Research

I was in Chicago this week for the Tech Target ISD event giving a presentation on Information Centric Security. Like most of the people who flew in from other parts of the country for this event, we were so focused on the election and getting out to vote before we flew in, that we completely missed the fact that Obama would be speaking about a mile from the Hyatt Regency at McCormick Place. Most of us simply forgot that this was Obama’s home, and that Grant Park would be the likely place for any speeches that were to be given. Dave Mortman was kind enough to show Adam Dodge, Andy the IT Guy, and myself around, and take us to dinner at the Russian Tea Room off Adams street. When we were done with dinner around 8:30, we wandered over to Michigan Avenue for some people watching. The crowd was just starting to build, with thousands of people walking down the street to the entrances of Grant Park. While early, there was no doubt about the outcome for the attendees at this point. The most amazing thing was the sense of energy and genuine elation in the crowd as they walked down the street. Not the wild frenzy you get in New York when the Yankees win a pendant, but more a feeling of relief and joy than anything else. We booked it back to the Hyatt and watched the election results, and Obama’s subsequent speech, on television before calling it a night. I am very glad that I got a chance to be there, albeit on the periphery, as the mood & energy of that crowd was something I have never experienced before. All in all a very nice trip, and hats off to the Tech Target team for putting on such a well run, professional event. The only downside of the whole week was my Southwest flight having to make an unscheduled stop due to running out of fuel(!!!!), and having to present opposite Captain Virtualization on Wednesday morning. Oh, one minor point of interest. While I was at the Hyatt, I noticed that the hotel has a new revenue model: Tel-evator. This is a little marketing device television that they are putting into the elevators to deliver targeted marketing to conference attendees while they take the ride to and from their rooms. Being a security guy, as well as someone who gets annoyed at marketing messages constantly shoved at me, I was thinking “how could I hack this”. In the one minute ride I got as far as determining these little devices are nothing more than laptops running Windows Vista, with content being pushed over the 802.11 wireless connection, before I had to go to the conference. That night when returning to my room, I saw that someone else had the same idea. The ‘Tel-evator’ was now at an MS-DOS prompt, running a script, before rebooting into Vista. Beaten to the punch I guess. If you were the one who hacked the system, shoot me an email and let me know what you found. It was a relatively quiet week on the security front, with no major disasters or announcements. And from what I hear, Comrade Mogull is alive and well. Webcasts, Podcasts, and Conferences: Rich is giving a presentation at a conference in Moscow this week. I was in Chicago at the TechTarget ISD event giving a presentation on the Information Centric Security Lifecycle. Favorite Securosis Posts: Rich: Somehow he manges to work scales, skeletons and Barbie into this discussion on the effect of publicly available personal information, in the future of privacy and politics post. Adrian: It’s long, but there is plenty of food for thought in the DAM: Event Collection Options post. Favorite Outside Posts: Adrian: The original reports of Mike Rothman being MIA, and subsequent rumored sighting of him at a Jimmy Buffet concert walking around in a giant foam parrot suit are unfounded. Eyewitness accounts place him in Chicago this week at the ISD conference. While the parrot suit might have been more flattering than the eIQ polo shirt he was seen wearing, Mike’s health and well being are no longer in doubt. Rich: No reason to dance around it; browser security is pretty bad. Jeremiah discusses a rational and pragmatic approach to addressing Browser Security issues from both the outside and the inside. Top News: Obviously the big news this week is Obama winning the election, and his process of filling out his staff and devising an economic plan to turn the economy around. The economy is still plunging, and despite falling oil prices, we are seeing stocks continue to fall. Craigslist comes of age. Interesting piece on Express Scripts receiving an extortion threat from unknown parties who breached their database. Just ran across this article on CNET about WPA being cracked. Don’t know if this is legit yet. [Pepper adds: Check out Glenn Fleishman’s analysis at Ars Technica] Blog Comment of the Week: Tod on the Felon Database post: “You know that Felonspy.com is a joke, right? More specifically, it’s almost certainly political satire of the sex offender databases.” I do now, Tod- I do now. Share:

Most of you probably have a friend like mine, someone who forward you every joke, video and picture they find amusing to their friends list. Sometimes humorous, I still look through all of the emails. Buried in the daily offering was the following link for a site called FelonSpy that I found somewhat fascinating. It was kind of like a reality TV show; insipid, but just different enough I had to check it out. First thing I have to mention is that the data is bogus. Click the ‘Search’ button a few times in a row with the same address and you will see that the graphs are random. I have felons appearing and then disappearing on raw BLM land down the road from me. And if you change the address often enough, you will see the same names and crimes appear over and over in different states. Whatever the real case is, this explanation is bull$!^#, and makes me believe that the entire site is bogus. Still, if the data was real, do you think this is a valuable tool? Would it help you with safety and security? Being someone who had a recent event that has changed my approach to personal safety, this sort of thing is on my mind. Part of me thinks that this type of education helps people plan ahead and react to threats around them. But once it became obvious the data was bogus, I started thinking about people I knew in my area that had criminal backgrounds; the startling discovery that half of the people I know who have criminal backgrounds are some of the nicest and most trustworthy people I know in the area! Some I don’t trust, most I do, which is a slightly better percentage than when I meet random strangers in public. It seems to me this type of technology blindly creates a virtual scarlet letter of sorts, and is an unreliable indicator of good or bad. It probably does not help anyone be more secure- instead listing events that feed paranoia and fear, but still inadequate to make any sort of valid assessment. Share:

Way back in November of 2006 I wrote a post on the impact of our electronic personas on the political process. I was thinking about re-writing the post, but after reviewing it realized the situation is the exact same two years later… if not a bit worse. As a generation raised on MySpace, FaceBook, and other social media starts becoming the candidates, rather than the electorate, I think we will see profound changes in our political process. I’m off in Moscow so I’m pre-posting this, and for all I know the election is in the midst of a complete meltdown right now. Here again, for your reading pleasure, is the text of the original post: As the silly season comes to a close with today’s election (at least for, like, a week or so) there’s a change to the political process I’ve been thinking about a lot. And it’s not e-voting, election fraud, or other issues we’ve occasionally discussed. On this site (and others) we’ve discussed the ongoing erosion of personal privacy. More of our personal information is publicly available, or stored in private databases unlocked with a $ shaped key, than society has ever experienced before. This combines with a phenomena I call “The Long Archive”- where every piece of data, of value or not, is essentially stored for eternity (unless, of course, you’re in a disaster recovery situation). Archived web pages, blog posts, emails, newsgroup posts, MySpace profiles, FaceBook pages, school papers, phone calls, calendar entries, credit card purchases, Amazon orders, Google searches, and … Think about it. If only 2% of our online lives actually survives indefinitely, the mass of data is astounding. What does this have to do with politics? The current election climate could be described as mass media shit-slinging. Our current crop of elected officials, of either party, survives mostly on their ability to find crap on their opponent while hiding their own stinkers. Historically, positive electioneering is a relative rarity in the American political system. We, as a voting public, seem to desire pristine Ken dolls we can relate to over issues-focused candidates. No, not all the time, but often enough that negative campaigning shows real returns. But the next generation of politicians are growing up online, with their entire lives stored on hard drives. From school papers, to medical records, to personal communications, to web activity, chat logs (kept by a “trusted” friend) and personal blogs filled with previously private musings. It’s all there. And no one knows for how long; not really. No one knows what will survive, what will fade, but all of it has the potential to be available for future opponent research. I’m a bit older, but there’s still an incredible archive of information out there on me, including some old newsgroup posts I’m not all that proud of (nothing crazy, but I am a bit of a geek). Maybe even remnants of ugly breakups with ex-girlfriends or rants never meant for public daylight. Never mind my financial records (missed taxes one year, but did make up for it) and such. In short, there’s no way I could run for any significant office without an incredibly thick skin. Anyone who started high school after, say, 1997 is probably in an even more compromising position. Anyone in the MySpace/FaceBook groups are even worse off. With so much information, on so many people, there’s no way it won’t change politics. I see three main options: We continue to look for “clean” candidates- thus those with limited to no online records. Only those who have disengaged from modern society, and are thus probably not fit for public leadership, will run for public office. The “Barbie and Ken” option. We, as society, accept that everyone has skeletons, everyone makes mistakes, and begin to judge candidates on their progression through those mistakes or ability to spin them in the media of the day. We still judge on personality over issues. The “Oprah/Dr. Phil” option. We focus on candidate’s articulations of the issues, and place less of an emphasis on a perfect past or personality. The “Issues-oriented” option. We weigh all the crap on two big scales. Whoever comes out slightly lighter, perhaps with a sprinkling of issues, wins. The “Scales of Shit” option. Realistically we’ll see a combination of all the above, but my biggest concern is how will this affect the quality of candidates? We, as a society, already complain over a lack of good options. We’re limited to those with either a drive for power, or a desire for public good, so strong that they’re willing to peel open their lives in a public vivisection every election cycle. When every purchase you’re ever made, email, IM or SMS, blog post, blog comment, social bookmark, WhateverSpace page, public record, and medical record becomes open season, who will be willing to undergo such embarrassing scrutiny? Will anyone run for office for anything other than raw greed? Or will we, as a society, change the standards by which we judge our elected officials. I don’t know. But I do know society, and politics, will experience a painful transition as we truly enter the information society. Share:

‘During several recent briefings, chats with customers, and discussions with existing clients, the topic of data collections methods for Database Activity Monitoring has come up. While Rich provided a good overview for the general buyer of DAM products his white paper, he did not go into great depth. I was nonetheless surprised that some people I was discussing the pros and cons of various platforms with, were unaware of the breadth of data collection options available. More shocking was a technical briefing with a vendor in the DAM space who did not appear to be aware of the limitations of their own technology choices … or at least they would not admit to it. Regardless, I thought it might be beneficial to examine the available options in a little greater detail, and talk about some of the pros and cons here. Database Audit Logs Summary: Database Audit Logs are, much like they sound, a log of database events that have already happened. The stream of data is typically sent to one or more files created by the database platform, and may reside at the operating system level or may be contained within the database itself. These audit logs contain a mixture of system resource recordings, transactional events, user events, system events, and other data definitions that are not available from other sources. The audit logs are a superset of activity. Logging can be implemented through an agent, or can be queried from the database using normal communication protocols. Strengths: Best source for accurate data, and the best at ascertaining the state of both data and the database. Breadth of information captured is by far the most complete: all statements are captured, along with trigger and stored procedure execution, batch jobs, system events, and other resource based data. Logs can capture many system events and DML statements that are not always visible through other collection methods. This should be considered one of the two essential methods of data collection for any DAM solution. Weaknesses: On some platforms the bind variables are not available, meaning that some of the query parameters are not stored with the original query, limiting the value of statement collection. This can be overcome by cross-referencing the transaction logs or, in some cases, the system tables for this information, but at a cost. Select statements are not available, and from a security standpoint, this is a major problem. Performance of the logging function itself can be prohibitive. Older versions of all the database platforms that offered native auditing did so at a very high cost in disk and CPU utilization- upwards of 50% on some platforms. While this has been mitigated to a more manageable percentage, if not properly set up, or if too much information is requested from high transaction rate machines, overhead can still creep over 15% unless carefully deployed. Not all system events are available. Network Monitoring Summary: This type of monitoring offers a way to collect SQL statements sent to the database. By monitoring the subnet, network mirror ports or TAPS, statements intended for a database platform can be ‘sniffed’ directly from the network. This method will capture the original statement, the parameters, and the returned status code, as well as any data that was returned as part of the query operation. Typically an appliance-based solution. Strengths: No performance impact to the database host, combined with the ability to collecting SQL statements. On legacy hardware, or where service level agreements prohibit any additional load being placed upon the database server, this is an excellent option. Simple and efficient method of collecting failed login activity. Solid, albeit niche applicability. Weaknesses: Misses console activity, specifically privileged user activity, against the database. As this is almost always a security and compliance requirement, this is a fundamental failing of this data collection method. Sniffers are typically blind to encrypted sessions, although this is still a seldom used feature within most enterprises, and not typically a limiting factor. Misses scheduled jobs that originate in the database. To save disk space, most do not collect the returned data, and some products do a poor job of matching failed status codes to triggering SQL statements. “You don’t know what you don’t know”, meaning that in cases where network traffic is missed, mis-read or dropped, there is no record of the activity. This contrasts with native database auditing where some of the information may be missing, but the activity itself will always be recorded. OS / Protocol Stack Monitoring Summary: This is available via agent software that captures statements sent to the databases, and the corresponding responses. The agents are deployed either in the network protocol stack, or embedded into the operating system to capture communications to and from the database. They see an external SQL query sent to the database, along with the associated parameters. These implementations tend to be reliable, and low-overhead, with good visibility into database activity. This should be considered a basic requirement for any DAM solution. Strengths: This is a low-impact way of capturing SQL statements and parameters sent to the database. What’s more, depending upon how they are implemented, agents may also see all console activity, thus addressing the primary weakness of network monitoring and a typical compliance requirement. They tend to, but do not always, see encrypted sessions as they are ‘above’ the encryption layer. Weaknesses: In rare cases, activity that occurs through management or OS interfaces is not collected, as the port and/or communication protocol varies and may not be monitored or understood by the agent. System Tables Summary: All database platforms store their configuration and state information within database structures. These structures are rich in information about who is using the database, permissions, resource usage, and other metadata. This monitoring can be implemented as an agent, or the information can be collected by a remote query. Strengths: For assessment, and for cross referencing status and user information in conjunction with other forms of monitoring. Weaknesses: Lacks much of the transactional information typically needed.

‘This story has it all … theft of State Department data, forged credit cards, multi-government branch conspiracy, and murdered suspects. Sounds like an afternoon soap opera more than a Stolen Passport Data story from the Washington Post: … On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law. Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications – and that four of the names on the passport applications matched the names on four of the credit cards … But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe … The passport applicant database, given the type, quality and quantity of data contained therein, is like winning the identity theft lottery. The State Department has some ‘splainin to do! Share:

Man, I love Halloween; it is the ultimate hacker holiday. When else do we have an excuse to build home animatronics, scare the pants off people, and pretend to be someone else (outside of a penetration test)? Last year I built something I called “The Hanging Man” using a microcontroller, some windshield wiper motors, wireless sensors, my (basic) home automation system, and streaming audio. When trick or treaters walked up to the house it would trigger a sensor, black out the front of the house, spotlight a hooded pirate hanging from a gallows, push out some audio of a screaming guy, drop him 15 feet so he was right over the visitors, and then slowly hoist him back up for the next group. This year Adrian and I were pretty slammed so I not only didn’t build anything new, I barely managed to pull the old stuff out. Heck, both of us have big parties, but due to overlapping travel we can’t even make it to each other’s events. But next year… next year I have plans. Diabolical plans… It was a relatively quiet week on the security front, with no major disasters or announcements. On the election front we’re already hearing reports of various voting machine failures, and some states are looking at pulling them altogether. Personally, I stick with mail in ballots. This year election day will be a bit surreal since I’ll be in Moscow for a speaking engagement, and likely won’t stay up to see who won (or whose lawyers start attacking first). While I’m in Moscow, Adrian will be speaking on the Information Centric Security Lifecycle in Chicago for the Information Security Magazine/TechTarget Information Security Decisions conference. I’m a bit sad I won’t be up there to see everyone, but it was impossible to turn down a trip to Moscow. So don’t forget to vote, please don’t hack the vote, and hopefully I won’t be kidnapped by the Russian Mafia next week… Webcasts, Podcasts, and Conferences: The Network Security Podcast, Episode 125. David Mortman joins us to talk about his new gig at Debix and a recent study they released on identity theft and children. I posted a pre-release draft of my next Dark Reading column The Security Pro’s Guide to Thriving in a Down Economy up on the Hackers for Charity Informer site. This is a subscription site many of us are supporting with exclusive and early content to help generate funds for HFC. And by posting, I helped feed a child in an underdeveloped country for a month… Favorite Securosis Posts: Rich: The Five Stage of Cloud Computing Grief. Seriously, this cloud stuff is getting over the top. Adrian: Seems that the people behind Arizona proposition 200 should be hauled in front of the FTC for misleading advertising; this is the most grotesque example I have seen on a state ballot measure. Favorite Outside Posts: Adrian: The Hoff has been on a roll lately, but the post that caught my attention was his discussion of the security and compliance shell game of avoidance through SaaS and ‘Cloud’ services. I mean, it doesn’t count if my sensitive data is in the cloud, right? Rich: Martin asks a simple and profound question. What the hell are you doing with those credit card numbers in the first place?!? (He used nicer words, but you get the point). Top News: What a shock, there’s a worm taking advantage of last week’s RPC flaw in Microsoft Windows. ICANN is going after a fraud-supporting domain name registrar in Estonia. Heck, I think we should go after criminal hosts more often. Maryland and Virginia are dropping electronic voting and going back to paper. Amrit on the 10th anniversary of the Digital Millennium Copyright Act. The DMCA has done more to stifle our rights than to actually protect content. On the positive side, the DMCA has actually somewhat helped website operators and hosts by offering some protection when they host infringing materials, since they have to respond to takedown notices, but aren’t otherwise penalized. A Facebook worm uses Google to get around Facebook security. Most of these sites are a mess because preventing user generated content from abusing other users is a very hard problem. Even when they bother to try. More voting machine idiocy. And here. Look folks, it isn’t like we don’t know how to manage these things. Walk into any casino and you’ll see highly secure interactive systems. Can you imagine how much fun Vegas would be if they treated the slots like we treat voting machines? Blog Comment of the Week: Dryden on The Five Stages of Cloud Computing Grief: My version: Denial: We can”t secure the cloud. Anger: Why the f&*k is my CIO telling me to secure the cloud? Bargaining: Can you please just tell me how you think we can secure the cloud?Depression: They”re deploying the cloud.Acceptance: We can”t secure the cloud. Disclaimer: “Cloud” can be replace with virtually (pun intended) any technology. See you all in 2 weeks… Share:

I was pretty honored a couple months ago when Johnny Long asked me to participate in a new project for Hackers for Charity called The HFC Security Informer. Johnny is a seriously cool guy who founded Hackers for Charity, which provides a mix of services and financial support in underdeveloped countries. I think most geeks that aren’t running evil botnets have a bit of altruism in them, and HFC is a great way we can use our technical backgrounds (and swag) to help out the rougher parts of the world. HFC runs with basically no funding- giving everything right to its target communities. To better support operations as it grows, Johnny created the HFC Informer- a subscription site with all sorts of behind the scenes content you can’t get anywhere else. This includes pre-release book chapters, discounts on books, exclusive content, and pre-release papers and posts from some of the top names in security… and the occasional lowly analyst. And every time someone contributes content, cash is donated to feed a child for a month. Yesterday I posted a pre-release (and pre-edited) version of my next Dark Reading column The Security Pro”s Guide To Thriving In A Down Economy. Please check it out, and other great content like Rsnake’s Clickjacking paper, and consider supporting HFC. Securosis is a firm believer in the project and we’re hoping to release more content on the HFC Informer, including some of our more in-depth whitepapers. Share:

As a security pro I tend to be a bit paranoid and cynical even outside the domain of technology. Heck, I can’t even get past a nice simple election without picking up on some interesting fraudulent twist. Last night my wife and I were filling out our absentee ballots; never an easy process here in Arizona. Oh, picking candidates is easy enough (Obama for me), but as far as I’m concerned all those ballot initiatives are one of the biggest frauds in our democratic system. I can’t even call it voting, so like any good security researcher I’ll make up a silly word and call it “photing”. Last election cycle we had two competing ballot measures to ban smoking- the real one, put together by a grass roots organization, and the fake one, which pretended to limit smoking but was sponsored by Philip Morris. The goal was simply to confuse the voters, perhaps passing both, and getting to fight it out in the courts. This year we have the worst case of photing I’ve seen since I cast my first ballot at the age of 18. Arizona is home to a ton of migrant labor, and in Phoenix you can’t go a block in certain parts of town without seeing those predatory PayDay loan outfits. A while back, the legislature temporarily suspended the law limiting usury short-term loans, creating this industry. People short on cash can get loans at ridiculous rates (up to 400%) to hold them over until their next paycheck… which clearly won’t go as far. This suspension is due to die in 2010, and the state legislature refuses to extend it. What’s an evil loan shark to do? I mean it isn’t like the voting public would support them? Thus was born Proposition 200 to “crack down on the PayDay loan industry”. There’s even a massive full-court-press ad campaign about how this will lock them down, keep them honest, and protect innocent kittens. One problem- the initiative, and the ad campaign to control these near-criminals, is nearly completely funded… by these even-nearer-criminals. Why? Because without this initiative, the entire industry will be shut down in 2010. Where are Joe Kennedy and Karl Rove when you need them? Share:

I’m very excited to announce a new project I’ve been working on for some time with Debix. Yesterday, they released a new study today on child identity theft. I was astounded to discover that on average one out of twenty kids has their identity compromised in some way before they reach adulthood. That’s essentially one kid in every classroom. And those kids had on average almost $12,800 of debt fraudulenly associated with them. Talk about a nightmare to clean up! Anyway, there are more details over on their blog which just happens to be written by your truly. I’d love to hear your comments either here or over there. Looking forward to hearing from you all. Share:

Denial: There is no cloud. Anger: Why the f&*k is this sales guy trying to sell me a cloud? Bargaining: Can you please just tell me what the f&^k your cloud is? Depression: The sales guy found my CIO. Now I have to by a cloud. Acceptance: There is no cloud. Share: