Research

Apple uses XProtect to block the Java browser plugin due to security concerns. Draconian, but a good move, I think. Still, they should have notified users better for the ones who need Java in the browser (whoever that may be). You can still manually enable it to run if you need to. This doesn’t block Java itself, just the browser plugin. If complaint levels stay low, it indicates how few people use Java in the browser, and will empower Apple to make similar moves in the future. Share:

I was driving down the road the other day when I passed what I thought was a shipping container on the back of an 18-wheel truck. When I noticed data and power ports on the side, I realized it was a giant data center processing module. Supercomputing on wheels. Four trucks with two modules per truck, rolling down the highway. Inside reside thousands of stripped down motherboards stacked with tons of memory, packed side by side. Some of these are even designed to be filled with dielectric fluid to keep them cool. If you have not seen these things up close and personal, check out the latest article on Microsoft’s new data center When Microsoft wants to quickly ramp up a new data center, it can move dirt, pour a foundation, and build one of the most boring buildings you’ve ever seen. Or it can load up a few of its custom-designed data center modules onto a truck and drop them on the site. One of the key concepts behind big data is the realization that sometimes it’s cheaper to move computing to the data, rather than moving data to the processors. In that way you use any computing power that’s logically nearby. And there is a similar trend with data centers – in this case physically adjust location to your needs. Raw processing power. Modular. Mobile. In the event that a data center site gets flooded by a hurricane, you back up the truck, plug in a generator, and you’re back on line. It can be much for enterprises to buy a crate of computing than to provision a traditional data center. Share:

Everyone is all fired up that the APT is now targeting major media companies. Rich covered that in yesterday’s post, and now it seems the Wall Street Journal was also targeted by similar tactics The Wall Street Journal said its computer systems had been infiltrated by Chinese hackers for the apparent purpose of monitoring the newspaper’s China coverage. This is shocking why? Brazen, yes. Predictable, yes. Surprising? Not in the least. But that’s neither here nor there. What annoyed me about the NYT story was pointing the finger squarely and exclusively at Symantec. And their partner in slime, Mandiant, seemingly blaming the breach on the inability of their AV engine to catch the attacks. This is bush league and clear misdirection. I am not saying, in any way, that Symantec’s failure wasn’t the main cause of this breach. But I don’t know they were either. We don’t know the answers to a few fairly important questions, including what version of Symantec AV was running at the time of compromise? If they were using SEP 10 this result isn’t surprising. That product stunk and SYMC acknowledges that. It’s like blaming Microsoft for a breach because Windows XP got compromised. That would have been fine in 2003, but now? Come on, man! If the enterprise isn’t taking advantage of modern protection, how can they expect to defend against modern attacks? Before we can credibly place blame we need to know more. What operating system was in play? Was it fully patched? How was it configured? What other defenses were in place on the endpoints? The questions go on and on. We don’t know enough to point the finger. And if these devices weren’t taking advantage of the latest versions of pretty much everything, then the issue rests more on the NYT than on a security vendor. At least in my opinion. But what fun is that, right? It’s much easier to play into the same old story about how AV sucks. But no endpoint product is going to stop a 0day targeting crappy software (yes, Oracle and Adobe, I’m looking at you). Not 100% of the time anyway. And all the attackers needed to do was compromise one device, and then they owned the environment. OK, I’ll get off my soapbox now. Just to make sure we’re clear, I’m not saying Symantec is free of blame here. But I know there are a bunch of other folks who should have the finger of accountability pointing at them, starting with the NYT security team. Share:

Twitter announced this evening that some 250k user accounts were compromised. This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. Passwords and session tokens were reset to contain the problem. It is likely that personal information, including direct messages, were exposed. The post asks users to use strong passwords of at least 10 characters, and requests that they disable Java in the browser, which together provide a pretty fair indication of how the attacks were conducted. Disable Java in the browser – where have you heard that before? We will update this post as we learn more. Update by Rich: Adrian and I both posted this within minutes. Here is my comment: Also from the post: This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users. Twitter has a hell of a good security team with some serious firepower, including Charlie Miller. Share:

We talk a lot about Big Data Security, and over the next couple years we will talk about it a lot more. But I think articles like Big Goals for Big Data are a bit misleading. But Preston Wood, Zions Bancorporation’s CISO and executive VP of security, finds it puzzling that so many find big data such a struggle. Really? The rest of the article goes through how Zions hit the wall with SIEM and needed to use Hadoop and associated technologies to meet his needs. It’s a good read and they make a number of very good points. The article even quotes Adrian, but we shouldn’t hold that against them. Our pal Alex Hutton weighs in a bit as well. “His advice? Do your homework before rushing in. Take all the necessary time to flesh out a detailed road map for the data you’re looking to process, carefully review how Hadoop will behave with the rest of your network, and develop a clear taxonomy model and strict metrics for it to follow.” That’s the rub. Most practitioners have neither the time or inclination to do the homework, structure the security program, and do things right. It’s all about instant gratification – which is why it’s much easier to get companies to install a magic box (which isn’t really magic) than it is to get them to change process and embrace foundation technology. This is an irritating truth at far too many organizations. But it is what it is. Zions has done a great job of building their security program on analytics, but that doesn’t mean it will be easy for other companies to do likewise. Share:

A must-read reported by the Times itself: For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings. The article contains many more details than we usually see about these incidents. Pure APT, and I had Mandiant pegged as the responders by the second paragraph. Of greater interest AT&T’s role in initially identifying the attack. Some in the security community, especially researchers, like to dismiss APT, but there is no question that China (and others, including the US) are engaging in massive attack campaigns. The key difference is that China is brazen and appears to target anyone in the public who private sector who comes anywhere near their radar screen. This includes companies far smaller than the Times. Until there are consequences for these actions, don’t expect anything to slow down. Gumming up the Huawei deal doesn’t come close to a material consequence. Update: Looks like the Wall Street Journal is also under persistent attack from China. Share:

Plan. Build. Run. It’s a pretty straightforward process. One of those things that is so simple we rarely need to even call it out. We tend to structure our research this way, even if we use different terms that are more consistent with the context at hand. This morning my wife gave me one of those looks as I got all excited and mentioned our build phase was nearly over. You see, for the past four-plus years our lives have been in big-time family build mode. We knew we wanted kids, we planned a bit, and then started building the family. What I didn’t realize was the sort of stasis that you get into when you cram build mode into a short timeframe (three kids in under five years for us). Nothing is ever stable when you bring children into the picture, but life sort of goes on hold when you are having kids, in a weird way that’s different from adjusting to the various changes as they grow up. For example, our garage is chock full of strollers, baby clothes, and other accouterments. We can’t even throw away any toys because the next baby will need all the same stuff. Sophie the Giraffe ain’t cheap for a hunk of rubber, and it isn’t even worth pulling it out of rotation with our kids so close. I just know one day I will pull around the block and see a Hoarders film crew in front of my house. Cars? Carseats? Daycare costs? Vacation plans? Even framing family photos is all messed up when you know the next little bugger is on the way. I knew life would be more difficult with children, but I didn’t anticipate the time dilation as you put your life on hold for the build years. And let’s be perfectly clear – it is a hell of a lot easier on me than my wife. I’m not the one who has to plan my wardrobe nine months in advance. As the rest of the Securosis team, and many of you, head out to RSA, I will be back here in Phoenix working on our Build-to-Run transition. Well, more like witnessing – it’s not like I’m doing any of the real work. The Mogull family will be in full production mode, and we can start slowly cleaning out the dev archives. Er… maybe I’m working too much. Anyway, I’m as excited to know that we have three happy and healthy kids, and no more, as I am to meet the new one for the first time (really, they aren’t very exciting for the first six or so months anyway). We can start moving forward and enjoy the few short years we will have them around to wreck our sleep, break our sh**, and otherwise teach us levels of emotional pain we can’t possibly imagine. But damn, they’re cute. And while I miss the freedom of the pre-kid versions of our lives, this is exactly where I want to be at this point in my life. Without question or hesitation. Really, they’re very cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Big Data Tweet-jam roundup. Adrian quoted on Big Data. Rich quoted in the Economist on Android security. Rich reviews his favorite fitness gadget for TechHive. Favorite Securosis Posts Adrian Lane: No Limits – New York Times Hacked by China. Mike Rothman: Universal Plug and Play Vulnerable to Remote Code Injection. One of the things Adrian didn’t get in this post is that Rapid7’s tool requires Java. FAIL. David Mortman: IAM for cloud use cases. Rich: It it was easy, everyone would be doing it… Other Securosis Posts Remember, every jailbreak is a security exploit Incite 1/30/2013: Email autoFAIL The Internet is for Pr0n Gartner on Software Defined Security The Graduate: 2013 Style Threatpost on Active Defense The Inside Story of SQL Slammer Java Moving from Ridiculous to Surreal Marketers take the path of least resistance Mobile Commerce Numbers Don’t Lie In through the Barracuda Back Door Favorite Outside Posts Adrian Lane: Symantec Gets A Black Eye In Chinese Hack Of The New York Times. Low effectiveness, but who will remove it? Mike Rothman: Check Point, Juniper, Stonesoft shine in low-end network firewall test. I like the work NSS does to put these products through their paces. It can’t really reflect real world circumstances, but their tests are as close as we are going to get. Rich: Decoding SDN by Juniper. SDN is hitting, and it’s time to get up to speed on the fundamentals. David Mortman: Trust will make or break cloud ID management services. Rich (#2): Jeff Carr asks great questions on the NYT article. Top News and Posts Twitter flaw allowed third party apps to access direct messages Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Backdoors Found in Barracuda Networks Gear Speedtest.net serving malvertiseing. How Yahoo allowed hackers to hijack my neighbor’s e-mail account. Wikr updates iOS app. I like Wikr, but don’t have enough people to use it with. Blog Comment of the Week This week’s best comment goes to David, in response to Threatpost on Active Defense. Rich, I am promoting using the term “Active Response Continuum” instead of “active defense” for the reason you cite, which is the term is too vague to be meaningful in discussion. The Active Response Continuum includes everything you list above, using two ranges (one capacity to respond, the other aggressiveness of actions). For more on this concept, see David Dittrich and Kenneth E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://papers.ssrn.com/sol3/papers.cfm? abstract_id=790585 and my Honeynet Project blog post responding to someone promoting “active defense” http://www.honeynet.org/node/1004 Share:

See update at the bottom TechHive’s piece on the new iOS 6.1 jailbreak. Only works on the pre-A5 processors, which means the iPhone 4S and iPad 2 and later are safe. The device must be connected to a computer for it to work. This is a tethered jailbreak which means it goes away when the device is rebooted. But this same technique enables you to forensically dump the phone, and all data is exposed except unless encrypted with Data Protection or another technique (see my Defending Data on iOS paper). It (and the source articles) suggests that an untethered jailbreak for all devices is coming. I can practically guarantee Apple will patch that pretty much immediately, because it will be a massive security issue allowing any attacker to control any iDevice that visits a malicious web page. If it’s real. Update: I misspoke a bit – my bad. Untethered doesn’t necessarily mean remote – it means the jailbreak persists across reboots. The security risks are obviously much less. Sleep deprivation is not my friend. Share:

This post delves into why companies are looking at new Identity and Access Management technologies for cloud deployments. Cloud computing poses (sometimes subtly) different challenges and requires rethinking IAM deployments. The following use cases are the principal motivators listed by organizations moving existing applications to the cloud – both internal or external deployments – along with how they integrate with third party cloud services. IAM architecture often feels pretty abstract; describing traits is a bit like postulating how many angels can dance on the head of a pin or whether light behaves more like a particle or a wave. And then there are standards – lots and lots of standards. But use cases are concrete – they show the catalyst, the activity, and the value to the enterprise and the user. Instead companies should start their decision process with use cases and then look for identity technologies and standards, rather than the other way around. To help understand why cloud computing requires companies to re-think their Identity and Access Management strategies, we will provide a handful of cases that illustrate common problems. The following cases embody the catalysts for altering IAM deployment structure, and embody the need for new protocols to propagate user privileges and establish identity in distributed environments. Before we get to the use cases themselves let’s look at the types of actors IAM introduces. There can be numerous different roles in a cloud IAM system, but the following are part of most deployments: Identity Provider: Consulted at runtime, the IdP is an authoritative source of information about users. This is often Active Directory or an LDAP server – which in turn provides token to represent the user identities. Cloud computing architectures often include more than one IdP. Relying Party: An RP is an application that relies upon an Identity Provider to establish identity. The relying party validates the provided token as genuine, and from the identity provider, and then uses it to assert the user’s identity. Attribute Provider: An AP either has access to or directly stores the fine-grained attributes that define user capabilities. Permissions may be role-based, attribute-based, or both. The value proposition is that attribute provider enable dynamic, data driven access control. This information is critical – it defines application behavior and gates user access to functions and data. How it provides attribute information, and how it integrates with the application, varies greatly. Authoritative Source: This is the authority on identity and provisioning settings. The AP is typically the HR system that stores master identity records, used as the source of truth for account status. This system has rights to add, edit, and disable accounts from other systems – typically via a provisioning system. For legal and compliance requirements, these systems keep detailed transaction logs. Policy Decision Point: The PDP handles authorization decisions by mapping each access request to a policy. This may be performed in application code or as a separately configured policy. There may be other IAM system roles in your deployment, but the above is the core set for cloud IAM. The location of each of these services varies, along with whether each role is supplied by the cloud provider and/or the enterprise, but these roles factor into every cloud deployment. Most cloud deployments address some combination of these three IAM Use cases: Use Cases Single Sign On Single sign on is the single greatest motivation for companies to look at new IAM technologies to support cloud computing. And for good reason – during our careers in security we have experienced few occasions when people have been glad to see security features introduced. Single Sign On (SSO) is one happy exception to this rule, because it makes every user’s life easier. Supply your password once, and you automagically get access to every site you use during the course of the day. Adding many new cloud applications (Salesforce, Amazon AWS, and Dropbox, to name a few) only makes SSO more desirable. Most security does not scale well, but SSO was built to scale. Behind the scenes SSO offers other more subtle advantages for security and operations. SSO, through management of user identity (Identity Provider), provides a central location for policies and control. The user store behaves as the authoritative source for identity information, and by extending this capability to the cloud – through APIs, tokens and third party services – the security team need not worry about discrepancies between internal and cloud accounts. The Identity Provider effectively acts as the source of truth for cloud apps. But while we have mastered this capability with traditional in-house IT services, extending SSO to the cloud presents new challenges. There are many flavors to SSO for the cloud, some based on immature and evolving standards, while other popular interfaces are proprietary and vendor-specific. Worse, the means by which identity is ‘consumed’ vary, with some services ‘pulling’ identity directly from other IT systems, while others requiring you ‘push’ information to them. FInally, the protocols used to accomplish these tasks vary as well: SAML, OAuth, OAuth II, vendor APIs, and so on. Fortunately SAML is the agreed-upon standard, used in most cases, but it is a complex protocol with many different options and deployment variations. Another challenge to cloud SSO is the security of the identity tokens themselves. As tokens become more than just simple session cookies for web apps, and embody user capabilities for potentially dozens of applications, they become more attractive as targets. An attacker with an SSO gains all the user rights conveyed by the token – which might provide access to dozens of cloud applications. This would be less of an issue if all the aforementioned protocols adequately protected tokens communicated across the Internet, but some do not. So SSO tokens should always be protected by TLS/SSL on the wire, and thought should be given to a protection regime for token access and storage from applications. SSO makes life easier for users and administrators, but for developers is only a partial solution. The sign-on

Rapid7 has announced that the UPnP (Universal Plug and Play) service is vulnerable to remote code injection. Because this code is deployed in millions of devices – that’s the ‘Universal’ part – there are a freakishly large number of people vulnerable to this simple attack. From The H Security: During an IP scan of all possible IPv4 addresses, Rapid7, the security firm that is known for the Metasploit attack framework, has discovered 40 to 50 million network devices that can potentially be compromised remotely with a single data packet. The company says that remote attackers can potentially inject code into these devices, and that this may, for example, enable them to gain unauthorised access to a user’s local network. All kinds of network-enabled devices including routers, IP cameras, NAS devices, printers, TV sets and media servers are affected. They all have several things in common: they support the Universal Plug and Play network protocol, respond to UPnP requests from the internet, and use a vulnerable UPnP library to do so. Rapid7 is offering users a free scanning tool to identify vulnerable devices, but the real question is “How can I protect myself?” The CERT Advisory advises users to block “untrusted hosts from access to port 1900/UDP”, but that’s provided they know how to do that, the devices are protected by a firewall, and disabling the port does not break legitimate apps. Honestly, not a lot to go on right now, so we will update this post if we come across more actionable advice. Share: