Research

Things are so crazy this week, getting ready for RSA, that I nearly forgot we record this little podcast thing every week. Sure, I’ve only been doing it every week for over a year, but you’d think I’d learn to remember. This week we start by reviewing all the happenings at RSA, before talking about the cable cuts in the Bay Area and the Twitter worm. Martin and I will be doing our best to push out shorter daily shows (usually interviews) every day at RSA, and these tend to be some of our more popular episodes. The Network Security Podcast, Episode 146. Share:

Oracle released the April 2009 Critical Patch Update; a couple serious issues are addressed with the database, and a couple more that concern web application developers. For the database server, there are two vulnerabilities that can be remotely exploited without user credentials. As is typical, some of information that would help provide enough understanding or insight to devise a workaround is absent, but a couple are serious enough that you really do need to patch, and I will forgo a zombie DBA patching rant here. If you are an Oracle 9.2 user, and there are a lot of you out there still, there is a vulnerability with the resource manager. Basically, any user with create session privileges, and as all users are required to have this in order to connect to the database, it is only going to take one “Scott/Tiger”, default account or brute forced user account to exercise the bug and take control of the resource manager. Very few details are being published, and the CVSS “Base Score” system is misleading at best, but a score of 9 indicates a takeover of the resource manager, which is often used to enforce polices to stop DoS and other security/continuity policies, and possibly leveraged into other serious attacks I am not clever enough to come up with in my sleep deprived state. If this can be implemented by any valid user, it is likely a hacker will locate one and take advantage. The second serious issue, referenced in CVE-2009-0985, is with the IMP_FULL_DATABASE procedure created by catexp.sql, which runs automatically when you run catalog.sql after the database installation. This means you probably have this functionality and role installed, and have a database import tool that runs under admin privileges- which a hacker can use on any schema. Attack scenarios over and above a straight DoS may not be obvious, but this would be pretty handy for surreptitious alteration and insertion, and the hacker would be able to then exercise this imported database. As I have mentioned in previous Oracle CPU posts, these packages tend to be built with the same set of assumptions and coding behaviors, so I would not be surprised if we discover that EMP_DATABASE_FULL and EXECUTE_CATALOG_ROLE have similar exploits, but this is conjecture on my part. This is serious enough that you need to patch ASAP! And if you have not already done so, you’ll want to review separation of user responsibilities across admin roles as well. I know it is a pain in the @$$ for smaller firms, but it avoids cascaded privileges in the event of a breach/hack. Finally, CVE-2009-1006 for JRockit and CVE-2009-1012 for the WebLogic Server are in response to complete compromises (Base Score 10) to the system, and should be considered emergency patch items if you are using either product/platform. If we get enough information to provide any type of WAF signature I will, but it will be faster and safer to download and patch. Red Database Security has been covering many of the details on these attacks, and there are some additional comments on the Tech Target site as well. Share:

Despite my intensive research into cryonics, I have to accept that someday I will die. Permanently. I don’t know when, where, or how, but someday I will cease to exist. Heck, even if I do manage to freeze myself (did you know one of the biggest cryonincs companies is only 20 minutes from my house?), get resurrected into a cloned 20-year-old version of myself, and eventually upload my consciousness into a supercomputer (so I can play Skynet, since I don’t really like most people) I have to accept that someday Mother Entropy will bitch slap me with the end of the universe. There are many inevitabilities in life, and it’s often far easier to recognize these end results than the exact path that leads us to them. Denial is often closely tied to the obscurity of these journeys; when you can’t see how to get from point A to point B (or from Alice to Bob, for you security geeks), it’s all too easy to pretend that Bob Can’t Ever Happen. Thus we find ourselves debating the minutiae, since the result is too far off to comprehend. (Note that I’d like credit for not going deep into an analogy about Bob and Alice inevitably making Charlie after a few too many mojitos). Security includes no shortage of inevitabilities. Below are just a few that have been circling my brain lately, in no particular order. It’s not a comprehensive list, just a few things that come to mind (and please add your own in the comments). I may not know when they’ll happen, or how, but they will happen: Everyone will use some form of NAC on their networks. Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips. Everyone will use some form of DLP, we’ll call it CMP, and it will only include tools with real content analysis. Log management and SIEM will converge into single products. Completely. UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore. Virtualization and information-centric security will totally fuck up network security, especially internally. Any critical SCADA network will be pulled off the Internet. Database encryption will be performed inside the database with native functionality, with keys managed externally. The WAF vs. secure development debate will end as everyone buys/implements both. We’ll stop pretending web application and database security are different problems. We will encrypt all laptops. It will be built into the hardware. Signature AV will die. Mostly. Chris Hoff will break the cloud. Share:

We’ve been hinting at it over Twitter and in other blog posts, but it’s official. We’re sponsoring our First Annual Recovery Breakfast Wednesday morning at the RSA conference (8-11 am at Jillian’s). We’ll have hot and cold food, a selection of over-the-counter recovery items, and the hair of the dog of your choice. No marketing, speeches, or anything else (especially since we’ll be in rough shape ourselves). Since we have no idea how many people might show up, we’re asking you to RSVP if you think there’s a reasonable chance you’ll make it. To add a bit of incentive, we will be randomly selecting one RSVP to win a Chumby. You still have to show up to win, but we’ll pre-select your name so you don’t have to be there at any particular time. Just email us at rsvp@securosis.com. (We’ll need the winner’s real address to ship it to you, since it takes too much space in our bags, but we’ll just collect that at the event. We hope you’ll be able to join us, and we’ll see you at the show… Share:

It was nearly three years ago that I started the Securosis blog. At the time I was working at Gartner, and curious about participating in this whole “social media” thing. Not to sound corny, but I had absolutely no idea what I was getting myself into. Sure, I knew it was called social media, but I didn’t realize there was an actual social component. That by blogging, linking to others, and participating in comments, we are engaging in a massive community dialogue. Yes, since becoming an analyst I’ve had access to all the little nooks of the industry, but there’s just something about a public conversation you can’t get in a closed ecosystem. Don’t get me wrong- I’m not criticizing the big research model- I could never do what I am now without having spent time there, and I think it offers customers tremendous value. But for me personally, as I started blogging, I realized there were new places to explore. At Gartner I learned an incredible amount, had an amazingly good time, and made some great friends. But part of me (probably my massive ego) wanted to engage the community beyond those who paid to talk to me. Thus, after seven years it was time to move on and Securosis the blog became Securosis, L.L.C.. I didn’t really know what I wanted to do, but figured I’d pick up enough consulting to get by. I didn’t even bother to change my little WordPress blog, other than adding a short company page. It’s now nearly two years since jumping ship without a paddle, boat, lifejacket, any recognizable swimming skills, or a bathing suit. We’ve grown more than I imagined, had a hell of a lot of fun, posted hundreds of blog entries, authored some major research reports, and practically redefined the term “media whore”. But we still had that nearly unreadable white-text-on-black-background blog, and if you wanted to find specific content you had to wade through pages of search results. Needless to say, that’s no way to run a business, which is why we finally bit the bullet, invested some cash, and rebuilt the site from scratch. For months now we’ve been blogging less as we spent all our spare cycles on the new site (and, for me, having a kid). I realize we’ve been going on and on about it, but that’s merely the byproduct of practically crapping our pants because we’re so excited to have it up. We can finally organize our research, help people learn more about security, and not be totally embarrassed by running a corporate site that looked like some idiot pasted it together while bored one weekend. Which it was. I asked Adrian for some closing thoughts, and I absolutely promise this will be the last of our self-congratulatory, self-promotional BS. The next time you hear from us, we’ll actual put some real content back out there. -Rich Some of you may not know this, but I had been working with Rich for a couple of months before most people noticed. Learning that was unsettling! I was not sure if our writing was close enough that people could not tell, or worse, no one cared. But we soon discovered that the author names for the posts was not always coming up so people assumed it was Rich and not Chris or myself. It was several months later still when I learned that the link to my bio page was broken and was not viewable on most browsers. We were getting periodic questions about what we do here, other than blog on security and write a couple white papers, as lots of regular readers did not know. It never really dawned on Rich or I, two tech geeks at heart, to go look at how we presented ourselves (or in this case, did not present ourselves). When a couple business partners brought it up, it was a Homer Simpson “D’oh” moment of self-realization. Rich and I began discussing the new site October of last year, and as there was a lot of stuff we wanted to provide but could not because WordPress was simply not up to the challenge, we knew we needed a complete overhaul. And we still were getting complaints that most people had trouble reading the white text on black background. Yes, part of me will miss the black background ..It kind of conveyed the entire black hat mind set; breaking stuff in order to teach security. It embodied the feeling that “yeah, it may be ugly, but it’s the truth, so get used to it”. Still, I do think the new site is easier to read, and it allows us to better provide information and services. Rich and I are really excited about it! We have tons of content we need to tune & groom before we can put it public into the research library, but it’s coming. And hopefully our writing style will convey to you that this blog is an open forum for wide open discussion of whatever security topic you are interested in. Something on your mind? Bring it! -Adrian And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: I wrote the cover story on DLP for this month’s Information Security Magazine. They never told me it was the cover, so that was a very pleasant surprise. Martin and I had a guest interview on Hacker Spaces for this week’s Network Security Podcast. I did an interview for the New York Times on Mac security. It raised so much controversy that they did a follow on article, with our friend Dino Dai Zovi. I did an interview with Bill Brenner of CSO Magazine on federal cybersecurity and the latest congressional hearings. I also did a podcast with Dennis Fisher at ThreatPost on a bunch of topics, including Conficker. Wondered where Adrian was in the press, and considered revoking his whore status. Favorite Securosis Posts: Rich: Our new site announcement. I swear we’ll get over

If you can read this, you’ve found the brand spanking new Securosis! We’d call it Securosis 2.0, but we hate all that “2.0” stupidity. (We also hate “next generation”, for the record). If I was in the terrain park I’d say I’m totally stoked, but since I’m only sitting at home in the office I’ll have to settle for really fracking excited! We’ve been working on this for months, and we sure as heck hope you like it. There are a ton of new features, and we moved over to a new platform to support all sorts of goodness down the road. We know not everything is quite perfect yet, but we think we’re off to a great start and it’s far more functional than the old site. Aside from the platform switch, the biggest addition is the Securosis Research Library. We know a lot of people come here to learn about the topics we cover, and rather than forcing you to crawl through a search engine we wanted one nice area that guides you exactly to what you’re looking for. We have one page per topic, with all the best things we’ve written or recorded on that subject, in a recommended reading order. You can even subscribe to it as an RSS feed and it will stay current in your reader. Right now we have only a handful+ of pages in there, but our goal is to flush it out with all the topics we cover, at the rate of 1-2 per week. We’re also adding content, such as presentations, on a daily basis as we get everything converted. We now have a much better search engine and a cool tag cloud, and we’ve completely reorganized how we publish our whitepapers and other major content (you can find it in the Research Library). For those of you who have registered here before, we pulled your user accounts over but killed your passwords. Just click on this link to reset your password and you’ll be right back in. Finally, we know some of you were getting updates via email. We couldn’t migrate that over, but we set up a sweet new Daily Digest using MailChimp. I’m totally friggen’ exhausted, so with that I’m going to grab a beer, go to sleep, and see what’s broken in the morning. I’d like to thank Insight Design for our awesome look, and Adam Khan of Engaging.net for all the help getting things running. Need. Beer. Now. Share:

We are putting the final touches on the new site and should be launching it within the next 24 hours. Being the eternal optimists, we’re pretty sure something will go wrong, but maybe we’ll luck out and those beers we bought the migration gods will pay off. We’re pretty excited- aside from moving us off the Mogull Special design template, we’re switching to a more secure system, adding a bunch of features, and finally organizing all our content. Thursday’s move is only the first step- we’re already working on some additional content and features we hope you’ll like. If you subscribe to Feedburner RSS you won’t notice any changes. After this move we won’t be pointing people to Feedburner anymore, but we’ll keep it active. We don’t think we have any direct subscribers, but if you happen to use a non-Feedburner feed, you’ll need to visit the new site and re-subscribe. Otherwise, the transition should go smoothly, but we hope you RSS only readers will still come and check out the new site (and features). **If you subscribe to the email updates** We’re changing to an entirely new email system and your subscription may not carry over. Yeah, it stinks, but we didn’t have many options. If you get emails of our feed from Feedburner you won’t notice any changes. If you subscribed directly on the site, you’ll need to visit the new site and sign up again- we have a big link right there on the blog page (on the right side), and all you need to enter is an email address. Wish us luck- we’ll need it! And don’t forget to visit the new site… same address, more pizzaz. (not more pizzas, which would probably get us more readers) Share:

Did anyone else get this email? You are receiving this email because you are registered for RSA® Conference 2009. Your account information needs to be activated so that you can take full advantage of all the Conference activities including access to the Conference Personal Scheduler and access to the Conference wireless network while on-site. … Please take a moment now to log-in and complete your account activation athttps://sso.rsaconference.com/sso/LogIn.jsp   using the following temporary password – %_DWqwet(M. You will then be prompted to confirm your profile information and reset your password. Your username is not included in this email for security purposes. If you are unsure of what your username is, you can retrieve it online at https://sso.rsaconference.com/sso/RetrieveUserName.jsp. You can log in to your account anytime at https://sso.rsaconference.com/sso/LogIn.jsp. … For more information on RSA Conference Single Sign-on, please visit our website or contact us atloginhelp@rsaconference.com.  Sincerely, RSA® Conference Team Wow, is this a phishing attempt out to the RSA list? Awesome! Share:

The big news at Securosis this week centered around the Conficker worm. As Rich blogged earlier in the week, he got a call from Dan Kaminsky on Saturday with the outline of what was going on. Rich and I scrambled Saturday to reach as many AV vendors as we could to get the word out. While some were initially a little annoyed at getting called on their cell phones Saturday afternoon, everyone was really eager to see what Tillmann Werner and Felix Leder had discovered and get their scanning tools updated. I expected things to be quiet on April 1st. A lot of security researchers have been watching and studying the worm’s behavior, and devising plans for detecting and containing the threat. I imagine the authors of the worm are reading every bit of news they can get their hands on and learning how to improve their code in response. This has been fascinating to watch. Thanks again to the Honeynet Project and Dan Kaminsky for doing a great job, and for involving us in the effort. On a more personal note, you probably have noticed that neither Rich nor I have been blogging as much lately, partially due to our desire to not create more work for ourselves prior to the new site launch; partially because, well, family comes first. For those of you who know me, you know I have dogs. When people ask me if I have kids, I typically say “No, I have dogs.” What I mean to say is “Yes, several; of the four legged variety.” March has been a terrible month for me because in the first few days one of my puppies went into kidney failure as she had been prescribed the wrong pain medication and dosage. I spent 5 days at the emergency vet clinic with her, even signing the DNR papers as we did not think she would make it. Happy to say she did, and is slowly recovering her ability to walk and some of the 30 lbs. she lost. A couple of days after I got back from Source Boston, her brother, and our all time favorite, started having trouble breathing. To make a long story short, we found cancer everywhere, and he only made it five days after his first visible symptoms, dying in my lap Tuesday morning. We know even several of you hardened veterinarians and long time breeders who have “seen it all” shed a tear over this one, and Emily and I understand and appreciate your heartfelt condolences. Looking forward to a much brighter and happier April. And now for the week in review… at least what little of it I managed to notice: Webcasts, Podcasts, Outside Writing, and Conferences: Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site. Rich’s article on Search Security on Data Loss Prevention Benefits in the Real World is available. Rich and Martin hosted episode 184 144 of The Network Security Podcast this week, covering not only Conficker news, but also a ton of stuff regarding security on the Mac platform with Dino Dai Zovi. Even recommended by the Macalope! Favorite Securosis Posts: Rich: Looking forward to getting ASS Certification. Adrian: Rich’s post on Detecting Conficker Favorite Outside Posts: Adrian: Know Your Enemy: Containing Conficker was a fascinating paper. Rich: From Anton Chuvakin’s Blog: Thoughts and Notes from PCI DSS Hearing in US House of Representatives. Top News and Posts: Microsoft Security Advisory 969136 for MS Office PowerPoint. Internet too dangerous? I think most people just do not appreciate how dangerous it is. Conficker ‘eye-chart’. This is a great idea and works for several malware variants. One topic I really wanted to blog on this week was the Internet Crime Complaint Center report that incidents (discovered and reported, of course) were up 33% year over year. Mini-Botnets. Smaller, just as much of a problem. The Open Cloud Manifesto. Ugh. Too many grandstanders with too little to say. If Hoff wants to fight that fight, fine, but it feels like yelling at the wind to me. Just not worth the time jumping into this mess until there is a bit more of a market. Don’t get me wrong- Rich and I will cover cloud and virtualization security in the future, maybe even this year. But not in response to this, and when we do, will will try to have something to say that does not suck. Blog Comment of the Week: This week’s best comment was from ‘Anonymous’: @Andre, I think once the Institute store makes its exclusive gear available, you should be the first to buy an ASS hat. We are working on the merchandise page for the new site … we will be sure to stock those hats. Share:

Just a quick note today since I’m totally distracted by having some family in town. Episode 144 is up and features Dino Dai Zovi… co-author of The Mac Hackers Handbook. It’s a great interview, especially if you are interested in Mac security issues. We also discuss the No More Free Bugs meme. You can download the episode here… Share: