Research

When in doubt, throw money at the problem. From the Washington Post, Pentagon to boost cybersecurity force: The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries, according to U.S. officials. Of course US adversaries have allegedly tasked 100,000 folks to cybersecurity activities, but this clearly indicates the reality of nation-state behavior in 2013. Evidently a couple different kinds of kung fu will be valued by the military-industrial complex. And when they inevitably remake The Graduate, plastics won’t be the can’t-miss occupation. And Mrs. Robinson will be going after the pen tester – tattoos, earrings, and all. Share:

Mike Mimoso has a very good article on active defense at Threatpost. (Yes, we are linking to them a lot today). While every corporate general counsel, CIO and anyone with a CISSP will tell you that hacking back against adversaries is illegal and generally a bad thing to do, there are alternatives that companies can use to gain insight into who is behind attacks, collect forensic evidence and generally confound hackers, perhaps to the point where they veer away from your network. The one thing the article doesn’t spend enough time on is how useful these approaches can be for triggering alerts in your security monitoring. Especially if you correlate two or more events, which are highly unlikely to be a false positive. I wrote about this last June with some definitions. Finally, the CrowdStrike guys need to get their messaging lined up. Mixed messages aren’t great when you are in pretend-stealth mode. Share:

A first person account at Threatpost by David Litchfield, who discovered the vulnerability which was later exploited. Looking at my phone, I excused myself from the table and took the call; it was my brother. “David, it’s happened! Someone’s released a worm.” “Worm? Worm for what?” “Your SQL bug” My stomach dropped. Telling Mark I’d call him back later I rejoined the table. Someone, I can’t remember who, asked if everything was alright. “Not really,” I replied, “I think there’s going to be trouble.” Microsoft was going down the security path before this, but it clearly helped reinforce their direction and paid massive dividends on SQL Server itself. The first major flaw to be found in SQL Server 2005 came over 3 years after its release – a heap overflow found by Brett Moore, triggered by opening a corrupted backup file with the RESTORE TSQL command. So far SQL Server 2008 has had zero issues. Not bad at all for a company long considered the whipping boy of the security world. Oracle would prefer you not read that paragraph. Share:

Adam Gowdiak in [SE-2012-01] An issue with new Java SE 7 security features: That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit. This was via Ed Bott who has also been covering the deceptive installs included with nearly all Java updates: When you use Java’s automatic updater to install crucial security updates for Windows , third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner. With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naive enough to trust Java’s “recommendation,” you end up with unwanted software on your PC. I have checked, and (so far) I cannot correlate kitten deaths with Java installs, so we’ve got that going for us. Which is nice. Share:

Rich constantly reminds us that “correlation does not imply causation,” relevant when looking at a recent NetworkWorld article talking about the decrease in spam, which concludes that botnet takedowns and improved filtering have favorably impacted the amount of spam being sent out. Arguably, the disruption of botnets – the platform used to send most spam – has probably had a larger effect, with the downing of several large distribution networks coinciding with the start of spam’s decline in 2010. Meh. Of course, that makes better headlines than all the various botnet chasing efforts paying off. But if you dig into Kaspersky’s research you get a different take. Ads in legal advertising venues are not as irritating for users on the receiving end, they aren’t blocked by spam filters, and emails are sent to target audiences who have acknowledged a potential interest in the goods or services being promoted. Furthermore, when advertisers are after at least one user click, legal advertising can be considerably less costly than advertising through spam. Based on the results from several third-party studies, we have calculated that at an average price of $150 per 1 million spam emails sent, the final CPC (cost per click, the cost of one user using the link in the message) is a minimum of $.4.45[sic]. Yet the same indicator for Facebook is just $0.10. That means that, according to our estimates, legal advertising is more effective than spam. Our conclusion has been indirectly confirmed by the fact that the classic spam categories (such as fake luxury goods, for example) are now switching over to social networks. We have even found some IP addresses for online stores advertising on Facebook that were previously using spam. Duh. Spam was great for marketers of ill repute because it was cheaper than any other way of reaching customers. If that changes marketers will move to the cheapest avenue. They always do – that’s just good business. So we can all pat ourselves on the back because our efforts to reduce spam have been effective, or we can thank places like Facebook that are changing the economics of mass online marketing. For now anyway. Share:

We all want security to be front and center in terms of decisions on new applications. We all follow the researchers who show time and again how mobile apps, or web apps, or pretty much anything, can and will be gamed. Yet all that doesn’t matter, as security cannot get in the way of business. Branden Williams did a great job digging into the economics of Starbucks’ stored value cards to make a pretty compelling case that this stuff will happen, whether security likes it or not. Now, let’s say that I install the app on my phone, and set it to recharge $50 every time my balance gets low. I have now reduced their transaction volume with me to 10% of the original (26 times to recharge vs 260 transactions). This changes the fees to $23.27, or a 60% reduction in my cost burden to the company with the added benefit that they get to use my cash for anything they want while I work it off over a period of time. You should read the post because it hits on a number of the economic drivers that make stored value cards a huge win for small-ticket shops like Starbucks. Of course providing access to micropayments from a mobile app introduces risk. But given the numbers Branden outlines, that won’t stop Starbucks from doing everything they can to get everyone using their stored value cards & accounts. The numbers don’t lie – this stuff is going to happen. And these environments will be attacked because they represent a path of least resistance to get financial data. Which underscores the importance of working with the business people and app development team as early as possible to get ahead of the risks of these mobile-driven business processes. Photo credit: “Starbucks Mobile Card iPhone App” originally uploaded by Joe McCarthy Share:

Given the angst, conspiracy theories, and tinfoil hats around any network/security products built in China, it’s curious to see Krebs’ story on the backdoors in Barracuda products found by Stefan Viehboeck of SEC Consult Vulnerability Lab. Viehboeck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort. But having that back door creates exposures that most security conscious folks find unacceptable. As Viehboeck says: “In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.” Clearly you can draw the conclusion that this is bad, especially because Barracuda is playing the ostrich game a bit, calling these issues just ‘medium’ severity. But given that Barracuda caters to the small and mid-market, how many of these boxes are actually installed in secure environments? And how many of these unsophisticated customers will apply the fixes to eliminate the back doors? Right, not too many. We can’t let Barracuda off the hook here just because the back doors are there to facilitate support access in the event the box needs to be remotely fixed. Users lose their credentials and lock themselves out of their boxes all the time. They misconfigure stuff and a support rep would need deep (probably root) access to fix things. We get that. But we aren’t in the excuses business, and neither are Barracuda’s customers. Barracuda just can’t rely on a locked-down IP address range to provide security. That’s too easy to spoof and those addresses may change over time. Obscurity isn’t the answer. Moreover, customers need to have the option to shut down the back doors, especially if they install in one of these mythical secure environments. There must be a middle ground between installing an undocumented back door and not being able to support the device remotely. Maybe they ship the box without the default accounts and lock down the root account. Maybe they have a script that adds the support accounts to the box when a special “Activate Remote Support” setting is selected within the interface. They could use some kind of two-factor authentication to ensure Barracuda support is involved when activating the script. Then when the box is repaired, the user unchecks the box and another script cleans out the user accounts and locks down the box. Is that a perfect answer? Of course not – I’m just throwing crap against the wall. There must be a better way to ensure thousands of customers don’t have to ship their boxes back to Barracuda for simple fixes that can be done remotely by support. But having an undocumented back door isn’t it. Photo credit: “Vancouver, BC, Canada – Robson Street – Hippies Please Use Back Door (Antique Sign)” originally uploaded by Adam Jones Share:

Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile. No less than Dan Geer has weighed in on the topic in a CSO contribution. He looks at it from the perspective of what the mid-sized company can do and what they can’t. By introducing the concept of a third party, which he calls a mentor, Dan is talking about helping an organization kickstart their security program and prioritize. Later, the mentor can move on to their next stop, when the organization is ready to do stand on its own. Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don’t know that you don’t know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself. Basically Dan is calling for the mentor to take a snapshot of an organization and use their experience, methods, and analysis to help the organization prioritize what they should fix first. This first-things-first approach demands a mentor with the tools to take a high definition photograph of your information in motion movement – the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product. Dan is one of the big thinkers in the business, and he doesn’t talk much. But when he does, pay attention. As with any out of the box thinking, you can come up with a million reasons why something like this won’t work. But we should focus on how to make something like this happen; as technology advances (yes, Big Data) this kind of concept becomes more achievable. The reality is that far too many organization don’t know what they don’t know. And until they do things aren’t going to get better. Photo credit: “MSH0110-12 Squeeze Me” originally uploaded by f1uffster (Jeanie) Share:

Will Hadoop be to NoSQL what Red Hat is to Linux? Will it become more known for commercial flavors than the open-source core? Lately I have been noticing similarities between the two life-cycles, with the embrace of packaged variants. What I notice is this: In 1994 I replaced an unreliable BSD distribution with a Slackware distribution of Linux – itself a UNIX derivative. Suddenly “this old PC” was not only reliable, it felt 5x faster than it did running from the Windows partition. Slackware Linux was a great product limited to the realm of uber-geeks – you needed to assemble and compile before you could use it. But you could customize it any way you wanted – and it put a truly powerful OS on the desktop – free. Then Linux started to go a bit mainstream as it allowed us to cost-effectively run applications that previously required a substantial investment and very particular hardware. Caldera was a big deal for a while because they produced a ‘corporate’ flavor. Some companies noticed Linux was a powerful platform and embraced it; others viewed it – along with most open source – as a security threat. But its flexibility and ability to deliver a server-quality OS on commodity hardware were too compelling to ignore. Then we got ‘professional’ distributions, tools, and services. Adoption rates really started to take off. But while the free and open nature of the platform still roots the movement, it started to feel like you need a commercial version for support and tools. These days few people grab different pieces and assemble their own custom Linux distributions. I think Big Data is already moving from the fully open source “piece it together yourself” model into complete productized versions. If that’s true I expect to see the 125+ versions of NoSQL begin to simplify, dropping many of the esoteric distributions, likely boiling the market down to a few main players within the next few years – and eventually the Big Data equivalent of a LAMP stack. After that the NoSQL growth curve will be about standardized versions of Hadoop. The question is whether it will look more like Red Hat or Ubuntu? This really has nothing to do with security, but I thought there were too many similarities to ignore. -Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Milestone: Episode 300 of NetSec podcast. Mike quoted on Reuters on Cisco’s network security competitiveness. Mike quoted in the Merc about Cisco’s network security (missed) opportunity. Favorite Securosis Posts Mike Rothman: Don’t respond to a breach like this. Small minds make poor decisions. And everyone else should continue to do the right thing, even if small minds can’t understand it and take action against it. Adrian Lane: Emotional Whiplash. Mike nailed it. And I only saw the first and fourth quarters! Favorite Outside Posts Adrian Lane: “Cyber” Insurance and an Opportunity. Fascinating. Mike Rothman: XSS, password flaws found in popular ESPN app. Man, this sucks. Any big sports fan uses the ESPN app. Good thing it doesn’t store anything sensitive because I can’t live without my scores and NFL news. Recent Research Papers Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts Aaron Swartz’s death Backdoors Found in Barracuda Networks Gear Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Twitter flaw allowed third party apps to access direct messages Blog Comment of the Week This week’s best comment goes to -ds, in response to It’s just Dropbox. What’s the risk?. If we make security break users, we make users break security. This is such a basic principle. I’m tired of being in an industry where my peers would rather have the illusion of control then actual, effective, risk proportinate security. We have so many pretenders and unfortunately many of them are loud voices and dominate the coversation to the extent that newly minted security practicioners think they are the ideal. Next one of them that says “we do X because it is a best practice” is getting a wedgie. Share:

Symantec released their quarterly earnings today, which is the sort of thing we usually ignore. Especially because it’s only the third quarter, and not even a playoff game (I really need to hang out with Mike less). However… The learning period is over for new CEO Steve Bennett, and he is starting to implement his game plan. There shouldn’t be any surprises considering his background at GE – the focus is on streamlining, realigning assets, and reducing workforce cruft – especially in the middle and executive management levels. Talk is cheap and change is hard, so Bennett has his work cut out for him. The strategy of executing better in the field and with product delivery isn’t without risk. But it’s not like they really had a choice. Their sales costs were much higher than comparables in the industry, so that needed to be fixed. Organic innovation and acquired product integration have been problematic for years. At the same time Symantec drank at the trough of high multiple M&A to drive revenue growth, but too many of those deals didn’t pan out. So the focus will be on the stuff they already have, and even if they do more M&A given the return of capital to shareholders (in the form of a dividend and stock buyback), you’d look for lower priced and accretive deals. One message came across loud and clear: Don’t expect short term magic. Bennett managed expectations that this would be a multi-year process. What does this mean to you? SMB is now tied to consumer, not enterprise. That makes sense on the surface but is likely a tricky move under the covers, depending on where they draw the SMB line. Especially as more and more SMB customers look to the cloud for key services like web and email security and backup. On the enterprise side there will be some turmoil as they move BUs around, focus on profitable products, and perhaps start dropping distractions. This usually slows innovation, despite saying they are investing more into R&D. For most of you this won’t mean much yet, except that you should expect deck chairs to move even in the middle of deals. I don’t expect significant changes in the main product lines, and there is some base there to build on – per the article: The company also plans to increase research and development into areas such as mobile workforce productivity, data center security, integrated backup, information security services, cloud-based information management, and identity and content-aware security. Symantec really struggled with focus for a long time. They have started to clean that up, but nothing that big turns quickly. Mike might have more to add, but most of this won’t affect the enterprise business too much unless they decide to dump something big, and there’s no question they will be dumping little things that aren’t profitable enough. We don’t think they know what won’t make the cut at this point, but clearly some stuff will need to go. I suspect the SMB re-org/transition will be messy, but Symantec hasn’t had much of a strategy or success there for a while anyway. Basically, they are moving to address issues that the entire market has been pointing out for years. That should be good news to those Symantec faithful, and business as usual for everyone else. Share: