Research

The big news at Securosis this week centered around the Conficker worm. As Rich blogged earlier in the week, he got a call from Dan Kaminsky on Saturday with the outline of what was going on. Rich and I scrambled Saturday to reach as many AV vendors as we could to get the word out. While some were initially a little annoyed at getting called on their cell phones Saturday afternoon, everyone was really eager to see what Tillmann Werner and Felix Leder had discovered and get their scanning tools updated. I expected things to be quiet on April 1st. A lot of security researchers have been watching and studying the worm’s behavior, and devising plans for detecting and containing the threat. I imagine the authors of the worm are reading every bit of news they can get their hands on and learning how to improve their code in response. This has been fascinating to watch. Thanks again to the Honeynet Project and Dan Kaminsky for doing a great job, and for involving us in the effort. On a more personal note, you probably have noticed that neither Rich nor I have been blogging as much lately, partially due to our desire to not create more work for ourselves prior to the new site launch; partially because, well, family comes first. For those of you who know me, you know I have dogs. When people ask me if I have kids, I typically say “No, I have dogs.” What I mean to say is “Yes, several; of the four legged variety.” March has been a terrible month for me because in the first few days one of my puppies went into kidney failure as she had been prescribed the wrong pain medication and dosage. I spent 5 days at the emergency vet clinic with her, even signing the DNR papers as we did not think she would make it. Happy to say she did, and is slowly recovering her ability to walk and some of the 30 lbs. she lost. A couple of days after I got back from Source Boston, her brother, and our all time favorite, started having trouble breathing. To make a long story short, we found cancer everywhere, and he only made it five days after his first visible symptoms, dying in my lap Tuesday morning. We know even several of you hardened veterinarians and long time breeders who have “seen it all” shed a tear over this one, and Emily and I understand and appreciate your heartfelt condolences. Looking forward to a much brighter and happier April. And now for the week in review… at least what little of it I managed to notice: Webcasts, Podcasts, Outside Writing, and Conferences: Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site. Rich’s article on Search Security on Data Loss Prevention Benefits in the Real World is available. Rich and Martin hosted episode 184 144 of The Network Security Podcast this week, covering not only Conficker news, but also a ton of stuff regarding security on the Mac platform with Dino Dai Zovi. Even recommended by the Macalope! Favorite Securosis Posts: Rich: Looking forward to getting ASS Certification. Adrian: Rich’s post on Detecting Conficker Favorite Outside Posts: Adrian: Know Your Enemy: Containing Conficker was a fascinating paper. Rich: From Anton Chuvakin’s Blog: Thoughts and Notes from PCI DSS Hearing in US House of Representatives. Top News and Posts: Microsoft Security Advisory 969136 for MS Office PowerPoint. Internet too dangerous? I think most people just do not appreciate how dangerous it is. Conficker ‘eye-chart’. This is a great idea and works for several malware variants. One topic I really wanted to blog on this week was the Internet Crime Complaint Center report that incidents (discovered and reported, of course) were up 33% year over year. Mini-Botnets. Smaller, just as much of a problem. The Open Cloud Manifesto. Ugh. Too many grandstanders with too little to say. If Hoff wants to fight that fight, fine, but it feels like yelling at the wind to me. Just not worth the time jumping into this mess until there is a bit more of a market. Don’t get me wrong- Rich and I will cover cloud and virtualization security in the future, maybe even this year. But not in response to this, and when we do, will will try to have something to say that does not suck. Blog Comment of the Week: This week’s best comment was from ‘Anonymous’: @Andre, I think once the Institute store makes its exclusive gear available, you should be the first to buy an ASS hat. We are working on the merchandise page for the new site … we will be sure to stock those hats. Share:

Just a quick note today since I’m totally distracted by having some family in town. Episode 144 is up and features Dino Dai Zovi… co-author of The Mac Hackers Handbook. It’s a great interview, especially if you are interested in Mac security issues. We also discuss the No More Free Bugs meme. You can download the episode here… Share:

We’ve been talking a lot about application security since we started this blog, and one thing we’ve been tracking closely are training and certification programs. While we couldn’t talk about it, we’ve been quietly involved with the Institute for Certified Application Security Specialists. We reviewed the program during development, and were overall pretty impressed. It has very similar requirements to the CSSLP, but is more cost effective for security practitioners… something we can all appreciate in this economy. Believe it or not, despite my not-infrequent diatribes against various certifications, I actually went through the process myself and am fully certified. What I really appreciate is how pragmatic the program is, and how it really reflects the operational realities of application security. You can get more information at the Institute for Certified Application Security Specialists, and as a member of the affiliate program Securosis readers receive a 10% discount. Oh- and don’t forget to join the LinkedIn Group! Share:

Update: Dan just let me know that Tillmann Werner and Felix Leder have been working on this for 5 months! Dan came in (and then brought me in) only on Friday. They deserve major credit and thanks for this impressive work. Also, Nmap (which is still free) and the free feed of Nessus have their signatures out for those of you that don’t have an enterprise product. Ever since last year, I always get a little nervous when Dan Kaminsky starts asking me certain questions over Twitter. Last time it was the DNS vulnerability, and this time it was something not as big, yet still extremely cool. Some researchers with the Honeynet Project (Tillmann Werner and Felix Leder) discovered a way to remotely (as in via network scan) detect Conficker infections. It seems that whoever is behind Conficker attempts to patch the MS08-067 vulnerability when they infect a system so no other attackers can get in. The patch is flawed, causing a specific response to network probes. Yes folks, this means you can tell if a system is infected with Conficker just by scanning it. Now how cool is that?   < p>The HoneyNet guys contacted Dan for some help, and then he contacted me to get connected with the major scanning vendors. I called Adrian, and we managed to wrangle up nCircle, McAfee, nCircle, Nmap, Qualys, and Tenable (Nessus) and most have already incorporated, or are about to incorporate, Conficker sigs for their scanners. I think Dan is giving me too much credit in his post; all I did was connect the right people with each other; I wasn’t involved in the tool creation or testing. (We did shoot for some other vendors, but didn’t have the right contacts). I know Dan, the HoneyNet guys, and the vendor research teams all put in a heck of a lot of time on this over the weekend. Here’s what you enterprise guys need to know: There is a free proof-of-concept tool available from the HoneyNet Project, or you can contact your network vulnerability assessment vendor to see if they have an updated signature. This should work on all Conficker variants. (I suspect that won’t last long). The “Know Your Enemy” paper will be released by the HoneyNet Project in the next couple of days, with far greater detail. This doesn’t guarantee you will detect all infections, but it’s a powerful way to reduce your risk. We recommend you start scanning immediately if you have the slightest worry over Conficker. Expect the tools to undergo a series of updates in the next few days as we all learn more. This really is hot-out-of-the-oven stuff that still needs to settle in. The next phase will be to include this in NAC products for pre-connect scanning. That’s about it- simple enough! If you start using these and find anything interesting, please come back and post it in the comments. Share:

As you have probably read, a method for remotely detecting systems infected with the Conficker worm was discovered by Felix Leder and Tillmann Werner. They have been working with Dan Kaminisky, amongst others, to come up with a tool to detect the worm and give IT organizations the ability to protect themselves. This is excellent news. The bad news is how unprepared most applications are to handle threats like this. Earlier this morning, the guys at The Honeynet Project were kind enough to forward Rich and myself a copy of their Know Your Enemy: Containing Conficker paper. This is a very thorough analysis of how the worm operates. I want keep my comments on this short, and simply recommendation strongly that you read the paper. If you are in software development, you need to read this paper. Their analysis of Conficker illustrates that the people who wrote it are far ahead of your typical application development team in their understanding of application security. Developers need to understand the approach that attackers are taking, understand the dedication to their craft these guys are exhibiting, and increase their own knowledge and dedication if they are going to have a chance of producing code that can counter these types of threats. Is Conficker a well-written piece of code? Is it architected well? No idea. But it is clear that each iteration has advanced their three core functions (find & infect, maintain, & defend) and had this flexibility in mind from the begining. Look at how Conficker uses identification techniques to protect itself in avoid downloading the wrong/malicious patches to their worm. And check out the examination of incoming requests to help protect their now infected system from other viruses. This should serve as an example of how to write internal monitoring code to detect exploit attempts (see section 4), either in lieu of a full blown patch, or as self-defending code at critical points, or both. And it is done in a manner that gives them a generic tool that, when updated, will be an effective anti-malware tool. Neat, huh? The authors have a pretty good understanding of randomness and used multiple sources, not only to get better randomness, but to avoid an attack on any one- smart. These are really good application security practices that very few software authors actually put into practice. Heck, most web applications trust everything that comes in, and it looks like the authors of Conficker understand that you must trust nothing! Once again, if you are a software developer or IT practitioner, read the paper. The research that Felix and Tillmann have put into this is impressive. They have proof points for everything they believe to be true about the worm’s behavior, and have stuck with the facts. This is really time consuming, difficult work. Excellent job, guys! Share:

It is absolutely amazing how quickly time can rush past during the most momentous moments of your life. It was over three weeks ago that my daughter was born, and I’m still trying to figure out what the f&*% just happened. A lot of people made it sound like my life would suddenly crash to a halt as I vaulted into some other dimension of existence, but the changes, while massive, are also far more subtle and confusing. Needless to say, I blame the reduced sleep (which still isn’t as bad as it was in paramedic school). While my personal life is changing, so is the world that is Securosis. You may have noticed my nearly complete lack of blogging the past couple of weeks. While I’d like to blame The Nugget, our changes on the corporate side are just as big. We’re close (oh so very close) to unveiling our new website, a major new public project, and a big influx of content. We’re so close that this blog is officially in maintenance mode as we get the last of the old content transferred to the new site, our templates cleaned up, and new content filled in. And the refresh is just the start; as we get the new site stable we are going to keep adding features and content, the vast majority of which will be, as always, free. On a related note, we’re also working on our RSA schedules, and when the new site launches we will officially announce the Securosis Recovery Breakfast. I’d like to say we’re giving back to the community, but the truth is we’ll need the hangover relief just as badly as any of you. And now for the week in review… at least what little of it I managed to notice: Webcasts, Podcasts, Outside Writing, and Conferences: Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site. Rich and Martin hosted another episode of The Network Security Podcast this week, covering some of the CanSecWest news and other happenings. Favorite Securosis Posts: Rich: Adrian’s CanSecWest Highlights. I really need to go next year. Adrian: My post on Security Speedbumps. Favorite Outside Posts: Adrian: Gunnar Peterson on security people in software development. Rich: John Gruber, at Daring Fireball, on Obsession Times Voice. This is pretty much the most important thing John has written about in a long time. Flat out- if you blog and are obsessed with numbers, you won’t achieve your goals. I barely check our stats, maybe once every other month, and once missed the fact that we had no stats for 3 or 4 months. It’s your passion for writing that brings in readers, not pandering for page views. Top News and Posts: Botnet targets modems and routers. Yowza. Symantec drops call center after (manual) security breach. Good move on their part, as a security company they can’t screw around with situations like this. Bad hacker stole $10M from banks. Using SQL injection. In 2008. Pardon my language, but how fucking stupid do you need to be to allow SQL injection at a financial institution in 2008?!?! Jesus people, I realize security is hard but we don’t have to give them our fracking wallets on a silver platter. With a mint. It’s Cisco IOS Patch day. Blog Comment of the Week: Dre on Security Speedbumps: No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and point-solution defenses match the risks. “Layering for layering’s sake” does get adversaries poking right through billions of expensive layers. Don’t tempt me to argue against every point in this rant — you just set yourself up for massive failure. Share:

I’ve been out at the Phoenix SANS event so I almost forgot to post this… I’ll be presenting on endpoint encryption from 2-3 ET today. The event is sponsored by WinMagic, and you can register here. I’ll be covering the basics of endpoint encryption- a little bit on why you should do it (I think most of you have heard me say “just encrypt your freaking laptops” by now), an overview of the technology, and enterprise concerns and best practices. I’ll also spend some time talking about how to mix file/folder and full drive encryption. This one is targeting people without much of a background in endpoint encryption and is mostly introductory material. Share:

With the CanSecWest conference last week, right on the heels of Black Hat Europe, there have been many happenings in the security world. On top of that, our favorite investigative reporter managed to take down yet another group of bad guys by shining his flashlight in the right direction.   < p>But before we delve into the week’s security news, we spend a little time talking about my shiny new Mac Pro, as Martin gives me a few parenting tips (don’t worry, we try not to bore you too much). I rant a bit on Apple’s stupidity with their cord-length on the new 24” Cinema Display. Seriously, only 3’6”? With no extension available anywhere?!? Sigh. And now, on to the show. Network Security Podcast, Episode 143, March 24, 2009 Show Notes: Brian Krebs reveals the evil that is TrafficConverter. TrafficConverter is shut down. Coincidence? Nope. Is Conficker just a big April’s Fools day joke? Yeah, right. Jeremiah Grossman is seeking quick hits in web application security. Core Security researchers reveal BIOS attack. All browsers go down at CanSecWest. Except Chrome, but no one really targeted it. (Yes, Alan, I just cribbed my own show notes again.) Share:

Reading yet another comment on yet another blog about “what good is ABC technology because I can subvert the process” or “we should not use XYZ technology because it does not stop the threats” … I feel a rant coming on. I get seriously annoyed when I hear these blanket statements about how some technologies are no good because they can be subverted. I appreciate zeal in researchers, but am shocked by people’s myopia in applied settings. Seriously, is there any technology that cannot be compromised? I got a chance to chat with an old friend on Friday and he reminded me of a basic security tenet … most security precautions are nothing more than ‘speed bumps’. They are not fool-proof, not absolute in the security that they offer, and do not stand unto themselves without support. What they do is slow attackers down, make it more difficult and expensive in time, money, and processing power to achieve their goals. While I may not be able to brute force and already encrypted file, I can subvert most encryption systems, especially if I can gain access to the host. Can I get by your firewall? Yes. Can I get spam through your email filter? Absolutely. Can I find holes in your WAF policy set? Yep. Write malware that goes undetected, escalate user privileges, confuse your NAC, poison your logs, evade IDS, compromise your browser? Yep. But I cannot do all of these things at the same time. Some will slow me down while others detect what I am doing. With enough time and attention there are very few security products or solutions that would not succumb to attack under the right set of circumstances, but not all of them at one time. We buy anti-spam, even if it is not 100% effective, because it makes the problem set much smaller. We try not to click email links and visit suspect web sites because we know our browsing sessions are completely at risk. When we have solid host security to support encryption systems, we drop the odds of system compromise dramatically. If you have ever heard me speak on security topics, you will have heard a line that I throw into almost every presentation: embrace insecurity! If you go about selecting security technologies thinking that they will protect you from all threats under all circumstances, you have already failed. Know that all your security measures are insecure to some degree. Admit it. Accept it. Understand it. Then account for it. One of the primary points Rich and I were trying to make in our Web Application Security paper was that there are several ways to address most issues. And it’s like fitting pieces of a puzzle together to get reasonable security against your risks in a cost effective manner. What technologies and process changes you select depend upon the threats you need to address, so adapt your plans such that you cover for these weaknesses. Share:

I have been reading about the highlights of the CanSecWest show all over the net, and it seems like there were a lot of really cool presentations. TippingPoint’s ‘Pwn2Own’ contest at CanSecWest that started late last week concluded over the weekend. The contest awarded $5,000 to each hacker would could uncover an exploit for any of the major browser platforms (Firefox, Internet Explorer, Chrome, & Safari). Firefox, IE, & Safari were all exploited at least once during the contest, with Chrome the only browser to make it through the trials. Perhaps that is to be expected given its newness. Lots more wrap-up details on the DV Labs site. I know a lot of security researchers have a bitter taste from the way companies behave when a security flaw is revealed; still, I am always interested in seeing these types of contests as they are great demonstrations of creativity, and the ability to share knowledge amongst experts is great for all of the participants. If this method of “No Free Bugs” works to get discoveries back in the public eye, I think that’s great. I would have much like to have seen the presentation “Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line”. Having previously witnessed what information can be gleaned from power lines, and things like over-the-air Tempest attacks, I would like to see how the state of the art on physical side channels has progressed. One of the other show highlights was covered by Dennis Fisher over on Threatpost- it appears that the Core Security Technologies team has demonstrated a persistent BIOS attack. There are next to now details on this one, but if they are able to perform this trick without the assistance of a secondary device and only obtaining admin access, this is a really dangerous attack. If you have access to the physical platform, all bets are pretty much off. Looking forward to seeing the details. Share: