Login  |  Register  |  Contact
Wednesday, April 02, 2014

Incite 4/2/2014: Disruption

By Mike Rothman

The times they are a-changin’. Whether you like it or not. Rich has hit the road, and has been having a ton of conversations about his Future of Security content, and I have adapted it a bit to focus on the impact of the cloud and mobility on network security. We tend to get one of three reactions:

  1. Excitement: Some people rush up at the end of the pitch to learn more. They see the potential and need to know how they can prepare and prosper as these trends take root.
  2. Confusion: These folks have a blank stare through most of the presentation. You cannot be sure if they even know where they are. You can be sure they have no idea what we are talking about.
  3. Fear: These folks don’t want to know. They like where they are, and don’t want to know about potential disruptions to the status quo. Some are belligerent in telling us we’re wrong. Others are more passive-aggressive, going back to their office to tell everyone who will listen that we are idiots.

Stop messing with my lawn. I'm happy with it just the way it is.

Those categories more-or-less reflect how folks deal with change in general. There are those who run headlong into the storm, those who have no idea what’s happening to them, and those who cling to the old way of doing things – actively resisting any change to their comfort zone. I don’t judging any of these reactions. How you deal with disruption is your business.

But you need to be clear which bucket you fit into. You are fooling yourself and everyone else if you try to be something you aren’t. If you don’t like to be out of your comfort zone, then don’t be. The disruptions we are talking about will be unevenly distributed for years to come. There are still jobs for mainframe programmers, and there will be jobs for firewall jockeys and IPS tuners for a long time. Just make sure the organization where you hang your hat is a technology laggard.

Similarly, if you crave change and want to accelerate disruption, you need to be in an environment which embraces that. The organizations that take risks and understand not everything works out. We have been around long enough to know we are at the forefront of a major shift in the technology landscape. The last one of this magnitude I expect to see during my working career.

I am excited. Rich is excited, and so is Adrian. Of course that’s easy for us – due to the nature of our business model we don’t have as much at stake. We are proverbial chickens, contributing eggs (our research) to the breakfast table. You are the pig, contributing the bacon. It’s your job on the line, not ours.

–Mike

Photo credit: “Expect Disruption” originally uploaded by Brett Davis


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. The good old days of the security autocrat: At some point I will be old and retired, drinking fruity drinks with umbrellas in them, and reminiscing about the good old days when security leaders could dictate policy and shove it down folks’ throats. Yeah, that lasted a few days, before those leaders were thrown out the windows. The fact is that autocrats can be successful, but usually only right after a breach when a quick cleanup and attitude adjustment is needed – at any other time that act wears thin quickly. But as Dave Elfering points out, the rest of the time you need someone competent, mindful, diligent, well-spoken and business savvy. Dare I say it, a Pragmatic CSO. Best of all, Dave points out that folks who will succeed leading security teams need to serve the business, not have fixed best practices in mind, which they adhere to rigidly. Flexibility to business needs is the name of the game. – MR

  2. Throwing stones: I couldn’t agree more with Craig Carpenter, who writes in Dark Reading that folks need to Be Careful Beating Up Target. It has become trendy for every vendor providing alerts via a management console to talk about how they address the Target issue: missing alerts. But as Craig explains, the fact is that Target had as much data as they needed. It looks like a process failure at a busy time of year, relying on mostly manual procedures to investigate alerts. This can (and does) happen to almost every company. Don’t fall into the trap of thinking you’re good. If you haven’t had a breach, chalk it up to being lucky. And that’s okay! Thinking that it can’t happen to you is a sure sign of imminent doom. And for those vendors trying to trade on Target’s issue, or pointing fingers at FireEye or Symantec or any of the other vendors Target used, there is a special place in breach hell for you. Karma is a bitch, and your stuff will be busted. And I’ll laugh at your expense, along with the rest of the industry. – MR

  3. CC-DNS: We have been highlighting the role of attacking DNS in Distributed Denial of Service attacks (DDoS), and Dark Reading highlights some other DNS attack vectors. This foundational part of the Internet, designed decades ago, simply wasn’t designed to stand up to 400gbps attacks. Go figure. But it is a real problem – it’s not like you can just swap out DNS in one fell swoop across the entire Internet. And technologies meant to protect the infrastructure like DNSSEC, put in place after the Kaminsky attack was made public, can be used to overload the system. Finally, the article raises the issue of DNS tampering for mobile devices – a key employee in a coffee shop (me, for instance) could be routed to a fake server if the coffee shop’s DNS is busted. So many problems and few solutions – like pretty much everything else. – MR

  4. One log, multiple consumers: Stormy highlights the importance of logging in a DevOps context on Shimmy’s new devops.com site (yes, Rich is an advisor). His point is that you will need to pull information from the technology stack and applications to be sure you understand what’s happening as you move to continuous deployment. Though he draws a distinction between DevOps and Security, which for the time being is fine. Over time we expect the security function (except perhaps program management) to be subsumed within true operational processes. In a DevOps world there are no logical breakpoints for inserting security, which means it really will need to be built in. Finally. – MR

–Mike Rothman

Tuesday, April 01, 2014

Breach Counters

By Mike Rothman

The folks at the Economist (with some funding from Booz Allen Hamilton, clearly doing penance for bringing Snow into your Den) have introduced the CyberTab cyber crime cost calculator. And no, this isn’t an April Fool’s joke. The Economist is now chasing breaches and throwinging some cyber around. Maybe they will sponsor a drinking game at DEFCON or something.

It will calculate the costs of a specific cyber attack–based on your estimates of incident-response and business expenses and of lost sales and customers–and estimate your return on prevention.

Basically they built a pretty simple model (PDF) that gives you guidelines for estimating the cost of an attack. It’s pretty standard stuff, including items such as the cost of lost IP and customer data. They also provide a model to capture the direct costs of investigation and clean-up. You also try to assess the value of lost business – always a slippery slope.

I bet you say that to overcompensate for your little compute

You can submit data anonymously, and presumably over time (with some data collection), you should be able to benchmark your losses against other organizations. So you can brag to your buddies over beers that you lost more than they did. The data will also provide fodder for yet another research report to keep the security trade rags busy cranking out summary articles.

Kidding aside, I am a big fan of benchmarks, and data on the real costs of attacks can help substantiate all the stuff we security folks have been talking about for years.

Photo credit: “My platform is bigger than yours” originally uploaded by Alberto Garcia

–Mike Rothman

Monday, March 31, 2014

Defending Against DDoS: Magnification

By Mike Rothman

As mentioned in our last post, the predominant mechanism of network-based DDoS attacks involves flooding the pipes with standard protocols like SYN, ICMP, DNS, and NTP. But that’s not enough, so attackers now take advantage of weaknesses in the protocols to magnify the impact of their floods by an order of magnitude. This makes each compromised device far more efficient as an attack device and allows attackers to scale attacks over 400gbps (as recently reported by CloudFlare). Only a handful of organizations in the world can handle an attack of that magnitude, so DDoS + reflection + amplification is a potent combination.

Fat Packets

Attackers increasingly tune the size of their packets to their desired outcome. For example simple SYN packets can crush the compute capabilities of network/security devices. Combining small SYNs with larger SYN packets can also saturate the network pipe, so we see often them combined in today’s DDoS attacks.

Reflection + Amplification

The first technique used to magnify a DDoS attack is reflection. This entails sending requests to a large number of devices (think millions), spoofing the origination IP address of a target site. The replies to those millions of requests are reflected back to the target. The UDP-based protocols used in reflection attacks don’t require handshaking to establish new sessions, so they are spoofable.

The latest wave of DDoS attacks uses reflected DNS and NTP traffic to dramatically scale the volume of traffic hitting targets. Why those two protocols? Because they provide good leverage for amplifying attacks – DNS and NTP responses are typically much bigger than requests. DNS can provide about 50x amplification because responses are that much larger than requests. And the number of open DNS resolvers which respond to any DNS request from any device make this an easy and scalable attack. Until the major ISPs get rid of these open resolvers DNS-based DDoS attacks will continue.

NTP has recently become a DDoS protocol of choice because it offers almost 200x magnification. This is thanks to a protocol feature: clients can request a list of the last 600 IP addresses to access a server. To illustrate the magnitude of magnification, the CloudFlare folks reported that attack used 4,529 NTP servers, running on 1,298 different networks, each sending about 87mbps to the victim. The resulting traffic totaled about 400gbps. Even more troubling is that all those requests (to 4,500+ NTP servers) could be sent from one device on one network.

Even better, other UDP-based protocols offers even greater levels of amplification. An SNMP response can be 650x the size of a request, which could theoretically be weaponized to create 1gbps+ DDoS attacks. Awesome.

Stacking Attacks

Of course none of these techniques existing a vacuum, so sometimes we will see them pounding a target directly, while other times attackers combine reflection and amplification to hammer a target. All the tactics in our Attacks post are in play, and taken to a new level with magnification.

The underlying issue is that these attacks are enabled by sloppy network hygiene on the part of Internet service providers, who allow spoofed IP addresses for these protocols and don’t block flood attacks. These issues are largely beyond the control of a typical enterprise target, leaving victims with little option but to respond with a bigger pipe to absorb the attack. We will wrap up tomorrow, with look at the options for mitigating these attacks.

–Mike Rothman

Sunday, March 30, 2014

Defending Against DDoS: Attacks

By Mike Rothman

As we discussed in our Introduction to Defending Against Network-based Distributed Denial of Service Attacks, DDoS is a blunt force instrument for many adversaries. So organizations need to remain vigilant against these attacks. There is not much elegance in a volumetric attack – adversaries impact network availability by consuming all the bandwidth into a site and/or by knocking down network and security devices, overwhelming their ability to handle the traffic onslaught.

Today’s traditional network and security devices (routers, firewalls, IPS, etc.) were not designed to handle these attacks. Nor were network architectures built to easily decipher attack traffic and keep legitimate traffic flowing. So an additional layer of products and services has emerged to protect networks from DDoS attacks. But first things first. Before we dig into ways to deal with these attacks let’s understand the types of attacks and how attackers assemble resources to blast networks to virtual oblivion.

The Attacks

The first category of DDoS attacks is the straightforward flood. Attackers use tools that send requests using specific protocols or packets (SYN, ICMP, UDP, and NTP are the most popular) but don’t acknowledge the responses. If enough attack computers send requests to a site, its bandwidth can quickly be exhausted. Even if bandwidth is sufficient, on-site network and security devices need to maintain session state while continuing to handle additional (legitimate) inbound session requests. Despite the simplicity of the problem floods continue to be a very effective tactic for overwhelming targets.

Increasingly we see the DNS infrastructure targeted by DDoS attacks. This prevents the network from successfully routing traffic from point A to point B, because the map is gone. As with floods, attackers can overwhelm the DNS by blasting it with traffic, especially because DNS infrastructure has not scaled to keep pace with overall Internet traffic growth.

DNS has other frailties which make it an easy target for DDoS. Like the shopping cart and search attacks we highlighted for Application DoS, legitimate DNS queries can also overwhelm the DNS service and knock down a site. The attacks target weaknesses in the DNS system, where a single request for resolution can trigger 4-5 additional DNS requests. This leverage can overwhelm domain name servers. We will dig into magnification tactics later in this series. Similarly, attackers may request addresses for hosts that do not exist, causing the targeted servers to waste resources passing on the requests and polluting caches with garbage to further impair performance.

Finally, HTTP continues to be a popular target for floods and other application-oriented attacks, taking advantage of the inherent protocol weaknesses. We discussed slow HTTP attacks in our discussion of Application Denial of Service, so we won’t rehash the details here, but any remediations for volumetric attacks should alleviate slow HTTP attacks as well.

Assembling the Army

To launch a volumetric attack an adversary needs devices across the Internet to pound the victim with traffic. Where do these devices come from? If you were playing Jeopardy the correct response would be “What is a bot network, Alex?” Consumer devices continue to be compromised and monetized at an increasing rate, driving by increasingly sophisticated malware and the lack of innovation in consumer endpoint protection. These compromised devices generate the bulk of DDoS traffic.

Of course attackers need to careful – Internet Service Providers are increasingly sensitive to consumer devices streaming huge amounts of traffic at arbitrary sites, and take devices off the network when they find violations of their terms of service. Bot masters use increasingly sophisticated algorithms to control their compromised devices, to protect them from detection and remediation. Another limitation of consumer devices is their limited bandwidth, particularly upstream. Bandwidth continues to grow around the world, but DDoS attackers hit capacity constraints.

DDoS attackers like to work around these limitations of consumer devices by instead compromising servers to blast targets. Given the millions of businesses with vulnerable Internet-facing devices, it tends to be unfortunately trivial for attackers to compromise some. Servers tend to have much higher upstream bandwidth so they are better at serving up malware, commanding and controlling bot nodes, and launching direct attacks.

Attackers are currently moving a step beyond conventional servers, capitalizing on cloud services to change their economics. Cloud servers – particularly Infrastructure as a Service (IaaS) servers are inherently Internet-facing and often poorly configured. And of course cloud servers have substantial bandwidth. For network attacks, a cloud server is like a conventional server on steroids – DDoS attackers see major gains in both efficiency and leverage. To be fair, the better-established cloud providers take great pains to identify compromised devices and notify customers when they notice something remiss. You can check out Rich’s story for how Amazon proactively notified us of a different kind of issue, but they do watch for traffic patterns that indicate misuse. Unfortunately by the time misuse is detected by a cloud provider, server owner, or other server host, it may be too late. It doesn’t take long to knock a site offline.

And attackers without the resources or desire to assemble and manage botnets can just rent them. Yes, a number of folks offer DDoS as a service (DDoSaaS, for the acronym hounds), so it couldn’t be easier for attackers to harness the resources to knock down a victim. And it’s not expensive according to McAfee, which recorded DDoS costs from $2/hour for short attacks, up to $1,000 to take a site down for a month.

It is a bit scary to think you could knock down someone’s site for 4 hours for less than a cup of coffee. But when you take a step back and consider the easy availability of compromised devices, servers, and cloud servers, DDoS is a very easy service to add to an attacker’s arsenal.

Our next post will discuss tactics for magnifying the impact of a DDoS attack – including encryption and reflection – to make attacks an order of magnitude more effective.

–Mike Rothman

Friday, March 28, 2014

Analysis of Visa’s Proposed Tokenization Spec

By Adrian Lane

Visa, Mastercard, and Europay – together known as EMVCo – published a new specification for Payment Tokenisation this month. Tokenization is a proven security technology, which has been adopted by a couple hundred thousand merchants to reduce PCI audit costs and the security exposure of storing credit card information. That said, there is really no tokenization standard, for payments or otherwise. Even the PCI-DSS standard does not address tokenization, so companies have employed everything from hashed credit card (PAN) values (craptastic!) to very elaborate and highly secure random value tokenization systems. This new specification is being provided to both raise the bar on shlock home-grown token solutions, but more importantly to address fraud with existing and emerging payment systems.

I don’t expect many of you to read 85 pages of token system design to determine what it really means, if there are significant deficiencies, or whether these are the best approaches to solving payment security and fraud issues, so I will summarize here. But I expect this specification to last, so if you build tokenization solutions for a living you had best get familiar with it. For the rest of you, here are some highlights of the proposed specification.

  • As you would expect, the specification requires the token format to be similar to credit card numbers (13-19 digits) and pass LUHN.
  • Unlike financial tokens used today, and at odds with the PCI specification I might add, the tokens can be used to initiate payments.
  • Tokens are merchant or payment network specific, so they are only relevant within a specific domain.
  • For most use cases the PAN remains private between issuer and customer. The token becomes a payment object shared between merchants, payment processors, the customer, and possibly others within the domain.
  • There is an identity verification process to validate the requestor of a token each time a token is requested.
  • The type of token generated is variable based upon risk analysis – higher risk factors mean a low-assurance token!
  • When tokens are used as a payment objects, there are “Data Elements” – think of them as metadata describing the token – to buttress security. This includes a cryptographic nonce, payment network data, and token assurance level.

Each of these points has ramifications across the entire tokenization eco-system, so your old tokenization platform is unlikely to meet these requirements. That said, they designed the specification to work within todays payment systems while addressing near-term emerging security needs.

Don’t let the misspelled title fool you – this is a good specification! Unlike the PCI’s “Tokenization Guidance” paper from 2011 – rumored to have been drafted by VISA – this is a really well thought out document. It is clear whoever wrote this has been thinking about tokenization for payments for a long time, and done a good job of providing functions to support all the use cases the specification needs to address. There are facilities and features to address PAN privacy, mobile payments, repayments, EMV/smartcard, and even card-not-present web transactions. And it does not address one single audience to the detriment of others – the needs of all the significant stakeholders are addressed in some way. Still, NFC payments seems to be the principle driver, the process and data elements really only gel when considered from that perspective. I expect this standard to stick.

–Adrian Lane

Security Sharing

By Mike Rothman

I really like that some organizations are getting more open about sharing information regarding their security successes and failures. Prezi comes clean about getting pwned as part of their bug bounty program. They described the bug, how they learned about it, and how they fixed it. We can all learn from this stuff.

Invest in Boardwalk. Pays more.

Facebook talked about their red team exercise last year, and now they are talking about how they leverage threat intelligence. They describe their 3-tier architecture to process intel and respond to threats. Of course they have staff to track down issues as they are happening, which is what really makes the process effective. Great alerts with no response don’t really help. You can probably find a retailer to ask about that…

I also facilitated a CISO roundtable where a defense sector attendee offered to share his indicators with the group via a private email list. So clearly this sharing thing is gaining some steam, and that is great. So why now? What has changed that makes sharing information more palatable?

Many folks would say it’s the only way to deal with advanced adversaries. Which is true, but I don’t think that’s the primary motivation. It certainly got the ball rolling, and pushed folks to want to share. But it has typically been general counsels and other paper pushers preventing discussion of security issues and sharing threat information.

My hypothesis is that these folks finally realized have very little to lose by sharing. Companies have to disclose breaches, so that’s public information. Malware samples and the associated indicators of attack provide little to no advantage to the folks holding them close to the vest. By the time anything gets shared the victim organization has already remediated the issue and placed workarounds in place. I think security folks (and their senior management) finally understand that. Or at least are starting to, because you still see folks who will only share on ‘private’ fora or within very controlled groups.

Of course there are exceptions. If an organization can monetize the data, either by selling it or using it to hack someone else (yes, that happens from time to time), they aren’t sharing anything.

But in general we will see much more sharing moving forward. Which is great. I guess it is true that everything we need to know we learned in kindergarten.

Photo credit: “Sharing” originally uploaded by Toban Black

–Mike Rothman

Thursday, March 27, 2014

Friday Summary: March 28, 2014—Cloud Wars

By Adrian Lane

Begun, the cloud war has.

We have been talking about cloud computing for a few years now on this blog, but in terms of market maturity it is still early days. We are really entering the equivalent of the second inning of a much longer game, it will be over for a long time, and things are just now getting really interesting. In case you missed it, the AWS Summit began this week in San Francisco, with Amazon announcing several new services and advances. But the headline of the week was Google’s announced price cuts for their cloud services:

Google Compute Engine is seeing a 32 percent reduction in prices across all regions, sizes and classes. App Engine prices are down 30 percent, and the company is also simplifying its price structure. The price of cloud storage is dropping a whopping 68 percent to just $0.026/month per gigabyte and $0.2/month per gigabyte/DRA. At that price, the new pricing is still lower than the original discount available for those who stored more than 4,500TB of data in Google’s cloud.

Shortly thereafter Amazon countered with their own price reductions – something we figured they were prepared to do, but didn’t intend during the event. Amazon has been more focused on methodically delivering new AWS functionality, outpacing all rivals by a wide margin. More importantly Amazon has systematically removed impediments to enterprise adoption around security and compliance. But while we feel Amazon has a clear lead in the market, Google has been rapidly improving. Our own David Mortman pointed out several more interesting aspects of the Google announcement, lost in the pricing war noise:

“The thing isn’t just the lower pricing. It’s the lower pricing with automatic “reserve instances” and the managed VM offering so you can integrate Google Compute Engine (GCE) and Google App Engine. Add in free git repositories for managing the GCE infrastructure and support for doing that via github – we’re seeing some very interesting features to challenge AWS. GOOG is still young at offering this as an external service but talk about giving notice…

Competition is good! This all completely overshadowed Cisco’s plans to pour $1b into an OpenStack-based “Network of Clouds”. None of this is really security news, but doubling down on cloud investments and clearly targeting DevOps teams with new services, make it clear where vendors think this market is headed. But Google’s “Nut Shot” shows that the battle is really heating up.

On to the Summary, where several of us had more than one favorite external post:

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to Marco Tietz, in response to Friday Summary: IAM Mosaic Edition.

Thanks Adrian, it looks like you captured the essence of the problem. IAM is very fragmented and getting everything to play together nicely is quite challenging. Heck, just sorting it out corp internal is challenging enough without even going to the Interwebs. This is clearly something we need to get better at, if we are serious about ‘The Cloud’.

–Adrian Lane

Mike’s Upcoming Webcasts

By Mike Rothman

After being on the road for what seems like a long time (mostly because it was), I will be doing two webcasts next week which you should check out.

  1. Disruption Ahead: How Tectonic Technology Shifts Will Change Network Security. Next Tuesday (April 1 at 11 am ET) I will be applying our Future of Security concepts to the network security business. Tufin’s Reuven Harrison will be riding shotgun and we will have a spirited Q&A after my talk to discuss some of the trends he is seeing in the field. Register for this talk.
  2. Security Management 2.5: Replacing your SIEM Yet? On Wednesday, April 2 at 11 am ET I will be covering our recent SIEM 2.5 research on a webcast with our friends at IBM. I will be honing in on the forensics and security analytics capabilities of next-generation SIEM. You can register for that event as well.

See you there, right?

UPDATE: I added the links. Driver error.

–Mike Rothman

Wednesday, March 26, 2014

Incite 3/26/2014: One Night Stand

By Mike Rothman

There is no easy way to say this. I violated a vow I made years ago. It wasn’t a spur of the moment thing. I have been considering how to do it, without feeling too badly, for a few weeks. The facts are the facts. No use trying to obscure my transgression. I cheated. If I’m being honest, after it happened I didn’t feel bad. Not for long anyway.

It happened and now it's over...

This past weekend, I ate both steak and bacon. After deciding to stop eating meat and chicken almost 6 years ago. Of course there is a story behind it. Basically I was in NYC celebrating a close friend’s 45th birthday and we were going to Peter Luger’s famous steakhouse. Fish isn’t really an option, and the birthday boy hadn’t eaten any red meat for over 20 years. Another guy in the party has never eaten bacon. Never! So we made a pact. We would all eat the steak and bacon. And we would enjoy it.

It was a one night stand. I knew it would be – it meant nothing to me. I have to say the steak was good. The bacon was too. But it wasn’t that good. I enjoyed it, but I realized I don’t miss it. It didn’t fulfill me in any way. And if I couldn’t get excited about a Peter Luger steak, there isn’t much chance of me going back back to my carnivorous ways.

Even better, my stomach was okay. I was nervously awaiting the explosive alimentary fallout that goes along with eating something like a steak after 6 years. Although the familiar indigestion during the night came back, which was kind of annoying – that has been largely absent for the past 6 years – but I felt good. I didn’t cramp, nor did I have to make hourly trips to the loo. Yes, that’s too much information, but I guess my iron stomach hasn’t lost it.

To be candid, the meat was the least of my problems over the weekend. It was the Vitamin G and the Saturday afternoon visit to McSorley’s Old Ale House that did the damage. My liver ran a marathon over the weekend. One of our group estimated we might each have put down 2 gallons of beer on Saturday. That may be an exaggeration, but it may not be. I have no way to tell.

And that’s the way it should be on Boys’ Weekend. Now I get to start counting days not eating meat again. I’m up to 5 days and I think I’ll be faithful for a while…

–Mike

Photo credit: “NoHo Arts District 052309” originally uploaded by vmiramontes


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Palo Alto Does Endpoints: It was only a matter of time. After the big FireEye/Mandiant deal and Bit9/Carbon Black, Palo Alto Networks needed to respond. So they bought a small Israeli start-up named Cyvera for $200 million! And I thought valuations were only nutty in the consumer Internet market. Not so much. Although no company can really have a comprehensive advanced malware story without technology on the network and endpoints. So PANW made the move, and now they need to figure out how to sell endpoint agents, which are a little bit different than boxes in the perimeter… – MR

  2. Payment Tokenization Evolution: EMVCo – the Visa, Mastercard, and Europay ‘standards’ organization, has released the technical architecture for a proposed Payment Tokenisation Specification, which will alter payment security around the globe over the coming years. The framework is flexible enough to both enable Near Field Communication (NFC, aka mobile payments) and help combat Card Not Present fraud – the two publicly cited reasons for the card brands to create a tokenization standard in parallel with promotion of EMV-style “smart cards” in the US. The huge jump in recent transactional fraud rates demands some response, and this looks like a good step forward. The specification does not supersede use of credit card numbers (PAN) for payment yet, but would enable merchants to support either PAN or tokens for payment. And this would be done either through NFC – replacing a credit card with a mobile device – or via wallet software (either a mobile or desktop application). For those of you interested in the more technical side of the solution, download the paper and look at the token format! They basically create a unique digital certificate for each transaction, which embeds merchant and payment network data, and wrapped it with a signature. And somewhere in the back office the payment gateways/acquirer (merchant bank) or third-party service will manage a token vault. More to come – this warrants detailed posts. – AL

  3. Vultures are going to vulture: I’m not surprised that Trustwave is being sued as part of the Target breach. Class-action vultures (lawyers) see a company with money, so they sue. It’s the American way. Of course, the assessment contract removes much of the liability in what the customer actually does, but it’s an excuse to try for shakedown money. It would be really disappointing to see anyone settle in this kind of nonsensical case – setting an absolutely horrible precedent regarding liability for auditors/assessors. If there was truly malfeasance, that might be exposed during discovery, and that would be good to know. But pinning the Target breach on a PCI assessor would be ridiculous. – MR

  4. Password Hashing Competition: Most people know hashing as a means of validating someone’s password without actually storing the original value. To a developer hashing algorithms are a handy way to ‘fingerprint’ an object, allowing quick verification of whether an object is still in its original state, or it had been tampered with. But hash algorithms, as noted by Thomas Ptacek, are often employed incorrectly. Still, they remain a core cryptographic tool in the security toolbox. As we get better at breaking stuff, and computational power continues to double every couple years, it is good that a new password hashing competition is under way, with submissions due at the end of the month. If you think you have the math and coding chops, get your submission in! This is community innovation that both makes and breaks security, so give it a try, and maybe they’ll name a standard after you. – AL

  5. The Power of Change: Wendy kills it on her personal blog with her Power of Change post. Her point is that security is all about detecting and controlling change. Of course that is easier said than done, especially with the disruption we are seeing all over the security stack. But she is right on the money. If it is too hard to detect and manage change, you won’t. Until you need to, or perhaps your successor. She closes by pointing out that you don’t need to spend a lot of money to get a handle on change. It is about “knowing what your systems, applications and users are supposed to do,” and then looking for cases when they are doing otherwise. That i also a good metaphor for life, but that’s another story for another day. – MR

–Mike Rothman

Monday, March 24, 2014

Firestarter: The End of Full Disclosure

By Rich

Last week we held a wake for Windows XP. This week we continue that trend, as we discuss the end of yet era – coincidentally linked to XP. Last week the venerable Thunderdome of security lists bid adieu, as the Full Disclosure list suddenly shut down. And yes, this discussion is about more than just one email list going bye-bye.

The audio-only version is up too.

–Rich

Thursday, March 20, 2014

Friday Summary: March 21, 2014—IAM Mosaic Edition

By Adrian Lane

Researching and writing about identity and access management over the last three years has made one thing clear: This is a horrifically fragmented market. Lots and lots of vendors who assemble a bunch of pieces together to form a ‘vision’ of how customers want to extend identity services outside the corporate perimeter – to the cloud, mobile, and whatever else they need. And for every possible thing you might want to do, there are three or more approaches. Very confusing.

I have had it in mind for several months to create a diagram that illustrates all the IAM features available out there, along with how they all link together. About a month ago Gunnar Peterson started talking about creating an “identity mosaic” to show how all the pieces fit together. As with many subjects, Gunnar and I were of one mind on this: we need a way to show the entire IAM landscape. I wanted to do something quick to show the basic data flows and demystify what protocols do what. Here is my rough cut at diagramming the current state of the IAM space (click to enlarge):

IAM Mosaic

But when I sent over a rough cut to Gunnar, he responded with:

“Only peril can bring the French together. One can’t impose unity out of the blue on a country that has 265 different kinds of cheese.”

– Charles de Gaulle

Something as basic as ‘auth’ isn’t simple at all. Just like the aisles in a high-end cheese shop – with all the confusing labels and mingled aromas, and the sneering cheese agent who cannot contain his disgust that you don’t know Camembert from Shinola – identity products are unfathomable to most people (including IT practitioners). And no one has been able to impose order on the identity market. We have incorrectly predicted several times that recent security events would herd identity cats vendors in a single unified direction. We were wrong. We continue to swim in a market with a couple hundred features but no unified approach. Which is another way to say that it is very hard to present this market to end users and have it make sense.

A couple points to make on this diagram:

  1. This is a work in progress. Critique and suggestions encouraged.
  2. There are many pieces to this puzzle and I left a couple things out which I probably should not have. LDAP replication? Anyone?
  3. Note that I did not include authorization protocols, roles, attributes, or other entitlement approaches!
  4. Yes, I know I suck at graphics.

Gunnar is working on a mosaic that will be a huge four-dimensional variation on Eve Mahler’s identity Venn diagram, but it requires Oculus Rift virtual reality goggles. Actually he will probably have his kids build it as a science project, but I digress. Do let us know what you think.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • A Few Lessons From Sherlock Holmes. Great post here about some of the wisdom of Sherlock that can help improve your own thinking.
  • Gunnar: Project Loon. Cloud? Let’s talk stratosphere and balloons – that’s what happens when you combine the Internet with the Montgolfiers
  • Adrian Lane: It’s not my birthday. I was going to pick Weev’s lawyers appear in court by Robert Graham as this week’s Fav, but Rik Ferguson’s post on sites that capture B-Day information struck an emotional chord – this has been a peeve of mine for years. I leave the wrong date at every site, and record which is which, so I know what’s what.
  • Gal Shpantzer: Nun sentenced to three years, men receive five. Please read the story – it’s informative and goes into sentencing considerations by the judge, based on the histories of the convicted protesters, and the requests of the defense and prosecution. One of them was released on January 2012 for a previous trespass. At Y-12…
  • David Mortman: Trust me: The DevOps Movement fits perfectly with ITSM. Yes, trust him. He’s The Real Gene Kim!

Research Reports and Presentations

Top News and Posts

–Adrian Lane

Wednesday, March 19, 2014

Firestarter: An Irish Wake

By Rich

We originally recorded this episode on St. Patty’s Day and thought it would be nice to send off Windows XP with a nice Irish wake, but Google had a hiccup and our video was stuck in Never Never Land for an extra day. To be honest, we thought we lost it, so no complaints.

But yes, the end is nigh, all your coffee shops are going to be hacked now that XP is unsupported, yadda yadda yadda…

–Rich

Jennifer Minella Is Now a Contributing Analyst

By Rich

We are always pretty happy-go-lucky around here, but some days we are really happy.

Today is one of those days.

As you probably grasped from the headline, we are insanely excited to announce that Jennifer ‘JJ’ Minella is now a Contributing Analyst here at Securosis.

JJ has some of the deepest technical and product knowledge of anyone we know, on top of a strong grounding as a security generalist. As a security engineer she has implemented countless products in various organizations. She is also a heck of a good speaker/writer, able to translate complex topics into understandable chunks for non-techie types. There is a reason she worked her way up to the executive ranks. JJ also has one of the most refined BS sensors in the industry. Seems like a good fit, eh?

This is actually a weird situation because we always wanted to have her on the team but figured she was too busy to ask. Mike and JJ even worked together for months on their RSA presentation. It was classic over-analysis – she didn’t hesitate when we finally brought it up. Okay, probably over beers at RSA, which is how a lot of our major decisions are made.

JJ joins David Mortman, Gunnar Peterson, James Arlen, Dave Lewis, and Gal Shpantzer as a contributor. Mike, Adrian, and I feel very lucky to have such an amazing group of security pros practically volunteer their time to work with us and keep the research real.

–Rich

Incite 3/18/2014: Yo Mama!

By Mike Rothman

It’s really funny and gratifying to see your kids growing up. Over the weekend XX1 took her first solo plane trip. I checked her in as an unaccompanied minor, and she miraculously got TSA Pre-check. Of course that didn’t mean I did with my gate pass. So the TSA folks did their darndest to maintain the security theater, and swabbed my hands and feet.

We had some time so I figured we’d hang out in the airline club. Not so much. I have access to the SkyClub via my AmEx Platinum card, but evidently I have to be flying. So we got turned away at the door. Really? Total fail, Delta. And your club receptionist was mean. But I had XX1 with me, so I mumbled some choice words under my breath and just let her mention that person wasn’t nice.

Then the gate agent called for her, and after a quick goodbye… Okay, not so quick – no goodbye is quick with XX1 – she headed down the jetway and was gone. Of course I got dispatches every 10 minutes or so via text. So I knew when her bag was in the overhead bin, when she got a refreshment, how much she was enjoying Tower Heist on the iPad, when the plane was loaded, and finally when she had to shut down her phone. She made it to her destination in one piece, and met Grandma at the gate. Another milestone achieved.

yo mama and then some

Then on Saturday morning I had the pleasure of taking the boy to breakfast. His sports activities (tennis and LAX) weren’t until afternoon so we had some boy time. As we were chatting I asked him about his friends. He then launched into a monologue about how all his friends tell Yo Mama! jokes now. He even had some pretty funny ones ready to go. He asked me if I had heard of those kinds of jokes. I just had to chuckle. You know those kids today – they invented everything.

Though how they get their material is radically different. It seems they get the jokes on YouTube and then tell them to each other the next day at school. I had to actually read joke books to get my material and my delivery wasn’t very good. It seems to be in good fun, for now. I remember getting into fights with kids over those kinds of jokes, mostly because they weren’t really intended to be joking. And it’s a bit strange to think the Boss is the Mama in question, and at some point he may need to defend her honor. Although the Boy is pretty mild-mannered and very popular, so it’s hard to envision someone telling a joke to get a rise out of him.

All the same, the kids are growing up. And unaccompanied plane rides and Yo Mama! jokes are all part of the experience.

–Mike

Photo credit: “Yo Mama’s Sign” originally uploaded by Casey Bisson


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Pwn to Pwn: Our friend Mike Mimoso has a great summary of the annual Pwn2Own contest at CanSecWest. This is the one where prizes are paid out to researchers who can crack browsers and other high-value targets (all picked ahead of time, with particular requirements). The exploits are bought up and later passed on to the affected vendors. As usual, all the products were cracked, but the effort required seems higher and higher every year. This level of exploitation is beyond your usual script kiddie tactics, and it’s nice to see the OS and browser vendors make practical security advances year after year. On the downside, BIOS and firmware hacking are going beyond scary. I really feel bad I haven’t made it to CanSecWest (usually due to work conflicts so close to RSA), but I think I need to make it a priority next year. It’s a great event, and a powerful contributor to the security community. – RM

  2. PCI is relevant. Really. It’s just those careless retailers: I’m in the air right now so I can’t check the TripWire folks’ interview with the PCI Standards Council’s Bob Russo at RSA, but some of the quotes I have seen are awesome. “People are studying for the test. Passing the compliance assessment and then leaving things open. They’re being careless,” said Bob Russo. Man, that is awesome. The standards are great – the retailers are just careless. Really? To be clear, Target was careless, but nowhere in the PCI standards do I see anything about locking down third-party access to non-protected information. Or having a network-based malware detection device to detect malware before it exfiltrates data. How about this one? “Russo said it appears the companies affected were covered one way or another in the PCI standards. But if they learn something new, then they will update the standards accordingly.” So they will update the standards in 3 years? That’s how long it takes to implement any change. Listen, I’ll be the first to say that PCI helped 5 years ago. But today its low bar is just too low. – MR

  3. To PIN or not to PIN: If you still don’t believe us that PCI-DSS is just one of many liability-shifting games to improve banking profits, consider Visa and Mastercard’s recent announcement that they will market EMV ‘smart’ payment cards in the US. They want smart cards, but no PIN numbers to validate users – instead they intend to use the same signature-based system we have today. The National Retail Federation has jumped into the fray, saying Easy-to-forge signatures are a virtually worthless form of authentication. Fraud rates with mag-stripe cards in the US are a serious problem, and Chip and Pin style cards have proven to reduce fraud from card cloning and in-person misuse. So what’s the problem? The gripe is that the cards, along with the required systems to set up digital signatures on them, cost about ten times as much – but the real worry is that customers won’t use them. The issuers argue that setting a PIN is too much hassle so people won’t use the cards at all. They believe overall transaction volume would fall off – a no-no for the card brands. Credit cards are a proven financial lubricant, and they consider reductions in usage levels much worse than fraud. But under the shadow of never-ending breaches I suspect we will now get ‘chipped’ cards without PINs. At least for a while. – AL

  4. DDoS goes to 11: We have been hearing a bit less about Distributed Denial of Service attacks (DDoS) recently. Not because they aren’t happening, but many targets are getting better at defending against them and keeping their systems available. But the adversaries are evolving their tactics as well using amplification techniques. So as the fellows from Spinal Tap would say, “This attack goes to 11!” The OpenDNS Lab folks describe DNS amplification attacks in a blog post, with a good overview of the techniques. And they are in a good position to know what’s going on with DNS. Timing is everything, right? I am starting a network DDoS blog series so I will be covering a lot of these topics as well. Keep an eye out for that. – MR

  5. So bad it’s good: Despite the poorly written post, unfiltered vendor hype, and the even-more-horrific term “data lake”, there is something very cool going on with XACML based permissions for big data queries. The real story is the ability to retrofit fine-grained authorization mapping into big data queries. This means that you can implement attribute based authorization – not just typical role-based access controls – without modifying the application! Control down to the data element level is possible, but implemented as a proxy between the application and the database. Note that this does not protect data at rest and assumes that you route queries through a proxy, and you need to actually know what is in your big data repository. But regardless, it is a a viable approach to fine-grained authorization controls for big data clusters. For those identity geeks out there who were skeptical about the adoption of XACML, it just may sneak in through the back door. – AL

  6. Chasm jumping unicorns? Gene Kim has a great post on DevOps.com asking whether DevOps can cross the chasm to mainstream enterprises (disclosure: I’m on the DevOps.com advisory board). Gene, you may recall, wrote The Phoenix Project about the power of DevOps. I’ll be honest: I am biased. But I do believe DevOps operational frameworks can increase agility, resiliency, and security – all at the same time. Gene cites actual statistics, such as twice the change success rate when using DevOps, and 12x faster restorations after breaks (all from a Puppet Labs survey, so beware possible bias). DevOps isn’t the answer for everything, and it comes with its own risks, but once you start learning the patterns it makes a ton of sense. The ability to do things like build an entire application stack automatically and as needed, using templates with embedded security configurations, sure seem like a nifty way to build and fix things. – RM

  7. Understanding the different levels of malware analysis: With more advanced malware out there, many organizations have started dipping their toes into malware analysis to figure out what attacks do. Lenny Zeltser has a good overview of 4 different types of analysis in this post: discussing fully automated analysis, static analysis, interactive (dynamic) analysis, and finally full code reversing. Many of the cloud services out there doing malware analysis do at least the first three, and manage a decent job at this point. Of course you can’t (yet) completely displace a human analyst, so there will be room for carbon-based analysis for a quite a while, to understand the nuances and patterns across attacks. But it is very difficult to find folks who can do reverse code, so automated services may be the only option for many companies. For more detail on what’s involved in malware analysis, check out our Malware Analysis Quant research. – MR

–Mike Rothman

Tuesday, March 18, 2014

Webinar Tomorrow: What Security Pros Need to Know About Cloud

By Rich

Hey everyone,

I mentioned it on Twitter but also wanted to post it here. Tomorrow I will be giving a webinar on What Security Pros Need to Know About Cloud, based on the white paper I recently released.

CloudPassage is sponsoring the webinar, but, as always, the content is our objective view.

You can register online, and we hope to see you there…

–Rich