Research

Writing is hard – I get it. Tech writing is hard – I get it. Tech journalism is hard, especially when you need to translate complex technological issues into prose that the common reader (depending on your demographic) can understand. Writing about security for TidBITS and Macworld for the past 6 or so years has been an amazing educational experience as I have had to learn exactly how to walk this tightrope and explain things like memory parsing vulnerabilities and ASLR to consumers. So it’s hard. But that isn’t an excuse for irresponsible shoddiness or laziness. Then I saw this on Twitter today: Don Reisinger at CNet published an article today that essentially accuses one of the stalwarts of the security industry of engaging in illegal activity. Gordon Lyon, also known as Fyodor, wrote nmap (among other accomplishments). He reposted an older Full Disclosure email by some researchers who created a botnet out of over 400,000 Internet connected devices. Reisinger? He read that post, assumed Fyodor did the work, wrote an article about it without fact checking or interviewing anyone, and in that article stated that Gordon hacked those devices for “benign research”. But that would be very illegal. And Fyodor had nothing to do with it. Reisinger wrote his article based completely on a repost of an email to Full Disclosure. That’s lazy, shoddy, and irresponsible. Don might be a good guy, and might mean well, but he needs to learn that this sort of ‘journalism’ isn’t acceptable. CNet needs to require at least some semblance of responsibility from their writers. Look, we know half the stuff posted on most tech sites today is rewritten press releases or single-sourced ‘interpretations’ of someone else’s blog post or article (without any additional analysis, which could make it fine). But an article like this actually meets the legal definition of libel (rough guess on my part). I work with some amazing online writers. I have seen inside publications, and know how the editing process works. You can do better CNet, and plenty of other organizations manage to do so while remaining profitable. Update: Fyodor posted a response to the article with a perfect quote: Since he found the full-disclosure post on my mailing list archive site, clearly I must be the hacker :). This has got to be the most bone-headed CNET move since they released the trojan Nmap installer on CNET Download.com. Share:

Internet troll “weev” sentenced to 41 months for AT&T/iPad hack Weev is a total sociopath (not just a troll), and I have no sympathy for him. He wouldn’t know altruism if it kicked him in the nads, and I have little doubt his goal was to harm AT&T with his discovery. But, by all appearances, this is a weak case and a stretch of the Computer Fraud and Abuse Act with consequences not only for legitimate security research, but for Internet use in general. But don’t make him a martyr or an antihero. Weev is vile scum, who appears to be getting off on all the attention. If he wins on appeal he is bound to end up in jail sooner or later, but at least then it will be for a real crime, and hopefully will not bad establish case law with chilling effects. Share:

Raising children in the age of the Internet is both exhilarating and terrifying. As a geek I am jealous of the technology my children will grow up with. You can make the argument that technology always advances, and my children will feel the same way about their offspring, but I think the genesis of the Internet is a clear demarcation line in human history. There is the world before the Internet, and the world after. The closest equivalents are the rise of agriculture and the Industrial Revolution, and I argue the Internet hit harder and faster. Mix in mobile devices, near-ubiquitous wireless data, and “the cloud”, and the changes are profound. Part of me feels incredibly lucky to have lived through this change, and another part is sad it wasn’t around sooner. It is an exciting time to raise kids. The resources available to us as parents are truly stunning. We have access to information resources our parents couldn’t conceive of. Want to know how to build a robot? Make the perfect sand castle? Build a solar-powered treehouse? Answer nearly any imaginable question? It’s all right there in your pocket. Anything my children choose to explore, I can not only support, I can get the supplies deliverd with free two-day shipping. My kids will grow up with drones, robots, 3D printers, and magical books with nearly all of human knowledge inside. Which isn’t always a good thing. Once they figure out the way around my filters (or go to a friend’s house), there won’t be any mysteries left to sex. Not that what they’ll find will represent reality, and some of it will warp their perceptions of normality. They will post their innermost thoughts online, without regard to what that may mean decades later. They will see and learn truly horrible things that, before the Internet, were physically isolated. They will witness lies and hatred on a colossal scale (especially if they post anything in a gaming forum). I accept that all I can do is try my best to prepare them to understand, filter, and think critically on their own. But I truly believe the benefits outweigh the dangers. Like this author, I will flood my children with technology. They have, today, essentially infinite access to technology. I don’t limit iPad time. I don’t count the television hours. We don’t restrict the laptops. This may change as they grow older, but my gut feeling is that the more you restrict something, the more they want it. And our family’s lifestyle is more centered on physical activity and creating than consuming. There is, however, one place where I have started restricting technology. Not for my children, but for myself. This week as I sat in the parents’ observation area at our swim school, I noticed every adult head wasn’t focused on their kids, but on the screens in their hands. Go to any playground or Chuck E Cheese and you will see more parental heads staring down than up. I noticed I do it. And my children notice me. Children, especially young children, don’t necessarily remember what we try to teach them. They, like nearly every other species, learn by watching us. And they remember absolutely everything we do, especially when it involves them. I don’t want my kids thinking that the screen in my hand is more important than they are. I don’t want them thinking that these wonderful devices are more important than the people around them (well, I do prefer Siri over most people I meet, but I’m a jerk). I can’t just tell them – I need to show them. I have started weaning myself off the screen. When I’m with my family, I try to only use it when absolutely necessary, and I verbalize what I’m doing. I am trying to show that it is a tool to use when needed, not a replacement for them. I am not perfect, and there are plenty of times it’s okay to catch up on email in front of my kids – just not when I should be focused on them. And, to be honest, once I got over the initial panic, it’s nice to just relax and see what’s around me. It doesn’t hurt that my kids are damned cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on Watering Hole Attacks. Adrian’s DR post: Database Security Operations. Favorite Securosis Posts Mike Rothman: Compromising Cloud Managed Infrastructure. You cloud is only as secure as the web interface you use to configure it… Adrian Lane: The BYOD problem is what? Rich: Ramp up the ‘Cyber’ Rhetoric. Other Securosis Posts Email-based Threat Intelligence: Quick Wins. Email-based Threat Intelligence: Industrial Phishing Tactics (New Series). A Brief Privacy Breach History Lesson. Incite 3/13/13: Get Shorty. Could This Be the First Crack in the PCI Scam? TripWire nCircles the Vulnerability Management Wagon. Untargeted Attack. Email-based Threat Intelligence: Analyzing the Phish Food Chain. In Search of … Data Scientists. Encryption Spending up in 2012. Security Education still an underused defense. Favorite Outside Posts Mike Rothman: Father hacks ‘Donkey Kong’ for daughter, makes Pauline the heroine. Hacking for the win. This is the right example to set for young girls. They can do anything they want. Adrian Lane: Which Encryption Apps Are Strong Enough to Help You Take Down a Government? People talk about privacy, but Matt Green arms you with some tools to actually help. The question is would you actually use these tools. Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names – in a word: insane. Top News and Posts Spy Agencies to Get Access to U.S. Bank Transactions Database Microsoft and Adobe release patches to fix critical vulnerabilities. Deja patch. Obama Discusses Computer Security With Corporate Chiefs. Update on iOS 6 exploitation. TL;DR: it’s really hard. Blog Comment of the Week This week’s best comment goes to Nate, in response

The big ChoicePoint breach of 2004 was the result of criminals creating false business accounts and running credit reports on hundreds of thousands of customers (probably). Every major credit/background company has experienced this kind of breach of service going back decades – just look at the Dataloss DB. Doxxing isn’t necessarily hacking, even when technology is involved. All this has happened before, and all this will happen again. Even very smart humans are fooled every day. Share:

A sports clothing retailer is suing Visa to recover a $13M fine for a potential data breach. The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based. PCI is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts. The PCI Security Standards Council has stated that no PCI compliant organization has ever been breached. This is a clear fallacy – merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications. Fines are then levied against the acquiring bank and passed on to the merchant. When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of the merchants, who have more incentive to fight the fines. Third-party banks then simply collect the money from the customer’s account or sue them for uncollected balances, using the indemnification clauses in their contracts to justify it. The card companies collect their fines with no hassle and merchants, in the meantime, are left fighting to dispute the fines and get their money back from the card companies. In this case, the retailer (Genesco) is suing Visa for violating their own policies, especially since there was no evidence that card numbers were exfiltrated or used for fraud. Watch this one closely. If it succeeds there will likely be a flood of similar cases. This case doesn’t seem to attack the root of the PCI system itself (the contract system), but I could see that easily getting wrapped into either this case or a future one if Genesco is successful. Seriously – I don’t think all of PCI is bad, but the PCI SSC claims that no compliant organization has been breached is a load of (my favorite word beginning with ‘s’). That position and their policies on fines convinces me PCI is a scam. Especially since they even try to intimidate PCI assessors who speak negatively about PCI in public (yes, direct warnings to shut up or else, I have been told). The card companies, especially Visa (who pulls most of the strings), have a chance to change course and clean up the issues that undermine a program that could be very beneficial. But PCI is currently losing what little legitimacy it has. Share:

I was perplexed by the wording of many initial reports on the recent attacks ‘against’ Apple, Facebook, Twitter, and Microsoft. Sure, maybe they were targeted, but it seems just as likely that the attackers just picked popular developer sites and harvested some big fish. That is the essence of a a good piece at securityledger: Rather, the wide net of watering hole web sites pulled in employees from organizations across a broad swath of the U.S. economy, say those with knowledge of the incident. That has made the operation look more like a fishing expedition than a narrowly focused operation.   Developers are typically soft targets, with extensive access to internal resources. In this case I would bet that most Mac-based developers have Java enabled in their browsers. As a former dev myself, they spend a lot of time in various fora with crappy security and which are thus prone to compromise. I still spend a lot of time on those sites, but I am probably more careful than most devs or admins. Developers and administrators are in jobs that require deep access to sensitive resources, more control over their own systems, and a larger software attack surface (Java is essential for managing certain systems and platforms); but they aren’t necessarily more secure than average users, beyond basic attacks. Targeting job roles rather than organizations seems like a good strategy. Hit something popular enough within the development or admin communities, and the odds are very good that you will gain access to a variety of prime targets. No one works in a vacuum. Image: a real watering hole, with a croc you can’t see. Took this one myself in Africa. He/she wasn’t hungry that day. Share:

Rich here, I need to apologize a bit for sending the Summary out a day late. As most of you know, this week is the big annual RSA Conference and we, Securosis, were busy as heck with conference activities. Between e10+, the Security Blogger’s Meetup, the Securosis Disaster Recovery Breakfast, and tons of conference meetings, it is the busiest week of our year. Well, except for me. As many of you know I spent the week here in Phoenix waiting for the birth of my next child. The due date was Monday, and there was no way in hell I was going to take the risk of missing that for a conference. But as you might guess based on the tone of this post, the kid is a no show. It was weird to miss RSA for the first time in many years. I was prepared to miss the social side of the show; as much as I enjoy seeing everyone, a conference is for work and I frequently dodge parties for meetings, to finish slides, or to stay rested. On the business development front I’m the first to admit Mike is a lot better at BD, and he probably closed more business for me than I could have closed myself. It was really nice to sit back and wait for the text messages of people I need to follow up with (thanks Mike!). What I didn’t expect was how much I miss the energy boost. You see, one thing about the nature of our business is that we often work in a vacuum. We advise users and vendors, and maybe get to see the outcomes someday, but we don’t get a lot of direct feedback on our work. This is important not only to ensure we that are on the right track, but it also helps keep us motivated. I don’t get a performance evaluation and bonus at the end of the year if I did well. I am extremely internally motivated. Anyone who works at home, for themselves, has to be or they don’t survive very long. But I’m also human, and we are social creatures. At RSA we get to engage with a much wider range of people than we do in our day-to-day work, and we get face-to-face feedback from people who use our research but don’t necessarily leave comments or feedback. Based on reports from the guys who were out there we are definitely on track, but hearing it isn’t the same as shaking the person’s hand or having breakfast with them. I can’t lie – I really missed that this year. I missed the feedback, good and bad, instead of talking to a blank screen or a captive audience before running to catch a plane. I don’t regret my decision in the slightest – my family is far more important than any of what i just talked about. I like the way Chris Hoff put it during the session we would have presented together had the baby come early, “the cost of missing RSA is a lot less than the cost of a divorce”. And one advantage is that I was here to get the Cloud Security Alliance Nexus launched. The CSA Nexus is a branded version of the Nexus platform we have been developing for two years. We launched with the CSA first because, at our annual internal planning meeting, we decided we needed to rework our content a bit before we go live for Securosis customers. It’s exciting to have actual, paying customers, and to get this thing out of the lab. It’s also weird to be a product manager, not just an analyst. We are going to open up our beta test again after we get a little more server work done, and we are still working out the dates for our official Securosis Nexus launch, but it should be soon. We are making a big bet on this platform, and I suspect getting actual customers in there will more than compensate for missing a few handshakes, head nods, and spilled beers. Note: since everyone was out this week and I was focused on the Nexus launch, this week’s Summary is missing most of the usual sections. Securosis in the news Rich on passwords in Digital Trends. Securosis posts Shattered Windows – the Impact of Attack Automation. Go buy Take Control of Your Passwords. Bit9 Details Breach. About the Security Blogger’s Meetup. Looky here. Adaptive Authentication works… When is a Hack a Breach? The Nexus Is Live with the Cloud Security Alliance! Everything I need to know about security, I learned in kindergarten. The end of MDM (as we know it). Or not. Attribution Meh. Indicators YEAH! Other news More Java 0-day. We are now adding this to the Summary with a weekly script. Botnet shut down live at RSA. AirWatch grabs $200M in funding. We don’t normally cover these things, but that is an insane amount of money. An interview with a ski patroller. Because I really miss ski patrol. Share:

In 2011, our friend Josh Corman codified “HD Moore’s Law”: Casual Attacker power grows at the rate of Metasploit For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as Immunity Canvas and Core Impact, Metasploit has a large community, and when new vulnerabilities or exploits become public they are typically converted into Metasploit modules extremely quickly (sometimes within hours). Once a module is published, anyone using Metasploit can leverage that attack. But Metasploit isn’t the only automated attack tool. Criminals have their own toolsets and markets, some of which advertise inclusion of 0-day vulnerabilities (for a price) and include better support than most of the security tools on the market. Being profitable, they fund their own research teams or acquire new exploits on the open market. Some software vendors have started talking about this in public, as Microsoft outlined in their RSA talk on their response to Flame. Brad Arkin from Adobe has also talked about this and presented hard data on their patch times and public disclosures and exploits. In the article Microsoft didn’t call out Metasploit or the criminal attack tools, but the inference is clear. There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.* If it isn’t public, it has already been used in attacks or – thanks to changes in the exploit market – sold to someone who intends to use it in attacks. If it is public, it will be included in attack tools (good and bad) faster than most vendors can create and distribute a patch, or most users can deploy even if the patch is available. Some vulnerabilities are still reported privately to vendors, but we can no longer assume this is the norm, especially for some of the most serious vulnerabilities with high market value. Cloud computing also affects this in both good and bad ways, but the core principle is the same. If a cloud service is a target they have nearly no time to patch, but when they do they can patch for all users at once (for public clouds). To be clear, I don’t consider Metasploit or other penetration testing tools ‘bad’. They are extremely important for security professionals to understand and use, but that doesn’t mean they can’t be misused. Share:

Joe Kissell, with whom I ‘work’ over at TidBITS, just published Take Control of Your Passwords. Joe asked me to review the book ahead of time, and it should be mandatory reading (no, I don’t get a cut – that’s my honest opinion). Joe covers the range of password issues I have ranted on before, then includes specific strategies for managing them. Many of you who read this site might not need the book, but I guarantee nearly everyone you know will get something out of it, even if they only read some sections. Seriously, it is extremely pragmatic and informative. Share:

Bit9 released more details of how they were hacked. The level of detail is excellent, and there seems to be minimal or no spin. There are a couple additional details it might be valuable to see (specifics of the SQL injection and how user accounts were compromised), but overall the post is clear, with a ton of specifics on some of what they are finding. More security vendors should be open and disclose with at least this level of detail. Especially since we know many of you cover up incidents. When we are eventually breached, I will strive to disclose all the technical details. I gave Bit9 some crap when the breach first happened (due to some of their earlier marketing), but I can’t fault how they are now opening up. Share: