Research

In response to this SC Magazine article (thanks @pauljudge), I tweeted: An important distinction to keep in mind when you read these articles. Share:

Yep – we are doing our very best to overload you with research this year. Here’s my latest. From the paper’s home page: Between new initiatives such as cloud computing, and new mandates driven by the continuous onslaught of compliance, managing encryption keys is evolving from something only big banks worry about into something which pops up at organizations of all sizes and shapes. Whether it is to protect customer data in a new web application, or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And behind all of this is the ever-present shadow of managing all those keys. Data encryption can be a tricky problem, especially at scale. Actually all cryptographic operations can be tricky; but we will limit ourselves to encrypting data rather than digital signing, certificate management, or other uses of cryptography. The more diverse your keys, the better your security and granularity, but the greater the complexity. While rudimentary key management is built into a variety of products – including full disk encryption, backup tools, and databases – at some point many security professionals find they need a little more power than what’s embedded in the application stack. This paper digs into the features, functions, and a selection process for key managers. Understanding and Selecting a Key Manager (PDF) Special thanks to Thales for licensing the content. Share:

Thanks to your friends at Accuvant labs. Very worth reading for security pros. Peter Morgan, Ryan Smith, Braden Thomas, and Josh Thomas did an excellent job breaking it down. Here’s the security risk: One important point to make is that unlike the previous jailbreakme.com exploits, which could be used against an unwitting victim, jailbreaks that require USB tethering have a lower security impact, and are usually only useful to the phone’s owner. Attackers are less interested because iPhones with a passcode set will refuse to communicate over USB if they are locked, unless they have previously paired with the connecting computer. So your phone is stolen and it’s locked, attackers won’t be able to jailbreak it. Therefore, only malicious code already running on your computer can leverage USB jailbreaks nefariously. In case you didn’t know, iOS devices that pair with a computer will re-pair with other user accounts on that computer. It is device-based, not user account based. Share:

Evad3rs releases an iOS 6.1 jailbreak for all devices. Update: According to @drscjmm this will not work when a passcode is set, which means we are still in pretty good shape from a security standpoint. Untethered, which means you still need to plug the device into a computer, but the jailbreak lasts across reboots (this is not remotely executable at this time). This means all iOS devices are exposed to hands-on forensics, even with a passcode. Data protection still needs to be broken, but an attacker can jailbreak and install a back door to sniff your password if they have physical control of the device for long enough. if you lose your phone and recover it, wipe it and restore from a known unjailbroken backup. From the jailbreak notes: Please disable the lock passcode of your iOS device before using evasi0n. It can cause issues. I can’t test right now, but will be interesting if a passcode prevents the jailbreak, or is sometimes just an obstacle. Please leave comments if you know or find out. Update: As we said above, a passcode appears to block this jailbreak, which is good. (Hat tip to The Verge for the link). Share:

What’s the over/under on this one working? Mac users – this means XProtect won’t block it in your web browser, so if you don’t want it active be careful. I actually feel bad for the team that has to clean Java up. I’d hate to be in that mess. Share:

Apple uses XProtect to block the Java browser plugin due to security concerns. Draconian, but a good move, I think. Still, they should have notified users better for the ones who need Java in the browser (whoever that may be). You can still manually enable it to run if you need to. This doesn’t block Java itself, just the browser plugin. If complaint levels stay low, it indicates how few people use Java in the browser, and will empower Apple to make similar moves in the future. Share:

A must-read reported by the Times itself: For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings. The article contains many more details than we usually see about these incidents. Pure APT, and I had Mandiant pegged as the responders by the second paragraph. Of greater interest AT&T’s role in initially identifying the attack. Some in the security community, especially researchers, like to dismiss APT, but there is no question that China (and others, including the US) are engaging in massive attack campaigns. The key difference is that China is brazen and appears to target anyone in the public who private sector who comes anywhere near their radar screen. This includes companies far smaller than the Times. Until there are consequences for these actions, don’t expect anything to slow down. Gumming up the Huawei deal doesn’t come close to a material consequence. Update: Looks like the Wall Street Journal is also under persistent attack from China. Share:

Plan. Build. Run. It’s a pretty straightforward process. One of those things that is so simple we rarely need to even call it out. We tend to structure our research this way, even if we use different terms that are more consistent with the context at hand. This morning my wife gave me one of those looks as I got all excited and mentioned our build phase was nearly over. You see, for the past four-plus years our lives have been in big-time family build mode. We knew we wanted kids, we planned a bit, and then started building the family. What I didn’t realize was the sort of stasis that you get into when you cram build mode into a short timeframe (three kids in under five years for us). Nothing is ever stable when you bring children into the picture, but life sort of goes on hold when you are having kids, in a weird way that’s different from adjusting to the various changes as they grow up. For example, our garage is chock full of strollers, baby clothes, and other accouterments. We can’t even throw away any toys because the next baby will need all the same stuff. Sophie the Giraffe ain’t cheap for a hunk of rubber, and it isn’t even worth pulling it out of rotation with our kids so close. I just know one day I will pull around the block and see a Hoarders film crew in front of my house. Cars? Carseats? Daycare costs? Vacation plans? Even framing family photos is all messed up when you know the next little bugger is on the way. I knew life would be more difficult with children, but I didn’t anticipate the time dilation as you put your life on hold for the build years. And let’s be perfectly clear – it is a hell of a lot easier on me than my wife. I’m not the one who has to plan my wardrobe nine months in advance. As the rest of the Securosis team, and many of you, head out to RSA, I will be back here in Phoenix working on our Build-to-Run transition. Well, more like witnessing – it’s not like I’m doing any of the real work. The Mogull family will be in full production mode, and we can start slowly cleaning out the dev archives. Er… maybe I’m working too much. Anyway, I’m as excited to know that we have three happy and healthy kids, and no more, as I am to meet the new one for the first time (really, they aren’t very exciting for the first six or so months anyway). We can start moving forward and enjoy the few short years we will have them around to wreck our sleep, break our sh**, and otherwise teach us levels of emotional pain we can’t possibly imagine. But damn, they’re cute. And while I miss the freedom of the pre-kid versions of our lives, this is exactly where I want to be at this point in my life. Without question or hesitation. Really, they’re very cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Big Data Tweet-jam roundup. Adrian quoted on Big Data. Rich quoted in the Economist on Android security. Rich reviews his favorite fitness gadget for TechHive. Favorite Securosis Posts Adrian Lane: No Limits – New York Times Hacked by China. Mike Rothman: Universal Plug and Play Vulnerable to Remote Code Injection. One of the things Adrian didn’t get in this post is that Rapid7’s tool requires Java. FAIL. David Mortman: IAM for cloud use cases. Rich: It it was easy, everyone would be doing it… Other Securosis Posts Remember, every jailbreak is a security exploit Incite 1/30/2013: Email autoFAIL The Internet is for Pr0n Gartner on Software Defined Security The Graduate: 2013 Style Threatpost on Active Defense The Inside Story of SQL Slammer Java Moving from Ridiculous to Surreal Marketers take the path of least resistance Mobile Commerce Numbers Don’t Lie In through the Barracuda Back Door Favorite Outside Posts Adrian Lane: Symantec Gets A Black Eye In Chinese Hack Of The New York Times. Low effectiveness, but who will remove it? Mike Rothman: Check Point, Juniper, Stonesoft shine in low-end network firewall test. I like the work NSS does to put these products through their paces. It can’t really reflect real world circumstances, but their tests are as close as we are going to get. Rich: Decoding SDN by Juniper. SDN is hitting, and it’s time to get up to speed on the fundamentals. David Mortman: Trust will make or break cloud ID management services. Rich (#2): Jeff Carr asks great questions on the NYT article. Top News and Posts Twitter flaw allowed third party apps to access direct messages Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Backdoors Found in Barracuda Networks Gear Speedtest.net serving malvertiseing. How Yahoo allowed hackers to hijack my neighbor’s e-mail account. Wikr updates iOS app. I like Wikr, but don’t have enough people to use it with. Blog Comment of the Week This week’s best comment goes to David, in response to Threatpost on Active Defense. Rich, I am promoting using the term “Active Response Continuum” instead of “active defense” for the reason you cite, which is the term is too vague to be meaningful in discussion. The Active Response Continuum includes everything you list above, using two ranges (one capacity to respond, the other aggressiveness of actions). For more on this concept, see David Dittrich and Kenneth E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://papers.ssrn.com/sol3/papers.cfm? abstract_id=790585 and my Honeynet Project blog post responding to someone promoting “active defense” http://www.honeynet.org/node/1004 Share:

See update at the bottom TechHive’s piece on the new iOS 6.1 jailbreak. Only works on the pre-A5 processors, which means the iPhone 4S and iPad 2 and later are safe. The device must be connected to a computer for it to work. This is a tethered jailbreak which means it goes away when the device is rebooted. But this same technique enables you to forensically dump the phone, and all data is exposed except unless encrypted with Data Protection or another technique (see my Defending Data on iOS paper). It (and the source articles) suggests that an untethered jailbreak for all devices is coming. I can practically guarantee Apple will patch that pretty much immediately, because it will be a massive security issue allowing any attacker to control any iDevice that visits a malicious web page. If it’s real. Update: I misspoke a bit – my bad. Untethered doesn’t necessarily mean remote – it means the jailbreak persists across reboots. The security risks are obviously much less. Sleep deprivation is not my friend. Share:

Neil MacDonald on Software Defined Security: Here’s what I propose: “Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on. I believe to truly be “software-defined”, these foundational characteristics must be in place Abstraction – the decoupling of a resource from the consumer of the resource (also commonly referred to as virtualization when talking about compute resources). This is a powerful foundation as the virtualization of these resources should enable us to define ‘models’ of infrastructure elements that can be managed without requiring management of every element individually. Instrumentation – opening up of the decoupled infrastructure elements with programmatic interfaces (typically XML-based RESTful APIs). Automation – using these APIs, wiring up the exposed elements using scripts and other automation tools to remove “human middleware” from the equation. This is an area where traditional information security tools are woefully inadequate. Orchestration – beyond script-based automation, automating the provisioning of data center infrastructure through linkages to policy-driven orchestration systems where the provisioning of compute, networking, storage, security and so on is driven by business policies such as SLAs, compliance, cost and availability. This is where infrastructure meets the business. I will surely quibble on the details when I publish my own research on the topic, but Neil’s take is excellent. The key piece we need ASAP is security product APIs. You don’t want to know the ugliness which security abstraction and automation startups need to go through for even the most mundane tasks. Share: