Incite 2/15/2012: Brushfire
By Mike Rothman
I had this fraternity brother back in college named Lucas. We gave him a pretty hard time, mostly because he was the nicest guy you’d ever want to meet. Turns out he didn’t know what jobs just sucked. We’d ask Luke to clean the grease trap, a typical task when we were pledges. Not a problem for him, and that was probably the nicest thing we asked him to do. Remember that when you live in a house with 40+ guys, you tend to share a lot of things.
Get your heads out of the gutter. I’m talking about things like toiletries. It wouldn’t be a surprise to see your brand new shampoo bottle in the gang shower 80% gone. Nor should it have surprised anyone to find their toothpaste ravaged by the cheap slugs I lived with. I always figured it was a decent investment because most of these guys wouldn’t have brushed their teeth at all, if it weren’t for my toothpaste.
But Luke would have none of that. He went berserk one day when he found his toothpaste mostly gone. He proceeded to write his name on everything he owned, as if that would make a difference. He was ranting and raving. Of course, once we knew that bothered him, we hit the gas. We’d still take his toothpaste, but we’d put it back in his room – empty. We’d hide his stuff all over the house. Come on, you would have done the same thing when you were 20.
But slowly I’ve become Luke in terms of my stuff. I live with 4 other people and they are constantly using my stuff. I know when the Boss has been in my toothpaste because she squeezes from the top, not the bottom like I do. Yeah, that annoys me, so I put a new tube in her drawer, hoping she won’t screw with mine. But it’s the brush that really annoys me. I know instantly when one of the girls has polluted my brush. There are all sorts of long hairs tickling my ears when I brush my hair. So I peek at my brush and sure enough there is a ton of long brown hair in my brush. My hair is short and gray – I know it’s not mine. I don’t know why, but it annoys me. In a fit of rage, I did consider lighting the brush on fire, as that seemed like the only way I could ever keep everyone else from using it. Now that would be a cool brushfire.
So I did what any person does when annoyed. I bought about 10 other brushes. I put extra brushes in each girl’s room and a few downstairs. Just in case. But amazingly enough, even with the extra brush inventory, half the time we can’t find a brush when we need it. There must be some kind of gremlin with long hair in the house who keeps taking our brushes. So time and time again, they go to the only place where they can be absolutely sure there is always a brush in the house. Right, my drawer.
Either that, or maybe they are just screwing with me, because they know finding hair in my brush annoys me. I annoy them enough that I probably deserve to be messed with a bit. I guess karma balances out in the long run. But who could have guessed it would be in the form of a brush?
Photo credits: “Hairy Brush” originally uploaded by Ashley Coombs
After a bit of a blogging hiatus, we are back at it. The Heavy Research feed is hopping, and here are a couple of links of our latest stuff. So check them out and (as always) let us know what you think via comments.
We posted a new paper earlier this week, assembling the Network-based Malware Detection series into a spiffy document. Check it out.
And we have started posting our annual RSA Conference Guide. The first post was on our Key Themes. It seems over the past year we haven’t lost our snark, so our themes include stuff like “Is that a Cloud in Your Pocket?” “#OccupyRSA,” “Ha-Duped about Security BigData,” and “Data Olestra.” Yes, we insist on having fun if we have to write. We’ll be doing 1-2 a day over the next week, and then we’ll package it up as a paper you can take with you to the conference.
Here’s the other stuff we have been up to:
- Implementing and Managing a Data Loss Prevention (DLP) System: Index of Posts. Rich is still at it, so check out his latest on deploying DLP.
- Malware Analysis Quant: Take the Survey (and win fancy prizes!) We need your help to understand what you do (and what you don’t) for malware analysis. And you can win some nice gift cards from Amazon for your trouble.
Remember, you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.
Incite 4 U
Behold the Nortel ostrich: Great exposé in the WSJ about Nortel being totally and utterly compromised for over a decade. It seems there was no part of their infrastructure the attackers didn’t have access to. But that’s kind of an old, tired story. What’s more interesting is the reaction from former Nortel folks. As the carcass of what used to be Nortel has been auctioned off in bankruptcy, the folks acquiring the assets play stupid. The old CEOs play stupid. And then they suggest one of the main forensics guys was crying wolf. But he wasn’t crying wolf, was he? This is the kind of institutional disregard we, alas, expect to see. It’s not like Nortel had anything interesting to state-sponsored hackers, right? Like the signaling software that runs a huge fraction of the national voice networks. This is just a reminder: your organization is pwned. The question is whether you know it or not. Or want to know it, I guess. – MR
Probing the unprobable: I have to admit that, as a customer of an IaaS cloud provider, I have never formally requested permission to pen test the provider’s environment. Adam Ely states that cloud service providers will agree to pen tests, provided they occur within an acceptable window of time. Call me skeptical. I have heard from enough companies who state they were not allowed to conduct pen tests on the infrastructure, and were herded towards security documents attesting to the provider’s prior security accreditation. Given the self-service nature of cloud resources, it’s up to you to get your basic questions answered from the published documents, so plan on digging first. But the provided materials leave out a lot of important details, and it’s up to you to ask the open questions. That’s why it’s critical that you understand which questions must be addressed, and be prepared to find another vendor if you can’t get answers. As for independent validation of security through pen tests: it’s great if the provider will agree, so ask, but don’t count on receiving permission. – AL
Poor man’s white listing: Given that negative security models have all been total failures at stopping malware, we have always thought that, at least theoretically, application whitelisting held the promise of turning the tide. Unfortunately deployment remains challenging: users still hate it, and as you ease restrictions (grace periods, etc.) you increase attack surface, which eats away at the point of installing AWL in the first place. It looks like the NSA got a bit creative, employing a less restrictive but reasonably effective mechanism built from software restriction capabilities based on file paths (as opposed to file hashes), a bit of HIPS, and some custom permissions. Of course this isn’t as secure as commercial AWL and can be gamed in various ways, such as changing PATH statements or installing code via drive-by into an authorized directory, but it’s better than nothing. The NSA folks were kind enough to write a paper (back in 2010) telling you how to do it yourself. 2010? And they are just deploying it now? Yeah, no one said anything moves quickly in the Fed space. But we have pointed out the logic of doing some whitelisting on fixed-function devices like printers. So now we see Xerox get some religion, partnering with McAfee to embed some whitelisting goodness in their document systems. I guess Intel really is everywhere. – MR
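The “drive-by into an authorized directory” caveat is the one that bites path-based whitelisting in practice: an allow rule on %SystemRoot% or %ProgramFiles% is only as strong as the ACLs beneath it. As an added example (not from the NSA paper or the original item), here is the check a practitioner should run before trusting such rules: walk the roots your allow rules cover and flag every directory a low-privilege principal can create files in. It assumes a policy whose allow rules cover %SystemRoot% and %ProgramFiles%; the function name and the principal list are the example’s own choices.

```powershell
# Added example (not the NSA paper's code): audit the roots that path-based SRP or
# AppLocker "allow" rules cover and flag every subdirectory a low-privilege principal
# can write to. Each hit is a hole in the whitelist: a file dropped there by a
# drive-by inherits the allow rule on its parent path.

function Find-WritableAllowedDir {
    param(
        # Roots covered by allow path rules (assumption: an NSA-style policy that
        # allows %SystemRoot% and %ProgramFiles% and disallows everything else).
        [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        # Principals that should never be able to write under an allowed root.
        # Names are the English well-known accounts; adjust on localized builds.
        [string[]]$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )

    # Rights that let a principal drop a file into the directory. Generic rights
    # (GENERIC_WRITE, GENERIC_ALL) are not enum members but do appear in ACEs.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::CreateFiles -bor $R::CreateDirectories -bor $R::Write -bor
                       $R::Modify -bor $R::FullControl) -bor 0x40000000 -bor 0x10000000

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        # Check the root itself as well as everything below it.
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)

        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }

            # Keep only Allow ACEs granting a write-class right to a low-priv principal.
            $hits = @($acl.Access | Where-Object {
                $rights = [int]$_.FileSystemRights
                $_.AccessControlType -eq 'Allow' -and
                $LowPrivPrincipals -contains $_.IdentityReference.Value -and
                (($rights -band $writeMask) -ne 0)
            })

            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Path       = $dir.FullName
                    WritableBy = ($hits | ForEach-Object { $_.IdentityReference.Value } |
                                  Sort-Object -Unique) -join ', '
                }
            }
        }
    }
}

# Run it: every row is a directory that needs an explicit "disallow" path rule
# or an ACL change before the allow rule on its parent can be trusted.
Find-WritableAllowedDir | Format-Table -AutoSize
```

Each hit needs either a more specific disallow path rule (in SRP the more specific path rule wins over the broader allow) or an ACL change so standard users can no longer create files there. On a default install this check typically surfaces directories such as C:\Windows\Tasks and C:\Windows\Temp, which is exactly the authorized-directory gaming the item refers to.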
A quick start to detecting intruders: When Bejtlich talks, a lot of folks listen. So when he succinctly describes how to get started with his network security monitoring approach in a couple of paragraphs, you should read it. And do it. I have been a disciple of the monitoring-centric approach for years (the ops section of the P-CSO is based on some of Richard’s work), mostly because it makes sense. Richard describes three general steps, which basically involve building a set of threat models and gathering the data needed to detect those attacks. Then have a red team run those attacks to make sure you can detect them. Then run a less restrictive test to identify more gaps. I’d add a 4th step, which is to take what you learn in the less restrictive test and feed it back into the threat model. This isn’t a static process; it should be constantly evolving based on the kinds of attacks you model. Check out the NSO Quant project to get (a lot) more detail on our flavor of security monitoring. – MR
Open container: Smart Phone Camp claims to have found another flaw in Google Wallet, one which gives full access to the wallet to anyone who gains physical possession of your phone. Basically, if you use the admin function to ‘clear’ the wallet and then restart the app with a new PIN, it automatically links the phone to the Google payment account. BAM! Pwnage. It’s a little like using a password reset to gain credentials for an account you have already gained access to. For now this is only a problem if someone steals your mobile device, as they need physical control to execute the attack. But it’s a serious design flaw. Google needs to decouple local wallet access from account access, or future attacks will impersonate the phone and request unauthorized resets even without possession of the device. – AL
Bonus: Success is as much (if not more) about what you choose not to do: It can be difficult to get true wisdom into or out of 140 characters, but Jack Dorsey managed to do it with a tweet acknowledging the 3 year anniversary of Square, the payment processor. “Happy 3rd Birthday @Square! I’m so proud of all we’ve accomplished, & all we decided not to do.” Regardless of what you do or who you work for, you have neither infinite time nor infinite resources. So you need to decide what not to do. Choose wisely – you will never get that time back. – MR