Research

‘During several recent briefings, chats with customers, and discussions with existing clients, the topic of data collections methods for Database Activity Monitoring has come up. While Rich provided a good overview for the general buyer of DAM products his white paper, he did not go into great depth. I was nonetheless surprised that some people I was discussing the pros and cons of various platforms with, were unaware of the breadth of data collection options available. More shocking was a technical briefing with a vendor in the DAM space who did not appear to be aware of the limitations of their own technology choices … or at least they would not admit to it. Regardless, I thought it might be beneficial to examine the available options in a little greater detail, and talk about some of the pros and cons here. Database Audit Logs Summary: Database Audit Logs are, much like they sound, a log of database events that have already happened. The stream of data is typically sent to one or more files created by the database platform, and may reside at the operating system level or may be contained within the database itself. These audit logs contain a mixture of system resource recordings, transactional events, user events, system events, and other data definitions that are not available from other sources. The audit logs are a superset of activity. Logging can be implemented through an agent, or can be queried from the database using normal communication protocols. Strengths: Best source for accurate data, and the best at ascertaining the state of both data and the database. Breadth of information captured is by far the most complete: all statements are captured, along with trigger and stored procedure execution, batch jobs, system events, and other resource based data. Logs can capture many system events and DML statements that are not always visible through other collection methods. This should be considered one of the two essential methods of data collection for any DAM solution. Weaknesses: On some platforms the bind variables are not available, meaning that some of the query parameters are not stored with the original query, limiting the value of statement collection. This can be overcome by cross-referencing the transaction logs or, in some cases, the system tables for this information, but at a cost. Select statements are not available, and from a security standpoint, this is a major problem. Performance of the logging function itself can be prohibitive. Older versions of all the database platforms that offered native auditing did so at a very high cost in disk and CPU utilization- upwards of 50% on some platforms. While this has been mitigated to a more manageable percentage, if not properly set up, or if too much information is requested from high transaction rate machines, overhead can still creep over 15% unless carefully deployed. Not all system events are available. Network Monitoring Summary: This type of monitoring offers a way to collect SQL statements sent to the database. By monitoring the subnet, network mirror ports or TAPS, statements intended for a database platform can be ‘sniffed’ directly from the network. This method will capture the original statement, the parameters, and the returned status code, as well as any data that was returned as part of the query operation. Typically an appliance-based solution. Strengths: No performance impact to the database host, combined with the ability to collecting SQL statements. On legacy hardware, or where service level agreements prohibit any additional load being placed upon the database server, this is an excellent option. Simple and efficient method of collecting failed login activity. Solid, albeit niche applicability. Weaknesses: Misses console activity, specifically privileged user activity, against the database. As this is almost always a security and compliance requirement, this is a fundamental failing of this data collection method. Sniffers are typically blind to encrypted sessions, although this is still a seldom used feature within most enterprises, and not typically a limiting factor. Misses scheduled jobs that originate in the database. To save disk space, most do not collect the returned data, and some products do a poor job of matching failed status codes to triggering SQL statements. “You don’t know what you don’t know”, meaning that in cases where network traffic is missed, mis-read or dropped, there is no record of the activity. This contrasts with native database auditing where some of the information may be missing, but the activity itself will always be recorded. OS / Protocol Stack Monitoring Summary: This is available via agent software that captures statements sent to the databases, and the corresponding responses. The agents are deployed either in the network protocol stack, or embedded into the operating system to capture communications to and from the database. They see an external SQL query sent to the database, along with the associated parameters. These implementations tend to be reliable, and low-overhead, with good visibility into database activity. This should be considered a basic requirement for any DAM solution. Strengths: This is a low-impact way of capturing SQL statements and parameters sent to the database. What’s more, depending upon how they are implemented, agents may also see all console activity, thus addressing the primary weakness of network monitoring and a typical compliance requirement. They tend to, but do not always, see encrypted sessions as they are ‘above’ the encryption layer. Weaknesses: In rare cases, activity that occurs through management or OS interfaces is not collected, as the port and/or communication protocol varies and may not be monitored or understood by the agent. System Tables Summary: All database platforms store their configuration and state information within database structures. These structures are rich in information about who is using the database, permissions, resource usage, and other metadata. This monitoring can be implemented as an agent, or the information can be collected by a remote query. Strengths: For assessment, and for cross referencing status and user information in conjunction with other forms of monitoring. Weaknesses: Lacks much of the transactional information typically needed.

‘This story has it all … theft of State Department data, forged credit cards, multi-government branch conspiracy, and murdered suspects. Sounds like an afternoon soap opera more than a Stolen Passport Data story from the Washington Post: … On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law. Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications – and that four of the names on the passport applications matched the names on four of the credit cards … But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe … The passport applicant database, given the type, quality and quantity of data contained therein, is like winning the identity theft lottery. The State Department has some ‘splainin to do! Share:

Man, I love Halloween; it is the ultimate hacker holiday. When else do we have an excuse to build home animatronics, scare the pants off people, and pretend to be someone else (outside of a penetration test)? Last year I built something I called “The Hanging Man” using a microcontroller, some windshield wiper motors, wireless sensors, my (basic) home automation system, and streaming audio. When trick or treaters walked up to the house it would trigger a sensor, black out the front of the house, spotlight a hooded pirate hanging from a gallows, push out some audio of a screaming guy, drop him 15 feet so he was right over the visitors, and then slowly hoist him back up for the next group. This year Adrian and I were pretty slammed so I not only didn’t build anything new, I barely managed to pull the old stuff out. Heck, both of us have big parties, but due to overlapping travel we can’t even make it to each other’s events. But next year… next year I have plans. Diabolical plans… It was a relatively quiet week on the security front, with no major disasters or announcements. On the election front we’re already hearing reports of various voting machine failures, and some states are looking at pulling them altogether. Personally, I stick with mail in ballots. This year election day will be a bit surreal since I’ll be in Moscow for a speaking engagement, and likely won’t stay up to see who won (or whose lawyers start attacking first). While I’m in Moscow, Adrian will be speaking on the Information Centric Security Lifecycle in Chicago for the Information Security Magazine/TechTarget Information Security Decisions conference. I’m a bit sad I won’t be up there to see everyone, but it was impossible to turn down a trip to Moscow. So don’t forget to vote, please don’t hack the vote, and hopefully I won’t be kidnapped by the Russian Mafia next week… Webcasts, Podcasts, and Conferences: The Network Security Podcast, Episode 125. David Mortman joins us to talk about his new gig at Debix and a recent study they released on identity theft and children. I posted a pre-release draft of my next Dark Reading column The Security Pro’s Guide to Thriving in a Down Economy up on the Hackers for Charity Informer site. This is a subscription site many of us are supporting with exclusive and early content to help generate funds for HFC. And by posting, I helped feed a child in an underdeveloped country for a month… Favorite Securosis Posts: Rich: The Five Stage of Cloud Computing Grief. Seriously, this cloud stuff is getting over the top. Adrian: Seems that the people behind Arizona proposition 200 should be hauled in front of the FTC for misleading advertising; this is the most grotesque example I have seen on a state ballot measure. Favorite Outside Posts: Adrian: The Hoff has been on a roll lately, but the post that caught my attention was his discussion of the security and compliance shell game of avoidance through SaaS and ‘Cloud’ services. I mean, it doesn’t count if my sensitive data is in the cloud, right? Rich: Martin asks a simple and profound question. What the hell are you doing with those credit card numbers in the first place?!? (He used nicer words, but you get the point). Top News: What a shock, there’s a worm taking advantage of last week’s RPC flaw in Microsoft Windows. ICANN is going after a fraud-supporting domain name registrar in Estonia. Heck, I think we should go after criminal hosts more often. Maryland and Virginia are dropping electronic voting and going back to paper. Amrit on the 10th anniversary of the Digital Millennium Copyright Act. The DMCA has done more to stifle our rights than to actually protect content. On the positive side, the DMCA has actually somewhat helped website operators and hosts by offering some protection when they host infringing materials, since they have to respond to takedown notices, but aren’t otherwise penalized. A Facebook worm uses Google to get around Facebook security. Most of these sites are a mess because preventing user generated content from abusing other users is a very hard problem. Even when they bother to try. More voting machine idiocy. And here. Look folks, it isn’t like we don’t know how to manage these things. Walk into any casino and you’ll see highly secure interactive systems. Can you imagine how much fun Vegas would be if they treated the slots like we treat voting machines? Blog Comment of the Week: Dryden on The Five Stages of Cloud Computing Grief: My version: Denial: We can”t secure the cloud. Anger: Why the f&*k is my CIO telling me to secure the cloud? Bargaining: Can you please just tell me how you think we can secure the cloud?Depression: They”re deploying the cloud.Acceptance: We can”t secure the cloud. Disclaimer: “Cloud” can be replace with virtually (pun intended) any technology. See you all in 2 weeks… Share:

I was pretty honored a couple months ago when Johnny Long asked me to participate in a new project for Hackers for Charity called The HFC Security Informer. Johnny is a seriously cool guy who founded Hackers for Charity, which provides a mix of services and financial support in underdeveloped countries. I think most geeks that aren’t running evil botnets have a bit of altruism in them, and HFC is a great way we can use our technical backgrounds (and swag) to help out the rougher parts of the world. HFC runs with basically no funding- giving everything right to its target communities. To better support operations as it grows, Johnny created the HFC Informer- a subscription site with all sorts of behind the scenes content you can’t get anywhere else. This includes pre-release book chapters, discounts on books, exclusive content, and pre-release papers and posts from some of the top names in security… and the occasional lowly analyst. And every time someone contributes content, cash is donated to feed a child for a month. Yesterday I posted a pre-release (and pre-edited) version of my next Dark Reading column The Security Pro”s Guide To Thriving In A Down Economy. Please check it out, and other great content like Rsnake’s Clickjacking paper, and consider supporting HFC. Securosis is a firm believer in the project and we’re hoping to release more content on the HFC Informer, including some of our more in-depth whitepapers. Share:

As a security pro I tend to be a bit paranoid and cynical even outside the domain of technology. Heck, I can’t even get past a nice simple election without picking up on some interesting fraudulent twist. Last night my wife and I were filling out our absentee ballots; never an easy process here in Arizona. Oh, picking candidates is easy enough (Obama for me), but as far as I’m concerned all those ballot initiatives are one of the biggest frauds in our democratic system. I can’t even call it voting, so like any good security researcher I’ll make up a silly word and call it “photing”. Last election cycle we had two competing ballot measures to ban smoking- the real one, put together by a grass roots organization, and the fake one, which pretended to limit smoking but was sponsored by Philip Morris. The goal was simply to confuse the voters, perhaps passing both, and getting to fight it out in the courts. This year we have the worst case of photing I’ve seen since I cast my first ballot at the age of 18. Arizona is home to a ton of migrant labor, and in Phoenix you can’t go a block in certain parts of town without seeing those predatory PayDay loan outfits. A while back, the legislature temporarily suspended the law limiting usury short-term loans, creating this industry. People short on cash can get loans at ridiculous rates (up to 400%) to hold them over until their next paycheck… which clearly won’t go as far. This suspension is due to die in 2010, and the state legislature refuses to extend it. What’s an evil loan shark to do? I mean it isn’t like the voting public would support them? Thus was born Proposition 200 to “crack down on the PayDay loan industry”. There’s even a massive full-court-press ad campaign about how this will lock them down, keep them honest, and protect innocent kittens. One problem- the initiative, and the ad campaign to control these near-criminals, is nearly completely funded… by these even-nearer-criminals. Why? Because without this initiative, the entire industry will be shut down in 2010. Where are Joe Kennedy and Karl Rove when you need them? Share:

I’m very excited to announce a new project I’ve been working on for some time with Debix. Yesterday, they released a new study today on child identity theft. I was astounded to discover that on average one out of twenty kids has their identity compromised in some way before they reach adulthood. That’s essentially one kid in every classroom. And those kids had on average almost $12,800 of debt fraudulenly associated with them. Talk about a nightmare to clean up! Anyway, there are more details over on their blog which just happens to be written by your truly. I’d love to hear your comments either here or over there. Looking forward to hearing from you all. Share:

Denial: There is no cloud. Anger: Why the f&*k is this sales guy trying to sell me a cloud? Bargaining: Can you please just tell me what the f&^k your cloud is? Depression: The sales guy found my CIO. Now I have to by a cloud. Acceptance: There is no cloud. Share:

I don’t get it. I mean I really don’t get it. I can’t possibly imagine why it isn’t so obvious to everyone else!! Don’t you see what’s happening!!! Soylent Green is QSAs!!! One of the more frustrating aspects of our profession is the apparent lack of security prioritization by the rest of the world. We feel like we see things they don’t, and in that context many of their decisions make absolutely no sense. Are we just that much smarter than everyone else? Are they blindfully ignorant? Alan sums up our problem in his post on security gimmicks: Agree or disagree with the gimmicks. You have to ask yourself why. With all that we read and see about data breaches, with all of these compliance regulations and rules around, why can’t people take security seriously enough? Here is one man’s opinion. Security is a bad news generator of an industry. We focus on what happens when things go wrong. We focus on adding to the process. We don’t focus on the positive and the profitable. There is enough bad news in the world for people to focus on right now. They don’t want the bad news that security makes them confront. If we can figure out how to make security a way of bringing a message of good news, we wouldn’t need to resort to gimmicks. My position is a little more zen. Back in physical security/paramedic/firefighter/mountain rescue days I learned we all go through a process of dissociation with mainstream society. When all you see is nasty sh*t and dying people all day, every day, it’s hard to give a rat’s ass about someone getting the cold shoulder at the water cooler. The military, police, nurses, and many other professions suffer the same problem. In that world, there are two ways to handle it- shut up and deal, or isolate yourself into your chosen community. It’s no accident that so many cops are married to nurses. It’s pretty much the same deal for IT security, except we don’t have to wash blood off our shoes quite as often. We see the fragility and danger of our online economy and society. Stolen elections, rampant fraud, and pwned grandmothers. No website is safe, all PCs have trojans, and those damn Macs will all be compromised next week. We need to collectively chill out. Before we blow an aneurysm. As Marcus Ranum said (totally pissing me off because I didn’t say it first): Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is today. We need to do our best to communicate risks to the business and cost effectively keep those risks within tolerance. Then we clean up the mess if the business, after being well informed, decides to accept that risk. If we don’t take risks, we can’t possibly grow. No matter what someone tells us, we sometimes need to touch the hot stove and learn for ourselves. It’s human nature; don’t expect it to change. Security is only good news when it’s no news. Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communication up, you won’t get shafted with the proverbial short end. Don’t end up like I did in college- working as a full time medic on top of being a student wasn’t exactly conducive to my dating life. That uniform didn’t work nearly as well as I expected. (However, a black belt a few years later was very… effective). Share:

The Skype gods definitely worked against us last night as David Mortman from Debix joined us to to talk about a new study the released on identity theft and children. No, you’re 8 month old is stealing identities like I suspect that creepy kid from the ETrade commercials is, but due to both error and fraud a surprising number of children have financial histories they didn’t know about. We also discuss last week’s Microsoft emergency update, Bono frolicking on MySpace, and the usual TSA foibles. We had some audio issues today so we kept the podcast short to spare your ears as much as possible. The Network Security Podcast, Episode 125 Show Notes: Debix sponsored research into the problem of children and identity theft. They are also hosting a webcast with the FBI on Wednesday, October 29th, at 3pm CDT. Microsoft released an out of cycle patch for a critical vulnerability. Bono showed up on some girl’s MySpace page. Oops. At least he wasn’t driving drunk without underwear and with an infant in his lap, like the usual MySpace divas. Tonight’s music is courtesy of George Thorogood and the Destroyers. Share:

  I was amused today when I logged into my business account bank (Wells Fargo) and they had me set up a new set of security questions. The variety wasn’t bad and the questions were reasonably original. After setting them, I was asked to confirm my contact information. A few minutes later, I received this email: Thank you for taking the time to set up your security questions. If we ever need to confirm your identity, your ability to give the correct answers to these questions will help us verify it’s you. If you did NOT set up security questions recently, please call Wells Fargo Online Customer Service immediately at 1-800-956-4442. Please do not reply to this email. It went right to the email address I could have updated after setting up the security questions. Anyone else notice the problem? Now there’s a chance that had I changed the email address on that screen after the security questions, I would have received notification at the old address. As a test, I changed my email a couple of times using the regular interface- but no notifications yet. UPDATE: Got the email, but at the wrong account (the one I changed to, not from). Is this an exploitable security flaw? Nope, but it’s amusing for us paranoid/cynical types. (For the record, they’ve been a great bank for the business, no complaints at all.) Share: