Research

Richard Bejtlich, on President Obama’s interview on Charlie Rose: This is an amazing development for someone aware of the history of this issue. President Obama is exactly right concerning the differences between espionage, practiced by all nations since the beginning of time, and massive industrial theft by China against the developed world, which the United States, at least, will not tolerate. Obama’s money quote: Every country in the world, large and small, engages in intelligence gathering and that is an occasional source of tension but is generally practiced within bounds. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard fare and we’ve tried to prevent them from – penetrating that and they try to get that information. There’s a big difference between that and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that. I think a key issue here is whether China recognizes and understands the difference. Culturally, I’m not so sure, and I believe that’s one reason this continues to escalate. Share:

From the BlueHat blog, Microsoft’s security community outreach: In short, we are offering cash payouts for the following programs: Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest. BlueHat Bonus for Defense – Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered. IE11 Preview Bug Bounty – Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers. This doesn’t guarantee someone won’t sell to a government or criminal organization, but $100K is a powerful incentive for those considering putting the public interests at the forefront. Share:

Alex Hutton has been on the leading edge of IT security risk management as long as I have known him. He has a new blog, and if you don’t think we can ever quantify risk, you need to read this post The next age of risk management, science, & craftsmanship: And that’s the crux of the third age, the move to what I’ve past referred to as a Modern Approach to Risk Management (borrowing heavily from the white page of the same name). Forward thinking programs are blending things like fraud analytics, InfoSec controls, and risk modeling so that there is no longer a boundary between these disciplines. Even folks who are grumpy sticks in the mud about risk, big data and so forth have had to acknowledge the benefits of at least basic “Data Science” methods. Alex is using some of these techniques in the real world. I have always challenged any quantitative risk modeler to show me a model that consistently and reasonably accurately predicts security outcomes. A few people are close, but not likely using any of the models you have been taught. Alex and some others, including Jack Jones, are taking a scientific approach and slowly making progress. I expect that some day during my career a model will pass my risk management test, thanks to their hard work. That will change our profession dramatically. Share:

Moxie Marlinspike has a must-read editorial over at Wired: For instance, did you know that it is a federal crime to be in possession of a lobster under a certain size? It doesn’t matter if you bought it at a grocery store, if someone else gave it to you, if it’s dead or alive, if you found it after it died of natural causes, or even if you killed it while acting in self defense. You can go to jail because of a lobster. If the federal government had access to every email you’ve ever written and every phone call you’ve ever made, it’s almost certain that they could find something you’ve done which violates a provision in the 27,000 pages of federal statues or 10,000 administrative regulations. You probably do have something to hide, you just don’t know it yet. I’ve mostly stayed away from the recent NSA news because it isn’t infosec per se. But here’s the thing: private businesses are collecting what are essentially our innermost thoughts (search engines, email, writing, what you read online, etc.) – never mind our physical locations and physical actions. If someone in a position of power decides to look at you they will find something. I recently had a friend threatened, very directly, merely for speaking out against something innocuous in a public forum. I support our government and law enforcement, but I also believe in privacy and appropriate checks and balances in the system. The NSA likely hasn’t done anything illegal, but the laws themselves are the issue. These are good people doing the job we put before them, but we neglected to have the serious social discussion about the potential consequences first. I will step down off the soapbox now. Share:

We realize it has been a while, but we are insanely excited to open up the next phase of the Securosis Nexus beta test. This is an open beta but we reserve the right to kick out anyone who annoys us. Getting Started Signing into the Nexus is easy. Just go to http://nexus.securosis.com, click “Sign Up” and enter “4111-1111-1111-1111” as your credit card number – sorry if that’s your real credit card number. You will then receive activation information via email.   What to Expect The Nexus is code complete but our content is far from complete. The system is completely functional, so now we need help making sure it scales beyond our internal testing. We have some starter content in there, but it is only representative of where we are headed, and this structure is temporary. We will be adding content weekly basis as we get closer to launch, and will send out occasional updates to beta testers so you know what we are up to. We are fully supporting the “Ask an Analyst” feature, which means you get free advice (well, in exchange for your help testing). But this is a (free) beta test, so we make no promises of timeliness. 🙂 We anticipate staying in test mode for 3-6 months because it will take at least that long to write all the content. Most of the material is brand new, and this isn’t merely a repository for our white papers. If you find bugs or have questions, email us at nexus@securosis.com or use the Support link. Thanks! We are really looking forward to getting more people into the system and taking it for a test drive. Share:

I am in the airport lounge after attending the WWDC keynote, and here are some quick thoughts on what we saw today: The biggest enhancement is iCloud Keychain. Doesn’t seem like a full replacement for 1Password/etc. (yet), but Apple’s target is people who won’t buy 1Password. Once this is built in, from the way it appears designed, it should materially help common folks with password issues. As long as they buy into the Apple ecosystem, of course. It will be very interesting to see how the activation lock feature works in the real world. Theft is rampant, and making these devices worthless will really put a dent in it, but activation locking is a tricky issue. Per-tab processes in Safari. I am very curious about whether there is more additional sandboxing (Safari already has some). My main concern these days is Flash, and that’s why I use Chrome. If either Adobe or Apple improve Flash sandboxing I will be very happy to switch back. For enterprises Apple’s focus appears to be on iOS and MDM/single sign on. I will research the new changes more. Per-app VPNs also looks quite nice, and might simplify some app wrapping that currently does this through alternate techniques. iWork in the cloud could be interesting, and looks much better than Google apps – but collaboration, secure login, and sharing will be key. Many questions on this one, and I’m sure we will know more before it goes live. I didn’t see much else. Mostly incremental, and I mainly plan to keep an eye on what happens in Safari because it is the biggest point of potential weakness. Nothing so dramatic on the defensive side as Gatekeeper and the Java lockdowns of the past year, but integrating password management is another real-world, casual user problem that hasn’t been cracked well yet. Share:

From Share and share alike? Not Quite, by Mike Mimoso at Threatpost: “With retail, the challenge is that most of the companies we share with are direct competitors,” Phillips said. “From a security perspective, you have to get over that and share because we’re all facing the same challenges. There’s no way any of us will win the war on our own.” If sharing information on attacks provides your competitors a business advantage, you have serious issues unrelated to security. Share:

I haven’t been writing much over the past few weeks because I took a few weeks with the family back in Boulder. The plan was to work in the mornings, do fun mountain stuff in the afternoons with the kids, and catch up with friends in the evenings. But the trip ended up turning into a bit of medical tourism when a couple bugs nailed us on day one. For the record, I can officially state that microbrews do not seem to cure viruses. But the research continues… It was actually great to get back home and catch up as best we could under the circumstances. My work suffered but we managed to hit a major chunk of the to-do list. For the kids I think the highlight was me waking up, noticing it was raining, and bundling the family up to the Continental Divide to chase snow. We bounced along an unpaved trail road in the rain, keeping one eye on the temperature and the other on our altitude, until the wet stuff turned into the white stuff. Remember, we live in Phoenix – when it started dumping right when we hit the trailhead, with enough accumulation for snowmen and angels, I was in Daddy heaven. For me, aside from generally catching up with people (and setting a PR in the Bolder Boulder 10K), another highlight was grabbing lunch with some rescue friends and then hanging out in the new headquarters with the kids for a couple hours. It has been a solid 7-8 years since I was on a call, but back at the Cage, surrounded by the gear I used to rely on and vehicles I used to drive, it all came back. Surprisingly little has changed, and I was really hoping the pager would go off so I might hitch along on a call. Er… then again, I’m not sure you are allowed to respond with lights and sirens when kids are in the back in their car seats. There is an intensity to the rescue community that even the security community doesn’t quite match. Shared sweat and blood in risky conditions, as I wrote about in The Magazine. That doesn’t mean it’s all one big lovefest, and there’s no shortage of personal and professional drama, but the bonds formed are intense and long-lasting. And the toys? Oh, man, you can’t beat the toys. That part of my life is on hold for a while as I focus on kids and the company, but it’s comforting to know that not only is it still there, it is still very familiar too. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading article on Database DoS. Favorite Securosis Posts David Mortman: New Google disclosure policy is quite good. Adrian Lane: Mobile Security Breaches. Astute, concise analysis from Mogull. Rich: Security Analytics with Big Data: New Events, New Approaches. Adrian is killing it with this series. Other Securosis Posts API Gateways: Security Enabling Innovation [New Series]. Matters Requiring Attention: 100 million or so. Apple Expands Gatekeeper. Incite 6/5/2013: Working in the House. Oracle adopts Trustworthy Computing practices for Java. A CISO needs to be a business person? No kidding… Security Analytics with Big Data: Defining Big Data. LinkedIn Rides the Two-Factor Train. Security Surrender. Finally! Lack of Security = Loss of Business. Network-based Malware Detection 2.0: Scaling NBMD. Friday Summary: May 31, 2013. Evernote Business Edition Doubles up on Authentication. Favorite Outside Posts David Mortman: Data Skepticism. Adrian Lane: NSA Collects Verizon Customer Calls. Interesting read, but not news. We covered this trend in 2008. The question was why the government gave immunity to telecoms for spying on us, and we now know: because they were doing it for the government. Willingly or under duress is the current question. Rich: Why we need to stop cutting down security’s tall poppies. Refreshing perspective. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Democratic Senator Defends Phone Spying, And Says It’s Been Going On For 7 Years. Expert Finds XSS Flaws on Intel, HP, Sony, Fujifilm and Other Websites. Whom the Gods Would Destroy, They First Give Real-time Analytics. Apple Updates OS X, Safari. Original Bitcoin Whitepaper. Unrelenting AWS Growth. Not security related, but the most substantive cloud adoption numbers I have seen. Note that the X axis of that graph is logarithmic – not linear! StillSecure acquired. Microsoft, US feds disrupt Citadel botnet network. Blog Comment of the Week This week’s best comment goes to Andy, in response to LinkedIn Rides the Two-Factor Train. This breaks the LinkedIn App for Windows phone. But who uses Windows phone, besides us neo-Luddites who refuse to buy into the Apple ecosystem? Share:

From an article based on ‘work’ by Check Point: 79% of businesses had a mobile security incident in the past year, in many cases incurring substantial costs, according to Check Point. The report found mobile security incidents cost over $100,000 for 42% of respondents, including 16% who put the cost at more than $500,000. Bullshit. Share:

I missed this when the update went out last night, but Gregg Keizer at Infoworld caught it: “Starting with OS X 10.8.4, Java Web Start applications downloaded from the Internet need to be signed with a Developer ID certificate,” Apple said. “Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed.” This was a known hole – great to see it plugged. Share: