Securosis

Oracle Critical Patch Update, October 2008

The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to have been patched in every CPU during the last few years. All in all, the database modifications appear minor, so patch the databases according to your normal deployment schedules.

It does seem that every time I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the eBusiness Suite. As a security researcher, one of the tough chores is to figure out whether these vulnerabilities inter-relate, and if so, how any of them in conjunction with the others could pose a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that’s flagged as a high-risk item by itself. Without details, we cannot know whether the BEA bug is sufficient to compromise a web server and reach the associated vulnerable databases. The BEA plug-in was awarded Oracle’s highest risk score (10 out of 10), so if you’re using that Apache plug-in, PATCH NOW!

I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU #716387 (CVE-2008-3257). However, there is no mention of a workaround in this CERT advisory as there was with the previous attack, and in general Oracle is not very chatty about the specifics on this one. And I love the Teflon-coated catch-all phrase in the vulnerability ‘description’: “…which may impact the availability, confidentiality or integrity of WebLogic Server applications…”. Helpful! Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email as I would love to know more.

Trio Arrested on WalMart Error

Thankfully most criminals are not that bright. There is an article in the Arizona Republic this morning about a group of three Mexican nationals who were on a little shopping spree in the Valley of the Sun. The trio was going to various electronics retailers and making purchases with fake credit cards. The cards appeared to be legitimate card stock from legitimate Mexican banks, but carried account numbers from valid U.S. accounts. The trouble started when they bought a laptop from a WalMart, went out to the car, and found that the laptop was missing. The WalMart employees legitimately messed up: the box they handed the ‘customers’ was empty, and no one seemed to notice until after the group left the store.

In what I assume was an unintentional remake of the classic scene ‘Somebody ripped off the thing I ripped off’, they got mad and went back to the store to complain. Loudly. To the point where the WalMart employees called the cops, panic ensued, and the three ran out of the store flinging bogus credit cards around the parking lot … allegedly. Reports of their yelling ‘Whoop-whoop-whoop-whoop’ have not been independently confirmed. The three men were arrested and are being held on forgery and fraud charges pending an investigation.

The real question in my mind is where the valid credit card account numbers originated and who provided them. They were stolen from somewhere, and if the crooks had 19 cards made up, that should be enough to provide a statistically meaningful sample to match up with a point of origin. We have seen a lot of credit card number theft over the past several years, which tends to be highly publicized. We see much less on the use/fraud side. I am going to be interested to see what the police uncover … if it makes the news, that is.

Mail Goggles

Someone at Google has created Mail Goggles. It’s a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say …

[snip] “Sometimes I send messages I shouldn’t send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together,” [/snip]

And who hasn’t, really? It’s no wonder I am not smart enough to work at Google. I would never have thought this up, never mind actually coding it. I checked, and it’s really there, under the Labs section, along with a dozen or so other productivity tools.

I really think they could be onto something here … just consider this from a ‘Reputational Risk’ perspective; this could be a hot product for Postini. One too many Martinis with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your “spa day” executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if you’re too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon …

Symantec Buys MessageLabs

Well, I did not see this coming. Today Symantec Corp has agreed to acquire MessageLabs for $695 million. That represents close to a 5x multiple on $145M in revenue. While market conditions are not rosy, this price is not out of line for a segment leader who is seeing growth in the highly competitive email security market. This appears to be a good strategic move: they address their largest weakness in email security (SaaS), they can leverage the continued convergence of security offerings in messaging and data protection, and there is a substantial cross-selling opportunity. If memory serves, the 19,000 customers of MessageLabs represent a customer base an order of magnitude larger than the one Brightmail brought to the table in the 2004 acquisition. It’s hard for me to fault this acquisition.

The primary growth opportunity in the email sector appears to be on the hosted services side, and the bet here is being made that SaaS is the model for the future. Today you can get Brightmail as software, hosted email security or an appliance, so it’s not like you did not have the choice, but the focus was clearly not on SaaS. MessageLabs, along with Google’s Postini, are the current leaders in this space with hosted services. The danger for the vendors who offer email security as a service is the ease of migration from one platform to the next. It’s not like software or hardware purchases, where the investment and employee training create a degree of ‘stickiness’. The cost of migrating from one hosted email security vendor to the next is relatively low, and Symantec will be under immediate pressure to keep the MessageLabs customer base happy as they are in serious competition with Postini. Postini is dirt cheap, so failure to convey the overarching vision, or a significant alteration to pricing, could result in a very quick loss of customers. Still, I don’t see that happening, as Symantec offers a low-risk choice for many companies. A large, stable firm with strong commitment to the segment and the breadth of product offerings makes a compelling choice. Upstarts with better technology just cannot compete with the mature, high-availability, low-risk vendors.

As the other major growth opportunity in this segment is the convergence of messaging, web and DLP security feature sets, customers are more commonly viewing these as similar problems and want to address them with a unified solution. It is difficult for companies to offer highly competitive products in all areas, but Symantec is now able to take a leadership role in each.

And what does this mean for Brightmail? Undoubtedly this will be rolled out as a hybrid model for now, with at least a short-term commitment to existing customers. Symantec can hedge their bets on what the market will want in terms of technology for the short term. In response to John Thompson’s quote: yes, today’s customers have a great choice as far as the type of solution they choose, but my guess is the Brightmail investment will slowly atrophy, and Symantec will migrate customers onto the more profitable hosted platform.

Outsourced Email Security

In the last post on Email Security, I commented on how easy it is to add outsourced email security services onto your existing email security deployment. Adding an extra layer of anti-spam filtering on top of what you have not only increases the effectiveness of filtering, but also reduces the processing load on your existing hardware. But email security service vendors have been adding outbound email, data and web security offerings to their portfolio on top of their existing offerings, and these services solve different problems and offer different value propositions.

Most companies I speak with state that 95~97% of the email that hits their servers is spam. A large percentage contains viruses, spyware and inappropriate content. The switch is cost effective and ‘painless’ in terms of administration and maintenance, and the large service providers tend to have very current and effective solutions. But it is worth noting that the problem you are solving is not protecting sensitive corporate information, but rather keeping garbage out of your system. If you don’t see spam and your computers have not been infected, you have been successful.

From the customer’s perspective, outbound email security offers many of the same advantages as inbound. As most companies have a very positive experience with inbound service, adoption of an outbound email security service is a natural extension of those advantages you enjoy today. It takes very little work to route your outbound email to a third party provider. These providers offer a canned set of security policies out of the box so you can be up and running in minutes, in conjunction with well designed web interfaces to customize and tune email (or even web security) policies. But the problem set being addressed is very different: intellectual property leakage, use of private customer information, inappropriate content, violation of corporate policies and even bot-net detection. These problems are more complex and require policy and system verification.

Just because you outsourced the operation does not mean you removed the responsibility of audit and security verification of the system itself. Specifically, what do I mean by that? If all of your corporate correspondence is being routed through a third party provider, you need to make sure that they are secure, and that their policies are in line with yours. Remember, the information you are sending out is all of your corporate email, your policies for enforcement, and possibly all of the web browsing history. The service providers offer add-on email retention services for ‘compliance’, but as some of the data is stored for their own backup and recovery processes, your data will be stored for some period of time. How is privacy maintained? Who has access to the data? Is there verification of integrity? When and how is the data disposed of?

What the vendor will be selling you is the filtering service, the administrative interface, and the storage. What you need to ask for is their security policy, their data retention and data destruction policies, and audit reports for changes in permissions, data access and alterations to your data. The vendor will provide you a report on what was filtered and blocked according to policy; in addition you need reports on the operational controls around the system. If these services are being marketed to you as ‘must-have’ for compliance, then the vendor must be able to provide their own policies and audit trail of their service. The vendor will need to provide some degree of transparency about their methods and processes in general, and specifics on who or what has access to your data. I know a lot of this sounds incredibly obvious, but I have yet to run across a company who has requested this information from their outbound email security provider.

FAIL!

Say you are an on-line retailer: Do you ever check to make sure your web site functions? If you don’t, start! Here are a few examples of why this is a good idea:

Failure 1: When you email out a promotional flyer to your user community, but the promotional form rejects the user login because the user email account you mailed the flyer to cannot be found in your database, odds are your sales response is not going to meet expectations.

Failure 2: When your on-line order form rejects purchases because the zip code does not match the state, but your web form lacks an entry for state, odds are your sales response is going to be nil. State of confusion …

Failure 3: When your customer wants to do you the courtesy of pointing out some flaws that may limit revenue, the form you ask the customers to fill out should actually exist. Presenting potential customers with a FAQ when they click a form submission link is in essence telling them ‘RTFM!’, and a great way to alienate your want-to-be buyers.

When you are in a highly competitive market segment, you really want to check your web site for obvious bugs before the last day of the quarter. Wake up, Parallels!!!

P.S. I should say that if it was not for an exceptionally nice sales rep named Melinda, this effort would have been abandoned.

Friday Summary

The Securosis team is attempting to regroup and prepare for a busy Q4. It took three full days, but I am fully migrated into the Mac universe and engaged in a couple of research projects. Now productive, I can finally start work on a couple of research projects. Rich has left HQ in search of coffee, quiet and a security muse while he catches up on writing projects and white papers. But even though we have a short-term ban on travel and conferences, there is a lot to talk about. Here is our summary of this week’s blogs, news and events.

Webcasts, Podcasts, and Conferences:
  • This week on the Network Security Podcast 123, guests Robert “Rsnake” Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security discuss their new clickjacking exploit.

Favorite Securosis Posts:
  • Rich: Impact of the Economic Crisis on Security. It doesn’t matter if you are a vendor or practitioner, we’ll feel the effects of this crisis, but in a predictable way.
  • Adrian: Email Security. It’s getting cheaper, faster and easier to implement, but with some potential privacy issues depending on how you go about it.

Favorite Outside Posts:
  • Adrian: Brian Krebs’ post on lawsuits against ‘Scareware Purveyors’. Finally. Infecting someone’s machine with spyware and using it as a marketing and sales conduit is akin to stealing in my book. Now if they would only go after the purveyors of this scare tactic.
  • Rich: Fyodor explains (probably) the looming TCP attack. Fyodor, creator of NMAP, does an excellent job of explaining how the big TCP DoS attack likely works.

Top News:
  • The recovery bill. Lawmakers look panicked, and the market goes down every time they get close to a ‘solution’.
  • The TCP Denial of Service attack. Nothing to panic about, and we’ll write more on it, but very interesting.

Blog Comment of the Week: Chris Pepper’s comment on Rich’s “Statistical Distractions” post:

[snip] … I refuse to use unencrypted email, but that’s to the SMTP/IMAP/POP/webmail server. But for email we have to keep in mind that the second hop – to the destination SMTP server – is almost always plaintext (unencrypted SMTP). So it’s more about protecting the account credentials than about protecting the email itself, but someone gaining full access to my whole multi-gigabyte mail store would really really suck. … [/snip]

Now, I am off to The Office for the Securosis weekly staff meeting. We hope you all have a great weekend.

What to Buy: Part Three

Finally took the plunge last week: I went out and bought a Mac. Actually, I bought a couple of them. That was not what I originally intended, as my plan was to get a top-of-the-line MacBook Pro and a high-end monitor to go with it. But every time I sat down in front of my wife’s iMac, I was really impressed with the quality of the display and the simplicity of the machine itself. When I learned the 24-inch version had the Core 2 Duo at 3GHz, I was sold. Given the amount of travel I do I needed a laptop, so I picked up an entry-level MacBook as well. It worked out about even money as far as hardware costs, and it will only cost me a little more for software, so I kind of feel like I got two for one.

For the last week I have not been blogging all that much, as I have spent every waking hour moving files, downloading software, installing, configuring, and learning a bunch of new applications. I don’t think I have bought this much personal software before. And with Rich and myself reworking the Securosis infrastructure at the same time, it has been a hectic week. For those who do not know me: I started my career with UNIX; moved to CTOS; then a mixture of Windows, UNIX, and Linux for about 5 years; but over the last 8 years it has been almost all Windows PCs. So learning a new OS is no big deal, and the UI design on the Mac is pretty darn easy, which has helped smooth the transition. But I must say I am glad that there is a UNIX-based OS sitting underneath … it makes me feel a little more comfortable and made the learning process faster. I wanted to share the experience as I was wondering if some people had come to the same conclusions that I have about the Apple products.

First the MacBook: The MacBook is nice-looking, but nothing all that spectacular IMO. While the 2.4GHz Intel processor is fast and I like the OS, the keyboard is decidedly ordinary and the display is really not all that great. Contrast, color saturation and accuracy are all pretty poor. I tried to calibrate as best I could without tools, but I think I am only going to get so far with this effort. My real concern at the moment has been stability. I have only been running the machine for a couple of days and Mail has hung twice, and the machine would not respond to shutdown requests. I installed all of the patches I could and hopefully that will help. I also upgraded the machine to 4GB, and when I did, I found an interesting white residue caked on the pins of the DIMMs. I am wondering if the installers are putting talc or something on the pins to make insertion easier, but there was so much I have to wonder if there were memory errors. It seems to be more stable now and I am hoping for the best.

The iMac: in a word, WOW! It is the nicest machine I have ever owned. Fast. Put 4 gig of memory in it. The aluminum keyboard has a great feel to it. I keep looking for the right mouse button, but that’s OK, I am retraining myself. But the most amazing thing about this box is the monitor. 24 inches of real estate. The color, depth and detail are stunning. It’s fun just to look at the pre-supplied backgrounds. And everything has worked without a hitch. Software installed in a fraction of the time of other platforms. The one time I messed up I simply dragged the application to the trash, started from scratch, and was done in two minutes. The only anomaly I found is that the machine is spec’ed for DDR2 800, but came with DDR2 667. Other than that, perfect.

The MacBook is nice, but the iMac is why I am beyond happy. Hard for me to imagine that this is true, given the long line that I had to wait in when I went to the Apple store. Plus I know 5-6 people who just switched to Macs, and half the people I know are saving up to get iPhones. With a product that is this solid, I don’t think that they have a lot to worry about.

Oracle DBAs and Security

This is a very interesting article by Robert Westervelt over at TechTarget, and I wanted to make a couple of follow-on comments. Way back when, as a DBA, my morning ritual was to get into the office, grab a cup of coffee, and review the database and web app logs. I just wanted to make sure that the databases were running smoothly and there was nothing unusual going on. I had a single web app and 5 or so databases. It took about 30 minutes. But that was pre-tech collapse, when DBAs only had 10 or so databases to manage. If you are managing 100 or more databases, you are not reviewing logs on a regular basis without automation. Whether it be security, systems management or configuration management, you have to have help. And today, you are buying a tool for each, and of those, 2 of the 3 are not typically supplied by the database vendor or the tools vendor. We talk a lot about security products for databases here at Securosis, but few of them operate the way that DBAs and IT operations personnel want them to work. Yes, I understand separation of duties and I understand that the DBA is not the best person to provide security analysis, but still, a single platform to provide all these operational aspects would make sense.

I used to love to go to the IOUG events around the country. I used to give presentations at some, but I wanted to go because I always learned something from the lectures or presentations. There was such a wealth of knowledge, and when you have hundreds of DBAs with unique problems and willing to experiment, they often run across very cool solutions. I ran across some Perl scripts once for data discovery that were really amazing, and I borrowed from this source as much as I could. It dawned on me that Oracle has an amazing resource here and does not leverage it for either their own or their users’ benefit. The model I am thinking of is Firefox and the community plug-ins. It would be nice to have the ability to browse and download utilities from the community at large and try them out. OEM could really use that kind of lightweight option. And, yes, this means I have my doubts that Fusion Middleware is going to be leveraged by the people that manage Oracle platforms and databases.
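As an added example of the kind of log-review automation the post says a DBA with 100+ databases cannot do without (this is not code from the post, not an Oracle tool, and not one of the community scripts mentioned), the Python script below parses a small set of constructed audit records in a simplified, made-up layout and flags three things a person would otherwise have to spot by eye: a burst of failed logons for one user from one host, a successful logon right after such a burst, and privileged actions (GRANT, DROP and the like) outside a change window. The record format, the database and host names, the thresholds and the sample data are all assumptions made for this example.

```python
"""Automated review of database audit records (added example, constructed data).

Record format is a simplified, made-up layout, not Oracle's real audit trail:
    <ISO timestamp> <database> <user> <client host> <action> <return code>
A return code of 0 means the action succeeded; anything else is a failure.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample records: eleven events across three hypothetical databases.
SAMPLE_AUDIT = """\
2008-10-14T07:58:03 orcl01 APP_USER app-srv-1 LOGON 0
2008-10-14T07:59:10 orcl02 REPORTS app-srv-2 LOGON 0
2008-10-14T08:01:15 orcl01 SYS dba-ws-7 GRANT 0
2008-10-14T13:02:42 orcl03 SYSTEM dba-ws-7 GRANT 0
2008-10-14T22:10:01 orcl01 APP_USER unknown-host LOGON 1017
2008-10-14T22:10:03 orcl01 APP_USER unknown-host LOGON 1017
2008-10-14T22:10:05 orcl01 APP_USER unknown-host LOGON 1017
2008-10-14T22:10:07 orcl01 APP_USER unknown-host LOGON 1017
2008-10-14T22:10:09 orcl01 APP_USER unknown-host LOGON 1017
2008-10-14T22:11:00 orcl01 APP_USER unknown-host LOGON 0
2008-10-14T23:30:00 orcl02 SYS dba-ws-7 DROP 0
"""

# Review thresholds: assumptions for this example, tune them per environment.
FAIL_THRESHOLD = 5                          # failed logons per (db, user, host) ...
FAIL_WINDOW = timedelta(minutes=10)         # ... within this sliding window
CHANGE_WINDOW = (time(8, 0), time(18, 0))   # privileged actions are expected here
PRIVILEGED_ACTIONS = {"GRANT", "REVOKE", "DROP", "ALTER", "CREATE"}


@dataclass
class AuditRecord:
    ts: datetime
    db: str
    user: str
    host: str
    action: str
    rc: int


@dataclass
class Finding:
    kind: str
    db: str
    user: str
    host: str
    ts: datetime


def parse_audit(text: str) -> list[AuditRecord]:
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, db, user, host, action, rc = line.split()
        records.append(AuditRecord(datetime.fromisoformat(ts), db, user, host, action, int(rc)))
    return records


def review(records: list[AuditRecord]) -> list[Finding]:
    """Apply the three review rules in timestamp order and return the findings."""
    findings: list[Finding] = []
    recent_failures: dict[tuple, list[datetime]] = defaultdict(list)
    burst_keys: set[tuple] = set()   # keys that have already tripped the burst rule

    for r in sorted(records, key=lambda rec: rec.ts):
        key = (r.db, r.user, r.host)
        if r.action == "LOGON":
            if r.rc != 0:
                window = recent_failures[key]
                window.append(r.ts)
                # Slide the window: forget failures older than FAIL_WINDOW.
                while window and r.ts - window[0] > FAIL_WINDOW:
                    window.pop(0)
                # Report once, at the moment the threshold is reached.
                if len(window) == FAIL_THRESHOLD:
                    burst_keys.add(key)
                    findings.append(Finding("failed_logon_burst", *key, r.ts))
            elif key in burst_keys:
                # A success right after a burst is the part that deserves a human's attention.
                burst_keys.discard(key)
                findings.append(Finding("success_after_burst", *key, r.ts))
        elif r.action in PRIVILEGED_ACTIONS and r.rc == 0:
            if not (CHANGE_WINDOW[0] <= r.ts.time() < CHANGE_WINDOW[1]):
                findings.append(Finding("privileged_outside_window", *key, r.ts))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per database so a fleet of 100+ can be triaged at a glance."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.db] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review(parse_audit(SAMPLE_AUDIT))
    for f in found:
        print(f"{f.ts.isoformat()} {f.db:7} {f.kind:26} user={f.user} host={f.host}")
    print("per-database totals:", summarize(found))
```

Run against the constructed sample, the script reports the five-failure burst from unknown-host, the success that follows it a minute later, and the late-night DROP on orcl02, and leaves the two daytime GRANTs from the DBA workstation alone. The burst rule fires exactly once per burst rather than on every subsequent failure, which is what keeps a script like this readable over a morning coffee instead of turning into a second log.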


Let’s Play: Name That Regulation!

What do you think our new financial law will be? What piece of legislation will be enacted by our government to protect us from the greed that caused this current financial crisis? Last time it was Sarbanes-Oxley. Who will be the poster child for our current financial crisis? Who will be the “Keating 5” this time around? You know it is coming. It has every other time greed has torpedoed our economy. And it is an easy target for any politician when there is only one side to an issue. I mean, how many voters are pro-financial crisis?

I am actually asking this as a serious question. I am really at a loss for a plan of action that would be effective in stopping financial institutions from making bad loans, or for how the government could effectively regulate and enforce. The typical downside to bad business practices (falling stock value, bankruptcy) has been nullified with mergers and government funding. In this case the greed seemed to be evident from top to bottom, and not just within a company or region, but the entire industry: from the financial institutions to the buyer and most of the parties in between. Yes, lenders skirted process and sanity checks to be competitive, but it took more than one party to create this mess. Buyers wanted more than they could afford, and eagerly took loans that led to financial ruin. Real estate agents writing the deals as fast as they could. Mortgage brokers looking for any angle to get a loan or re-fi done. Underwriters in absentia. Appraisers ‘making value’ to keep business flowing their way. You name it, everyone was bending the rules.

So that really is the question on my mind: what will comprise the new regulation? How do you keep businesses from saying ‘no’ to new business? How do you keep competitive forces at bay to reduce this type of activity from happening again? My guess about this (and why I am blogging about it) is that enforcement of this yet-to-be-named law will become an IT issue. Like Sarbanes-Oxley, much of the enforcement, controls and systems, along with the separation of duties necessary to help with fraud deterrence and detection, will be automated. Auditors will play a part, but the document control and workflow systems that are in place today will be augmented to accommodate it.

Let’s play a game of ‘trifecta’ with this … put down the name of the company who you think will be the poster child for this debacle, the name of the politician who will sponsor the bill, and the law that will be proposed. I’ll go first:

  • Poster Child: CountryWide
  • Politician: John McCain
  • Law: 3rd party creditworthiness verifications and audit of buyers

If you win I will get you a Starbucks gift card, or drinks at RSA 2010, or something.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.