Research

We’ve been talking a lot about application security since we started this blog, and one thing we’ve been tracking closely are training and certification programs. While we couldn’t talk about it, we’ve been quietly involved with the Institute for Certified Application Security Specialists. We reviewed the program during development, and were overall pretty impressed. It has very similar requirements to the CSSLP, but is more cost effective for security practitioners… something we can all appreciate in this economy. Believe it or not, despite my not-infrequent diatribes against various certifications, I actually went through the process myself and am fully certified. What I really appreciate is how pragmatic the program is, and how it really reflects the operational realities of application security. You can get more information at the Institute for Certified Application Security Specialists, and as a member of the affiliate program Securosis readers receive a 10% discount. Oh- and don’t forget to join the LinkedIn Group! Share:

Update: Dan just let me know that Tillmann Werner and Felix Leder have been working on this for 5 months! Dan came in (and then brought me in) only on Friday. They deserve major credit and thanks for this impressive work. Also, Nmap (which is still free) and the free feed of Nessus have their signatures out for those of you that don’t have an enterprise product. Ever since last year, I always get a little nervous when Dan Kaminsky starts asking me certain questions over Twitter. Last time it was the DNS vulnerability, and this time it was something not as big, yet still extremely cool. Some researchers with the Honeynet Project (Tillmann Werner and Felix Leder) discovered a way to remotely (as in via network scan) detect Conficker infections. It seems that whoever is behind Conficker attempts to patch the MS08-067 vulnerability when they infect a system so no other attackers can get in. The patch is flawed, causing a specific response to network probes. Yes folks, this means you can tell if a system is infected with Conficker just by scanning it. Now how cool is that?   < p>The HoneyNet guys contacted Dan for some help, and then he contacted me to get connected with the major scanning vendors. I called Adrian, and we managed to wrangle up nCircle, McAfee, nCircle, Nmap, Qualys, and Tenable (Nessus) and most have already incorporated, or are about to incorporate, Conficker sigs for their scanners. I think Dan is giving me too much credit in his post; all I did was connect the right people with each other; I wasn’t involved in the tool creation or testing. (We did shoot for some other vendors, but didn’t have the right contacts). I know Dan, the HoneyNet guys, and the vendor research teams all put in a heck of a lot of time on this over the weekend. Here’s what you enterprise guys need to know: There is a free proof-of-concept tool available from the HoneyNet Project, or you can contact your network vulnerability assessment vendor to see if they have an updated signature. This should work on all Conficker variants. (I suspect that won’t last long). The “Know Your Enemy” paper will be released by the HoneyNet Project in the next couple of days, with far greater detail. This doesn’t guarantee you will detect all infections, but it’s a powerful way to reduce your risk. We recommend you start scanning immediately if you have the slightest worry over Conficker. Expect the tools to undergo a series of updates in the next few days as we all learn more. This really is hot-out-of-the-oven stuff that still needs to settle in. The next phase will be to include this in NAC products for pre-connect scanning. That’s about it- simple enough! If you start using these and find anything interesting, please come back and post it in the comments. Share:

As you have probably read, a method for remotely detecting systems infected with the Conficker worm was discovered by Felix Leder and Tillmann Werner. They have been working with Dan Kaminisky, amongst others, to come up with a tool to detect the worm and give IT organizations the ability to protect themselves. This is excellent news. The bad news is how unprepared most applications are to handle threats like this. Earlier this morning, the guys at The Honeynet Project were kind enough to forward Rich and myself a copy of their Know Your Enemy: Containing Conficker paper. This is a very thorough analysis of how the worm operates. I want keep my comments on this short, and simply recommendation strongly that you read the paper. If you are in software development, you need to read this paper. Their analysis of Conficker illustrates that the people who wrote it are far ahead of your typical application development team in their understanding of application security. Developers need to understand the approach that attackers are taking, understand the dedication to their craft these guys are exhibiting, and increase their own knowledge and dedication if they are going to have a chance of producing code that can counter these types of threats. Is Conficker a well-written piece of code? Is it architected well? No idea. But it is clear that each iteration has advanced their three core functions (find & infect, maintain, & defend) and had this flexibility in mind from the begining. Look at how Conficker uses identification techniques to protect itself in avoid downloading the wrong/malicious patches to their worm. And check out the examination of incoming requests to help protect their now infected system from other viruses. This should serve as an example of how to write internal monitoring code to detect exploit attempts (see section 4), either in lieu of a full blown patch, or as self-defending code at critical points, or both. And it is done in a manner that gives them a generic tool that, when updated, will be an effective anti-malware tool. Neat, huh? The authors have a pretty good understanding of randomness and used multiple sources, not only to get better randomness, but to avoid an attack on any one- smart. These are really good application security practices that very few software authors actually put into practice. Heck, most web applications trust everything that comes in, and it looks like the authors of Conficker understand that you must trust nothing! Once again, if you are a software developer or IT practitioner, read the paper. The research that Felix and Tillmann have put into this is impressive. They have proof points for everything they believe to be true about the worm’s behavior, and have stuck with the facts. This is really time consuming, difficult work. Excellent job, guys! Share:

It is absolutely amazing how quickly time can rush past during the most momentous moments of your life. It was over three weeks ago that my daughter was born, and I’m still trying to figure out what the f&*% just happened. A lot of people made it sound like my life would suddenly crash to a halt as I vaulted into some other dimension of existence, but the changes, while massive, are also far more subtle and confusing. Needless to say, I blame the reduced sleep (which still isn’t as bad as it was in paramedic school). While my personal life is changing, so is the world that is Securosis. You may have noticed my nearly complete lack of blogging the past couple of weeks. While I’d like to blame The Nugget, our changes on the corporate side are just as big. We’re close (oh so very close) to unveiling our new website, a major new public project, and a big influx of content. We’re so close that this blog is officially in maintenance mode as we get the last of the old content transferred to the new site, our templates cleaned up, and new content filled in. And the refresh is just the start; as we get the new site stable we are going to keep adding features and content, the vast majority of which will be, as always, free. On a related note, we’re also working on our RSA schedules, and when the new site launches we will officially announce the Securosis Recovery Breakfast. I’d like to say we’re giving back to the community, but the truth is we’ll need the hangover relief just as badly as any of you. And now for the week in review… at least what little of it I managed to notice: Webcasts, Podcasts, Outside Writing, and Conferences: Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site. Rich and Martin hosted another episode of The Network Security Podcast this week, covering some of the CanSecWest news and other happenings. Favorite Securosis Posts: Rich: Adrian’s CanSecWest Highlights. I really need to go next year. Adrian: My post on Security Speedbumps. Favorite Outside Posts: Adrian: Gunnar Peterson on security people in software development. Rich: John Gruber, at Daring Fireball, on Obsession Times Voice. This is pretty much the most important thing John has written about in a long time. Flat out- if you blog and are obsessed with numbers, you won’t achieve your goals. I barely check our stats, maybe once every other month, and once missed the fact that we had no stats for 3 or 4 months. It’s your passion for writing that brings in readers, not pandering for page views. Top News and Posts: Botnet targets modems and routers. Yowza. Symantec drops call center after (manual) security breach. Good move on their part, as a security company they can’t screw around with situations like this. Bad hacker stole $10M from banks. Using SQL injection. In 2008. Pardon my language, but how fucking stupid do you need to be to allow SQL injection at a financial institution in 2008?!?! Jesus people, I realize security is hard but we don’t have to give them our fracking wallets on a silver platter. With a mint. It’s Cisco IOS Patch day. Blog Comment of the Week: Dre on Security Speedbumps: No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and point-solution defenses match the risks. “Layering for layering’s sake” does get adversaries poking right through billions of expensive layers. Don’t tempt me to argue against every point in this rant — you just set yourself up for massive failure. Share:

I’ve been out at the Phoenix SANS event so I almost forgot to post this… I’ll be presenting on endpoint encryption from 2-3 ET today. The event is sponsored by WinMagic, and you can register here. I’ll be covering the basics of endpoint encryption- a little bit on why you should do it (I think most of you have heard me say “just encrypt your freaking laptops” by now), an overview of the technology, and enterprise concerns and best practices. I’ll also spend some time talking about how to mix file/folder and full drive encryption. This one is targeting people without much of a background in endpoint encryption and is mostly introductory material. Share:

With the CanSecWest conference last week, right on the heels of Black Hat Europe, there have been many happenings in the security world. On top of that, our favorite investigative reporter managed to take down yet another group of bad guys by shining his flashlight in the right direction.   < p>But before we delve into the week’s security news, we spend a little time talking about my shiny new Mac Pro, as Martin gives me a few parenting tips (don’t worry, we try not to bore you too much). I rant a bit on Apple’s stupidity with their cord-length on the new 24” Cinema Display. Seriously, only 3’6”? With no extension available anywhere?!? Sigh. And now, on to the show. Network Security Podcast, Episode 143, March 24, 2009 Show Notes: Brian Krebs reveals the evil that is TrafficConverter. TrafficConverter is shut down. Coincidence? Nope. Is Conficker just a big April’s Fools day joke? Yeah, right. Jeremiah Grossman is seeking quick hits in web application security. Core Security researchers reveal BIOS attack. All browsers go down at CanSecWest. Except Chrome, but no one really targeted it. (Yes, Alan, I just cribbed my own show notes again.) Share:

Reading yet another comment on yet another blog about “what good is ABC technology because I can subvert the process” or “we should not use XYZ technology because it does not stop the threats” … I feel a rant coming on. I get seriously annoyed when I hear these blanket statements about how some technologies are no good because they can be subverted. I appreciate zeal in researchers, but am shocked by people’s myopia in applied settings. Seriously, is there any technology that cannot be compromised? I got a chance to chat with an old friend on Friday and he reminded me of a basic security tenet … most security precautions are nothing more than ‘speed bumps’. They are not fool-proof, not absolute in the security that they offer, and do not stand unto themselves without support. What they do is slow attackers down, make it more difficult and expensive in time, money, and processing power to achieve their goals. While I may not be able to brute force and already encrypted file, I can subvert most encryption systems, especially if I can gain access to the host. Can I get by your firewall? Yes. Can I get spam through your email filter? Absolutely. Can I find holes in your WAF policy set? Yep. Write malware that goes undetected, escalate user privileges, confuse your NAC, poison your logs, evade IDS, compromise your browser? Yep. But I cannot do all of these things at the same time. Some will slow me down while others detect what I am doing. With enough time and attention there are very few security products or solutions that would not succumb to attack under the right set of circumstances, but not all of them at one time. We buy anti-spam, even if it is not 100% effective, because it makes the problem set much smaller. We try not to click email links and visit suspect web sites because we know our browsing sessions are completely at risk. When we have solid host security to support encryption systems, we drop the odds of system compromise dramatically. If you have ever heard me speak on security topics, you will have heard a line that I throw into almost every presentation: embrace insecurity! If you go about selecting security technologies thinking that they will protect you from all threats under all circumstances, you have already failed. Know that all your security measures are insecure to some degree. Admit it. Accept it. Understand it. Then account for it. One of the primary points Rich and I were trying to make in our Web Application Security paper was that there are several ways to address most issues. And it’s like fitting pieces of a puzzle together to get reasonable security against your risks in a cost effective manner. What technologies and process changes you select depend upon the threats you need to address, so adapt your plans such that you cover for these weaknesses. Share:

I have been reading about the highlights of the CanSecWest show all over the net, and it seems like there were a lot of really cool presentations. TippingPoint’s ‘Pwn2Own’ contest at CanSecWest that started late last week concluded over the weekend. The contest awarded $5,000 to each hacker would could uncover an exploit for any of the major browser platforms (Firefox, Internet Explorer, Chrome, & Safari). Firefox, IE, & Safari were all exploited at least once during the contest, with Chrome the only browser to make it through the trials. Perhaps that is to be expected given its newness. Lots more wrap-up details on the DV Labs site. I know a lot of security researchers have a bitter taste from the way companies behave when a security flaw is revealed; still, I am always interested in seeing these types of contests as they are great demonstrations of creativity, and the ability to share knowledge amongst experts is great for all of the participants. If this method of “No Free Bugs” works to get discoveries back in the public eye, I think that’s great. I would have much like to have seen the presentation “Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line”. Having previously witnessed what information can be gleaned from power lines, and things like over-the-air Tempest attacks, I would like to see how the state of the art on physical side channels has progressed. One of the other show highlights was covered by Dennis Fisher over on Threatpost- it appears that the Core Security Technologies team has demonstrated a persistent BIOS attack. There are next to now details on this one, but if they are able to perform this trick without the assistance of a secondary device and only obtaining admin access, this is a really dangerous attack. If you have access to the physical platform, all bets are pretty much off. Looking forward to seeing the details. Share:

Happy Friday! Rich is off with the family today and probably sneaking in some time to play with his new Mac Pro as well. If I know him, at the first opportunity he will be in the garage, soldering iron in hand, making his own 9’ mini-DVI cable to hook up his new monitor. Family, new baby, and cool new hardware mean I have Friday blog duties. But as I just got back from the Source Boston show, there is much to talk about this week. Across the board, the presentations at Source were really excellent, and some of the finest minds in security were in attendance, so Stacy Thayer and her team get very high marks from me for putting on a great event. Starting out with a bang, Peter Kuper gave a knockout keynote presentation on the state of financial markets and venture funding for startups. A no-nonsense, no-spin, honest look at where we are today was both a little scary and refreshing for its honesty. He has a post here if you want to read more of his work. David Mortman kicked off the morning sessions with I Can Haz Privacy, updating us on a lot of the privacy issues and legislation going on today. He highlighted the natural link between personal privacy and LOLCATS like no one else, and kept audience participation high by rewarding questions with some awesome homemade wheat bread. The always thought-provoking Adam Shostack gave a presentation on The Crisis in Information Security. I am in complete agreement that despite the hype, breached businesses will continue to function and operate as they always have, and the sky is not falling. And as always, his points are backed by solid research. Even if individual companies generally do not fall, I do still wonder about broader risk to the entire credit card system given its ease of (mis)use, its poor authentication, the millions of stolen credit card numbers floating around, and demonstrated capabilities to automate fraud. Hoff had his best presentation yet with The Frogs Who Desired a King. While you may or may not be interested in security or cloud computing, this is a must-see presentation. Even if you have been reading his Rational Survivability blog posts on the subject, the clarity of the vision he presented regarding the various embodiments of cloud computing and the security challenges of each is more than compelling, and he has backed it up with a staggering amount of research. I’ve got to say, Chris has raised the bar for all of us in the security field for the quality of our presentations. After almost missing the show because of a number of issues on the home front, including spending 4 days at the emergency vet clinic as someone accidentally poisoned one of my dogs, I got on the plane and I am glad I made it. I gave a presentation on Data Breaches and Encryption, examining where encryption technologies help and, just as importantly, where they don’t. My personal “Shock and Awe” award went to Mr. James Atkinson of Granite Island Group TSCM for his presentation on “Horseless Carriage Exploits and Eavesdropping Defenses”. I had no idea that all of these devices were in full effect in most automobiles today, nor that it was this easy to do. Having now given it some thought, though, I think I may have run into some of the devices he discussed. I will be looking through my car this weekend. It was good to see Dennis Fisher again … and he is just launching a new security news network called Threatpost. This effort is sponsored by Kaspersky and they have started off with a ton of stuff, so it’s worth checking out. Now I am off to try and enjoy the weekend, so here it is- the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: Rich and Adrian presented Building a Business Justification for Data Security through SANS. We co-presented with Chris Parkerson of McAfee … and apologies to Chris as Rich and I ran a little long. Adrian chatted with Amrit Williams on the subject of Information Centric Security on the Beyond The Perimeter podcast this week. It should be posted soon. Adrian presented Data Breaches and Encryption last week during the Source Boston event. Rich joined Martin McKeay on the Network Security Podcast this week, talking about Google behavioral ad targeting, Comcast passwords exposed, and the new DNS trojan. They were joined by Bill Brenner of CSO Online so you’ll want to check this one out! Favorite Securosis Posts: Rich: Adrian’s post on Immutable Log Files. Adrian: My post on Sprint Data Leak… I try not to post on breaches as there are so many, but this has been so bad for so long that I could not help myself. Favorite Outside Posts: Adrian: Rafal’s post on the Fox News Fail … not for the original post, but the dialog afterwards. Rich: Sure, we’re suckers for a plug, but Jeremiah posts a good list of recent web security related topics. Top News and Posts: Comcast usernames and passwords leaked. Oracle releases multiple Linux security patches. Wikileak exposes Blacklist The PCI compliance shell game …. compliant with the standard right up until the nano-second after they were breached. Blog Comment of the Week: From Ariel at CoreSecurity … Actually, Kelsey reinvented an idea that was previously exposed and published by Futoransky and Kargieman from Core ([1]) and implemented in the msyslog package ([2]) since 1996. I learn something new every day! Now, if so many great security minds think this is a good idea, why does no one want this technology? Share:

I have been working on a project lately that I don’t really get to talk about much, but it is a technology that I am quite fond of: Immutable Log Files. For those of you who do not know what these are, immutable logs are log files protected from tampering and erroneous insertion. Depending upon the implementation, the files can have additional protections from poisoning and fictional recreation/forgery as well. There are many other names for this type of technology, such as content integrity verification, court admissible evidentiary data, incontrovertible data, and even “signed and sequenced” data. Regardless of name, the intent is to create a tamper-resistant archive of events. A high level overview of the process might look like the following: Take a log entry, syslog for example, and add a time stamp and/or sequence number to that entry. Create a digital hash of the log entry to ensure integrity, and cryptographically sign it so you know the hash was produced by whatever authority is entrusted with managing the log. Now the log entry contains self-validating information as well. Each subsequent log entry would be bundled with one or more data points from previous log entries prior to creating the hash, to ensure that the sequence of events has not been altered. What you end up with is a chain of events that can be verified for data integrity. There are many variants to this process that offer additional assurances, but that is the gist of it. I had the opportunity back in 1998 to implement a variant of this technology based upon what I consider to be ground-breaking work by John Kelsey, then of Counterpane. We had a specific problem with dispute resolution we needed to address in our e-Commerce system, and this paper describes both a generic approach to solving the problem, but also includes some references that were specific to our technology and not applicable to most needs. There are a few vendors that have advanced the state of the art in this area, but they largely go unnoticed by the security community at large. While this is a valuable technology for solving certain problems, it remains a rare feature. I am writing this post as I have a request from both the security and the IT practitioner community. I am interested in knowing if you or your organization uses this type of technology today, or if it is something you have considered? If you are a product vendor and you are thinking about implementing such a technology as a competitive differentiator, I would greatly appreciate a heads-up. I am seeing some indications that this may be a requirement for government based upon the recent draft for tamper resistant syslog files by John Kelsey of NIST, J Callas of PGP, and A Clemm from Cisco, but the status of this draft work remains elusive. I have spoken with a half dozen security strategists who consider this a compelling solution to several different data integrity problems in the areas of eDiscovery and electronic data archival. If this is something you have interest in, please take a minute and post a comment or shoot me an email at alane at securosis with the obligatory dot and com postfix. I would very much like to know what your thoughts are. Share: