Research

We’ve been hinting at it over Twitter and in other blog posts, but it’s official. We’re sponsoring our First Annual Recovery Breakfast Wednesday morning at the RSA conference (8-11 am at Jillian’s). We’ll have hot and cold food, a selection of over-the-counter recovery items, and the hair of the dog of your choice. No marketing, speeches, or anything else (especially since we’ll be in rough shape ourselves). Since we have no idea how many people might show up, we’re asking you to RSVP if you think there’s a reasonable chance you’ll make it. To add a bit of incentive, we will be randomly selecting one RSVP to win a Chumby. You still have to show up to win, but we’ll pre-select your name so you don’t have to be there at any particular time. Just email us at rsvp@securosis.com. (We’ll need the winner’s real address to ship it to you, since it takes too much space in our bags, but we’ll just collect that at the event. We hope you’ll be able to join us, and we’ll see you at the show… Share:

It was nearly three years ago that I started the Securosis blog. At the time I was working at Gartner, and curious about participating in this whole “social media” thing. Not to sound corny, but I had absolutely no idea what I was getting myself into. Sure, I knew it was called social media, but I didn’t realize there was an actual social component. That by blogging, linking to others, and participating in comments, we are engaging in a massive community dialogue. Yes, since becoming an analyst I’ve had access to all the little nooks of the industry, but there’s just something about a public conversation you can’t get in a closed ecosystem. Don’t get me wrong- I’m not criticizing the big research model- I could never do what I am now without having spent time there, and I think it offers customers tremendous value. But for me personally, as I started blogging, I realized there were new places to explore. At Gartner I learned an incredible amount, had an amazingly good time, and made some great friends. But part of me (probably my massive ego) wanted to engage the community beyond those who paid to talk to me. Thus, after seven years it was time to move on and Securosis the blog became Securosis, L.L.C.. I didn’t really know what I wanted to do, but figured I’d pick up enough consulting to get by. I didn’t even bother to change my little WordPress blog, other than adding a short company page. It’s now nearly two years since jumping ship without a paddle, boat, lifejacket, any recognizable swimming skills, or a bathing suit. We’ve grown more than I imagined, had a hell of a lot of fun, posted hundreds of blog entries, authored some major research reports, and practically redefined the term “media whore”. But we still had that nearly unreadable white-text-on-black-background blog, and if you wanted to find specific content you had to wade through pages of search results. Needless to say, that’s no way to run a business, which is why we finally bit the bullet, invested some cash, and rebuilt the site from scratch. For months now we’ve been blogging less as we spent all our spare cycles on the new site (and, for me, having a kid). I realize we’ve been going on and on about it, but that’s merely the byproduct of practically crapping our pants because we’re so excited to have it up. We can finally organize our research, help people learn more about security, and not be totally embarrassed by running a corporate site that looked like some idiot pasted it together while bored one weekend. Which it was. I asked Adrian for some closing thoughts, and I absolutely promise this will be the last of our self-congratulatory, self-promotional BS. The next time you hear from us, we’ll actual put some real content back out there. -Rich Some of you may not know this, but I had been working with Rich for a couple of months before most people noticed. Learning that was unsettling! I was not sure if our writing was close enough that people could not tell, or worse, no one cared. But we soon discovered that the author names for the posts was not always coming up so people assumed it was Rich and not Chris or myself. It was several months later still when I learned that the link to my bio page was broken and was not viewable on most browsers. We were getting periodic questions about what we do here, other than blog on security and write a couple white papers, as lots of regular readers did not know. It never really dawned on Rich or I, two tech geeks at heart, to go look at how we presented ourselves (or in this case, did not present ourselves). When a couple business partners brought it up, it was a Homer Simpson “D’oh” moment of self-realization. Rich and I began discussing the new site October of last year, and as there was a lot of stuff we wanted to provide but could not because WordPress was simply not up to the challenge, we knew we needed a complete overhaul. And we still were getting complaints that most people had trouble reading the white text on black background. Yes, part of me will miss the black background ..It kind of conveyed the entire black hat mind set; breaking stuff in order to teach security. It embodied the feeling that “yeah, it may be ugly, but it’s the truth, so get used to it”. Still, I do think the new site is easier to read, and it allows us to better provide information and services. Rich and I are really excited about it! We have tons of content we need to tune & groom before we can put it public into the research library, but it’s coming. And hopefully our writing style will convey to you that this blog is an open forum for wide open discussion of whatever security topic you are interested in. Something on your mind? Bring it! -Adrian And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: I wrote the cover story on DLP for this month’s Information Security Magazine. They never told me it was the cover, so that was a very pleasant surprise. Martin and I had a guest interview on Hacker Spaces for this week’s Network Security Podcast. I did an interview for the New York Times on Mac security. It raised so much controversy that they did a follow on article, with our friend Dino Dai Zovi. I did an interview with Bill Brenner of CSO Magazine on federal cybersecurity and the latest congressional hearings. I also did a podcast with Dennis Fisher at ThreatPost on a bunch of topics, including Conficker. Wondered where Adrian was in the press, and considered revoking his whore status. Favorite Securosis Posts: Rich: Our new site announcement. I swear we’ll get over

If you can read this, you’ve found the brand spanking new Securosis! We’d call it Securosis 2.0, but we hate all that “2.0” stupidity. (We also hate “next generation”, for the record). If I was in the terrain park I’d say I’m totally stoked, but since I’m only sitting at home in the office I’ll have to settle for really fracking excited! We’ve been working on this for months, and we sure as heck hope you like it. There are a ton of new features, and we moved over to a new platform to support all sorts of goodness down the road. We know not everything is quite perfect yet, but we think we’re off to a great start and it’s far more functional than the old site. Aside from the platform switch, the biggest addition is the Securosis Research Library. We know a lot of people come here to learn about the topics we cover, and rather than forcing you to crawl through a search engine we wanted one nice area that guides you exactly to what you’re looking for. We have one page per topic, with all the best things we’ve written or recorded on that subject, in a recommended reading order. You can even subscribe to it as an RSS feed and it will stay current in your reader. Right now we have only a handful+ of pages in there, but our goal is to flush it out with all the topics we cover, at the rate of 1-2 per week. We’re also adding content, such as presentations, on a daily basis as we get everything converted. We now have a much better search engine and a cool tag cloud, and we’ve completely reorganized how we publish our whitepapers and other major content (you can find it in the Research Library). For those of you who have registered here before, we pulled your user accounts over but killed your passwords. Just click on this link to reset your password and you’ll be right back in. Finally, we know some of you were getting updates via email. We couldn’t migrate that over, but we set up a sweet new Daily Digest using MailChimp. I’m totally friggen’ exhausted, so with that I’m going to grab a beer, go to sleep, and see what’s broken in the morning. I’d like to thank Insight Design for our awesome look, and Adam Khan of Engaging.net for all the help getting things running. Need. Beer. Now. Share:

We are putting the final touches on the new site and should be launching it within the next 24 hours. Being the eternal optimists, we’re pretty sure something will go wrong, but maybe we’ll luck out and those beers we bought the migration gods will pay off. We’re pretty excited- aside from moving us off the Mogull Special design template, we’re switching to a more secure system, adding a bunch of features, and finally organizing all our content. Thursday’s move is only the first step- we’re already working on some additional content and features we hope you’ll like. If you subscribe to Feedburner RSS you won’t notice any changes. After this move we won’t be pointing people to Feedburner anymore, but we’ll keep it active. We don’t think we have any direct subscribers, but if you happen to use a non-Feedburner feed, you’ll need to visit the new site and re-subscribe. Otherwise, the transition should go smoothly, but we hope you RSS only readers will still come and check out the new site (and features). **If you subscribe to the email updates** We’re changing to an entirely new email system and your subscription may not carry over. Yeah, it stinks, but we didn’t have many options. If you get emails of our feed from Feedburner you won’t notice any changes. If you subscribed directly on the site, you’ll need to visit the new site and sign up again- we have a big link right there on the blog page (on the right side), and all you need to enter is an email address. Wish us luck- we’ll need it! And don’t forget to visit the new site… same address, more pizzaz. (not more pizzas, which would probably get us more readers) Share:

Did anyone else get this email? You are receiving this email because you are registered for RSA® Conference 2009. Your account information needs to be activated so that you can take full advantage of all the Conference activities including access to the Conference Personal Scheduler and access to the Conference wireless network while on-site. … Please take a moment now to log-in and complete your account activation athttps://sso.rsaconference.com/sso/LogIn.jsp   using the following temporary password – %_DWqwet(M. You will then be prompted to confirm your profile information and reset your password. Your username is not included in this email for security purposes. If you are unsure of what your username is, you can retrieve it online at https://sso.rsaconference.com/sso/RetrieveUserName.jsp. You can log in to your account anytime at https://sso.rsaconference.com/sso/LogIn.jsp. … For more information on RSA Conference Single Sign-on, please visit our website or contact us atloginhelp@rsaconference.com.  Sincerely, RSA® Conference Team Wow, is this a phishing attempt out to the RSA list? Awesome! Share:

The big news at Securosis this week centered around the Conficker worm. As Rich blogged earlier in the week, he got a call from Dan Kaminsky on Saturday with the outline of what was going on. Rich and I scrambled Saturday to reach as many AV vendors as we could to get the word out. While some were initially a little annoyed at getting called on their cell phones Saturday afternoon, everyone was really eager to see what Tillmann Werner and Felix Leder had discovered and get their scanning tools updated. I expected things to be quiet on April 1st. A lot of security researchers have been watching and studying the worm’s behavior, and devising plans for detecting and containing the threat. I imagine the authors of the worm are reading every bit of news they can get their hands on and learning how to improve their code in response. This has been fascinating to watch. Thanks again to the Honeynet Project and Dan Kaminsky for doing a great job, and for involving us in the effort. On a more personal note, you probably have noticed that neither Rich nor I have been blogging as much lately, partially due to our desire to not create more work for ourselves prior to the new site launch; partially because, well, family comes first. For those of you who know me, you know I have dogs. When people ask me if I have kids, I typically say “No, I have dogs.” What I mean to say is “Yes, several; of the four legged variety.” March has been a terrible month for me because in the first few days one of my puppies went into kidney failure as she had been prescribed the wrong pain medication and dosage. I spent 5 days at the emergency vet clinic with her, even signing the DNR papers as we did not think she would make it. Happy to say she did, and is slowly recovering her ability to walk and some of the 30 lbs. she lost. A couple of days after I got back from Source Boston, her brother, and our all time favorite, started having trouble breathing. To make a long story short, we found cancer everywhere, and he only made it five days after his first visible symptoms, dying in my lap Tuesday morning. We know even several of you hardened veterinarians and long time breeders who have “seen it all” shed a tear over this one, and Emily and I understand and appreciate your heartfelt condolences. Looking forward to a much brighter and happier April. And now for the week in review… at least what little of it I managed to notice: Webcasts, Podcasts, Outside Writing, and Conferences: Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site. Rich’s article on Search Security on Data Loss Prevention Benefits in the Real World is available. Rich and Martin hosted episode 184 144 of The Network Security Podcast this week, covering not only Conficker news, but also a ton of stuff regarding security on the Mac platform with Dino Dai Zovi. Even recommended by the Macalope! Favorite Securosis Posts: Rich: Looking forward to getting ASS Certification. Adrian: Rich’s post on Detecting Conficker Favorite Outside Posts: Adrian: Know Your Enemy: Containing Conficker was a fascinating paper. Rich: From Anton Chuvakin’s Blog: Thoughts and Notes from PCI DSS Hearing in US House of Representatives. Top News and Posts: Microsoft Security Advisory 969136 for MS Office PowerPoint. Internet too dangerous? I think most people just do not appreciate how dangerous it is. Conficker ‘eye-chart’. This is a great idea and works for several malware variants. One topic I really wanted to blog on this week was the Internet Crime Complaint Center report that incidents (discovered and reported, of course) were up 33% year over year. Mini-Botnets. Smaller, just as much of a problem. The Open Cloud Manifesto. Ugh. Too many grandstanders with too little to say. If Hoff wants to fight that fight, fine, but it feels like yelling at the wind to me. Just not worth the time jumping into this mess until there is a bit more of a market. Don’t get me wrong- Rich and I will cover cloud and virtualization security in the future, maybe even this year. But not in response to this, and when we do, will will try to have something to say that does not suck. Blog Comment of the Week: This week’s best comment was from ‘Anonymous’: @Andre, I think once the Institute store makes its exclusive gear available, you should be the first to buy an ASS hat. We are working on the merchandise page for the new site … we will be sure to stock those hats. Share:

Just a quick note today since I’m totally distracted by having some family in town. Episode 144 is up and features Dino Dai Zovi… co-author of The Mac Hackers Handbook. It’s a great interview, especially if you are interested in Mac security issues. We also discuss the No More Free Bugs meme. You can download the episode here… Share:

We’ve been talking a lot about application security since we started this blog, and one thing we’ve been tracking closely are training and certification programs. While we couldn’t talk about it, we’ve been quietly involved with the Institute for Certified Application Security Specialists. We reviewed the program during development, and were overall pretty impressed. It has very similar requirements to the CSSLP, but is more cost effective for security practitioners… something we can all appreciate in this economy. Believe it or not, despite my not-infrequent diatribes against various certifications, I actually went through the process myself and am fully certified. What I really appreciate is how pragmatic the program is, and how it really reflects the operational realities of application security. You can get more information at the Institute for Certified Application Security Specialists, and as a member of the affiliate program Securosis readers receive a 10% discount. Oh- and don’t forget to join the LinkedIn Group! Share:

Update: Dan just let me know that Tillmann Werner and Felix Leder have been working on this for 5 months! Dan came in (and then brought me in) only on Friday. They deserve major credit and thanks for this impressive work. Also, Nmap (which is still free) and the free feed of Nessus have their signatures out for those of you that don’t have an enterprise product. Ever since last year, I always get a little nervous when Dan Kaminsky starts asking me certain questions over Twitter. Last time it was the DNS vulnerability, and this time it was something not as big, yet still extremely cool. Some researchers with the Honeynet Project (Tillmann Werner and Felix Leder) discovered a way to remotely (as in via network scan) detect Conficker infections. It seems that whoever is behind Conficker attempts to patch the MS08-067 vulnerability when they infect a system so no other attackers can get in. The patch is flawed, causing a specific response to network probes. Yes folks, this means you can tell if a system is infected with Conficker just by scanning it. Now how cool is that?   < p>The HoneyNet guys contacted Dan for some help, and then he contacted me to get connected with the major scanning vendors. I called Adrian, and we managed to wrangle up nCircle, McAfee, nCircle, Nmap, Qualys, and Tenable (Nessus) and most have already incorporated, or are about to incorporate, Conficker sigs for their scanners. I think Dan is giving me too much credit in his post; all I did was connect the right people with each other; I wasn’t involved in the tool creation or testing. (We did shoot for some other vendors, but didn’t have the right contacts). I know Dan, the HoneyNet guys, and the vendor research teams all put in a heck of a lot of time on this over the weekend. Here’s what you enterprise guys need to know: There is a free proof-of-concept tool available from the HoneyNet Project, or you can contact your network vulnerability assessment vendor to see if they have an updated signature. This should work on all Conficker variants. (I suspect that won’t last long). The “Know Your Enemy” paper will be released by the HoneyNet Project in the next couple of days, with far greater detail. This doesn’t guarantee you will detect all infections, but it’s a powerful way to reduce your risk. We recommend you start scanning immediately if you have the slightest worry over Conficker. Expect the tools to undergo a series of updates in the next few days as we all learn more. This really is hot-out-of-the-oven stuff that still needs to settle in. The next phase will be to include this in NAC products for pre-connect scanning. That’s about it- simple enough! If you start using these and find anything interesting, please come back and post it in the comments. Share:

As you have probably read, a method for remotely detecting systems infected with the Conficker worm was discovered by Felix Leder and Tillmann Werner. They have been working with Dan Kaminisky, amongst others, to come up with a tool to detect the worm and give IT organizations the ability to protect themselves. This is excellent news. The bad news is how unprepared most applications are to handle threats like this. Earlier this morning, the guys at The Honeynet Project were kind enough to forward Rich and myself a copy of their Know Your Enemy: Containing Conficker paper. This is a very thorough analysis of how the worm operates. I want keep my comments on this short, and simply recommendation strongly that you read the paper. If you are in software development, you need to read this paper. Their analysis of Conficker illustrates that the people who wrote it are far ahead of your typical application development team in their understanding of application security. Developers need to understand the approach that attackers are taking, understand the dedication to their craft these guys are exhibiting, and increase their own knowledge and dedication if they are going to have a chance of producing code that can counter these types of threats. Is Conficker a well-written piece of code? Is it architected well? No idea. But it is clear that each iteration has advanced their three core functions (find & infect, maintain, & defend) and had this flexibility in mind from the begining. Look at how Conficker uses identification techniques to protect itself in avoid downloading the wrong/malicious patches to their worm. And check out the examination of incoming requests to help protect their now infected system from other viruses. This should serve as an example of how to write internal monitoring code to detect exploit attempts (see section 4), either in lieu of a full blown patch, or as self-defending code at critical points, or both. And it is done in a manner that gives them a generic tool that, when updated, will be an effective anti-malware tool. Neat, huh? The authors have a pretty good understanding of randomness and used multiple sources, not only to get better randomness, but to avoid an attack on any one- smart. These are really good application security practices that very few software authors actually put into practice. Heck, most web applications trust everything that comes in, and it looks like the authors of Conficker understand that you must trust nothing! Once again, if you are a software developer or IT practitioner, read the paper. The research that Felix and Tillmann have put into this is impressive. They have proof points for everything they believe to be true about the worm’s behavior, and have stuck with the facts. This is really time consuming, difficult work. Excellent job, guys! Share: