Research

As usual, one of our friends has succinctly captured the heart of an issue far better than we can. Gunnar, while flattered to be considered for a Security Blogger Hall of Fame award, takes the opportunity to discuss the drop in real conversation as the Tweeter has taken time and attention from many folks who used to hold those real conversations in blogs. Why I would really like to see the scene keep making progress is that I think security is an industry where its easy to get lost in the urgent and forget the important. Its a non stop flow of urgent operational issues, but not much time to look at – why does this keep happening and how do we fix it or stop it from recurring? These are things you cannot do in 140 characters, and we need something between a Tweet and a Whitepaper to have an industry conversation. Blogs fill that space very well, look at the issues, consider the deployment options, integration concerns, and what we might realistically do. These are the conversations we need to have. That is the reason we chose the Securosis blog as our main content vehicle. It gives us an audience and a mechanism to interact with thousands of folks, without building a large sales force and go-to-market engine. And for a few years it worked great. A business like Securosis (or Security Incite, for that matter) couldn’t have existed in 2003. But we have definitely felt the same drop-off in conversation on our blog. The number of comments we get on our blog posts is far lower than it used to be. Yes, we have some of those conversations in 140 character chunks via Twitter, but it has been a long time since we had more than 2-3 comments on any post. Of course we have adapted to stay relevant, as every organization needs to adapt to market realities. We accept the increasingly serious ADD we all suffer from, and now do much shorter and more frequent posts (like this one). We automagically tweet a link to every post to make sure the echo chamber doesn’t miss anything we write. And most of important, we accept that the way things are may not be the way we would like them to be. But kudos to our friend and contributor Gunnar for at least forcing us all to acknowledge how things have changed. Share:

Everyone is all fired up that the APT is now targeting major media companies. Rich covered that in yesterday’s post, and now it seems the Wall Street Journal was also targeted by similar tactics The Wall Street Journal said its computer systems had been infiltrated by Chinese hackers for the apparent purpose of monitoring the newspaper’s China coverage. This is shocking why? Brazen, yes. Predictable, yes. Surprising? Not in the least. But that’s neither here nor there. What annoyed me about the NYT story was pointing the finger squarely and exclusively at Symantec. And their partner in slime, Mandiant, seemingly blaming the breach on the inability of their AV engine to catch the attacks. This is bush league and clear misdirection. I am not saying, in any way, that Symantec’s failure wasn’t the main cause of this breach. But I don’t know they were either. We don’t know the answers to a few fairly important questions, including what version of Symantec AV was running at the time of compromise? If they were using SEP 10 this result isn’t surprising. That product stunk and SYMC acknowledges that. It’s like blaming Microsoft for a breach because Windows XP got compromised. That would have been fine in 2003, but now? Come on, man! If the enterprise isn’t taking advantage of modern protection, how can they expect to defend against modern attacks? Before we can credibly place blame we need to know more. What operating system was in play? Was it fully patched? How was it configured? What other defenses were in place on the endpoints? The questions go on and on. We don’t know enough to point the finger. And if these devices weren’t taking advantage of the latest versions of pretty much everything, then the issue rests more on the NYT than on a security vendor. At least in my opinion. But what fun is that, right? It’s much easier to play into the same old story about how AV sucks. But no endpoint product is going to stop a 0day targeting crappy software (yes, Oracle and Adobe, I’m looking at you). Not 100% of the time anyway. And all the attackers needed to do was compromise one device, and then they owned the environment. OK, I’ll get off my soapbox now. Just to make sure we’re clear, I’m not saying Symantec is free of blame here. But I know there are a bunch of other folks who should have the finger of accountability pointing at them, starting with the NYT security team. Share:

We talk a lot about Big Data Security, and over the next couple years we will talk about it a lot more. But I think articles like Big Goals for Big Data are a bit misleading. But Preston Wood, Zions Bancorporation’s CISO and executive VP of security, finds it puzzling that so many find big data such a struggle. Really? The rest of the article goes through how Zions hit the wall with SIEM and needed to use Hadoop and associated technologies to meet his needs. It’s a good read and they make a number of very good points. The article even quotes Adrian, but we shouldn’t hold that against them. Our pal Alex Hutton weighs in a bit as well. “His advice? Do your homework before rushing in. Take all the necessary time to flesh out a detailed road map for the data you’re looking to process, carefully review how Hadoop will behave with the rest of your network, and develop a clear taxonomy model and strict metrics for it to follow.” That’s the rub. Most practitioners have neither the time or inclination to do the homework, structure the security program, and do things right. It’s all about instant gratification – which is why it’s much easier to get companies to install a magic box (which isn’t really magic) than it is to get them to change process and embrace foundation technology. This is an irritating truth at far too many organizations. But it is what it is. Zions has done a great job of building their security program on analytics, but that doesn’t mean it will be easy for other companies to do likewise. Share:

It’s the end of January, which means my favorite day of the year is coming up. Yup, Super Bowl Sunday. It’s a huge bummer that the Falcons couldn’t close it out in the NFC Championship, but it was a great season nonetheless. But now on to the important stuff. We will be hosting our 8th Super Bowl party, and we get pretty festive. After this many years we have it down to a system. Pretty much. This past weekend we consulted the running list of who brings what. We track what went fast last year, so we can ask for more. And we also note what was left over so we don’t have too much surplus. For instance, a few years ago we mowed through 150+ chicken wings. This past year we barely consumed 75. For some reason, the wing surplus seemed to correlate to when I stopped eating meat. Go figure. I got plenty of beer, and I am prepped to drink my annual Super Bowl Snake Bite. Or 10. Though it should be interesting this year, as XX1 will tell me at least 10 times that drinking is bad for me and I should stop. I usually just smile and go back to refill my glass. Unfortunately we don’t have infinite space at the house. As it is, we invite some 25 families, which usually equates to 80-90 people. It’s friggin’ packed, which is great. But we do have to make some tough choices, as we can’t accommodate everyone. At this point we have RSVPs from most of the folks we invited. But there are always those stragglers we need to chase for the RSVP. So as my head was about to hit the pillow Monday night, the Boss came in to wish me a good night. Or so I thought. That’s when I learned about the email faux pas where she meant to send a note to confirm attendance, but she actually sent the email to someone we didn’t invite. Oops. Email autofill fail. I hate when that happens. What to do? What to do? We can’t accommodate any more folks or the fire chief may make a visit. I thought about making light of the situation, and saying it could be worse. Then telling her the story of the poor sap in a big Pharma company who inadvertently sent poor clinical test results to a NY Times reporter with the same last name as his intended recipient. That was a true email autofill fail. In comparison, this situation was pretty minor. But I though better of it because at that moment it was a problem. Turns out serendipity comes into play sometimes – we had a spot open up for our inadvertent invitee. Which is probably the way it was supposed to happen. We have randomly run into that family around town twice in the last two weeks, so the universe clearly wanted us to invite them to the party. Hopefully the Boss learned the old carpenter’s adage – measure twice, cut once. Or the modern day version: check the recipient list twice, hit Send once. –Mike Photo credits: Fail Road originally uploaded by Dagny Mol Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services Integration The Solution Space Introduction Newly Published Papers Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Alien invasions and intelligence-driven integration: Here is a good thought provoking piece by EMA’s Scott Crawford about what he sees ahead in 2013. Much of it is about the need to share information better (intelligence) and deliver integrated defenses. Scott was very early on the Security Big Data bandwagon, and this makes some of those concepts more real and tangible. Thankfully Scott provides some cautions on our collective ability to do the things we need to. For a while I worried that Scott had been taken over by an overly optimistic alien – from a planet where they actually get folks to work together, share bad news, and deliver an end-to-end solution. Clearly that is nothing we see on Earth… – MR *Forget plastics: the future is automation: Automation. Automation. Automation. Did I say Automation? As we continue our advancement to the cloud and the continual decoupling of assets from the underlying infrastructure, the only way to manage these environments is through extensive automation. Actually, we have always needed more automation, but it sort of worked as well as a square wheel. Thanks largely to cloud computing, IT operations is making massive strides in automation, as indicated by VMWare investing $30M in Puppet Labs. Puppet Labs produces Open Source software for managing application and system configurations based on templates, at massive scale (that’s a simplification but you get the idea). Why am I writing about it here? Because security is woefully behind on these advancements, led by dev and ops, or DevOps (see what I did there?). We know how the story ends when security can’t scale and adapt as quickly as the rest of the organization. The Texas Chainsaw Massacre seems tame by comparison. – RM Identity calculus: DBA Village is one of my favorite Oracle blogs. It offers a lot of pragmatic information on how to administer Oracle, and they have a handful of very knowledgeable people who take on all technical questions, no matter how hard or obscure. But I was shocked this week when someone asked how they integrate LDAP with Oracle to handle authorization duties, and the response was to contact Oracle and hire a consultant for 5 days.

Apparently the folks at Twitter forgot the first rule of the Internet. As Avenue Q so elegantly stated, The Internet is for Porn. NetworkWorld points out a minor unintended consequence of Twitter’s new Vine video sharing application, Sex and NSFW clips flood new Vine app from Twitter. Will Apple respond? The Vine app, much like Twitter, lets users explore and discover content via hashtags. However, it didn’t take long at all for hashtags for words like #sex and #porn to take center stage. Indeed, any NSFW term one can think of likely already has a listing via Vine. While the Vine app has functionality that enables users to flag videos as inappropriate, this only serves to provide a warning to users before a video begins playing. So you’re telling me no one in a product management meeting at Twitter suggested that some enterprising user would upload pictures of their, uh, equipment? I find that hard to believe. Chatroulette, anyone? Of course, Apple is pretty sensitive to their apps being used to serve up NSFW content. I’d assume they’ll put up the 17+ gate when downloading the app, but besides that I don’t think there is much they can do. They could kick it out of the App Store, but that seems a bit heavy handed. And it’s not like kids can’t get around the protections and view the app on the web if they want to. When there’s a will there’s a way. And for 14-year-old boys there is a will. Not that I’d know anything about that. Share:

When in doubt, throw money at the problem. From the Washington Post, Pentagon to boost cybersecurity force: The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries, according to U.S. officials. Of course US adversaries have allegedly tasked 100,000 folks to cybersecurity activities, but this clearly indicates the reality of nation-state behavior in 2013. Evidently a couple different kinds of kung fu will be valued by the military-industrial complex. And when they inevitably remake The Graduate, plastics won’t be the can’t-miss occupation. And Mrs. Robinson will be going after the pen tester – tattoos, earrings, and all. Share:

Rich constantly reminds us that “correlation does not imply causation,” relevant when looking at a recent NetworkWorld article talking about the decrease in spam, which concludes that botnet takedowns and improved filtering have favorably impacted the amount of spam being sent out. Arguably, the disruption of botnets – the platform used to send most spam – has probably had a larger effect, with the downing of several large distribution networks coinciding with the start of spam’s decline in 2010. Meh. Of course, that makes better headlines than all the various botnet chasing efforts paying off. But if you dig into Kaspersky’s research you get a different take. Ads in legal advertising venues are not as irritating for users on the receiving end, they aren’t blocked by spam filters, and emails are sent to target audiences who have acknowledged a potential interest in the goods or services being promoted. Furthermore, when advertisers are after at least one user click, legal advertising can be considerably less costly than advertising through spam. Based on the results from several third-party studies, we have calculated that at an average price of $150 per 1 million spam emails sent, the final CPC (cost per click, the cost of one user using the link in the message) is a minimum of $.4.45[sic]. Yet the same indicator for Facebook is just $0.10. That means that, according to our estimates, legal advertising is more effective than spam. Our conclusion has been indirectly confirmed by the fact that the classic spam categories (such as fake luxury goods, for example) are now switching over to social networks. We have even found some IP addresses for online stores advertising on Facebook that were previously using spam. Duh. Spam was great for marketers of ill repute because it was cheaper than any other way of reaching customers. If that changes marketers will move to the cheapest avenue. They always do – that’s just good business. So we can all pat ourselves on the back because our efforts to reduce spam have been effective, or we can thank places like Facebook that are changing the economics of mass online marketing. For now anyway. Share:

We all want security to be front and center in terms of decisions on new applications. We all follow the researchers who show time and again how mobile apps, or web apps, or pretty much anything, can and will be gamed. Yet all that doesn’t matter, as security cannot get in the way of business. Branden Williams did a great job digging into the economics of Starbucks’ stored value cards to make a pretty compelling case that this stuff will happen, whether security likes it or not. Now, let’s say that I install the app on my phone, and set it to recharge $50 every time my balance gets low. I have now reduced their transaction volume with me to 10% of the original (26 times to recharge vs 260 transactions). This changes the fees to $23.27, or a 60% reduction in my cost burden to the company with the added benefit that they get to use my cash for anything they want while I work it off over a period of time. You should read the post because it hits on a number of the economic drivers that make stored value cards a huge win for small-ticket shops like Starbucks. Of course providing access to micropayments from a mobile app introduces risk. But given the numbers Branden outlines, that won’t stop Starbucks from doing everything they can to get everyone using their stored value cards & accounts. The numbers don’t lie – this stuff is going to happen. And these environments will be attacked because they represent a path of least resistance to get financial data. Which underscores the importance of working with the business people and app development team as early as possible to get ahead of the risks of these mobile-driven business processes. Photo credit: “Starbucks Mobile Card iPhone App” originally uploaded by Joe McCarthy Share:

Given the angst, conspiracy theories, and tinfoil hats around any network/security products built in China, it’s curious to see Krebs’ story on the backdoors in Barracuda products found by Stefan Viehboeck of SEC Consult Vulnerability Lab. Viehboeck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort. But having that back door creates exposures that most security conscious folks find unacceptable. As Viehboeck says: “In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.” Clearly you can draw the conclusion that this is bad, especially because Barracuda is playing the ostrich game a bit, calling these issues just ‘medium’ severity. But given that Barracuda caters to the small and mid-market, how many of these boxes are actually installed in secure environments? And how many of these unsophisticated customers will apply the fixes to eliminate the back doors? Right, not too many. We can’t let Barracuda off the hook here just because the back doors are there to facilitate support access in the event the box needs to be remotely fixed. Users lose their credentials and lock themselves out of their boxes all the time. They misconfigure stuff and a support rep would need deep (probably root) access to fix things. We get that. But we aren’t in the excuses business, and neither are Barracuda’s customers. Barracuda just can’t rely on a locked-down IP address range to provide security. That’s too easy to spoof and those addresses may change over time. Obscurity isn’t the answer. Moreover, customers need to have the option to shut down the back doors, especially if they install in one of these mythical secure environments. There must be a middle ground between installing an undocumented back door and not being able to support the device remotely. Maybe they ship the box without the default accounts and lock down the root account. Maybe they have a script that adds the support accounts to the box when a special “Activate Remote Support” setting is selected within the interface. They could use some kind of two-factor authentication to ensure Barracuda support is involved when activating the script. Then when the box is repaired, the user unchecks the box and another script cleans out the user accounts and locks down the box. Is that a perfect answer? Of course not – I’m just throwing crap against the wall. There must be a better way to ensure thousands of customers don’t have to ship their boxes back to Barracuda for simple fixes that can be done remotely by support. But having an undocumented back door isn’t it. Photo credit: “Vancouver, BC, Canada – Robson Street – Hippies Please Use Back Door (Antique Sign)” originally uploaded by Adam Jones Share:

Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile. No less than Dan Geer has weighed in on the topic in a CSO contribution. He looks at it from the perspective of what the mid-sized company can do and what they can’t. By introducing the concept of a third party, which he calls a mentor, Dan is talking about helping an organization kickstart their security program and prioritize. Later, the mentor can move on to their next stop, when the organization is ready to do stand on its own. Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don’t know that you don’t know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself. Basically Dan is calling for the mentor to take a snapshot of an organization and use their experience, methods, and analysis to help the organization prioritize what they should fix first. This first-things-first approach demands a mentor with the tools to take a high definition photograph of your information in motion movement – the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product. Dan is one of the big thinkers in the business, and he doesn’t talk much. But when he does, pay attention. As with any out of the box thinking, you can come up with a million reasons why something like this won’t work. But we should focus on how to make something like this happen; as technology advances (yes, Big Data) this kind of concept becomes more achievable. The reality is that far too many organization don’t know what they don’t know. And until they do things aren’t going to get better. Photo credit: “MSH0110-12 Squeeze Me” originally uploaded by f1uffster (Jeanie) Share: