Research

Updated : Forgot to list the date, it’s January 25th. Update 2 : Fixed stupid mistake in mailto link. Bad ex-web programmer. Bad! I must be the [edited] of webcasting or something. Considering I get paid for these you could probably use another word, but this is a family friendly blog. ZDNet has opened registration for my webcast on database security. As mentioned before, this one is designed to walk the line between DBAs and security admins- taking 5 key recommendations and giving actionable advice for each audience. It’s sponsored by Oracle. Since I want to make sure this one is really on target, if you are either a DBA interested in security, or a security admin interested in databases, drop me a line and I’ll send you a draft for review. I have a couple people taking a look already, but I’d like some input from people dealing with day to day operational issues. Just email me at rmogull@securosis.com. Here’s the full description of the event: The spotlight on database security and increasing demands for regulatory compliance require DBAs and security professionals to work more closely than ever before – both integrating and separating job duties. Security and database teams are being challenged to learn at least SOME of the skills of each other’s domains while applying these principles practically to achieve compliance and keep out the bad (and even some not-so-bad) guys. Join us for this informative eSeminar with useful information for both database and security professionals, where long-time database security industry expert Rich Mogull will highlight the top five recommendations for database security and compliance in this new year. Featured topics will include: Segregation of Duties for DBA and Security Pro alike Database Vulnerability Configuration Management Auditing and Activity Monitoring See how your resolutions for ‘08 compare with our experts – and bring your questions for the Q&A session following the presentation. Register now to ensure your spot at this important event. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Database Security, Oracle, Separation of Duties, Webcast Share:

I generally try and avoid short posts on the blindingly obvious, but it’s clear there’s a lot of focus on the Microsoft IGMP vulnerability- from both sides (good guys and bad guys). SANS is starting to put some recommendations up, and unless you’re absolutely sure you have perfect patch management and everything is updated, it’s time to keep your eyes open. For the non-geeks, Microsoft released a patch yesterday for a serious vulnerability in most versions of Windows that could allow someone to take over your system. Make sure you update. There aren’t any known exploits in the wild, but that won’t last. Rumor is some of the consumer software firewalls won’t block this, so that isn’t enough protection. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Microsoft, Vulnerabilities, Patch Share:

I mean a literal 5-year-old child, not some obscure threat. According to BoingBoing the child’s name is the same as someone else on the list, but according to this interview with the head of TSA by Schneier, you should only get a hit if the name and date of birth match. He was considered such a threat his mother wasn’t allowed to console him/touch him during the process. Which gives us three options: This child really is a national security threat. Having flown on many planes with out of control 5 year olds, this is my best bet. There is another five year old in the world with the same name and birthdate that is the real national security threat. The TSA messed up I find this amusing, and sad. Share:

You can find the episode and the show notes over at NetSecPodcast.com This week we dedicate the show to the loving memory of privacy. Share:

If you’re a geek, interested in security, or both, the official revival of SunSec is this Thursday! Let’s shoot for 5:30-6 pm at Furio, in Old Town Scottsdale. It’s a funky little place, has a good happy hour (until 7), and is more conducive to conversation (and parking) than Four Peaks in Tempe (another suggestion, but we tried that a while back). For those unfamiliar with SunSec, it’s just an informal gathering of security-minded folks. No presentations, no agenda, no leader, lots of libations. A particular small security consulting biz might even buy a round. Email or IM me direct if you want my cell number. If you prefer another location, drop it in the comments. If you aren’t there, we’ll hack you. Share:

On January 25th I’ll be giving a ZDNet webcast (sponsored by Oracle, but objective content, as always!) on database security resolutions for 2008. I’m taking a bit of a different approach on this one; the presentation is targeted at both database administrators and security professionals. Yes folks, I’ll be bridging the great divide. (I used to be a DBA, so I know a little of what I’m talking about). For each of the resolutions we’ll discuss the implications for both sides- what does the DBA need to do? How about the security admin? Here are the Top 5 Resolutions with a little descriptive text. Let me know what you think, and if you have a better suggestion and I use it I’ll make sure you get full credit in the webcast… Identify, and classify, databases with sensitive information: one of the biggest database security issues we face is just figuring out where the heck our databases with sensitive content are in the first place. If you think you know, you’re probably wrong. I can’t tell you how many calls I’ve been on with clients where the application, database, and security admins in the room each think they have a good idea and are proven wrong within 30 minutes. We’ll discuss how to locate these systems and prioritize them for later remediation. We’ll also discuss tools that can help with the process (generically- I’m not pushing any products). We’ll also discuss how security and database teams can work together on the process, and where their mutual interests overlap (killing rogue DBs). Implement database configuration and vulnerability management for your highest-priority systems: no, not all at once. And while tools help, you can also do much of it manually. We’ll talk about the roles of configuration and vulnerability management, who is responsible for what, and how teams can work together. Yes, it’s basic, but not something that everyone has down, and like making that annual resolution to lose 5 pounds, it’s worth revisiting every now and then. Enforce separation of duties between DBAs and security: now we’re getting into the more interesting stuff. As much as we trust DBAs and security, when sensitive information is concerned (especially regulated information) we have to… enforce that trust. We’ll talk about the different ways to to this, and how to implement it without interfering with anyone’s ability to get their jobs done. While DBAs might not be happy with this change in trust, security pros have a large burden- to start learning how to protect databases they won’t manage (SoD works both ways). Start Database Activity Monitoring (or at least better auditing): no surprises to those of you who read this site. I’m a huge fan of DAM. We’ll talk about using it for separation of duties, for security, and even for regular old database tuning. Control ad-hoc access: I hear from a LOT of clients that ad-hoc query access by users is out of control, often on data users shouldn’t get near outside a business application. Here we’ll talk about how DBAs and security managers can team up to end this bad habit, without pissing off the entire business. For once, compliance will be your friend. Bonus Resolution: Start paying attention to web applications and connection pooling: I’ll save this one for the webcast. Over time I’ll cover most of these issues in blog posts as well. Let me know what you think. Are your database security resolutions any different? Am I just full of my usual $#%^? I’ll post the webcast details when I get them; the registration page should be up later this week. And don’t forget to pass it on to your DBA friends… < p style=”text-align:right;font-size:10px;”>Technorati Tags: Oracle, Database Security, Database Activity Monitoring, Compliance, Separation of Duties Share:

This one comes to us thanks to Rob: http://www.wired.com/politics/security/news/2008/01/dreamliner_security And I quote: Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration. The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals. … Gunter wouldn’t go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public. I can’t imagine anything so insanely stupid as to allow any physical connection between the control system and the passenger side of the network. Haven’t we learned anything over the past 30 years? We can never fully predict how a system like that will behave. I’m not even talking terrorist scenarios; all it takes is one accidental denial of service glitch to, well, you know. I think I’m going to go play some video games or something now. Share:

Have a security question? Want a straight answer? Even if you’re not a geek? I get a random assortment of security questions on a fairly regular basis and it seems like a good time to open the blog up a little more to covering what you’re interested in, not just what I feel like rambling about. I’m thus starting a new series of posts- “Ask Securosis”. Once a week I’ll put up a post soliciting questions. You can either email me your question, or put a response in the comments. I’ll pick one a week to answer and try and pop it up on Fridays. If I can’t answer the question, I’ll find someone who can. Questions can be anything security related- from the simple (what should I use at home?) to the complex (what’s your recommended architecture for xxx). You can stay anonymous in the comments, and if you email me I won’t reveal your identity unless you want me to. And now for our first answer… Share:

Our first question comes from Tom, who is security minded but not a full-on security geek: “In my Dlink 4300 there is functionality to log fire wall rules to a outside logging server (I’ve seen this functionality in my old WRT54G’s as well). At the same time Linux has logging functionality that you can setup to receive outside log messages. How do I get my dlink/linksys/brand X router to talk to my Linux at server and log all of the messages? Looking at firewall logs is a great way to get your feet wet with security. For the home user I’m not convinced it adds a lot of security, but it will be extremely educational. It won’t take long before you drop Wireshark onto your network and really start digging into traffic. The D-Link outputs logs using syslog to any compatible syslog server. The exact configuration will vary depending on your internal network structure and which version of Linux you are using, but here’s a general overview to get it running. A number of home routers/wireless access points support this functionality. Set up your Linux server Start syslogd, and make sure it’s configured to run on startup (“chkconfig –list syslog”?). You will probably need to adjust your syslogd configuration file before it will work properly- this varies based on which version you’re running, but a quick Google search should give you what you need; likely you need to add “-r” somewhere (/etc/sysconfig/syslog on Red Hat based systems). Wikipedia is a good place to start. If you have a firewall on your Linux box, make sure UDP port 514 is open to your home network (/etc/sysconfig/iptables on Red Hat based systems). On your D-Link router, go into DHCP settings and assign a permanent address to your Linux server. Otherwise, its IP address will probably change when it reboots. You’ll probably need the MAC address of your Linux server, which you can get by running ifconfig from a shell. Some D-Links make this really easy and you can lift the address right from the screen where you assign permanent addresses. If it’s not feasible, you might just want to configure your Linux server with a static address – if you do, make sure it’s not in the DHCP scope assigned by your router. Now, on your router go start logging, and enter the IP address of your Linux box. Give it a little while, then see if you have any log entries (depending on how your configured things in syslog.conf). And that should be it! I know this isn’t totally detailed, but it really can vary a lot depending on what you’re running, and I don’t have everything on my end to test it. The most common mistakes are leaving the syslog server on a dynamic IP address, filtering the traffic, and bad syslog configurations. Pepper adds: You can do all this with a Mac too – I send Linksys WRT54G & AirPort Extreme logs to mine. Share:

Credit monitoring services, especially those from the credit agencies themselves, leave a bad taste in my mouth. I find it unconscionable that I need to pay to gain access to personal information on me that affects my life at the deepest levels. In our modern society, a good credit rating is as important for our future safety and stability (and sex, to be honest) as a sharp spear and 20/10 vision were to early man. It sucks, but money makes the world go round and we can’t feed Maslow without it (nor can most of us afford homes without good credit). I started using credit monitoring services long before identity theft was a big issue. Back then, reports were never free and credit scores weren’t in as wide use. I wasn’t paranoid or prescient, I’d just managed to screw my credit up so badly in college that I wanted to know exactly what I needed to clean up. It would probably still be screwed up if it weren’t for online banking; I’m really bad about using the mail. When free reports were mandated by the government I kept with the monitoring service for two reasons- to gain access to my credit score, and for identity theft monitoring. And monitoring is not protection- I may be able to detect new activity on my credit report within 1-3 days, but by that time the damage might be done. Along comes Debix. The government has mandated that credit services allow consumers to place “locks” on their reports. No, this won’t stop the bank from reporting you as late, but it does mean they can’t open a new account tied to your record without explicit permission. Being a bunch of wimps beholden to big money, the government only mandated they lock (place a “fraud alert” on) your record for 90 days. For the same price (or less) as credit monitoring, Debix will place a lock on your record and renew it automatically every 90 days. They link the lock to their call center, and when a creditor calls to verify that you really want to open the account the call center routes it to up to three numbers you provide. This has the added advantage of keeping your phone number off your record. (Full disclosure: I was given a free preview, so I didn’t pay for the service. But it’s cheaper than the credit monitoring service I’m dropping). Pretty cool- kind of like anti-exploitation for identity theft. They also insure you and provide a few other features. They are a direct competitor of LifeLock, but LifeLock’s been in the news a bunch here in Phoenix for some… irregularities… that make me uncomfortable with the company. I do like seeing inquiries on my credit report, but I can get that for free on a quarterly basis rather than needing it instantly. Debix is $4/month cheaper than my monitoring was, and blocks unwanted activity. I like that. Share: