Research

Mike Mimoso has a very good article on active defense at Threatpost. (Yes, we are linking to them a lot today). While every corporate general counsel, CIO and anyone with a CISSP will tell you that hacking back against adversaries is illegal and generally a bad thing to do, there are alternatives that companies can use to gain insight into who is behind attacks, collect forensic evidence and generally confound hackers, perhaps to the point where they veer away from your network. The one thing the article doesn’t spend enough time on is how useful these approaches can be for triggering alerts in your security monitoring. Especially if you correlate two or more events, which are highly unlikely to be a false positive. I wrote about this last June with some definitions. Finally, the CrowdStrike guys need to get their messaging lined up. Mixed messages aren’t great when you are in pretend-stealth mode. Share:

A first person account at Threatpost by David Litchfield, who discovered the vulnerability which was later exploited. Looking at my phone, I excused myself from the table and took the call; it was my brother. “David, it’s happened! Someone’s released a worm.” “Worm? Worm for what?” “Your SQL bug” My stomach dropped. Telling Mark I’d call him back later I rejoined the table. Someone, I can’t remember who, asked if everything was alright. “Not really,” I replied, “I think there’s going to be trouble.” Microsoft was going down the security path before this, but it clearly helped reinforce their direction and paid massive dividends on SQL Server itself. The first major flaw to be found in SQL Server 2005 came over 3 years after its release – a heap overflow found by Brett Moore, triggered by opening a corrupted backup file with the RESTORE TSQL command. So far SQL Server 2008 has had zero issues. Not bad at all for a company long considered the whipping boy of the security world. Oracle would prefer you not read that paragraph. Share:

Adam Gowdiak in [SE-2012-01] An issue with new Java SE 7 security features: That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit. This was via Ed Bott who has also been covering the deceptive installs included with nearly all Java updates: When you use Java’s automatic updater to install crucial security updates for Windows , third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner. With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naive enough to trust Java’s “recommendation,” you end up with unwanted software on your PC. I have checked, and (so far) I cannot correlate kitten deaths with Java installs, so we’ve got that going for us. Which is nice. Share:

Symantec released their quarterly earnings today, which is the sort of thing we usually ignore. Especially because it’s only the third quarter, and not even a playoff game (I really need to hang out with Mike less). However… The learning period is over for new CEO Steve Bennett, and he is starting to implement his game plan. There shouldn’t be any surprises considering his background at GE – the focus is on streamlining, realigning assets, and reducing workforce cruft – especially in the middle and executive management levels. Talk is cheap and change is hard, so Bennett has his work cut out for him. The strategy of executing better in the field and with product delivery isn’t without risk. But it’s not like they really had a choice. Their sales costs were much higher than comparables in the industry, so that needed to be fixed. Organic innovation and acquired product integration have been problematic for years. At the same time Symantec drank at the trough of high multiple M&A to drive revenue growth, but too many of those deals didn’t pan out. So the focus will be on the stuff they already have, and even if they do more M&A given the return of capital to shareholders (in the form of a dividend and stock buyback), you’d look for lower priced and accretive deals. One message came across loud and clear: Don’t expect short term magic. Bennett managed expectations that this would be a multi-year process. What does this mean to you? SMB is now tied to consumer, not enterprise. That makes sense on the surface but is likely a tricky move under the covers, depending on where they draw the SMB line. Especially as more and more SMB customers look to the cloud for key services like web and email security and backup. On the enterprise side there will be some turmoil as they move BUs around, focus on profitable products, and perhaps start dropping distractions. This usually slows innovation, despite saying they are investing more into R&D. For most of you this won’t mean much yet, except that you should expect deck chairs to move even in the middle of deals. I don’t expect significant changes in the main product lines, and there is some base there to build on – per the article: The company also plans to increase research and development into areas such as mobile workforce productivity, data center security, integrated backup, information security services, cloud-based information management, and identity and content-aware security. Symantec really struggled with focus for a long time. They have started to clean that up, but nothing that big turns quickly. Mike might have more to add, but most of this won’t affect the enterprise business too much unless they decide to dump something big, and there’s no question they will be dumping little things that aren’t profitable enough. We don’t think they know what won’t make the cut at this point, but clearly some stuff will need to go. I suspect the SMB re-org/transition will be messy, but Symantec hasn’t had much of a strategy or success there for a while anyway. Basically, they are moving to address issues that the entire market has been pointing out for years. That should be good news to those Symantec faithful, and business as usual for everyone else. Share:

A student who legitimately reported a security breach was expelled from college for checking to see whether the hole was fixed. (From the original article): Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.” … Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents. It was the President of the SaaS company who forced him to sign an NDA under threat of reporting him to law enforcement, and he was then expelled. Reactions like this have a chilling effect. They motivate discoverers to not report them, to release them publicly, or to sell or give them to someone who will use them maliciously. None of those are good. Even if it pisses you off, even if you think a line was crossed, if someone finds a flaw and tries to work with you to protect customers and users rather than using it maliciously, you need to engage with them positively. No matter how much it hurts. Because you sure as heck don’t want to end up on the pointy end of an article like this. Share:

When Mike wrote his review of Rob Graham’s post on what could define criminality on the Internet, he focused on the anonymization piece. Me? I was struck more by Rob’s “Witchcraft is not a crime” post in a very personal way: The problem with computer geeks is that they are too smart. Boundaries obvious to the average person are invisible to geeks. They will run afoul of the law without being aware of it. … What computer geeks do seems like magic to the average person, to the “jury of your peers”. What’s more, magic is essentially the same as witchcraft. Once you believe someone has magical powers, you start to fear them, and question their good intentions. Thus, no matter how good a geek’s intention, it’ll seem like evil black magic to prosecutors and juries. When I was young, before high school, I committed acts that I believe were criminal even under the laws at the time (mid 1980’s). The most common was phone phreaking – I had a source, and later a technique, for getting MCI codes that allowed me to make free phone calls from a pay phone. I also trafficked in stolen online credentials I gathered from the various bulletin board systems I was on. I even used some of these to log into services illegally. I pirated vast amounts of Commodore 64 software, often cracking some of it myself. I had almost no skills. It was all trial and error. At the time? I didn’t think I was doing anything wrong. To me it seemed no different than the times my dad tried to get free HBO by wrapping aluminum foil around our cable line and moving it around until we saw a blurry picture. I wasn’t “stealing” anything (by my flawed reasoning), just exploring a digital world that few people understood. Even my parents asked for the pay phone calls since there weren’t cell phones, and I could rarely hang onto a quarter to call home for a ride back after wrestling practice. By the end of junior high school I realized this activity was illegal and I was risking my future, so I stopped. I probably still pirated C64 games, and continued to poke at the edges of any system I had access to, but a combination of prescience and puberty moved my spare time more into organized sports and other activities than my pre-script-kiddie script-kiddie endeavors. But even as I got older I know I flirted with the illegal. I downloaded music in the early Napster days (and knew at least one FBI agent who did as well). I probed networks in ways that might now be considered breaking the terms of service. As careful as I was. As ethical and thoughtful as I thought I was, I still technically broke laws. Just like every other good security professional I know. We can’t but help see flaws in the system. Sometimes we probe the edges of those flaws to see where the limits are. By our interpretation this is often totally acceptable, but others do not always see it that way. Personally I have long erred on the side of caution. I don’t take certain actions I think are totally fine if I think someone who could cause problems for me might see them another way. But it is always, ALWAYS a struggle to stay aware of these, often apparently arbitrary, lines when I am anywhere near the edge. Any time actual harm isn’t clear. Share:

It appears that Java is still vulnerable to exploit after the latest patch from Oracle. Disabling Java completely probably isn’t possible for many of you, so I suggest you at least use a good web gateway/network IPS/NGFW that filters for malware, and something cloud or VPN based to protect mobile users. Events like this are why I’m so interested (and have been for a long time) in browser virtualization technologies (Bromium, Invincea, anyone else?). This isn’t going to end any time soon. Share:

As someone who has been part of the medical field my entire life (family business before I became a paramedic) the intersection between medicine and technology is of high personal interest. I still remember the time I got in trouble at work for hacking my boss’s password so we could get into the reporting application he accidentally locked everyone out of. Medical IT is, for the most part, the biggest fracking disaster you can imagine. The software is insanely complex and generally terribly written. The user interfaces are convoluted and exactly wrong for the kind of non-technical users they are built for. More often than not there is a massive disconnect between engineers, IT admins, and clinical users. And security? Frequently it’s the thought you have after an afterthought, when you get around to it, on the fifth Wednesday of the second month of the… you get the idea. Hospital IT tends to rely extremely heavily on vendors who use remote access. Inside, the networks are as soft as you can imagine. I’m not saying this to be insulting, and there are most definitely exceptions at some of the more profitable institutions, but most hospitals barely slide by financially, are SMBs, and lack the resources to really invest in a good, structured IT program. Adding fuel to the fire is a vendor community and regulatory body (the FDA) that make the SCADA folks look positively prescient. So it is no surprise that DHS finds themselves stepping in over the FDA to pressure vendors to patch vulnerable systems. After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT). Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software. The announcement comes month after the US Government Accountability Office said in a report (pdf) that action was required to address medical device flaws, adding that the FDA did not consider such security risks “a realistic possibility until recently”. We’ll see where this goes as the agencies battle it out. But I think this is the start of a long road – I don’t see the funds needed to really address this problem getting freed up any time soon. Share:

I will not write about Manti Te’o. I will not write about Manti Te’o. I will not write about Manti… ah hell, who am I kidding. Wednesday afternoon I was about to head out to meet a buddy for happy hour when he texted that he would be late because of getting caught up in the story (which had just broken). That was cool – I was in the middle of the same article. (If you don’t know what I’m talking about, this should get you up to speed. I admit I’m not the biggest pro sports guy in the world. I enjoy sports, especially football, and played in high school, but years of living in Colorado and spending my winter weekends hunting for fresh powder broke the habit. Living in Phoenix now, I have tried to get back into it, but even if I can snag a TV from my young kids to watch a game, the odds are very high that they will hunt me down to play with them. Seriously, I can’t even take a morning constitutional in peace anymore. Back to Te’o. It is barely conceivable to me that he wasn’t somehow in on it. If this was a catfish, it is one of the best in history (and Te’o should be sent back to community college for remedial reality training). Plus, his family also had to be in on it for their statements to make sense. And let’s not forget the lazy reporters who clearly made s–t up. No, Occam’s Razor likely applies, and Te’o had better sprint to Oprah’s couch before it cools down from Lance. That’s right, it’s liar’s week in the sports world. The buddy I met for happy hour works part time as a sportswriter, and our conversation naturally shifted from Te’o to Lance because I’m big into cycling. As the Lance saga continues I can’t but help be perplexed at the quintuple standard applied to different sports. A lot of people like to call cycling the dirtiest sport out there, but these days it has the strictest performance enhancing drug controls of any professional sport. Not that there still isn’t cheating – it is rampant. When I was out for the Tour last summer the rumor was that the only teams racing solidly clean were Garmin-Sharp-Barracuda (my hosts) and Sky. There were a lot of other clean riders, but more as individuals rather than being on a clean team that managed their own testing to keep things that way. And guess what? A rider from a clean team won the Tour despite battling the dopers. This was possible because the program limits the degree to which people can cheat. Unlike back in Lance’s day, the bio-passport system basically puts a hard limit on how much a rider can enhance without triggering alarm bells. Now go watch some football this weekend. If you think a 300+ pound lineman can legitimately runs a sub-5.0 40, I have a really cute girl on Facebook you should meet. Cycling gets a lot of guff because the riders get caught more, and for some reason people want clean riders. Maybe because, unlike football, a weekend cyclist can directly compare their stats to a pro. Talking with my sportswriter friend, he mentioned they have published articles on potential PEDs in football and no one cares. This despite the fact the increased player size and speed directly correlate to worse injuries and the current problems with traumatic brain injuries. We want our gladiators and we want them big. Sports is entertainment and Sports Center is no different than People Magazine in the end. We want our scandals, heroes, and blood sacrifices, no matter the costs. Just like our… —–, but I won’t go there. Crud. I meant this intro to end with humor. A linebacker, a cyclist, and Oprah walk into a bar… … never mind. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted by Reuters on Cisco’s network security competitiveness. Mike quoted in the Merc about Cisco’s network security (missed) opportunity. Adrian’s Dark Reading Post on DB Threats and Countermeasures. Rich’s excellent TidBITS post on Apple’s Security Efforts in 2012. Adrian’s Dark Reading post on Big Data Security Recommendations. Favorite Securosis Posts Adrian Lane: Emotional Whiplash. Mike nailed it. And I only saw the first and fourth quarters! Mike Rothman: Does Big Data Advance Security Analytics? Adrian wins buzzword bingo this week. But the post is important because both Big Data and Security Analytics will be front and center in a lot of security marketing this year. David Mortman: Don’t be a douche… So much for family friendly, eh, Mike? Rich: A different kind of APT. Mike totally stole this one from me. Other Securosis Posts The Fifth Annual Securosis Disaster Recovery Breakfast. My DHS Beats Your FDA. Understanding IAM for Cloud Services: Integration. Time to Play Nice with SCADA Kids. Beware of Self-Proclaimed Experts. Mobile Identity–WTF? Help Me Pick My Next Paper Topic. Bolting on Security – at Scale. Let’s Get Physical – Road Rules Edition. Happy Out of Cycle IE Patch Monday. You Can’t Handle the Truth. Favorite Outside Posts Adrian Lane: Five Mitzvahs of Cloud Computing. Leverage what you’ve got, point 4, is dead-on! Mike Rothman: Steak Drop. Physics FTW. If you ever asked yourself “From what height would you need to drop a steak for it to be cooked when it hit the ground?,” then you need to read this xkcd What-if? post. I wonder if the answer changes if you use a veggie burger? James Arlen: Great stuff in here: NERC CIP V5 is Coming. Places emphasis on the automation of data collection to enable compliant operations. More automation is useful – but much like with banking, you need to be able to do it by hand before you get infatuated with a system. David Mortman: Notes on distributed systems for young bloods. Rich: The Verge on Vegas casinos battling cheating. I’m fascinated by casino security. Research

Hey folks, Just a quick note that I am trying to decide between a few different topics for my next paper. If you have a moment, I could use your opinion. Which will take no more than 5-15 seconds when you click this link. The options are: BYOD Security Fundamentals Defending Cloud Data – Encrypting for Dropbox, Box.net, and Friends Defending Data in Cloud Infrastructures – IaaS Encryption and Data Security Defending Enterprise Data on Mobile Devices Other (please specify) I threw it out on Twitter and IaaS encryption took an early lead, which is interesting because I expected it to be BYOD. Thus I decided to double up and push it out through the blog. Thanks. Share: