Research

After a mostly miserable winter, at least in terms of the weather, spring is here. And some days it feels like summer. This past weekend was awesome. A little hot, but nice. Sun shining. Watching the kids play LAX. Dinner/drinks to celebrate two of my best friends completing a trail marathon. Yes, they ran 26.2 miles through the woods. I didn’t say my friends were overly bright, did I? What I didn’t wear was sunscreen. So when you check out the Firestarter we recorded Monday, you will see I spent some time in the sun. I guess I shouldn’t be surprised – I do this every year. I just forget. It’s doesn’t feel that hot. The sun isn’t that strong. Until I’m getting ready for bed and I look like a tomato. Evidently the sun is that strong. And it was that hot. So the farmer sunburn is in full effect. When I think of sunscreen I always think of an awesome column by Mary Schimich, which was wrongly attributed to Kurt Vonnegut for years. It’s not quite Steve Jobs’ commencement speech, but it’s pretty good. Because it reminds us of the important stuff, like wearing sunscreen. She also reminds us to not worry. Worrying is not important, and it doesn’t help you do anything anyway. If it’s out of your control then what can you do? If it is within your control, then fix it. We also shouldn’t waste time on jealousy or competing with folks. It’s not a race. Not with anyone else anyway. It is about consistent improvement, and being the best you that you can be. At least that’s the way I try to live. But the title of that speech is “Advice, like youth, probably just wasted on the young”. Which is exactly right. I couldn’t understand the logic of wearing sunscreen when I was 22. Just like I couldn’t understand why I shouldn’t worry about what I have or haven’t accomplished. Nor could I understand the importance of living right now – not tomorrow, and certainly not reliving yesterday. I couldn’t understand that stuff, and if you’re 22, you probably have no idea what I’m talking about. But at some point you will, and the folks in my age bracket probably understand. I wouldn’t go back in time because I didn’t know anything. And it turns out I am actually in better physical shape, and can afford better beer now than 25 years ago. I finally understand what’s important and can appreciate how every setback taught me something I use almost every day. Cool, huh? By the way, that doesn’t mean I will wear sunscreen next spring either. But at least I’ll have the perspective to laugh at the fact that I do the same stuff every year, as I reach for the aloe. –Mike Photo credit: “Use plenty of sunscreen originally uploaded by Alex Liivet Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Advanced Endpoint and Server Protection Quick Wins Detection/Investigation Prevention Assessment Introduction Newly Published Papers Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Revisiting monoculture: Dan Geer is at it again. One of our preeminent security thinkers is back on the monoculture theme, revisiting his position that any single component used by a majority of technology users represents undue risk. Back in 2003 Dan talked about the risks of Windows dominance. He was right and still is. Now he has applied the monoculture concept to OpenSSL, which was the component that enabled Heartbleed. The reality is, these base components are everywhere. You probably remember that SQL*Slammer leveraged the Jet database. You didn’t buy the Jet DB? Of course you did! It was just built into stuff you wanted. Same deal with OpenSSL, and about a zillion other components that are built in everywhere. Is there a way to contain this kind of risk? Or at least understand it? Um, ask Josh Corman. – MR Sometimes good enough is… Does anyone outside the SIM card alliance really think that Host Card Emulation – mobile app software that mimics a secure element function – is not a threat to their hardware strategy? For that matter, does anyone really believe that HCE is not secure enough for EMV payments? While mobile carriers and device manufactures fumble about putting different secure elements with capabilities on a subset of devices and call that a standard, firms like Apple and Square will simply deliver a seamless, consistent, user-friendly payment experience for most mobile devices. Sure, SIM cards are more secure, but when we are talking about basically one credit card per mobile device, HCE solutions do not need to provide infallible security to be

Windows XP’s recent end of life has garnered a bit of industry recognition. Mostly from vendors pushing controls to lock down the ancient operating system. Folks who are stuck on XP are, well, stuck. And now there is a new exploit in the wild that takes advantage of IE, so what are XP users to do? About 30% of all desktops are thought to be still running Windows XP and analysts have previously warned that those users would be vulnerable to attacks from cyber-thieves. Microsoft has suggested businesses and consumers still using the system should upgrade to a newer alternative. Twist in the wind, that’s what, at least according to Microsoft. That’s their answer: upgrade. If that’s not an option, lock down the device using a technology like privilege management or full application whitelisting. If those aren’t options either, you had better get some good forensics tools, because those devices will be owned. Sooner rather than later. This is the first unpatched XP issue in the new regime. It won’t be the last. Photo credit: “Four storms and a twister” originally uploaded by JD Hancock Share:

What’s a couple hundred gigabits per second of traffic between friends, right? Because that is the magnitude of recent volumetric denial of service attacks, which means regardless of who you are, you need a plan to deal with that kind of onslaught. Regardless of motivation attackers now have faster networks, bigger botnets, and increasingly effective tactics to magnify the impact of their DDoS attacks – organizations can no longer afford to ignore them. In Defending Against Network-based Distributed Denial of Service Attacks we dig into the attacks and tactics now being used to magnify those attacks to unprecedented volumes. We also go through your options to mitigate the attacks, and the processes needed to minimize downtime. To steal our own thunder, the conclusion is pretty straightforward: Of course there are trade-offs with DDoS defense, as with everything. Selecting an optimal mix of defensive tactics requires some adversary analysis, an honest and objective assessment of just how much downtime is survivable, and clear understanding of what you can pay to restore service quickly. We owe a debt of gratitude to A10 Networks for licensing this content and supporting our research. We make this point frequently, but without security companies understanding and getting behind our Totally Transparent Research model you wouldn’t be able to enjoy our research. Check out the paper’s permanent landing page, or download it directly (PDF). Share:

I can certainly empathize with folks who suffer from burnout, in any occupation. It is miserable and clinical and not to be minimized or swept under the rug. But if this whole mindfulness approach has shown me anything, it is that we control how we respond to situations. So yes, security is a tough job. Yes, you probably can’t win. Yes, your senior management has no idea what you do and can’t understand your value. But that doesn’t mean you should go reaching for the hemlock at the first opportunity. You have to be able to handle the job – good, bad, and ugly – on a daily basis. Or find something else to do. And I say that from a position of kindness, not to be a dick. If you can’t find happiness, engagement, and a sense of accomplishment from your career, get a new career.   Krypt3ia posts his perspectives on the burnout issue. I am pretty sure he isn’t coming from a place of kindness but he delivers the facts. In order to survive and possibly even thrive doing security, you need to understand the job. And Scot has a great summary in a few bullet points: – It is your job to inform your client/bosses of the vulnerabilities and the risks – It is your job ONLY to inform them of these things and to recommend solutions – Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks – Your job is done (except if you are actually making changes to the environment to fix issues) Did you get that last one? Your job is done. Remember the Serenity prayer? I don’t care if you kneel at the alter of the Flying Spaghetti Monster or nothing at all – if you know the difference between what you control and what you don’t, you have a chance. If you don’t, then you don’t. Photo credit: “Nice Cup of Hemlock?” originally uploaded by Kova Shostakovich Share:

It is interesting to see the concept of mindfulness enter the vernacular. For folks who have read the Incite for a while, I haven’t been shy about my meditation practice. And next week I will present on Neuro-Hacking with Jen Minella at her company’s annual conference. I never really shied away from this discussion, but I didn’t go out of my way to discuss it either.   If someone I was meeting with seemed receptive to talking about it, I would. If they weren’t, I wouldn’t. I doesn’t really matter to me either way. Turns out I found myself engaging in interesting conversations in unexpected places once I became open to talking about my experiences. It turns out mindfulness is becoming mass market fodder. In our Neuro-Hacking talk we reference Search Inside Yourself, which describes Google’s internal program, which is broadening into a mindfulness curriculum and a variety of other resources to kickstart a practice. These materials are hitting the market faster and faster now. When I was browsing through a brick and mortar bookstore last weekend with the Boy (they still exist!), I saw two new titles in the HOT section on these topics. From folks you wouldn’t expect. 10% Happier is from Dan Harris, a weekend anchor for ABC News. He describes his experiences embracing mindfulness and meditation. I am about 75% done with his book, and it is good to see how a skeptic overcame his pre-conceived notions to gain the aforementioned 10% benefit in his life. I also noticed Arianna Huffington wrote a book called Thrive, which seems to cover a lot of the same topics – getting out of our own way to find success, by drawing “on our intuition and inner wisdom, our sense of wonder, and our capacity for compassion and giving.” At this point I start worrying that mindfulness will just be the latest in a series of fads to capture the public’s imagination, briefly. ‘Worry’ is probably the wrong word – it’s more that I have a feeling of having seen this movie before and knowing it ends up like the Thighmaster. Like a lot of fads, many folks will try it and give up. Or learn they don’t like it. Or realize it doesn’t provide a quick fix in their life, and then go back to their $300/hr shrinks, diet pills, and other short-term fixes. And you know what? That’s okay. The nice part about really buying into mindfulness and non-judgement is that I know it’s not for everyone. How can it be? With billions of people on earth, there are bound to be many paths and solutions for people to find comfort, engagement, and maybe even happiness. And just as many paths for people to remain dissatisfied, judgmental, and striving for things they don’t have. I guess the best thing about having some perspective is that I can appreciate that nothing I’m doing is really new. Luminaries and new-age gurus like Ekhart Tolle and Deepak Chopra have put a new coat of paint on a 2,500 year old practice. They use fancy words for a decidedly unfancy practice. That doesn’t make it new. It just makes it shiny, and perhaps accessible to a new generation of folks. And there’s nothing wrong with that. –Mike Photo credit: “Wet Paint II originally uploaded by James Offer Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Introduction NoSQL Security 2.0 Introduction Defending Against Network Distributed Denial of Service Attacks Mitigations Magnification The Attacks Introduction Advanced Endpoint and Server Protection Quick Wins Detection/Investigation Prevention Assessment Introduction Newly Published Papers Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing What CISOs Need to Know about Cloud Computing Incite 4 U Questions driving the search for answers: Whatever you are doing, stop! And read Kelly White’s 3-part series on Questioning Security (Part 1, Part 2, and Part 3). Kelly’s main contention is that the answers we need to do security better are there, but only if we ask the right questions. Huh. Then he provides a model for gathering that data, contextualizing it, using some big data technologies to analyze it, and even works through an example or two. This echoes something we have been talking about for a long time. There is no lack of data. There is a lack of information to solve security problems. Of course a lot of this stuff is easily said but much harder to do. And even harder to do consistently. But it helps to have a model which provides a roadmap. Without some examples to make the model tangible you woon’t even know where to start. So thank Kelly for a piece of that. Now go read the posts. – MR Bounties on open source security flaws: The Veracode blog’s latest post is thought-provoking, asking whether it is time to Crowdfund Open Source Software.

Akamai’s research team has an interesting post on how attackers now use web proxies to shield their identities when launching DDoS attacks. Using fairly simple web-based tools they can launch attacks, and by routing the traffic through an exposed web proxy they can hide the bots or other devices performing the attacks. 234 source IP addresses is a surprisingly low number when considering the duration of the collected data (one month), further analysis into the data revealed that out of the 234 IPs, 136 were web proxies – this explains the low number of source IPs – attackers are using web proxies to hide their true identity. In order to understand the nature of these web proxies, we analyzed the domain (WHOIS) information as well as certain HTTP headers and discovered that 77% of all WebHive LOIC attack traffic came from behind Opera Mini proxy servers. So the hackers are abusing Opera’s mobile browser system to launch their attacks. Akamai tracked that back to the devices, which were largely in Indonesia. But were they? Were other obfuscation techniques used to further hide the attackers? Who knows? It doesn’t really matter. The Akamai researchers go on to talk about blocking attackers’ source IP addresses. Of course that requires you to be pretty nimble, able to mine those IP addresses, and to get blocks configured on your network gear (or within your scrubbing service). Then they talk about using WAF rules to protect applications by blocking DoS tools. And blocking HTTP from well-known DoS apps, assuming the attackers aren’t messing with headers.   Understand that blocking some of these IP addresses and applications may result in dropping legitimate sessions from legitimate former customers. Because people who cannot complete a transaction will find a company which can. So it becomes a balance of loss, between downtime and failed transactions. Akamai doesn’t mention built-in application defenses (as discussed in our AppDoS paper), but that’s okay – when you have a hammer, everything looks like a nail. Photo credit: “Hide & Seek” originally uploaded by capsicina Share:

It was a crummy winter. Cold. Snowy. Whiplash temperature swings. Over the past few weeks, when ATL finally seemed to warm up for spring (and I was actually in town), I rejoiced. One of the advantages of living a bit south is the temperate weather from mid-February to late November. But there is a downside. The springtime blooming of the flowers and trees is beautiful, and brings the onslaught of pollen. For a couple weeks in the spring, everything is literally green. It makes no difference what color your car is – if it’s outside for a few minutes it’s green. Things you leave outside (like your deck furniture and grill), green. Toys and balls the kids forget to put back in the garage when they are done. Yup, those are green too. And not a nice green, but a fluorescent type green that reminds you breathing will be a challenge for a few weeks.   Every so often we get some rain to wash the pollen away. And the streams and puddles run green. It’s pretty nasty. Thankfully I don’t have bad allergies, but for those few weeks even I get some sniffles and itchy eyes. But XX2 has allergies, bad. It’s hard for her to function during the pollen season. Her eyes are puffy (and last year swelled almost shut). She can’t really breathe. She’s hemorrhaging mucus; we can’t seem to send her to school with enough Sudafed, eye drops, and tissues to make it even barely comfortable. It’s brutal for her. But she’s a trooper. And for the most part she doesn’t play outside (no recess, phys ed, and limited sports activities) until the pollen is mostly gone. Unless she does. Last night, when we were celebrating Passover with a bunch of friends, we lost track of XX2. With 20+ kids at Seder that was easy enough to do. When it was time to leave we found her outside, and she had been playing for close to an hour. Yeah, it rained yesterday and gave her a temporary respite from the pollen. But that lulled her into a false sense of security. So when she started complaining about her eyes itching a bit and wanted some Benadryl to get to sleep, we didn’t want to hear about it. Yes, it’s hard seeing your child uncomfortable. It’s also brutal to have her wake you up in the middle of the night if she can’t breathe and can’t get back to sleep. But we make it clear to all the kids that they have the leeway to make choices for themselves. With that responsibility, they need to live with the consequences of their choices. Even when those consequences are difficult for all of us. But this will pass soon enough. The pollen will be gone and XX2 will be back outside playing every day. Which means she’ll need to learn the same lesson during next year’s pollen onslaught. Wash, rinse, repeat. It’s just another day in the parenting life. –Mike Photo credit: “I Heart Pollen!” originally uploaded by Brooke Novak See Mike Speak Mike will be moderating a webcast this coming Thursday at 2pm ET, discussing how to Combat the Next Generation of Advanced Malware with folks from Critical Assets and WatchGuard. Register here: http://secure.watchguard.com/how-to-survive-an-apt-attack-social.html Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Introduction NoSQL Security 2.0 Introduction Defending Against Network Distributed Denial of Service Attacks Mitigations Magnification The Attacks Introduction Advanced Endpoint and Server Protection Quick Wins Detection/Investigation Prevention Assessment Introduction Newly Published Papers Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing What CISOs Need to Know about Cloud Computing Incite 4 U Traitors are the new whistleblowers: A good thought-provoking post by Justine Aitel on how security needs to change and evolve, given some of the architectural and social disruptions impacting technology. She makes a bunch of points about how the cloud and the “compete now/share first/think later mentality, “ impacts risk. It comes back to some tried and true tactics folks have been talking about for years (yes, Pragmatic CSO reference). Things like communications and getting senior folks on board with the risks they are taking – and ignorance is no excuse. She also makes good points about new roles as these changes take root, and that’s where the traitors and whistleblowers in the title comes from. Overall her conclusion: “This game is no longer just for us nerds” rings true. But that’s not new. Security has been the purview of business folks for years. It’s just that now the stakes are higher. – MR A glimpse of DBSec’s future: From a database design perspective, the way Facebook is customizing databases to meet their performance needs is a fascinating look at what’s possible with modular, open source NoSQL platforms. Facebook’s goals are performance related,

I have to admit the USAirways porno tweet had me cracking up. Business Insider has good coverage (even including the NSFW link, if you are a glutton for well, whatever). It was funny not because of the picture, but as an illustration of how a huge corporation could have its brand and image impacted by the mistake of one person. Also because it didn’t happen to me. I assure you the executive suite at the company did not think this was funny, at all.   But it highlights the need for much greater control of social media. With advertising there are multiple layers of approval before anything ever hits the airwaves – and we still have branding fiascos. Social media changes the rules. One person can control a very highly followed account, and that person’s device can be attacked and compromised – giving attackers free reign to behave badly and impact the brand. Or a malicious insider could do the same. Or just plain old human error. It happens all the time, but not like the USAir tweet. That went viral fast, and the damage was done even faster. It’s like Pandora’s Box. Once it’s open, you shouldn’t try to put a plane in it. (Sorry, had to…) I know you have to move fast with social media. But folks will be lampooning USAirways for years over this. I don’t think their real-time response to the customer outweighs the downside, or that a little check and balance would be a terrible thing – if only to make sure you have multiple eyes on the corporate social media accounts. Photo credit: “Cannot Unsee” originally uploaded by Lynn Williams Share:

Yeah, we hit on the Heartbleed vulnerability in this week’s FireStarter, but I wanted to call attention to how Akamai handled the vulnerability. They first came out with an announcement that their networks (and their customers) were safe because their systems were already patched. Big network service providers tend to get an early heads-up when stuff like this happens, so they can get a head start on patching. They were also very candid about whether they have proof of compromise: Do you have any evidence of a data breach? No. And unfortunately, this isn’t “No, we have evidence that there was no breach of data;” rather, “we have no evidence at all.” We doubt many people do – and this leaves data holders in the uncomfortable position of not knowing what, if any, data breaches might have happened. Sites using Akamai were not measurably safer – or less safe – than sites not using Akamai. So kudos are due Akamai for explaining the issue in understandable terms, discussing their home-grown way of issuing and dealing with certs, discussing the potential vulnerability window before they started patching, and owning up to the fact that they (like everyone else) have no idea what (if anything) was compromised. Then they assured customers they were protected. Unless they weren’t. Over the weekend a researcher pointed out a bug in Akamai’s patch. Ruh Roh. But again, to Akamai’s credit, they came clean. They posted an update explaining the specifics of the buggy patch and why they were still exposed. Then they made it clear that all the certs will be re-issued – just to be sure. As a result, we have begun the process of rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer. It is okay to be wrong. As long as an organization works diligently to make it right, and they keep customers updated and in the loop. Preferably without requiring an NDA to figure out what’s going on… Share:

You have to love compliance mandates, especially when they are anywhere from 18 months to 3 years behind the threat. Recently the FFIEC (the body that regulates financial institutions) published some guidance for financials to defend against DDoS attacks. Hat tip to Techworld.   It’s not like the guidance is bad. Assessing risk, monitoring inbound traffic, and having a plan to move traffic to a scrubber is all good. And I guess some organizations still don’t know that they should even perform that simple level of diligence. But a statement in the FFIEC guidance sums up rear-view mirror compliance: “In the latter half of 2012, an increased number of DDoS attacks were launched against financial institutions by politically motivated groups,” the FFIEC statement says. “These DDoS attacks continued periodically and increased in sophistication and intensity. These attacks caused slow website response times, intermittently prevented customers from accessing institutions’ public websites, and adversely affected back-office operations.” Uh, right on time. 18 months later. It’s not that DDoS is going away, but to mandate such obvious stuff at this point is a beautiful illustration of solving yesterday’s problem tomorrow. Which I guess is what most compliance mandates are about. Sigh. Photo credit: “mtcook” originally uploaded by Jim Howard Share: