Research

We all want security to be front and center in terms of decisions on new applications. We all follow the researchers who show time and again how mobile apps, or web apps, or pretty much anything, can and will be gamed. Yet all that doesn’t matter, as security cannot get in the way of business. Branden Williams did a great job digging into the economics of Starbucks’ stored value cards to make a pretty compelling case that this stuff will happen, whether security likes it or not. Now, let’s say that I install the app on my phone, and set it to recharge $50 every time my balance gets low. I have now reduced their transaction volume with me to 10% of the original (26 times to recharge vs 260 transactions). This changes the fees to $23.27, or a 60% reduction in my cost burden to the company with the added benefit that they get to use my cash for anything they want while I work it off over a period of time. You should read the post because it hits on a number of the economic drivers that make stored value cards a huge win for small-ticket shops like Starbucks. Of course providing access to micropayments from a mobile app introduces risk. But given the numbers Branden outlines, that won’t stop Starbucks from doing everything they can to get everyone using their stored value cards & accounts. The numbers don’t lie – this stuff is going to happen. And these environments will be attacked because they represent a path of least resistance to get financial data. Which underscores the importance of working with the business people and app development team as early as possible to get ahead of the risks of these mobile-driven business processes. Photo credit: “Starbucks Mobile Card iPhone App” originally uploaded by Joe McCarthy Share:

Given the angst, conspiracy theories, and tinfoil hats around any network/security products built in China, it’s curious to see Krebs’ story on the backdoors in Barracuda products found by Stefan Viehboeck of SEC Consult Vulnerability Lab. Viehboeck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort. But having that back door creates exposures that most security conscious folks find unacceptable. As Viehboeck says: “In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.” Clearly you can draw the conclusion that this is bad, especially because Barracuda is playing the ostrich game a bit, calling these issues just ‘medium’ severity. But given that Barracuda caters to the small and mid-market, how many of these boxes are actually installed in secure environments? And how many of these unsophisticated customers will apply the fixes to eliminate the back doors? Right, not too many. We can’t let Barracuda off the hook here just because the back doors are there to facilitate support access in the event the box needs to be remotely fixed. Users lose their credentials and lock themselves out of their boxes all the time. They misconfigure stuff and a support rep would need deep (probably root) access to fix things. We get that. But we aren’t in the excuses business, and neither are Barracuda’s customers. Barracuda just can’t rely on a locked-down IP address range to provide security. That’s too easy to spoof and those addresses may change over time. Obscurity isn’t the answer. Moreover, customers need to have the option to shut down the back doors, especially if they install in one of these mythical secure environments. There must be a middle ground between installing an undocumented back door and not being able to support the device remotely. Maybe they ship the box without the default accounts and lock down the root account. Maybe they have a script that adds the support accounts to the box when a special “Activate Remote Support” setting is selected within the interface. They could use some kind of two-factor authentication to ensure Barracuda support is involved when activating the script. Then when the box is repaired, the user unchecks the box and another script cleans out the user accounts and locks down the box. Is that a perfect answer? Of course not – I’m just throwing crap against the wall. There must be a better way to ensure thousands of customers don’t have to ship their boxes back to Barracuda for simple fixes that can be done remotely by support. But having an undocumented back door isn’t it. Photo credit: “Vancouver, BC, Canada – Robson Street – Hippies Please Use Back Door (Antique Sign)” originally uploaded by Adam Jones Share:

Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile. No less than Dan Geer has weighed in on the topic in a CSO contribution. He looks at it from the perspective of what the mid-sized company can do and what they can’t. By introducing the concept of a third party, which he calls a mentor, Dan is talking about helping an organization kickstart their security program and prioritize. Later, the mentor can move on to their next stop, when the organization is ready to do stand on its own. Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don’t know that you don’t know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself. Basically Dan is calling for the mentor to take a snapshot of an organization and use their experience, methods, and analysis to help the organization prioritize what they should fix first. This first-things-first approach demands a mentor with the tools to take a high definition photograph of your information in motion movement – the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product. Dan is one of the big thinkers in the business, and he doesn’t talk much. But when he does, pay attention. As with any out of the box thinking, you can come up with a million reasons why something like this won’t work. But we should focus on how to make something like this happen; as technology advances (yes, Big Data) this kind of concept becomes more achievable. The reality is that far too many organization don’t know what they don’t know. And until they do things aren’t going to get better. Photo credit: “MSH0110-12 Squeeze Me” originally uploaded by f1uffster (Jeanie) Share:

Will Hadoop be to NoSQL what Red Hat is to Linux? Will it become more known for commercial flavors than the open-source core? Lately I have been noticing similarities between the two life-cycles, with the embrace of packaged variants. What I notice is this: In 1994 I replaced an unreliable BSD distribution with a Slackware distribution of Linux – itself a UNIX derivative. Suddenly “this old PC” was not only reliable, it felt 5x faster than it did running from the Windows partition. Slackware Linux was a great product limited to the realm of uber-geeks – you needed to assemble and compile before you could use it. But you could customize it any way you wanted – and it put a truly powerful OS on the desktop – free. Then Linux started to go a bit mainstream as it allowed us to cost-effectively run applications that previously required a substantial investment and very particular hardware. Caldera was a big deal for a while because they produced a ‘corporate’ flavor. Some companies noticed Linux was a powerful platform and embraced it; others viewed it – along with most open source – as a security threat. But its flexibility and ability to deliver a server-quality OS on commodity hardware were too compelling to ignore. Then we got ‘professional’ distributions, tools, and services. Adoption rates really started to take off. But while the free and open nature of the platform still roots the movement, it started to feel like you need a commercial version for support and tools. These days few people grab different pieces and assemble their own custom Linux distributions. I think Big Data is already moving from the fully open source “piece it together yourself” model into complete productized versions. If that’s true I expect to see the 125+ versions of NoSQL begin to simplify, dropping many of the esoteric distributions, likely boiling the market down to a few main players within the next few years – and eventually the Big Data equivalent of a LAMP stack. After that the NoSQL growth curve will be about standardized versions of Hadoop. The question is whether it will look more like Red Hat or Ubuntu? This really has nothing to do with security, but I thought there were too many similarities to ignore. -Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Milestone: Episode 300 of NetSec podcast. Mike quoted on Reuters on Cisco’s network security competitiveness. Mike quoted in the Merc about Cisco’s network security (missed) opportunity. Favorite Securosis Posts Mike Rothman: Don’t respond to a breach like this. Small minds make poor decisions. And everyone else should continue to do the right thing, even if small minds can’t understand it and take action against it. Adrian Lane: Emotional Whiplash. Mike nailed it. And I only saw the first and fourth quarters! Favorite Outside Posts Adrian Lane: “Cyber” Insurance and an Opportunity. Fascinating. Mike Rothman: XSS, password flaws found in popular ESPN app. Man, this sucks. Any big sports fan uses the ESPN app. Good thing it doesn’t store anything sensitive because I can’t live without my scores and NFL news. Recent Research Papers Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts Aaron Swartz’s death Backdoors Found in Barracuda Networks Gear Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Twitter flaw allowed third party apps to access direct messages Blog Comment of the Week This week’s best comment goes to -ds, in response to It’s just Dropbox. What’s the risk?. If we make security break users, we make users break security. This is such a basic principle. I’m tired of being in an industry where my peers would rather have the illusion of control then actual, effective, risk proportinate security. We have so many pretenders and unfortunately many of them are loud voices and dominate the coversation to the extent that newly minted security practicioners think they are the ideal. Next one of them that says “we do X because it is a best practice” is getting a wedgie. Share:

Symantec released their quarterly earnings today, which is the sort of thing we usually ignore. Especially because it’s only the third quarter, and not even a playoff game (I really need to hang out with Mike less). However… The learning period is over for new CEO Steve Bennett, and he is starting to implement his game plan. There shouldn’t be any surprises considering his background at GE – the focus is on streamlining, realigning assets, and reducing workforce cruft – especially in the middle and executive management levels. Talk is cheap and change is hard, so Bennett has his work cut out for him. The strategy of executing better in the field and with product delivery isn’t without risk. But it’s not like they really had a choice. Their sales costs were much higher than comparables in the industry, so that needed to be fixed. Organic innovation and acquired product integration have been problematic for years. At the same time Symantec drank at the trough of high multiple M&A to drive revenue growth, but too many of those deals didn’t pan out. So the focus will be on the stuff they already have, and even if they do more M&A given the return of capital to shareholders (in the form of a dividend and stock buyback), you’d look for lower priced and accretive deals. One message came across loud and clear: Don’t expect short term magic. Bennett managed expectations that this would be a multi-year process. What does this mean to you? SMB is now tied to consumer, not enterprise. That makes sense on the surface but is likely a tricky move under the covers, depending on where they draw the SMB line. Especially as more and more SMB customers look to the cloud for key services like web and email security and backup. On the enterprise side there will be some turmoil as they move BUs around, focus on profitable products, and perhaps start dropping distractions. This usually slows innovation, despite saying they are investing more into R&D. For most of you this won’t mean much yet, except that you should expect deck chairs to move even in the middle of deals. I don’t expect significant changes in the main product lines, and there is some base there to build on – per the article: The company also plans to increase research and development into areas such as mobile workforce productivity, data center security, integrated backup, information security services, cloud-based information management, and identity and content-aware security. Symantec really struggled with focus for a long time. They have started to clean that up, but nothing that big turns quickly. Mike might have more to add, but most of this won’t affect the enterprise business too much unless they decide to dump something big, and there’s no question they will be dumping little things that aren’t profitable enough. We don’t think they know what won’t make the cut at this point, but clearly some stuff will need to go. I suspect the SMB re-org/transition will be messy, but Symantec hasn’t had much of a strategy or success there for a while anyway. Basically, they are moving to address issues that the entire market has been pointing out for years. That should be good news to those Symantec faithful, and business as usual for everyone else. Share:

You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely result in longer-term results. Sure that’s part of my rationalization for why the Falcons lost at the precipice of the Super Bowl. That they have built the organization the right way over the past 5 years, and will be back. You see those attributes in all the NFL organizations that seem to be competitive year after year. They work the plan. They build through the draft. They don’t react to a bad season or two. It’s unlikely Pittsburgh or the NY Giants will blow up their environment because they missed the playoffs this year. They have stability. And that stability leads to sustained success. By the way, it’s not just my football obsession that cause me to fixate on this. As Rich said, we had a good 2012. But my paranoid self (I am a security guy, after all) continues to look for our Achilles heel. One good year – hell, even two good years – doesn’t mean the foundation for sustainable success is there. And as you see with all our new linky posts, even when things are going well, we need to adapt and change based on market realities. As Deming so famously said, “It is not necessary to change. Survival is not mandatory.” So I spent a good deal of time over the holidays digging into our good year. Partly because I was curious, but mostly trying to determine whether our results are sustainable. The honest answer is that I don’t know. I know what we did from an activity standpoint and we are still doing that. But past success is no guarantee of future results. So I will keep looking for holes in the story. We all keep looking for holes. We’ll keep trying new things to see what works, and more importantly what doesn’t. But most of all, we will continue to grind. We may not achieve sustained success, but it won’t be due to lack of effort. That I can guarantee. –Mike Photo credits: Sustainable Food Poster originally uploaded by Steven-L-Johnson Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services Integration The Solution Space Introduction Newly Published Papers Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U The Hunt for Red October: Not that you had any doubts as to the sophistication of today’s attackers, but Kaspersky’s description of the Red October attack drives it home loudly and clearly. This is a multi-faceted effort undertaken over the past 5 years using sophisticated malware and tactics to infiltrate lots of places where information can be stolen and monetized. AlienVault worked with the Kaspersky folks to isolate the indicators of compromise (IoC) shown by Red October, and this is an example of Early Warning, but not early enough. You can now use the IoC information to see if you have devices already compromised. We will also see lots of hand wringing about who was behind the attacks. The stolen data is sensitive nation-state stuff, but that doesn’t mean nation-states are actually behind the attacks. Kaspersky says it’s Russian crime syndicates, adding a lot of news value to the research, but RSA says there isn’t enough information to draw a conclusion one way or the other. And at the end of the day, I’m not sure identifying the actor really makes a difference. It’s not like you can send them a cease and desist letter. – MR PCI drops pants, doesn’t care: Oh, PCI Standards Council, there you go again. The same people who claim, “no PCI compliant organization has ever been breached” apparently can’t even decide what their own standards are. Approved Scanning Vendors (ASVs) are the companies authorized to perform scans on Internet-facing applications. If you run so much as the smallest doggie donut web store, and you take credit cards, you need to be scanned. There’s an annual review process for ASVs, which costs $10K a shot, and according to Brett Hardin not only does everyone fail the first time, but the same report submitted twice under different letterhead gets graded differently. In the words of the grader, “Well, security and PCI-DSS aren’t exact sciences.” Uh huh, then how about some free passes? – RM Eyes on the prize: Every large retail firm I have spoken with has a VP or Director of Data Analytics. Macy’s foray into big data in the cloud is one example, and Target’s recent ‘success’ has been highlighted as well. Many other verticals have similar positions within marketing or IT. These people are popping up everywhere as data analysis becomes a core function of business. Make no mistake – big data is a huge trend and it is changing the way companies market and sell products. And assess risk. And evaluate investments. But every firm also has Identity and Access management, both for customers and employees. Ever hear about a VP of access and identity? Director? Me either. Every employee uses IAM every day, and it gates access to every electronic service. Think about that the next time you wonder where security ranks

Do you want to know what you will be reading about in the coming weeks? HIPAA. The Department of Health and Human Services has updated the HIPAA requirements. The 563-page package of regulations includes: Extensive modifications to the HIPAA privacy, security, and enforcement rules, including security and privacy requirements for business associates and their subcontractors. A final version of the HIPAA breach notification rule, which clarifies when a breach must be reported to authorities. Dramatic changes to marketing and fundraising requirements. Modifications to the Genetic Information Nondiscrimination Act (GINA) which prohibits health plans from disclosing genetic information for underwriting purposes. With topics such as breach notification and marketing constraints, it’s the page-turner you’d imagine it to be. Hundreds of pages of distilled public comments and final rulings. Even if you’re like me, and have an interest in these esoteric topics, they are just words on a page. Does this change anything? Probably not. We have been hearing about the serious nature of HIPAA and HITECH for about a decade without meaningful changes to data privacy or security for health related information. While there is a renewed focus on discouraging healthcare firms from marketing protected health data, or selling patient data to third-party marketing firms, there is little do promote proactive changes to data security or privacy. HIPAA will remain a “topic of interest”, but see little action until we see serious fines or someone goes to jail. Expect lots of media coverage and very little action. Share:

From Ben Kepes’ post: Sure Dropbox is Potentially Insecure, but Does it Matter? First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content. Evidently folks are storing important stuff in Dropbox, even though many of them know if violates their corporate policy. Duh. We have seen this over and over and over again through the years. Either IT and security helps employees get their jobs done, or employees find ways around the policies. Period. Then Ben gets into a discussion of risk, and trying to understand how bad all this file sharing is. He is trying to gauge the real risk of these folks storing that stuff on Dropbox. He uses a firefighter analogy too, so Rich must love this guy. It gets back to remembering the role of security, which is to ensure business operates safely. It would be great to just implement a blanket policy preventing Dropbox or any application you don’t like. Spend a zillion dollars on a whole mess of NGFW to enforce the policies, and everyone wins, no? It always comes back to making the right decision for your business. Don’t ever forget who you work for and why you are there. Ben sums up pretty well to close his post. Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass half empty – their concerns are valid and they bring an important balance to the picture. But it’s just that, balance, at the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little. There shouldn’t be absolutes, which irks me. I like clear black & white decisions. But that’s not the real world. If you are Dr. No, let me remind you of the immortal words of Sgt Hulka. Lighten up, Francis. I made my Stripes reference for the day, so I’m done. [drops mic] Share:

One topic that has resonated with the industry has been Early Warning. Clearly looking through the rearview mirror and trying to contain the damage from attacks already in process hasn’t been good enough, so figuring out a way to continue shortening the window between attack and detection continues to be a major objective for fairly mature security programs. Early Warning is all about turning security management on its head, using threat intelligence on attacks against others to improve your own defenses. This excerpt from the paper’s introduction should give you a feel for the concept: Getting ahead of the attackers is the holy grail to security folks. A few years back some vendors sold their customers a bill of goods, claiming they could “get ahead of the threat.” That didn’t work out very well, and most of the world appreciates that security is inherently reactive. The realistic objective is to reduce the time it takes to react under attack, in order to contain the eventual damage. We call this Reacting Faster and Better. Under this philosophy, the most important thing is to build an effective incident response process. But that’s not the end of the game. You can shrink the window of exploitation by leveraging cutting-edge research to help focus your efforts more effectively, by looking in the places attackers are most likely to strike. You need an Early Warning System (EWS) for perspective on what is coming at you. These days proprietary security research is table stakes for any security vendor, and the industry has gotten much better at publicizing its findings via researcher blogs and other media. Much more information is available than ever before, but what does this mean for you? How can you leverage threat intelligence to provide that elusive Early Warning System? That’s what this paper is all about. We will define a process for integrating threat intelligence into your security program, and then dig into each aspect of the process. This includes baselining internal data sources, leveraging external threat feeds, performing the analysis to put all this information into the context of your business, and finally building a scenario so you can see how the Early Warning system works in practice. Direct Download (PDF): Building an Early Warning System We would like to thank Lookingglass Cyber Solutions for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without clients licensing our content. Share:

A student who legitimately reported a security breach was expelled from college for checking to see whether the hole was fixed. (From the original article): Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.” … Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents. It was the President of the SaaS company who forced him to sign an NDA under threat of reporting him to law enforcement, and he was then expelled. Reactions like this have a chilling effect. They motivate discoverers to not report them, to release them publicly, or to sell or give them to someone who will use them maliciously. None of those are good. Even if it pisses you off, even if you think a line was crossed, if someone finds a flaw and tries to work with you to protect customers and users rather than using it maliciously, you need to engage with them positively. No matter how much it hurts. Because you sure as heck don’t want to end up on the pointy end of an article like this. Share: