Securosis

Research

Marathon Down, Macworld Up

Okay, it was only a half-marathon, but considering I hurt my knee and wasn’t able to train for a month I feel pretty darn good about finishing. In my head that is; legs aren’t quite as pleased. I’m heading off to Macworld Expo tomorrow and will be in San Francisco all week. I’m helping cover the event for TidBITS. While most of my non-security writing will be over there, since TidBITS is an edited publication I’ll probably be pushing out some random Apple posts over here. I’m hoping for two announcements this week, although honestly don’t expect them. First is for the 3G iPhone, preferably with GPS and a functioning 2-way calendar/to-do list. I’ve been disappointed in my Blackberry Pearl for two reasons- the craptastic browser, and since I don’t have an Exchange server I don’t get truly real-time email. (Yes, I can do hosted Exchange, but that doesn’t make sense for me). Second, I’m hoping for a refresh on the MacBook Pros with SSD drives and LED screens for better battery life. The rumors seem to trend more towards a compact MBP or tablet which would be okay if the specs are high enough. Either way, I’m looking forward to the first non-security, non-Gartner conference I’ve been to in years. Share:

Share:
Read Post

SunSec Declared

SunSec last night was a roaring success- although my liver crawled under a small table and refuses to come out. We had 15+ people show up from all over the area. The Phoenix OWASP decided to crash the party and everyone had a heck of a good time (most people drank a tad more moderately than myself). I was finally dragged away from hanging out even longer with the ts/sci guys who just posted a full after action report. Devious little fellows, they shoved drinks in my hand until I invited them onto the Network Security Podcast (sorry Martin). We’ll definitely be doing this on a monthly basis. I’m also looking at starting an informal email list to keep people in the area connected (unless there’s another one floating around already). If you’re interested, drop me an email at rmogull@securosis.com. Thanks everyone for making it a successful event. Dammit! The liver is under the couch now, I’ll never get it out of there…. < p style=”text-align:right;font-size:10px;”>Technorati Tags: SunSec Share:

Share:
Read Post

Ask Securosis: Setting Up A Home Lab

Our question this week comes from Lee: Say you”re doing security research, what machines and OSes do you recommend for a home lab and why? Great one. This is something that tends to be pretty personal based on the kinds of research you’re doing, and your available funds. Let’s break it into a couple of pieces: Network Equipment One piece that’s hard to find, but really useful, is a dumb hub to simplify sniffing. I’ve got an old 3Com I pulled from an office that I use when I want to monitor traffic. Sure, you can also do it with wireless or with Ettercap on a (vulnerable) switch, but I like just being able to plug in and sniff. A spare wireless access point with a few switched ports is nice when you want to isolate off a small network so you don’t inadvertently brick your TiVo while playing with a network fuzzer. They’re cheap and you can plug and go. I do a fair bit of mucking with wireless so I have a few spare access points. I like Airport Expresses for something portable I can take on the road (Linksys has something similar, but I haven’t used it). They double up to stream music at home, making them a dual-use investment. I also have a WRT54GL for playing with OpenWRT, depending on the project. Thus the basics are a dumb hub, an extra access point/router with ports (probably a WRT), and a couple spare travel access points if you like to play with wireless. Oh, and a lot of cables. You can never have enough cables. Systems I do most work on my primary system- a MacBook Pro. I maxed out the memory and use Parallels for virtualization. VMware Fusion might be a bit better since you can set up virtual networks. I even run Core Impact in a virtual machine on my Mac and it runs really well. Ideally you want one dedicated laptop/desktop for each major OS- Windows and one flavor of Linux are good enough for most people. Just get a cheap desktop, max out the RAM, and configure as needed. If you can’t afford a bunch of systems, go with virtualization and live distribution CD/DVDs. I used to use a basic Windows laptop (XP) with VMware on it. Then I built virtual machines for other OSes I commonly used- Fedora and Ubuntu. When I want to run Unix attack tools that don’t work well in a virtual machine (wireless and Bluetooth stuff) I just boot into BackTrack. It’s also nice to have a couple dedicated target systems and virtual machines at various patch levels. I install a totally unpatched XP or Vista, then take snapshots at various levels of patching. I used to have a couple spare laptops at different Windows patch levels, but I had to give those back when I left my job. Thus you have one primary machine with your favorite OS. That runs virtualization software with a couple virtual machines for testing. Then 1-2 other attack/tools systems, usually one Windows and one Linux. Then, it’s nice to have 2-4 target systems at various patch levels of various operating systems. At least one dedicated machine where you can run VMware or Parallels and a bunch of virtual images to attack or monitor suspected viruses and such. That system should be isolated from your main home network, and keep the host OS fully patched. Most researchers I know use a lot of virtualization these days to keep the number of systems down and you can do a lot of good research with only 1-2 machines if your budget is limited. At work they might have dozens of boxes to play with, but far fewer at home. You want a good mix of operating systems since you want access to whatever tool gets the job done, no matter the platform. I also have a bunch of random hardware- old cell phones, wireless cards, Bluetooth adapters, and such. It all really comes down to personal taste and what you’re researching. Thanks to virtualization and live Linux distributions we have a lot more flexibility than in the past, even if you only have one beefy laptop or desktop. As for tools… that’s another, much longer post that could be better written by plenty of other people… Share:

Share:
Read Post

14 Year Old Boy Hacks, And Derails, Trains

(Thanks to Marcin) Thanks to some good old hardware hacking, a Polish teen built an infrared device that let him switch around the tracks. Twelve people were injured in one derailment, and the boy is suspected of having been involved in several similar incidents. Miroslaw Micor, a spokesman for Lodz police, said: “He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks. “He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change. Wow. I guess I don’t get to rant about SCADA security today. Share:

Share:
Read Post

SunSec Rises Tonight!

We’ve got people flying in from other states and I’m even getting a haircut! Tonight at 6pm at Furio in Scottsdale we’re reviving that most noble of institutions- security geeks hanging out, drinking, and lying about their l33t skilz. CitySec meetups are informal gatherings of anyone interested in security. We hang out, drink, and talk amongst ourselves. No presentations, no speakers; just a chance for local people to connect. You don’t need to be a full-time security geek to show up (that means you Tom, don’t make me taunt you). Happy Hour runs until 7 and that’s when they serve the normal food (gets a little Scottsdale-snobby after that). Drinks run all night, and the first round is on Securosis. Cya there, and email or IM me if you want my cell number in case you get lost… Share:

Share:
Read Post

Why You Shouldn’t Run An Open Wireless Network Like Bruce (Or Chuck Norris)

Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.) Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live. Bruce breaks the potential security risks down into two categories: Somebody abusing his network for illegal activity- spam, file sharing, attacking other systems, and so on. Connecting to his network and attacking his home systems. He evaluates these risks as acceptable: Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks. In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.” While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself. Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration- for most of the time I lived in a particular condo in Boulder the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past. Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply. I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it. He also mentions the risk of violating his ISP’s terms of service: Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP. To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid. I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it. Don’t follow Bruce’s example- he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk). Oh, and the Chuck Norris thing? Share:

Share:
Read Post

Yes, I’m Giving A DLP Webcast. No, I Won’t Post The Picture

I hate it when Farnum scoops me on my own presentation. On January 22nd I’m giving a live webcast on DLP. The topic is Demystifying Data Loss Prevention, and I’ll be covering everything from defining DLP, through the top features to look for, to running the selection process. The webcast is sponsored by Websense, but is my usual objective content. You can register for it here. I believe there will be live Q&A; if not I’ll set up a side-channel chat room for questions. There is more disinformation and weirdness regarding DLP than in any other market I’ve covered. This is your chance to stop by, hear what I think, and ask questions without having to hop on an airplane or pay my ridiculously high consulting rates. Share:

Share:
Read Post

Top Five Database Resultions- Registration Open And Looking For Reviewers

Updated : Forgot to list the date, it’s January 25th. Update 2 : Fixed stupid mistake in mailto link. Bad ex-web programmer. Bad! I must be the [edited] of webcasting or something. Considering I get paid for these you could probably use another word, but this is a family friendly blog. ZDNet has opened registration for my webcast on database security. As mentioned before, this one is designed to walk the line between DBAs and security admins- taking 5 key recommendations and giving actionable advice for each audience. It’s sponsored by Oracle. Since I want to make sure this one is really on target, if you are either a DBA interested in security, or a security admin interested in databases, drop me a line and I’ll send you a draft for review. I have a couple people taking a look already, but I’d like some input from people dealing with day to day operational issues. Just email me at rmogull@securosis.com. Here’s the full description of the event: The spotlight on database security and increasing demands for regulatory compliance require DBAs and security professionals to work more closely than ever before – both integrating and separating job duties. Security and database teams are being challenged to learn at least SOME of the skills of each other’s domains while applying these principles practically to achieve compliance and keep out the bad (and even some not-so-bad) guys. Join us for this informative eSeminar with useful information for both database and security professionals, where long-time database security industry expert Rich Mogull will highlight the top five recommendations for database security and compliance in this new year. Featured topics will include: Segregation of Duties for DBA and Security Pro alike Database Vulnerability Configuration Management Auditing and Activity Monitoring See how your resolutions for ‘08 compare with our experts – and bring your questions for the Q&A session following the presentation. Register now to ensure your spot at this important event. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Database Security, Oracle, Separation of Duties, Webcast Share:

Share:
Read Post

You’d Better Prepare For MS08-001

I generally try and avoid short posts on the blindingly obvious, but it’s clear there’s a lot of focus on the Microsoft IGMP vulnerability- from both sides (good guys and bad guys). SANS is starting to put some recommendations up, and unless you’re absolutely sure you have perfect patch management and everything is updated, it’s time to keep your eyes open. For the non-geeks, Microsoft released a patch yesterday for a serious vulnerability in most versions of Windows that could allow someone to take over your system. Make sure you update. There aren’t any known exploits in the wild, but that won’t last. Rumor is some of the consumer software firewalls won’t block this, so that isn’t enough protection. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Microsoft, Vulnerabilities, Patch Share:

Share:
Read Post

No Fly List Protects Airplane From 5-Year Old Security Risk

I mean a literal 5-year-old child, not some obscure threat. According to BoingBoing the child’s name is the same as someone else on the list, but according to this interview with the head of TSA by Schneier, you should only get a hit if the name and date of birth match. He was considered such a threat his mother wasn’t allowed to console him/touch him during the process. Which gives us three options: This child really is a national security threat. Having flown on many planes with out of control 5 year olds, this is my best bet. There is another five year old in the world with the same name and birthdate that is the real national security threat. The TSA messed up I find this amusing, and sad. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.