Research

A good update at Threatpost: Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski. More motivation to move to updated browsers, as difficult as that often is. I’m really hoping IE 10 can break this cycle a bit (and I bet Microsoft is as well). Still, IE 8 is only a bit over 3 years old, which isn’t all that ancient compared to XP. If you are stuck on old browsers, and have the capability, take a serious look at EMET. Kills most of these attacks cold. Share:

The Washington Post sort-of covers honeypots, but mixes in national security issues. But one paragraph is out of place, because the article doesn’t really cover strike-back: Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire – hackers who identify data as bogus may be all the more determined to target the company trying to con them. TL;DR: good guys are baiting systems with data, not just standing up honeypots. Then they can alert any time anyone touches the bait – there are a bunch of ways to do this. We talked a little about this last year. And yep, we are implementing it ourselves in a few places – no special security products needed. Don’t ask us where. Share:

For the short version, read Rob Graham at Errata Security. Google detected someone attempting a man in the middle attack using a certificate issued in Turkey. TURKTRUST issued two subsidiary Certificate Authority certs which allowed whoever had them to sign any certificate they wanted, for any domain they wanted. Yes, this is how SSL works and it’s a big mess (I talked about it a little in 2011). Google likely detected this using DNS Pinning. Every version of Chrome checks any Google certificate against a list of legitimate Google certificates, which they build into Chrome itself. If there’s a mismatch, Chrome detects and can report it. Nice, eh? That’s why Rob says don’t mess with Google. You try to MitM any of their domains, and if any users run Chrome they are likely to find out. Everyone else (who can) should do this. Share:

Technewsdaily has an interesting follow up to yesterday’s NYT article on AV effectiveness, as we covered. I agree that using VirusTotal isn’t the best approach – far from it. But I have also heard AV-Test doesn’t use good criteria. I like the NSS Labs methodology myself, which shows higher numbers than Imperva, but much lower than most other tests. Their consumer report is free. and they also offer a companion report. But consumer products are often more different from enterprise versions than you might expect, and the tests weren’t against 0-day like the Imperva ones. These reports by NSS tested effectiveness against exploits using known vulnerabilities, rather than Imperva’s test of signature recognition of new virus variants. Apples and oranges, but I am generally more interested in exploit prevention than signature recognition. Share:

Levelling up in the real world. When you are looking out for the welfare of your organization instead of focusing on what you can get for yourself, that’s when you’ll be given the chance to do more and own more. Wendy provides some hard-earned career guidance on promotions. She presents a great list on what won’t get you promoted and what you shouldn’t do. Wendy talks about the hazards of being irreplaceable, but ultimately gets back to the real secret. It’s not about you. Yeah, it’s about karma, if you believe in that kind of stuff. Do the right thing for your organization without worrying much about how it will impact your pay or title, and good things will happen. Maybe not within that specific organization, as sometimes you’ll need to switch horses if there is nowhere to move. But the point is the same. Work consistently. Stop climbing over people on your way to the top. The big jobs can be overrated. But ultimately it’s about doing the right stuff, consistently. I talked about that in yesterday’s Incite. But I will mention one key aspect of career planning. Be careful what you wish for. Don’t be ashamed if your boss’s job is not interesting to you. That’s okay. What’s not okay is to accept a promotion or added responsibility that will make you unhappy. You’ll suck at the new job. You will become the problem. You’ll be moved out. That’s the anti-promotion. So if you like what you do, then do that. Live your life without regret. Share:

2013?!? WTF?!?! I have this time dilation theory of aging. The older you get, the smaller a as a fraction of your existence each year is, so the shorter it feels. I don’t like it. Anyway, another year down, another at bat. We had a hell of a good year for the company (I’d give a growth number, but we make fun of all the other private companies for doing that), and other than illness I can’t complain about my personal year. A few weeks ago we finished up our Securosis 2013 planning, and things are looking really interesting. A lot has changed since I started this blog company, and we try to evolve with the times. The biggest change you are likely to notice is the pace and nature of our blogging. We are trying to do more linked-list style posts, which include a link or three and some short exposition. The idea is to push more of them out daily, instead of saving everything up for the Incite and Summary. This won’t affect our bigger posts – we’ll still do those – but we realized that when we are busy or working on big projects we fall back to little more than the monster posts that build research projects, and less of the lighter daily posts. We realized you don’t need 1,000 words on everything we cover, and a few sentences can cover lots of it. Some days you might see 10 posts, others you might see none – it all depends on what we are up to. This is an experiment, and we definitely need your feedback. A ton of you are on our daily email list (more than I thought) and since those compile all our posts, that mail might make a good once-a-day every morning – you can sign up. We are also now tweeting all blog content at the @securosis account, and only pushing bigger stuff through our personal accounts. Personally, I realized the blogs I tend to read daily are mostly composed of shorter posts highlighting interesting things I can dig into if I want, and we want to bring more of that flavor to Securosis.com. We are also looking at playing more with short video and maybe even audio content, but we are holding off on other changes while we work out the blog posting and pacing first. Finally, we have a ton more coming up this year. The Nexus launch is going to happen, for real, and we learned a ton in the beta test, which has driven many adjustments. It’s definitely time to ship that puppy. We are also looking at providing more end-user advisory services, but we don’t want to hire any sales execs so that will all be opportunistic. Additionally, our agendas are firming up nicely, and you will hear more on that soon. We weirdly think we can pull all this off with our little cadre of folks. Silly us. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading Post on Database Threats and Countermeasures. Rich’s excellent TidBITS post on Apple’s Security Efforts in 2012. Adrian’s Dark Reading post on Big Data Security Recommendations. Favorite Securosis Posts Mike Rothman: Best Post of 2012: Inflection. As we enter 2013, I wanted to point to probably the best piece we did in 2012, at least IMO. That’s Rich’s Inflection post. Things are always changing, and if you don’t see the change coming you can get steamrollered. Read this. Then read it again. And see whether you’ll see 2013 from the undercarriage of the bus that’s about to run you over. Or not. Mike Rothman: The CloudSec Chicken or the DevOps Egg. I had a very similar conversation regarding the impact of SDN on network security this week. It’s hard to balance being ahead of the market and showing so-called thought leadership against building something the market won’t like. Most of the network security players are waiting for VMWare to define the interfaces and interactions before they commit to much of anything. Adrian Lane: Can we effectively monitor big data?. Yes, it’s my post, but I think DAM needs re-engineering to accommodate big data. Other Securosis Posts Yes, honeypots are new again. SSLpocalypse, part XXII. Responses to AV articles. Karmic Career Advancement. Incite 1/2/13: Consistent Variety. Threatpost: What Have We Learned in 2012. The New York Times on Antivirus. Favorite Outside Posts Adrian Lane: A Pickpocket’s Tale. The use of diversion and control of the subject’s attention is the key ingredient. Fascinating story. Mike Rothman: How to Live Without Regret in 2013. It’s a new year. Folks take time to reset. But are you moving in the right direction? Interesting food for thought here… Mike Rothman: Why Collect Full Content Data? Rich: Stephen Haywood on SSH issues. With PoC code, while still debunking the hype. Excellent. James Arlen: The process myth. Incredibly useful way of thinking about process for Infosec folks. Research Reports and Presentations Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Top News and Posts Does Your Alarm Have a Default Duress Code? How PCI Standards Will Really Die. Enhancing Certificate Security. Dell acquires Credant Technologies. Cloudpassage adds file integrity monitoring for cloud servers. Someone totally should have patented that FIM stuff. Blog Comment of the Week This week’s best comment goes to our friend Jack Daniels, in response to The New York Times on Antivirus. Amazing, next the NYT will discover newspapers are largely obsolete, too. Or maybe we’ll have to read that new flash on an anti-virus company’s blog to even things up. Share:

Happy 2013 everybody! At the dawn of a new year, most folks think more proactively about what they want to change – and what they don’t. I have spoken many times about the need to embrace change and even to learn to love change. Change is good. Stagnation is bad. But the trouble lies in how you achieve that change – and how you react when change is forced upon you. We were in the car the other day, and the Boss asked the kids about their New Year Resolutions. She and XX1 had some great ideas about what they resolved to do in the coming year. Everything they said was outstanding. But here’s the rub. Talk is easy. Resolutions are easy. Writing down resolutions is harder than saying them. And actually doing something consistently is infinitely harder. That’s why so many folks fail year after year regarding their resolutions. I am working on not putting a pin in every thought balloon floated in my direction. Cynics are trained to deflate ideas before they get airborne. It’s not the most positive feature of my OS. So in an attempt to do things differently, I held off from the typical interrogation that would follow a resolution. My instinct is to dig into the plan. I want everyone to lose weight or communicate better or get in shape or do whatever you’ve resolved to do. But without a plan – and more importantly an accountability partner – the odds are not in your favor. That’s not being pessimistic, it’s being realistic. You see, resolutions have to do with what you want to change. By the time we get through January, the best laid plans will be totally screwed up by external forces requiring you to adapt. Maybe it’s an injury that inhibits your exercise resolution. Or a new high profile project that gets in the way of family dinners. That’s why I largely stopped setting goals. And I don’t make New Year’s resolutions. Why should I wait until the end of December to do the right thing? That doesn’t mean I plan to stagnate. I know where I want to get to. But I’m less set on how I get there. Regardless of what happens, I’ll adapt accordingly. I did a bunch of analysis at the end of last year to figure out what needs to happen every month to hit my desired economic outcome. But life will intrude and I’ll need to adapt. I know how I need to eat to maintain my desired weight and how many days I need to exercise to strengthen my body accordingly. Some days I’ll do well, other days I won’t. My plan is to look back in 12 months and feel good about what I’ve accomplished. But there are no hard or fast rules about what that means. There are no specifically defined goals. It’s about making sure I’m moving in the right direction. I’ll get there when I get there. If I get there. The only thing I specifically focus on is consistent effort. The beauty of not being tied to specific goals is that I can add variety to my actions and my activities. I get that’s an oxymoron. To me, consistent variety means to work hard every day. Be kind every day. Make good choices every day. And adapt as needed. You know, grind. Do stuff. Make mistakes. But move forward. Always. For a pessimist, I’m pretty optimistic about 2013. –Mike Photo credits: Consistency originally uploaded by Matt Hampel Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Building an Early Warning System Deploying the EWS Determining Urgency Understanding and Selection an Enterprise Key Manager Management Features Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Editors note: With great pleasure we welcome one of our two favorite Canadians as an Incite contributor. Jamie Arlen (@myrcurial for you Twitterati) will be contributing a piece each week, and his stuff will be tagged JA. So now you know where to send the hate mail… Monetizing the entire PC: Krebs’ recent post about the market for stolen passwords made me think of the huge markets the Boss and I visited in Barcelona last spring. The butchers there would sell pretty much every part of the animal. You’d look at the display case and think “WTF is that?” There is very little waste. It seems that PCs are silicon goats, and the underground markets Krebs frequents are the places where the parts get traded. By the way, it’s not much different than how Wall Street packages up pretty much everything, slices it, values it, and sells it in various tranches. Then they sell derivatives on the tranches, making transaction fees on every step of the cycle. I don’t think there is a big market for the meat of a lemming, but there is a huge market for consumer PC lemmings. That’s for sure. – MR Have fun without the echoes: 2012 is in the bag, and for some of us it couldn’t come soon enough. Oh, I had some nice highlights of the year (especially the bit about going to the Tour de France), but it seems I spent too much time sick or buried in less-interesting projects. Despite all that, one thing I avoided was getting caught up in the echo-chamber security BS that sometimes plagues Twitter, blogs, and the press. Almost none of these debates matter in any meaningful way, as Dave Shackleford says so well: “There’s been a lot of acrimonious discussion in the security community this year…and I

2012: What Have We Learned The biggest shift in 2012 was the emergence of state-sponsored malware and targeted attacks as major factors. The idea of governments developing and deploying highly sophisticated malware is far from new. Such attacks have been going on for years, but they’ve mainly stayed out of the limelight. Security researchers and intelligence analysts have seen many of these attacks, targeting both enterprises and government agencies, but they were almost never discussed openly and were not something that showed up on the front page of a national newspaper. A good read by Dennis Fisher, but I have a slightly different take. State-level cyberattacks definitely “broke out” in 2012, but I think a bigger lesson is that pretty much every organization finally realized that signature-based AV isn’t very helpful. Some of this is related to what China has been up to, but not all of it. Over the past year I couldn’t talk to any large organization, or many medium, that isn’t struggling with malware. I couldn’t say that on December 31, 2011. Share:

Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses. Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. Everyone in security knows this, but it is a bigger deal when the mainstream press starts covering it. Although too much of the article is a love song to various vendors who still need to prove themselves more. Share:

It’s the holiday season, people are leaving for vacation, and most people have things other than security on their minds – including me – so I’ll keep today’s Friday Summary short. It’s time to reflect on the successes – and failures – of the past year. For the most part 2012 has been a good year for the Securosis Team: Rich, Mike, Dave Mortman, Dave Lewis, Jamie Arlen, Gunnar Peterson, and I have all been active with research, conference presentations, webcasts, consulting projects, and engaging the community at large. We did more deep-dive research projects than we have ever done before. And more importantly, despite the huge amount of work, it remains fun. I believe everyone on the Securosis team loves working in the field of IT Security, and despite having seen the ugly underbelly of the profession, it is simply one of the most interesting and challenging fields imaginable. Our candid internal research debates are a genuine treat; and chat discussions are simultaneously illuminating, depressing, funny, and rewarding. I am really lucky to work with such a great team and have so many interesting projects to work on! Sure, I could do without the daily baths in vendor FUD, but I just can’t imagine doing anything else. Well, perhaps I can imagine running off to be a roadie for an AC/DC world tour, but then reality sets in and I come back here. For those of you who are wondering what we will be up to in the New Year, we will publish a full research calendar in the coming weeks. We have several projects starting on endpoint security, web applications, mobile, and cloud IAM. And several of us will be presenting at conferences early next year – notably the Phoenix ISSA meeting January 8 and the Open Group conference in Newport Beach, California on the 28th of January. This is the last Friday Summary of 2012. I would like to thank all of you who read and participate on the blog, chat with us on Twitter, and help with our Totally Transparent Research process – open public debate over content makes the research better. Happy Holidays! –Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading Post on DB Threats and Countermeasures. Rich’s excellent TidBITS post on Apple’s Security Efforts in 2012. Securosis Posts Incite 12/19/2012: Celebration. Friday Summary: December 13, 2012 – You, Me, and Twitter. The CloudSec Chicken or the DevOps Egg? Favorite Outside Posts Mike Rothman: Why Collect Full Content Data? Adrian Lane: On Puppy Farm Vendors, Petco and The Remarkable Analog To Security … Nobody works a theme like Chris. I’m just wondering which part he would play in a remake of “Best In Show”? Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find Infected Devices. Malware Analysis Quant: Metrics – Define Rules and Search Queries. Malware Analysis Quant: Metrics – The Malware Profile. Malware Analysis Quant: Metrics – Dynamic Analysis. Research Reports and Presentations Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Top News and Posts Dell acquires Credant Technologies. Senator introduces bill to regulate data caps. Rebooting Security Engagement at Mozilla. Adobe hasn’t yet fixed Critical Shockwave vulnerability reported in 2010. Point-of-Sale Skimmers: No Charge…Yet. CSRF Protection for Public Functionality. Delta Air Lines publishes privacy policy, but reseacher finds a fault. Living with HTTPS. An HSTS discussion – from July apparently, but interesting. Hosting Antagonist automatically fixes vulnerabilities in customers websites. Blog Comment of the Week Securosis makes a $25 donation to Hackers for Charity. While there were no comments this holiday week, we have raised a sizable sum, which we will be donating this week. Thanks again for all your comments! Share: