Research

H D Moore published details on exploiting the iPhone today using the same vulnerability as the jailbreaks/unlockers. It takes advantage of a vulnerability in the libtiff library for processing TIFF image files. The exploit is now in Metasploit, which means someone with only the technical skills of an ex-analyst can exploit you via email or a web page with a special image file. Apple will hopefully patch this quickly. The bad news is that it will kill all current attempts to load custom applications on the iPhone, but since it’s now remotely exploitable the risk outweighs the reward. Libtiff is a common library and this vulnerability was not unknown. This demonstrates a big problem in locking down a popular system like the iPhone or the Sony PSP- the same techniques needed to customize the device can often be used to exploit the security. For a wildly popular device like the iPhone it seems to make sense to open it up to legitimate, safe developers. This also proves that the excuse of locking the system down to protect the phone network (AT&T) is total bollocks, since it’s far from a perfectly secure system to start. Yes, I’m biased- I want custom apps on the iPhone I’ll probably eventually buy. Doesn’t mean I’m wrong… Share:

This weekend I was doing a little electrical work at my house, which is probably the riskiest area of Do-It-Yourself home repair. You only need to cross a couple of live AC wires once and see the “pop” (and smell the ozone) before the point hits home. In my case, I was installing a bunch of new light switches for a home automation project (dual-mode mesh network, if you care about those sorts of things). In the process I’m fixing some screwed up wiring installed by the builder; mostly three-way circuits they set up wrong. I was getting ready to work on the only four-way in the house (that’s when you have 3 switches controlling one light) and cut the power at the circuit breaker. Each of the switches was in multi-gang boxes with other switches controlling other lights, so I had to kill all those circuits as well. From what I could tell, all the power was off and it was safe to work. But being the paranoid that I am, I also checked with the AC indicator on my multimeter. I just press a button, wave it over a switch or outlet, and if it’s live the multimeter beeps. And beep it did. Despite killing (I thought) all the lighting circuits for the first floor of my house, one switch was still hot. I then started the methodical process of hitting the rest of the breakers to find the right one. About thirty minutes later I’d killed power to just about my entire house and still couldn’t find that damn circuit. Staring at my breakout panel (a second panel with the arc fault protection circuits for the bedrooms) I noticed two unlabeled breakers, figured out one of those was what I needed, and got back to work. In this case my instincts told me the circuit was safe, but my detection tool dissolved that particular illusion. In other cases, especially with my crappy stud detector, my tools are often wrong and my instincts are right. I guess it’s all a balancing act. Now I just need to figure out how to get my alarm panel to stop beeping randomly at me. Something about losing power really pissed it off. Share:

October 12, 2007, Phoenix, AZ Securosis, the world’s leading security blog, is proud to announce that it is now being protected by quantum cryptography. “After reading about Swiss officials using quantum cryptography to protect ballot results entered by hand we realized that this advanced technology is now ready for mainstream adoption,” stated Rich Mogull, Founder, CEO, and fun-guy-but-not-that-kind-of-fun-guy. “We feel that quantum cryptography is the ultimate data protection technology and the best way to assure that our blog posts are not tampered with until we post them on our remotely hosted WordPress blog.” Securosis has installed a fiber optic connection between their authoring system and posting system to support the new security program. Although posts were previously authored and posted using the same MacBook Pro, a second machine was needed to create the fiber connection required for the quantum cryptography. The two systems are located on the same desk with the fiber connection completely visible. The fiber line is under constant observation using video surveillance to further hamper tampering, but the recordings aren’t reviewed to avoid quantum effects such as the observed systems switching places or becoming “strangely attracted”. “We can now be assured that our posts maintain both their confidentiality and integrity during the development process, until they are posted unencrypted over the public Internet. We felt this was a far better investment than renewing our expired SSL certificate.” Securosis evaluated a number of competing technologies, including checksums, hashes, and TLS, but concluded that quantum cryptography was superior because it used the word “quantum”. “History has shown, as documented in Star Trek, that anything quantum has to be better. It’s a totally cool word and scientists are really into it, so it has to be more secure.” Share:

October 12, 2007, Phoenix, AZ Securosis, L.L.C., the world’s leading provider of security consulting services, announces that cybercrime has reached record levels since the dawn of history. “Cybercrime continues to increase at a staggering rate,” says Rich Mogull, Founder, CEO, Jedi, and part-time neurosurgeon. “Losses are higher this year than at any time in history. We highly advise companies to immediately engage with us at non-discounted rates to assure they are protecting their children and stopping terrorism.” About Securosis Securosis, L.L.C. is the world’s leading provider of IT security consulting services and impractical security dribble. Securosis’ customers include all of the Fortune 1000, most major governments, and a few minor religious institutions. Securosis helps customers achieve compliance with all international laws and defend themselves from all known zero-day attacks while leveraging synergies through thought leadership. We’re really smart- give us money or we’ll scare your grandma. Share:

Remember this post? If InfoWorld is accurate, Symantec will announce next week that they are acquiring Vontu. This would be consistent with the industry rumors that inspired my earlier post. I have no inside knowledge of this deal. The article states: Security software giant Symantec is preparing to announce an acquisition of Vontu, one the largest remaining independent providers of data leakage prevention software, which is used to control the flow of sensitive information across corporate networks. Multiple industry sources have confirmed to InfoWorld that Symantec will soon announce a buyout of Vontu, perhaps as early as next week, which will significantly further the trend of consolidation that has played-out in the red-hot DLP (data leakage prevention) space over the last year. … Sources said that the proposed deal will have Symantec paying $300-$350 million for privately-held Vontu, whose revenues are estimated at roughly $30 million per year by some industry analysts. Symantec and Vontu representatives declined to comment on the reported acquisition. This is a far more significant deal than McAfee’s acquisition of Onigma. Between Symantec, Websense, and EMC/RSA I think McAfee is now in the weakest position for DLP among the larger vendors. Since it’s late on a Friday, and the deal isn’t confirmed yet, I’ll save full analysis for next week. I think this is positive for Vontu and I hope that Symantec keeps them as independent as possible internally, similar to the Brightmail acquisition, and in opposition to most of their buys. It’s also positive for the remaining independent DLP players, especially Reconnex and Vericept. More next week… Share:

Database Activity Monitoring may not carry the same burden of hype as Data Loss Prevention, but it is one of the most significant data and application security tools on the market. With an estimated market size of $40M last year, and predictions of $60M to $80M this year, it rivals DLP in spending. Database Activity Monitoring also carries the best DAM acronym in the industry Sorry, couldn’t help myself. DAM is an adolescent technology with significant security and compliance benefits. The market is currently dominated by startups but we’ve seen large vendors starting to enter the space, although products are not currently as competitive as those from smaller vendors. Database Activity Monitoring tools are also sometimes called Database Auditing and Compliance, or various versions of Database Security. There’s a reason I’ve picked DAM as the second technology in my Understanding and Selecting series. I believe that DLP and DAM form the lynchpins of two major evolving data security stacks. DLP, as it migrates to CMF and CMP, will be the center of the content security stack; focused on classifying and protecting structured and unstructured content as it’s created and used. It’s more focused on protecting data after it’s moved outside of databases and major enterprise applications. DAM will combine with application firewalls as the center of the applications and database security stack, providing activity monitoring and enforcement within databases and applications. One protects content in a structured application and database stack (DAM) and the other protects data as it moves out of this context onto workstations and storage, into documents, and into communications channels (CMP). Defining DAM Database Activity Monitors capture and record, at a minimum, all Structured Query Language (SQL) activity in real time or near real time, including database administrator activity, across multiple database platforms, and can generate alerts on policy violations. While a number of tools can monitor various level of database activity, Database Activity Monitors are distinguished by five features: The ability to independently monitor and audit all database activity, including administrator activity and SELECT transactions. Tools can record all SQL transactions: DML, DDL, DCL, (and sometimes TCL) activity. The ability to store this activity securely outside of the database. The ability to aggregate and correlate activity from multiple, heterogeneous Database Management Systems (DBMS). Tools can work with multiple DBMS (e.g., Oracle, Microsoft, IBM) and normalize transactions from different DBMS despite differences in their flavors of SQL. The ability to enforce separation of duties on database administrators. Auditing activity must include monitoring of DBA activity, and solutions should prevent DBA manipulation of and tampering with logs and activity records. The ability to generate alerts on policy violations. Tools don’t just record activity, they provide real-time monitoring and rule-based alerting. For example, you might create a rule that generates an alert every time a DBA performs a SELECT query on a credit card column that returns more than 5 results. Other tools provide some level of database monitoring, including Security Information and Event Management (SIEM), log management, and database management, but DAM products are distinguished by their ability to capture and parse all SQL in real time or near real time and monitor DBA activity. Depending on the underlying platform, a key benefit of most DAM tools is the ability to perform this auditing without relying on local database logging, which often comes with a large performance cost. All the major tools also offer other features beyond simple monitoring and alerting, ranging from vulnerability assessment to change management. Market Drivers DAM tools are extremely flexible and often deployed for what may appear to be totally unrelated reasons. Deployments are typically driven by one of three drivers: Auditing for compliance. One of the biggest boosts to the DAM market has been increasing auditor requirements to record database activity for SOX (Sarbanes-Oxley) compliance. Some enterprises are required to record all database activity for SOX, and DAM tools can do this with less overhead than alternative approaches. As a compensating control for compliance. We are seeing greater use of DAM tools as a compensating control to meet compliance requirements even though database auditing itself isn’t the specified control. The most common example is using DAM as an alternative to encrypting credit card numbers for PCI compliance. As a security control. DAM tools offer significant security benefits and can sometimes even be deployed in a blocking mode. They are particularly helpful in detecting and preventing data breaches for web facing databases and applications, or to protect sensitive internal databases through detection of unusual activity. DAM tools are also beginning to expand into other areas of database and application security, as we’ll cover in a future post. Today, SOX compliance is the single biggest market driver, followed by PCI. Despite impressive capabilities, internally-driven security projects are a distant third motivation for DAM deployments. Use Cases Since Database Activity Monitoring is so versatile, here are a few examples of how it can be used: To enforce separation of duties on database administrators for SOX compliance by monitoring all their activity and generating SOX-specific reports for audits. If an application typically queries a database for credit card numbers, a DAM tool can generate an alert if the application requests more card numbers than a defined threshold (often a threshold of “1”). This can indicate that the application has been compromised via SQL injection or some other attack. To ensure that a service account only accesses a database from a defined source IP, and only runs a narrow range of pre-approved queries. This can alert on compromise of a service either a) from the system that normally uses it, or b) if the account credentials are stolen and used from another system. For PCI compliance you can encrypt the database files or media where they’re stored, then use DAM to audit and alert on access to the credit card field. The encryption protects against physical theft, while the DAM protects against insider abuse and certain forms of external attack. As a change and configuration management

As my readers know, I’m not the biggest fan of consumer DRM. I hate being treated like a criminal when I’m not, and I don’t believe anyone has the right to control more of my systems than I do. Something about my security being compromised to provide better security for some corporate entity whose products I may or may not purchase just bugs me. A while back I posted how the Barenaked Ladies distribute their content without DRM. Not for free, but once you buy it you’re free to use it as you wish. I like that. Now, thanks to TechCrunch, we learn that Madonna is leaving the record labels and working with Live Nation to distribute content directly. Nine Inch Nails, Radiohead, and a few others are also jumping the record label ship. Yahoo! Music stated they won’t distribute music with DRM. With MySpace and other social networking sites for promotion, low-cost digital distribution of content either directly to consumers or through online stores, and general frustration and anger with record company pricing, practices, and treatment of artists, it’s hard to see how the companies will survive. It won’t be an immediate death- years if not decades, but now that some of the biggest names in the business are running into independence the writing is clearly on the wall. And the record companies can take their damn DRM with them. Now it’s time to get cracking on the MPAA… Share:

I was reading a post over at Layer8 and it got me thinking about trust. Shrdlu attended a talk by Larry Ponemon where he took away this little tidbit: The trust given to an organization depends not only on how well it protects information, but also on how transparent it is. A long time ago I spent some time thinking about trust and digital relationships. I broke it down into three components: Intent, Capability, and Communications: Intent: How an organization (or person) intends to act within a relationship. This is their true intent, not necessarily what they communicate as their intent. For example, we collect credit card data solely to perform online transactions, and will protect it from unauthorized disclosure. Capability: Does an organization have the capability to meet its intent? For example, does it collect card numbers and only use them for transactions, but use security which could not stop a targeted attack? Communications: Does an organization effectively and accurately communicate its intentions and capabilities? If any of these factors fails, so does trust. Let’s look at some examples in the security world. Some vendors, I don’t even need to bother naming them, make outlandish claims about the security of their products that do not reflect reality. Then, when breaches occur, they spin the facts rather than admitting to an honest mistake. Result? No one trusts those vendors anymore. I remember our home town bank as a kid. We’d walk in and it was all marble and stone, with a huge walk-in vault surrounded by guards at the far end. Placing the vault where customers can see it doesn’t improve security, but it clearly communications of a capability to protect your money. These days, no one cares. Why? The world changed and with the FDIC and electronic banking we are far less concerned about a bad guy with a mask stealing our money. Heck, they could steal the entire bank, foundation and all, and we still wouldn’t be out a dime. Breach disclosure is another example of trust. If a company loses my personal information and clearly communicates how it was protected, how it was lost, and a reasonable plan for preventing a recurrence, I am not very likely to leave them. If, on the other hand, they attempt to cover it up, shift blame, or clearly lie about their intent or capability to protect my information, I am far more likely to switch to another provider. A privacy example? Years ago I cancelled my Amazon account after they changed their privacy policy and started sharing my data. The policy in effect when I signed up stated my information would be kept private. They then summarily changed it without my permission. They clearly either lied about, or changed, their intent, and lost me as a customer. It took me 5 years before I bought from them again. It’s very simple: trust is built on what you intend to do, your ability to do it, and your ability to communicate both. Share:

Once again Martin and I recorded late enough in the day that I could enjoy a fine beer during the taping (Moose Drool this week). I also need to shout out to Paul and Larry and Pauldotcom Security Weekly; based on their advice I picked up a WRTSL54GS for some wireless access point hacking. Too bad I bricked it… by opening the box. Needless to say that one is on its way back to the online store, and a new one is headed to me. I’ve been working on this pet project of mine for a year and really hope this is the right box to get the job done. Also, congrats to Martin on re-entering the world of the gainfully employed. He starts with Trustwave on Tuesday. Show Notes: Microsoft AutoRuns PGP Flaw not really a flaw at all Securosis: Slashdot bias and much ado about nothing PGP encryption issue Slashdot: Undocumented bypass in PGP whole disk encryption Securology: PGP whole disk encryption – barely acknowledged intentional bypass Retailers vs. PCI Securosis: Retailers btch slap PCI Security Standards Council Techtarget: National Retail Federation takes aim at PCI DSS Council SC Magazine: Retail Lobby offers alternative to PCI standards Network Security Blog: Merchants mad about credit card retention iPhone Jailbreak (missed the link on this one) Suit against Apple for bricking iPhones Six ticks to Midnight: One plausible journey from here to a total surveillance society Tech Liberation Front Onstar to stop supports RSA Speaking on Security interviews Shon Harris, and I get a mention too. CIO.com: Hacker Economics 1: Malware as a service Tonight’s Music: The Moon is Full by Albert Colins, Johnny Copeland and Robert Cray Network Security Podcast, Episode 80, October 9, 2007 Time: 46:51 Share:

Meerkat Manor, via the Guerilla CISO. Here’s an excerpt: 09 October 2007: Dear diary, I drew sentry duty for the third day this week. I know it’s my solemn duty to protect the clan, but my risk assessment has determined that, although a predator is a high-impact event, it is a low rate-of-occurance activity and so I think a better use of my time is in foraging for stray eggs. Besides, if the predators come and eat us all, it’s not like I’ll have to face the Meerkat Manor Board of Directors. 10 October 2007: Dear diary, I grow tired of the incessant looking for predators. I mean, why do us meerkats focus exclusively on detective controls which use up to 15% of our available manpower when we could just as easily reduce the sentries to 5% of our efforts and put in place corrective controls such as trap holes and punji sticks to reduce the threats to our home? The true cost savings is that the effort for corrective controls is a one-time installation where sentry duty is a recurring bill. Didn”t the alpha-pair learn anything in their Masters in Meerkat Administration classes? 11 October 2007: Dear diary, today I instituted a metrics program to gauge the effectiveness of our sentry program and to determine if we are getting the best level of risk for the time that we are investing. So far, I”ve made a bar chart to analyze the total number of predator alerts versus the total number of predator intrusions. I think I have a business case to slowly reduce the ratio of sentries to foragers during the day. Share: