Research

In the last post on Email Security, I commented on how easy it was to add outsourced email security services onto your existing email security deployment. That adding on an extra layer of anti-spam filtering on top of what you have not only provides an increase in the effectiveness of filtering, but also reduced the processing load on your existing hardware. But email security service vendors have been adding outbound email, data and web security offerings to their portfolio on top of their existing offerings, and these services solve different problems and offer different value propositions. Most companies I speak with state that 95~97% of the email that hits their servers are spam. A large percentage contain viruses, spyware and inappropriate content. The switch is cost effective and ‘painless’ in terms of administration and maintenance, and the large service providers tend to have very current and effective solutions. But it is worth noting that the problem you are solving is not protecting sensitive corporate information, rather keeping garbage out of your system. If you don’t see spam and your computers have not been infected, you have been successful. From the customer’s perspective, outbound email security offers many of the same advantages as inbound. As most companies have a very positive experience with inbound service, adoption of an outbound email security service is a natural extension of those advantages you enjoy today. It takes very little work to route your outbound email to a third party provider. These providers offer a canned set of security policies out of the box so you can be up and running in minutes, in conjunction with well designed web interfaces to customize and tune email (or even web security) policies. But the problem being set being addressed is very different; intellectual property leakage, use of private customer information, inappropriate content, violation of corporate policies and even bot-net detection. These problems are more complex and require policy and system verification. Just because you outsourced the operation does not mean you removed the responsibility of audit and security verification of the system itself. Specifically what do I mean by that? If all of your corporate correspondence is being routed through a third party provider, you need to make sure that they are secure, and their policies are in line with yours. Remember, the information you are sending out is all of your corporate email, your policies for enforcement, and possibly all of the web browsing history. The service providers offer ad-on email retention services for ‘compliance’, but as some of the data is stored for their own backup and recovery processes, your data will be stored for some period of time. How is privacy maintained? Who has access to the data? Is there verification of integrity? When and how is the data disposed? What the vendor will be selling you is the filtering service, the administrative interface, and the storage. What you need to ask for is their security policy, their data retention & data destruction policies, and audit reports for changes in permissions, data access and alterations to your data. The vendor will provide you a report on what was filtered and blocked according to policy; in addition you need reports on the operational controls around the system. If these services are being marketed to you as ‘must-have’ for compliance, then the vendor must be able to provide their own policies and audit trail of their service. The vendor will need to provide some degree of transparency both to their methods and processes in general, but specifics on who or what has access to your data. I know a lot of this sounds incredibly obvious, but I have yet to run across a company who has requested this information from their outbound email security provider. Share:

I was catching up with Rob Newby’s blog and this post on dealing with security policies vs. standards/processes caught my eye. Although policies form the foundation for our security programs (at least they should), I find that more often than not they are completely misused by many of my clients. While I’ve noticed definite improvement over the past few years, I still often walk into organizations and see big 3 inch binders full of their security policies. Rob does a great job of breaking these out, but I’d like to take it a step further. I’m going to dig into some nitty-gritty details, but feel free to skip to the end where I tell you why none of this parsing of language matters much. Here’s how I like to divide up the world of security gove ance documentation:200810071218.jpg Policies are high-level strategic governance with executive sponsorship. Policies should be short and to the point, since those who sign off on them don’t need to know the technical details. An example might be, “we shall monitor all database activity based on the sensitivity of the data and legal or contractual requirements”. Keep in mind, that since policies should be signed off by senior management you want to keep them generic enough that you don’t have to go back to the CEO/CIO/CFO/COO every time you want to change a firewall configuration or AV product. The next layer down are the high-level tactical documentations- plans and standards. The security plan is how you intend on achieving the policy, but it’s still not at the level of specific steps. Keeping with our policy above, the plan would specify the contractual requirements, basic data classification, which activity will be monitored, and so on. While plans define how security will do things, standards define how everyone else has to do things. Below that are your specific implementation documentations- processes, guidelines, and procedures. Here’s where you get into the bitty-gritty of actual implementation and step by step guides. A process is a repeatable series of steps to achieve an objective, while procedures are the specific things you do at each of those steps. Keeping with out example above, the process would define how monitoring occurs (e.g. third party DAM tool), and the procedure is which bits to flip within the tool. Yeah, I think that’s a whole lot of paper and a huge time sink myself. Here’s a slightly more pragmatic, and somewhat repetitive, way of looking at things: Policies are still high level strategic governance with executive sponsorship; that never changes. Short and sweet since it makes it easier to get them approved, and you want o have to change them as little as possible. I don’t really care what you call below that, but you should have a security plan for implementing your policies. Plans are managed at the CISO or security director level (whoever is in charge) and change more frequently. You don’t want to have to go to the CEO to change your plans. At this layer you also have your standards- which, if you think about it, is the next layer of gove ance. CEOs sign off on policies, and CISOs sign off on standards. Below that is where you detail how the heck you’ll accomplish all this gove ance. You document processes, list our procedures, and issue guidelines and configuration standards. This stuff will change all the time, and shouldn’t necessarily need the CISO to sign off on it unless it breaks with the layer above. The simpler the better, but if you don’t write this stuff down in an organized way you’ll eventually pay the price. By breaking it down into these three main layers, you can more easily change both the minutiae and the big picture as you adapt to changing conditions. Share:

Looks like the cat is out of the bag. Someone managed to figure out the details of clickjacking and released a proof of concept against Flash. With the information out in public, Jeremiah and Robert are free to discuss it. I highly recommend you read Robert’s post, and I won’t try and replicate the content. Rather, I’d like to add a little analysis. As I’ll spell out later, this is a serious browser flaw (phishers will have a field day), but in the big picture of risk it’s only moderate. Clickjacking allows someone to place an invisible link/button below your mouse as you browse a regular page. You think you’re clicking on a regular link, but really you are clicking someplace the attacker controls that’s hidden from you. Why is this important? Because it allows the attacker to force you to interact with something without your knowledge on a page other than the one you’ve been looking at. For example, they can hide a Flash application that follows your mouse around, and when you go to click a link it starts recording audio off your microphone. We have protections in browsers to prevent someone from automatically initiating certain actions. Also, many websites rely on you manually pressing buttons for actions like transferring large sums of money out of your bank account. There are two sides to look at this exploitation- user and website owner. As a user, if you visit a malicious site (either a bad guy site, or a regular site that’s been hit with cross site scripting), the attacker can force you to take a very large range of actions. Anytime you click something, the attacker can redirect that click to the destination of their choice in the context of you as a user. That’s the important part here- it’s like cross site request forgery (really, an enhancement of it) that not only gets you to click, but to execute actions as yourself. That’s why they can get you to approve Flash applications you might not normally allow, or to perform actions on other sites in the background. As with CSRF, if you are logged in someplace the attacker can now do whatever the heck they want as long as they know the XY coordinates of what they want you to click. As a website owner, clickjacking destroys yet more browser trust. When designing web applications (which used to be my job) we often rely on site elements that require manual mouse clicks to submit forms and such. As Robert (Rsnake) explains in his post, with clickjacking an attacker can circumvent nonces (a random code added to every form so the website knows you clicked submit from that page, and didn’t just try to submit the form without visiting the page, a common attack technique). Clickjacking can be used to do a lot of different things- launching Flash or CSRF are only the tip of the iceberg. It relies heavily on iFrames, which are so pervasive we can’t just rip them out. Sure, I turn them off in my browser, but the economics prevent us from doing that on a wide scale (especially since all the advertisers- e.g. Google/Yahoo/MS, will likely fight it). Clickjacking is very difficult to eliminate, although we can reduce its risk under certain circumstances. Because it doesn’t even rely on JavaScript and works with CSS/DHTML, it will take a lot of time, effort, and thought to eliminate. The fixes generally break other things. After spending some time talking with Robert about it, I’d rate clickjacking as a serious web browser issue (it isn’t quite a traditional vulnerability), but only a moderate risk overall. It will be especially useful for phishers who draw unsuspecting users to their sites, or when they XSS a trusted site (which seems to be happening WAY too often). Here’s how to reduce your risk as a user: Use Firefox/NoScript and check the setting to restrict iFrames. Don’t stay logged in to sensitive sites if you are browsing around (e.g., your bank, Amazon, etc.). Use something like 1Password or RoboForm to make your life easier when you have to enter passwords. Use different browsers for different things, as I wrote about here. At a minimum, dedicate one browser just for your bank. As a website operator, you can also reduce risks: Use iFrame busting code as much as possible (yes, that’s a tall order). For major transactions, require user interaction other than a click. For example, my bank always requires a PIN no matter what. An attacker may control my click, but can’t force that PIN entry. Mangle/generate URLs. If the URL varies per transaction, the attacker won’t necessarily be able to force a click on that page. Robert lays it out: From an attacker”s perspective the most important thing is that a) they know where to click and b) they know the URL of the page they want you to click, in the case of cross domain access. So if either one of these two requirements aren”t met, the attack falls down. Frame busting code is the best defense if you run web-servers, if it works (and in our tests it doesn’t always work). I should note some people have mentioned security=restricted as a way to break frame busting code, and that is true, although it also fails to send cookies, which might break any significant attacks against most sites that check credentials. Robert and Jeremiah have been very clear that this is bad, but not world-ending. They never meant for it to get so hyped, but Adobe’s last-minute request to not release caught them off guard. I spent some time talking with Robert about this in private and kept feeling like I was falling down the rabbit hole- every time I tried to think of an easy fix, there was another problem or potential consequence, in large part because we rely on the same mechanisms as clickjacking for normal website usability. Share:

Say you are an on-line retailer: Do you ever check to make sure your web site functions? If you don’t, start! Here are a few examples of why this is a good idea: Failure 1: When you email out a promotional flier to your user community, but the promotional form rejects the user login because the user email account you mailed the flyer to cannot be found in your database, odds are your sales response is not going to meet expectations. Failure 2: When you on line order form rejects purchases because the zip code does not match the state, but your web form lacks an entry for state, odds are your sales response is going to be nil. State of confusion … Failure 3: When your customer wants to do you the courtesy of pointing out some flaws that may limit revenue, the form you ask the customers to fill out should actually exist. Presenting potential customers with a FAQ when they click a form submission link is in essence telling them ‘RTFM!’, and a great way to alienate your want-to-be-buyers. When you are in a highly competitive market segment, you really want to check your web site for obvious bugs before the last day of the quarter. Wake up Parallels!!! P.S. I should say that if it was not for an exceptionally nice sales rep named Melinda, this effort would have been abandoned. Share:

The Securosis team is attempting to regroup and prepare for a busy Q4. It took three full days, but I am fully migrated into the Mac Universe and engaged in a couple of research projects. Now productive, I can finally start work on a couple research projects. Rich has left HQ in search of coffee, quiet and a security muse while he catches up on writing projects and white papers. But even though we have a short term ban on travel and conferences, there is a lot to talk about. Here is our summary of this weeks blogs, news and events. Webcasts, Podcasts, and Conferences: This week on the Network Security Podcast 123, guests Robert “Rsnake” Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security as they discuss their new clickjacking exploit. Favorite Securosis Posts: Rich: Impact of the Economic Crisis on Security. It doesn’t matter if you are a vendor or practitioner, we’ll feel the effects of this crisis, but in a predictable way. Adrian: Email Security. It’s getting cheaper, faster and easier to implement, but with some potential privacy issues depending on how you go about it. Favorite Outside Posts: Adrian: Brian Krebs post on lawsuits against ‘Scareware Purveyors’. Finally. Infecting someone’s machine with spyware and using it as a marketing and sales conduit is akin to stealing in my book. Now if they would only go after the purveyors of this scare tactic. Rich: Fyodor explains (probably) the looming TCP attack. Fyodor, creator of NMAP, does an excellent job of explaining how the big TCP DoS attack likely works. Top News: The recovery bill. Law makers look panicked, and the market goes down every time they get close to a ‘solution’. The TCP Denial of Service attack. Nothing to panic about, and we’ll write more on it, but very interesting. Blog Comment of the Week: Chris Pepper’s comment on Rich’s “Statistical Distractions” post: [snip]… I refuse to use unencrypted email, but that”s to the SMTP/IMAP/POP/webmail server. But for email we have to keep in mind that the second hop – to the destination SMTP server – is almost always plaintext (unencrypted SMTP). So it’s more about protecting the account credentials than about protecting the email itself, but someone gaining full access to my whole multi-gigabyte mail store would really really suck. …[/snip] Now, I am off to The Office for the Securosis weekly staff meeting. We hope you all have a great weekend. Share:

There’s been a bunch of new information coming out the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are: Fyodor’s discussion of either the same, or a similar issue. Richard Bejtlich’s overview. Rob Graham’s take on the potential attack. Here’s what I think you need to know: It is almost certainly real. Using this technique, and attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (which could trash the host OS). Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack. This is the kind of thing we should be able to filter, once our defenses are updated. In other words- a bad attack, but a moderate risk. That said, there are aspects of this that still concern me and we need to keep in mind: We don’t know if our assumptions are correct. This could be a different, and much more serious, technique. Such as something spoofable. Unlikely, but possible. Nothing says a botnet can’t use this- and thus make filtering and tracing a real pain. Imagine a botnet rotating this attack technique around to different nodes. It could support more efficient botnet attacks, that could then drop to regular flood mode if it doesn’t think the more efficient direct mode is working. We don’t know it doesn’t do something to the router infrastructure or passive monitoring. Again, unlikely based on the information released, but I’d hate to dismiss this as concerning until we know more. Until there’s some sort of fix, the Defcon network and coffee shops near universities are really going to suck. Until this is fixed, small businesses and individuals are the most likely to suffer. An enterprise might be able to detect and drop an attack like this, but individual users and small business don’t have the resources. Get ready for vendor pouncing. Share:

Yesterday, following up after recording the podcast on clickjacking, I was talking with Robert Hansen about the TCP flaw some contacts of his found over in Sweden. He wrote it up in his column on Dark Reading, and Dennis Fisher over at TechTarget also has some information up. Basically, it’s massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. Codified in a tool called “Sockstress”, Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention. I can’t but help think it’s because they are with a smaller company in Sweden; had this fallen into the hands of one of the major US vendors/labs methinks the alarm bells would be ringing a tad louder. From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection). Robert and Jack are trying to report and disclose responsibly, and I sure as heck hope the vendors are listening. Now might be the time for you big end users to start asking them questions about this. It’s hard to block an attack when it takes down your firewall, IPS, and the routers connecting everything. One interesting tidbit- since this is in TCP, it also affects IPv6. Share:

Greg Young over at Gartner has a humorous post on possibly the best way to make money in network security- the “Security Silly Jar”. Just drop in a quarter anytime someone says something stupid from the list. My favorite is number 9: 9. software can”t be secure. Could you please at least try. If you don’t know Greg, he’s the lead for network security over at Gartner and someone definitely worth reading… Share:

Last night I managed to pull a serious Munson. My car battery was dead, so I jumped it from my wife’s car. Then both batteries were dead (her car literally shut down when I tried to start mine). Then my brother in law came over, and managed to jump both cars. We left them running, then turned them off- and both were dead again. One more trip from my brother in law and we were up and running. We drove around for a bit and then stopped to run an errand. We stopped, and restarted, one car at a time so we always had one running vehicle. Both restarted, so we ran them for a minute longer and then ran our errand. Come back, and both are dead. Mall security jumped her car, drove on the highways for 20 minutes, parked it at home. Dead. Dead. Dead. Her car is a hybrid, and we think my battery is dead and something about jumping it blew something in her electrical system. Good times, my friends. Good times. At least I get some amusement this morning out of this article with some of the usual statistical dribble used to scare people into buying products. There’s no need to go into detail- it’s just a survey talking about how few companies perform email encryption, how hard and manual it is, and how employees would use it more if it were easier. This is all, of course, tied into some Nevada law and sponsored by an email encryption vendor. They forget, of course, to mention how few compromises there are of unencrypted email. No reference at all to any real cases where encryption would have prevented the loss of personal data (never mind any fraud associated with said loss). In short, nothing useful to help you make any kind of risk decision. Remember, I’m not against numbers, nor am I against email encryption (I use it occasionally for business communications), but I am against silly numbers with no bearing to anything important. We need more quality metrics and surveys, not this dribble that likely won’t fool a single security professional into buying a product. You might, likely, use email encryption anyway, but this sure won’t affect your decision. Share:

Finally took the plunge last week- I went out and bought a Mac. Actually, I bought a couple of them. That was not what I originally intended, as my plan was to get a top-of-the-line MacBook Pro and a high-end monitor to go with it. But every time I sat down in front of my wife’s iMac, I was really impressed with the quality of the display and the simplicity of the machine itself. When I learned the 24-inch version had the Core 2 Duo at 3GHz, I was sold. Given the amount of travel I do I needed a laptop, so I picked up an entry-level MacBook as well. It worked out about even money as far as hardware costs, and it will only cost me a little more for software, so I kind of feel like I got two for one. For the last week I have not been blogging all that much as I have spent every waking hour moving files, downloading software, installing, configuring, and learning a bunch of new applications. I don’t think I have bought this much personal software before. And with Rich and myself reworking the Securosis infrastructure at the same time, it has been a hectic week. For those who do not know me; I started my career with UNIX; moved to CTOS; then a mixture of Windows, UNIX, and Linux for about 5 years; but over the last 8 years it has been almost all Windows PCs. So learning a new OS is no big deal, and the UI design on the Mac is pretty darn easy, which has helped smooth the transition. But I must say I am glad that there is a UNIX-based OS sitting underneath … makes me feel a little more comfortable and made the learning process faster. I wanted to share the experience as I was wondering if some people had come to the same conclusions that I have about the Apple products. First the MacBook: The MacBook is nice-looking, but nothing all that spectacular IMO. While the 2.4GHz Intel processor is fast and I like the OS, the keyboard is decidedly ordinary and the display is really not all that great. Contrast, color saturation and accuracy are all pretty poor. Tried to calibrate as best I could without tools, but I only think I am going to get so far with this effort. My real concern at the moment has been stability. I have only been running the machine for a couple of days and Mail has hung twice, and the machine would not respond to shutdown requests. I installed all of the patches I could and hopefully that will help. I also upgraded the machine to 4gb, and when I did, I found an interesting white residue caked on the pins of the DIMMs. I am wondering if the installers are putting talc or something on the pins to make insertion easier, but there was so much I have to wonder if there were memory errors. Seems to be more stable now and I am hoping for the best. The iMac- in a word, WOW! It is the nicest machine I have ever owned. Fast. Put 4 gig of memory in it. The aluminum keyboard has a great feel to it. Keep looking for the right mouse button, but that’s OK, I am retraining myself. But the most amazing thing about this box is the monitor. 24 inches of real estate. The color, depth and detail is stunning. It’s fun just to look at the pre-supplied backgrounds. And everything has worked without a hitch. Software installed in a fraction of the time of other platforms. The one time I messed up I simply drug the application to the trash, started from scratch, and was done in two minutes. The only anomaly I found is the machine is spec’ed for DDR2 800, but came with DDR2 667. Other than that, perfect. The MacBook is nice, but the iMac is why I am beyond happy. Hard for me to imagine that this is true, given the long line that I had to wait in when I went to the Apple store. Plus I know 5-6 people who just switched to Macs, and half the people I know are saving up to get iPhones. With a product that is this solid, I don’t think that they have a lot to worry about. Share: