Research

Yesterday, following up after recording the podcast on clickjacking, I was talking with Robert Hansen about the TCP flaw some contacts of his found over in Sweden. He wrote it up in his column on Dark Reading, and Dennis Fisher over at TechTarget also has some information up. Basically, it’s massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. Codified in a tool called “Sockstress”, Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention. I can’t but help think it’s because they are with a smaller company in Sweden; had this fallen into the hands of one of the major US vendors/labs methinks the alarm bells would be ringing a tad louder. From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection). Robert and Jack are trying to report and disclose responsibly, and I sure as heck hope the vendors are listening. Now might be the time for you big end users to start asking them questions about this. It’s hard to block an attack when it takes down your firewall, IPS, and the routers connecting everything. One interesting tidbit- since this is in TCP, it also affects IPv6. Share:

Greg Young over at Gartner has a humorous post on possibly the best way to make money in network security- the “Security Silly Jar”. Just drop in a quarter anytime someone says something stupid from the list. My favorite is number 9: 9. software can”t be secure. Could you please at least try. If you don’t know Greg, he’s the lead for network security over at Gartner and someone definitely worth reading… Share:

Last night I managed to pull a serious Munson. My car battery was dead, so I jumped it from my wife’s car. Then both batteries were dead (her car literally shut down when I tried to start mine). Then my brother in law came over, and managed to jump both cars. We left them running, then turned them off- and both were dead again. One more trip from my brother in law and we were up and running. We drove around for a bit and then stopped to run an errand. We stopped, and restarted, one car at a time so we always had one running vehicle. Both restarted, so we ran them for a minute longer and then ran our errand. Come back, and both are dead. Mall security jumped her car, drove on the highways for 20 minutes, parked it at home. Dead. Dead. Dead. Her car is a hybrid, and we think my battery is dead and something about jumping it blew something in her electrical system. Good times, my friends. Good times. At least I get some amusement this morning out of this article with some of the usual statistical dribble used to scare people into buying products. There’s no need to go into detail- it’s just a survey talking about how few companies perform email encryption, how hard and manual it is, and how employees would use it more if it were easier. This is all, of course, tied into some Nevada law and sponsored by an email encryption vendor. They forget, of course, to mention how few compromises there are of unencrypted email. No reference at all to any real cases where encryption would have prevented the loss of personal data (never mind any fraud associated with said loss). In short, nothing useful to help you make any kind of risk decision. Remember, I’m not against numbers, nor am I against email encryption (I use it occasionally for business communications), but I am against silly numbers with no bearing to anything important. We need more quality metrics and surveys, not this dribble that likely won’t fool a single security professional into buying a product. You might, likely, use email encryption anyway, but this sure won’t affect your decision. Share:

We had a killer episode of the Network Security Podcast this week as Jeremiah Grossman and Robert “Rsnake” Hansen joined us to talk a bit about their new clickjacking exploit. I definitely had some fun on this one, even though Jeremiah and Robert couldn’t dig too deeply into the details. We also managed to sneak in a bit on open source voting, and the top 10 ways to know you’ve been exploited. But mostly, you want to hear is making fun of each other. This was also one of our first episodes we streamed live. Although we record at irregular times, we plan on live streaming as much as we can. Just keep an eye on us on twitter (rmogull or netsecpodcast) for a few hours warning if you want to listen in and harass us over IM. You can download the episode here, and full show notes are at NetSecPodcast.com. Share:

As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend. Bad times my friends, bad times. Like many of you, although my current financial situation is pretty solid, I can’t help but wonder what the future holds. We’re not merely entering uncharted territory, we’re headed straight for that big black circle marked “There Be Monsters Here”. That doesn’t mean we won’t make it to the other side, but the journey is fraught with danger and challenge. First, a couple of assumptions: Some sort of bailout package will pass. Times will get tough, but we won’t enter a full depression. If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions. I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelosity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world. First, our starting assumptions: We’ll continue to see severe credit restrictions- even tighter than now. With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most. We will see no decline in security threats, but the threats will morph to adapt to changing market conditions. We don’t need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly. These lead directly to some conclusions about the security market: Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can’t afford big acquisitions anymore. We will see continued, massive, consolidation as small companies struggle to survive and larger players can’t create growth. These won’t be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We’ll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn’t dependent on external financing. Best of breed loses to security suites. Users will demand more suites from their vendors, and “good enough” will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they’ll care less in the future. Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you’ll see sales guys tossing in their firstborn essentially for free. A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn’t required by the auditors, doesn’t reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won’t sell very well. Vendors who don’t solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else. We’ll also see some threat evolution: Tighter credit issuing will reduce new account fraud. If it’s harder for the good guys to get credit, it will also be harder for the bad guys. Existing account fraud will increase. It isn’t like the bad guys will go get some non-existent legitimate jobs. They’ll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad. Major attack vectors will be similar to what we see today- clientside and web application. I don’t see anything in an economic downturn that changes the technical nature of the attacks we see today- they’ll continue to get more sophisticated, but that’s happening regardless of any economic issues. And, of course, this will impact security professionals and how we do our jobs: The bad guys will keep us employed, but salaries will be under pressure. “Good enough” applies to us as much as it does to our tools. We’ll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take added security responsibility. Now will be a good time for a diverse skill set to survive fat trimming. We’ll have to do more with less. That’s so obvious I’m embarrassed to write it. We’ll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we’ve been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value. Get used to accepting more risk. We’ll have to take hits on the small stuff to focus our efforts on the biggest risks. Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you’ll be. It’s always been about getting the job done, but let’s be honest and admit that it isn’t always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times. In other words, get used to people trying to nibble at your job, tighter

Over at the Washington Post they note that it looks like a “McCain Wins Debate” ad and quote accidently leaked before the… you know… debate actually happens. While I don’t plan on voting for him, criticizing preparing ads and responses ahead of time would be silly. It’s only prudent since there really isn’t time to create this content after the fact in our obsessive 24 hour news cycle driven society. What can be criticized is this could show a little lack of organization and discipline. Or not. If I were the Democratic equivalent of Karl Rove I might drop a few of these things on my own. Through front companies, of course. Sure, it would eventually be repudiated, but the initial damage will be done. Heck, that’s not even all that creative- aside from the ubiquitous YouTube ads and testimonials, there are all sorts of new attack vectors thanks to the Internet age. We already see plenty of this going on through email campaigns, which seem even more effective than the push polling of Bush II vs. McCain eight years ago. One reason this garbage is so effective? Most people have intense confirmation bias. As Adam posted recently, study after study shows we are inclined to believe that which aligns with our existing beliefs. On top of that, functional MRI studies have shown that political discussions trigger the same parts of the brain as religion- in other words, faith, and sections of our mind that are core to our identity. It is far easier to manipulate someone into believing what they want to believe than introducing contradictory information. The net is fracking perfect for this. Share:

As most of you know, Adrian and I have been pretty slammed lately; bouncing all over the inter-tubes (and airports) on our quest to save freedom and not default on our mortgages. One thing we’ve been wanting to do for a while is summarize everything that’s been going on through the week in a bit more of a structured format, a la Rothman’s Daily Incite. But we’re not nearly as motivated as Mike, but we figure we can handle once a week before we attend the official Securosis Weekly Research Offsite (happy hour). It’s a summary of what we’ve been up to, and our top post selections for the week. Webcasts, Podcasts, and Conferences: I put together the DLP Security School for TechTarget a few weeks back, but it was published while I was in the middle of my travel binge. I really like this education format, and believe it or not there are a few tidbits in there that aren’t in all the other stuff I’ve published on DLP. Adrian just finished the SIM Security School. Did I mention we like this format? Unlike the DLP school he put together a full webcast (as opposed to a video segment) with a ton of content. I spoke on a data masking panel at Oracle World. Here’s a post inspired by the session. This week on the Network Security Podcast Episode 121 our guest was T-Rob discussing Palin’s email hack, and MQ middleware security. Yeah, we thought it was a weird combo too. Outside Writing: The big one for me this week was Macworld- I was heavily involved in the security issue that’s sitting on newsstands this month. Except where it’s sold out, like my neighborhood Barnes and Noble. (I swear I didn’t buy them all). I’m really proud of the issue- it addresses the security needs and questions of average users, and is the kind of thing I can send to my mom. Favorite Securosis Posts: Rich: The Breach Reporting Dilemma. We really need to start looking at breach reporting differently, but I don’t expect it to happen anytime soon. Adrian: Behavioral Modeling. Some of the most significant advances we can make in security are in heuristics, but it’s also an extremely difficult problem. Favorite Outside Posts: Adrian: Jeremiah Grossman on YouTube. (description) Rich: Tim Wilson on Premature Chasm Crossing. I love articles/posts on thinking differently about the security market and, oh, I don’t know, focusing on the end users. Top News: The economy. Is there any other news? Blog Comment of the Week: I don’t agree with all of them, but Dre has some of the deepest comments on the blog. Here’s one on our PCI scanning post: [snip]… Most organizations implement firewall/IPS incorrectly. They assume it’s something you plug in. Most firewalls/IPS don’t protect on the outbound, and most policies allow outbound SYN origination from the DMZ on externally facing interfaces. Most firewalls/IPS don’t provide the real protections one would need without excessive CPU and memory usage. A few null routes (or uRPF) at the border is all that is necessary to prevent traffic to the 80 percent of the Internet we know we can”t trust. …[/snip] We hope you all have a great weekend. Share:

Some days I feel the suffocating weight of travel more than others. Typically, those days are near the end of a long travel binge; one lasting about 3 months this time. When I first started traveling I was in my 20’s, effectively single (rotating girlfriends), and relatively unencumbered. At first it was an incredibly exciting adventure, but that quickly wore off as my social ties started to decay (friends call less if you’re never around) and my physical conditioning decayed faster. I dropped from 20 hours or more a week of activity and workouts to nearly 0 when on the road. It killed my progression in martial arts and previously heavy participation in rescues. Not that the travel was all bad; I managed to see the world (and circumnavigate it), hit every continent except Antarctica, and, more importantly, meet my wife. I learned how to hit every tourist spot in a city in about 2 days, pack for a 2-week multi-continental trip using only carry-on, and am completely comfortable being dropped nearly anywhere in the world. Eventually I hit a balance and for the most part keep my trips down to 1 or 2 a month, which isn’t so destructive as to ruin my body and piss off my family. But despite my best scheduling efforts sometimes things get out of control. That’s why I’m excited to finish off my last trip in the latest binge (Oracle World) for about a month and get caught up with blogging and the business. For those of you earlier in your careers I highly recommend a little travel, but don’t let it take over your life. I’ve been on the run for 8 years now and there is definitely a cost if you don’t keep it under control. As we say in martial arts, there is balance in everything, including balance. Now on to Oracle World and a little security. I’m consistently amazed at the scope of Oracle World. I go to a lot of shows at the Moscone Center in San Francisco, from Macworld to RSA, and Oracle World dwarfs them all. For those of you that know the area, they hold sessions in the center and every hotel in walking distance, close of the road between North and South, and effectively take over the entire area. Comparing it to RSA, it’s a strong reminder that we (security) are far from the center of the world. Not that Oracle is the center, but the business applications they, and competitors, produce. This year I was invited to speak on a panel on data masking/test data generation. As usual, it’s something we’ve talked about before, and it’s clearly a warming topic thanks to PCI and HIPAA. I’ve covered data masking for years, and was even involved in a real project long before joining Gartner, but it’s only VERY recently that interest really seems to be accelerating. You can read this post for my Five Laws of Data Masking. Two interesting points came out of the panel. The first was the incredible amount of interest people had in public source and healthcare data masking. Rather than just asking us about best practices (the panel was myself, someone from Visa, PWC, and Oracle), the audience seemed more focused on how organizations are protecting their personal financial and healthcare data. Yes, even DNA databases. The second, and more relevant point, is the problem of inference attacks. Inference attacks are where you use data mining and ancillary sources to compromise your target. For example, if you capture a de-identified healthcare database, you may still be able to reconstruct the record by mining other sources. For example, if you have a database of patient records where patient names and numbers have been scrambled, you might still be able to identify an individual by combining that with scheduling information, doctor lists, zip code, and so on. Another example was a real situation I was involved with. We needed to work with a company to de-identify a customer database that included deployment characteristics, but not allow inference attacks. The problem wasn’t the bulk of the database, but the outliers, which also happened to be the most interesting cases. If there are a limited number of companies of a certain size deploying a certain technology, competitors might be able to identify the source company by looking at the deals they were involved with, which ones they lost, and who won the deal. Match those characteristics, and they then identify the record and could mine deeper information. Bad guys could do the same thing and perhaps determine deployment specifics that aid an attack. If logic flaws are the bane of application security design, inference attacks are the bane of data warehousing and masking. Share:

Thanks to Slashdot, here’s a story on Adobe PDF vulnerabilities: The Portable Document Format (PDF) is one of the file formats of choice commonly used in today”s enterprises, since it’s widely deployed across different operating systems. But on a down-side this format has also known vulnerabilites which are exploited in the wild. I normally ignore stories coming out of vendor labs on new exploits that are coincidentally blocked by said vendor’s products, but on occasion they highlight something of interest. Back in February I mentioned three applications that are a real pain in our security behinds- IE/ActiveX, QuickTime, and Adobe Acrobat (the entire pdf format, to be honest). It’s nice to see a little validation. Each of these, in their own way, allows expansion of their formats. In the Adobe case they keep shoveling all sorts of media types and scripting into the format. This creates intense complexity that, more often than not, leads to security vulnerabilities. When you manage an open format, content validation/sanitization is an extremely nasty problem. Unless you design your code for it from the ground up, it’s nearly impossible to keep up and lock down a secure format. I suspect Adobe’s only real option at this point is to start failing with grace and focus on anti-exploitation and sandboxing (if that’s even possible, I’ll leave it up to smarter people than me). Truth is I should have also put Flash on the list. My bad. Share:

Over at Emergent Chaos, Adam raises the question of whether we are seeing more data breaches, or just more data breach reporting. His post is inspired by a release from the Identity Theft Resource Center stating that they’ve already matched the 2007 breach numbers this year. Personally, I think it’s a bit of both, and we’re many years away from any accurate statistics for a few reasons: Breaches are underreported. As shown in the TJX case, not every company performs a breach notification (TJX reported, other organizations did not). I know of a case where a payment processor was compromised, records lost for some financial services firms that ran through them, and only 1 of 3-4 of the companies involved performed their breach notification. Let’s be clear, they absolutely knew they had a legal requirement to report and that their customer information was breached, and they didn’t. Breaches are underdetected. I picked on some of the other companies fleeced along with TJX that later failed to report, but it’s reasonable that at least some of them never knew they were breached. I’d say less than 10% of companies with PII even have the means to detect a breach. Breaches do not correlate with fraud. Something else we’ve discussed here before. In short, there isn’t necessary any correlation between a “breach” notification and any actual fraud. Thus the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet we don’t have a singe case that I can find where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today’s accounting. There’s no national standard for a breach, never mind an international standard. Every jurisdiction has their own definition. While many follow the California standard, many others do not. Crime statistics are some of the most difficult to gather and normalize on the planet. Cybercrime statistics are even worse. With all that said I need to go call Bank of America since we just got a breach notification letter from them, but it doesn’t reveal which third party lost our information. This is our third letter in the past few years, and we haven’t suffered any losses yet. Share: