Research

A couple years ago Brian Sullivan of Microsoft demonstrated blind SQLi and server-side JavaScript injection attacks on Mongo, Neo4j, and other big data engines, but this is the first time I have seen someone get a shell and bypass ASLR. From the SCRT Information Security Team Blog, they found an 0-day to do just that: Trying some server side javascript injection in mongodb, I wondered if it would be possible to pop a shell. … nativeHelper is a crazy feature in spidermonkey missused by mongodb: the NativeFunction func come from x javascript object and then is called without any check !!! … This feature/vulnerability was reported 3 weeks ago to 10gen developers, no patch was commit but the default javascript engine was changed in last version so there is no more nativeHelper.apply function. A metasploit module is comming soon… Go read the post! They laid out their work step by step, so it’s easy to see how they performed their analysis and tried different tweaks to get this to work. A side note to NoSQL vendors out there: It may be time for some of you to consider a bug bounty program on commonly used components – or maybe throw some money SCRT’s way? Nice work, guys. A big “thank you” to Zach (@quine) for spotting this post and bringing it to our attention! Share:

You read stories about badasses tracking down trolls and showing up at their houses, and you get fired up about attribution. The revenge gene is strong in humans and there is nothing like taking that Twitter gladiator out the woodshed for a little good old fashioned medieval treatment. Now, payback daydreams aside, Keith Gilbert asks a pretty important question about attribution. Do you really need to know exactly who the attacker is? The question: Do you or your organization need to know the PERSON sitting behind the keyboard at the other end of the attack? I still believe that the answer, in most situations, is no. The exceptions I see are localized (physical tampering, skimming, etc) types of crime, or for organizations that are serious about prosecuting (which usually means a financial motivation) the perpetrator. That’s right. It may make you feel better to know the perpetrator was brought to justice, but in most cases doing the work to pinpoint the person is well past the point of diminishing returns. That being said, though it’s not critical to identify the actual attacker, you need to understand the tactics and profile of the adversaries. The idea is that knowing the tactics that the adversary is likely to use can be immensely valuable in prioritizing defenses and focusing employees. While understanding tactics is part of knowing your adversary, it also helps to understand the motivations behind your attackers. Why are you a target? What data are they going after (or prevent others from reaching)? How will they attempt to reach their goal? This is really no different than any other business intelligence function. If you don’t have a clear profile of your adversaries, how can you figure out how to protect yourself? As long as you understand that the profile is dynamic (meaning the attackers are always changing) and that you’re using the intelligence to make educated guesses about the controls that will protect your environment, it’s all good. Photo credit: “Caught red handed?” originally uploaded by Will Cowan Share:

When writing about the flaw in Apple’s account recovery process last week, something set my spidey sense tingling. Something about it seemed different than other similar situations, even though exploitation was blocked quickly and the flaw fixed within about 8 hours. At first I wanted to blame The Verge for reporting on an unpatched flaw without getting a response from Apple. But I can’t, because the flaw was already public on the Internet, they didn’t link to it directly, and users were at active risk. Then I realized that it is the nature of cloud attacks and disclosures in general. With old-style software vulnerabilities when a flaw is disclosed, whatever the means, attackers need to find and target victims. Sometimes this is very easy and sometimes it’s hard, but attacks are distributed by nature. With a cloud provider flaw, especially against a SaaS provider, the nature of the target and flaw give attackers a centralized target. Full disclosure can be riskier for users of the service, depending on the degree of research or effort required to attack the service. All users are immediately at risk, all exploits are 0-days, and users may have no defensive recourse. This places new responsibilities on both cloud providers and security researchers. I suspect we will see this play out in some interesting ways over the next few years. And I am neither equating all cloud-based vulnerabilities, nor making a blanket statement on the morality of disclosure. I am just saying this smells different, and that’s worth thinking about. Share:

What happened to the guru? The magician? The computer expert at your company who knew everything. I have worked at firms that had several who knew IT systems inside and out. They knew every quirky little trick of how applications worked and what made them fail, and they could tell you which page of the user manual discussed the exact feature you were interested in. If something went wrong you needed a guru, and with a couple keystrokes they could fix just about anything. You knew a guru by their long hair, shabby dress, and the Star Trek paperback in their back pocket. And when you needed something technical done, you went to see them. That now seems like a distant memory. I have lately been hearing a steady stream of complaints from non-IT folks that IT does not respond to requests and does not seem to know how to get out of their own way. Mike Rothman recently made a good point in The BYOD problem is what? BYOD is not a problem because it’s already here and is really useful. Big Data is the same. Somewhere along the line business began moving faster than IT could keep up. Users no longer learn about cool new technologies from IT. If you want a new Android or iPad for work, you don’t ask IT. You don’t ask them about “the cloud”. You don’t consult them about apps, websites, or even collecting credit card payments. In fact we do the opposite – we see what our friends have and what our kids are doing, Google what we need to know, and go do it! The end-run around IT is so pervasive that we have a term for it: Rogue IT. Have credit card, will purchase. How did the most agile and technically progressive part of business become the laggard? Several things caused it. High-quality seamless rollouts of complex software and hardware take lots of time. Compliance controls and reports are difficult to set up and manage. It takes time to set up identity and access management systems to gate who gets to access what. Oh, and did I mention security? When I ask enterprise IT staff and CISOs about adoption of IaaS services, the general answer is “NO!” – none of the controls, systems, and security measures they rely on are yet fully vetted, or they simply do not work well enough. The list goes on. Technologies are changing faster than they can be deployed into controlled environments. Their problems are not just a simple download away from being addressed, and no trip to the Apple Store will solve them. It’s fascinating to watch the struggle as several disruptive technologies genuinely disrupt technology management. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s DR paper: Security Implications Of Big Data. Rich quoted on Watering Hole Attacks. Gunnar’s DR Post: Your Password Is The Crappiest Identity Your Kid Will Ever See. Favorite Securosis Posts Mike Rothman & Adrian Lane: When Bad Tech Journalism Gets Worse. Totally ridiculous. The downside of page view whores in all its glory. Certainly wouldn’t want a fact to get in the way of the story… Other Securosis Posts Services are a startup’s friend. New Paper: Email-based Threat Intelligence. Who comes up with this stuff? The World’s Most Targeted Critical Infrastructure. DHS raises the deflector shields. Incite 3/20/2013: Falling down. If you don’t know where you’re going… When Bad Tech Journalism Gets Worse. The Right Guy; the Wrong Crime. New Job Diligence. Preparation Yields Results. The Dangerous Dance of Product Reviews. Limit Yourself, Not Your Kids – Friday Summary: March 15, 2013. Ramping up the ‘Cyber’ Rhetoric. Favorite Outside Posts Adrian Lane: Firefox Cookie-Block Is The First Step Toward A Better Tomorrow. Mike Rothman: Indicators of Impact. Kudos to Russell Thomas for floating an idea balloon trying to assess the impact of a breach. I’ll do a more thorough analysis over the next week or so, but it’s a discussion we as an industry need to have. Project Quant Posts Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Top News and Posts Critical updates for Apple TV and iOS available Ring of Bitcoins: Why Your Digital Wallet Belongs On Your Finger Subway Hit By The Ultimate Cyberthief Inside Job: A Double-Insider. Two opportunities to vet – both failed. Cisco switches to weaker hashing scheme, passwords cracked wide open Why You Shouldn’t Give Retailers Your ZIP Code Microsoft, Too, Says FBI Secretly Surveilling Its Customers The World Has No Room For Cowards. Krebs ‘SWATted’ in case you missed it. On Security Awareness Training Gravatar Email Enumeration in JavaScript. Clever. Spy Agencies to Get Access to U.S. Bank Transactions Database Blog Comment of the Week This week’s best comment goes to Dwayne Melancon, in response to New Job Diligence. Good advice, Mike. Surprised at how many people don’t look before they leap. If you apply some of your own “social engineering for personal gain” to this, you can avoid a lot of pain. Mining LinkedIn is a great shortcut, assuming the company you’re investigating has a decent presence there. Not only can you talk with specific people (including the ones who’ve left, as you mentioned), you can get a feel for whether there is a mass exodus going on. If there is, it can be a sign of a) opportunity b) Hell, or c) both. But at least you know what you’re getting into. Share:

According to The Verge, someone discovered a way to take over Apple IDs using only the owner’s email address and date of birth. This appears to be an error exposed when they enabled 2-factor authentication, but as soon as it went public Apple disabled the iForgot feature and locked all accounts down. This seems to be one of those annoying cases where someone decided to disclose something in the press instead of just reporting it and getting it fixed. That’s really damn dangerous when cloud services are involved. I expect this to be resolved pretty quickly. Possibly before my bracket is blown to unrecoverable levels. We’ll update as we learn more … Share:

The next chapter in our Threat Intelligence arc, which started with Building an Early Warning System and then delved down to the network in Network-based Threat Intelligence, now moves on to the content layer. Or at least one layer. Email continues to be the predominant initial attack mechanism. Whether it is to deliver a link to a malware site or a highly targeted spear phishing email, many attacks begin in the inbox. So we thought it would be useful to look at how a large aggregation of email can be analyzed to identify attackers and prioritize action based on the adversaries’ mission. In Email-based Threat Intelligence we use phishing as the jumping-off point for a discussion of how email security analytics can be harnessed to continue shortening the window between attack and detection. This excerpt captures what we are doing with this paper: So this paper will dig into the seedy underbelly of the phishing trade, starting with an explanation of how large-scale phishers operate. Then we will jump into threat intelligence on phishing – basically determining what kinds of trails phishers leave – which provides data to pump into the Early Warning system. Finally we will cover how to get Quick Wins with email-based threat intelligence. If you can stop an attack, go after the attackers, and ultimately disrupt attempts to steal personal data you will, right? We wrote this paper to show you how. You can see the landing page in the research library or download Email-based Threat Intelligence (PDF) directly. We would like to thank Malcovery Security for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without sponsors licensing our content. Share:

I try to read a variety of different non-security resources each week, to stay in touch with both technology and startup culture. Of course, we at Securosis are kind of a startup. We are small and we’re investing significantly in software (which is late and over budget, like all software projects). But we choose not to deal with outside investors and to have reasonable growth expectations, since ultimately we do this job because we love it. Not because we’re trying to retire any time soon. It is instructive to read stuff from former operating folks who find themselves advising other startups. Mark Suster, who is now a VC, has a good post on TechCrunch about One of the Biggest Mistakes Enterprise Startups Make. He’s talking about the hazards of trying to introduce an enterprise product without a professional services capability. Ultimately any startup must be focused on customer success, and drop shipping a box (or having them download software) may not be enough. The line of reasoning goes, “Services businesses are not scalable and the market won’t reward this revenue so make sure that third-parties do your implementation or clients do it themselves. We only want software revenue.” This is a huge mistake. If you’re an early-stage enterprise startup services revenue is exactly what you need. In the security business this is a pretty acute fear. Let’s call this ArcSight-itis. Customers can be very resistant to technology that requires more investment in services than in software. The old ERP model of paying X for software and 4X for services to make it work is pretty much dead. Thus the drive to make things easier to use, requiring less services. And they don’t want to revisit their experience with early SIEM offerings. But as with everything, there is nuance. Ultimately customers want to be successful which is why they bought the product in the first place. So if customers left to their own devices can’t get quick value from any technology investment, then who’s the loser? Everyone, that’s who. Mark’s point is that for startups in emerging markets, customers don’t know what to do with the technology. They haven’t done the integration to provide a whole product (yes, break out Crossing the Chasm if you don’t know what I’m talking about). And the channel doesn’t have the expertise to really support the customer. So the startup needs to provide that expertise. Even better, services can goose revenues to partially cover costs while the software business matures. Over time, license revenues (or increasingly services/SaaS revenues) are far more highly valued. But Mark’s point is that if smaller companies selling an enterprise product don’t have the capability to integrate and service the product, they may not be around long enough for the software to mature. Of course there are exceptions, and that is why he prefaced everything with the ‘enterprise’ term. If a mid-market focused offering requires significant services it’s a epic fail. But if the Global 2000 is the target market, recruit good services folks early and often. Share:

Galaxy Note II security flaw lets intruders gain full device access. Confirmed: iOS 6.1.3 Has Another Passcode Security Flaw The iOS one in particular is very limited, but I am continuously astounded by the creativity of some of these passcode flaws. Give me SQL injection or heap sprays any day… Share:

All you IT professionals out there who want to divert attention, give your exec’s a warm and fuzzy feeling you’re saving money and making you’re users experience better, just do what the DHS did. Margaret Graves, DHS deputy CIO, pulled a page from Star Trek and flummoxed Congress with some Techno-Babble. From [Network World](http://www.networkworld.com/news/2013/032013-dhs-shifting-to-cloud-agile-267910.html): > At a hearing before the House Committee on Homeland Security on Tuesday, a DHS IT official gave lawmakers an overview of agile development methodologies, one of the tools that the department is using to fix its IT project management. Agile came up after U.S. Rep Ron Barber (D-Ariz.), a former staffer in Rep. Gabrielle Gifford’s office who won that seat after Giffords resigned, asked what DHS was doing to ensure that its IT systems met user needs. Margaret Graves, DHS deputy CIO, said the department is using agile methodologies to create user stories to help shape the systems. In agile development, user stories can be short and informal descriptions of some of the functions users would like to see. She blinded him with science! Throw out a ‘solution’ that sounds good, which lots of people ‘in the know’ approve of, but it too esoteric or complex for critics to understand. In this case it’s Agile development on Cloud resources tuned by User Stories. It’s a red-herring trifecta! I’d be a hypocrite if I said I’d not used this IT-Judo technique before. It works! It always worked on Star Trek. Get in trouble and just re-phase the shield generators and send out a broad spectrum particle beam to detect cloaked vessels. Just so happens the technique works in real life too. All kidding aside – Agile is a great development _process_ as the approach forces simplification of grand projects into simple tasks. And it intrinsically offers the benefits that you are always be working on the most important part of the project – or at least a portion that can be delivered within the coming sprint. But Agile pushes a lot of the burden of successful implementation onto the project manager. PM’s take more control over product and service enhancements, really steering the course of development through prioritization. But _if your product management already sucks, you’ll still fall off the tracks with Agile_. You’ll just do it faster. Dare I say faster than an anti-matter explosion from a warp core breach. And if you don’t understand what that means, fear not, neither does U.S. Representative Ron Barber (D-Ariz.). Chalk one up for Ms. Graves of the DHS. Share:

I read a profile of Spanx’s Sara Blakely in Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they failed that day. Wait, what? He would be disappointed if the kids didn’t fail something because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I thought of that. There is an unnecessary stigma about failure and it’s counter-productive. This is programmed into our heads from a young age. “Winning isn’t everything, it’s the only thing.” Hyper-competitive helicopter parents screaming at their kids to win their 4-year-old T-ball game. I have to say the Boy competes in both lacrosse and tennis, but he doesn’t much care whether he wins or loses. He just moves on. He certainly didn’t get that trait from me – I was very competitive growing up and hated to lose at anything. But I admire it in him. As a result of my unwillingness to screw up, I didn’t really try enough new things. I would compete when I knew I had a very good chance to win. Looking back, it would have served me much better to have tried stuff and made mistakes and realized that I could fall down, and it would be okay. Think about it – we fail every day at all sorts of things, both little and big. Entrepreneurs talk about failing fast and pivoting to the next idea quickly. They fall down but reload and move on. I love the guys who breathe their own exhaust and think they are all who because they joined a company like Google or Facebook early enough to make some money, but not so early that they had much to do with the company’s success. These folks think it was them, while in reality they were lucky. To be fair, these lucky few do learn from being around success. Some can parlay that into success in their next venture. But most don’t. The folks who got blown out are more interesting. As one of them I can tell you that I learned a lot more from failing. In the security world a breach occurs when something fails. Some of the small-minded clean up the mess and move on. They don’t spend enough time trying to figure out what went wrong. They hope the problem will go away. It won’t. It never does. They should do a post-mortem. They need to identify what didn’t work and fix it. An organization’s culture must allow for mistakes, though it’s realistic to expect employees not to make the same mistake twice. I am pretty good about telling my kids that it’s okay to make mistakes. As long as they learn from them. So when they have a no good, horrible, very bad day, messing everything up, I always ask what they have learned. Usually they can tell me, but if not I’ll use it as a teaching moment to explain what they could do differently next time. Ultimately I try to make it clear to them that it’s okay to fail. Really, it’s okay. As long as they get back up and jump into the mix. –Mike Photo credits: Oops! “This Was NOT What I Intended!” originally uploaded by Bridget Coila Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK on April 8-10. Sign up now. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Quick Wins Analyzing the Phishing Food Chain Industrial Phishing Tactics Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Vulnerability scoring snoring: I have to admit I have never been a fan of generic vulnerability scoring because it doesn’t take into account the context required to understand the impact of the issue on your network. It’s nice to see Tyler Reguly of nCircle make the same point. He says it pretty bluntly: “The current state of vulnerability scoring is useless. With the frequency of vulnerability disclosure and the number of vulnerabilities patched in products, a bucket consisting of High, Medium, and Low tells me nothing.” Back in Vulnerability Management Evolution I talked a lot about how prioritizing what to do is the key value of these platforms. Tyler then goes on to talk about risk scoring, which adds a few key attributes like exploit availability and access to the system. Right – if you can’t exploit the vulnerability or get to the system, your urgency score needs to drop. Period. – MR SCADA chum: Even today we still run into far too many Operational Technology (OT, as opposed to IT) people who like to pretend they are still safe behind their firewalls. Or that their systems are too specialized for Internet attackers to do anything with, even if they do get in. New research by Trend Micro shatters those misconceptions. The research team put up 3 honeypot networks designed to emulate real utility company networks, and watched as they were hit with 39 attacks from 14 nations (guess who came first?). This is merely one more in a series of wake-up calls, and you can bet that these sorts of results are driving more of the cybersecurity activity in DC than the more-public IP theft. – RM Right idea, wrong direction: This attacks to critical infrastructure story is making the rounds as news. But this is the same story we heard for years about SCADA; vulnerable – we know. But why is it an issue now, and why is it any