Login  |  Register  |  Contact
Thursday, March 26, 2009

Webcast on Endpoint Encryption Today

By Rich

I’ve been out at the Phoenix SANS event so I almost forgot to post this…

I’ll be presenting on endpoint encryption from 2-3 ET today. The event is sponsored by WinMagic, and you can register here.

I’ll be covering the basics of endpoint encryption- a little bit on why you should do it (I think most of you have heard me say “just encrypt your freaking laptops” by now), an overview of the technology, and enterprise concerns and best practices. I’ll also spend some time talking about how to mix file/folder and full drive encryption.

This one is targeting people without much of a background in endpoint encryption and is mostly introductory material.


Tuesday, March 24, 2009

Security Speed-bumps

By Adrian Lane

Reading yet another comment on yet another blog about “what good is ABC technology because I can subvert the process” or “we should not use XYZ technology because it does not stop the threats” … I feel a rant coming on. I get seriously annoyed when I hear these blanket statements about how some technologies are no good because they can be subverted. I appreciate zeal in researchers, but am shocked by people’s myopia in applied settings. Seriously, is there any technology that cannot be compromised?

I got a chance to chat with an old friend on Friday and he reminded me of a basic security tenet … most security precautions are nothing more than ‘speed bumps’. They are not fool-proof, not absolute in the security that they offer, and do not stand unto themselves without support. What they do is slow attackers down, make it more difficult and expensive in time, money, and processing power to achieve their goals. While I may not be able to brute force and already encrypted file, I can subvert most encryption systems, especially if I can gain access to the host. Can I get by your firewall? Yes. Can I get spam through your email filter? Absolutely. Can I find holes in your WAF policy set? Yep. Write malware that goes undetected, escalate user privileges, confuse your NAC, poison your logs, evade IDS, compromise your browser? Yep. But I cannot do all of these things at the same time. Some will slow me down while others detect what I am doing. With enough time and attention there are very few security products or solutions that would not succumb to attack under the right set of circumstances, but not all of them at one time. We buy anti-spam, even if it is not 100% effective, because it makes the problem set much smaller. We try not to click email links and visit suspect web sites because we know our browsing sessions are completely at risk. When we have solid host security to support encryption systems, we drop the odds of system compromise dramatically.

If you have ever heard me speak on security topics, you will have heard a line that I throw into almost every presentation: embrace insecurity! If you go about selecting security technologies thinking that they will protect you from all threats under all circumstances, you have already failed. Know that all your security measures are insecure to some degree. Admit it. Accept it. Understand it. Then account for it. One of the primary points Rich and I were trying to make in our Web Application Security paper was that there are several ways to address most issues. And it’s like fitting pieces of a puzzle together to get reasonable security against your risks in a cost effective manner. What technologies and process changes you select depend upon the threats you need to address, so adapt your plans such that you cover for these weaknesses.

–Adrian Lane

Network Security Podcast, Episode 143

By Rich

With the CanSecWest conference last week, right on the heels of Black Hat Europe, there have been many happenings in the security world. On top of that, our favorite investigative reporter managed to take down yet another group of bad guys by shining his flashlight in the right direction.


p>But before we delve into the week’s security news, we spend a little time talking about my shiny new Mac Pro, as Martin gives me a few parenting tips (don’t worry, we try not to bore you too much). I rant a bit on Apple’s stupidity with their cord-length on the new 24” Cinema Display. Seriously, only 3’6”? With no extension available anywhere?!?

Sigh. And now, on to the show.

Network Security Podcast, Episode 143, March 24, 2009

Show Notes:

(Yes, Alan, I just cribbed my own show notes again.)


Monday, March 23, 2009

CanSecWest Highlights

By Adrian Lane

I have been reading about the highlights of the CanSecWest show all over the net, and it seems like there were a lot of really cool presentations. TippingPoint’s ‘Pwn2Own’ contest at CanSecWest that started late last week concluded over the weekend. The contest awarded $5,000 to each hacker would could uncover an exploit for any of the major browser platforms (Firefox, Internet Explorer, Chrome, & Safari). Firefox, IE, & Safari were all exploited at least once during the contest, with Chrome the only browser to make it through the trials. Perhaps that is to be expected given its newness. Lots more wrap-up details on the DV Labs site.

I know a lot of security researchers have a bitter taste from the way companies behave when a security flaw is revealed; still, I am always interested in seeing these types of contests as they are great demonstrations of creativity, and the ability to share knowledge amongst experts is great for all of the participants. If this method of “No Free Bugs” works to get discoveries back in the public eye, I think that’s great.

I would have much like to have seen the presentation “Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line”. Having previously witnessed what information can be gleaned from power lines, and things like over-the-air Tempest attacks, I would like to see how the state of the art on physical side channels has progressed.

One of the other show highlights was covered by Dennis Fisher over on Threatpost- it appears that the Core Security Technologies team has demonstrated a persistent BIOS attack. There are next to now details on this one, but if they are able to perform this trick without the assistance of a secondary device and only obtaining admin access, this is a really dangerous attack. If you have access to the physical platform, all bets are pretty much off. Looking forward to seeing the details.

–Adrian Lane

Friday, March 20, 2009

Friday Summary, March 20th, 2009

By Adrian Lane

Happy Friday! Rich is off with the family today and probably sneaking in some time to play with his new Mac Pro as well. If I know him, at the first opportunity he will be in the garage, soldering iron in hand, making his own 9’ mini-DVI cable to hook up his new monitor. Family, new baby, and cool new hardware mean I have Friday blog duties. But as I just got back from the Source Boston show, there is much to talk about this week. Across the board, the presentations at Source were really excellent, and some of the finest minds in security were in attendance, so Stacy Thayer and her team get very high marks from me for putting on a great event.

Starting out with a bang, Peter Kuper gave a knockout keynote presentation on the state of financial markets and venture funding for startups. A no-nonsense, no-spin, honest look at where we are today was both a little scary and refreshing for its honesty. He has a post here if you want to read more of his work. David Mortman kicked off the morning sessions with I Can Haz Privacy, updating us on a lot of the privacy issues and legislation going on today. He highlighted the natural link between personal privacy and LOLCATS like no one else, and kept audience participation high by rewarding questions with some awesome homemade wheat bread. The always thought-provoking Adam Shostack gave a presentation on The Crisis in Information Security. I am in complete agreement that despite the hype, breached businesses will continue to function and operate as they always have, and the sky is not falling. And as always, his points are backed by solid research. Even if individual companies generally do not fall, I do still wonder about broader risk to the entire credit card system given its ease of (mis)use, its poor authentication, the millions of stolen credit card numbers floating around, and demonstrated capabilities to automate fraud.

Hoff had his best presentation yet with The Frogs Who Desired a King. While you may or may not be interested in security or cloud computing, this is a must-see presentation. Even if you have been reading his Rational Survivability blog posts on the subject, the clarity of the vision he presented regarding the various embodiments of cloud computing and the security challenges of each is more than compelling, and he has backed it up with a staggering amount of research. I’ve got to say, Chris has raised the bar for all of us in the security field for the quality of our presentations.

After almost missing the show because of a number of issues on the home front, including spending 4 days at the emergency vet clinic as someone accidentally poisoned one of my dogs, I got on the plane and I am glad I made it. I gave a presentation on Data Breaches and Encryption, examining where encryption technologies help and, just as importantly, where they don’t.

My personal “Shock and Awe” award went to Mr. James Atkinson of Granite Island Group TSCM for his presentation on “Horseless Carriage Exploits and Eavesdropping Defenses”. I had no idea that all of these devices were in full effect in most automobiles today, nor that it was this easy to do. Having now given it some thought, though, I think I may have run into some of the devices he discussed. I will be looking through my car this weekend.

It was good to see Dennis Fisher again … and he is just launching a new security news network called Threatpost. This effort is sponsored by Kaspersky and they have started off with a ton of stuff, so it’s worth checking out.

Now I am off to try and enjoy the weekend, so here it is- the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Rich and Adrian presented Building a Business Justification for Data Security through SANS. We co-presented with Chris Parkerson of McAfee … and apologies to Chris as Rich and I ran a little long.
  • Adrian chatted with Amrit Williams on the subject of Information Centric Security on the Beyond The Perimeter podcast this week. It should be posted soon.
  • Adrian presented Data Breaches and Encryption last week during the Source Boston event.
  • Rich joined Martin McKeay on the Network Security Podcast this week, talking about Google behavioral ad targeting, Comcast passwords exposed, and the new DNS trojan. They were joined by Bill Brenner of CSO Online so you’ll want to check this one out!

Favorite Securosis Posts:

  • Rich: Adrian’s post on Immutable Log Files.
  • Adrian: My post on Sprint Data Leak… I try not to post on breaches as there are so many, but this has been so bad for so long that I could not help myself.

Favorite Outside Posts:

  • Adrian: Rafal’s post on the Fox News Fail … not for the original post, but the dialog afterwards.
  • Rich: Sure, we’re suckers for a plug, but Jeremiah posts a good list of recent web security related topics.

Top News and Posts:

Blog Comment of the Week: From Ariel at CoreSecurity …

Actually, Kelsey reinvented an idea that was previously exposed and published by Futoransky and Kargieman from Core ([1]) and implemented in the msyslog package ([2]) since 1996.

I learn something new every day! Now, if so many great security minds think this is a good idea, why does no one want this technology?

–Adrian Lane

Wednesday, March 18, 2009

Immutable Log Files

By Adrian Lane

I have been working on a project lately that I don’t really get to talk about much, but it is a technology that I am quite fond of: Immutable Log Files. For those of you who do not know what these are, immutable logs are log files protected from tampering and erroneous insertion. Depending upon the implementation, the files can have additional protections from poisoning and fictional recreation/forgery as well. There are many other names for this type of technology, such as content integrity verification, court admissible evidentiary data, incontrovertible data, and even “signed and sequenced” data. Regardless of name, the intent is to create a tamper-resistant archive of events. A high level overview of the process might look like the following:

Take a log entry, syslog for example, and add a time stamp and/or sequence number to that entry. Create a digital hash of the log entry to ensure integrity, and cryptographically sign it so you know the hash was produced by whatever authority is entrusted with managing the log. Now the log entry contains self-validating information as well. Each subsequent log entry would be bundled with one or more data points from previous log entries prior to creating the hash, to ensure that the sequence of events has not been altered. What you end up with is a chain of events that can be verified for data integrity.

There are many variants to this process that offer additional assurances, but that is the gist of it. I had the opportunity back in 1998 to implement a variant of this technology based upon what I consider to be ground-breaking work by John Kelsey, then of Counterpane. We had a specific problem with dispute resolution we needed to address in our e-Commerce system, and this paper describes both a generic approach to solving the problem, but also includes some references that were specific to our technology and not applicable to most needs. There are a few vendors that have advanced the state of the art in this area, but they largely go unnoticed by the security community at large. While this is a valuable technology for solving certain problems, it remains a rare feature.

I am writing this post as I have a request from both the security and the IT practitioner community. I am interested in knowing if you or your organization uses this type of technology today, or if it is something you have considered? If you are a product vendor and you are thinking about implementing such a technology as a competitive differentiator, I would greatly appreciate a heads-up. I am seeing some indications that this may be a requirement for government based upon the recent draft for tamper resistant syslog files by John Kelsey of NIST, J Callas of PGP, and A Clemm from Cisco, but the status of this draft work remains elusive. I have spoken with a half dozen security strategists who consider this a compelling solution to several different data integrity problems in the areas of eDiscovery and electronic data archival. If this is something you have interest in, please take a minute and post a comment or shoot me an email at alane at securosis with the obligatory dot and com postfix. I would very much like to know what your thoughts are.

–Adrian Lane

Tuesday, March 17, 2009

Securosis at RSA

By Rich

Ah yes, as spring approaches, so does Sundance for Ugly People (as a friend likes to call the RSA Security Conference).

We will, of course, be there. But unlike other years we have a little surprise brewing.

Schedule-wise I’m giving one track session, and participating in 3 panels:

  • Tuesday at 1:30 PM: Discover, Protect, and Securely Share Sensitive Corporate Data (panel on DLP/DRM/etc.).
  • Tuesday at 4:10 PM: “Groundhog Day” – History Repeats Itself (with Rothman, McKeay, Mortman and Ron Woerner- my favorite panel).
  • Thursday at 9:20 AM (those bastards, 9am?): Which Security Tools Take Priority in a Challenging Economic Climate? (panel with Shimel, Rothman, and… okay, sorry to leave someone off). Should be a hoot.
  • Friday at 10:10 AM: Disruptive Innovation and the Future of Security (With The Hoff. Flat out, this session is going to rock, and it’s worth changing your flight to stay for).

We’re still figuring out our schedule for non-official speaking slots. Priority goes to the paying clients (since we are totally… “professionals”… and need to pay for our post RSA rehab trip). We have a few slots open, but also some things on the table and are hoping to lock it down by next week (breakfast/lunch/mid-day stuff only, evenings are all tied up already).

Like many of you, we plan to fully participate in all the evening activities. If you’ve been to RSA before, you also know that comes at a price to be extracted the following morning. To ease your pain, on Wednesday we are sponsoring the Securosis Recovery Breakfast. For a few hours we’ll have an open buffet with all the required recovery tools (aspirin, Tums, activated charcoal administered by an expired paramedic). No presentations, subdued lighting, and loud noises prohibited.

We’ll be posting more details on it next week, and highly encourage you to RSVP so we can make sure we have enough food. The location will be extremely convenient, and we should have it locked down in the next couple of days.

And that’s it! We look forward to seeing everyone there, and if you want to meet, please hit us up as soon as possible so we can coordinate schedules.


Monday, March 16, 2009

SANS Webcast Tomorrow - Business Justification for Data Security

By Rich

Hi everyone,

Just a quick note that tomorrow we’ll be giving a webcast about our research behind The Business Justification for Data Security paper we recently released. For those of you with too much ADD to read all 30+ pages, we’ll be covering all the core material and walking through an example case.

The webcast starts at 1pm ET, is with the SANS Institute, and is sponsored by McAfee; you can sign up here.

We’ll also have some time for Q&A, so this is your chance to dig in a little deeper with us.

On another note, we are very close to putting up the new version of the Securosis site- yes Virginia, pretty soon we’ll have more than a default WordPress template. As a consequence, our blog posts might be a little light this week. Don’t worry, the new site will make up for it.


Sprint Customer Data Leaked … again

By Adrian Lane

Brian Krebs posted last week that Sprint is claiming an employee has stolen customer data, including pin numbers and the “security question” you can use to recover a password. This is a vendor I have been following for a long time, and I’m surprised we have not seen this type of activity before. From Brian’s blog:

“It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. We have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account.”

I wonder if they ever managed to remove the customer’s social security number as the primary key for their customer care database? It would appear that they did at least remove CC# and SSN# from the customer care application UI, which was my primary beef with them:

“We implemented a billing platform about a year ago that has advanced security features designed to catch things like an employee accessing information that they shouldn’t be,” Sullivan said. “That platform limits information that employees can access, such as Social Security numbers, and any sort of payment information.”

I have always considered Sprint lax in regards to their data security practices. They exposed my information before any breach notification laws were in effect, with my personal and billing information going to a third party. Worse, the person who obtained the data called customer care and was subsequently provided my SSN# and was able to shut off my account. Not sure what these “advanced security features” are exactly, but I would need to concede that the improvement must be working if the credit card numbers that they require for account creation were not stolen as well.

I really do wonder if (hope) this will prompt some form of internal investigation, and I always wonder if Sprint could be considered a contributor in this breach case if they provided employees far more data that was necessary to do their jobs. Think of it this way: If it was “thousands” of accounts, clearly the employee must have had access and been able to copy them electronically.

–Adrian Lane

Friday, March 13, 2009

No Friday Summary This Week

By Rich

Hi everyone,

With me adapting to the new baby and holding the fort here at Securosis Central, and Adrian out at the Source conference, I wasn’t able to get our usual weekly summary together.

But not to worry- we have a ton of news and announcements for next week, and some very big announcements over the next 2 weeks.

On that note, I’ll let you all get back to Happy Hour as I finish working on a presentation.


Wednesday, March 11, 2009

Go Vote for the Social Security Awards

By Rich

No, we don’t mean vote for your favorite geriatric patriarch or matriarch, but for your favorite security blog.


While I’m a little late posting this (I blame being distracted by the impending, then final, arrival of my incredibly cute daughter), there’s still plenty of time to vote. The awards are all part of the Security Blogger’s Meetup, which started as a little gathering put together by Martin and myself 3 years ago, and is now a pretty big & impressive event, with an actual budget. At least I think it’s impressive- it’s hard to remember after all the free booze.

The Social Security Awards were an idea Alan Shimel came up with to recognize the best security bloggers out there and continue to build our community. You can vote in the following categories:

  • Best Security Podcast
  • Best Technical Security Blog
  • Best Corporate Security Blog
  • Best Non-Technical Security Blog
  • Most Entertaining Security Blog

We’ll tabulate the votes, and then the final winners will be selected by our all-star panel of tech journalists. We’ll be having an awards ceremony at the meetup, and giving out prizes courtesy of Seagate (encrypted hard drives, of course).

Those of us on the organizing committee are excluded from the awards, so please don’t vote for me. Really, it wouldn’t be fair to all the other bloggers if I were competing anyway.

So go vote. Now. I know how many of you are out there reading, and if you don’t vote I’ll tell your mom.

Also, special thanks to Jennifer Leggio for doing nearly all the hard work putting this together.


Tuesday, March 10, 2009

New Release: Building a Web Application Security Program

By Rich

Adrian and I are proud to release our latest whitepaper: Building a Web Application Security Program.


For those of you who followed along with the blog series, this is a compilation of that content, but it’s been updated to reflect all the comments we received, with additional research, and the entire report was professionally edited. We even added a couple pretty pictures!

We’re very excited to get this one out, since we haven’t really seen anyone else show you how to approach web application security as a comprehensive program, rather than a collection of technologies and one-off projects. One of our main goals was to approach web application security as a business problem, not just an isolated technology issue.

We want to especially thank our sponsors, Core Security Technologies and Imperva. Without them, we couldn’t produce free research like this. As with all our papers, the content was developed independently and completely out in the open using our Totally Transparent Research process. In support of that, we also want to thank the individuals who affected the end report through their comments on the Securosis blog: Marcin Wielgoszewski, Andre Gironda, Scott Klebe, Sharon Besser, Mike Andrews, and ds (we only reveal the names they list as public in their comments).

This is version 1.0 of the document, and we will continue to update it (and acknowledge new contributions) over time, so keep coming with the comments if you think we’ve missed anything or gotten something wrong.


Saturday, March 07, 2009

Friday Summary, March 6 2009

By Adrian Lane

With Rich pretty much out of commission this week and my very last minute preparation for Source Boston underway, this week’s post with be a short one. Plus I need to install the current Mac OS X patches and reboot all of the computers in the house. That little bouncing icon is finally going to get it’s way. On that note, has anyone out there ever looked at the viability of polluting the Apple downloads? Every time I click one of these I am always uncertain why I trust it or how I could verify the contents if I really wanted to. But at the moment, that sounds like too much work to investigate. Perhaps I should simply remain happy and ignorant of the process.

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Nothing. Nada. We have been oddly absent.

Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: Thank goodness Mike Rothman wrote this, with typical humor and eloquence, to capture the essence of the recent Visa press releases and associated Network World article. We are all trying to decipher what exactly they are telling us, and speculating that there is a lot they are not telling us. No way I could have been this fair and even-handed.
  • Rich: Pass.

Top News and Posts:

Blog Comment of the Week from Stiennon:

One question: Is she a Parrot Head?

Congrats Rich and Sharon!

She will be … we have tickets to go next weekend!

–Adrian Lane

Friday, March 06, 2009

Director of National Cyber-Security Center Resigns

By Adrian Lane

A couple days ago I posted some thoughts on Data Security and the US Government, how I perceive the role of Cybersecurity, and what I suspected would be a difficult challenge as the Cybersecurity team was set up at cross-purposes with the intelligence community. Today the Wall Street Journal released an article on the resignation of National Cybersecurity Chief Rod Beckstrom. In a case of “even a blind squirrel occasionally finds a nut”, my estimate of internal conflict appears to already be going on. In his resignation letter, Mr. Beckstrom stated that the “NSA currently dominates most national cyber efforts” and “The intelligence culture is very different than a network operations or security culture”. The WSJ focuses on privacy and separation of power issues with additional comments from Mr. Beckstrom: “the threats to our democratic process … if all top level network security and monitoring are handled by any one organization”.

The resignation letter has a different feel and focus, pointing out that there was a general lack of support for the NCSC, and the specific ways Beckstrom feels his organizations was subjugated. If you have interest in this subject, you will want to read his resignation letter, as it contains more information. It also lists a couple methods by which the NSA can subtly (sneakily?) affect the effectiveness of Cybersecurity efforts that I did not mention in my post. Quite frankly I am surprised that the National Cybersecurity Center could somehow manage to only get 5 fully funded days of operation, but if true, this demonstrates the challenges faced by NCSC.

This could get ugly unless both sides understand that each organization can benefit the other, and realize the goals and agendas do not necessarily need to be at the expense of each other. Concessions have to be made, otherwise this is an expensive and ugly turf war and the entire security problem- which is quickly becoming a US government security problem- continues to fester.

–Adrian Lane

More on PDF /JBIGS2Decode Issue

By Adrian Lane

Via Slashdot, I just ran across Didier Stevens post on how to automate the JBIG2decode vulnerability in PDF documents. There is a video on the site where he runs through three scenarios to exercise the vulnerability - Manually starting up Reader, viewing a thumbnail PDF, and then automatic execution by simply visiting the page with the malicious document through Windows Explorer Shell Extensions, and shows you the results in the debugger. It’s worth the view.

When you install Adobe Acrobat Reader, a Column Handler Shell Extension is installed. A column handler is a special program (a COM object) that will provide Windows Explorer with additional data to display (in extra columns) for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer windows, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author.

I also ran across another technical analysis here. As you don’t need to do anything other that drop onto an infected site, this is a pretty serious issue. There is supposed to be a patch available later this month. The more I look at this, the more I think it may be a good idea to disable Reader until there is a patch. There are some instructions on how to do this on the PC Mag site, and some additional information you might find helpful as well.

–Adrian Lane