Research

Okay, I had to troll a bit with that title. From a piece in SC Magazine: Oracle formally has announced improvements in Java that are expected to harden a software line with a checkered security past. Oracle’s post has the details. Java has been part of Oracle’s Software Assurance processes since it was acquired, but they aren’t as robust as Microsoft’s Trustworthy Computing principles. Not that Oracle is following Microsoft (DO NOT TAUNT HAPPY FUN ORACLE) but there are two specific principles they are moving toward: Secure by design. Instead of code testing and bug fixing, they announced they are moving into stronger sandboxing and fundamental security. Secure by default. Altering existing settings in the product for a more secure initial state. If they keep on this path and build a stronger sandbox, Java in the browser might make a return just in time for HTML5 to kill it. But hey, at least then it won’t be because of security. Share:

Google has stated they will now disclose vulnerability details in 7 days under certain circumstances: Based on our experience, however, we believe that more urgent action – within 7 days – is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised. Gunter Ollm, among others, doesn’t like this: The presence of 0-day vulnerability exploitation is often a real and considerable threat to the Internet – particularly when very popular consumer-level software is the target. I think the stance of Chris Evans and Drew Hintz over at Google on a 60-day turnaround of vulnerability fixes from discovery, and a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality. As part of responsible disclosure I have always thought disclosing actively exploited vulnerabilities immediately is warranted. There are exceptions but users need to know they are at risk. The downside is that if the attack is limited in nature, revealing vulnerability details exposes a wider user base. Its a no-win situation, but I almost always err toward giving people the ability to defend themselves. Keep in mind that this is only for active, critical exploitation – not unexploited new vulnerabilities. Disclosing those without time to fix only hurts users. Share:

Websense announced today that they are being acquired by Vista Equity Partners and will be going private when the transaction closes. From the press release: Under the terms of the agreement, Websense stockholders will receive $24.75 in cash for each share of Websense common stock they hold, representing a premium of approximately 29 percent over Websense’s closing price on May 17, 2013 and a 53 percent premium to Websense’s average closing price over the past 60 days. The Websense board of directors unanimously recommends that the company’s stockholders tender their shares in the tender offer. Let’s be honest – Websense needed to do something, and John McCormack was elevated to the CEO position to get some sort of deal done. They have been languishing for the last few years under serious execution failures, predominantly in sales, and their channel strategy. The competition basically wrote them off, and has spent the last few years looting the Websense installed base. But unlike most companies which end up needing rescue from a private equity firm, Websense still has a decent product and technology. I have heard from multiple competitors over the past couple years that they have been surprised Websense hasn’t been more of a challenge given the capability of their rebuilt product line. TRITON is a good platform, combining email and web security with DLP – available on-premise, in the cloud, or as a hybrid deployment. That cloud piece holds the potential to save this from being a total train wreck for Vista. The on-premise web filtering market is being subsumed by multiple perimeter security vendors. Email security has substantially moved to the cloud, and is a mature market with highly competitive products from larger competitors. DLP isn’t enough to support a standalone company. Even combining these three pieces isn’t enough when the UTM guys advertise it all on one box for the mid-market, particularly because large enterprises look for best-of-breed components rather than for bundles. We assume Vista wants to break out the standard private equity playbook, focusing on sales execution and rebuilding distribution channels to generate cash by leveraging the installed base. Then they can sell Websense off in 2-3 years to a strategic acquirer. Thoma Bravo has proven a few times that if you can execute on the PE playbook in the security market, it’s great for the investors and remaining management, who walk away with a big economic win. TRITON has the potential to drive a positive exit, but only because of the cloud piece. On-premise they won’t be able to compete with the broader UTM and NGFW boxes. But Security as a Service bundles for email, web, and DLP are a growing market – especially in the mid-market, and even some enterprises are moving that way. Think ZScaler, not Check Point. Unlike the box pushers Websense is already a legitimate SecaaS player. We are not fortune tellers but if Vista expects a return similar to the SonicWALL deal, that is a stretch. Acquiring Websense is certainly one place to start in the security market, and there is a reasonable chance they won’t lose money – especially when they recapitalize the debt in a few quarters and take a distribution to cover their equity investment. The PE guys aren’t dumb. But in order to create a big win they need to inject some serious vision, rebuild the product teams, and streamline around TRITON with an emphasis on the cloud and hybrid options, all while stopping the bleed-off of the installed base. We hope internally they have a sense of urgency and excitement, as they step away from the scrutiny of the public market – not one of relief that they can hide for a few more years. As far as existing customers, it’s hard to see a downside unless Vista decides to focus on sales and channels while totally neglecting product and technology. They would be idiots to take that approach, though, so odds are good for the product continuing to improve and remaining competitive. Websense isn’t dead in the water by any means – if anything this deal gives them a chance to make the required changes without worrying about quarterly sales goals. But there will be nothing easy about turning Websense around. Vista and Websense have a lot of work in front of them. Photo credit: “Private” originally uploaded by Richard Holt Share:

They say you can’t go home. What a load of garbage. You can totally go home (unless you’re from Fukushima or Chernobyl). In fact I am writing this week’s Summary in Boulder, Colorado – on a three-week trip to catch up with old friends, play hipster in coffee shops, and change my attitude with a little altitude. Better yet, I am writing this sitting in the Boulder Library while my kids enjoy musical story time. You can always go home – what you can’t do is go back in time. It doesn’t matter if you live within 15 miles of where you grew up, or run off to distant lands like me – time marches on. People leave, restaurants change, and even culture evolves and adapts. The point isn’t how much home changes, but how much you change – or don’t. I am not the same person I was when I arrived in Boulder back in 1989, and that’s a good thing. I’m not the same person I was 8 years ago when I left for a girl in Arizona. Among other things I have 3 kids and can’t spend my free time running off for mountain rescues. I had an awesome life back then, but it isn’t the life I want now. There is nothing wrong with nostalgia, but there is a fine line between reminiscing for days on the past and trying to live in the past. We all have friends stuck in their own personal glory days, making themselves miserable by refusing to move on. I may miss my kid-free freedom back then, but I am living the life I want now, and I would be missing out on the constant stream of amazing experiences my family gives me. Some stores have changed, some bars have changed, and some buildings were updated, but it’s still Boulder. As much as I miss Tulagis, Potters, and Pearls, I would be pathetic if I tried to hang there now, over 40. There seems to be more money in town, but this was always the national headquarters of the Limousine Liberals of the People’s Republic. It’s just as intolerantly tolerant as ever, and after spending time in Phoenix I really do notice the hippies more. (And the hippies still suck). I’m home and loving it. I may not be hanging with my old friends at the old places but I get to take my kids on my favorite hikes, enjoy the surprising number of local restaurants still here, and sneak off for some favorite rides and runs. I am also learning how much better a place this is to be with children than I thought when living here – there are an amazing range of activities, even without popping down to Denver. On that note, I need to take my bike in for service, pick up a new bike trailer for the baby, decide which organic, sustainably fed and ‘humanely’ slaughtered ground bird I will grill for dinner, and arrange a few post-hike microbrew excursions. Yeah, my life is hard. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian presenting next week on Tokenization vs. Encryption. Favorite Securosis Posts Adrian Lane: Bloomberg Pulls a News Corp on Goldman. We have hypothesized about this type of thing happening for a few years – this is the greatest fear of enterprises about cloud services. Mike Rothman: $45M Heist Used a 5 Year Old (at least) Technique. Rich nails it: what’s old is new. Rich: The Onion hack brings tears to my eyes. What’s not to love? Other Securosis Posts Boundaries won’t help GRC. Incite 5/15/2013: Fraud Hits Close to Home. Favorite Outside Posts Adrian Lane: A Saudi Arabia Telecom’s Surveillance Pitch. “What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.” < That. Governments and enterprise often place more value on your social media communications than you do. Mike Rothman: Warren Buffett: The three things I look for in a person. Adrian and Gunnar are card-carrying Buffett fanboys so I expect them to like this. I love this way to evaluate people: “Intelligence, energy, and integrity. And if they don’t have the last one, don’t even bother with the first two.” Rich: Ricky Gervais on the difference between US and UK humor. Actually, there is a lot in here about how we approach writing about security, and the difference between analytical humor and pure trolling. Dave Lewis: Hear Ye, Future Deep Throats: This Is How to Leak to the Press. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Indian companies at center of global cyber heist. Update on last week’s $45M theft. Bloomberg reporters allegedly used financial terminals to spy on Wall Street. Larry Page I/O keynote: Google CEO blasts Microsoft, Oracle, laws, and the media. Chinese internet: ‘a new censorship campaign has commenced’. Apple deluged by police demands to decrypt iPhones. Skype with care – Microsoft is reading everything you write. Boston judge limits access to Aaron Swartz court records < wagons circling. Blog Comment of the Week This week’s best comment goes to Andrew, in response to Boundaries won’t help GRC. I mischievously ask GRC vendors “who is the intended budget holder, G, R or C?” And often as not, the benefits of GRC tools go to audit. Business lines, as we all know, love to make audit more powerful …. Share:

Big news, big money – hackers stole $45M in a flash attack. They hacked into the bank system, focused on debit and pre-paid cards that lack the usual credit card anti-fraud detection, then made massive rapid withdrawals using mules scattered around the world. Not new. Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and a fourth man, identified only as “Hacker 3,” pooled their talents, and with the help of a worldwide network of “cashers” in more than 280 cities, they were able to walk away with $9 million of RBS WorldPay’s money. The attack, detailed in a federal indictment announced Tuesday by the Department of Justice, illustrates clearly the level of organization and sophistication involved in ATM and payment-card fraud, as well as the difficulty banks face in guarding against these schemes. The scam began simply and came together quickly. In early November 2008, prosecutors allege that Covelin discovered a vulnerability in the network of RBS WorldPay, a subsidiary of the Royal bank of Scotland that handles payroll and other payment-processing transactions for companies around the world. As Gal Shpantzer said in our chat room today: this is the sort of ATM hack that should be in the Verizon DBIR – not necessarily skimming. Share:

From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share:

There is no single right way to pick the best encryption option. Which is ‘best’ depends on a ton of factors including the specifics of the cloud deployment, what you already have for key management or encryption, the nature of the data, and so on. That said, here are some guidelines that should work in most cases. Volume Storage Always use external key management. Instance-managed encryption is only acceptable for test/development systems you know will never go into production. For sensitive data in public cloud computing choose a system with protection for keys in volatile memory (RAM). Don’t use a cloud’s native encryption capabilities if you have any concern that a cloud administrator is a risk. In private clouds you may also need a product that protects keys in memory if sensitive data is encrypted in instances sharing physical hosts with untrusted instances that could perform a memory attack. Pick a product designed to handle the more dynamic cloud computing environment. Specifically one with workflow for rapidly provisioning keys to cloud instances and API support for the cloud platform you use. If you need to encrypt boot volumes and not just attached storage volumes, select a product with a client that includes that capability, but make sure it works for the operating systems you use for your instances. On the other hand, don’t assume you need boot volume support – it all depends on how you architect cloud applications. The two key features to look for, after platform/topology support, are granular key management (role-based with good isolation/segregation) and good reporting. Know your compliance requirements and use hardware (such as an HSM) if needed for root key storage. Key management services may reduce the overhead of building your own key infrastructure if you are comfortable with how they handle key security. As cloud natives they may also offer other performance and management advantages, but this varies widely between products and cloud platforms/services. It is hard to be more specific without knowing more about the cloud deployment but these questions should get you moving in the right direction. The main things to understand before you start looking for a product are: What cloud platform(s) are we on? Are we using public or private cloud, or both? Does our encryption need to be standardized between the two? What operating systems will our instances run? What are our compliance and reporting requirements? Do we need boot volume encryption for instances? (Don’t assume this – it isn’t always a requirement). Do root keys need to be stored in hardware? (Generally a compliance requirement because virtual appliances or software servers are actually quite secure). What is our cloud and application topology? How often (and where) will we be provisioning keys? Object storage For server-based object storage, such as you use to back an application, a cloud encryption gateway is likely your best option. Use a system where you manage the keys – not your cloud provider – and don’t store those keys in the cloud. For supporting users on services like Dropbox, use a software client/agent with centralized key management. If you want to support mobile devices make sure the product you select has apps for the mobile platforms you support. As you can see, figuring out object storage encryption is usually much easier than volume storage. Conclusion Encryption is our best tool protecting cloud data. It allows us to separate security from the cloud infrastructure without losing the advantages of cloud computing. By splitting key management from the data storage and encryption engines, it supports a wide array of deployment options and use cases. We can now store data in multi-tenant systems and services without compromising security. In this series we focused on protecting data in IaaS (Infrastructure as a Service) environments but keep in mind that alternate encryption options, including encrypting data when you collect it in an application, might be a better choice or an additional option for greater granularity. Encrypting cloud data can be more complex than on traditional infrastructure, but once you understand the basics adapting your approach shouldn’t be too difficult. The key is to remember that you shouldn’t try to merely replicate how you encrypt and manage keys (assuming you even do) in your traditional infrastructure. Understand how you use the cloud and adapt your approach so encryption becomes an enabler – not an obstacle to moving forward with cloud computing. Share:

Dennis Fisher writes in Finger-Pointing on Cyberespionage does little good without a plan: The acknowledgement from the Pentagon, in truth, feels fairly anticlimactic. It’s the equivalent of Mark McGwire admitting to using steroids-10 years after every fan in the country had already accepted that fact. At some point it becomes sort of silly to even mention it. Water is wet, ice cream is delicious and China is attacking our networks. It just is. It’s a good piece but misses a couple key elements: in geopolitics, finger-pointing is an essential part of every plan, and execution on cybersecurity started a few years ago (Aurora/Google and Lockheed). This is a propaganda campaign to generate political and popular support, and nothing – nothing – progresses without this foundation. The problem is the invasion by other special interests, including copyright holders, that complicates the narrative. Make no mistake – this story was written years ago, and we are just watching the latest episodes to air. Share:

Sorry, but the title is a bit of a bait and switch. Before we get into object storage encryption we need to cover using proxies for volume encryption. Proxy encryption The last encryption option uses an inline software encryption proxy to encrypt and decrypt data. This option doesn’t work for boot volumes, but may allow you to encrypt a wider range of storage types, and offers an alternate technical architecture for connecting to external volumes. The proxy is a virtual appliance running in the same zone as the instance accessing the data and the storage volume. We are talking about IaaS volumes in this section, so that will be our focus. The storage volume attaches to the proxy, which performs all cryptographic operations. Keys can be managed in the proxy or extended to external key management using the options we already discussed. The proxy uses memory protection techniques to resist memory parsing attacks, and never stores unencrypted keys in its own persistent storage. The instance accessing the data then connects to the proxy using a network file system/sharing protocol like iSCSI. Depending on the pieces used this could, for example, allow multiple instances to connect to a single encrypted storage volume. Protecting object storage Object storage such as Amazon S3, Openstack Swift, and Rackspace Cloud Files, is fairly straightforward to encrypt, with three options: Server-side encryption Client/agent encryption Proxy encryption As with our earlier examples overall security is dependent on where you place the encryption agent, key management, and data. Before we describe these options we need to address the two types of object storage. Object storage itself, like our examples above, is accessed and managed only via APIs and forms the foundation of cloud data storage (although it might use traditional SAN/NAS underneath). There are also a number of popular cloud storage services including Dropbox, Box.com, and Copy.com – as well as applications to build private internal systems – which include basic object storage but layer on PaaS and SaaS features. Some of these even rely on Amazon, Rackspace, or another “root” service to handle the actual storage. The main difference is that these services tend to add their own APIs and web interfaces, and offer clients for different operating systems – including mobile platforms. Server-side encryption With this option all data is encrypted in storage by the cloud platform itself. The encryption engine, keys, and data all run within the cloud platform and are managed by the cloud administrators. This option is extremely common at many public cloud object storage providers, sometimes without additional cost. Server-side encryption really only protects against a single threat: lost media. It is more of a compliance tool than an actual security tool because the cloud administrators have the keys. It may offer minimal additional security in private cloud storage but still fails to disrupt most of the dangerous attack paths for access to the data. So server-side encryption is good for compliance and may be good useful in private clouds; but it offers no protection against cloud administrators and depending on configuration it may provide little protection for your data in case of management plane compromise. Client/agent encryption If you don’t trust the storage environment your best option is to encrypt the data before sending it up. We call this Virtual Private Storage because, as with a Virtual Private Network, we turn a shared public resource into a private one by encrypting the information on it while retaining the keys. The first way to do this is with an encryption agent on the host connecting to the cloud service. This is architecturally equivalent to externally-managed encryption for storage volumes. You install a local agent to encrypt/decrypt the data before it moves to the cloud, but manage the keys in an external appliance, service, or server. Technically you could manage locally, as with instance-managed encryption, but it is even less useful here than for volume encryption because object storage is normally accessed by multiple systems, so we always need to manage keys in multiple locations. The minimum architecture is comprised of encryption agents and a key management server. Agents implement the cloud’s native object storage API, and provide logical volumes or directories with decrypted access to the encrypted volume, so applications do not need to handle cloud storage or encryption APIs. This option is most often used with cloud storage and backup services rather than for direct access to root object storage. Some agents are advances on file/folder encryption, especially for tools like Dropbox or Box.com which are accessed as a normal directory on client systems. But stock agents need to be tuned to work with the specific platform in question – which is outside our object storage focus. Proxy encryption One of the best options for business-scale use of object storage, especially public object storage, is an inline or cloud-hosted proxy. There are two main topologies: The proxy resides on your network, and all data access runs through it for encryption and decryption. The proxy uses the cloud’s native object storage APIs. The proxy runs as a virtual appliance in either a public or private cloud. You also set two key management options: internal to the proxy or external; and the usual deployment options: hardware/appliance, virtual appliance, or software. Proxies are especially useful for object storage because they are a very easy way to implement Virtual Private Storage. You route all approved connections through the proxy, which encrypts the data and then passes it on to the object storage service. Object storage encryption proxies are evolving very quickly to meet user needs. For example, some tie into the Amazon Web Services Storage Gateway to keep some data local and some in the cloud for faster performance. Others not only proxy to the cloud storage service, but function as a normal network file share for local users. Share:

Okay, it is entirely possible he paid for it, but HOW DO WE KNOW? U.S. Finds Porn Not Secrets on Suspected China Spy’s PC A Chinese research scientist suspected of spying on the National Aeronautics and Space Administration – and pulled from a plane in March as he was about to depart for China – is set to plead to a misdemeanor charge of violating agency computer rules. Bo Jiang, who was indicted March 20 for allegedly making false statements to the U.S., was charged yesterday in a separate criminal information in federal court in Newport News, Virginia. Jiang unlawfully downloaded copyrighted movies and sexually explicit films onto his NASA laptop, according to the court filing. A plea hearing is set for tomorrow. This is why it’s important to read breaking news with skepticism. Not that China is above this sort of theft, per documented history, but that doesn’t mean everyone is working for APT1138. Share: