Research

A few months back I did a series of posts demonstrating a proof of concept for implementing some basic software defined security (using AWS, Chef, and Ruby). This ended up being the basis for my KickaaS Security with APIs and Cloud talk at Black Hat. I decided to release it as a white paper. Because I think there are too many trees in the world, and this will encourage you to print it out. Or buy a tablet – doesn’t matter to me. Landing Page: A Practical Example of Software Defined Security Direct Download (PDF) In all seriousness, I hope you like it; and that this white paper, with complete content from the posts, is useful to you. Share:

Brian Krebs breaks another story: Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering. And on hiring a hit man (seriously): On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.” I wonder if Benedict Cumberbatch will play DPR in the movie? Compelling read. Nothing to do with IT security unless you plan on hosting an illegal site, but fascinating. Share:

Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field. A quote from a talk by Tom Cross from Lancope and Holly Stewart from Microsoft: “If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.” It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers. Vulnerability disclosure often seems more about philosophy and ego. Exploit disclosure is far more complex, with even farther-reaching implications. Exploit disclosure makes vulnerability disclosure look like a kid’s game. Share:

I’m really looking forward to this, although my skills will keep me in the back of the room: October 2013 Chicago Crypto-For-Developers Class Share:

A vulnerability in Internet Explorer has been known and unpatched for two weeks. According to ThreatPost, an exploit module is now in Metasploit, and real attacks are growing. Better deploy the FixIt tool if you don’t have some other way of blocking exploits. But I’m probably screwed, because I can’t get that mitigation to run on my Mac. Share:

I haven’t worked at Gartner for over six years now, so I’m not surprised that many people still think vendors can pay to move up the rankings in a Magic Quadrant. I mean, just look at them. Big vendors almost always show up in the top left or right, so they have to be paying for play. Vendors can’t buy Magic Quadrant ratings. Let me say it again: vendors cannot directly buy MQ ratings. I don’t expect to change any minds here, but that isn’t how it works. Not that money can’t influence the process, which I will get into. Analysts are totally walled off from the financial side of Gartner. They are not compensated, at all, based on how much a vendor spends. Many analysts have a very negative view of the vendor community, which can actually be destructive. It doesn’t matter how much a vendor spends – the analyst makes the same. In the seven years I was there I never saw management ask an analyst to adjust an MQ because a new client spent more money. Really, the anti-vendor attitude is so deep that an analyst is more likely to reduce a rating if a vendor tries to play those games. There used to be a loophole. Analysts used to get paid more for participating on strategy days with vendors. Some unscrupulous analysts effectively used blackmail to get vendors to buy more days. Gartner cut that off around the time I became an analyst, sometime around 2001 I think. It pissed off some analysts who were basically doubling their salary with strategy days. Today, all a strategy day does is keep an analyst away from their family – they don’t get paid more. However. Gartner clients get to talk with the analysts more. Anyone can brief an analyst once a quarter or so, but paying clients get longer calls, more frequently. Strategy days mean the vendor gets face time with the analyst and can build a personal relationship (there are guidelines limiting gifts, meals, and such to reduce influence there). This can subtly influence an analyst over time, even though it isn’t explicit buying. Smart vendors can do much the same thing without spending a dime, because most analysts don’t care about contract value, but paying up can definitely be used as an advantage. So why do all the big companies score better, especially in ability to execute? Because, in many MQs, that’s where a larger, more mature organization will almost always score better. They have mature sales, marketing, and channel programs. Bigger support teams. The ability to support larger clients. As much as we slam them for inefficiency all the time, you can throw enough bodies at certain problems to make them go away. It doesn’t mean the product executes or performs better, but that the company has accountants. That’s why startups tend to do much better on vision (since they, you know, actually innovate). One of my weirdest post-Gartner experiences was helping some vendors work through the MQ process. All I really did was help them figure out what the analysts wanted (honest answers) and how to avoid getting into trouble (legal threats if your dot moved 3mm, which happens). I even warned them away from trying to schedule strategy days too close to an MQ, which could be seen as trying to cheat. I wouldn’t say it is a perfect process. And there is a reason Securosis will never engage in vendor comparison research like an MQ, but money doesn’t directly buy results. I have no skin in this game (not even stock) and have been out for a long time, so take it as you will. But if you are an analyst reading this, don’t think for an instant that vendors aren’t trying to influence you every second of every day, and there’s a reason they call it the “Gartner Tax”. Share:

Over at Network World Anton Gondalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals: Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards. Meh. In many cases the technologies are already here, or deep into development. The problem isn’t a lack of innovation, but that people keep spending money on the same old crap. That’s a different kind of rut. Besides, no matter what we do, the bad guys will keep innovating around it, as they have been for thousands of years. There are a couple good bits deeper in the article, including: On the white hat side, security professionals get paid for how they defend, not what they share, and companies view knowledge as a competitive advantage. In addition, companies fear being sued by customers or partners, if the data shared relates to them. That is a big one, and worthy of a separate article. Share:

Hurt back yesterday Too much pain to write much now Haiku easier And don’t forget to sign up for our Black Hat cloud security training in December! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s Dark Reading article on Shiny and New. Rich’s Touch ID and Secure Enclave article was picked up by Daring Fireball, AllThingsD, and who knows where else. Dave Lewis at CSO: Stuffing The Social Media Genie Back In Favorite Securosis Posts Adrian Lane: Investigating Touch ID and the Secure Enclave. Really good analysis from Rich on the security implementation of Touch ID on the iPhone 5s. But I’m not buying the ‘article’ angle – he just wanted a cool new toy! Mike Rothman: Cybercrime at the Speed of Light. Everything can (and will) be gamed. Everything. Gal Shpantzer: API Gateways. Especially because it made @beaker jealous. Rich: Keep Calm and Bust out the Tinfoil Hat. Mike is supposed to be an engineer, not a history major. But this is exactly what I have been thinking. Plus, every other country is doing the same thing to the best of their ability. Other Securosis Posts Continuous Security Monitoring [New Paper]. Data brokers and background checks are a massive security vulnerability. Walled Garden Fail. Incite 9/25/2013: Road Trip. Firewall Management Essentials: Quick Wins. A Quick Response on the Great Touch ID Spoof. Favorite Outside Posts Adrian Lane: Meet the machines that steal your phone’s data. Interesting to see professional eavesdropping devices for mainstream law enforcement. Nothing state of the art, but it allows Officer Barbrady to jack a cell tower. Still, before Snowden nobody cared about this stuff. Mike Rothman: Apple’s Fingerprint ID May Mean You Can’t “Take the Fifth”. We’re entering (yet) another new age, when the legal system is nowhere near keeping pace with technological innovation. Interesting thoughts from Marcia Hoffman about the legal question of whether you can be compelled to unlock your phone (with presumably damning evidence on there) because biometrics are not protected under the 5th Amendment, while passwords would be. Rich: A TED talk by master pickpocket Apollo Robbins. This is more entertainment than learning (as are most TED talks), but damn. You may think you understand the limits of your perception, but you don’t. The last line is the real kicker. Dave Lewis: London schoolboy secretly arrested over ‘world’s biggest cyber attack’ Gal Shpantzer: Yahoo recycled email accounts may contain emails destined to old account owner. No matter how they try to talk this up, or what they do to recover, this is a mess. Research Reports and Presentations Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Email-based Threat Intelligence: To Catch a Phish. Top News and Posts Chaos Computer Club breaks Apple Touch ID. A Survey of the State of Secure Application Development Processes. Just downloaded a copy. Review forthcoming. TouchID defeated: what does it mean? New CA law will let minors digitally erase their past. ‘Mr Big’ of UK cyber-crime among gang of eight arrested over £1.3million Barclays computer hijack plot in carbon copy of Santander scam Blog Comment of the Week This week’s best comment goes to Gunnar, in response to Cybercrime at the Speed of Light. HFT is about trading, not investing. Traders buy and sell every second of every day. Investors have multi year time horizons. That’s how ordinary should approach it, long term, buy and hold investment not as traders. These events which continue to happen on a more regular basis and show no signs of stopping, are worrisome, for traders. They can bankrupt themselves with their own algorithms, as one of the biggest Knight Capital did last year http://www.forbes.com/sites/halahtouryalai/2012/08/06/knight-capital-the-ideal-way-to-screw-up-on-wall-street/ Share:

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading. Today I read in The Verge: Last week’s Federal Reserve announcement made big waves on Wall Street, sending markets skyrocketing and financial organizations scrambling to spread the news – but a new report raises concerns that some were spreading it faster than they should have. The high-speed trading experts at Nanex say they saw simultaneous reactions in both Washington D.C. and Chicago, when the news should have taken at least three milliseconds to travel the 600 miles from the Federal Reserve Building to the Chicago’s commodities exchanges. I await Gunnar’s response, but it seems to me that ordinary people have little chance of surviving the markets as computers take over ‘our’ economy. Share:

Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell. An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity. … The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, … Two other compromised systems were located inside the networks of Dun & Bradstreet, … The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides background, drug, and health screening for employers. In my research for the Involuntary Case Studies in Data Breaches presentation I update every few years, I come across many dozens of breaches of credit check services, data brokers, and other information-gathering services. Go check it out yourself at the DataLossDB and search on Experian, LexisNexis, and so on. What I didn’t know is how many institutions rely on this data for Knowledge Based Authentication, and that it has been broken since at least 2010, according to Avivah Litan of Gartner (who is great – rely enjoyed working with her). I am fascinated because although I always considered this data aggregation a privacy risk – now we see it also as a security risk. Share: