Research

17 years. That’s a long time. The last time the US Government shut down was December 1995 through January 1996. I was working for META Group at the time, probably on an airplane heading to a meeting with some client. I wasn’t married yet. I could sleep in on a Saturday. Those were the days. Life was fundamentally different. Looking back I don’t remember the specifics of what happened during the last shutdown, as that group of politicians battled each other over funding this, that, or the other thing. In fact, until this latest shutdown because a possibility, I didn’t even remember it happened in the first place. 17 years later, in my mind that shutdown was an inconsequential footnote in history that I needed to look up on Wikipedia to even remember it happened. I suspect we will see the same outcome this time. 17 years from now I doubt I’ll even remember how this group of politicians fought over funding this, that, or the other thing. The more things change, the more the stay the same. Negotiating deadlines are blown, activities are impacted, and people (a lot of people) aren’t working today because these folks can’t find the middle ground. But they’ll work it out. They always do. The last time the shutdown lasted for a total of 28 days. Maybe this one will be shorter. Maybe longer. The only thing I know for sure is that it will be more visible. With social media, you’ll be seeing tweets from folks out of work and Facebook blasts talking about how they are right and the opposition is wrong. So even though it’s the same, it will feel worse because we will see much more of it. That’s just the way things go down nowadays. We know how this movie ends. At some point they will make a compromise. Both sides will claim victory. Everyone will get back to work. Programs will be funded. Money will be squandered. Life will go on. Which is why it’s hard for me to get fired up about this stuff any more. The system is broken, but it’s the one we have. My efforts are far better spent worrying about the things I can control, and the idiotic machinations in Washington just aren’t on that list. So shutdown all you like. I have writing to do. –Mike Photo credit: “Anarchist computer” originally uploaded by Michael Bingaman Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Against Application Denial of Service Introduction Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Newly Published Papers Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Distributing workloads won’t fill the gap: No, this isn’t my attempt to infringe on Rich’s cloud security coverage. I am talking about the significant security skills gap. In my CISO Roundtables at the IANS Forums this year, a very consistent theme has been the challenges of staffing. From finding qualified folks, to retaining the good ones, to keeping pace with technology… most CISOs spend a large (and increasing) portion of their time dealing with these softer personnel issues. After spending a day with HR, a firewall console probably never looked so good. Michael Santarcangelo explains in his CSO blog how believes that distributing the workload among operational groups is the answer. He even said: “We don’t need more security professionals.” Uh, WTF? That’s dead wrong. I’m not saying we don’t need help, or that we don’t need the rest of the organization to become more security aware. But they have no real incentive to be secure. So over the long run, they won’t. Period. We clearly don’t have enough skills internally to even work with the ops groups and business folks to help them become more secure. So there is a skills gap, and it’s serious – and no amount of internal redistribution is going to solve it. – MR MS RAMPing up: For those who don’t know, FedRAMP is the US government’s way of setting up a security baseline for cloud providers. While every agency (well, the ones still in business) needs to still meet its own requirements, FedRAMP is an assessment baseline they can leverage to reduce their overhead. So not every agency needs to deeply audit each cloud provider. Like most cloud security certifications, FedRAMP says the cloud meets a baseline, so you can focus on the bits you deploy above that. Microsoft Azure was just granted its FedRAMP certification (Okay, it isn’t a certification per se, but close enough). Microsoft is the first cloud service to get the sign off-from the Joint Assessment Board (DoD, DHS, and GSA), while Amazon has theirs from HHS and a third party assessor. Why do you care? Even if you aren’t a Fed (and you aren’t, because they aren’t allowed on the Internet right now for no apparent reason), FedRAMP, especially from the JAB, is a decent security baseline. It doesn’t mean you are ‘secure’ on that cloud, but it sure is a nice additional assurance. – RM Better memory: Oracle’s big announcement at OOW 2013 was an in-memory database option. With a single configuration change and a metric crapton of DRAM, you basically can run the database in memory. What does that have to do with security, you wonder? Absolutely nothing. This really does not change any threats to the database, to answer a question a couple of you have asked me this week. But what’s most interesting is that the database loads data into memory as columnar and row stores, and

A vulnerability in Internet Explorer has been known and unpatched for two weeks. According to ThreatPost, an exploit module is now in Metasploit, and real attacks are growing. Better deploy the FixIt tool if you don’t have some other way of blocking exploits. But I’m probably screwed, because I can’t get that mitigation to run on my Mac. Share:

I haven’t worked at Gartner for over six years now, so I’m not surprised that many people still think vendors can pay to move up the rankings in a Magic Quadrant. I mean, just look at them. Big vendors almost always show up in the top left or right, so they have to be paying for play. Vendors can’t buy Magic Quadrant ratings. Let me say it again: vendors cannot directly buy MQ ratings. I don’t expect to change any minds here, but that isn’t how it works. Not that money can’t influence the process, which I will get into. Analysts are totally walled off from the financial side of Gartner. They are not compensated, at all, based on how much a vendor spends. Many analysts have a very negative view of the vendor community, which can actually be destructive. It doesn’t matter how much a vendor spends – the analyst makes the same. In the seven years I was there I never saw management ask an analyst to adjust an MQ because a new client spent more money. Really, the anti-vendor attitude is so deep that an analyst is more likely to reduce a rating if a vendor tries to play those games. There used to be a loophole. Analysts used to get paid more for participating on strategy days with vendors. Some unscrupulous analysts effectively used blackmail to get vendors to buy more days. Gartner cut that off around the time I became an analyst, sometime around 2001 I think. It pissed off some analysts who were basically doubling their salary with strategy days. Today, all a strategy day does is keep an analyst away from their family – they don’t get paid more. However. Gartner clients get to talk with the analysts more. Anyone can brief an analyst once a quarter or so, but paying clients get longer calls, more frequently. Strategy days mean the vendor gets face time with the analyst and can build a personal relationship (there are guidelines limiting gifts, meals, and such to reduce influence there). This can subtly influence an analyst over time, even though it isn’t explicit buying. Smart vendors can do much the same thing without spending a dime, because most analysts don’t care about contract value, but paying up can definitely be used as an advantage. So why do all the big companies score better, especially in ability to execute? Because, in many MQs, that’s where a larger, more mature organization will almost always score better. They have mature sales, marketing, and channel programs. Bigger support teams. The ability to support larger clients. As much as we slam them for inefficiency all the time, you can throw enough bodies at certain problems to make them go away. It doesn’t mean the product executes or performs better, but that the company has accountants. That’s why startups tend to do much better on vision (since they, you know, actually innovate). One of my weirdest post-Gartner experiences was helping some vendors work through the MQ process. All I really did was help them figure out what the analysts wanted (honest answers) and how to avoid getting into trouble (legal threats if your dot moved 3mm, which happens). I even warned them away from trying to schedule strategy days too close to an MQ, which could be seen as trying to cheat. I wouldn’t say it is a perfect process. And there is a reason Securosis will never engage in vendor comparison research like an MQ, but money doesn’t directly buy results. I have no skin in this game (not even stock) and have been out for a long time, so take it as you will. But if you are an analyst reading this, don’t think for an instant that vendors aren’t trying to influence you every second of every day, and there’s a reason they call it the “Gartner Tax”. Share:

Another day, another breach – that’s not novel. A bunch of personal information (including driver’s license numbers) was stolen from Virginia Tech. But having the organization own up to the fact that the breach resulted from a human error is uncommon. Of the 144,963 individuals affected, only 16,642 provided their driver’s license numbers. According to school officials, the breach was a result of “human error” involving compliance protocols when dealing with the personal data. A forensic investigation into the issue revealed that the information was “partly” accessed through a Virginia Tech server in Italy. “The issue here is that someone on our staff goofed,” Larry Hincker, associate vice president for University Relations, said. Kudos to these folks for not blaming a super-sophisticated attack or the APT or any other way to skirt responsibility. They screwed up and lost data. It is also a reminder about the downside of poor security and IT operations. Photo credit: “Professional Strength [GOOF OFF]” originally uploaded by Chapendra Share:

Over at Network World Anton Gondalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals: Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards. Meh. In many cases the technologies are already here, or deep into development. The problem isn’t a lack of innovation, but that people keep spending money on the same old crap. That’s a different kind of rut. Besides, no matter what we do, the bad guys will keep innovating around it, as they have been for thousands of years. There are a couple good bits deeper in the article, including: On the white hat side, security professionals get paid for how they defend, not what they share, and companies view knowledge as a competitive advantage. In addition, companies fear being sued by customers or partners, if the data shared relates to them. That is a big one, and worthy of a separate article. Share:

Hurt back yesterday Too much pain to write much now Haiku easier And don’t forget to sign up for our Black Hat cloud security training in December! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s Dark Reading article on Shiny and New. Rich’s Touch ID and Secure Enclave article was picked up by Daring Fireball, AllThingsD, and who knows where else. Dave Lewis at CSO: Stuffing The Social Media Genie Back In Favorite Securosis Posts Adrian Lane: Investigating Touch ID and the Secure Enclave. Really good analysis from Rich on the security implementation of Touch ID on the iPhone 5s. But I’m not buying the ‘article’ angle – he just wanted a cool new toy! Mike Rothman: Cybercrime at the Speed of Light. Everything can (and will) be gamed. Everything. Gal Shpantzer: API Gateways. Especially because it made @beaker jealous. Rich: Keep Calm and Bust out the Tinfoil Hat. Mike is supposed to be an engineer, not a history major. But this is exactly what I have been thinking. Plus, every other country is doing the same thing to the best of their ability. Other Securosis Posts Continuous Security Monitoring [New Paper]. Data brokers and background checks are a massive security vulnerability. Walled Garden Fail. Incite 9/25/2013: Road Trip. Firewall Management Essentials: Quick Wins. A Quick Response on the Great Touch ID Spoof. Favorite Outside Posts Adrian Lane: Meet the machines that steal your phone’s data. Interesting to see professional eavesdropping devices for mainstream law enforcement. Nothing state of the art, but it allows Officer Barbrady to jack a cell tower. Still, before Snowden nobody cared about this stuff. Mike Rothman: Apple’s Fingerprint ID May Mean You Can’t “Take the Fifth”. We’re entering (yet) another new age, when the legal system is nowhere near keeping pace with technological innovation. Interesting thoughts from Marcia Hoffman about the legal question of whether you can be compelled to unlock your phone (with presumably damning evidence on there) because biometrics are not protected under the 5th Amendment, while passwords would be. Rich: A TED talk by master pickpocket Apollo Robbins. This is more entertainment than learning (as are most TED talks), but damn. You may think you understand the limits of your perception, but you don’t. The last line is the real kicker. Dave Lewis: London schoolboy secretly arrested over ‘world’s biggest cyber attack’ Gal Shpantzer: Yahoo recycled email accounts may contain emails destined to old account owner. No matter how they try to talk this up, or what they do to recover, this is a mess. Research Reports and Presentations Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Email-based Threat Intelligence: To Catch a Phish. Top News and Posts Chaos Computer Club breaks Apple Touch ID. A Survey of the State of Secure Application Development Processes. Just downloaded a copy. Review forthcoming. TouchID defeated: what does it mean? New CA law will let minors digitally erase their past. ‘Mr Big’ of UK cyber-crime among gang of eight arrested over £1.3million Barclays computer hijack plot in carbon copy of Santander scam Blog Comment of the Week This week’s best comment goes to Gunnar, in response to Cybercrime at the Speed of Light. HFT is about trading, not investing. Traders buy and sell every second of every day. Investors have multi year time horizons. That’s how ordinary should approach it, long term, buy and hold investment not as traders. These events which continue to happen on a more regular basis and show no signs of stopping, are worrisome, for traders. They can bankrupt themselves with their own algorithms, as one of the biggest Knight Capital did last year http://www.forbes.com/sites/halahtouryalai/2012/08/06/knight-capital-the-ideal-way-to-screw-up-on-wall-street/ Share:

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there. Given that you can’t prevent all attacks, you need to ensure you detect attacks as quickly as possible. The concept of continuous monitoring has been gaining momentum, driven by both compliance mandates (notably PCI-DSS) and the US Federal Government’s guidance on Continuous Diagnostics and Mitigation, as a means to move beyond periodic assessment. This makes sense given the speed that attacks can proliferate within your environment. In this paper, Securosis will help you assemble a toolkit (including both technology and process) to implement our definition of Continuous Security Monitoring (CSM) to monitor your information assets to meet a variety of needs in your organization. We discuss what CSM is, how to do it, and the most applicable use cases we have seen in the real world. We end with a step-by-step list of things to do for each use case to make sure your heads don’t explode trying to move forward with a monitoring initiative. We are indebted to all our licensees for supporting our research and broadening our reach, including Qualys, Tenable Network Security, and Tripwire. We don’t expect you to rebalance security spending between protection and detection overnight, but by systematically moving forward with security monitoring and implementing additional use cases over time, you can balance the scales and give yourself a fighting chance to figure out you have been owned – before it’s too late. Check out the landing page in our Research Library or download the paper directly: Continuous Security Monitoring (PDF) Share:

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading. Today I read in The Verge: Last week’s Federal Reserve announcement made big waves on Wall Street, sending markets skyrocketing and financial organizations scrambling to spread the news – but a new report raises concerns that some were spreading it faster than they should have. The high-speed trading experts at Nanex say they saw simultaneous reactions in both Washington D.C. and Chicago, when the news should have taken at least three milliseconds to travel the 600 miles from the Federal Reserve Building to the Chicago’s commodities exchanges. I await Gunnar’s response, but it seems to me that ordinary people have little chance of surviving the markets as computers take over ‘our’ economy. Share:

Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell. An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity. … The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, … Two other compromised systems were located inside the networks of Dun & Bradstreet, … The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides background, drug, and health screening for employers. In my research for the Involuntary Case Studies in Data Breaches presentation I update every few years, I come across many dozens of breaches of credit check services, data brokers, and other information-gathering services. Go check it out yourself at the DataLossDB and search on Experian, LexisNexis, and so on. What I didn’t know is how many institutions rely on this data for Knowledge Based Authentication, and that it has been broken since at least 2010, according to Avivah Litan of Gartner (who is great – rely enjoyed working with her). I am fascinated because although I always considered this data aggregation a privacy risk – now we see it also as a security risk. Share:

Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spanuolo (@MikiSpag) Jeremiah Grossman summarized it best: “XSS to account takeover.” Think about it – this app auto-executes any JavaScript received via email. Oops. I emphasize that this is not Apple’s Mail app included with iOS – it is a third-party app called Mailbox in Apple’s Apple App Store. Initially, I thought, hey, they’ll fix it soon – they just got a public report on it from Spaguolo’s blog. But Michele has updated the post – @bp_ posted this issue on Twitter in MAY. So they have been sitting on a big hole for months. This is interesting for two reasons: Apple’s App Store code analysis clearly missed it. Then again, should it have even caught it? The vulnerability doesn’t expose anything on the iOS device itself, and doesn’t violate any of the App Store rules. It also demonstrates that walled gardens, while ‘safer’, aren’t actually ‘safe’. There are entire classes of attacks that likely comply with App Store rules. Like Candy Crush, which is ruining marriages and destroying grades throughout the world. Someone needs to stop the insanity. Enterprises should make damn sure employees aren’t using these services without security vetting. Mailbox is only the start – just look at the many calendar enhancement apps out there. All these little startups use full access to your calendar, mail, contacts, reminders, and social networks to provide a more usable calendar. And almost none of them talk about security in any meaningful way. Rich has been doing some analysis here – they all fail. Mailbox is now owned by Dropbox (confirmed by the Dropbox copyright on the bottom-left of mailboxapp.com). So either Dropbox didn’t do much appsec due diligence when they bought Mailbox, or they found and ignored it, and now they are on the hook and in the spotlight. A spokesperson for Mailbox said the patch for the auto-execution vulnerability is inbound by end of Wednesday (today), according to that article. It is interesting to see how software vendors react to such disclosure, but to me the more interesting aspect is the insight into what Apple’s App Store vetting misses… Share: