Research

Joe Kissell, with whom I ‘work’ over at TidBITS, just published Take Control of Your Passwords. Joe asked me to review the book ahead of time, and it should be mandatory reading (no, I don’t get a cut – that’s my honest opinion). Joe covers the range of password issues I have ranted on before, then includes specific strategies for managing them. Many of you who read this site might not need the book, but I guarantee nearly everyone you know will get something out of it, even if they only read some sections. Seriously, it is extremely pragmatic and informative. Share:

Bit9 released more details of how they were hacked. The level of detail is excellent, and there seems to be minimal or no spin. There are a couple additional details it might be valuable to see (specifics of the SQL injection and how user accounts were compromised), but overall the post is clear, with a ton of specifics on some of what they are finding. More security vendors should be open and disclose with at least this level of detail. Especially since we know many of you cover up incidents. When we are eventually breached, I will strive to disclose all the technical details. I gave Bit9 some crap when the breach first happened (due to some of their earlier marketing), but I can’t fault how they are now opening up. Share:

It’s funny how some technologies fall out of the hype cycle and folks kind of forget about them. But that doesn’t mean these technologies don’t work any more. Au contraire, it usually means a technology works too well, and just isn’t exciting to talk about any more. Let’s take the case of adaptive authentication: using analytics to determine when to implement stronger authentication. It appears Google has started taking an adaptive approach to authentication for Gmail over the past 18 months: Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made. If a sign-in is deemed suspicious or risky for some reason–maybe it’s coming from a country oceans away from your last sign-in–we ask some simple questions about your account. Yeah, man. Not that a targeted attacker won’t have those answers based on some rudimentary recon. Obviously there are ways to beat this approach, but for run-of-the-mill attackers, more challenging authentication provides enough of a bar to get them looking elsewhere. Remember, these folks chase the path of least resistance, and there are tons of cloud-based email services to chase that don’t perform this kind of sophisticated analytics on authentication requests. And amazingly enough, it works. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011. Good on Google. Maybe they are evil, but at least they are trying to improve security. Share:

Seven years ago I had recently started blogging and emailed a few other bloggers to see if we should get together at the RSA Conference. Some of these people I knew, many I didn’t, and I thought it would be fun to have face to face arguments with a beer in hand, instead of behind a keyboard (with a beer in hand). Very very quickly we received offers to sponsor, and we turned it into an actual invite-only event organized by myself, Martin McKeay, and Alan Shimel, with Jennifer Leggio doing, literally, all the hard work. This year I’m missing the event (and the Securosis Disaster Recovery Breakfast tomorrow morning) since my wife is about to have a baby. Maybe; these things seem somewhat unpredictable. A lot has changed about the Meetup. The RSA Conference itself is an official sponsor thanks to Jeanne Friedman. There is a waiting list for sponsors. And the number of attendees is now hitting a couple hundred, not the few dozen of that first year when we hopped cabs to a dodgy part of town for a nice dinner. We have entertainment, an effectively unlimited beverage budget, and the Social Security Awards. What hasn’t changed is what this event is all about, and based on feedback we are getting, a lot of people miss the point. The SBM is by security bloggers for security bloggers. This isn’t merely another RSA event that anyone can get into if they know the right person. The only people admitted, to the best of our ability to manage, are bloggers. No plus-ones, no friends, no marketing managers (even if they manage your blog). It doesn’t matter if you do a lot for the blogger community – you need to be a member of the community. That means someone who writes (or podcasts) and is a subject matter/technical expert (and yes, we use that term loosely) and contributes to the security community dialog. Your ticket is your name on a byline of a security blog (not a security company blog, depending on the content). Look, those of us running this thing for the past 7 years are volunteers. We do our best, and that means we sometimes make mistakes. But this isn’t run by a company or even the sponsors – it’s run by the handful of people who started it out of nowhere. We are going to make some changes next year. A bigger venue, some changes in sponsorship, and maybe a few other tweaks (like letting spouses in, which we can’t do this year due to capacity). But the one thing that won’t change is who this event is for, and why we hold it. It is the Security Blogger’s Meetup, and those words pretty clearly define the event. You can get into a lot of RSA parties based on who you know, but this one is based on what you do, and the choice is yours. Share:

As the hubbub over Apple, Twitter, and Facebook being hacked with the Java flaw slowly ebbs, word hit late last week that Microsoft was also hit in the attack. Considering the nature of the watering hole attack, odds are that many many other companies have been affected. This begs the question: does it matter? The headlines screamed “Apple and Facebook Hacked”, and technically that’s true. But as I wrote in the Data Breach Triangle, it isn’t really a breach unless the attacker gets in, steals or damages something, and gets out. Lockheed uses the same principle with its much-sexier-named Kill Chain. Indications are that Apple and Microsoft, and possibly Facebook, all escaped unscathed. Some developers’ computers were exploited, the bad guys got in, they were detected, and nothing bad happened. I do not know if that was the full scope of the exploits, but it isn’t unrealistic, and successful hacks that aren’t full-on breaches happen all the time. I care about outcomes. And someone bypassing some controls but being stopped is what defense in depth is all about. But you rarely see that in the headlines, or even in many of our discussions in the security world. It is the exact reason I didn’t really write about the hacks here before – from what I could tell some of the vendors disclosed only because they knew it probably would have come out once the first disclosure happened, because their use of the site was public. Share:

After two years of development, yesterday we flipped the switch and our Nexus product is officially live with our first partner, the Cloud Security Alliance. After all the stress of a nearly-failed launch (one of our security controls decided to filter the payment system) it is incredibly exciting to have this out there for paying customers. Here are some details: You can access the CSA Nexus at nexus.cloudsecurityalliance.org. Subscriptions are $200 annually, and it is available internationally. We launched with the CSA first because the timing was better to support a number of CSA initiatives. Also, we decided to completely rework our content structure for Securosis research to better fit our target market, and that will take us a few months. The systems are otherwise identical, running on the same platform (ain’t SaaS wonderful?). CSA customers gain access to existing and draft CSA research, some exclusive non-public research, and all the Securosis cloud research under development. Since we will be charging a lot more for the full Securosis library, this is a good way for cloud-only people to get discounted access to the exact same content. In other news, I’m a crappy sales guy. Questions submitted to the Ask an Analyst system will be handled by Securosis and CSA experts, depending on who is best for the question at hand. That’s right, full access to Securosis analysts for only $200 (on cloud issues). To support the CSA, we added a full discussion (forum) system that’s tightly integrated with the research, as well as the ability to ask the community (public) questions, not just the experts. You get to pick who you are asking when you submit a question, and our experts will watch both queues. Think of it like Quora or Stack Overflow, except you get to pick whether you want a guaranteed answer from us or responses from your peers. CSA enterprise members get licenses to the system as part of their memberships. We will have more activities and announcements over the next weeks and months, but those are the basics. We really aren’t aware of anything like this on the market that combines structured, professional research with access to both experts and peers for direct answers to your tough questions. Then again, for once, we are totally and completely biased. I also need to thank our developers JT and Jon, and James at our hosting provider (no links because they aren’t ready to take more business right now). I think once you look at what we built, you’ll be amazed that a small company without external funding could pull this off. Share:

Let’s just say I almost failed sharing back in kindergarten. Almost 40 years later I’m not a hell of a lot better at sharing (just ask my kids), but if you want to be good at security, you had better do better at sharing than me. Good points here by Don Srebnick (CISO of the City of NY) on using an ISAC to your advantage: A structure for this type of sharing has been developed within multiple sectors. If you haven’t heard, the Information Sharing and Analysis Center, or ISAC, is that structure. An ISAC provides members with a private community for dispensing information about security threats, incidents and response, and critical infrastructure protection. ISACs are an effective method of sharing your information without direct attribution. If your site is under cyber attack or you become aware of an imminent threat to your sector, details can be exchanged without ever revealing your identity, thereby facilitating sharing, but maintaining confidentiality. I’ve been doing a lot of research on threat intelligence and believe (as many of the CISOs I speak with believe) that no one organization can do it themselves. The only way to shorten the window between attack and detection is to get much better at searching for indicators of compromise in your environment. And bi-directional sharing of the attacks you’re seeing, and learning about attacks similar organizations are seeing, are becoming key success criteria for security in the age of advanced attackers. The New School guys were absolutely right years ago about the need to share. They were just way ahead of the curve. It’s good to see a lot more discussion about sharing happening in the industry. It’s about time… Photo credit: “Sharing” originally uploaded by Toban Black Share:

You know a technology is close to the top of the hype cycle when talking heads start calling for its demise. Zeus Kerravala goes medieval on MDM in this NetworkWorld column: I believe we’re starting to see the beginning of the end of the red hot MDM market. More and more network vendors are rolling out solutions for BYOD that make the traditional solutions somewhat of a commodity. Now Zeus is talking about a new product from F5 that basically wraps apps before delivery to a mobile device, to ostensibly provide proper protection, authorization, etc. Hmmm. Sounds a lot like VDI to me. Or remote control. Or the zillion other technologies that are supposed to take devices out of the equation and manage applications and desktops and everything else remotely. Let’s just say we have seen this movie before and device-centric management approaches continue to be alive and well. And I don’t have any doubt that MDM will be here for the foreseeable future to manage the configurations and hygiene of mobile devices. Will MDM be bundled into a broader endpoint and/or IT management suite? Absolutely. Everything is a feature (in time). Though some folks think this is very big market, as evidenced by AirWatch raising $200 MILLION. Not that investors are always right, but that sounds like a market on the upswing. To say it’s the beginning of the end is, well, wrong. It’s the beginning of the beginning. Photo credit: “it’s dead Jim” originally uploaded by Eddie Codel Share:

In addition to all the cycles we spent in our weekly research meeting trying to come up with cool t-shirt ideas featuring APT1, we also spent a bunch of time talking about the real impact of the Mandiant report, and how hacking for the Chinese is just different than what the US (and most other governments) do. I’m pretty sure Rich will do a much more detailed post on this, following up on his great House of Cybercards ideas. But suffice it to say you probably wouldn’t get much of a hearing if you asked the US military apparatus to help figure out what price a Chinese competitor was planning to bid on a big power plant in South America. But the Chinese have no issue with hacking into all sorts of places to assist their commercial entities, many of which are still at least partially owned by the government. But that’s another discussion for another day – one with a lot of beer. I want to follow up on this week’s Incite snippet, Attribution. Meh. Indicators. WIN! on what I see as the real value of Mandiant’s report. It’s not like most of us in the industry didn’t know that the Chinese military was behind a lot of the so-called APT activity. Now we have a building to go visit. Whoopee! I was far more interested to see the malware indicators they found published, if only to see how some smart folks will use that information to help the industry. First send some kudos over to the folks at Tenable, who quickly posted checks you can load directly into Nessus to look for the malware. Part of the reason to do malware analysis in the first place is to be able to search for those indicators within your environment, using tools you already have. This audit file determines possible infections by several of the malware items identified in the Mandiant Intelligence Center Report – APT1: Exposing One of China’s Cyber Espionage Units. It includes checks for 34 of the malware variants identified in Appendix C The Malware Arsenal. The audit file utilizes a combination of registry checks and file system checks to find hosts that might likely be at risk or infected. Wesley McGrew’s students at Mississippi State also got a little gift, in terms of a bunch of new samples to analyze, as described by TechWorld. It’s great to see students able to learn on real world ammo. “Oh, it’s fantastic,” said McGrew, who will defend his doctoral thesis on the security of SCADA (supervisory control and data acquisition) systems next month. “The importance of having malware that has an impact on the economic advantage of one company over another or the security of a nation is priceless. This is exactly what they should be learning to look at.” Not to get all New School now, but access to the malware and associated indicators used in many of these advanced attacks can be instructive for tons of reasons. We can only hope this is the first of many instances where the industry works together to improve the practice of security, as opposed to competing against each other for purely economic gain. Yeah, not sure what I was thinking with that last statement. Share:

One of the responses that keeps coming up as everyone discusses Mandiant’s report on APT1 is, “yeah, but China isn’t the only threat, and even the U.S. engages in offensive hacking”. That is completely true, but there is a key difference. China is one of the only nations which uses government resources to steal intellectual property and provides it to domestic business for competitive economic advantage. Of the countries that do this (France and Israel come to mind, according to rumor), China is the only one operating at such a massive scale and scope. Most countries engage in cyberattacks for traditional espionage or, on occasion, in offensive actions like Stuxnet designed to support or obviate a kinetic (boom) response. (“Cyber Missiles” as Gal Shpantzer called it in our research meeting today). China is using the power of the government, at scale, to steal from private businesses in other countries and provide the spoils to its own businesses. This is an important difference, and the reason the response to Chinese hacking is so complex. We can’t treat it like traditional criminal activity because there isn’t anyone to arrest. We can’t treat it as normal government espionage because private businesses are both the targets and the beneficiaries. We can’t treat it like war or offensive operations like Stuxnet, since we sort of can’t go to war with China right now. We can’t stick it back to them and do the same thanks to a combination of our laws and the different natures of our economies. We can’t write it off like we do certain other countries which also steal our IP, because the scale is so massive and the consequences (losses) have grown to measurable levels. In other words, China is different, so the potential responses are more complex. The threat is also greater than many of the other cybersecurity (and I use that term advisedly) problems we face – again due to the scope and losses. There are ulterior motives all over the place right now, and little is as it seems on the surface. There are vested financial interests, both at agency budget levels and within private corporations, manipulating the public dialogue. But that doesn’t mean the threat isn’t real, or that doesn’t need a response. We just should avoid being naive about it. (As a side note, in the same meeting today Gunnar Peterson reminded us that China isn’t doing anything that the US didn’t do back when we were a developing nation. I believe his exact words were, “the US stole everything from Britain that wasn’t nailed down”. We are seeing a natural political progression, but that doesn’t mean we should take it up the ….). Share: