Research

During the second day at Black Hat, somewhat depressed by yet another futile attempt to locate coffee and fighting human gridlock, I decided that it was no longer worth the effort and simply sat down in the nearest conference. And I am glad I did as that random selection of presentations turned out to be one of my favorites of the week. The presentation was called Visual Forensic Analysis and Reverse Engineering, presented by Gregory Conti and Erik Dean. I would offer a link for you, but I have been unable to find the slide deck on line. It is on the CD that was included in the Black Hat goodie bag for those of you who attended, and some of the discussion points are located here (http://lcamtuf.coredump.cx/oldtcp/tcpseq.html) The Conti & Dean presentation shows how, by using different graphing techniques, to identify the contents and even reverse engineer binary files. By performing ?dot plots? and ?byte plot? examples of binary files, you can very quickly detect certain patterns within the binary file that tell you what is contained within the file. Much like a human fingerprint, uuencoded content, text, Word documents, bit mapped images, jpegs, compressed files and encrypted files each had a unique visual signature. For files that may contain several items, it was easy to pick out the begining and ending points of blobs within the file, and then examine specific binary objects in more detail. They showed a couple of examples of extracting out image files from a huge binary file in less than 30 seconds. You know you are a geek when: I remember in the early ’90s that when debugging code or core dumps I was often just winging it. You really did not have a valid stack trace, so you were rummaging around memory looking for something unusual, or some pattern that gave you a clue as to what went wrong. It was more art than science, and it was usually some visual clue or something that just did not look right when you found the root cause of the bug. Again in the mid-90s I can remember loading binary files into a text editor to attempt to, ahem, circumvent and ?no-op? out the licensing module which could often be located through a visual inspection. Of course, this was purely for academic purposes. This same technique was effective in hacking video game binaries and save files (slide 46 of the presentation shows a Neverwinter Nights database file as an example). And it was all based upon looking at the binary structure for patterns and experimenting with value substitutions to alter game functionality. But the graphic tools take this to a whole new level. How do you know your PRNG is producing random numbers? During the presentation, the evolution from these early generation tools and methods was discussed, and then they showed off tools that provide different 3 dimensional graphic representation of what data looks like. One of the examples that I was most impressed with was the graphs that show a distribution for numbers. These are examples of PRNG output (http://lcamtuf.coredump.cx/newtcp/). Random? It is not particularly easy to demonstrate the pseudo-random number generator you are producing random numbers, or collecting entropy to see your random number generator. But by graphing them in this way, you can very quickly see if you have reasonably good randomness ? or not close at all. Anyway, I thought this was a very cool forensic tool for binary files. Check out the graphs as they are very impressive. Share:

I ran across this article last week in the Arizona Republic regarding redesign of the Internet. This was very much in line with one of the recurring topics that seemed to be discussed in the halls at Caesars Palace during Black Hat: how might we change the Internet if we were to start from a clean slate? There are clearly many motivating factors to do so, from the fragility and dependency issues of the Internet on DNS as discussed by Kaminisky , email spam , DDOS, use of a basically insecure connectionless protocol for the vast majority of transactions, to encrypting all Internet traffic to keep government and other entities from spying on us, and the list goes on and on. I have not been following the organizations history all that closely nor am I aware of any published research at this time. I will admit to viewing the GENI effort with a bit of skepticism. While the web site FAQ states ‘It is not a replacement for the Internet (or any other communications technology). Rather the purpose of GENI to test and mature a wide range of research ideas in data communications and distributed systems’. Not sure if the intent with the statement is to underscore the intention to build something entirely new, or if this is hyperbole, but it is clearly at odds with the way the project is being marketed as “A massive project to redesign and rebuild the Internet”, which is why it makes news and why US National Sciences Foundation would consider $12 million in funding. This dichotomy makes me worried right off the mark. I always assumed the success of the Internet was because it was a cheaper and faster way to do things. Simple to understand, easy to use, freedom to say what you want, and almost free to participate. Yes, low cost helps, but the organic growth IMO is really about simplicity and freedom. And the more people who participate, the more information available, and more value. A ‘clean slate’ redesign of the Internet will certainly have design goals of greater reliability, accountability and security. These points are on the agenda’s of every Internet redesign discussion I have seen, and they will come with greater control, expense and monitoring of personal activity. The more I think about it, the more I believe what we need is not a new Internet, but one that sits parallel to the one we have today. The Internet we have today works great for sharing information, which is largely what it was indented to do. It was not designed to be secure, keep data private or conduct commerce. If the intention of the GENI project is to provide a secure medium for commerce in parallel, I am all for it. I am not eager to give up what I like about the Internet to solve the security issues at hand. Share:

During a recent eBay auction, when clicking the “Pay Now” button for an item I had won, I was taken off the eBay site, to a third party merchant site. The merchant site was attempting to verify address information and shipping options, and then forward me to PayPal. I tried going back into my eBay account and making the payment directly to PayPal several times, in an attempt to avoid the third-party site, without success. It appears that eBay is allowing third party merchants to insert their own code and web sites into the checkout process. What’s more, this particular merchant page was a mixture of secure and insecure content and some JavaScript. NoScript took care of the issue for me, but it leaves me wondering. I am not sure if it is my heightened sense of post-DefCon paranoia, but this just seems like a bad idea to me. If I were a hacker, wouldn’t I just love a way to insert myself into the payment process? With most security analysis processes, I start by examining trust relationships I can exploit. This tends to be fertile ground for logic flaws, and these trust points tend not to be closely inspected by users. If I can insert myself into an established trust relationship to launch my attack, I am far more likely to succeed, and this seems like an open window for me to do just that. Bogus image tags, XSS, XSRF, inline frames, or whatever attack du jour; it seems like a natural target for inserting myself between these two trusted entities. I am not saying that any particular merchant site is insecure at this time, but I am willing to bet that regardless of any vetting process third parties go through, their security is not uniformly as strong as eBay’s and PayPal’s. In general, I have no relationship with any of the third party merchant software, so I have no reason to trust the sites or their security. I make purchases on eBay with PayPal because I have a basic trust in their sites, processes, and security teams. This trust does not fully extend to every one of their affiliated merchants and third party sites, now and in the future. Not only that, the third party site offers me, the buyer, no added value, only potentially decreased security. From PayPal’s own “Top Ten Safety Tips”, which they provide with the Security Key, tip number nine is “Stay Safe on eBay: … Pay safely using PayPal, the secure payment method that enables you to shop without sharing your financial information with the seller”. But if the merchant has been linked into the process, and you have to go to a merchant site first, it is somewhat at the seller’s discretion. And if the merchant site has been hacked, all bets are off. I sent the question over to eBay and PayPal security and have not received a response, so I wanted to know what the community at large felt about this. Share:

A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we’re posting the last of the interviews recorded at DefCon- but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert “Rsnake” Hanson, and Larry Pesce join us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered. Yes, this really is an explicit episode, so consider yourselves warned. Network Security Podcast, Episode 116 Length: 24:00 (or so) Share:

Perusing my blogs this morning I caught a post by Anton on DLP and compliance. That’s the blogging equivalent of chaining a nice fat bunny to a stake in the middle of coyote territory here in Phoenix (in other words, the park behind our house). I, as the rabid coyote of DLP-ness, am compelled to respond. Anton starts by wondering why he doesn’t see compliance more in DLP vendor literature: Today I was thinking about DLP again 🙂 (yes, I know that “content monitoring and protection” – CMF – is a better description) Specifically, I was thinking about DLP and compliance. At first, it was truly amazing to me that DLP vendors “under-utilize” compliance in their messaging. In other words, they don’t push the “C-word” as strongly as many other security companies. Compliance dog doesn’t snarl at you from their front pages and it doesn’t bite you in you ass when you read the whitepapers, etc. Sure, it is mentioned there, but, seemingly, as an after-thought. Then, he nails the answer: But you know what? I actually think that it is something different, much more sinister. It is the ominous checklist mentality (here too)! You know, DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc) and – what a shock! – the documentation for these mandates just doesn’t mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!). Also, PCI DSS directly and explicitly says “get a firewall”, “deploy log management”, “get scanned”, “install and update AV” – but where is DLP? Ain’t there… I’ve spent a heck of a lot of time working with DLP vendors and users, and this is a problem that affects technologies beyond just DLP. Early on, the DLP vendors all talked about how they’d make you SOX, HIPAA, or XXX compliant. Problem was, there isn’t a regulation out there that requires DLP. The customer conversations went like this: Vendor: PCI compliance is bad. Buy DLP. User: Okay, is that section 3.1 or 3.2 that requires DLP? Vendor: It’s not in there yet, but… {sales guy monkey dance} User: Ah. I see. Can you come back after we finish remediating our audit deficiencies? Say in 2012? Q3? The truth is that DLP can help significantly with compliance with a variety of regulations, but none of them require it. As a result, vendors have softened their message and the good ones adjust it to show this value. I don’t know if I really influenced this, but it’s something I’ve spent a lot of time working on with my vendor clients over the years. Other markets face this same challenge, and if you look back they almost always start by hitting compliance for the apparently easy cash, and are then forced to adjust messaging unless they are explicitly required. Users also face the same problem: User: We need to do X for compliance with Y. Money Guy/Boss: Okay, where is that on the audit report? User: It’s not, but {monkey dance}. Money Guy/Boss: Ah. I see. Maybe we can discuss this during your annual review. Be it a vendor or an end user, the compliance sell is either the easiest or hardest you’ll ever face. If the regulation (or your auditor) explicitly requires something, there’s an immediate business justification. While there’s a lot more to compliance, if it isn’t on that list you can’t sell it with merely the C word. Instead, evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases. There are a ton of internal process changes that improve audit efficiency and reduce the burden of generating compliance reports last minute every year or quarter. When something is on the checklist, sell it as compliance. When it’s off that list, sell it as cost or risk reduction. If it doesn’t hit those categories, buy a monkey to do the dance- it’s cuter than you are and more likely to get the banana. Share:

There’s been a bit of debate on the blogs recently over the role of analysts, and how they pay their bills. It started with the Hoff, and Alan Shimel followed up (no link right now due to Alan’s blog issues). I know Chris wasn’t calling me out on this one (because he told me), but I do recognize I put a lot of content out there that people trust to help make decisions, and it’s only fair they know of any potential conflicts of interest I might have. I’m not going to get into a big debate over the role of analysts in the IT industry. I think the good ones offer tremendous value, but I’m clearly biased. Where I’m not biased is in my positions. No matter who pays the bills, I recognize that most of my value in the security world is my objectivity. Everything I write is for the end user, even if a piece is sponsored by vendor or written internally for an investor. As soon as I forget that, my career is over. It’s one thing for me to claim that, and another for you to believe it. I don’t assume you’ll take me at my word, and that’s why I throw everything out here on the blog and leave it for public comment. If you think I’m biased, call me on it. I don’t think I’ve ever deleted a a comment, other than spam and personal insults. Insulting argument is okay, but I decline to host pointless insults – there are lots of other places for that, and this is my (our) soapbox – you can set up your own website or find another board if you just want to flame online; there’s no shortage of venues. We also encourage vendors to comment, as long as they identify themselves clearly if it’s on something related to their offerings. It’s also only fair you know who pays my bills, and my policies on papers and webcasts. Right now about 85% of our income is from vendors, with the remaining 15% split between investment clients, end users, and media companies (magazines/conferences). We’re expensive for consultants, and don’t typically engage in long-term projects, which cuts out a lot of paid end user business, although we do a ton of (short) free calls, emails, and meetings when I’m traveling. As for papers and webcasts, the rules are we (Adrian and myself) will work with a vendor on a topic, but they have no input on the content. To make this work we give them detailed outlines of what they can expect before we write it, and all contracts are written so that if they don’t like the content, we go our separate ways and we won’t charge them. In all cases we (Securosis) own the content and only license it to the vendors for (usually) a year. And yes, I’ve walked away from deals, although we haven’t had one fall apart after the draft was written, since we prefer to work out any conflicts before we start. Also, all the content appears first on the blog for public input- this is the best way we can think of to be transparent. So who pays the bills? I can’t talk about our strategy clients, but we’ve done public work (papers/webcasts/speaking) with all of the following vendors (I’m assuming you don’t care about the media companies): Core Security Guardium Imperva Mozilla Oracle Powertech RSA Secu o Sentrigo Symantec Tizor Vericept Websense Winmagic Workshare There aren’t any surprises here- I’ve announced all those papers, webcasts, and such here on the blog already, along with who the sponsor was. No, I can’t talk about all our clients, but if they aren’t on that list, they’ve never sponsored any content. Another thing we do to balance objectivity is work with competitors- we won’t engage in contracts that exclude us from working with competitors. This was all already public, so I’m not giving away any big secrets. Also, don’t take this as a “look how great we are!” post; we’re doing this for transparency, not marketing. We’ve also worked with SANS, CMP Media, TechTarget, some large financials (doesn’t everyone?), and a few investment types. That doesn’t count the end users we don’t charge. That’s it. If you think we’re biased, call us on it and we won’t delete the comment. Our goal is to be as open as possible so you know where the information you’re reading comes from. Do we push some technologies? Yep, because we think they can help. We’ve definitely turned away work for things we don’t believe in. Share:

We’re proud to announce a new whitepaper dedicated to best practices in endpoint DLP. It’s a combination of our series of posts on the subject, enhanced with additional material, diagrams, and editing. The title is (no surprise) Best Practices for Endpoint Data Loss Prevention. It was actually complete before Black Hat, but I’m just getting a chance to put it up now. The paper covers features, best practices for deployment, and example use cases, to give you an idea of how it works. It’s my usual independent content, much of which started here as blog posts. Thanks to Symantec (Vontu) for Sponsoring and Chris Pepper for editing. Share:

So we took the plunge at the Lane household and bought an iMac. That is the good news. The bad news: it was my wife, and not me, who made the purchase. My wife’s laptop performed the 25 month post-warranty belly flop while I was at DefCon. A few flickers on the monitor and nothing. A very cold no-boot followed. So off we went to Fry’s today and after an hour browsing she wandered by the Macs. She was looking at the iMac and asked. “Where is the box? Doesn’t this thing have a disk drive?”, to which I replied “The disk and processor are built into the monitor housing, so there is no box”. Her eyes opened a little wider and she stared for another minute or two. That was all it took, and she jumped in with both feet. I warned her there would be a learning curve with the new OS and software, but she was not deterred. I made the statement more for my benefit than for hers, as she is a type ‘A’ personality with a bullet, so patience is not usually a word used in her vicinity. However there is one consolation prize in this effort, as the phrase “I don’t know” is the correct answer. Let me explain what I mean by that. As many of you may have experienced, when you are the Computer Guy in the house, it is expected that for anything that goes wrong with anything that has electricity, YOU will fix it. You know what is wrong with any piece or hardware or software and exactly how to fix it instantly. Otherwise you get the “You call yourself a CTO”? jokes. Not only that, when you’re married, friends and family get to ask for IT tech support as well. This is one of my major annoyances in life. But when you know next to nothing about a Mac, the stream of questions directed at me always results in “I don’t know, why don’t you look it up?” This brings a wonderful, liberating sense of freedom from responsibility. “Why is Safari doing that?” “How do I ______?” and my personal favorite, “I am taking this &;@%”@%/ of *&@(;( back to the store if this does not, oh, wait, now it works.” And I have been smiling at the fact it is not my problem all day long. She has let me use the machine for a bit. All in all this is a seriously nice, well engineered and very cool looking piece of hardware. While the approach is different, everything is conceptually easy once you get used to the difference in perspective. She really likes it and I am very much looking forward to buying a MacBook for myself. In the meantime, I am going to fly off to California for the next couple of days until the swearing stops. Share:

No, we didn’t hack any networks or laptops, but we absolutely dominated when it comes to podcast coverage. This was our second series of microcasts since RSA, and we really like the format. Short, to the point interviews, posted nearly as fast as we can record them. We have 9 (yes 9) microcasts up so far, with about 2-3 more to go. A few people also promised us phone interviews which we plan on finishing as soon as possible. Here’s the list:   Our pre-show special; where we talk about or plans for coverage and what we’d like to see. The first morning; our initial impressions before the main start of the show. Mike Rothman of Security Incite, hot after Chris Hoff’s virtualization presentation. Tyler Regully of nCircle on web development and the learning curve of researchers. Jeremiah Grossman from WhiteHat Security on what he’s seen and what he talked about in his session. Martin turns the tables on Jon Swartz of USA Today and the book, Zero Day Threat. Martin and I close out Black Hat (don’t worry, there’s still DefCon). Nate McFeters and Rob Carter talk with us about GIFARs and other client side fun. Raffal Marty discusses security visualization, which he coincidentally wrote a book on. I never saw Johnny Long, but Martin managed to snag an interview with him on his new hacker charity work. Don’t worry, there’s more coming. Stay tuned to netsecpodcast.com for an interview with the slightly-not-sober panel I was on (Hoff, David Mortman, Rsnake, Dave Maynor, and Larry Pesce) and some other surprises. Share:

I saw this article in the Arizona Republic Monday about how the insurance companies are able to save money by gathering health care records electronically, make more accurate analyses of patients (also saving money) and be able to adjust premiums (i.e., make more money) based upon your poor health or various other things. You know, like ‘pre-existing’ conditions, or whatever concept they choose to make up. Does anyone think that they will be offered an option? The choice of not providing these electronically? Not a chance. This will be the insurer’s policy, and you can choose to not have insurance, or turn over your records. Does this violate HIPPA? To me it does, but since you are given the illusion of choice, their legal team will surely protect them with your ‘agreement’ to turn over these electronic documents. And why not, with all the money they saved through data analysis, they have plenty of money for their legal expenses. Does anyone think that the patient will be allowed to see this data, verify accuracy, or have it deleted after the analysis? Not a chance. Your medical data will most likely have a “half life” longer than your life span. That stuff is not going anywhere, unless it is leaked of course. But then you will be provided a nice letter in the mail about how your data may or may not have been stolen and how you can have free credit monitoring services if you sign this paper saying you won’t sue. It’s like watching a car wreck in slow motion. Or a Dilbert comic strip. Let me take another angle on the data accuracy side of this proposition. When I first graduated college, I walked down the street to open a checking account with one of the big household names in banking. For the next 12 months I received a statement each month, and not one of those banking statements was 100% correct. Every single statement had an error or an omission! My trials and angst with a certain cell phone provider are also well documented. Once again, charges for things I did not order, rates that were not part of the plan, leaked personal data, and many, many other things during the first year. I had one credit card for a period of 12 years, and like clockwork, a late fee was charged every 6-9 months despite postmarks and deposit dates which conclusively showed I was on time. I finally got tired of having to call in to dispute it, and just plain fed up with what I assumed was a dastardly business practice to generate additional revenue from people too lazy to look at their bills or pick up the phone and complain. I had a utility company charge me $900, for a single month, on a vacant home I had moved out of three months prior. One out of two grocery store receipts I receive is incorrect in that one or more prices are wrong or one of the items scans as something that it is not. Other companies who saved my credit card information, without my permission, tried to bill me for things I did not want nor purchase. Electronic records typically have errors, they are not always caught, and there may or may not be a method to address the problem. The studies I have seen on measuring the accuracy of data contained within these types of databases is appalling. If memory serves, over 20% of the data contained in these databases is inaccurate due to entry or transcription errors, is incorrect logic errors in transformational algorithms, or has become inaccurate with the passage of time. That later item means each subsequent year, the accuracy degrades further. There is no evidence that Ingenix will have any higher accuracy rates, or will not be subject to the same issues as other providers, such as Choicepoint. They say computers don’t lie, but they are flush with bogus data. Now think about how inaccurate information is going to affect you, the medical advice you receive, and the cost of paying for treatment! There is a strong possibility you could be turned down for insurance, or pay twice as much for insurance, simply because of data errors. And most likely, the calculation itself will not be disclosed, for “Pharmacy Risk Score” or any other actuarial calculation. If this system does not have a built-in method for periodically certifying accuracy and removing old information, it is a failure from the start. I know this is a recurring theme for me, but if companies are going to use my personal information for their financial gain, I want to have some control over that information. Insurance companies will derive value from electronic data sharing because it makes their jobs easier, but the consumer will not see any value from this. Share: