Research

I was pretty honored a couple months ago when Johnny Long asked me to participate in a new project for Hackers for Charity called The HFC Security Informer. Johnny is a seriously cool guy who founded Hackers for Charity, which provides a mix of services and financial support in underdeveloped countries. I think most geeks that aren’t running evil botnets have a bit of altruism in them, and HFC is a great way we can use our technical backgrounds (and swag) to help out the rougher parts of the world. HFC runs with basically no funding- giving everything right to its target communities. To better support operations as it grows, Johnny created the HFC Informer- a subscription site with all sorts of behind the scenes content you can’t get anywhere else. This includes pre-release book chapters, discounts on books, exclusive content, and pre-release papers and posts from some of the top names in security… and the occasional lowly analyst. And every time someone contributes content, cash is donated to feed a child for a month. Yesterday I posted a pre-release (and pre-edited) version of my next Dark Reading column The Security Pro”s Guide To Thriving In A Down Economy. Please check it out, and other great content like Rsnake’s Clickjacking paper, and consider supporting HFC. Securosis is a firm believer in the project and we’re hoping to release more content on the HFC Informer, including some of our more in-depth whitepapers. Share:

As a security pro I tend to be a bit paranoid and cynical even outside the domain of technology. Heck, I can’t even get past a nice simple election without picking up on some interesting fraudulent twist. Last night my wife and I were filling out our absentee ballots; never an easy process here in Arizona. Oh, picking candidates is easy enough (Obama for me), but as far as I’m concerned all those ballot initiatives are one of the biggest frauds in our democratic system. I can’t even call it voting, so like any good security researcher I’ll make up a silly word and call it “photing”. Last election cycle we had two competing ballot measures to ban smoking- the real one, put together by a grass roots organization, and the fake one, which pretended to limit smoking but was sponsored by Philip Morris. The goal was simply to confuse the voters, perhaps passing both, and getting to fight it out in the courts. This year we have the worst case of photing I’ve seen since I cast my first ballot at the age of 18. Arizona is home to a ton of migrant labor, and in Phoenix you can’t go a block in certain parts of town without seeing those predatory PayDay loan outfits. A while back, the legislature temporarily suspended the law limiting usury short-term loans, creating this industry. People short on cash can get loans at ridiculous rates (up to 400%) to hold them over until their next paycheck… which clearly won’t go as far. This suspension is due to die in 2010, and the state legislature refuses to extend it. What’s an evil loan shark to do? I mean it isn’t like the voting public would support them? Thus was born Proposition 200 to “crack down on the PayDay loan industry”. There’s even a massive full-court-press ad campaign about how this will lock them down, keep them honest, and protect innocent kittens. One problem- the initiative, and the ad campaign to control these near-criminals, is nearly completely funded… by these even-nearer-criminals. Why? Because without this initiative, the entire industry will be shut down in 2010. Where are Joe Kennedy and Karl Rove when you need them? Share:

I’m very excited to announce a new project I’ve been working on for some time with Debix. Yesterday, they released a new study today on child identity theft. I was astounded to discover that on average one out of twenty kids has their identity compromised in some way before they reach adulthood. That’s essentially one kid in every classroom. And those kids had on average almost $12,800 of debt fraudulenly associated with them. Talk about a nightmare to clean up! Anyway, there are more details over on their blog which just happens to be written by your truly. I’d love to hear your comments either here or over there. Looking forward to hearing from you all. Share:

Denial: There is no cloud. Anger: Why the f&*k is this sales guy trying to sell me a cloud? Bargaining: Can you please just tell me what the f&^k your cloud is? Depression: The sales guy found my CIO. Now I have to by a cloud. Acceptance: There is no cloud. Share:

I don’t get it. I mean I really don’t get it. I can’t possibly imagine why it isn’t so obvious to everyone else!! Don’t you see what’s happening!!! Soylent Green is QSAs!!! One of the more frustrating aspects of our profession is the apparent lack of security prioritization by the rest of the world. We feel like we see things they don’t, and in that context many of their decisions make absolutely no sense. Are we just that much smarter than everyone else? Are they blindfully ignorant? Alan sums up our problem in his post on security gimmicks: Agree or disagree with the gimmicks. You have to ask yourself why. With all that we read and see about data breaches, with all of these compliance regulations and rules around, why can’t people take security seriously enough? Here is one man’s opinion. Security is a bad news generator of an industry. We focus on what happens when things go wrong. We focus on adding to the process. We don’t focus on the positive and the profitable. There is enough bad news in the world for people to focus on right now. They don’t want the bad news that security makes them confront. If we can figure out how to make security a way of bringing a message of good news, we wouldn’t need to resort to gimmicks. My position is a little more zen. Back in physical security/paramedic/firefighter/mountain rescue days I learned we all go through a process of dissociation with mainstream society. When all you see is nasty sh*t and dying people all day, every day, it’s hard to give a rat’s ass about someone getting the cold shoulder at the water cooler. The military, police, nurses, and many other professions suffer the same problem. In that world, there are two ways to handle it- shut up and deal, or isolate yourself into your chosen community. It’s no accident that so many cops are married to nurses. It’s pretty much the same deal for IT security, except we don’t have to wash blood off our shoes quite as often. We see the fragility and danger of our online economy and society. Stolen elections, rampant fraud, and pwned grandmothers. No website is safe, all PCs have trojans, and those damn Macs will all be compromised next week. We need to collectively chill out. Before we blow an aneurysm. As Marcus Ranum said (totally pissing me off because I didn’t say it first): Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is today. We need to do our best to communicate risks to the business and cost effectively keep those risks within tolerance. Then we clean up the mess if the business, after being well informed, decides to accept that risk. If we don’t take risks, we can’t possibly grow. No matter what someone tells us, we sometimes need to touch the hot stove and learn for ourselves. It’s human nature; don’t expect it to change. Security is only good news when it’s no news. Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communication up, you won’t get shafted with the proverbial short end. Don’t end up like I did in college- working as a full time medic on top of being a student wasn’t exactly conducive to my dating life. That uniform didn’t work nearly as well as I expected. (However, a black belt a few years later was very… effective). Share:

The Skype gods definitely worked against us last night as David Mortman from Debix joined us to to talk about a new study the released on identity theft and children. No, you’re 8 month old is stealing identities like I suspect that creepy kid from the ETrade commercials is, but due to both error and fraud a surprising number of children have financial histories they didn’t know about. We also discuss last week’s Microsoft emergency update, Bono frolicking on MySpace, and the usual TSA foibles. We had some audio issues today so we kept the podcast short to spare your ears as much as possible. The Network Security Podcast, Episode 125 Show Notes: Debix sponsored research into the problem of children and identity theft. They are also hosting a webcast with the FBI on Wednesday, October 29th, at 3pm CDT. Microsoft released an out of cycle patch for a critical vulnerability. Bono showed up on some girl’s MySpace page. Oops. At least he wasn’t driving drunk without underwear and with an infant in his lap, like the usual MySpace divas. Tonight’s music is courtesy of George Thorogood and the Destroyers. Share:

  I was amused today when I logged into my business account bank (Wells Fargo) and they had me set up a new set of security questions. The variety wasn’t bad and the questions were reasonably original. After setting them, I was asked to confirm my contact information. A few minutes later, I received this email: Thank you for taking the time to set up your security questions. If we ever need to confirm your identity, your ability to give the correct answers to these questions will help us verify it’s you. If you did NOT set up security questions recently, please call Wells Fargo Online Customer Service immediately at 1-800-956-4442. Please do not reply to this email. It went right to the email address I could have updated after setting up the security questions. Anyone else notice the problem? Now there’s a chance that had I changed the email address on that screen after the security questions, I would have received notification at the old address. As a test, I changed my email a couple of times using the regular interface- but no notifications yet. UPDATE: Got the email, but at the wrong account (the one I changed to, not from). Is this an exploitable security flaw? Nope, but it’s amusing for us paranoid/cynical types. (For the record, they’ve been a great bank for the business, no complaints at all.) Share:

I just read over at Computerworld that the TSA will start requiring gender and date of birth when we buy plane tickets. This is part of Secure Flight, and meant to increase the accuracy of matches to the terrorist watch list(s). As brought up by Bruce and many others over the years, the TSA has yet to identify a single case where this list… umm… you know… actually caught a terrorist. Yes, they’ve snagged some people with warrants, but this is supposedly the terrorist watch list, not the random dumb-ass criminal watch list. They’ve even been questioned about it in their blog comments multiple times, and have yet to answer. Thus, I think we all know the answer. (A special request to the TSA- when you add the colonoscopies, can we get copies to give to our physicians? I’m almost 40 and that would be a cool way to save on health care costs). Note: I don’t blame the people working hard at the checkpoints (other than the few bad eggs common in all workplaces). They are in a crappy position and we shouldn’t blame them for the idiocy of their superiors. Share:

‘Rich forwarded me the RSA Wireless Security Survey for 2008 that was just released this morning. The cities that they scanned were Paris, London & New York. Public hotspots — designed to allow anyone with a wireless device to access the Internet on a pay-as-you-go or pre-paid basis — continue to grow in prevalence across all three cities, and in each case the growth of available hotspots accelerated significantly in 2008 compared with development in the preceding year. Paris saw the largest jump, with numbers increasing by over 300% and comfortably outstripping the comparative growth in New York City (44%) and London (34%). However, New York City remains the leader in regards to its concentration of hotspots. At 15%, New York City is well clear of London where just 5% of wireless access points were found to be hotspots. In Paris, hotspots represented 6% of all the access points we located. It is interesting to compare the year over year changes, and to see what kind of encryption is being employed. It’s certainly worth a review, and a little vendor hype is to be expected, but there are two things that worry me about survey’s like this. First, the public perception that if the connection is encrypted that all is safe. Unless there is a shred secret or some other type of protection, most of these systems are vulnerable to man-in-the-middle attacks. Second is that the rogue hotspots are difficult to detect, which is the de-facto method for wireless man-in-the-middle. If your an IT manager, you have very little way to assess risk from this report, so just assume wireless hotspots are compromised and that you need to deploy a system to thwart these attacks on externally accessible corporate WiFi. And as an end users, if you think you are safe just because you have established an encrypted connection at Starbucks, think again. The guy in the tiny corner apartment overlooking the store makes his living by sniffing personal information and passwords. Share:

I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, was part of the recent Oracle CPU, and Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why had I recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don’t need to wait, but if you are vulnerable to this attack, you probably have bigger issues that should have been addressed already. Specifically: Don’t leave development tools and accounts/environments on production databases, especially those that serve web content. Don’t leave development schemas and associated users/grants/roles on production database servers. This just adds to the complexity and potential overlooked security holes. Occasionally run checks for weak passwords. There are free tools available for most of the common database platforms like Oracle Password Checker, SQL Ping, Scuba and others (just be careful where you download them from), there are vendors that offer this for sale as part of their assessment suite (Fortinet, Application Security), or you can write your own. Some look for a small subset of known default passwords, so I recommend using one where you can edit the dictionary to adjust as you see fit. At least a couple of times a year, review the database accounts to see if there are accounts that should not be there, or if accounts that have execute privileges that should not. Once again, I believe there are free tools, vendor tools as well as scripts that are available from database user groups that will accomplish this task and can be customized to suit your needs. APEX is a handy development tool, but if you are a DBA or a security professional, reading Oracle’s description should make the hair on the back of your neck stand up: “APEX is operated from a web browser and allows people with limited programming experience to develop professional applications.” A powerful tool in the hands of inexperienced programmers sounds like handing out loaded guns. Patch if you think you are susceptible to this vulnerability, but for self-preservations sake, run some assessments to catch this class of vulnerability and not just this issue. Share: