Research

I’m happy to report that we have finished the process description posts for the Malware Analysis Quant project. Not all of you follow our Heavy Feed (even though you should), so here is a list of all the posts. The Malware Analysis Quant project addresses how organizations confirm, analyze and then address malware infections. This is important because today’s anti-malware defenses basically don’t work (hard to argue), and as a result way too much malware makes it through defenses. When you get an infection you start a process to figure out what happened. First you need to figure out what the attack is, how it works, how to stop or work around it, and how far it has spread within your organization. That’s all before you can even think about fixing it. So let’s jump in with both feet. Process Map Confirm Infection Subprocess This process typically starts when the help desk gets a call. How can they confirm a device has been infected? Notification: The process can start in a number of ways, including a help desk call, an alert from a third party (such as a payment processor or law enforcement), or an alert from an endpoint suite. However it starts, you need to figure out whether it’s a real issue. Quarantine: The initial goal is to contain the damage, so the first step is typically to remove the device from the network to prevent it from replicating or pivoting. Triage: With the device off the net, now you have a chance to figure out how sick it is. This involves all sorts of quick and dirty analysis to figure out whether it’s a serious problem – exactly what it is can wait. Confirm: At this point you should have enough information to know whether the device is infected and by what. Now you have to decide what to do next. Confirm Infection Process Descriptions Based on what you found you will either: 1) stop the process (if the device isn’t infected), 2) analyze the malware (if you have no idea what it is), or 3) assess malware proliferation (if you know what it is and have a profile). Analyze Malware Subprocess By now you know there is an infection, but you don’t know what it is. Is it just an annoyance, or is it stealing key data and presenting a clear and present danger to the organization? Here are some typical malware analysis steps for building a detailed profile. Build Testbed: It’s rarely a good idea to analyze malware on production devices connected to production networks. So your first step is to build a testbed to analyze what you found. This tends to be a one-time effort, but you’ll always be adding to the testbed based on the evolution of your attack surface. Static Analysis: The first actual analysis step is static analysis of the malware file to identify things like packers, compile dates, and functions used by the program. Dynamic Analysis: There are three aspects of what we call Dynamic Analysis: device analysis, network analysis, and proliferation analysis. To dig a layer deeper, first we look at the impact of the malware on the specific device, dynamically analyzing the program to figure out what it actually does. Here you are seeking perspective on the memory, configuration, persistence, new executables, etc. involved in execution of the program. This is done by running the malware in a sandbox. After understanding what the malware does to the device you can start to figure out the communications paths it uses. You know, isolating things like command and control traffic, DNS tactics, exfiltration paths, network traffic patterns, and other clues to identify the attack. The Malware Profile: Finally we need to document what we learned during our malware analysis, packaged in what we call a Malware Profile. With a malware profile in our hot little hands we need to figure out how widely it spread. That’s the next process. Malware Proliferation Subprocess Now you know what the malware does, you need to figure out whether it’s spreading, and how much. This involves: Define Rules: Take your malware profile and turn it into something you can search on with the tools at your disposal. This might involve configuring vulnerability scan attributes, IDS/IPS rules, asset management queries, etc. Define Rules: Process Description Find Infected Devices: Then take your rules and use them to try to find badness in your environment. This typically entails two separate functions: first run a vulnerability and/or configuration scan on all devices, then search logs for indicators defined in the Malware Profile. If you find matching files or configuration settings, you need to be alerted of another compromised device. Then search the logs, as malware may be able to hide itself from a traditional vulnerability scan but might not be able to hide its presence from log files. Of course this assumes you are actually externalizing device logs. Likewise, you may be able to pinpoint specific traffic patterns that indicate compromised devices, so look through your network traffic logs, which might include flow records or even full packet capture streams. Find Infected Devices: Process Description Remediate: Finally you need to figure out whether you are going to remediate the malware, and if so, how. Can your endpoint agent clean it? Do you have to reimage? Obviously there is significant cost impact to clean up, which must be weighed against the likelihood of reinfection. Remediate: Process Description Monitor for Reinfection One of the biggest issues in the fight against malware is reinfection. It’s not like these are static attacks you are dealing with. Malware changes constantly – especially targeted malware. Additionally, some of your users might make the same mistake and become infected with the same attack. Right, oh joy, but it happens – a lot. So making sure you update the malware profile as needed, and continuously check for new infections, are key parts of the process as well. Monitor for Reinfection: Process Description At this point we’re ready to start Phase 2 of Quant, which is to take each of the process steps and define a set of metrics to

A flaw in the Oracle database has been disclosed, whereby the Oracle System Change Number (SCN) – a feature that helps synchronize database events – outgrows its defined limits. The SCN is an ever-increasing sequence number used to determine the ‘age’ of data. It is incremented automatically by 16k per second to provide a time reference, and again each time data is ‘committed’ (written to disk). This enables transactions to be referenced to the second, and ordered within each second. As you might imagine, this is a very large number, with a maximum value and a maximum increase per day. If the SCN passes its maximum value the database completely stops. The new discovery concerns the SCN. I’ll get more into the scope of the problem in a second, but first some important background. When I started learning about database internals – how they were architected and the design of core services – data integrity was the number one design goal. Period! Performance, efficiency, and query execution paths were important, but actually getting the right data back from your queries was the essential requirement. That concept seems antiquated today, but storing and then retrieving correct data from a relational system was not a certainty in the beginning. Power outages, improper thread handling, locking, and transactional sequencing issues have all resulted in database corruption. We got transactions processed in the wrong order, calculations on stale data, and transactions simply lost. This resulted in nightmares for DBAs who had to determine what went wrong and reconstruct the database. If this hits an accounting system suddenly nothing adds up in the general ledger and the entire company is in a panic at the end of the quarter. We can normally take data consistency for granted today, thanks to all the work that went into relational database design and solving those reliability problems in the early years. One of the basic tools embedded into relational platforms to solve data consistency issues is the sequence generator. It’s an engine that generates a sequence of numbers used to order and arrange events. Sequence numbers provide a mechanism for synchronization, and help provide data consistency within a single database and across many databases. Oracle created the SCN many years ago for this purpose, and it’s literally a core capability, upon which many critical database functions rely. As an example, every database read operation – looking at stored data – compares the current SCN with the SCN of the data stored on disk to ensure data was not changed by another process during the query. This ensures that each operation in a multi-threaded database reads accurate data. The SCN plays a roll in the consistency checks when databases are brought online and is core to database recovery in the event of corruption. In a nutshell, every data block in a database is tied to the SCN! Now back to the bug: This flaw was discovered as a result of a backup and recovery feature abnormally advancing the SCN by a few billion or even a few trillion. For most firms this will never be an issue, as the number is simply too large for a few extra billion to matter. But for large organizations who have designed their databases to synchronize using common SCNs the possibility of failure is real – and the impact would be catastrophic. At this time Oracle has both patched the flaw during recovery where the number is erroneously advanced and changed the database to double the SCN range. Just as importantly, the provided the patch quickly. The patch appears to fix the bug and with the increased SCN range we assume this problem will never occur in a normal setting. The odds are infinitesimally small. What has people worried is that attackers could leverage this into a denial of service attack and disable a database – or possibly every linked database in a cluster – for an extended period. There are a couple known ways to exploit the vulnerability so patch your systems as soon as possible. What worries me even more is, with this focus on the SCN, that researchers might discover new ways to attack inter-database SCN synchronization and corrupt data. It’s purely speculative on my part, but this capability was designed before developers worried much about security, so I would not be surprised if we see an exploit in the coming months. A couple closing comments: The InfoWorld article that broke news of this flaw is excellent. It’s lengthy but thorough, so I encourage you to read it. Second, if your environment relies on inter-database SCN you need to do two things: level set security across all participating databases, and start looking at a migration plan to reduce or eliminate the inter-database dependency to mitigate risk. For most firms I know that rely on the SCN, the best bet will be to tighten security, as the rewrite costs to leverage another synchronization method would be prohibitive. Finally, Oracle assigned a risk score of 5.5 to CVE-2012-0082. Does that sound accurate to you? Once again Oracle’s risk scores do a poor job of describing risk to your systems, so take a closer look at your exposure and decide for yourself. Share:

I think I need to ban Mike from Arizona. Scratch that – from a hundred mile radius of me. A couple weeks ago he was in town so we could do our 2012 Securosis strategic planning. He rotates between my screaming kids and Adrian’s pack ‘o dogs, and this was my turn to host. We woke up on time the next morning, hopped in my car, and headed out to meet Adrian for breakfast and planning. About halfway there the car sputtered a bit and I lost power. It seemed to recover, but not for long. I popped it into neutral and was able to rev up, but as soon as there was any load we stalled out. I turned around and started creeping toward my local mechanic when it died for good. In a left turn lane. A couple workers (they had a truck but I couldn’t see what tools they had to identify their work) offered to help push us out of the road. Seemed like a good idea, although I was arranging our tow at the same time. I kicked Mike out, hopped in the driver’s seat, and was waiting for a gap in traffic. They weren’t. These dudes were motivated to get us the hell out of their way. Here I am on the phone with the tow company, watching Mike’s face as he decided the rest of us were about to get creamed by the traffic speeding our way… with him on outside the car. I was wearing my seatbelt. We made it, the tow truck showed up on time, and I quickly learned it was what I expected – a blown fuel pump. My 1995 Ford Explorer was the first car I ever bought almost new (a year old, under 25k miles). I had it for about 16 years and it showed it. Living in Colorado and working with Rocky Mountain Rescue, it drove through all sorts of off-road conditions and on rescue missions (including roads closed due to avalanche quirks) that would have pissed off my insurance company. Anyway, despite my emotional attachment, the repair costs were over my mental limit, and it was time to find a younger model. I briefly toyed with minivans but just couldn’t do it. Logically they are awesome. But… err… it’s a friggin’ minivan. I then moved on to SUVs, even though they aren’t nearly as practical. I have rescue deeply ingrained into my brain, and it’s hard for me to not get something with 4WD. And yes, I know I live in Phoenix – it isn’t exactly rational. The GMC Arcadia wasn’t bad. The Dodge Durango drove like my 1980’s Chevy Blazer. The Mazda CX-9 drove well but couldn’t handle our car seat requirements. Eventually I ended up with another Explorer… but damn, they have improved over 16 years! Two words – glass cockpit. Ford is really ahead of most of the other car manufacturers when it comes to telematics. Aside from the big screen in the middle, two others are integrated into the dash to replace analog instruments. They actually issue software updates! Sure, they might be due to the bugs, but late last year I decided I would do my darned best to avoid buying anything with a screen I couldn’t update. Aside from all the cool software stuff, it comes with tons of USB ports, charging ports, and even a built-in 110V inverter and WiFi hotspot so the kids can play head-to-head games. And safety systems? I have… for real… radar in every direction. Blind spot, backup, cross traffic, and even a nifty “you are about to ream the car in front of you up the tailpipe, maybe slow down” alert. It also… er… drives and stuff. Mileage isn’t great but I don’t drive much. And when my phone rings the brakes lock up and the wipers go off, but I’m sure the next software update will take care of that. Almost forgot – the Mike thing? One of the first times he was out here my kid got stomach flu and Mike had to watch her while I took client calls. Then there was the time he had to drive me to the emergency room in DC. Then there was the time we had to end our video session early because I got stomach flu. You get the idea. He’s a bad man. Or at least dangerous. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich on How to Monitor Employees Without Being a Perv. I still can’t believe they let me use that title. Mort on counterattacks at CIO Magazine. Mike also quoted at CIO – this time on cloud security. Favorite Securosis Posts We didn’t write much this week, but here’s an old post I’m about to revive. Principles of Information Centric Security. Other Securosis Posts Oracle SCN Flaw. Incite 1/19/2012: My Seat. Censored #sopa. Network-based Malware Detection: The Impact of the Cloud. Favorite Outside Posts Adrian Lane: InfoWorld’s ‘Fundamental Oracle Flaw’ post. Really well done. Mike Rothman: Eating the Security Dog Food. The only way to really lead (sustainably, anyway) is by example. Wendy makes that point here, and it’s something we shouldn’t ever forget. If policies are too hard for us to follow, how well do you expect them to work for users? Project Quant Posts Malware Analysis Quant: Process Descriptions. Malware Analysis Quant: Monitoring for Reinfection. Malware Analysis Quant: Remediate. Malware Analysis Quant: Find Infected Devices. Malware Analysis Quant: Defining Rules. Malware Analysis Quant: The Malware Profile. Malware Analysis Quant: Dynamic Analysis. Malware Analysis Quant: Static Analysis. Malware Analysis Quant: Build Testbed. Research Reports and Presentations Tokenization Guidance Analysis – Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Top News and Posts Symantec Acquires LiveOffice. Norton Source Code Stolen in 2006. Feds Shutdown Megaupload, Bust Founder. Training employees – with phishing! Internet SOPA/PIPA Revolt:

Before we get to the Incite we should probably explain why it’s a day late. Like many other sites we have huge issues with PIPA and SOPA, so we took down our site yesterday in protest. We don’t expect the big companies with big lobbying budgets to give up, so we need to keep the pressure on. Copyright holders have a right to protect their content, but not at the cost of our freedom and liberty. Period. Now back to our regularly scheduled pot stirring. Growing up I spent a lot of time in our den. It was a pretty small room, in a pretty small house, but it’s where the TV was. First it was a cabinet-style tube TV. Remember those? Yeah, you kids today have no appreciation for the TV repair man who showed up to fix your TV with a case full of tubes. Then we got a 15” model with cable, and my brother and I spent a lot of time in that room. The furniture was pretty spartan as well. We had a chair and we had a couch. The couch was, uh, uncomfortable. A plaid model with fabric that was more like sandpaper. Not that microsuede stuff we see today. So amazingly enough, there was a lot of competition for the chair. I usually won. OK. I always won, mostly because I was older and a lot bigger. That may have been the only positive to having a childhood weight problem. I always got the chair. Even if my brother was there first. I’d just sit down. Yes, right on him. It didn’t take long for him to realize I wasn’t moving and my bulk wasn’t going to get any more comfortable. After about the zillionth time I used this approach to get the chair, and my Mom got (justifiably) fed up with my brother crying about it, she instituted a new policy. You could call “my seat” once you entered the den, and you’d have to respect the call. Kind of like calling “shotgun” to sit in the front of the car. My brother may have been small, but he was quick. And more often than not, he beat me to the den and called the seat. I wasn’t happy about it, and when the babysitter was there I’d forget the rule. But inevitably I’d suffer the consequences when Mom got home. So it was funny to see XX2 sit in the passenger side captain’s chair in the van over the weekend. That’s where XX1 usually sits. The little one had this look, like she ate a canary, sitting in that seat. XX1 was not happy at all. I’m not sure whether it was because she likes her seat or that XX2 got the best of her. So the squealing started. And I’m not too tolerant of squealing. For a second I thought about instituting the my seat policy for the van. But that’s overkill for now. The girls don’t physically bully each other, and even if they did, I’m not sure XX2 wouldn’t win her fair share of battles. Though it did give me a chuckle to remember the old days of abusing my little bro. Speaking of which, it’s probably time to take him out to dinner, since I’m still running a huge karma deficit with him. Suffice it to say sitting on him was probably the nicest thing I did when we were growing up. -Mike Photo credits: “I gotta get me one of these!” originally uploaded by sk8mama Heavy Research We have been busy blasting through process descriptions for the Malware Analysis Quant project. Here are the last week’s posts, which zero in on the Malware Proliferation subprocess: Defining Rules Find Infected Devices Remediate Monitoring for Reinfection You can find all the posts on the Project Quant blog. We have also finished up our Network-based Malware Detection series, so here is a link to the last post, on assessing the impact of the cloud. Yes, the forecast is cloudy. Ha ha. Network-based Malware Detection: The Impact of the Cloud As always you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Incite 4 U Revisiting the STRATFOR breach: Looks like Nick re-graded the folks at STRATFOR on their breach response and it went from a B- to a D-. Personally I think that’s too harsh, but ultimately it’s a subjective opinion and Nick is entitled to his. The key is constant communication, which STRATFOR failed at. It seems they spent the two weeks totally rebuilding their infrastructure, as they should have. I also liked the video from their CEO and agree it should have come earlier, if only to initially accept responsibility at the highest level. Then you communicate what you know as you can. I guess everything is relative and I personally think STRATOR did an okay job of response. You can always improve, and you should learn by what they didn’t do well, so you can factor that into your own response plans. – MR Unbreakably irresponsible: I think Adrian is going to cover the latest Oracle security flaw/patch in more detail, but I want to address a long-standing pet peeve I have with the big O. First, let’s give them credit for getting this out relatively quickly, even though it isn’t something that will (probably) affect a large percentage of Oracle customers. Then again, the ones most at risk tend to have 3-4 letter acronym names. Knowing that some flaws are ignored for years, it’s nice to see a relatively quick response – even if it may be due to the press being involved from the beginning. But that isn’t my peeve. You’ll notice that patches only go back a few versions for Oracle 10 and 11, and aren’t available for anything earlier. Oracle reps have told me (not that we talk much anymore) that they don’t believe a significant number of customers are running older versions. And if they are, since said versions are out of support, those customers are

We blacked out Securosis (mostly – it was a rush job) to protest SOPA, PIPA, and the future variants we are sure will appear now that everyone has targeted these two acronyms. We don’t support criminal activity, but by the same token we don’t support poorly-written laws that can do nearly nothing to prevent privacy while doing a lot to stifle free speech. Especially when these laws would seriously undermine our ability to secure the Internet. ‘Nuff said. You can read more at americansensorship.org. Share:

Is it that time already? Yep, it’s time to wrap up our series on Network-based Malware Detection. We started with the need to block malware more effectively on the perimeter, particularly because you know you have users who are not the sharpest tools in the shed. Then we discussed the different techniques involved in detecting malware. Finally we tackled location, assessing critically whether the traditional endpoint protection model has outlived its usefulness. So far we have made the case for considering gateway-based malware detection as one of the next key capabilities needed on your perimeter. Now it’s about wading through the hyperbole and evaluating the strengths and weakness of each approach. AV on the Box To provide a full view of all the alternatives we need to start with the status quo, which is a traditional AV engine (typically OEMed from an endpoint AV vendor) on your gateway. Yes, this is basically what lower-end UTM devices do. This approach focuses on detecting malware within the content stream (think email/web filtering), and (just like traditional AV approaches) it isn’t very effective for detecting modern malware. AV doesn’t work very well on your endpoint, and alas it’s not much better on perimeter gateways. Sandboxing on the Box The latest iteration, beyond running a traditional AV engine on the box, involves executing malware in a protected sandbox on the perimeter device and observing what it does. Depending on the behavior of the file – whether it does bad things – it can be blocked in real time. Virtualizing victim devices on perimeter platforms to test malware at network speeds is a substantial advance. And we have seen these devices provide a measurable improvement in ability to block malware at the gateway. But of course this entails trade-offs. First of all, do you really want to be executing malware within your production network? Of course it is supposed to be an isolated environment, but it’s still a risk – even if a small one. The second trade-off is performance. You are limited to the performance of the perimeter device. Only so many virtual victims can be spun up on a given network device at a time, so at some point you will hit a scalability wall. You can throw bigger boxes at the problem but local analysis is inherently limiting. And remember that these are new and additional dedicated devices. For some organizations that isn’t a problem – they simply get a new box to solve a new problem. Others are more resistant to spending rack space on the perimeter on one more niche device. Finally, this model provides no leverage. This approach requires you to execute every suspicious file locally, even if the malware has been sent to every company in the world. And because detecting malware is an inexact science, you will probably miss the first time something comes in, and suffer the consequences. You need a feedback loop to take advantage of what you learned during incident response / malware analysis (as described in the Malware Analysis Quant research) on the device. Shame on you if you do all the work to analyze the malware, but don’t make sure it cannot strike again. So to net this out, doing more sophisticated malware detection on the perimeter gateway represents a major advance, and has helped to detect a lot of the lower-hanging fruit missed by traditional AV. It is at a disadvantage against truly targeted unique malware, but then again nothing aside from unplugging from the Internet can really solve that problem. Leveraging the Cloud for Malware Detection We often point out there is rarely anything really new – just recycled ideas packaged a bit differently. We see this again with network-based malware detection, as we did for endpoint AV. When it became impractical to continue pushing a billion malware signatures to each protected endpoint, AV vendors started leveraging the cloud to track the reputation of individual file, determine if they are bad, and then tell endpoints to block them. The vendor’s AV cloud would analyze unknown files and make a determination of goodness or badness depending on what the file does. Of course that analysis isn’t real-time, so the first couple iterations of each new attack end poorly for the victims. But over time the malware is profiled, and then blocked when it shows up again. This concept also applies to detecting malware on the perimeter security gateway. A list of bad files can be cached on the devices, and new unrecognized files can be uploaded to the cloud service for analysis and an approve/block verdict. This addresses a number of the issues inherent to local analysis, as described above. You send the malware off to someone else’s cloud service rather than executing it locally. You have no performance limitations (assuming the network itself is reasonably fast) because the analysis isn’t on your hardware, and this capability adds little overhead to perimeter security gateways, which are likely already overburdened dealing with all these new application-aware policies. And you can take full advantage of the vendor’s cloud service, with its excellent leverage. If organization A sees a new malware file and the cloud service learns it’s bad, all subscribers to the cloud service can automatically block that malware and any recognizable cousins. So the larger the network, the less likely you are to see (and be infected by) the first specimen of any particular malware file – instead you can learn from other people’s misfortune and block the malware. So what’s the catch? It’s about the same as the latest generation of endpoint AV. The latency between when you see the attack and when specific malware files are known bad. That could be days at this point, but as the technology improves (and it will) the window will shrink to hours. But there will always be a window of exposure, since you aren’t actually analyzing the malware at the perimeter. And detection will never be perfect – malware writers already make it

You’ve probably noticed we have not been doing a lot of blogging lately. Sorry about that – we’ll start back up with a bang very soon. This will be a very exciting year for Securosis – we have a bunch of projects in the pipe. I’ll be launching a re-start of the Database Activity Monitoring 2.0 series now that we have finally settled on the terminology and done sufficient research on the trends to actually convey what’s going on. Mike and I want to cover some Log Management topics, and I have a data masking research project underway as well. All that is over and above new developments with the Securosis Nexus, the Cloud Security Alliance Training, and our RSA Guide – so Q1 will be very busy and we will be writing a lot. I’ll publish my Q2 research agenda in the coming weeks, so if you have anything you want to talk about at RSA we can go into detail then. And I wanted to comment on a ton of great posts I have seen, but alas… On a personal note, during the Christmas break I was wandering the local mall, when I saw this guy with a mountain bike. It’s cool! It’s got carbon fiber, big-azz shocks, and hydraulic disk brakes. He let me pick it up and it’s like 20 lbs. 20 lbs is less than a tire from my old bike! So I was fascinated. I had to have one. I did some looking on the Internet and decided to visit the last couple bike shops still in business in my area. I found a bike I like, they threw some pedals on it, and I headed out. I got on the bike and the first thing that ran through my mind was “FREEDOM! I can go anywhere. And I should!” Weird. Freedom. I felt like a kid with my first new bike – which would prove prophetic as I crashed it 4 times a few days later, just as I did with my first bike at age four. That was a weird sensation. It’s not like I don’t have freedom, and I have owned cars since I was sixteen, so I can pretty much go anywhere I want. But this was different. I went back into the shop, and the guy asked me how I liked it. “Beautiful” I said, and bought it. I got home, saddleed up, and headed straight out into the desert. I just pointed the bike in a direction I had never gone, over a hill I had never seen the other side of, and started pedaling. Open desert. Cactus, coyotes, and boulders be dammed! And it was awesome. Of course there are practical downsides to this freedom – other than plucking thorns out of my skin with tweezers and bathing road rash in betadine. I have over 10k hours on a BMX bike as a kid, and 5k hours on road bikes, so I considered myself an expert rider. Wrong! This is a totally difference experience. I am a novice, as proven emphatically by the four crahes on my second ride. Well, ‘crashed’ is not quite correct – technically the bike and I just swapped places, with the bike taking me for a short ride. And as with a new pair of shoes, you should make sure everything is broken in and comfortable before you go pushing the envelope. I found out – about 2 milliseconds after I needed to bail out – that my new snap-in pedals were much too tight. Jumping simply meant the bike followed me, turning the tables, so it was – ahem – in the driver’s seat. And I learned that mountain bikes have a variable stall speed: when pedaling furiously uphill in low gear you don’t actually have sufficient momentum to go over boulders like a badass – instead you can quickly find yourself going backwards. It’s a thought-provoking experience. Regardless, I am hooked. And now Christmas break is over and I am back at work. But like a little kid I keep looking out the window, wishing I could play with my new Christmas toy instead of talking to this vendor about a product of questionable quality, with its suspect value proposition. “Please tell me more about how you stop APT in a totally new way nobody has ever thought of before.” sigh On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian quoted in Sandhill Channels. Rich’s guest post on Trustworthy Computing. Mike and Jack Daniel on Continuous Monitoring. Securosis Posts Checking out a bootable Windows TPM thumb drive. Incite 1/11/2012: Spoilsport. Social Security Blogger Awards: Voting Open! Network-based Malware Detection: Where to Detect the Bad Stuff? Favorite Outside Posts Mike Rothman: Costco’s Value Chain. Of course it’s Gunnar who points out a great perspective on understanding your company’s value and sticking to that, using an example from Costco. Even if it’s hard. Even if it costs money in the short term. Rich: Nick Selby on how we need to stop blaming the victims. I’m not going to defend Stratfor’s massive mistakes, but we need to stop acting like a room full of a-holes, blaming the victims of crimes for being stupid… especially because we will all be eventual victims. And for the record, good luck using my 20-character random Stratfor password. Adrian Lane: Apple iWallet Security? Leverage “what you have” security – provided you don’t leave it in your hotel room! Dave Mortman: AES on the iPhone isn’t broken by Default. Project Quant Posts Malware Analysis Quant: Find Infected Devices. Malware Analysis Quant: Defining Rules. Malware Analysis Quant: The Malware Profile. Malware Analysis Quant: Dynamic Analysis. Malware Analysis Quant: Static Analysis. Malware Analysis Quant: Build Testbed. Malware Analysis Quant: Confirm Infection. Malware Analysis Quant: Process Map (Draft 1). Research Reports and Presentations Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM?. Fact-Based Network Security: Metrics and the Pursuit of

It’s almost RSA time again. Which means one very important thing: I need to finally post the review of the very slick TPM-based Windows bootable thumb drive Jeff Jones (@securityjones) gave me at RSA 2011. I have been promising him this review since last March, and it would be just too embarrassing to not get it done before RSA 2012. So here we go. As I said above, this slick little device provides a full self-contained Windows install protected by TPM. The entire thing is encrypted. When I was still doing ops, I kept it in my car for when I was out and about without my laptop. It was great for doing quick and dirty troubleshooting using a friend’s computer or library machine without having to worry about what might be on the machine I was using. You know, those public machines can be cesspools of all sorts of badness. Unfortunately it gets less use now that I’m during pure security, but I still pull it out now and again. Pluses Completely encrypted Uses its own memory and disk instead of the host’s Great form factor Ridiculously easy to use Minuses Doesn’t play nice with some laptop video cards Not as fast as using the native hardware by a long shot Can’t boot off a Mac or via a virtual machine What would have made this better? If it completely blocked access to the underlying drives and memory of the host box. Then I would have also used it as a safe browsing environment for conferences and airports and the like. That kind of capability would also be useful for those of you who need research NSFW sites using corporate machines. Admittedly, this would be a substantial feat, especially considering the need to access USB drivers for access to the host. When I used it regularly it was great for confirming that production services were live at my company, and it also allowed me to respond to email using the web gateway. For long emails this was far more efficient then trying to use my phone. If I were buying one, I’d have them preinstall essential security tools such as gpg, 1Password or another password manager, and the appropriate strong authentication software (such as a soft token). You’d also need ssh and VPN clients to make it even more useful. And while I’m putting together a shopping list, how about Skype? That would be really nice to communicate in a pinch. Though I’m not sure if it supports audio devices. Jeff? There are a couple other good use cases. For onsite incident response I would want forensics tools. If I were doing more technical consulting/pen testing I’d want one that booted Linux so I could have tools like BackTrack at my disposal. All in all, even without those tools, it’s a nice form factor for carrying around an emergency OS. I wonder if it’d be possible to get one that dual-booted – that would be even cooler then carrying a couple. You know you have to cut ounces of extra weight when you can. And I know I can get a lot of this functionality from a regular USB thumb drive, which would greatly expand the available options and undoubtedly lower the cost. But for specialized use cases, including toting around ssh and X.509 keys, having a TPM chip and an encrypted drive is very attractive – not to mention the dedicated memory & disk. There are a couple of this type of device out there, and adhering to Securosis’ policy of not being vendor-specific, I won’t mention specific models, but if you have this kind of requirements you should check them out. Share:

The winter holidays aggravate me. They are a consumption binge, and I know we all want a healthier global economy (which includes folks spending money they don’t have on things they don’t need) but it still irks me. I grew up modestly in a single-parent home, and we did stuff, but not a lot. We didn’t have the fancy things, which forced me to go out and earn whatever I’ve gotten. I remember being ecstatic one Hanukkah when I got a plastic briefcase-type thing to bring my books to school. We didn’t get 8 gifts or have a big-ass tree with all sorts of goodies under it. We got one thing and it was fine. I know how hard it was for my Mom to even provide those little things, and how hard she worked. That awareness has always driven me. I’ve been very fortunate, and we can provide plenty of gifts to our kids over the holidays. And we do. And the grandparents do. And they get lots of stuff from their cousins. The list goes on and on. But in the back of my mind is a fear that the kids don’t appreciate what they have. We have had to threaten to take all the stuff out of their room more than once, when they act like spoiled brats. I do try to lead by example. They see that I work a lot, but I’m not sure they understand that just working hard might not be enough. That they’ll have to find their talent, be persistent, and have a little luck, to achieve and earn everything they want. Though at times we get a glimmer of hope that despite their very comfortable lifestyle the kids have some perspective. When we got back from our holiday trip, the Boss sat down with XX2, who had a pretty interesting question. XX2: Mom, am I spoiled? The Boss (TB): You tell me? Do you think you are spoiled? XX2: Yes. I have everything I need, and get pretty much everything I want, so I guess I am spoiled. Win! Of course just because one of three understood, at that moment in time, that she has it pretty good, doesn’t mean she won’t be squealing like a stuck pig the next time we won’t buy something she wants when she wants it. But at least we can remind her of this conversation to introduce some perspective. It’s a fine line, because I work hard and have earned a certain lifestyle. I shouldn’t have to sacrifice having some nice things to make a point to my kids. But ultimately it’s our responsibility as parents to make sure they understand that the world is a tough and unforgiving place. Which means at times I need to be a spoilsport and say no, even when I get the cute pouty face. But that’s a lot better than allowing my kids to be soft, spoiled, and unprepared to deal when they leave the nest. -Mike Photo credits: “spoiled” originally uploaded by Kim ‘n’ Cris Knight Heavy Research We’re plowing through the latest Quant project on Malware Analysis. Here are the posts over the past week: Static Analysis Dynamic Analysis The Malware Profile Defining Rules You can find all the posts on the Project Quant blog. We are also finishing up our Network-based Malware Detection series. You see a trend here? Yep, it’s all malware, all the time. Here are the posts so far in that series, which we will wrap up this week. Introduction Identifying Today’s Malware Where to Detect the Bad Stuff? In case you aren’t interested in our Heavy RSS Feed, where you can get all our content in its unabridged glory. Incite 4 U The Sound of Inevitability: Kevin Mandia says if you are targeted by an advanced attacker, you will be breached (pdf). That’s not when, not if. And he should know – his firm spends a lot of time doing high-end breach response. If the effectiveness of targeted attacks by knowledgable attackers is approximately 100%, do you just accept this as an inevitability? Or do you ratchet up protections to make it harder for attackers? Those are the basic questions – they are the two most common CEO responses to this type of choice. Do you just accept this as part of the business landscape – cost of doing business – or are you determined to be a faster than the other gazelles competitors for the lions attackers to eat focus their intensive and persistent efforts on. Or maybe you can compartmentalize damage – knowing some user will inevitably click an email link with targeted malware – to just the mail server or select employee systems? It’s a worthwhile read: he lists all the data we repeatedly say you should keep – but which companies don’t have, can’t find, or take a week to recover. Breach preparedness drills? Anyone? – AL Brute force still works: King Krebs does some very interesting research into how the bad guys are defeating tests to figure out whether forms, etc. are being filled out by bots or other automated mechanisms. Basically, they’ve built sweatshops where all folks do is fill out CAPTCHAs and respond to other tactics to bypass bot detection tests. Even better, these folks have basically built a multi-level marketing scheme to get other folks to fill out the CAPTCHAs. The folks at the top of the pyramid can make real money, while folks at the bottom might make $3/day. Not unlike other MLM schemes, I guess. It’s just interesting to see tried and true business models applied to computer crime. What’s old is new again… – MR Nothing to see here. Really! Last week I got a call from a reporter at a major publication I have worked with in the past, to ask about some Symantec source code hackers claimed they stole from the Indian government and then posted online. Normally when something like this happens and the vendor denies it’s

It’s hard to believe, but the RSA Conference is almost upon us. We have a lot of very cool stuff planned, including an update to our RSA Guide, a few cool partnerships, and of course the Disaster Recovery Breakfast. We will have more details on all the above as we get closer to the show. In the meantime we want you to know that voting has opened for the 2012 Social Security Blogger Awards. Rich, Adrian, and I are unbelievably flattered to be nominated for two awards this year: The Most Entertaining Security Blog and The Blog that Best Represents The Security Industry. Us? Really? But we’ll take it – especially in light of the esteemed panel which handled the nominations. So go vote. For whoever you think should win the award. As long as it’s us, because we’ll know. We are hackers after all, and we’re watching. I kid! See you at the Blogger Party! Share: