so-mangled, yet poetic, use of English? Phishing must be big business these days because, like other big businesses, they no longer seem to make the effort to acquire and retain customers through personal services. I really think I’m worth the effort. At least make me think you’re trying. Share:

Stiennon covered the McAfee/Onigma deal over at Threat Chaos this weekend. Although I knew about the deal I try and avoid vendor/industry coverage here at Securosis, and, to be honest, it really isn’t worth covering. (Onigma is tiny and agent based, not really the direction the market is heading, and by the time McAfee integrates the tech they’ll be WAY behind the ball). But Richard does make an interesting statement; defining data protection as leak prevention + encryption + device management. It’s a reasonable start, but far too narrow. For the past 5 years I’ve covered data security pretty exclusively; long before it was cool and sexy. Until recently data security’s been the red-headed step-child of the security world- always hanging out on the side of the playground, but the last kid you’d pick for your kickball team. These days that little red-head is all grown up, making his way through the early draft picks and getting read to go pro (take THAT you overused security metaphors). I like to define defensive security as four main security stacks (listed in a data/application centric order, you network guys tend to look at it differently): Host Security: a secure place to put stuff Data Security: securing the stuff Application Security: securing the things that access the stuff Network Security: securing the environment around the stuff On the data security side I took about two years to develop a framework to pull together the disparate technologies being thrown at the problem, from database encryption, to DRM, to activity monitoring. While I can’t dig in too deep here (since all that intellectual property is controlled by my employer), I can still outline the framework since, at this point, all the information’s been used in multiple press interviews and public presentations. The Data Security Hierarchy consists of: Content Monitoring and Filtering (sometimes called leak prevention) Activity Monitoring and Enforcement Logical Controls Encryption Enterprise DRM Access Controls These are just high-level general layers that sometimes encompass multiple technologies. CMF is usually a single technology, but, for example, there are about 10 different encryption technologies/markets. Overall there are about 20-30 different technologies shoved into the different layers, some with a very narrow scope (like portable device control), others with a pretty broad scope (like CMF). Data security isn’t just a bunch of additive technologies tossed together. Just as we spent the 90’s and early 00’s devising models, frameworks, and approaches to network security, we need to do the same for data security. Protecting data is very different from protecting networks and one of the bigger challenges in security in the coming years is to manage it strategically… …and it ain’t just encrypt everything. Share:

While I was out running around the country, turns out there was an interesting security article in my own backyard. Seems the local school system can’t keep up with those innovative students exploring their network. A students was caught after hacking a teacher’s computer to steal a copy of an upcoming test. “As a parent, I think it’s kind of scary all the technology, because the kids know more than we do,” she said. “They have different lines of communication compared to when we were growing up.” Haug added that it’s unfortunate that a student smart enough to hack into a computer did not put his intelligence to better use. But she said she is pleased that another student reported the hacker. “That’s pretty remarkable,” Haug said. “That says a lot about their morals and that they’re ethical enough to do that.” I suspect it was another kid hitting on the same girl, but I suppose even high school kids have their ethical moments. My brother in law works on the tech education side of a high school and has relayed some interesting stories about the problems of intelligent students on public education networks. At Symposium I met with a group from a school system struggling to limit access to MySpace and porn. The kids were avoiding URL filters by tunneling through their home computers. I used to work in higher ed, but that was in the days where we didn’t really care (well, I did, but not the higher admins). I really feel for those of you working in public schools. School boards and activist parents (the ones not very involved with their kids lives, who scream and rant at the school system for fun) hold witch trials, complete with the public burning at the end, if any student so much as glances at a stray boob. Not that theses kinds of parents actually monitor their kid’s Internet and TV usage at home, using it as an educational tool. When it comes to censorship, China has nothing on an inflamed school board. Here’s the problem. Smart teenage boys + technical skills + the Internet = boobs. You can take your best precautions, but you’ll never stop them. Every high school probably has one kid who can tunnel HTTP over SSH over DNS to their proxy at home and bounce out to MyBoobs.com. I made some suggestions to the clients that should reduce their exposure significantly, but also told them that if they’ll face disciplinary action if that smart kid goes public, they might as well polish up the resumes now. What’s a school district to do? Start by accepting you can’t control the Internet. Then install whatever reasonable security controls you can afford, especially a good URL filter and endpoint protection for teachers’ computers. Be smart about it- high school students will need to research breast cancer and read National Geographic; don’t low-ball and buy some tool that won’t even let them research Essex County. Most important? Educate teachers and parents. Parents should actively participate online with your kids. Nothing else will work. And there’s no humanly possible way to keep a teenage boy from his boobs. Trust me. Share:

Microsoft is making key changes to Vista to avoid antirust problems. They’re adding an API to PatchGuard, and loosening control on the Security Center. From the ZDNet article: In another change, Microsoft had planned to lock down its Vista kernel in 64-bit systems, but will now allow other security developers to have access to the kernel via an API extension, Smith said. Additionally, Microsoft will make it possible for security companies to disable certain parts of the Windows Security Center when a third-party security console is installed, the company said. … Microsoft will provide a way to ensure that Windows Security Center will not send an alert to a computer user when a competing security console is installed on the PC and is sending the same alert, the company said. Opening the kernel through a secure API is a reasonable idea- not as secure as a complete lockdown, but it does enable some valuable security tools outside of antivirus and host intrusion prevention that would have been locked out (like activity monitoring). MS would have had to do this eventually. I’m not as thrilled with the Security Center change- I want the operating system itself to warn me when core security functions are changing. In both cases I hope code signing will be required to limit hacker exploitation of these functions, but I doubt MS will be allowed to enforce it. Share:

Shimel has a good post on the whole 0day vulnerability thing. He nails it. This has been a pet peeve of mine for a long time. A real 0day isn’t the time from when a vulnerability is announced until a patch is released. A real zero day is a vulnerability no one knows about except those who discovered it. A zero day exploit is an attack against a non-public, unknown vulnerability. A real zero day is bad juju. It slices through any signature based security defenses since there’s no known signature. If it’s on a common port, and you don’t detect it through some sort of behavioral based or impact based technique (like the server dying), it’s hard or impossible to stop. A smart attacker with a true zero day implementing a targeted attack is extremely hard, if not impossible, to stop. Odds (for us) are a little better if they’re dumb enough to go for the mass exploit, thus setting off all sorts of alarms (maybe). There are very few true zero day attacks. Even fewer on a large scale. Be thankful they don’t happen more often. Those “0day” protection tools you bought or compiled on your own probably won’t help a whole lot. Layer the defenses, follow best practices, and realize you can’t stop them all. Share: